A common approach to test generation and hardware verification based on temporal logic by Kropf, Thomas & Wunderlich, Hans-Joachim
A COMMON APPROACH TO TEST GENERATION AND HARDWARE 
VERIFICATION BASED ON TEMPORAL LOGIC 
Thomas Kropf, Hans-Joachim Wunderlich 
University of Karlsruhe, Institute of Computer Design and Fault Tolerance 
P.O. Box 6980, 7500 Karlsruhe, Germany
Hardware verification and sequential test generation are aspects of the same problem, namely to prove the equal behavior determined by two circuit descriptions. During test generation, this attempt succeeds for the faulty and fault free circuit if redundancy exists, and during verification it succeeds if the implementation is correct with regard to its specification. This observation can be used to cross-fertilize both areas, which have been treated separately up to now. In this paper, a common formal framework for hardware verification and sequential test pattern generation is presented, which is based on modeling the circuit behavior with temporal logic. In addition, a new approach to cope with non-resetable flip-flops in sequential test generation is proposed, which is not restricted to stuck-at faults. Based on this verification view, it is possible to provide the designer with one tool for checking circuit correctness and generating test patterns. Its first implementation and application is also described.
1. INTRODUCTION
The increased use of VLSI, especially in safety critical systems, demands a high confidence in the correct functioning of these systems. Thus, it has to be ensured that circuits contain neither design errors nor fabrication faults.
Hardware verification copes with errors which occur in the circuit during the design process. Verification is performed by formally proving that an implementation meets the specification, i.e. the behavioral requirements. Usually this is done by modeling the functional behavior in terms of logic and using a theorem proving tool to support the proof process (e.g. [1], [2], [3]).
Test generation on the other hand addresses the problem of finding input stimuli for a circuit in such a way that fabrication defects are found. Generally, this is accomplished by injecting faults given by an appropriate fault model into the description of the correct circuit and comparing the behavior of the resultant faulty circuit and the correct circuit to find input sequences such that the output values of the two circuits eventually differ. Most of the algorithms for test generation perform the behavioral reasoning mainly on the given structural circuit information (e.g. [4], [5], [6], [7]). Sequential test generation is known to need exponential worst case effort, which is reduced by design modifications like a complete scan path ([8], [9]), a partial scan path ([10], [11], [12]), a pseudo-exhaustive technique [13] or an appropriate synthesis [14]. Sometimes such design modifications are not feasible due to area and speed restrictions and test generation has to be done for the original circuit, or the modifications only reduce the complexity of the sequential test generation process.
Although hardware verification and testing are both needed to achieve fault free systems, they have been treated in isolation up to now. Since both have to cope with propositions about the behavioral equivalence of circuit descriptions, it is possible to combine test generation and verification, which results in benefits for both.
In this paper temporal logic is used to capture the circuit behavior. This logic is often used for hardware verification, since circuit specifications may be described naturally and more complex properties may be expressed than in normal FSM verification approaches ([15], [16], [17]). Additionally, using temporal logic, the behavior of arbitrary faults at gate level may be easily modelled. Moreover, using a formal logic reduces the hardware verification and the test pattern generation problem to a satisfiability and a validity problem, and hence new and different approaches are possible which are based on a separation between problem formulation and solution methods [18].
Our approach leads to a tool which supports the designer at two stages of the design process. When creating a circuit implementation, he ensures design correctness by describing his design in terms of temporal logic and verifying it against a given specification. The very same circuit description and tool is then used to generate test pattern sequences. Moreover, as a spin-off, design for testability is automatically supported, since a verifiable implementation leads automatically to better testable designs.
A related approach has been presented by Cho, Somenzi et al. which relies on similar implementation principles ([19], [20]). However, it is directly based on FSM equivalence checking and is not able to cope with circuits without reset line.

INTERNATIONAL TEST CONFERENCE 1991
CH3032-0/91/0000-0057$01.00 © 1991 IEEE
Paper 3.1
57

The paper is organized as follows: In section 2 some fundamentals of temporal logic are introduced. The next section shows how to model hardware behavior using this formal language. In section 4 an approach for hardware verification with temporal logic is presented. Then the verification problem is extended to sequential ATPG. Section 6 points out some optimizations which accelerate the approach. The paper ends with experimental results and a conclusion.
2. TEMPORAL LOGIC
Propositional temporal logic is frequently used in hardware verification ([16], [21], [17]). Traditional propositional logic is extended by temporal operators, which allow the expression of time varying properties such as the sequential behavior of digital circuits. Moreover, propositional temporal logic is decidable, and there are constructive, fully automated decision procedures available, which are the main advantages compared to approaches based on first or higher order logics ([2], [3]). There, mechanized theorem proving is slower and often requires user guidance.
Two approaches to temporal logic theorem proving are mainly used: Computation Tree Logic (CTL) and Propositional Temporal Logic (PTL). CTL is a propositional, branching time logic, i.e. in the future many computation paths are possible [22]. A specification is given by CTL formulas and the implementation of the system to be verified is given by a state graph [17]. PTL is based on a linear sequence of discrete time points. In contrast to CTL, no explicit state graph is given and both specification and implementation are described in PTL. It has been proposed by Manna and Pnueli as a means for verifying concurrent programs [23] and its usefulness for describing and verifying hardware has also been established ([24], [25], [16]).
Since our approach is based on PTL, its operators as well as the underlying decision procedure are explained in the following.
Formulas in PTL are constructed in the usual way of the propositional calculus. The semantics of PTL is explained based on the propositional operators ¬ and →, but other logical connectives are used as abbreviations (∧, ∨, ↔, ⊕ as and, or, equivalence and exclusive-or respectively). A formula F is built from a set A of variables and it is called atomic if F ∈ A or F = ¬p with p ∈ A. In addition to the propositional connectives, temporal relationships are expressed by three operators. The formula ○p indicates that formula p holds in the next time instance, □p means that p is true in this and all following time points, and ◇p means that p is true in this or one of the following time points. The until operator is omitted, since it is not used in this context.
PTL formulas are defined as follows [23].
Definition 1:
a) An atomic proposition is a PTL formula.
b) If F and G are PTL formulas, then ¬F, F → G, ○F, □F and ◇F are PTL formulas.
In the following, small letters denote atomic propositions (e.g. p) and capital letters denote compound PTL formulas (e.g. F, UC).
A formula F is called elementary if it is atomic or F = ○G, i.e. F contains the next operator as its outermost connective.
Definition 2: Let σ := (s_0, s_1, s_2, ...) be a sequence of truth assignments s_i: A → {0, 1}, and let σ_i := (s_i, s_{i+1}, ...) be the i-th truncated suffix of σ. We call σ a model of a formula H, or H is true under σ (denoted as σ ⊨ H), according to the following rules:
σ ⊨ p       iff s_0(p) = 1, when p ∈ A
σ ⊨ ¬F      iff σ ⊭ F
σ ⊨ F → G   iff σ ⊭ F or σ ⊨ G
σ ⊨ ○F      iff σ_1 ⊨ F
σ ⊨ □F      iff ∀i, i ∈ N_0: σ_i ⊨ F
σ ⊨ ◇F      iff ∃i, i ∈ N_0: σ_i ⊨ F
Definition 3: A formula is satisfiable if there exists a model for it. A set of formulas is called satisfiable if every formula from this set is satisfiable. A formula F is called valid (or tautology, denoted by ⊨ F) if σ ⊨ F holds for every σ.
Automated theorem proving can be done based on tableau methods in a similar way as they are used for the propositional calculus [26]. A property of proving procedures required for test generation is their constructiveness, i.e. the ability to explicitly generate models for a satisfiable formula and counterexamples if a tautology check for a given formula fails.
However, for the problems treated in this paper not the whole expressiveness of temporal logic is needed. Hence methods known from FSM equivalence checking ([27], [19], [28]) may be used to speed up the temporal logic proving process, similar to suggestions of Burch, Clarke, McMillan and Dill ([17], [29]). This is described in more detail in section 6.3.
3. HARDWARE MODELING
To describe hardware with PTL, the model of discrete time points is mapped onto real time events. Two approaches are conceivable. Either every discrete time point is defined by a fixed time schedule, or the time points mark the clock ticks of a synchronous system. Although the former possibility allows the expression of asynchronous behavior, it complicates the circuit descriptions and limits its use to small circuits. In this paper, the latter method is used. The "next"-operator indicates the values of circuit variables after the next clock signal. This modeling is not restricted to single clock systems; complex clocking schemes are allowed provided that clock transitions only occur at time points describable with PTL.
A simple example of a single clock circuit is shown in figure 1 [30].
Figure 1: Example Circuit (a NAND gate computes m from the primary input in and the flip-flop output out; the flip-flop is clocked and takes m as its input)
Its behavior is described by the following set of formulas:
□(m ↔ ¬(in ∧ out))
□(○out ↔ m)
The "always"-operator indicates that the functional relationship between the input and output of the elements must hold forever. For better readability the AND-operator is omitted between the subformulas.
A netlist description of a circuit is translated into temporal logic in linear time; the PTL formulas to model the behavior of basic cells have to be stored in a library.
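As an added illustration of definitions 1 to 3 and of the modeling above (this is not code from the paper), the following Python evaluates the PTL semantics of definition 2 over an ultimately periodic sequence σ, i.e. a finite prefix followed by a loop, so that every suffix σ_i is one of finitely many and □ and ◇ are decided exactly. The tuple encoding of formulas, the operator names and the two traces are assumptions of the example; the traces are constructed so that the first is a model of the figure 1 description and the second, which violates the NAND formula at one time point, is not.

```python
# Added example, not code from the paper: PTL of section 2 evaluated over an
# ultimately periodic sequence sigma, applied to the circuit description of
# figure 1. A sequence is (states, loop_start): states[i] is the truth
# assignment s_i, and time points i >= len(states) wrap back to loop_start.

def canon(i, sigma):
    """Index of the stored assignment that represents time point i."""
    states, loop_start = sigma
    n = len(states)
    return i if i < n else loop_start + (i - loop_start) % (n - loop_start)

def future(i, sigma):
    """Indices of the distinct suffixes sigma_j with j >= i (i is canonical)."""
    states, loop_start = sigma
    n = len(states)
    return range(i, n) if i < loop_start else range(loop_start, n)

def holds(f, sigma, i=0):
    """sigma_i |= f by the rules of definition 2; formulas are nested tuples."""
    states, _ = sigma
    i = canon(i, sigma)
    op = f[0]
    if op == 'var':                                    # atomic proposition p
        return bool(states[i].get(f[1], 0))
    if op == 'not':
        return not holds(f[1], sigma, i)
    if op == 'imp':                                    # F -> G
        return (not holds(f[1], sigma, i)) or holds(f[2], sigma, i)
    if op == 'next':                                   # O F
        return holds(f[1], sigma, i + 1)
    if op == 'always':                                 # [] F
        return all(holds(f[1], sigma, j) for j in future(i, sigma))
    if op == 'eventually':                             # <> F
        return any(holds(f[1], sigma, j) for j in future(i, sigma))
    # the abbreviations of section 2, reduced to -> and ~ as in the paper
    if op == 'or':
        return holds(('imp', ('not', f[1]), f[2]), sigma, i)
    if op == 'and':
        return holds(('not', ('imp', f[1], ('not', f[2]))), sigma, i)
    if op == 'iff':
        return holds(('and', ('imp', f[1], f[2]), ('imp', f[2], f[1])), sigma, i)
    if op == 'xor':
        return holds(('not', ('iff', f[1], f[2])), sigma, i)
    raise ValueError(f'unknown operator {op!r}')

def figure1_description():
    """The two formulas of section 3: [](m <-> ~(in /\ out)) and [](O out <-> m)."""
    m, inp, out = ('var', 'm'), ('var', 'in'), ('var', 'out')
    nand = ('always', ('iff', m, ('not', ('and', inp, out))))
    flipflop = ('always', ('iff', ('next', out), m))
    return ('and', nand, flipflop)

def is_model(sigma, formula=None):
    """sigma |= formula (definition 2 at time point 0); default: figure 1 circuit."""
    return holds(formula if formula is not None else figure1_description(), sigma)

# Constructed traces (assumptions of this example, not taken from the paper).
# GOOD_TRACE: 'in' held at 1, so out toggles and m is the NAND of in and out;
# the loop covers time points 1 and 2, i.e. s_3 = s_1, s_4 = s_2, and so on.
GOOD_TRACE = ([{'in': 1, 'out': 0, 'm': 1},
               {'in': 1, 'out': 1, 'm': 0},
               {'in': 1, 'out': 0, 'm': 1}], 1)
# BAD_TRACE: same, but m forced to 1 at time point 1, where the NAND demands 0.
BAD_TRACE = ([{'in': 1, 'out': 0, 'm': 1},
              {'in': 1, 'out': 1, 'm': 1},
              {'in': 1, 'out': 0, 'm': 1}], 1)

if __name__ == '__main__':
    print(is_model(GOOD_TRACE), is_model(BAD_TRACE))
```

The lasso representation is what makes □ and ◇ decidable by enumeration here; a tableau-based proof system (section 2) builds such ultimately periodic models for satisfiable formulas and is what the paper relies on for the constructiveness property.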
4. HARDWARE VERIFICATION
For performing hardware verification, both circuit specification and circuit implementation can be described as indicated in the last section. If a specification S of only certain circuit properties, i.e. a partial specification, as well as an implementation J are given in temporal logic, the formula
⊨ (J → S)    (1)
must be proven [15]. Often the specification describes the complete behavior of the circuit. In that case, the behavioral equivalence of two circuit descriptions S and J must be shown
(2)
The behavioral equivalence of two circuit implementations J1 and J2 has to be checked if a design has been modified, e.g. by minimization. The necessary verification can also be performed with formula (2), but for an easier processing with a temporal proof system a slightly different approach, based on the definition of behavioral equivalence (see e.g. [31]), is used.
Definition 4: Two circuits are behaviorally equivalent if for arbitrary input values the correspondent primary outputs carry the same values for all time points, provided that both circuits have been initialized correctly.
If the variables o_i1 (i = 1, ..., n_o) denote the primary outputs of the first circuit and o_i2 denote the correspondent outputs of the second circuit, the property P as defined in formula (3) states behavioral equivalence directly in terms of temporal logic (∧ denotes a conjunction of its arguments).
P := □ ∧_{i=1}^{n_o} (o_i1 ↔ o_i2)    (3)
The equivalence ¬□X ↔ ◇¬X leads to the following uncover condition UC (∨ denotes a disjunction of its arguments), which, if satisfiable, indicates a different circuit behavior.
UC := ◇ ∨_{i=1}^{n_o} (o_i1 ⊕ o_i2)    (4)
Since the two circuits to be verified must be in the same starting state at the beginning of the verification process, there must be a unique reachable initial state, which is guaranteed if all flip-flops are resetable. This is expressed by the following PTL initialization condition IC, where d_i1 and d_j2 denote the state variables of both circuits.
IC := ∧_{i=1}^{n_d1} (¬d_i1) ∧ ∧_{j=1}^{n_d2} (¬d_j2)    (5)
The correspondence between satisfiability in temporal logic and circuit equivalence is stated in lemma 1, which is an immediate consequence of definition 4 and the definition of satisfiability in PTL.
Lemma 1: Let J1 and J2 be two circuits, let UC be an uncover condition according to (4) and IC an initialization condition according to (5) in PTL. If the conjunction J1 ∧ J2 ∧ IC ∧ UC is not satisfiable, then the two circuits have identical behavior.
This lemma reduces verification to theorem proving; moreover, as the proof system is constructive, an input sequence which uncovers the different behavior is generated automatically. This input sequence may be used by the circuit designer as a hint to identify and eliminate the design errors.
5. TEST GENERATION
Test generation is performed by injecting faults given by an appropriate fault model into the description J of the correct circuit to get a faulty description Jε. The behavior of J and Jε is then compared to find input sequences so that the output values of both descriptions eventually differ.
The following approach is not restricted to stuck-at faults; an arbitrary erroneous behavior can be handled if it is describable in PTL. This includes for instance stuck-open faults (see figure 2).
Figure 2: NOR-gate with stuck-open fault (inputs x1 and x2, output y)
Behavior of the correct circuit:
□(y ↔ ¬(x1 ∨ x2))
Behavior of the faulty circuit:
□((¬x1 ∧ ¬x2) → y)
□(x1 → ¬y)
□((¬x1 ∧ x2) → (y ↔ state))
□(○state ↔ y)
More effort is required for considering the impact of hazards and charge storing on transition faults. These mechanisms and delay faults can be handled by refining the grid of the time points of PTL and by adding timing specifications to the library elements. Overall this leads to a considerable increase of complexity and is not incorporated in our first implementation. Moreover, for conciseness and comparability with other approaches [32], we restrict ourselves in the following to the stuck-at fault model.
Unlike verification, the test generation must not be based on the assumption of a reset state, since an initialization sequence may be altered by the fault, the reset line may be affected, or there exists a stuck-open fault with unknown starting value. Hence one must be able to deal with unknown values of storage elements at the beginning of the test generation process. For easier understanding, the case that the faulty circuit still has a reset state is discussed first, and then the general case is treated.
5.1 Circuits with Reset State
The uncover condition (4) and the initialization condition (5) defined in the former section still hold for the faulty and fault free circuit. A test pattern sequence is a truth assignment for the primary input variables so that at least one of the outputs of the correct and faulty circuit eventually carries a different value. If such an assignment does not exist, the fault is called undetectable.
As an immediate consequence of lemma 1 the following fact is proven:
Lemma 2: Let J be a correct circuit and let Jε be a faulty circuit, let UC be an uncover condition according to (4) and let IC be according to (5). A satisfying variable sequence TE for the conjunction J ∧ Jε ∧ UC ∧ IC is a test pattern sequence for the fault.
Example: The modeling of the correct and faulty circuit behavior is demonstrated by the circuit given in figure 3.
Figure 3: Example circuit taken from [33] (primary input d, clock, gates g1 to g6, flip-flops q0 and q1)
Given a stuck-at-0 fault at the output g5, the behavior of the correct circuit J and the faulty circuit Jε is modelled by the PTL formulas depicted in figure 4.
a) correct circuit J:
□(g1 ↔ ¬d)
□(g2 ↔ (¬q0 ∧ d))
□(g3 ↔ (q0 ∧ g1 ∧ q1))
□(g4 ↔ (d ∧ ¬q0 ∧ q1))
□(g5 ↔ (q0 ∧ ¬q1))
□(g6 ↔ (g3 ∨ g4 ∨ g5))
□(○q0 ↔ g2)
□(○q1 ↔ g6)
b) faulty circuit Jε:
□(g1ε ↔ ¬d)
□(g2ε ↔ (¬q0ε ∧ d))
□(g3ε ↔ (q0ε ∧ g1ε ∧ q1ε))
□(g4ε ↔ (d ∧ ¬q0ε ∧ q1ε))
□(g5ε ↔ 0)
□(g6ε ↔ (g3ε ∨ g4ε ∨ g5ε))
□(○q0ε ↔ g2ε)
□(○q1ε ↔ g6ε)
Figure 4: Behavior of the circuits J and Jε
The uncover condition UC is as follows:
◇((q0 ⊕ q0ε) ∨ (q1 ⊕ q1ε))
Since all flip-flops are resetable, the following initialization condition holds:
IC := ¬q0 ∧ ¬q1 ∧ ¬q0ε ∧ ¬q1ε
The formulas from figure 4 a) and b) as well as the uncover and initialization condition are now input to a temporal proof system to perform a satisfiability check, i.e. a variable sequence for the conjunction
J ∧ Jε ∧ IC ∧ UC
has to be found. In the example, the proof system will find the following solution:
TE := d ∧ ○¬d ∧ ○○¬d.
This formula corresponds to a test pattern sequence (d, ¬d, ¬d) (end of example).
5.2 General Case
A test pattern sequence TE is called generally valid (denoted as TE_v) if it is a truth assignment for the primary input variables so that at least one of the outputs of the correct and faulty circuit eventually carries a different value for arbitrary initial values of the storage elements of the circuit.
Cho and Bryant generated such sequences by introducing a third value X to assign an "unknown" signal value to the flip-flops [30]. Since efficient multiple-valued logic theorem proving tools are not generally available, an encoding of every three-valued variable by two two-valued variables is required and leads to a significantly larger search space. Moreover, this approach leads to test pattern sequences which are often not minimal. Even worse, approaches based on such a representation of unknown values are inherently incomplete, since information may get lost [33].
The approach presented in the following avoids an explicit representation of unknown signal values and hence this drawback of incompleteness. It is based on the trivial observation that if a test pattern sequence is generally valid, it is also a test pattern sequence for a circuit with resetable flip-flops. Vice versa, in many cases the determined sequence for circuits with reset state is also a valid sequence for arbitrary initial values of the flip-flops. This property is formally provable by using the following lemma, which states general validity directly.
Lemma 3: Let J and Jε be the PTL descriptions of a fault free and a faulty circuit, let UC be an uncover condition according to (4) and TE a PTL formula describing a test pattern sequence. The sequence is generally valid if formula (6) holds.
⊨ (J ∧ Jε ∧ TE) → UC    (6)
The following algorithm starts by generating a sequence for an arbitrary initial state. If a sequence TE has been found which is not generally valid, the test generation process is restarted to capture "missing" initial states by extending the sequence.
The function isce returns a formula describing the values of all state variables of the counterexample at the first time point.
Note that the splitting into the two functions check_sat and sat_seq has been chosen only for clarification. When using a temporal proof system, both results are achieved by one pass of the system due to its constructiveness. This also holds for check_val and isce.
function atpg(J, Jε, UC);
  {UC is determined according to (4)}
begin
  val := false;
  IC := 1;                                        {first init. state arbitrary}
  while not val do
  begin
    sat := check_sat(J ∧ Jε ∧ IC ∧ UC);           {check satisfiability}
    if sat then
      TE := sat_seq(J ∧ Jε ∧ IC ∧ UC)             {satisfying sequence}
    else
      return("fault undetectable!");
    val := check_val((J ∧ Jε ∧ TE) → UC);         {check validity}
    if not val then
    begin
      ISCE := isce((J ∧ Jε ∧ TE) → UC);           {initial state of counterexample}
      IC := ISCE ∧ TE
    end
    else
      return(TE);
  end;
end.
Theorem: The algorithm atpg finds a test pattern sequence which is generally valid, if one exists.
Proof: The correctness of atpg follows immediately from lemma 3, since this property is explicitly proven in the algorithm. For proving completeness, the termination condition must be checked. The algorithm stops if no further test sequence with the given initialization condition IC is found. At the beginning, IC leads to a sequence for an arbitrary, but fixed starting state. If no such sequence is found, trivially no generally valid sequence exists. In the second and further iterations of the algorithm, the general validity property is checked. If a sequence is not generally valid, a counterexample is generated. The values of the state variables at the first time point indicate an initial state for which the determined sequence TE is unable to uncover the fault. The proof process is restarted with this state and the already generated test sequence as an additional constraint. Therefore, a new sequence is generated which extends the old sequence to uncover the fault for this new state. The algorithm only fails if the sequence is not extendable to comprise all possible initial states. However, this is only the case if it is impossible to find a subsequence, beginning at the end state of the circuit after applying the already generated sequence, which uncovers the fault. Hence if the circuit had been in this end state at the beginning of the generation process, no sequence would have been possible either. Therefore no generally valid test pattern sequence exists. ■
Example: If the algorithm is applied to the example circuit from figure 3, now without the reset condition IC := (¬q0 ∧ ¬q1 ∧ ¬q1ε) of section 5.1, i.e. starting with IC := 1, the result of table 1 is achieved. The flip-flop q0ε can be omitted, since the fault cannot propagate to that flip-flop. "Chosen state" indicates the state which has been chosen for test generation according to IC. The remaining initial states indicate the states for which TE is not a valid test pattern sequence. In the IC column the conjunction with the previously generated TE is not repeated.
Table 1: Variable Assignments for Example Circuit
IC                        chosen state      TE                                        remaining initial states
1                         q1ε ¬q1 ¬q0       ¬d                                        q1ε q1 ∨ ¬q1ε ¬q1
q1ε q1 ∨ ¬q1ε ¬q1         ¬q1ε ¬q1 q0       ¬d ∧ ○d                                   q1ε q1 ∨ ¬q1ε ¬q1 ¬q0
q1ε q1 ∨ ¬q1ε ¬q1 ¬q0     ¬q1ε ¬q1 ¬q0      ¬d ∧ ○d ∧ ○²d ∧ ○³d                       q1ε q1 q0
q1ε q1 q0                 q1ε q1 q0         ¬d ∧ ○d ∧ ○²d ∧ ○³d ∧ ○⁴¬d ∧ ○⁵¬d         none
Thus a generally valid test pattern sequence is found (○ⁱ abbreviates i consecutive ○-operators):
TE_v := ¬d ∧ ○d ∧ ○²d ∧ ○³d ∧ ○⁴¬d ∧ ○⁵¬d
If the sequence (¬d, d, d, d, ¬d, ¬d) is applied to the circuit, a stuck-at-0 fault at the output g5 is uncovered for arbitrary initial values of the flip-flops (end of example).
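The following Python is an added example, not the authors' implementation: it runs the atpg procedure above on the circuit of figure 3 with the stuck-at-0 fault at g5, replacing the BDD-based temporal proof system by an explicit-state breadth-first search over the product state (q0, q1, q1ε). Following the remark that q0ε can be omitted, q0ε is identified with q0 and the uncover condition reduces to ◇(q1 ⊕ q1ε). The functions check_sat and sat_seq are merged into one search that returns the shortest extension of the prefix TE, and check_val and isce into a simulation from all eight initial states, which is exactly the check of formula (6) for this circuit. The returned tuples list only the input values that are clocked in before the difference is observed, so the value the paper assigns at the detecting time point (the ○○¬d of the section 5.1 example) does not appear. Because the search always takes the first counterexample state in a fixed enumeration order, it ends with (d, ¬d, ¬d, d, ¬d), a generally valid sequence of the same length as the paper's (¬d, d, d, d, ¬d, ¬d) but not the same one.

```python
from collections import deque
from itertools import product

# Added example, not the authors' code: algorithm atpg of section 5.2 run with an
# explicit-state search on the figure 3 circuit, fault g5 stuck-at-0.

def correct_next(q0, q1, d):
    """Next state (q0, q1) of the fault free circuit J, from figure 4 a)."""
    g1 = not d
    g2 = (not q0) and d
    g3 = q0 and g1 and q1
    g4 = d and (not q0) and q1
    g5 = q0 and (not q1)
    g6 = g3 or g4 or g5
    return int(g2), int(g6)

def faulty_next(q0, q1, d):
    """Next state of Je from figure 4 b): g5e is constantly 0."""
    g1 = not d
    g2 = (not q0) and d
    g3 = q0 and g1 and q1
    g4 = d and (not q0) and q1
    g6 = g3 or g4                      # g5e <-> 0
    return int(g2), int(g6)

# Product state (q0, q1, q1e). q0e is identified with q0: g2 does not depend on
# g5, so the fault can never propagate into q0 (remark after the theorem).
ALL_STATES = list(product((0, 1), repeat=3))

def step(state, d):
    q0, q1, q1e = state
    nq0, nq1 = correct_next(q0, q1, d)
    _, nq1e = faulty_next(q0, q1e, d)
    return nq0, nq1, nq1e

def uncovered(state):
    """UC at one time point: q1 xor q1e (q0 xor q0e is identically 0)."""
    return state[1] != state[2]

def run(state, seq):
    """Clock seq into the product machine; detection counts at any time point."""
    if uncovered(state):
        return True, state
    for d in seq:
        state = step(state, d)
        if uncovered(state):
            return True, state
    return False, state

def sat_seq(init_states, prefix=()):
    """check_sat and sat_seq in one pass: shortest extension of prefix that
    uncovers the fault from some allowed initial state (J ^ Je ^ IC ^ UC), else None."""
    frontier, seen = deque(), set()
    for s in init_states:
        detected, end = run(s, prefix)
        if detected:
            return tuple(prefix)
        if end not in seen:
            seen.add(end)
            frontier.append((end, ()))
    while frontier:                    # breadth first, so the extension is minimal
        state, ext = frontier.popleft()
        for d in (0, 1):
            nxt = step(state, d)
            if uncovered(nxt):
                return tuple(prefix) + ext + (d,)
            if nxt not in seen:
                seen.add(nxt)
                frontier.append((nxt, ext + (d,)))
    return None

def missed_initial_states(seq):
    """check_val and isce: initial states from which seq does not uncover the
    fault. An empty list means formula (6) holds, i.e. seq is generally valid."""
    return [s for s in ALL_STATES if not run(s, seq)[0]]

def reset_state_sequence():
    """Lemma 2 (section 5.1): sequence for the reset state ~q0 ^ ~q1 ^ ~q1e."""
    return sat_seq([(0, 0, 0)])

def atpg():
    """Section 5.2: IC starts as 'any state'; each counterexample state becomes
    the new IC together with the sequence found so far (IC := ISCE ^ TE)."""
    ic_states, te = ALL_STATES, ()
    while True:
        te = sat_seq(ic_states, te)
        if te is None:
            return None                # fault undetectable
        missed = missed_initial_states(te)
        if not missed:
            return te                  # generally valid
        ic_states = [missed[0]]        # ISCE: initial state of a counterexample

if __name__ == '__main__':
    print('reset state:', reset_state_sequence())   # (1, 0): d, ~d
    print('general:', atpg())                       # (1, 0, 0, 1, 0)
```

The first iteration of atpg() returns the empty sequence, because an initial state with q1 ≠ q1ε satisfies UC at time point 0 (the paper's first row of table 1); the counterexample (0, 0, 0) then yields the reset-state sequence (d, ¬d), and the counterexample (q0, q1, q1ε) = (0, 1, 1) forces the extension to five vectors. Undetectability would show up as sat_seq returning None, which is the "fault undetectable!" exit of the algorithm.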
6. OPTIMIZATIONS
The temporal proving process has an exponential worst case complexity with regard to the number of state variables. Optimizing the proving system, avoiding unnecessary proof runs and reducing the problem size are therefore crucial to obtain feasible runtimes.
6.1 Avoiding Unnecessary Proof Runs
In case of circuits without reset state, the number and length of the proof runs are reduced by taking advantage of the degrees of freedom in the initial condition IC. Especially when starting the algorithm, no constraints are imposed on the initial state. Hence, it is first checked if there exists directly a state which satisfies the given uncover condition. Thus it is always tried to extend the generated sequence by only one test vector. A real proof run is only performed if IC forces it. Moreover, after each proof run a fault simulation is performed by a commercial fault simulator [34] to reduce the number of faults to be processed by dropping all faults which have also been detected by the determined test pattern sequences. For this purpose, the test pattern sequences for all faults already processed are concatenated in case of not resetable flip-flops. Due to the completeness of the presented approach, the fault simulator is only used for speed improvements and is not required for validating the test pattern sequences.
6.2 Reducing the Problem Size
There are situations, in case of circuits without reset state as well as in case of circuits with reset state, in which not all parts of the circuit have to be described by PTL formulas. Hence, the input to the proof system is reduced by performing a partial modeling of the correct and faulty circuit.
Circuit parts which will not propagate the fault to primary outputs can be eliminated in J and in Jε. When modeling the circuit by a directed graph, this elimination affects the predecessor nodes of all primary output nodes which are not successors of the faulty node. Furthermore, circuit parts which are not affected by the fault can be modelled only once for J and Jε (nodes which are not successors of the faulty node). Finally, when dealing with stuck-at faults, all those nodes can be eliminated which would have been only necessary to compute the value of the faulty node.
These optimizations lead to considerable savings. When dealing e.g. with a stuck-at fault at a primary output, it is not necessary to model the faulty circuit, as in that case the uncover condition only denotes that the correspondent output of the correct circuit must eventually carry the proper logical value (e.g. 0 for a stuck-at-1 fault). Moreover, only the predecessor nodes of that output must be modelled.
A temporal logic based approach is well suited for incorporating user guidance. It is easily possible to add to the circuit description initializing values (e.g. a reset signal) or sequences which the designer knows to put the circuit into a state suited for a given fault, by providing additional temporal formulas to the proving procedure.
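The graph classification of this subsection, as an added example (not the authors' code) on the netlist of figure 3: the fan-in table FANIN is derived from the formulas of figure 4, the next-state inputs of the flip-flops are treated as ordinary edges so that a fault effect propagates through the state, and the flip-flop outputs are taken as the primary outputs, as in the uncover condition of section 5.1. The example implements the elimination of parts that cannot carry the fault to an output, the single modeling of unaffected parts, and the primary-output special case; the stuck-at specific removal of nodes needed only for the faulty node's value is left out, since in figure 3 the fan-in of g5 (q0 and q1) is used elsewhere and nothing would be removed.

```python
# Added example, not code from the paper: partial modeling of section 6.2 on the
# netlist of figure 3. FANIN gives, for every modelled node, the nodes it reads
# (from the formulas of figure 4); the next-state fan-in of a flip-flop is an
# ordinary edge. 'd' is the only primary input and is not modelled as a node.
FANIN = {
    'g1': ('d',),
    'g2': ('q0', 'd'),
    'g3': ('q0', 'g1', 'q1'),
    'g4': ('d', 'q0', 'q1'),
    'g5': ('q0', 'q1'),
    'g6': ('g3', 'g4', 'g5'),
    'q0': ('g2',),                 # O q0 <-> g2
    'q1': ('g6',),                 # O q1 <-> g6
}
OUTPUTS = ('q0', 'q1')             # flip-flop outputs are the primary outputs

def closure(start, neighbours):
    """Nodes reachable from start (inclusive) via neighbours(node)."""
    seen, todo = set(), list(start)
    while todo:
        n = todo.pop()
        if n not in seen:
            seen.add(n)
            todo.extend(neighbours(n))
    return seen

def partial_model(fanin, outputs, fault_node):
    """Classify the nodes for a single fault at fault_node:
    'shared'     needed by an affected output but not affected: modelled once
    'duplicated' affected by the fault: modelled for J and for Je
    'dropped'    only needed by outputs the fault cannot reach: not modelled
    'faulty_copy_needed' is False for a fault on a primary output, where UC
    only demands the complementary value on that output (section 6.2)."""
    fanout = {n: [m for m, ins in fanin.items() if n in ins] for n in fanin}
    pred = lambda n: fanin.get(n, ())
    if fault_node in outputs:
        cone = closure([fault_node], pred) & set(fanin)
        return {'shared': cone, 'duplicated': set(),
                'dropped': set(fanin) - cone, 'faulty_copy_needed': False}
    affected = closure([fault_node], lambda n: fanout.get(n, ()))
    # only outputs that are successors of the faulty node can show the fault
    cone = closure([o for o in outputs if o in affected], pred) & set(fanin)
    return {'shared': cone - affected, 'duplicated': cone & affected,
            'dropped': set(fanin) - cone, 'faulty_copy_needed': True}

if __name__ == '__main__':
    for node in ('g5', 'q1'):
        print(node, partial_model(FANIN, OUTPUTS, node))
```

For g5 the result matches the worked example of section 5.2: g1, g2 and q0 are modelled once (this is why q0ε could be omitted there), while g3 to g6 and q1 need a faulty copy. If no primary output were a successor of the faulty node, 'cone' would be empty and every node would be dropped, which is the structural form of an undetectable fault.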
6.3 Optimizations of the Proving System
The proving procedure can be optimized by reducing the number of nodes represented by a tableau and by implementing more efficient transition conditions than the tableau rules originally used [26]. Both approaches can be combined.
Fujita and Fujisawa have shown that it is possible to represent the transition conditions of the tableau with binary decision diagrams (BDDs) to reduce the representation overhead [16]. However, an explicit enumeration of all reachable nodes in the large space of the power set of all subformulas is still required ([23], [26], [21]). This large space can be reduced when using temporal logic only for representing and analyzing the behavior of digital circuits. In that case, it is possible to represent the states of the digital system with propositional state variables, and the nodes of the tableau can also be encoded by a vector of state variables, which can be implemented more efficiently compared to a characterization of states with an elementary formula labelling. Moreover, the model can be represented symbolically by a transition relation and sets of states with characteristic functions.
Coudert et al. presented a method for sequential circuit verification which traverses the FSMs by symbolic manipulations of Boolean functions, represented as BDDs, and which avoids the state explosion drawback ([35], [27], [36]). This approach has proven successful and has been refined immediately ([19], [28]). Burch et al. have shown that the basic mechanisms are well suited for implementing model checkers for temporal logic ([17], [29]). Our own implementation is based on these approaches using the BDD-package of Brace et al. [37]. The construction process is stopped after the first satisfying variable sequence is found, so that the whole tableau of a PTL formula has to be constructed only if no solution exists.
7. EXPERIMENTAL RESULTS
The presented approach has been validated on a variety of sequential circuits. In the following, we present the results achieved on the ISCAS '89 s-benchmark set [32]. All runtimes are given in seconds and have been achieved on a SUN 4/65 workstation. Table 2 shows the results of verification runs according to lemma 1. The compared circuits are known to have identical behavior. "Depth" indicates the maximal length of an input sequence which may be applied to the circuit before a same state is encountered again. The runtimes give a worst case estimation of the time effort needed in case of undetectable faults for circuits with reset state, if the circuit modeling has not been optimized as indicated in section 6. An undetectable fault requires at worst the same exploration of the complete state space. Hence, if the designer succeeds in the verification step he can also be sure that for each stuck-at fault a test sequence can be generated with similar computing time. Aborted faults are avoided this way.
Table 2: Verification results
circuits          depth   time in seconds
s344 ↔ s349         7          59.2
s382 ↔ s400       151         213.7
s526 ↔ s526n      151         127.6
s820 ↔ s832        11           1.5
s1488 ↔ s1494      22           3.8
Table 3: Test Generation Results (resetable flip-flops)
circuit   #faults   #undet   #test vectors   avg. ATPG time/flt   total time in seconds
s27          32        0          16              0.01               —
s208        215       65         135              1.4                —
s298        308       36          —               —                  —
s344        342        5          98             31.9              837.7
s349        350        7         101             32.4              944.0
s382        399       20        1858             43.4             2405.x
s386        384       70         162              0.5               74.5
s400        424        —        1815             46.x             2868.7
s420        430        —          —               —                263.x
s444         —         —          —              60.3            14103.7
s510        564        —          —               —                 33.7
s526        555        —          —              58.x             7745.3
s820        850        —          —               —                  —
s832        870        —          —               —                  —
s1238      1355        —          —               —                  —
s1488        —         —          —               —                  —
s1494      1506        —          —               —                  —
(— : entry not legible in the available copy of the paper; x : last digit not legible)
In tables 3 and 4, the close relation of verifiability and testability is obvious. Test generation time for circuits with reset state is high for all circuits which have shown to be hard to verify. With our first implementation we were able to generate generally valid test patterns for those circuits without reset state which had small verification times. It is apparent that the sequential depth directly influences test pattern length and runtimes, especially in the case of circuits with non-resetable flip-flops. Since the system is based on a breadth-first traversal of the circuits, always minimal length test patterns are generated in case of circuits with reset state. If a fault is undetectable, acceptable runtimes are generally preserved, since in that case a complete exploration of the whole state space has to be performed, which is a strength of the verification oriented approach. By using "cheaper" methods like random patterns before applying verification based techniques, a considerable speed-up may be achieved for test generation [20]. However, since we want to emphasize in this paper the similarities between test and verification, we did not elaborate these possibilities.
Table 4: Test Generation Results (non-resetable flip-flops)
circuit   #faults   #undet   #test vectors   avg. ATPG time/flt   total time in seconds
s27          32        0          14              0.1                0.7
s208        215       65         208              0.5               72.2
s298        308       35         356             20.1             1238.2
s386        384       70         185              0.8               85.5
s420        430      226         252              6.2             1692.7
s820        850       35         977              1.8             2057.7
s832        870       51         977              1.8             2063.7
s1488      1486       40        1107              5.1             1849.5
s1494      1506       51        1034              5.5             1586.7
8. CONCLUSIONS AND FUTURE WORK
Using temporal logic it is possible to generate test pattern sequences by performing a constructive proof of the formally stated testing problem. Following this approach, a method has been presented which allows test generation for arbitrary fault models and leads to a novel approach for non resetable flipflops, which avoids many drawbacks of other approaches. Thus we are able to provide one tool which can be used for both test generation and hardware verification.
With our prototype implementation of this design tool, we are currently able to process the small and medium sized circuits from the ISCAS '89 benchmark set. This is not a fundamental drawback, since we have shown that it is possible to reduce test generation to a satisfiability problem in formal logic, as has been done previously for hardware verification. Temporal logic model checking
algorithms are subject to constant improvements, so that the size of manageable circuits will further increase [38]. Moreover, it is possible to extend the approach to hierarchical circuits, since hierarchy is one of the key issues of verification and many useful approaches have already been published which can also be applied to testing ([1], [39]).
ACKNOWLEDGEMENTS
We would like to thank Karl Brace, who provided us with their BDD-package, which considerably eased the implementation of our proof system [37]. The email correspondence with Ken McMillan revealed some useful implementation hints to us. Without the continuous assistance of Oliver Seitz, the whole implementation would not have been possible.
REFERENCES 
1 M.J.C. Gordon: Why Higher-Order Logic is a Good Formalism for Specifying and Verifying Hardware; Milne/Subrahmanyam (Eds.), Formal Aspects of VLSI Design, Proc. Edinburgh Workshop on VLSI 1985, North-Holland 1986, pp. 153-178.
2 V. Stavridou, H. Barringer, D.A. Edwards: Formal Specification and Verification of Hardware: A Comparative Case Study; Proc. 25th Design Automation Conference (DAC 88), 1988, pp. 197-204.
3 K. Schneider, R. Kumar, T. Kropf: Structuring Hardware Proofs: First Steps towards Automation in a Higher-Order Environment; Proc. International Conference on Very Large Scale Integration, A. Halaas, P.B. Denyer (Eds.), 1991, North-Holland.
4 R. Marlett: An Efficient Test Generation System for Sequential Circuits; Proc. 23rd Design Automation Conference, June 1986, pp. 250-256.
5 M. Schulz, E. Trischler, T. Sarfert: SOCRATES: A Highly Efficient Automatic Test Pattern Generation System; IEEE Transactions on CAD, Vol. 7, No. 1, January 1988, pp. 126-137.
6 W.T. Cheng: The BACK Algorithm for Sequential Test Generation; Proc. International Conference on Computer Design (ICCD 88), 1988, pp. 66-69.
7 M.H. Schulz, E. Auth: ESSENTIAL: An Efficient Self-Learning Test Pattern Generation Algorithm for Sequential Circuits; Proc. Intl. Test Conference (ITC 89), 1989, pp. 28-37.
8 M.J.Y. Williams, J.B. Angell: Enhancing Testability of Large-Scale Integrated Circuits via Test Points and Additional Logic; IEEE Transactions on Computers, vol. C-22, pp. 46-60, 1973.
9 E.B. Eichelberger, T.W. Williams: A Logic Design Structure for LSI Testability; Proc. Design Automation Conference 1977, pp. 462-468.
10 K.-T. Cheng, V.D. Agrawal: An Economical Scan Design for Sequential Logic Test Generation; Proc. 19th International Symposium on Fault-Tolerant Computing, pp. 28-35, 1989.
11 Hans-Joachim Wunderlich: The Design of Random-Testable Sequential Circuits; Proc. 19th Int. Symp. Fault-Tolerant Computing, pp. 110-117, 1989.
12 A. Kunzmann, H.-J. Wunderlich: An Analytical Approach to the Partial Scan Problem; Journal of Electronic Testing: Theory and Applications, vol. 1, pp. 163-174, 1990.
13 H.-J. Wunderlich, S. Hellebrand: The Pseudo-Exhaustive Test of Sequential Circuits; Proc. International Test Conference, 1989.
14 S. Devadas, H.-K.T. Ma, A.R. Newton, A. Sangiovanni-Vincentelli: Irredundant Sequential Machines Via Optimal Logic Synthesis; IEEE Trans. on Computer-Aided Design, vol. CAD-9, pp. 8-18, 1990.
15 Paolo Camurati, Paolo Prinetto: Formal Verification of Hardware Correctness: Introduction and Survey of Current Research; Computer, July 1988, pp. 8-19.
16 M. Fujita, H. Fujisawa: Specification, Verification and Synthesis of Control Circuits with Propositional Temporal Logic; Computer Hardware Description Languages and their Applications (CHDL 89), J.A. Darringer and F.J. Rammig (Eds.), Elsevier Science Publishers, North-Holland, 1989, pp. 265-279.
17 J.R. Burch, E.M. Clarke, K.L. McMillan, D.L. Dill: Sequential Circuit Verification Using Symbolic Model Checking; Proc. 27th Design Automation Conference (DAC 90), 1990, pp. 46-51.
18 B. Krishnamurthy: Hierarchical Test Generation: Can AI Help?; Proc. International Test Conference (ITC 87), 1987, pp. 694-700.
19 H. Cho, G. Hachtel, S.-W. Jeong, B. Plessier, E. Schwarz, F. Somenzi: ATPG Aspects of FSM Verification; Proc. International Conference on CAD (ICCAD 90), 1990, pp. 134-137.
20 F. Somenzi, H. Cho, G.D. Hachtel: Fast Sequential ATPG Based on Implicit State Enumeration; Proc. International Test Conference (ITC 91), 1991.
21 G.L.J.M. Janssen: Hardware Verification using Temporal Logic: A Practical View; Proc. Workshop Applied Formal Methods for Correct VLSI Design, Leuven, Belgium, 1989, pp. 291-300.
22 E.M. Clarke, E.A. Emerson, A.P. Sistla: Automatic Verification of Finite-State Concurrent Systems Using Temporal Logic Specifications; ACM Transactions on Programming Languages and Systems, Vol. 8, No. 2, April 1986, pp. 244-263.
23 Z. Manna, A. Pnueli: Verification of Concurrent Programs: The Temporal Framework; in "The Correctness Problem in Computer Science", R.S. Boyer and J.S. Moore (eds.), Academic Press, 1981, pp. 215-273.
24 Gregor V. Bochmann: Hardware Specification with Temporal Logic: An Example; IEEE Transactions on Computers, Vol. C-31, No. 3, March 1982, pp. 223-231.
25 S. Bapat, G. Venkatesh: Reasoning About Digital Systems Using Temporal Logic; Proc. 23rd Design Automation Conference (DAC 86), 1986, pp. 215-219.
26 P. Wolper: Temporal Logic Can Be More Expressive; Proc. 22nd Annual Symposium on Foundations of Computer Science, 1981, pp. 340-348.
27 O. Coudert, C. Berthet, J.C. Madre: Verification of Sequential Machines Using Boolean Functional Vectors; Proc. Workshop Applied Formal Methods for Correct VLSI Design, Leuven, Belgium, 1989, pp. 111-128.
28 H.J. Touati, H. Savoj, B. Lin, R.S. Brayton, A. Sangiovanni-Vincentelli: Implicit State Enumeration of Finite State Machines using BDD's; Proc. International Conference on CAD (ICCAD 90), 1990, pp. 130-133.
29 J.R. Burch, E.M. Clarke, K.L. McMillan, D.L. Dill, L.J. Hwang: Symbolic Model Checking: 10^20 States and Beyond; Proc. 5th Annual Symposium on Logic in Computer Science, 1990.
30 K. Cho, R.E. Bryant: Test Pattern Generation for Sequential MOS Circuits by Symbolic Fault Simulation; Proc. 26th Design Automation Conference (DAC 89), 1989, pp. 418-423.
31 Z. Kohavi: Switching and Finite Automata Theory; McGraw-Hill Computer Science Series, 1970.
32 F. Brglez, D. Bryan, K. Kozminski: Combinational Profiles of Sequential Benchmark Circuits; Proc.
International Symposium on Circuits and Systems (ISCAS 89), Portland, Oregon, May 9-11, 1989, pp. 1929-1934.
33 A. Miczo: The Sequential ATPG: A Theoretical Limit; Proc. International Test Conference, 1983, pp. 143-147.
34 GenRad Inc.: System HILO, System Reference Manual; Doc. No. 2523-0101, United Kingdom, 1988.
35 O. Coudert, C. Berthet, J.C. Madre: Verification of Synchronous Sequential Machines Based on Symbolic Execution; Proc. Workshop on Automatic Verification Methods for Finite State Systems, Grenoble, June 1989.
36 Randal E. Bryant: Graph-Based Algorithms for Boolean Function Manipulation; IEEE Transactions on Computers, Vol. C-35, No. 8, August 1986, pp. 677-691.
37 K.S. Brace, R.L. Rudell, R.E. Bryant: Efficient Implementation of a BDD Package; Proc. 27th Design Automation Conference (DAC 90), 1990, pp. 40-45.
38 J.R. Burch, E.M. Clarke, D.E. Long: Representing Circuits More Efficiently in Symbolic Model Checking; Proc. 28th Design Automation Conference (DAC 91), 1991, pp. 403-407.
39 T.F. Melham: Abstraction Mechanisms for Hardware Verification; VLSI Specification, Verification and Synthesis, G. Birtwistle, P.A. Subrahmanyam (eds.), Kluwer Academic Press, 1988, pp. 267-291.
