DESIGN FOR TESTABILITY WITH HW-SW CODESIGN by Pataricza, András et al.
PERIODICA POLYTECHNICA SER. EL. ENG.
DESIGN FOR TESTABILITY WITH HW-SW
CODESIGN
Department of Measurement and Instrument Engineering
Technical University of Budapest
H-1521 Budapest, Hungary
e-mail: csertan@mmt.bme.hu
Received: Jan. 2, 1996
Abstract
Current trends in the development of design automation tools aim at a radical increase
in productivity by offering highly automated design tools. As applications include even
critical control applications, dependability becomes an important design issue.
A novel approach supporting concurrent diagnostic engineering using a dataflow
behavioural description is presented in this paper. The basic idea of this new method
is the extension of the descriptions of the functional elements with the models of fault
effects and fault propagation at each level of the hardware-software codesign hierarchy,
thus allowing design for testability of digital computing systems.
Using the presented approach test generation can be done concurrently with the
system design and not only in the back-end design phase as it had been done previously.
For test generation purposes the generalized forms of the well-known logic gate level test
design algorithms can be used.
Keywords: diagnostic design, testability, test generation, PODEM, dataflow, HW-SW
codesign.
1. Introduction
The advent of low-cost implementation technologies of application specific
circuits opens new horizons for custom-tailored solutions. The availabil-
ity of low-cost, but highly complex off-the-shelf programmable components
(PLDs) and ASIC technologies provides such a background for their use even
by small enterprises, and not only by the market leaders in state-of-the-art
technologies, as was the case some five years ago. Recent efforts aim at the reduction
of cost and time of the design tasks by developing integrated environments
for system engineering. These offer various tools for the computer archi-
tects and circuit designers based on a homogeneous tool-box and a common
engineering database for the whole design process. An important charac-
teristic of such tools is that activities performed earlier only after the final
engineering design are pushed forward into an early design phase, thus
allowing a radical shortening of the design-feedback loop. Practical expe-
riences show a 1:20 reduction in design time, while the resulting hardware
overhead due to the automated design is as low as 40%. Moreover, the use
of automated design technologies radically improves the product's design
quality. Such a design approach is hardware-software codesign (Fig. 1),
which denotes 'the joint specification, design, and synthesis of mixed HW-
SW systems' (BORIELLO et al., 1995).
A main insufficiency of these tools originates in the lack of an inte-
grated support for the follow-up phases of dependability analysis. This
becomes crucial in safety related applications, like process control and au-
tomation. The avoidance of costly re-design cycles requires the pushing of
diagnostic design (test generation, testability analysis) into early phases
of system design as well. In (SIMPSON - SHEPPARD, 1994) a method is
presented for doing testability analysis as part of integrated diagnostics in
early design phases, but the problem of generating and designing the
test set remains unsolved.
The aim of our work is the development of a tool-box for model-
based diagnostic and dependability evaluation in the form of an extension
of the existing functional design tools. The basic models and technologies
developed are fully coherent with those used in the original tools in order
to keep the integrity of the design environment and to avoid unnecessary
model transformations.
The basic idea of the methodology is as follows:
1. A system is modelled at the highest level of abstraction of the func-
tional design process, usually by dataflow models (SCHOEN, 1992),
(BONDAVALLI - SIMONCINI, 1993). Only the flow of data and the
processing-related delay times are modelled in the form of token flows,
without any description of the individual data transformation in the
components (Level 1 and Level 2 uninterpreted modelling in Fig. 1).
This phase aims primarily at performance analysis and optimization
and it is supported by formal analysis methods, e.g. on the basis of
automatic translations into Petri nets.
2. More and more structural and functional details are added by stepwise
refinement into this initial model, thus defining increasingly precisely
the system's structure and the data processing functions of its com-
ponents (Level 3 mixed uninterpreted-interpreted modelling in Fig. 1).
3. Finally, when all component functions become fully defined (Level 4
interpreted modelling in Fig. 1), hardware-software separation can be
done and the automatic or interactive hardware and software synthesis
processes can be started.
The presented approach is based on the idea of extending the dataflow
notation by incorporating faults and fault effects. This extended notation
will be used in the modelling phases of HW-SW codesign, thus fault related
information can be gained concurrently with the system design by the eval-
uation of this composite model.

[Fig. 1: figure not reproduced; recovered labels: co-design process (iterative
steps of model refinement and evaluation). Input. Level 1: data and control
functions are not separated, uninterpreted modelling. Level 2: data and control
functions are separated (set of interacting modules). Level 3: interpreted
modelling of control functions. Level 4: interpreted modelling of both data and
control functions. Output: abstract architecture (set of communicating
processors).]
In uninterpreted modelling the tokens representing the data can be
marked either as correct or as erroneous. A superset of the fault propaga-
tion paths can be estimated by tracing their flow from the fault site in the
network. Due to the simplifications all elements are assumed to propagate
potentially all faults (no data dependencies are modelled), so only necessary
conditions can be estimated, but even this over-pessimistic result can still
be used for an effective control strategy in the test search procedures in
more detailed models.
Later, after introducing data dependencies in the mixed and inter-
preted models, costly heuristic or structural test generation algorithms must
be invoked for the final decision. However, the high-level dependability
analysis provides not only an inexpensive way for comparative analysis of
alternative constructs, but serves as a tool for test strategy design. In pre-
vious works (CSERTÁN et al., 1994, CSERTÁN, 1994, CSERTÁN et al., 1995)
and in this work it is shown that the following problems can be solved using
the presented approach:
- fault simulation
- test generation, fail-safe test generation
- estimation of optimal diagnostic strategies
- testability analysis for both built-in and maintenance tests
- failure modes and effects analysis (FMEA).
The paper is organized as follows: Section 2 introduces the modelling ap-
proach, and presents a simple system and its model as an example. In Sec-
tion 3 a representative of the family of test pattern generation algorithms
is presented, and a test is generated for the example. Finally, Section 4
contains concluding remarks and a short overview of the future work.
2. The Modelling Approach
2.1 The Fault Model
Faults are mainly hardware related and usually modelled at a lower
level of abstraction. Therefore it is necessary to introduce an error model at
higher levels of abstraction. Since in uninterpreted modelling data depen-
dencies are undefined, it has to express uncertainties due to the neglected
data dependencies. In the proposed approach a multi-valued fault model
is used instead of the stuck-at gate-level fault model. Its advantage is the
high expressive power for the description: the quite complex functional
units can be described more precisely and various other requirements, like
safe testing, can be considered. A potential multi-valued fault model can be
defined: according to the black-box modelling approach, component faults
are identified by the rough and, for the sake of compactness, simplified
classification of the results they deliver:
- ok message denotes that the component delivered a correct computa-
tional result
- inc message denotes that the component delivered incorrect data
- dead message will be sent if the component, due to a fatal fault, does
not deliver results at all
- x message is used to express uncertainty. The correctness of the result
depends on the actual data values received by the component and on
the actual implementation of the component (for a given data value
it would be ok, for another it would be inc).
2.2 The Dataflow Notation
The dataflow notation, proposed in (JONSSON, 1989), is well suited for
conceptual modelling of computing systems in the early design phases
(BONDAVALLI - SIMONCINI, 1993), for early validation of computing systems
(BERNARDESCHI, 1993), and for performance evaluation (CSERTÁN et al.,
1994).
A dataflow network $N$ is a set of nodes $P_N$, which execute concur-
rently and exchange data over point-to-point communication channels $C_N$.
The dataflow node represents the functional elements of the system. The
signal propagation attributes of an element are described by a simple re-
lation between inputs and outputs, eventually depending on the previous
state of the node. Note that as the correlation of the inputs and outputs
is described by this relation in a weaker form than by an input-output
function, this behaviour can also be non-deterministic. The channels of
the dataflow network symbolize the interaction between the functional el-
ements of the system. Internal channels link two nodes. Input (output)
channels connect a single node to the outside world representing the pri-
mary inputs (outputs) of the system. Communication events occur when
data items (subsequently called tokens) are inserted into an input channel
(input event describing the arrival of some data to the primary inputs) or
data items are removed from an output channel (output event denoting the
appearance of results on a primary output of the system).
The functional behaviour of a node $p$ is defined by a set of firing rules
$R_p$. $S_p$ denotes the set of possible states of the node. A node is ready to
execute as soon as the data required by one of its firing rules are available
and the node is in a proper state. The meaning of firing rule $f \in R_p$,
denoted by $f = (s, X_{in}, s', X_{out})$, is that if the node $p$ is in state $s \in S_p$ and each
of the input channels $i \in I_p$ holds at least $X_{in}(i)$ data items, then firing
rule $f$ is potentially selected for execution. The execution of firing rule
$f$ removes $X_{in}(i)$ data items from each input channel $i \in I_p$ and outputs
$X_{out}(j)$ data items on each output channel $j \in O_p$, while the node changes
its state from $s$ to $s'$.
2.3 An Example
The selected example is very simple due to space limitation and cannot
introduce the full modelling power of the presented approach (refer to
CSERTÁN, 1994). The system is an intelligent scales, that can calculate
the price of goods according to its weight and to the unit price. Modelling
is done at the highest level of abstraction (uninterpreted modelling). The
fault model is restricted to single internal faults, that can be one of the
following:
- eq-more identifies the fault when a component delivers a result which
is either equal to or larger than the correct one. Actually in our case
it is considered as a fault-free result.
- less is sent by a component if it delivers a result that is less than
the correct one.
- dead denotes that a component does not deliver results at all.

[Fig. 2: dataflow graph not reproduced; recovered formal description.]
$P_N$ = {price_in, weight_sensor, controller, display, arithmetic}
Node weight_sensor (rules written as (state; input; next state; output)):
I = {goods}
O = {from_weight_sensor}
S = {eq-more, less, dead}
R = {f1, ..., f8}
f1 = (eq-more; goods=eq-more; eq-more; eq-more -> from_weight_sensor)
f2 = (eq-more; goods=less; eq-more; less -> from_weight_sensor)
f3 = (eq-more; goods=dead; eq-more; x -> from_weight_sensor)
f4 = (eq-more; goods=x; eq-more; x -> from_weight_sensor)
f5 = (less; goods=eq-more; less; less -> from_weight_sensor)
f6 = (less; goods=less; less; less -> from_weight_sensor)
f7 = (less; goods=dead; less; less -> from_weight_sensor)
f8 = (less; goods=x; less; less -> from_weight_sensor)
Fig. 2. Data flow model of the intelligent scales
We assume that the system has no built-in fault detection capabilities.
From the point of view of the shopkeeper fault less is of the greatest severity,
since in this case the price paid by the customer is less than the value of
the goods. The dataflow graph of the system and the formal notation of
one of the nodes are shown in Fig. 2. (Note that if necessary the token
eq-more could be split into two tokens ok and more.)
The system consists of 5 parts: price_in reads in the price per unit of
the goods from a keyboard and sends it to the controller and to the display
as well. Malfunctions of the component are: not delivering a result (e.g. due
to a broken wire), or delivering the faulty result less. The weight sensor
measures the weight of the goods and sends the results to the controller.
The weight sensor always sends a result, but it can be either eq-more or
less. The controller receives the weight and the price per unit of the
goods in the first step of its functioning and delivers them to the arithmetic
unit. In the second step the computed price received from the arithmetic
unit is forwarded to the display. The controller can deliver either eq-more
or less results, or it can even be dead. The arithmetic unit is responsible
for computing the price of the goods from the price of the unit and from
the weight. When the component is faulty, computation results can be
incorrect or it is possible that the component does not deliver results at
all. Finally, the display displays the price per unit and the price of the
measured goods. The display can have one of the faults eq-more, less,
dead.
Inputs of the system are: price_per_unit, goods, while
price_out is the output of the system. The initial state of fault-free
components is the fault-free state eq-more. A verbal interpretation of some firing rules of the
weight_sensor node (Fig. 2) is:
f1 - During fault-free functioning this rule describes the component.
Since only fault-free messages eq-more are received and the com-
ponent does not have any internal fault, it remains in the fault-free state
eq-more.
f2 - Describes the fault propagation of the fault-free component: if the
input message received from goods is faulty less, the result will also
be faulty less and it will be delivered into from_weight_sensor.
f5 - Due to an internal fault the sensor measures the goods faultily. The
result of the measurement is less than the weight of the goods, and
the faulty result is delivered to the controller via from_weight_sensor.
3. Test Design in HW-SW Codesign
The base of effective fault detection and diagnostics is a well-planned test
strategy. In this section we will show that test strategy design can be
done concurrently with system design by using a dataflow model based
automatic test pattern generation (ATPG). The presented algorithm is a
generalized form of logic gate-level test pattern generation algorithms. The
idea of generalization arises when considering the correspondence between
the two models:
- Similarity to the gate- and module-level stuck-at fault model, where
faults are modelled at the output of logic gates. Errors of a functional
dataflow node are manifested at the outputs in the form of erroneous
messages.
- The behaviour of a dataflow functional element is described by a
transfer relation, similarly to the truth or state transition tables of
logic gates and modules.
- The model may contain loops, that, just like in the case of sequential logic,
have to be cut, and an iterative array model can be constructed in both
cases (ABRAMOVICI et al., 1990).
- Since components can have states, the testing of a system has to
start from a predefined initial system state. (In the practical dataflow
models examined so far there was no need for the search of a self-
initialization sequence.)
We will exploit this correspondence and present the high-level version of a
gate-level ATPG algorithm. As a representative example we selected the
well-known PODEM algorithm (ABRAMOVICI et al., 1990, GOEL, 1981)
that is widely used for test generation for stuck-at faults in logic circuits.
3.1 The PODEM Algorithm
In order to generate a test for a given fault the problem of test generation
is recursively divided into the sub-problems of: implication and checking;
line justification; fault propagation. Implication and checking aims at the
reduction of the problem space, line justification is responsible for setting
the primary inputs (PIs) according to a given line and fault propagation
tries to propagate the state of a line to the primary outputs (POs). The
PODEM (Path-Oriented Decision Making) algorithm (Fig. 3) is character-
ized by a direct search process: it directly manipulates the PIs and tries
to propagate the fault to the POs. In each step of the algorithm checking
and implication is done. To keep track of the still open problems a set is
maintained during the algorithm: the D-frontier contains the gates from
the outputs of which the fault has to be propagated towards the POs. The
advantage of PODEM over other test pattern generation algorithms is
that due to the direct search:
- no consistency check is needed
- the J-frontier can be eliminated
- backward implication is not necessary.
 1: Podem()
 2: begin
 3:   if (error at PO) then return SUCCESS
 4:   if (test not possible) then return FAILURE
 5:   k = Objective()
 6:   j = Backtrace(k)
 7:   for (v = all possible values of the fault model)
 8:   begin
 9:     Imply(j, v)
10:     if (Podem() = SUCCESS) then return SUCCESS
11:   end
12:   return FAILURE
13: end
Fig. 3. The Podem() procedure
:):3 
In the proposed approach the solution of the subproblems is slightly dif-
ferent from the original one:
- Due to the multi-valued fault model the values eq-more, less, dead, x
are used instead of 0 and 1. It means that instead of the values $D$
(1 in the good, 0 in the faulty circuit) and $\bar{D}$ (0/1), the fault pairs eq-
more/less, eq-more/dead, eq-more/x, less/eq-more,
less/dead, less/x, dead/eq-more, dead/less, dead/x are
propagated.
- Instead of the truth table, firing rules are used. Possible actions de-
pend on the state of the component. States of the component have
to be consistent in subsequent blocks of the iterative array model
(predecessor and successor states).
- Checking has to ensure that the constraints imposed by the global
testing requirements, e.g. safe testing, are fulfilled.
Test generation starts with the initialization of the channels, where the value
ND (not defined) is assigned to each channel. After the initialization the
Podem() procedure is called (Fig. 3). In each step when Podem() is ex-
ecuted some checks occur, a PI is selected, implication is done, and
Podem() is called recursively again to check the results of the implication
step. The activities of the Podem() procedure can be outlined as:
Step 3 the stop criterion is checked, e.g. if a fault pair has been propagated
to a PO, test generation is successful.
 1: Objective()
 2: begin
 3:   if (all outputs of the target node n are ND) then k = n
 4:   else select a node k from the D-frontier
 5:   select one input l of k
 6:   return l
 7: end
Step 4 if no test can be generated, Podem() has to be stopped. This is
the case when:
- the target fault cannot be activated, since a different value has been
propagated to the output of the faulty component;
- no error propagation step can be done, since the D-frontier is empty.
Step 5 an objective (a channel) for error propagation is selected, usually
it is a channel from the D-frontier.
Step 6 a PI being in connection with the selected channel is selected.
Steps 7-12 All possible values of the fault model are probed at the PI in order to fulfil the
objective by implications. If none of the probes is successful, Podem()
returns failure and another PI (according to Step 6) has to be selected and
probed again.
In each step Podem() is executed two other procedures are called:
Objective() selects a channel to which a fault pair has to be propagated.
For this reason in:
Steps 3,4 a component is selected. It is either the component a test has
to be generated for or it is a component from the D-frontier.
Step 5 a still unassigned (it has the value ND) input of the node is selected.
 1: Backtrace(k)
 2: begin
 3:   while (k is an output of some node n)
 4:   begin
 5:     select an input j of node n
 6:     k = j
 7:   end
 8:   return k
 9: end
The other procedure, Backtrace(), is responsible for finding the PI by
which adjustment a fault pair has to be propagated to the selected channel:
Steps 3-7 A search is done toward the PIs of the dataflow modelled system.
To an output of a component an input is assigned. It will denote the
implication path from the PI to the selected objective.
3.2 Test Generation for the Example
To illustrate the previously defined algorithm, test generation is shown in
detail for the less fault of the controller component in the simple example.
Steps of the test generation are presented in Fig. 6 step by step. (Note that
identifiers of channels are omitted.)
Steps of test generation can be explained as:
Step 0 Initialization. ND is assigned to all channels. Test generation can
be started.
Step 1 First call of the Podem() procedure. Since the POs have not
been reached yet, Objective() and Backtrace() are called. In this step all
the outputs of the controller unit are ND, thus the objective is the channel
from_price_in and Backtrace() selects the PI price_per_unit.

[Fig. 6: figure not reproduced; recovered text. Step 1: Imply() =>
price_per_unit=eq-more, to_display=eq-more, from_price_in=eq-more;
D = {controller}. Step 2: (labels weight_sensor, arithmetic only).]

Implication is done, but no error pairs appear, thus the D-frontier remains
empty.
Step 2 After the implication of the first step, Podem() is called again.
This time the objective is the channel from_weight_sensor. Backtrace() now
identifies the other PI of the system: goods. As a result of implication an
error pair appears on the output channel of the display component, which is
now an element of the D-frontier.
Step 3 Third, last call of Podem(). Checking detects the error pair eq-
more/less at the PO price_out, thus test generation is finished suc-
cessfully.
The result means that if the controller has a less fault, it can be detected
by measuring a known weight. (The price must also be typed correctly.)
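As an added example (not code from the paper), the following Python program encodes the intelligent scales of Fig. 2 as a dataflow network under the multi-valued fault model of Section 2, performs the fault simulation sketched in Section 1 (tracing which channels an error pair reaches from the fault site), and runs the generalized PODEM of Section 3 over it. The channel names and the firing rules of the nodes other than weight_sensor are assumptions derived from the verbal description of the system (they reproduce f1..f8 and are assumed to hold for every node); the controller's loop with the arithmetic unit is cut into two blocks of an iterative array model that share one fault state, as the paper prescribes. The safe-testing constraint is modelled by refusing fault pairs that contain the uncertain value x.

```python
"""Dataflow model of the intelligent scales with the multi-valued fault model,
fault simulation, and a PODEM-style direct search.  Added example, not the
paper's code; node rules other than weight_sensor's and all channel names are
assumptions taken from the paper's verbal description."""

OK, LESS, DEAD, X, ND = "eq-more", "less", "dead", "x", "ND"
VALUES = (OK, LESS, DEAD, X)          # token values probed at a primary input

# Iterative array model: (component, input channels, output channels).
# The controller appears twice because its loop with the arithmetic unit is
# cut into two blocks; both blocks share the controller's fault state.
STAGES = [
    ("price_in",      ["price_per_unit"],                     ["from_price_in", "to_display"]),
    ("weight_sensor", ["goods"],                              ["from_weight_sensor"]),
    ("controller",    ["from_price_in", "from_weight_sensor"], ["to_arithmetic"]),
    ("arithmetic",    ["to_arithmetic"],                      ["from_arithmetic"]),
    ("controller",    ["from_arithmetic"],                    ["to_display_price"]),
    ("display",       ["to_display", "to_display_price"],     ["price_out"]),
]
PIS, POS = ["price_per_unit", "goods"], ["price_out"]


def fire(state, inputs):
    """Output token of a node in fault state `state`; reproduces f1..f8 of
    weight_sensor (assumed for every node): a `less` node always delivers
    less, a dead node delivers dead, a fault-free node forwards a `less`
    input and turns a dead or uncertain input into the uncertain `x`."""
    if state in (DEAD, LESS):
        return state
    if LESS in inputs:
        return LESS
    return X if DEAD in inputs or X in inputs else OK


def simulate(pi_values, faults):
    """One pass over the topologically ordered stages: a node fires only when
    every input carries a token; unassigned channels stay ND."""
    ch = {c: ND for _, ins, outs in STAGES for c in ins + outs}
    ch.update(pi_values)
    for comp, ins, outs in STAGES:
        if all(ch[i] != ND for i in ins):
            token = fire(faults.get(comp, OK), [ch[i] for i in ins])
            ch.update({o: token for o in outs})
    return ch


def error_pair(good, bad, strict=True):
    """Fault pair good/bad on a channel.  With strict=True an uncertain x on
    either side does not count (the safe-testing constraint)."""
    if ND in (good, bad) or good == bad:
        return False
    return not (strict and X in (good, bad))


def affected_channels(target, fault, pi_values, strict=False):
    """Fault simulation: channels on which `fault` of `target` shows up."""
    good, bad = simulate(pi_values, {}), simulate(pi_values, {target: fault})
    return [c for c in good if error_pair(good[c], bad[c], strict)]


def objective(target, good, bad, strict):
    """Channel to drive next: an ND input of the target while its outputs are
    ND (fault activation), else an ND input of a D-frontier node, else None."""
    for comp, ins, outs in STAGES:
        if comp == target and all(good[o] == ND for o in outs):
            return next(i for i in ins if good[i] == ND)
    for comp, ins, outs in STAGES:                       # the D-frontier
        if any(error_pair(good[i], bad[i], strict) for i in ins) \
                and all(good[o] == ND for o in outs):
            return next(i for i in ins if good[i] == ND)
    return None


def backtrace(k, good):
    """Walk from channel k towards the PIs through still-unassigned inputs."""
    while k not in PIS:
        _, ins, _ = next(s for s in STAGES if k in s[2])
        k = next(i for i in ins if good[i] == ND)
    return k


def podem(target, fault, assign=None, strict=True):
    """Generalized PODEM: a PI assignment exposing `fault` of `target` as an
    error pair at a primary output, or None if no (safe) test exists."""
    assign = dict(assign or {})
    good, bad = simulate(assign, {}), simulate(assign, {target: fault})
    if any(error_pair(good[po], bad[po], strict) for po in POS):
        return assign                                    # SUCCESS
    for comp, _, outs in STAGES:                         # fault not activated
        if comp == target and good[outs[0]] != ND \
                and not error_pair(good[outs[0]], bad[outs[0]], strict):
            return None
    k = objective(target, good, bad, strict)
    if k is None:
        return None                                      # D-frontier empty
    pi = backtrace(k, good)
    for v in VALUES:                                     # probe every value at the PI
        found = podem(target, fault, {**assign, pi: v}, strict)
        if found is not None:
            return found
    return None


if __name__ == "__main__":
    print("test for controller/less:", podem("controller", LESS))
    print("safe test for controller/dead:", podem("controller", DEAD))
    print("unsafe test for controller/dead:", podem("controller", DEAD, strict=False))
```

Running the block reproduces the result of Section 3.2: the less fault of the controller is exposed by eq-more on both primary inputs, i.e. a correctly typed price and a known weight. It also shows the caveat behind the safe-testing constraint: a dead controller or arithmetic unit reaches price_out only as the uncertain value x in this model, so under strict checking no fail-safe test exists, while the relaxed search accepts the eq-more/x pair.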
4. Conclusion and Future Work
In this work we presented a modelling approach which can be used in the
early phases of HW-SW codesign. It supports testability and dependabil-
ity analysis in such a way that it becomes an integral part of the design
process, since in the proposed dataflow model both the functional and the
fault propagation/fault effects information are incorporated. By means of
a simple example we have shown that even in this phase of the design test
strategy design and testability analysis can be done concurrently with the
system design.
Future work incorporates the implementation of an environment in
which dependable hardware-software codesign can be done. For this reason
the Ptolemy design environment, developed at the University of California
at Berkeley, will be used.
References
ABRAMOVICI, M. - BREUER, M. A. - FRIEDMAN, A. D. (1990): Digital Systems Testing
and Testable Design. Computer Science Press, New York.
BORIELLO, G. - BUCHENRIEDER, K. - CAMPOSANO, R. - LEE, E. - WAXMAN, R. -
WOLF, W.: Hardware/Software Codesign. IEEE Design and Test of Computers,
March 1995.
BERNARDESCHI, C. - BONDAVALLI, A. - SIMONCINI, L.: Dataflow Control Systems:
An Example of Safety Validation. In Proceedings of SAFECOMP'93, pp. 9-20,
Poznan, Poland, 1993.
BONDAVALLI, A. - SIMONCINI, L.: Functional Paradigm for Designing Dependable Large-
Scale Parallel Computing Systems. In Proceedings of the International Symposium on
Autonomous Decentralized Systems, ISADS'93, Kawasaki, Japan, 1993.
CSERTÁN, Gy. - BERNARDESCHI, C. - BONDAVALLI, A. - SIMONCINI, L.: Timing Analysis
of Dataflow Networks. In Proceedings of the 12th IFAC Workshop on Distributed
Computer Control Systems, DCCS'94, Toledo, Spain, September 1994.
CSERTÁN, Gy. - GUTHOFF, J. - PATARICZA, A. - THIELE, R.: Modelling of Fault-
Tolerant Computing Systems. In Proceedings of the 8th Symposium on Microcom-
puters and Applications, uP'94, Budapest, Hungary, October 1994.
CSERTÁN, Gy. - PATARICZA, A. - SELÉNYI, E.: Dependability Analysis in HW-SW
Codesign. In Proceedings of the IEEE International Computer Performance and
Dependability Symposium, Erlangen, Germany, April 1995.
CSERTÁN, Gy.: Dependability Analysis in HW-SW Codesign. Technical Report, Institute
of Computer Science III, University of Erlangen-Nürnberg, Martensstr. 3, D-91058
Erlangen, Germany, 1994.
GOEL, P.: An Implicit Enumeration Algorithm to Generate Tests for Combinational Logic
Circuits. IEEE Transactions on Computers, C-30(3):215-222, March 1981.
JONSSON, B.: A Fully Abstract Trace Model for Dataflow Networks. In Proceedings of the
ACM Symposium on Principles of Programming Languages (POPL), pp. 155-165, Austin, Texas, 1989.
ROZENBLIT, J. - BUCHENRIEDER, K. (editors): Codesign. IEEE Press, 1995.
SCHOEN, J. M. (editor): Performance and Fault Modelling with VHDL. Prentice Hall, En-
glewood Cliffs, New Jersey, 1992.
SIMPSON, W. - SHEPPARD, J. W.: System Test and Diagnosis. Kluwer Academic Pub-
lishers, 1994.
