A new approach to functional deductive fault simulation is presented in this paper. In this approach, fault models of complex functional digital components are derived using a new modeling technique and a decomposition principle. This approach also utilizes the deductive technique [AD72], and the fault simulation algorithm is distributed across all the fault models. Every model is independent and is capable of scheduling itself for execution when it receives the input vectors and fault lists at all its input ports.
As a result, parallelism may be utilized with relative ease. Functional fault models are also observed to be invariant to their internal implementation and performance measurements indicate that functional fault simulation is significantly faster than gate-level simulation.
The CPU time rises linearly with the increasing number of devices simulated as shown by a limited set of experiments.
This approach has been verified in the RDV [GS84] at Stanford University.
1. Introduction
Previous Work
Before Seshu [SS65] introduced the parallel technique, fault simulation was based on the serial technique where, corresponding to every fault, a faulty circuit is simulated and its output compared against that of a good circuit. As a result, serial fault simulation was slow. The parallel technique is faster and is based on the following principle. In it, the fault-free circuit and a number of faulty circuits are simulated simultaneously.
The number of faults simulated during a single pass is a function of the word length of the host machine; for multiple faults, many passes may be required. The performance improvement of the parallel over the serial technique is, therefore, proportional to the word length of the host computer.
Mathematically, fault simulation may be described as follows. Let C denote an arbitrary good circuit and let f = {f1, f2, ..., fn} be the set of all faults of interest in C. Assuming a 0,1 value system in RDV, let the good output response to a test vector T be C(T). Let Cf denote the circuit under a fault condition f in {f1, ..., fn}. A fault in {f1, ..., fn} is said to be detected by T if Cf(T) ≠ C(T).
A fault list at an output of a circuit, under fault simulation, is a list of faults that will force a faulty value at the output, for a given input. Mathematically, if a circuit denoted by C has the following set of relevant faults, f = {f1, ..., fn}, then the fault list at an output O (good value O') will be FO = {fi, ..., fk}, such that, for each fault in FO, the value at the output O will differ from O'.
Section 2 presents the basic concepts of RDV followed by the derivation of fault models for gates. The fault models for gates explain the basic constituents of a model (the fault modeling knowledge, the evaluation function, and the distributed scheduling) and also how the model is independent of the rest of the simulator.
In section 3, functional-level models are derived for several commonly used digital devices (using the decomposition principle) such that they can each be integrated with their respective functional and timing models into the RDV. Also, the limitation of the decomposition principle is presented followed by the invariance principle which states that the results of functional fault simulation are invariant to the implementation details. Section 4 contains an analysis of the measurements obtained from running fault simulation on several example circuits in RDV.
Basic Concepts and Gate Fault Models in RDV
The deductive fault simulation algorithm [AD72] incorporated in RDV deduces the output fault lists based on the input vectors, input fault lists, and the input-output behavior of the device being simulated without any explicit simulation that usually involves scheduling of good and faulty events.
In RDV, prior to initiating fault simulation of a digital design, input vectors are assigned to all the primary inputs and any required initialization is performed. When a device as a result of initialization has input vectors and fault lists asserted at all its inputs, the corresponding fault model is executed.
Because scheduling is distributed, at any instant during simulation, the number of such models that are executing simultaneously may be greater than one. The execution process is described as follows.
Every path or net in a circuit is identified in RDV by an integer. A net may connect several nodes of many devices and has a single logical value at any instant during simulation. When a fault model of an n-input device, where the input ports are identified by I1, ..., In, is executed, first, fault lists F(I1), ..., F(In) are created.
This process is termed "creating list." When the input value at net Ik is logical 0, F(Ik) contains a single fault entry Ik stuck-at 1. If the value at net Ik is 1 instead then F(Ik) will contain the fault entry Ik stuck-at 0. A fault list is implemented as a linked list of fault records or entries, where each record consists of three fields. In RDV, a fault list for net Ik is pointed at by F(Ik), where F identifies that part of the simulation database that relates to fault simulation. The first field contains the identifier of the net where the fault originates; the second field identifies the nature of the fault, whether stuck-at 0 or stuck-at 1. The third field points to the next fault record and when none is present it points to nil. Figure 1 shows a fault list corresponding to the net identifier X, where the entry is X stuck-at 1. Once input fault lists are created at the inputs of a device, the output fault lists are deduced based on the input lists and the input-output behavior of the device. The process of deduction consists of selectively merging the input fault lists to form output fault lists at the output of the device and is termed "merging lists," as discussed in section 2.2.
Because of reconvergence in a circuit, it is sometimes necessary in the deductive technique to subtract selected fault entries from a fault list. In the procedure responsible for subtracting fault lists, the fault entries that are selected for subtraction are usually those that are common between two or more fault lists. The two procedures that are responsible for extracting the common entries from two or more lists, and subtracting selected entries from a fault list, are respectively termed "common-entry" and "subtract-lists."
A fault model completes execution after the output fault list is deduced and is propagated to the inputs of other fault models that are connected to it. In RDV, fault models are successively activated, executed, and then the fault lists are propagated to the primary output of the circuit. The fault simulation process terminates when output fault lists are available at all primary outputs of the circuit; the contents of these lists identify all faults that are detectable for the given input vector.
Fault Model of a two-input AND Gate
For the AND gate shown in Figure 2, the fault model is derived in Figure 3. First, the model checks whether inputs have been asserted at its inputs and when true it activates itself for execution.
The output fault list is deduced based on the input fault lists, input vectors, and the input-output behavior of the gate. Therefore, deducing the fault list is completely independent of other models and the rest of the simulator.
At the end of execution, the fault model propagates output fault lists to all other fault models that are connected to its output port. Subsequent models activate themselves when inputs are asserted at their input ports, and the fault lists are propagated in the direction of the primary output of the circuit.
The self-activation and propagation of fault lists to other models at the end of execution constitutes the distributed scheduling of the model. The underlying Ada scheduler simply places active fault models in a queue for execution by a single processor and terminates the executed models.
Also, because the input fault lists are accessed from the simulation database indirectly through the input identifiers input (1) and input (2) and since the computation on input fault lists to derive the output fault lists is based on these identifiers, the fault model is independent of the functional and timing models and may, therefore, be integrated into RDV.
In the device model shown in Figure 3, the input identifiers are input (1) and input (2) and the output identifier is output (3). The values at input (1), input (2), and output (3) are stored in t(input(1)), t(input(2)), and t(input(3)). Until vectors are assigned to the inputs, the fault model is not executed.
During execution, first, the fault lists F(input (1)) and F(input (2)) are created by create-list based on the input vector. Then, the output value is determined using the Boolean relationship and the fault list F(output (3)) is created by create-list. Based on the input vector and considering only single stuck-at faults, the output fault list is determined using merge-lists in the following way.
If the inputs input (1) and input (2) are both assigned logical 1, then every record (fault) in the fault lists F(input (1)) and F(input (2)) will force the respective input to 0. Both F(input (1)) and F(input (2)) must be merged into F(output (3)) because for all faults that force an input to 0, the output will be 0, different from the correct output, and, therefore, these faults are detectable at the output. When input (1) and input (2) are both logical 0, then every record in the fault lists F(input (1)) and F(input (2)) will force the respective input to 1. Neither F(input (1)) nor F(input (2)) is merged into F(output (3)) because, for all faults that force an input to 1, the output is 0, indistinguishable from the correct output, and, therefore, these faults are not detectable at the output.
However, if there are common entries between the fault lists at input (1) and input (2), then, for each such entry, both inputs will be forced to 1, causing a 1 at the output which is detectable.
The output fault list will contain all common entries between F(input (1)) and F(input (2)). If input (1) and input (2) are 0 and 1 respectively, every record in F(input (1)) and F(input (2)) will force the two inputs to 1 and 0 respectively. Only F(input (1)) is merged with F(output (3)), because, for all faults that force a 1 on input (1), the output is 1, different from the correct output, and, therefore, these faults are detectable at the output. However, all faults common between F(input (1)) and F(input (2)) must be eliminated from F(output (3)) because each of them will force a 0 on input (2), causing a 0 on the output which is undetectable.
When input (1) and input (2) are 1 and 0 respectively, F(input (2)) is merged into F(output (3)) and the faults common between F(input (1)) and F(input (2)) are eliminated, by a similar reasoning.
For the one-bit adder shown in Figure 4, the functional fault model is derived assuming the general case that A, B, and CIN are secondary inputs. The Boolean equations that define the adder are given below Figure 4, where the symbols ".", "+", and U-n represent Boolean AND, OR, and NOT respectively. Therefore, fault lists F(A), F(B), and F(CIN) may be nonempty. Figure 5 contains the truth tables for the COUT (carry out) and S (sum) outputs. For a given input set of values of CIN, A, and B, the COUT and S outputs may be obtained from tables 1 and 2. Assuming CIN = 1, A = 0, and B = 1, the following fault lists are created by the procedure create-list and appended to the already existing lists. Therefore,
and F(B) = F(B) ∪ B(s-a-0).
For the input vector, the correct outputs are read from tables 1 and 2 to be S = 1 and COUT = 0; therefore, the fault lists for these outputs are F(S) = S(s-a-0) and F(COUT) = COUT(s-a-1). For all faults in F(CIN), the equivalent faulty input vector is CIN = 0, A = 0, and B = 0 for which COUT is 0 (table 1) and S is 0 (table 2).
The value of COUT is indistinguishable from the correct value; however, any fault common between F(A), F(B), and F(CIN) will cause a 1 at COUT which is the same as the good output.
Therefore,
∩ F(CIN). The value of S is different and, therefore, the faults in F(CIN) are potentially detectable at the output S. Hence, F(S) = F(S) ∪ F(CIN).
All fault entries that are common between F(A) and F(CIN) will cause a 1 at the S output and hence must be eliminated.
For all faults in F(A), the output values are CIN = 1 and S = 0. Both of these output values are different from the correct output and all faults in F(A) are detectable at both S and COUT.
Therefore, F(S) = F(S) ∪ F(A), and F(COUT) = F(COUT) ∪ F(A). All fault entries common between F(A) and F(B) and between F(A) and F(CIN) must be eliminated from F(S) because they cause a 1 on the S output which is indistinguishable from the good output. The fault entries common between F(A) and F(B) and between F(A) and F(CIN) must also be eliminated from F(COUT) because they will force a 0 on the COUT output which is the same as the good output.
S. Ghosh
By a similar reasoning process, for all faults in F(B), the following final fault lists are obtained.
The fault model (Figure 6) for the one-bit adder must produce output fault lists for all possible vectors at the inputs A, B, and CIN. In it, first, the input fault lists F(A), F(B), and F(CIN) are determined based on the given input vector. Then, S and COUT are determined using the truth tables and, based on these, F(S) and F(COUT) are deduced.
All faults in F(A), F(B), and F(CIN) correspond to a respective faulty vector, for which the S and COUT outputs are determined again using the truth tables. If the value of S for all faults in F(A) differs from the correct value, then the fault list F(A) is appended to F(S), because these faults are potentially detectable at the S output. Similarly, where the value of COUT for all faults in F(A) differs from the good value, the fault list F(A) is added to F(COUT).
When the fault lists F(A), F(B), and F(CIN) are being appended to F(S) and F(COUT), care is taken to isolate all faults that are common between the input fault lists.
Each of these faults implies a faulty value on more than one input and, consequently, the output must be evaluated using the truth tables. Where such a fault causes an output that is identical to the good value, that fault must be eliminated from the appropriate output fault list, because it will not be detectable.
The fault model terminates execution when the output fault lists are completely determined and are propagated to other fault models that are connected to its output port. In the above functional fault model for a one-bit adder, the truth table size is a function of the number of inputs and outputs.
Reading a table is equivalent to determining the outputs logically using the Boolean equations and with a rise in the number of inputs and outputs as in functional blocks, these equations become complex.
This section describes methods of subdividing functional blocks into modules to simplify fault simulation. A technique is introduced whereby the four-bit adder is functionally decomposed into four one-bit adders as shown in Figure 7. The four one-bit adders are identified by 1 through 4. The carry output from a previous one-bit adder is connected to the carry input of the subsequent one. For 1, the carry input is primary and for 4, the carry output is primary.
1 and 4 are the least and the most significant adders respectively.
The decomposition principle may be formally expressed as follows. Let C denote a circuit that may be structurally decomposed into n units, C = {C1, ..., Cn}, such that either each unit may be fault simulated completely independently or they must be fault simulated in sequence. In the fault model of the four-bit adder, the four one-bit adders 1 through 4 are fault simulated sequentially using the truth table for a one-bit adder repeatedly.
Because all three inputs A0, B0, and CIN of 1 are primary, they receive input vectors first and 1 is fault simulated.
Results of simulation are fault lists F(S0) and F(C0), where S0 and C0 are the sum and intermediate carry outputs. Both output fault lists will be some function of the input fault lists F(A0), F(B0) and F(CIN).
and F(S0) = g1(F(A0), F(B0), F(CIN)), where f1 and g1 are mappings.
Then, 2 is fault simulated and the output fault lists F(S1) and F(C1) are determined as some function of F(A1), F(B1), and F(C0). Therefore, F(S1) = f2(F(A1),
where f2 and f2r are mappings. Similarly,
, where g2r is a mapping.
Fault models for 3 and 4 are executed in order and finally, the fault lists F(S3) and F(C3) are obtained as follows. F(S3) = f4r(F(A0), .., F(A4), F(B0), .., F(B4), F(CIN)) and F(C3) = g4r(F(A0), .., F(A4), F(B0), .., F(B4), F(CIN)), where f4r and g4r are mappings.
Figure 8 contains the functional fault model of a four-bit adder. The input(1) through input(9) and output(10) through output(14) represent the nine inputs and five outputs respectively.
The procedure p-fault-simulation corresponds to the model section for fault simulation. The procedure adder1 is responsible for fault simulating a one-bit adder and has been detailed in an earlier section. The p-fault-simulation calls adder1 four times; during each call, the input fault lists are passed to adder1 and the resulting output fault lists are sent back to p-fault-simulation when adder1 completes execution.
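The AND-gate deduction rules and the four-call adder sequence described above can both be driven by one routine that takes the device's evaluation function. The following Python code is an added example, not the RDV Ada models: it generalizes the merge, common-entry and subtract rules by re-evaluating the device once per fault, and the names deduce, and2 and adder4, the net names, and the choice to keep stuck-at faults on the internal carries C0..C2 are assumptions.

```python
# Added example. A fault is (net_name, stuck_value); a fault list is a set.

def deduce(func, in_nets, out_nets, values, flists):
    """Execute one fault model: store good values and fault lists of outputs."""
    good_in = tuple(values[n] for n in in_nets)
    # "create list": append each input's own stuck-at fault to its incoming list
    local = {n: flists.get(n, set()) | {(n, 1 - v)}
             for n, v in zip(in_nets, good_in)}
    good_out = func(*good_in)
    for o, g in zip(out_nets, good_out):
        values[o] = g
        flists[o] = {(o, 1 - g)}          # the output's own stuck-at fault
    # "merge lists": a fault flips every input whose list holds it, so entries
    # common to several inputs (reconvergence) are evaluated on the joint
    # faulty vector instead of being merged blindly
    for fault in set().union(*local.values()):
        faulty_in = tuple(1 - v if fault in local[n] else v
                          for n, v in zip(in_nets, good_in))
        for o, g, bad in zip(out_nets, good_out, func(*faulty_in)):
            if bad != g:                  # differs from good value: detectable
                flists[o].add(fault)

def and2(a, b):
    """Two-input AND gate evaluation function."""
    return (a & b,)

def adder1(a, b, cin):
    """One-bit adder evaluation function (the truth tables): (S, COUT)."""
    return (a ^ b ^ cin, (a & b) | (a & cin) | (b & cin))

def adder4(a_bits, b_bits, cin):
    """Decomposition: four one-bit adder models run in sequence, LSB first.
    Assumption: internal carries C0..C2 keep their own stuck-at faults."""
    values, flists = {"CIN": cin}, {}
    carry = "CIN"
    for i in range(4):
        values[f"A{i}"], values[f"B{i}"] = a_bits[i], b_bits[i]
        deduce(adder1, (f"A{i}", f"B{i}", carry),
               (f"S{i}", f"C{i}"), values, flists)
        carry = f"C{i}"                   # carry out feeds the next stage
    return values, flists

if __name__ == "__main__":
    # Constructed vector: A = 1111, B = 0000, CIN = 1 (full carry propagation)
    values, flists = adder4((1, 1, 1, 1), (0, 0, 0, 0), 1)
    for net in ("S0", "S1", "S2", "S3", "C3"):
        print(net, values[net], sorted(flists[net]))
```

With the constructed vector in the main block, the CIN stuck-at-0 fault travels the whole carry chain and appears in the fault list of C3.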
An Invariance Principle
While deriving the functional fault model for the adder, the implementation details of these functional blocks have either been ignored or a specific implementation has been assumed. It is reasonable, however, to assume that there could be more than one implementation or a different set of Boolean equations for the same functional block. Functional fault simulation in RDV will always yield the same result despite the implementation or Boolean equations 
Fault Simulation of Adders
Figure 9 shows the normalized CPU times obtained from executing fault simulation on a four-, eight-, sixteen-, and thirty-two-bit adder.
Because it is difficult to manually describe the interconnection database for a large gate-level circuit, the sixteen- and thirty-two-bit adder circuits are not simulated at the gate-level in RDV. However, they are simulated at the functional-level in RDV. For each of these simulations, a set of 240 test vectors generated by a random 0,1 generator is used and the fault coverage is 100 percent. For the thirty-two-bit adder consisting of 336 gates, the total number of faults is 448, all of which are detected by the test vector set. It is observed in Figure 10 that the graphs are linear. The linearity of the fault simulator in RDV may be explained as follows.
Because each component in RDV is simulated only once per vector, and as all necessary computations are done within the component model, the total CPU time will be proportional to the total number of devices simulated.
It may be observed from Figure 9 that functional fault models are faster than their equivalent gate-level models. The functional fault models in RDV of the four- and eight-bit adders are faster than the corresponding gate-level models in RDV, by factors of 5.2 and 5.4 respectively. The ratio is likely to increase for fault models of functional devices that represent a larger number of gates.
