Abstract: Fault simulation is an essential tool in electronic design automation. The accuracy of the computation of fault coverage in classic n-valued simulation algorithms is compromised by unknown (X) values. This results in a pessimistic underestimation of the coverage, and overestimation of unknown (X) values at the primary and pseudo-primary outputs.
I. INTRODUCTION
Fault simulation and the computation of fault coverage are essential tools in electronic design automation, used for example in ATPG, for product quality estimation, or for assessment of design reliability. An optimistic estimation of the fault coverage of a test pattern set may result in shipping defective units, while a pessimistic estimation increases test overhead and cost.
Unknown (X) values may emerge during test generation due to black boxes in the design, and during test application caused by uncontrolled sequential elements, at clock domain crossings or A/D boundaries for example. Standard logic and fault simulation algorithms are based on n-valued logics with a limited number of symbols to denote the signal states in the simulation. Not all X states, and the correlation between them, are reflected accurately. Thus, reconvergences of X values, where canceling of Xs may occur, are not evaluated correctly and the resulting signal values are not exact. In consequence, fault simulation algorithms based on n-valued logics, like the parallel pattern single fault propagation (PPSFP) and concurrent algorithms [1]-[4], are pessimistic and underestimate fault coverage. (In the following, they are referred to as 3-valued fault simulators.) If X values propagate into compaction logic as found in embedded deterministic test (EDT) or built-in self test (BIST) environments, the response signature may be corrupted. X-blocking, X-masking [5] or X-tolerant [6] design-for-test structures try to remedy the problem at increased hardware overhead. A pessimistic analysis of X states further increases this overhead and may cause overmasking of failure data with impact on diagnosability.
This work presents the first fault simulation algorithm which computes the exact fault coverage of a test set in presence of X values and is free of any simulation pessimism. The example in Figure 1 shows a circuit with three gates and three inputs. The simulation result of pattern (a, b, c) = (1, X, 1) with a 3-valued simulator is also annotated to the circuit lines. The signals d, e, and f are evaluated to the unknown value X by the simulator. Therefore, according to 3-valued simulation, this pattern cannot detect any stuck-at fault in the circuit. Simulations with b = 0 and b = 1 show that in both cases output f has the logic value 1. Hence, the pattern is indeed a test for the stuck-at 0 fault at f. Furthermore, the pattern is also a test for the stuck-at 0 fault at signal a, as computed by the proposed exact algorithm.
The reduction of the pessimism of logic and fault simulation is targeted in previous work using heuristics, formal reasoning or a combination thereof. Exact X propagation analysis is NP-complete: Boolean satisfiability, a known NP-complete problem, can be directly reduced to it.
Heuristic approaches are typically very fast, but the result is still pessimistic. Proposed methods include circuit analysis like static learning [7], [8], or partitioning and exhaustive simulation [9]. In restricted symbolic simulation [10], the number of symbols to express different X states is increased, which allows the correct evaluation of a subset of reconvergences of X-valued signals.
The exact result in logic simulation can be computed by symbolic simulation of a circuit using reduced ordered BDDs (ROBDDs, [11]), but may cause excessive memory consumption for arithmetic or larger circuits. The SAT-based approach of [12] allows the analysis of each reconvergence of X-valued signals for X canceling. It also provides the exact result for fault free simulation, but at high runtimes for larger circuits and many X sources. Reasoning about X states also gained importance for verification of designs with black boxes. While modeling X-valued signals with 3-valued logic [13] only helps to distinguish the signals from those with defined binary values, an exact X-analysis based on symbolic simulation [14], [15] increases the accuracy of the verification.
In fault simulation, each fault free and faulty machine has to be analyzed per pattern, causing very high computational effort or excessive memory consumption. Therefore, the pessimism in fault simulation could only be targeted by heuristic or hybrid approaches combining heuristics and formal methods so far. This includes heuristics based on static learning [8] or restricted symbolic simulation [16], and hybrid SAT-based [12] or BDD-based [17], [18] fault simulation.
The recent progress in SAT solvers enables the exact reasoning about fault detection in presence of Xs even for larger circuits. This paper is the first to propose a formal method to exactly compute the stuck-at fault coverage of a test set in presence of Xs. It combines heuristics and SAT reasoning to remove any simulation pessimism found in previous approaches. A state-of-the-art incremental SAT solver is used to incrementally build the SAT instance during analysis and reduce runtime.
Section II introduces the problem and some definitions. The exact fault free simulation is explained in Section III and the stuck-at fault simulation in Section IV. Section V presents experimental results on ISCAS benchmark circuits and NXP circuits. Section VI summarizes the paper.
II. TERMINOLOGY AND OVERVIEW
This section introduces the used terminology and outlines the algorithm for the exact stuck-at fault classification.
A. Terminology and Definitions
In 3-valued logic, the three symbols {0, 1, X} are used to represent logic value 0 (logic-0), logic value 1 (logic-1) and an unknown state, i.e., either logic-0 or logic-1. Signals at which unknown values originate are called X-sources. During logic simulation of a test pattern p, a 3-valued simulator assigns logic-0, logic-1 or X to the signals. Signals with value X for pattern p belong to the set of Pessimistic-Xs PEX(p). PEX(p) can be partitioned into the sets of Real-Xs REX(p) and False-Xs FEX(p). FEX(p) contains the signals of PEX(p) which are independent of the X-sources, i.e., the signals have a binary value of logic-0 or logic-1. REX(p) contains all signals which do depend on at least one X-source. In Figure 1, output f ∈ FEX(p), while b, d, e ∈ REX(p).
These sets differ in the fault free and in the faulty cases. Superscripts G and f are used to distinguish between the fault free and the faulty case, respectively.
In this work two types of fault detection are distinguished: definite detection (DD) and potential detection (PD) of a fault. A fault f is DD iff an observable output o exists where the fault effect is visible independent of the logic value assignment to the X-sources. Let the functions $v^G(p, s)$ and $v^f(p, s)$ return the logic value of signal s under pattern p in the fault free and faulty case in presence of unknown values. Then, the definite detection of stuck-at fault f under pattern p is given as
where O is the set of output signals of the circuit. Stuck-at fault f is potentially detected if an observable output o exists where the fault effect can be deterministically measured for at least one logic value assignment to the X-sources:
Note that 3-valued fault simulation may overestimate the number of potentially detected faults.
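The following added example (not code from the paper) makes the definitions above executable: it partitions PEX(p) into REX(p) and FEX(p) and classifies stuck-at faults as DD, PD or undetected (UD) by enumerating all assignments to the X-sources, next to the pessimistic 3-valued result. The netlist is a constructed stand-in for Figure 1, chosen to match the values the text reports, and the DD/PD predicates follow the prose definitions, restricted to outputs with a defined fault free value.

```python
from itertools import product

X = "X"
# Constructed stand-in for the Figure 1 circuit (the figure is not on the page),
# in topological order: (output, gate type, input, input).
GATES = [("d", "XOR", "a", "b"), ("e", "AND", "b", "c"), ("f", "XOR", "d", "e")]
OUTPUTS = ["f"]
PATTERN = {"a": 1, "b": X, "c": 1}

def gate3(op, u, v):
    """3-valued evaluation: all unknowns share one anonymous symbol X."""
    if op == "AND":
        return 0 if 0 in (u, v) else (X if X in (u, v) else 1)
    if op == "OR":
        return 1 if 1 in (u, v) else (X if X in (u, v) else 0)
    if op == "XOR":
        return X if X in (u, v) else u ^ v
    raise ValueError(op)

def simulate(pattern, fault=None):
    """Simulate one pattern; fault is (signal, stuck_value) or None."""
    site, stuck = fault if fault else (None, None)
    val = {s: (stuck if s == site else v) for s, v in pattern.items()}
    for out, op, i, j in GATES:
        val[out] = stuck if out == site else gate3(op, val[i], val[j])
    return val

def exact(pattern, fault=None):
    """Exact signal values: enumerate every assignment to the X-sources."""
    xs = [s for s, v in pattern.items() if v == X]
    runs = [simulate({**pattern, **dict(zip(xs, bits))}, fault)
            for bits in product((0, 1), repeat=len(xs))]
    merged = {s: runs[0][s] if all(r[s] == runs[0][s] for r in runs) else X
              for s in runs[0]}
    return merged, runs

def split_pex(pattern):
    """Partition PEX(p) of the fault free circuit into (REX(p), FEX(p))."""
    pess, (ex, _) = simulate(pattern), exact(pattern)
    pex = {s for s, v in pess.items() if v == X}
    rex = {s for s in pex if ex[s] == X}
    return rex, pex - rex

def classify_3val(pattern, fault):
    """Pessimistic classification from two 3-valued simulations."""
    g, b = simulate(pattern), simulate(pattern, fault)
    obs = [o for o in OUTPUTS if g[o] != X]
    if any(b[o] not in (X, g[o]) for o in obs):
        return "DD"
    return "PD" if any(b[o] == X for o in obs) else "UD"

def classify_exact(pattern, fault):
    """Exact classification over all X-source assignments."""
    g, _ = exact(pattern)
    b, runs = exact(pattern, fault)
    obs = [o for o in OUTPUTS if g[o] != X]   # defined fault free value only
    if any(b[o] not in (X, g[o]) for o in obs):
        return "DD"                           # visible for every assignment
    return "PD" if any(r[o] != g[o] for r in runs for o in obs) else "UD"

if __name__ == "__main__":
    print(split_pex(PATTERN))
    for fault in [("f", 0), ("a", 0), ("c", 0), ("f", 1)]:
        print(fault, classify_3val(PATTERN, fault), classify_exact(PATTERN, fault))
```

Enumeration is exponential in the number of X-sources, which is why the paper replaces it with heuristics and SAT reasoning.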
B. Algorithm Overview
The proposed fault simulation process is divided into two parts. First, the test pattern set is pessimistically simulated with a parallel pattern single fault propagation simulator based on 3-valued logic to mark as many faults as DD as possible. Afterwards the test pattern set is simulated by the exact stuck-at fault simulator, which performs an exact logic simulation of the fault free circuit per pattern, and then analyzes the activated faults.
The exact logic simulation algorithm efficiently computes the exact signal states by use of heuristics and formal reasoning based on incremental SAT. This algorithm is also used in the analysis of activated faults to distinguish definitely detected, potentially detected and undetected faults.
III. FAULT FREE SIMULATION
The fault free simulation is performed in two steps. In the first step, a logic simulator and a restricted symbolic simulator are used as heuristics to classify a high number of REXs and FEXs at low computational cost. In addition, a set of FEX candidates is computed which is then formally analyzed in the second step. For the formal proof whether a FEX candidate is a REX or not, the state-of-the-art incremental SAT-solver Antom [19] is utilized. Figure 2 depicts the flow of the exact fault free simulation. 
A. Simulation Step
In the simulation step of a pattern p, p is simulated using restricted symbolic simulation (RSS) to compute a set of PEX signals. In addition, a simulation with randomized assignments to the X-sources is conducted to identify FEX candidates and determine as many REX signals as possible. The FEX candidates are later classified using SAT reasoning.
In RSS, for each X-value at the X-sources a unique symbol $X_i$ is introduced in addition to the two symbols for logic-0 and logic-1. Hence, X-values from different X-sources are distinguishable. Furthermore, each X-symbol can be negated. This allows the correct evaluation of simple local reconvergences of X-valued signals and increases accuracy compared to 3-valued simulators. For the example in Figure 1, RSS correctly computes the output value at f as logic-1, since the symbol $X_b$ introduced at X-source b is correctly tracked at d as $\neg X_b$ and at signal e as $X_b$. Hence, the reconvergence is exactly evaluated to logic-1. Thus, RSS identifies a subset of FEX 
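A minimal restricted symbolic simulator, as an added example that is not the paper's implementation: each X-source gets its own symbol, symbols can be negated, and a gate whose inputs cannot be resolved locally gets a fresh symbol (an assumption about the bookkeeping). Both netlists are constructed; the first stands in for Figure 1, the second shows a reconvergence that RSS leaves unresolved although the signal is constant.

```python
import itertools

def neg(v):
    """Negate a binary value or a symbol (id, negated)."""
    return 1 - v if v in (0, 1) else (v[0], not v[1])

class RSS:
    """Values are 0, 1, or a symbol (id, negated)."""
    def __init__(self):
        self.ids = itertools.count(1)

    def fresh(self):
        return (next(self.ids), False)

    def and_(self, u, v):
        if u == 0 or v == 0:
            return 0
        if u == 1:
            return v
        if v == 1:
            return u
        if u == v:
            return u                  # X_i AND X_i = X_i
        if u == neg(v):
            return 0                  # X_i AND (NOT X_i) = 0
        return self.fresh()           # unrelated symbols: new unknown

    def xor(self, u, v):
        if u in (0, 1):
            return neg(v) if u else v
        if v in (0, 1):
            return neg(u) if v else u
        if u == v:
            return 0
        if u == neg(v):
            return 1
        return self.fresh()

    def gate(self, op, ins):
        if op == "NOT":
            return neg(ins[0])
        if op == "AND":
            return self.and_(*ins)
        if op == "OR":                # De Morgan on top of and_
            return neg(self.and_(neg(ins[0]), neg(ins[1])))
        if op == "XOR":
            return self.xor(*ins)
        raise ValueError(op)

def rss_simulate(gates, pattern):
    """gates: {output: (op, inputs...)} in topological order."""
    sim = RSS()
    val = {s: (sim.fresh() if v == "X" else v) for s, v in pattern.items()}
    for out, (op, *ins) in gates.items():
        val[out] = sim.gate(op, [val[i] for i in ins])
    return val

# Constructed stand-in for Figure 1: d = NOT X_b, e = X_b, f = 1.
FIG1 = {"d": ("XOR", "a", "b"), "e": ("AND", "b", "c"), "f": ("XOR", "d", "e")}
# Constructed non-local reconvergence: z = (a AND b) AND (NOT a) is always 0,
# but g = a AND b already received a fresh symbol, so RSS reports z as unknown.
NONLOCAL = {"g": ("AND", "a", "b"), "n": ("NOT", "a"), "z": ("AND", "g", "n")}

if __name__ == "__main__":
    print(rss_simulate(FIG1, {"a": 1, "b": "X", "c": 1}))
    print(rss_simulate(NONLOCAL, {"a": "X", "b": "X"}))
```

Signals like z in the second netlist are the FEX candidates that remain for the SAT step.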
B. Classification of Remaining FEX Candidates
The FEX candidates computed in the previous step for pattern p are exactly classified by use of an incremental SAT solver. Input to the SAT solver is a Boolean formula in conjunctive normal form (CNF) which maps the classification of a signal to a Boolean satisfiability problem.
For each FEX candidate s it is already known that all 64 random assignments to the X-sources force s to value $v_s^i$ ($0 \le i \le 63$) of either logic-0 or logic-1. Signal s is a FEX iff it can be proven that s cannot have the complementary value $\neg v_s^i$ for any assignment to the X-sources. Thus, the Boolean formula is constructed such that it is satisfiable if and only if s can be driven to $\neg v_s^i$. If the formula is satisfiable, s depends on the X-sources and is classified as REX. Otherwise s is independent of the X-sources and classified as FEX.
The FEX candidates are evaluated starting from the X-sources in topological order. To increase efficiency, the SAT instance is extended incrementally for each FEX candidate, exploiting the result from the simulation step as well as learnt knowledge from analysis of previous FEX candidates.
To check whether s can be driven to $\neg v_s^i$, the characteristic equations of the gates in the adjustment cone (transitive fanin) of s are translated into CNF and added to the SAT instance. This is done using the Tseitin transformation [20].
The size of the resulting SAT instance is reduced by only considering the gates which generate PEX or REX values for pattern p. The CNF for the adjustment cone of a signal s is created recursively as outlined in Algorithm 1.
This SAT instance is extended by a temporary unit clause with only one literal (called assumption) for FEX candidate s which constrains the value of s in the search process of the SAT solver. If the value of s in the pattern parallel simulation was $v_s = [0, \ldots, 0]$, the assumption {s} is added to constrain the SAT search to assignments to the X-sources which imply s to logic-1. If the instance is satisfiable, s belongs to the set REX. Otherwise s is a FEX with value logic-0 and $v^G(p, s)$ is updated. In the latter case, the unit clause {¬s} is added permanently to the SAT instance to reduce runtime for subsequent calculations of the SAT solver. Correspondingly, if the value of s in the pattern parallel simulation was $v_s = [1, \ldots, 1]$, the assumption {¬s} is added.
[Algorithm 1: CNF creation of the adjustment/fanin cone.]
For the classification of the next FEX candidate s in topological order, the CNF instance is extended incrementally to include the adjustment cone of s, i.e., only the clauses for gates which are not yet Tseitin transformed are added.
During exact simulation, the algorithm maintains a lookup table derived from the result of the RSS step. The table contains the information whether a symbol for an X-state assigned to signals during RSS is a logic-0, a logic-1 or a REX. Before analyzing a FEX candidate s using the SAT technique, a fast lookup is performed to check whether the corresponding symbol $X_s$ has already been computed. If the classification for $X_s$ is already known, s is set to the corresponding state. Otherwise, s is classified as described above. This effectively restricts the use of the SAT solver to signals at which REX values converge.
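The SAT step of this section as an added, self-contained example (not the paper's code): the fanin cone is Tseitin-encoded once per gate, each candidate is checked under an assumption, and a proven FEX is kept as a permanent unit clause. A tiny DPLL routine stands in for the incremental solver Antom, and the netlist, pattern and observed candidate values are constructed; the RSS lookup table and the pruning to PEX/REX gates are left out.

```python
def solve(clauses, assumptions=()):
    """Tiny DPLL stand-in for an incremental solver: a model dict, or None if UNSAT."""
    def dpll(cls, model):
        while True:                              # unit propagation
            rest_cls, unit = [], None
            for c in cls:
                if any(model.get(abs(l)) == (l > 0) for l in c):
                    continue                     # clause already satisfied
                rest = [l for l in c if abs(l) not in model]
                if not rest:
                    return None                  # conflict
                if len(rest) == 1:
                    unit = rest[0]
                rest_cls.append(rest)
            cls = rest_cls
            if unit is None:
                break
            model = {**model, abs(unit): unit > 0}
        if not cls:
            return model
        var = abs(cls[0][0])                     # branch on an open variable
        res = dpll(cls, {**model, var: True})
        return res if res is not None else dpll(cls, {**model, var: False})
    return dpll([list(c) for c in clauses] + [[a] for a in assumptions], {})

def tseitin(op, z, ins):
    """CNF clauses for z = op(ins)."""
    if op == "NOT":
        return [[z, ins[0]], [-z, -ins[0]]]
    x, y = ins
    if op == "AND":
        return [[-z, x], [-z, y], [z, -x, -y]]
    if op == "OR":
        return [[z, -x], [z, -y], [-z, x, y]]
    if op == "XOR":
        return [[-z, x, y], [-z, -x, -y], [z, -x, y], [z, x, -y]]
    raise ValueError(op)

class ExactClassifier:
    def __init__(self, gates, pattern):
        self.gates, self.pattern = gates, pattern
        self.var, self.clauses, self.done = {}, [], set()

    def v(self, s):
        return self.var.setdefault(s, len(self.var) + 1)

    def add_cone(self, s):
        """Encode only the part of the fanin cone that is not encoded yet."""
        if s in self.done:
            return
        self.done.add(s)
        if s not in self.gates:                  # primary input
            if self.pattern[s] != "X":           # binary inputs become unit clauses
                self.clauses.append([self.v(s) if self.pattern[s] else -self.v(s)])
            return
        op, *ins = self.gates[s]
        for i in ins:
            self.add_cone(i)
        self.clauses += tseitin(op, self.v(s), [self.v(i) for i in ins])

    def classify(self, s, seen):
        """seen: the value s took in every random assignment (0 or 1)."""
        self.add_cone(s)
        lit = self.v(s) if seen == 0 else -self.v(s)   # assume the complement
        if solve(self.clauses, [lit]) is not None:
            return "REX"
        self.clauses.append([-lit])              # learnt: s is fixed to `seen`
        return "FEX"

# Constructed netlist and pattern: a and b are X-sources, c = 0.
GATES = {"g": ("AND", "a", "b"), "n": ("NOT", "a"),
         "z": ("AND", "g", "n"), "h": ("OR", "z", "c")}
PATTERN = {"a": "X", "b": "X", "c": 0}

if __name__ == "__main__":
    clf = ExactClassifier(GATES, PATTERN)
    for sig in ("g", "z", "h"):                  # topological order
        print(sig, clf.classify(sig, 0))
```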
IV. EXACT STUCK-AT FAULT SIMULATION
The exact stuck-at fault simulation classifies a set of target faults as definite detect (DD), possible detect (PD) or undetected for a test set in presence of unknowns. It uses the heuristics and formal SAT reasoning of the previous section. An overview of the fault simulation of a pattern p is given in Figure 3. 3-valued fault simulation is used to mark as many target faults as possible as DD. For the remaining faults, an exact analysis is conducted. The exact analysis starts with the exact logic simulation of the fault free circuit for pattern p to compute the set of activated faults. These faults are then analyzed serially. For the faulty simulation of an activated fault f, f is injected into the circuit model. The algorithm then proceeds in two phases similar to the fault free approach: a heuristic simulation and an exact calculation step. During the simulation step the behavior of the faulty circuit is simulated in an event-driven manner by RSS and 2-valued parallel pattern logic simulation which evaluates random assignments to the X-sources. If the results of the simulations allow the fault classification as DD or undetected, further analysis is not required. Otherwise, the SAT solver is invoked for analysis of the outputs of the faulty circuit. Internal signals in the faulty circuit do not need to be considered since the values at observable outputs are sufficient to reason about fault detection.
A. Fault Analysis by RSS and Pattern-Parallel Simulation
For an activated fault f, the circuit outputs $o_1, \ldots, o_k$ in the propagation cone (transitive fanout) of f are analyzed using the results of the faulty circuit simulations. According to Section II-A, we only consider outputs $o_i$ which have a defined value in the fault free circuit, $v^G(p, o_i) \in \{0, 1\}$. If there is one output $o_i$ with a defined value in the faulty case $v^f(p, o_i) \in \{0, 1\}$ according to RSS, and
, then f is marked as DD and the algorithm proceeds with the next fault. If all outputs in the propagation cone have defined values equal to the fault free case, i.e., v
f is undetected by the pattern and the algorithm analyzes the next fault.
Otherwise, the outputs are divided into three sets: potential detect outputs $O_{PD}$, possibly definitive detect outputs $O_{PDD}$, and possibly potential detect outputs $O_{PPD}$. The set $O_{PD}$ will contain all outputs at which fault f can be potentially detected. An output $o_i$ is added to the set $O_{PD}$ if the faulty value $v_{o_i}$ is not equal to [0, ..., 0] or [1, ..., 1]. Note that these outputs are elements of the set REX$^f$(p 
, $o_i$ is added to $O_{PDD}$ since it may be an output at which the fault can be definitely detected. If the exact analysis later reveals that $o_i$ is a FEX, then f is a DD, otherwise f is a PD.
On the other hand, if all v
, $o_i$ is added to $O_{PPD}$ since it may be an output at which the fault can be potentially detected. If the exact analysis reveals that $o_i$ is a REX, then f is a PD, otherwise f cannot be detected at $o_i$ at all.
B. Fault Classification by SAT Reasoning
If the set $O_{PDD}$ is not empty, the output values in the faulty circuit are iteratively derived using the incremental SAT solver. This is similar to the fault free case. A SAT instance is constructed which is satisfiable iff the considered output is a REX (see Section III-B). If output $o_i$ belongs to REX$^f$(p), $o_i$ is removed from $O_{PDD}$ and added to $O_{PD}$. In the other case, the fault is marked as DD, because
is true. Thus, the fault is detected for all logic value assignments to the X-sources. Then the next stuck-at fault is analyzed.
If $O_{PDD}$ is empty and $O_{PD}$ is not empty, the stuck-at fault is marked as PD and the algorithm proceeds with the next stuck-at fault.
If the current fault is neither marked DD nor PD and $O_{PPD}$ is not empty, the SAT solver is used to determine if one of the outputs in $O_{PPD}$ belongs to REX$^f$(p). Note that this step is performed only if the fault is not yet marked as PD. If one output of $O_{PPD}$ is a member of REX$^f$(p), the fault is marked as PD. In the case that all outputs in $O_{PPD}$ belong to FEX$^f$(p), the fault remains unmarked and undetected.
V. EXPERIMENTAL RESULTS
The presented algorithm has been tested and applied to ISCAS benchmark and large industrial circuits from NXP. The experiments were run on an AMD Opteron CPU with 2.3 GHz.
A. Reduction of Unknown Output Values
The exact logic simulation algorithm of Section III efficiently computes the exact output values of the circuit for a test set. This is important for BIST and EDT environments to avoid unnecessary DFT overhead for X-masking or X-blocking structures, and overmasking of FEX-valued outputs.
For the considered circuits, three simulation runs are performed and averaged. In each run, a fixed percentage of the controllable circuit inputs is randomly selected as X-sources (X-ratio). Then, a test set of 1 000 random patterns is analyzed. The number of PEX outputs of a 3-valued simulation is compared with the number of REX outputs of the exact analysis. Figure 4 shows the reduction of the number of unknown outputs for ISCAS circuit c7552 for different X-ratios. The diagram shows that the number of unknown values is reduced by more than 25% for the X-source scenarios with 1% and 7% X-sources. The reduction decreases to 0% if nearly all inputs are X-sources. Similar experiments have been conducted for the other circuits as well. Due to limited space, we only present results for the case of 5% X-sources in Table I. Column 'Circuit' contains the circuit name. Columns 'PEX' and 'REX' show the absolute number of unknown values at the outputs for the test set computed by 3-valued simulation and the exact algorithm, respectively. In a BIST architecture, only these REX outputs have to be masked for the computation of a signature. The last column in the table contains the reduction of X-values at the circuit outputs. On average, the number of X-values is reduced by 20.2%.
B. Exact Fault Simulation
This section presents the increase of fault coverage of a test pattern set due to the non-pessimistic analysis with the proposed algorithm. Similar to the previous section, three simulation runs are performed per circuit and averaged. In each run, a fixed percentage of the controllable circuit inputs is randomly selected as X-sources. Then, the fault coverage of a test set of 1 000 random patterns is computed using 3-valued fault simulation and the proposed exact algorithm.
For circuit c7552, Figure 5 depicts the increase in fault coverage of the exact algorithm w.r.t. 3-valued fault simulation for different X-ratios, and the runtime in seconds. The circles indicate the increase of fault coverage if 1 000 test patterns are analyzed exactly. The exact algorithm increases fault coverage by up to 14.2%. The highest increase of fault coverage is achieved when approximately 10% of the inputs are X-sources. Compared with the approximate hybrid fault simulation of [12], the exact algorithm reveals that up to 30% additional faults are actually detectable with the test set. The runtime of the proposed algorithm reaches the maximum of 91 s at an X-ratio of about 35%. Compared to the method of [12] with a runtime of 2 749 s, the proposed algorithm is 30× faster. For small X-ratios, the runtime is low since RSS uncovers many FEXs at simple X-reconvergences. If the SAT solver is required, the size of the CNF formula is small. For high X-ratios, the pattern parallel simulation of random assignments to X-sources determines most of the REX signals. Table II reports the results for a larger set of ISCAS and industrial circuits. Due to limited space, the results are limited to the case of 5% X-sources. For each circuit, the table shows the absolute number of stuck-at faults. Column '3-val. Fsim.' shows the absolute number of detected faults and the fault coverage in % of 3-valued fault simulation.
The number of additionally detected faults and the fault coverage increase by the exact algorithm according to equation (1) are given in column '∆ Exact sim. DD'. Column 'Exact sim. PD' lists the number and ratio of faults marked as potential detect (PD) according to equation (2). The last column lists the runtime for the exact analysis in seconds.
On average, 3-valued fault simulation computes the coverage of the test sets as 67.2%. The exact fault simulation proves that an additional 1.8% of the faults are detected by the test sets. The increase in additionally detected faults is very high for the multiplier c6288 due to high signal observability and propagation of many X-values in the pessimistic simulation. The results also show that a noteworthy amount of stuck-at faults of 5.7% on average can be classified as potential detect. The runtime of the algorithm for the considered ratio of X-sources ranges from 4 milliseconds up to 190 seconds for a single pattern.
VI. CONCLUSIONS
The work presented the first stuck-at fault simulator, which is able to calculate the exact fault coverage of a test pattern set in the presence of unknown values. The simulator employs logic and restricted symbolic simulation to classify as many signal states as possible without invoking formal SAT reasoning. Incremental SAT solving is utilized only to exactly analyze the remaining signal states. The usage and runtime of the SAT-solver and the size of the CNF formulae are strongly reduced by considering the simulation results and employing incremental SAT techniques. The algorithm is able to handle large industrial circuits.
