1. INTRODUCTION
The increased use of VLSI especially in safety critical systems demands a high confidence in the correct functioning of these systems. Thus, it has to be ensured that circuits contain neither design errors nor fabrication faults.
Hardware verification copes with errors which occur in the circuit during the design process. Verification is performed by formally proving that an implementation meets the specification, i.e. the behavioral requirements. Usually this is done by modeling the functional behavior in terms of logic and using a theorem proving tool to support the proof process (e.g. [1], [2], [3]).
Test generation on the other hand addresses the problem of finding input stimuli for a circuit in such a way that fabrication defects are found. Generally, this is accomplished by injecting faults given by an appropriate fault model into the description of the correct circuit and comparing the behavior of the resulting faulty circuit and the correct circuit to find input sequences such that the output values of the two circuits eventually differ. Most of the algorithms for test generation perform the behavioral reasoning mainly on the given structural circuit information (e.g. [4], [5], [6], [7]). Sequential test generation is known to need exponential worst case effort, which is reduced by design modifications like a complete scan path ([8], [9]), a partial scan path ([10], [11], [12]), a pseudoexhaustive technique [13] or an appropriate synthesis [14]. Sometimes such design modifications are not feasible due to area and speed restrictions and test generation has to be done for the original circuit, or the modifications only reduce the complexity of the sequential test generation process.
Although hardware verification and testing are needed to achieve fault free systems, both have been treated in isolation up to now. Since both have to cope with propositions about the behavioral equivalence of circuit descriptions, it is possible to combine test generation and verification which results in appropriate benefits for both.
In this paper temporal logic is used to capture the circuit behavior. This logic is often used for hardware verification, since circuit specifications may be described naturally and more complex properties may be expressed than in normal FSM verification approaches ([15], [16], [17]). Additionally, using temporal logic, the behavior of arbitrary faults at gate level may be easily modelled. Moreover, using a formal logic leads to a reduction of the hardware verification and test pattern generation problem to a satisfiability and validity problem and hence new and different approaches are possible, which are based on a separation between problem formulation and solution methods [18].
Our approach leads to a tool which supports the designer at two stages of the design process. When creating a circuit implementation, he ensures design correctness by describing his design in terms of temporal logic and verifying it against a given specification. The very same circuit description and tool is then used to generate test pattern sequences. Moreover, as a spin-off, design for testability is automatically supported, since a verifiable implementation leads automatically to better testable designs.
A related approach has been presented by Cho, Somenzi et al. which relies on similar implementation principles ([19], [20]). However, it is directly based on FSM equivalence checking and is not able to cope with circuits without reset line.
The paper is organized as follows: In section 2 some fundamentals of temporal logic are introduced. The next section shows how to model hardware behavior using this formal language. In section 4 an approach for hardware verification with temporal logic is presented. Then the verification problem is extended to sequential ATPG. Section 6 points out some optimizations which accelerate the approach. The paper ends with experimental results and a conclusion.
2. TEMPORAL LOGIC
Propositional temporal logic is frequently used in hardware verification ([16], [21], [17]). Traditional propositional logic is extended by temporal operators, which allow the expression of time-varying properties such as the sequential behavior of digital circuits. Moreover, propositional temporal logic is decidable, and there are constructive, fully automated decision procedures available, which are the main advantages compared to approaches based on first or higher order logics ([2], [3]). There, mechanized theorem proving is slower and often requires user guidance.
Two approaches to temporal logic theorem proving are mainly used: Computation Tree Logic (CTL) and Propositional Temporal Logic (PTL). CTL is a propositional, branching time logic, i.e. in the future many computation paths are possible [22]. A specification is given by CTL formulas and the implementation of the system to be verified is given by a state graph [17]. PTL is based on a linear sequence of discrete time points. In contrast to CTL, no explicit state graph is given and both specification and implementation are described in PTL. It has been proposed by Manna and Pnueli as a means for verifying concurrent programs [23] and its usefulness for describing and verifying hardware has also been established ([24], [25], [16]).
Since our approach is based on PTL, its operators as well as the underlying decision procedure are explained in the following.
Formulas in PTL are constructed in the usual way of the propositional calculus. [28]) may be used to speed up the temporal logic proving process, similar to the suggestions of Burch, Clarke, McMillan and Dill ([17], [29]). This is described in more detail in section 6.3.
3. HARDWARE MODELING
To describe hardware with PTL, the model of discrete time points is mapped onto real time events. Two approaches are conceivable. Either every discrete time point is defined by a fixed time schedule or the time points mark the clock ticks of a synchronous system. Although the former possibility allows the expression of asynchronous behavior, it complicates the circuit descriptions and limits its use to small circuits. In this paper, the latter method is used. The "next" operator indicates the values of circuit variables after the next clock signal. This modeling is not restricted to single clock systems; complex clocking schemes are allowed provided that clock transitions only occur at time points describable with PTL.
A simple example of a single clock circuit is shown in figure 1 [30] . 
The "always" operator indicates that the functional relationship between the input and output of the elements must hold forever. For better readability the AND operator is omitted between the subformulas.
A netlist description of a circuit is translated into temporal logic in linear time; the PTL formulas modeling the behavior of the basic cells are stored in a library.
4. HARDWARE VERIFICATION
For performing hardware verification, both circuit specification and circuit implementation can be described as indi-
The behavioral equivalence of two circuit implementations J1 and J2 has to be checked if a design has been modified, e.g. by minimization. The necessary verification can also be performed with formula (2), but for easier processing with a temporal proof system a slightly different approach, based on the definition of behavioral equivalence (see e.g. [31]), is used.
This equivalence leads to the following uncover condition UC (∨ denotes the disjunction of its arguments), which, if satisfiable, indicates a different circuit behavior.
Since the two circuits to be verified must be in the same starting state at the beginning of the verification process, there must be a unique reachable initial state, which is guaranteed if all flipflops are resettable. This is expressed by the following PTL initialization condition IC, where d_i1 and d_i2 denote the state variables of both circuits.
The correspondence between satisfiability in temporal logic and circuit equivalence is stated in lemma 1, which is an immediate consequence of definition 4 and the definition of satisfiability in PTL. This lemma reduces verification to theorem proving; moreover, as the proof system is constructive, an input sequence which uncovers the different behavior is generated automatically. This input sequence may be used by the circuit designer as a hint to identify and eliminate the design errors.
5. TEST GENERATION
Paper 3.1
Test generation is performed by injecting faults given by an appropriate fault model into the description J of the correct circuit to get a faulty description J_E. The behavior of J and J_E is then compared to find input sequences so that the output values of both descriptions eventually differ.
The following approach is not restricted to stuck-at faults; arbitrary erroneous behavior can be handled if it is describable in PTL. This includes for instance stuck-open faults (see figure 2).
Figure 2 (panel label): Behavior of the correct circuit
More effort is required for considering the impact of hazards and charge storing on transition faults. These mechanisms and delay faults can be handled by refining the grid of the time points of PTL and by adding timing specifications to the library elements. Overall this leads to a considerable increase of complexity and is not incorporated in our first implementation. Moreover, for conciseness and comparability with other approaches [32], we restrict ourselves in the following to the stuck-at fault model.
Unlike verification, test generation cannot be based on the assumption of a reset state, since an initialization sequence may be altered by the fault, the reset line may be affected, or there may be a stuck-open fault with unknown starting value. Hence one must be able to deal with unknown values of the storage elements at the beginning of the test generation process. For easier understanding, the case that the faulty circuit still has a reset state is discussed first, and then the general case is treated.
5.1 Circuits with Reset State
The uncover condition (4) and the initialization condition (5) defined in the previous section still hold for the faulty and fault-free circuit. A test pattern sequence is a truth assignment for the primary input variables so that at least one of the outputs of the correct and faulty circuit eventually carries a different value. If such an assignment does not exist, the fault is called undetectable.
As an immediate consequence of lemma 1 the following fact is proven:
Lemma 2: Let J be a correct circuit and let J_E be a faulty circuit, let UC be an uncover condition according to (4) and let IC be according to (5).
The uncover condition UC is as follows:
Since all flipflops are resettable, the following initialization condition holds
The formulas from figure 4 a) and b) as well as the uncover and initialization condition are now input to a temporal proof system to perform a satisfiability check, i.e. a variable sequence for the conjunction J ∧ J_E ∧ IC ∧ UC has to be found. In the example, the proof system will find the following solution
F : =~A O~A O O~~.
This formula corresponds to a test pattern sequence (d, 4, -4) (end of example).
5.2 General Case
A test pattern sequence F is called generally valid (denoted as TS) if it is a truth assignment for the primary input variables so that at least one of the outputs of the correct and faulty circuit eventually carries a different value for arbitrary initial values of the storage elements of the circuit.
Cho and Bryant generated such sequences by introducing a third value X to assign an "unknown" signal value to the flipflops [30]. Since efficient multiple-valued logic theorem provers are not generally available, every three-valued variable has to be encoded by two two-valued variables, which leads to a significantly larger search space. The approach presented in the following avoids an explicit representation of unknown signal values and hence this drawback of incompleteness. It is based on the trivial observation that a generally valid test pattern sequence is also a test pattern sequence for the circuit with resettable flipflops. Vice versa, in many cases the sequence determined for the circuit with reset state is also a valid sequence for arbitrary initial values of the flipflops. This property is formally provable using the following lemma, which directly states general validity.
Lemma 3: Let J and J_E be the PTL descriptions of a fault-free and a faulty circuit, let UC be an uncover condition according to (4) and F a PTL formula describing a test pattern sequence. The sequence is generally valid if formula (6) holds.
The following algorithm starts by generating a sequence for an arbitrary initial state. If a sequence F has been found which is not generally valid, the test generation process is restarted to capture the "missing" initial states by extending the sequence.
The function isce returns a formula describing the values of all state variables of the counterexample at the first time point.
Note that the splitting into the two functions check-sat and sat-seq has been chosen only for clarification. When using a temporal proof system, both results are achieved by one pass of the system due to its constructiveness. This also holds for check-val and isce.
Theorem: The algorithm atpg finds a test pattern sequence which is generally valid, if one exists.
Proof: The correctness of atpg follows immediately from lemma 3, since this property is explicitly proven in the algorithm. For proving completeness, the termination condition must be checked. The algorithm stops if no further test sequence with the given initialization condition IC is found. At the beginning, IC leads to a sequence for an arbitrary but fixed starting state. If no such sequence is found, trivially no generally valid sequence exists. In the second and further iterations of the algorithm, the general validity property is checked. If a sequence is not generally valid, a counterexample is generated. The values of the state variables at the first time point indicate an initial state for which the determined sequence F is unable to uncover the fault. The proof process is restarted with this state and the already generated test sequence as an additional constraint. Therefore, a new sequence is generated which extends the old sequence to uncover the fault for this new state. The algorithm only fails if the sequence cannot be extended to comprise all possible initial states. However, this is only the case if it is impossible to find a subsequence, beginning at the end state reached by the circuit after applying the already generated sequence, which uncovers the fault. Hence if the circuit had been in this end state at the beginning of the generation process, no sequence would have been possible either. Therefore no generally valid test pattern sequence exists.
Table 1 (column headers): q1E q1 q0
Example: If the algorithm is applied to the example circuit from figure 3 with the new condition IC := (¬q0 ∧ ¬q1 ∧ ¬q1E), the result of table 1 is achieved. The flipflop q0E can be omitted, since the fault cannot propagate to that flipflop. "Chosen state" indicates the state which has been chosen for test generation according to IC. The remaining initial states indicate the states for which F is not a valid test pattern sequence.
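As an added illustration of sections 5.1 and 5.2 (example code written for this page, not the authors' tool, which uses a PTL tableau with BDDs): for a finite synchronous circuit, a satisfiability check of J ∧ J_E ∧ IC ∧ UC amounts to a search over the product state space of J and J_E, and the Python below performs that search exhaustively by breadth-first search. sat_seq plays the role of check-sat/sat-seq, check_val of check-val, the state pair it returns is what isce delivers, and atpg is the loop above. The 2-bit counter netlist, its fault names and all function names are assumptions of this example. General validity is read here as in lemma 3: for every pair of initial states of J and J_E some output eventually differs; the time point of the difference may depend on the initial state, which is weaker than a fixed expected response on a tester.

```python
from collections import deque
from itertools import product

# Constructed example circuit (an assumption of this example, not a circuit from
# the paper): a 2-bit counter q1q0 with count-enable a and terminal-count output z.
# Node r = a ∨ ¬a is redundant, so stuck-at-1 on n is undetectable.  node ->
# (operator, operand names); 'dff' nodes are state variables, their operand is
# the next-state function.
INPUTS = ["a"]
STATE = ["q0", "q1"]
OUTPUTS = ["z"]
NETLIST = {
    "c":  ("and", ["q0", "a"]),        # carry into q1
    "d0": ("xor", ["q0", "a"]),
    "d1": ("xor", ["q1", "c"]),
    "q0": ("dff", ["d0"]),
    "q1": ("dff", ["d1"]),
    "n":  ("not", ["a"]),
    "r":  ("or", ["a", "n"]),          # always 1
    "z":  ("and", ["q0", "q1", "r"]),
}
OPS = {"and": lambda *x: int(all(x)), "or": lambda *x: int(any(x)),
       "xor": lambda x, y: x ^ y, "not": lambda x: 1 - x}
STATES = list(product((0, 1), repeat=len(STATE)))
ALL_PAIRS = [(g, f) for g in STATES for f in STATES]     # (J state, J_E state)
VECTORS = [dict(zip(INPUTS, b)) for b in product((0, 1), repeat=len(INPUTS))]

def step(state, inputs, fault=None):
    """One clock tick: evaluate every node at the current time point and return
    (output values, next state).  fault=(node, v) forces that node to v."""
    vals = dict(zip(STATE, state), **inputs)
    if fault and fault[0] in vals:
        vals[fault[0]] = fault[1]
    def val(n):
        if n not in vals:
            op, args = NETLIST[n]
            v = OPS[op](*(val(a) for a in args))
            vals[n] = fault[1] if fault and fault[0] == n else v
        return vals[n]
    for n in NETLIST:
        val(n)
    return tuple(vals[o] for o in OUTPUTS), tuple(vals[NETLIST[q][1][0]] for q in STATE)

def run(sg, sf, fault, seq):
    """Apply seq to J (from sg) and J_E (from sf); True once an output differs."""
    for vec in seq:
        og, sg = step(sg, vec)
        of, sf = step(sf, vec, fault)
        if og != of:
            return True, sg, sf
    return False, sg, sf

def sat_seq(fault, init_pairs, prefix=()):
    """J ∧ J_E ∧ IC ∧ UC by breadth-first search over product states: shortest
    extension of prefix for which some initial pair in init_pairs (IC) eventually
    shows a differing output (UC).  None: the conjunction is unsatisfiable."""
    queue, seen = deque(), set()
    for sg, sf in init_pairs:
        hit, sg, sf = run(sg, sf, fault, prefix)
        if hit:
            return list(prefix)
        queue.append((sg, sf, list(prefix)))
    while queue:
        sg, sf, seq = queue.popleft()
        if (sg, sf) in seen:
            continue                        # reached before with a shorter sequence
        seen.add((sg, sf))
        for vec in VECTORS:
            hit, ng, nf = run(sg, sf, fault, [vec])
            if hit:
                return seq + [vec]
            queue.append((ng, nf, seq + [vec]))
    return None

def check_val(fault, seq):
    """Lemma 3 check: None if seq is generally valid, otherwise the values of all
    state variables at the first time point for which seq misses the fault."""
    for sg, sf in ALL_PAIRS:
        if not run(sg, sf, fault, seq)[0]:
            return sg, sf
    return None

def atpg(fault):
    """The atpg loop: free initial state first, then restart from each
    counterexample state with the sequence found so far as a prefix."""
    ic, seq = ALL_PAIRS, []
    while True:
        seq = sat_seq(fault, ic, seq)
        if seq is None:
            return None                     # no generally valid sequence exists
        cex = check_val(fault, seq)
        if cex is None:
            return seq
        ic = [cex]

if __name__ == "__main__":
    for fault in (("c", 0), ("n", 1)):
        print(fault, "from reset:", sat_seq(fault, [(STATES[0], STATES[0])]))
        print(fault, "general:", atpg(fault))
```

For the carry stuck-at-0 the first iteration returns a single vector, since from the initial pair J = 11, J_E = 11 (q0 = 1, q1 = 0) the output z already differs; the check-val step reports the all-zero pair as counterexample, and the restart extends the one-vector prefix to a five-vector sequence that is generally valid. The reset-state sequence of section 5.1 for the same fault happens to be generally valid as well, the case the text mentions as frequent. The redundant stuck-at-1 fault makes the BFS exhaust all 16 product states and return None, the complete state space exploration the paper describes for undetectable faults.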
6. OPTIMIZATIONS
The temporal proving process has an exponential worst case complexity with regard to the number of state variables. Optimizing the proving system, avoiding unnecessary proof runs and reducing the problem size are therefore crucial to obtain feasible runtimes.
6.1 Avoiding Unnecessary Proof Runs
In case of circuits without reset state, the number and length of the proof runs are reduced by taking advantage of the degrees of freedom in the initial condition IC: especially when starting the algorithm, no constraints are imposed on the initial state. Hence, it is first checked whether there is directly a state which satisfies the given uncover condition. Thus it is always tried to extend the generated sequence by only one test vector. A real proof run is only performed if IC forces it. Moreover, after each proof run a fault simulation is performed by a commercial fault simulator [34] to reduce the number of faults to be processed by dropping all faults which have also been detected by the determined test pattern sequences. For this purpose, the test pattern sequences for all faults already processed are concatenated in case of non-resettable flipflops. Due to the completeness of the presented approach, the fault simulator is only used for speed improvements and is not required for validating the test pattern sequences.
6.2 Reducing the Problem Size
There are situations, in case of circuits without reset state as well as in case of circuits with reset state, in which not all parts of the circuit have to be described by PTL formulas. Hence, the input to the proof system is reduced by performing a partial modeling of the correct and faulty circuit.
Circuit parts which cannot propagate the fault to primary outputs can be eliminated in J and in J_E. When modeling the circuit by a directed graph, this elimination affects the predecessor nodes of all primary output nodes which are not successors of the faulty node. Furthermore, circuit parts which are not affected by the fault (nodes which are not successors of the faulty node) need to be modelled only once for J and J_E. Finally, when dealing with stuck-at faults, all those nodes can be eliminated which would have been necessary only to compute the value of the faulty node. These optimizations lead to considerable savings. When dealing e.g. with a stuck-at fault at a primary output, it is not necessary to model the faulty circuit at all, as in that case the uncover condition only denotes that the corresponding output of the correct circuit must eventually carry the proper logical value (e.g. 0 for a stuck-at-1 fault). Moreover, only the predecessor nodes of that output must be modelled.
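As an added example of the partial modeling described above together with the netlist-to-PTL translation of section 3 (code written for this page, not from the paper): partial_model computes, for a stuck-at fault on one node, which nodes have to be modelled for J, which need a separate J_E copy, which are identical in both circuits and modelled once, and which drop out because they cannot propagate the fault; to_ptl then emits library-style PTL formulas for the remaining nodes, with the faulty node replaced by its constant so that its fan-in is not needed in J_E. The netlist, the suffix E for the J_E copy and all function names are assumptions of this example.

```python
from collections import deque

# Constructed netlist (an assumption of this example, not a circuit from the
# paper): a 2-bit counter q1q0 with enable a and terminal count z, plus an
# unrelated output y = b ∧ q0.  node -> (operator, operand names); 'dff' nodes
# are state variables whose operand is the next-state function.
NET = {
    "c":  ("and", ["q0", "a"]),
    "d0": ("xor", ["q0", "a"]),
    "d1": ("xor", ["q1", "c"]),
    "q0": ("dff", ["d0"]),
    "q1": ("dff", ["d1"]),
    "y":  ("and", ["b", "q0"]),
    "z":  ("and", ["q0", "q1"]),
}
OUTPUTS = ["y", "z"]
SYM = {"and": " ∧ ", "or": " ∨ ", "xor": " ⊕ "}

def successors(net, node):
    """Transitive fan-out of node: every node whose value may depend on it."""
    fanout = {}
    for n, (_, args) in net.items():
        for a in args:
            fanout.setdefault(a, []).append(n)
    seen, todo = set(), deque([node])
    while todo:
        for s in fanout.get(todo.popleft(), []):
            if s not in seen:
                seen.add(s)
                todo.append(s)
    return seen

def predecessors(net, nodes):
    """Transitive fan-in of nodes, including themselves and primary inputs."""
    seen, todo = set(), deque(nodes)
    while todo:
        n = todo.popleft()
        if n not in seen:
            seen.add(n)
            todo.extend(net[n][1] if n in net else [])
    return seen

def partial_model(net, outputs, fault_node):
    """Which nodes must be modelled for a stuck-at fault on fault_node.
    good: nodes needed for J (fan-in of the outputs the fault can reach);
    faulty: nodes needing a separate J_E copy (successors of the fault);
    shared: identical in J and J_E, modelled once; dropped: cannot propagate."""
    fwd = successors(net, fault_node) | {fault_node}
    affected = [o for o in outputs if o in fwd]
    good = predecessors(net, affected)
    faulty = good & fwd
    everything = set(net) | {a for _, args in net.values() for a in args}
    return {"affected": affected, "good": good, "faulty": faulty,
            "shared": good - faulty, "dropped": everything - good}

def to_ptl(net, nodes, copy=frozenset(), fault=None):
    """Library-style PTL formulas for the given nodes: cells become □(n ↔ f(args)),
    flipflops □(○q ↔ d).  Nodes in copy get suffix E (the J_E copy); the stuck-at
    node becomes a constant.  Primary inputs produce no formula."""
    name = lambda x: x + "E" if x in copy else x
    out = []
    for n in sorted(nodes):
        if n not in net:
            continue
        op, args = net[n]
        if fault and n == fault[0]:
            out.append(f"□({name(n)} ↔ {fault[1]})")
        elif op == "dff":
            out.append(f"□(○{name(n)} ↔ {name(args[0])})")
        elif op == "not":
            out.append(f"□({name(n)} ↔ ¬{name(args[0])})")
        else:
            out.append(f"□({name(n)} ↔ ({SYM[op].join(map(name, args))}))")
    return out

if __name__ == "__main__":
    fault = ("c", 0)                    # carry stuck-at-0
    m = partial_model(NET, OUTPUTS, fault[0])
    print("dropped:", sorted(m["dropped"]), "modelled once:", sorted(m["shared"]))
    for f in to_ptl(NET, m["good"]) + to_ptl(NET, m["faulty"], m["faulty"], fault):
        print(f)
```

For the carry fault, output y and input b drop out, q0, d0 and a are modelled once, and only c, d1, q1 and z receive a J_E copy, with □(cE ↔ 0) in place of the carry gate. For a stuck-at fault on the output y itself the J_E copy shrinks to the single constant formula and only the fan-in of y remains, as the paragraph above describes for faults at primary outputs.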
A temporal logic based approach is well suited for incorporating user guidance. It is easy to add to the circuit description initializing values (e.g. a reset signal) or sequences which the designer knows will put the circuit into a state suited for a given fault, by providing additional temporal formulas to the proving procedure.
Table 2 (row labels, partially recovered): s344 ↔ s349, s382 ↔ s400
6.3 Optimizations of the Proving System
The proving procedure can be optimized by reducing the number of nodes represented by a tableau and by implementing more efficient transition conditions than the tableau rules originally used [26]. Both approaches can be combined.
Fujita and Fujisawa have shown that it is possible to represent the transition conditions of the tableau with binary decision diagrams (BDDs) to reduce the representation overhead [16]. However, an explicit enumeration of all reachable nodes in the large space of the power set of all subformulas is still required ([23], [26], [21]). This large space can be reduced when temporal logic is used only for representing and analyzing the behavior of digital circuits. In that case, it is possible to represent the states of the digital system with propositional state variables, and the nodes of the tableau can also be encoded by a vector of state variables, which can be implemented more efficiently than a characterization of states by an elementary formula labelling. Moreover, the model can be represented symbolically by a transition relation and sets of states by their characteristic functions ([36]). This approach has proven successful and has been refined immediately ([19], [28]). Burch et al. have shown that the basic mechanisms are well suited for implementing model checkers for temporal logic ([17], [29]). Our own implementation is based on these approaches using the BDD package of Brace et al. [37]. The construction process is stopped after the first satisfying variable sequence is found, so that the whole tableau of a PTL formula has to be constructed only if no solution exists.

7. EXPERIMENTAL RESULTS
The presented approach has been validated on a variety of sequential circuits. In the following, we present the results achieved on the ISCAS '89 s-benchmark set [32]. All runtimes are given in seconds and have been achieved on a SUN 4/65 workstation. Table 2 shows the results of verification runs according to lemma 1. The compared circuits are known to have identical behavior. "Depth" indicates the maximal length of an input sequence which may be applied to the circuit before a state is encountered again. The runtimes give a worst-case estimate of the effort needed for undetectable faults in circuits with reset state, if the circuit modeling has not been optimized as indicated in section 6. An undetectable fault requires at worst the same exploration of the complete state space. Hence, if the designer succeeds in the verification step, he can also be sure that for each stuck-at fault a test sequence can be generated with similar computing time. Aborted faults are avoided this way. In case of circuits with reset state, test pattern sequences of minimal length are always generated. If a fault is undetectable, acceptable runtimes are generally preserved, since in that case a complete exploration of the whole state space has to be performed, which is a strength of the verification-oriented approach. By using "cheaper" methods like random patterns before applying verification-based techniques, a considerable speed-up may be achieved for test generation [20]. However, since we want to emphasize in this paper the similarities between test and verification, we refrained from elaborating these possibilities.
8. CONCLUSIONS AND FUTURE WORK
Using temporal logic it is possible to generate test pattern sequences by performing a constructive proof of the formally stated testing problem. Following this approach, a method has been presented which allows test generation for arbitrary fault models and leads to a novel approach for non-resettable flipflops which avoids many drawbacks of other approaches. Thus we are able to provide one tool which can be used for both test generation and hardware verification. With our prototype implementation of this design tool, we are currently able to process the small and medium sized circuits from the ISCAS '89 benchmark set. This is not a fundamental drawback, since we have shown that it is possible to reduce test generation to a satisfiability problem in formal logic, as has been done previously for hardware verification. Temporal logic model checking algorithms are subject to constant improvements, so that the size of manageable circuits will further increase [38]. Moreover, it is possible to extend the approach to hierarchical circuits, since hierarchy is one of the key issues of verification and many useful approaches have already been published which can also be applied to testing ([1], [39]).
