On the use of testability measures for dependability assessment

Program “testability” is informally, the probability that a program will fail under test if it contains at least one fault. When a dependability assessment has to be derived from the observation of a series of failure free test executions (a common need for software subject to “ultra high reliability” requirements), measures of testability can-in theory-be used to draw inferences on program correctness. We rigorously investigate the concept of testability and its use in dependability assessment, criticizing, and improving on, previously published results. We give a general descriptive model of program execution and testing, on which the different measures of interest can be defined. We propose a more precise definition of program testability than that given by other authors, and discuss how to increase testing effectiveness without impairing program reliability in operation. We then study the mathematics of using testability to estimate, from test results: the probability of program correctness and the probability of failures. To derive the probability of program correctness, we use a Bayesian inference procedure and argue that this is more useful than deriving a classical “confidence level”. We also show that a high testability is not an unconditionally desirable property for a program. In particular, for programs complex enough that they are unlikely to be completely fault free, increasing testability may produce a program which will be less trustworthy, even after successful testin

A Semi-Formal Technique to Generate Effective Test Sequences for Reconfigurable Scan Networks

The broad need to efficiently access all the instrumentation embedded within a semiconductor device called for a standardization, and the reconfigurable scan networks proposed in IEEE 1687 have been demonstrated effective in handling complex infrastructures. At the same time, different techniques have been proposed to test the new circuitry required; however, most of the automatic approaches are either too computationally demanding to be applied in complex cases, or too approximate to yield high-quality tests. This paper models the state of a reconfigurable scan network with a finite state automaton, using the length of the active path as the output alphabet and the configurations as input symbols. Permanent faults are represented as incorrect transitions, and a greedy algorithm is used to generate a functional test sequence able to detect all these multiple state-transition faults. The automaton’s state set and the input alphabet are small subsets of the possible ones, and are carefully chosen. Experimental results on ITC’16 benchmarks demonstrate that the proposed approach is broadly applicable; the test sequences are more efficient than the ones previously generated by search heuristics

An Enhanced Evolutionary Technique for the Generation of Compact Reconfigurable Scan-Network Tests

Nowadays many Integrated Systems embed auxiliary on-chip instruments whose function is to perform test, debug, calibration, configuration, etc. The growing complexity and the increasing number of these instruments have led to new solutions for their access and control, such as the IEEE 1687 standard. The standard introduces an infrastructure composed of scan chains incorporating configurable elements for accessing the instruments in a flexible manner. Such an infrastructure is known as Reconfigurable Scan Network or RSN. Since permanent faults affecting the circuitry can cause malfunction, i.e., inappropriate behaviour, detecting them is of utmost importance. This paper addresses the issue of generating effective sequences for testing the reconfigurable elements within RSNs using evolutionary computation. Test configurations are extracted with automatic test pattern generation (ATPG) and used to guide the evolution. Postprocessing techniques are proposed to improve the evolutionary fittest solution. Results on a standard set of benchmark networks show up to 27% reduced test time with respect to test generation based on RSN exploratio

Fuzzy FMECA Process Analysis for Managing the Risks in the Lifecycle of a CBCT Scanner

The Failure Mode, Effects, and Criticality Analysis (FMECA) is one of the risk analysis techniques proposed by the ISO 14971 Standard. This analysis allows to identify and assess the consequences of faults that affect each component of a complex system. The FMECA is a forward-type technique used for highlighting critical points and classifying them by priority. It also makes it possible to evaluate the extent of failures by means of numerical indices. It can be applied to a product or to a work process. In the latter case we talk about Process-FMECA. The application of the Process-FMECA to bioengineering is of particular interest because this procedure provides an analysis related to risk management during all the different phases of the medical device life cycle. However, practical applications of this method have revealed some shortcomings that can lead to inaccuracies and inconsistencies regarding the risk analysis and consequent risk prioritization. This paper presents an example of application of a Fuzzy Process-FMECA, an improved Process-FMECA based on fuzzy logic, to a small computerized tomography (CT) device prototype designed for studying the extremities of the human body. This prototype is a CT device that uses the Cone Beam CT (CBCT) technology. The Fuzzy Process-FMECA analysis has made it possible to produce a table of risks, that are quantified according to the specifications of the method. The analysis has shown that each phase or activity is fundamental to guarantee a correct functioning of the device. The methodology applied to this specific device can be paradigmatic for analyzing the process risks for any other medical device

A Novel Sequence Generation Approach to Diagnose Faults in Reconfigurable Scan Networks

With the complexity of nanoelectronic devices rapidly increasing, an efficient way to handle large number of embedded instruments became a necessity. The IEEE 1687 standard was introduced to provide flexibility in accessing and controlling such instrumentation through a reconfigurable scan chain. Nowadays, together with testing the system for defects that may affect the scan chains themselves, the diagnosis of such faults is also important. This article proposes a method for generating stimuli to precisely identify permanent high-level faults in a IEEE 1687 reconfigurable scan chain: the system is modeled as a finite state automaton where faults correspond to multiple incorrect transitions; then, a dynamic greedy algorithm is used to select a sequence of inputs able to distinguish between all possible faults. Experimental results on the widely-adopted ITC'02 and ITC'16 benchmark suites, as well as on synthetically generated circuits, clearly demonstrate the applicability and effectiveness of the proposed approach: generated sequences are two orders of magnitude shorter compared to previous methodologies, while the computational resources required remain acceptable even for larger benchmarks

耐ソフトエラーラッチにおける欠陥の分析、検出及び評価に関する研究

The development of modern integrated circuits (ICs) has greatly changed the life of humankind. Nowadays, IC s are also indispensable to mission-critical applications, such as medical devices, autonomous cars, aircraft navigating systems, and satellites. The reliability of these mission-critical applications is a major concern. A soft-error occurring in an IC is a severe threat to its reliability, especially for mission-critical applications. The continuous trend of shrinking technology feature sizes makes modern ICs more and more vulnerable to soft errors. Soft-errors are caused by radiation particles striking an IC and generating current pulses to disturb its functionality. A soft-error can cause data corruption and may eventually lead to system failure s If a soft-error occurs in an operational medical device during surgery, it may cause a malfunction of this device and interrupt the surgery process. A soft-error may change the control data of an autonomous car which may lead to an accident. A soft-error may corrupt the aircraft navigating systems. No one would take the chance to let it happen even though malfunction s caused by soft errors can be solved by resetting these devices. Because reset takes time and severe results may happen during the resetting. If a soft-error causes a malfunction in the control system of a satellite, it may not be able to maintain its height and eventually burn up as it falls into the Earth’s atmosphere. Hence, it is important to protect ICs from soft errors. Many soft-error tolerance methods have been proposed to protect ICs against soft-errors. In an IC, memory elements and storage elements (e.g., latches and flip flops) are the most vulnerable to soft-errors, and data stored in them are crucial to the operation of a circuit. Error correction codes (ECCs) can be u sed to protect memories. Register-level soft-error tolerance methods can be used to detect soft-errors in latches by using parity checking and correct them by resetting. Hardened designs protect latches against soft-errors by using redundant feedback loops to store the same input data and using a voter to select the correct output. The advantage of using hardened designs is that they can prevent soft-errors from reaching outputs while ECCs and register-level soft-error tolerance methods must detect soft-errors and then correct them by restoring the data. For protecting storage elements in mission-critical applications, hardened latch design is the best option because it has high reliability and can save the resetting time. Many state-of-the-art hardened latch designs have been proposed to tolerate soft errors and they are believed to have good soft-error tolerability. Defects (physical flaws due to imperfect production (production defects) and physical changes caused by aging effects after a long operation time (aging-related defects) can also cause a malfunction of a circuit and cause a system failure eventually. Different from the temporal state change of a circuit caused by soft errors, defects are permanent damages to a circuit and can disturb the behavior of a circuit from its desired manner. Defects in storage elements should be detected to make sure a system/device operating correctly and stably. Scan test is a commonly used defect detection method, which connects reconfigured storage elements to form a shift register with external access and the internal states of these storage elements can be easily controlled and checked. However, the impact of defects on existing state of the art hardened latch design has not been considered. This impact requires consideration because added redundancy in hardened latch designs can not only mask soft-errors but also mask the effects of defects and it can lead to two serious problems: Problem-1 (Low Testability): Production defects in hardened latch designs are difficult to detect with conventional scan tests, in which the observability (an important metric to evaluate a circuit’s testability) of defects in hardened latch designs can be greatly reduced. Therefore, existing state-of-the-art hardened latches have low observability and thus low testability. Furthermore, defects that escaped the production test (undetected defects) may become more and more serious and cause a system failure eventually. Problem-2 (Low Soft-Error Tolerability): Undetected defects and aging-related defects can make hardened latch designs vulnerable to soft-errors while defect-free ones do not. The soft-error tolerability of hardened latch designs may be compromise d by undetected defects or aging related defects. This research is the first to consider Problem-1 of low testability of hardened latches and Problem-2 of defects reducing the reliability of hardened latches. Furthermore, this research is the first to pro pose a comprehensive solution to solve these two problems with the following five major contributions: Contribution-1: A first of its kind metric for quantifying the impact of defects on hardened latches, called Post-Test Vulnerability Factor (PTVF). It is used to analyze the residual soft-error tolerability of hardened latches after testing. Problem-2 is solved by this first major contribution. Contribution-2: A novel design called Scan-Test-Aware Hardened Latch (STAHL) that provides the highest defect coverage in comparison with all existing hardened latches. Problem-1 is solved by using STAHL to build a scan c ell to perform a scan test. Contribution-3: A novel scan test procedure is proposed to solve Problem-1 by fully testing the STAHL based scan cell. Contribution-4: A novel High-Performance Scan-Test-Aware Hardened Latch (HP-STAHL) design can also solve Problem-1 and has similar defect coverage as STAHL but has lower power consumption and higher propagation speed. Contribution-5: A novel scan test procedure is proposed to fully test the HP STAHL-based scan cell to solve Problem-1. Comprehensive simulation results demonstrate the accuracy of the PTVF metric and the effectiveness of the STAHL-based scan test and HP-STAHL-based scan test. As the first comprehensive study bridging the gap between hardened latch design s and IC testing, the findings of this research are expected to significantly improve the soft-error-related reliability of IC designs for mission-critical applications. Furthermore, the two proposed hardened latches and the scan test procedures can not only be use d to detect defects after production but also can be applied to detect aging related defects in the field through performing built-in self-test (BIST). In Chapter 1, an example is introduced to indicate Problem-1 and Problem-2. Chapter 2 shows the background information of soft-errors and defects. Chapter 3 shows some typical soft-error mitigation methods and details of a scan test. Chapter 4 describes the detailed information of PTVF Contribution-1). Chapter 5 shows the structure of STAHL (Contribution-2) and Chapter 6 shows the scan test procedure of testing the STAHL-based scan cell (Contribution-3). Chapter 7 shows the structure of HP-STAHL (Contribution-4) and Chapter 8 shows the scan test procedure of testing the HP-STAHL based scan cell (Contribution-5). Chapter 9 shows the experimental results of comparing STAHL and HP-STAHL with state-of-the-art hardened latch designs. Chapter 10 concludes this thesis.九州工業大学博士学位論文 学位記番号：情工博甲第371号 学位授与年月日：令和4年9月26日1. Introduction|2. Background|3. Related Works|4. Post-Test Vulnerability Factor (PTVF)|5. Scan-Test Aware Hardened Latch (STAHL)|6. Scan Test Based on STAHL|7. High Performance Scan-Test-Aware Hardened Latch (HP STAHL)|8. Scan Test Based on HP STAHL|9. Experimental Evaluation|10. Conclusions and Future Works九州工業大学令和4年

New techniques for functional testing of microprocessor based systems

Electronic devices may be affected by failures, for example due to physical defects. These defects may be introduced during the manufacturing process, as well as during the normal operating life of the device due to aging. How to detect all these defects is not a trivial task, especially in complex systems such as processor cores. Nevertheless, safety-critical applications do not tolerate failures, this is the reason why testing such devices is needed so to guarantee a correct behavior at any time. Moreover, testing is a key parameter for assessing the quality of a manufactured product. Consolidated testing techniques are based on special Design for Testability (DfT) features added in the original design to facilitate test effectiveness. Design, integration, and usage of the available DfT for testing purposes are fully supported by commercial EDA tools, hence approaches based on DfT are the standard solutions adopted by silicon vendors for testing their devices. Tests exploiting the available DfT such as scan-chains manipulate the internal state of the system, differently to the normal functional mode, passing through unreachable configurations. Alternative solutions that do not violate such functional mode are defined as functional tests. In microprocessor based systems, functional testing techniques include software-based self-test (SBST), i.e., a piece of software (referred to as test program) which is uploaded in the system available memory and executed, with the purpose of exciting a specific part of the system and observing the effects of possible defects affecting it. SBST has been widely-studies by the research community for years, but its adoption by the industry is quite recent. My research activities have been mainly focused on the industrial perspective of SBST. The problem of providing an effective development flow and guidelines for integrating SBST in the available operating systems have been tackled and results have been provided on microprocessor based systems for the automotive domain. Remarkably, new algorithms have been also introduced with respect to state-of-the-art approaches, which can be systematically implemented to enrich SBST suites of test programs for modern microprocessor based systems. The proposed development flow and algorithms are being currently employed in real electronic control units for automotive products. Moreover, a special hardware infrastructure purposely embedded in modern devices for interconnecting the numerous on-board instruments has been interest of my research as well. This solution is known as reconfigurable scan networks (RSNs) and its practical adoption is growing fast as new standards have been created. Test and diagnosis methodologies have been proposed targeting specific RSN features, aimed at checking whether the reconfigurability of such networks has not been corrupted by defects and, in this case, at identifying the defective elements of the network. The contribution of my work in this field has also been included in the first suite of public-domain benchmark networks

Testing the Trustworthiness of IC Testing: An Oracle-less Attack on IC Camouflaging

Test of integrated circuits (ICs) is essential to ensure their quality; the test is meant to prevent defective and out-of-spec ICs from entering into the supply chain. The test is conducted by comparing the observed IC output with the expected test responses for a set of test patterns; the test patterns are generated using automatic test pattern generation algorithms. Existing test-pattern generation algorithms aim to achieve higher fault coverage at lower test costs. In an attempt to reduce the size of test data, these algorithms reveal the maximum information about the internal circuit structure. This is realized through sensitizing the internal nets to the outputs as much as possible, unintentionally leaking the secrets embedded in the circuit as well. In this paper, we present HackTest, an attack that extracts secret information generated in the test data, even if the test data does not explicitly contain the secret. HackTest can break the existing intellectual property (IP) protection techniques, such as camouflaging, within two minutes for our benchmarks using only the camouflaged layout and the test data. HackTest applies to all existing camouflaged gate-selection techniques and is successful even in the presence of state-of-the-art test infrastructure, i.e. test data compression circuits. Our attack necessitates that the IC test data generation algorithms be reinforced with security. We also discuss potential countermeasures to prevent HackTest