Faculty of Electronics and Telecommunications
Justyna Zawada
On new class of test points and their applications
Ph. D. Thesis
Supervisor:
prof. dr hab. inż. Jerzy Tyszer
Poznań, Poland, 2017
Rapid and continuing progress in semiconductor technologies has made it possible to design integrated circuits with millions of gates on a single piece of silicon. The extremely competitive nature of the microelectronics industry requires that new products achieve the highest performance and the most diverse functionality in parallel with the highest quality possible. This, in turn, creates new challenges for the manufacturing test. Virtually, every leading-edge technology node introduces new types of physical defects that require more complex fault models which, along with the growing complexity of VLSI designs, result in elevated pattern counts inflating both test application time and test data volume. The requirements for new test schemes are also shaped by the safety-critical applications in, for example, medical, military, automotive, or public infrastructure domains. Moreover, recent years have significantly raised concerns over integrated circuit security. It turns out that some of the well-known DFT techniques may expose design to security threats.
Thus, there is an emerging need for new test solutions that would enhance circuit testability without compromising its security at the same time.
In this thesis, a number of new methods are introduced that deploy the concept of test points to decrease pattern counts, reduce test generation and test application times, and to increase test coverage by means of new schemes capable of identifying and resolving conflicts between circuit’s internal signals.
First, a new class of test points aimed at reducing deterministic test pattern count and test data volume is presented. Contrary to traditional test points, this new approach identifies and resolves conflicts between ATPG-assigned design’s internal signals by means of conflict-aware test points. This ability allows one to increase the number of faults detected by a single pattern, and thus to reduce both the number of deterministic tests and test data volume, leading eventually to visibly shorter ATPG and test application times.
Another class of test points is proposed to enhance performance of a hybrid test compression / LBIST technology. This novel test point insertion technique simul-
taneously reduces deterministic test pattern counts and increases detectability of random-resistant faults by means of the same minimal set of test points. A key feature of the hybrid test points is their ability to resolve cases where demands of internal nets for a given logic value come up against very low likelihood of getting this value with pseudorandom vectors.
A new scan-based LBIST scheme that aims at achieving high quality test offered by a conventional LBIST in much shorter time is presented in the subsequent part of the thesis. It is a combination of pseudorandom test patterns delivered in a test- per-clock fashion through conventional scan chains and per-cycle-driven hybrid test points. The presented method either significantly reduces test application time while preserving high fault coverage, or allows applying much larger number of vectors within the same time interval. Such approach is crucial for several domains where a very short test time is of paramount importance, including automotive electronics and other safety critical applications.
Finally, a novel application of test points providing significant two-fold improve- ment in both circuit testability and its hardware security is presented. In addition to their traditional role, it is shown that test points can be reused in the mission mode to facilitate hiding of design functionality, and thus to improve the hardware security against reverse engineering, IC cloning, IP theft. Consequently, the new approach may assure genuine products end-users work with.
All solutions presented in this thesis have been thoroughly verified through ex- periments conducted on large and complex industrial designs. The circuits represent different design styles, different scan methodologies, and mirror the latest technology nodes.
Bezprecedensowy rozwój technologii wytwarzania cyfrowych układów scalonych wielkiej skali integracji umożliwia produkcję coraz wydajniejszych urządzeń elek- tronicznych znajdujących zastosowanie w praktycznie każdej dziedzinie życia co- dziennego. Wysoki stopień miniaturyzacji elementów umieszczonych w pojedynczym układzie scalonym znacząco zwiększa prawdopodobieństwo wystąpienia uszkodzeń.
Nawet nieznaczne niedoskonałości procesu wytwarzania mogą prowadzić do niepra- widłowego funkcjonowania układu. Nowoczesne technologie produkcji charaktery- zują się ponadto nowymi typami defektów, które w wielu przypadkach pozostają niewykrywalne dla klasycznych metod testowania. Wykorzystanie nowych i bardziej złożonych modeli uszkodzeń jest z reguły okupione dużą (i często nieakceptowalną) liczbą wektorów testowych. Rosnący wolumen danych testowych, a zatem także wydłużenie czasu ich dostarczania stanowi z kolei poważne wyzwanie zarówno dla producentów sprzętu diagnostycznego jak i projektantów złożonych systemów cy- frowych. Wysokie wymagania niezawodnościowe stawiane nowym technologiom te- stowania kształtowane są także przez coraz większy udział urządzeń elektronicznych w medycynie, obronności, w systemach bezpieczeństwa transportu lotniczego, kole- jowego i samochodowego. Ich niezawodność jest z kolei w niekwestionowany sposób zależna od wysokiej jakości testowania produkcyjnego oraz stałego monitorowania poprawności pracy układu w trakcie eksploatacji. Istotnym i nowym problemem współczesnego testowania są próby wykorzystania elementów testujących do niele- galnego zidentyfikowania wewnętrznej struktury lub funkcjonalności układu.
W rozprawie zaproponowano nowe metody testowania układów i systemów cy- frowych oparte na wykorzystaniu punktów testowych, które, jak wykazano, mogą ułatwić rozwiązanie wielu z zasygnalizowanych wyżej problemów. Wszystkie propo- nowane metody są pierwszymi znanymi autorce rozwiązaniami, w których punkty testowe efektywnie wspierają generowanie testów deterministycznych, zwiększają wydajność hybrydowej technologii łączącej testowanie deterministyczne z autote- stowaniem losowym, skracają czas dostarczania wektorów testowych w urządzeniach
z autotestem, oraz chronią układy cyfrowe przed niepożądanym dostępem.
W pierwszej części rozprawy zaproponowano metodę projektowania układów ła- two testowalnych, której celem jest redukcja liczby wektorów testowych poprzez za- stosowanie nowej metody identyfikacji punktów testowych. Charakterystyczną cechą przedstawionego podejścia jest wskazanie miejsc, w których konwencjonalne algo- rytmy automatycznej generacji testów wykrywają konflikty przypisań między wy- maganymi wartościami logicznymi niezbędnymi dla wykrycia pewnych grup uszko- dzeń określanych jako uszkodzenia niekompatybilne. Przedstawiona metoda pozwala zredukować wielkość testu, a zatem skrócić także łączny czas testowania w drodze wprowadzenia do układu dodatkowych punktów testowych eliminujących opisane wyżej konflikty.
Kolejna część rozprawy jest poświęcona hybrydowej metodzie identyfikacji punk- tów testowych. Zaproponowane rozwiązanie w istotny sposób redukuje liczbę wekto- rów testowych oraz zwiększa pokrycie uszkodzeń w technologii łączącej testowanie deterministyczne z autotestowaniem losowym. Przedstawiona metoda umożliwia osiągnięcie założonych parametrów jakościowych przy pomocy znaczniej mniejszej liczby hybrydowych punktów testowych niż w przypadku zastosowania dwóch od- dzielnych grup dedykowanych dla testów deterministycznych i losowych.
Nowy schemat autotestowania znacząco skracający czas podawania pobudzeń lo- sowych przy jednoczesnym zagwarantowaniu wysokiego pokrycia uszkodzeń został omówiony w dalszej części rozprawy. Zastosowanie punktów testowych w trakcie podawania testu umożliwia dostarczanie wektorów testowych oraz rejestrację odpo- wiedzi układu za pomocą punktów obserwacyjnych w każdym cyklu zegara. Takie rozwiązanie stwarza warunki do podania zdecydowanie większej liczby wektorów te- stowych niż było to możliwe dotychczas przy założonych ograniczeniach czasowych.
Zaproponowane podejście jest szczególnie ważne dla układów scalonych o wyjątko- wych wymaganiach niezawodnościowych projektowanych i produkowanych na po- trzeby przemysłu motoryzacyjnego, medycznego, obronnego, oraz lotniczego, gdzie krótki czas testowania z zachowaniem wysokiej jakości testu jest wymagany przez międzynarodowe normy bezpieczeństwa.
W ostatniej części rozprawy wykazano, że wprowadzona nowa klasa punktów
testowych pozwala poprawić odporność układu scalonego na nielegalne próby zi- dentyfikowania jego wewnętrznej struktury i/lub funkcjonalności. Zaproponowane w rozprawie rozwiązanie wykorzystuje punkty testowe do celowego zakłócania pracy układu w przypadku niepożądanego lub nieautoryzowanego dostępu. Przedstawiona metoda zwiększa zarówno testowalność jak i bezpieczeństwo układów cyfrowych.
Wszystkie rozwiązania przedstawione w rozprawie zostały zweryfikowane i po- twierdzone w trakcie obszernego programu badań eksperymentalnych przeprowadzo- nych z wykorzystaniem aktualnie produkowanych układów cyfrowych wielkiej skali integracji oraz opracowanego przez autorkę oryginalnego oprogramowania będącego nietrywialnym rozszerzeniem istniejących narzędzi komercyjnych.
List of Terms 15
1 Introduction 17
1.1 Preamble . . . 17
1.2 Motivation . . . 21
1.3 Acknowledgments . . . 24
2 Preliminaries 27 2.1 Test generation . . . 27
2.2 Design for testability . . . 29
2.3 Logic built-in self-test . . . 30
2.4 Test compression . . . 33
2.5 Hybrid test compression / LBIST . . . 35
2.6 Hardware security . . . 37
3 Pattern count reduction 39 3.1 Motivation . . . 39
3.2 Fault blocking . . . 42
3.3 Conflict appraisal . . . 43
3.4 Test point insertion . . . 49
3.5 Experimental results . . . 55
4 Hybrid test points 63 4.1 Motivation . . . 64
4.2 Hybrid conflicts . . . 65
4.3 Probabilistic test coverage estimation . . . 70
8
4.4 Experimental results . . . 75
5 Capture-per-cycle test points 81 5.1 Motivation . . . 82
5.2 Related work . . . 82
5.3 Test architecture . . . 85
5.4 Test point sites . . . 87
5.5 Test point insertion . . . 91
5.6 Experimental results . . . 93
6 Hardware security 99 6.1 Motivation . . . 99
6.2 Activation procedure . . . 102
6.3 Logic locking through test points . . . 104
6.4 Experimental results . . . 107
6.5 Attacks . . . 113
7 Conclusion 115
Bibliography 119
1.1 Physical defects in integrated circuits . . . 19
2.1 D-multiplexed scan cell . . . 30
2.2 STUMPS architecture . . . 31
2.3 Types of control points . . . 32
2.4 Test compression and compaction . . . 34
2.5 Hybrid test compression / LBIST architecture . . . 35
3.1 Internal conflicts . . . 40
3.2 Characteristic of ATPG-based conflicts . . . 41
3.3 Forward value propagation . . . 42
3.4 Fault blocking for FFR . . . 43
3.5 Conflict on branch x1 . . . 44
3.6 Computation of metric Bx1 . . . 46
3.7 Test point insertion . . . 51
3.8 Test point insertion – example . . . 54
4.1 Hybrid conflict . . . 66
4.2 Example of hybrid test point . . . 69
4.3 Basic test coverage estimation . . . 71
4.4 Signal probabilities . . . 73
4.5 Test coverage (design D6, EDT/H) . . . 79
5.1 Test architecture . . . 85
5.2 Scan cell for observation point . . . 86
5.3 Fault propagation . . . 88
5.4 Hybrid conflict . . . 91
10
5.5 Patterns needed to reach 90% test coverage . . . 96
5.6 Test coverage as a function of test pattern count . . . 97
6.1 Basic DFT/DFS architecture . . . 103
6.2 Scrambler architecture . . . 105
6.3 Scrambler with decompressor / PRPG . . . 106
6.4 Transitive closure for a single CP . . . 109
6.5 Cumulative fraction of perturbed primary outputs and scan cells . . . 112 6.6 Fraction of perturbed primary outputs and scan cells per clock cycle . 113
3.1 Metrics for Fig. 3.8 . . . 53
3.2 Circuit characteristics . . . 56
3.3 Experimental results for cell-aware test . . . 57
3.4 Circuit characteristics [58] . . . 60
3.5 Experimental results for stuck-at and transition faults . . . 61
4.1 EDT TPs vs. LBIST test coverage (TC) . . . 64
4.2 LBIST TPs vs. ATPG pattern count (PC) . . . 64
4.3 Circuit characteristics . . . 75
4.4 ATPG pattern count . . . 76
4.5 LBIST test coverage . . . 77
4.6 Test coverage estimation . . . 78
5.1 Circuit characteristics . . . 93
5.2 Experimental results for stuck-at faults . . . 95
6.1 Circuit characteristics . . . 108
6.2 Circuits’ testability . . . 108
6.3 Transitive closure for hybrid test points . . . 111
6.4 Logic locking results after 10K clock cycles . . . 111
12
ATE Automatic test equipment
ATPG Automatic test pattern generation
CAD Computer-aided design
CP Control point
CUT Circuit under test
DFT Design for testability
DPM Defects per million
EDA Electronic design automation EDT Embedded deterministic test
FFR Fan-out-free region
IC Integrated circuit
IP Intellectual property
LBIST Logic built-in self-test
LFSR Linear feedback shift register MISR Multiple-input signature register
OP Observation point
PI Primary input
PO Primary output
PRPG Pseudorandom test pattern generator PUF Physical unclonable function
SCOAP Sandia controllability/observability analysis program
SE Scan enable
SI Scan input
SoC System-on-a-chip
TC Test coverage
TM Test mode
TP Test point
TPI Test point insertion
VLSI Very large scale integration The most important conferences:
ATS IEEE Asian Test Symposium
DAC ACM/IEEE Design Automation Conference DATE Design Automation and Test in Europe
ETS IEEE European Test Symposium
ICCAD ACM/IEEE International Conference on Computer-Aided Design ICCD IEEE International Conference on Computer Design
ITC IEEE International Test Conference
VTS IEEE VLSI Test Symposium
Term Description Page bx, Bx the number of 0s and 1s, respectively, needed on net
x to enable propagation of faults through all relevant gates
45
fx, Fx the number of forward-implied 0s and 1s, respectively, on line x due to earlier backward justifications
45
EDT test points the conflict-aware test points which have been used for the first time in EDT technology
39
faults Ck faults occurring within the cone of logic Ck 40
Introduction
1.1 Preamble
The microelectronics industry has experienced an unprecedented evolution over the past few decades, mainly due to rapid advances in semiconductor manufacturing technologies. The integration of ever-increasing number of transistors on a single chip has been a driving force behind the development of very large scale integration (VLSI) circuits. In 1975, Gordon E. Moore observed that the complexity of inte- grated circuits (ICs) doubles approximately every two years. After more than forty years, this trend, also known as Moore’s Law [62], remains valid as novel techniques are being uninterruptedly introduced to the ICs fabrication processes. Nowadays, VLSI circuits are crucial elements of all modern electronics – from consumer prod- ucts including personal computers, domestic appliances, and mobile phones, to much more sophisticated instruments used in aerospace, automotive, medical, and military systems.
Since electronic devices play an integral role in virtually every aspect of the modern life, the reliability and robustness over their expected lifetime becomes an important concern. The feature sizes of contemporary technology nodes are mea- sured in tens of atoms, while the transistor isolation layers may be a few atoms thick. Although the advances in lithography and technology processes have made it possible to achieve such miniaturization, the physical defects occurring during the fabrication have become more complex. There are many different types of physical flaws and imperfections, such as particles, misalignment, holes, contamination and
others (see Fig. 1.1) whose even minor instances may cause the process variabil- ity margins to be exceeded, resulting in faulty circuits, which in turn may create life-threatening risks, especially when used in safety-critical systems. The diversity of defects precludes finding a test pattern for every possible physical defect, and thus, the abstract models have been devised to reflect behavior of faulty circuits.
Nevertheless, since the new manufacturing techniques introduce defects that are not detectable by using fault models that were successfully applied for the preceding technology nodes, developing more adequate fault models is essential to increase test generation efficiency for cutting-edge ICs.
A high quality manufacturing test is one of the crucial factors in the development of reliable and complex semiconductor architectures, for example, system-on-a-chip (SoC) designs. While continuing miniaturization enables production of evermore sophisticated devices, there is a number of test challenges that emerge with current and future technology nodes. Semiconductor scaling, extremely small feature sizes, multiple patterning lithography, 3D structures, and mass-produced FinFET devices are just a few domains in which advances are explicitly pushing for rapid and deep reshaping of the traditional test solutions, especially that the gate level abstraction and some fault models do not suffice to ensure high-quality and low defects per million (DPM) requirements for state-of-the-art designs. The next generation test solutions are to target novel timing- and layout-related fault models and patterns, such as n-detects, embedded-multi-detects, or cell-aware [34] based on post-layout transistor-level netlists. As a result, inflated test sets and lengthy test application times become efficiency-limiting and cost-increasing factors in testing of embedded systems, system-on-chip designs, or automotive electronics.
Since the early 70s, it became evident that consideration of testing requirements at the early stages of ICs development process is crucial for providing high quality reliable products. Consequently, several design for testability (DFT) techniques were introduced that shaped the ICs industry for many years to come. The most prominent approach that revolutionized testing of sequential circuits was a scan design paradigm [23], [26], [48]. The general idea behind the scan was to improve circuit’s controllability and observability by allowing sequential elements to form
(a) Leaden dinosaur
The ball of solder is made of a mixture of tin and lead, and the silhouette is an anomalous patch of pure lead on the surface.
R.A. Sia, IEEE Spectrum, July, 2011.
(b) Bonsai
The melted ends of gold wires protrud- ing from a semiconductor look like bonsai trees sitting atop a platform.
S. Waginger, IEEE Spectrum, July, 2011.
(c) Nanoflowers
The flowers on a silicon substrate "blos- somed" when an array of vertically oriented silicon nanowires bent from their original up- right position.
R.A. Susantyoko, IEEE Spectrum, July, 2010.
(d) Bird
A particle in the hole caused a cavity for- mation in the precoat material, resembling a birdie.
L. Li, IEEE Spectrum, July, 2014.
Figure 1.1: Physical defects in integrated circuits
shift registers (scan paths) in a test mode. Despite this seminal breakthrough in test-related research and practice, the growing circuit sizes cause the magnitude of test sets produced by contemporary automatic test pattern generation (ATPG) tools to grow at a pace clearly surpassing the Moore’s law. Another significant step forward that reduced test cost in the early 2000s was introduction of test
data compression [10], [75], [90]. It assumes that automatic test equipment (ATE) delivers test patterns in a compressed form, and on-chip decompression logic expands them into actual data loaded into scan chains. Responses captured in the scan chains are reduced again by a compactor logic and then compared to their golden references on the tester. Consequently, test data compression techniques greatly reduce requirements for large ATE memories, leading eventually to test application time reduction and an increased throughput of a tester while maintaining the high quality of test.
Built-in self test (BIST) is another method to reduce test cost by incorporating test infrastructure directly onto a chip. It is based on application of pseudoran- dom test patterns generated typically by on-chip linear feedback shift register(s) (LFSR). Such test vectors may not guarantee sufficiently high fault coverage due to random pattern resistant faults, or require very long test application times to meet the high quality demands of the semiconductor manufacturing test. Several tech- niques were proposed to alleviate this problem. One of the most prominent is a test point insertion (TPI) [35]. Test points increase observability and controllability of internal lines thus making the design more random pattern testable. Despite certain expectations, logic BIST did not become a common manufacturing test paradigm due to its inherent limitations that often preclude generation of tests that can meet extremely high and constantly growing quality requirements.
Although BIST historically preceded test compression, its evident come back is now mainly attributed to the possibility of reusing its on-chip test infrastructure for test compression purposes. With the mass market driving automotive, mobile, or healthcare systems, attempts to overcome the bottleneck of test data bandwidth have made the concept of combining logic BIST and test data compression a vital research and development area. Earlier attempts to implement a hybrid test com- pression/LBIST scheme had a drawback of having separate and expensive logic for BIST and test compression. However, sharing of certain on-chip resources created the hybrid test technology as a new promising direction in the embedded test. In particular, several hybrid BIST schemes were proposed to store deterministic top-up patterns (used to detect random pattern resistant faults) on a tester in a compressed
form, and then use the existing BIST hardware to decompress these test patterns [22], [40], [42].
In recent years, the globalization of ICs supply chains, especially the outsourcing of chip fabrication and the integration of third-party intellectual property (IP) cores, has made ICs more vulnerable to malicious activities and alterations than ever before. The growing incidence of counterfeit ICs poses a major concern to the industry and government as they potentially impact the security and reliability of a wide variety of electronic systems. In addition to the impact on public safety, counterfeit products can also cause significant damage to the economy. As reported in [114], the global value of counterfeit goods for G20 nations can be now in excess of US $1.7 trillion, and that eliminates or replaces 2.5 million jobs that would otherwise be deployed for legitimate goods. The European Union (EU) experienced a tripling in the number of IP infringing goods detained at the EU borders between 2005 and 2013. Only in 2013, almost 87,000 detention cases were registered by customs, involving almost 36 million detained articles, the value of which is estimated to be nearly e800 million.
Unfortunately, also certain DFT schemes may expose designs to security threats.
For example, controllability and observability of the internal nodes provided by the test logic can be used by an attacker to reveal secret information or to identify the device technology, structure, and/or its functionality. Therefore, there is a widely- accepted consensus that IC designers can no longer take the security of microelec- tronics hardware for granted, and there is an emerging need for new solutions that enhance circuit testability without compromising its security at the same time.
1.2 Motivation
Among many factors that impact the quality of VLSI testing, test point insertion schemes are well-known yet auxiliary techniques commonly deployed to improve the overall testability of designs primarily subjected to the LBIST paradigm, where pseudorandom or even weighted pseudorandom test patterns typically do not suffice to detect certain classes of faults. Since their introduction in 1974 [35], it has been
generally agreed that carefully selected test points, in conjunction with designated scan cells, can visibly elevate test coverage by providing direct access to many inter- nal nodes of a circuit under test. Although some attempts have been made to reuse conventional test points in other applications, none of them got very far because of, for example, inherent constraints of their placement schemes. However, since test points help inject and propagate logic values through hard-to-test areas of a cir- cuit, they could also be employed, in principle, to enable more advanced test-related functions. In this thesis, we examine new and alternative paths deploying the very same test points to decrease pattern counts, reduce both ATPG run time and test application time, and increase test coverage, all by means of an innovative scheme whose key feature is the ability to identify and resolve different types of conflicts that occur during test generation. Furthermore, we demonstrate that test-point-centric DFT logic can be successfully used to lock a circuit or hide its functionality. As a result, this approach improves the hardware security against reverse engineering, IC cloning, and IP theft.
The main original contributions of the thesis are as follows:
1. A new method that aims at reducing deterministic pattern counts and test data volume. In particular, it identifies and resolves conflicts between ATPG- assigned design’s internal signals by means of conflict-aware test points.
2. Development of hybrid test points designed to enhance performance of both test compression and LBIST mechanisms in a combined test methodology.
This unique solution employs the same group of test points to facilitate gener- ation of deterministic test patterns as well as to increase detection probability of random-resistant faults.
3. A novel LBIST framework that utilizes test points in an innovative manner to achieve high quality test in much shorter time than that of a conventional LBIST scheme.
4. A new method to ensure effective protection against reverse engineering, IC cloning, and IP theft. The circuit security is enhanced by reusing testability- oriented test points in the mission mode to form the foundations of logic locking scheme.
The thesis is organized as follows. Chapter 2 provides a brief overview of VLSI test and relevant issues addressed in the remaining parts of the thesis. Chapter 3 describes the method that is primarily focused on identification and usage of a new class of test points deployed first to resolve conflicts between internal signals a test generation process is handling and, subsequently, to arrive with a compact test sets.
In particular, it demonstrates that despite bottlenecks posed by the limited ATE bandwidth and memory, the new demanding fault models, such as cell-aware as well as traditional stuck-at and transition faults, are handled efficiently as their pattern counts can be reduced remarkably.
Chapter 4 introduces another new type of test point technology making hybrid test solution a valuable option. This novel TPI technique simultaneously reduces de- terministic test pattern counts and increases detectability of random-resistant faults by means of the same minimal set of test points. A key feature of the hybrid test points is their ability to resolve cases where demands of internal nets for a given logic value come up against very low likelihood of getting this value with pseudorandom tests.
Chapter 5 is devoted to a fast scan-based LBIST scheme that aims at achieving high quality test offered by a conventional LBIST in much shorter time. This is accomplished by applying pseudorandom test patterns every clock cycle through conventional scan chains, and by recording test results by means of per-cycle-driven observation test points. Their content is gradually shifted into a compactor which is shared with the remaining scan chains that still deliver test responses captured once the entire test pattern has been shifted-in.
Finally, a new method to enhance circuit security is detailed in Chapter 6. Unlike the earlier hardware protecting solutions, in this chapter we propose a new approach that avoids the expensive circuit redesign phase and provides significant two-fold im- provement in both circuit testability and its hardware security. In particular, it is shown how test points can facilitate the hiding of design functionality from unau- thorized access and guarantee that verified end-users work with a genuine product.
As a result, not only the overall design testability is improved, but also effective protection against reverse engineering and other forms of attacks is ensured.
The thesis concludes with Chapter 7. Every scheme proposed in this work has been thoroughly verified through experiments conducted on large and complex in- dustrial designs. The circuits represent different design styles and scan methodolo- gies.
1.3 Acknowledgments
The results presented in the thesis are based on the work that I carried out between July 2014 and June 2017 at the Faculty of Electronics and Telecommunications, Poznań University of Technology, and at the Mentor Graphics Poland, Poznań. It was an amazing journey and intensive time resulting in personal and professional development. It would not have been possible without help and support of many people. I would like to take this opportunity to express my sincere gratitude and appreciation to those who walked alongside me during these years.
First and foremost, I would like to thank my supervisors, Prof. Janusz Rajski and Prof. Jerzy Tyszer. Prof. J. Rajski provided invaluable insight into the industrial practices and taught me by example what it means to be a good researcher. I greatly benefited from his expertise and enthusiasm for research. He also allowed me to be a part of the Mentor Graphics internship program which included frequent visits at the Mentor Graphics headquarters in Wilsonville, OR, USA. The collaboration with professional test engineers was extremely useful and let me learn the industrial perspective on this project. I also would like to express my sincere gratitude to Prof. J. Tyszer who guided and advised me from the very beginning of this research project. His knowledge, scientific insight, experience and mission for providing the high-quality work helped me grow as a researcher. I would like to thank him for his professional guidance over these years. Without his assistance and dedication in every step throughout the project it would never have been successfully completed.
My special gratitude goes to Dr. Grzegorz Mrugalski of Mentor Graphics Poland whose stimulating suggestions and constructive feedback helped me many times resolve various technical problems. I extend my thanks to Dr. Jędrzej Solecki who provided technical assistance in conducting some of the experiments. I also would
like to acknowledge the members of DFT group at Mentor Graphics Corporation.
In particular, Dr. Nilanjan Mukherjee and Michael Chen provided questions and responses that were invaluable for my research. Dr. Elham Moghaddam was my main adviser in the implementation of the proposed solutions within the framework of industrial tools. I appreciate their understanding and patience. We had a lot of productive and interesting discussions. Finally, I gratefully acknowledge funding that made my Ph. D. work possible. The Mentor Graphics scholarship I received during my Ph. D. journey allowed me to attend international conferences and to successfully join the international test community.
During the Ph. D project, I had a pleasure to work with VLSI test experts from Intel Corporation, Hillsboro, OR, USA, and Broadcom Corporation, Irvine, CA, USA. The opportunity to verify my solutions by using state-of-the art designs is highly appreciated.
Finally, I would like to thank my parents to whom I dedicate this work. I also extend my gratitude to all family members. Your love, support and encouragement during the past three years is so appreciated. Thank you.
Preliminaries
This chapter recalls the basic DFT concepts and related terminology used in the thesis. It begins with the principles of test pattern generation and then outlines the most common and relevant DFT techniques. Furthermore, the objectives of logic locking are briefly described.
2.1 Test generation
Clearly, generation of test patterns for every physical defect is virtually impossible.
Therefore, fault models have been introduced to make test pattern generation a fea- sible process. The most well-known is a stuck-at fault model which assumes that a line in a circuit is permanently stuck with the logic value of 0 (stuck-at-0) or 1 (stuck-at-1). Although the stuck-at fault model is widely used, it quickly became ev- ident that this model would not be able to represent many possible defects properly.
Over the years, several other fault models have been proposed including transition, delay, small delay [88], bridging faults, and stuck-open faults [89]. With integrated circuit fabrication technology advancing from 90 nm to 65 nm and beyond, a sig- nificant population of defects occurs within the gates, or cells. Many of them can be detected with traditional test methods. However, some require a peculiar set of stimuli. As a result, a cell-aware test [34] was introduced to target the location of defects within the library cells and to produce test patterns that ensure detection of those defects.
First reliable structual test generation methods for combinational circuits were
introduced in the 60’s [82]. Over the years, a number of heuristics have been proposed to handle more complex circuits. Most of them use the concepts intro- duced in the D-algorithm [82], and then widely improved by PODEM [29], FAN [25], TOPS [47], SOCRATES [84], FastScan [103], HITEC [68], NEMESIS [54], Tetra- MAX [95], and other algorithms. With no resemblance to any concrete fault model, a typical ATPG algorithm takes a particular fault as an input and generates a test pattern detecting this fault explicitly or proving it untestable. In particular, it applies a signal value at the fault site that is the opposite of the value forced by a fault (fault excitation), and then subsequently move the resulting fault effect forward (fault propagation) by sensitizing a path from the fault site to an observ- able output. The last phase is accompanied by backward justification, where all internal signal assignments previously made to excite a fault or propagate its effect are justified by setting primary inputs or pseudo-primary inputs of the circuit. To maintain a pattern count at a reasonable level, one may consider detecting several nonequivalent faults by means of a single test vector. However, handling several faults in parallel may lead to conflicts between desired internal signals. In general, a conflict between logic values within a given test stimulus relates to faults which cannot be detected by the same test pattern because of incompatible decisions made by ATPG on internal lines due to fault excitation, backward justification, or fault propagation. As a result, the size of test set depends on the number of faults that can be detected by a single vector. The quality of test patterns is measured by test coverage, i.e., a fraction of detected faults among all testable faults.
Although ATPG methods exploit structural information to produce high-quality tests, some of the circuit structures are intricate and hinder test pattern generation.
For example, reconvergent fan-out is a subcircuit where a signal branches out from a single node and follows multiple parallel paths, and then reconverges into a sin- gle node. This structure may exhibit a poor testability because signals along the parallel paths are not independently controllable. Another example is a tree-like structure called fan-out-free region (FFR). Although fault detection within FFR is relatively simple, all gates inside the FFR feed a single FFR top gate, i.e., all faults hosted by this cone of logic have to propagate through the common output of the
FFR (also referred to as a root). Careless handling of the logic values inside the FFR or in the other part of circuit may block propagation of faults within this FFR.
Modern circuits contain thousands of interconnected FFRs that may pose difficulties to generate a single test vector detecting faults hosting by different FFRs. Further- more, logic gates with a large number of inputs may also be the cause of inflated ATPG-based pattern counts.
2.2 Design for testability
As the size and complexity of digital circuits grew, especially with respect to the number of sequential elements, controlling and observing the internal nodes using only primary inputs became cumbersome. In fact, it was the main reason for changes in design paradigm leading to the advent of design for testability (DFT) methods.
In particular, the most influential structured DFT technology was a scan [23], [26], [48]. The scan allows a direct access to memory elements of a circuit under test (CUT) by forming shift registers, further referred to as scan chains, in a test mode (TM). In order to facilitate such functionality, every flip-flop needs to be redesigned into a scan cell by adding a multiplexer in the front of each flip-flop. A typical D-multiplexed scan cell, shown in Fig. 2.1, supports two modes of operation. In the scan shift mode, when a scan enable (SE) signal is asserted, every flip-flop of the sequential logic is transformed into a stage of a shift register connected to the preceding scan cell or a primary input (if it is the first flip-flop in the scan chain) through the scan input (SI). On the other hand, during the capture mode (SE=0), a scan cell captures the next state of a circuit through D input, the same way as it is done in the functional mode.
The operative paradigm of scan-based testing is to employ automatic test equip- ment (ATE) or another source of test patterns to feed serial inputs of the scan chains, with the same ATE or a test response compactor recording test responses that leave the scan chains through their serial outputs, further referred to as scan chain out- puts. The resultant high controllability and observability of internal nodes made it possible to automatically generate high quality tests and to debug the first silicon.
0
1 D Q
CLK SE
D SI
Figure 2.1: D-multiplexed scan cell
Moreover, a simple architecture of scan chains enables their automated stitching and insertion supported by electronic design automation tools, and over the years scan has become the foundation for many other advanced DFT techniques.
2.3 Logic built-in self-test
Logic built-in self-test is one of the well-established scan-based DFT schemes that al- low CUT to test itself. LBIST employs a test pattern generator, a test response com- pactor, and an on-chip controller. The most popular scheme using multiple-input signature register (MISR) and parallel shift register sequence generator (STUMPS) [7] architecture is shown in Fig. 2.2. It comprises a pseudorandom pattern gener- ator (PRPG), typically implemented by means of a linear feedback shift register (LFSR) or a ring generator [64] that provide stimuli to a number of scan chains.
Test responses are compacted in a MISR. At the end of the test session the resultant signature is verified.
As mentioned in Section 1.1, test patterns generated in a purely pseudorandom fashion may not succeed in detecting some faults. Therefore, achieving high fault coverage with LBIST generally can be accomplished, for example, by modifications of a pattern generator to produce weighted vectors [46], [65], [107]. Other techniques enhance LBIST efficiency by perturbing pseudorandom stimuli [32], [36], [108], [99], [100]. In contrast to aforementioned methods, test point insertion techniques im- prove a detection probability of random-resistant faults by deploying control points (CPs) and observation points (OPs) to excite and observe faults, respectively. Two
...
Scan chains
PRPG
CUT
MISR Reference
X-masking
Control logic
Figure 2.2: STUMPS architecture
types of control test points, i.e., an AND CP and an OR CP are shown in Fig. 2.3.
The AND control point is connected to a flip-flop (FF) via the extra NAND gate, whereas the OR control point is driven by the AND gate. In order to force a fixed logic value at a particular node in a circuit, one needs to enable the correspond- ing control point, and then activate it. An asserted test point enable (TPE) signal makes it possible for all control points in a design to work. An individual activa- tion of a given test point, however, depends on its driver flip-flop. For example, if an AND control point is driven by a flip-flop set to the logic value of 1, then it produces 0 regardless of values arriving from other parts of the circuit. A similar rule applies to an OR control point which, when active, produces 1 under otherwise similar conditions.
In general, TPI methods try to improve the fault detection likelihood while minimizing the necessary hardware [79], [87], [110]. Identification of test point locations in circuits with reconvergent fan-outs is a complex problem [14] and, hence, numerous empirical guidelines and approximate techniques have been proposed to identify suitable test point locations and to improve the overall circuit testability.
The first systematic TPI method was introduced in [13], where simulations are used
enableTP
Combinational
logic Combinational
logic
V
D Q CLK
(a) AND control point
Combinational
logic Combinational
logic
D Q
V
enableTP
CLK
(b) OR control point
Figure 2.3: Types of control points
to obtain profiles of fault propagation and correlations between internal signals.
Test points break then signal correlations. Similarly, [41] employs fault simulation to identify gates that block fault propagation and inserts test points to regain successful propagation of fault effects. A divide-and-conquer approach of [96] partitions the entire test into multiple phases. Within each phase, a group of test points is activated to maximize the fault coverage calculated over the set of still-undetected faults.
A probabilistic fault simulation, which computes the impact of a new control point in the presence of the control points already selected, is used as a vehicle to select test points.
To avoid time-consuming simulations, other methods utilize the controllabil-
ity and observability measures to identify the hard-to-control and hard-to-observe sectors of a circuit, at which test points are subsequently inserted. In particular, the schemes of [17], [66] use COP estimates [12] to extract testability data. Hy- brid testability measures [101] that use the SCOAP metrics [30], cost functions [27], a gradient-based method [86], or signal correlation [16] are used as well to determine the best TP sites.
2.4 Test compression
As integrated circuits become more and more complex, the growing volume of test data causes a significant increase in test cost mainly due to much longer test ap- plication time and larger ATE memory requirements. Over the years, a number of test data compression techniques [98] have been developed to address this prob- lem. The first commercial test compression scheme was embedded deterministic test (EDT) [75]. In contrast to LBIST, the primary objective of test compression is to reduce tester memory requirements, rather than eliminate it altogether. In gen- eral (see Fig. 2.4), compressed test stimuli, stored in a tester memory, are delivered through tester channels to on-chip decompression logic which restores the expected data and loads them into scan chains. Test responses captured in the scan cells are compacted before they reach back the ATE for verification. Depending on a test pat- tern encoding technique, one can distinguish different groups of test data compres- sion schemes such as purely combinational solutions [6], code-based schemes [109], static reseeding [28], [31], [36], [57], [80], [104], [106], and dynamic reseeding [9], [20], [75]. Surveys of these techniques can be found, for example, in [45] and [98].
Although test data compression has been a very successful mainstream DFT methodology of the last decade, the amount of test data required to test ICs is growing rapidly in each new generation of technology. Achieving high test quality in ever smaller geometries requires more test patterns targeting delay faults and other fault models beyond stuck-at faults. The alarming conclusion is that in the following years the state-of-the-art test compression techniques may not be able to provide an adequate and desired reduction of test data. The solution presented in Chapter 3
...
Scan chains
CUT
Decompressor Compactor
Compressed
stimuli Compacted
responses ATE
Figure 2.4: Test compression and compaction
is an attempt to address this problem. The proposed scheme identifies the largest internal conflicts precluding efficient ATPG-based test reduction. Locations corre- sponding to such conflicts are modified by inserting test points in order to increase the number of faults targeted by a single pattern, and thus to reduce ATPG test pattern counts and the resultant test data volume.
Interestingly, there were also attempts to employ traditional test points to reduce the number of deterministic test vectors. However, performance of LBIST test points in reducing ATPG-based test patterns is quite unpredictable as they may not affect test pattern counts at all with their average reduction being anywhere between 0 and 35% [53]. In contrast, Chapter 3 introduces an original new class of conflict-aware test points devised specifically to increase the number of faults targeted by a single pattern, and to overcome the growing test set size problem, leading eventually to shorter ATPG and test application times.
2.5 Hybrid test compression / LBIST
Given a reasonable test time (or alternatively a pattern count), the resultant LBIST fault coverage can be unacceptably low. Consequently, the concept of hybrid BIST that stores compressed deterministic top-up patterns (used to detect random-resistant faults) on a tester, and then use the existing BIST infrastructure to perform a vector decompression has become a vital research area [37], [40], [52], [74], [105]. If existing BIST logic is used to handle compressed test data, then encoding schemes typically take advantage of low fill rates, as originally proposed in most methods of sequential test data compression recalled in Section 2.4.
The example of a hybrid EDT/LBIST architecture is shown in Fig. 2.5. It shares several on-chip DFT resources including a single-block PRPG, a test response com- pactor, and the hybrid controller. Typically, this type of sharing provides additional 20% – 50% hardware reduction. A hybrid EDT/LBIST controller can be accessed through a standard IEEE 1687 network, allowing easier access to the embedded test capabilities from anywhere in the system.
Ring generator Phase shifter MISR
…
scan inBIST BIST
scan out
Chain mask register EDT input
channel
EDT input channel
EDT output channel
EDT output channel 1
1
LBIST enable
EDT low power X-masking
Scan chains
Figure 2.5: Hybrid test compression / LBIST architecture
Clearly, the hybrid scheme saves external test data and reduces the number of pseudorandom patterns. It operates in two steps. First, a PRPG produces a pre- determined number of random stimuli that detect random (or easy) testable faults.
To avoid a prohibitively large number of random patterns, the second step targets the random resistant faults by using ATPG patterns whose compressed forms are applied through on-chip decompression logic. Now, the same hardware – a pseu- dorandom test pattern generator – is reused to decompress test cubes and to feed scan chains. This is only possible provided sequential test compression is deployed.
Hence, as can be seen in Fig. 2.5, an n-bit ring generator and a phase shifter make up a sequential test data decompressor feeding scan chains. The decompressor receives compressed test data through input injectors (or EDT input channels). Further- more, several two-input multiplexers are placed in the front of the ring generator.
These multiplexers are controlled by a single LBIST enable signal. When asserted, the multiplexers feed the ring generator with constant 1s, which facilitates gener- ation of pseudorandom patterns by turning the decompressor into a conventional PRPG.
On the output side, a MISR is used as a test response compactor in the LBIST mode. The very same MISR receives data from XOR trees acting as spatial test response compactors for bundles of scan chains. In addition to serving the MISR, the XOR trees produce compressed test data that are sent directly to an external tester if a circuit operates in a deterministic test compression mode.
Although the benefits of using a hybrid approach are well pronounced, there was no reliable TPI technique to be successfully applied in the hybrid test environment until recently. While testability-based test points may be used to support LBIST, their impact on deterministic test pattern reduction is unpredictable as they are poorly suited to the other party functionality. Thus, in Chapter 4, we present a novel test point insertion scheme which is able to enhance performance of both test compression and LBIST at the same time. This technique is accompanied by a new LBIST test coverage estimation method that has been developed to quickly guide a test point selection process.
It is also worth observing that one of the main drawbacks of scan-based testing
relates to the fact that all scan chains must be filled with a test pattern before it is applied. Consequently, the vast majority of test time is spent on just shifting test data. Consider a design with 100-cell long scan chains. Applying 10,000 single- capture test patterns will require 1,000,000 shift cycles and 10,000 capture cycles.
Thus, as low as 1% of cycles are actually spent on testing. This simple example indi- cates how much potential there is still to be explored as far as the scan methodology is concerned. This observation was a driving factor for the approach presented in Chapter 5. To utilize the test application time in a more efficient manner, a novel scan-based scheme is proposed that allows one to achieve high quality test in a much shorter time, or alternatively, to apply a much larger number of vectors within the same time interval.
2.6 Hardware security
Along with new challenges in manufacturing test, it turns out that some of DFT techniques can lead to a number of threats and may jeopardize the overall system security. For example, malicious users can deploy scan chains to recover confidential data stored in cryptographic devices as demonstrated by backdoors discovered in high-security devices that can then be exploited by deploying a boundary scan test access port [91]. Similarly, debug ports provided by the standard interfaces, such as IEEE 1500, can also be maliciously misused. Although certain advanced DFT structures, e.g., test compression, were believed to be scan-based-attacks resistant, some techniques, including a differential analysis, have invalidated this conjecture.
Furthermore, modern IC designs often involve third-party IP cores, outsourced test services, EDA software tools supplied by different vendors, and manufacturing to contract foundries in order to reduce the cost per IC. As a result, the involvement of third-parties in semiconductor design, fabrication and testing processes make ICs more vulnerable to malicious activities and alterations than ever before. One of these malicious activities is reverse-engineering. Growing attempts to steal or violate a design IP, or to identify the device technology in order to counterfeit ICs raise serious concerns in the IC design community. The objective of the attacker is
to successfully recover a design structure by means of destructive or non-destructive methods [97]. Once the IP netlist is known, it can be illegally sold or used to design other ICs (IC piracy). Also, one can reuse the components extracted from competing products, thus revealing trade secrets. Due to these harmful effects, a pure social loss, and the cost of combating IC counterfeiting and piracy, reverse engineering is considered to be one of the most serious threats to the semiconductor industry.
As the information derived from these practices can be used in a number of ma- licious ways, various active techniques have been proposed and deployed to protect intellectual property, of which logic locking is a vital part. In this technique, addi- tional logic (also known as key gates), typically XOR gates [83], multiplexers [71], or memory elements are inserted into the design in order to hide circuit’s functionality and its implementation. Clearly, a design will function properly only if a correct key drives all key gates. It is worth noting that the ability to hide circuit’s function- ality by means of extra logic added to a design carries major implications such as unacceptable area, performance, and power overheads. Unlike the earlier solutions, Chapter 6 demonstrates the method that avoids the expensive circuit redesign phase due to reusing test points in the mission mode to facilitate the hiding of circuit’s functionality from adversaries.
Since both the growing manufacturing cost and the ICs security are the crucial aspects that need to be addressed by new testing schemes, the Chapters 3–6 describe in detail how, in particular, test points can be employed to address these concerns.
The remaining four chapters provide a comprehensive characterization of the TPI scenarios and propose techniques to reduce both pattern count and test application time, and to increase fault coverage. Furthermore, it is shown that test points can be successfully used to improve the hardware security by means of logic locking scheme.
Pattern count reduction
The chapter presents a TPI technique that aims at reducing ATPG test pattern counts and test data volume through insertion of conflict-aware test points. In contrast to traditional test points tackling random resistant faults, a key feature of the proposed scheme is its ability to identify and resolve conflicts between ATPG- assigned design’s internal signals. This ability allows the new approach to increase the number of faults targeted by a single pattern, and to overcome the growing test set size problem, leading eventually to shorter ATPG and test application times.
Since EDT is the commercial test compression technology, where the conflict-aware test points have been used for the first time, throughout this thesis the terms conflict- aware test points and EDT test points are used interchangeably. This material has been presented in papers [1], [2], [3], [50], and is a subject of a pending patent application [72].
3.1 Motivation
Consider a simple example having no resemblance to any concrete fault model. In order for a test pattern to detect a fault, it must apply a signal value (or values) at the fault site that is the opposite to the value produced by the fault, and must sub- sequently move the resulting fault effect forward (fault propagation) by sensitizing a path from the fault site to a scan cell or a primary output.
To reduce a pattern count, a single test vector could be used to detect several nonequivalent faults. An attempt to find such a pattern may lead, however, to
