IEEE TRANSACTIONS ON ELECTRONIC COMPUTERS VOL. EC-15, NO. 1 FEBRUARY, 1966

On Finding a Nearly Minimal Set of Fault DetectionTests for Combinational Logic Nets

D. B. ARMSTRONG

Abstract-A procedure is described for finding, by shortcut In this paper the fault table approach is again invoked;methods, a near-minimal set of tests for detecting all single faults how,-ever, only a very small fraction of all possible testsin a combinational logic net. The procedure should prove useful fornets which are too large to be treated by more exact methods [2]. aree din te tab.e tesse r are arilyThe set of tests so found also appears useful for diagnosing (i.e., those which detect large numbers of faults, and thelocating) faults. The class of faults considered is that which causes main problem attacked here is the derivation of a short-connections to be stuck at logical one or logical zero. The nets cut procedure for finding these desirable tests. This pro-considered may include AND, OR, NAND, NOR, and NOT gates. cedure also appears to ensure finding a sufficient set of

The bases of the procedure are the "path sensitizing" concept, tests to detect all detectable faults. This point is dis-and reduction of a net to its "equivalent normal form," abbreviated cussed deter in tect faph of S on t isenf. It is shown that if a set of tests can be found which detects an cussed further in the last paragraph of Section II. It isappropriate subset of faults in the enf, this set will detect all faults not guaranteed that the set of tests thus derived willin the original net. The enf also provides a vehicle for systematically contain a truly minimal subset, but it is likely to con-finding the most desirable tests, namely those which each detect tain one that is near minimal. The procedure may be-many faults in the net. The procedure is illustrated in detail by an

example. ~~~~~~~~comecumubersome when the number of paths throughexample. the net is large. This tends to be the case when many

I. INTROD-UCTION gates have a high-fanout index.The method is developed for nets composed of any of

N PREVIOUS papers [1]-[3] on fault detection in the following gate types: AND, OR, NOT, NAND, andcombinational logic, the following general strategy NOR. Only single faults are considered. The fault typefor finding a minimal set of fault detection tests has is that which causes any wire to be (or appear logically

been employed. A particular class of faults is hypothe- to be) "stuck at one" or "stuck at zero." These namessized, and the net in question is analyzed to find wvhich are abbreviated to s-a-i and s-a-0, respectively, in thefaults of the class are detected by each possible test. For sequel. This is the same type as treated in previouscombinational logic a test is just an input combination. papers [2], [3].A test detects a fault if the net output differs from the Section II of this paper develops some concepts under-correct output when the test is applied and the fault is lying the procedure and Section III describes the pro-present. The analysis permits a "fault table" to be con- cedure. It appears that the set of tests so generated isstructed. A fault table is a table in which there is a row also useful for fault diagnosis (i.e., fault location). Thisfor each possible test and a column for each possible aspect is briefly considered in Section IV.fault. A 1 is entered at the intersection of a row and Before proceeding, it is worthwhile pointing out thatcolumn if the corresponding test detects the correspond- if a network contains logical redundancy, not all faultsing fault; otherwise a 0 is entered. The problem of find- are detectable. Specifically we have:ing a minimum set of tests then reduces to the problemof finding a minimum set of row-s in the table such that Theorem 1they include at least one 1 in every column. This is All s-a-t and s-a-0 faults in a net are detectable if andidentical to the well-known prime implicant covering only if the net is irredundant.problem [4]. A formal proof of the theorem is omitted, since it fol-

For large nets the previously described procedure be- loWs directly from the definition of irredundance. A netcomes extremely unwieldy because of the size of the is defined to be irredundant if it contains no redundantfault table. For example, for a net with 20 input vari- connections. A connection is redundant if it can be cutables the table could contain more than a million rows. without altering the output functions. A cut input con-Galey et al. [3] presented a method for deriving the nection to a NAND or AND gate is logically equivalentcomplete set of tests for each fault in a compact form. to having that input stuck at one. A cut input connec-They then derived an approximately minimal set of tion to a NOR or OR gate is logically equivalent to hay-tests for all faults by performing a prescribed sequence ing that input stuck at zero. It appears that M4artel-of intersections on the test sets for the individual faults. lotto and Mayne [5] were first to state the aforemen-

tioned theorem. In the remainder of this paper, when

Manuscript received July 12, 1965; revised October 18, 1965. dtcig"l als ssoe f twl en"lThe author is with Bell Telephone Labs, Inc., Murray Hill, N. J. detectable faults."

66

ARMSTRONG: FAULT DETECTION TESTS FOR COMBINATIONAL LOGIC NETS 67

II. PATH SENSITIZING AND REDUCTION inspection of the net. Unfortunately, no such directTO EQUIVALENT NORMAL FORM technique has been discovered. However, if the net is

first reduced to its "equivalent normal form" (enf), sys-This procedure is based on the "path sensitizing" tematic procedures can then be applied to find these

technique1 for detecting faults. Figure 1 depicts a por- "good" tests.tion of a net, and it is desired to find a test which detects The enf of a net is obtained by expanding the (gen-a s-a-i fault at B. Figure 1 shows a path from B to an erally factored) Boolean expressions representing eachoutput J. Suppose this is the only path from B to the output function in the net, using well-known procedures,outputs. Then a test which detects a s-a-i fault at B but with the following restrictions:must be such that, when the circuit is normal, a 0 . 1) The identity of every path from each net input toappears on B and "1"s appear on all remaining inputs the outputs must be retained.to NAND and AND gates in the path, while "40"1s 2) In general, no redundant terms or literals result-appear on all remaining inputs to NOR and OR gates in ing from the expansion may be discarded. The one ex-the path. This is necessary to insure that when B ception to this rule is discussed in Appendix II-B.changes from 0 to 1 upon occurrence of the fault, the The reduction of a single-output net to its enf is illus-change propagates to output J where it is detected. The trated for the net of Fig. 2. The input variables are a,path is now said to be "sensitized." b, c, and d. The internal connections are identified by theThe previously stated conditions on a test may not lettersf, j, k, m, u, and v; the output by y. The gates are

hold on gates which are points of reconvergence for two identified by numbers 1 through 7. The gates are as-or more fanout paths from some preceding gate. Thiscomplication does not invalidate the procedure used sing thlevel 1t the outpu an orking back-here, as will be illustrated by a later example. More ward. th derivatlon of the enf proceeds in steps. Indetails on reconverging fanout are given in Appen- terms of the inputs to gates in level 1 we havedix II-B.

t

The actual changes in values along the path in Fig. 1, y = (u + V)7 (1)upon occurrence of the fault at B, are also indicated inFig. 1. Connections C, D, and E undergo the change where the subscript 7 identifies the involved gate in1-O>0, while connections B and J undergo the change level 1. In terms of the inputs to level 2 we have0-si. It is now apparent that a test which detects as-a-i fault on B also detects a s-a-i fault on J and s-a-0 y = ((b])4 + (km)6)7 (2)faults on C, D, or E. If it is desired to detect a s-a-0fault on B, a test would be applied such that a 1 appears where subscripts 4 and 6 identify the involved gates inon B, while the remaining inputs to the gates on the level 2path remain as before. This new test would also detectthe complementary set of faults to those detected by thefirst test on this path. Thus, the two tests together -7-

would detect all s-a-i and s-a-0 faults on this path. I OR NOTThis suggests that if tests are chosen which detect all NET. B O O JINPUTS C 1 E OUTPUTS

faults on the net inputs, all faults in the network will be D

detected, provided only that the set of tests chosen sen-sitizes a set of paths containing all connections in thenet. This, in fact, is guaranteed to happen if there is no Fig. 1. Example of a sensitized path in a net.fanout in the net, because in this case there is only onepath from each net input to the outputs; therefore, theset of paths originating at net inputs will contain all LEVEL LEVEL LEVEL LEVEL LEVELconnections. When fanout exists there occurs the addi-tional problem of sensitizing a set of paths which, infact, contain all connections.

u

It has been observed, by trying numerous examples,that tests usually exist having the property that each c a' 2sensitizes several paths through a net simultaneously. IObviously, these tests must be discovered and used if aI |near-minimal set of detection tests is to be obtained. ItIIJIwould be desirable if such tests could be found by directI l I

1 To the author's knowledge this approach was first suggestedl l l lat the Conference on Diagnosis of Failures in Switching Circuits,l l ll lsponsored by the AIEE at the University of Michigan, May, 1961.Recently, J. P. Roth 161 has also exploited this technique. Fig. 2. An illustrative network.

68 IEEE TRANSACTIONS ON ELECTRONIC COMPUTERS FEBRUJARY

The analogous relations for the remaining levels are ing term tests all literals in that particular term fors-a-O.

y = ((bj)4 + ((j')s(b' + d')3)6)7 (3) The enf of a multioutput net is defined to be the set

y = ((b(a' +f)2)4 + (((af')2)5(b' + d')3)6)7 (4) of enfs for the individual outputs of the net. Fer clarity

y = ((b(a' + (c'd)l) 2)4 + (((a(c + d')1)2)5(b' + d')3)6)7. (5) we will refer to the individual enfs in the multioutputcase as sub-enfs. The rules for detecting faults in the enf

The right side of (5) is now expanded, eliminating of a multioutput net are the same as those previouslyparentheses but retaining subscripts. The result is the mentioned, except that a single test now can have theenf for the net of Fig. 2. property of simultaneously testing literals in some of the

sub-enfs for a s-a-i and literals in other sub-enfs for= a'247b47 + b47c'i247d1247 ± a2567c12567b'867 s-a-O. This is possible because the paths in the two-level

+ a2567c12567d'367 + a2567d'12567b'367 AND-OR net corresponding to any sub-enf are disjoint+ a2567d'12567d'367d (6) from the paths in the two-level net corresponding to

any other sub-enf.Certain characteristics of the enf of a single output In order to state precisely how fault detection in the

net, useful in the sequel, are now noted. enf is related to fault detection in the original net, it is1) The enf is a "sum of products" expression; hence, necessary to distinguish between literals and appear-

the name normal form. ances of literals in the enf. A particular literal may2) Each literal consists of an input variable, possibly make several appearances. For example, in (6) the lit-

primed, subscripted by a sequence of gate numbers. eral a2567 makes appearances in each of the last fourThe variable and its subscript sequence identifies a path terms. A theorem and a corollary may now be stated.from the corresponding net input to the output. Forexample, the literal a2567 in the third term of (6) identi- Theorem 2fies the path from input a' on gate 2, through gates 5, A test devised for a literal appearance in the enf sensi-6, and 7 to the output. tizes the path in the original net associated with that

3) The enf may contain redundant terms and literals literal appearance.even though the original net is irredundant. For ex-ample, one of the literals involving d' in the last term is Corollary 2logically redundant. So also is the next-to-last term. If a set of literals {L } is selected whose paths contain

4) From the method constructing the enf and ob- every connection in the net, and if a set of tests { T}servation 3), it follows that there is at least one literal can be found which tests at least one appearance of eachappearing in the enf for every possible path from each of these literals for s-a-i and s-a-O; then the set of testsinput to the outputs. detects every s-a-i and s-a-O fault in the net.

5) If the path associated with a literal in the enf con- Theorem 2 is proved in Appendix I. The corollarytains an odd number of inversions (an inversion is pro- followvs sufficiently directly from the theorem and previ-duced by each NAND, NOR, and NOT element in the ous discussion so that a proof is omitted. Observe thatpath), the priming on the literal will be opposite to that Corollary 2 does not guarantee finding a set { T } whichon the corresponding input in the original net. If the tests every literal in {L } for s-a-i and s-a-O. However,number of inversions on the path is even, the priming this paper conjectures that such a set of tests can beon the literal wTill be the same as on the corresponding found. More precisely, it is believed that the followinginput in the original net. For example, the literal a2567 result holds: there exist at least one set of literals { L }in the third term of (6) is unprimed. It is associated and an associated set of tests { T} that tests an appear-with the path 2567 which contains an odd number (= 1) ance of every literal in { L } for s-a-i and s-a-O and alsoof inversions. This literal corresponds to the input a' on detects every fault in the net. As yet this result has notgate 2. been proven; however, efforts to find a counter example

Performing fault detection on the enf of a single-out- have been unsuccessful.put net is now considered. Since a enf is a sum-of-products expression, it corresponds to a hypothetical III. ALGORITHM FOR SELECTING TESTSnet consisting of a set of AND gates feeding a single OR Trials on several sample nets indicate that the algo-gate. The path sensitizing rules therefore require, to rithm which follows has high probability of finding thetest a particular literal for s-a-i, that literal must be most desirable tests, namely those which each detectassigned value 0, while the remaining literals in the many faults. The algorithm w^ill be described ratherterm are assigned value 1. Also, at least one literal in loosely, primarily by applying it to find tests for the neteach remaining term must be 0 in order that all remain- of Fig. 2. The first version applies to single-output nets,ing inputs to the OR gate be 0. By similar reasoning, a and it is later extended to multioutput nets.test which assigns value 1 to all literals of a particular As suggested by Corollary 2, the first step of the algo-term and assigns at least one 0 to literals in each remain- rithm might be to select a set of literals in the enf whose

1966 ARMSTRONG: FAULT DETECTION TESTS FOR COMBINATIONAL LOGIC NETS 69

paths cover the net, and then determine tests for these previously given. The scoring function currently in useliterals. However, for nets with much fanout there may is defined in Appendix 11-A.be many different sets of covering paths. Consequently, The construction of s-a-O tests requires somewhat dif-a "bad" choice of covering set may be made, in the sense ferent heuristics from the two used for s-a-i tests, thusthat the best set of tests for the selected set of paths is requiring a new scoring function. Recalling observationfar from optimal and, indeed, may not even detect all (5) following (6) in Section II, and the analysis of Fig. 1,faults. it is seen that in nets containing inversions, a mixture of

Therefore it is chosen to proceed as follows. Tests will s-a-0 and s-a-i faults are detected by a single s-a-O orbe selected sequentially without regard initially to the s-a-i test on the enf. Therefore, it is undesirable toparticular paths they sensitize. The first test will be one introduce two different scoring functions if this can bewhich tests as many distinct literals as possible for avoided. It is, in fact, avoidable by making use ofeither s-a-i or s-a-O. The next test wAvill test as many as theorem 3.yet untested literals as possible, and so on. At variousstages during the test-forming process a check may be Theorem 3made to determine whether the set of literals tested to

date orresondsto a et ofpath coveing te ne A s-a-O (1) test for a particular literal in the enf of adatecrnatvelones ould selt tests unt tle one single-output net (or sub-enf of a multioutput net) is aAlternatively, one could select tests until at least one sat()ts o h orsodn iea ntecmappearance of every literal is tested for s-a-i and s-a-O. s (This should ensure testing every connection in the net plemented enf (or sub-enf).but may include many more tests than necessary if the The proof of Theorem 3 is quite direct and so is not

net contains much fanout. The particular strategy for included.terminating the test-forming process is left open. The complemented enf is defined to be the enf that is

* ~~~~derived from the complements of the Boolean expres-Not only are tests selected sequentially, but the con- dived frometh m nthe Booeexpres-struction of each test is a sequential process. That is sions representing the original net. For example, thevalues are first assigned to the smallest possible subset oean expression representingthesnet ofpFig.n2eiof the net input variables, which results in sensitizing at gleast one path through the net. A further small subset enf is obtained by complementing the right-hand side ofof the variables is then assigned so as to sensitize at relation (5) and expanding it. The result isleast one additional path. This is continued until all y= a'2567b'47 + a247a2567c1247variables have been assigned, thus completing a test. . . .1dMore specifically, a s-a-i test is constructed as fol- ± a247C2567d1257+ a247C'12567

lows. First, a term in the enf exhibiting the fewest num- + a247e1247c'12567d125>7 + 247G'12567d'1247d12567ber of variables is chosen. Call this "property A." Then, + b'47b367d367 + a247b367c1247d367that literal in the term such that the prime of the vari- + a247b367d'1247d367. (7)able appearing in this literal has the most number of ap-pearances in the remaining terms of the enf is chosen. Theorem 3 states that s-a-0 tests can be obtained forCall this "property B." Value 0 is then assigned to this literals in an enf by generating the complemented enfliteral and value 1 to the remaining literals in this term. and finding s-a-i tests for the corresponding literals inProperty A assures that when the selected term has the latter. For example, a test which is a s-a-1 test forthese values assigned, as many variables as possible a2$567 in (7) is a s-a-0 test for a2567 in (6).remain unassigned, thus giving maximum flexibility in Therefore, both the enf and the complemented enfassigning values in the remaining terms. Property B will be employed and only s-a-t tests will be constructed,results in many Is being assigned in all terms, a desir- using the s-a-i scoring function for both enfs. Duringable goal since the ideal condition is to have just a construction of tests, the next test to be constructedsingle 0 assigned in each term and the remaining literals will start with the as yet untested literal appearance ofassigned ls. Properties A and B are the two main heuris- highest score in either the enf or the complemented enf.tics employed in constructing s-a-i tests. Together The remainder of the construction of this test will bethey result in constructing a test which simultaneously confined to the particular enf in which it started.tests a literal in each of many terms for s-a-i. To illustrate, the algorithm is applied to the net of

In practice, the order of testing literals is determined Fig. 2. For brevity, replace the subscript sequences inby assigning a numerical score to each literal appear- the enf (6) and in the complemented enf (7) as follows:ance. At any stage of formation of a test, variable values 247-*, 47-÷2, i247-*3, 2567->4, 367-*5, i2567-6.area ssigned so as to test the as yet untested literal Two tables are constructed, Table I for the enf andappearance of highest score, provided no other appear- Table II for the complemented enf. Rowv i in eachance of this literal has already been tested. Otherwise Table exhibits the relevant enf. Only five of the ninethis literal appearance is passed over. The scoring func- terms comprising the complemented enf appear intion assigns appropriate weights to properties A and B Table LI. The remaining four terms were eliminated

70 IEEE TRANSACTIONS ON ELECTRONIC COMPUTERS FEBRUARY

TABLE ITESTS FOR ENF

enf-* 1 4 V 1 x V x 8 V 1 8 V V 1 4 x xa1' b2 b2 C3' d3 a4 b5' d6' a4 b5' C6 a4 C6 d5' a4 d6' d5'

200 100 132 84 84 84 84 84 84 152SCr* 168 100 100 100 84

Orderingof 1 2 5 6 4 9 7 10 11 8 12 13 14 15 3 -

Literals

Test 1 0 1 1 0 1 1 0 0 1 0 1 1 1 0 1 0 0

Test 4 1 0 0 0 0 0 1 1 0 1 1 0 1 1 0 1 1

Test 8 0 0 0 1 1 1 1 0 1 1 0 1 0 0 1 0 0

TABLE IITESTS FOR COMPLEMENTED ENF

Complemented 3 2 A/ 3 7 V 3 x 2 V 5 V x x 5 6enf a4' b2' b2' C6' d6 b' b5 d5 a, b5 C3 d5 a, b5 d3' d5

170 119 85 187 - 17 17 - - 136SCl->)187 85 187 51 17 85

Orderingof 4 1 6 7 8 2 3 1 10 12 13 - 5 9

Literals

Test 2 1 0 0 0 1 0 1 1 0 1 1 1 0 1 0 1

Test 3 0 1 1 0 1 1 0 1 1 0 1 1 1 0 0 1

Test_ 0 0 0 1 1 0 1 1 1 1 0 1 1 1 0 1

Test 6 0 0 0 0 0 0 1 0 1 1 1 0 1 1 1 0

Test 7 0 1 1 1 0 1 0 0 1 0 0 0 1 0 1 0

because none of their literals are testable for s-a-i. See in the last term will be 1. It is now apparent that vari-Appendix II for further explanation. able c must be assigned 1, otherwise all literals in theThe second row in the tables, labeled Scl, contains second term will be 1, again aborting the test. The test

numbers proportional to the s-a-i score for each literal is now complete, because all variables have been as-appearance, derived as shown in Appendix II-A. The signed.third row gives an ordering of the literal appearances Above those literal appearances in Table I whichwithin the particular table according to their scores. were tested by this test, the number of the test is writ-The ordering is arbitrary in case of tie scores. Hence- ten. Four distinct literals are seen to have been tested.forth, any literal appearance is referred to by the num- A check mark is also placed above all other appearancesber assigned in this row. The remaining rows contain in the enf of these literals, since only one appearance ofthe binary values assigned to each literal by s-a-i tests each need be tested.generated by the algorithm. Derivation of the first two To start the second test the highest scoring literal ap-tests is now described. pearance in Table I or II, which does not represent an

First, the literal appearance of highest score in either already-tested literal, is chosen. In this case it is literaltable is selected. This is literal 1 of Table I; therefore, 1 of Table II, so the second test is constructed entirelythe first test will be constructed entirely within Table I. in Table II. Literal 1 is assigned value 0, and the otherLiteral 1 is assigned value 0 and the remnlaing literal in literal in this term is assigned 1. This assigns values 0this term is assigned value 1. This assigns value 1 to and I to variables a and b, respectively. Next, assign allvariables a and b. Next, assign all other appearances of other appearances of these variables their appropriatethese variables their appropriate values in Table I. values in Table II. It is now observed that no furtherNow check to see if the values of additional variables variables need be assigned at this time solely for theare forced in order to prevent the test from aborting. A purpose of avoiding aborting the test. Therefore, the astest aborts if the variable assignment produces one or yet untested literal appearance of highest score, whichmore terms of all is. Variable d falls in this category. It is literal 2 appearing in the third term, is sought. Sincemust be assigned 1, because if it is assigned 0, all literals another appearance of this literal has already been

1966 ARMSTRONG: FAULT DETECTION TESTS FOR COMBINATIONAL LOGIC NETS 71

tested by this test, it is passed over. Further search plete fault diagnosis if it permits every distinguishableindicates that only one other literal can be tested by the pair of faults to be distinguished. There is a close anal-current test, namely literal lt in the fourth term. To ogy between the construction of efficient single-error-test it, variables c and d must both be assigned value 1, correcting codes and the construction of efficient diag-completing the construction of this test. The literals nostic tests sets. The corresponding entities are showntested are a1 and b2'. If this test is applied to the enf, it in the accompanying table.will be seen that it tests literals a,' and b2 in the firstterm of the latter for s-a-O, as expected. Error Correction Diagnosis

Proceeding as previously stated, eight tests whichtesteverydingastn, treviostableliteral einoth thest wnfan Set of bits to be corrected Set of faults to be diagnosedtest every distinct, testable literal in both the enf and Set of parity check bits Set of diagnostic testscomplemented enf for s-a-i were constructed. (Literals Group of bits entering a parity Group of faults detected by ain Tables I and II having an x above them are untest- check diagnostic testable.) It is found, by constructing and reducing thecomplete fault table for this net, that six of these eight The two important characteristics of a minimaltests form a minimal fault detection set. Two such mini- single-error correcting code for our purposes are:mal test sets are (1, 3, 4, 5, 6, 7) and (1, 2, 3, 6, 7, 8). 1) The number of bits in each parity check group isThe underlined tests are essential; they must be in- approximately half of the number of bits being cor-cluded since they each detect faults not detected by any rected.other test. 2) Each parity check group roughly half overlaps

Extension of the algorithm to multioutput nets is every other group.quite straightforward. The same s-a-i scoring function These two properties result in a minimal number ofis used and is applied over the entire enf rather than to check bits, approximately equal to log2 of the numbersub-enfs separately. The complemented enf is assumed of bits to be corrected.available and is scored in the same manner as is the enf. The analogy suggests that a minimal set of diagnosticThe complemented enf is defined to be the set of com- tests should have the aforementioned two propertiesplemented sub-enfs. with respect to the group of faults that each test detects.The only novel condition which can arise in forming However, we do not have similar freedom in selecting

tests in the multioutput case is that a valid test may diagnostic tests. The network topology fixes the groupproduce terms of all ls in some sub-enfs. The situation of faults detected by each test and, in general, the twowill be clarified by an example. Consider a two-output properties are far from being satisfied. Analysis of realis-net, whose sub-enfs are designated X and Y, with cor- tic nets indicates that, in general, few, if any, testsresponding complemented sub-enfs designated CX and detect as many as half the faults in the net, and that theCY. In initiating construction of a test, suppose the as amount of overlap of these fault sets is considerably lessyet untested literal with highest score occurs in X. Sup- than half. It is therefore expected that in most cases thepose also that the partial variable assignment which minimal number of diagnostic tests will be appreciablytests this literal for s-a-i also produces a term of all Is greater than log2 of the number of faults.in Y. This does not abort the test, but merely means The algorithm of this paper has high probability ofthat this test will detect s-a-i faults in the sub-enfs X choosing the tests which each detect the most faults,and CY. therefore satisfying property 1) as far as possible. By

Note that a test cannot produce terms of all Is in making three small modifications, the algorithm willboth a sub-enf and its complement simultaneously, be- choose tests which also satisfy property 2) to an appreci-cause this would imply that the corresponding net out- able extent. These are:put takes on the values 0 and 1 simultaneously, which 1) Generate tests for every literal in the enf, not justis impossible. In general, therefore, a s-a-i test will enough literals to form a covering of the net.develop over one of the members of each pair consisting 2) Test every appearance of each literal rather thanof a sub-enf and its complement. Nevertheless, a par- just one appearance of each literal.tially formed test may abort, for the same reason as in 3) If, in forming a test, the situation arises that somethe single-output case: namely, when a literal in some variables remain unassigned but no further as yetsub-enf has already been tested for s-a-i by this partial untested literals can be tested, then the remaining vari-test and further variable assignments then produce a ables are to be assigned so as to test as many as possibleterm of all is in the same sub-enf. already tested literals.

With the addition of the previous three rules, it is be-IV. APPLICABILITY TO DIAGNOSIS lieved that the tests obtained by the algorithm will form

It is believed that the set of tests generated by the the core of an efficient set of diagnostic tests. However,previous algorithm for fault detection wTill also be rea- they may not form a complete diagnostic set. That is,sonably adequate for fault diagnosis. An attempt to additional tests may be needed to distinguish pairs ofjustify this conclusion by qualitative considerations is faults not distinguished by the previous tests. MIethodsnow given. A set of tests is considered to perform com- for finding the additional tests are not treated here.

72 IEEE TRANSACTIONS ON ELECTRONIC COMPUTERS FEBRUARY

APPENDIX I LEVEL LEVEL

Proof of Theorem 2

The theorem needs to be proven for single-output netsonly, because the enf of a multioutput net is just a set of u k

sub-enfs which are constructed independently for the x NET.

individual outputs. Let the gates of a single-output netbe organized into n + 1 levels, placing the output gate onlevel 1 and working backward. This can be accomplishedin such a way that every gate is placed on a higher level Fig. 3. Net decomposition used in proving Theorem 2.than that of any gate which it feeds.Theorem 2 is now proved by induction. It is obviously

true for n = 1. Suppose it is true for n. Now modify the formed with each remaining gate type (OR, NAND,circuit by cutting the wires connecting the gates in level and NOR) replacing AND gate k, and for s-a-i tests asn±+1 to the gates in lower levels. Suppose one of the well as s-a-0 tests. The remaining cases will not begates in level n+1 is an AND gate, labeled k, having treated in this paper. It is also evident that the resultstwo inputs labeled u, v and two outputs (fanout=2) generalize to any number of inputs and outputs fromlabeled w, x. The situation is as shown in Fig. 3. The gate k.enf for the modified net may be written in the following APPENDIX IIform. (The symbols 0, 1, and X appearing above literals APENI fIin (8) and (9) will be explained.) A. A scoring function for s-a-i faults, which appears to

assign appropriate relative weights to properties A and BYmod = i A) + (,I In 0) (which were discussed in Section III), is

+ (xj...j,, D) E (8) (Sc1)k=(1_V) + +

where A, B, C, D, and E are Boolean variables that areindependent of w and x. The enf for the net wvith the ( fAND gate k included may be written in the form property A) property B)

= 'oVk0 1 1\ ( 1 0A whereuki1... in Vk i n A) + kil . B) (SC1)k=the s-a-i score for the kth literal in the enf,

(,0 0 ~+ (uk.0 .i 1 X) V1Vthe number of variables exhibited in the jth+ \Vk .. ., B) + term of the enf, where this term contains theVk"1 ..

nB Ui n Vkjl .. in c kth literal,

+ (,1 ) + I0 0 0 (9) V=total number of variables,

Uk*jl. iJnD \Vkjl...in D + E. L total number of literal appearances in the enf,(Ai' if the kth literal is unprimed

Now, for example, a test of the first literal in the first Xk= 2term of (9) for s-a-i requires the particular variable Ai, if the kth literal is primedassignment written above the literals in (9). That is Ai-number of unprimed appearances of the ith

u=B=D E=0, variable in the enf, andAi'- number of primed appearances of the ith vari-

v = A = 1, able in the enf.

C = X (i.e., don't care). To illustrate the use of the scoring function, the scorefor a particular literal in the enf of Table I is computed

This test obviously sensitizes the fragmentary-path from in the following table. First the values of Ai and Ai' forinput u to output w of gate k. This variable assignment each variable in the enf are tabulated.results in w=x=0; therefore, the test in question as-signs the literal values wvritten above the literals in (8).Froma these it is evident that this test tests the first lit- VariableAi Ai'eral in the first term of (8). a 4 1

Since the theorem is assumed true for n levels, the c2 1test sensitizes the path (i1 .,in) from w to the d 1 4output. Therefore, the previous analysis shows that

thi tstsesiizs hepah h1 .. ~ ro utoth 2It is assumed that the kth literal represents an appearance ofoutput Q.E.D. The preceding analysis may be per- the ith variable.

1966 ARMSTRONG: FAULT DETECTION TESTS FOR COMBINATIONAL LOGIC NETS 73

For example, the first entry in column Ai indicates ously sensitizes two reconverging fanout paths withthat there are four appearances of variable a in the enf. unequal Inversion Parities. The associated input wiresThese appearances are in the literal a4, which occurs in at the node of reconvergence will have complementaryeach of the last four terms. In this example the number values. Upon occurrence of a fault at or preceding theof variables V is 4. The total number of literal appear- fanout node, these values will change simultaneouslyances L in the enf is 17. and thus remain complementary. This implies that theTo compute the score of the literal a,' in the first term output of the node of reconvergence does not change its

of the enf in Table I, observe that the number of vari- value; hence, the effect of the fault cannot propagateables exhibited in this term is 2, and Xk for this literal is beyond it. Such tests are, therefore, inadmissible.4. Therefore, the score for this literal is In the worked example, two reconverging fanout

24 50 200 paths with unequal Inversion Parities occur betweenSc = - + = - = _ gates 2 and 7 (See Fig. 2). In the complemented enf

_\4 17_ 68 272 associated with this example, four of the nine terms were

All literal scores in Tables I and II have been brought eliminated because no s-a-i tests could be found for theto the common denominator 272, and this denominator literals appearing in them. The reason is that each ofis omitted throughout. the four terms contains literals associated with both

reconverging fanout paths. For example, in termB. Fanout paths that reconverge again are referred to as a247a'2567C1247 of relation (7), literal appearances a247 and"reconverging fanout" paths. Two cases of interest can a'2567 involve the paths in question. The values of theseoccur. literals are always complementary, regardless of

Case 1: All reconverging fanout paths between a whether the corresponding net input a', to gate 2, isspecified fanout node and a specified node of reconver- faulty or normal. Therefore, a247 and a'2567 cannot begence have the same Inversion Parity. tested in this particular term. Furthermore, since one or

Case 2: Not all these paths have the same Inversion the other of them has value 0 at all times, no other lit-Parity. The Inversion Parity of a reconverging fanout eral appearance in this term can be tested. Therefore,path is defined to be the number of inversions, modulo such terms may be disregarded when deriving tests.2, along the path between the specified fanout node andthe specified node of reconvergence. ACKNOWLEDGMENT

In Case 1, suppose a test is applied which sensitizes Suggestions by H. Y. Chang, M. C. Paull, and T. H.n(> 1) of the reconverging fanout paths. In this case Crowley in deriving a proof for Theorem 2 are grate-the n-input wires to the node of reconvergence, which fully acknowledged.belong to these paths, will have the same logical value.Upon occurrence of a fault at or preceding the fanout REFERENCESnode, the n values in question will change simulta-neously to the same new value. For Case 1, therefore, [1] R. D. Eldred, "Test routines based on symbolic logical state-neously to tesmnwvlments," J. ACM, vol. 6, pp. 33-36, January 1959.the sensitizing rules for a node of reconvergence are a [2] J. F. Poage, "Derivation of optimum tests to detect faults indirect extension of those given in Section II for gates combinational circuits," Proc. 1963 Symp. on Math. Theory of

Automata, Brooklyn, N. Y.: Polytechnic Press, pp. 483-528.which are not nodes of reconvergence. Specifically, if [3] J. M. Galey, R. E. Norby, and J. P. Roth, "Techniques for thethe node is an OR or NOR gate, all inputs other than diagnosis of switching circuit failures," IEEE Trans. on Com-munications and Electronics, vol. 83, pp. 509-514, September 1964.those contained in the sensitized paths must have value [4] E. J. McCluskey, Jr., "Minimization of Boolean functions," Bell0; if the node is an AND or NAND gate, all inputs other Sys. Tech.J., vol. 35, pp. 1417-1444, November 1956.[5] N. A. Martellotto and R. H. Mayne, "On Test Conditions forthan those contained in the sensitized paths must have Combinational Logic Circuits," Bell Telephone Labs., Murrayvalue 1. Hill, N. J., unpublished.

[6] J. P. Roth "Algorithms for diagnosis for automaton failures,"In Case 2, suppose a test is applied which simultane- IBM J. Res. and Develop., vol. 9, April 1966, to be published.