The present invention relates, generally, to the testing of electronic systems and, more specifically, to a method and circuitry for injecting faults into integrated circuit components, circuit boards and systems for testing the effectiveness of diagnostic software.
Diagnostic software is software which is used by engineers to debug device, board and system designs during development or for prototype testing and fault isolation of failed devices, boards, and systems. Before such software can be put into service, it must be verified to ensure that it functions properly. To that end, fault insertion, also known as fault injection, has been used to evaluate the effectiveness of diagnostic software. Even though it is possible to perform this evaluation using simulation, it is usually difficult because of the absence of proper tools and models. A common method of performing verification is to inject faults at the pins of components of a circuit board using hardwiring, switches or other similar hardware. Usually, only a few carefully chosen faults can be inserted using this primitive mechanism. For each revision of a circuit board, a few boards are selected and modified to add the fault injection mechanism. This method is becoming less practical as it becomes necessary to inject more faults into more complex systems in which physical access to components and tracks of the board is reduced. The process has several drawbacks. It is expensive since the modifications on the selected boards are done after the board is designed. Faults can only be injected into a limited number of tracks on the board which, in turn, results in low fault coverage.
Recently, several authors have demonstrated how Boundary Scan can be used to insert faults in complex systems containing Application Specific Integrated Circuits (ASICs). In a paper entitled "Boundary scan: Beyond Production Test", 12th VLSI Test Symposium (1994), Cherry Hill, N.J., pp. 415-420, Richard Sedmak suggests methods of injecting faults at the output of Application Specific Integrated Circuits (ASICs). In one method, all outputs of a given ASIC are faulted using standard boundary scan instructions (HIGHZ, CLAMP or EXTEST). In another method, a boundary scan chain is loaded with faulty value(s) using the SAMPLE/PRELOAD instruction followed by another instruction that exposes the values to the output pins. However, Sedmak does not describe any specific implementation to demonstrate how this can be done.
In a paper entitled "Fault Injection Boundary Scan Design for Verification of Fault Tolerant Systems", ITC'94, October 1994, pp. 667-682, Savio Chau describes in detail how a boundary scan cell can be modified to inject faults. In the proposed scheme, any combination of inputs or outputs can be faulted at the same time. The faults are injected in a way such that the performance of the circuit is not affected more than it would be due to the presence of boundary scan alone (i.e. one multiplexer delay). The boundary scan output register holds a flag indicating whether its associated input or output pin is to be affected by a fault. The value of the faulty data itself can be determined in two ways. It can be driven from a bit of the Instruction Register of the Test Access Port (TAP) or from the shift register of the boundary scan chain. In the first case, the value of the faulty data is unique for a given chip, which imposes constraints when multiple faults must be considered. The second option is difficult to manage because it is not possible to scan in the faulty data values without corrupting the flags shifted in previously unless the update state of the Test Access Port (TAP) state machine is suppressed during this mode. Another problem is that the outputs of the faulty pins ripple when faulty data values are scanned in. This is unacceptable for many applications since the handling of a stuck-at 1 or a stuck-at 0 fault can differ in the diagnostic software program. Finally, it is not possible to use structural tests, including an interconnect test, to locate the fault once its presence has been detected by the system.
Wilcox et al U.S. Pat. No. 5,130,988 granted on Jul. 14, 1992 for "Software Verification by Fault Insertion" describes another scheme that addresses most of the limitations of Chau. Wilcox et al propose using the parallel latch of a boundary scan cell to carry the faulty data value to be inserted at one or more selected pads and storing a fault flag, which indicates whether a particular pin is to be faulted, in a separate register that is part of the boundary scan chain.
In a conventional Boundary scan implementation, the boundary scan cell output control signal, which selects either the system data or the data value in the update latch of the cell, is only activated when an interconnect test is performed (the EXTEST instruction in the IEEE 1149.1 standard) or when it is necessary to maintain all chip outputs at a particular value (the CLAMP instruction). However, when a fault insertion cell is present, the global control cell output control signal can be replaced with the output of the latch located in the fault insertion cell (fault flag) using a multiplexer controlled by a global enable signal generated by the Test Access Port. The signal is activated when a fault insertion instruction that also selects the Boundary scan chain is loaded into the instruction register. When the signal is active, the fault flag determines whether a fault is inserted at its associated pad. The faulty value is determined by the output of the latch located in the boundary scan cell. At least one flip-flop, a latch and a multiplexer are needed for each potential fault site.
This cell allows multiple and un-correlated faults to be injected at the same time while the system is running, does not add further delays to the signal path and does not require modifications on the boundary scan cell itself. At the time this fault insertion scheme was proposed, the diagnostic software was still mainly based on functional tests. However, as the structural tests (e.g. interconnect test, logic BIST, scan) became easier to use at the system level, it became clear that the fault insertion scheme described above had a serious limitation, namely, that it was not possible to find a fault that is inserted because it disappears when structural tests are applied.
In general, there are a number of factors which must be considered when incorporating fault insertion capability into boundary scan cells. Importantly, the cells must be fully compliant with the IEEE 1149.1 standard. The cell should be as small as possible to minimize silicon area. The significance of this advance is better appreciated given that thousands of such cells are typically required. The boundary scan cell design should be compliant with the structure in the Boundary Scan Development Language (BSDL) file. Known prior art requires complex and non-standard additions to the BSDL file. The design should be capable of being described using any RT-level language and synthesized gates. Some prior art methods require custom implementation. There should be no speed degradation on the functional path (i.e. between the cell primary input and primary output) beyond that normally required for Boundary scan. Finally, one should be able to apply structural tests to detect faults.
The present invention proposes a number of fault injection circuit embodiments for use with boundary scan cells and corresponding methods for injecting correlated, uncorrelated, non-persistent and persistent faults at the primary outputs of the cells. The present invention also provides fault injection circuitry for injecting faults into application or core logic internal signals. Further, the present invention provides fault injection circuitry designed so that it also can be tested automatically using scan testing. All boundary scan cell designs are fully compliant with the IEEE 1149.1 standard.
In all embodiments, fault data is loaded in the boundary scan cell update latch of all boundary scan cells at which a fault is to be injected. The fault injection circuits generate a fault inject signal which is applied to the control input of the standard cell output selector, an active signal causing the content of the update latch to be applied to the cell primary output.
In embodiments for injecting correlated, non-persistent faults, the data loaded into the update latch serves both as the fault data to be injected and as a fault flag indicating whether the data is to be injected at the output of the cell. One or more fault type signals are applied to indicate the type of fault to be injected.
In embodiments for injecting uncorrelated (different faults at each site) and/or persistent faults (which persist during structural tests), the fault flag is stored in a fault flag latch or register which is arranged in parallel with the boundary scan cell update latch in such a manner that the fault data and fault flag data can be independently loaded into the update latch and fault flag latches, respectively, from the standard boundary scan cell shift register element using a standard shift operation in which the boundary scan cell serial inputs and serial outputs are connected in series between the Test Access Port Test Data Input and Test Data Output. Logic is provided to prevent the data from being changed while the cells are in fault injection mode for embodiments supporting persistent faults.
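The following behavioral model is an added illustration, not circuitry or code from the patent: it sketches the parallel update latch and fault flag latch, the output selector and the hold logic for uncorrelated, persistent faults. The class names, the 4-cell chain, the sample bit patterns and the policy of freezing both latches whenever fault injection mode is active are assumptions.

```python
# Behavioral sketch; names, chain length and hold policy are assumptions.
from dataclasses import dataclass

@dataclass
class Cell:
    shift: int = 0       # standard boundary scan shift register element
    update: int = 0      # standard update latch: holds the fault data
    fault_flag: int = 0  # added latch in parallel with the update latch

class Chain:
    def __init__(self, n):
        self.cells = [Cell() for _ in range(n)]
        self.fault_mode = False  # global enable from a fault insertion instruction

    def shift_in(self, bits):
        """Serial shift TDI -> cell 0 -> ... -> TDO; returns bits seen at TDO."""
        tdo = []
        for b in bits:
            tdo.append(self.cells[-1].shift)
            for i in range(len(self.cells) - 1, 0, -1):
                self.cells[i].shift = self.cells[i - 1].shift
            self.cells[0].shift = b
        return tdo

    def load(self, target, per_cell):
        """Shift so per_cell[i] lands in cell i, then update the `target` latches."""
        self.shift_in(list(reversed(per_cell)))
        if self.fault_mode:      # hold logic: latches are frozen during injection
            return
        for c in self.cells:
            setattr(c, target, c.shift)

    def outputs(self, system_data, output_control=0):
        """Output selector: the fault flag replaces the global control in fault mode."""
        out = []
        for c, d in zip(self.cells, system_data):
            select = c.fault_flag if self.fault_mode else output_control
            out.append(c.update if select else d)
        return out

def demo():
    chain = Chain(4)                         # constructed 4-pin example
    chain.load("fault_flag", [1, 0, 1, 0])   # fault pins 0 and 2 only
    chain.load("update", [1, 0, 0, 0])       # pin 0 stuck-at-1, pin 2 stuck-at-0
    normal = chain.outputs([0, 1, 1, 0])     # fault mode off: system data passes
    chain.fault_mode = True
    faulted = chain.outputs([0, 1, 1, 0])
    chain.load("update", [0, 1, 1, 1])       # a later pattern is shifted in...
    persisted = chain.outputs([0, 1, 1, 0])  # ...but the injected faults remain
    return normal, faulted, persisted
```
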
In order to provide for scan testing of the fault injection circuitry, the boundary scan cell shift and update latches and the fault flag latch (if employed) are provided with hold capability and appropriate scan path organization so that the contents of these elements can be controlled and their input captured in accordance with standard scan testing techniques while preserving compliance with the IEEE 1149.1 standard.