ARTICLE IN PRESS

INTEGRATION, the VLSI journal 35 (2003) 25–44

Pattern-based verification of connections to intellectual

property cores
.
Ilia Poliana,*, Wolfgang Gunther b
, Bernd Beckera
a
.
Albert-Ludwigs-University of Freiburg, Institute of Computer Science, Georges-Kohler-Allee 51, 79110
Freiburg i. Br., Germany
b
Infineon Technologies AG, CL DAT TDM VM, 81730 Munich, Germany
Received 15 February 2003; received in revised form 18 February 2003; accepted 26 February 2003

Abstract

Verification of designs containing pre-designed cores is a challenging topic in modern IC design, since
traditional approaches generally do not use the information that parts of the design (like IP cores) are
already verified. The port order fault model (POF) has recently been introduced for detecting design errors
occurring during integration of a core into a system-on-chip or during test logic insertion. In this work, we
generate verification patterns with 100% coverage of a sub-class of POF, called 2-POF. We provide
theoretical arguments and experimental results backing the efficiency of these patterns also for detecting
higher-order POFs. Moreover, verification pattern sets generated by our approach are more compact
compared to the results published before.
r 2003 Elsevier Science B.V. All rights reserved.

Keywords: SoC verification; IP cores; BDDs

1. Introduction

The system-on-chip (SoC) paradigm is gaining popularity today due to its positive impact on
time-to-market and handling the IC complexity. Rather than designing each block from scratch,
embedded cores are prepared independently from each other or even purchased from third parties
as intellectual property (IP). Hence, the integration of many cores of various origins into a single
SoC by someone who is not necessarily familiar with each of the cores becomes an issue. Also,
providing test access for deeply embedded cores may be non-trivial. For the latter purpose, test

*Corresponding author. Tel.: +497612038142; fax: +497612038143.

.
E-mail addresses: polian@informatik.uni-freiburg.de (I. Polian), wolfgang.guenther@infineon.com (W. Gunther),
becker@informatik.uni-freiburg.de (B. Becker).

0167-9260/03/$ - see front matter r 2003 Elsevier Science B.V. All rights reserved.
doi:10.1016/S0167-9260(03)00003-8
 ARTICLE IN PRESS

26 I. Polian et al. / INTEGRATION, the VLSI journal 35 (2003) 25–44

TAM TAM
Sub0 SUB1
IP Subtracter
Sub1 SUB2

Fig. 1. TAM-based IP core integration leading to a port order fault.

access mechanisms (TAMs) [1] and wrappers [2,3] are added. The process of test logic insertion
itself is typically done by another person than the core integrator and can result in design
inconsistencies.
For reasons of protecting IP, core vendors often do not provide all implementation details.
Embedded cores with restricted available information for IP protection reasons are called IP
cores. Integrating such cores into a design is more difficult than integrating a core (or a library
cell) for which complete information is known [4–6]. It is a new challenge in the IC design flow.
A prominent class of design errors occurring both during core integration and test logic
insertion is misplacing the ports of a core when connecting it to another core or to the test access
mechanism. Such errors can be detected applying verification patterns and evaluating the core’s
responses. In order to do the latter systematically, the port order fault (POF) model [7–11] has
been introduced. A POF is an erroneous misplacement of the circuit’s ports. Also in these
publications, it is argued that detecting all POFs in which only the core’s inputs are involved is
sufficient, as POFs between the core’s outputs and POFs involving input(s) and output(s)
simultaneously are also then detected. Thus, for a core with n inputs, POFs are defined as
permutations of its inputs; there are n!
1 POFs. In order to reduce the complexity, k-POFs are
defined as POFs in which exactly k inputs are interchanged. For instance, 2-POFs are those with
two inputs erroneously exchanged (there are nðn
1Þ=2 2-POFs). 3-POFs are POFs for which
three inputs are misplaced. However, a 2-POF does not count as a 3-POF, neither a 2-POF nor a
3-POF counts as a 4-POF and so on. Note that port order faults are design inconsistencies and
not manufacturing failures. Moreover, the core itself is assumed to be pre-verified and thus fault-
free; only its connections may be flawed.
In Fig. 1, an IP subtracter (which subtracts SUB2 from SUB1) is embedded in a larger design.
According to the specification, it has to perform the subtraction of Sub1 from Sub0. Note that
SUB1 and SUB2 are inputs of the IP core while Sub0 and Sub1 are internal signals of the design.
A TAM (which consists of two blocks) is inserted,1 connecting the inputs and the outputs of the
subtracter with primary inputs and outputs of the circuit. In test mode, TAMs activate these
connections and disable the connections to the circuit’s internal signals, so that test patterns can
be applied directly. Many modern designs have TAMs [12]. We want to employ TAMs (which are
designed to help perform manufacturing testing) in the formal verification of core connections in
SoC designs.

1
For clarity, we do not divide the test access architecture into a TAM (which is a system-wide access facility) and
wrappers (a wrapper is attached to an individual core), but rather use the term TAM referring to the whole access
infrastructure.
 ARTICLE IN PRESS

I. Polian et al. / INTEGRATION, the VLSI journal 35 (2003) 25–44 27

For an IP subtracter, the only information available to the designer may be given by means of a
VHDL description like

library ieee;
use ieee.std logic signed.00 -00 ;

entity sub is
port (SUB1 : in std logic vector(15 downto 0);
SUB2 : in std logic vector(15 downto 0);
DIFF : in std logic vector(15 downto 0));

end sub;

architecture behavior of sub is

begin
DIFF o= SUB1 - SUB2;
end behavior;

Since the core is assumed to be pre-verified and thus be implemented correctly, integration
problems only arise around the core. One of the main problems is the difficulty to generate
interconnections among cores automatically. Up to now, it is often the designer who has to
understand the specifications and do the connection by himself [13]. For instance, to connect the
IP subtracter mentioned above, the designer has to specify

sub PORT MAP (SUB1=>sub0, SUB2=>sub1, DIFF=>result);

in the block containing the subtracter.
Furthermore, I/O ports of the cores might have ambiguous names (for instance, the name
‘SUB1’ might mean both minuend and subtrahend), and the names of signals in the surrounding
design which are to be connected to the core might be cryptic since they have been changed during
the flow of the design process. This may lead to errors in core connectivity. In Fig. 1, the designer
was obviously mislead by the apparent name correspondence which resulted in a faulty
connection.
Another source of design inconsistencies during core integration is the insertion of the TAM.
For instance, in Fig. 1, the subtracter core itself might be connected correctly. However, the test
engineer responsible for implementing test access, might have confused SUB1 and SUB2. Thus,
the core would be integrated correctly, but applying test patterns through this flawed TAM would
be very likely to result in fault-free manufactured ICs failing the test and thus yield loss. Hence, it
is also important to detect these inconsistencies.
For detection of POFs, verification patterns (VPs) can be applied to the TAM signals connected
to the core’s input ports. By simulation, the values of the core’s inputs and outputs are computed
and compared to the specification. The VPs are generated for efficient detection of POFs. The so-
computed VPs can be given by the core vendor to the customers to help them verify the
integration. Note that there is a significant difference between the patterns for manufacturing
testing, also provided by the vendor, and the VPs for detecting POFs. The former ones are applied
 ARTICLE IN PRESS

28 I. Polian et al. / INTEGRATION, the VLSI journal 35 (2003) 25–44

to real silicon during the manufacturing testing stage, using a test machine. They are generated in
order to detect many possible manufacturing defects like missing material (opens) or extra
material (shorts) [14]. Their efficiency is measured in terms of coverage with respect to a fault
model (stuck-at faults, bridging faults, delay faults, etc.) The latter ones are employed in the
design verification stage, using simulation software, before any silicon is manufactured. They are
generated for discovering design inconsistencies caused by the designer during IP core integration
and not manufacturing defects caused by the equipment. Regarding measuring their efficiency, an
approach similar to the manufacturing testing can be chosen: the POFs are defined as a fault
model, and the pattern efficiency is defined as the coverage with respect to this fault model.
For a core with n inputs, there are n!
1 POFs. In their seminal publication on port order
faults, Tung and Jou [7] considered faults arising from exchanging two inputs only (such faults are
called 2-POFs in this work), since their amount is reasonably small. They presented no results on
how good the patterns generated for 2-POFs are detecting other kinds of POFs. In [8–11], Wang
et al. proposed a method for generating a complete set of verification patterns for all POFs (i.e. a
set of patterns such that each POF is detected by at least one of the patterns). However, in the
worst case all 2n
2 possible patterns except the all-zero and all-one patterns had to be tried.
Since the worst case occurs in presence of redundant faults (i.e. symmetrical inputs, a
misplacement of which has no impact on functionality and hence cannot be detected), the
authors did not report experimental results on this exact method. Instead, they gave a heuristic
method which did not guarantee detection of all POFs but still lead to coverage close to 100% for
all circuits.
In this work, we perform the generation of verification patterns for detecting POFs based on the
2-POF model. However, in contrast to [7], we focus on the detection capability of the obtained VP
sets with respect to the higher-order POFs. We provide theoretical analysis of 3-POF and 4-POF
detection capabilities of VP sets with 100% coverage of lower-order POFs. Large amount of
experimental results is provided: first, we generate VP sets with 100% 2-POF coverage and
determine the coverage of 3-POFs (which turns out to always exceed 99.6% and, in most cases,
even to be 100%). Intuitively, a higher-order POF alters the core function more severely than a 2-
POF or a 3-POF does, so one can expect their effects to be easier to detect than those of a 2- or a
3-POF (however, there are theoretical objections against this reasoning, detailed out in Section
4.1). Secondly, we show that a set of random VPs has a much lower 3-POF coverage than the
complete 2-POF set of verification patterns of the same size. Finally, we perform a Monte-Carlo
simulation for our VP sets with a random sample of 10,000 higher-order POFs. It turns out that
not only all 10,000 faults are detected but also only a subset of patterns have actually been needed
for detection. The used sets are considerably smaller than the ones obtained using the heuristic
version of the complete method reported in [8–11]. We conclude that a complete 2-POF VP set has
very high general POF detection capability, is more compact than sets generated by methods from
[8–11] and has an easier generation procedure.
Since an IP core is under consideration, no net-list representation is available and no standard
test pattern generation based on propagation of the fault effect to the output can be done. Instead,
we assume that only the Boolean function of the IP core is known, given as binary decision
diagram (BDD) [15]. Thus, the core vendor can employ the method as soon as the logic function
of the core is known; since BDDs are technology independent, he does not have to wait for gate-
level implementation to be completed and furthermore remains flexible in changing the
 ARTICLE IN PRESS

I. Polian et al. / INTEGRATION, the VLSI journal 35 (2003) 25–44 29

implementation details later.2 On the other hand, if the customer has received no patterns for POF
testing but a BDD (or a similar description) of the core, he can generate the patterns using the
proposed method and employ them for efficient verification of each instance of a core in all
designs containing it. Further, assumptions are that the core’s ports are accessible through a TAM
and that the core is combinational (this is a valid assumption since a TAM typically provides
access to the memory elements of the core through scan). The proposed approach can be
parameterized with a value g leading to pattern sets all with complete coverage but requiring
different resources with respect to the algorithm run-time and the size of the VP set.
The remainder of the paper is structured as follows: in the next section, POFs are introduced
more formally and the BDD-based set covering algorithm used later is presented. In Section 3, the
proposed pattern generation approach is described in more detail. Section 4 contains some
theoretical remarks on higher-order POFs. Experimental results are given in Section 5. Section 6
concludes the paper.

2. Preliminaries

2.1. Port order faults

Let the core have n inputs and m outputs and let its function be f : Bn -Bm : A POF is a
permutation of inputs p : Nn -Nn ; paid: This fault lets the core implement the faulty-function
ff : Bn -Bm with
ff ðx1 ; x2 ; y; xn Þ :¼ f ðxpð1Þ ; xpð2Þ ; y; xpðnÞ Þ:
A verification pattern (VP) tABn is said to detect a POF if f ðtÞaff ðtÞ: A POF is called redundant if
no VP detecting it exists (which means that the POF does not change the functionality of the
core).
For nX2 and iaj; the 2-POF ði; jÞ is the POF resulting from exchange of inputs i and j and
leading to the faulty-function
ff ðx1 ; y; xi ; y; xj ; y; xn Þ ¼ f ðx1 ; y; xj ; y; xi ; y; xn Þ:
Next, 3-POFs are defined as permutations of three inputs which are no 2-POFs. For nX3 and
i; j; k pairwise different, there are two 3-POFs: ði; j; k; leftÞ is a cyclic re-assignment of core inputs i;
j; and k leading to the faulty-function
ff ðx1 ; y; xi ; y; xj ; y; xk ; y; xn Þ ¼ f ðx1 ; y; xk ; y; xi ; y; xj ; y; xn Þ;
ði; j; k; rightÞ is a cyclic re-assignment of core inputs i; j; and k leading to the faulty-function
ff ðx1 ; y; xi ; y; xj ; y; xk ; y; xn Þ ¼ f ðx1 ; y; xj ; y; xk ; y; xi ; y; xn Þ:
There are n!
1 POFs, nðn
1Þ=2 2-POFs, and nðn
1Þðn
2Þ=3 3-POFs. The coverage of a set
of patterns is defined as the fraction of faults detected by at least one pattern from the set to all
faults under the given fault model. For example, if there are 15 2-POF, two of which are
redundant, and the patterns in the VP set detect 10, the 2-POF coverage is 66.7% while the
2
Note that it is possible to translate an RT-level or gate-level description directly to a BDD.
 ARTICLE IN PRESS

30 I. Polian et al. / INTEGRATION, the VLSI journal 35 (2003) 25–44

non-redundant 2-POF coverage is 76.9%. We refer to a set of VPs detecting all non-redundant 2-
POFs (3-POFs) as to a complete VP set for 2-POF (3-POF).

2.2. BDD-based set covering

In this section, the set covering problem is formulated and a solution approach is presented
first. Then, the BDD-based variant of thisSapproach is outlined.
Given N sets D1 ; y; DN ; find a set DC N j¼1 Dj such that

1. Di -Da| holds for each 1pipN ðD covers all sets) and

2. the size of D is minimal.
Since this problem is NP-complete, it is solved heuristically for sets of practical size. The
standard approach used for the solution is a greedy method:

Algorithm: Greedy set cover

(1) D :¼ |;
(2) while (there are still sets to cover) do
(3) Determine the element d contained in a maximal number of sets Di ;
(4) D :¼ D,d;
(5) Remove each Di with dADi ;
(6) end while
return D;
end Greedy set cover
In the following, the symbolic application of this algorithm is reviewed [16]. All sets Di are
assumed to be subsets of BK for some K: Each set Di is given by a BDD representing the function
wDi ðd1 ; y; dK Þ : BK -B having Di as onset, i.e.
wDi ðd1 ; y; dK Þ ¼ 1 3 ðd1 ; y; dK ÞADi :
The algorithm constructs the set D:
First, M :¼ Jlog2 mn additional variables c1 ; y; cM are introduced. For each Di the number i is
encoded by some unique code codei ABM (where
codei ðc1 ; y; cM Þ ¼ 1 : 3 ðc1 ; y; cM Þ
is the code of i). Then, this code is combined with the corresponding Di :
_
N
wset cov ðc1 ; y; cM ; d1 ; y; dK Þ :¼ ðcodei ðc1 ; y; cM Þ4wDi ðd1 ; y; dK ÞÞ;
i¼1

wset cov ðc; dÞ describes the covering matrix. It can be represented symbolically by a single BDD.
Let the Boolean variables used in the BDD be ordered as follows: The K variables d1 ; y; dK
representing the element d are ordered before the M variables of codei : After the BDD has been
built, a cut is placed between the d and the c nodes of the BDD. The idea of the covering
algorithm is as follows: a path d i ; cj in the BDD of wset cov ðc; dÞ consists of two parts: An element
component d i in the d variables and a set component cj in the c variables. A one-path d i ; cj in the
BDD means that the element represented by d i is contained in the set coded with cj :
 ARTICLE IN PRESS

I. Polian et al. / INTEGRATION, the VLSI journal 35 (2003) 25–44 31

Let an element d i be represented by a path leading to a c variable directly after the cut, i.e. an
incoming edge of c crosses the cut. The onset of the BDD rooted by this variable contains codes of
all sets containing d i (in general, there is more than one such set and thus the size of the onset may
be greater than one). To select an element d in the greedy fashion mentioned above, we perform
the following steps.
1. Calculate the size of the onset (i.e. the number of satisfying assignments) for all BDDs that have
a root-node directly after the cut.
2. Find the maximal size of the onset, and let the corresponding BDD be rooted by cmax :
3. Select an arbitrary path d j to cmax ; i.e. select an element contained in most sets.
After the element has been chosen, it is added to D: Finally, the covered sets must be removed,
which is done by
wset cov :¼ wset cov 4:funcðcmax Þ;

where funcðcmax Þ means the Boolean function, represented by the BDD with root cmax :
After that, the sizes of the onsets and a new cmax must be recalculated. The algorithm stops if
there are no more sets to cover, i.e. wset cov  0: In this case, D is a set of elements with non-empty
intersection with each Di :

3. Verification pattern generation

In this section, the algorithm for generating a set of verification patterns T with 100% non-
redundant 2-POF coverage is presented. It has a parameter g; which can take any value X1:
Choosing a large value of g usually leads to more compact T as a ‘‘large’’ set covering problem has
to be solved. Choosing a small g reduces memory requirements of the approach (because it
requires the solution of smaller covering problems). For g ¼ 1; no covering at all is necessary.
In the beginning, T is set to fð10Þn=2 ; ð1Þn=2 ð0Þn=2 g and all 2-POFs are simulated with it. These
patterns induce many 1/0 values on different core inputs, so they are expected to detect many
POFs. Faults detected by these two patterns (easy-to-detect POFs) are excluded from further
considerations (dropped). Then, additional patterns are added to T iteratively until it detects all
non-redundant 2-POFs. In each iteration, only 2-POFs not detected yet are considered.
The main idea of the approach is to construct T incrementally. We select g POFs first and
generate a set of VPs which definitively detect them. These VPs might (but are not guaranteed to)
detect some other POFs. All detected POFs (including g target faults) are determined by
simulation and dropped. The obtained VP set is added to T: Then, next g POFs are selected, the
VP set for them is generated and added to T; the detected POFs are determined by simulation and
dropped. This algorithm is iterated until all non-redundant POFs are dropped.
For 1pipm; let fi : Bn -B be the function of the ith output of the fault-free core and let
ffi : Bn -B be the function of the ith output of the core having 2-POF fault under consideration.
For each of the 2-POF not detected yet, the BDD for
_
m
xorðx1 ; y; xn Þ :¼ fi ðx1 ; y; xn Þ"ffi ðx1 ; y; xn Þ
i¼1
 ARTICLE IN PRESS

32 I. Polian et al. / INTEGRATION, the VLSI journal 35 (2003) 25–44

is computed. For each pattern t; the following is true: If xorðtÞ ¼ 1 holds, then fi ðtÞ and ffi ðtÞ must
differ for at least one i: Thus, f ðtÞaff ðtÞ; and t is a VP detecting the 2-POF under consideration.
So, the onset of xor encodes all VPs detecting this POF. If xor is the constant 0 function, no
detecting VP exist for POF under consideration, i.e. it is redundant. In case only redundant POFs
are left, the computation is terminated. Otherwise, xorðx1 ; yxn Þ is taken as one of the sets Di from
Section 2.2.
Now, VP set generation for given g POFs is described. The hope is that they detect some other
POFs they are not generated for. Therefore, if there are more undetected POFs than g; the
hardest-to-detect ones are selected. Since no net-list is available, some functional property must be
employed as metric for hardness-to-detect of a 2-POF. In this work, the size of the onset of the
corresponding xor function is used as 2-POF testability metric, since a smaller onset means that
there are less patterns that detect the POF under consideration, and thus this POF is hard-to-
detect. Therefore, the g BDDs with the smallest onset are taken and a minimal VP set for
corresponding POFs is estimated. The BDDs are denoted as xor1 ; xor2 ; y; xorg :
Since a VP detects a POF corresponding to xorj if and only if xorj ðtÞ is 1, a minimal VP set
t1 ; t2 ; y; tl must be estimated so that for each xorj there is at least one tk with xorj ðtk Þ ¼ 1: This
problem corresponds to the set covering problem, for which a symbolic algorithm was described
in Section 2.2. The patterns t1 ; t2 ; y; tl which were found by the algorithm are added to T: Yet-
undetected POFs are simulated and POFs detected by new patterns are excluded from
consideration. Below we give the pattern generation method in algorithmic form.

Algorithm: Gen VP POF

(1) T :¼ f10101:::010; 11:::100:::0g
(2) Simulate all 2-POFs with T
(3) while (there are still undetected POFs) do
(4) for each 2-POF not detected yet
(5) Compute xor (as BDD)
(6) if (all computed BDDs are 0)
(7) break; // Only redundant POFs left
(8) Choose g BDDs with smallest onsets
(9) Estimate a minimal VP set for chosen POFs
(10) Add estimated verification patterns to T
(11) Simulate yet-undetected POFs with T
(12) Drop POFs detected by T
(13) end while
return T;
end Gen VP POF

4. Analysis of higher-order POFs

Obviously, the verification patterns generated for detecting 2-POFs, may also detect 3-POFs
and further higher-order POFs. Indeed, the experimental results reported in Section 5 suggest that
this is typically the case. In this section, we provide theoretical arguments on the relationship
 ARTICLE IN PRESS

I. Polian et al. / INTEGRATION, the VLSI journal 35 (2003) 25–44 33

between lower- and higher-order POFs that help understand the efficiency of lower-order POFs,
in particular 2-POFs, in detecting higher-order POFs.

4.1. On the relation between 2-POFs and 3-POFs

Let there be a core with at least three inputs computing the function f : Without loss of
generality, we focus on the first three inputs of the core, which we assume to be non-symmetrical.
In absence of a POF, let these inputs be connected to signals a; b and c; respectively. Thus, the
correctly connected core calculates the value f ða; b; c; yÞ: If the first two inputs are exchanged (a
2-POF), it calculates the function f ðb; a; c; yÞ instead. Since the inputs are not symmetrical, there
must be a pattern for which the two functions compute different values. (1, 0, 0,y) may be such a
pattern; then, f ð1; 0; 0; yÞaf ð0; 1; 0; yÞ must hold. Such a pattern is said to detect this fault. For
simplicity, we denote this POF as bac.
On the first three inputs, there are three 2-POFs: bac, acb, cba and two 3-POFs: cab and bca.
For each POF, there may be several verification patterns detecting it. Obviously, a POF cannot be
detected by a pattern which has the same logical value on all inputs involved in a POF (for instance,
the pattern (0, 0, 1,y) could under no circumstances detect the fault bac mentioned above).
Here, the following question is of interest: let there be a set of verification patterns with 100% 2-
POF coverage. What can be said about its capability to detect 3-POFs? To answer this question,
we assume that the set includes one pattern detecting bac, one detecting acb and a third one
detecting cba (we comment later on what happens if one pattern detects more than one fault).
Table 1 gives a summary.
Table 1 consists of three parts, describing the 2-POFs bac, acb and cba. For each 2-POF, there
are four possible value assignments to a; b; c which can be part of a pattern detecting the 2-POF
under consideration. They are given in the leftmost three columns of the table. Since the set of
verification patterns detects all 2-POFs, at least one of the patterns in the set will have its first three
values according to one of the four options listed in the table. This means, at least one of the patterns
starts either with 010 or with 011 or with 100 or with 101, otherwise the 2-POF bac would not be
detected. Assume the pattern detecting this faults starts with 010 (first row of the table), i.e.
f ð0; 1; 0; yÞaf ð1; 0; 0; yÞ holds. In presence of the 3-POF cab, applying the same pattern would
result in f ð0; 0; 1; yÞ: This value can differ from the fault-free value f ð0; 1; 0; yÞ (so the 3-POF
cab would be detected), but there is no guarantee for this (indicated by the entry ‘Maybe’ in the
‘Detect?’ column of the table). On the other hand, applying the same pattern in presence of the
other 3-POF, bca, results in the computed value of f ð1; 0; 0; yÞ: It matches with the result in
the presence of the 2-POF bac, which the pattern detects. Hence, the pattern is guaranteed to
detect also the 3-POF bca, indicated by the entry ‘Yes’.
If the pattern detecting the 2-POF bac starts with 011, it will definitely detect the 3-POF cab,
and it can (however does not necessarily have to) detect the 3-POF bca. For the other two 2-
POFs, listed in the table rows below, the situation is similar. Thus, if there are three patterns in the
set of verification patterns, each detecting one of the 2-POFs, every one of them will detect at least
one of the two 3-POFs (and possibly detect the other one). Only if all three patterns detect the
same 3-POF, the detection of both 3-POFs is not guaranteed.
It can happen that the same verification pattern detects two 2-POFs (for instance, one starting
with 010 may detect both bac and acb). It can be seen from Table 1 that such a pattern guarantees
 ARTICLE IN PRESS

34 I. Polian et al. / INTEGRATION, the VLSI journal 35 (2003) 25–44

Table 1
3-POF coverage of complete 2-POF set
a b c f ðb; a; c; yÞ f ðc; a; b; yÞ Detect? f ðb; c; a; yÞ Detect?
0 1 0 f ð1; 0; 0; yÞ f ð0; 0; 1; yÞ Maybe f ð1; 0; 0; yÞ Yes
0 1 1 f ð1; 0; 1; yÞ f ð1; 0; 1; yÞ Yes f ð1; 1; 0; yÞ Maybe
1 0 0 f ð0; 1; 0; yÞ f ð0; 1; 0; yÞ Yes f ð0; 0; 1; yÞ Maybe
1 0 1 f ð0; 1; 1; yÞ f ð1; 1; 0; yÞ Maybe f ð0; 1; 1; yÞ Yes

f ða; c; bÞ
0 0 1 f ð0; 1; 0; yÞ f ð1; 0; 0; yÞ Maybe f ð0; 1; 0; yÞ Yes
0 1 0 f ð0; 0; 1; yÞ f ð0; 0; 1; yÞ Yes f ð1; 0; 0; yÞ Maybe
1 0 1 f ð1; 1; 0; yÞ f ð1; 1; 0; yÞ Yes f ð0; 1; 1; yÞ Maybe
1 1 0 f ð1; 0; 1; yÞ f ð0; 1; 1; yÞ Maybe f ð1; 0; 1; yÞ Yes

f ðc; b; aÞ
0 0 1 f ð1; 0; 0; yÞ f ð1; 0; 0; yÞ Yes f ð0; 1; 0; yÞ Maybe
1 0 0 f ð0; 0; 1; yÞ f ð0; 1; 0; yÞ Maybe f ð0; 0; 1; yÞ Yes
0 1 1 f ð1; 1; 0; yÞ f ð1; 0; 1; yÞ Maybe f ð1; 1; 0; yÞ Yes
1 1 0 f ð0; 1; 1; yÞ f ð0; 1; 1; yÞ Yes f ð1; 0; 1; yÞ Maybe

the detection of both 3-POFs. This also holds for all other patterns detecting two 2-POFs. This
suggests that compact sets with 100% coverage of 2-POFs are especially efficient in detecting 3-
POFs. Notice, however, that there is no pattern able to detect all three possible 2-POFs.
Now, we give a pessimistic estimation of the probability for detection of a 3-POF by a complete
2-POF verification pattern set. We do not count possible detections (‘Maybe’-entries of the table)
as detections. We abstract from the situation that a pattern does detect two 2-POFs and, as
demonstrated above, both 3-POFs are guaranteed to be detected (thus the pessimism). We also do
not account for ‘occasional detections’ by other patterns from the set. Under these assumptions, a
3-POF is not detected only if each of three patterns detects the other 3-POF. We assume an
equiprobable distribution of the beginnings of the patterns (in essence, a random function is
assumed). Hence, the probability that a pattern does not detect a 3-POF is p12: For three patterns
not detecting a fixed 3-POF, the probability is pð12Þ3 ¼ 18: Thus, the detection probability of both
3-POFs is X1
18 ¼ 78:

4.2. 2-POFs, 3-POFs and 4-POFs

In this section, the analysis is extended to 4-POFs, so the first four inputs of a core, connected
with signals a; b; c and d in the fault-free case, are regarded. Among these inputs, there are six 2-
POFs, eight 3-POFs and nine 4-POFs.
Table 2 contains information on the detection of the nine 4-POFs considering 12 possible
beginnings of a pattern detecting the 3-POF acdb. This table corresponds to Table 1, however the
function values are not given in full. Instead, the letter ‘D’ indicates that this fault is guaranteed to
be detected by such a pattern (corresponds to the entry ‘Yes’ in Table 1), and the absence of the
letter indicates that a detection is not guaranteed (corresponds to the entry ‘Maybe’ in Table 1).
 ARTICLE IN PRESS

I. Polian et al. / INTEGRATION, the VLSI journal 35 (2003) 25–44 35

Table 2
4-POF detection using patterns for 3-POF acdb
a b c d f ða; c; d; b; yÞ badc bcda bdac cadb cdab cdba dabc dcab dcba
0 0 0 1 f ð0; 0; 1; 0; yÞ D D D
0 0 1 0 f ð0; 1; 0; 0; yÞ D D D
0 0 1 1 f ð0; 1; 1; 0; yÞ D
0 1 0 0 f ð0; 0; 0; 1; yÞ D D D
0 1 0 1 f ð0; 0; 1; 1; yÞ D
0 1 1 0 f ð0; 1; 0; 1; yÞ D
1 0 0 1 f ð1; 0; 1; 0; yÞ D
1 0 1 0 f ð1; 1; 0; 0; yÞ D
1 0 1 1 f ð1; 1; 1; 0; yÞ D D D
1 1 0 0 f ð1; 0; 0; 1; yÞ D
1 1 0 1 f ð1; 0; 1; 1; yÞ D D D
1 1 1 0 f ð1; 1; 0; 1; yÞ D D D

Probability 2/12 6/12 0 6/12 2/12 0 0 6/12 2/12

The last row of the table gives the detection probability of the 4-POFs, given that all 12 beginnings
of the patterns are equally probable. The numbers are obtained by the division of the number of
the ‘D’-entries in a column by 12, the number of patterns potentially able to detect the 3-POF
acdb.
Table 3 summarizes the detection probabilities using all patterns for 2- and 3-POFs among first
four inputs of the core (for instance, the first 3-POF (row 10) with acdb in its leftmost entry
corresponds to the last row of Table 2). In the row ‘Cum. 2-POF’ (row 8), cumulated detection
probabilities for 4-POFs given that all 2-POFs are detected are given. These numbers are
computed as follows: consider the 4-POF cdab (featured in column 6). The probability that the
pattern in the verification set detecting the 2-POF abdc does not detect this 4-POF is given as
p1
14: The probability that the pattern detecting acbd does not detect is 1
0; and so on. The
probability that none of the patterns detects the 4-POF cdab is the product of the probabilities
corresponding to a single 2-POF. Thus, the probability that some of the patterns detects the 4-
POF is given as X1
ð1
14Þð1
0Þð1
12Þð1
0Þð1
12Þð1
0ÞE0:813: This number is reported in
row 8, column 6. Similar figures computed for patterns detecting 3-POFs and for the combined set
of patterns detecting 2-POFs and 3-POFs are given in the last two rows of the table.
Still considering the 4-POF cdab, the number means that, given a set of verification patterns
including patterns detecting all 2-POFs, the pessimistic estimation of probability of detecting cdab
is 0.813. If a set detecting all 3-POFs is given (and no information on 2-POFs detection is taken
into account), the probability estimation is 0.721, and if 100% coverage is guaranteed for both 2-
POFs and 3-POFs, the estimation becomes 0.948. Note that these numbers are not smaller if it is
the same pattern that detects several 2-POFs and 3-POFs.
In summary, 100% coverage of 2-POFs implies good lower bounds for 3-POF and 4-POF
coverage. In the next session, we show empirically that the higher-order POF coverage of a
complete 2-POF VP set tends to be even higher in reality.
 ARTICLE IN PRESS

36 I. Polian et al. / INTEGRATION, the VLSI journal 35 (2003) 25–44

Table 3
Detection probabilities using patterns for 2-POFs and 3-POFs
2-POF badc bcda bdac cadb cdab cdba dabc dcab dcba
abdc 1/2 1/4 0 1/4 1/4 0 1/4 1/4 1/4
acbd 0 1/4 1/4 1/4 0 1/4 1/4 1/4 1/2
adcb 0 1/4 1/4 1/4 1/2 1/4 1/4 1/4 0
bacd 1/2 1/4 1/4 1/4 0 1/4 1/4 1/4 0
cbad 0 1/4 1/4 1/4 1/2 1/4 1/4 1/4 0
dbca 0 1/4 1/4 1/4 0 1/4 1/4 1/4 1/2

Cum. 2-POF 0.75 0.822 0.763 0.822 0.813 0.763 0.822 0.822 0.813

3-POF

acdb 1/6 1/2 0 1/2 1/6 0 0 1/2 1/6

adbc 1/6 0 1/2 0 1/6 1/2 1/2 0 1/6
bcad 1/6 1/2 1/2 0 1/6 0 0 1/2 1/6
bdca 1/6 1/2 1/2 0 1/6 1/2 0 0 1/6
cabd 1/6 0 0 1/2 1/6 1/2 1/2 0 1/6
cbda 1/6 1/2 0 1/2 1/6 1/2 0 0 1/2
dacb 1/6 0 1/2 1/6 0 0 1/2 1/2 1/6
dbac 1/6 0 1/2 0 1/6 0 1/2 1/2 1/6

Cum. 3-POF 0.767 0.938 0.969 0.896 0.721 0.938 0.938 0.938 0.860

Cum. 2+3-POF 0.942 0.989 0.993 0.981 0.948 0.985 0.989 0.989 0.979

5. Experimental results

In this section, experimental results are described that have been carried out on a Sun Ultra1
with memory limit of 256 Mbytes: All run times are given in CPU seconds. We used the CUDD
package [17] as underlying BDD package.

5.1. Verification pattern generation

We applied our method to some LGSynth93 benchmarks. Since our method does not depend
on the surrounding circuit, the whole circuit is treated as embedded IP core. Since we are only
interested in its Boolean function and not the implementation itself, initially the BDD is build for
the circuit. Accessibility of all inputs and outputs of a core is assumed.
The results are presented in Table 4. In the first column, the circuit’s name is given, followed by
the number of its inputs and g; the parameter of the method. In Column #Iters, the number of
iterations used is given, the fifth column contains the size of resulting VP set.
Since some of the benchmarks have symmetries (see e.g. [18,19]), not all of the 2-POFs really
have an influence on the functionality of the design. Permutations of the inputs that do not induce
an error correspond to redundant port-order faults in the terminology of testing. There was one
 ARTICLE IN PRESS

I. Polian et al. / INTEGRATION, the VLSI journal 35 (2003) 25–44 37

redundant 2-POF in the circuits apex6, x1, x3 and x4; two redundant faults in c5315; three in c880;
five in too large; and 30 in c2670.
In the next column, the number of all possible non-redundant 3-POFs is presented followed by
the number of 3-POFs actually found using the patterns generated for 2-POF. Since no
implementation details are available, BDD-based simulation is performed for 3-POF coverage
estimation. The percentage of faults found by these patterns is given in column Coverage. In the
last column, the run time of the algorithm is given.
As can be seen, the choice of g has implications on the size of the resulting VP set. With
exception of x1, the VP sets are more compact for g ¼ 8 and 12 than for g ¼ 1 and 4, and most of
the VP sets are more compact for g ¼ 12 than for g ¼ 8: For c2670, c3540, apex6, apex7, and x3
g ¼ 1 leads to smaller VP sets than g ¼ 4; for other circuits, the opposite holds. In summary,
larger values of g tend to lead to a reduction in number of VPs.
Regarding run time, a too small g leads to large number of iterations, while a too large g leads
to significant increase of memory and run time requirements per iteration since a large number of
BDDs are under consideration simultaneously. There are examples for increasing g leading to
both explosion of run time (c432, c499, c1355, x1, x3), and to decrease of run time (c17, x4).
Furthermore, there are circuits for which the choice of g has no significant implications on run
time (c1908, alu4, apex7, too large).
A comparison of the obtained results with those from [7] is given in Table 5. Its first column
contains the circuit’s name, followed by the size of 2-POF VP sets generated by the proposed
method. Since this value depends on the choice of g; a range is given rather than a single number.
In the third column, the VP set size from [7] is given. The last column contains the 2-POF
coverage as given in [7]. Note that our method always leads to 100% non-redundant 2-POF
coverage. No run time comparison is done since no run times are given in [7].
It can be seen that, though in [7] the circuits are not treated as IP cores and net-list information
is used, the proposed method leads to better results both in terms of VP set size and coverage.
The 3-POF coverage of generated 2-POF VP sets is always greater than 99.6%, in most cases it
even reaches 100%. Note that at most seven 3-POFs remain undetected (for frg2 with g ¼ 1).
Furthermore, the size of VP sets does not seem to be related to 3-POF coverage. Thus, we
conclude that the 2-POF detection capability of a VP set rather than its size determines its 3-POF
detection capability.

5.2. Comparison with random verification pattern sets

To further emphasize the impact of high 2-POF detection capability on the POF detection
efficiency, non-redundant 2-POF and 3-POF coverage of random verification pattern sets of the
same size as the deterministically generated ones was estimated. Results are given in Table 6. In
Column jVP Setj; the size of the VP set generated by the BDD-based approach is given. Only
results for g ¼ 4; 12 are presented. The next column contains the non-redundant 3-POF coverage
of the deterministic VP set (this is the value from the Table 4 given for comparison purpose). A set
of the same size containing random patterns (random VP set) is generated and non-redundant 2-
POF and 3-POF coverage of this VP set is estimated. Results can be found in the fifth and sixth
column of the table.
 ARTICLE IN PRESS

38 I. Polian et al. / INTEGRATION, the VLSI journal 35 (2003) 25–44

Table 4
3-POF coverage for LGSynth93 circuits
Circuit #Ins g #Iters jVP Setj #3-POF Found Coverage Time
c17 5 1 3 5 20 20 100.000 0.24
c17 5 4 1 6 20 20 100.000 0.12
c17 5 8 1 4 20 20 100.000 0.08
c17 5 12 1 4 20 20 100.000 0.05
c432 36 1 21 23 14280 14280 100.000 27.49
c432 36 4 8 28 14280 14275 99.965 29.11
c432 36 8 6 22 14280 14277 99.979 34.26
c432 36 12 5 19 14280 14280 100.000 122.64
c499 41 1 34 36 21320 21320 100.000 750.27
c499 41 4 12 37 21320 21320 100.000 781.78
c499 41 8 6 23 21320 21320 100.000 841.52
c499 41 12 4 15 21320 21320 100.000 3903.70
c880 60 1 27 29 68440 68440 100.000 3505.15
c880 60 4 10 35 68440 68440 100.000 5252.88
c1355 41 1 34 36 21320 21320 100.000 806.02
c1355 41 4 18 46 21320 21320 100.000 894.83
c1355 41 8 8 31 21320 21320 100.000 920.19
c1355 41 12 5 20 21320 21320 100.000 5895.55
c1908 33 1 23 25 10912 10912 100.000 149.37
c1908 33 4 7 27 10912 10912 100.000 149.50
c1908 33 8 6 20 10912 10912 100.000 143.82
c1908 33 12 4 16 10912 10912 100.000 155.27
c2670 233 1 181 183 4162200 4162198 100.000 12853.02
c2670 233 4 50 171 4162200 4162197 100.000 9071.61
c2670 233 8 27 117 4162200 4162198 100.000 7060.30
c2670 233 12 20 92 4162200 4162200 100.000 7742.76
c3540 50 1 24 26 39200 39200 100.000 1197.44
c3540 50 4 7 23 39200 39200 100.000 1203.79
c3540 50 8 5 19 39200 39200 100.000 1282.39
c3540 50 12 4 18 39200 39200 100.000 2372.84
c5315 178 1 85 87 1848352 1848352 100.000 74591.63
c5315 178 4 23 79 1848352 1848352 100.000 74441.19
c5315 178 8 14 55 1848352 1848352 100.000 74442.85
alu4 14 1 7 9 728 728 100.000 1.88
alu4 14 4 3 11 728 728 100.000 1.76
alu4 14 8 2 8 728 728 100.000 1.53
alu4 14 12 2 7 728 728 100.000 1.72
apex6 135 1 65 67 801990 801990 100.000 575.00
apex6 135 4 21 64 801990 801989 100.000 525.73
apex6 135 8 13 48 801990 801990 100.000 425.62
apex6 135 12 11 38 801990 801990 100.000 660.90
apex7 49 1 32 34 36848 36848 100.000 16.95
apex7 49 4 9 27 36848 36847 99.997 15.38
apex7 49 8 6 24 36848 36848 100.000 13.37
apex7 49 12 5 19 36848 36848 100.000 14.58
frg2 143 1 71 73 954382 954375 99.999 1215.67
frg2 143 4 28 86 954382 954381 100.000 1193.79
 ARTICLE IN PRESS

I. Polian et al. / INTEGRATION, the VLSI journal 35 (2003) 25–44 39

Table 4 (continued)
Circuit #Ins g #Iters jVP Setj #3-POF Found Coverage Time
frg2 143 8 19 61 954382 954381 100.000 852.98
frg2 143 12 15 59 954382 954382 100.000 886.22
pair 173 1 53 55 1696092 1696092 100.000 62843.82
too large 38 1 30 32 16870 16867 99.982 16.16
too large 38 4 11 35 16870 16868 99.988 16.32
too large 38 8 6 29 16870 16870 100.000 19.41
too large 38 12 5 20 16870 16867 99.982 18.35
vda 17 1 14 16 1360 1359 99.926 2.66
vda 17 4 4 17 1360 1360 100.000 2.01
vda 17 8 3 15 1360 1355 99.632 1.88
vda 17 12 3 14 1360 1357 99.779 1.90
x1 51 1 22 24 41650 41650 100.000 106.63
x1 51 4 10 28 41650 41650 100.000 122.57
x1 51 8 6 29 41650 41650 100.000 174.78
x1 51 12 4 15 41650 41649 99.998 604.74
x3 135 1 58 60 801990 801990 100.000 487.69
x3 135 4 19 56 801990 801990 100.000 478.19
x3 135 8 12 43 801990 801990 100.000 625.49
x3 135 12 11 40 801990 801990 100.000 1608.53
x4 94 1 44 46 268088 268088 100.000 80.33
x4 94 4 14 42 268088 268088 100.000 71.17
x4 94 8 8 36 268088 268088 100.000 59.27
x4 94 12 7 30 268088 268088 100.000 59.27

Table 5
Comparison of verification pattern sets to [7]
Circuit jVP setj; proposed method jVP setj [7] 2-POF coverage [7]
c17 4–6 10 100.0%
c432 19–28 72 99.7%
c499 15–37 82 100.0%
c880 29–35 120 99.8%
c1355 20–46 82 99.8%
c1908 16–27 45 99.8%
c2670 171–183 454 —
c3540 18–26 100 100.0%
c5315 55–87 356 100.0%

It can be seen that the 2-POF coverage is almost always (and sometimes significantly) less than
100%. Note that all deterministic VP sets have 100% 2-POF coverage. Also the 3-POF coverage is
clearly worse than the 3-POF of deterministic VP sets. While most deterministic VP sets also
achieve 100% 3-POF coverage, very few random ones do so. For g ¼ 12; no random set achieves
100% 2-POF or 3-POF coverage. Furthermore, 3-POF coverage is always higher than 2-POF
coverage, indicating that 2-POF is harder to detect than 3-POF. Note that there is also a formal
reason for this: on one hand, for n > 5 there are more 3-POFs than 2-POFs. On the other hand, if
 ARTICLE IN PRESS

40 I. Polian et al. / INTEGRATION, the VLSI journal 35 (2003) 25–44

Table 6
Comparison of deterministic and random VP sets
Circuit g jVP Setj Coverage
3-POF det. 2-POF random 3-POF random
c17 4 6 100.000 70.000 90.000
c17 12 4 100.000 70.000 90.000
c432 4 28 99.965 99.365 99.986
c432 12 19 100.000 95.873 99.538
c499 4 37 100.000 99.878 100.000
c499 12 15 100.000 96.463 99.442
c880 4 35 100.000 99.830 99.999
c1355 4 46 100.000 100.000 100.000
c1355 12 20 100.000 99.512 99.991
c1908 4 27 100.000 98.864 99.927
c1908 12 16 100.000 98.106 99.872
c2670 4 171 100.000 83.032 93.127
c2670 12 92 100.000 82.928 93.076
c3540 4 23 100.000 91.429 97.796
c3540 12 18 100.000 91.184 97.691
c5315 4 79 100.000 99.993 100.000
alu4 4 11 100.000 100.000 100.000
alu4 12 7 100.000 96.703 99.451
apex6 4 64 100.000 99.834 99.995
apex7 4 27 99.997 98.810 99.900
apex7 12 19 100.000 98.469 99.840
frg2 4 86 100.000 90.899 97.322
frg2 12 59 100.000 89.993 96.901
pair 1 55 100.000 99.987 100.000
too large 4 35 99.988 64.183 79.775
too large 12 20 99.982 40.258 55.530
vda 4 17 100.000 68.382 83.676
vda 12 14 99.779 59.559 75.735
x1 4 28 100.000 99.608 99.981
x1 12 15 99.998 96.154 99.376
x3 4 56 100.000 99.834 99.995
x3 12 40 100.000 99.701 99.986
x4 4 42 100.000 98.238 99.857
x4 12 30 100.000 96.315 99.457

no VP from a set detects a 3-POF, it is also unlikely that any of three 2-POFs would be detected.
Thus, our results are in line with expectations.

5.3. Monte-Carlo simulation for higher-order POFs

In order to demonstrate the efficiency of complete 2-POF pattern sets, we performed a fault
simulation with these sets (obtained using g ¼ 1) with respect to a POF list consisting of 2000 non-
identical randomly generated 4-POFs, 5-POFs, 6-POFs, 7-POFs and 8-POFs, respectively,
totaling 10,000 higher-order POFs. The results are summarized in Table 7. The first three columns
 ARTICLE IN PRESS

I. Polian et al. / INTEGRATION, the VLSI journal 35 (2003) 25–44 41

of the table contain the name of the circuit, the number of generated verification patterns (VPs) and
the number of VPs actually needed for detecting all 10,000 higher-order POFs. For each circuit,
100% of the higher-order POFs were detected, and even not every pattern was needed for that.
The remainder of the table summarizes the relation to the complete approaches from [8–11].
Columns 3 and 4 contain the number of generated VPs taken from [8,9], respectively (these figures
are equal for most circuits), and in the next column the POF coverage can be found (which does not
differ among these two papers). Improved results from [10,11] (which are identical to each other) are
given in the last two columns of the table. Note that the coverage reported in other publications is
with respect to the general POF model and not to the fault sample used in our Monte-Carlo
simulation. It is very likely that all sets generated in [9], including those with coverage under 100%,
would also detect all faults in our Monte-Carlo simulation. Nevertheless, we demonstrate that our
sets of verification patterns, which are much more compact, also perform well.

6. Conclusions

We presented a novel approach for verifying designs containing IP cores. Since IP cores usually
are pre-verified, faults were assumed only in the connectivity between the design and the core.
Patterns were generated for the core under a restricted fault model (2-POF). The functionality of
the core was given as a BDD, which hides all implementation details of the core (IP protection).
We elaborated on formal arguments on the relationship between 2-POFs and higher-order
POFs. Given a complete 2-POF set, the probability estimation for 3-POF detection capability was

Table 7
Monte-Carlo simulation and comparison with complete approaches
Circuit Number of Patterns Results from [8,9] Results from [10,11]
Gener. Needed for 100% Set size POF Cov. Set size POF Cov.
[8] [9]
c432 23 17 38 38 100 35 100
c499 36 10 33 33 100 40 100
c880 29 10 243 255 99.999999 130 99.999999
c1355 36 12 64 64 100 51 100
c1908 25 12 51 51 100 45 100
c2670 183 19 521 547 99.999999 351 99.999999
c3540 26 10 145 158 100 89 100
c5315 87 13 371 371 100 222 100
apex6 67 19 234 234 99.999999 187 100
apex7 34 15 — — — — —
frg2 73 18 — — — — —
pair 55 13 217 217 100 186 100
too large 32 22 — — — — —
vda 16 16 — — — — —
x1 24 10 275 275 99.999999 75 99.999999
x3 60 14 249 249 99.999999 165 99.999999
x4 46 9 352 398 99.999999 141 99.999999
 ARTICLE IN PRESS

42 I. Polian et al. / INTEGRATION, the VLSI journal 35 (2003) 25–44

demonstrated to be 78 ¼ 0:875: However, experimental results obtained earlier had shown that the
actual coverage (99.6–100%) considerably exceeds the estimate. The 4-POF detection capability
of a complete 2-POF set ranges between 0.75 and 0.822. The numbers are between 0.721 and 0.969
for a complete 3-POF set and between 0.942 and 0.993 for a set detecting 100% of both 2-POFs
and 3-POFs.
The sets of verification vectors generated by our method are guaranteed to detect all 2-POFs.
Thus, the pessimistic estimate for their 4-POF detection capability always exceeds 0.75. However,
empirical evidence suggests that most of the sets also detect 100% of 3-POFs. For these circuits,
the estimates reported in the last row of Table 3 can be used, which are all greater than or equal to
0.942. In particular, they all exceed 0.875, the 3-POF detection capability of the complete 2-POF
set. Thus, if an estimate of 0.875 has resulted in 99.6 to 100% coverage for 3-POFs, very high
coverage for higher-order POFs is likely as well.
Two experiments underline the validity of our conclusions. We analyzed random verification
vector sets and found their 3-POF coverage to be much lower than the figures obtained for
complete 2-POF sets of the same size. We performed a Monte-Carlo simulation using a large
sample of higher-order POFs and achieved 100% coverage, often without even needing all the
vectors generated for 2-POFs. Comparing our sets of verification vectors to the ones reported in
the literature, we conclude that our sets have similar quality and at the same time are more
compact.
There are several possible ways for specifying the functionality of an IP core without disguising
its implementation details. Although BDDs are rarely used for that purpose, we have chosen this
representation of an IP core for two reasons: the technology independence and the efficiency of
performing the redundancy analysis (compared to alternative methods). On the other hand,
BDDs are impractical to represent blocks like dividers and multipliers. Thus, a subject of interest
in the future will be employing our method with some standard IP core description technique like
higher-order logics (HDL).

Acknowledgements

We thank the anonymous reviewer for his comments concerning the statements of Section 4.1,
which finally led to the proof given in this section and the further investigations in Section 4.2.

References

[1] J. Aerts, E.J. Marinissen, Scan chain design for test time reduction in core-based ICs, in: International Test
Conference, 1998, pp. 448–457.
[2] http://grouper.ieee.org/groups/1500/.
[3] E.J. Marinissen, R. Arendsen, G. Bos, H. Dingermanse, M. Lousberg, C. Wouters, A structured and
scalable mechanism for test access to embedded reusable cores, in: International Test Conference, 1998, pp.
284–293.
[4] J.R. Burch, D. Dill, E. Wolf, G. De Micheli, Modeling hierarchical combinational circuits, in: International
Conference on CAD, 1993, pp. 612–617.
[5] T.-H. Liu, K. Sajid, A. Aziz, V. Singhal, Optimizing designs containing black boxes, in: Design Automation
Conference, 1997, pp. 113–136.
 ARTICLE IN PRESS

I. Polian et al. / INTEGRATION, the VLSI journal 35 (2003) 25–44 43

.
[6] W. Gunther, N. Drechsler, R. Drechsler, B. Becker, Verification of designs containing black boxes, in:
EUROMICRO, 2000, pp. 100–105.
[7] S.-W. Tung, J.-Y. Jou, Verification pattern generation for core-based design using port order fault model, in: Asian
Test Symposium, 1998.
[8] C. Wang, S. Tung, J. Jou, An AVPG for SoC design verification with port order fault model, in: International
Symposium on Circuits and Systems, Vol. V, 2001, pp. 259–262.
[9] C. Wang, S. Tung, J. Jou, On automatic-verification pattern generation for SoC with port-order fault model, IEEE
Trans. CAD 21 (4) (2002) 466–479.
[10] C. Wang, S. Tung, J. Jou, An improved AVPG for SoC design verification using port order fault model, in: Asian
Test Symposium, 2001, pp. 431–436.
[11] C. Wang, S. Tung, J. Jou, An automorphic approach to verification pattern generation for SoC design verification
using port order fault model, IEEE Trans. CAD 21 (10) (2002) 1225–1232.
[12] Y. Zorian, E.J. Marinissen, Sujit Dey, Testing embedded-core based system chips, in: International Test
Conference, 1998, pp. 130–143.
[13] R.A. Bergamaschi, W.R. Lee, Designing systems-on-chip using cores, in: Design Automation Conference, 2000,
pp. 420–425.
[14] M. Abramovici, M.A. Breuer, A.D. Friedman, Digital Systems Testing and Testable Design, Computer Science
Press, Rockville, MD, 1990.
[15] R.E. Bryant, Graph-based algorithms for Boolean function manipulation, IEEE Trans. Comput. 35 (8) (1986)
677–691.
[16] T. Kam, T. Villa, R. Brayton, A. Sangiovanni-Vincentelli, A fully implicit algorithm for exact state minimization.
in: Design Automation Conference, 1994, pp. 684–690.
[17] F. Somenzi, CUDD: CU Decision Diagram Package Release 2.3.0, University of Colorado at Boulder, 1998.
.
[18] D. Moller, J. Mohnke, M. Weber, Detection of symmetry of Boolean functions represented as ROBDDs, in:
International Conference on CAD, 1993, pp. 680–684.
[19] S. Panda, F. Somenzi, B.F. Plessier, Symmetry detection and dynamic variable ordering of decision diagrams, in:
International Conference on CAD, 1994, pp. 628–631.

Ilia Polian received his diploma (master’s) degree in Computer Science from the Albert-
Ludwigs-University of Freiburg, Germany, in 1999. Currently he is working towards his
doctorate and is member of the scientific staff at the Chair of Computer Architecture at the
Albert-Ludwigs-University. His previous affiliations were Micronas in Freiburg and IBM
.
Germany R&D in Boblingen. He was European Champion and Vice World Champion at the
1999 ACM International Collegiate Programming Contest and VDE award laureate 1999. His
research interests include formal verification, design-for-test and defect-based testing.

Wolfgang G.unther received his diploma and Dr.rer.nat. degree in computer science from the
Albert-Ludwigs-University in Freiburg in Breisgau, Germany, in 1998 and 2001, respectively.
In 2001, he joined the verification group in the Corporate Technology department of Siemens
AG, Munich. The group has been acquired by Infineon Technologies AG in 2002, where he is
currently responsible for the VHDL compiler. He has coauthored the book entitled Towards
One-Pass Synthesis (Kluwer Academic Publishers). His research interests include verification,
logic synthesis, and hardware description languages.
 ARTICLE IN PRESS

44 I. Polian et al. / INTEGRATION, the VLSI journal 35 (2003) 25–44

Bernd Becker studied Mathematics and Computer Science at the University of Saarland,
Germany, from 1973 to 1982. Between 1979 and 1988, he was with the Sonderforschungsber-
eich Electronic Speech Recognition (1979–81), Institute for Computer Science and Applied
Mathematics (1981–83) and the Sonderforschungsbereich VLSI Design Methods and
Parallelism (1984–88), all at the University of Saarland. From 1989 to 1995, he was an
Associate Professor for ‘‘Complexity Theory and Efficient Algorithms’’ at the J.W. Goethe-
University Frankfurt. In 1995, he joined the Faculty of Applied Sciences at the Albert-
Ludwigs-University Freiburg as a Full Professor (Chair of Computer Architecture). His
research interests include data structures and efficient algorithms (for circuit design), design,
test and verification of circuits and systems, multimedia in research and teaching.