>
curriculum/VLSI Design
section 15 of 223 min read

15. Design for Testability

You cannot ship a chip you cannot test. Modern DFT methodologies are central to the design flow.

15.1 Fault models

  • Stuck-at-0 / stuck-at-1: a node is permanently shorted to GND or VDDV_{DD}. The classical model.
  • Bridging faults: two nodes shorted to each other.
  • Open faults: a wire is broken.
  • Delay faults: a path is too slow (typically caused by resistive opens or coupling).
  • Transition faults: a node cannot make a 0→1 or 1→0 transition.

15.2 Controllability and observability

Two questions you ask of every internal node:

  • Can I drive it to a known value from the primary inputs?
  • Can I see its value at the primary outputs?

If both are "yes," the node is testable. DFT structures answer "yes" by adding test infrastructure.

15.3 Scan chains

Every flip-flop becomes a scan flip-flop (Section 11.5). All scan flops are chained into one or several long shift registers. In test mode:

  1. Switch all flops to scan mode.
  2. Shift in a test pattern through scan_in.
  3. Switch to functional mode for one or more clock cycles.
  4. Switch back to scan mode and shift out the captured response through scan_out.
  5. Compare to the expected response.

ATPG (Automatic Test Pattern Generation) tools generate scan patterns to maximize fault coverage. 99 percent stuck-at coverage with a few thousand patterns is typical.

15.4 BIST

Built-In Self-Test integrates the tester onto the chip. A linear feedback shift register (LFSR) generates pseudo-random patterns; a multi-input signature register (MISR) compresses responses; the chip compares the final signature to a stored expected value. BIST runs at full speed on power-up or on demand; vital for SRAM/DRAM (memory BIST) and for in-field test (e.g., automotive).

15.5 JTAG

IEEE 1149.1 JTAG boundary scan: an additional scan chain wraps every I/O pad, letting an external tester drive and observe each pin. JTAG is also used for in-system programming, debug, and fault diagnosis. Essentially every modern chip has JTAG.

Security tie-ins.

  • JTAG must be locked or disabled on production chips. If left open, attackers can dump full chip state (including secret keys), inject test vectors that bypass security, and reprogram firmware. Many embedded devices have been pwned via JTAG.
  • Scan chains can be exploited: scan-based side-channel attacks read internal state during test mode, exposing keys. Modern chips obfuscate scan chains or include scan-encryption.