Stage map (what each stage must prove)

• Minimum power: rails reach window and remain stable for a hold time.
• Clock stable: reference present, PLLs lock, and lock stays stable long enough to trust downstream timing.
• Reset release: reset is released only after power+clock are stable (avoid races).
• Basic interconnect: minimum “link-ready” signals are consistent (no protocol deep dive).
• Critical peripherals: key fault/status bits are readable and latched faults are captured.
• Extended tests: short, high-information tests are optional and gated by time/impact budget.

Gating rules (turn random boot issues into deterministic outcomes)

• Window gating: declare “OK” only inside voltage/clock windows and after a stability window.
• Sequencing gating: each checkpoint starts only after the previous checkpoint is stable, not merely asserted.
• State gating: if critical latched faults or abnormal counters appear, route to a controlled failure path.

Key principle: gating protects evidence. Without stable prerequisites, later failures become ambiguous.

Fast-fail vs safe-mode vs retry (policy, not preference)

• Fail-fast (HALT): choose when prerequisites are not met or evidence cannot be preserved.
• Safe mode (DERATE): allow controlled startup only when monitoring+logging remain trustworthy.
• Retry with backoff: allow limited retries when a transient is plausible; every retry must log cause and count.

Verdict is not binary: the correct choice minimizes fleet risk and shortens MTTR.

Common pitfalls (and how to neutralize them)

• One pass ≠ reliable: boundary issues depend on temperature, ramp, and timing distributions.
• Race windows: lock/reset/enable timing differs across devices; record durations, not just “OK.”
• Cold vs warm restart: residual state changes initial conditions; tag the boot type and carry it into logs.

Minimum evidence set per checkpoint (keep it small but decisive)

• Checkpoint ID + timestamp (monotonic when possible).
• Reset cause (current + previous) and a “last-known-good checkpoint.”
• Rail/clock summary (window pass + stability window duration).
• Counter snapshot (with a consistent clear policy).
• Log marker that survives retries/backoff.

Loopback levels (fault-domain boundaries)

• Digital loop (MAC/logic): validates digital datapath continuity; does not validate analog link behavior.
• SerDes loop (PCS/PMA): validates training/CTLE/DFE behavior and lane logic within the transceiver boundary.
• Physical loop (connector/cable/fixture): validates the real channel segment and exposes connector/fixture issues.

What a pass means (and what it does not mean)

• Pass at an inner loop: narrows faults to segments outside the loop point (channel/connector/fixture).
• Fail at an inner loop: points to transceiver-side issues (training stability, lane logic, or margin).
• All loops pass but instability remains: often indicates boundary conditions (temperature/jitter), too-short BER windows, or incomplete correlation.

Interpretation must be aligned with the chosen evidence metrics (LOCK / BER / MARGIN / CNT).

Evidence metrics to record (minimal but decisive)

• LOCK: stable lock duration and re-lock events (not only “locked once”).
• BER: adequate observation window for confidence; short windows can hide intermittent issues.
• MARGIN: use as a trend indicator across temperature/voltage conditions (not a single absolute number).
• CNT: counter snapshots must carry timestamps for causality and comparison.

Practical uses (kept within page scope)

• Baseline link health during POST and post-anomaly triage.
• Channel consistency across lanes; validate lane swap and polarity mapping.
• Board-level screening for routing/connector sensitivity before deeper system-level tests.

Why signatures are used (compression with intent)

• Bandwidth and storage: full response traces are too large for boot-time and fleet-scale logging.
• Speed: a short signature enables fast screening and deterministic routing (pass / isolate / retest).
• Portable evidence: signatures can be stored and compared across runs while keeping logs small.

Compression increases ambiguity; governance and policy restore interpretability.

Signature sources (three common compressors)

• CRC: lightweight detection for data streams and short sequences.
• MISR / LFSR: multi-input compaction of long response streams into a fixed-size signature.
• Trace summary: selective sampling and aggregation (e.g., event counts and short windows) when full trace is not feasible.

Consistency triplet (what must match before comparing)

• Stimulus identity: test vectors and test suite ID must be identical.
• Initial conditions: seed, reset state, and initialization must be deterministic.
• Observation window: start/stop points and loop counts must be consistent.

Most “mismatch” events are explained by a broken consistency triplet, not a failing device.

Golden signature governance (the real control plane)

• Version binding: tie the golden to firmware/build ID and a configuration profile ID (not just a name).
• Platform identity: classify by stepping / board revision / allowed BOM variants.
• Environment tags: record temperature band and clock mode to separate drift from defects.
• Test identity: record suite ID, vector ID, and compressor parameters (seed/polynomial ID).

Compare policy (strict vs window vs mask)

• Strict: strongest detection, best for stable domains and manufacturing screens.
• Window: allow controlled variation by selecting a permitted set (multi-golden per tag) and bounded retries.
• Mask: ignore known-unstable segments only under explicit change control (highest leak risk).

Policy must be explainable: every relaxation should be audited and reversible.

False positives vs false negatives (root causes to isolate)

• False positives: seed/init mismatch, vector mismatch, window mismatch, unclassified platform variance.
• False negatives: insufficient vector coverage, rare boundary faults, over-aggressive masking.
• Drift drivers: jitter sensitivity, metastable edges, temperature/voltage margin erosion.

Why tests use power gating (practical goals)

• Fault-domain localization: gate a domain and observe whether symptoms persist.
• Recovery validation: prove controlled restart and post-gate re-initialization.
• Brownout-style injection: emulate supply disturbance to validate detect/isolate/restore.
• De-coupling: prevent one failing domain from polluting observability in others.

Domain model for testing (separate “target” from “evidence”)

• Target domains (A/B/C): independently gateable test subjects.
• Isolation boundary: prevents back-power and unpredictable boundary states.
• Always-on evidence island: logging + timestamps + minimal control must remain powered.

Evidence-first rule: logging must survive both the injection and the recovery.

Isolation and retention (test-view constraints)

• Isolation gates: enforce deterministic boundary signaling during and after gating.
• Retention policy: keep only the state required for post-gate comparisons and recovery proofs.
• Recoverability: recovery must attribute resets to injection markers, not to “unknown causes.”

Safe sequencing (a minimal injection procedure)

• Mark: write an injection marker into the evidence island.
• Snapshot: capture a small counter/status snapshot (pre-injection).
• Gate/Glitch: apply controlled gating or disturbance within a defined impact scope.
• Stabilize: wait for stability windows to avoid transient misclassification.
• Snapshot + verdict: capture post-injection evidence and route (halt/safe/retry).

Two red lines (non-negotiable test rules)

• Do not expand the fault: gating must not create new uncontrolled side effects.
• Do not lose evidence: never gate the evidence island before markers and snapshots are recorded.

Two families, two verification targets

• Error insertion: injects modeled errors (e.g., ECC bit-flip, parity fault, link error, timeout) to validate detect → isolate → recover paths.
• Physical perturbation: injects boundary stress (power droop/glitch, clock glitch, reset bounce, temperature edge) to validate margin and real-world susceptibility.

Error insertion proves the safety logic; perturbation probes the physical boundary where intermittent failures live.

Error insertion: mechanisms and what must be proven

• ECC / parity: injected flips must trigger the correct fault flag and counter delta, then route to the expected containment action.
• Link error inject: injected error bursts must increment lane/link counters and create an event record tied to the injection marker.
• Timeout inject: injected timeouts must exercise retry/backoff rules and produce a clean, explainable recovery outcome.

The pass condition is not “an error happened”, but “the evidence chain explains it end-to-end.”

Physical perturbation: boundary stress without turning it into randomness

• Power droop/glitch: apply within a defined window and scope, with bounded amplitude and count.
• Clock glitch: keep glitches time-gated and traceable; avoid uncontrolled spread across multiple domains.
• Reset bounce: use controlled patterns to validate reset-cause capture and deterministic re-entry paths.
• Temperature edge: treat as a boundary trigger; correlate transitions to counters and traces on the same timeline.

Perturbation should confirm a hypothesis about margin, not create a new failure mode.

Decision criteria (choose by repeatability, model coverage, risk, diagnostic value)

• Repeatability: insertion is high; perturbation depends on window control and boundary stability.
• Fault model: insertion covers modeled detection paths; perturbation covers timing/electrical margin faults.
• Risk: insertion is usually lower; perturbation requires hard guardrails to avoid cascading effects.
• Diagnostic value: insertion is best for verifying response logic; perturbation is best for revealing true intermittents.

Safety guardrails (non-negotiable)

• Injection window: enable only in approved checkpoints/states; reject injection outside the window.
• Amplitude & count limits: cap intensity and total attempts; enforce cool-down/backoff.
• Rollback and exit: define stop conditions (unexpected symptoms, missing evidence, reset loops) and force safe halt.
• Evidence first: marker + pre-snapshot must be recorded before any injection; evidence storage must remain available.

The four-piece set (what each component proves)

• Counters: quantify accumulation and deltas (errors, retries, resets, recoveries).
• Events: discrete flags and reason codes (what happened, where, why).
• Trace: short ordered snippets around the injection window (what led to what).
• Timestamps: the anchor that makes everything correlatable across domains.

Minimal evidence bundle (a repeatable record format)

• Injection marker (type ID + sequence ID).
• Pre-snapshot (key counters + domain states).
• Post-snapshot (same fields, after stabilization).
• Trace snippet (optional but recommended for ordering).
• Black-box record (boot ID + checkpoint + verdict) on the same time base.

Correlation fails when any of these is missing or not aligned to the same marker.

Counter design rules (avoid “looks fine but is wrong”)

• Domain binding: counters must be scoped (domain/lane/subsystem), not only global totals.
• Clear policy: define boot-clear vs periodic-clear vs never-clear and record the policy.
• Overflow handling: detect wrap/rollover or provide sufficient width; mark wrap in records.
• Snapshot-first: compute deltas from pre/post snapshots, not from asynchronous polling.

Trace and event design (keep it small, make it indexable)

• Event IDs: include domain ID, reason code, severity, and sequence ID.
• Trace windows: capture around injection and reset edges; do not attempt full-time tracing.
• Indexing: every trace snippet must be searchable by marker sequence ID and timestamp.

Common correlation failures and the fix

• Unsynchronized sampling: marker and snapshots are triggered by different clocks → unify triggering.
• Bad reset/clear rules: counters reset unexpectedly → log clear policy and boot ID.
• Overflow/wrap: deltas look negative or jump → add wrap flags and wider counters.
• Event loss: marker exists but event is missing → use bounded buffers with backpressure rules.

What the black-box must solve

• Non-reproducible faults: capture the last-known-good context and the transition into failure.
• Post-reset amnesia: preserve evidence across reboot or partial loss of volatile state.
• Broken causal chains: keep marker → snapshots → deltas → trace → verdict on one identity (boot ID / sequence ID).

A long log is not a good log. A good log is provable and correlatable.

Ring buffer is for windows, not for capacity

• RAM ring continuously covers the most recent time span or the last N events.
• Freeze on trigger to protect the pre-trigger window from overwrite.
• Post-trigger capture records the system response chain (retry → degrade → isolate → reset → recover).

Trigger policy (threshold / pattern / composite)

• Threshold: error-rate spikes, counter deltas, signature mismatches, repeated training failures.
• Pattern: recurring reset causes within a short interval, oscillating “almost failing” states.
• Composite: marker + state transition + counter delta required to trigger (reduces false positives).

Trigger sensitivity should be paired with a cool-down rule to avoid log spam.

Pre/Post trigger windows and the minimal evidence set

• Pre-window: must include the last-good checkpoint and the drift leading into the trigger.
• Post-window: must include the containment and recovery actions until stabilization or exit.
• Minimal set: domain states, reset cause, last-good checkpoint, signature delta, key counter deltas, and marker ID.

Forensic quality (provable, non-silent loss)

• Anti-overwrite: trigger records should move into a frozen/append-only segment.
• Anti-truncation: each record carries length + sequence + CRC so partial writes are detectable.
• Anti-silent-clear: clear operations must be explicit and auditable, never silent.

Forensics is about verifying completeness and ordering, not about storing everything forever.

Flush policy (writing order under power loss)

• Evidence-first: write header + minimal evidence bundle before any extended payload.
• On trigger: flush immediately; on exit conditions, flush final verdict and stop reason.
• Atomic mindset: if a record cannot be fully written, it must be marked invalid, not “half-valid”.

Two environments, two primary constraints

• Manufacturing: time equals cost; results must be fast, repeatable, and easy to bin (pass/rework/fail).
• In-field: tests must not disrupt workloads; they must be shardable, pausable, and safe under partial failure.

Manufacturing: short BIST + high-information signature

• Short suite: keep runtime bounded; focus on high-yield screens.
• Information density: prefer signatures and counter deltas that separate fault classes with minimal vectors.
• Fast verdict: output a binning result that is explainable and consistent across identical units.

Manufacturing aims to screen and route units efficiently, not to exhaust every edge case.

In-field: sharded self-tests with safe post-failure actions

• Sharding: test one domain or one slice at a time; avoid long uninterrupted runs.
• Low-priority windows: schedule in allowed maintenance windows or idle time.
• Failure actions: degrade/derate/lockout/maintenance-flag with a correlatable evidence record.

Coverage strategy: prioritize by frequency, impact, observability

• Frequency: start with fault models that occur often in the target population.
• Impact: prioritize models that drive SLA/MTTR and large blast radius.
• Observability: choose models that can be proven with counters, signatures, and black-box evidence.

Expand from core detection paths to boundary scenarios only after evidence quality is stable.

Tiered suites (Tier 0/1/2) to balance time vs coverage

• Tier 0: shortest, highest-yield screen; suitable for both production and field.
• Tier 1: targeted add-ons; used when time allows or when a symptom appears.
• Tier 2: boundary deep-dive; primarily for validation/diagnostics with strict guardrails.