Copyright OneSpin Solutions 2014
Formal Verification
When Failure Is Not An Option
Automated Verification, No Testbench
Rigorous Testing, Maximizing Coverage,
Accelerated Implementation Flow
Safety Critical Component Verification
Leveraging Formal Techniques
Sergio Marchese
TVS Formal Verification 2014, Thursday, 15th May 2014
Royal Berkshire Conference Centre, Reading
Why Is This Important? Avoiding Catastrophes
Imagine the following headlines:
• Wrongly Guided Missile Hits Innocent Country
• Faulty Mars-Rover Leads To Trillion $ Loss
• Increase of Road-Accidents Due To Faulty
Electronic Control Units
• Death Could Have Been Prevented By Airbag
– Massive Recall By Supplier
You don’t want to make this kind of news!
How did we get there? And what’s it all about?
Ever higher integration density and increasing number of
functions make random and systematic failures much more
likely than in the past!
Since 2006 market awareness of functional safety standards
shifted customer requirements to demand specific safety
measures…
…this shift resulted in component vendors having to take an
active role to ensure system safety by design.
Leading to rigorous automated processes to avoid systematic
failures such as human error and design flow error…
…and furthermore safeguarding for random failures by
design and ensuring effectiveness through quantitative analysis
of safety architecture.
[Figure: question marks over “ISO 26262?” and “DO-254?” next to the label “flow compliant”]
Functional Safety Standards and Industries
Functional safety standards by industry:
• Aerospace / Defense: DO-254
• IEC 61508 (generic functional safety standard) and its sector derivatives:
– Automotive: ISO 26262
– Industrial process control: IEC 61511
– Machine tooling: IEC 62061
– Nuclear power: IEC 61513 / IEC 62138
– Medical devices: IEC 62304, DIN EN ISO 13485
– Railway transportation: EN 50128
Failure to comply can result in harm to people, loss of business and prosecution.
Standards imply rigorous requirements on design and verification, governed by strict, industry- and domain-specific rules.
General Flow for Safety Critical Applications
Phases: Planning, Requirements, Conceptual Design, Detailed Design, Implementation
Planning / Requirements / Conceptual Design activities:
• Establish project plans and standards
• Allocate system functions to hardware
• Create derived requirements
• High level description of design
• Define strategy for compliance
• Identify major components
Detailed Design / Implementation activities:
• RTL Design, Compile
• Synthesis and P&R
• Timing Model
• Generate bitstream file
• Program Device / Generate Mask
Random failures are introduced in the field; safeguarding against random failures by design is needed.
Safety functions are tracked through the complete flow.
Systematic failures are introduced at each step; safeguarding against systematic failures is equally important.
Don’t want to be risky? Design for Safety – Verify
Quote from United States Nuclear Regulatory
Commission (U.S.N.R.C.):
“Advanced techniques such as formal verification
together with the code coverage analysis should be
encouraged for use in the verification of safety-
critical FPGA designs as an integral part of the
design life cycle.”
How to get there? Let us help you
Verification beyond doubt:
Minimizing systematic failures as well as
safeguarding for random failures can be
supported through formal verification tools,
when failure is not an option.
Now let’s look at some practical
industry applications…
Example: Preventing Synthesis Bugs
Problem
• Systematic failure by synthesis tool introduced during implementation
• Example: Wrong sequential optimization leads to reading outdated value from FPGA flop
Solution
• Formal sequential equivalence checking*) with EC-FPGA to verify synthesis result
• Disable specific faulty synthesis option and re-run synthesis
[Figure: sequential vs. combinational equivalence. The RTL side holds flops s1..s5; the synthesized side holds s1..s3 and a retimed flop r4. Both drive the same Out, but a flop-by-flop (combinational) comparison cannot pair them.]
Conventional Equivalence Checkers
– Do not support advanced FPGA optimizations
– Require extensive manual intervention and complex scripting
– Require and rely on information from synthesis “side files”
OneSpin 360TM EC-FPGA
– Complete synthesis sign-off without writing test vectors
– Handles ALL FPGA-specific optimizations
– Does not rely on synthesis side files
– Verifies whole-chip flat netlists “as is”
– Provides high degree of automation and simple scripting & easy error location
– Makes latest FPGA and synthesis technology available in regulated environments
*) Recommended procedure by US nuclear regulatory commission, provides independent output assessment in DO-254
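The principle behind the sequential equivalence check above, as an added example that is not OneSpin's EC-FPGA or any code from the slides: a golden 2-bit counter is compared against two constructed "netlists", one re-encoded one-hot by synthesis (a different flop count, so a flop-to-flop combinational comparison is not even possible) and one whose output was additionally registered by a wrong sequential optimisation, so it is read one cycle late, the "outdated value from an FPGA flop" failure of the slide. All design and function names are assumptions of this example.

```python
"""Sequential equivalence check by product-machine exploration."""
from collections import deque

# Golden RTL: 2-bit counter with enable, output asserted when the count reaches 3.
def golden_reset():
    return 0

def golden_next(state, en):
    return (state + 1) % 4 if en else state

def golden_out(state):
    return int(state == 3)

# Netlist 1: the same counter after one-hot re-encoding (4 flops instead of 2).
def onehot_reset():
    return (1, 0, 0, 0)

def onehot_next(state, en):
    return (state[3], state[0], state[1], state[2]) if en else state

def onehot_out(state):
    return state[3]

# Netlist 2: one-hot counter whose output was wrongly registered by a
# sequential optimisation, so the output lags the golden design by one cycle.
def lagging_reset():
    return ((1, 0, 0, 0), 0)

def lagging_next(state, en):
    onehot, _ = state
    return (onehot_next(onehot, en), onehot[3])

def lagging_out(state):
    return state[1]

GOLDEN = (golden_reset, golden_next, golden_out)
ONEHOT = (onehot_reset, onehot_next, onehot_out)
LAGGING = (lagging_reset, lagging_next, lagging_out)
INPUTS = (0, 1)   # the single input 'en'


def seq_equiv(spec, impl):
    """Breadth-first search over the product of the two state machines.

    Every product state reachable from the joint reset is visited for every
    input value, so the check covers all input sequences, not a test set.
    Returns None when the outputs agree everywhere, otherwise the shortest
    input sequence (values of 'en', one per cycle) that exposes a mismatch.
    """
    spec_reset, spec_next, spec_out = spec
    impl_reset, impl_next, impl_out = impl
    start = (spec_reset(), impl_reset())
    seen = {start}
    queue = deque([(start, ())])
    while queue:
        (s, i), trace = queue.popleft()
        if spec_out(s) != impl_out(i):
            return trace                      # counterexample: the input sequence that led here
        for en in INPUTS:
            succ = (spec_next(s, en), impl_next(i, en))
            if succ not in seen:
                seen.add(succ)
                queue.append((succ, trace + (en,)))
    return None


if __name__ == "__main__":
    print("one-hot netlist:", seq_equiv(GOLDEN, ONEHOT))    # None: equivalent
    print("lagging netlist:", seq_equiv(GOLDEN, LAGGING))   # (1, 1, 1): mismatch after three enables
```

The product-machine search needs no knowledge of how synthesis paired or renamed the flops and no side files; it only needs both designs' reset and next-state behaviour, which is why it copes with re-encoding and retiming that defeat a combinational checker.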
Example: Preventing Programming Errors
Problem
• Systematic failure by human error introduced during detailed design
• Example: Wrongly supplied full-case-pragma leads to unintended branch taken on silicon
Solution
• Automatic formal inspection*) using DV-Inspect automatically identifies large class of problems
• Analyze reported issues and fix RTL
Conventional Lint Checkers
– Require extensive setup
– Report large numbers of potential issues
– Provide no trace for debugging
OneSpin 360TM DV-Inspect
– Easy setup and flow integration
– Finds real issues using formal reachability analysis
– Provides debug trace and includes strong debugger
– Automates tedious manual inspection without test vectors
– Applicable on early RTL avoiding late debug cycles
```verilog
// Slide excerpt; the module header and reset branch are not on the slide and are reconstructed (names assumed).
module full_case_fsm (input clk, input rst, output reg o);
  reg [1:0] nstate;
  always @(posedge clk) begin
    if (rst) begin
      nstate = 2'b00;
      o      = 1'b0;
    end else begin
      // The pragma promises synthesis that only the three listed values occur, so the
      // decode for 2'b11 may be optimised away. But 2'b10 -> 2'b11 is reachable, and
      // the silicon then takes whatever branch the optimised logic happens to produce.
      case (nstate) // synopsys full_case
        2'b00: nstate = 2'b01;
        2'b01: nstate = 2'b10;
        2'b10: nstate = 2'b11;
      endcase
      o = nstate[0];
    end
  end
endmodule
```
*) Recommended to be used regularly by each designer
Example: Quantitative Analysis of Simulation
Completeness in DO-254
Problem
• Insufficient code coverage during DO-254 elemental analysis*) prevents certification
• Example: Some branch is never executed because ‘ack’ cannot be asserted in context
Solution
• Automatic formal inspection using DV-Inspect automatically identifies unreachability
• Proven dead code can be documented (coverage waiver) or fixed to achieve certification
*) Level A/B designs governed by DO-254 Appendix B devise coverage on sub-functional level during elemental analysis
```verilog
// ... (slide excerpt)
case (state)
  2'b00: nstate = 2'b01;
  2'b01: nstate = 2'b11;
  2'b10: nstate = 2'b00;
  2'b11: if (ack)          // 'ack' can never be asserted while state == 2'b11,
           nstate = 2'b10; // so this arm is dead code (the slide writes 'state'
         else              // here; 'nstate' matches the other arms)
           nstate = 2'b11;
endcase
// ...
```
Simulation-Only flow
– Cannot prove unreachability
– Requires lots of manual work to inspect coverage holes
– Often hard to judge whether coverage is achievable at all
OneSpin 360TM DV-Inspect
– Easy setup and flow integration
– Automatically proves unreachability
– Gives guidance for test creation for reachable scenarios
– Supports large number of coverage classes
– Provides strong argument for waiving coverage goals
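Both RTL fragments above (the full_case pragma of the previous slide and the dead `ack` branch of this one) reduce to the same question, whether a state or a (state, input) combination is reachable from reset. The following added example, not DV-Inspect and not code from the slides, answers it by exhaustive enumeration of the two tiny machines. Function names are assumptions, and so is the environment constraint on `ack`: the slide only says `ack` "cannot be asserted in context", so a plausible constraint (the downstream block raises `ack` only while this machine is in state 2'b10) is constructed here.

```python
"""Reachability analysis for the two slide FSMs."""

def reachable(reset, next_fn, inputs, allowed=lambda state, inp: True):
    """Return (states, activations): every reachable state and every
    (state, input) pair that can occur, i.e. every case arm / branch that
    can ever be taken. `allowed` encodes assumptions on the environment."""
    states = {reset}
    activations = set()
    worklist = [reset]
    while worklist:
        state = worklist.pop()
        for inp in inputs:
            if not allowed(state, inp):
                continue
            activations.add((state, inp))
            succ = next_fn(state, inp)
            if succ not in states:
                states.add(succ)
                worklist.append(succ)
    return states, activations


# --- slide 9: case (nstate) // synopsys full_case, with arms for 00, 01, 10 only ---
FULL_CASE_ARMS = {0b00: 0b01, 0b01: 0b10, 0b10: 0b11}

def full_case_next(state, _unused):
    # No arm for 0b11: in simulation the register simply holds its value.
    return FULL_CASE_ARMS.get(state, state)

def full_case_violations():
    """Reachable values of nstate for which the pragma promised 'no arm needed'."""
    states, _ = reachable(0b00, full_case_next, inputs=(None,))
    return {s for s in states if s not in FULL_CASE_ARMS}


# --- slide 10: case (state) with the ack-dependent arm in 2'b11 ---
def ack_next(state, ack):
    if state == 0b11:
        return 0b10 if ack else 0b11
    return {0b00: 0b01, 0b01: 0b11, 0b10: 0b00}[state]

def ack_only_in_state_10(state, ack):
    # Constructed environment assumption: the block driving 'ack' only
    # raises it while this machine is in state 2'b10.
    return ack == 0 or state == 0b10

def ack_branch_reachable(constrained):
    allowed = ack_only_in_state_10 if constrained else (lambda s, a: True)
    _, activations = reachable(0b00, ack_next, inputs=(0, 1), allowed=allowed)
    return (0b11, 1) in activations

def unreachable_states(constrained):
    allowed = ack_only_in_state_10 if constrained else (lambda s, a: True)
    states, _ = reachable(0b00, ack_next, inputs=(0, 1), allowed=allowed)
    return {0b00, 0b01, 0b10, 0b11} - states


if __name__ == "__main__":
    print("full_case violated for nstate =", full_case_violations())          # {3}
    print("ack branch reachable, no constraint:", ack_branch_reachable(False))  # True
    print("ack branch reachable, constrained:  ", ack_branch_reachable(True))   # False
    print("dead states under constraint:", unreachable_states(True))           # {2}
```

Two points a reviewer wants from such a run: the full_case pragma is unsound because 2'b11 is reachable from reset, so the missing arm is a real bug rather than an unreachable default; and the `ack` branch is dead only under the stated constraint, so a coverage waiver for it must cite that constraint, and the constraint itself has to be verified against the neighbouring block.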
Example: Preventing Implementation Errors
Problem
• Systematic failure by human error introduced during detailed design
• Example: Simultaneously asserting two mutually exclusive signals in case of a full buffer, two requests, and …
Solution
• Formal assertion based verification of vital design functions using DV-Verify
• Analyze situation and fix RTL
Conventional Simulation
– Requires anticipating error scenarios
– Incomplete coverage of input vectors
– Inefficient on large combinational requirements
OneSpin 360TM DV-Verify
– Good and bad cases stated by assertions
– Complete coverage of input space
– Scales well for large combinational space
– Can find issues unlikely to be found by other methods
– More efficient than other methods on many design classes
```systemverilog
// Slide example with the assertion syntax corrected: $onehot takes a single vector
// argument. "Mutually exclusive" means at most one of the two is asserted, which is
// $onehot0; $onehot would additionally demand that one of them is always asserted.
// The sampling clock 'clk' is assumed.
assert property (@(posedge clk) $onehot0({a, b}));
```
Example: Preventing Specification Errors
Problem
• Systematic failure by human error during conceptual design
• Example: Scenario where brake and gas are hit simultaneously not considered
Solution
• Capture all specified functions using assertions and use formal gap detection*) with DV-Certify to spot omissions
• Specify missing function and re-implement RTL
Manual Inspection of Properties
– Detecting human error by humans
– Incomplete and error-prone by construction
– Inefficient on large detailed requirement sets
OneSpin 360TM DV-Certify
– Systematically detects human error by machine
– Only method for complete inspection of properties
– Can handle large diverse requirements
Inputs             State   Outputs
Gas and no brake   ...     ...
No gas, no brake   ...     ...
Brake and no gas   ...     ...
Gas and brake      ?       ?      <- not specified: the gap
*) Requires thorough planning and execution by trained personnel
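The gap-detection idea in code, as an added example that is not DV-Certify (whose method the slide does not detail) and not code from the slides: a property set is complete for a function when, for every input combination, some property determines the output. Inputs that trigger no property are specification gaps; inputs that trigger properties demanding different outputs are conflicts. The pedal controller, its three properties and the fix are constructed from the slide's table; only the two pedal inputs are modelled, not the vehicle state column.

```python
"""Gap and conflict detection over a property set."""
from itertools import product

# Each property: (name, trigger over the inputs, required output when triggered)
PEDAL_PROPERTIES = [
    ("accelerate_on_gas_only", lambda gas, brake: gas and not brake,     "accelerate"),
    ("coast_when_neither",     lambda gas, brake: not gas and not brake, "coast"),
    ("brake_on_brake_only",    lambda gas, brake: brake and not gas,     "brake"),
]

# The omission the slide describes: what happens when both pedals are pressed.
BOTH_PEDALS_FIX = ("brake_wins_when_both", lambda gas, brake: gas and brake, "brake")

# A careless later addition that overlaps the fix and demands a different output.
CONFLICTING_PROPERTY = ("accelerate_on_gas", lambda gas, brake: gas, "accelerate")

INPUT_SPACE = list(product((False, True), repeat=2))   # (gas, brake)


def check_property_set(properties, input_space=INPUT_SPACE):
    """Return (gaps, conflicts).

    gaps: inputs for which no property fires, so the output is unspecified;
    conflicts: (input, [(property, output), ...]) where the fired properties disagree.
    """
    gaps, conflicts = [], []
    for inp in input_space:
        fired = [(name, out) for name, trigger, out in properties if trigger(*inp)]
        if not fired:
            gaps.append(inp)
        elif len({out for _, out in fired}) > 1:
            conflicts.append((inp, fired))
    return gaps, conflicts


def describe(inp):
    gas, brake = inp
    return f"gas={'on' if gas else 'off'}, brake={'on' if brake else 'off'}"


if __name__ == "__main__":
    gaps, _ = check_property_set(PEDAL_PROPERTIES)
    for g in gaps:
        print("GAP: no property decides the output for", describe(g))   # gas=on, brake=on
    gaps, conflicts = check_property_set(PEDAL_PROPERTIES + [BOTH_PEDALS_FIX])
    print("after fix: gaps =", gaps, "conflicts =", conflicts)           # [] []
    _, conflicts = check_property_set(PEDAL_PROPERTIES + [BOTH_PEDALS_FIX, CONFLICTING_PROPERTY])
    for inp, fired in conflicts:
        print("CONFLICT at", describe(inp), "->", fired)
```

On a real design the input space includes the state, so the enumeration is replaced by a proof engine, but the two verdicts are the same: an uncovered combination is an omission in the specification, and an over-covered one with disagreeing demands is a contradiction that no RTL can satisfy.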
Example: Safeguarding Memory
Problem
• Random failure on SRAM introduced in field
• Example: Wrong value in memory leads to wrongly computing airbag release condition
Solution
• Implement error correcting code (ECC) on SRAM
• Verify proper error correction using formal assertion based verification with DV-Verify
Simulation Based Verification
– Hard to anticipate all relevant conditions
– Inefficient on large detailed requirement sets
OneSpin 360TM DV-Verify
– No knowledge of ECC algorithm needed for verification
– High number of parameter and inputs handled
– Easy to specify behavior and inject faults
– Can handle huge number of combinations for potential faults
[Figure: write path Encoder -> SRAM, read path SRAM -> Decoder, with a fault-injection block (#faults) between SRAM and Decoder]
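What "verify proper error correction under exhaustive fault injection" looks like on a concrete code, as an added example that is not DV-Verify and not code from the slides. The encoder and decoder implement a Hamming(7,4) code extended with an overall parity bit, i.e. an (8,4) single-error-correcting, double-error-detecting (SEC-DED) code, a constructed stand-in for whatever ECC the real SRAM uses. Every data word is combined with every single, double and triple bit flip of the stored word. The triple-fault tally is the caveat a practitioner wants to see: SEC-DED silently "corrects" them to wrong data, so if triple upsets are credible the safety argument needs a stronger code.

```python
"""Exhaustive fault injection against an (8,4) SEC-DED Hamming code."""
from itertools import combinations

DATA_POSITIONS = (3, 5, 6, 7)    # Hamming positions (1-based) holding d0..d3
PARITY_POSITIONS = (1, 2, 4)     # parity bit p covers every position whose index has bit p set
OVERALL_PARITY = 0               # extra parity over the whole word: turns SEC into SEC-DED
WORD_BITS = 8


def encode(data):
    """4-bit data -> 8-bit codeword (bit i of the result is Hamming position i)."""
    bits = [0] * WORD_BITS
    for i, pos in enumerate(DATA_POSITIONS):
        bits[pos] = (data >> i) & 1
    for p in PARITY_POSITIONS:
        bits[p] = sum(bits[pos] for pos in range(1, WORD_BITS) if pos & p and pos != p) % 2
    bits[OVERALL_PARITY] = sum(bits[1:]) % 2
    return sum(b << i for i, b in enumerate(bits))


def decode(word):
    """8-bit codeword -> (status, data); status is 'ok', 'corrected' or 'uncorrectable'."""
    bits = [(word >> i) & 1 for i in range(WORD_BITS)]
    syndrome = 0
    for p in PARITY_POSITIONS:
        if sum(bits[pos] for pos in range(1, WORD_BITS) if pos & p) % 2:
            syndrome |= p                      # the syndrome names the flipped position
    overall_odd = sum(bits) % 2 == 1
    if syndrome == 0 and not overall_odd:
        status = "ok"
    elif overall_odd:
        # odd number of flips: assume exactly one and flip the bit the syndrome names
        # (syndrome 0 with odd parity means the overall parity bit itself flipped)
        bits[syndrome] ^= 1
        status = "corrected"
    else:
        # even number of flips with a non-zero syndrome: two errors, not correctable
        status = "uncorrectable"
    data = sum(bits[pos] << i for i, pos in enumerate(DATA_POSITIONS))
    return status, data


def inject(word, positions):
    """Flip the given bit positions: the stored word after an SRAM fault."""
    for pos in positions:
        word ^= 1 << pos
    return word


def exhaustive_fault_check():
    """Run every data word through every 1-, 2- and 3-bit fault and tally the outcomes."""
    tally = {"single_corrected": 0, "single_failed": 0,
             "double_detected": 0, "double_missed": 0,
             "triple_silently_miscorrected": 0, "triple_harmless_or_detected": 0}
    for data in range(16):
        codeword = encode(data)
        assert decode(codeword) == ("ok", data)        # fault-free read
        for fault in range(WORD_BITS):
            status, out = decode(inject(codeword, (fault,)))
            ok = (status, out) == ("corrected", data)
            tally["single_corrected" if ok else "single_failed"] += 1
        for faults in combinations(range(WORD_BITS), 2):
            status, _ = decode(inject(codeword, faults))
            tally["double_detected" if status == "uncorrectable" else "double_missed"] += 1
        for faults in combinations(range(WORD_BITS), 3):
            status, out = decode(inject(codeword, faults))
            silent = status == "corrected" and out != data
            tally["triple_silently_miscorrected" if silent else "triple_harmless_or_detected"] += 1
    return tally


if __name__ == "__main__":
    for name, count in exhaustive_fault_check().items():
        print(f"{name:32s} {count}")
```

The fault space here is 16 words times 92 fault patterns; for a 64-bit word with a (72,64) code the same sweep is 2^64 words times thousands of patterns, which is exactly where exhaustive simulation stops and a formal fault model (all data words symbolic, faults enumerated by the engine) takes over.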
Example: Safeguarding Status Registers
Problem
• Random failure introduced by single event upset in field
• Example: Status register value flips for one cycle
Solution
• Use redundancy, error detection and error handling in safety management unit
• Use formal assertion based verification with DV-Verify to ensure correct handling of faults and error propagation*)
Simulation with Fault Injection
– Limited number of faults
– Low degree of automation
– Long run times
OneSpin 360TM DV-Verify
– Exhaustive fault activation including multiples
– Efficient modeling of faults and specification of requirements
– Highly automated
– Handling large blocks and huge number of faults simultaneously
*) ISO26262 demands verification of safety features on net list level for ASIL-D compliance
(H. Busch, Infineon Technologies, “Formal Safety Verification of Automotive Microcontroller
Parts”, ZuE2012, Bremen)
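The "exhaustive fault activation including multiples" point of this slide, as an added example that is not DV-Verify and not code from the slides or the cited paper: two constructed protection schemes for a status register, a duplicated register with a comparator (dual-rail) and a triplicated register with a majority voter (TMR), are swept over every single flop upset and every pair of upsets across a short constructed stimulus. Upsets are transient, a bit of one copy flipped for one cycle only as in the slide's example, and the safety management unit is modelled as a sticky error latch. Register width, stimulus and function names are assumptions.

```python
"""Single-event-upset injection on a protected status register."""
from itertools import combinations

WIDTH = 4
STIMULUS = (0b0101, 0b1100, 0b0011)   # constructed values written to the status register, one per cycle


def majority(a, b, c):
    return (a & b) | (a & c) | (b & c)


def simulate(ncopies, faults, stimulus=STIMULUS):
    """Cycle model. `faults` is a set of (cycle, copy, bit) one-cycle upsets.

    Returns (error_flags, output_correct): the comparator/voter error flag per
    cycle and whether the value delivered to the consumer was correct."""
    error_flags, output_correct = [], []
    for cycle, value in enumerate(stimulus):
        copies = [value] * ncopies                       # all copies loaded at the clock edge
        for fault_cycle, copy, bit in faults:
            if fault_cycle == cycle:
                copies[copy] ^= 1 << bit                 # transient upset on one flop
        if ncopies == 2:
            output = copies[0]                           # dual-rail: copy 0 drives the output
            error = copies[0] != copies[1]
        else:
            output = majority(*copies)                   # TMR: the voter masks a single upset
            error = any(copy != output for copy in copies)
        error_flags.append(error)
        output_correct.append(output == value)
    return error_flags, output_correct


def outcome(ncopies, faults, stimulus=STIMULUS):
    """(latched, corrupted): did the safety unit's sticky latch fire, and did
    the consumer ever see a wrong value."""
    error_flags, output_correct = simulate(ncopies, faults, stimulus)
    return any(error_flags), not all(output_correct)


def exhaustive_upsets(ncopies, stimulus=STIMULUS):
    """Every single upset and every pair of upsets (any two flops, any two cycles)."""
    flops = [(cycle, copy, bit) for cycle in range(len(stimulus))
             for copy in range(ncopies) for bit in range(WIDTH)]
    cases = [{f} for f in flops] + [{f, g} for f, g in combinations(flops, 2)]
    tally = {"injected": 0, "detected": 0, "masked": 0, "silent_corruption": 0}
    for faults in cases:
        latched, corrupted = outcome(ncopies, faults, stimulus)
        tally["injected"] += 1
        if latched:
            tally["detected"] += 1
        if latched and not corrupted:
            tally["masked"] += 1               # detected and the consumer never saw it
        if not latched and corrupted:
            tally["silent_corruption"] += 1    # the dangerous class: wrong value, no error
    return tally


if __name__ == "__main__":
    print("dual-rail:", exhaustive_upsets(2))
    print("TMR:      ", exhaustive_upsets(3))
```

Single upsets are caught by both schemes, which is all a hand-written fault-injection testbench usually exercises. The pair sweep is where the schemes separate: dual-rail is silent when the same bit flips in both copies in the same cycle (a common-mode double upset), while TMR still flags it through the third copy even though the voter output is wrong. Whether that double-upset class must be covered is a question for the safety analysis, but the sweep at least makes the residual explicit.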
Example: Qualification of Formal Verification
Environment in ISO-26262
Problem
• Quantitative assessment of formal verification environment needed
• Example: Qualify verification environment for safety functions*)
Solution
• Use observation coverage to identify coverage holes
• Integrate coverage results with simulation coverage
Other Coverage Methods
– No concept of assertion quality
– Inadequate in terms of accuracy
OneSpin 360TM Quantify MDV
– Precise coverage metrics
– Based on the ability to detect bugs, not just to activate code
– Comprehensive management metrics for progress and guidance
– Easily layered into simulation-based flow
[Figure: observation coverage classes (verification hole, verified code, constrained code, dead code) with a statistic overview]
*) Don’t miss the full story by Holger Busch at DAC’14 on “Formal Safety Verification With Qualified Property Sets” during DESIGNER
TRACK: Accelerating Productivity Through Formal and Static Methods, Session 38.3
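The principle named on this slide, coverage "based on the ability to detect bugs, not just to activate code", as an added example that is not Quantify MDV (whose method the slide does not detail) and not code from the slides: every logic site of a constructed airbag-release function is mutated in turn, and a site counts as observed only when the assertion set fails on every non-equivalent mutant over the exhaustive input space. Every site is activated by some input, so activation coverage would report 100%; sites whose mutants survive are the verification holes. Design, assertions and names are assumptions.

```python
"""Observation coverage by mutation analysis."""
from itertools import product

# Constructed design: fire the airbag on a sensed crash with an occupant present
# unless the system is disabled; light the warning lamp on a sensor fault or on disable.
ORIGINAL_OPS = {
    "and_crash_occupant": lambda a, b: a and b,
    "and_not_disabled":   lambda a, b: a and b,
    "or_warn":            lambda a, b: a or b,
}

def design(crash, occupant, disabled, sensor_fault, ops=ORIGINAL_OPS):
    fire = ops["and_crash_occupant"](crash, occupant)
    fire = ops["and_not_disabled"](fire, not disabled)
    warn = ops["or_warn"](sensor_fault, disabled)
    return fire, warn

# Operator mutants, applied to one site at a time.
MUTANTS = {
    "and":    lambda a, b: a and b,
    "or":     lambda a, b: a or b,
    "xor":    lambda a, b: a != b,
    "const0": lambda a, b: False,
    "const1": lambda a, b: True,
}

INPUT_SPACE = list(product((False, True), repeat=4))   # (crash, occupant, disabled, sensor_fault)

# Assertions take (inputs, outputs) and return True when satisfied.
FIRE_ASSERTIONS = [
    lambda i, o: (not o[0]) or i[0],                            # fire implies crash
    lambda i, o: (not (i[0] and i[1] and not i[2])) or o[0],    # crash & occupant & !disabled implies fire
]
WARN_ASSERTIONS = [
    lambda i, o: (not i[3]) or o[1],                            # sensor_fault implies warn
    lambda i, o: (not o[1]) or (i[3] or i[2]),                  # warn implies sensor_fault or disabled
]


def holds(assertions, ops):
    """True when every assertion passes on every input for the design built from `ops`."""
    return all(a(inp, design(*inp, ops=ops)) for inp in INPUT_SPACE for a in assertions)


def observation_coverage(assertions):
    """Map each logic site to the mutants the assertion set fails to detect.

    An empty list means every behavioural change at that site is observed by
    the checks; a non-empty list is a verification hole at that site."""
    report = {}
    for site in ORIGINAL_OPS:
        survivors = []
        for name, mutant in MUTANTS.items():
            ops = dict(ORIGINAL_OPS, **{site: mutant})
            if all(design(*inp, ops=ops) == design(*inp) for inp in INPUT_SPACE):
                continue                   # equivalent mutant: same function, nothing to observe
            if holds(assertions, ops):
                survivors.append(name)     # passes every assertion, so the change is invisible
        report[site] = sorted(survivors)
    return report


if __name__ == "__main__":
    print("fire assertions only:", observation_coverage(FIRE_ASSERTIONS))
    print("with warn assertions:", observation_coverage(FIRE_ASSERTIONS + WARN_ASSERTIONS))
```

With only the fire assertions, the warning-lamp logic is fully activated yet entirely unobserved: any mutation of it passes the assertion set. Adding the two warn assertions closes the hole, and the second of them is what kills the `const1` mutant, a reminder that "signal implies condition" assertions are as necessary as "condition implies signal" ones.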
So what’s in it for you? Increasing performance & confidence
Why this should matter to you:
• Improving the design process quality, leading to
optimized approval processes.
• No holding back in innovative development, tools
appropriate for any advanced design process.
• Conformity with safety critical quality standards.
• Don’t get slowed down by standard-compliance issues.
• Increasing safety by minimizing human error.
Verified Beyond Doubt Don’t rely on human perfection
Why Formal Verification – Everybody
wins:
Formal verification is an automatic solution for
proving what is often done manually. Implementing a
software-based formal verification process reduces
exposure to both systematic failures and random
failures.
Increase the quality of your process standards while
speeding up implementation.
The Impact of Formal Verification Dramatic Schedule and Quality Improvements
• Find hidden corner cases
• Avoid last minute bug disruption
• Faster verification execution
• Reduced stimuli coding
[Figures: (1) verification effort vs. design size, simulation alone compared with formal + simulation; (2) bug-finding rate across the cluster, block, system and post-silicon phases, the traditional simulation-only flow compared with the improved rate after adding formal, reaching tapeout earlier; (3) time/cost for fixing bugs rising with each phase]
However, old solutions used to be too complex
Formal Verification offers significant benefits
OneSpin 2nd Generation Formal Technology: Performance, Usability, Accessibility
From Automated Solutions To Advanced Verification
OneSpin Advanced Formal Proof Engine: high performance, easy to use, accessible technology platform
• Design Analysis: quick & easy, automated, comprehensive
– Inputs: RTL code, setup & lint, activation checks, safety checks; integrated debug
– Solutions: protocol analysis, register & connectivity checking, score-boarding
– X-propagation analysis
• Coverage-Driven Property Verification: rapid, exhaustive
– Inputs: RTL code, assertion set, constraint set; integrated debug
– Quantify™ observation coverage
– Assertion synthesis, handwritten SV / PSL assertions, operational transaction assertion library
• Sequential Equivalency Checking: ASIC & FPGA, tool sign-off accuracy
– RTL-RTL, RTL-gate and gate-gate sequential EC across synthesis, place & route and silicon
OneSpin Solutions
A New Spin On Verification
• Solutions for all Verification Needs
Automated, Plug & Play Verification
Exhaustive, Coverage-Driven Property Analysis
Leading-Edge Equivalency Checking
• Pioneering, Leading Technology
Award-Winning Technology Foundation
100s Years Usage & Development Experience
• User Oriented Approach
Easy to use
High-Performance
Cloud Accessibility
Visit us at DAC 2014, Booth #1219
Thank You!
• Follow Infineon’s Holger Busch at the DESIGNER TRACK on “Formal Safety Verification
With Qualified Property Sets”, Session 38.3, Tue June 03, 4:00pm - 6:00pm | Room 105
• Watch the PAVILION PANEL: “The Asymptote of Verification” moderated by Bryon Moyer -
EE Journal, Mo June 02, 5:15pm - 6:00pm | Booth 313
About OneSpin
OneSpin Solutions
A Brief History
• Original formal group at Siemens/Infineon, spun out to separate
company, 300+ development & application years into products
• 2010-2012: Euro lead customers focus, Gap Free Verification
• 2012: Corporate restructuring, new CEO, refinancing, global focus
• 2012-now: Global expansion, Automated EC and DV solutions
• 2013: Significant growth, doubled revenue, tripled bookings
• Today: Cash flow positive, capital injection to accelerate growth
[Timeline 2010 to 2014+: spin out & product development; European lead customer focus; global expansion with US & Asia team]
OneSpin Solutions Innovative Formal Technology
Unique Formal Technology
•Push button observation coverage analysis for verification progress
•Functional coverage using unique gap free verification
•Mature sequential equivalence checking for FPGA and ASIC synthesis
Advanced Usability Features
•Structural assertion debugger and active value/driver tracing through RTL
• Incremental compilation of assertions for quick turn around
•Faster assertion development with operational assertions
World Wide Company Success
•Doubled Revenue in 2013
•Tripled Bookings in 2013
•Increased World Wide Adoption
Market context (source: EDAC MSS 2013, verification market sizes 2008-2013 and accumulated growth since 2008):
• Simulation-based verification methodologies predominant
• Significant market growth for formal verification
• Significant EC FPGA market growth
• OneSpin customers benefit from mature formal design verification products
• OneSpin keeps innovating! OneSpin Solutions is growing faster than the market.
Pioneering, Leading Technology
Broad Range of Solutions
User Oriented Approach