
Page 1: Automated Verification, No Testbench Rigorous Testing ... · Failure to comply can result in harm to people, loss of business and prosecution Standards imply rigorous requirements

Copyright OneSpin Solutions 2014

Formal Verification
When Failure Is Not An Option

Automated Verification, No Testbench
Rigorous Testing, Maximizing Coverage, Accelerated Implementation Flow

Safety Critical Component Verification Leveraging Formal Techniques

Sergio Marchese
TVS Formal Verification 2014, Thursday, 15th May 2014
Royal Berkshire Conference Centre, Reading

Page 2

Why Is This Important? Avoiding Catastrophes

Imagine the following headlines:

• Wrongly Guided Missile Hits Innocent Country
• Faulty Mars-Rover Leads To Trillion $ Loss
• Increase of Road-Accidents Due To Faulty Electronic Control Units
• Death Could Have Been Prevented By Airbag
  – Massive Callback By Supplier

You don't want to make these headlines!

Page 3

How did we get there? And what's it all about?

Ever higher integration density and an increasing number of functions make random and systematic failures much more likely than in the past!

Since 2006, market awareness of functional safety standards has shifted customer requirements to demand specific safety measures…

…this shift resulted in component vendors having to take an active role to ensure system safety by design,

leading to rigorous automated processes to avoid systematic failures such as human error and design flow error…

…and furthermore safeguarding against random failures by design and ensuring effectiveness through quantitative analysis of the safety architecture.

(Figure: question bubbles "ISO 26262?", "DO-254?", "flow compliant")

Page 4

Functional Safety Standards and Industries

Functional Safety
• DO254: Aerospace, Defense
• IEC 61508:
  – Automotive / ISO 26262
  – Ind. Process Control / IEC 61511
  – Machine Tooling / IEC 62061
  – Nuclear Power / IEC 61513/62138
  – Medical Devices / IEC 62404, DIN EN ISO 13485
  – Railway Transportation / EN 50128

Failure to comply can result in harm to people, loss of business and prosecution.
Standards imply rigorous requirements on design and verification.
Governed by strict rules, industry / domain specific.

Page 5

General Flow for Safety Critical Applications

Planning
– Establish project plans and standards
– Define strategy for compliance

Requirements
– Allocate system functions to hardware
– Create derived requirements

Conceptual Design
– High level description of design
– Identify major components

Detailed Design
– RTL Design, Compile

Implementation
– Synthesis and P & R
– Timing Model
– Generate bitstream file
– Program Device / Generate Mask

Random failures are introduced in the field: safeguarding against random failures by design is needed.
Safety functions are tracked through the complete flow.
Systematic failures are introduced at each step: safeguarding against systematic failures is equally important.

Page 6

Don't want to be risky? Design for Safety – Verify

Quote from the United States Nuclear Regulatory Commission (U.S.N.R.C.):

"Advanced techniques such as formal verification together with the code coverage analysis should be encouraged for use in the verification of safety-critical FPGA designs as an integral part of the design life cycle."

Page 7

How to get there? Let us help you

Verification beyond doubt: minimizing systematic failures as well as safeguarding against random failures can be supported through formal verification tools, when failure is not an option.

Now let's look at some practical industry applications…

Page 8

Example: Preventing Synthesis Bugs

Problem
• Systematic failure by synthesis tool introduced during implementation
• Example: Wrong sequential optimization leads to reading an outdated value from an FPGA flop

Solution
• Formal sequential equivalence checking*) with EC-FPGA to verify the synthesis result
• Disable the specific faulty synthesis option and re-run synthesis

(Figure: sequential equivalence, with states s1 to s5 and r4 mapped between the two designs, versus combinational equivalence comparing Out against Out)

Conventional Equivalence Checkers
– Do not support advanced FPGA optimizations
– Require extensive manual intervention and complex scripting
– Require and rely on information from synthesis "side files"

OneSpin 360™ EC-FPGA
– Complete synthesis sign-off without writing test vectors
– Handles ALL FPGA-specific optimizations
– Does not rely on synthesis side files
– Verifies whole-chip flat netlists "as is"
– Provides a high degree of automation, simple scripting and easy error location
– Makes the latest FPGA and synthesis technology available in regulated environments

*) Recommended procedure by the US Nuclear Regulatory Commission; provides independent output assessment in DO-254
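An added Python example (not OneSpin code or the slide's design; the 2-bit counter, its one-hot re-encoding and the "outdated flop" model are all constructed here) of what sequential equivalence checking does that combinational, flop-for-flop matching cannot: it explores the product of the reference and implementation state machines from their reset states and compares outputs on every reachable state and input, returning an input trace to the first mismatch.

```python
from collections import deque

INPUTS = (0, 1)  # constructed: the single 1-bit input 'en'


def ref_step(count, en):
    """Reference RTL (constructed): 2-bit counter with enable; out is a
    combinational decode, high while count == 3. Returns (next, out)."""
    nxt = (count + 1) & 3 if en else count
    return nxt, int(count == 3)


def impl_step(state, en):
    """Constructed model of the slide's wrong sequential optimisation: the
    count == 3 compare was moved behind an extra flop, so the output is the
    flop's outdated value from the previous cycle. state = (count, out_q)."""
    count, out_q = state
    nxt = (count + 1) & 3 if en else count
    return (nxt, int(count == 3)), out_q


def onehot_step(state, en):
    """Constructed legitimate re-encoding of the same counter with a one-hot
    state (4 flops), which flop-for-flop combinational EC cannot match."""
    idx = state.index(1)
    nidx = (idx + 1) & 3 if en else idx
    return tuple(int(i == nidx) for i in range(4)), state[3]


def seq_equiv(ref, impl, ref_reset, impl_reset, inputs=INPUTS):
    """Sequential equivalence check: exhaustive BFS over the product machine
    from the two reset states, comparing outputs for every input. Returns
    (True, None) or (False, input trace from reset to the first mismatch)."""
    start = (ref_reset, impl_reset)
    parent = {start: None}  # product state -> (predecessor, input applied)
    queue = deque([start])
    while queue:
        rs, ims = queue.popleft()
        for x in inputs:
            rn, ro = ref(rs, x)
            imn, imo = impl(ims, x)
            if ro != imo:
                trace, node = [x], (rs, ims)
                while parent[node] is not None:  # walk back to reset
                    node, x_prev = parent[node]
                    trace.append(x_prev)
                return False, trace[::-1]
            nxt = (rn, imn)
            if nxt not in parent:
                parent[nxt] = ((rs, ims), x)
                queue.append(nxt)
    return True, None


if __name__ == "__main__":
    print("one-hot re-encoding:", seq_equiv(ref_step, onehot_step, 0, (1, 0, 0, 0)))
    print("outdated flop      :", seq_equiv(ref_step, impl_step, 0, (0, 0)))
```

The re-encoded design passes although no flop of it matches the reference, while the retimed output flop is caught with a three-enable trace, which is the kind of counterexample a sign-off flow needs to attach to the synthesis option it then disables.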

Page 9

Example: Preventing Programming Errors

Problem
• Systematic failure by human error introduced during detailed design
• Example: Wrongly supplied full_case pragma leads to an unintended branch being taken on silicon

Solution
• Automatic formal inspection*) using DV-Inspect automatically identifies a large class of such problems
• Analyze reported issues and fix the RTL

Conventional Lint Checkers
– Require extensive setup
– Report large numbers of potential issues
– Provide no trace for debugging

OneSpin 360™ DV-Inspect
– Easy setup and flow integration
– Finds real issues using formal reachability analysis
– Provides debug trace and includes a strong debugger
– Automates tedious manual inspection without test vectors
– Applicable on early RTL, avoiding late debug cycles

The RTL fragment from the slide (the case covers three of the four values of nstate, and the pragma tells synthesis the fourth never occurs):

```verilog
  else begin
    case (nstate) // synopsys full_case
      2'b00: nstate = 2'b01;
      2'b01: nstate = 2'b10;
      2'b10: nstate = 2'b11;
      // no 2'b11 arm: in simulation nstate simply keeps its value, but the
      // full_case pragma lets synthesis treat 2'b11 as don't-care, so the
      // silicon may take any branch once nstate reaches 2'b11
    endcase
    o = nstate[0];
  end
end
endmodule
```

*) Recommended to be used regularly by each designer

Page 10

Example: Quantitative Analysis of Simulation Completeness in DO-254

Problem
• Insufficient code coverage during DO-254 elemental analysis*) prevents certification
• Example: Some branch is never executed because 'ack' cannot be asserted in context

Solution
• Automatic formal inspection using DV-Inspect automatically identifies unreachability
• Proven dead code can be documented or fixed to achieve the certificate

*) Level A/B designs governed by DO-254 Appendix B devise coverage on sub-functional level during elemental analysis

The next-state logic from the slide (all arms assign nstate; the slide wrote 'state' in the last arm):

```verilog
case (state)
  2'b00: nstate = 2'b01;
  2'b01: nstate = 2'b11;
  2'b10: nstate = 2'b00;
  2'b11: if (ack)            // 'ack' can never be asserted in this context,
           nstate = 2'b10;   // so this branch is never executed
         else
           nstate = 2'b11;
endcase
```

Simulation-Only flow
– Cannot prove unreachability
– Requires lots of manual work to inspect coverage holes
– Often hard to judge if coverage is possible

OneSpin 360™ DV-Inspect
– Easy setup and flow integration
– Automatically proves unreachability
– Gives guidance for test creation for reachable scenarios
– Supports a large number of coverage classes
– Provides a strong argument for waiving coverage goals
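An added Python example, not part of the slides and not OneSpin's tooling, of the exhaustive reachability analysis behind both DV-Inspect examples (the slide-9 full_case FSM and the slide-10 'ack' FSM): breadth-first search over every state and input value from reset. It assumes a reset state of 2'b00 for both machines, models the slide-9 case as stepping a 2-bit state register, and takes the environment assumption "ack is never asserted while the FSM is in 2'b11" from the slide text.

```python
from collections import deque

# Constructed input alphabet: the single 1-bit input 'ack' (slide 10);
# the slide-9 FSM ignores it.
ACK_VALUES = (0, 1)

def next_state_full_case(state, _ack):
    """Slide-9 FSM: 'case (nstate) // synopsys full_case' with arms for
    2'b00, 2'b01 and 2'b10 only. None marks the missing 2'b11 arm, the
    value synthesis is free to treat as don't-care."""
    return {0: 1, 1: 2, 2: 3}.get(state)

def next_state_ack(state, ack):
    """Slide-10 FSM, transition for transition as in the case statement."""
    if state == 0:
        return 1
    if state == 1:
        return 3
    if state == 2:
        return 0
    return 2 if ack else 3  # 2'b11: if (ack) ... else ...

def explore(step, reset=0, constraint=lambda s, a: True):
    """Exhaustive BFS over reachable states x allowed input values.
    Returns (reachable states, exercised (state, ack) pairs, holes), where a
    hole is a reachable (state, ack) pair that lands on an uncovered arm."""
    seen, exercised, holes = {reset}, set(), set()
    queue = deque([reset])
    while queue:
        s = queue.popleft()
        for ack in ACK_VALUES:
            if not constraint(s, ack):  # environment assumption
                continue
            exercised.add((s, ack))
            n = step(s, ack)
            if n is None:
                holes.add((s, ack))
                continue
            if n not in seen:
                seen.add(n)
                queue.append(n)
    return seen, exercised, holes

def full_case_hole_is_reachable():
    """Slide 9: can the FSM reach the value that has no case arm?"""
    return bool(explore(next_state_full_case)[2])

def dead_code_report(constrained=True):
    """Slide 10: under the assumption 'ack is never asserted in 2'b11',
    return (unreachable states, (state, ack) branches that never execute)."""
    if constrained:
        constraint = lambda s, a: not (s == 3 and a == 1)
    else:
        constraint = lambda s, a: True
    reach, exercised, _ = explore(next_state_ack, constraint=constraint)
    dead_states = {0, 1, 2, 3} - reach
    dead_branches = {(s, a) for s in reach for a in ACK_VALUES} - exercised
    return dead_states, dead_branches

if __name__ == "__main__":
    print("full_case hole reachable:", full_case_hole_is_reachable())
    print("dead with constraint:   ", dead_code_report(True))
    print("dead without constraint:", dead_code_report(False))
```

The same search answers both questions: the slide-9 hole is reachable (so the pragma matters on silicon), and on slide 10 the 'if (ack)' branch and state 2'b10 are provably dead only because of the environment assumption, which is exactly what a coverage waiver has to document.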

Page 11

Example: Preventing Implementation Errors

Problem
• Systematic failure by human error introduced during detailed design
• Example: Simultaneously asserting two mutually exclusive signals in case of a full buffer, two requests, and …

Solution
• Formal assertion based verification of vital design functions using DV-Verify
• Analyze the situation and fix the RTL

Conventional Simulation
– Requires anticipating error scenarios
– Incomplete coverage of input vectors
– Inefficient on large combinational requirements

OneSpin 360™ DV-Verify
– Good and bad cases stated by assertion
– Complete coverage of the input space
– Scales well for large combinational spaces
– Can find issues unlikely to be found by other methods
– More efficient than other methods on many design classes

The assertion from the slide, with the two signals concatenated into the single vector that $onehot expects:

```verilog
// exactly one of a, b asserted; use $onehot0 instead if the requirement
// is "at most one", i.e. neither asserted is also legal
assert ($onehot({a, b}));
```

Page 12

Example: Preventing Specification Errors

Problem
• Systematic failure by human error during conceptual design
• Example: Scenario where brake and gas are hit simultaneously not considered

Solution
• Capture all specified functions using assertions and use formal gap detection*) with DV-Certify to spot omissions
• Specify the missing function and re-implement the RTL

Manual Inspection of Properties
– Detecting human error by humans
– Incomplete and error-prone by construction
– Inefficient on large detailed requirement sets

OneSpin 360™ DV-Certify
– Systematically detects human error by machine
– Only method for complete inspection of properties
– Can handle large, diverse requirements

(Figure: inputs / state / outputs table with the rows "Gas and no brake", "No gas, no brake" and "Brake and no gas"; the outputs for the remaining input combination are shown as "?")

*) Requires thorough planning and execution by trained personnel

Page 13

Example: Safeguarding Memory

Problem
• Random failure on SRAM introduced in the field
• Example: Wrong value in memory leads to wrongly computing the airbag release condition

Solution
• Implement an error correcting code (ECC) on the SRAM
• Verify proper error correction using formal assertion based verification with DV-Verify

Simulation Based Verification
– Hard to anticipate all relevant conditions
– Inefficient on large detailed requirement sets

OneSpin 360™ DV-Verify
– No knowledge of the ECC algorithm needed for verification
– High number of parameters and inputs handled
– Easy to specify behavior and inject faults
– Can handle a huge number of combinations of potential faults

(Figure: Write path Encoder -> SRAM and Read path SRAM -> Decoder, with Fault Injection into the SRAM parameterized by #faults)
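An added Python example, not OneSpin code and not the slide's (unspecified) ECC: a Hamming(7,4) encoder and decoder stand in for the ECC, the SRAM is modelled as the stored codeword, and the requirement "data read equals data written" is checked exhaustively for every data word and every combination of #faults bit flips, the way the slide's fault-injection setup parameterizes it.

```python
from itertools import combinations


def encode(data):
    """Hamming(7,4) single-error-correcting encoder (constructed stand-in for
    the slide's ECC). data is a 4-bit int; returns the 7-bit codeword as a
    list indexed 1..7 (index 0 unused) in the layout p1 p2 d1 p3 d2 d3 d4."""
    d1, d2, d3, d4 = ((data >> i) & 1 for i in range(4))
    p1 = d1 ^ d2 ^ d4
    p2 = d1 ^ d3 ^ d4
    p3 = d2 ^ d3 ^ d4
    return [None, p1, p2, d1, p3, d2, d3, d4]


def decode(code):
    """Decoder: the 3-bit syndrome is the position of a single flipped bit
    (0 = no error). Returns (data, syndrome) after correcting that position."""
    c = list(code)
    s1 = c[1] ^ c[3] ^ c[5] ^ c[7]
    s2 = c[2] ^ c[3] ^ c[6] ^ c[7]
    s3 = c[4] ^ c[5] ^ c[6] ^ c[7]
    syndrome = s1 | (s2 << 1) | (s3 << 2)
    if syndrome:
        c[syndrome] ^= 1
    return c[3] | (c[5] << 1) | (c[6] << 2) | (c[7] << 3), syndrome


def sram_roundtrip(data, fault_positions):
    """Write path from the slide: encoder -> SRAM -> decoder, with the SRAM
    cell flips at fault_positions injected between write and read."""
    stored = encode(data)
    for p in fault_positions:
        stored[p] ^= 1  # fault injection on the stored word
    return decode(stored)[0]


def check_all_faults(n_faults):
    """Requirement stated over the whole input space: data read back equals
    data written. Checked exhaustively for every 4-bit data word and every
    combination of n_faults distinct bit flips in the 7-bit stored word.
    Returns (violations, cases checked)."""
    violations = cases = 0
    for data in range(16):
        for faults in combinations(range(1, 8), n_faults):
            cases += 1
            if sram_roundtrip(data, faults) != data:
                violations += 1
    return violations, cases


if __name__ == "__main__":
    for n in (0, 1, 2):
        print(f"{n} fault(s): {check_all_faults(n)} (violations, cases)")
```

Every one of the 112 single-bit faults is corrected, but every one of the 336 double-bit faults is miscorrected into a wrong data word, so the number of simultaneous faults the check activates is part of the requirement, not a tuning knob.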

Page 14

Example: Safeguarding Status Registers

Problem
• Random failure introduced by a single event upset in the field
• Example: Status register value flips for one cycle

Solution
• Use redundancy, error detection and error handling in the safety management unit
• Use formal assertion based verification with DV-Verify to ensure correct handling of faults and error propagation*)

Simulation with Fault Injection
– Limited number of faults
– Low degree of automation
– Long run times

OneSpin 360™ DV-Verify
– Exhaustive fault activation including multiples
– Efficient modeling of faults and specification of requirements
– Highly automated
– Handles large blocks and a huge number of faults simultaneously

*) ISO 26262 demands verification of safety features on netlist level for ASIL-D compliance (H. Busch, Infineon Technologies, "Formal Safety Verification of Automotive Microcontroller Parts", ZuE2012, Bremen)

Page 15

Example: Qualification of Formal Verification Environment in ISO 26262

Problem
• Quantitative assessment of the formal verification environment needed
• Example: Qualify the verification environment for safety functions*)

Solution
• Use observation coverage to identify coverage holes
• Integrate coverage results with simulation coverage

Other Coverage Methods
– No concept of assertion quality
– Inadequate in terms of accuracy

OneSpin 360™ Quantify MDV
– Precise coverage metrics
– Based on the ability to detect bugs, not just to activate code
– Comprehensive management metrics for progress and guidance
– Easily layered into a simulation-based flow

(Figure: Quantify statistic overview classifying the RTL into verified code, verification hole, constrained code and dead code)

*) Don't miss the full story by Holger Busch at DAC'14 on "Formal Safety Verification With Qualified Property Sets" during DESIGNER TRACK: Accelerating Productivity Through Formal and Static Methods, Session 38.3

Page 16

So what's in it for you? Increasing performance & confidence

Why this should matter to you:
• Improving the design process quality, leading to optimized approval processes.
• No holding back in innovative development: tools appropriate for any advanced design process.
• Conformity with safety critical quality standards.
• Don't get slowed down by standard-compliance issues.
• Increasing safety by minimizing human error.

Page 17

Verified Beyond Doubt: Don't rely on human perfection

Why Formal Verification – Everybody wins:

Formal verification is an automatic solution for proving what is often done manually. Implementing a software based formal verification process implies less susceptibility to systematic failure and random failure.

Increase the quality of your process standards while speeding up implementation.

Page 18

The Impact of Formal Verification: Dramatic Schedule and Quality Improvements

• Find hidden corner cases
• Avoid last minute bug disruption
• Faster verification execution
• Reduced stimuli coding

(Figure: Impact of increasing design size on verification effort; Verification Effort vs. Design Size for Simulation alone and for Formal + Simulation)

(Figure: Bug Rate over Cluster, Block, System and Post-Silicon with Tapeout marked; improved bug finding rate after adding formal to the verification flow and earlier tapeout with formal + simulation, against the bug finding rate using the traditional, simulation-only approach; second axis Time/Cost For Fixing Bugs)

However, old solutions used to be too complex.
Formal Verification offers significant benefits.
OneSpin 2nd Generation Formal Technology: Performance, Usability, Accessibility

Page 19

From Automated Solutions To Advanced Verification

OneSpin Advanced Formal Proof Engine: High Performance, Easy to use, Accessible Technology Platform

• Quick & Easy, Automated, Comprehensive Design Analysis
  – Formal Engine with Setup & Lint, Activation Checks, Safety Checks and X-Propagation Analysis on RTL Code, with Integrated Debug
• Rapid, Exhaustive Coverage-Driven Property Verification
  – Assertion Set and Constraint Set on RTL Code run through the Formal Engine, with Integrated Debug and Quantify™ Observation Coverage
  – Assertion sources: Handwritten SV / PSL Assertions, Assertion Synthesis, Operational Transaction Assertion Library
  – Solutions: Protocol Analysis, Register & Connectivity Checking, Score-boarding
• ASIC & FPGA Tool Sign-off Accuracy: Sequential Equivalency Checking
  – RTL-RTL, RTL-Gate and Gate-Gate Sequential EC across RTL, Synthesis, Gate, Place & Route and Silicon

Page 20

OneSpin Solutions: A New Spin On Verification

• Solutions for all Verification Needs
  – Automated, Plug & Play Verification
  – Exhaustive, Coverage-Driven Property Analysis
  – Leading-Edge Equivalency Checking
• Pioneering, Leading Technology
  – Award-Winning Technology Foundation
  – 100s Years Usage & Development Experience
• User Oriented Approach
  – Easy to use
  – High-Performance
  – Cloud Accessibility

Visit us at DAC 2014, Booth #1219

Thank You!

• Follow Infineon's Holger Busch at the DESIGNER TRACK on "Formal Safety Verification With Qualified Property Sets", Session 38.3, Tue June 03, 4:00pm - 6:00pm | Room 105
• Watch the PAVILION PANEL: "The Asymptote of Verification" moderated by Bryon Moyer - EE Journal, Mon June 02, 5:15pm - 6:00pm | Booth 313

Page 21

About OneSpin

Page 22

OneSpin Solutions: A Brief History

• Original formal group at Siemens/Infineon, spun out to a separate company, 300+ development & application years into products
• 2010-2012: Euro lead customers focus, Gap Free Verification
• 2012: Corporate restructuring, new CEO, refinancing, global focus
• 2012-now: Global expansion, Automated EC and DV solutions
• 2013: Significant growth, doubled revenue, tripled bookings
• Today: Cash flow positive, capital injection to accelerate growth

(Timeline 2010, 2011, 2012, 2013, 2014+: Spin out & product development; European lead customer focus; Global expansion, US & Asia team)

Page 23

OneSpin Solutions Innovative Formal Technology

Unique Formal Technology
• Push button observation coverage analysis for verification progress
• Functional coverage using unique gap free verification
• Mature sequential equivalence checking for FPGA and ASIC synthesis

Advanced Usability Features
• Structural assertion debugger and active value/driver tracing through RTL
• Incremental compilation of assertions for quick turnaround
• Faster assertion development with operational assertions

World Wide Company Success
• Doubled Revenue in 2013
• Tripled Bookings in 2013
• Increased World Wide Adoption

• Simulation-based verification methodologies predominant
• Significant Market Growth for Formal Verification
• Significant EC FPGA market growth
• OneSpin customers benefit from Mature Formal Design Verification products
• OneSpin keeps innovating!

(Figure: Verification Market Sizes 2008 - 2013, Source EDAC MSS 2013)

OneSpin Solutions is growing faster than the market.

(Figure: Accumulated Growth Since 2008, Source EDAC MSS 2013)

Pioneering, Leading Technology
Broad Range of Solutions
User Oriented Approach