Formal Verification in the Design of Automotive · PDF fileFormal verification is the act of...

1 S.Bulach | 2010.06.22 | © Robert Bosch GmbH 2010. All rights reserved, also regarding any disposal, exploitation, reproduction, editing,

distribution, as well as in the event of applications for industrial property rights.

Automotive Electronics

Formal Verification

in the Design of Automotive SoCsBest Practices and Challenges

Slava Bulach




Abstract

The complexity of modern automotive Systems-on-Chips (SoC) grows at

the comparable rate as integrated circuits in other application domains

in close correlation with the self-fulfilling prophecy of Moor’s Law. It is

becoming quite common to see sophisticated digital blocks, such as

processors or microcontrollers, situated on the same die right next to

large analog/mixed-signal (AMS) blocks. It is practically impossible to

achieve the required quality of IC’s intended for safety-critical

applications without advanced verification approaches such as formal

verification. Besides mature equivalence checking techniques novel

property checking methodologies are steadily fighting their way into

the mainstream. As they become part of the established verification

flow the necessity to push verification limits even further brings up

multitudes of exciting new challenges.

3

Formal Verification of Automotive SoCs

S.Bulach | 2010.06.22 | © Robert Bosch GmbH 2010. All rights reserved, also regarding any disposal, exploitation, reproduction, editing,



Outline

� Bosch Automotive Electronics

� Semiconductor IC

� business of ASICs

� digital HW design

� motivation for verification

� Equivalence Checking

� Assertion-based Verification

� Operation-based Verification

� Summary

4

Reutlingen: 200mm FAB launched on 18.03.2010

AE/EIM3-Bulach | 2010.06.22 | © Robert Bosch GmbH 2010. All rights reserved, also regarding any disposal, exploitation, reproduction, editing,



5

Bosch Group - facts and figures

Bosch Group

Automotive

Technology

Structure of the Bosch Group

Business sectors

Industrial

Technology

Consumer Goods &

Building Technology

6


Milestones of automotive technology

1897 1902 1951 1967 1976

Low-voltage magneto ignition for vehicles

High-voltage magneto ignition with spark plugs

Diesel injection pump

Gasoline injection systems for cars

Electronic gasoline injection (Jetronic)

Lambda sensor for three-way catalytic

converter

Antilock braking system (ABS)

1927 19781933

Acquisition of Ideal-Werke, today's Blaupunkt GmbH

1979

Combined digital control of gasoline injection and ignition (Motronic)

7


Milestones of automotive technology

1991 1995 1997 2002

• Electronic stability program (ESP)

• Vehicle navigation system with voice guidance

Electronic battery management (EBM)

• Electronic diesel injection (EDC)

• Traction control system (TCS)

Controller Area Network (CAN)

1986 2003 2005

Night-vision

system

Third generation common-railtechnology, with piezo in-line injectors

Common-rail high-pressure

injection system for diesel cars

Gasoline direct injection with piezo injectors

20062006

8

Automotive Technology




yesterday……today

~40 electro/electronic systemswith 50-100 uP>100 sensors

…in middle class car

Engine

Control

Unit

Braking System

(ABS/ESP)

Thermo-

systems,

Climate

Control

Cleaning SystemsWindow

and Door

Mechatronics

Bord

Network

Info and

Entertainment

Systems

Electronic

Steering

Side Crash Sensor

(Accelaration)

Side Crash

Sensor (Pressure)Weigth

Sensing

Crash

Sensing

Adaptive

Cruise Control

Sensor

Light

Control

Airbag

Park Pilot

Transmission

Control UnitPark Pilot

Source: Bosch

Radio, Navigation System

9

Automotive Electronics - Product Portfolio




Semiconductors for automotive applications

http://www.semiconductors.bosch.de/en/10/index.asp

10

Motivation for Hardware Verification




� Found On First Spin ICs/ASICs:

� Overall 61% of New ICs/ASICs Require At Least One Re-Spin.

Functional Logic Error

Analog Tuning Issue

Signal Integrity Issue

Clock Scheme Error

Reliability Issue

Mixed Signal Problem

Uses Too Much Power

Has Path(s) Too Slow

Has Path(s) Too Fast

IR Drop Issues

Firmware Error

Other Problem

###################### 43%

########## 20%

######### 17%

####### 14%

###### 12%

##### 11%

##### 11%

##### 10%

##### 10%

#### 7%

## 4%

# 3%

Source : Aart de Geus, Chairman & CEO of Synopsys, Boston SNUG 03, ESNUG 417

11

Hardware Verification Methods




verification goals in the design cycle

� from customer (Specification) to RTL (low level of automation)

� HW designer:

� implementation of functional requirements in HDL

� verification engineer:

� implementation of functional requirements in HVL

� search for functional discrepancies (bugs)

� remove them from design

� prove absence of functional discrepancies

� do so as early as possible in the design cycle (RTL)

� from RTL to layout (high degree of automation)

� HW designer:

� preservation of functionality throughout synthesis and layout

� verification engineer:

� prove absence of functional discrepancies

12

Verification of Implementation




design flow

RTL Domain

GL Domain

ScanScan

SynthesisSynthesis

PlacePlace Clock

Tree

Clock

Tree RouteRoute

SpecificationSpecificationSpecificationSpecification

verification of

implementation

13

Verification of Preservation




design flow

RTL Domain

GL Domain

ScanScan

SynthesisSynthesis

PlacePlace Clock

Tree

Clock

Tree RouteRoute

verification of

preservation

14

Formal Hardware Verification




Formal Methods - Definition

� Formal methods are a particular kind of mathematically-based techniques

for the specification, development and verification of software and

hardware systems [1]

� Formal verification is the act of proving or disproving the correctness of

intended algorithms underlying a system with respect to a certain formal

specification or property, using formal methods of mathematics.

� Steps in Formal Verification

� formalize specification (eg. write a property in HW Verif.Lang., HVL)

� formalize implementation (compile HDL into a formal circuit model)

� use mathematic algorithms to prove:

� function_a( impl_1 ) = specification Property Checking

� set of functions is gap free Completeness Checking

� function( impl_1 ) = function( impl_2 ) Equivalence Checking

[1] Jean François Monin, Michael Gerard Hinchey, Understanding formal methods, Springer, 2003, ISBN 1852332476

15





Equivalence Checking…

� … is a FV method of functional verification which provides mathematical

proof that two different circuits descriptions are functionally equivalent

� employed for checks at abstraction levels

� RTL : RTL (eg. re-design)

� RTL : NL (eg. synthesis)

� NL : NL (eg. pre layout : post layout)

� Verifies:

� logic synthesis

� clock-tree buffering and/or test structure insertions

� redesign at RTL

� redesign at gate level (metal fix!)

� …

16





in the past…

RTL Domain

GL Domain

RT-Simulation Testbench

Gate-Level Simulation

ScanScan

SynthesisSynthesis

PlacePlace Clock

Tree

Clock

Tree RouteRoute

17





today: simulation & formal

RTL Domain

GL Domain


Gate-Level Simulation

ScanScan

SynthesisSynthesis

PlacePlace Clock

Tree

Clock

Tree RouteRoute

Equivalence Checking

Static Timing

Analysis

18





Equivalence Checking

� status

� mature technology

� good degree of automation

� widely accepted by HW designers

� challenges

� sequential equivalence

� synthesis optimizations

� FPGA synthesis

� higher degree of automation desired

� Eq.Checking of low power features

19





design flow

RTL Domain

GL Domain

ScanScan

SynthesisSynthesis

PlacePlace Clock

Tree

Clock

Tree RouteRoute


verification of

implementation

20





in the past…

RTL Domain


SynthesisSynthesis


21





today…

RTL Domain

RT-Simulation

Testbench

SynthesisSynthesis


22





example of a formal verification flow

� OneSpin Formal Flow

source: OneSpin Solutions

23

Verification of Implementation – Formal ABV




AutoChecks (Consitency Checking)

� Common Design Errors:

•Array out of bounds access

•Integer division by zero in VHDL

•Integer negative exponent in VHDL

•Int. neg. divisor in remainder in VHDL

…

� Simulation-Synthesis Mismatches:

•Parallel/full-case pragmaviolation

•Non-01 values

•Inconsistent reset usage

…

� Design Optimizations:

…

•Design resetability

•Floating signals

•Unread signals

…

source: OneSpin Solutions

24





Two kinds of Formal ABV

� Implementation Intent Verification

� bug hunting in HW

� can be done by HW designer

� may not need HW specification

� rudimentary level Hardware Verification Language (HVL) proficiency

� typically done at block level

� tool capacity problems unlikely

� Functional Requirements Verification

� proof of functionality

� can be done by HW designer

� HVL proficiency required

� may need guidance/assistance of a Verification Engineer

� definitely need Functional Specification

� may be done at top level

� may run into tool capacity problems

25





Verification of Functional Requirements

� JTAG: TAP Controller

26





Verification of Functional Requirements (cont’d)


macros

Reset_is_inactive: assertion :=

during [t_first, t_last]: trst = '1';

end Reset_is_inactive;

end macros;

property tms_5_highs_go_init isassume:

Reset_is_inactive;during[t+1,t+5]: tms = '1';

prove:at t+6: tap_controller/tap_fsm_state = init;

end property;

State INIT: … Whatever may be the actual state of the controller, it will enter the IDLE state when the TMS input is held '1' for at least five rising edges of TCK pulses. The exact required number of TCK pulses depends on the current state of the TAP controller. The controller remains in this state while TMS is held '1'.

27





Verification of Functional Requirements


� very easy with formal vs. very cumbersome with simulation

> do_property_check

-I- current property file is: tms_5_highs_go_init.prp

-I- current property is: tms_5_highs_go_init-I- Examination window: [t+1,t+6]

-I- Generating standard clocking scheme for clock 'tck'.

-I- Simulating clocking scheme.

-I- Assumption is not contradictory, checked in 0.00 sec.

-R- The property holds, 0.02 sec CPU in total, 7 MB used.

28





Formal ABV - Challenges

� status

� mature technology

� good degree of automation

� seen by HW designers as having potential

� challenges

� acceptance barriers

� Hardware Verification Language (PSL, SVA, ITL, …)

� may run into tool capacity problems

� question of verification coverage

29

Operational Formal ABV




Gap-Free Verification

source:

OneSpin Solutions

30





Operation-Based Verification

� Gap-Free Verification summary

� proof of functionality

� definitely need Functional Specification

� want proofs as black-box as possible

� HVL proficiency required

� should be done by an experienced Verification Engineer

� may be done at block/top level

� may run into tool capacity problems (arithmetic, e.g. multiplier)

31





summary

� complexity of automotive SoCs grows (Moor’s Law)

� formal verification has reached enough maturity

� digital HW design

� part of a HW design flow already

� keeps on gaining acceptance

� FV of AMS circuits is still in research phase

� challenges in FV of digital HW:

� technical

� multiple clock domains

� clustering (super cluster)

� arithmetic functions

� serial protocol IPs (LIN, FlexRay)

� parameterised verification

� …

32





summary cont’d

� challenges in FV of digital HW (cont’d):

� technical

� FV of abstractions levels above RTL (eg. ESL)

� Equivalence Checking (ESL vs. RTL)

� ABV

� Verification of Low Power Features

� question of verification coverage

� formal vs. simulation

� formal & simulation

� non-tech (human factor)

� acceptance of FV

� question of automation (push-button approach)

� need to continue research in FV to stay competitive!

33





possibilities at Bosch for students

� Praktikum / Internship

� Studienarbeit

� Bachelor Thesis

� Diplomarbeit / Master’s Thesis

� PhD




Thank You!

…questions?

Formal Verification in the Design of Automotive · PDF fileFormal verification is the act of...

Documents

Transcript of Formal Verification in the Design of Automotive · PDF fileFormal verification is the act of...