

### Hierarchy of Design Requirements

formal verification at the RTL interface level

C. Norris Ip ip@tempusf.com, Tempus Fugit, Inc.



### Outline

| •                                          | act on<br>sign                                                                                                               |
|--------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|
| system                                     |                                                                                                                              |
| requirements<br>functional<br>requirements | Formal Requirement Verification on RTL<br>• shorten the lengthy verification process<br>Formal Interface Verification on RTL |
| interface<br>requirements                  | • easy to adopt Formal Interface Verification Module                                                                         |
| embedded<br>assertions                     | Second pair of eyes Basic Formal Verification fully automated                                                                |



- Embedded Assertions
  - document designer's local decision



- Example
  - one hot state machine encoding state[0] + state[1] + ... + state[13] == 1
  - buffer overflows

fifo\_size == 4'b1111 && next\_fifo\_size == 4'b0000

- logical assumption
  - ~ sig\_A => sig\_B | sig\_C



- Interface Requirements
  - avoid interoperability problem
  - avoid misunderstanding of spec
  - exchange designers' assumption
- Example:
  - PCI (frame enable control)

last\_frame\_enable && ~last\_frame\_n => frame\_enable

- PCI (CBE interpretation)
  - the master must always assert byte enables on the upper bits of CBE when the master asserts REQ64# and the slave has not responded





- Functional Requirements
  - corner cases in how data is transformed
  - corner cases in how data flows through the design
- Example
  - PCI Express (packet-based interface)
    - retrying a packet when the timer expires before the acknowledgement comes in (PCI-Express)
      - Sequence number is generated correctly
      - Packets come out in the right order with possible retries
      - Data integrity
      - No drop packets
      - No duplicated packets





- System Requirements
  - throughput, error rates, drop rates



- Traditionally this is where simulation is strongest:
- System Requirements
  - complex distributed protocols
  - micro-architecture
- Traditionally verification of this is done on system-level description



## Summary





# **Summary of Complexity**





## **Requirements at the Interface Level**

- Simple Synchronization
  - when should I assert a signal?
- Complex Sequence of Events



- target initiates wait-state during a write-transaction/splitcompletion only at appropriate data phases (PCI-X)
- FRAME is de-asserted at appropriate cycle w.r.t. the IRDY depending on the number of data phases (PCI-X)
- Functional Requirements at Interface Level !
  - data being scrambled correctly by maintaining the correct linear functional shift register values (PCI-Express)
  - sequence number is generated correctly
  - packets come out in the right order with possible retries





## **Pure Formal Verification !**

| simulation  | capacity                              |            |                    |  |
|-------------|---------------------------------------|------------|--------------------|--|
|             | coverage                              | directed t | ests               |  |
|             | coverage                              | constr     | ained random tests |  |
| semi-formal |                                       |            |                    |  |
|             | capacity                              |            |                    |  |
|             | coverage                              |            |                    |  |
|             |                                       |            |                    |  |
| formal      | capacit                               | y (1999?)  |                    |  |
|             | 100% coverage w.r.t. the requirements |            |                    |  |
|             |                                       |            |                    |  |
|             |                                       |            |                    |  |



# **Pure Formal RTL Verification !**



EDP workshop, April 2003 (Norris Ip)



# **Productivity Gain**

For an engineer, capturing requirements is easy; enumerating corner cases is difficult.

- Requirement spec is >10X fewer lines than test benches
- 100% coverage vs. incomplete coverage

#### IUT must de-assert IRDY# the clock after

the completion of last data phase

(PCI 2.2 spec 3.3.3.1)





## **Formal Contract**



% assume b\_req % assume a\_req % prove a\_req % prove b\_req



# Formal IP Sign-off



% assume ip\_req % prove env

Or use "env" as simulator monitor

# Formal Verification in a Design Flow



- Verify on partially completed RTL units
- Exchange assumptions
- Straightforward integration and regression



# **Second Pair of Eyes**



Requirement development in parallel to RTL developments

- Standard Interface : purchased
- Proprietary Interface : internal CAD
- Block-level requirements : architect / verification engineer





### **Robust Unit Tests => Easy Integration**



EDP workshop, April 2003 (Norris Ip)



EDP workshop, April 2003 (Norris Ip)



# **Formal Requirement Verification**

SoC consists of blocks and interfaces

- Formal Interface Verification
  - the blocks understand one another
- Formal Functional Verification
  - the blocks generate the right data





- Embedded Assertions
  - document designer's decision
- Interface Requirements
  - exchange designers' assumption
  - avoid misunderstanding of spec
  - avoid interoperability problem
- Functional Requirements
  - corner cases in how data is transformed
  - corner cases in how data flows through the design
- System Requirements
  - throughput, error rates, drop rates











### Simulation







### **Formal Verification**



EDP workshop, April 2003 (Norris Ip)