Assertion Based Analog Mixed Signal Verification

Himyanshu Anand
EDA Strategy
John Havlicek, Hillel Miller
Advanced Verification Technologies
Design Technology
Freescale Semiconductor Inc.
August 11, 2008

Contents

Overview
    Abstraction Level
    Model simulation speeds
Assertion Based AMS Verification
    Motivation
    Proposal
    Academic Research and Industry Status
Possible Property Checking Flows
    Layered AMS Assertions
    Timed Operators
    Inequalities
    Interpolation
    Sampled Values
Extension Syntax Details
    Variable Types in A-SVA Properties
    A-SVA Property Syntax

Figure 1 Layers of System Verilog Assertion
Figure 2 Extended analog layer in System Verilog Assertions

Overview

Assertions are widely used in digital verification and are well understood. Analog verification, however, has had little exposure to assertion based verification. To verify analog/mixed signal designs, analog designers and verification engineers primarily use SPICE simulations at the lower level and, for performance reasons, behavioral simulation at the chip level.

The solution most often used today has the analog designer write Verilog-A or Verilog-AMS models and hand them over to the verification engineer, who plugs them into SoC level simulations in mixed-mode simulators. This approach allows the analog designer to work with the circuit model stand-alone and tune it for performance and accuracy. The verification engineer then picks up the model and uses test-benches to verify that the Analog-to-Digital (A2D) and Digital-to-Analog (D2A) interfaces work as expected.

Abstraction Level

A wide range of abstraction levels exists for modeling analog mixed signal designs. The models range from high-level behavioral models for higher simulation speed to low-level SPICE models for better accuracy. Hence different models are used at different stages of the design. The digital verification engineer comes up with high level behavioral models in Verilog or C to aid simulation in purely digital simulators. Sometimes, low-level transistor models are used to replace critical functionality in a high-level model of the design.
This approach has the following pros and cons:

| Cons | Pros |
|------|------|
| Verilog and C models are inaccurate | Greater simulation speeds |
| Corner cases and bugs missed | Higher level of abstraction |
| Incompatible tests for validating high level models against low level models | Ability to run more system level tests |
| A mixture of Verilog behavioral, gate level, transistor level and C models in the same test-bench | Clean separation of analog and digital verification efforts |
| Difficult to model all analog characteristics | Easy integration with existing digital verification setup and use of assertions |

Table: Advantages and disadvantages of a high level description of an analog circuit for Mixed Signal Verification

The high level behavioral models in C or Verilog are well suited to the initial phase of verification, when the transistor level, Verilog-A or Verilog-AMS models are not yet available. During the later stages of the design, as the Verilog-AMS or transistor level models become available, they are used in place of the behavioral models for more accuracy in the mixed signal simulations.

Model simulation speeds

As accuracy increases, simulation speed goes down. Hence, C models are typically the fastest and transistor level models the slowest. However, in some circumstances the interaction of analog-digital interfaces makes Verilog-AMS models the slowest, since every signal change crossing the digital-analog interface needs to be converted to the correct domain values. Keeping the number of places where these conversions are required as small as possible will ensure faster simulation.

Assertion Based AMS Verification

Assertions have not traditionally been used in AMS verification, for a variety of reasons. The prime reason is that most AMS simulations are extremely long and there has not been much research into formalizing properties for real valued signals over dense time.
Another reason is that frequency domain analysis does not lead to properties that can easily be specified as time domain properties. However, the current AMS verification methodology can be made more robust by using assertions not only to verify system level properties on simulation traces but also to provide automated checks against undesirable conditions in analog circuits which are temporal in nature. The current work targets time domain properties in analog mixed signal designs.

Motivation

The motivating factors for assertion based AMS verification are as follows:

1. AMS verification is still manual/semi-automatic
   a. Analog designers run SPICE on the analog portions of the circuit
   b. Digital designers simulate the digital portions of the circuit
   c. Verification engineers have ad-hoc models of analog circuits integrated with digital circuits
2. Numerous levels of abstraction from behavioral to transistor level
   a. Minimal sharing of test-bench checkers/monitors across different abstraction levels
   b. Tests mostly focus on corner cases rather than on system level properties
3. Analog/Digital Interface Issues
   a. There is no clean way to verify the analog-digital boundary issues because of the non-overlapping knowledge sets of analog, digital and verification engineers.
   b. Using assertions will alleviate the above problem by enabling the verification engineer to write analog-mixed signal properties that verify the correct integration of analog-digital blocks.
4. Why Assertions?
   a. No instrumentation of the design is required in order to verify it against the specification, as opposed to the ad-hoc monitors being used today
   b. Reuse of assertions across multiple abstraction levels and projects
   c. Just needs a simulation trace produced by any simulator
   d. Increased confidence in higher level models
   e. Properties are easier to understand for digital/SoC verification engineers
   f. Properties can be added progressively as the design matures
   g. Provide coverage metrics for the design

Proposal

Our proposal for assertion based AMS verification is outlined below.

Develop a language to succinctly describe time domain mixed signal properties:
   a. Gather requirements for properties from companies
   b. Base the language as an extension to SVA
   c. Introduce Analog-Boolean Threshold abstraction to convert real valued signals to boolean valued signals
   d. Use the abstracted boolean valued signals in SVA to write safety properties
   e. Extend SVA by adding linear temporal logic operators with time domain ranges

The methodology presented above will invariably involve close interaction of both analog and verification engineers.

Academic Research and Industry Status

Recently, there has been renewed interest in assertion based verification.

• Verimag (Oded Maler, Dejan Nickovic, Amir Pnueli) has extended PSL and used property verification on mixed signal designs at ST and Rambus
• IIT Kharagpur (Pallab Dasgupta and team) has extended SVA, generated monitors, checkers and SVA properties, and used them to verify circuits at National Semiconductors
• University of Utah (Chris Myers, Scott Little) researchers are working on a tool to extract formal models of AMS designs by analyzing SPICE simulations
• University of Concordia (Sofiene Tahar, Mohammed Zaki), Canada researchers are working to apply model checking techniques to Matlab models of AMS designs
• Freescale has used SVA to verify behavioral models of analog designs

Possible Property Checking Flows

Assertion based AMS verification can be either:
   a. Online (assertions are checked at run-time, while the simulation is running), or
   b. Offline (assertions are checked on the simulation results).
Given that online assertion checks will involve close interaction among various simulators and require a standard assertion language understood by mixed signal simulators, the best approach for the time being seems to be offline assertion checks on simulation traces. The advantages of offline assertions also include the ability to use any simulator, and any modeling language for analog and digital blocks, at an abstract high level as well as at SPICE level. The flow will have to convert the different simulator outputs to a common standard output.

However, for the maximum return on investment, online checks are required. Online checks will:

1. Enable the user to abort the simulation early if a violation is detected.
2. Make it possible to have a feedback loop from the checker back to the model if so desired.
3. Provide a one-stop solution for assertion needs, as the assertions are checked by the simulator itself.

Layered AMS Assertions

System Verilog Assertions are layered and can be viewed as being composed of the following layers sitting on top of each other.

1. Boolean Layer: Atomic Boolean expressions which evaluate to true/false. These are at the leaf level of System Verilog Assertions (SVA). For example: a && b.
2. Temporal Layer: Boolean expressions are combined to form complex sequences that define behavior over time. Sequences are regular expressions composed of Boolean expressions. For example: (a && b) ##1 (c && d).
3. Property Layer: Properties are composed of sequences and/or Boolean expressions and are at the top of the SVA layers.

    Property Layer
    Temporal Layer
    Boolean Layer

Figure 1 Layers of System Verilog Assertion

We propose to introduce another layer below the Boolean layer in SVA which will abstract the real values of analog signals and convert them into Boolean values. We call the new layer the Analog Layer.
    Property Layer
    Temporal Layer
    Boolean Layer
    Analog Layer

Figure 2 Extended analog layer in System Verilog Assertions

The abstraction of analog signals/expressions to Boolean values can be achieved in the following ways:

1. Threshold Abstraction: Real valued analog signals are compared against fixed thresholds as linear inequalities, and the results of the inequalities are stored as the abstracted Boolean values. For example: f <= 2.5, where f is a real valued signal. The other inequality operators will be <, >, >=.
2. Generalized Function Abstraction: We could allow the user to write a complex mathematical function with real parameters which produces a Boolean output. For example: sin (a) >= 0.56, (a * 0.245 + 1.4 * b) > 0.76.
3. Abstraction with Error Margin: This will allow the user to specify the error margin in the values to be extracted. It can be constructed out of the Threshold Abstraction as a derived abstraction. For example: (a >= 2.5 && a <= 2.5025). This ranged abstraction can be viewed as an abstraction of (a >= 2.5) with 0.1% upper relaxation. We could similarly have a lower relaxation as well as a total relaxation.

The abstracted values of the analog signals/functions will then be used in the Boolean layer of the SVA property to form Analog Threshold SVA properties.

Timed Operators

A linear temporal logic operator like "Next Time" loses its meaning in dense time logic because there is no central clock (refer to the STL/PSL work by Oded Maler et al.). Thus, we need to extend the SVA temporal operators to allow a more natural specification of timed properties in the absence of the "Next Time" operator. There needs to be more discussion before the exact nature of these extensions can be finalized.
Inequalities

Basic linear inequalities should be supported in the analog layer and consist of the following analog expressions, where Inequality is an element of the set of operators {<, <=, >, >=}:

• Analog Value
• Analog Value Inequality Analog Value

where Analog Value is one of:

1. Analog Variable
2. Number Constant
3. Analog Value Operator Analog Value

and Operator is from the set {+, -, *, /}.

The above restriction on the type of expressions is to ensure fast determination of the interpolated values of the analog signals at the crossing point where the analog expression changes its Boolean value. Other generalized real functions will be added as required. If no interpolation is used, then the tool should support polynomial inequalities too.

Interpolation

Analog signals are continuous and not discrete like Boolean signals. However, since the analog signals in the simulation output are sampled values of the signals in simulation, analog signal values are not continuous in the simulation output. This sampled nature of the analog signals leads to inaccurate evaluation of the analog threshold inequalities, as illustrated by the example below.

• Example:
   o Let analog signal A = 1.5 at time t = 0, and A = 3.5 at time t = 10.
   o Let analog threshold inequality 'IA' be A <= 2.5
   o At t = 0, IA = 1 since A <= 2.5
   o At t = 10, IA = 0 since A > 2.5
   o Let clk be a high frequency clock with the following (time, value) pairs: clk = (0,0) (2,1) (4,0) (6,1) …
   o Let B have the following sampled (time, value) pairs: B = (0, 1) (7, 0), i.e. B changes value at t = 7 from 1 to 0
   o Let property p = always @(clk) B implies (A <= 2.5)
   o If no interpolation is used, then property p is satisfied on the above trace, since A's sampled value changes to 3.5 only at time t = 10, at which point B = 0
   o If linear interpolation is used, then A = 2.5 at t = 5 with a slope of 0.2/time unit, and the property fails at t = 6 when evaluated at the clock edge, since B = 1 and IA (A <= 2.5) is false

In the above example the property gives an incorrect result when no interpolation is used because we did not know when IA switched from 1 to 0, as the signal A was not sampled at the crossing point of the inequality. This inaccuracy in the evaluation of the expression led to incorrect property evaluation. Thus, analog signals have to be interpolated when:

• The inequality involving the analog signal changes value between two sampled values of the signal [Note: This still leaves the possibility that, even though the inequality did not change value at the two sampled values, the real continuous signal did change value in between the two and those values were simply not sampled]
• The property uses a local variable or timed operator such that the property duration ends before the next sampled value of the analog signal

Using interpolated values for the analog signals under the above conditions should ensure that the property evaluation is clock accurate. However, there might still be the possibility of incorrect evaluation if the signals switch simultaneously.

Sampled Values

The sampled values of the analog signals used in the properties need to be stable. The values can be sampled at the following two places:

1. Previous Value: The previous computed stable value.
   a. The value is already committed and cannot be changed in the current evaluation iteration. However, the downside is that the properties will always lag the evaluated values.
2. Current Value: The current computed stable value in the current iteration.
   a. Depending upon when the value is sampled in the current evaluation iteration, the value might be changed before it is committed. However, if the value is sampled in the post-commit region, then the value is already committed and cannot be changed.

Using the current value might be more intuitive and easier to comprehend than using the previous value.

Extension Syntax Details

We will keep updating this section as more details are finalized.

Variable Types in A-SVA Properties

Variables used in the Analog-SVA properties can be of the types given in the table below. The information presented below has been taken from the IEEE P1800/D4 (October 2, 2007) System Verilog specification.

| Type | Size in bits | No of states/Other Comments | Default Sign |
|------|--------------|-----------------------------|--------------|
| Short int | 16 | 2 | Signed |
| Int | 32 | 2 | Signed |
| Integer | 32 | 4 | Signed |
| Long int | 64 | 2 | Signed |
| Byte | 8 | 2 | Signed |
| Bit | User defined | 2 | Unsigned |
| Logic | User defined | 4 | Unsigned |
| Reg | User defined | 4 | Unsigned |
| Time | 64 | 4 (64-bit unsigned integer) | Unsigned |
| Short real | 32 | Same as 'c' float | |
| Real | 64 | Same as 'c' double | |
| Real Time | 64 | Same as Real | |

• Follow IEEE Std. 754-1985 for real number specification
• Net types default to 'logic' if no data type is specified in the net declaration
• Time can be integer or real and is scaled to the current time unit and rounded to the current time precision
• Conversion:
   o Real numbers shall be converted to integers by rounding the real number to the nearest integer. If the fractional part is 0.5 it will be rounded away from zero
   o Individual bits that are 'x' or 'z' in the net or the variable shall be treated as zero upon conversion
   o Explicit conversion can be done using casting. See the IEEE P1800/D4 specification of System Verilog for more details

The variables used in the A-SVA properties shall be declared in the same way as other System Verilog variables are declared. A-SVA properties will allow only the variable types listed above.
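The trace from the Interpolation section can be replayed with a small offline checker that evaluates the property once without interpolation and once with linear interpolation. This is an added example, not code from the original paper; the function names and the extension of clk up to t = 10 are assumptions.

```python
from bisect import bisect_right

# Constructed trace taken from the Interpolation example: (time, value) samples.
A_SAMPLES = [(0.0, 1.5), (10.0, 3.5)]
B_SAMPLES = [(0.0, 1), (7.0, 0)]
# clk changes every 2 time units; the paper lists samples up to t=6,
# extended here to t=10 on the same pattern (assumption).
CLK_EVENTS = [0.0, 2.0, 4.0, 6.0, 8.0, 10.0]

def _index(samples, t):
    """Index of the last sample taken at or before time t."""
    i = bisect_right([ts for ts, _ in samples], t) - 1
    if i < 0:
        raise ValueError(f"no sample at or before t={t}")
    return i

def hold(samples, t):
    """No interpolation: the signal keeps its last sampled value."""
    return samples[_index(samples, t)][1]

def lerp(samples, t):
    """Linear interpolation between the two samples that bracket t."""
    i = _index(samples, t)
    if i == len(samples) - 1:
        return samples[i][1]
    (t0, v0), (t1, v1) = samples[i], samples[i + 1]
    return v0 + (v1 - v0) * (t - t0) / (t1 - t0)

def crossing_time(samples, threshold):
    """Time at which the interpolated signal first crosses the threshold, else None."""
    for (t0, v0), (t1, v1) in zip(samples, samples[1:]):
        if (v0 - threshold) * (v1 - threshold) < 0:
            return t0 + (threshold - v0) * (t1 - t0) / (v1 - v0)
    return None

def failures(read_a, threshold=2.5):
    """Times at which 'always @(clk) B implies (A <= threshold)' is violated."""
    bad = []
    for t in CLK_EVENTS:
        b = hold(B_SAMPLES, t)                   # digital signal: last value holds
        ia = read_a(A_SAMPLES, t) <= threshold   # Analog-Boolean threshold abstraction
        if b and not ia:
            bad.append(t)
    return bad

if __name__ == "__main__":
    print("no interpolation:    ", failures(hold))
    print("linear interpolation:", failures(lerp),
          "crossing at t =", crossing_time(A_SAMPLES, 2.5))
```

Passing `hold` reproduces the false pass described in the example, while `lerp` reports the violation at the clock edge after the crossing point.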
A-SVA Property Syntax

The following rules will be followed, in decreasing order of priority, for sub-expressions/expressions in the analog extension of SVA:

• The following data-type precedence will be followed when evaluating property expressions, where real has the highest precedence and byte has the lowest.
   a. Real > short-real > long int > integer > int > short int > byte
   b. User-defined bit, reg and logic vectors are converted into the appropriate integer as defined in the System Verilog standard
   c. NOTE: There might be a loss in precision when converting integers or long int to real
• The inequality operators (<, <=, >, >=) will always evaluate to a scalar single bit result
• The type of an expression evaluation will always be the type of its sub-expression with the highest type precedence
   a. If an expression contains a real variable/constant, the resulting expression will be of type real
   b. If an expression contains a short-real variable, then the resulting expression will be of type short-real
   c. If an expression contains an integer, then the resulting expression will be an integer

The introduction of real variables in the A-SVA properties does not lead to a change in the variable declaration grammar, which remains the same as in System Verilog. The grammar for the A-SVA extension affects the Boolean layer, as it introduces another layer: the Analog threshold Boolean abstraction. The other layers of SVA are not touched in Phase 1. The extension grammar is given below.

    Boolean_Abstraction:
        | Analog_Expr LEQ Analog_Expr
        | Analog_Expr LE Analog_Expr
        | Analog_Expr GEQ Analog_Expr
        | Analog_Expr GE Analog_Expr

    Analog_Expr:
        | ID
        | Constant
        | OPEN_PAREN Analog_Expr CLOSE_PAREN
        | Analog_Expr PLUS Analog_Expr
        | Analog_Expr MINUS Analog_Expr
        | Analog_Expr MULT Analog_Expr
        | Analog_Expr DIV Analog_Expr

The type of Boolean_Abstraction will always be 'single bit'. ID can be of any type described in the previous section.

Constant numbers can be specified as integer constants or real constants. Constants will default to signed or unsigned as defined in the table above and will be consistent with the System Verilog standard. For the full grammar of the constants, please refer to the section of the System Verilog standard specification describing numbers.
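One way to evaluate the Boolean_Abstraction grammar above against a set of signal values, as an added example that is not part of the A-SVA proposal. It assumes LE and GE denote < and >, gives MULT and DIV the conventional higher precedence (the grammar as written does not fix one), and truncates integer division toward zero as System Verilog does; all function names are hypothetical.

```python
import re

# Added illustration of the extension grammar; LE and GE are read as < and > (assumption).
TOKEN = re.compile(r"\s*(?:(\d+\.\d+|\d+)|([A-Za-z_]\w*)|(<=|>=|[<>()+\-*/]))")
COMPARE = {"<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
           ">=": lambda a, b: a >= b, ">": lambda a, b: a > b}

def tokenize(text):
    text, pos, out = text.rstrip(), 0, []
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise SyntaxError(f"unexpected input at offset {pos}")
        num, ident, op = m.groups()
        if num is not None:   # a decimal point makes the constant real
            out.append(("Constant", float(num) if "." in num else int(num)))
        else:
            out.append(("ID", ident) if ident is not None else (op, op))
        pos = m.end()
    return out + [("END", None)]

def divide(a, b):
    if isinstance(a, int) and isinstance(b, int):   # integer DIV truncates toward zero
        q = abs(a) // abs(b)
        return q if (a < 0) == (b < 0) else -q
    return a / b   # a real operand makes the result real

def atom(toks, signals):   # ID | Constant | OPEN_PAREN Analog_Expr CLOSE_PAREN
    kind, val = toks.pop(0)
    if kind == "Constant":
        return val
    if kind == "ID":
        return signals[val]
    if kind == "(":
        v = expr(toks, signals)
        if toks.pop(0)[0] != ")":
            raise SyntaxError("missing closing parenthesis")
        return v
    raise SyntaxError(f"unexpected token {kind!r}")

def term(toks, signals):   # MULT / DIV bind tighter than PLUS / MINUS (assumed)
    v = atom(toks, signals)
    while toks[0][0] in ("*", "/"):
        op, rhs = toks.pop(0)[0], atom(toks, signals)
        v = v * rhs if op == "*" else divide(v, rhs)
    return v

def expr(toks, signals):   # PLUS / MINUS, left associative
    v = term(toks, signals)
    while toks[0][0] in ("+", "-"):
        op, rhs = toks.pop(0)[0], term(toks, signals)
        v = v + rhs if op == "+" else v - rhs
    return v

def evaluate(text, signals):   # Boolean_Abstraction: Analog_Expr INEQ Analog_Expr
    toks = tokenize(text)
    left, op = expr(toks, signals), toks.pop(0)[0]
    if op not in COMPARE:
        raise SyntaxError("expected one of <=, <, >=, >")
    right = expr(toks, signals)
    if toks[0][0] != "END":
        raise SyntaxError("trailing input after inequality")
    return int(COMPARE[op](left, right))   # always a single bit
```

With an integer signal, `evaluate("a / 2 >= 3.5", {"a": 7})` yields 0 because the left side stays an integer, while the same expression with `a = 7.0` is promoted to real and yields 1, which is the type-precedence rule stated above.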