Design experience and verification methods using the latest Microsemi RTAX FPGAs

# SEFUW Workshop 2014 – Noordwijk

O. Ried, T. Helfers, M. Plintovic – Airbus DS, Germany

17. September 2014



- RTAX Heritage
- Applications
- Challenges
- Solution

of Airbus Defence & Space

This doc

- Formal Verification Method
  - -What is Formal Verification
  - -Example
  - -Experience with Formal Verification



### Heritage

Microsemi RTAX FPGAs are used in almost all flight programs:

- Mass Memories
- PCDUs
- Instrument Control Units

Developments with Microsemi (Actel) FPGAs for about 20years, Usage of RTAX FPGAs for >10 years

Complex Units contain more than 20 RTAX devices

Used RTAX Devices are mainly RTAX2000, recently also RTAX4000

Used Packages are mainly CQ352, but also CG624 and recently the 1272 pin Package



High Pin Count Package CCGA Assembly and Repair Process



#### **Applications**

Functions, among others:

- Mass Memory SDRAM Controller with File Management Support, Input/output rate: (RTAX2000)
- Mass Memory SDRAM/Flash Data Recorder Controller, Input/output rate: (RTAX4000)
- Input/Output Data Formatter (RTAX2000)
- Control Interface FPGAs for providing CAN bus, MilBus, SPI, SpaceWire and customised interfaces (RTAX2000)
- Image Compression (RTAX2000)



Image Compression Module



**Data Formatting Module** 



**Mass Memory Module** 



#### Challenges (1): Speed and timing accuracy

High Speed Serial Link Wizard Link Physical Layer: Clock Frequency higher than 100 MHz





Challenges (2): Functionalities, Complexity, Pin count





# Challenges (Summary)

Device complexity and complexity of required functions increases

Package pin count increases, making assembly more difficult and especially repair hardly possible

High Speed serial links are required in nowadays equipments and need to be implemented using RTAX FPGAs, which is difficult, because

- no internal PLLs available
- device speed decreases with larger device types (e.g. RTAX4000 vs RTAX2000)

Commercial prototypes (AX) not available for RTAX4000 in the same way as for RTAX2000

No reprogrammability -> repair necessary in case of a modification after RTAX soldering

→ Challenge: Verification of FPGA design



### Solutions



"ASIC similar" Development Process



ChipIt Emulation System (Synopsys)



```
Employment of Formal Verification Methods
```



Prototype Adapter Boards with same footprint as RTAX FPGAs





# Formal Verification Methods as a solution to the RTAX design challenges

Referenz: White Paper "Understanding Formal Methods for use in DO-254 Programs" Harry Foster, David Landoll, Michelle Lange, Mentor Graphics Corporation



This document and its content is the property of Airbus Defence & Space

#### Understanding Formal Methods: One Analogy

Υ

5

-1

Problem:  $2X^2 + 8X + 5 = 0$ 

One Solution: Try various solutions for X; Analogy: Simulation based tests

Х

0

1

Test #1 Test #2

Test #3

Alternative Solution: Calculate x; Analogy: Formal, mathematical method

$$x = \frac{-b \pm \sqrt{b^2 - 4ac}}{2a}$$

Result: X has to be somewhere between 0 and 1 and between 3 and 4

2 -3 Test #4 3 -1 Test #5 4 5 Test #6 5 15 . . .

Result: X=0.775 and X=3.225



#### Simulation vs. Formal analysis in the digital domain







#### What is the difference to simulation?

| Issue                        | Simulation                          | Formal                             |
|------------------------------|-------------------------------------|------------------------------------|
| Model (DUT)                  | RTL (e.g. VHDL)                     | RTL (e.g. VHDL)                    |
| Testbench                    | Required                            | None                               |
| Test cases                   | Usually hand created                | Automatic (via assertions)         |
| Types of Circuitry Supported | Just about all                      | Some better than others            |
| Design Le∨el                 | Block or Top Level                  | Block Better                       |
| Exhausti∨e                   | No                                  | Yes                                |
| Linked to Requirements       | Depends on testcases                | Yes, requirements-based assertions |
| Support Assertions           | Yes                                 | Yes, required                      |
| Used for Early Verification  | Prohibiti∨e (infrastructure needed) | Well suited                        |



### What is needed?

Three items required to perform formal verification:

- Formal Engine: This is in fact the tool to run the mathematical analysis. In Airbus DS, Mentor Questa Formal tool suite is used.
- Design Model: This is the VHDL code, which shall be verified. Note that the source code is used as designed for the target hardware, no intermediate model to be generated as it may be required for software code formal verification
- Requirement: The requirement, normally stated in the specification, is to be written in a formal specification language, e.g. Property Specification Language (PSL, IEEE1850) or System Verilog Assertions (SVA, IEEE1800)





# What is the output of the Formal Engine?

There are three different results from Formal Verification

- Proof: A proof provides evidence that exhaustive analysis reveals that a model will always operate according to the requirement (no exceptions).
- Counter Example: The formal engine outputs a counter example if it has found an illegal state in respect to the specified property
- Inconclusive: This situation indicates that given the current conditions, a tool is unable to come up with one of the previous options. The property might need to be adapted or the amount of circuitry to be analysed need to be de-scoped.





This document and its

perty of Airbus Defence & Spac

#### When should it be used?

Three areas of use have been established

- Enhanced verification on block level at an early stage of the design process to deliver robust, pre-verified blocks for system integration and reuse
- Searching for bugs (i.e bug hunting)
- Exhaustively prove that no bug exist (i.e. design assurance)

Formal Verification does generally not take the place of simulation, but should rather be used alongside of it.

| When/Where to Use                                                                | When/Where to Avoid                 |
|----------------------------------------------------------------------------------|-------------------------------------|
| Control or datapath circuitry with high concurrency (and no data transformation) | Datapaths with data transformations |
| Arbiters, On-chip bus bridges                                                    | Floating Point Units                |
| Power management units                                                           | MPEG decoder                        |
| DMA, Interrupt, memory controllers                                               | Convolution unit in DSP             |
| Bus interfaces, Schedulers, Standard<br>Interfaces, Protocol handler             | Graphics shading unit               |





### Formal Verification & Simulation Comparison

Exhaustive verification of an EDAC circuit, capable of correcting one bit Simulation uses brute force method

FV properties are described by one assertion and one assumption:

- -- psl default clock is rising\_edge(clk\_sys);
- -- psl property p\_check\_val is always dataout = prev(datain) abort not reset\_n;
- -- psl assert p\_check\_val;
- -- psl assume always onehot0(err\_inj);





#### **Comparison result**

#### 1000000 100000 10000 1000 **FV** Sim 100 10 1 1 3 9 11 13 15 17 19 21 23 25 27 29 33 35 37 39 41 43 45 47 49 51 53 55 57 59 61 63 65 5 7 31 ECC width

# ECC run time in sec - FV & Sim



### **Other Formal Methods**

- Equivalence checking
- Automatic design checks
  - → Basic design checks e.g.:
    - Latch inferred
      - Register has no reset
    - Illegal index value
    - FSM deadlock
    - ... and many others
- Clock Domain Crossing (CDC) check
  - $\rightarrow$  Several synchronization schemas could be proofen automatically.
  - $\rightarrow$  Unknown synchronization schemas are detected
- → These methods are quick to setup and to execute.
- → Equivalence, Automatic design and CDC checks are now mandatory for all designs.



# Experience with Formal Verification at Airbus DS

#### **Resulting Benefits**

- Formal Verification has been employed on multiple design blocks of two FPGAs
- Both of these FPGA designs were bug free at delivery to the system level integration team

#### Challenges:

- Learning curve for assertion languages and formal methodology.
  - To enable formal verification, designers must write assertions, constraints and cover properties to describe the design intent.
  - The designers also have to become accustomed to using formal verification tools and methodology
- Formal Verification is not the best solution any type of design. It has to be analyzed whether Formal Verification or timing simulation is the best solution for a block.
- Formal Tools are expensive

#### Outlook

- Broader deployment of the formal verification methodology is envisaged.
- Guideline for writing assertions and a pool of standard assertions for common design blocks or interfaces



# Thank You!

