Formal verification can be a powerful tool for low-power design optimization, according to a paper authored by Cadence and Freescale and presented at the recent DVCon conference. The paper showed how formal property checking can validate whether retention flip-flops are controllable, and identify those that might need to be replaced with clock-state independent (CSI) flops.
Titled "Optimizing Area and Power Using Formal Methods," the paper was co-authored and presented by Alan Carlin, microcontroller verification engineer at Freescale. The other co-authors were Anuj Singhania of Freescale and Chris Komar of Cadence. The paper describes a flow used at Freescale in connection with the Kinetis K40 microcontroller. This and other archived papers will be available at the DVCon web site April 18.
In his presentation, Carlin noted that when chips power down, the design state should normally be restored as quickly as possible at power-up, so the "design picks up right where it left off." State-retained power gated (SRPG) flip-flops provide an easy way to do that.
Clocking Presents a Problem
While SRPGs provide a good solution for state retention, there's a potential problem to consider: the state of the clock at the point of retention. If there's a clock edge on the flop at the instant of retention, what state will actually be preserved? For this reason, the basic SRPG cell requires that the clock be inactive when changing states. If this cannot be guaranteed, SRPG flops may need to be replaced with CSI flops, which, unfortunately, consume more area and power.
Freescale's goal, therefore, is to identify all uncontrollable SRPG flops in the system-on-chip, and determine whether they need to be replaced with CSI flops. Of course, the goal is to use as few CSI flops as possible. They use Cadence Incisive Formal Verifier (IFV) to run this check. Carlin noted that Freescale engineers use a script that looks at the design and generates assertions for each unique hierarchical clock.
Complex assertions are not needed. Basically, if there's a posedge clock tree, the clock must be low when the retention signal is asserted. If there's a negedge clock tree, the clock must be high when the retention signal is asserted. However, as Carlin noted, it may be necessary to check hundreds of thousands of clocks.
If the formal tool issues a "pass," no CSI flop is needed. If it's a "fail," a CSI flop may be needed. If it's an "explore," some work is required to get a more conclusive result. As described in the paper, cutpoints can prune the cone of influence by creating a virtual primary input to the design at a specific hierarchical location.
The final steps involve placing CSI flops in the netlist, running synthesis, and using a static checker such as Cadence Conformal to ensure that the implementation has CSI flops on all required instances.
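The per-clock check and the pass/fail/explore triage described above, sketched as an added Python example. It is not Freescale's script or output from any Cadence tool; the hierarchical paths, the retention signal name, the SVA property form and the handling of a missing result as inconclusive are all assumptions.

```python
# Added illustration: signal paths, labels and the SVA template are assumptions,
# not Freescale's script or Incisive Formal Verifier output.
from collections import namedtuple

Clock = namedtuple("Clock", "path edge retain")  # edge: "posedge" or "negedge"

# Level the clock must hold (its inactive level) when retention is asserted.
INACTIVE_LEVEL = {"posedge": "1'b0", "negedge": "1'b1"}

def unique_clocks(flops):
    """Collapse (flop, clock path, edge, retention) rows to one entry per clock."""
    seen = {}
    for _flop, path, edge, retain in flops:
        if edge not in INACTIVE_LEVEL:
            raise ValueError(f"unknown clock edge {edge!r} on {path}")
        seen.setdefault((path, edge, retain), Clock(path, edge, retain))
    return list(seen.values())

def assertion_for(clock, index):
    """Emit one SVA property: clock is at its inactive level when retention rises."""
    level = INACTIVE_LEVEL[clock.edge]
    return (f"a_ret_clk_{index}: assert property "
            f"(@(posedge {clock.retain}) {clock.path} == {level});")

def triage(flops, results):
    """Map the formal result for each clock to an action for every flop on it."""
    actions = {"pass": "keep SRPG", "fail": "CSI candidate",
               "explore": "inconclusive: add cutpoint and rerun"}
    out = {}
    for flop, path, edge, retain in flops:
        # A clock with no recorded result is treated as inconclusive, never as a pass.
        status = results.get((path, edge, retain), "explore")
        out[flop] = actions[status]
    return out

# Constructed sample data (hypothetical hierarchy).
FLOPS = [
    ("soc.uart0.tx_q", "soc.cgm.uart_clk", "posedge", "soc.pmc.retain"),
    ("soc.uart0.rx_q", "soc.cgm.uart_clk", "posedge", "soc.pmc.retain"),
    ("soc.rtc.cnt_q", "soc.cgm.rtc_clk_n", "negedge", "soc.pmc.retain"),
    ("soc.adc.st_q", "soc.cgm.adc_clk", "posedge", "soc.pmc.retain"),
]

if __name__ == "__main__":
    for i, clk in enumerate(unique_clocks(FLOPS)):
        print(assertion_for(clk, i))
```

Generating one property per unique clock rather than per flop keeps the assertion count manageable, and mapping an unresolved clock to "inconclusive" avoids leaving an SRPG flop in place on the strength of a result that was never proven.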
A Manageable Effort
While formal tools can hit a memory and capacity bottleneck, Carlin observed that "it is very practical to run thousands of assertions at the SoC level." For the Kinetis K40 microcontroller, he said, engineers ran 3,000 assertions in an 8-hour run time, with only about a dozen "explores." In answer to a question, however, he noted that it's not totally a push-button process, and that some amount of debugging is involved.
"One real benefit of formal analysis," Carlin said, "is that when assertions pass, they really pass. No stone is left unturned. When formal analysis is complete, you're done. When simulation is complete, it just means the regression is finished."
A video interview with Chris Komar of Cadence, co-author of the paper, is available in a Functional Verification blog post by Joe Hupcey III.