Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Pragmatic Formal Verification of Sequential Error Detection and Correction Codes (ECCs) used in Safety-Critical Design

Aman Kumar

TL;DR

This work tackles the challenge of exhaustively verifying sequential ECC cores used in safety-critical designs, where the error space and pipeline latency create prohibitive state-space growth. It presents a pragmatic verification flow that combines memory removal, syndrome-linearity exploitation, a reduced-latency combinational model, and SST-trace–assisted k-induction to achieve unbounded proofs within about a day. Key contributions include helper properties for the syndrome generator, an equivalence-check-based glue model between RTL and a combinational ECC generator, and SST-driven constraints that fix verification bottlenecks, uncovering bugs such as improper one-hot encoding early in sign-off. The approach demonstrates ISO 26262–relevant assurance for ECC cores and suggests avenues to scale to larger widths or leverage graphically distinct formal tools (e.g., CBMC/ESBMC) for faster proofs through word-level reasoning, with RTL–abstract-model equivalence as a future step.

Abstract

Error Detection and Correction Codes (ECCs) are often used in digital designs to protect data integrity. Especially in safety-critical systems such as automotive electronics, ECCs are widely used and the verification of such complex logic becomes more critical considering the ISO 26262 safety standards. Exhaustive verification of ECC using formal methods has been a challenge given the high number of data bits to protect. As an example, for an ECC of 128 data bits with a possibility to detect up to four-bit errors, the combination of bit errors is given by 128C1 + 128C2 + 128C3 + 128C4 = 1.1 * 10^7. This vast analysis space often leads to bounded proof results. Moreover, the complexity and state-space increase further if the ECC has sequential encoding and decoding stages. To overcome such problems and sign-off the design with confidence within reasonable proof time, we present a pragmatic formal verification approach of complex ECC cores with several complexity reduction techniques and know-how that were learnt during the course of verification. We discuss using the linearity of the syndrome generator as a helper assertion, using the abstract model as glue logic to compare the RTL with the sequential version of the circuit, k-induction-based model checking and using mathematical relations captured as properties to simplify the verification in order to get an unbounded proof result within 24 hours of proof runtime.

Pragmatic Formal Verification of Sequential Error Detection and Correction Codes (ECCs) used in Safety-Critical Design

TL;DR

This work tackles the challenge of exhaustively verifying sequential ECC cores used in safety-critical designs, where the error space and pipeline latency create prohibitive state-space growth. It presents a pragmatic verification flow that combines memory removal, syndrome-linearity exploitation, a reduced-latency combinational model, and SST-trace–assisted k-induction to achieve unbounded proofs within about a day. Key contributions include helper properties for the syndrome generator, an equivalence-check-based glue model between RTL and a combinational ECC generator, and SST-driven constraints that fix verification bottlenecks, uncovering bugs such as improper one-hot encoding early in sign-off. The approach demonstrates ISO 26262–relevant assurance for ECC cores and suggests avenues to scale to larger widths or leverage graphically distinct formal tools (e.g., CBMC/ESBMC) for faster proofs through word-level reasoning, with RTL–abstract-model equivalence as a future step.

Abstract

Error Detection and Correction Codes (ECCs) are often used in digital designs to protect data integrity. Especially in safety-critical systems such as automotive electronics, ECCs are widely used and the verification of such complex logic becomes more critical considering the ISO 26262 safety standards. Exhaustive verification of ECC using formal methods has been a challenge given the high number of data bits to protect. As an example, for an ECC of 128 data bits with a possibility to detect up to four-bit errors, the combination of bit errors is given by 128C1 + 128C2 + 128C3 + 128C4 = 1.1 * 10^7. This vast analysis space often leads to bounded proof results. Moreover, the complexity and state-space increase further if the ECC has sequential encoding and decoding stages. To overcome such problems and sign-off the design with confidence within reasonable proof time, we present a pragmatic formal verification approach of complex ECC cores with several complexity reduction techniques and know-how that were learnt during the course of verification. We discuss using the linearity of the syndrome generator as a helper assertion, using the abstract model as glue logic to compare the RTL with the sequential version of the circuit, k-induction-based model checking and using mathematical relations captured as properties to simplify the verification in order to get an unbounded proof result within 24 hours of proof runtime.
Paper Structure (10 sections, 5 equations, 13 figures, 1 table)

This paper contains 10 sections, 5 equations, 13 figures, 1 table.

Table of Contents

  1. Introduction
  2. Background
  3. ECC
  4. Formal Verification
  5. Formal Verification of ECC
  6. Addressing Complexity Step 1: Remove Memory and Model Errors
  7. Addressing Complexity Step 2: The Linearity Approach
  8. Addressing Complexity Step 3: Using Reduced Latency Model
  9. Addressing Complexity Step 4: Use SST Traces to Help with Induction-Based Proof
  10. Conclusion and Future Work

Figures (13)

  • Figure 1: Verification efforts required in overall product development VerStudy
  • Figure 2: ECC design with a memory
  • Figure 3: Formal verifier aman_dvcon_21
  • Figure 4: Verification plan for ECC
  • Figure 5: Remove memory and model errors
  • ...and 8 more figures