A Formal Verification Methodology for Checking Data Integrity

Formal verification techniques have been playing an important role in pre-silicon validation processes. One of the most important points considered in performing formal verification is to define good verification scopes; we should define clearly what to be verified formally upon designs under tests. We considered the following three practical requirements when we defined the scope of formal verification. They are (a) hard to verify (b) small to handle, and (c) easy to understand. Our novel approach is to break down generic properties for system into stereotype properties in block level and to define requirements for Verifiable RTL. Consequently, each designer instead of verification experts can describe properties of the design easily, and formal model checking can be applied systematically and thoroughly to all the leaf modules. During the development of a component chip for server platforms, we focused on RAS (Reliability, Availability, and Serviceability) features and described more than 2000 properties in PSL. As a result of the formal verification, we found several critical logic bugs in a short time with limited resources, and successfully verified all of them. This paper presents a study of the functional verification methodology.

💡 Research Summary

The paper presents a practical methodology for applying formal verification to ensure data integrity in pre‑silicon validation, focusing on how to define verification scopes that are both effective and manageable. The authors argue that a successful formal verification effort must satisfy three pragmatic criteria: (a) the properties should be hard to verify by conventional simulation, (b) the verification problem should be small enough to keep the state space tractable, and (c) the properties should be easy for designers to understand and write. To meet these goals, they introduce a two‑step approach. First, high‑level system properties related to data integrity are decomposed into “stereotype properties” at the block level. This decomposition maps generic requirements—such as “no data corruption during transfer” or “consistent state after reset”—onto concrete, reusable templates that correspond to specific interfaces, clock domains, or control signals. Second, they define a set of “Verifiable RTL” coding guidelines that shape the RTL so that a model‑checking engine can efficiently analyze it. These guidelines include explicit asynchronous reset declarations, clear clock‑domain crossing handling, minimization of complex combinatorial logic, and a disciplined state‑machine encoding style. By enforcing these constraints, the design is kept within a size that formal tools can handle without excessive state‑space explosion.

A key contribution of the methodology is that it empowers ordinary RTL designers, not only verification specialists, to write properties in Property Specification Language (PSL). The authors provide a template‑driven workflow: a property generator creates a skeleton PSL file for each block, and the designer fills in only the module‑specific parameters. This dramatically reduces the learning curve and the effort required to produce a large property set.

The methodology was validated on a real‑world project: a component chip for server platforms with a strong emphasis on RAS (Reliability, Availability, Serviceability) features. Over the course of the development, more than 2,000 PSL properties were authored using the proposed templates. The verification was performed on all leaf modules in a hierarchical fashion, leveraging parallel model‑checking runs to keep total runtime within a few weeks. The formal analysis uncovered several critical logic bugs that would have been extremely difficult to detect with simulation alone, such as subtle concurrency violations, missed register initializations, and illegal state transitions across clock domains. These bugs were fixed early, saving both silicon re‑spins and costly post‑silicon debugging.

The paper discusses the benefits of the approach: (1) systematic scope definition leads to a focused verification effort that catches the most error‑prone aspects of the design; (2) the property‑template mechanism lowers the barrier for designers to contribute to formal verification; (3) the Verifiable RTL guidelines keep the verification problem size manageable, improving tool performance and result confidence. Limitations are also acknowledged. The initial investment to create and maintain the property templates can be non‑trivial, and some high‑level system properties may not map cleanly onto block‑level stereotypes, requiring manual refinement. The authors suggest future work in automatic property extraction, hierarchical model checking, and scaling the methodology to larger SoC‑level designs.

In summary, the study demonstrates that a well‑structured formal verification methodology—grounded in clear scope criteria, block‑level stereotype properties, and disciplined RTL coding—can be integrated into a standard design flow. It enables designers to verify data‑integrity requirements thoroughly, discovers critical bugs early, and does so with limited verification resources, thereby improving overall design quality and time‑to‑market.