Verification is the process used to demonstrate the functional correctness of an integrated circuit design. As design complexity grows at an increasing rate, verifying that a design is error-free becomes more difficult. Today, in a design team properly staffed to address the verification challenge, the number of verification engineers is usually double the number of designers. By the time a design project is finished, verification has usually taken from 60% to 80% of the total development effort for the design. Thus, design verification plays a crucial role in the modern design flow.
Design verification proceeds in two stages. In the first stage, a Boolean network is extracted from the actual design description. In the second stage, the extracted Boolean network is verified against the specification. Traditionally, logic verification is carried out by pattern simulation. However, exhaustively simulating all possible patterns is impractical for designs with large numbers of inputs. Thus, formal logic verification methods are becoming popular. With these formal methods it is possible to guarantee the correctness of a design.
Existing approaches to formally verifying the equivalence of two Boolean networks can be classified into two categories: (1) structural, and (2) functional. The structural methods identify some internal nodes of the two Boolean networks and use them to construct a miter structure. They then examine whether the stuck-at-0 fault at the output of the miter is untestable by Automatic Test Pattern Generation (ATPG) (See: I. Hamzaoglu and J. H. Patel, “New Techniques for Deterministic Test Pattern Generation,” in Proc. of VLSI Test Symposium, pp. 446-452, 1998.). If the fault is untestable, there does not exist a pattern to distinguish the two logic cones and, hence, these internal nodes are equivalent. One internal node can then be replaced by the other and the network is simplified. The capability of this approach relies on the efficiency of ATPG: the approach becomes inefficient if the fault test at the miter output is time-consuming or intractable.
On the other hand, the functional methods use canonic representations to represent the Boolean networks. Two Boolean networks are equivalent if and only if the representations are equal. Reduced Ordered Binary Decision Diagram (ROBDD) is a canonic representation of Boolean networks. Although one can use ROBDD to verify the equivalence of two Boolean networks directly, the ROBDD construction often results in memory explosion problems and is a time-consuming process. Furthermore, the size of ROBDD is sensitive to the variable ordering.
Verifying the equivalence of two Boolean networks is not easy. However, asserting that two Boolean networks are nonequivalent is generally much easier. Signature-based approaches have been proposed to efficiently justify the nonequivalence of two Boolean networks. These approaches apply signature functions to Boolean networks/equations to characterize the circuits' inputs or outputs. For example, the number of minterms in a Boolean network is a basic signature function that characterizes a circuit's outputs. If the signature values of two Boolean networks are different, the two Boolean networks are not equivalent. Otherwise, however, they are only possibly equivalent. The case where two different Boolean networks have the same signature value is known as aliasing. A good signature function should be both descriptive and easy to calculate, but the two objectives are not easy to achieve simultaneously. Various signature functions have been proposed to reduce the aliasing rate. Nevertheless, signature-based approaches still act only as a preprocessor to justify the nonequivalence of two Boolean networks.
The signal probability of a Boolean network has applications in power estimation and testability analysis, but only approximate values are needed for these two applications. When the output probability of a Boolean network is used as a signature function for logic verification (See: V. D. Agrawal and D. Lee, “Characteristic Polynomial Method for Verification and Test of Combinational Circuits,” in Proc. of Int. Conf. on VLSI Design, pp. 341-342, 1996. & J. Jain, J. Bitner, D. S. Fussell, and J. A. Abraham, “Probabilistic Design Verification,” in Proc. of Int. Conf. On Computer-Aided Design, pp. 468-471, 1991.), on the other hand, the exact output probability under the input probability assignments is required. When the output probabilities are not equal under the same set of input probabilities, the two Boolean networks are not equivalent. But the converse is not true. That is, aliasing could occur. Although the aliasing rate of this approach can be reduced with multiple runs of input probability assignments, the equality of two output probabilities still does not guarantee the equivalence of two Boolean networks. Whether aliasing occurs depends on the input probability assignments.
Assume for simplicity that the Boolean network consists only of AND, OR, and NOT gates; complex gates can be decomposed into these gates. An upper case letter denotes a node in the Boolean network and the corresponding lower case letter denotes its 1's probability. The known probability formulae for 2-input AND, OR, and NOT gates with independent inputs are summarized in FIG. 1. The formulae for AND and OR gates with more than 2 inputs can be extended from these 2-input gates.
The probability expression of a Boolean network can be derived from primary inputs to primary outputs by using these probability formulae. However, this expression is correct only if the Boolean network is a tree structure, as shown in FIG. 2, in which case its probability expression can be easily obtained. If the Boolean network contains reconvergent gates, the corresponding probability expression cannot be correctly derived in the same way as for a tree structure network. This is because the input signals of reconvergent gates are correlated rather than independent. Thus, the process of deriving the probability expression has to be modified. The modification is named exponent suppression, which replaces the term $x^m$ with $x$ for every node X in the original probability expression. This is because a node X is fully correlated with itself; the probability $x^m$ has to be modified to $x$. After the exponent suppression, the modified probability expression is correct. For example, as shown in FIG. 3, the probability expression at the output is originally $a \times b + b \times c - a \times b^2 \times c$. After the exponent suppression modification, the probability expression becomes $a \times b + b \times c - a \times b \times c$ ($b^2$ is replaced by $b$). It is proven that the probability expression with the exponent suppression modification is unique for a Boolean network (See: J. Jain, J. Bitner, D. S. Fussell, and J. A. Abraham, “Probabilistic Design Verification,” in Proc. of Int. Conf. On Computer-Aided Design, pp. 468-471, 1991.). Namely, if two Boolean networks (regardless of having reconvergent gates or not) have the same probability expression after the exponent suppression modification, they are equivalent; otherwise, they are nonequivalent. Thus, the probability expression is a canonic representation.
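The derivation above and the aliasing described earlier, as an added example (not code from this document or its cited papers): the probability expression is built gate by gate with the standard independent-input formulae (AND $a \times b$, OR $a + b - a \times b$, NOT $1 - a$) and exponent suppression, then used to compare networks. The FIG. 3 network shape is inferred from the expression quoted in the text, the other networks are constructed, and all function names are hypothetical.

```python
from fractions import Fraction

# Polynomial = {frozenset(variable names): integer coefficient}.
# A monomial is a *set* of variables, so x*x collapses to x on multiplication:
# that is the exponent suppression step (applied at every product, which gives
# the same result as suppressing the final expression).

def var(name):
    return {frozenset([name]): 1}

def add(p, q, sign=1):
    out = dict(p)
    for mono, coeff in q.items():
        out[mono] = out.get(mono, 0) + sign * coeff
    return {m: c for m, c in out.items() if c}

def AND(p, q):                      # a*b, with exponents suppressed
    out = {}
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            out[m1 | m2] = out.get(m1 | m2, 0) + c1 * c2
    return {m: c for m, c in out.items() if c}

def OR(p, q):                       # a + b - a*b
    return add(add(p, q), AND(p, q), -1)

def NOT(p):                         # 1 - a
    return add({frozenset(): 1}, p, -1)

def output_probability(p, probs):
    """Evaluate the expression under one input probability assignment."""
    total = Fraction(0)
    for mono, coeff in p.items():
        term = Fraction(coeff)
        for v in mono:
            term *= probs[v]
        total += term
    return total

a, b, c = var("a"), var("b"), var("c")
fig3 = OR(AND(a, b), AND(b, c))     # assumed FIG. 3 shape: b reconverges
factored = AND(b, OR(a, c))         # constructed equivalent network
f, g = AND(a, b), AND(a, NOT(b))    # constructed nonequivalent pair

half = {"a": Fraction(1, 2), "b": Fraction(1, 2)}    # aliasing assignment
skewed = {"a": Fraction(1, 2), "b": Fraction(1, 3)}  # separating assignment
if __name__ == "__main__":
    print("fig3 == factored:", fig3 == factored)
    print("alias at 1/2:", output_probability(f, half) == output_probability(g, half))
    print("skewed:", output_probability(f, skewed), output_probability(g, skewed))
```

Comparing the dictionaries compares the canonic expressions themselves, so `f == g` is False even though the two networks alias under the all-1/2 assignment.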
Although the probability expression is a canonic representation, deriving it for the logic verification of large circuits is intractable. This is because $O(n \times 2^n)$ operations are required for an n-input Boolean network. Also, the number of product terms in the probability expression is in the worst case. For example, the number of possible product terms in a 3-input Boolean network is $2^3 = 8$ and they are $[1, x_3, x_2, x_2 x_3, x_1, x_1 x_3, x_1 x_2, x_1 x_2 x_3]$.