Power aware verification of ARM-based designs - Embedded.com

Power aware verification of ARM-based designs


Power dissipation has become a key constraint for the design of today’s complex chips. Minimizing power dissipation is essential for battery-powered portable devices, as well as for reducing cooling requirements for non-portable systems. Such minimization requires active power management built into a device.

This article is from class ATC-155 at ARM Technology Conference. Click here for more information about the conference.

In a System-on-Chip (SoC) design with active power management, various subsystems can be independently powered up or down, and/or powered at different voltage levels. It is important to verify that the SoC works correctly under active power management.

When a given subsystem is turned off, its state will be lost, unless some or all of the state is explicitly retained during power down. When that subsystem is powered up again, it must either be reset, or it must restore its previous state from the retained state, or some combination thereof. When a subsystem is powered down, it must not interfere with the normal operation of the rest of the SoC.

Power aware verification is essential to verify the operation of a design under active power management, including the power management architecture, state retention and restoration of subsystems when powered down, and the interaction of subsystems in various power states. In this presentation, we summarize the challenges of power aware verification and describe the use of IEEE 1801-2009 Unified Power Format (UPF) to define power management architecture. We outline the requirements and essential coverage goals for verifying a power-managed ARM-based SoC design.

Critical design constraints
The continual scaling of transistors and the end of voltage scaling has made power one of the critical design constraints in the design flow. Trying to maintain performance levels and achieve faster speeds by scaling supply and threshold voltages increases the subthreshold leakage current due to exponential relationships with threshold voltage [1]. 

Leakage currents lead to power dissipation even when the circuit is not doing any useful work, which limits operation time between charges for battery-operated devices, and creates a heat dissipation problem for all devices.

Minimizing power dissipation starts with minimizing the dynamic power dissipation associated with the clock tree, by turning off the clock for subsystems that are not in use. This technique has been in use for many years. But at 90nm and below, static leakage becomes the dominant form of power dissipation. Active power management minimizes static leakage through various techniques, such as shutting off the power to unused subsystems or varying the supply voltage or threshhold voltage for a given component to achieve the functionality and performance required with minimum power.

Active power management
Active power management can be thought of as having three major aspects:

the power management architecture , which involves the partitioning of the system into separately controlled power domains, and the logic required to power those domains; mediate their interactions, and control their behavior;

the power managed behavior of the design , which involves the dynamic operation of power domains as they are powered up and down under active power management, as well as the dynamic interactions of those power domains to achieve system functionality;

-the power control logic that ultimately drives the control inputs to the power management architecture, which may be implemented in hardware or software or a combination thereof.

All three of these aspects need to be verified to ensure that the design will work properly under active power management. Ideally such verification should be done at the RTL stage. This enables verification of the active power management capability much more efficiently than would be possible at the gate level, which in turn allows more time for consideration of alternative power management architectures and simplifies debugging.

Power management techniques
Several power management techniques are used to minimize power dissipation: clock gating, power gating, voltage scaling, and body biasing are four of them. Clock gating disables the clock of an unused device, to eliminate dynamic power consumption by the clock tree. Power gating uses a current switch to cut off a circuit from its power supply rails during standby mode, to eliminate static leakage when the circuit is not in use.

Voltage scaling changes the voltage and clock frequency to match the performance required for a given operation so as to minimize leakage. Body biasing changes the threshhold voltage to reduce leakage current at the expense of slower switching times.

Power gating is one of the most common active power management techniques. Switching off the power to a subsystem when it is not in use eliminates the leakage current in that subsystem when it is powered down, and hence the overall leakage power dissipation through that subsystem is reduced. However, this technique also results in loss of state in the subsystem when it is switched off. Also, the outputs of a power domain can float to unpredictable values when they are powered down.

Another common technique is the use of different supply voltage levels for different subsystems. A subsystem that has a higher voltage supply can change state more quickly and therefore operate with higher performance, at the expense of higher static leakage and dynamic power.

A subsystem with a lower voltage supply cannot change state as quickly, and consequently operates with lower performance, but also with less static leakage and dynamic power. This technique allows designers to minimize static leakage in areas where higher performance is not required.

Multiple voltage supplies can also be used for a single subsystem, for example, by enabling it to dynamically switch between a higher voltage supply and a lower voltage supply.

This allows the system to select higher performance for that subsystem when necessary, but minimize static leakage when high performance is not required. Multi-voltage and power gating techniques can be combined to give a range of power/performance options.

All of these power management techniques must be implemented in a manner that preserves the intended functionality of the design. This requires creation of power management logic to ensure that the design operates correctly as the power supplies to its various components are switched on and off or switched between voltage levels. Since this power management logic could potentially affect the functionality of the design, it is important to verify the power management logic early in the design cycle, to avoid costly respins.

Power management specification
The power management architecture for a given design could be defined as part of the design, and ultimately it will be a part of the design’s implementation. A better approach, however, is to specify the power management architecture separate from the design. This simplifies exploration of alternative power management architectures, reduces the likelihood of unintended changes to the golden design functionality, and maintains the reusability of the design data.

This is the approach supported by IEEE 1801-2009, “Standard for Design and Verification of Low Power Integrated Circuits.” This standard is also known as the Unified Power Format (UPF) version 2.0. Initially developed by Accellera, UPF is currently supported by multiple vendors and is in use worldwide [5].

UPF provides the concepts and notation required to define the power management architecture for a design. A UPF specification can be used to drive the implementation of power management for a given design, during synthesis or subsequent implementation steps.

A UPF specification can also be used to drive verification of power management, during RTL simulation, gate-level simulation, or even via static verification methods. The ability to use UPF in conjunction with RTL simulation enables early verification of the power management architecture. The ability to use UPF across all of these applications eases implementation and validation by enabling reuse of power management specifications throughout the flow.

UPF syntax is defined as an extension of Tcl [6], which enables UPF descriptions to leverage all of the control features of Tcl. UPF captures the power management architecture in a portable form for use in simulation, synthesis, and routing, reducing potential omissions during translation of that intent from tool to tool. Because it is separate from the HDL description and can be read by all of the tools in the flow, the UPF side file is as portable and interoperable as the logic design’s HDL code.

The concepts introduced in the following pages of this article are illustrated with the UPF commands used to specify them.

In order to employ active power management techniques such as power gating and multiple voltage supplies, the design must be partitioned into separate functional areas that can be independently powered. Additional logic must be inserted into the design to perform special functions such as power switching, state retention, isolation, and level shifting. These additional components constitute the power management architecture for a given system.

Operating modes. Designing the power management architecture for a given system starts with characterization of the functions and operating modes of the system. Since the goal of active power management is to optimize the use of power based on the function and performance required of the system at any given time, the first step involves identifying the distinct combinations of functionality and performance that will be required of the device in use.

Analysis of the set of distinct operating modes allows the designer to determine how to partition the design into independently powered subsystems or subcomponents, so that any given operating mode can be supported by providing the necessary subset of system components with the appropriate power.

For example, the design in Figure 1 below has two operating modes: ON, and SLEEP. In the ON mode, it reads input data streams, interleaves them, and stores them in the memory before driving them onto outputs. In the SLEEP mode, it monitors inputs and maintains the state of its memory, but it does not process inputs.

 Figure 1. A power-managed design.

Power domains . Each independently powered subsystem or subcomponent is called a power domain. At the RTL stage, a power domain is typically somewhat abstract, consisting of some or all of the RTL logic within a given portion of the design hierarchy.

At the logical netlist stage, a power domain consists of a collection of cells that will share the same primary power and ground supplies. At the physical level, the cells associated with a given power domain may be placed in a contiguous region of a chip or distributed over multiple discontiguous regions of the chip.

The design in Figure 1 has several major components. These include the interleaver block, the memory controller block, and the memory itself. Each of these can be defined as a separate power domain. The top-level of the design is also a separate power domain. The dotted lines in Figure 1 indicate power domain boundaries. The following UPF commands in Listing 1 below would be used to define these power domains:


Listing 1

The –elements option on each command lists the instance names of the elements to be included in the specified power domain.

Power distribution. Each power domain may have one or more power supplies. The primary supply provides power for most of the functional elements in that domain. Additional supplies may provide power for retention, isolation, or level shifting cells associated with the power domain.

The primary supply may be a switched supply, which can be turned on and off via a control input to the switch. Either the VDD or VSS supply may be switched. A supply may be driven by multiple switches connected to the same voltage source.

The switches are turned on incrementally, to minimize rush currents when the supply is switched on. A supply may also be driven by multiple switches connected to different voltage sources, so that the supply voltage level delivered to elements of the power domain may be varied. Switches may be on-chip or off-chip.

Power is distributed to power domains via supply ports interconnected by supply nets. Supply ports may represent external supplies or may be driven by internal supply sources. Supply ports are connected to supply nets, each of which is ultimately connected to a power domain. Each supply port has one or more supply states defined. The port may drive only one state at any given time. That state is propagated by the supply net connected to the port.

For the example in Figure 1, the following UPF commands could be used to define top-level supply ports, and to define and connect supply nets to those ports as shown in Listing 2 below:


Listing 2

The following UPF command in Listing 3 below would be used to identify a particular pair of supply nets as the primary power and ground supplies for a given power domain:


Listing 3

Additional UPF commands could be used to propagate the top-level supply nets into subordinate power domains and to define a power switch to create a switched ground (VSS_SW) for one of the power domains as shown in Listing 4 below :


Listing 4

Power distribution logic may also include on-chip analog components such as regulators and sensors. A regulator takes an input supply voltage and generates a specific output voltage. A sensor monitors a supply rail and signals when the voltage has stabilized at its nominal value with respect to ground.

Sensors enable construction of a feedback loop so that power control logic can determine when a power rail has completed transitioning. Analog components such as these are not specifiable in UPF, but can be modeled in HDL code using UPF package functions to model the ramp-up and ramp-down of power supplies as they switch on and off.

Power states. UPF provides commands for defining a power state table that captures the possible power states of the system. The power state table defines system power states in terms of the states of supply ports or nets.

For the example in Figure 1, the following UPF commands in Listing 5 below define the possible states of the supply ports VDD_0d81, VDD_0d99, and VSS, as well as the switched ground supply VSS_SW:


Listing 5

The power states of the system in Figure 1 are defined in the above power state table. Note that these power states are the same as the operating modes of the system, plus the state in which the system is completely turned off.

Even though each power domain may be independently powered on and off, their logical and physical connections to other power domains remain; therefore, when one domain is turned off, it is still connected logically and electrically to other domains.

These connections between power domains require special cells to mediate the interaction between domains as their respective power states change. Two kinds of cells are involved: isolation cells, and level shifting cells.

Isolation cells ensure that signals coming from unpowered domains are clamped to a well-defined logic value while the source domain is powered down, so that any sink domain that is powered up sees reliable inputs.

Depending upon the architecture of the design, and the particular characteristics of a signal that crosses from one power domain to another (e.g., how many power domains it fans out to, and when those power domains are on or off with respect to the source domain), it may be appropriate to insert isolation cells at either the source of the signal or at its sink(s). However, since the isolation cell must be powered on when the source domain is powered off, isolation cells are typically powered by a separate, “always-on” supply voltage.

The following UPF commands in Listing 6 below specify the addition of isolation for the PD_mem_ctrl power domain in the example in Figure 1. The first command defines the supplies powering the isolation cell and specifies its clamp value. The second command defines the control signal for the isolation cell.


Listing 6

Level shifting cells ensure that a signal coming from a power domain operating at one voltage is correctly interpreted when it is received by a power domain operating at a different voltage. Depending upon the relative voltage levels of the two power domains, a level shifter may increase or decrease the operating voltage of the signal.

As with isolation cells, level shifters may have separate power supplies that are always on, or they may be powered by the primary supplies of the source and sink domains, respectively, as shown in Listing 7 below .


Listing 7

The UPF commands above specify addition of level shifters for the PD_interleaver power domain in the example in Figure 1. The first command specifies addition of level shifters for inputs; the second command specifies addition of level shifters for outputs. Whether level shifters will actually be inserted depends upon the respective supply voltages of the source and sink domains involved.

State Retention. When a power domain is powered down, any normal state elements within the power domain will lose their state. When the power domain is powered on again, the power domain must be brought to a predictable state again.

This may involve resetting all state elements in the domain, or resetting some subset that will be sufficient to cause the rest of the domain to reach a well-defined state after a few clock cycles. Another alternative is to save the state of certain state elements before the domain is powered down, and restore those statements to their saved state after the power domain is powered up again.

Retention cells are special memory elements that preserve their data during power down. Such cells involve extra logic and possibly complex timing to save and restore their values across powered-down periods [2]. Various kinds of retention cells have been designed [2],[3],[4].

Some of these use balloon latch mechanisms [2], which are made up of high threshold transistors to minimize leakage through them. They are separated from the critical path of the design by transmission gates and thus are not required to be timing critical. Others depend on complex sequences of different controls to achieve data retention.

The following UPF command in Listing 8 below specifies where retention should occur in the example in Figure 1.


Listing 8

This command identifies the power domain (PD_mem_ctrl) within which retention registers should be used, specifies the power supply used to maintain retained values, and specifies the control signals required for saving and restoring the values of retention registers.

Power managed behavior
With the power management architecture implemented on top of the design, it should be possible to repeatedly power up each power domain and later power it down again. Each time a domain is powered up, it should reach a well-defined state from which to continue its operations. That state may be the initial reset state, or a state saved before the power domain was last powered down, or a combination of the two.

While a power domain is powered down, its elements cannot drive their outputs to well-defined logic values. As a result, those outputs may float to 1 or float to 0, or may be at an intermediate value. In this situation, those outputs are considered corrupted. This is not a problem as long as no other active power domain sinks those corrupted values; otherwise logical and/or electrical problems could result.

During the power down process, it is essential for the isolation cells in the design to be enabled before the domain’s primary supply is shut off, for those isolation cells to clamp signals from the powered-down domain to appropriate values, and for the isolation cells to remain enabled until the shut-off domain’s primary supply is turned on again.

Similarly, when two interconnected power domains have been put into respective power states that involve different supply voltages, the level shifters in the design must convert logic 1 signal voltage levels in the source domain to logic 1 signal voltage levels in the sink domain.

Although level shifters function continuously and therefore do not need to be enabled, dynamic changes in the supply voltages for the respective power domains may result in unexpected situations.

Power management may involve both software and hardware control. For example, a power control unit (PCU) can be specified in RTL internal to the SoC. The PCU may be under software control by an embedded processor.

The combination of these power management controls drive the signals that define the PCN, based on the system’s power management strategy—signaling power domains to retain state, enable isolation, power down (turn off switches), power up (turn on switches), disable isolation, and restore state.

Correct operation of the power management architecture depends upon correct sequencing of power control signals. For example, outputs of a domain must be isolated before the power is shut off, and must remain isolated until after power is turned on again.

Thus the control signal initiating isolation must come before the control signal that turns off the power switch. Similarly, the control signal that turns on the power switch must occur before the control signal that terminates isolation.

In fact, turning power on and off may involve handshaking between the PCU and the supply source (or a sensor monitoring the supply) to ensure that voltage-dependent delays in ramping up or down the power supply are factored into control signal sequencing.

Power aware verification flow
Verifying RTL-level specification of active power management for a given design involves several steps. First, we need to verify that the power management architecture is correctly structured, given the operating modes of the device and the power states that have been defined to reflect those modes.

Second, we need to verify that the design (both each power domain individually and all of them collectively) behave correctly when power management control signals are given in the correct sequence. Third, we need to verify that the power control logic will always generate power control signals in the correct sequence.

Figure 2 below shows the high-level design of an ARM-based SoC with active power management. The above verification steps as applied to this example are described below.


Figure 2. An ARM-based SoC with active power management .

This design consists of multiple functional units communicating over the AXI bus. Each functional unit may be defined as a separate power domain, or even as a collection of power domains.

A UPF file for this design would specify the power management architecture for the whole system, including the specific requirements for power distribution, switching, and state retention for each power domain, and the requirements for isolation and level shifting between interacting power domains.

The Power Control Unit (PCU) is a hardware implementation of power control logic that drives power control signals for each domain in the correct order. The Cortex R4 CPU is an embedded ARM processor that drives system-level power state changes by sending transactions to the PCU.

Verifying the power management architecture
Verifying the sufficiency of the power management architecture can be done in part through static analysis. Given a complete definition of the power domains and power states for a given design, it is relatively straightforward to verify that the necessary isolation cells and level shifters are present (or implied by a UPF specification) to ensure that the power domains will interact correctly and will not be adversely affected when their neighboring power domains are powered down.

Static analysis can also ensure that the necessary supply structures are present to provide the ability to control power to each power domain. However, static analysis is not always possible.

Depending upon the sequencing of power state changes, and the ramping of power supplies as they transition, there may be a requirement for level shifters that is not obvious from the power state table. Also, the power state table may not be complete, and power states that are not defined might actually occur during operation of the device.

Finally, external supply sources may be switched or may vary in voltage beyond what is defined in the power state table. For these and other reasons, simulation is often required. In this case, power aware simulation is necessary, to ensure that the power management architecture and its controls are taken into account during simulation.

Power Aware simulation enables functional verification of power management in the context of an RTL design. A power aware simulation run does the following:

  • Compiles the design and UPF specifications
  • Infers sequential elements from the RTL design (registers, latches and memories)
  • Applies the UPF-specified power management architecture to the RTL design
  • Augments the simulation model with appropriate power aware models
  • Dynamically modifies the RTL behavior to reflect the impact of active power management.

Using the UPF and sequential element information, the simulator is able to augment the normal RTL behavior with the UPF-specified power aware behavior (power distribution and control, retention, corruption, and isolation).

This involves selecting the appropriate simulation models to implement the UPF-specified power management architecture. It may also involve recognizing and integrating user-supplied power aware simulation models.

Power aware simulation can be used to visualize the effects of active power management on the dynamic behavior of the design, as well as visualizing the behavior of the power management architecture itself under control of power management logic.

In a power aware simulation, the internal state and outputs of a power domain will be set to X to reflect the corruption of those signals when the primary supply to that domain is turned off.

When the supply is turned on again, the X values will be replaced as the power domain reinitializes or has its state restored. Signals driven by outputs of a powered-down domain should be clamped to 0 or 1, so that downstream power domains see a well-defined value and won’t be affected by corrupted outputs of a power domain that has been powered down. Retention should be evident in that the state of signals following power up will correspond to the state of signals prior to the previous power down.

Visualizing the effects of active power management helps the designer confirm that all of the necessary power domains and power states required to implement the operation modes of this device have been defined, and that all the necessary isolation, level-shifting, and retention cells necessary to enable power management have been added.

If there are errors in the power management architecture, they will very likely cause signal corruption that does not go away after power up, which in turn will lead to functional errors in the design.

Debugging power management errors can be performed by tracking corruption of signals in the waveform view, but that method is tedious and error-prone. A much more effective method is the use of assertions to check for correct operation of the design under active power management.

For example, an assertion to check that an output of a power domain is clamped to the correct value when the power domain is powered down will immediately catch any error related to the clamp value, or the powering of the isolation cell involved, rather than just generating an X and letting it propagate. Such assertions can be automatically generated by the power aware simulator.

Verifying power control logic
Power aware simulation can also be used to verify the control logic driving the power management architecture, provided that the control logic is part of the design rather than being implemented in a testbench.

For software-based power control logic, simulation is the only method available. In particular, hardware/software co-simulation is necessary if the power control logic is split between hardware and software components, as is often the case. For hardware-based power control logic, such as a power control unit, another alternative is available.

Formal verification is particularly suited to verifying complex control logic. In contrast to simulation, which runs one input sequence at a time to test a device, formal verification considers all valid input sequences in one pass.

A formal verification tool can therefore identify all possible behaviors of the power control logic, which enables it to automatically find any corner cases in which the generated control sequences may not be complete or in the correct order.

Formal verification is driven by assertions, so use of formal verification requires creation of assertions about the expected behavior of the power control unit. Although this takes some effort, the ability to thoroughly verify the power control logic makes it worthwhile.

Active power management is becoming a necessary part of today’s SoC designs. To add active power management to a design and verify that it is working correctly, it is critical to have a well-defined methodology that addresses all aspects of active power management.

The methodology needs to support defining and verifying an appropriate power management architecture, verifying that the design behaves correctly under the power management architecture, and verifying that the power control signals controlling the power management architecture are generated correctly.

IEEE 1801-2009 UPF supports such a methodology, as does static analysis of power management architecture, power-aware simulation of power-managed designs, and formal verification of power control logic. These methods provide a comprehensive solution for defining and verifying active power management.

Ping Yeung, Ph.D. is the principal engineer in the 0-In Business Unit of Mentor Graphics Corporation. He was part of the 0-In team that developed and introduced Assertion-Based Verification (ABV) to the industry. He has over 16 years application, marketing, and product development experience in the EDA industry, including positions at 0-In, Synopsys, Mentor Graphics, and GenRad. He holds five patents in the CDC and formal verification areas.

Erich Marschner is verification solutions manager at Mentor Graphics . He has more than 30 years experience developing language-based tools, systems, methodology, and industry standards for electronic systems design, verification, and software development in the areas of language design and implementation, hardware design & verification languages, assertion languages and temporal logic, software architecture design and specification and functional verification tools and methodologies.

[1] N.S. Kim, T. Austin, T. Blaauw, T. Mudge, K. Flautner, H.S. Hu, M.J.Irwin, M. Kandemir, and V. Narayanan. Leakage current: Moore's law meets static power. IEEE Computer, 36(12):68–75, 2003.

[2] S. Shigematsu, S. Mutoh, Y. Matsuya, Y. Tanabe and J. Yamada, “A 1-V High-Speed MTCMOS Circuit Scheme for Power-Down Application Circuits,” IEEE J. Solid-State Circuits, Vol. 32, No. 6, pp. 861–869,1997.

[3] Hyo-Sig Won; Kyo-Sun Kim; Kwang-Ok Jeong; Ki-Tae Park; Kyu-Myung Choi; Jeong-Taek Kong, “An MTCMOS design methodology and its application to mobile computing,” Low Power Electronics and Design, 2003. ISLPED '03. Proceedings of the 2003 International Symposium on , vol., no., pp. 110-115, 25-27 Aug. 2003

[4] Zyuban, V.; Kosonocky, S.V., “Low power integrated scan-retention mechanism,” Low Power Electronics and Design, 2002. ISLPED '02. Proceedings of the 2002 International Symposium on , vol., no., pp. 98-102, 2002

[5] IEEE 1801™-2009, “Standard for Design and Verification of Low Power Integrated Circuits”, IEEE

[6] Tcl/Tk Documentation, Tcl Developer Xchange, http://www.tcl.tk.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.