A Correctness Verification Technique for Commercial FPGA Synthesis Tools

The PLCs (Programmable Logic Controller) have been widely used to implement the safety-critical system such as RPSs (Reactor Protection System) in Korean nuclear power plants. Recently, there have been attempted to implement the software in RPSs by FPGAs (Filed-Programmable Gate Array) [1][2], due to the increasing maintenance cost of PLCs and the higher performance of FPGAs. The FPGAs are typically modeled with HDLs (Hardware Description Languages) such as Verilog and VHDL by software designers manually, and then subsequently synthesized into gate-level design and physical layout by software synthesis tools of FPGA vendors (e.g., ‘Synopsis Synplify Pro’ [3] and ‘Cadence Encounter RTL Compiler’ [4]). Once the FPGA designers designs Verilog programs, the commercial synthesis tools automatically translate the Verilog programs into EDIF programs so that the designers can have largely focused on HDL designs for correctness of functionality. Nuclear regulation authorities, however, require more considerate demonstration of the correctness and safety of mechanical synthesis processes of FPGA synthesis tools, even if the FPGA industry have acknowledged them empirically as correct and safe processes and tools. In order to assure of the safety, the industry standards for the safety of electronic/electrical devices, such as IEC 61508 [5] and IEC 60880 [6], recommend using the formal verification technique. There are several formal verification tools (i.e., ‘FormalPro’ [7], ‘Conformal’ [8], ‘Formality’ [9] and so on) to verify the correctness of translation from Verilog into EDIF programs, but it is too expensive to use and hard to apply them to the works of 3rd-party developers. This paper proposes a formal verification technique which can contribute to the correctness demonstration in part. It formally checks the behavioral equivalence [10] between Verilog and subsequently synthesized Netlist with the VIS verification system [11]. A Netlist is an intermediate output of FPGA synthesis process, and EDIF [12] is used as a standard format of Netlists. If the formal verification succeeds, then we can assure that the synthesis process from Verilog into Netlist worked correctly at least for the Verilog used. In order to support the formal verification, we developed the mechanical translator ‘EDIFtoBLIFMV,’ which translates EDIF into BLIF-MV [13] as an input front-end of VIS system, while preserving their behavior equivalence. It consists of three-steps – Parsing, Pro-processing and Translation. On other hands, the translation from Verilog to BLIF-MV is straightforward because the VIS provides an in-house translator ‘vl2mv’ [14], which translates Verilog into BLIF-MV automatically. We performed the case study with an example of a preliminary version of RPS [15] in a Korean nuclear power plant in order to provide the efficiency of the proposed formal verification technique and implemented translator. It uses the ‘Actel Libero IDE’ [16] (internally, ‘Synopsys Synplify Pro’ [3]) to synthesize Netlist from the Verilog program, and also uses the ‘EDIFtoBLIF-MV’ to translate Netlist into BLIF-MV. The VIS verification system is then used to prove the behavioral equivalence. This paper is organized as follows: Section 2 provides background information. Section 3 explains the developed tool, which translates EDIF to BLIF-MV. A case study with Verilog examples of a Korean nuclear power plant is presented in Section 4 and Section 5 concludes the paper and provides remarks on future research extension.