Abstract
Introduction
Correct standard cell models are a good foundation for successful synthesis and simulation. LibQA is a qualityassurance tool currently in industrial service to compare Synopsys synthesis models against VHDL simulation models and against electrical models extracted from layout. Starting from a synthesis model, LibQA generates an equivalent FSM. Using graph algorithms, LibQA generates stimuli for simulations. "he results of the simulations give these benefits:
Synopsys Technology Library cell model testing VHDL cell model testing
I Cell timing characterization
In most cases, LibQA is automatic. However, cells which cannot be defined in the syntax of the synthesis model require manually supplied stimuli.
The synthesis model is analyzed formally, and the simulation stimuli generated from it are formally correct. Assuming there are no unexpected states in the models, the test coverage is total, showing that the electrical and VHDL models implement the specification of the synthesis model. Others have proven equivalence of certain VHDL models using formal methods, but this is not practical for a general production tool. Abstraction of electrical models has been done so far without proof, and is limited in scope.
Progress on those two fronts should create new opportunities in model validation.
LibQA also supports inspection of timing models: 
FSM for Combinational Cells
To benefit from the simple graph search algorithms that generate the test vectors, even the combinational cells are translated into FSMs. To illustrate the process, here is the functional part of the synthesis specification for a tristate buffer with resistive input pull-up: c e l l ( T R 1 BUF) { p i n ( Z ) 7 d i r e c t i o n : o u t p u t ; f u n c t i o n : "A"; three-state : "E'" 1 p i n ( A ) { d i r e c t i o n : i n p u t ; d r i v e r -t y p e : pull-up; I p i n ( E ) { d i r e c t i o n : i n p u t ; 1 
Sequential Cell FSM Construction
Synopsys models sequential cells use just two primitives: f f for flip-flops, and l a t c h for latches. There is obsolete s t a t e primitive we do not use.
Here is a Synopsys description of a sample flip-flop:
{ n e x t -s t a t e : " ( D T E ' ) + ( T I TE)"; clocked-on : "CP"; clear : "CD'"; preset : 'SD' "; clear p r e s e t -v a r l : L; c l e a r p r e s e t -v a r 2 : H; f u n c t i o n 'IQ"; 1 
I
The steps LibQA uses to construct its FSM model are:
1. Call constructff, which returns an FSM where boolean expressions next-state, clocked-on, anid all the otlcer ff inputs a~ represented by a single term.
2.
Expand the FSM for each ff input expression.
3. Construct the output function A.
FSM * c o n s t r u c t f f ( 1 is a function which constructs a complete FSM structure which models an elementary ff. These come in several variations depending on attributes which coflcern the preset and clear functions: whether preset and clear exist. the state when clear and set are applied together.
For example, a multiplexed D ff is expressed as:
{ n e x t s t a t e : "(D TE')+(TI.TE)"; clocEed-on : "CP";
1
The FSM will be constructed by first calling c o n s t r u c t -f f to return an elementary FSM for the ff. Then, new state variables are created for each input, and each arc to the (now replaced) next-state and clocked-on variables is replaced by a set of arcs accounting for all the cases due to the expressions. In the present case, clocked-on is simple, so re-labeling is all that is needed.
The ff primitive is expanded to: 
FindTest Procedure
A test sequence is selected so that every arc of the FSM is traversed in optimal or near-optimal order. Optimal order is not useful when hding it costs more than the impmement in simulation time it buys, so sub-optimal paths are accepted when complexity exceeds a limit. 
Timing Test Sequence
Only the arcs that result in an output signal change are required in the timing test sequence. The resulting sequence is much shorter than the functional test. Setup and Hold. All terms of n e x t -s t a t e are exercised for setup and hold.
Recovery. All terms alf preset and clear are exercised for recovery time in combination with all terms of clocked -on.
Hazard Test Sequence
VHDL models can be coinfigured to respond to hazards in a variety of ways: with transport delays, inertial delays, glitch X generation, spike: X generation, and message generation. All arcs leading to an output change can be subjected to hazards. Testbenches are generated for all these behaviors because all possible choices need to be tested. 
Electrical Testlbench Generation

VHDL Testbench Generation
The properties of the VHIIL models which need to be tested include functional operation, backannotated timing, X and report generation in response to glitches and timing constraint violations. The VHDL testbenches themselves consist of stimuli and p r d u r e s . We need to know if the models survive the stimuli without fatal errors, if the functional operation is correct. and if the timing values from the SDF are respected.
VHDL Procedures
qa-input
Apply STIMULUS-VALUE to the cell. 
qa-function
This procedure verifies the function only -not the timiig. errors in the models. This is an excerpt from the timing test for an inverter; other tests follow similar lines.
architecture TEST of TB-IV is signal STIMULUS: std-ulogic-vector(1 to 1); signal EXPECT, ACTUAL:
signal CLOCK: std-logic := '0'; begin std-ulogic-vector(1 to 1); test : process begin qa-input (STIMULUS,"O") ; wait for 100 ns; qa-input (STIMULUS, "1") ; qa-timing1 (ACTUAL, EXPECT, wait for 100 ns; qa-input (STIMULUS,"O") ; q a t imingl (ACTUAL, EXPECT, wait for 100 ns; assert false report "end of test" severity failure;
end process test; inst: IV port map (A=>STIMULUS (l), Z=>ACTUAL (1) ) ; end TEST;
qa-timing1
This procedure verifies function and timing for a singleoutput cell. 
VHDL Stimuli
VHDL header and closing statements are generated from the FSM structure. The test sequence generation procedures return a p a t h data structure for each kind of test: function, timing, violation, and glitch. Each of these is translated into VHDL stimuli. LibQA generates the constants that provide delay values for the stimuli and the constants for the SDF, the test benches can detect timing
Timing Characterization
LibQA starts with an existing synthesis model, generates test patterns, runs electrical simulations, and produces a characterization database. Another program, U2STF 131, generates the new synthesis model set from the characterization database. A separate synthesis model is necessary for each operating condition (process, temperature, voltage) to avoid derating errors.
Propagation delays are measured with the timing test patterns previously described. The Eldo electrical simulator has primitive functions to do the measurements. One simulation is done for each point in the timing table. Both propagation delay and rise time are measured for all timing events in each run, while load capacitance and input rise time are parameters which change for each run. One Eldo description used for an inverter is: .extract tpdUD (A, Z, t v t h i n = l . 0 8 0 0 0 0 , v t h o u t = 1 . 6 2 0 0 0 0 , a f t e r = l U S ) . e x t r a c t t f a l l ( Z , t vh=2.295000, v l = 1 . 3 5 0 0 0 0 , a f t e r = l U S )
. e x t r a c t t p d D U ( A , 2, + v t h i n = l . 6 2 0 0 0 0 , v t h o u t = 1 . 0 8 0 0 0 0 , a f t e r = Z U S )
. e x t r a c t t r i s e ( Z , t v h = 1 . 3 5 0 0 0 0 , v l = 0 . 4 0 5 0 0 0 , a f t e r = 2 U S ) . p r i n t t r a n V ( Z ) .tran lus 3us
.END
Often. a set of related events have negligible differences in propagation delay. LibQA groups these into equivalence classes. Where necessary, the classes are differentiated using sdf-cond attributes. This ability to decide which timing events to use gives an important contribution to aCCUraCy.
Timing violations are measured with the violation test patterns previously described. A violation test tells whether the observable outputs failed to arrive at the expected value. A binary search on pass/fail gives a numerical result, but at more expense than the simpler delay measurements.
Because each simulation run tests all the constraints, a separate binary search record is maintained for each one.
Timing Report Generation
LibQA tests the characterization database rather than the completed synthesis model because individual derating information is merged into global derating k-factors, so good scrutiny is not possible there. LibQA checks for properties that experience has linked to characterization problems. Statistics for each class of event are calculated, and individual events are compared to the statistics. These statistics are also used during synthesis model regeneration to calculate the k-factors. Some specific tests are:
Monotonicity. Timing functions are tested for monotonicity with respect to all of their independent variables: input rise time. load, temperature, voltage, and process. Range. Check the range and domain of all timing functions. No timing should ever be negative, non-numeric, or infinite. Extreme values. For each class of event, the ten extreme cases are reported in ranked order. This can be interesting reading.
Timing Graph Viewer and Calculator
The timing graph viewer reveals timing properties difficult to recognize in tabular data. Timing characterization can produce subtle problems, but looking at every timing graph for a library will often reveal defects. The graphs can be output in printable format.
LibQA's calculator gives a numerical evaluation for any timing in the library.
Results
LibQA was used to develop a 151-cell library of O.5micron CMOS standad cells. Two of the cells ( buskeepers) required hand-generated stimuli because they had the 'dont-use' property and no functional description. Using a Sparc 10, functional verification using Eldo took 72 minutes, and some flip-flops having set and clear inputs were found incorrect when set and clear are applied together. Characterization for the library took 49 hours. As a result of the timing report, some of the max-cap values were corrected, and the choice of transition time and net-capacitance samplle points were optimized. The VHDL simulation took 130 minutes, and an array out of bounds error due to a hand edited cell, and a number of undetected violations were revealed. The development time for LibQA was less than the time previously spent preparing tests, the coverage was much higher, and new classes of testing were applied. Finally, the time-to market for our latest library was signilicantly faster than the previous generation, and there have been no bug reports on the library.
Conclusions
LibQA is an industrial tcol used to support the production and test of VHDL synthesis and simulation models. The application of formal methods increases precision and lowers costs. LibQA re:quires manual stimuli for cells which cannot be expreszed in the syntax of the synthesis models, but it is fully automatic for 147 of 151 cells in a 0.5 micron CMOS standard cell library.
References
[ 11 "Introduction to Automata Theory, Languages, and Computation", Hopclroft and Ullman, Addison-Wesley Publishing Co., 1979
[2] "Library Compiler Rleference Manual" Synopsys, Inc., March 1994
[3] "U2STF User Guide", SGS-Thomson Microelectronics, November 1994
[4] " ELDO Electrical Circuit Simulator", Anacad, November 1994 
