Verification

Power-Aware Verification: UPF-Based Low Power Design Verification

17 min read Verification

Power-Aware Verification: UPF-Based Low Power Design Verification

Modern SoCs spend a significant fraction of their silicon area and engineering effort managing power. Multiple supply voltages, dozens of switchable power domains, and aggressive sleep states have made power intent a first-class part of the design, not an afterthought handled at place-and-route. Power-aware verification validates that this power intent, captured in the Unified Power Format (UPF / IEEE 1801), behaves correctly across every power state transition before tapeout. A single missing isolation cell or unretained register can silently corrupt logic after a power-down event, producing a bug that no functional RTL simulation will ever catch.

Quick Summary

What Verifying power intent (domains, isolation, retention, switching) described in UPF/IEEE 1801
Why Power management bugs are invisible to standard RTL sim and are catastrophic at silicon
How Power-aware simulation, supply-network checks, and low-power static/formal checks driven by UPF

UPF / IEEE 1801 Methodology

UPF is a Tcl-based language standardized as IEEE 1801 that describes a design's power architecture independently of the RTL. The same Verilog/VHDL describes logical behavior; the UPF sidecar file describes how that logic is powered. This separation lets a single RTL netlist target multiple power configurations and lets power intent flow consistently from RTL through synthesis, place-and-route, and signoff.

Core UPF Concepts

A UPF description is built from a small set of commands that define the supply network and the special cells that protect signals crossing power boundaries:

  • create_power_domain: Groups logic instances that share the same primary supply and power behavior
  • create_supply_port / create_supply_net: Defines the physical and logical supply rails
  • create_supply_set: Bundles power and ground functions (power, ground, nwell, pwell) for reuse
  • set_isolation / set_level_shifter: Inserts protection cells on domain-crossing nets
  • set_retention: Marks registers whose state must survive power-down
  • create_power_state_table (add_power_state): Enumerates legal combinations of domain power states
Tool flow: The same golden UPF is consumed by simulation (VCS, Xcelium, Questa), static low-power checkers (VC LP, Conformal Low Power, Spyglass Power), and the implementation tools. Inconsistent or hand-edited UPF between stages is a leading source of late-stage escapes.

Power Domains and Supply Networks

A power domain is a region of logic that can be powered, voltage-scaled, or switched off as a unit. Each domain has a primary supply set plus optional secondary supplies for the retention and isolation cells it contains. Domains form a hierarchy: a child domain may be powered down while its parent (often the always-on domain) remains active to drive control logic.

  • Always-On (AON) domain: Hosts power management controllers, isolation control signals, and retention save/restore logic. Never powered down.
  • Switchable domains: Connected to the main rail through power switches and can be collapsed to save leakage.
  • Voltage domains: Operate at an independent voltage, requiring level shifters on outgoing signals.

Correct domain partitioning is the foundation of power-aware verification: every signal that crosses a domain boundary must be inspected for isolation and level-shifting requirements.

Power States and the Power State Table (PST)

The Power State Table (PST) enumerates the legal combinations of supply states across all domains. Each row is a named system state such as ACTIVE, RETENTION, or SHUTDOWN, mapping each domain to a voltage level or the OFF state. Modern UPF uses add_power_state on supply sets and power domains to express the same intent with logic expressions.

The PST is the contract that power-aware verification checks against. Verification must confirm that:

  • Only states defined in the PST ever occur during simulation
  • Transitions between states follow legal sequences (e.g., isolate before power-down, restore before isolation release)
  • No domain is read by active logic while it is OFF without isolation
Illegal-state detection: A robust testbench drives the power management unit through every PST row and every transition edge, then asserts that simulation supply values match the expected PST entry at each step. Coverage on power-state transitions is as important as functional coverage.

Isolation Cells

When a domain powers down, its output nets float to an unknown value (X in simulation, indeterminate in silicon). Isolation cells clamp these signals to a known, safe value (0, 1, or latched) before the driving domain collapses, protecting the always-on logic that still reads them.

  • Clamp value: The forced logic level (0 or 1) while isolation is active; chosen so downstream logic stays in a benign state
  • Isolation control signal: Driven from the always-on domain; must be asserted before power-down and de-asserted after power-up
  • Location: Typically placed in the receiving (always-on) domain so the cell itself stays powered

Power-aware simulation models isolation explicitly: with isolation correctly inserted, a powered-down output reads the clamp value; without it, the simulator injects X, exposing the missing-isolation bug.

Level Shifters

Signals crossing between domains operating at different voltages need a level shifter to translate logic levels. A net going from a 0.8 V domain into a 1.1 V domain that lacks a shifter may be interpreted as an invalid level, causing functional failure or excessive crowbar current.

  • High-to-low (HL) and low-to-high (LH): Direction determines the cell topology required
  • Enable level shifters: Combine voltage translation with isolation in a single cell, common on switchable + voltage-scaled crossings
  • Strategy-based insertion: set_level_shifter rules in UPF select cells automatically based on source/sink voltage and threshold

Static low-power checks flag any voltage-domain crossing that lacks a level shifter, while functional simulation confirms the shifter's enable timing matches the power sequence.

Retention Registers

To resume quickly after a power-down without rebooting, critical state is held in retention registers. These flops have a secondary always-on supply (or a balloon latch) that preserves their value while the primary supply collapses. UPF's set_retention defines the save and restore control signals.

  • Save signal: Captures the register value into the retention element before power-down
  • Restore signal: Reloads the saved value when the domain powers back up
  • Save/restore ordering: Must be sequenced correctly relative to isolation and power-switch control

Verification must prove that every retention register restores its pre-shutdown value and that non-retained registers are properly reset on wake-up. A common bug is assuming a register is retained when the UPF only marked a subset of the bank.

Power Switches

Power switches (header or footer cells) connect a switchable domain's virtual supply rail to the always-on rail. Asserting the switch enable powers the domain; de-asserting it collapses the virtual rail, cutting leakage. UPF describes them with create_power_switch, mapping control inputs to supply on/off states and optional acknowledge outputs.

  • Daisy-chained enables: Large domains use chains of switches to limit inrush current during wake-up
  • Acknowledge feedback: The power controller waits for the ack before declaring the domain ready
  • Rush current / IR drop: Verified in power-network analysis, but the control sequencing is verified functionally

Low-Power Techniques: Clock Gating, Power Gating, and DVFS

UPF-driven verification covers the structural power techniques used to cut both dynamic and static power. The three most common are compared below.

Technique Power Saved Mechanism UPF / Verification Impact Wake Latency
Clock Gating Dynamic only Stops toggling clock to idle flops Mostly RTL/CDC; no domain shutdown Immediate
Power Gating Leakage + dynamic Switches off domain supply via switches Needs isolation, retention, switches Moderate
Multi-Voltage (MV) Dynamic + leakage Runs domains at independent voltages Needs level shifters on crossings Low
DVFS Dynamic + leakage Scales V and f to workload at runtime PST with multiple voltages, shifters Variable

Clock gating halts dynamic power in idle blocks and is verified with structural and CDC checks. Power gating attacks leakage by collapsing supplies and is the most verification-intensive, demanding correct isolation, retention, and switch sequencing. DVFS (Dynamic Voltage and Frequency Scaling) adds many voltage operating points to the PST, multiplying the level-shifter and timing scenarios that must be covered.

Simulation with Power Intent

In power-aware simulation the simulator reads both the RTL and the UPF, then dynamically models supply behavior on every cell. When a domain's supply goes OFF, registers in that domain are corrupted to X, combinational outputs become X, and only isolation and retention cells fed by an active supply hold defined values. This makes power bugs manifest as X-propagation that ordinary RTL simulation, which assumes ideal always-on power, would never produce.

  • Supply-aware corruption: Powered-down logic is automatically driven to X, modeling real loss of state
  • Isolation/retention modeling: The simulator honors clamp values and save/restore behavior from UPF
  • Power-state assertions: Built-in checks flag illegal PST states and bad control sequencing at runtime
  • Coverage: Power-state and transition coverage ensures every sleep/wake path was exercised

The Three Pillars of Power-Aware Signoff

1. Static (structural) checks: Verify isolation, level shifters, and retention are present and correctly connected on every crossing — independent of stimulus.

2. Dynamic (simulation) checks: Verify control sequencing, clamp values, and state restoration through real power-up/down scenarios.

3. UPF consistency: Verify the same golden UPF is used and refined consistently from RTL through implementation.

Common Power-Management Bugs

Power-aware verification exists to catch a recurring set of defects that escape conventional functional verification:

  • Missing isolation: A net leaves a domain that powers down with no isolation cell, propagating X into always-on logic and corrupting state machines
  • Wrong clamp value: Isolation clamps to a level that puts downstream logic into an unsafe state (e.g., asserting a request during sleep)
  • State corruption: A register expected to survive power-down was never marked for retention, so it wakes with garbage
  • Control sequencing errors: Isolation released before restore completes, or power switch enabled before isolation is set up
  • Missing level shifter: A voltage-domain crossing lacks a shifter, causing invalid logic levels or crowbar current
  • Always-on violations: Isolation or retention control logic placed in a switchable domain, so it loses power exactly when needed
  • Illegal power states: The power controller drives a domain combination not present in the PST

Implementation Best Practices

  1. Maintain a single golden UPF: Drive simulation, static checks, and implementation from one source; never hand-edit per stage
  2. Run static low-power checks first: Catch missing isolation, level shifters, and AON violations before burning simulation cycles
  3. Exercise every PST transition: Build directed and random tests that cover all sleep/wake sequences, not just steady states
  4. Track power-state coverage: Treat power-state and transition coverage as mandatory signoff metrics alongside functional coverage
  5. Enable X-propagation: Use pessimistic X handling so corruption from powered-down logic is visible, not masked
  6. Verify control sequencing with assertions: Assert isolate-before-off, restore-before-isolation-release, and ack handshakes
  7. Validate retention coverage explicitly: Confirm exactly which registers are retained and that non-retained state resets cleanly
  8. Re-verify at gate level: Confirm the inserted UPF cells in the netlist match RTL power intent after synthesis and P&R

Conclusion

Power-aware verification has become indispensable as low-power SoCs adopt aggressive power gating, multi-voltage operation, and DVFS. The UPF/IEEE 1801 standard provides a single, portable description of power intent, but it is only as good as the verification that proves it correct. Static low-power checks, supply-aware simulation, and rigorous power-state coverage together expose the missing-isolation, retention, and sequencing bugs that no conventional RTL test can reveal.

Treating power intent as a verifiable contract — written once in golden UPF and validated from RTL through gate level — is the difference between a chip that sleeps and wakes reliably and one that corrupts state in the field.

Vcores offers low-power verification services and silicon-proven IP, including UPF authoring and review, power-aware simulation environments, static and formal low-power signoff, and power-managed IP cores ready for integration into your FPGA and ASIC designs.

Tags: power-aware verification UPF low power design power gating isolation cells retention

Related Articles

UVM Verification: Building Reusable Testbenches for Complex SoCs Verification UVM Verification: Building Reusable Testbenches for Complex SoCs
Formal Verification: Proving Correctness Without Simulation Verification Formal Verification: Proving Correctness Without Simulation
CDC Verification: Clock Domain Crossing Analysis and Verification Verification CDC Verification: Clock Domain Crossing Analysis and Verification
Coverage-Driven Verification: Measuring Verification Completeness Verification Coverage-Driven Verification: Measuring Verification Completeness

Need IP Cores for Your Design?

Vcores offers silicon-proven IP cores for ASIC and FPGA designs. Get high-quality, verified IP with comprehensive documentation and support.

Explore Products Contact Us