IEC 62531: Property Specification Language (PSL) for Formal Verification of Digital Circuits

Mastering PSL for hardware assertion-based verification — from temporal logic fundamentals to advanced formal verification methodologies

IEC 62531, adopted from IEEE Std 1850, defines the Property Specification Language (PSL), a formal language for specifying properties of digital hardware designs. PSL enables engineers to express complex temporal behaviours and constraints in a precise, unambiguous manner that can be verified through both dynamic simulation and formal verification tools. As integrated circuit designs grow exponentially in complexity, with modern System-on-Chip devices containing billions of transistors and hundreds of clock domains, traditional simulation-only verification approaches have become insufficient to ensure functional correctness. PSL, alongside SystemVerilog Assertions (SVA), provides the foundation for assertion-based verification (ABV) methodologies that have become essential in the semiconductor industry.

PSL is unique among hardware assertion languages in its layered architecture: it separates the Boolean layer (expressions over signals), the temporal layer (sequences and temporal operators based on Linear Temporal Logic), and the verification layer (directives for tools). This clean separation makes PSL equally applicable to RTL simulation, gate-level simulation, and formal model checking without modification.

PSL Language Architecture and Temporal Logic Foundations

The PSL language is built on a four-layer architecture. The Boolean layer consists of standard Boolean expressions over the design signals, identical to those used in HDL expressions. The Temporal layer provides operators for specifying behaviour over time, built upon Linear Temporal Logic (LTL) extended with Sequential Extended Regular Expressions (SEREs). The Verification layer provides directives such as assert, assume, and cover that tell verification tools what to do with the properties. The Modelling layer allows auxiliary code to support property specification, including functions for computing expected values or configuring verification environments.

The temporal operators are the heart of PSL. The fundamental LTL operators include always (G operator in LTL — globally), never (G with negation), eventually! (F — future), until! (U — strong until), before, and next. These operators are supplemented by clocked variants using the @ operator, which allows properties to be specified relative to specific clock edges. The SERE layer enables regular-expression-like specification of sequential behaviours, with operators including concatenation (;), fusion (:), kleene star ([+] and [*N]), and Boolean intersection (&).

Core PSL Temporal Operators and Their Semantics
Operator Syntax Example LTL Equivalent Meaning
always always (req -> ack) G (req -> ack) Property holds at every cycle
never never (busy & grant) G !(busy & grant) Condition never occurs
eventually! eventually! (done) F done Condition must hold eventually (strong)
until! req until! ack req U ack req holds until ack occurs (strong)
next next (ready) X ready Condition holds in next cycle
next_a[3:5] next_a[3:5] (done) Condition holds in all cycles 3-5 from now
before a before b a occurs before b
SERE concatenation {req; ack} req followed by ack in next cycle
SERE fusion {req : ack} req and ack overlap in same cycle
SERE repetition {start; data[*4]; done} data holds exactly 4 cycles between start and done
A common pitfall when writing PSL properties is the distinction between strong and temporal operators. The eventually! operator (with exclamation mark) is a strong operator meaning the event must occur, while eventually (without exclamation) would be a weak operator in some contexts. In formal verification, using a weak operator where a strong one is needed can result in vacuously passing properties that do not actually constrain the design. Always verify that properties are sufficiently strong to capture the intended behaviour.

Assertion-Based Verification Methodology and Engineering Practice

PSL supports three verification directives that serve distinct purposes in a verification methodology. The assert directive specifies a property that must always hold; if the property fails during simulation or is found to be false in formal analysis, the tool reports an error. The assume directive specifies a constraint on the design environment — these are assumptions about the inputs that the verification tool must respect, and they enable the verification of internal blocks with constrained input stimuli. The cover directive specifies coverage points that track whether certain behaviours have been exercised during simulation, providing quantitative measurement of verification completeness.

From an engineering methodology perspective, effective PSL usage follows several established patterns. The first is the specification of interface protocol properties: every bus protocol — AXI, AHB, APB, PCI Express, USB — has timing relationships that can be captured as PSL assertions. For example, an AXI valid-ready handshake property in PSL ensures that when valid is asserted, ready must eventually be asserted. These interface properties are reusable across projects and form the basis of a verification IP library. The second pattern is the use of PSL assume directives to constrain formal verification tools, defining the legal input sequences that the design can receive. Without such assumptions, formal tools explore unreachable states, generating false counter-examples that waste engineering time.

Third, PSL cover directives are used to define functional coverage points, complementing code coverage metrics by capturing whether specific behaviours specified by the design intent have been exercised. A typical coverage specification might track all possible arbitration scenarios in a bus arbiter, ensuring that each master has been granted access under varying priority conditions. Industry experience shows that designs with comprehensive PSL assertions achieve 30-50% higher bug-finding rates during verification and 40-60% fewer post-silicon escapes compared to designs relying solely on directed test and code coverage.

PSL Verification Directives and Their Applications
Directive Purpose Dynamic Simulation Formal Verification Typical Application
assert Mandatory design property Check at each cycle Prove property holds Protocol compliance, data integrity
assume Environmental constraint Monitor input legality Constrain input space Bus interface assumptions, reset sequence
cover Coverage measurement Track behaviour occurrence State reachability analysis Functional coverage, corner cases
The most effective PSL verification strategies combine dynamic simulation with formal verification. Simulation runs millions of cycles with realistic traffic patterns to verify system-level behaviour, while formal tools exhaustively prove critical properties such as “no data corruption,” “no deadlock,” “one-hot encoding always holds,” and “FIFO never overflows.” This complementary approach achieves higher verification confidence than either method alone.

Engineering Design Insights for PSL-Based Formal Verification

Deploying PSL effectively in a real-world verification flow requires careful attention to several engineering considerations. First, the property set must be developed as an integral part of the design specification, not as an afterthought added during verification. Writing properties after the RTL is complete tends to reflect the design as implemented rather than the design as intended, reducing the likelihood of finding specification-to-implementation mismatches. Best practice is to capture PSL assertions during the architecture phase, before RTL coding begins, turning the properties into executable specifications that guide implementation.

Second, the complexity of PSL properties significantly affects formal verification tool performance. Highly complex properties with deeply nested temporal operators or long SERE sequences can cause state-space explosion in model checking. Engineers should decompose complex properties into smaller, simpler assertions that are easier to prove. A property such as always (req -> eventually! (ack before [!30])) (request must be acknowledged within 30 cycles) is both intuitive and efficiently verifiable, while a property spanning hundreds of cycles with multiple intervening conditions may require property decomposition or abstraction techniques to be tractable.

Third, the interaction between PSL assume directives and the reset sequence requires careful design. During reset, many design signals are in undefined or transitional states that would violate normal operating assertions. PSL provides the default clock and reset handling constructs to manage these scenarios, typically specifying that assertions are disabled during reset and only become active after a defined reset completion condition. Failure to properly handle reset can result in hundreds of false assertion failures during the reset sequence, overwhelming engineers and obscuring genuine design bugs.

Q1: What is the difference between PSL and SystemVerilog Assertions (SVA)?
A: Both are property specification languages for hardware verification. PSL (IEC 62531 / IEEE 1850) has a cleaner separation of Boolean, temporal, and verification layers, uses LTL-based temporal operators, and is tool-independent. SVA is integrated into the SystemVerilog language, uses a different temporal syntax based on sequences and properties, and is tightly coupled with SystemVerilog simulation semantics.
Q2: Can PSL be used for software verification?
A: While primarily designed for hardware, PSL concepts have influenced software verification languages. The temporal logic foundations are applicable to embedded software and concurrent software verification, though dedicated software assertion languages (like MSL for SPARK Ada or ACSL for C) are more commonly used in the software domain.
Q3: How many PSL assertions are typically needed for a complex IP block?
A: Industry experience varies, but a typical complex IP block (e.g., a DDR controller or PCIe endpoint) might have 200-1000 assertions. The number depends on interface complexity, internal state machine count, and verification thoroughness requirements. A general guideline is 5-10 assertions per interface protocol and 3-5 assertions per finite state machine.
Q4: What is the main limitation of formal verification with PSL?
A: The primary limitation is the state-space explosion problem. For large designs (above approximately 5000 flip-flops), complete formal verification becomes computationally intractable. Techniques such as compositional verification (verify blocks separately), abstraction, and proof decomposition are used to manage this complexity. For full-chip verification, PSL properties are typically verified through simulation with formal methods reserved for critical blocks and specific properties.
© 2026 TNLab — This article is for educational and technical reference purposes.

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending now

IEC 60300-3-7: Reliability Stress Screening — Exposing Hidden Defects Before They Reach Your Customer
IEC 60309-4: Industrial Plugs and Sockets — How Colour Coding and Keying Prevent Fatal Wiring Errors
IEC 60310: Traction Transformers — The Heartbeat Device Powering High-Speed Trains and Metros
IEC 60318-2: Acoustic Couplers — The “Artificial Ear” Calibrating Hearing Aids and Headphones