Verification of a CAN bus model in SystemC with

functional coverage
Gilles B. Defo, Christoph Kuznik, Wolfgang Müller
University of Paderborn/C-LAB
Faculty of Electrical Engineering
Computer Science and Mathematics
33102 Paderborn, Germany
{defo, kuznik, wolfgang}@c-lab.de

Abstract—Many heterogeneous embedded systems, for exam-
ple industrial automation and automotive applications, require
hard-real time constraints to be exhaustively verified - which
is a challenging task for the verification engineer. To cope
with complexity, verification techniques working on different
abstraction levels are best practice. SystemC is a versatile
C++ based design and verification language, offering various
mechanisms and constructs required for embedded systems
modeling. Using the add-on SystemC Verification Library (SCV)
elemental constrained-random stimuli techniques may be used
for verification. However, SCV has several drawbacks such as
lack of functional coverage. In this paper we present a functional
coverage library that implements parts of the IEEE 1800-2005
SystemVerilog standard and allows capturing functional coverage
throughout the design and verification process with SystemC.
Moreover, we will demonstrate the usability of the approach with
a case study working on a CAN bus model written in SystemC.
I. I NTRODUCTION
In several domains like industry automation and automo-
tive systems, the verification of hard real-time constraints
and verification of functional and non-functional properties
for integrated system behaviors is essential. For example,
machine-aided assembly lines, where process steps of auto-
matic units and human workers intertwine with each other
require a safe and deterministic behavior for the team play.
In automotive applications multiple field busses running in
parallel, exchanging messages with each other need to be
verified to guarantee safety-critical behavior. Verifying these
systems is a time consuming and tedious task. To cope with
always more complexity and to boost productivity, more effi-
cient verification techniques and technologies were introduced
through the last years like the notion of functional verification
[1] which supports features such as verification of assertions,
constrained-based random test pattern generation, and func-
tional coverage. This article, focuses on the implementation
of a functional coverage library in SystemC and applies it on
the verification of a CAN bus case study.
Functional coverage is a user defined metric to investigate
to which extend the functionality of a given design under
test (DUT) has been verified by simulation runs. As such,
functional coverage keeps track of value assignments and
changes of expressions and conditions within the code. Thus,
it is not verified if the DUT is working properly rather than
just gives information of the quality of the test pattern with
respect to the user-defined metrics. The task to verify the
actual simulation behavior of the DUT functionality with the
expected one still has to be accomplished by implementing a
testbench. So, functional coverage can tell if a property was
executed at the right time, in the right order and context.
In the ideal case of a close coupling of a testbench and
functional coverage analysis, the information can even be
processed at runtime to steer the constrained random stimuli
generation. While the IEEE 1800 SystemVerilog [2] standard
and other Hardware Verification Languages (HVL) such as e
incorporate functional coverage language features, these are
neither available in the IEEE 1666 SystemC standard [3]
nor in any publicly available SystemC library. To overcome
this, we developed a SystemC functional coverage library and
testbench and applied it to a SystemC model of a Controller
Area Network (CAN) based on the standard described in [4].
In this article, we first introduce our SystemC implementa-
tion of the IEEE 1800-2005 SystemVerilog coverage language
features in Section II. The fundamentals of the CAN Controller
bus model are introduced in Section III. Section IV outlines
the testbench architecture and components of the implemented
Controller Area Network (CAN) case study. Thereafter, sce-
narios of the verification environment are discussed in detail
in Section V. Section VI compares our approach with existing
standards and related work in the area of functional coverage
within SystemC before we close with a conclusion in Section
VII.
II. S YSTEM C C OVERAGE L IBRARY
The SystemC functional coverage (SCFC) library partly
implements the covergroup concept of the IEEE 1800-
2005 SystemVerilog standard [2] via a singleton Factory class
implemented in SystemC. In details, the library supports the
definition of:
• bins to collect hits for variable ranges of the coverpoint
• default bins to capture all non-specified values
• ignore bins, i.e., values to ignore and disregard for
coverage computation
• illegal bins, where a bin hit calls sc_stop()
• transition bins to define value sequences and evaluation
with help of user-defined sample function

978-1-4244-5841-7/10/$26.00 ©2010 IEEE 28 SIES 2010

 • cross bins to cover cross-products with binsof() and
intersect() operators
following the instantiation hierarchy as defined by the Sys-
temVerilog standard. The SCFC factory is the main facility
of the library, providing all necessary setup and manage-
ment API calls for the creation and administration of ev-
ery element of the implemented covergroup concept. More-
over, the factory provides the administration of the cover-
age database in order to store collected functional cover-
age information. The database has to fulfill two require-
ments. It has (i) to capture already sampled coverage in-
formation prior to the next run and (ii) to save this data
after the test, which is supported by a set of convenience
API functions. The set_coverage_db_name(name)
function defines where to store the collected data. By
load_coverage_db(name), this data may be loaded and
evaluated at later steps. To compute the functional coverage
of all covergroup types, the factory provides the method
get_coverage().

K
92:563J
K to 63, and the single value 65. The notation bins b[]
defining on what signal the sampling of the covergroup is
performed, for example, on a rising or falling edge of a
certain signal. This feature is necessary if the covergroup
shall automatically cover variable in dependence of a clock
signal. So far the library has support for automatically covering
signals of type sc_signal<int> or via an explicit API
sample() function call. Once the covergroup is created,
the actual coverage elements such as coverpoints, cross-
coverpoints, bins, transition bins, illegal bins etc. can be
defined starting in line 9. The order of the definition is the
same as in the SystemVerilog standard and has to be respected.
In the following, two more detailed examples of the SCFC
library coverage features shall be illustrated. In Figure 2
an example from the SystemVerilog specification is shown.
Here, the covergroup cg has one defined coverpoint v_a
with four associated bins definitions and a default bin. In
this example, the bins are not derived automatically (for every
possible value) rather than they are defined to capture certain
variable ranges. Additionally, the coverage computation only
considers the defined ranges. Bins a covers the range 0
K Q creates as many bins as values within the specified interval.
K 
9I/
9%E:

J
KO
$K The same holds for bins c[]. bins others[] holds all
)K 
J9, 90R8R0KD9, JK non-specified values. These values are not considered during
+K Q
K  coverage computation.
.K 
 P
B/@!9

 J8S
T80R8R0KO
"K 

4K V


K V
K L"D4M9O

K  K

K 
R
9P!
JS
9T80RR0KO K 


XJ

KO
$K 

9
Fig. 1. Definition and instantiation of a covergroup in SystemC )K Q
+K PQL4D+M8+)VO
K (LMPQL
D
)4M8L
$.D
"
MVO
Figure 1 shows the abstract principles of the defini- .K LMPQ4484
84VO
tion and instantiation of a covergroup using our library. "K ,PQL
444D
4MVO

4K LMP
" O
A covergroup is created using a SystemC SC_MODULE

K V
macro which implicitly results in a C++ class defini-
K 

tion. The covergroup class is defined as a friend,
allowing access to variables of the surrounding class. Fig. 2. A SystemVerilog covergroup
In line 5, the constructor of the covergroup is defined.
The method new_SVCovergroup(SVRef scm, char*
name, const char* instname,/*...*/) creates a

K
92:563J
K
new covergroup type name and a associated first instance K Q
called instname. The actual instantiation is shown in line K  (D
$K 
9I/
9%E:

J
KO
13. The instance cg_inst (with the parameter cg_inst) is )K
+K 
J9, 98*4"R KD9, JK
constructed via the constructor of SC_MODULE cg. This also K Q
leads to the creation of the covergroup type cg to which the .K 
927I:5JKO
"K 9?? @O
instance is assigned.
4K ,9 JKO
The pointer scm is used both for the type and the in-

K

K 
 P
B/@!9

 J8\
\88 KO
stance and saves the hierarchical relation, pointing to the
K 
B/@!9
J8\9\8ZJ @9KKO

$K 
B/@!9
J8\\8
8$848+8+)8+)KO
first instance. scm is a reference of the SC_MODULE of
)K 
B/@!9
J8\(\8/67:-G
8$8
8
)48
$.8
"
KO
the covergroup, whereas SVRef is a just macro for void*.
+K 
B/@!9
J8\\8/67:-G
8+84484484
84
8
484KO
name identifies the name of the covergroup, instname the
K 
B/@!9
J8\,\8
88
4448
4KO
name of the instance of the covergroup. Moreover, additional
.K 
B/@,,9, J\\KO

"K V
parameters are possible and indicated by the ... charac- 4K VO
ters. The constructor allows the definition of a SC_METHOD
sample() method in line 7. This sensitivity method allows Fig. 3. SystemC implementation of the SV covergroup from Figure 2

978-1-4244-5841-7/10/$26.00 ©2010 IEEE 29 SIES 2010

 The corresponding SystemC implementation is shown in
K 
J9, 98 R8(,KD9, JK
K Q
Figure 3. AUTOBINS is the equivalent to the SystemVerilog K  927I:5JKO
[] notation and creates as many bins as present values in the $K 9??@O
defined range. The definition of a certain number of bins is )K ,9 JKO
done via the third parameter of new_SVBins(). The default +K
bin is defined in line 18. The add_default() method K 
 P B/@!9 
 J8\
\88KO
computes all non-covered values and adds them to the default .K  RP B/@!9 J8\\8@
KO
"K  R(P B/@!9 J8\(\8@
KO
bin. Bins which are created after this call will be ignored.
4K  B/@!9 J\(\KO
In Figure 4, an example for the original SystemVerilog no-

K  B/@,,9 99JKO

K  B/@,,9 99J(KO
tation for ignore and illegal bins is displayed. Ignore
K  R
9P B/@!9
9 
bins specify values or ranges which shall be ignored while J\
9\8(9J8$8)8)8
8KKO

$K  R9P B/@!9
9 
covering the expression, even if they are included in the J\9\8 B/@(9J(88(,8(,KKO
declaration of other bins. Illegal bins specify values on
)K V
which the simulation shall be halted. In this case, a user-
defined error message is shown. A cross-coverpoint allows Fig. 5. SystemC implementation of Figure 4
computing the cross product on all values of given coverpoints.
As this may result in a large data sets, it is useful to limit
the product on certain bins. Therefore, this example makes in transition bins.
just use of the two operators binsof and intersect. The III. C ONTROLLER A REA N ETWORK (CAN) MODEL
binsof operator refers to the bins of an existing coverpoint.
In our case study we use a CAN controller model imple-
By the intersect expression the possible candidates can
mented in SystemC. The architecture of the model is depicted
be limited using specific values or intervals.
in Figure 6. This architecture was motivated by the Stand-
alone CAN controller SJA1000 from Philips Semiconduc-

K LD4M8(O tors [5]. The implemented controller mainly consists of four
K modules: a Message Buffer module, an Interface Management
K 

J(,KXJ

KO
$K 8(
Logic module (IML ), a Bit Stream Processing (BSP ) module
)K Q and an Error Management Logic (EML ) module. Furthermore,
+K 
&
9P"JK

Q)8L
DMVO the CAN simulation model also contains a so-called bus
K 
 &9P"J(K

Q(,VO module (CAN Bus) used as an abstraction of the physical bus.
.K V
"K 

Host

Fig. 4. SystemVerilog ignore and illegal bins

CAN controller
The corresponding implementation of the illegal and
IML
ignore concept within the SCFC library is shown in Figure
5. To define a cross-coverpoint, a coverpoint has to be declared
first. Using the methods new_illegal_SVCrossBins Clock Message Buffer
EML
and new_ignore_SVCrossBins the respective bins are txb
created. Moreover, the cross product is limited using the
intersect operator and an expression consisting of boolean
operators !, &&, and ||, which are also supported by the
rxfifo

BSP
SystemC library. Transition bins are support in two ways. First,
ACF
it is possible to define a custom sample function whereas return
value true leads to a bin hit. Second, transition vectors are
assigned to a transition bin and are elaborated with a vector
matching class.
In summary, our SystemC functional coverage implementa-
tion allows the definition of coverpoints with bins, transition CAN bus

bins, illegal bins, ignore bins, default bins as well as cross-

coverpoints. As it is implemented as a library and based Fig. 6. CAN bus model
on the factory concept, the solution is highly flexible and
can be easily combined with existing SystemC designs to • Message buffer is used to store messages (CAN frames)
leverage functional coverage. Compared to SystemVerilog, coming from or going to the bus. In the current imple-
the current implementation does not support clocking block mentation, it consists of two simple buffers for incoming
signals, conditional guards to avoid sampling and wildcards and outgoing frames.

978-1-4244-5841-7/10/$26.00 ©2010 IEEE 30 SIES 2010

 • Interface Management Logic (IML) is a module that
transforms data and identifier received from the host into
CAN frames. Following, the built frame is stored into the
message buffer and is ready for transfer.
• Bit Stream Processing (BSP) is responsible for the recep-
tion (de-serialization) and transmission (serialization) of
the CAN messages. It performs aspects of the CAN pro-
tocol like bitwise arbitration, (de-)stuffing, error detection
(bit errors, form errors and acknowledge errors). Further-
more, the BSP performs acceptance filtering (ACF) and
CRC checking.
• Error Management Logic (EML) is a module that im-
plements fault confinements rules according the CAN
specification described in [4]. This module consists of
several counters to keep track of reception and transmis-
sion errors. The counters are updated depending of the
kind of error that occurred (Bit Error, Stuff Error, Form
Error, CRC Error, Acknowledgement Error).
• The CAN bus module is needed for simulation purposes,
it is a SystemC channel, that was implemented to abstract
the physical bus.
The implemented CAN controller is an abstract high level
CAN model. Therefore, not all the features of the specification
are supported. In the current implementation, there is no
support of extended CAN frames. Only standard CAN frames
are used for network communication. Figure 7 compares a
Fig. 7. Structure of a CAN message
standard and an extended CAN message format. As it can be
seen, the main difference lies in the size of the arbitration
and the control field. Furthermore, Bit Timing Logic (BTL)
which is a module that handles bit timing in CAN systems
is not implemented. Instead, the assumption is made that
all controllers in the network are triggered by the same
clock. Therefore, no synchronization is needed. For further
information of the module Bit Timing Logic see [4]. Due to
the absence of the BTL module, no overload frames are sent
by the BSP.
IV. CAN T ESTBENCH
The general architecture of the implemented CAN is given
in Figure 8. It comprises six components:
978-1-4244-5841-7/10/$26.00 ©2010 IEEE
• Stimulus generator
• Transfer function
• Driver
• Design under test
• Coverage monitor
• Logging and Acceptance evaluation
The stimulus generator of the testbench is used for the
input stimuli generation for the CAN controller (DUT). The
transfer function module simulates the input and generates
the expected output using a reference model of the CAN
controller. The driver (adaptation) component converts the data
received from the stimuli generator and drives it to the DUT.
Another important component of the testbench is the coverage
monitor, as it collects various coverage information based on
the output of the stimulus generator and the output of the DUT
for later scoreboarding. Note, that the coverage monitor is part
of the testbench and autonomous for the functional coverage
collection. The logging and acceptance module is needed for
data logging and acceptance evaluation based on a scoreboard.
Transfer-
function
Stimulatus-
Driver
Design Under
Logging and
Acceptance
generator Test
Evaluation
Coverage-
monitor
Fig. 8. testbench model
A. Stimulus generation
The stimulus generator creates specific or completely ran-
domized messages for the Design Under Test based on the
parameterization. It offers the possibility to generate both
standard and extended CAN frames along CAN Specification
2.0 (see [4]. The choice is made based on a value that indicates
with what percentage standard CAN frames will be generated
throughout the simulation process. 100% means that only
standard CAN frames shall be generated. This value can be
set by a specific function within the testbench. Furthermore,
it is possible to set a fixed ID for the CAN message that is
generated. Here, the use of the stimulus generator is inspired
by the SystemC Verification Library (SCV). Its application
is as follows: After its instantiation it can be parameterized
using appropriate function calls. New CAN frame objects
are created by the function call next() and can be directly
referenced in the generator. Furthermore, CAN frames which
do not need stuff bits can also be generated by using the
next no stuff() function call. Stuff bits are special bits needed
for synchronization purposes during data transmission on a
CAN bus. After five consecutive bits of the same value an
inverted bit has to be inserted. For the generation of Stuff-
bit-free CAN frames, the fields Arbitration, Control and Data
are created without stuff bits. Thereafter, the CRC check is
simulated to verify that no stuff bits are really expected. If
this is the case, the message is stored in the generator and
31 SIES 2010

can be used within test cases to investigate the behavior of
the system for this specific case. The generated CAN frames
are then passed to the reference model for simulation purpose
and, after treatment of data by the adaptation module (Driver),
to the actual model for data transmission.
B. Transfer function
The transfer function module receives all CAN frames
generated by the stimulus generator as input. These are then
taken to compute the expected output of the DUT in order
to compare it with the actual output produced by the DUT
later within the LA (Logging and Acceptance evaluation)
module. Another task of the transfer function is to compute
the transmission durations of the frames in clock ticks and
stores them in the scoreboard of the LA module. Hereby, the
length of the frame including the stuff bits that are inserted
during transmission and the arbitration on the CAN bus are
considered. The computation of the frame length is done by
the so-called StuffbitChecker.
The StuffBitChecker is part of the transfer function module.
It automatically checks the number of stuff bits of each frame
generated by the stimulus generator and stores it with its
position. For this, it iterates through the relevant fields of the
frame (SOF, ARB, CTRL, DATA, CRC). Furthermore, CRC-
Check is simulated for the computation of Stuff bits present
in the CRC field. Afterward the results of the computation can
be accessed by the LA Module or by the Coverage monitor.
All frames present in the system are stored in a vector and
processed according to their respective IDs. This guarantees
that only those messages compete as in the arbitration phase
of the CAN network.
C. Driver
Since the message objects produced by the stimulus gener-
ator are standard data types (int, char), and because of the
fact that the CAN model uses sc_logic vectors to store the
individual message elements, the driver module makes use of
a message converter to convert the generated values into CAN-
frames before driving them to the DUT.
D. Coverage monitor
The coverage monitor is used in the testbench model to
gather coverage information for message objects produced by
the generator and for messages received from the DUT. For
this, we define a functional coverage metric with help of our
functional coverage library and make use of it in several test
scenarios. The coverage metric monitors the desired values
and performs a functional coverage analysis. An example is
to cover the IDs of the generated CAN frames of the stimulus
generator. A termination condition can be set based on the
information from the coverage analysis like for instance when
a specific number of IDs within a certain interval have been
generated.
978-1-4244-5841-7/10/$26.00 ©2010 IEEE
received transfer function message:
data --> 01011110
arbitration -- > 548(1000100100)
generation_time -- > 0 s
start_time -- > -
Fig. 9. transfer function
received controller message:
data -- > 01011110
arbitration -- > 548(1000100100)
generation_time -- > -
start_time --> 5
Fig. 10. logging and acceptance evaluation
E. Logging and Acceptance evaluation
The LA module in the testbench is used for system analysis
and for logging of generated and received CAN frames.
These are the messages produced by the generator and the
received by the receiving controller within the DUT are
logged. The second task of the LA module is the comparison
and verification of the output provided by the Transfer function
module with the actual output of the DUT. Figures 9 and
10 depict such a log-file generated by the LA module. As
shown in the figure, only the dynamic part (i.e., parts that
were automatically generated) of the messages are logged with
some additional timing information.
Figure 9 shows the message produced by the stimulus
generator, and simulated by the transfer function. This file
contains the generation time, the calculated arrival time in
clock ticks and the ID controller sending of this message.
Figure 10 shows the message after its transmission over the
CAN bus. It contains the time stamp at which the controller
started the message transfer and the time stamp at which
the message was received. These log files can be used for
manual review of DUT behavior. Furthermore, the LA module
monitors the bus traffic in order to rebuild the transmitted
CAN-frames. Hereby, the main focus is to test and verify the
behavior of the BSP module by investigating aspects such
as the recognition of stuff bits and correct behavior during
the arbitration phase. These are stored in a map with the
appropriate CAN frame along with the position of stuff bits
for each message. The stuff bits identified by the BSP module
are compared with those calculated by the transfer function
and taken into account during the acceptance evaluation. The
frames calculated by the transfer function and the frames
transmitted on the CAN bus are stored in a scoreboard and
can later be used to conduct the acceptance evaluation. In
order to check the reliability of the design under the conditions
provided by the test cases, it is possible to alter various metrics
such as the percentage of error free message receptions or the
32 SIES 2010
maximum latency.
V. S CENARIOS
For verification of the CAN bus model and usability study
of the SystemC coverage library, we have defined and im-
plemented several test scenarios. First the relevant signal
valuations of the DUT have to be identified such as ID fields,
CRC and Stuff Bits in order to cover the associated expressions
within the simulation. Moreover, with help of the functional
coverage library the DUT control path logic can be efficiently
covered using transition bins. In the following subsection, we
first give a briefly overview about these scenarios and how we
made use of the functional coverage features of our developed
library. There, we also summarize Scenarios V-A to V-D, as
scenario V-E is a superset of all previously iterative developed
scenarios, applying most coverage library features.
A. Sender/Receiver Scenario
This scenario verifies the CAN data packet transmission
via the CAN bus from a single CAN controller to two CAN
controllers. The controller which intends to send data starts
to send a data packet with a certain CAN message ID onto
the CAN bus. Two other controllers are configured in a way
to accept this CAN message ID. In the test run, the IDs are
randomized and the SystemC functional coverage library is
used to determine the coverage of the ID variable. Though this
use case quite simple, it allows the efficient combination of
random constrained stimuli and functional coverage analysis.
The developer has easy access to information like how much
RRU
of the overall variable values have been assigned during the
test run.
RRU
B. Bus Arbitration Scenario
5'5.S2555@
5'S/U
In this scenario, three CAN controllers start to drive a
CAN packet onto the CAN bus model at the same time. One
F-5.S2555S/U
controller sends the message for the receiving CAN controller,
(G
55 ./U
the other two send data with different CAN IDs. So despite
there is not collision in this test, it verifies the wiring of the
CAN bus model and the bus arbitration. Again, the SystemC
coverage library is used to cover the CAN ID and to emphasize
verification efforts to corner cases. Additionally, the control
flow logic of the controller is covered via transition bins.
C. Priorities & Arbitration Scenario
This scenario combines V-A and V-B to verify that messages
with lower IDs, and a higher priority, win the bus arbitration.
Here, at least two sender and receivers are created. In the
fourth controller scenario, the first sender controller sends a
CAN message to the other controllers. The second sender also
sends a message with a higher ID. So this model verifies the
bus arbitration in a multi-sender and receiver CAN network.
The coverage library is again used to cover simulated IDs.
Illegal bins have been specified to capture disallowed variable
assignments as they should not occur during the simulation.
978-1-4244-5841-7/10/$26.00 ©2010 IEEE
D. Messages Coverage 1
Scenario V-D is an extensive test case where a large set
of controllers is applied. In fact, for every possible binary
combination of the ID field (which is used for arbitration
in the CAN bus standard) a CAN controller is configured
and instantiated. This leads to 2032 CAN Controllers each
sending messages with the same ID as their Controller ID.
Additionally, all controllers act as receivers once they sent
their messages or in case of lost arbitration, accepting mes-
sages with arbitrary ID value. This scenario enables extensive
coverage collection with help of the SystemC coverage library.
During the simulation, the received CAN messages ID are
sampled (covered), resulting in one bin for every occured
message ID. With help of this collected data, the coverage
of the input data can be calculated.
Figure 11 shows the constructor of the test class. The
SystemC functional coverage library is instantiated and a
database file for the collected coverage information is specified
via set_coverage_db_name(). For a proper working
coverage, the factory is initialized via init_factory().
Additionally, the CAN bus itself, the transfer function compo-
nent and the CAN messages generator are instantiated. These
initializing steps of the verification environment are based on
SCV Library behaviors [6].
5):!"+.255/
P
5:K.255/7.SS/
P
5)D:!.@/U
5,./U
@5
5)D:!./U
5,./U
@5
FI5I>77./U
(G5@
(G5>./U
'  F-5' .S' S<55 /U
' (G./U
5 F
5 (G./U
 (G5./U
V
Fig. 11. Constructor of test scenario V-D
E. Messages Coverage 2
Figure 12 shows the constructor of Scenario five. First,
relevant variables are defined and initialized. The variable
message_counter is a counter variable and represents
how many messages are present in the system. If a new
message is generated it is incremented. Once a message is
received it is decremented. This indicates how many messages
have to be driven to the bus simultaneously in the arbitration
phase. Variable stuff_bit_count_sig is a sc_signal
from type int. It is used for the coverage computation and
represents the stuff bits in a generated CAN message. The
boolean compute_coverage indicates if the coverage has
to be computed within the specific clock cycle or not. It is
33 SIES 2010
 5):!"+.255 / @./P
. 5@
/P
P I5@
 O
>F(G
5I5@
 5>.<
5:K.255 /7 .S S/ S 55@
 S/U
P .
>QF2"++/
..2"++//U NN,, 
>(G./U
 RRSKK:K7I5@
  TSU

5 F3U
 5@
FU
 5'5 5
-.(
/U V
 5@
FU .5 (G5>5
./FF /P
FI5I>77./U  5'5 5
-.5 (G
5 5'5 .//U
(G5@
5'5.S255 5@
5''S/U  5@
F U
5 (G5>5
-./U
(G5>./U V
5)D:!.
555-5
/U .F3UR55 UYY/P
5,./U 5OF..5O/.55>WX//U
@RR U .(G955@'5
.//P
(G955@'5
-./U
5)D:!./U 5WX(G
5
55' ./U
5,./U 
5 ((U
@RR U V
'  F-5' .S' S<55 /U V
' (G. /U .Q 5@
[[(G
5I5@
 5>.<
S 55@
 S/(G
5@
./GF$3/P

F-5.S255 5S/U  RRS SRR55./RRS- ('(@

5 F
(G
55 ./U SRR(G
5I5@
 5>.<
5 (G. /U S 55@
 S/(G
5@
./RRSTSU
(G5./U ./U
V
V V


Fig. 12. Constructor of test scenario V-E Fig. 14. sample() method of test scenario V-E

always set to true once the transfer function has determined
the stuff bits of a generated CAN message.
Additionally, two SC_METHOD are defined which will be
executed every clock cycle. In order to generate meaningful
traffic for the CAN bus model, one method is utilized to
generate and transmit new messages, as depicted in Figure
13.
on the stuff_bit_count_sig signal which is driven
by the transfer function and contains the amount of stuff
bits generated for the latest generated CAN message. The
transitions bin makes use of that value in order to check
if they are covered. After these steps, the coverage library
is instantiated, configured by setting database filename, and
initialized.

Fig. 13. CAN message randomizer of test scenario V-E Fig. 15. Verification Environment (transition bins) in test scenario V-E

Here, the sample() method in Figure 14 can be subdi-

vided into four tasks:
1) Start of the coverage analysis once the transfer function
calculated the stuff bits of a new CAN message.
2) Check if the transfer function calculated stuff bits of a
new CAN message.
3) Check if the CAN controller received a CAN message
when delivering this message to the Logging and Ac-
ceptance evaluation model.
4) Stop in case of sufficient coverage (stop criterion).
The verification environment is depicted in Figure 15. First,
a covergroup for the stuff bit coverage is defined. For every
stuff bit class a transition bin is declared. The coverpoint relies
VI. R ELATED WORK
In the area of CAN bus testing, [7] validated a CAN IP
and analyzed several aspects of verification methodologies to
validate designs in the context of automotive systems develop-
ment. However, the authors apply manual directed test pattern
design and no constrained random stimuli generation and no
functional coverage in the sense of functional verification and
the SystemVerilog standard. Our studies have shown that for
the identification of corner cases, constrained random tech-
niques are much ahead of classical techniques. Moreover, it is
not possible to define allowed sequences of variable transitions
(e.g., via transition bins) or forbidden cases (e.g., via illegal

978-1-4244-5841-7/10/$26.00 ©2010 IEEE 34 SIES 2010

bins). In the area of verification libraries, the Open Verification
Library (OVL) [8] is maintained by Accellera and provides
checkers that may work as assertion, assumption or coverage
point checkers. The most recent versions support SystemVer-
ilog, Verilog and VHDL. Unfortunately, there is currently
no support for SystemC. Additionally, except SystemVerilog
the supported languages are working on RTL level, impeding
verification on higher levels of abstraction on more abstract
data types. In the area of functional coverage implementations
with SystemC, [9] introduces a functional coverage prototype.
Unfortunately, just a list of functions without any details is
available. In contrast, our library is open with all details
as open source. In [10] the authors introduce a verification
framework based on the SystemC Verification Library (SCV)
providing a coverage monitor library for functional coverage
modeling. The implemented basic coverage operators range
from logical OR, equal, non-equal, greater, etc. and
are not as powerful as the IEEE 1800 SystemVerilog cover-
age features. In [11] the authors propose a coverage-driven
verification methodology approach that uses the their own
bve_cover class. This class has also been referenced in [12]
and [13]. It is reported that the approach allows definition
of (illegal) buckets (similiar to bins) and cross-coverage.
Unfortunately, the authors do not given more details. In [14]
a coverage driven testing policy is proposed whereas Property
Specification Language (PSL) expressions which are converted
to C++ are used to gather and inspect function coverage
information. In [15] the author uses the callback facility of
the SystemC SCV library to achieve functional equivalent of
SystemVerilog value and transition coverpoints. Unfortunately,
this approach does not include advanced features like cross
coverage, illegal bins or default declaration.
VII. C ONCLUSION & O UTLOOK
In this article, we introduced a SystemC functional coverage
library and testbench and applied it to a SystemC model of
a Controller Area Network (CAN). The SystemC implemen-
tation of the coverage language features of IEEE 1800-2005
SystemVerilog, such as covergroup, allows functional cov-
erage to be efficiently collected and evaluated within SystemC
simulation runs. In advanced testbenches this coverage data
may be efficiently used to steer the stimuli generators or
the constraint solvers of constrained random variables into
the right direction, targeting closure of the coverage gap.
With our library, we could efficiently analyze the testbench
for different configurations of CAN controllers. We defined
several test scenarios, each utilizing the different features of
the functional coverage library. With help of our coverage
collection uncovered corner cases of the CAN testbench and
the DUT could be identified which were not addressed by the
initial verification environment. By improving the testbench
we could successfully identify various design flaws and bugs
of the CAN bus model. As such, the functional coverage
collection helped to emphasize verification effort into the
right directions during the development. For example, control
path logic can be efficiently covered using transition
978-1-4244-5841-7/10/$26.00 ©2010 IEEE
bins, whereas forbidden cases may be modeled as illegal
bins. Though SystemC CAN model is implemented at RTL
level, test cases could be driven and managed by a high level
testbench.
Future work, is the investigation of the impact of the Open
Verification Methodology (OVM) to SystemC in combination
with adding coverage support for arbitrary data types such
as events on transaction level. Additionally, a closer database
coupling to, for example, Accellera UCIS could enhance
coverage results reuse and management.
ACKNOWLEDGEMENTS
This work was partly funded by the DFG Collaborative
Research Centre 614 and by the German Ministry of Education
and Research (BMBF) through the BMBF projects SANITAS
(01M3088) and VERDE (01IS09012). We greatly appreciate
the cooperation with the project partners.
R EFERENCES
[1] J. Bergeron, “Writing testbenches: Functional verification of HDL
models.” Kluwer Academic Publishers, 2003.
[2] “IEEE Standard for System Verilog-unified Hardware design, specifica-
tion, and verification language,” IEEE STD 1800-2009, 2009.
[3] Open SystemC Initiative, “IEEE Standard SystemC language reference
manual,” IEEE Std 1666-2005, 2006.
[4] Robert Bosch GmbH, “CAN Specification version 2.0”, 1991.
[5] Philips Semiconductors, “SJA1000 stand-alone CAN controller,” Data
sheet, 2000.
[6] SystemC Verification Library v1.0p2, Open SystemC Initiative, 2006.
[Online]. Available: http://www.systemc.org/downloads/standards/
[7] J. S. Antonio Souza and P. Domingues, “Functional verification of a
CAN data layer implementation: a case study,” Brazil Semiconductor
Technology Center (BSTC), 2003.
[8] Accellera Organization Inc., Open verification library (OVL). (2009,
May) [Online]. Available: http://www.accellera.org/activities/ovl/
[9] R. Siegmund, U. Hensel, A. Herrholz, and I. Volt. (2004) Functional
coverage prototype for SystemC-based verification of chipset designs.
AMD Dresden Design Center.
[10] S. Park and S.-I. Chae, “A C/C++-based functional verification frame-
work using the SystemC verification library,” Rapid System Prototyping,
IEEE International Workshop on, vol. 0, pp. 237–239, 2005.
[11] K. R. G. da Silva, E. U. K. Melcher, G. Araujo, and V. A. Pimenta, “An
automatic testbench generation tool for a SystemC functional verification
methodology,” in SBCCI ’04: Proceedings of the 17th symposium on
Integrated circuits and system design. New York, NY, USA: ACM,
2004, pp. 66–70.
[12] G. S. Silveira, K. R. G. da Silva, and E. U. K. Melcher, “Functional
verification of an mpeg-4 decoder design using a random constrained
movie generator,” in SBCCI ’07: Proceedings of the 20th annual
conference on Integrated circuits and systems design. New York, NY,
USA: ACM, 2007, pp. 360–364.
[13] C. L. Rodrigues, K. R. G. da Silva, and H. N. Cunha, “Improving func-
tional verification of embedded systems using hierarchical composition
and set theory,” in SAC ’09: Proceedings of the 2009 ACM symposium
on Applied Computing. New York, NY, USA: ACM, 2009, pp. 1632–
1636.
[14] Y. Lahbib, O. Missaoui, M. Hechkel, D. Lahbib, B. Mohamed-Yosri, and
R. Tourki, “Verification flow optimization using an automatic coverage
driven testing policy,” in Design and Test of Integrated Systems in
Nanoscale Technology, 2006. DTIS 2006. International Conference on,
sept. 2006, pp. 94 –99.
[15] K. Schwartz, “A Technique for Adding Functional Coverage to Sys-
temC,” in DVCON 2007. Willamette HDL, Inc., 2007.
35 SIES 2010