3C-3
Symbolic Model Checking of Analog/Mixed-Signal Circuits*
David Walter, Scott Little, Nicholas Seegmiller, Chris J. Myers (University of Utah, Salt Lake City, UT 84112; {dwalter, little, seegmill, myers}@vlsigroup.ece.utah.edu)
Tomohiro Yoneda (National Institute of Informatics, Tokyo, Japan; yoneda@nii.ac.jp)
Abstract— This paper presents a Boolean based symbolic model checking algorithm for the verification of analog/mixed-signal (AMS) circuits. The systems are modeled in VHDL-AMS, a hardware description language for AMS circuits. The VHDL-AMS description is compiled into labeled hybrid Petri nets (LHPNs) in which analog values are modeled as continuous variables that can change at rates in a bounded range and digital values are modeled using Boolean signals. System properties are specified as temporal logic formulas using timed CTL (TCTL). The verification proceeds over the structure of the formula and maps separation predicates to Boolean variables. The state space is thus represented as a Boolean function using a binary decision diagram (BDD) and the verification algorithm relies on the efficient use of BDD operations.
I. Introduction
While taking up only a small portion of the chip area, analog/mixed-signal (AMS) circuits are responsible for 50 percent of the errors that result in a redesign [11]. Therefore, improvements in AMS circuit validation methodology are very important. Analog circuit validation is typically achieved using SPICE simulation. Although mixed-signal validation can be done using VHDL-AMS simulation, it is often done in a more ad hoc way. Until recently, digital circuit validation also utilized this simulation-only based methodology, but now formal verification is often employed. Formal verification utilizes nondeterminism and state space exploration to simultaneously validate all possible simulations over a range of parameters and initial conditions. While simulation has the potential to identify any error, it is necessary to identify the particular simulation parameters that would result in each error. Formal verification approaches alleviate this necessity. These techniques, therefore, provide a promising mechanism to validate designs in the face of noise and uncertain parameters.
Perhaps the first work in the formal verification of AMS circuits is from Kurshan and McMillan in which analog circuit models are translated to finite state models using homomorphic transformations [12]. Hartong et al. verify analog circuits by dividing the continuous state space into regions that are represented in a Boolean manner [8]. This allows them to perform model checking using standard Boolean-based approaches though at some loss of accuracy. Tools for verifying hybrid systems have also been adapted to verify AMS circuits. Gupta et al. utilize CheckMate to verify analog circuits such as a tunnel diode oscillator and a delta-sigma modulator [7]. In [3], Dang et al. use d/dt to verify a biquad low-pass filter. In [6], Frehse et al. use PHAVer to verify analog oscillator circuits. These approaches, however, require a user to describe an AMS circuit using a hybrid automaton which is unfamiliar to most AMS circuit designers. In [13], Little et al. adapt a zone-based algorithm for the verification of AMS circuits. This method, however, only supports constant rates of change for the continuous variables and conservatively abstracts the continuous state space.
*This research is supported by SRC contract 2005-TJ-1357 and an SRC Graduate Fellowship.
This paper describes a new exact symbolic model checking algorithm for the verification of AMS circuits which supports ranges on the rates of change for the continuous variables. Figure 1 presents a flowchart of the steps in this verification method. A model of the AMS circuit is first specified by the designer using a subset of VHDL-AMS described below. By allowing the designer to specify the model in a language that is familiar to them, we hope to encourage the acceptance of formal verification methodologies. The VHDL-AMS description is automatically compiled into a labeled hybrid Petri net (LHPN) which includes Boolean signals to represent digital circuitry and continuous variables to model voltages and currents in the analog circuitry. The LHPN model provides a formalism for reasoning about the system being analyzed. System properties are specified as temporal logic formulas using timed CTL (TCTL). The TCTL can be automatically generated from assert statements in VHDL-AMS or more complicated properties can be specified by the designer. In [17], Seshia and Bryant describe a symbolic model checking procedure for real-time systems based on the one described in [9]. Their method maps separation predicates to Boolean variables so that analysis can be performed using BDD operations. Since this work is only for real-time systems, all continuous variables can only change with a rate of one. Therefore, this paper extends this work to support continuous variables that can change at any rate within a range in order to allow for the symbolic model checking of AMS circuits with BDDs. In preparation for the application of the Boolean model checking method, the LHPN is converted to a Boolean symbolic model and the TCTL is converted into a timed μ (Tμ) property. Finally, model checking is performed and a verification result is obtained.
II. Motivating Example
1-4244-0630-7/07/$20.00 ©2007 IEEE.
Fig. 1. Verification tool flow. [Figure: flowchart of the steps in the verification method, ending in the box "Verification Result".]
[Labels from the circuit diagram of Fig. 2: Vin = ±1 V, freq(Vin) = 5 kHz, Vout, C1 = 1 pF, C2 = 25 pF, freq(φ1) = freq(φ2) = 500 kHz, dVout/dt = ±(18 to 22) mV/µs.]
This paper uses the switched capacitor integrator shown in Fig. 2 as a running example. This circuit takes as input a 5 kHz square wave that varies from −1 V to +1 V and generates a triangle wave as output representing the integral of the input voltage. Discrete-time integrators typically utilize switched capacitor circuits to accumulate charge which can cause gain errors in the integrator due to capacitor mismatch. Therefore, the output voltage in our model is allowed to have a slew rate anywhere between 18 to 22 mV/µs to represent a ±10 percent variance in circuit parameters. The verification goal is to ensure that Vout never saturates (i.e., it is always between −2000 mV and 2000 mV). An experienced analog circuit designer may realize the potential of this circuit to fail. However, a very specific and unusual SPICE simulation is required to demonstrate this failure. Specifically, a failure only appears in a simulation where capacitor mismatch results in a different slew rate when charging the capacitor versus when discharging the capacitor. Furthermore, it is highly unlikely that a simulation allowing for random uncertainty in the system variables would reveal the error. Therefore, a formal verification approach is beneficial.
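The following Python example is added here to make the failure mode concrete; it is not code from the paper or its tool. It models the integrator of Fig. 2 as the paper describes it (Vout starts at −1000 mV, Vin toggles every 100 µs, slew rate magnitude anywhere in [18, 22] mV/µs) and contrasts a single nominal simulation with a forward interval envelope over all rates in the range. The envelope is a simplified forward reachability computation, not the paper's backward symbolic algorithm; the model constants, the phase length of 100 µs, and the function names are assumptions of this example.

```python
# Constructed model of the switched capacitor integrator (units: mV and us).
V_INIT = -1000      # break Vout => -1000.0
PHASE_US = 100      # assign(Vin, ..., 100, 100): each phase lasts 100 us
RISE = (18, 22)     # rate range while Vin = '0'
FALL = (-22, -18)   # rate range while Vin = '1'
LIMIT = 2000        # assertion: -2000 < Vout < 2000


def phase_rates(phase):
    """Rate range for phase 0, 1, 2, ...; Vin starts at '0' so phase 0 rises."""
    return RISE if phase % 2 == 0 else FALL


def interval_step(lo, hi, rate, duration):
    """Envelope of all trajectories starting in [lo, hi] after `duration`
    when the rate may take any value in `rate`.  The extremes are reached by
    holding the lowest or highest rate for the whole phase."""
    rlo, rhi = rate
    return lo + rlo * duration, hi + rhi * duration


def first_unsafe_phase(phases):
    """First phase (1-based) whose reachable envelope violates the assertion,
    or None if the envelope stays inside (-LIMIT, LIMIT) for every phase."""
    lo = hi = V_INIT
    for k in range(phases):
        lo, hi = interval_step(lo, hi, phase_rates(k), PHASE_US)
        if lo <= -LIMIT or hi >= LIMIT:
            return k + 1
    return None


def nominal_trace(phases, rate=20):
    """One SPICE-like simulation with a single fixed slew rate magnitude."""
    v = V_INIT
    trace = [v]
    for k in range(phases):
        v += (rate if k % 2 == 0 else -rate) * PHASE_US
        trace.append(v)
    return trace


def mismatched_trace(phases, rise=22, fall=-18):
    """A concrete witness: charging faster than discharging drifts upward
    until the 2000 mV bound is hit.  Both rates lie inside the allowed range."""
    v = V_INIT
    trace = [v]
    for k in range(phases):
        v += (rise if k % 2 == 0 else fall) * PHASE_US
        trace.append(v)
    return trace


if __name__ == "__main__":
    print("nominal Vout at phase ends:", nominal_trace(6))
    print("mismatched Vout at phase ends:", mismatched_trace(6))
    print("first unsafe phase over all rates:", first_unsafe_phase(20))
```

The nominal trace oscillates between −1000 and 1000 mV forever, which is why a simulation with matched charge and discharge rates never exposes the problem; the envelope shows that within five phases some choice of rates in the allowed range already reaches the saturation bound, which is the case a formal analysis over the whole rate range covers by construction.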
Using a subset of VHDL-AMS, the circuit in Fig. 2 can be modeled as shown in Fig. 3. The VHDL-AMS subset that is supported allows variables of types std_logic for representing Boolean signals and real for representing continuous quantities. Continuous variables can be initialized using break statements. The rates of continuous variables can be updated using simultaneous statements such as the if-use and case-use statements. Sequential behavior can be specified using process statements without sensitivity lists. Within a process, supported statements are wait, signal assignment, if-then, case, and while-loop. Finally, assert statements can be used to state basic safety properties about the system. For convenience, our VHDL-AMS descriptions also use procedures defined in the handshake and nondeterminism packages [15]. For example, the assign procedure performs an assignment to a signal at some random time within a bounded range specified by its parameters and waits until the assignment has been performed before returning. The span procedure takes two real values and returns a random value within that range. The span procedure is used to assign a range of rates to a continuous variable.
Fig. 2. Circuit diagram for a switched capacitor integrator.
library IEEE;
use IEEE.std_logic_1164.all;
use work.handshake.all;
use work.nondeterminism.all;
entity integrator is
end integrator;
architecture switchCap of integrator is
  quantity Vout : real;
  signal Vin : std_logic := '0';
begin
  break Vout => -1000.0;  -- Initial value
  if Vin = '0' use
    Vout'dot == span(18.0, 22.0);    -- rising: any rate in [18, 22] mV/us
  elsif Vin = '1' use
    Vout'dot == span(-22.0, -18.0);  -- falling: any rate in [-22, -18] mV/us
  end use;
  process begin
    assign(Vin, '1', 100, 100);  -- Vin := '1' after exactly 100 us
    assign(Vin, '0', 100, 100);  -- Vin := '0' after exactly 100 us
  end process;
  assert (Vout'above(-2000.0) and not Vout'above(2000.0))
    report "error"
    severity failure;
end switchCap;
Fig. 3. VHDL-AMS for a switched capacitor integrator.
While similar to the VHDL-AMS description in [13], the VHDL-AMS shown in Fig. 3 is more concise because our analysis allows rates to be specified as ranges. This model tracks the real quantity Vout that represents the output voltage. The Boolean variable Vin determines the rate of Vout using the if-use statements. When Vin is 0, Vout increases at a rate between 18 and 22 mV/µs and when Vin is 1, Vout decreases at a rate between −22 and −18 mV/µs. Initially Vout is −1000 mV and increasing between 18 and 22 mV/µs. After 100 µs, Vin is assigned to 1 by the assign function which causes Vout to begin decreasing at a rate of −22 to −18 mV/µs. The assert statement is used to check if Vout falls below −2000 mV or goes above 2000 mV.
III. Labeled Hybrid Petri Nets
Our VHDL-AMS description is compiled into an LHPN for analysis. An LHPN is a Petri net model developed to represent AMS circuits with the goal of being easily generated from VHDL-AMS descriptions. The model is inspired by features in both hybrid Petri nets [4] and hybrid automata [1]. An LHPN is a tuple N = ⟨P, T, B, V, F, L, M0, S0, Q0, R0⟩:
• P : is a finite set of places;
• T : is a finite set of transitions;
• B : is a finite set of Boolean signals;
• V : is a finite set of continuous variables;
• F ⊆ (P × T) ∪ (T × P) is the flow relation;
• L : is a tuple of labels defined below;
• M0 ⊆ P is the set of initially marked places;
• S0 : is the set of initial Boolean signal values;
• Q0 : is the set of initial continuous variable values;
• R0 : is the set of initial continuous variable rates.
A key component of LHPNs are the labels. Some labels contain hybrid separation logic (HSL) formulas which are a Boolean combination of Boolean variables and separation predicates (a restricted form of inequalities relating real variables). HSL is an extension of separation logic (sometimes referred to as difference logic) that allows for non-unit slopes on the separation predicates. These formulas satisfy the following grammar:
φ ::= true | false | b_i | ¬φ | φ ∧ φ | c_i x_i > c_j x_j + c
where b_i are Boolean variables, x_i and x_j are continuous variables, and c_i, c_j, and c are constants from the set of rational numbers, ℚ. Each transition t ∈ T is labeled using the functions defined in L = ⟨E, D, BA, VA, RA⟩:
• E : T → φ labels each t with an enabling condition;
• D : T → ℚ × (ℚ ∪ {∞}) labels each t with a lower and upper bound delay value, [d_l, d_u];
• BA : T → 2^(B × {0,1}) labels each t with Boolean signal assignments made when t fires;
• VA : T → 2^(V × ℚ) labels each t with continuous variable assignments made when t fires;
• RA : T → 2^(V × (ℚ × ℚ)) labels each transition with a range of rate assignments, [r_l, r_u], made when t fires.
The LHPN shown in Fig. 4 is automatically generated from the VHDL-AMS model in Fig. 3. The break statement sets the initial value for Vout. The if-use statement is compiled into the LHPN in Fig. 4a. The process statement is compiled into the LHPN in Fig. 4b. The assert statement is compiled into the LHPN shown in Fig. 4c which fires a transition to set the Boolean signal fail to true when the assertion is violated.
Fig. 4. LHPN for the switched capacitor integrator. [Figure: (a) transitions t0 (enabling condition {Vin}, delay [0,0], Vout' := [−22,−18]) and t1 (enabling condition {¬Vin}, delay [0,0]) between places p0 and p1; (b) transitions t2 and t3 with delay [100,100] between places p2 and p3; (c) transition t4 with enabling condition {Vout ≤ −2000 ∨ Vout ≥ 2000}, delay [0,0], and fail := T. Q0 = {Vout = −1000}, R0 = {Vout' = [18,22]}, S0 = {¬Vin, ¬fail}.]
Formal semantics of LHPNs are given in [13, 18]. Intuitively, transitions in LHPNs are controlled by enabling conditions and timing constraints. When the enabling condition becomes satisfied, the clock on the transition begins, and the transition fires sometime after the clock reaches its lower bound and before it exceeds its upper bound. Upon firing, the discrete marking is updated by removing tokens from the preset places of the transition and placing tokens in the postset places of the transition. Additionally, assignments are made to Boolean signals, continuous variables, and rates of continuous variables. For the LHPN in Fig. 4, the marking is initially {p0, p2, p4}, the Boolean signal Vin is false, the continuous variable Vout is −1000, and Vout is increasing at a rate of 18 to 22 mV/µs. After 100 µs, t2 fires resulting in p2 becoming unmarked, p3 becoming marked, and the assignment of true to Vin. This assignment causes the enabling and immediate firing of t0 and thus the assignment of −22 to −18 mV/µs to the rate for Vout.
IV. Boolean Representation
The verification algorithm relies on performing Boolean operations using BDDs. Thus, it is necessary to efficiently represent HSL formulas as Boolean formulas. This requires a canonical representation of HSL separation predicates.¹ The canonical representation is of the form c_i x_i > c_j x_j + c with the following restrictions where x_0 is a special variable representing zero:
• The continuous variables x_i and x_j are distinct.
• If x_i = x_0 or x_j = x_0 then the corresponding constant c_i or c_j is one.
• The constants c_i and c_j are not both negative.
• If c_i or c_j is negative (but not both), then in the ordered set of real variables, x_i comes before x_j.
• The constants c_i and c_j are arbitrarily large integers with a greatest common denominator of one.
• The constant c is a rational number using arbitrarily large integers as the numerator and the denominator.
Using these restrictions and the fact that separation predicates of the form c_i x_i > c_j x_j + c are equivalent to −c_j x_j > −c_i x_i + c, any separation predicate can be represented in a unique way.
¹A similar approach is suggested for octagonal polyhedra in [14].
For clarity, we show separation predicates as written throughout the remainder of this paper; however, they are actually mapped to BDD variables in their canonical form.
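The canonicalization just described, written out as an added Python example (not code from the paper or its tool): each separation predicate c_i x_i > c_j x_j + c is rewritten by the six restrictions above into a unique tuple, and a small table hands out one Boolean variable index per canonical tuple, which is what mapping predicates to BDD variables amounts to. The variable order ORDER, the name x0 for the zero variable, and the PredicateTable class are assumptions of this example; the paper only says that the real variables are ordered.

```python
from fractions import Fraction
from math import gcd, lcm   # math.lcm needs Python 3.9 or later

ZERO = "x0"   # the special variable that always represents zero

# Variable order used by the ordering restriction.  The paper only speaks of
# "the ordered set of real variables"; this particular order is an assumption
# of the example (the zero variable is placed first).
ORDER = [ZERO, "Vout", "ct0", "ct1", "ct2", "ct3", "ct4", "x1", "x2", "x3"]


def _rank(x):
    return ORDER.index(x)


def canonical(ci, xi, cj, xj, c):
    """Canonical form of the separation predicate ci*xi > cj*xj + c.

    Returns the tuple (ci, xi, cj, xj, c) that every equivalent way of
    writing the predicate maps to, so it can serve as a BDD-variable key."""
    ci, cj, c = Fraction(ci), Fraction(cj), Fraction(c)
    if xi == xj:
        raise ValueError("a separation predicate relates two distinct variables")
    if ci == 0 or cj == 0:
        raise ValueError("use the zero variable x0 instead of a zero coefficient")
    # Equivalence behind the sign restrictions:
    #   ci*xi > cj*xj + c   <=>   (-cj)*xj > (-ci)*xi + c
    # Flip when both coefficients are negative, or when exactly one is
    # negative and the variables are not in the required order.
    one_negative = (ci < 0) != (cj < 0)
    if (ci < 0 and cj < 0) or (one_negative and _rank(xi) > _rank(xj)):
        ci, xi, cj, xj = -cj, xj, -ci, xi
    # The coefficient on the zero variable is irrelevant: normalise it to one.
    if xi == ZERO:
        ci = Fraction(1)
    if xj == ZERO:
        cj = Fraction(1)
    # Scale so that ci and cj are integers with gcd one; c stays rational.
    scale = lcm(ci.denominator, cj.denominator)
    ci, cj, c = ci * scale, cj * scale, c * scale
    g = gcd(int(ci), int(cj))
    return (int(ci / g), xi, int(cj / g), xj, c / g)


class PredicateTable:
    """Assigns one Boolean (BDD) variable index per canonical predicate."""

    def __init__(self):
        self.index = {}

    def variable(self, ci, xi, cj, xj, c):
        key = canonical(ci, xi, cj, xj, c)
        return self.index.setdefault(key, len(self.index))


if __name__ == "__main__":
    table = PredicateTable()
    # 2*x1 > 3*x2 + 2 and its flipped form -3*x2 > -2*x1 + 2 share a variable.
    print(table.variable(2, "x1", 3, "x2", 2))
    print(table.variable(-3, "x2", -2, "x1", 2))
    print(canonical(3, "x1", -2, "x0", 5))   # 3*x1 > 5 becomes x0 > -3*x1 + 5
```

Note that the flip leaves the constant c untouched: moving both terms across the inequality negates the coefficients but not c, which is why the both-negative case and the ordering case can share one rule.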
Using the canonical form of separation predicates, relationships among continuous variables in LHPNs can now be represented in a Boolean manner. It is also necessary to maintain relationships among the timers on transitions. This necessitates the creation of additional continuous variables, denoted by c_t, to represent the value of the clock on transition t.
To complete the Boolean representation, BDD variables are created for each place in the LHPN to indicate if the place is marked, for each Boolean signal (denoted using the Boolean signal's name), and for each transition's clock to indicate if the clock is active or inactive (denoted as a_t for the clock on transition t). Finally, a BDD variable is created for each possible rate on each continuous variable. These BDD variables are known as Boolean rate variables and are denoted as v'[r_l, r_u] for the BDD variable corresponding to the continuous variable v having rate [r_l, r_u]. Additionally, •t and t• represent the preset and postset of t, respectively, and the notation (t•) := T means that each element in the postset of t is assigned true. The notation ¬(t• − •t) is used as a condition to ensure that the places in the postset of the transition t, aside from places that form a self loop, are not marked.
V. Symbolic Model
In order for analysis to proceed, a symbolic model is generated that contains the essential information for analysis. The symbolic model consists of three components: an invariant, a set of possible rates, and a set of guarded commands.
The invariant (φ_I) is an HSL statement that must be satisfied in every state of the system. First, it states that only the discrete states (represented by Φ) can be reached. The formula Φ is found by performing a state space exploration of the LHPN neglecting the continuous variables. The discrete state space exploration is based on the Petri net algorithm described in [16] with extensions to include values of Boolean signals and Boolean rate variables in the state space. In other words, Φ is a formula over the Boolean variables for the Petri net marking, Boolean signals, and Boolean rate variables. Next, φ_I states that for a transition's clock to be active, the preset must be marked, the enabling condition must be satisfied, and the clock must be greater than zero but not greater than its upper bound. This portion of φ_I prevents an active clock from exceeding its upper bound. The last part of φ_I states that if a transition's clock is not active it must either have an unmarked place in its preset or the non-strict inverse (Ē(t)) of the enabling condition must be satisfied. In the non-strict inverse, all > separation predicates become ≤ separation predicates and vice versa. The last two portions of φ_I when taken together enforce the activation or deactivation of a clock if a changing continuous variable should cause an enabling condition to change evaluation. The invariant is defined formally as follows:
φ_I = Φ ∧ ⋀_{t ∈ T} ((a_t ⇒ •t ∧ E(t) ∧ 0 ≤ c_t ≤ u(t)) ∧ (¬a_t ⇒ ¬•t ∨ Ē(t)))
For the integrator example in Fig. 4, the invariant is:
φ_I = ((p0 ¬p1 p2 ¬p3 ¬Vin ¬Vout'[−22,−18] Vout'[18,22]) ∨
 (p0 ¬p1 ¬p2 p3 Vin ¬Vout'[−22,−18] Vout'[18,22]) ∨
 (¬p0 p1 ¬p2 p3 Vin Vout'[−22,−18] ¬Vout'[18,22]) ∨
 (¬p0 p1 p2 ¬p3 ¬Vin Vout'[−22,−18] ¬Vout'[18,22])) ∧
 (a_t0 ⇒ p0 ∧ Vin ∧ c_t0 = 0) ∧ (¬a_t0 ⇒ ¬p0 ∨ ¬Vin) ∧
 (a_t1 ⇒ p1 ∧ ¬Vin ∧ c_t1 = 0) ∧ (¬a_t1 ⇒ ¬p1 ∨ Vin) ∧
 (a_t2 ⇒ p2 ∧ 0 ≤ c_t2 ≤ 100) ∧ (¬a_t2 ⇒ ¬p2) ∧
 (a_t3 ⇒ p3 ∧ 0 ≤ c_t3 ≤ 100) ∧ (¬a_t3 ⇒ ¬p3) ∧
 (a_t4 ⇒ p4 ∧ c_t4 = 0 ∧ (Vout ≤ −2000 ∨ Vout ≥ 2000)) ∧
 (¬a_t4 ⇒ ¬p4 ∨ (Vout > −2000 ∧ Vout < 2000))
The set of possible rates (ℛ) consists of pairs of an HSL statement indicating a possible Boolean rate assignment (φ_R) and the set of rate assignments to continuous variables corresponding to that statement (R). This set is constructed from Φ, the Boolean state set, by existentially abstracting all non-rate Boolean variables. Each product term corresponds to a φ_R of a pair in ℛ. The Boolean rate assignment sets (R) are built from the product terms. For example, the possible rate set for Fig. 4 is:
ℛ = {(Vout'[−22,−18] ∧ ¬Vout'[18,22]; {Vout' := [−22,−18]}),
 (¬Vout'[−22,−18] ∧ Vout'[18,22]; {Vout' := [18,22]})}
The set of guarded commands (C) is used to determine in each state which transitions are enabled and the effect on the state due to the firing of a transition. It is constructed using a set of primary guarded commands (C_P) and a set of secondary guarded commands (C_S). Each guarded command consists of a guard, φ_G, represented using an HSL formula and a set of commands, A, to be performed when the guard is satisfied.
A primary guarded command is created for each transition t ∈ T. The guard for transition t ensures that the preset for t is marked, the enabling condition on t is satisfied, and the clock associated with t is active and exceeds its lower bound. The commands for transition t cause the postset of t to become marked and the application of the assignments associated with t. Formally, the set of primary guarded commands is defined as follows:
C_P = ⋃_{t ∈ T} {(φ_GP(t), A_P(t))}
where φ_GP(t) = (•t ∧ E(t) ∧ a_t ∧ c_t ≥ l(t)) and A_P(t) = {(•t − t•) := F, (t•) := T, a_t := F, c_t := [−∞, ∞], BA(t), VA(t), RA(t)}. The primary guarded command for transition t2 in Fig. 4 is:
φ_GP(t2) = p2 ∧ a_t2 ∧ c_t2 ≥ 100
A_P(t2) = {p2 := F, p3 := T, Vin := T, a_t2 := F, c_t2 := [−∞, ∞]}
Two secondary guarded commands are created for each transition t ∈ T, one to activate and one to deactivate the clock associated with t. The first one activates the clock for t and sets it to zero when its preset is marked and its enabling condition is true. The second one deactivates the clock when t is no longer enabled and sets its value to [−∞, ∞]. This has the effect of removing the clock from the state space. The set of secondary guarded commands is defined as follows:
C_S = ⋃_{t ∈ T} {(φ_GSA(t), A_SA(t)), (φ_GSD(t), A_SD(t))}
where φ_GSA(t) = •t ∧ E(t) ∧ ¬a_t, A_SA(t) = {a_t := T, c_t := [0, 0]}, φ_GSD(t) = (¬•t ∨ Ē(t)) ∧ a_t, and A_SD(t) = {a_t := F, c_t := [−∞, ∞]}. The activating and deactivating guarded commands for transition t0 in Fig. 4 are:
φ_GSA(t0) = p0 ∧ Vin ∧ ¬a_t0
A_SA(t0) = {a_t0 := T, c_t0 := [0, 0]}
φ_GSD(t0) = (¬p0 ∨ ¬Vin) ∧ a_t0
A_SD(t0) = {a_t0 := F, c_t0 := [−∞, ∞]}
The sets C_P and C_S are merged to form the set C. It is necessary to merge these commands because the firing of a transition may result in the activation or deactivation of clocks associated with other transitions by changing the marking or the values of the Boolean or continuous variables. Only the intuition behind the merging process is described here. The basic idea is that for each transition, t, the effect of its assignments associated with its primary guarded command A_P(t) must be checked against the guards φ_GSA(t') and φ_GSD(t') for each other transition t' to determine if the assignment may have enabled the guard. If the assignments have no effect on the guard or disable it, then the secondary for t' is not merged with the primary for t. If the assignment would make the guard true, then the commands associated with the secondary must be combined with those for the primary. Finally, if the assignment may have changed the guard's evaluation, then two guarded commands must be constructed. One is for the case in which the guard for the secondary is true in which the commands are merged, and the other is for when the guard is false in which the secondary commands are not merged. For example, since the primary guarded command for t2 assigns Vin to true, a condition in the guard of the activating guarded command on t0, they are merged into the guarded command shown below:
A = {p2 := F, p3 := T, Vin := T, a_t2 := F, c_t2 := [−∞, ∞], a_t0 := T, c_t0 := [0, 0]} [the merged guard is not recoverable from the extracted page]
VI. Specifying Properties
Properties to be checked are specified using a dense real-time version of CTL known as TCTL. For example, the TCTL property to check for the integrator is AG(¬fail). This property is automatically generated from the assert statement in the VHDL-AMS code. More complex properties can be manually provided by the user, if desired.
A TCTL property is translated into a Tμ calculus formula as described in [9]. Tμ calculus has the following grammar as defined in [9]:
ψ ::= Y | φ | ¬ψ | ψ1 ∨ ψ2 | ψ1 ▷ ψ2 | z.ψ | μY.ψ | νY.ψ
where φ is an HSL formula, z is a specification clock variable, and Y is a formula variable used in fixpoint computation. The next operator ▷ means that ψ1 is true as time elapses until a discrete transition is taken resulting in ψ2. When the specification clock variable z is assigned to zero in ψ, z.ψ is true. The expressions μY.ψ and νY.ψ are the least fixpoint and greatest fixpoint, respectively, of ψ with the formula variable Y bound inside ψ. The property for the integrator gets transformed into the following Tμ formula:
¬μY.[fail ∨ (true ▷ Y)]
where φ_init is the initial set of states:
φ_init = p0 ¬p1 p2 ¬p3 p4 ¬Vin ¬fail ¬Vout'[−22,−18] Vout'[18,22] ¬a_t0 ¬a_t1 a_t2 ¬a_t3 ¬a_t4 ∧ c_t2 = 0 ∧ Vout = −1000
If a state in which fail is true cannot be reached from the initial state then the formula evaluates to true.
VII. Symbolic Model Checking with BDDs
Henzinger et al. describe a symbolic model checking algorithm for timed automata in which all continuous variables change at rate one [9]. Seshia and Bryant adapted this algorithm for implementation using BDDs [17]. This adapted algorithm is shown in Fig. 5. It proceeds over the structure of ψ, a Tμ property, given the symbolic model for the system to be verified. Upon termination of the algorithm, the resulting HSL formula is equivalent to φ_I if the property is satisfied and the model is non-zeno. The outline of the algorithm in Fig. 5 is applicable to models with rates other than one [2], but extensions are necessary to three critical parts of this algorithm. These parts, assignment (φ[A]), weakest precondition (pre(φ)), and time elapse (φ1 ⇝ φ2), are described below.
When an assignment, φ[A], operation is performed, a set of assignments, as specified by A, are simultaneously performed. The set, A, contains assignments to Boolean signals and/or assignments to continuous variables as defined by a guarded command. Assignments to Boolean signals are of the form b := T or b := F and are performed on φ by calculating the cofactor of φ with respect to the positive or negative form of b, respectively. The assignment set, A, may also contain assignments to real variables of the form x_i := [−∞, ∞] or x_i := a. When an x_i := [−∞, ∞] assignment is made, all BDD variables in φ mapping to separation predicates containing x_i are existentially quantified. When an assignment of the form x_i := a is made, all BDD variables in φ containing x_i are found and BDD substitutions to φ are performed using the BDD composition operation such that c_i x_i > c_j x_j + c ← x_0 > c_j x_j + (c − c_i a) and c_j x_j > c_i x_i + c ← c_j x_j > x_0 + (c + c_i a).
The weakest precondition operation, pre(φ), calculates all the possible states that could have resulted in φ by firing discrete transitions. In particular, for each guarded command, (φ_G, A) ∈ C, it first performs the assignments (A) to the current set of states, and then applies the guard (φ_G). By taking the disjunction of the result for each guarded command, all possible previous states are determined. Finally φ is disjunctively combined with the result, and φ_I is conjunctively combined to ensure that impossible states are not introduced into the calculation. This is defined formally below:
pre(φ) = φ_I ∧ (φ ∨ ⋁_{(φ_G, A) ∈ C} (φ_G ∧ (φ_I ∧ φ)[A]))
Fig. 5. Symbolic analysis algorithm (courtesy of [17]).
|φ| = φ_I ∧ φ
|¬ψ| = φ_I ∧ ¬|ψ|
|ψ1 ∨ ψ2| = |ψ1| ∨ |ψ2|
|ψ1 ▷ ψ2| = (|ψ1| ∨ |ψ2|) ⇝ pre(|ψ2|)
|z.ψ| = |ψ|[z := 0]
|μY.ψ| = the result of the following iteration:
  φ_new := false
  repeat
    φ_old := φ_new
    φ_new := |ψ[Y := φ_old]|
  until (φ_new ⇒ φ_old)
  return φ_old
The time elapse operation (⇝) calculates all the states that can reach φ2 by allowing time to elapse while remaining in φ1 in between. The general idea of time elapse is that the state region φ2 is expanded to include all states that can reach φ2 by moving time backward. The result is then intersected with all the states that can result in φ1 by moving time backward up to the point where φ1 ∧ φ2 is no longer satisfied. Fig. 6 presents a visual representation of the time elapse operation. Given an initial state region, φ2, the result of time elapse encompasses φ2 plus the region within the dotted lines where φ1 is satisfied. The time elapse calculation is performed by iterating over the possible rate set, ℛ, and operating on the portion of the state space for which φ_R is true. The separation predicates in that portion of the state space are evolved backwards based on the rates for each continuous variable in R. During this calculation, separation predicates that cannot be guaranteed to remain true are existentially abstracted, and new separation predicates that represent the result of time evolution are introduced.
An example of applying a time elapse and transition precondition step to the integrator example is shown in Fig. 7. Beginning with the state shown in Fig. 7c, applying the time elapse operation in a backwards fashion results in the state shown in Fig. 7b. Similarly, applying the weakest precondition operation to the state in Fig. 7b results in the state shown in Fig. 7a.
Fig. 6. Visual representation of φ1 ⇝ φ2 where 1 ≤ ẋ ≤ 2 and 1 ≤ ẏ ≤ 2. [Figure: plot of the regions φ1 and φ2 in the x–y plane; image not included.]
Fig. 7. Application of time elapse and weakest precondition operators to the integrator example. Note that the analysis is backwards beginning from the state shown in (c). [Figure: three states (a), (b), (c) of the LHPN of Fig. 4 with Vout' := [−22,−18]; (c) has Vout = 2000 and c_t3 = 100, (b) has −2000 < Vout < 2000 and 0 ≤ c_t3 ≤ 100 together with separation predicates relating Vout to the clock, and (a) is the weakest precondition of (b).]
V I I I .  C o n s t r a i n t  G b n b r a t i o n
As new separation predicates are generated and mapped to Boolean variables, constraints are added to create relationships with existing Boolean variables and prevent Boolean assignments from being made that are impossible. The use of multiple variable rates in LHPNs requires an enhanced constraint generation approach over [17], with consideration given to the canonical representation. The constraints are generally added to the HSL formula before a particular variable is going to be existentially abstracted. When constructing transitivity constraints, the signs of the coefficients must be taken into account and both the regular and inverted forms of the variables must be considered. There are two main types of constraints. In the first type, one separation predicate implies the second as follows:
1. $c_i x_i \geq c_j x_j + c_1 \Rightarrow c_i x_i \geq c_j x_j + c_2$ if $c_1 \geq c_2$.
2. $c_j x_j \geq c_i x_i + (-c_1) \Rightarrow c_j x_j \geq c_i x_i + (-c_2)$ if $-c_1 \geq -c_2$.
3. $c_i x_i \geq c_j x_j + c_1 \Rightarrow c_i x_i \geq c_j x_j + (-c_2)$ if $c_1 \geq -c_2$.
4. $c_j x_j \geq c_i x_i + (-c_1) \Rightarrow c_i x_i \geq c_j x_j + c_2$ if $-c_1 \geq c_2$.
The second type of constraint is a transitivity constraint: two constraints together imply a third, newly created constraint, thus forming new relationships between real variables. For example, the two separation predicates $2x_1 \geq 3x_2 + 2$ and $5x_2 \geq x_3 + 3$ form the new separation predicate $10x_1 \geq 3x_3 + 19$ by transitivity, and thus a constraint is formed. Given the separation predicates $c_i x_i \geq c_j x_j + c_1$ and $c_k x_k \geq c_m x_m + c_2$ (referred to as $e_1$ and $e_2$, respectively), transitivity constraints are formed as follows:
1. If $x_j = x_k$, let $e_3$ represent the separation predicate $\frac{c_i}{c_j} x_i \geq \frac{c_m}{c_k} x_m + \left(\frac{c_1}{c_j} + \frac{c_2}{c_k}\right)$ and $e_4$ represent the separation predicate $\frac{c_m}{c_k} x_m \geq \frac{c_i}{c_j} x_i + \left(-\frac{c_1}{c_j} - \frac{c_2}{c_k}\right)$.
(a) If $c_j > 0$ and $c_k > 0$ then $e_1 \wedge e_2 \Rightarrow e_3$.
(b) If $c_j < 0$ and $c_k < 0$ then $\neg e_1 \wedge \neg e_2 \Rightarrow \neg e_4$.
(c) If $c_j > 0$ and $c_k < 0$ then $\neg e_1 \wedge e_2 \Rightarrow e_4$ and $\neg e_1 \wedge e_2 \Rightarrow \neg e_3$.
(d) If $c_j < 0$ and $c_k > 0$ then $\neg e_1 \wedge e_2 \Rightarrow e_3$ and $\neg e_1 \wedge e_2 \Rightarrow e_4$.
2. If $x_i = x_k$, let $e_3$ represent the separation predicate $\frac{c_m}{c_k} x_m \geq \frac{c_j}{c_i} x_j + \left(\frac{c_1}{c_i} - \frac{c_2}{c_k}\right)$ and $e_4$ represent the separation predicate $\frac{c_j}{c_i} x_j \geq \frac{c_m}{c_k} x_m + \left(\frac{c_2}{c_k} - \frac{c_1}{c_i}\right)$.
(a) If $c_i > 0$ and $c_k > 0$ then $e_1 \wedge e_2 \Rightarrow e_3$.
(b) If $c_i < 0$ and $c_k < 0$ then $\neg e_1 \wedge \neg e_2 \Rightarrow \neg e_4$.
(c) If $c_i > 0$ and $c_k < 0$ then $\neg e_1 \wedge e_2 \Rightarrow e_4$ and $\neg e_1 \wedge e_2 \Rightarrow \neg e_3$.
(d) If $c_i < 0$ and $c_k > 0$ then $\neg e_1 \wedge e_2 \Rightarrow e_3$ and $\neg e_1 \wedge e_2 \Rightarrow \neg e_4$.
Fig. 8 annotations (recovered from the figure): $V_{in} = \pm 1$ V, freq($V_{in}$) = 5 kHz, freq($\phi_1$) = freq($\phi_2$) = 500 kHz, $dV_{out}/dt = \pm(16$ to $24)$ mV/μs.
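As an added example (not code from the paper or its tool), the following Python implements the type-1 implication check and the transitivity derivation for separation predicates with rational coefficients: each predicate is solved for the shared variable, the inequality flips when dividing by a negative coefficient (the sign issue the text raises), and an upper and a lower bound are chained into the new predicate, reproducing $2x_1 \geq 3x_2 + 2$, $5x_2 \geq x_3 + 3 \Rightarrow 10x_1 \geq 3x_3 + 19$. The SepPred representation, the pred helper and the integer-scaling step are assumptions of this example, not the paper's canonical form.

```python
from dataclasses import dataclass
from fractions import Fraction
from math import lcm

@dataclass(frozen=True)
class SepPred:
    """Separation predicate  ci*x[i] >= cj*x[j] + c  (constructed representation)."""
    ci: Fraction
    i: int
    cj: Fraction
    j: int
    c: Fraction

    def scaled(self):
        """Multiply through by the lcm of denominators: smallest integer coefficients."""
        k = lcm(self.ci.denominator, self.cj.denominator, self.c.denominator)
        return SepPred(self.ci * k, self.i, self.cj * k, self.j, self.c * k)

def pred(ci, i, cj, j, c):
    return SepPred(Fraction(ci), i, Fraction(cj), j, Fraction(c))   # ints or Fractions

def implies(e1, e2):
    """Type-1 constraint: same terms on both sides, so e1 => e2 iff c1 >= c2."""
    return (e1.ci, e1.i, e1.cj, e1.j) == (e2.ci, e2.i, e2.cj, e2.j) and e1.c >= e2.c

def bound_on(e, var):
    """Solve e for var as  var <kind> coef*x[other] + const, kind in {'>=', '<='}.
    Dividing by a negative coefficient flips the inequality direction."""
    if var == e.i:                      # ci*xi >= cj*xj + c
        a, b, other, k = e.ci, e.cj, e.j, e.c
        kind = '>=' if a > 0 else '<='
    elif var == e.j:                    # same as cj*xj <= ci*xi - c
        a, b, other, k = e.cj, e.ci, e.i, -e.c
        kind = '<=' if a > 0 else '>='
    else:
        raise ValueError("variable not present in predicate")
    return kind, b / a, other, k / a

def transitive(e1, e2, shared):
    """Transitivity constraint: chain a lower and an upper bound on the shared variable
    into a predicate over the remaining two; None when both bounds point the same way."""
    k1, p, u, q = bound_on(e1, shared)
    k2, r, w, s = bound_on(e2, shared)
    if k1 == k2:
        return None
    if k1 == '>=':                      # make (p, u, q) the upper bound
        (p, u, q), (r, w, s) = (r, w, s), (p, u, q)
    # r*x[w] + s <= shared <= p*x[u] + q   =>   p*x[u] >= r*x[w] + (s - q)
    return SepPred(p, u, r, w, s - q).scaled()
```

With a negative coefficient on the shared variable the bound direction flips, so a pair that looks chainable may yield no constraint at all; the function returns None rather than an unsound predicate in that case.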
IX. Results
The VHDL-AMS to LHPN compiler and symbolic model checking algorithm described in this paper have been implemented and preliminary results are promising. In addition to checking our tool on several small hybrid system benchmarks, we have also verified various versions of the switched capacitor integrator circuit. In particular, we have experimented with different ranges of rates for Vout. When the lower and upper bound for these rates are equal, our tool determines in a few seconds of CPU time that the property is satisfied (i.e., the circuit does not saturate).² When the lower and upper bounds are not equal, our tool determines correctly in a few seconds that the circuit violates the property. This error occurs because, if the rising slew rate of Vout is consistently larger than the falling slew rate, charge can build up, leading to Vout eventually saturating at the high supply rail.
Saturation of the integrator can be prevented using the circuit shown in Fig. 8. In this circuit, a resistor in the form of a switched capacitor is inserted in parallel with the feedback capacitor. This causes Vout to drift back to 0 V. In other words, if Vout is increasing, it increases faster when it is far below 0 V than when it is near or above 0 V. Therefore, the model for this circuit uses a Vout range of 22 to 24 mV/μs when it is below −1000 mV, and it uses a range of 16 to 22 mV/μs when it is above −1000 mV. A similar modification is made for the ranges of rates when Vout is decreasing. With these changes, verification finds that the circuit no longer saturates.
² All tests performed on a 3 GHz Pentium IV with 1 GB of RAM.
Fig. 8. Circuit diagram of a switched capacitor integrator that has been modified to prevent saturation.
The symbolic model checker described in this paper is the first to support the verification of VHDL-AMS models with ranges of rates. This is accomplished due to the fact that the model checker is designed to work with LHPN models which are developed with the goal of being easily generated from VHDL-AMS descriptions. For comparison purposes, it is possible to hand translate the LHPN model for the switched capacitor integrator into a hybrid automaton. While this is not too complicated for this small LHPN, this translation is in general difficult and can result in a blowup in the size of the hybrid automaton. This hand generated hybrid automaton can then be verified using the hybrid automata tools HyTech [10] and PHAVer [5]. While both tools rapidly verified the integrator example with equal bounds on the rates of change for Vout, they are unable to complete for the integrator with ranges of rates for Vout. Upon closer examination, we determined that this is due to the fact that the state space is unbounded in these cases. To address this problem, we add by hand invariants to the hybrid automaton to bound the state space that is explored. Both tools can then complete the verification of the integrator examples in runtimes that are comparable with our tool.
X. Conclusion
To gain acceptance of formal verification by AMS designers, it is crucial to allow them to describe circuits using a method that they are comfortable with. To this end, this paper describes a method for symbolic model checking of AMS circuits described using a subset of VHDL-AMS. These VHDL-AMS descriptions are compiled into LHPNs which are then analyzed using an algorithm that maps separation predicates to Boolean variables allowing for the use of BDDs. This algorithm extends previous work by providing a canonical representation of separation predicates containing two real variables with arbitrary slopes and introduces an expanded constraint generation method. The time elapse calculation, in particular, must also be modified substantially. These extensions are necessary for a BDD based implementation of an algorithm that allows for real variables to change at ranges of rates.
We are currently developing a SPICE-deck front-end which will further improve the ability of AMS designers to use our tool. We are also planning to develop abstraction methods to reduce the number of BDD variables that are created and to help alleviate the state explosion problem that can occur as we apply these methods to larger scale examples. Additionally, we believe that many of the methods described in this paper may lend themselves well to a bounded model checking approach using SAT and/or SMT systems. In this approach, the transition relation and time elapse calculation would introduce next state variables and time step variables at each step of the analysis. Finally, we plan to investigate methods to improve user feedback when a failure is detected.
Acknowledgements
We would like to thank Goran Frehse of VERIMAG for his help with PHAVer. We would also like to thank Sanjit Seshia of UC Berkeley, Randal Bryant of CMU, Reid Harrison of the University of Utah, Robert Kurshan of Cadence, and Kevin Jones of Rambus for their comments on this work.
References
[1] R. Alur, C. Courcoubetis, T. A. Henzinger, and P.-H. Ho. Hybrid automata: An algorithmic approach to the specification and verification of hybrid systems. In Hybrid Systems, pages 209-229, 1992.
[2] R. Alur, T. A. Henzinger, and P.-H. Ho. Automatic symbolic verification of embedded systems. In IEEE Transactions on Software Engineering, pages 181-201, 1996.
[3] T. Dang, A. Donzé, and O. Maler. Verification of analog and mixed-signal circuits using hybrid systems techniques. In Formal Methods for Computer Aided Design, 2004.
[4] R. David and H. Alla. On hybrid Petri nets. Discrete Event Dynamic Systems: Theory and Applications, 11:9-40, Jan. 2001.
[5] G. Frehse. PHAVer: Algorithmic verification of hybrid systems past HyTech. In Manfred Morari and Lothar Thiele, editors, HSCC, volume 3414 of Lecture Notes in Computer Science, pages 258-273. Springer, 2005.
[6] G. Frehse, B. H. Krogh, and R. A. Rutenbar. Verifying analog oscillator circuits using forward/backward refinement. In Proc. Design, Automation and Test in Europe (DATE), pages 257-262. IEEE Computer Society Press, 2006.
[7] S. Gupta, B. H. Krogh, and R. A. Rutenbar. Towards formal verification of analog designs. In International Conference on Computer-Aided Design, pages 210-217, 2004.
[8] W. Hartong, L. Hedrich, and E. Barke. Model checking algorithms for analog verification. In Design Automation Conference, pages 542-547, 2002.
[9] T. Henzinger, X. Nicollin, J. Sifakis, and S. Yovine. Symbolic model checking for real-time systems. In 7th Symposium on Logics in Computer Science, pages 394-406, Santa Cruz, California, 1992. IEEE Computer Society Press.
[10] T. A. Henzinger, P.-H. Ho, and H. Wong-Toi. HYTECH: A model checker for hybrid systems. International Journal on Software Tools for Technology Transfer, 1(1-2):110-122, 1997.
[11] IBS Corporation. Industry reports, 2003.
[12] R. P. Kurshan and K. L. McMillan. Analysis of digital circuits through symbolic reduction. IEEE Transactions on Computer-Aided Design, 10(11):1356-1371, November 1991.
[13] S. Little, N. Seegmiller, D. Walter, and C. J. Myers. Verification of analog/mixed-signal circuits using labeled hybrid Petri nets. In Proc. International Conf. Computer-Aided Design (ICCAD), November 2006.
[14] A. Miné. The octagon abstract domain. In Analyzing, Slicing, and Transformation, pages 310-319. IEEE Computer Society Press, October 2001.
[15] C. Myers. Asynchronous Circuit Design. Wiley, 2001.
[16] E. Pastor, O. Roig, J. Cortadella, and R. M. Badia. Petri net analysis using Boolean manipulation. In R. Valette, editor, Proc. of the 15th Int. Conf. on Application and Theory of Petri Nets (PNPM'94), Zaragoza, Spain, LNCS 815, pages 416-435. Springer, June 1994.
[17] S. A. Seshia and R. E. Bryant. Unbounded, fully symbolic model checking of timed automata using Boolean methods. In Proc. International Workshop on Computer Aided Verification, pages 154-166, 2003.
[18] D. Walter. Verification of Analog and Mixed-Signal Circuits Using Binary Decision Diagrams and Predicate Abstraction. PhD thesis, University of Utah, 2007.