Formal Verification Methodologies for Nonlinear Analog Circuits (Formale Verifikationsmethodiken für nichtlineare analoge Schaltungen) by Steinhorst, Sebastian
Formal Verification Methodologies
for Nonlinear Analog Circuits
Dissertation
submitted for the degree of
Doctor of Natural Sciences
to the Department of Computer Science and Mathematics
of the Johann Wolfgang Goethe-Universität
in Frankfurt am Main
by
Sebastian Steinhorst
from Mainz
Frankfurt (2011)
(D 30)
Accepted as a dissertation by the Department of Computer Science and Mathematics of the Johann Wolfgang Goethe-Universität
Dean: Prof. Dr. Tobias Weth
Referees: Prof. Dr. Lars Hedrich
Priv.-Doz. Dr. Helmut Gräb
Date of the oral examination: 3 February 2011
Acknowledgments
This thesis is the result of five years of my research in the Electronic Design Methodology Group at the Institute of Computer Science of the Goethe-University of Frankfurt am Main. It would not have been possible without the support of many people.
First of all, I would like to express my deepest gratitude to my doctoral advisor, Lars Hedrich, for his encouragement, guidance and support from the beginnings of my research until the finalization of this thesis. His keen mind and overwhelming interest in my work have been an invaluable help.
I am especially indebted to Helmut Gräb for fruitful discussions, his continuous interest in this thesis and for acting as a referee.
Moreover, I owe a big thank you to my examiners Georg Schnitger and Uwe Brinkschulte for their interesting questions and valuable remarks.
I am grateful to Angelika Schifignano for all of her assistance, being the nicest and most caring secretary I could imagine.
I would like to thank Oliver Mitea, with whom I shared the office for 4 years, for the great time we had together as colleagues and most of all for becoming a friend. Furthermore, I would like to thank my colleagues Mingyu Ma, Markus Meissner, Julius von Rosen and Felix Salfelder for the great working atmosphere in our group. Thank you also to Ronja Düffel, Andreas Hofmann, Conrad Rau, David Sabel and Manfred Schmidt-Schauß for the good times we had.
Finally, I would like to thank my wonderful wife Christina Steinhorst, my parents Doris and Gerhard Steinhorst, my parents-in-law Melitta and Fred Bayer and grandma Ottilia Gutermann for their patience, continuous support and for allowing me to concentrate on my research work by managing my private affairs.
Abstract
The objective of this thesis is to develop new methodologies for the formal verification of nonlinear analog circuits. To this end, new approaches to discrete modeling of analog circuits, specification of analog circuit properties and formal verification algorithms are introduced.
While the design flow for digital circuits is mostly automated and formalized, the analog design flow still contains several manual steps. This particularly applies to verification, the process of systematically assuring that all design steps conform to the specification. There are two global classes of verification approaches, conventional non-formal verification and formal verification. Non-formal test bench-based simulation is the state of the art in analog verification in industrial design flows. Because this approach is experimental in character, critical specification-violating corner-case behavior can remain unreached by the simulation runs and therefore undiscovered by the designer.
Formal approaches to the verification of analog circuits have not yet been introduced into industrial design flows and are still the subject of research. Formal verification proves specification conformance for all possible input conditions and all possible internal states of a circuit. Automatically proving that a model of the circuit satisfies a declarative, machine-readable property specification is referred to as model checking. Equivalence checking proves the equivalence of two circuit implementations.
Starting from the state of the art in modeling analog circuits for simulation-based verification, this thesis motivates discrete modeling of analog circuits for state space-based formal verification methodologies. The most capable existing approach to discrete modeling partitions the state space into paraxial hyperboxes of homogeneous behavior of the state space dynamics. Because of the paraxial slicing, the non-paraxial vector field that represents the state space dynamics cannot be captured sufficiently. Hence the hyperbox approach is not rotation invariant with respect to the structure of the state space dynamics, which results in a massive over-approximation of the successor relation of the discrete transition model. To improve the discrete modeling of analog circuits, a new trajectory-directed partitioning algorithm was developed in the scope of this thesis. The new approach determines the partitioning of the state space parallel or orthogonal to the trajectories of the state space dynamics. Thereby, a high accuracy of the successor relation is achieved, together with a lower number of states for a discrete model of equal accuracy compared to the hyperbox approach. Mapping the partitioning to a discrete analog transition structure (DATS) enables the application of formal verification algorithms.
Formal property specification for the initial approaches to model checking of analog circuits was strongly related to temporal logic specification in the digital domain. However, the specification of analog properties such as slew rate and oscillation is fundamentally different from that of digital properties such as fairness and liveness. Additionally, specification using temporal logics such as the Computation Tree Logic (CTL) was already considered not designer-friendly in the digital domain. Hence, specifying analog properties with CTL cannot be considered suitable for analog designers, who in general do not have a background in computer science. By analyzing digital specification concepts and the existing approaches to analog property specification, this thesis derives the requirements for a new specification language for analog properties. On the one hand, it shall meet the requirements for formal specification of verification approaches applied to DATS models. On the other hand, its syntax shall be oriented on natural language phrases. By synthesis of these requirements, the analog specification language (ASL) was developed in the scope of this thesis. ASL includes a natural language encapsulation of temporal logic operations, advanced operations for determining transition paths and oscillations, and arithmetic calculations on state space variable values. Hence, high expressiveness is combined with a designer-oriented syntax. An extended variable concept, parameterized macros and an assertion layer allow reusable specifications for complex analog properties to be developed. The model checking algorithms that were developed together with ASL for application to DATS models generated with the new trajectory-directed approach offer a significant enhancement over the state of the art.
In order to prepare a transition from signal-based to state space-based verification methodologies, an approach was developed in the scope of this thesis that transfers transient simulation results from non-formal test bench simulation flows into a partial state space representation in the form of a DATS. As demonstrated by examples, the same ASL specification that was developed for formal model checking on complete discrete models could be evaluated without modification on transient simulation waveforms.
An approach to counterexample generation for the formal ASL model checking methodology generates transition sequences from a defined starting state to a specification-violating state for inspection in transient simulation environments. Based on this counterexample generation, a new formal verification methodology using complete state space-covering input stimuli was developed. On a DATS model of the analog circuit, an input stimulus is determined such that all reachable states and transitions of the modeled circuit are visited at least once from a defined starting state. The generated sequence of value-time tuples for the input variables represents piecewise linear input stimuli for each input of the circuit. By conducting a transient simulation with these complete state space-covering input stimuli, the circuit passes through every state and transition that was visited during stimulus generation. An alternative formal verification methodology is obtained by transferring the transient simulation responses back into a DATS model and applying the ASL verification algorithms in combination with an ASL property specification.
Moreover, the complete state space-covering input stimuli can be used to develop a formal equivalence checking methodology. The new approach introduced in the scope of this thesis replaces the user-defined input stimuli of conventional non-formal equivalence checking with complete-coverage stimuli. Thereby, the equivalence of two implementations can be proven for every inner state of both systems by comparing the transient simulation responses of both circuits to the complete-coverage stimuli.
In order to visually inspect the results of the newly introduced verification methodologies, an approach to dynamic state space visualization using multi-parallel particle simulation was developed. Because the particles are randomly distributed over the complete state space and move according to the state space dynamics, another perspective on the system's behavior is provided that covers the state space and hence offers results of a formal character.
The prototypic implementations of the formal verification methodologies developed in the scope of this thesis have been applied to several example circuits. The results acquired for the new approaches to discrete modeling, specification and verification algorithms all demonstrate that the new verification methodologies can be applied to complex circuit blocks and their properties.
Zusammenfassung (German Abstract)
The subject of this dissertation is the development of new methodologies for the formal verification of nonlinear analog electronic circuits. To this end, new approaches developed in the course of this work are presented in the areas of verification-oriented discrete modeling of analog circuits, specification of analog circuit properties, and formal verification algorithms.
While the design process for digital circuits is largely automated and formalized, the design of analog circuits still requires many manual steps. In particular, far fewer methods are available than in the digital domain for ensuring that a design satisfies the properties laid down in a requirements specification at all times.
The systematic assurance that design steps conform to the specification is called verification. Building on analysis tools such as time-domain simulation of circuit behavior under changing input quantities, verification requires a systematic plan of the analyses to be carried out. There are two classes of verification methods, formed by the areas of conventional, non-formal verification and formal verification.
The state of the art in analog verification in industrial design processes is test bench-based simulation. This non-formal approach characterizes the circuit behavior by simulation runs with a limited number of user-defined input signals. Depending on the experience of the circuit designer, these signals cover some part of the real input signals the circuit will encounter after fabrication. Owing to the experimental character of this kind of verification, critical specification-violating behavior of the circuit can remain unreached by the simulations and therefore undiscovered by the designer. In non-formal verification, the absence of further discovered errors is taken as satisfaction of the specification. As already explained, however, this is not sufficient to prove that the circuit satisfies the specification under all future circumstances. This problem is illustrated in this work by an introductory motivating example in which an oscillator circuit revealed critical behavior only after fabrication and was therefore unusable. While the simulation runs in the design process presented the circuit as fully functional, it later turned out that certain starting conditions, so-called "initial conditions", can reproducibly prevent this circuit from entering oscillation. The formal verification methodologies developed in this work are able to identify errors of this kind.
Formal verification methods for analog circuits are still the subject of research. Formal verification proves that the specification is satisfied for all possible input signals and all possible internal states of a circuit. Formal methods that automatically check a model of a circuit against a declarative, machine-readable property specification are called "model checking". Formally comparing two implementations for equivalence constitutes the method of "equivalence checking".
Starting from the state of the art in modeling analog circuits for simulation-based verification, this work considers the discrete modeling of analog circuits for state space-based formal verification methods. The most capable existing approach to discrete state space-based modeling partitions the state space into axis-parallel hyperboxes of homogeneous state space dynamics. A problem arises here in representing vector field dynamics that are not axis-parallel, although it is these dynamics that represent the state space dynamics. Since the existing approach is not rotation invariant with respect to the vector field structure, a massive over-approximation of the successor relation of the discrete transition model results. To counter this problem, a new approach to discrete modeling was developed in the course of this work that determines the partitioning structure from the trajectories of the vector field dynamics. This enables a high accuracy of the successor relation, from which a lower number of states follows for a discrete model of equal accuracy compared to the hyperbox approach.
The new approach to trajectory-directed partitioning is based on computing an initial transient simulation step from a starting point in the state space. Around the resulting transition vector, an orthogonal system is constructed using the Gram-Schmidt orthogonalization procedure; adding these vectors to the initial starting point, and subtracting them with a correction for the direction of trajectory flow, yields new starting points for further transient steps with subsequent construction of orthogonal systems. Scaling the vectors ensures the homogeneity of the enclosed state space partitions. With this new discretization procedure, the corner points of geometric objects are determined that partition the state space up to user-defined extent limits. While the topology of the graph of corners and edges of the partition objects is isomorphic to the correspondingly constructed graph of a hypercube, there is otherwise no regularity that would allow the partitions to be described simply by objects such as polytopes. A proposed approximation of the boundary faces of the partition objects by a weighted combination of hyperplanes nevertheless allows point inclusion in the partition objects to be determined. The mapping of the partitioning onto a discrete analog transition structure (DATS) is carried out on a dual representation of the partition objects, so that the partition edges represented by transient simulation steps can be regarded as centers of state space regions. This allows efficient determination of the discrete model with high accuracy of the transition relation, which is thereby determined directly by transient simulation steps.
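The partitioning step just described, as an added worked example in Python (not code from the thesis or its prototype implementation): a transient step from a starting point gives the transition vector, a Gram-Schmidt orthonormal frame is built around it, and the orthogonal offsets are scaled down until the enclosed region is homogeneous. Assumptions not in the text: the state space dynamics are a constructed Van der Pol vector field, the transient step is a single explicit Euler step, the backward corner is a backward Euler step in place of the flow-direction corrected subtraction, and homogeneity is judged by the angle between the vector field at the new corner and at the starting point.

```python
import math
from typing import Callable, Dict, List

Vector = List[float]
Field = Callable[[Vector], Vector]


def van_der_pol(x: Vector, mu: float = 1.0) -> Vector:
    """Constructed 2-D state space dynamics (Van der Pol oscillator).

    Stands in for the vector field a circuit simulator evaluates from the
    circuit equations; it is not one of the thesis' example circuits.
    """
    return [x[1], mu * (1.0 - x[0] ** 2) * x[1] - x[0]]


def dot(a: Vector, b: Vector) -> float:
    return sum(ai * bi for ai, bi in zip(a, b))


def norm(a: Vector) -> float:
    return math.sqrt(dot(a, a))


def axpy(alpha: float, x: Vector, y: Vector) -> Vector:
    """alpha * x + y"""
    return [alpha * xi + yi for xi, yi in zip(x, y)]


def transient_step(field: Field, x0: Vector, dt: float) -> Vector:
    """One explicit Euler step; assumption: stands in for one transient simulator step."""
    return axpy(dt, field(x0), x0)


def gram_schmidt_frame(direction: Vector) -> List[Vector]:
    """Orthonormal frame whose first vector is the normalized transition direction.

    The other vectors come from Gram-Schmidt orthogonalization of the unit
    vectors against the frame built so far, so they span the hyperplane
    orthogonal to the trajectory.
    """
    n = len(direction)
    frame = [axpy(1.0 / norm(direction), direction, [0.0] * n)]
    for k in range(n):
        if len(frame) == n:
            break
        e = [1.0 if i == k else 0.0 for i in range(n)]
        for b in frame:
            e = axpy(-dot(e, b), b, e)           # remove the component along b
        if norm(e) > 1e-9:                        # unit vector not already in the span
            frame.append(axpy(1.0 / norm(e), e, [0.0] * n))
    return frame


def direction_deviation(field: Field, p: Vector, q: Vector) -> float:
    """Angle in radians between the vector field at p and at q (pi if one vanishes)."""
    fp, fq = field(p), field(q)
    if norm(fp) == 0.0 or norm(fq) == 0.0:
        return math.pi
    c = dot(fp, fq) / (norm(fp) * norm(fq))
    return math.acos(max(-1.0, min(1.0, c)))


def homogeneous_extent(field: Field, x0: Vector, b: Vector, extent: float, max_angle: float) -> float:
    """Halve the offset along b until the field direction at the new corner deviates
    from the one at x0 by at most max_angle (assumed homogeneity criterion)."""
    while extent > 1e-6 and direction_deviation(field, x0, axpy(extent, b, x0)) > max_angle:
        extent *= 0.5
    return extent


def partition_corners(field: Field, x0: Vector, dt: float, extent: float,
                      max_angle: float = math.radians(10.0)) -> Dict[str, Vector]:
    """Corner points grown from x0 for one trajectory-directed partition cell.

    forward/backward: transient steps along and against the flow (the backward
    point is a backward step rather than a mirrored vector; assumption).
    plus_k/minus_k: offsets along the k-th orthogonal Gram-Schmidt vector,
    scaled down until the enclosed region is homogeneous.
    """
    x1 = transient_step(field, x0, dt)
    frame = gram_schmidt_frame(axpy(-1.0, x0, x1))    # x1 - x0 is the transition vector
    corners = {"forward": x1, "backward": transient_step(field, x0, -dt)}
    for k, b in enumerate(frame[1:], start=1):
        for sign, name in ((1.0, "plus"), (-1.0, "minus")):
            signed_b = axpy(sign, b, [0.0] * len(b))
            s = homogeneous_extent(field, x0, signed_b, extent, max_angle)
            corners[f"{name}_{k}"] = axpy(s, signed_b, x0)
    return corners


if __name__ == "__main__":
    for name, p in partition_corners(van_der_pol, [0.0, 1.0], 0.01, 2.0).items():
        print(f"{name:10s} {p[0]:+.4f} {p[1]:+.4f}")
```

Starting at [0, 1] with a requested extent of 2, the orthogonal offsets are halved down to 0.25 because the Van der Pol field turns sharply there; starting at [1, 0], where the field is locally uniform, the full extent is kept. The frame generalizes to any dimension, which is why the orthogonal corners are indexed by k.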
Since automated verification methodologies are not yet established in the analog domain, the formalization of specifications is likewise not yet far advanced in practice. The next development step to be expected is the widespread application of assertion-based simulation in the analog domain. Property specifications for this method, in which simulation results are automatically compared with a machine-readable specification, represent a first step toward formalizing analog property specification. The signal-based property formulation used there, however, cannot be used for state space-based verification.
The formal specification of properties in the first approaches to model checking of analog circuits was strongly oriented toward existing methods from the domain of digital hardware. An extension of the temporal logic "Computation Tree Logic" (CTL) by an analog operator and the specification of timing constraints permitted only a very limited formulation of analog system properties. Analog properties such as slew rate and oscillation must be specified in a fundamentally different way from digital properties such as "fairness" and "liveness". Moreover, temporal logic specification has already been regarded as not user-friendly in the digital domain. Specifying analog properties with CTL is therefore not expedient for analog designers, who generally do not come from a computer science background.
Starting from an analysis of digital specification concepts and the existing approaches for analog properties, requirements for a new specification language for analog properties were derived. It should satisfy the formal specification demands of verification methods on discrete analog transition structures while having a language syntax modeled on natural language phrasing. The "Analog Specification Language" (ASL) developed from these requirements in the course of this work is based on a natural language encapsulation of temporal logic operations which, together with extended algorithms for determining transition paths, performing calculations on state parameters and determining oscillations, combines high expressiveness for analog properties with a user-friendly syntax. An extended variable concept, encapsulation in parameterized macros and an assertion layer make it possible to create reusable specifications for complex properties. The model checking verification algorithms developed together with ASL for evaluating ASL specifications on a DATS model generated with the trajectory-directed discretization procedure form a substantial extension of the state of the art. The new specification capabilities were demonstrated by new specification methodologies for overshoot, extended oscillation properties such as the input voltage sensitivity of voltage controlled oscillators, and the startup behavior of autonomous circuits.
To enable a transition of verification from signal-based to state space-based methodologies, an approach was developed in the course of this work that allows transient simulation results from non-formal test bench simulation environments to be transferred into a partial DATS state space representation. As could be shown by examples, the same ASL specification written for properties of a complete discrete model can thereby be evaluated without modification on simulation results as well.
An approach developed for formal ASL-based model checking generates counterexamples for state space regions identified as specification-violating: it determines transition sequences from a defined starting state to a specification-violating state. On a DATS, these transition sequences correspond to piecewise linear analog waveforms that represent, in signal form, the circuit behavior leading into the undesired state. Besides allowing a direct assessment of all state space parameters at the signal level, this approach makes it possible to export the counterexample waveform for the input variables of the circuit as well. These piecewise linear input stimuli can be used in a conventional test bench environment to reproduce the specification-violating behavior by simulation in a familiar verification environment.
Based on the counterexample method, a new formal verification methodology using input stimuli that completely cover the state space of a circuit was developed. The underlying motivation was to integrate formal methods into the hitherto non-formal test bench-based simulation environments. For this purpose, an input stimulus is determined on a discrete model of the analog circuit such that, from a starting state, all states and transitions present in the model are visited at least once. The resulting sequence of value-time pairs for the input signals again represents piecewise linear input stimuli for each input of the circuit. If a transient simulation of the circuit is carried out with these stimuli that completely cover the state space, the circuit will, during the simulation, take on all states and transitions that were recorded during the traversal of the discrete model. Thus a simulation can be carried out in a conventional test bench environment which, in contrast to user-defined stimuli, takes on every possible reachable state of the circuit. With the simulation results being valid for every state of the circuit, this provides an efficient method for simulation that completely covers the state space and is therefore formal. If the simulation results determined with this method are transferred back into a DATS model and ASL verification algorithms are executed on it, a formal assertion-based verification is possible that represents an alternative verification methodology to model checking.
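Counterexample generation (a transition sequence from the starting state into a violating state, described in the preceding paragraph) and complete-coverage stimulus generation (a walk that takes every reachable state and transition at least once and is exported as value-time pairs) both operate on the DATS graph. The following added Python example, which is not code from the thesis, shows both on a constructed four-state DATS. Assumptions not in the text: each transition is annotated with the input value under which it is taken and its duration, the covering walk is built greedily with breadth-first detours to the nearest state that still has an untaken transition, and the piecewise linear stimulus reaches each transition's input value at the end of that transition.

```python
from collections import deque
from typing import Callable, Dict, List, Optional, Set, Tuple

State = str
Transition = Tuple[State, float, float]   # (successor state, input value, duration in seconds)
DATS = Dict[State, List[Transition]]

# Constructed DATS with four state space regions of a single-input circuit.
# Assumption: every transition carries the input value under which the transient
# step was taken and the time that step took; this is not a model from the thesis.
SAMPLE_DATS: DATS = {
    "low":  [("mid", 1.0, 1e-6), ("low", 0.0, 1e-6)],
    "mid":  [("high", 1.0, 1e-6), ("low", 0.0, 1e-6)],
    "high": [("high", 1.0, 1e-6), ("over", 1.0, 2e-6), ("mid", 0.0, 1e-6)],
    "over": [("high", 0.0, 1e-6)],
}


def shortest_path(dats: DATS, src: State, goal: Callable[[State], bool]) -> Optional[List[Transition]]:
    """Breadth-first search over transitions; returns the shortest transition
    sequence from src to the first state satisfying goal, or None if unreachable."""
    parent: Dict[State, Tuple[State, Transition]] = {}
    seen, queue = {src}, deque([src])
    while queue:
        s = queue.popleft()
        if goal(s):
            path: List[Transition] = []
            while s != src:
                s, t = parent[s]
                path.append(t)
            return path[::-1]
        for t in dats.get(s, []):
            if t[0] not in seen:
                seen.add(t[0])
                parent[t[0]] = (s, t)
                queue.append(t[0])
    return None


def counterexample(dats: DATS, start: State, violating: Set[State]) -> Optional[List[Transition]]:
    """Transition sequence from the starting state into a specification-violating state."""
    return shortest_path(dats, start, lambda s: s in violating)


def covering_walk(dats: DATS, start: State) -> List[Transition]:
    """Transition sequence from start that visits every reachable state and transition
    at least once: take an untaken outgoing transition while one exists, otherwise
    detour (BFS) to the nearest state that still has one."""
    untaken = {s: list(ts) for s, ts in dats.items()}
    walk: List[Transition] = []
    cur = start
    while True:
        if untaken.get(cur):
            t = untaken[cur].pop(0)
            walk.append(t)
            cur = t[0]
            continue
        detour = shortest_path(dats, cur, lambda s: bool(untaken.get(s)))
        if detour is None:                        # nothing reachable is left untaken
            return walk
        for t in detour:                          # detour transitions count as taken too
            if t in untaken.get(cur, []):
                untaken[cur].remove(t)
            walk.append(t)
            cur = t[0]


def coverage(dats: DATS, start: State, walk: List[Transition]) -> Tuple[bool, bool]:
    """(all reachable states visited, all reachable transitions taken) for a walk from start."""
    reach, queue = {start}, deque([start])
    while queue:
        s = queue.popleft()
        for t in dats.get(s, []):
            if t[0] not in reach:
                reach.add(t[0])
                queue.append(t[0])
    edges = {(s, t) for s in reach for t in dats.get(s, [])}
    taken, cur = set(), start
    for t in walk:
        taken.add((cur, t))
        cur = t[0]
    visited = {start} | {t[0] for t in walk}
    return visited == reach, edges <= taken


def to_pwl_stimulus(walk: List[Transition], t0: float = 0.0) -> List[Tuple[float, float]]:
    """(time, value) breakpoints of the piecewise linear input stimulus: the input
    reaches each transition's value at the end of that transition's duration."""
    points = [(t0, walk[0][1])]
    t = t0
    for _, u, dur in walk:
        t += dur
        points.append((t, u))
    return points


if __name__ == "__main__":
    walk = covering_walk(SAMPLE_DATS, "low")
    print("coverage (states, transitions):", coverage(SAMPLE_DATS, "low", walk))
    print("PWL stimulus:", to_pwl_stimulus(walk))
    print("counterexample into 'over':", counterexample(SAMPLE_DATS, "low", {"over"}))
```

The greedy walk is not the shortest covering sequence, but every detour ends at a state with an untaken transition, so the loop terminates once all transitions reachable from the start have been taken; transitions of states unreachable from the start are reported as uncovered rather than silently skipped.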
The input stimuli that completely cover the state space offer a further application in the area of equivalence checking. Only a few existing research approaches offer the possibility of proving complete behavioral equivalence of nonlinear analog circuits with respect to a defined error bound. Owing to their complex algorithms, their range of application is limited to comparing implementations that have no substantial differences in their level of abstraction. In industrial use, equivalence checking is performed non-formally by comparing simulation results computed with user-defined input stimuli. The methodology for formal equivalence checking developed in this work, based on the input stimuli that completely cover the state space, replaces the user-defined input stimuli with the complete-coverage ones. In this way, equivalence can be shown for every possible state of the implementations under comparison by an automated comparison of the simulation results of both implementations. A complete verification statement can be made if stimuli are generated for each of the implementations under comparison and each implementation is simulated with all stimuli, both its own and those of the other implementation. The level of abstraction between the implementations is irrelevant here.
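The cross-simulation scheme described above, as an added Python example that is not code from the thesis: two implementations of one low-pass at different abstraction levels (a netlist-level RC and a behavioral model with a time constant) are simulated with every stimulus, the responses are compared on the union of their time points, and the maximum absolute error is checked against the bound. Assumptions not in the text: the two constructed PWL stimuli stand in for the complete-coverage stimuli generated for each implementation, the simulator is explicit Euler, and the error measures are maximum absolute and RMS error (the thesis' own measures are in Section 5.6.1 and are not reproduced here).

```python
import math
from typing import Callable, List, Tuple

Point = Tuple[float, float]                      # (time, value)
Model = Callable[[float, float], float]          # dx/dt = model(x, u)


def pwl_value(points: List[Point], t: float) -> float:
    """Evaluate a piecewise linear waveform; end values are held outside the breakpoints."""
    if t <= points[0][0]:
        return points[0][1]
    for (t0, v0), (t1, v1) in zip(points, points[1:]):
        if t0 <= t <= t1:
            return v0 if t1 == t0 else v0 + (v1 - v0) * (t - t0) / (t1 - t0)
    return points[-1][1]


def simulate(model: Model, stimulus: List[Point], x0: float, dt: float, t_end: float) -> List[Point]:
    """Explicit Euler transient simulation of a one-state model driven by a PWL input
    (assumption: stands in for the circuit simulator)."""
    t, x, out = 0.0, x0, [(0.0, x0)]
    while t < t_end - 1e-15:
        x += dt * model(x, pwl_value(stimulus, t))
        t += dt
        out.append((t, x))
    return out


# Two implementations of one low-pass at different abstraction levels (constructed).
def rc_netlist(R: float, C: float) -> Model:
    """Netlist-level RC: C dv/dt = (u - v) / R."""
    return lambda v, u: (u - v) / (R * C)


def behavioral_lowpass(tau: float) -> Model:
    """Behavioral model that knows only a time constant."""
    return lambda v, u: (u - v) / tau


def waveform_errors(a: List[Point], b: List[Point]) -> Tuple[float, float]:
    """Maximum absolute and RMS error between two waveforms, evaluated on the union of their time points."""
    times = sorted({t for t, _ in a} | {t for t, _ in b})
    diffs = [pwl_value(a, t) - pwl_value(b, t) for t in times]
    return max(abs(d) for d in diffs), math.sqrt(sum(d * d for d in diffs) / len(diffs))


def equivalent(impl_a: Model, impl_b: Model, stimuli: List[List[Point]], x0: float,
               dt: float, t_end: float, max_abs_err: float) -> Tuple[bool, float]:
    """Simulate both implementations with every stimulus (those generated for either
    implementation) and compare the responses against the error bound."""
    worst = 0.0
    for stim in stimuli:
        ra = simulate(impl_a, stim, x0, dt, t_end)
        rb = simulate(impl_b, stim, x0, dt, t_end)
        worst = max(worst, waveform_errors(ra, rb)[0])
    return worst <= max_abs_err, worst


# Stand-ins for the complete-coverage stimuli of implementation A and B (constructed PWL inputs).
SAMPLE_STIMULI: List[List[Point]] = [
    [(0.0, 0.0), (0.0, 1.0), (5e-3, 1.0)],                  # step up at t = 0
    [(0.0, 1.0), (2e-3, 1.0), (2e-3, 0.0), (5e-3, 0.0)],    # high, then step down at 2 ms
]


if __name__ == "__main__":
    rc = rc_netlist(1e3, 1e-6)                                # tau = 1 ms
    print("same tau:   ", equivalent(rc, behavioral_lowpass(1.0e-3), SAMPLE_STIMULI, 0.0, 1e-5, 5e-3, 0.01))
    print("tau +20 %:  ", equivalent(rc, behavioral_lowpass(1.2e-3), SAMPLE_STIMULI, 0.0, 1e-5, 5e-3, 0.01))
```

Driving both implementations with the union of both stimulus sets is what makes the check symmetric: a stimulus set generated from only one implementation would miss states that only the other can reach. The abstraction gap (device-level R and C versus a single time constant) plays no role in the comparison, which is only ever between response waveforms.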
To examine the results of the newly introduced formal verification methodologies visually, a method was developed that visualizes the state space and its dynamics by means of a particle simulation approach. Since the particles are randomly distributed over the entire state space and then move according to the vector field dynamics, an insight into the system behavior can be gained here too that offers a largely complete, and therefore formal, representation of the state space.
The prototype implementation of the formal verification methodologies developed in this work was applied to numerous example circuits. A modified ring oscillator was examined by ASL model checking and particle simulation for starting conditions that prevent oscillation. The overshoot of an active Sallen-Key low-pass filter was examined by ASL model checking with counterexample generation. A transient simulation of this circuit with an input stimulus that completely covers the state space was in turn verified with the ASL specification. A comparison of the new discrete modeling using the trajectory-directed approach with the hyperbox discretization procedure documented a substantial increase in modeling accuracy for the new method. For a charge pump circuit, the startup behavior was verified by model checking, and the ASL specification was additionally applied to the results of a conventional transient simulation. Model checking of the input voltage sensitivity of a voltage controlled oscillator demonstrated the ability of both the new discretization procedure and the specification and verification methodology to operate successfully on complex state space structures. Finally, the new stimulus-based equivalence checking method was demonstrated on a band-pass circuit, a second-order delta-sigma modulator and further circuits, and compared with an existing method.
Despite the existing challenges discussed in this work, which still have to be addressed before the newly presented methodologies can be used industrially, several new methodologies for formalizing analog verification were motivated and successfully implemented as prototypes.
Contents
Acknowledgments i
Abstract iii
Zusammenfassung (German Abstract) vii
List of Tables xviii
List of Figures xxii
List of Algorithms xxiii
List of Symbols and Abbreviations xxv
1 Introduction 1
1.1 Analog Circuit Design Flow 2
1.2 Analog Circuit Analysis and Verification 4
1.3 Formal Verification 4
1.4 Motivating Example 5
1.5 Contributions 7
1.6 Publications 9
1.7 Overview 9
2 System Representation for Verification 11
2.1 System Description 11
2.2 Digital Systems 14
2.3 Analog Systems 16
2.3.1 Device Models 17
2.3.2 Network Analysis using the Modified Nodal Approach 18
2.3.3 Numerical Simulation 19
2.3.4 DAE Index 21
2.3.5 Analog Behavioral Modeling and Hardware Description Languages 21
2.3.6 State Space Representation 24
2.4 Discrete Modeling of Analog Systems 24
2.4.1 Discrete Analog Transition Structure 25
2.4.2 The Discretization Problem for Analog Circuits 27
2.4.3 Hyperbox Discretization 31
2.4.4 Trajectory-Directed Discretization 32
2.4.4.1 Calculating the State Space Partitioning 33
2.4.4.2 Geometric Structure of the State Space Partitions 38
2.4.4.3 Transition Relation of the Hypercells 43
2.4.4.4 Mapping the Trajectory-Directed Partitioning to a DATS 44
2.4.4.5 Duality of the Trajectory-Directed Partitioning 45
2.4.4.6 Handling Input Variables 47
2.4.4.7 Runtime Complexity 48
2.4.4.8 Modeling Error Analysis 50
3 Property Specification for Verification 55
3.1 Basic Definitions 55
3.2 Operational and Declarative Specification 56
3.3 Property Specification for Discontinuous Systems 57
3.3.1 Linear Temporal Logic (LTL) 58
3.3.2 Computation Tree Logic (CTL) 59
3.3.3 Property Specification Language (PSL) 61
3.4 Existing Approaches to Specification of Analog System Properties 62
3.4.1 Specification of Assertions within Analog Hardware Description Languages 63
3.4.2 PSL for Analog Signal Property Specification 64
3.4.3 CTL Specification of Analog Properties in the State Space 64
3.5 Analog Specification Language (ASL) 65
3.5.1 Language Concept 67
3.5.2 EBNF Grammar of ASL 67
3.5.3 Semantics of ASL Operations 69
4 Verification of Systems 75
4.1 Non-Formal Verification 76
4.1.1 Simulation-Based Verification 76
4.1.2 Assertion-Based Verification 76
4.2 Verification Coverage 77
4.2.1 Structural Coverage 79
4.2.2 Functional Coverage 80
4.3 Formal Verification 80
4.3.1 Model Checking 81
4.3.2 Equivalence Checking 82
4.4 Existing Approaches to Non-Formal Analog Circuit Verification 83
4.4.1 Assertion-Based Approaches to Analog Verification 83
4.4.2 Analog Verification Coverage 84
4.4.3 Formalizing the Analog Verification Flow 85
4.5 Existing Formal Approaches to Analog Verification 86
4.5.1 Reachability Analysis and Verification of Analog Circuits 86
4.5.2 Analog Model Checking 87
4.5.3 Analog Equivalence Checking 88
4.5.3.1 The VERA Equivalence Checking Algorithm 90
5 Analog Formal Verification Methodologies 93
5.1 New Verification Methodologies for the Analog Design Flow 93
5.1.1 Verification Methodology Perspective 94
5.1.2 Design Flow Perspective 95
5.2 ASL Property Specification and Verification Methodology 96
5.2.1 Specification of Circuit Overshoot 96
5.2.2 Specification of Oscillation and Voltage Controlled Oscillator Gain K_VCO 98
5.2.3 Specification of the Startup Time of Autonomous Circuits 100
5.3 ASL Property Verification on Transient Simulation Waveforms 101
5.4 Counterexample Generation for Model Checking 103
5.4.1 Counterexample Generation in the ASL Verification Flow 106
5.5 Complete-Coverage Input Stimuli Generation 106
5.5.1 Verification Methodology 109
5.6 Equivalence Checking using Complete-Coverage Input Stimuli 111
5.6.1 Error Measures for Waveform Comparison 112
5.6.2 Automation in the ASL Verification Flow 113
5.7 Multi-Parallel State Space Particle Simulation 114
6 Experimental Results 117
6.1 Implementation 117
6.2 Veriﬁcation of Initial Conditions of a Ring Oscillator . . . . . . . . . . . . 118
6.3 Veriﬁcation of Active Lowpass Filter Overshoot . . . . . . . . . . . . . . 120
6.3.1 Model Checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
6.3.2 Counterexample . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
6.3.3 Complete-Coverage Input Stimulus . . . . . . . . . . . . . . . . . 124
6.3.4 Comparison to Hyperbox Discretization . . . . . . . . . . . . . . . 125
6.3.5 ASL Veriﬁcation on Simulation Waveforms . . . . . . . . . . . . . 126
xvContents
6.4 Veriﬁcation of CMOS Charge Pump Startup Time . . . . . . . . . . . . . 128
6.4.1 Model Checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
6.4.2 ASL Veriﬁcation on Simulation Waveforms . . . . . . . . . . . . . 131
6.5 Model Checking of VCO Gain KVCO . . . . . . . . . . . . . . . . . . . . . 132
6.6 Equivalence Checking with Complete-Coverage Stimuli . . . . . . . . . 134
6.6.1 Biquad Bandpass Filter . . . . . . . . . . . . . . . . . . . . . . . . 135
6.6.2 Second-Order Delta-Sigma Modulator . . . . . . . . . . . . . . . . 136
6.6.3 Further Circuit Examples . . . . . . . . . . . . . . . . . . . . . . . 138
6.7 Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
7 Conclusions 143
7.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
7.2 Challenges and Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . 145
A Appendix 147
A.1 VCO State Space Slices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Bibliography 149
List of Tables
2.1 State transition table for the two-bit down counter. 15
2.2 Comparison of the trajectory-directed discretization and the hyperbox discretization approaches. 53
3.1 Explanation of LTL syntax. 59
3.2 Explanation of CTL syntax. 60
3.3 Explanation of CTL-AT syntax. 65
6.1 Verification results for the modified ring oscillator with results obtained from ASL model checking (MC) and transient analysis (TRA). 119
6.2 Runtimes of the trajectory-directed discretization algorithm for the Sallen-Key lowpass filter. 121
6.3 Verification results calculated by the ASL model checking algorithms on the DATS for the Sallen-Key lowpass filter. 123
6.4 Verification results calculated by the ASL model checking (MC) algorithms on the DATS for the Sallen-Key lowpass filter compared to the ASL evaluation on the transient simulation results (Sim) using a complete-coverage input stimulus. 128
6.5 Runtimes of the trajectory-directed discretization algorithm for the CMOS charge pump. 129
6.6 Comparison between ASL property evaluation on a DATS generated by the trajectory-directed discretization (TDD) method and on simulation waveforms obtained from transient analysis (TRA). 132
6.7 Comparison of the results between ASL model checking and transient analysis for the oscillation period of the VCO at different input voltages. 134
6.8 Comparison of the results between ASL model checking and transient analysis for the gain KVCO of the VCO. 134
6.9 Comparison of the results between equivalence checking by complete state space-covering input stimuli (stimEC) and the transformed state space comparison approach (VERA). 141
6.10 Runtimes of the stimEC equivalence checking approach compared to the approximated simulation runtimes of circuit comparison by systematic simulation. 142
List of Figures
1.1 Y-chart for hierarchical analog design with exemplary synthesis steps. 3
1.2 The synthesis steps in the design flow transfer a specification to an implementation. Every implementation step needs to be analyzed for specification conformance by verification methods. 5
1.3 Modified ring oscillator with an even number of inverter stages and cross-coupling. 6
1.4 Transient responses of the ring oscillator for transistor ratio α/β = 1.95. 7
1.5 State space trajectories of initial conditions leading into the non-oscillating steady states for transistor ratio α/β = 1.95. 8
2.1 General illustration of a system. 12
2.2 Circuit schematic for the two-bit down counter (a) and the corresponding state transition graph (b). 16
2.3 Simple nonlinear analog circuit example with input voltage Vin, resistor R1, diode D1 and capacitor C1. 19
2.4 Schematic of the CMOS implementation of the charge pump circuit (a) and simplified macro model (b). 22
2.5 Transient startup response of the transistor netlist charge pump (solid line) and the simplified model (dashed line). 23
2.6 Schematic illustration of a graph structure representing a DATS. 27
2.7 Illustration of a vector field with paraxial flow. 33
2.8 Illustration of a non-paraxial vector field flow with a trajectory-directed state space partitioning. 34
2.9 Schematic visualization of the process of determining the trajectory-orthogonal point sets q(a) and q(b) in a two-dimensional space. 37
2.10 Illustration of the orthogonal sets constructed around the transition vectors in a three-dimensional state space. 38
2.11 Illustration of a hypercell object in a three-dimensional space. 40
2.12 Basis vector sets for each vertex of a hypercell facet for determination of the position of point p with respect to the facet. 41
2.13 Curved surface in a three-dimensional space representing a facet of a cell. 42
2.14 Schematic illustration of contracting and expanding vector field flow, with the corresponding partitioning and the successor relation for the hypercells. 44
2.15 Illustration of a two-dimensional vector field with calculated transition endpoints as boxes and the quadrilateral enclosed regions of the state space. 46
2.16 Schematic illustration of a DATS with a possible input change-induced transition path (a). The corresponding input signal (b) and output signal (c) is assumed for this path. 48
3.1 Property space with specification and performances. 56
3.2 Illustration of the LTL operation semantics. 59
3.3 Illustration of the CTL operation semantics. 60
3.4 Illustration of ASL algorithms transition, oscillation and delta compare. 73
4.1 Simulation-based verification flow. 77
4.2 Assertion-based verification flow. 78
4.3 Illustration of structural coverage. 80
4.4 Model checking flow. 81
4.5 Comparison of verification coverage in the state space by test bench-based transient simulation and formal verification. 85
4.6 Structure of the VERA equivalence checking methodology. 91
5.1 Analog verification framework for different verification methodologies. 94
5.2 New verification methodologies in the analog design flow. 96
5.3 Overshoot of the output voltage caused by a trajectory in the state space. 97
5.4 Oscillation in the time domain (a), in the continuous state space (b) and in the DATS (c). 98
5.5 Schematic illustration of oscillations for different input voltages V1, V2, V3 and V4. 99
5.6 Schematic illustration of startup transition paths. 101
5.7 Graph structure obtained by transient simulation waveforms. 103
5.8 Periodic transient signal waveforms s1(t) (a) and s2(t) (b). State space representation of periodic signals s1(t) and s2(t) (c). 103
5.9 ASL assertion-based verification flow for transient simulation results transferred to a state space representation. 104
5.10 Path generated by the stimuli generation algorithm (a) and the corresponding input/output behavior (b). 109
5.11 Complete-coverage input stimuli generation and verification flow. 110
5.12 Equivalence checking flow using complete state space-covering input stimuli. 113
5.13 Determining nearest sample point q2 in state space for particle p1 within discrete vector field VD. 115
5.14 Particle simulation for the two-dimensional state space of an oscillator circuit with increasing time from (a) to (d). 116
6.1 Transition vectors between states of the detected oscillation set and non-periodic steady states of the modified ring oscillator detected by model checking for α/β-ratio 1.95 (a). Particle simulation visualizing the oscillation trajectory and the non-periodic steady states (b). 120
6.2 Circuit schematic of Sallen-Key biquad lowpass filter. 121
6.3 Reachable state space of the Sallen-Key biquad lowpass filter. 122
6.4 Transient response to the counterexample input stimulus of the Sallen-Key biquad lowpass filter. 124
6.5 Complete generated input stimulus and transient output response of the Sallen-Key biquad lowpass filter. 124
6.6 Transient response to the generated input stimulus of the Sallen-Key biquad lowpass filter plotted over VC1 and VC2. 125
6.7 Excerpt of the transient response to the complete-coverage input stimulus of the Sallen-Key biquad lowpass filter with the expected response generated by the trajectory-directed discretization approach. 126
6.8 Transient response to the complete-coverage input stimulus of the Sallen-Key biquad lowpass filter with the expected response generated by the hyperbox discretization approach. 127
6.9 Circuit schematic of the CMOS charge pump. 128
6.10 Transient output waveform of the CMOS charge pump circuit. 129
6.11 Startup trajectory projected to VC1, VCload and Vclk, identified by evaluating the ASL property specification on the DATS of the charge pump. 130
6.12 Transient simulation waveforms of the charge pump for VC1, VCload and Vclk transferred into a DATS representation for application of ASL verification algorithms. 131
6.13 Circuit schematic of the voltage controlled oscillator. 132
6.14 Oscillation areas of the voltage controlled oscillator at different control voltages. 133
6.15 Circuit schematic of the biquad bandpass filter circuit netlist. 136
6.16 Complete generated input stimulus and transient output response of the biquad bandpass filter transistor netlist (Output A) and VHDL-AMS behavioral model (Output B). 137
6.17 Transient response to the generated input stimulus of the biquad bandpass filter plotted over VC1 and VC2. 137
6.18 Circuit schematic of the second-order delta-sigma modulator. 138
6.19 Simple behavioral model for the second-order delta-sigma modulator using an allpass filter for signal delay modeling. 138
6.20 Transient response to the generated input stimulus of the delta-sigma modulator transistor netlist plotted over VC1 and VC2. 139
A.1 State space slices with all state transitions for input voltages 0.66 V (a), 0.83 V (b), 1.00 V (c) and 1.17 V (d) showing the adaption of the trajectory-directed discretization to the changed transition structure. 148
List of Algorithms
1 Trajectory-Directed Partitioning Algorithm. 39
2 ASL Transition Algorithm. 71
3 ASL Oscillation Algorithm. 71
4 ASL Delta compare Algorithm. 72
5 Counterexample Generation Algorithm. 105
6 Complete-Coverage Input Stimuli Generation Algorithm. 108
7 Particle Simulation Algorithm. 115
List of Symbols and Abbreviations
Notation
x Scalar value x ∈ ℝ
x (bold) Vector x = (x_1, x_2, ..., x_n)^T ∈ ℝ^n
A Matrix A ∈ ℝ^(n×n)
|x| Absolute value of x
[x] Interval [x] = [x̲, x̄] with lower bound x̲ and upper bound x̄
‖x‖ Vector norm of x
ẋ Temporal derivative of x(t)
f() Function returning a scalar
f() (bold) Function returning a vector
Symbols
a Vertices constraining a partition of the trajectory-directed discretization
α, β Scalar factors
B Orthogonal basis
C Runtime complexity
deg Out-degree
Δ_rs Length difference ratio between two vectors v_r and v_s
ε Error function
ε_Δ Mean direction error
ε_θ Mean length error
ε_suc Mean successor relation error
J Jacobian matrix
k Number of state space partitions (Section 2.4)
κ Approximated number of sample points of the trajectory-directed discretization in one dimension
L Labeling function
L_A Labeling function of the DATS for the atomic propositions
L_T Labeling function of the DATS for the atomic transition propositions
L_V Labeling function of the DATS for the extended state space variable values
L_X Labeling function of the DATS for the DAE system's inner variable values
M Model
n_d Number of dimensions of the extended state space z^(e)
n_u Number of input variables in u
n_y Number of output variables in y
n_z Number of linearly independent state space variables in z
O Asymptotic upper complexity bound
P Property space
P_spec Specification
π Ordered sequence of states π = σ_1, σ_2, ..., σ_n representing a directed state path
Π Set of paths Π = {π_1, π_2, ..., π_n}
φ, ψ Formula in a specification logic
p, q Points in Z
R Transition relation
R Partition of Z
ℝ Set of all real numbers
r User-defined scalar value
S System
Σ Unordered set Σ = {σ_1, σ_2, ..., σ_n} of states
T Temporal labeling function for the edges of a DATS
θ_rs Angle between two vectors v_r and v_s
u Vector u = (u_1, u_2, ..., u_{n_u})^T of input variables
V Continuous vector field in ℝ^{n_d}
v Direction vector
x Vector x = (x_1, x_2, ..., x_{n_x})^T of inner variables of a system
y Vector y = (y_1, y_2, ..., y_{n_y})^T of output variables
z Vector z = (z_1, z_2, ..., z_{n_z})^T of linearly independent state space variables
z^(e) Vector z^(e) = (z^T, u^T)^T of extended state space variables
Z Infinite point set in ℝ^{n_d}
ℤ Set of all integer numbers
Abbreviations
ABV Assertion-Based Verification
AC Alternating Current
AMS Analog/Mixed-Signal
AP Atomic Proposition
ASL Analog Specification Language
ATPG Automatic Test Pattern Generation
AVF Analog Verification Framework
BCE Branch Constitutive Equation
BDD Binary Decision Diagram
BE Backward Euler
BMD Binary Moment Diagram
CCIS Complete-Coverage Input Stimuli
CMOS Complementary Metal Oxide Semiconductor
CTL Computation Tree Logic
DAE Differential Algebraic Equation
DATS Discrete Analog Transition Structure
DC Direct Current
DUV Design Under Verification
EBNF Extended Backus-Naur Form
EC Equivalence Checking
EDA Electronic Design Automation
FE Forward Euler
HDL Hardware Description Language
KCL Kirchhoff's Current Law
KVL Kirchhoff's Voltage Law
LIC Line Integral Convolution
LTE Local Truncation Error
LTL Linear Temporal Logic
MC Model Checking
MNA Modified Nodal Analysis
MOSFET Metal-Oxide-Semiconductor Field-Effect Transistor
NP Nondeterministic Polynomial Time
NR Newton-Raphson
ODE Ordinary Differential Equation
OVL Open Verification Library
PL List of accepted partitioning points
PSL Property Specification Language
RF Radio Frequency
RTCTL Real Time Computation Tree Logic
SAT Satisfiability Problem of Boolean Formulas
SERE Sequential Extended Regular Expression
SMV Symbolic Model Verifier
SPICE Simulation Program with Integrated Circuit Emphasis
STL Signal Temporal Logic
SVA SystemVerilog Assertions
TDD Trajectory-Directed Discretization
TR Transient
TRA Transient Analysis
VCO Voltage Controlled Oscillator
VHDL Very High Speed Integrated Circuit Hardware Description Language
WL Waiting List
1 Introduction
Electronic devices pervade our everyday life. As the dependency on electronics keeps increasing, so do the consequences of errors in such electronic systems. The severity ranges from a dropped phone call to a possible airplane crash caused by a faulty electronic component. Even in non-safety-critical cases, errors in electronic systems have an economic dimension: the cost of missed design flaws can decide whether a company stays competitive or not.
Due to increasing system complexity and decreasing time to market, design verification has become an ever more crucial part of the electronic circuit design flow. While formal verification methods are established in the digital domain, industrial analog circuit design flows lack formal, or at least formalized, verification methodologies. Analog circuit verification still depends on the designer's experience and expertise to manually define appropriate test benches for simulation-based design flows and to select the right input signals in order to detect possible design errors.
In contrast to the common perception of digital circuits dominating today’s elec-
tronic devices, the importance of analog circuits and especially of analog circuit design
is increasing. This is due to the fact that most electronic circuits are nowadays mixed-
signal systems, using analog interfaces to the external environment in combination
with a digital core. Moreover, with decreasing feature sizes, not only the relative per-
centage of the not equally-scaling analog part of mixed-signal designs increases, but
also the analog behavior of digital circuit components becomes more and more critical.
Finally, important parts of digital systems such as clock generators have always been
designed on the analog level.
Hence, driven by the perennial demand for higher design efficiency, new methodologies offering more automation of the analog verification process are of vital importance.
While approaches to assertion-based simulation are emerging, they mainly automate previously manual effort and do not target the fundamental problem of analog circuit verification: verification coverage. Today's established verification methodology analyzes the circuit's behavior by simulation using test benches. Specification conformance is checked by performing several transient simulations with input signals that are considered representative of the future operating conditions of the circuit. Although this approach to discovering design errors has been working for decades, redesigns have frequently been necessary because some critical behavior of the circuit was missed during simulation.
There has been signiﬁcant progress in several areas of electronic design automation
(EDA) for analog circuits. Some complex tasks such as sizing, placement and design
centering have been addressed by EDA-vendors, now being available as automated
tools which are fully integrated into the design ﬂow. These tools are exploiting algo-
rithmic concepts which by far outperform manual approaches. By contrast, the area of
analog design veriﬁcation is not yet systematically covered by existing tools.
Therefore, the goal of this thesis is to advance the field of formal verification methodologies for analog circuits in order to contribute to the development and future productive application of analog formal verification methodologies.
1.1 Analog Circuit Design Flow
The objective of the design flow for analog circuits is to transfer a functional specification of the design into a physical implementation satisfying the specification. Between the initial specification and the final implementation, several design steps are required in order to hierarchically partition the complex tasks into solvable portions.
For a classification of the design abstraction levels and the design domains, the application of the Y-chart to the analog design task offers a structured approach to this hierarchy [GDWL92, HBKK94]. The Y-chart consists of three views which constitute the functional domain, the structural domain and the physical domain. Different levels of abstraction range from the top-level concept layer to the low-level component layer. Descending from higher abstraction levels to lower levels by increasing the overall complexity of the design is regarded as synthesis. Comparing the conformance of lower levels of abstraction with higher levels or different domains is regarded as analysis. Figure 1.1 shows the Y-chart for the analog design flow with a possible top-down design flow from the functional specification to the physical implementation, which will be explained in the following.
[Figure 1.1: Y-chart with the axes Functional Domain, Structural Domain and Physical Domain and the abstraction layers Concept, Algorithm, Macro and Component; labels in the figure: System Specification, Algorithms, Transfer Functions, Differential Equations, Block, Circuit, Device, Partitioning, Floorplan, Cells, Polygons.]
Figure 1.1: Y-chart for hierarchical analog design with exemplary synthesis steps.
Starting in the functional domain with a specification on the concept layer, the algorithms describing the circuit's behavior are determined by descending to the algorithm layer in the functional domain. For the selected algorithms, the top-level building blocks are allocated by a transition to the structural domain, and the topology of these analog blocks has to be generated or is selected from existing libraries. The functional design of the analog blocks is determined by the transfer functions on the macro layer, altogether forming the desired behavior of the previously selected analog system algorithms. The transition back to the structural domain maps the transfer functions to circuit structures, which are then represented by devices on the component layer. The topology of the circuit structures in conjunction with the parameters of the component devices determines the behavior of the circuit. The selection of device parameters in order to meet the specification for a given topology is referred to as circuit sizing. Finally, the devices and their topology have to be transferred to polygons in the physical domain. This process is the layout generation, determining the geometry of the physical structures in silicon for production of the resulting integrated circuit.
From the design synthesis point of view, three main steps characterize the design flow: topology selection or generation, circuit sizing and layout generation. On the other hand, for each synthesis step, it must be assured that the design still satisfies the specification. Hence, functional equivalence across abstraction level changes or domain changes is mandatory for a successful design flow, which by definition is provided by analysis. Therefore, analysis is the central tool for assuring the validity of every design step.
1.2 Analog Circuit Analysis and Verification
Within the terminology of the Y-chart design flow, the term analysis describes the checking of the synthesis steps to retain functional equivalence with higher abstraction levels and hence with the specification. While in abstract theory this definition is sufficient, in practice, circuit analysis is a multi-faceted issue.
The central tool for circuit analysis is simulation. By simulation, for a given circuit in form of its mathematical representation, the reaction to input excitations is calculated. Different types of simulations offer direct current (DC), alternating current (AC) and transient (TR) analysis.
In DC analysis the system reaction in its steady state (t → ∞) is observed. Hence, the steady state characteristics of a circuit can be analyzed by a DC analysis sweep over an input interval. AC analysis considers the frequency response of linear systems or of nonlinear systems linearized at their operating points. Being the most complex and therefore computationally most intensive analysis, TR simulation calculates the dynamic transient response of the circuit to a piecewise linear input stimulus over time. For this purpose, the implicit nonlinear differential equation system describing the circuit is transferred to a system of difference equations by numerical integration. This system of difference equations, together with the input values at the specific time point, can then be solved by the Newton-Raphson method. Implementing the described analysis methods, the ancestor of most modern analog circuit simulators is SPICE (Simulation Program with Integrated Circuit Emphasis) [Nag75].
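The sequence just described, numerical integration of the circuit equations followed by a Newton-Raphson solution of every time step, can be made concrete on a single nonlinear node. The following Python code is an added illustration and is not code from this thesis or from SPICE. It models a series resistor R1 feeding a node that is loaded by a diode D1 and a capacitor C1 to ground; the topology, the component values, the Shockley diode parameters and the step input are assumptions made for this illustration (the thesis' Figure 2.3 only names such a circuit, it is not reproduced here). The DC operating point solves the node's KCL with the capacitor current set to zero, the transient analysis discretizes the same KCL with backward Euler (BE) and solves each resulting nonlinear difference equation by a damped Newton-Raphson (NR) iteration. The step size is fixed; a production simulator additionally adapts it from the local truncation error.

```python
import math

# Constructed component values (assumptions for this illustration, not taken from the thesis).
R1 = 1.0e3       # series resistance in ohm
C1 = 1.0e-6      # node capacitance in farad
I_S = 1.0e-14    # diode saturation current in ampere
V_T = 0.02585    # thermal voltage in volt (about 300 K)


def diode(v):
    """Shockley branch constitutive equation: returns (i_D(v), di_D/dv)."""
    e = math.exp(v / V_T)
    return I_S * (e - 1.0), I_S * e / V_T


def newton_raphson(residual, v0, tol=1e-10, max_iter=200, step_limit=0.1):
    """Solve residual(v) == 0 for a scalar v. residual(v) returns (f, df/dv).
    The update is clamped to +/- step_limit volt (voltage limiting): the exponential
    diode equation would otherwise let one bad step overflow math.exp."""
    v = v0
    for _ in range(max_iter):
        f, df = residual(v)
        dv = max(-step_limit, min(step_limit, -f / df))
        v += dv
        if abs(dv) < tol:
            return v
    raise RuntimeError("Newton-Raphson iteration did not converge")


def dc_operating_point(v_in):
    """DC analysis (t -> infinity): no capacitor current, KCL reads (v_in - v)/R1 - i_D(v) = 0."""
    def residual(v):
        i_d, g_d = diode(v)
        return -(v_in - v) / R1 + i_d, 1.0 / R1 + g_d
    return newton_raphson(residual, 0.0)


def backward_euler_step(v_prev, v_in_next, h):
    """One transient step. KCL C1*dv/dt = (v_in - v)/R1 - i_D(v) is discretized with BE,
    C1*(v_next - v_prev)/h = (v_in(t+h) - v_next)/R1 - i_D(v_next), and solved for v_next by NR."""
    def residual(v):
        i_d, g_d = diode(v)
        f = C1 * (v - v_prev) / h - (v_in_next - v) / R1 + i_d
        return f, C1 / h + 1.0 / R1 + g_d
    return newton_raphson(residual, v_prev)


def piecewise_linear(points):
    """Piecewise linear input stimulus from (time, value) breakpoints, constant beyond both ends."""
    def v_in(t):
        if t <= points[0][0]:
            return points[0][1]
        for (t0, x0), (t1, x1) in zip(points, points[1:]):
            if t <= t1:
                return x0 + (x1 - x0) * (t - t0) / (t1 - t0)
        return points[-1][1]
    return v_in


def transient(v_in, t_end, h, v0=0.0):
    """Fixed-step transient analysis. Returns the list of (t, v_C1) samples including t = 0."""
    n_steps = int(round(t_end / h))
    samples = [(0.0, v0)]
    v = v0
    for k in range(1, n_steps + 1):
        t = k * h
        v = backward_euler_step(v, v_in(t), h)
        samples.append((t, v))
    return samples


if __name__ == "__main__":
    # Constructed stimulus: a 1 V step applied at t = 0 and held for the whole run.
    stimulus = piecewise_linear([(0.0, 0.0), (1e-9, 1.0)])
    for t, v in transient(stimulus, 10e-3, 1e-5)[::200]:
        print(f"t = {t * 1e3:6.2f} ms  v_C1 = {v:.4f} V")
    print(f"DC operating point: {dc_operating_point(1.0):.4f} V")
```

Early in the response the diode is off and the node follows the familiar RC charging curve; later the diode clamps the node near 0.63 V, and the fixed point of the BE recursion coincides with the DC operating point, which is the relation between DC and transient analysis the text relies on.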
While the capability of analyzing the behavior of analog circuits is the basis of analog circuit verification, methodologies that systematically apply simulations are necessary in order to meet the verification tasks arising from the transitions within the design flow. Thus, in this context, verification can be considered as the systematic application of simulations in order to detect behavioral differences between the abstraction levels or design domains. Figure 1.2 illustrates the relationship between synthesis and analysis in the design flow.
[Figure 1.2: Specification and Implementation, linked by Synthesis/Design and Analysis/Verification.]
Figure 1.2: The synthesis steps in the design flow transfer a specification to an implementation. Every implementation step needs to be analyzed for specification conformance by verification methods.
1.3 Formal Verification
In order to detect design errors, non-formal verification procedures analyze whether the design under verification (DUV) corresponds to a specification or a reference design, using a finite number of verification test cases with the external conditions of the DUV defined in a test bench.
In contrast, formal verification does not search for deviations between DUV and specification but proves the absence of any deviation for all possible states and input conditions of the DUV. Depending on the verification task, there are two major approaches to formal verification: model checking (MC) and equivalence checking (EC).
Model checking algorithms prove that the model M of the DUV is correct for every possible input stimulus and internal state of the system with respect to a property specification Pspec specified in a machine-readable specification language. In MC terminology, the model then satisfies the property specification: M ⊨ Pspec. If the model does not satisfy the specification, all erroneous states are detected and counterexamples in the form of state transitions to these erroneous states can be returned.
Equivalence checking proves the general functional equality of two implementa-
tions of a design. The implementations can be of different abstraction levels and dif-
ferent description methods such as transistor netlists and hardware description lan-
guages.
As will be motivated in this thesis, the concept of formal verification can be generalized from specific algorithmic approaches such as model checking or equivalence checking to the idea of verification coverage. Any verification approach that obtains results holding for every input signal and every state of the DUV is then considered formal verification, as it covers the complete behavior a DUV can exhibit.
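What "all erroneous states are detected and counterexamples can be returned" means for model checking is easiest to see on a finite transition structure, which is also the form in which this thesis later represents analog state spaces (the discrete analog transition structure, DATS). The Python code below is an added illustration, not the thesis' ASL algorithms: the transition structure is a constructed toy graph whose states stand for discretized state space regions, oscillation sets are recovered as strongly connected components with more than one state, non-periodic steady states as single states that only map to themselves, and the property "from every state an oscillation is eventually reached" (CTL: AF oscillation) is evaluated as a least fixpoint over the graph. Every violating state receives a counterexample path that never enters the oscillation, which is the information a designer needs to reproduce the failure in simulation.

```python
# Constructed transition structure (assumption for this illustration; not the DATS of the
# ring oscillator in the thesis). Keys are states, values are their successor states.
TRANSITIONS = {
    "s0": ["s1"],
    "s1": ["s2"],
    "s2": ["s3"],
    "s3": ["s1"],         # s1 -> s2 -> s3 -> s1 is a periodic steady state (oscillation)
    "s4": ["s1", "s5"],   # from s4 a trajectory may enter the oscillation or drift away
    "s5": ["s6"],
    "s6": ["s6"],         # non-periodic steady state (DC operating point) as a self-loop
    "s7": ["s0"],
}


def strongly_connected_components(graph):
    """Tarjan's algorithm. Returns the SCCs of the graph as a list of frozensets."""
    index, low, on_stack, stack, result = {}, {}, set(), [], []
    counter = 0

    def visit(v):
        nonlocal counter
        index[v] = low[v] = counter
        counter += 1
        stack.append(v)
        on_stack.add(v)
        for w in graph.get(v, ()):
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            result.append(frozenset(comp))

    for v in graph:
        if v not in index:
            visit(v)
    return result


def classify_steady_states(graph):
    """Oscillation sets are SCCs with more than one state; non-periodic steady states are
    single states whose only continuation is themselves. Returns (oscillating, stationary)."""
    oscillating, stationary = set(), set()
    for comp in strongly_connected_components(graph):
        if len(comp) > 1:
            oscillating |= comp
        else:
            (s,) = comp
            if s in graph.get(s, ()):
                stationary.add(s)
    return oscillating, stationary


def always_finally(graph, target):
    """States satisfying the CTL formula AF target, computed as a least fixpoint: a state is
    added once all of its successors are already in the set. Deadlock states never qualify."""
    sat = set(target)
    changed = True
    while changed:
        changed = False
        for s, succ in graph.items():
            if s not in sat and succ and all(w in sat for w in succ):
                sat.add(s)
                changed = True
    return sat


def counterexample(graph, sat, start):
    """Path from a violating state that never enters sat. Every violating state has a violating
    successor (or none at all), so the walk stays outside sat; the structure being finite,
    it closes a loop or ends in a deadlock."""
    path = [start]
    while True:
        succ = [w for w in graph.get(path[-1], ()) if w not in sat]
        if not succ:
            return path
        path.append(succ[0])
        if succ[0] in path[:-1]:
            return path


def check_oscillation_from_everywhere(graph):
    """Model check M |= AF oscillation for every state of M and report counterexamples."""
    oscillating, _ = classify_steady_states(graph)
    sat = always_finally(graph, oscillating)
    bad = set(graph) - sat
    return {
        "holds": not bad,
        "bad_states": bad,
        "counterexamples": {s: counterexample(graph, sat, s) for s in sorted(bad)},
    }


if __name__ == "__main__":
    verdict = check_oscillation_from_everywhere(TRANSITIONS)
    print("property holds:", verdict["holds"])
    for s, path in verdict["counterexamples"].items():
        print(f"  {s}: " + " -> ".join(path))
```

On the toy graph the check fails for s4, s5 and s6: s4 is reported even though one of its successors leads into the oscillation, because AF demands that every continuation does, which is exactly the universal quantification over initial conditions that a finite set of simulation runs cannot provide.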
1.4 Motivating Example
The following motivating example will illustrate that conventional analog circuit simulation within a test bench setup can lead to wrong verification conclusions and how, in contrast, a complete formal verification using some of the methodologies developed in this thesis can identify hidden design errors.
[Figure 1.3: four inverter stages I, II, III and IV in a feedback chain with transistor size factor α, cross-coupled by bridges with size factor β.]
Figure 1.3: Modified ring oscillator with an even number of inverter stages and cross-coupling.
When a finite number of simulations with input stimuli or initial conditions is conducted and the expected behavior of the circuit is validated by these simulations, the circuit is, in today's industrial verification practice, assumed to be successfully verified, due to the lack of formal verification tools. However, as pointed out in the previous section, not finding a specification violation in simulation runs cannot prove that the specification is satisfied under all circumstances.
The example circuit illustrated in Figure 1.3 is a modified ring oscillator with an even number of inverter stages and cross-coupling [JKK08]. Due to the bridges β, the circuit oscillates if the ratio α/β of the transistor sizes in the feedback chain to those of the bridges lies within the interval [0.4, 2.0].
This circuit had in fact been considered successfully verified by transient simulation with a set of predefined initial conditions and went into production. Only after tapeout was its crucial property discovered: certain initial conditions prevent it from oscillating when the α/β ratio reaches or exceeds the interval boundaries. These particular initial conditions had not been covered by the simulation runs during verification. For two different initial conditions, the simulation runs are illustrated in Figure 1.4.
The critical behavior with certain initial conditions could have been detected by applying the formal verification approaches developed in the scope of this thesis. In order to demonstrate this, a formal property verification of the circuit was performed using the ASL verification methodology (introduced in Section 5.2) on a discrete state space model generated with the trajectory-directed approach (introduced in Section 2.4.4). For the transistor ratios 1.05, 1.35 and 1.65, no initial conditions violating the oscillation behavior are reported by the verification algorithms.
In contrast to the oscillation starting from every initial condition with transistor ratios 1.05 to 1.65, for transistor ratio 1.95 the formal verification method detects initial conditions for which the circuit will not run into an oscillation. This area of nontrivial bad initial conditions is illustrated in Figure 1.5, projected to the state space
[Figure 1.4 (plots not reproduced): panels (a) and (b) showing $V_{II}$ [V] over t [ns] from 0 to 20 ns]
Figure 1.4: Transient responses for the node voltage $V_{II}$ of the ring oscillator for transistor ratio α/β = 1.95. With initial conditions $V_I, V_{II}, V_{III} = 0$ V and $V_{IV} = 0.5$ V, the circuit oscillates (a). With the initial conditions $V_I = 3.33444$ V, $V_{II} = 1.49605$ V, $V_{III} = 3.16195$ V, $V_{IV} = 0.207917$ V detected by formal verification, the circuit does not oscillate (b).
variables $V_I$, $V_{II}$ and $V_{III}$. The non-oscillating behavior shown in Figure 1.4(b) was identified by transient simulations starting from the set of these initial conditions.
1.5 Contributions
With the objective of advancing the state of the art in the ﬁeld of analog formal veriﬁ-
cation, this thesis presents a framework of new formal veriﬁcation methodologies for
the analog circuit design ﬂow. The contributions will be outlined in the following.
In order to formalize speciﬁcations of analog circuit properties for automated ver-
iﬁcation approaches, a new Analog Speciﬁcation Language (ASL) is introduced with
a designer-oriented syntax but also with semantics satisfying the demands of formal
property veriﬁcation algorithms. Therefore, the model checking tool ASL-MCT (Ana-
log Speciﬁcation Language model checking tool), implementing the ASL veriﬁcation
algorithms, was developed to build an ASL-based model checking framework for ana-
log complex property veriﬁcation based on models obtained by a discrete modeling
approach. ASL model checking offers a syntax much easier understandable than CTL-
based temporal logic speciﬁcation and the expressiveness of ASL for analog circuit
properties is signiﬁcantly higher. A state space-based speciﬁcation methodology de-
veloped in conjunction with ASL offers speciﬁcation reuse by building up a library
of parameterizable macros. Regression veriﬁcation is offered by a high level asser-
tion layer, allowing the combination of several property veriﬁcations to an automated
verification run with a detailed verification report. For identified design errors, counterexamples in form of piecewise linear input stimuli can be automatically generated in
[Figure 1.5 (plot not reproduced): three-dimensional state space with axes $V_I$, $V_{II}$, $V_{III}$]
Figure 1.5: State space trajectories of initial conditions leading into the non-oscillating steady states for transistor ratio α/β = 1.95.
order to give the circuit designer the possibility of conducting a conventional transient
simulation that leads to the error state.
ASL model checking increases the possible analog properties that can be specified and verified on discrete state space models. Nevertheless, the state-of-the-art discrete modeling approach [HHB02a] based on hyperbox binary space partitioning of the
modeled circuit’s state space limits the complexity of the circuits that can be modeled.
Therefore, a new approach for improving the discrete model generation is developed
in the scope of this thesis, increasing modeling precision and therewith reducing the
number of state computations necessary for the generated model. The new approach
is based on trajectory partitioning of the state space, letting the ﬂow of the state space
dynamics deﬁne the boundaries of the state space partitions forming the system states.
In order to apply ASL-based speciﬁcations to today’s non-formal test bench-based
simulation ﬂows, a method to transfer conventional simulation waveforms to a state
space representation was developed. Therewith, proﬁting from formalized property
speciﬁcation and veriﬁcation is possible within the established non-formal industrial
design ﬂows, transferring the ASL speciﬁcation methodology to assertion-based veri-
ﬁcation. As will be presented, ASL property speciﬁcations can be exchanged without
modiﬁcations between formal ASL model checking and transient simulation wave-
form evaluation.
In conjunction with the counterexample generation algorithms for ASL veriﬁca-
tion, a new method of complete state space-covering input stimuli generation was
developed. On the discrete state space, a traversal algorithm efﬁciently visits every
reachable state of the state space, recording the piecewise linear input stimulus that is
necessary to bring the circuit into this state during a transient simulation. Therewith, a
transient simulation with complete coverage of the circuit’s state space is obtained and
the beneﬁts of a complete, hence formal, veriﬁcation approach can be provided within
a conventional transient simulation-based veriﬁcation ﬂow. By evaluating these tran-
sient simulation results with the aforementioned ASL veriﬁcation on transient simula-
tion results, an alternative to the model checking approach for formal analog property
veriﬁcation is given.
Moreover, based on the complete state space-covering input stimuli generation, an
analog equivalence checking methodology has been developed. By generating such
stimuli for each of the two systems under veriﬁcation A and B and simulating each
system with the stimuli generated for A and B, the level of equivalence of both systems
can be determined by the deviation of the transient responses. Due to the complete
state space-covering input stimuli bringing each of the systems to all of its reachable
states, a formal equivalence checking methodology is given. As an advantage over
other approaches, the level of abstraction between the two systems under veriﬁcation
is not restricted.
A tool for visualization of the state space and its dynamics by application of a par-
ticle simulation algorithm was developed for visually exploring the state space prop-
erties veriﬁed with the aforementioned formal veriﬁcation approaches.
1.6 Publications
Parts of this thesis have been published in [SJH06, SH08a, SH08b, SPH09, SH09,
SH10b]. The analog model checking approach based on the development of the analog
speciﬁcation language (ASL) is detailed in [SJH06, SH08b]. The applicability of ASL
speciﬁcations to transient simulation waveforms transformed to a state space repre-
sentation has been demonstrated in [SH09]. The foundations of state space-directed
transient simulation for veriﬁcation with complete-coverage input stimuli have been
introduced in [SH08a] and their extension to an analog equivalence checking approach
is presented in [SH10b]. Supporting the veriﬁcation insight, state space visualization
and visualized particle simulation is introduced in [SPH09].
1.7 Overview
The remainder of this thesis is organized as follows. Chapter 2 discusses approaches
to system representation for veriﬁcation with emphasis on discrete modeling of analog
circuits which is essential for application of the veriﬁcation algorithms developed in
this thesis. In Chapter 3, approaches to property speciﬁcation are analyzed with the
goal of ﬁnally developing an analog speciﬁcation language. The existing approaches
to non-formal and formal system veriﬁcation are described in Chapter 4 in order to in-
troduce new methodologies for formal veriﬁcation of analog circuits in Chapter 5. The
experimental results obtained by application of the new veriﬁcation methodologies to
example circuits are discussed in Chapter 6. In Chapter 7, conclusions and suggestions
for future work are given.
2 System Representation for Verification
Electronic systems can be hierarchically divided into several classes. The most gen-
eral distinction is made between discontinuous and continuous systems, commonly
referred to as digital and analog systems. While digital systems are characterized by
discrete time steps with a clocked or event-based time domain, analog system classes
are distinguished by the type of differential equation system required for describing
their continuous behavior in time and values.
In contrast to experiment-based static or transient dynamic network analysis, ana-
log formal veriﬁcation techniques require a state space representation of the system
dynamics which cannot be acquired in an analytical way. Hence, discrete modeling
approaches for nonlinear analog systems are mandatory.
This chapter introduces the basic representations of electronic systems and the
modeling methods for applying analysis and veriﬁcation techniques. Emphasis is put
on developing a new trajectory-directed discrete modeling approach for nonlinear analog circuits.
2.1 System Description
Starting with a more general system concept, the deﬁnition of analog circuits and their
relevant characteristics is developed based on the classiﬁcation of general system char-
acteristics. Therefore, fundamentals such as the deﬁnition of signals and signal types,
system types and the state space of a system will be introduced.
Deﬁnition 2.1.1 (System)
A system S maps a vector of inputs u and inner variables x to a vector of output vari-
ables y with the operator relation
y = S(u,x) (2.1)
as illustrated in Figure 2.1. The inputs represent the system excitation and the outputs
represent the system reaction.
[Figure 2.1 (diagram not reproduced): block "System S" with inputs $u_1, u_2, \ldots, u_{n_u}$, outputs $y_1, y_2, \ldots, y_{n_y}$ and inner variables x]
Figure 2.1: General illustration of a system S with input variable vector $u = (u_1, u_2, \ldots, u_{n_u})^T$, output variable vector $y = (y_1, y_2, \ldots, y_{n_y})^T$ and the vector of inner variables $x = (x_1, x_2, \ldots, x_{n_x})^T$.
While this deﬁnition of a system deﬁnes the basic relation of system variables, a
more detailed deﬁnition is needed for quantifying their characteristics in form of in-
formation. The information of the inputs and outputs of a system, as well as the inner
variables, are in the following deﬁned by signals.
Deﬁnition 2.1.2 (Signal)
A signal is the variation of information over another quantity such as time. Signals can
be of time-continuous or time-discontinuous form, which means that the time domain
of the signal function f is either deﬁned as f(t) with t ∈ R or f[n] with integer-valued
n ∈ Z. An analog electrical signal is the continuous variation of an electrical quantity
over time.
An important characteristic of a system is whether there is a dependency between
the time when an input signal occurs and the reaction the system exhibits. For this
purpose, the class of time-invariant systems has to be deﬁned.
Deﬁnition 2.1.3 (Time-Invariant System)
The output of a time-invariant system does not depend on the absolute time of the
occurrence of an input signal. If the input is shifted by time δ, a time shift of δ of the
output occurs:
y(t) = S(u(t)) ⇔ y(t + δ) = S(u(t + δ)) (2.2)
With the previous deﬁnition of time-invariant systems, it is now possible to distin-
guish two major classes of systems: static and dynamical systems.
Deﬁnition 2.1.4 (Static / Dynamical System)
If the output of a time-invariant system at each point in time is only depending on the
current input at that time, it is a static (memoryless) system:
y(t) = S(u(t)) (2.3)
If a system is depending on internal states that are part of the vector of inner vari-
ables x determined by previous input values, it is a dynamical system:
y(t) = S(u(t),x(t)) with x(t) = f(u(τ),x(τ)) for 0 ≤ τ ≤ t (2.4)
The concept of a dynamical system is closely related to the idea of internal states
of a system that will be further detailed in Section 2.3.6. Hence, there is a set of inner
variables which are controllable by the input variables but depending on the previous
evolvement of the inputs over time. The system reaction is therefore a function of the
input variables and the conﬁguration of these inner variables determining the state of
the system within a state space as deﬁned in the following.
Deﬁnition 2.1.5 ((Extended) State Space)
The state space of a system is spanned by a subset of its inner variables. This subset is the vector $z \subseteq_\zeta x$ of $n_z$ linearly independent state space variables. The subset relation "$\subseteq_\zeta$" is defined by:
$$z \subseteq_\zeta x \Leftrightarrow \forall i \in \{1, \ldots, n_z\} : z_i = x_{\zeta(i)} \quad (2.5)$$
A valid assignment of values to the state space variables represents a state of the sys-
tem. The extended state space z(e) of a system is spanned by its state space variables z
and the input variables u.
Preparing the terminology of analog circuits, the distinction between linear and
nonlinear systems has a great impact on the problem complexity of circuit analysis
techniques. Hence, the deﬁnition is as follows:
Deﬁnition 2.1.6 (Linear / Nonlinear System)
A system is linear if the linear combination of the system's reaction to input signals $u_1(t)$ and $u_2(t)$ equals the system's reaction to the linear combination of the input signals:
$$S(k_1 u_1(t) + k_2 u_2(t)) = k_1 S(u_1(t)) + k_2 S(u_2(t)) \quad (2.6)$$
hence
$$S(k u(t)) = k S(u(t)) \quad (2.7)$$
If this property does not apply, the system is considered as nonlinear.
2.2 Digital Systems
Although digital systems are not in the focus of this thesis, the state of the art in dis-
crete modeling and speciﬁcation for veriﬁcation of analog circuits is based on the ideas
developed for digital circuits. Therefore, a brief introduction into digital systems and
their representation is given in order to motivate the transfer of digital verification methods to the analog domain at a later stage.
A digital system is operating on discrete values internally and on its inputs and
outputs. Digital refers to a ﬁnite number of input and output values and in the fol-
lowing digital systems are considered as binary digital systems with two signal levels
abstracted by 0 and 1. The fundamental beneﬁt of this binary approach is the possi-
bility of a rigorous formulation of all digital system behavior by mathematical logic
[Men01] for reasoning about the truth of a formula and Boolean algebra [Whi95] for
combining and manipulating logic statements.
Every Boolean formula can be transferred into a representation of the basic Boolean
operators AND, OR and INVERT. Hence, an arbitrary Boolean logic formula can be
implemented as a digital circuit consisting of the hardware implementation of these basic operators called logic gates. Digital circuits can be distinguished into combinatorial and sequential circuits. A combinatorial circuit has a direct mapping of the input
values to the outputs by the logic function implemented by the circuit. Hence, it repre-
sents a static system. A sequential circuit contains internal memories called ﬂip-ﬂops
which in the most basic form can store one Boolean signal level and propagate it to its
output until a new Boolean value is stored. Moreover, a feedback of the internal states
through logic functions causes the internal states to depend on the input signals and the previous internal state. Therewith, sequential circuits represent dynamic
systems. Clocked sequential circuits only propagate signals when an external trigger
called clock signal event occurs. Due to the internal states and the time behavior, se-
quential circuits are the more complex and powerful digital circuit class [KB05].
The behavior of sequential circuits can be modeled by ﬁnite state machines where
the states represent a unique configuration of the internal state variables of the circuit
and the transitions are labeled with the input combinations that cause a transition from
a state to its successor state. Boolean functions representing sequential circuits can be
easily transferred into ﬁnite state machines and vice versa via state transition tables.
The example circuit shown in Figure 2.2(a) is a two-bit down counter. Triggered
by the clock signal clk, the outputs Q1 and Q0 of the two ﬂip-ﬂops cyclically count the
binary values 11,10,01,00 when the input enable is set to 1. If enable is set to 0, the
circuit remains in its current state. The state transition table for this behavior is shown
in Table 2.1 with Q1 and Q0 being the outputs of the ﬂip-ﬂops and the next states of
the counter denoted as $Q_1^+$ and $Q_0^+$.
Table 2.1: State transition table for the two-bit down counter.

enable  Q1  Q0  Q1+  Q0+
   0     1   1    1    1
   0     1   0    1    0
   0     0   1    0    1
   0     0   0    0    0
   1     1   1    1    0
   1     1   0    0    1
   1     0   1    0    0
   1     0   0    1    1
From the state transition table, the Boolean functions for $Q_1^+$ and $Q_0^+$ can be directly read by finding the Boolean function of $Q_1$ and $Q_0$ with the result $Q_1^+$ and $Q_0^+$, respectively:
$$Q_1^+ = \mathit{enable} \wedge \overline{(Q_1 \oplus Q_0)} \vee \overline{\mathit{enable}} \wedge Q_1 \quad (2.8)$$
$$Q_0^+ = \mathit{enable} \wedge \overline{Q_0} \vee \overline{\mathit{enable}} \wedge Q_0 \quad (2.9)$$
The corresponding state transition graph is illustrated in Figure 2.2(b), with the
edge labels representing the value of the input enable. The states are labeled with the
values for $Q_1$ and $Q_0$.
This state transition graph can, with some additions, directly serve as a circuit
model which can be processed by digital formal veriﬁcation tools using temporal logic
property speciﬁcations [Pnu77, CE82] that will be described in Section 3.3. In the do-
main of discrete state system modeling for formal veriﬁcation approaches, the Kripke
structure [CGP99] is a common model combining a transition graph structure and a
labeling of the states with atomic propositions for identifying sets of states where a
certain proposition is true. The following deﬁnition of the Kripke structure is the the-
oretical model to which temporal logic property veriﬁcation is applied.
Deﬁnition 2.2.1 (Kripke Structure)
For a set of atomic propositions AP, the Kripke structure M over AP is a four-tuple
M = (Σ,Σ0, R, L) where
• Σ is a ﬁnite set of states of the system.
• Σ0 ⊆ Σ is the set of initial states.
• R ⊆ Σ × Σ is a total transition relation, hence for every state σ ∈ Σ there exists a
state σ′ such that (σ,σ′) ∈ R.
[Figure 2.2 (schematic and graph not reproduced): (a) two D flip-flops Q1 and Q0 clocked by clk, an XOR (=1) gate and two multiplexers selected by enable; (b) state transition graph over the states 11, 10, 01, 00 with edge labels 0 and 1]
Figure 2.2: Circuit schematic for the two-bit down counter (a) and the corresponding state transition graph (b).
• $L : \Sigma \to 2^{AP}$ is a labeling function that labels each state with the set of atomic
propositions that are true in that state.
Within the structure M, a path π beginning at state σ is a sequence of states $\pi = \sigma_0, \sigma_1, \sigma_2, \ldots, \sigma_n$ with $\sigma_0 = \sigma$ and $(\sigma_i, \sigma_{i+1}) \in R$ for $0 \le i < n$.
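As an added example (not code from the thesis), the two-bit down counter is built from the next-state functions (2.8) and (2.9), checked row by row against Table 2.1, and packed into a Kripke structure of Definition 2.2.1 with the enable input abstracted away in R, as the transition graph of Figure 2.2(b) does; the atomic propositions q1 and q0 (true iff the respective flip-flop holds 1) are an assumed labeling.

```python
"""Added example (not from the thesis): the two-bit down counter of Figure 2.2
as next-state functions (2.8)/(2.9), checked against Table 2.1, and packed into
a Kripke structure M = (Sigma, Sigma0, R, L) of Definition 2.2.1 over the
assumed atomic propositions AP = {q1, q0}."""
from itertools import product


def next_state(enable, q1, q0):
    """Q1+ and Q0+ from (2.8) and (2.9); inputs are 0/1 integers."""
    q1_next = (enable and not (q1 ^ q0)) or (not enable and q1)
    q0_next = (enable and not q0) or (not enable and q0)
    return (int(bool(q1_next)), int(bool(q0_next)))


# Table 2.1 transcribed as (enable, Q1, Q0) -> (Q1+, Q0+).
TABLE_2_1 = {
    (0, 1, 1): (1, 1), (0, 1, 0): (1, 0), (0, 0, 1): (0, 1), (0, 0, 0): (0, 0),
    (1, 1, 1): (1, 0), (1, 1, 0): (0, 1), (1, 0, 1): (0, 0), (1, 0, 0): (1, 1),
}


def matches_table():
    """True iff (2.8)/(2.9) reproduce every row of Table 2.1."""
    return all(next_state(*row) == nxt for row, nxt in TABLE_2_1.items())


def build_kripke(initial_states):
    """Kripke structure of the counter. Sigma: all (Q1, Q0) assignments.
    R: (s, s') for s' = next_state(e, s) with e in {0, 1}, so the input is
    abstracted away as in Figure 2.2(b). L(s): propositions true in s."""
    states = set(product((0, 1), repeat=2))
    relation = {(s, next_state(e, *s)) for s in states for e in (0, 1)}
    labels = {s: frozenset(p for p, v in (("q1", s[0]), ("q0", s[1])) if v)
              for s in states}
    return states, set(initial_states), relation, labels


def is_total(states, relation):
    """R must be total: every state has at least one successor."""
    return all(any(src == s for src, _ in relation) for s in states)


def is_path(relation, path):
    """pi = sigma_0, ..., sigma_n is a path iff (sigma_i, sigma_i+1) in R."""
    return all((a, b) in relation for a, b in zip(path, path[1:]))


def reachable(initial_states, relation):
    """Explicit forward reachability from Sigma0 over the enumerated R."""
    seen, frontier = set(initial_states), list(initial_states)
    while frontier:
        s = frontier.pop()
        for src, dst in relation:
            if src == s and dst not in seen:
                seen.add(dst)
                frontier.append(dst)
    return seen
```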
However, the explicit representation of the states of a digital hardware system
quickly exceeds what is efﬁciently manageable by computer memories. Consider a
sequential system containing 64 ﬂip-ﬂops. The state machine describing this system
can be estimated to contain $2^{64}$ states which corresponds to several exabytes of data
even if it was possible to require only one byte of information per state for its represen-
tation. This problem was solved by an implicit state representation. Using a symbolic
representation based on binary decision diagrams (BDDs), the state space can be de-
scribed by a symbolic transition relation on which the veriﬁcation algorithms can be
evaluated [McM92]. This leads to a logarithmic decrease in state space representation
complexity for digital systems.
2.3 Analog Systems
Analog systems are characterized by their continuous value and time domain. In the
scope of this thesis, analog electronic circuits are nonlinear dynamic analog systems
that are deﬁned by the connection of the physical device models of the circuit elements
via Kirchhoff’s circuit laws [Kir47]. The methodology of computer-supported analog
circuit analysis is based on the idea that there is an appropriate mathematical model of
the physical system which can be analyzed using mathematical methods. The results
of the analysis then correspond to the behavior of the real system.
The physical device models are mathematically described by differential equations.
These differential equations of the circuit elements and their connection via Kirchhoff’s
laws form a differential algebraic equation (DAE) system describing the analog elec-
tronic circuit. To obtain a differential equation system from a circuit topology modeled
by a network of circuit elements, network analysis techniques such as the modiﬁed
nodal analysis are applied (see Section 2.3.2). The type of differential equation system set up for analysis of analog electronic circuits is defined by the equations of the
physical device models of the circuit. Depending on the accuracy of the model and
therewith affecting the accuracy of the analysis, several levels of model complexity can
be available.
2.3.1 Device Models
Modeling the physical devices of an electronic circuit in form of mathematical equa-
tions is a basic necessity for analyzing analog circuits using mathematical methods.
Therefore, depending on the purpose, compact models for circuit design or physical
device models for device design can be distinguished. For electronic circuit simula-
tion, only compact models are considered due to the fact that a large number of devices
within a circuit has to be simulated simultaneously within a tolerable time frame. In
contrast, for designing devices for fabrication processes, substantially more complex
device models are required for simulation of subtle physical effects of one single de-
vice.
The main devices for integrated circuit design are resistors, capacitors, inductors,
independent and controlled voltage and current sources, diodes and transistors. The
most complex device behavior in integrated circuits is exhibited by transistors for
which several compact model families exist. Due to its well-suited characteristics for
integrated circuits, the metal-oxide-semiconductor ﬁeld-effect transistor (MOSFET) is
of great importance. Depending on the type of analysis to conduct and the trade-off
between accuracy and simulation complexity, different types of compact models exist
in form of physical models, empirical models and table models [Tsi03]. Table models
are generated using measurements of real transistors by capturing the behavior at dis-
crete parameter steps. Therewith, fast models are generated but for each combination
of the width and length of the transistors, new tables have to be measured. Empirical
models describe the captured characteristics by mathematical functions using curve
ﬁtting approaches.
The most ﬂexible approach is given by physical models that can be adjusted in
their level of complexity. This is achieved by setting up equations for the basic physical
behavior and adding more and more physical parameters in each level. For an n-channel
MOSFET transistor, the drain-source current IDS for the DC case has three regions of
operation, dependent on the gate-source voltage VGS, the threshold voltage VTH and
the drain-source voltage VDS: cutoff (VGS ≤ VTH), saturation (0 < VGS − VTH ≤
VDS) and linear (0 < VDS < VGS − VTH). These three regions of operation can be
quadratically approximated by the following equations [Vla94]:
$$
I_{DS} =
\begin{cases}
0 & \text{for } V_{GS} \le V_{TH} \\
\frac{KP}{2} \frac{W}{L_{eff}} (V_{GS} - V_{TH})^2 (1 + LAMBDA \cdot V_{DS}) & \text{for } 0 < V_{GS} - V_{TH} \le V_{DS} \\
\frac{KP}{2} \frac{W}{L_{eff}} V_{DS} \left( 2(V_{GS} - V_{TH}) - V_{DS} \right) (1 + LAMBDA \cdot V_{DS}) & \text{for } 0 < V_{DS} < V_{GS} - V_{TH}
\end{cases}
\quad (2.10)
$$
The parameters W and $L_{eff}$ are the width and effective length of the transistor and
KP and LAMBDA are the MOSFET parameters of transconductance factor and output
conductance factor in saturation.
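As an added example (not code from the thesis), the following implements equation (2.10) with explicit region detection and checks that the linear and saturation branches join without a jump at $V_{DS} = V_{GS} - V_{TH}$; a discontinuity there would upset the Newton-Raphson iteration a circuit simulator runs on these equations. The parameter values are assumed, not taken from the page.

```python
"""Added example (not from the thesis): level 1 MOSFET drain current of
equation (2.10) with region detection, plus a continuity check of the
linear/saturation boundary. Parameter values are assumed."""

# Assumed n-channel parameters: KP in A/V^2, W and Leff in m, LAMBDA in 1/V,
# VTH in V (not taken from the page).
PARAMS = dict(kp=1e-4, w=10e-6, leff=1e-6, lam=0.02, vth=0.7)


def _sat(k, vov, vds, lam):
    """Saturation branch of (2.10); k = KP/2 * W/Leff, vov = V_GS - V_TH."""
    return k * vov ** 2 * (1.0 + lam * vds)


def _lin(k, vov, vds, lam):
    """Linear branch of (2.10)."""
    return k * vds * (2.0 * vov - vds) * (1.0 + lam * vds)


def ids_level1(vgs, vds, kp, w, leff, lam, vth):
    """Return (region, I_DS) for the DC case of (2.10); V_DS >= 0 assumed."""
    vov = vgs - vth                  # overdrive voltage V_GS - V_TH
    k = kp / 2.0 * w / leff          # KP/2 * W/Leff
    if vov <= 0.0:
        return "cutoff", 0.0
    if vov <= vds:
        return "saturation", _sat(k, vov, vds, lam)
    return "linear", _lin(k, vov, vds, lam)


def boundary_mismatch(vgs, kp, w, leff, lam, vth):
    """|I_lin - I_sat| evaluated at V_DS = V_GS - V_TH. Substituting
    V_DS = V_ov into the linear branch gives k*V_ov*(2*V_ov - V_ov) =
    k*V_ov^2, i.e. the saturation branch, so the result is zero up to
    rounding: the two regions meet continuously."""
    vov = vgs - vth
    k = kp / 2.0 * w / leff
    return abs(_lin(k, vov, vov, lam) - _sat(k, vov, vov, lam))


def sweep_regions(vgs, vds_values, **params):
    """Region label for each V_DS value at fixed V_GS; increasing V_DS moves
    the transistor from the linear into the saturation region."""
    return [ids_level1(vgs, vds, **params)[0] for vds in vds_values]
```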
This is a basic level 1 model for the static operation of the transistor which can be
refined to a higher level model by adding more physical effects [CJL+97]. For modeling
the dynamic behavior, additionally the charge effects of the gate capacitance have to be
considered, resulting in more complex equations [CHHK98] that improve the accuracy
of the solutions of AC and TR analysis.
2.3.2 Network Analysis using the Modiﬁed Nodal Approach
In order to obtain a mathematical model for nonlinear analog circuits, modiﬁed nodal
analysis (MNA) [HRB75] is used by most circuit analysis tools to set up the circuit
equations as a DAE system. The MNA is based on three basic fundamentals:
• Kirchhoff’s current law (KCL), stating that the sum of the currents ﬂowing into a
circuit node must equal the currents ﬂowing out of this circuit node. Hence, their
sum must be zero at any time.
• Kirchhoff’s voltage law (KVL), stating that the sum of voltages around any closed
loop of the circuit must be zero at any time.
• Branch constitutive equations (BCE), deﬁning the mathematical model of the be-
havior of the physical circuit elements. For application of the MNA, the current
of each BCE has to be described by a function of the connected node voltages and
the device model of the respective circuit element.
Consider the circuit illustrated in Figure 2.3. It is a simple nonlinear analog circuit
example with input voltage Vin, resistor R1, diode D1 and capacitor C1. The KCL and
the BCEs for the circuit elements are sufﬁcient for setting up the network equations for
nodes n1 and n2. The node voltages of the circuit represent the vector x = (Vn1,Vn2)T
[Figure 2.3 (schematic not reproduced): voltage source Vin with current iin at node n1, resistor R1 between nodes n1 and n2, diode D1 and capacitor C1 in parallel at node n2]
Figure 2.3: Simple nonlinear analog circuit example with input voltage Vin, resistor R1, diode D1 and capacitor C1.
of unknowns of the equation system and the vector u = (Vin) contains the inputs. The
goal is to obtain a general formulation as a ﬁrst-order nonlinear DAE system in form
of:
$$f(\dot{x}, x, u) = 0 \quad (2.11)$$
For node n1, according to KCL, the sum of the input current iin and the current
through resistor R1 has to be zero:
$$f_{n1} : \; i_{in} - \frac{V_{n1} - V_{n2}}{R_1} = 0 \quad (2.12)$$
For node n2, the ingoing current is the current through resistor R1 and outgoing cur-
rents run through the parallel diode D1 and the capacitor C1. By ﬁlling in the device
equations, the following node equation is set up:
$$f_{n2} : \; \frac{V_{n1} - V_{n2}}{R_1} - I_s \left( e^{\frac{V_{n2}}{u_T}} - 1 \right) - C_1 \frac{d}{dt} V_{n2} = 0 \quad (2.13)$$
Finally, the voltage source sets the voltage Vn1 of node n1 to Vin, resulting in:
$$V_{n1} = V_{in} \quad (2.14)$$
Application of the MNA results in implicit equations for each circuit node with the
system variables usually being the node voltages, some device currents and additional
variables resulting from device equations or behavioral description of parts of the ana-
log circuit. Another characteristic of the MNA is the high occurrence of algebraic equa-
tions and the occurrence of only some differential equations.
2.3.3 Numerical Simulation
By having set up the DAE system for the circuit, different numerical simulation tech-
niques can be applied in order to analyze its behavior. The basic type of analysis is the
DC-analysis, where the operating point for a given constant input vector is calculated.
Due to changes over time not being considered for the solution of the system in its
steady state, the vector $\dot{x}$ is zero. Hence, the equation system $f(x, u) = 0$ for given u
has to be solved. Due to the nonlinearity of the equation system in the general case,
this is a mathematically challenging task.
The common algorithm used for numerically solving the nonlinear equation system is the Newton-Raphson (NR) iteration [Rap90, Ypm95]. Starting with a guess of an initial solution $x_0$, this initial solution is iteratively refined until it falls below a specified
error bound. However, there has to be a limit on the number of iterations as there is no
guarantee that the NR-algorithm will succeed in ﬁnding a solution. On the other hand,
in the neighborhood of a solution, the convergence is quadratic. For the NR-algorithm,
the Jacobian matrix J containing the derivatives of the node equations for the system
variables is needed:
$$
J =
\begin{pmatrix}
\frac{d f_{n1}}{d x_1} & \cdots & \frac{d f_{n1}}{d x_n} \\
\vdots & \ddots & \vdots \\
\frac{d f_{nn}}{d x_1} & \cdots & \frac{d f_{nn}}{d x_n}
\end{pmatrix}
\quad (2.15)
$$
The NR-algorithm is based on the idea that the evaluation of f for an approximated $x^{(a)}$ is related to the correct x by an amount $\Delta x$ given by:
$$\Delta x = -J^{-1}(x^{(a)}) \, f(x^{(a)}) \quad (2.16)$$
Equation 2.16 can be solved using linear equation system approaches such as LU fac-
torization [GVL96], which is a modiﬁcation of the Gaussian elimination method in
order to obtain a triangular system. Finally, the goal of the NR-algorithm is improving the initial guess for x in every iteration by $x_i = x_{i-1} + \Delta x$ until the norm of the
evaluated f(x) falls below the error bound and hence a sufﬁcient solution is found.
For TR-analysis, a time domain solution for the circuit’s transient response to ar-
bitrary piecewise linear input stimuli has to be calculated [Nag75, Vla94]. This is
achieved by dividing the simulation over time into a sequence of quasi-static solu-
tions at time points tn,tn+1,.... Consider a solution x(tn) for the initial time point tn
obtained by the DC solution. The idea is to express the solution at tn+1 by a Taylor
series approximation around the previous time point tn and time step h either by the
explicit forward Euler (FE) integration formula
$$x(t_{n+1}) = x(t_n) + h \, \dot{x}(t_n) \quad (2.17)$$
or by the implicit backward Euler (BE) integration formula
$$x(t_{n+1}) = x(t_n) + h \, \dot{x}(t_{n+1}) \quad (2.18)$$
Depending on the size of the chosen time step, the accuracy of the numerical integra-
tion is affected by the approximation of the ﬁrst term of the Taylor series. Hence, the
local truncation error (LTE) can be approximated by evaluating the second term of the
Taylor series. Therewith, the LTE for the FE integration is given as:
$$LTE = \left| \frac{h^2}{2} \ddot{x}(t_n) \right| \quad (2.19)$$
A combination of the FE and BE formula in form of
x(tn+1) = x(tn) +
1
2
h(˙ x(tn) + ˙ x(tn+1)) (2.20)
results in a better approximation, which can be proven by calculating the LTE. By eval-
uating the LTE, an adaptive time step control algorithm can be applied by calculating
h according to a speciﬁed upper error bound [Vla94].
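As an added worked example serving Sections 2.3.2 and 2.3.3 (not code from the thesis), the MNA equations (2.12) to (2.14) of the Figure 2.3 circuit are set up as f(ẋ, x, u) = 0, the DC operating point is found with the Newton-Raphson iteration using the Jacobian (2.15) and update (2.16), and the step response is integrated with the implicit backward Euler formula (2.18), which at every time point again calls the NR iteration. The component values, the diode model constants $I_s$ and $u_T$, and the 0.5 V per-iteration damping of the NR update are assumptions not given on the page; the linear system of each NR step is solved by plain Gaussian elimination in place of an LU factorization.

```python
"""Added worked example (not from the thesis): MNA equations of the circuit in
Figure 2.3, DC operating point by Newton-Raphson with Jacobian (2.15) and
update (2.16), and a transient analysis with backward Euler (2.18). Unknown
vector x = (Vn1, Vn2, iin); all component and diode values are assumed."""
import math

R1 = 1e3         # ohm (assumed)
C1 = 1e-9        # farad (assumed)
IS = 1e-14       # diode saturation current I_s, ampere (assumed)
UT = 25.85e-3    # thermal voltage u_T, volt (assumed)


def residual(xdot, x, vin):
    """f(xdot, x, u) = 0 of (2.11); rows are (2.12), (2.13) and (2.14)."""
    vn1, vn2, iin = x
    i_r1 = (vn1 - vn2) / R1
    i_d1 = IS * (math.exp(vn2 / UT) - 1.0)
    return [iin - i_r1,                   # KCL at n1 (2.12)
            i_r1 - i_d1 - C1 * xdot[1],   # KCL at n2 (2.13)
            vn1 - vin]                    # voltage source (2.14)


def jacobian(x, h=None):
    """Jacobian (2.15) of the residual w.r.t. x. For backward Euler
    xdot = (x - x_prev)/h, so C1 adds -C1/h to the (n2, Vn2) entry; in the
    DC case xdot = 0 and that term is absent."""
    g_d1 = IS / UT * math.exp(x[1] / UT)   # diode conductance dI_d/dV
    j22 = -1.0 / R1 - g_d1 - (0.0 if h is None else C1 / h)
    return [[-1.0 / R1, 1.0 / R1, 1.0],
            [1.0 / R1, j22, 0.0],
            [1.0, 0.0, 0.0]]


def solve_linear(a, b):
    """Solve a*v = b by Gaussian elimination with partial pivoting, the
    elimination that the LU factorization mentioned in the text refines."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]   # augmented matrix
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            factor = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= factor * m[col][c]
    v = [0.0] * n
    for r in range(n - 1, -1, -1):
        s = m[r][n] - sum(m[r][c] * v[c] for c in range(r + 1, n))
        v[r] = s / m[r][r]
    return v


def newton_raphson(x0, vin, x_prev=None, h=None, tol=1e-12, max_iter=100):
    """x_i = x_{i-1} + dx with dx = -J^{-1} f (2.16) until max|f| < tol.
    h=None: DC analysis (xdot = 0). x_prev and h given: one backward Euler
    step with xdot = (x - x_prev)/h."""
    x = list(x0)
    for _ in range(max_iter):
        xdot = ([0.0] * 3 if h is None
                else [(p - q) / h for p, q in zip(x, x_prev)])
        f = residual(xdot, x, vin)
        if max(abs(v) for v in f) < tol:
            return x
        dx = solve_linear(jacobian(x, h), [-v for v in f])
        # Damping (assumed): limit node voltage changes to 0.5 V per iteration
        # so the exponential diode term cannot overflow from a poor guess.
        damping = min(1.0, 0.5 / max(abs(dx[0]), abs(dx[1]), 1e-30))
        x = [p + damping * d for p, d in zip(x, dx)]
    raise RuntimeError("NR iteration did not converge")


def dc_analysis(vin):
    """Operating point for constant input vin, from the zero initial guess."""
    return newton_raphson([0.0, 0.0, 0.0], vin)


def transient_backward_euler(vin_of_t, t_end, h, x0):
    """Backward Euler (2.18): at each t_{n+1} solve
    f((x_{n+1} - x_n)/h, x_{n+1}, u(t_{n+1})) = 0 by NR, warm-started at x_n."""
    x = list(x0)
    times, vn2 = [0.0], [x[1]]
    for k in range(1, int(round(t_end / h)) + 1):
        t = k * h
        x = newton_raphson(x, vin_of_t(t), x_prev=x, h=h)
        times.append(t)
        vn2.append(x[1])
    return times, vn2


def step_response(v_step=1.0, t_end=3e-6, h=10e-9):
    """Vin steps from 0 V to v_step at t > 0: C1 charges through R1 until D1
    clamps Vn2 near the DC operating point for Vin = v_step."""
    x0 = dc_analysis(0.0)      # zero operating point for Vin = 0 V
    return transient_backward_euler(lambda t: v_step if t > 0 else 0.0,
                                    t_end, h, x0)
```

With the assumed values the DC solution settles at $V_{n2}$ of roughly 0.63 V, where the diode current equals the current through $R_1$, and the backward Euler response rises monotonically to the same value.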
2.3.4 DAE Index
The differentiation index of a differential equation system determines its solvability.
While ordinary differential equations (ODEs) have no algebraic variables and are of
index 0, DAE systems contain algebraic variables and their index is of at least 1. Index-
1-DAEs can be directly targeted by the numerical solution approach described in the
previous subsection, while systems with an index greater than 1 have to be prepro-
cessed by advanced techniques that are still subject to research [Tis96, ES00]. Due to
only special cases of analog circuits being of index greater than 1, the presented simulation
approach is used in most circuit analysis tools. Nevertheless, approaches for higher
index systems can be applied in the numerical simulation algorithms used in the re-
mainder of this thesis.
2.3.5 Analog Behavioral Modeling and Hardware Description Languages
The description of analog circuits by a netlist containing the physical circuit compo-
nents is directly transferable to a real physical design, as well as into a mathematical
model for design analysis. Due to the abstraction hierarchy of the circuit design ﬂow,
dealing with transistor netlists is not appropriate at higher abstraction levels. Hence,
building hierarchical entities of such low-level circuits allows a structuring of the de-
sign in higher levels. However, due to the large number of transistors, the representa-
tion on transistor level in conjunction with the complex mathematical analysis efforts
described in the previous subsections render a transistor-level system analysis impos-
sible for practical design ﬂows.
Therefore, an abstraction of the structurally modeled low-level circuits in form of
behavioral models is needed. Such behavioral models enable a higher-level analysis,
212 System Representation for Veriﬁcation
capturing the important characteristics of the system building blocks with less compu-
tation time. In mathematical terms, behavioral modeling abstracts from the detailed
complex equations of the BCEs and replaces them by simpliﬁed equations. These sim-
pliﬁed equations capture the characteristics necessary for initial evaluation of the de-
sign on high abstraction levels. Of course, the abstractions cause the system based
on behavioral models not to be transferable to a physical circuit level directly. How-
ever, the entities modeled on BCE level and those using behavioral descriptions can be
interchanged.
For replacing structural modeling using BCEs with behavioral modeling, two common approaches are available. On the one hand, behavioral models can be created by describing more complex circuits with simplified structures that are still implemented on transistor level using BCEs. As an example, consider the charge pump circuit illustrated in Figure 2.4(a). The transient startup behavior of the transistor netlist can be abstracted by a circuit as illustrated in Figure 2.4(b). While the transient response of the abstracted model retains the main behavior, the ripple originating from the clock switching is not present, as illustrated in Figure 2.5. This approach, sometimes referred to as macro modeling, is often incorporated in higher-level modeling in order to use the transistor netlist environment without invoking another circuit description approach.
[Figure 2.4(a): CMOS charge pump schematic with transistors TP1, TN1, TN2, TN3, capacitor C1 driven by clk (nodes Vclk, VC1), supply VDD and output Vout loaded by Cload and Rload. Figure 2.4(b): simplified macro model with source Vup, resistor R1, supply VDD and output Vout loaded by Cload and Rload.]
Figure 2.4: Schematic of the CMOS implementation of the charge pump circuit (a) and simplified macro model (b).
On the other hand, specific analog hardware description languages are available in order to efficiently describe analog circuit behavior using a programming-language-like concept. Such hardware description languages have very sophisticated description methodologies. Depending on the complexity of the language syntax, simulation of the descriptions is possible by setting up a differential equation system from the code, which can then be processed numerically by the simulation algorithm detailed in Section 2.3.3. Popular analog hardware description languages are VHDL-AMS [APT03] and Verilog-AMS [KZ04], which both are extensions to the digital versions of the languages for the description of analog and mixed analog/digital system behavior. The VHDL-AMS behavioral model for the charge pump is described in Listing 2.1, using an implicit differential equation for defining the startup behavior of the output voltage.
[Figure 2.5: plot of Vout (axis from 1.8 to 5.2) over t (axis from 0 to 0.1) for both models.]
Figure 2.5: Transient startup response of the transistor netlist charge pump (solid line) and the simplified model (dashed line).
Listing 2.1: VHDL-AMS implementation modeling the charge pump behavior.
LIBRARY DISCIPLINES;
USE DISCIPLINES.ELECTROMAGNETIC_SYSTEM.ALL;

ENTITY chargepumpmodel IS
  GENERIC( r1    : real := 1.0e5;    -- resistor R1 of the macro model in Figure 2.4(b)
           rload : real := 1.0e9;    -- load resistance
           c     : real := 5.0e-8;   -- capacitance at the output
           vdd   : real := 3.0 );    -- supply voltage
  PORT( TERMINAL outp, gnd : ELECTRICAL );
END chargepumpmodel;

ARCHITECTURE behavior OF chargepumpmodel IS
  -- branch quantities between the output terminal and ground
  QUANTITY vout ACROSS iout THROUGH outp TO gnd;
BEGIN
  -- implicit equation for the startup: the current charging through r1 from the
  -- pumped level 1.6*vdd minus the capacitor and load currents equals zero
  (1.6*vdd - vout)/r1 - c*vout'dot - vout/rload == 0.0;
END behavior;
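To illustrate the FE, BE and trapezoidal formulas (2.17), (2.18), (2.20) and the LTE-based time step control of Section 2.3.3 on the charge pump macro model of Listing 2.1, the following Python script (an added example, not code from the thesis) integrates the implicit equation of the listing with its generic values and compares the results against the closed-form startup response. The start voltage of 1.8 V, the step size, the error bound and the step growth rule are constructed values, not taken from the thesis.

```python
import math

# Generic values of the charge pump macro model, taken from Listing 2.1
R1, RLOAD, C, VDD = 1.0e5, 1.0e9, 5.0e-8, 3.0

# The implicit equation of Listing 2.1 solved for vout'dot is the linear ODE
#   dvout/dt = b - a*vout   with the coefficients below
A_COEF = (1.0 / R1 + 1.0 / RLOAD) / C      # inverse time constant in 1/s
B_COEF = 1.6 * VDD / (R1 * C)              # drive term in V/s

def vout_dot(v):
    """Time derivative of vout: ((1.6*vdd - vout)/r1 - vout/rload) / c."""
    return B_COEF - A_COEF * v

def vout_exact(v0, t):
    """Closed-form startup response of the first-order model, used as reference."""
    v_ss = B_COEF / A_COEF                   # steady-state output voltage
    return v_ss + (v0 - v_ss) * math.exp(-A_COEF * t)

def step_fe(v, h):
    """Explicit forward Euler step (2.17)."""
    return v + h * vout_dot(v)

def step_be(v, h):
    """Implicit backward Euler step (2.18). The derivative at t_{n+1} makes the
    update an equation in the unknown v_{n+1}; for this linear model it is
    solved in closed form instead of by Newton iteration."""
    return (v + h * B_COEF) / (1.0 + h * A_COEF)

def step_tr(v, h):
    """Trapezoidal step (2.20), the average of the FE and BE slopes, again
    solved in closed form for v_{n+1}."""
    return (v * (1.0 - 0.5 * h * A_COEF) + h * B_COEF) / (1.0 + 0.5 * h * A_COEF)

def integrate(step, v0, h, t_end):
    """Fixed-step integration from t = 0 to t_end with the given step formula."""
    v = v0
    for _ in range(round(t_end / h)):
        v = step(v, h)
    return v

def integrate_fe_adaptive(v0, t_end, h0, lte_max, h_max=2.0e-3):
    """Forward Euler with LTE-controlled time steps. The second derivative in
    (2.19) is estimated from the slopes at both ends of a trial step; a step
    whose LTE exceeds lte_max is rejected and h is halved, an accepted step
    lets h grow. h_max keeps FE inside its stability region (h*A_COEF < 2).
    Returns (v(t_end), number of accepted steps, largest accepted LTE)."""
    v, t, h = v0, 0.0, h0
    steps, lte_worst = 0, 0.0
    while t_end - t > 1e-12:
        h = min(h, t_end - t)
        v_trial = step_fe(v, h)
        x_ddot = (vout_dot(v_trial) - vout_dot(v)) / h   # finite-difference estimate
        lte = abs(0.5 * h * h * x_ddot)                   # (2.19)
        if lte > lte_max and h > 1e-9:
            h *= 0.5                                      # reject: shrink the step
            continue
        v, t = v_trial, t + h
        steps += 1
        lte_worst = max(lte_worst, lte)
        h = min(1.5 * h, h_max)                           # accept: grow the step
    return v, steps, lte_worst

if __name__ == "__main__":
    v0, h, t_end = 1.8, 1.0e-3, 0.05     # constructed start voltage and step size
    ref = vout_exact(v0, t_end)
    for name, step in (("FE", step_fe), ("BE", step_be), ("TR", step_tr)):
        print(f"{name}: error {abs(integrate(step, v0, h, t_end) - ref):.2e} V")
    v, n, worst = integrate_fe_adaptive(v0, t_end, h, 1.0e-4)
    print(f"adaptive FE: {n} steps, worst LTE {worst:.2e}, error {abs(v - ref):.2e} V")
```

With the same fixed step, the trapezoidal result is closer to the closed-form response than either Euler variant, and the adaptive run keeps every accepted step below the LTE bound.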
2.3.6 State Space Representation
Based on the idea of a system's state space in Definition 2.1.5, the linearly independent state space variables $z = (z_1, \dots, z_{n_z})^T$ of the implicit DAE system with $z \subseteq x$ span a subspace of $\mathbb{R}^n$, representing the state space of an analog system. The number of independent state variables is not always clear, e.g. due to capacitor loops [ES00]. Additionally, extracted netlists have lots of resistor-capacitor paths leading to many state variables which may not all be of interest for the main input-output behavior. The state space variables of the analog circuit are given by the representation of the linearly independent energy storing elements of the circuit, such as capacitors and inductors, in the differential equation system set up for the circuit by network analysis. Depending on the level of modeling abstraction, parasitic capacitances can additionally be considered.
Candidates $z^{(all)} \subseteq x$ for state space variables can be identified in the DAE system by their occurrence as first-order time derivatives. This is due to the BCEs of the circuit elements containing first-order time derivatives; for instance, the current $I_{Cap}$ through a capacitor $Cap$ with capacitance $C$ is given by $I_{Cap} = C\,\frac{d}{dt} V_{Cap}$. Similarly, inductors introduce inductor currents as state space variables. Capacitor loops and their dual equivalent of inductor nodes lead to linear dependencies, reducing the number of linearly independent state space variables. The linearly independent state space variables $z$ are a subset of $z^{(all)}$, hence $z \subseteq z^{(all)} \subseteq x$.
If there are capacitors within the circuit that are not connected to ground nodes, the MNA generates two derived node voltages, one for each node the capacitor is connected to. In order to obtain only one state variable for the capacitor, the nodal analysis can be changed to a charge-oriented equation formulation [ST00].
The extended state space $z^{(e)}$ of an analog system is spanned by the linearly independent state space variables $z$ and the input variables $u$ with dimension $n_d = n_z + n_u$:
$z^{(e)} = \begin{pmatrix} z \\ u \end{pmatrix}$ (2.21)
2.4 Discrete Modeling of Analog Systems
The value- and time-continuous characteristics of analog circuits require a special representation for the application of formal methods. While in the digital circuit domain automata models are a common approach for system representation, analog circuits are not easily transferable to such a discrete model. Digital systems have an enumerable finite number of states which can be directly transferred into a finite state machine automata representation. Formal verification algorithms can check this set of states completely in order to identify whether there exist states that violate the specification.
In contrast, the continuous state space of analog systems is not enumerable. Hence, for completely checking their behavior, either an analytical approach reasoning on the continuous model or a discretization to a state model is required, at the cost of introducing a discretization error. Due to the difficult solution of nonlinear DAE systems, analytical approaches are not feasible. Therefore, a discrete modeling based on numerical sampling-based algorithms is necessary for state space-based formal verification of analog circuits. In the following, the requirements of a discrete modeling will be discussed and, after analyzing the only state-of-the-art approach operating on DAE systems [Har03], a new discrete modeling algorithm will be introduced. Other approaches from the domain of hybrid system analysis, operating on ODEs, that either do not offer a complete representation of the state space or cannot automatically generate models from circuit descriptions will be discussed in Section 4.5.1 and Section 4.5.2.
2.4.1 Discrete Analog Transition Structure
In the domain of discrete state system modeling for formal verification approaches, the Kripke structure as described in Definition 2.2.1 is a common model combining a timed automaton and a labeling of the states with atomic propositions for identifying sets of states where a certain proposition is true. In order to generate a discrete model of an analog circuit for verification purposes, the Kripke structure can be extended to a discrete analog transition structure (DATS) which incorporates the following additional information needed for describing an analog system:
• The states of the DATS represent value combinations of the extended state space variables of an analog system. Therefore, an extended labeling of the states has to assign this extended state space variable value vector to each state. Additionally, the values of the algebraic variables of the DAE system in this state are stored.
• As the structure of the DATS is determined by the discretization algorithms described in the following subsections, the transition times between states cannot be considered equal like in transition systems for synchronous clocked digital systems. Hence, the transitions of the DATS have to be labeled with real-valued transition times. As the discretization algorithms will only describe the start and end points of the transitions, with the intermediate behavior considered as a linear trajectory, the transition time is considered as a linear change from the variable vector of the initial state to its successor described by the transition relation. Therewith, a transition sequence within the DATS corresponds to the idea of a piecewise linear trajectory obtained from transient analysis of analog circuits, where time steps represent the sampled state variable values which are connected by piecewise linear transitions.
• The atomic propositions for states identify sets of states where these propositions are true. In addition, a selection on the transitions will be necessary in order to identify transitions not introduced by dynamic transitions in the state space but from an input variable model. Therefore, a labeling of the transitions by propositions is necessary for the DATS.
• The analog system model does not need to identify a set of initial states. The set of initial states for an operation on the DATS will be determined by an atomic proposition.
With these considerations, the DATS can be defined as follows.
Definition 2.4.1 (Discrete Analog Transition Structure (DATS))
For a set of atomic state propositions $AP$ and a set of atomic transition propositions $TP$, the DATS $M_{DATS}$ over $AP, TP$ is a seven-tuple $M_{DATS} = (\Sigma, R, L_A, L_V, L_X, T, L_T)$ where
• $\Sigma$ is a finite set of states of the system.
• $R \subseteq \Sigma \times \Sigma$ is a total transition relation, hence for every state $\sigma \in \Sigma$ there exists a state $\sigma'$ such that $(\sigma, \sigma') \in R$.
• $L_A : \Sigma \to 2^{AP}$ is a labeling function that labels each state with the set of atomic propositions that are true in that state.
• $L_V : \Sigma \to \mathbb{R}^{n_d}$ is a labeling function that labels each state with the vector of $n_d$ variables containing the values in this state of the extended state space variables $z^{(e)}$ of the DAE system.
• $L_X : \Sigma \to \mathbb{R}^{n_x}$ is a labeling function that labels each state with the vector of $n_x$ variables containing the values in this state of the inner variables $x$ of the DAE system.
• $T : R \to \mathbb{R}^+_0$ is a labeling function that labels each transition from $\sigma$ to $\sigma'$ with a real-valued positive or zero transition time that represents the time required for the trajectory in the extended state space between these states.
• $L_T : R \to 2^{TP}$ is a labeling function that labels each transition with the set of atomic transition propositions that are true for that transition. This labeling will be used in Section 2.4.4.4 for distinguishing between dynamic transitions and those transitions that are introduced into the DATS by an input model.
Within the structure $M_{DATS}$, a path $\pi$ beginning at state $\sigma$ is a sequence of states $\pi = \sigma_0, \sigma_1, \sigma_2, \dots, \sigma_n$ with $\sigma_0 = \sigma$ and $(\sigma_i, \sigma_{i+1}) \in R$ for $0 \le i < n$.
Figure 2.6 illustrates a schematic graph structure representing a DATS with nine vertices modeling an imaginary analog circuit. The DC-operating-points of the modeled circuit, which can be identified by DC analysis as introduced in Section 2.3.3, are represented by vertices 1, 5 and 9. Thus, they have a loop transition to themselves, stating that the circuit stays in this steady state infinitely until a change of input occurs. These transitions have zero transition time. A transition induced by an input change is modeled by a bidirectional edge, implying that this transition can only be taken if there is an input variable change in the corresponding extended state space dimension. Any non-steady state of the system has outgoing directed edges representing the dynamic behavior of the circuit.
[Figure 2.6: graph with vertices 1 to 9 drawn over axes Vout and Vin, one transition annotated with t = 1 s.]
Figure 2.6: Schematic illustration of a graph structure representing a DATS.
2.4.2 The Discretization Problem for Analog Circuits
Discrete model generation for analog circuits is the key to applying the graph-oriented verification algorithms that will be introduced in Section 3.4 and Chapter 5.
Definition 2.4.2 (Discrete State Space Modeling Task)
The task of discrete state space modeling is to transfer a continuous analog system represented as a DAE system into a DATS:
$f(\dot{x}, x, u) = 0 \;\xrightarrow{\text{discrete modeling}}\; M_{DATS}$ (2.22)
Therefore, the continuous vector field of the time derivatives of the state space variables that represent the dynamics of the analog circuit has to be partitioned. As will be detailed in the following, each partition is represented by a state of the DATS model, with a transition relation connecting the states corresponding to the dynamic behavior of the circuit. However, the quality of the discretization determines how significant the verification results are. Therefore, there is an optimization problem connected to the discrete modeling task, which has to capture the continuous behavior of the DAE system with a minimal discretization error.
Consider an infinite point set $Z$ of points $p$ in $\mathbb{R}^{n_d}$ of the state space of the circuit that is constrained to user-defined interval boundaries $r = [\underline{r}, \overline{r}]$ for every one of the $n_d$ extended state space dimensions:
$Z = \{p \mid \underline{r}_i \le p_i \le \overline{r}_i\}$ for all $1 \le i \le n_d$ (2.23)
On $Z$, the continuous vector field $V : \mathbb{R}^{n_d} \to \mathbb{R}^{n_d}$ is generated by the time derivatives of the state space variables in the vector of extended state space variables
$\dot{z}^{(e)} = \begin{pmatrix} \dot{z} \\ 0 \end{pmatrix}$ (2.24)
of the DAE system describing the circuit:
$V(z^{(e)}) = \{\dot{z}^{(e)} \mid f(\dot{x}, x, u) = 0\}$ (2.25)
The vectors $v_i$ define a linearized trajectory in $V$ from points $p_i$ to the points $p'_i$ with $v_i = p'_i - p_i$, calculated by a time-step-controlled transient simulation, as described in Section 2.3.3, starting in $p_i$ with integration time $\Delta t$.
The goal is to generate a partitioning of $Z$ into $k$ non-overlapping partitions $R_j$ with
$\bigcup_{1 \le j \le k} R_j = Z$ (2.26)
such that the inhomogeneity of the vector field flow within each $R_j$ is minimal. Each $R_j$ will represent a state $\sigma_j$ of the DATS. The concept of inhomogeneity is defined by two criteria, which are, for a given integration time,
1. the difference in direction
2. and the length difference
of the infinite set of trajectory vectors in $R_j$.
Let $\theta_{rs}$ with
$\theta_{rs} = \arccos\left( \frac{v_r \cdot v_s}{\|v_r\|\,\|v_s\|} \right)$ (2.27)
be the angle between any two sampled transition vectors $v_r$ and $v_s$ starting in $R_j$.
Definition 2.4.3 (Direction Error)
The maximum direction error $\epsilon^{(R_j)}_\theta$, represented by the maximum angle between some $v_r$ and $v_s$, is given by:
$\epsilon^{(R_j)}_\theta = \max(\theta_{rs} : p_r, p_s \in R_j)$ (2.28)
The overall mean direction error over $Z$ is then defined by:
$\epsilon_\theta = \frac{1}{k} \sum_{1 \le j \le k} \epsilon^{(R_j)}_\theta$ (2.29)
Let $\Delta_{rs}$ with
$\Delta_{rs} = \max\left( \frac{\|v_r\|}{\|v_s\|}, \frac{\|v_s\|}{\|v_r\|} \right)$ (2.30)
be the length difference ratio between any two sampled transition vectors $v_r$ and $v_s$ starting in $R_j$.
Definition 2.4.4 (Length Error)
The maximum length error $\epsilon^{(R_j)}_\Delta$ between some $v_r$ and $v_s$ is given by:
$\epsilon^{(R_j)}_\Delta = \max(\Delta_{rs} : p_r, p_s \in R_j)$ (2.31)
The overall mean length error over $Z$ is then defined by:
$\epsilon_\Delta = \frac{1}{k} \sum_{1 \le j \le k} \epsilon^{(R_j)}_\Delta$ (2.32)
While minimizing the overall mean length and direction errors are optimization criteria for obtaining an accurate discretization, a third optimization criterion, the number of partitions, has to be considered for describing the optimization problem of state space discretization. Increasing the number of partitions, and therewith decreasing the size of the partitions, has negative effects on the efficiency of the verification algorithms. Moreover, in an $n$-dimensional state space, decreasing the size of every partition to half of its initial size in every dimension increases the number of partitions by the factor $2^n$. Therefore, keeping the number of partitions as small as possible is critical for developing feasible discretization algorithms.
Another important part is the determinism of the successor relation between adjacent partitions. If the partitions perfectly enclose homogeneous state space dynamics, every trajectory starting in a partition ends in a single adjacent partition. Hence, the out-degree $\deg(R_j)$ of dynamic transitions ending in other partitions shall be minimal for each partition, ideally being 1. Additionally, by transferring the partitioning to a DATS, the successor relation between the states representing the partitions determines the paths in the DATS. As the state space variable vectors of the states in the DATS are determined by the centers of the partitions, a sequence of transitions in the DATS corresponds to a trajectory in the state space. If the successor relation of the DATS is determined inaccurately, the behavior of the model does not correspond to the real state space trajectories. Therewith, a successor relation error has to be defined.
Consider two adjacent partitions $R_i$ and $R_j$ represented by states $\sigma_i$ and $\sigma_j$, connected by a transition $(\sigma_i, \sigma_j) \in R$ with center points $L_V(\sigma_i) = p^{(c)}_i$ and $L_V(\sigma_j) = p^{(c)}_j$ and the vectors
$v^{(c)}_{ij} = p^{(c)}_j - p^{(c)}_i$ (2.33)
and
$v^{(tr)}_i = p'^{(c)}_i - p^{(c)}_i$ (2.34)
with $v^{(tr)}_i$ determined by a transient step of length $\|v^{(c)}_{ij}\|$ starting in $p^{(c)}_i$.
Definition 2.4.5 (Successor Relation Error)
The successor relation error $\epsilon^{(ij)}_{suc}$ between two connected adjacent partitions $R_i$ and $R_j$ is defined by:
$\epsilon^{(ij)}_{suc} = \arccos\left( \frac{v^{(c)}_{ij} \cdot v^{(tr)}_i}{\|v^{(c)}_{ij}\|\,\|v^{(tr)}_i\|} \right)$ (2.35)
The overall mean successor relation error for a given partitioning is then defined by:
$\epsilon_{suc} = \frac{1}{k} \sum_{1 \le i \le k} \max\{\epsilon^{(ij)}_{suc} \mid (\sigma_i, \sigma_j) \in R\}$ with $1 \le j \le k$ (2.36)
Definition 2.4.6 (Optimization Problem for the Discrete Modeling Task)
Based on the definition of
• the direction error $\epsilon^{(R_j)}_\theta$,
• the length error $\epsilon^{(R_j)}_\Delta$,
• the number of partitions $k$,
• the determinism $\deg(R_j)$ for all $1 \le j \le k$ of the successor relations,
• and the overall mean successor relation error $\epsilon_{suc}$,
the multi-objective optimization problem connected to partitioning $Z$ into $R_j$ with $1 \le j \le k$ can now be stated with user-defined maximum error bounds $r_\theta$ and $r_\Delta$ and a minimum number of partitions $r_k$:
$\{R_1, \dots, R_j, \dots, R_k\} = \arg\min \begin{pmatrix} \frac{1}{k} \sum_{1 \le j \le k} \deg(R_j) \\ \epsilon_{suc} \\ k \end{pmatrix} \quad \text{s.t.} \quad \begin{cases} \forall\, 1 \le j \le k : \epsilon^{(R_j)}_\theta < r_\theta \\ \forall\, 1 \le j \le k : \epsilon^{(R_j)}_\Delta < r_\Delta \\ k > r_k \end{cases}$ (2.37)
This optimization problem illustrates which criteria have to be considered for algorithmic approaches. Therewith, an algorithm that defines how the partitioning of the state space vector field has to be constructed is needed to meet the challenge.
2.4.3 Hyperbox Discretization
The only state-of-the-art approach that can transfer a circuit represented by a nonlinear DAE system into a discrete graph structure for the application of verification algorithms is presented in [Har03] and recapitulated in the following.
A paraxial binary slicing algorithm is used to partition the state space in the form of an infinite point set $Z$ of the analog system. $Z$ is constrained to user-defined interval boundaries $r$ for every one of the $n_d$ extended state space dimensions:
$Z = \{p \mid \underline{r}_i \le p_i < \overline{r}_i\}$ for all $1 \le i \le n_d$ (2.38)
The slicing algorithm determines partitions $R_j$ with paraxial boundaries $s$ representing hyperboxes for each state space dimension:
$R_j = \{p \mid \underline{s}^{(j)}_i \le p_i < \overline{s}^{(j)}_i\}$ for all $1 \le i \le n_d$ (2.39)
The algorithmic approach to obtain this partitioning is sampling the state space with randomly distributed test points for which a transition step is calculated. By comparing the transition vectors of the transient steps to predefined error margins for length and direction, it is decided whether the vector field flow is homogeneous enough. If the error margins are exceeded, the state space partition is split into two partitions using a binary paraxial partitioning. For each of the two resulting partitions, the length and direction error is again checked and, if above the error margin, split again. This process is continued recursively until a predefined maximum recursion depth is reached. Each resulting hyperbox is considered as a state of the discrete model representing the analog system, and a tree structure with the hyperbox containing the complete state space as root node and the binary partitions hierarchically forming the children is created. The states of the analog system model are the leaf nodes of the tree structure.
In order to obtain a discrete transition system, the transition relation between the hyperboxes created by the partitioning algorithm has to be determined. The exact calculation of the geometric structure $R_{exact}$ representing the successor of a hyperbox $R_{test}$ would be obtained by a point-to-point mapping from points $p$ to $p'$:
$R_{exact} = \{p' \mid p \in R_{test}\}$ (2.40)
This exact mapping would make it impossible to create the simple state space partitioning geometry of the hyperbox discretization. Hence, for each hyperbox, the successors shall be those adjacent hyperboxes that enclose the exact geometric structure of the successor relation. This is achieved again by using transient simulation steps for a discrete number $n_{testpoints}$ of test points $p_i$ within a box. All those neighboring boxes $R_j$ which can be reached by transient simulation steps to points $p'_i$ that start in $p_i$ in the box $R_{test}$, for which the successors shall be determined, are a successor of this investigated box:
$R_{succ} = \bigcup_j \{R_j \mid p'_i \in R_j \wedge p_i \in R_{test}\}$ with $1 \le i \le n_{testpoints}$ (2.41)
Therewith, in general, an over-approximation of the analog transition relation is generated, due to the hyperboxes forming $R_{succ}$ enclosing the more complex geometric structure $R_{exact}$, which is the convex hull of all computed $p'_i$ for $n_{testpoints} \to \infty$. Due to the number of test points being limited in order to reduce the computational effort, an under-approximation of the transition relation is possible as well.
While this approach of state space discretization for analog circuits has proven to be robust and algorithmically very manageable, there are some downsides that motivate the search for an improved, yet algorithmically not too complex approach. The main problem of the approach is due to the paraxial slicing of the state space. Therewith, the discretization is not rotation invariant with respect to the vector field, which results in an insufficient capture of the vector field flow dynamics within the state space and in large out-degrees $\deg(R_j)$.
Consider, for example, the flow in Figure 2.7(a), which is parallel to the axis $x_1$. A trajectory from point $p_1$ to $p_2$ in the continuous flow maps to the transition illustrated in Figure 2.7(b) from box $d_1$ to $d_2$ with a deterministic successor, representing a good discrete approximation of the vector field flow. By rotating the vector field by 45 degrees in Figure 2.7(c), the trajectory from $p_3$ to $p_4$ maps to the massively over-approximated nondeterministic transition paths illustrated in Figure 2.7(d) from box $d_3$ to $d_4$. Due to the paraxial slicing, the calculation of the subsequent boxes reports three successors enclosing the exact successor geometry of each box. This leads to a large number of possible paths and hence a substantial over-approximation of the reachable area, which does not accurately represent the dynamic system behavior for practical verification purposes. While this over-approximation can be tolerated for pessimistic reachability computation for safety verification, in order to prove that a bad state will never be reached, false negatives have to be expected.
2.4.4 Trajectory-Directed Discretization
In order to overcome the limitations of the hyperbox discretization approach described
in the previous section, the desired behavior of an improved discretization algorithm
has to be characterized.
The discretization shall be rotation invariant and therefore the state space intersections for partitioning cannot be paraxial. As a massive over-approximation of the successor relation of the state space partitions significantly weakens the expressiveness of the verification algorithms, the geometric structure of the state space partitions shall follow the flow of the state space dynamics. Hence, the intersections dividing the state space shall be either parallel or orthogonal to the state space trajectories enclosed by the partitions. Therewith, the nondeterminism of the successor relation of the state space partitions shall be minimized, due to the uniqueness of the successor relation being determined by the real trajectories between the preceding state space partition and its successor. By using time step control algorithms for determining the acceptable trajectory length which can be approximated by a straight line between two points in state space, the homogeneity of the enclosed state space dynamics in the partitions shall be guaranteed. Figure 2.8 illustrates a non-paraxial trajectory-directed state space partitioning applied to the example flow from Figure 2.7(c).
[Figure 2.7: four panels (a) to (d) over axes x1 and x2 showing points p1, p2 and boxes d1, d2 for the paraxial flow, and points p3, p4 and boxes d3, d4 for the rotated flow.]
Figure 2.7: Illustration of a vector field with paraxial flow (a) and the corresponding discretization (b) including the transition path. In comparison, the vector field flow rotated by 45 degrees (c) results in a massive over-approximation of the transition path in the hyperbox discretization (d).
2.4.4.1 Calculating the State Space Partitioning
The central idea for a new discretization algorithm is that the intersections of the state space are no longer determined by paraxial slicing but by the trajectories of the state space dynamics. Hence, starting from the infinite point set $Z$ constrained to user-defined interval boundaries $r$ for each of the $n_d$ extended state space dimensions as defined in Equation 2.23, representing the state space of the analog system, a slicing structure into $k$ non-overlapping state space regions $R_j$ of the state space shall be constructed:
$\bigcup_{1 \le j \le k} R_j = Z$ (2.42)
[Figure 2.8: two panels (a) and (b) over axes x1 and x2 with points p3, p4 and partitions d3, d4.]
Figure 2.8: Illustration of a non-paraxial vector field flow with a trajectory-directed state space partitioning resulting in a transition path from d3 to d4 (b) matching the initial trajectory between p3 and p4 (a).
A linear transformation of $Z$ is necessary in order to handle size differences of the ranges of the state space variables. All ranges shall be translated and normalized to the interval $[0,1]$. Therefore, a translation vector $v^{(t)}$ has to be calculated to move the lower bound $\underline{r}_i$ of the $n_d$ extended state space variable ranges to 0 and to scale them to the interval $[0,1]$ by factors $\lambda_i$:
$\lambda_i = (\overline{r}_i - \underline{r}_i)^{-1}$ (2.43)
$v^{(t)} = \begin{pmatrix} -\underline{r}_1 \lambda_1 \\ \vdots \\ -\underline{r}_{n_d} \lambda_{n_d} \end{pmatrix}$ (2.44)
The transformation matrix $T$ for the scaling vector $\lambda$ and the translation vector $v^{(t)}$ in homogeneous coordinates [Mir95] is then given by:
$T = \begin{pmatrix} \lambda_1 & 0 & \cdots & 0 & v^{(t)}_1 \\ 0 & \lambda_2 & \ddots & \vdots & v^{(t)}_2 \\ \vdots & \ddots & \ddots & 0 & \vdots \\ \vdots & & \ddots & \lambda_{n_d} & v^{(t)}_{n_d} \\ 0 & \cdots & \cdots & 0 & 1 \end{pmatrix}$ (2.45)
342.4 Discrete Modeling of Analog Systems
The linear transformation for a point $p^{(orig)}$ to $p$ with
$\begin{pmatrix} p \\ 1 \end{pmatrix} = T \begin{pmatrix} p^{(orig)} \\ 1 \end{pmatrix}$ (2.46)
is applied to all following coordinate calculations and reversed for determining the final structure in the untransformed space. The 1-entry in position $n_d + 1$ of the vectors for using homogeneous coordinates is added or removed correspondingly.
After the preceding preparations, the actual partitioning can be described. The goal of the partitioning algorithm is to determine the vertices and edges of the geometric objects partitioning $Z$ into the $k$ regions $R_j$. Therefore, the algorithm starts from a random starting point that is no DC-operating-point of the system by appending it to an initially empty waiting list $WL$. DC-operating-points are detected by a threshold level $r_{DC}$: a point is considered a DC-operating-point if the ratio between the norm of the transient step vector and the used integration time falls below this value.
For every point $p$ in the waiting list, a step-length controlled transition vector $v$ to the point $p'$ with $v = p' - p$ is calculated using a transient simulation back-end. In order to identify new starting points for transition vectors, across each vector $v$ an orthogonal basis vector set $B$ is constructed:
$B = \{b_1, \dots, b_{n_d} : b_i \cdot b_j = 0\}$ for all $1 \le i, j \le n_d$; $i \ne j$; $v \in B$ (2.47)
$B$ is constructed using the Gram-Schmidt orthogonalization algorithm [GVL96]. The input to the Gram-Schmidt algorithm
$B = \mathrm{GramSchmidt}(M)$ (2.48)
is the matrix
$M = \begin{pmatrix} v & i_1 & \cdots & i_{j-1} & i_{j+1} & \cdots & i_{n_d} \end{pmatrix}$ (2.49)
consisting of the vector $v$ and $n_d - 1$ of the $n_d$ column vectors of the unity matrix $I_{n_d}$, such that the eliminated vector $i_j$ has its 1-entry in the same dimension $j$ where $v$ has its maximum absolute magnitude $|v_j|$:
$j = \arg\max_{1 \le j \le n_d} |v_j|$ (2.50)
The vectors returned by the algorithm are normalized to length 1. The resulting orthogonal basis set is now scaled to the initial length of $v$. Additionally, in order to control the discretization error, for each element $b_i$ of $B$ a scaling factor $\beta^{(a)}_i$ is calculated. This $\beta^{(a)}_i$ shall assure that the direction and length differences between two transition vectors $v_r$ and $v_s$, with $v_r$ being calculated starting from $p + \beta^{(a)}_i \cdot b_i$ and $v_s$ being the initial transient vector starting from $p$, are below predefined tolerance levels $r_\theta$ and $r_\Delta$:
$\theta_{rs} < r_\theta \wedge \Delta_{rs} < r_\Delta$ (2.51)
Starting with $\beta^{(a)}_i = 1$, the scaling algorithm compares the two transition vectors $v_r$ and $v_s$ and iteratively halves $\beta^{(a)}_i$ until the error criteria are satisfied. Therewith, just as the time step control using the LTE for controlling the error of transient simulation that was discussed in Section 2.3.3, a state space step control is applied for controlling $\epsilon^{(R_j)}_\theta$ and $\epsilon^{(R_j)}_\Delta$ within each state space partition $R_j$, determined by the correspondingly scaled $B$ and the adjacent orthogonal sets.
Satisfying $r_\theta$ and $r_\Delta$ in the state space area around singularities such as attractors represented by DC-operating-points would cause the length of the vectors $\beta^{(a)}_i \cdot b_i$ to be decreased infinitely. Therefore, the previously mentioned threshold $r_{DC}$ controls the minimum length of the vectors for obtaining a finite set of partitions.
Each of the scaled orthogonal basis set vectors added to $p$ describes starting points $q^{(a)}$ for a new transient step calculation, for which in turn the orthogonal basis set is calculated. By an additional point reflection of the vector set $B$ across $p$ by vector subtraction, resulting in the point set $q^{(b)}$, the expansion into all trajectory-orthogonal directions of the state space is obtained with correspondingly calculated error control scaling factors $\beta^{(b)}_i$:
$q^{(a)}_i = p + \beta^{(a)}_i \cdot b_i$ for all $1 \le i \le n_d$ (2.52)
$q^{(b)}_i = p - \beta^{(b)}_i \cdot b_i$ for all $1 \le i \le n_d$ (2.53)
For every new starting point put into the $WL$, the inclusion in the defined discretization ranges of the extended state space has to be assured:
$WL = WL \cup \{q_i \in (q^{(a)} \cup q^{(b)}) \mid q_i \in [0,1]^{n_d}\}$ (2.54)
Figure 2.9 outlines the described process of determining the set of trajectory-
orthogonal points q(a) and q(b) in a two-dimensional space.
The point $q^{(b)}_1$ generated by the point reflection of the initial transition vector $v$ across $p$ is critical. Between $q^{(b)}_1$ and $p$ shall be a transition in the direction of the trajectory flow, which is not given by the reflection of $v$. Hence, the transition vector obtained from a transient step starting in $q^{(b)}_1$ does not necessarily map to $p$. Therefore, a correction has to be calculated such that a transient step starting in $q^{(b)}_1$ goes through $p$. This can be iteratively resolved by determining the deviation vector
$$\Delta p_i = p - q'_{1i} \tag{2.55}$$
between $p$ and the point $q'_{1i}$ with $q'_{1i}$ determined by a transient step starting in $q^{(b)}_{1i}$. The corrected $q^{(b)}_{1i+1}$ is then given by:
$$q^{(b)}_{1i+1} = q^{(b)}_{1i} + \Delta p_i \tag{2.56}$$

Figure 2.9: Schematic visualization of the process of determining the trajectory-orthogonal point sets $q^{(a)}$ and $q^{(b)}$ in a two-dimensional space. [Panels (1) to (4) show, in the axes $x_1$ and $x_2$, the point $p$, its transient successor $p'$, the vectors $v$, $b_1$ and $\beta^{(a)}_2 b_2$, the points $q^{(a)}_1$, $q^{(a)}_2$, $q^{(b)}_1$, $q^{(b)}_2$, and the waiting list growing from $WL = \{p\}$ to $WL = \{q^{(a)}_1, q^{(a)}_2, q^{(b)}_1, q^{(b)}_2\}$.]
This correction algorithm, which corresponds to the ideas in [DL09], is repeated either up to a predefined number $i_{max}$ of times or until $\Delta p_i$ is below a user-defined error bound. If the algorithm terminates without $\Delta p$ being acceptable, the length of $v$ projected to generate the initial guess for $q^{(b)}_1$ as well as the length of all transient step calculations is halved and the process is repeated until the error bound is reached.
Another issue is posed by the set of new starting points to put into the waiting
list possibly containing points that are very close to points that have already been
processed. Hence, a proximity criterion has to control the structure of the new start-
ing points in order to avoid overlapping with existing points, giving priority to those
points generated by transition vectors over those generated by the orthogonal vectors.
If any of the new starting points qi from q(a) or q(b) is closer to an already calculated
existing point than 0.75 times the distance between p and qi, qi is considered as re-
dundant. In this case, qi is replaced by the existing point or vice versa, keeping points
originating from transient steps. The accepted points from q(a) and q(b) are appended
to the waiting list WL. Every point in WL that has been processed is removed from
WL and put into the list PL of accepted partitioning points.
The orthogonal sets to which an accepted point is connected are stored, in order to later reconstruct the topology of geometric objects from these points. These connections are either represented by transition step vectors or by those from the orthogonal basis set. The coordinates of the accepted points in the untransformed state space can be calculated by inverting the transformation from Equation 2.45. Figure 2.10 illustrates a subset of the intended trajectory-directed partitioning for a three-dimensional state space with starting points, transition vectors and their orthogonal basis vectors forming the partitioning of the state space. The trajectory-directed partitioning algorithm is summarized in Algorithm 1.
Figure 2.10: Illustration of the orthogonal sets constructed around the transition vectors in a three-dimensional state space (axes $x_1$, $x_2$, $x_3$).
2.4.4.2 Geometric Structure of the State Space Partitions
From the vertices and edges of the state space partitions calculated, geometric objects can be formed in order to define enclosures of distinct subsets $R_j$ of $Z$ such that for every $p \in Z$ it can be decided in which $R_j$ it is enclosed.
The geometric object, spanned by the orthogonal set across the initial transition
vector and constrained by those of neighboring transition vectors enclosing a region
of the state space dynamic ﬂow, exhibits a very general structure. It does not offer a
regularity such as rectangular edges in order to be ﬁtted into geometrical object classi-
ﬁcation. In the following, it will be referred to as hypercell in the n-dimensional case
using the terminology of hyperdimensional partitioning. However, it can be described
by the topology of its vertices and edges such that the undirected graph formed by the
vertices and edges of the hypercell is isomorphic to the graph constructed for a hypercube in the same manner. In two dimensions, the object is a general quadrilateral. In three dimensions, the object consists of six such quadrilateral facets, each of them spanned by four non-coplanar points connected by straight lines, which can be imagined as a distorted cube. The hyperdimensional equivalent to the sides or facets of the hypercell in the three-dimensional case will be referred to as hyperfacets which, due to their non-planar form, are not (n-1)-hyperplanes.
The facets can be described by the mathematical concept of ruled surfaces which require for every point on the surface that there exists a straight line through this point with every point on this line again being a point on the ruled surface. This matches the idea that the surface is a linearization between its spanning edges, which adequately approximates the behavior of imaginary flow trajectories in the state space. Figure 2.11 illustrates a hypercell in three dimensions with faces defined by ruled surfaces.

Algorithm 1: Trajectory-Directed Partitioning Algorithm.
Input: Waiting list $WL = \{p_1\}$
Output: List of accepted partitioning points $PL$ with geometric topology
1 apply transformation $T$ to all following steps
2 foreach $p_j \in WL$ do
3   $WL = WL \setminus p_j$
4   calculate transient step vector $v_j = p'_j - p_j$
5   generate orthogonal set $B$ from $v_j$
6   foreach $b_i \in B$ do
7     calculate error control scaling factors $\beta^{(a)}_i$ and $\beta^{(b)}_i$
8     calculate points $q^{(a)}_i$ and $q^{(b)}_i$
9     if $i == 1$ then
10      calculate corrected $q^{(b)}_1$
11    end
12  end
13  foreach $q_i \in \{q^{(a)} \cup q^{(b)}\}$ do
14    if $q_i \in [0,1]^{n_d}$ then
15      if $\neg\exists\, p^{(ex)} \in (PL \cup WL) : \|p^{(ex)} - q_i\| < 0.75\, \|p_j - q_i\|$ then
16        $WL = WL \cup q_i$
17      end
18    end
19  end
20  $PL = PL \cup p_j$
21 end
22 reverse transformation $T$
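The following Python program is added here as an example and is not code from the thesis or its implementation: it runs Algorithm 1 in two dimensions on a constructed damped-rotation vector field that stands in for the transient analysis step, applying the scaling-factor halving of Equation 2.51, the corrected reflection of Equations 2.55 and 2.56 and the 0.75 proximity criterion. The transformation T, the Kd-tree and the replacement rule for redundant points are omitted, and all tolerances are assumed values.

```python
"""Toy 2-D implementation of the trajectory-directed partitioning (Algorithm 1)."""
import math

# Constructed stand-in for the circuit: a damped rotation around the centre of the
# normalised state space [0,1]^2, x' = A (x - c) with A = [[-a, w], [-w, -a]].
A_DAMP, OMEGA, CENTRE = 0.3, 1.0, (0.5, 0.5)


def transient_step(p, dt):
    """Exact solution of the linear test system after integration time dt
    (replaces the transient analysis step p -> p' of the DAE model)."""
    x, y = p[0] - CENTRE[0], p[1] - CENTRE[1]
    decay, c, s = math.exp(-A_DAMP * dt), math.cos(OMEGA * dt), math.sin(OMEGA * dt)
    return (CENTRE[0] + decay * (c * x + s * y), CENTRE[1] + decay * (-s * x + c * y))


def sub(u, v):
    return (u[0] - v[0], u[1] - v[1])


def add(u, v):
    return (u[0] + v[0], u[1] + v[1])


def scale(u, k):
    return (u[0] * k, u[1] * k)


def norm(u):
    return math.hypot(u[0], u[1])


def angle_between(u, v):
    """Direction difference theta_rs of two transition vectors (radians)."""
    nu, nv = norm(u), norm(v)
    if nu == 0.0 or nv == 0.0:
        return math.pi
    cosang = (u[0] * v[0] + u[1] * v[1]) / (nu * nv)
    return math.acos(max(-1.0, min(1.0, cosang)))


def orthogonal_set(v):
    """Gram-Schmidt in 2-D: b1 = v, b2 = an axis vector orthogonalised against v
    and scaled to the length of v."""
    axis = (1.0, 0.0) if abs(v[0]) < abs(v[1]) else (0.0, 1.0)
    proj = (axis[0] * v[0] + axis[1] * v[1]) / (norm(v) ** 2)
    b2 = sub(axis, scale(v, proj))
    return [v, scale(b2, norm(v) / norm(b2))]


def scaling_factor(p, v, b, dt, r_theta, r_delta, r_dc):
    """Equation 2.51: start with beta = 1 and halve it until the transition vector
    v_r at p + beta*b agrees with v_s = v in direction (r_theta) and in relative
    length (r_delta); r_dc bounds the vector length from below near attractors."""
    beta = 1.0
    while True:
        q = add(p, scale(b, beta))
        vr = sub(transient_step(q, dt), q)
        theta = angle_between(vr, v)
        delta = abs(norm(vr) - norm(v)) / norm(v)
        if (theta < r_theta and delta < r_delta) or norm(scale(b, beta)) < r_dc:
            return beta
        beta *= 0.5


def corrected_reflection(p, v, dt, eps, i_max):
    """Equations 2.55 and 2.56: move the reflected point q1(b) = p - v until a
    transient step from it lands on p (at most i_max corrections)."""
    q = sub(p, v)
    for _ in range(i_max):
        dp = sub(p, transient_step(q, dt))  # deviation vector Delta p_i
        q = add(q, dp)
        if norm(dp) < eps:
            break
    return q


def in_unit_box(q):
    return 0.0 <= q[0] <= 1.0 and 0.0 <= q[1] <= 1.0


def partition(p1, dt=0.25, r_theta=0.1, r_delta=0.1, r_dc=1e-3, max_points=400):
    """Algorithm 1 in 2-D without the transformation T and the Kd-tree. Returns the
    accepted points PL and the transient-step successor of every accepted point."""
    WL, PL, succ = [p1], [], {}
    while WL and len(PL) < max_points:
        p = WL.pop(0)                                  # WL = WL \ p_j
        v = sub(transient_step(p, dt), p)              # transient step vector v_j
        if norm(v) < r_dc:                             # attractor: DC point maps to itself
            PL.append(p)
            succ[p] = p
            continue
        b1, b2 = orthogonal_set(v)
        beta = scaling_factor(p, v, b2, dt, r_theta, r_delta, r_dc)
        q_a = [add(p, b1), add(p, scale(b2, beta))]    # q_1(a) = p', q_2(a)
        q_b = [corrected_reflection(p, v, dt, r_dc, 10), sub(p, scale(b2, beta))]
        succ[p] = q_a[0]
        for q in q_a + q_b:
            if not in_unit_box(q):
                continue
            limit = 0.75 * norm(sub(p, q))
            near = [ex for ex in PL + WL if norm(sub(ex, q)) < limit]
            if near:                                   # proximity criterion: q is redundant
                if q == q_a[0]:
                    succ[p] = near[0]                  # simplification: reuse the existing point
                continue
            WL.append(q)
        PL.append(p)
    return PL, succ


if __name__ == "__main__":
    points, successors = partition((0.9, 0.5))
    print(len(points), "accepted points,", sum(s == p for p, s in successors.items()), "DC points")
```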
While offering high approximation accuracy, in higher dimensions, the concept of
non-planar hypersurfaces deﬁning the faces of geometric objects makes it very difﬁcult
to calculate for a given point in state space to which hypercell it is assigned. Never-
theless, the non-overlapping complete non-uniform irregular partitioning of the state
space into hypercells is the theoretical model for a high accuracy discretization with
the introduced linearization error between vectors controlled by step-size control.
Figure 2.11: Illustration of a hypercell object in a three-dimensional space (axes $x_1$, $x_2$, $x_3$).

The goal is to reduce the complexity of the hypercell description in order to obtain a feasible description. The first observation is that, if the surface facets were hyperplanar, the hypercell could be represented by n-polytopes due to the faces of n-polytopes by definition being (n-1)-polytopes for which the decision of point-enclosure is easy. However, transferring the hypercell to n-polytopes would destroy the accuracy of the enclosures as this is a major simplification.
The inclusion of a point $p$ within a hypercell can be decided by checking the position of $p$ relative to each of the $2n$ hyperfacets of the hypercell. If for every hyperfacet of the hypercell $p$ lies, relative to the hypercell, on the inner side of the hyperfacet, $p$ lies within the hypercell. Due to the edge-topology of the hypercell being isomorphic to the one of a hypercube, the $2^{n-1}$ vertices spanning each facet of the hypercell can be identified by graph traversal. A function $f(p)$ describing the position of $p$ relative to the hyperfacet is needed such that:
$$f(p) \begin{cases} > 0 & \text{if } p \text{ lies on the inner side of the hyperfacet} \\ = 0 & \text{if } p \text{ lies on the hyperfacet} \\ < 0 & \text{if } p \text{ lies on the outer side of the hyperfacet} \end{cases} \tag{2.57}$$
Such a function is given by the distance of the normal vector on the hypersurface pointing to $p$. Due to the hypersurface equation not being determinable analytically from the set of its vertices, a nonlinear hypersurface function shall be developed, describing the hypersurface by a weighted combination of (n-1)-hyperplanes, each spanned by the $n-1$ edges connected to each vertex of the hyperplane. As illustrated in Figure 2.12 for a facet of a three-dimensional cell, for each of the four vertices $a_1$ to $a_4$, a plane is spanned by its adjacent edges. For vertex $a_1$ the corresponding plane is spanned by the edges $e^{(a)}_{14} = a_4 - a_1$ and $e^{(a)}_{12} = a_2 - a_1$.
If a point $p$ is on this plane, it can be directly described by a linear combination of both edge vectors representing a parametric formulation of the plane. In order to identify the position of an arbitrary point relative to the plane, a normal vector $n_1$ on the plane is added to the linear combination. With the coefficient of $n_1$ determining the distance to the plane corresponding to Equation 2.57, the position of $p$ relative to the plane can be calculated.

Figure 2.12: Basis vector sets for each vertex of a hypercell facet for determination of the position of point $p$ with respect to the facet (vertices $a_1$ to $a_4$ and the point $p$ in the axes $x_1$, $x_2$, $x_3$).
For the n-dimensional case, a hypercell has $2n$ hyperfacets and each of the hyperfacets is described by $m = 2^{n-1}$ vertices $a_1$ to $a_m$. Each vertex $a_i$ is connected to $n$ edges $e_{ij}$ of the hypercell of which $n-1$ span a hyperplane. The position of a point $p$ relative to such a hyperplane can be described by the linear combination of the edges $e_{ij}$ spanning the hyperplane and the normal vector $n^{(a)}_i$ added to $a_i$:
$$p = \alpha_{i1} e_{i1} + \alpha_{i2} e_{i2} + \cdots + \alpha_{i,n-1} e_{i,n-1} + \alpha_{in} n^{(a)}_i + a_i \tag{2.58}$$
For a subset of the hyperplanes, the normal vectors have already been computed as a member of the orthogonal set around the vertex connected to the hyperplane. However, due to the proximity criterion allowing vectors that are not in the direction of the trajectories to be non-orthogonal to the vectors spanning the hyperplane, a calculation of the normal vector can be mandatory for those hyperplanes. Unfortunately, the calculation of the normal vector $n^{(a)}_i$ is nontrivial in the higher dimensional case. While in $\mathbb{R}^3$ the cross product of the two spanning vectors yields the normal vector on the plane, the general case in $\mathbb{R}^n$ is not directly accessible. The cross product $v_1 \times v_2 \times \ldots \times v_{n-1}$ of any ordered (n-1)-tuple of vectors can be computed by forming a matrix whose subsequent rows are the vectors $v_1, v_2, \ldots, v_{n-1}$. The $k$-th component of $v_1 \times v_2 \times \ldots \times v_{n-1}$ is $(-1)^k$ times the determinant of the submatrix obtained by deleting the $k$-th column [Mas83]. As an alternative to the generalized cross product, the normal vector can again be computed by the Gram-Schmidt orthogonalization where the $n-1$ vectors spanning the edges of the hyperplane and the pseudo-orthogonal vector $v_n$ from the initial point determination are used as input, resulting in an orthogonalization of $v_n$ to the vectors spanning the (n-1)-hyperplane.
The parametric equation for the hyperplane is given by setting $\alpha_{in} = 0$ in Equation 2.58. In order to determine the coefficients $\alpha_{ij}$ for a given $p$, an equation system consisting of $m$ equations for every vertex of the hyperplane can be set up:
$$\begin{aligned}
\alpha_{11} e_{11} + \alpha_{12} e_{12} + \cdots + \alpha_{1,n-1} e_{1,n-1} + \alpha_{1n} n^{(a)}_1 + a_1 - p &= 0 \\
\alpha_{21} e_{21} + \alpha_{22} e_{22} + \cdots + \alpha_{2,n-1} e_{2,n-1} + \alpha_{2n} n^{(a)}_2 + a_2 - p &= 0 \\
&\;\;\vdots \\
\alpha_{m1} e_{m1} + \alpha_{m2} e_{m2} + \cdots + \alpha_{m,n-1} e_{m,n-1} + \alpha_{mn} n^{(a)}_m + a_m - p &= 0
\end{aligned} \tag{2.59}$$
Two out of four planes spanned by the edge vectors of a facet in a three-dimensional space are illustrated in Figure 2.13.

Figure 2.13: Curved surface in a three-dimensional space representing a facet of a cell (vertices $a_1$ to $a_4$ in the axes $x_1$, $x_2$, $x_3$). Two of the four planes spanned by the edge vectors of the vertices $a_1$ and $a_3$ are illustrated. The weighting function uses one plane for each vertex of the facet in order to obtain a nonlinear surface function describing the facet.
Finally, after calculating the coefficients $\alpha_{in}$ of the $m$ normal vectors $n^{(a)}_i$, the curved surface function of the hypersurface can be approximated by a combination of the planes spanned by the edge vectors of each vertex using a weighting of the coefficients $\alpha_{in}$ corresponding to the distance of points $p$ to each $a_i$. This yields the function $f(p)$ determining the position of $p$ relative to the hypersurface:
$$f(p) = \frac{\alpha_{1n}\, c^{-\|p-a_1\|} + \alpha_{2n}\, c^{-\|p-a_2\|} + \cdots + \alpha_{mn}\, c^{-\|p-a_m\|}}{c^{-\|p-a_1\|} + c^{-\|p-a_2\|} + \cdots + c^{-\|p-a_m\|}} \tag{2.60}$$
The basis $c$ shall be chosen such that every other $c^{-\|p-a_i\|}$ evaluates to 0 if there is an $a_j$ with $\|p - a_j\|$ below a threshold value. This ensures that the weight of other hyperplanes goes towards zero when a point is near a vertex $a_j$.
The hypersurface function describing the points on the facet is obtained by setting $f(p) = 0$. The denominator scales the sum of the weights to 1. By using the exponential function such that distance 0 results in a weight of 1 and by the normalization of the distances, high approximation accuracy is guaranteed.
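The following Python code is added here as an example and is not code from the thesis: it implements the position function $f(p)$ of Equations 2.57 to 2.60 for a constructed, distorted cube, taking the vertex-plane normals from the generalized cross product described above and deriving the $2n$ hyperfacets from the hypercube topology of the cell. The orientation of the normals towards the cell centre of Equation 2.63, the choice of the basis c, and the shift of the distances by the nearest-vertex distance in the weights are choices of this example, not of the thesis.

```python
"""Hypercell point inclusion via the weighted vertex planes of Equations 2.57 to 2.60."""
import math


def determinant(m):
    """Laplace expansion; adequate for the small matrices of the cross product."""
    if len(m) == 1:
        return m[0][0]
    return sum((-1) ** k * m[0][k] * determinant([row[:k] + row[k + 1:] for row in m[1:]])
               for k in range(len(m)))


def generalized_cross(vectors):
    """Normal of the hyperplane spanned by n-1 vectors in R^n: the k-th component is
    (-1)^k times the determinant of the row matrix with column k deleted (k counted
    from 0); the orientation is fixed separately in vertex_plane_distance."""
    n = len(vectors) + 1
    return [(-1) ** k * determinant([v[:k] + v[k + 1:] for v in vectors]) for k in range(n)]


def dist(u, v):
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(u, v)))


def vertex_plane_distance(p, a_i, edges, interior):
    """alpha_in of Equation 2.58 for a unit normal: signed distance of p from the
    hyperplane through a_i spanned by its n-1 facet edges, positive towards the
    interior reference point (the inner side of Equation 2.57)."""
    n_vec = generalized_cross(edges)
    length = math.sqrt(sum(c * c for c in n_vec))
    n_vec = [c / length for c in n_vec]
    if sum((ci - ai) * ni for ci, ai, ni in zip(interior, a_i, n_vec)) < 0:
        n_vec = [-c for c in n_vec]
    return sum((pi - ai) * ni for pi, ai, ni in zip(p, a_i, n_vec))


def facet_position(p, facet, interior, c):
    """f(p) of Equation 2.60: vertex planes weighted by c^(-|p - a_i|). The distances
    are shifted by the nearest-vertex distance (a common factor that cancels in the
    quotient) so that the weights never underflow to zero."""
    dists = [dist(p, a_i) for a_i, _ in facet]
    d_min = min(dists)
    num = den = 0.0
    for (a_i, edges), d in zip(facet, dists):
        w = c ** (-(d - d_min))
        num += vertex_plane_distance(p, a_i, edges, interior) * w
        den += w
    return num / den


def hypercell_facets(vertices):
    """Facets from the hypercube topology: vertices are keyed by corner bits, facet
    (d, b) holds the 2^(n-1) corners with bit d == b, and each corner's n-1 in-facet
    edges lead to the corners obtained by flipping one of the other bits."""
    n = len(next(iter(vertices)))
    facets = {}
    for d in range(n):
        for b in (0, 1):
            facet = []
            for k in vertices:
                if k[d] != b:
                    continue
                a = vertices[k]
                edges = []
                for j in range(n):
                    if j != d:
                        nb = k[:j] + (1 - k[j],) + k[j + 1:]
                        edges.append([x - y for x, y in zip(vertices[nb], a)])
                facet.append((a, edges))
            facets[(d, b)] = facet
    return facets


def inside_hypercell(p, vertices, c=math.e ** 20):
    """p lies in the hypercell iff it is on the inner side of all 2n hyperfacets; the
    centre of Equation 2.63 is the interior reference for orienting the normals."""
    m = len(vertices)
    centre = [sum(v[i] for v in vertices.values()) / m for i in range(len(p))]
    return all(facet_position(p, f, centre, c) > 0 for f in hypercell_facets(vertices).values())


# Constructed distorted cube (the vertex positions are made up for this example).
CELL = {
    (0, 0, 0): (0.0, 0.0, 0.0), (1, 0, 0): (1.0, 0.0, 0.0),
    (0, 1, 0): (0.0, 1.0, 0.0), (1, 1, 0): (1.0, 1.0, 0.3),
    (0, 0, 1): (0.0, 0.0, 1.0), (1, 0, 1): (1.2, 0.0, 1.0),
    (0, 1, 1): (0.0, 1.1, 1.0), (1, 1, 1): (1.0, 1.0, 1.2),
}

if __name__ == "__main__":
    for pt in [(0.5, 0.5, 0.6), (0.5, 0.5, -0.3), (2.0, 2.0, 2.0)]:
        print(pt, inside_hypercell(pt, CELL))
```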
2.4.4.3 Transition Relation of the Hypercells
The paraxial hyperbox partitioning approach needed to calculate the trajectories of
sample points in a hyperbox in order to determine which hyperboxes are reached by
these trajectories for determining the nondeterministic over-approximated successor
relation. In contrast, the trajectory-directed approach guarantees by design that the
successor of a hypercell is the adjacent hypercell in the direction of the transition vec-
tors spanning the hypercell. The ﬂow of the state space dynamics is considered to be
homogeneous within a partition enclosed by the transition vectors of the edges of the
partition. Due to the edges in ﬂow direction being parallel to the ﬂow, every point
within a hypercell maps to the same adjacent subsequent hypercell. This successor re-
lation can be directly obtained from the iterative partitioning algorithm that explores
the state space using the trajectory-orthogonal expansion.
The only exception arises when the partitioning algorithm is splitting the subse-
quent hypercell by insertion of additional points. This is due to an expansion of the
vector ﬁeld ﬂow or merging the ﬂow of preceding hypercells into a single successor
caused by a contraction of the ﬂow. In such cases, the proximity criterion maps one
successor to more than one predecessor or vice versa. Hence, more than one hyper-
facet can be adjacent to a larger facet of a hypercell if the ﬂow contracts. If the ﬂow
expands, one hyperfacet of a hypercell can be adjacent to more than one hyperfacet of
subsequent hypercells. In such a case, the successor relation has to be adapted to map
to the corresponding successors as illustrated in Figure 2.14. In order to calculate the
surface of the larger hyperfacet, the hypersurface formula, as introduced in Equation
2.59, can then be computed by taking into account all vertices of the adjacent smaller
hyperfacets.
Figure 2.14: Schematic illustration of contracting and expanding vector field flow, with the corresponding partitioning and the successor relation for the hypercells (axes $x_1$, $x_2$).
2.4.4.4 Mapping the Trajectory-Directed Partitioning to a DATS
With the vertices and edges of the state space partitioning determined by using the
trajectory-directed approach, a mapping onto a DATS has to be generated in order to
apply veriﬁcation algorithms.
While the state space partitions, represented by hypercells, and the inherent suc-
cessor relation have been introduced in the previous subsections, it has to be deﬁned
how a hypercell is represented by a state of the DATS. Moreover, deﬁning the succes-
sor relation of the DATS connecting the states, as well as the rest of the parameters of
the DATS, is required to complete the discrete model.
Determining point inclusion in the hypercells is important for the completeness
of the theoretical model of the partitioning. It could for example be applied to de-
velop veriﬁcation algorithms not operating on a discrete graph structure but directly
on symbolically determined point-to-point mappings within the ﬁnite set of hyper-
cells. In such a concept, the homogeneous ﬂow in the hypercells, determined by the
transition vectors spanning the hypercells, could deﬁne the transition vector length
and direction of a point by taking into account the weighted position of the point to
the hypercell transition vectors.
However, for application of graph-based verification algorithms, each state $\sigma_i$ of the DATS corresponds to one hypercell $R_i$ with $1 \le i \le k$. Hence, the cardinality of $\Sigma$ is $k$:
$$\Sigma = \{\sigma_1, \ldots, \sigma_k\} \tag{2.61}$$
The DATS is then constructed by the following mappings. The parameter vector of a state is given by the labeling
$$L_V(\sigma_i) = p^{(c)}_i \tag{2.62}$$
with $p^{(c)}_i$ being the center point of $R_i$, representing the extended state space variables in this point. The center is calculated from the $m = 2^{n_d}$ vertices $a_j$ that constrain a hypercell:
$$p^{(c)}_i = \frac{1}{m} \sum_{1 \le j \le m} a_j \tag{2.63}$$
A transition relation exists between those states where the state space trajectories starting in a hypercell $R_i$ reach the adjacent hypercell $R_j$. The adjacency is determined by the intersection of the sets of vertices $a^{(i)}$ spanning $R_i$ and $a^{(j)}$ spanning $R_j$ not being empty:
$$R = \{(\sigma_i, \sigma_j) \mid \forall p \in R_i\; \exists \Delta t : p + v \cdot \Delta t \in R_j\} \quad \text{with } a^{(i)} \cap a^{(j)} \neq \emptyset \tag{2.64}$$
The transition times between $\sigma_i$ and $\sigma_j$ are determined by the trajectory time $\Delta t$ computed by a transient step from $p^{(c)}_i$ to $p^{(c)}_j$:
$$T(R(\sigma_i, \sigma_j)) = \Delta t(p^{(c)}_i, p^{(c)}_j) \tag{2.65}$$
Each transition with a transition time greater than zero has an atomic transition proposition of 0, marking it as a dynamic transition created by a state space trajectory:
$$L_T(R(\sigma_i, \sigma_j)) = 0 \Leftrightarrow T(R(\sigma_i, \sigma_j)) > 0 \tag{2.66}$$
A trajectory starting in a DC-operating-point ends within this point, hence there is a transition of a state representing a DC-operating-point to itself:
$$(\sigma_i, \sigma_i) \in R \Leftrightarrow \{\forall p \in R_i : p + v \cdot \Delta t \in R_i\} \quad \text{for all } \Delta t \ge 0 \tag{2.67}$$
By definition, the transition time of such transitions shall be zero, as the circuit stays in this loop state until an external excitation makes the circuit leave this state:
$$T(R(\sigma_i, \sigma_i)) = 0 \quad \text{and} \quad L_T(R(\sigma_i, \sigma_i)) = 0 \tag{2.68}$$
2.4.4.5 Duality of the Trajectory-Directed Partitioning
With the mapping of the trajectory-directed state space partitioning onto a DATS, ap-
plication of veriﬁcation algorithms to the DATS modeling an analog circuit would be
possible. However, one observation can motivate an approach to decrease the model-
ing effort of determining the hypercells signiﬁcantly without decreasing the discretiza-
tion accuracy for the DATS. This observation is the duality of the trajectory-directed
edges connecting the vertices of hypercells and the transition vectors between the cen-
ters of the hypercells. Figure 2.15 illustrates this duality where the transient steps be-
tween the vertices determining the edges of the hypercells exhibit the same transition
behavior as the transitions connecting the centers of the hypercells, themselves approximating the trajectories between adjacent centers of the hypercells. Moreover, while the transition relation between two adjacent centers is an approximation calculated by the connection of the centers of both hypercells, the transition steps creating the edges of the hypercells are by design computed with the accuracy of transient analysis.
Therefore, for an implementation of the trajectory-directed partitioning, the vertices and edges computed by the partitioning algorithm shall directly define the states of the DATS and the corresponding transition relations.
When transferring the trajectory-directed partitioning to a DATS, only the parameter vector for each state has to be changed compared to the mapping defined in Section 2.4.4.4:
$$L_V(\sigma_i) = p_i \tag{2.69}$$
with $p_i$ representing the original sampled points in state space of the trajectory-directed discretization algorithm. The transition relations are directly determined by the transient step vectors $v_{ij}$ computed during the initial state space sampling, resulting in a deterministic transition relation where each state has exactly one successor state:
$$R = \{(\sigma_i, \sigma_j) \mid \exists v_{ij} : p_i + v_{ij} = p_j\} \tag{2.70}$$
All other mappings defined in Section 2.4.4.4 apply correspondingly by replacing the centers of the hypercells $p^{(c)}_i$ with the initially sampled $p_i$.
Figure 2.15: Illustration of a two-dimensional vector field (axes $x_1$, $x_2$) with calculated transition endpoints as boxes and the quadrilateral enclosed regions of the state space. The circles represent the centers of the enclosed state space regions, connected corresponding to the initially calculated transition relation. The regions enclosed by the quadrilaterals of four region centers are dual to the regions bounded by the transition vectors.
2.4.4.6 Handling Input Variables
The DATS obtained from the trajectory-directed discretization of the state space pre-
sented in Section 2.4.4.4 with the simpliﬁcation from Section 2.4.4.5 models the dy-
namic behavior of an analog circuit. For systems without inputs or with constant in-
put values, this discrete model completely represents the system in order to be veriﬁed
using veriﬁcation algorithms on the graph structure. However, for systems with input
variables determined by external input stimuli, this model has to be extended.
Therefore, an input variable model for the trajectory-directed discrete modeling has
to be developed. This model shall correspond to the idea of the transient simulation
algorithm for analog circuits, where in every time step the solution is computed con-
sidering constant input values and changes of the input variables are only considered
between the time steps. Hence, those dimensions of the extended state space repre-
sented by input variables are explored by the trajectory-orthogonal sampling just as
the other state space variables determined by energy-storing elements of the circuit.
In order to allow arbitrary input changes for transitions between states in the dis-
crete model, for each state and for each input dimension, an input transition for a state
to its successor and predecessor parallel to the axis of the corresponding input dimen-
sion has to be created in the DATS.
Fortunately, using the dual representation where the sampled points in the state space correspond to the centers of the states $L_V(\sigma_i) = p_i$, the trajectory-directed discretization algorithm already generates the information about the two neighboring states for $\sigma_i$ parallel to the corresponding input axis dimension $s$ due to the orthogonalization algorithm. The input axis is described by the vector $i_s$, being the $s$-th column vector of the identity matrix $I_{n_d}$. Calculated from the transition vector $v$ starting in $p_i$, the orthogonal vector $b_s$, generating the points $q^{(a)}_s$ and $q^{(b)}_s$, is parallel to the input axis. This is due to the trajectories being sampled with piecewise constant inputs, and the inputs are only changed between sample steps. Hence, the dynamic transition vectors have zero magnitude in the direction component of the input dimensions and therefore, the normalized $b_s$ equals $i_s$.
For a state σi, every identiﬁed neighboring state σj for every input dimension is
ﬁnally connected to σi by an undirected transition in the DATS, meaning that these
input edges can be traveled in both directions corresponding to any external input
variable change:
$$R = R \cup (\sigma_i, \sigma_j) \cup (\sigma_j, \sigma_i) \tag{2.71}$$
By deﬁnition, the transition time of such transitions shall be zero:
$$T(R(\sigma_i, \sigma_j)) = 0 \quad \text{and} \quad T(R(\sigma_j, \sigma_i)) = 0 \tag{2.72}$$
Figure 2.16: Schematic illustration of a DATS with a possible input change-induced transition path (a). The corresponding input signal (b) and output signal (c) are assumed for this path. [Panel (a) shows states 1 to 9 over the axes $V_{in}$ and $V_{out}$, distinguishing dynamic transitions from staying in a DC-point; panels (b) and (c) show $V_{in}$ and $V_{out}$ over $t$.]
Finally, these transitions have to be identiﬁed as input edges in the DATS for offering
the possibility of masking these states for veriﬁcation algorithms such as oscillation
detection:
$$L_T(R(\sigma_i, \sigma_j)) = 1 \quad \text{and} \quad L_T(R(\sigma_j, \sigma_i)) = 1 \tag{2.73}$$
Figure 2.16(a) illustrates an imaginary DATS with nine states with a highlighted input change-induced transition path. The input signal that can be traced in the DATS leading to this path is illustrated in Figure 2.16(b) with the corresponding output signal behavior illustrated in Figure 2.16(c). Consider the system to be in the DC-operating-point represented by state 9. The circuit can stay there infinitely. However, the first step of the input voltage causes the circuit to leave state 9 over an input edge into the state corresponding to the new input voltage represented by state 6. This is a dynamic state, which means that immediately a dynamic timed transition to state 5 occurs, which again represents a DC-operating-point. The process is repeated for the next input step, finally bringing the modeled circuit to stay in state 1. With the modeled input edges in the DATS, all possible input connections between states can be considered for verification.
A limitation of the edge steepness of input signal changes should be handled by the
veriﬁcation algorithms on the DATS, assigning a nonzero transition time to these input
transitions when a limited input bandwidth has to be considered. Therewith, arbitrary
piecewise linear input stimuli can be represented on the transition paths.
2.4.4.7 Runtime Complexity
Considering the discretization of an analog circuit to a DATS with respect to the direct mapping of the states to the sampled points in the state space as described in Section 2.4.4.5, the asymptotic worst-case runtime complexity of the trajectory-directed discretization algorithm is correlated to the number of points $n_p$ sampled in the state space of the modeled circuit. This number of points increases exponentially with the number of dimensions $n_d$ of the extended state space (variables of the energy storing elements and input dimensions). The base $\kappa$ of the exponential function represents the average number of sampling points needed for covering a one-dimensional range, which is determined by the step length control of the transient steps between the sampled points in the state space:
$$n_p = \kappa^{n_d} \tag{2.74}$$
For every sampled point, the trajectory-directed discretization algorithm computes the transient simulation step contributing $t_{tr}$, the Gram-Schmidt orthogonalization contributing $t_{gs}$ and the distance information contributing $t_{pr}$ for the proximity criterion. The remaining parts of the algorithm with subordinate contribution to the complexity of the algorithm are summed up in $t_{re}$. An exact asymptotic complexity for transient analysis depends on the applied set of algorithms. However, the transient analysis algorithm contains parts with cubic asymptotic worst-case complexity with respect to the matrix of the circuit equations and the number of variables being related to $n_d$. The Gram-Schmidt algorithm has a complexity of $O(n_d^3)$ [GVL96]. The proximity neighbor search conducted by a Kd-tree consumes $O(n_p \log n_p)$ to be created and $O(\log n_p)$ for the query [Ben90]. Hence, the runtime $t_d$ of a discretization run can be estimated by:
$$t_d = \kappa^{n_d} \cdot \underbrace{(t_{tr} + t_{gs} + t_{pr} + t_{re})}_{t_p} \tag{2.75}$$
The overall computation time of a single sample point $t_p$ is dominated by the large factor of transient analysis $t_{tr}$, with $t_{pr}$ only becoming dominant for high state numbers. Anyhow, with respect to $n_p$, the asymptotic runtime complexity of the discretization algorithm is dominated by the proximity computation as it is the only component with direct dependency on $n_p$:
$$C_{n_p} = O(n_p \log n_p) \tag{2.76}$$
However, changing the perspective of complexity considerations to be relative to
the number of state space dimensions, the asymptotic worst-case runtime complex-
ity of the trajectory-directed discretization algorithm is dominated by the exponential
growth of sample points with respect to the number of state space dimensions:
$$C_{n_d} = O(\kappa^{n_d}) \tag{2.77}$$
While this exponential runtime complexity in the number of extended state space di-
mensions is common to all discrete modeling approaches for analog circuits, relevant
analog circuit blocks usually do not exceed a system order of eight, which can be handled well by this approach. Moreover, by application of an eigenvalue-based model order reduction of the DAE system [HKH04], an extension to circuits with parasitic
capacitances and full BSIM3 transistor models would be possible. The reduction can
be achieved by reducing the state space to the dominant state variables of a system and
separating the parasitic ones which are mathematically proven not to affect the system
behavior above a deﬁned threshold.
2.4.4.8 Modeling Error Analysis
The goal of the previously introduced discrete modeling of analog systems is to ob-
tain a circuit model with minimal discretization error, corresponding to the criteria
presented in Section 2.4.2. In order to obtain an overall impression on the different
modeling errors of analog systems, three major classes of errors have to be distin-
guished when comparing a physical circuit implementation with any type of math-
ematical model.
Firstly, the error in the following referred to as “physical modeling error” will de-
scribe all differences between the physical implementation and the mathematical DAE
circuit model. Secondly, the results of transient analysis are affected by numerical com-
putation errors which are referred to as “simulation error”. This simulation error is
common for all contemporary circuit analysis tools. Thirdly, the error introduced by
the discrete modeling process will in the following be referred to as “discretization
error”. This discretization error distinguishes the different discretization approaches.
Physical Modeling Error The DAE model generated for transient circuit analysis by
MNA, as described in Section 2.3.2, introduces an error due to the simpliﬁed BCEs of
the circuit elements using device models not representing the complete physical effects
down to the quantum level. Especially for transistor models in sub-micron technolo-
gies, high effort of modeling is spent on capturing their behavior.
However, as discussed in Section 2.3.1, even the most exact models available do not
offer a complete model of the physical behavior. Often, modeling accuracy is traded
in for faster runtimes of the algorithms operating on the DAE model, as the number of
equations has a negative inﬂuence on the runtime of the analysis algorithms.
Simulation Error Not only the model itself contains an error but also the transient
analysis algorithm described in Section 2.3.3, which is based on numerical integration,
contributes an error when computing the system’s behavior on the DAE model. Al-
though the LTE of each step controls the time step length, in implementations of the
SPICE algorithms there are user deﬁned error thresholds such as RELTOL and AB-
STOL which affect the accuracy of the transient analysis. However, by increasing the
accuracy, the number of computed time steps and the number of iterations of the nu-
merical integration in each step increases just as well.
Discretization Error The discretization error is introduced by the representation of
the continuous dynamics of an analog circuit by a discrete transition system in which
the behavior of the circuit has to be captured.
As a general benchmark for a discrete model of a circuit, the comparison of state
space trajectories can be considered. On the one hand, they are computed by a tran-
sient analysis with the algorithm described in Section 2.3.3, on the other hand the tra-
jectory is determined by a discrete set of states in the modeled DATS. Such practical
evaluations will be made in Chapter 6 in order to compare the results of the imple-
mentation of the new trajectory-directed discretization to the state-of-the-art hyperbox
discretization algorithm and to transient analysis.
Based on the five criteria to evaluate a discretization approach defined in Section
2.4.2, the theoretical modeling quality of the trajectory-directed discretization approach
is discussed in the following in comparison to the hyperbox discretization approach.
Table 2.2 summarizes the characteristics of both approaches. Besides these theoretic
considerations, a comparison of experimental results for the successor relation error
and the determinism of the successor relation of the trajectory-directed discretization
compared to the hyperbox discretization will be discussed in Section 6.3.4.
Direction Error The direction error $\epsilon_\theta^{(R_j)}$ within the partitions $R_j$ of the trajectory-
directed approach is controlled by a user-defined maximum $r_\theta$. Hence, the algorithm
controls the size and structure of the partitions to keep the error below this bound. However,
around singularities such as the attractors in the state space introduced by DC-operating-points,
a threshold value controls the minimum partition size so that it is not decreased indefinitely.
This comes at the cost of not meeting the error threshold in this particular case.
In order to obtain a DATS model of a size that can be checked well by verification
algorithms, the integration time of the transient simulations used for computing the
transition vectors that determine the partition size can be set to a user-defined minimum
and maximum. The same applies to the hyperbox discretization approach. Due to the
higher degree of freedom in deciding the partitioning of the state space, the trajectory-
directed approach can be expected to create fewer partitions for the same $\epsilon_\theta$ compared
to the hyperbox discretization.
Length Error Just like the direction error, the length error $\epsilon_\Delta^{(R_j)}$ within the partitions
$R_j$ is controlled by a user-defined maximum $r_\Delta$. The same considerations as for
the direction error apply correspondingly.
Number of Partitions The number of partitions k of the trajectory-directed approach
is indirectly determined by the user-defined bounds $r_\theta$ and $r_\Delta$. This is due to
the size of the partitions within a selected part of the state space to be discretized being
correlated to the allowed direction and length errors or the minimum and maximum
allowed partition size.
Determinism of the Successor Relation The trajectory-directed discretization
creates the successor relation parallel to the ﬂow of the state space dynamics. There-
with, the out-degree of the states in the DATS is mostly 1. The only possible exception
was discussed in Section 2.4.4.3. Moreover, the dual representation of the partitioning
assures the out-degree to be exactly 1 when no borders of the state space are reached
that cause the determination of successors to be stopped.
In contrast, the hyperbox discretization can over-estimate the angle of the successor
relation by up to 90 degrees. Therewith, depending on the number $n_d$ of dimensions of
the state space, the out-degree can be up to $2^{n_d} - 1$. This is due to the paraxial slicing:
in a worst-case scenario, as previously illustrated in Figure 2.7(d), all adjacent boxes
within an angle of 90 degrees in all dimensions can be selected as successors. Those
nondeterministic paths weaken the expressiveness of the model, as an over-approximated
set of possible trajectories is reported.
Successor Relation Error With the arguments given in the previous paragraph,
the successor relation error $\epsilon_{suc}$ of the trajectory-directed discretization is almost 0
degrees, as most of the successors are directly determined by transient steps when
using the initially sampled points as center vectors of the states of the DATS. Even
when using the centers of the hypercells for the center vectors, the possible successor
relation error between two states is bounded by the user-defined $r_\theta$. This is because the
enclosing vectors of the hypercell, which have been calculated by transient analysis, are
controlled not to differ in angle by more than $r_\theta$. Corresponding to the previous
considerations, the only exception applies to states representing DC-operating-points.
For the hyperbox discretization approach, $\epsilon_{suc}$ can be up to 90 degrees. This can
again be concluded from the example shown in Figure 2.7(d).
Table 2.2: Comparison of the trajectory-directed discretization and the hyperbox discretization approaches.

Criterion                  Trajectory-directed          Hyperbox
Direction error            < $r_\theta$                       < $r_\theta$
Length error               < $r_\Delta$                       < $r_\Delta$
Partitions                 determined by $r_\theta$, $r_\Delta$     determined by $r_\theta$, $r_\Delta$
Successor determinism      ≈ 1                          ≤ $2^{n_d} - 1$
Successor relation error   ≈ 0°                         < 90°
3 Property Specification for Verification
In the previous chapter, the system representation for veriﬁcation with emphasis on
developing a DATS model of analog systems has been presented. Based on this intro-
duced discrete system representation, property speciﬁcation approaches will be intro-
duced in the following. Starting with a deﬁnition of the three elementary concepts of
property, performance and speciﬁcation, an advanced approach for analog property
speciﬁcation is systematically developed by discussing existing approaches.
3.1 Basic Deﬁnitions
A set of properties can be deﬁned for a system that are relevant to evaluate the system
behavior.
Deﬁnition 3.1.1 (Property)
A system’s property can be any function that can be calculated on the system’s vari-
ables. All properties of a system span the property space P.
Within the property space, the system exhibits a characteristic behavior that con-
strains the property space to nominal performances that the system can exhibit by
system analysis.
Deﬁnition 3.1.2 (Performance)
A system performance f(S, P) is the result of an evaluation of system properties and
hence represents a point in the property space.
[Figure 3.1: property space spanned by p1 and p2 with the specification region Pspec(p1, p2), one performance f(S, P) ∈ Pspec(p1, p2) and one performance f(S, P) ∉ Pspec(p1, p2)]
Figure 3.1: Property space for properties p1, p2 with specification Pspec(p1, p2) and performances satisfying and violating the specification.
Deﬁnition 3.1.3 (Speciﬁcation)
A speciﬁcation Pspec ⊂ P deﬁnes a subspace of the property space by constraining it
to required system performances. Figure 3.1 illustrates a property space with a system
performance satisfying and a performance violating the speciﬁcation.
3.2 Operational and Declarative Speciﬁcation
In order to verify a system, it is mandatory to deﬁne under which performance con-
straints it will be considered as fully functional. The property speciﬁcation used to
evaluate these performance constraints has several aspects. While Definition 3.1.3 describes
the abstract characteristics of a specification, the practical requirements on specifications
are complex.
Initially, the functional requirements are often deﬁned informally in a natural lan-
guage speciﬁcation in the system design process. Based on these requirements, a tech-
nical speciﬁcation is created which then has to be transferred into a property speciﬁ-
cation that can be evaluated during the design process. For automated approaches,
this speciﬁcation has to be formalized to be machine-readable and therewith can be
evaluated by veriﬁcation algorithms. Moreover, the property values not only have to
be speciﬁed. Additionally, a formal and well-deﬁned speciﬁcation of how these prop-
erties are evaluated within the veriﬁcation environment has to be made. This can be
achieved by deﬁning consistent veriﬁcation semantics for the available measurements.
With the level of formality of the veriﬁcation approach, the requirements in the formal-
ity of the speciﬁcation are increasing as well.
Formal speciﬁcations can either be operational or declarative [Lam00]. An opera-
tional speciﬁcation describes a model of the system to be designed as a collection of
processes that the system shall incorporate. In the area of digital system speciﬁcation,
an operational speciﬁcation would be in form of a ﬁnite state machine describing the
desired operation of an implementation of this machine. While operational speciﬁca-
tions are common in the area of software design using a component model, operational
models for speciﬁcation of digital systems quickly grow in complexity and hence are
not widely used.
Operational speciﬁcation in analog hardware design is applied when a top down
system design ﬂow is speciﬁed by a set of simpliﬁed behavioral models to specify the
high-level design of the system. By checking the functional equivalence between such
operational behavioral speciﬁcations and a lower abstraction level implementation,
much of the design ﬂow veriﬁcation is accomplished.
Declarative speciﬁcation uses a logic-based reasoning on elementary properties of
a system from which more complex relations are speciﬁed in a recursive approach. For
digital systems, declarative property speciﬁcation can be connected with Boolean logic
that is enhanced by a temporal reasoning layer. In contrast, analog declarative speci-
ﬁcation needs a translation from the complex analog system properties to a consistent
speciﬁcation language with a logic foundation for a well-deﬁned semantic deﬁnition.
There is a wide gap between declarative temporal logic-based speciﬁcation that will be
discussed in the following section and the designer’s intent of informal speciﬁcation of
analog circuit properties. Hence, the characteristics of existing logic-based formal specification
approaches have to be analyzed in order to develop a formal specification and
verification methodology for analog circuit properties in Section 5.
3.3 Property Speciﬁcation for Discontinuous Systems
The foundations of formal system property speciﬁcation have been developed in con-
junction with the application of temporal logic reasoning to program veriﬁcation. Lin-
ear Temporal Logic (LTL) [Pnu77] and Computation Tree Logic (CTL) [CE82] speciﬁ-
cations are evaluated on transition systems represented as Kripke structures which are
directed labeled graphs. This proof-based veriﬁcation of system properties formulated
in temporal logics on system models is called model checking.
Temporal logic speciﬁcation applied to models of digital circuits enabled CTL-
based model checking approaches. The breakthrough was marked by the introduction
of symbolic approaches of modeling transition systems and transition relations using
Binary Decision Diagrams (BDDs), solving the problem of state space explosion due
to its explicit representation, handling up to $10^{20}$ states [BCM+90] and introducing the
Symbolic Model Veriﬁer (SMV) [McM92]. In order to overcome the problem of very
abstract speciﬁcation formulation, approaches to classiﬁcation of common property
patterns in CTL [DAC98] and application of natural language speciﬁcation by trans-
lating English natural language speciﬁcations to SMV code [Hol99] attempted to align
formal property speciﬁcation and veriﬁcation engineers’ thoughts.
With formal veriﬁcation gaining more and more importance, a consortium of IC-
design and EDA-companies developed the proposal of the Property Speciﬁcation Lan-
guage (PSL), ﬁnally becoming IEEE standard 1850 in 2005 [FMW05].
3.3.1 Linear Temporal Logic (LTL)
Linear temporal logic (LTL) [Pnu77] has a linear, non-branching time model with tem-
poral modal operators operating on propositional variables as atomic propositions
connected by the logical connectives negation, and, or and implication. The syntax
of well-formed LTL formulas is deﬁned by the following context-free grammar:
$$\varphi = a \mid \neg\varphi \mid \varphi_1 \wedge \varphi_2 \mid \varphi_1 \vee \varphi_2 \mid \diamond\,\varphi \mid \varphi_1\,\mathrm{U}\,\varphi_2 \qquad (3.1)$$
An explanation of the placeholders for the language symbols of LTL is given in
Table 3.1 and Figure 3.2 visualizes the semantics of the temporal operators of LTL. The
semantics of LTL are deﬁned as follows with respect to a path π = σ0,σ1,σ2,...,σn in
the Kripke structure M and properties φ and ψ of atomic propositions a:
$M,\sigma_0 \models a \;\Leftrightarrow\; a \in L(\sigma_0)$ (3.2)
$M,\sigma_0 \models \neg\varphi \;\Leftrightarrow\;$ logical negation of $(\sigma_0 \models \varphi)$ (3.3)
$M,\sigma_0 \models \varphi \wedge \psi \;\Leftrightarrow\; \sigma_0 \models \varphi$ and $\sigma_0 \models \psi$ (3.4)
$M,\sigma_0 \models \varphi \vee \psi \;\Leftrightarrow\; \sigma_0 \models \varphi$ or $\sigma_0 \models \psi$ (3.5)
$M,\sigma_0 \models \mathrm{X}\,\varphi \;\Leftrightarrow\; \sigma_1 \models \varphi$ (3.6)
$M,\sigma_0 \models \mathrm{G}\,\varphi \;\Leftrightarrow\; \forall\, i \ge 0 : \sigma_i \models \varphi$ (3.7)
$M,\sigma_0 \models \mathrm{F}\,\varphi \;\Leftrightarrow\; \exists\, i \ge 0 : \sigma_i \models \varphi$ (3.8)
$M,\sigma_0 \models \varphi\,\mathrm{U}\,\psi \;\Leftrightarrow\; \exists\, i \ge 0 : \sigma_i \models \psi$ and $\forall\, 0 \le j < i : \sigma_j \models \varphi$ (3.9)
The temporal operators of LTL allow important system characteristics to be specified,
such as safety and liveness. Safety assumes that something bad never happens, which
maps to the following LTL formula when considering the states with the atomic propo-
sition φ as bad: G ¬φ. This speciﬁcation states that generally, i.e. for all future states of
the design under veriﬁcation (DUV), states labeled with φ will never be reached. Live-
ness assumes that something good, represented by states where the atomic proposition
ψ is true, keeps happening, which maps to the LTL formula GFψ.
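As an added illustration (not code from the thesis), the following Python sketch evaluates Equations 3.2 to 3.9 on an ultimately periodic path of a Kripke structure, represented by the labels of finitely many states plus the index at which the path loops back; the labels, paths and tuple encoding of formulas are constructed for the example. It checks the safety formula G ¬φ and the liveness formula G F ψ from the paragraph above.

```python
"""LTL semantics (Equations 3.2 to 3.9) on an ultimately periodic path.

Added illustration, not code from the thesis. A path sigma_0, sigma_1, ... of a
Kripke structure is given as the labels L(sigma_i) of finitely many states plus
the index at which the path loops back, i.e. the infinite path is
states[0:loop] followed by states[loop:] repeated forever (a lasso). Every
position i >= 0 of the infinite path is one of the finitely many list indices,
so the quantifiers over i in (3.7) to (3.9) need only finitely many checks.
"""
from typing import List, Set, Tuple

Labels = Set[str]
Path = Tuple[List[Labels], int]   # (labels of sigma_0 .. sigma_n, loop index)

# Formulas are nested tuples: ("a", name), ("not", f), ("and", f, g),
# ("or", f, g), ("X", f), ("G", f), ("F", f), ("U", f, g).


def trace_from(path: Path, i: int) -> List[int]:
    """Indices of the states visited from position i until the loop has been
    traversed once completely; every state reachable from i occurs in it."""
    states, loop = path
    n = len(states)
    seq, pos = [], i
    for _ in range(n - i + (n - loop)):
        seq.append(pos)
        pos = pos + 1 if pos + 1 < n else loop
    return seq


def holds(formula, path: Path, i: int = 0) -> bool:
    """M, sigma_i |= formula, following Equations 3.2 to 3.9."""
    states, _ = path
    op = formula[0]
    if op == "a":                                  # (3.2)
        return formula[1] in states[i]
    if op == "not":                                # (3.3)
        return not holds(formula[1], path, i)
    if op == "and":                                # (3.4)
        return holds(formula[1], path, i) and holds(formula[2], path, i)
    if op == "or":                                 # (3.5)
        return holds(formula[1], path, i) or holds(formula[2], path, i)
    seq = trace_from(path, i)                      # positions i, i+1, ... on the path
    if op == "X":                                  # (3.6): sigma_{i+1}
        return holds(formula[1], path, seq[1])
    if op == "G":                                  # (3.7): all future positions
        return all(holds(formula[1], path, j) for j in seq)
    if op == "F":                                  # (3.8): some future position
        return any(holds(formula[1], path, j) for j in seq)
    if op == "U":                                  # (3.9): psi reached, phi before
        for j in seq:
            if holds(formula[2], path, j):
                return True
            if not holds(formula[1], path, j):
                return False
        return False                               # psi never reached on the path
    raise ValueError(f"unknown operator {op!r}")


def safety(path: Path, bad: str) -> bool:
    """G not bad: a state labelled `bad` is never reached."""
    return holds(("G", ("not", ("a", bad))), path)


def liveness(path: Path, good: str) -> bool:
    """G F good: a state labelled `good` keeps being reached."""
    return holds(("G", ("F", ("a", good))), path)


# Constructed sample paths (labels invented for the illustration).
# init -> good -> busy -> good -> busy -> ...   (loops back to index 1)
HEALTHY: Path = ([{"init"}, {"good"}, {"busy"}], 1)
# init -> good -> bad -> bad -> ...            (loops on the last state)
FAULTY: Path = ([{"init"}, {"good"}, {"bad"}], 2)

if __name__ == "__main__":
    print(safety(HEALTHY, "bad"), liveness(HEALTHY, "good"))   # True True
    print(safety(FAULTY, "bad"), liveness(FAULTY, "good"))     # False False
```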
Table 3.1: Explanation of LTL syntax.

a     atomic proposition
⋄     temporal operator    F = eventually
                           G = generally
                           X = next
U     U = until
[Figure 3.2: paths starting in σ0 illustrating M,σ0 ⊨ F φ, M,σ0 ⊨ G φ, M,σ0 ⊨ X φ and M,σ0 ⊨ φ U ψ]
Figure 3.2: Illustration of the LTL operation semantics.
3.3.2 Computation Tree Logic (CTL)
Computation Tree Logic (CTL) [CE82] is branching time logic where, in contrast to the
linear non-branching time domain of LTL, path quantiﬁers specify the validity of for-
mulas on a branching inﬁnite computation tree of future states obtained from unwind-
ing the Kripke structure into this tree. The semantics of the LTL temporal operators
remain unchanged but for each temporal operator, an associated path quantiﬁer de-
ﬁnes whether the expression shall hold on all possible paths of the computation tree
or whether one path of the computation tree for which the temporal operator holds
is sufﬁcient for satisfying the CTL formula. The universal path quantiﬁer “A” deﬁnes
the former and the existential path quantiﬁer “E” the latter requirement. A CTL for-
mula can be a nested expression of operations as shown in the following CTL syntax
grammar.
[Figure 3.3: computation trees for E ψ U φ, EF φ, EG φ, EX φ and A ψ U φ, AF φ, AG φ, AX φ]
Figure 3.3: Illustration of the CTL operation semantics.
The syntax of a formula φ in CTL with atomic propositions a is deﬁned by:
$$\varphi = a \mid \neg\varphi \mid \varphi_1 \wedge \varphi_2 \mid \varphi_1 \vee \varphi_2 \mid \rhd\diamond\,\varphi \mid \rhd\,\varphi_1\,\mathrm{U}\,\varphi_2 \qquad (3.10)$$
An explanation of the placeholders for the language symbols of CTL is given in Table
3.2, and Figure 3.3 describes the operations visually such that the respective formula is
satisﬁed for the root node.
Table 3.2: Explanation of CTL syntax.

a     atomic proposition
⊲     path quantifier      A = on all paths (universal quantifier)
                           E = on at least one path (existential quantifier)
⋄     temporal operator    F = eventually
                           G = generally
                           X = next
U     U = until
Due to the logical duality of the universal and the existential quantiﬁer, the uni-
versally quantiﬁed CTL-operations can be composed from the operations EX, EG and
EU.
The universal quantiﬁer postulates the validity of a proposition with respect to the
temporal operator on all paths. The dual statement is that there exists no path, on
which this proposition is not valid:
$$\forall a \equiv \neg\exists\neg a \;\Rightarrow\; \mathrm{AG}\,\varphi \equiv \neg\mathrm{EF}\,\neg\varphi \qquad (3.11)$$
3.3.3 Property Speciﬁcation Language (PSL)
Property speciﬁcation of concurrent systems using CTL paved the way for introduc-
tion of formal methods in system design. Especially in the area of digital circuit design,
model checking approaches using CTL were applied at the end of the 1990s. Following
the ﬁrst veriﬁcation successes, the demand for a more designer friendly speciﬁcation
emerged. CTL turned out to be hard to write and read by non-specialists and an im-
proved syntactic layer on top of CTL was introduced by IBM with their in-house speci-
ﬁcation language called “sugar” [BBDE+01]. In addition to CTL operations, sugar was
extended by sequential extended regular expressions (SEREs) to reason about more
complex state transitions within Kripke structures. LTL was added as a basic temporal
foundation, as digital simulation traces are strictly linear in time. Sugar was exten-
sively used in veriﬁcation of these simulation traces.
An industry consortium selected IBM’s sugar to be the basis for a new standard-
ized property speciﬁcation language (PSL) and in 2005 PSL became IEEE standard
1850 [FMW05]. PSL builds a common speciﬁcation and veriﬁcation layer for direct
interfacing with digital hardware description languages (HDLs) such as VHDL, Ver-
ilog, SystemVerilog and SystemC. PSL expressions are composed from a Boolean layer,
a temporal layer and a veriﬁcation layer.
The Boolean layer forms the atomic propositions using simple Boolean expressions
interfaced with variables of the underlying HDL. In addition, local temporal operators
are introduced in the Boolean layer for further reﬁning propositions using operations
such as rose(a) and fell(a), which are true if in the previous step the variable a
was 0 and now is 1 for rose() or vice versa for fell().
The temporal layer deﬁnes behavior over time, forming properties from timed rea-
soning about Boolean layer expressions. Temporal operators can be the extended LTL
semantics resulting in always, never, eventually, next, before and until. In
addition, SEREs allow more complex timed behavior to be specified. The expression a;b;c,
for example, specifies the non-overlapping sequence of b directly following a and
c directly following b. For a detailed explanation of the expressiveness of SEREs
please refer to [Con04] or [EF06].
The veriﬁcation layer ﬁnally consists of directives specifying how the properties
speciﬁed on the temporal layer should be evaluated by the veriﬁcation back-end. The
main veriﬁcation layer directives are:
• assert for telling the veriﬁcation back-end that a temporal layer expression
shall hold,
• assume for constraining the veriﬁcation to those states where the temporal layer
expression is true,
• restrict for constraining design input sequences to get to a specific state before
checking assertions,
• cover for directing the veriﬁcation back-end to check if a speciﬁed path was
covered by the veriﬁcation and
• fairness for assumptions corresponding to liveness properties.
3.4 Existing Approaches to Speciﬁcation of Analog Sys-
tem Properties
In contemporary analog design flows, verification is not formalized and neither is the
specification. Test bench-based characterization of circuit properties compares an informal
specification, often given in form of a table, of allowed ranges of certain circuit
properties such as maximum power consumption, slew rate, startup time, etc. to the
experimental evaluation of the DUV in a circuit test bench. Hence, there is no machine
readable formalized speciﬁcation methodology that guarantees a standardized veriﬁ-
cation approach. In fact, the incomplete and indirect speciﬁcation of circuit properties
leaves considerable freedom of interpretation to transfer the designer’s intent into a
circuit design as well as how to verify the speciﬁed properties. While in modern test
benches, a set of simulation measurements is predeﬁned in order to quickly charac-
terize a given circuit, global quality management of the speciﬁcation and veriﬁcation
is not yet widely introduced into design ﬂows. Nevertheless, without a formalized
detailed speciﬁcation, several sources for design errors exist.
There are two fundamental domains of property speciﬁcation which have a high
impact on how the veriﬁcation of the properties can be performed. On the one hand,
for today’s design ﬂows, a signal-oriented temporal property speciﬁcation is needed in
order to describe the desired behavior of simulation results. On the other hand, formal
veriﬁcation methodologies for analog circuits consider circuit behavior to be analyzed
in the circuit’s state space. Therefore, speciﬁcation of dynamic temporal analog prop-
erties for application in formal veriﬁcation ﬂows is required to consider the state space
domain.
In the following, existing approaches to formalizing property speciﬁcation of ana-
log circuits in the signal domain as well as in the state space domain are discussed. In
the subsequent section a synthesis of the findings will lead to the development of a new
Analog Speciﬁcation Language (ASL) which is capable of specifying analog behavior
in both the signal and the state space domain of the circuit.
3.4.1 Specification of Assertions within Analog Hardware Description Languages
Property speciﬁcation and property veriﬁcation are closely linked as the veriﬁcation
can be considered to be the evaluation of the speciﬁcation. In the context of this the-
sis, a property speciﬁcation is a stand-alone deﬁnition of desired system behavior that
is created independently from the implementation to be veriﬁed. A possible applica-
tion of hardware description languages (HDLs) for operational analog property spec-
iﬁcation is to have a specifying system set up for a circuit implementation and then
comparing both implementations using an analog equivalence checking approach.
However, in the terminology of formal veriﬁcation, declarative property speciﬁca-
tions in a machine-readable language are distinguished from operational specifying
implementations, as the former shall be more formal and lightweight. Moreover, the
property speciﬁcation shall deﬁne properties in a speciﬁc but sufﬁciently abstract way
that the type of implementation is not restricted by the property speciﬁcation. In gen-
eral, these requirements are not satisﬁed by specifying implementations in HDLs.
While HDLs hence cannot be applied to formal speciﬁcation of analog circuit prop-
erties directly, they incorporate internal concepts to specify properties of implemented
behavioral description code blocks using assertions [Syn03, CVK05]. Therewith, state-
ments can be inserted into the behavioral modeling code that can monitor internal
properties of the design whether they comply with speciﬁed values [KZ04]. While
this does not satisfy the requirement of independent speciﬁcation, a set of assertions
inserted into the HDL is a step towards property checking of the system during simu-
lation runs. For example in VHDL-AMS the assert statement allows to have Boolean
conditions trigger events controlled by a level of severity ranging from “note” to “fail-
ure” to which the simulator can react [APT03]. Moreover, information can be reported
to the user giving debug information.
As the Boolean conditions can be generated from logical combinations of the com-
parison of time or signal values to speciﬁed constraints, complex assertions can be
formulated. However, while motivating the development of assertion evaluations
for analog circuits, the VHDL-AMS approach does not target an independent formal
property speciﬁcation of analog circuits. In Section 4.4.3 the veriﬁcation part of the
assertion-based approaches will be discussed in detail.
3.4.2 PSL for Analog Signal Property Speciﬁcation
With the growing acceptance of PSL in the digital domain, approaches to apply the
PSL speciﬁcation methodology to analog signals for developing automated evaluation
tools have emerged.
A syntax extension called Signal Temporal Logic (STL) to PSL was developed in
order to verify properties on transient simulation waveforms [NM07, MNP08]. STL
connects to the Boolean layer where threshold crossings of an analog signal represent
Boolean events. Hence, the expressiveness of PSL/STL is mostly directed to timing
veriﬁcation and was demonstrated on a ﬂash memory case-study [JKN10]. Another
approach formulating analog speciﬁcations in form of recurrence equations directly by
incorporating PSL sequential extended regular expressions as proposed in [SZDT07]
can again express only very abstract, timing-oriented speciﬁcations.
3.4.3 CTL Speciﬁcation of Analog Properties in the State Space
In order to have a rigorous speciﬁcation of analog circuit properties to be formally
checked on a discrete state space representation, an analog extension to CTL has been
introduced in [HHB02a]. For application of the temporal methodology of CTL speciﬁ-
cations to such discrete state space models of analog circuits, the atomic propositions
have to be generated as they are not given by the modeling process. In the ﬁrst ap-
proach to CTL-based analog speciﬁcation, state sets are selected by constraining state
space variable values to intervals using the operators “<” and “>”. The inclusion of a
state in a set is described by the Boolean variable labels which form the atomic propo-
sitions. If a state is a member of a set, its labeling by the Boolean variable of the set is
true and otherwise false. For example, an atomic proposition can be generated from
Vin > 0.75. Hence, all states for which the extended state space variable Vin has a value
greater than 0.75 are selected. The temporal logic CTL, extended by the operators “<” and
“>”, is defined as CTL-A in [HHB02a]. In order to specify explicit timed behavior
for CTL-A operations, CTL-AT was introduced as an extension, offering to constrain
the validity of CTL formulas to a time interval [GPHB05]. This refined specification of
temporal properties is derived from the concepts of Real-Time CTL (RTCTL) [EMSS92],
where, for example, AF[1, 3](φ) selects only those states from the result of the opera-
tion that run into the set φ within the time interval [1, 3]. The syntax of formulas φ in
CTL-AT is described in Equation 3.12 with the placeholders deﬁned in Table 3.3.
$$\begin{aligned}
\varphi = {}& a \mid z * v \mid \neg\varphi \mid \varphi_1 \wedge \varphi_2 \mid \varphi_1 \vee \varphi_2 \\
&\mid \rhd\diamond\,\varphi \mid \rhd\,\varphi_1\,\mathrm{U}\,\varphi_2 \\
&\mid \rhd\diamond^{-1}\varphi \mid \rhd\,\varphi_1\,\mathrm{U}^{-1}\varphi_2 \\
&\mid \rhd\circ\, I\,\varphi \mid \rhd\,\varphi_1\,\mathrm{U}\, I\,\varphi_2 \\
&\mid \rhd\circ^{-1} I\,\varphi \mid \rhd\,\varphi_1\,\mathrm{U}^{-1} I\,\varphi_2
\end{aligned} \qquad (3.12)$$
Another important feature is the possibility to reverse the direction in which paths
in the state space are processed by the CTL algorithms. Therefore, the syntax of a
temporal logic expression can be extended by “−1” which implies the reversal of all
edge directions for this operation. With the additional labelings of the edges remaining
unchanged, the temporal logic expression is then evaluated on the inverted transition
relation R−1:
$$\forall (\sigma_i, \sigma_j) \in R : \quad R^{-1} = \bigcup\, (\sigma_j, \sigma_i) \qquad (3.13)$$
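As an added example (not the thesis's implementation), the following Python model checker computes EX, EG and EU as fixed points on a Kripke structure, obtains the universal operators through the duality of Equation 3.11, and evaluates an operator marked with “−1” on the inverted relation R⁻¹ of Equation 3.13; the four-state sample model, its labels and the tuple encoding of formulas are constructed for the illustration.

```python
"""CTL model checking on a Kripke structure with the time reversal of CTL-AT.

Added illustration, not the thesis's implementation. The existential operators
EX, EG and E[phi U psi] are computed as fixed points on state sets, the
universal operators follow from the duality of Equation 3.11 (AG phi =
not EF not phi, and correspondingly AX, AF and A[phi U psi]), and an operator
suffixed with "-1" is evaluated on the reversed transition relation R^-1 of
Equation 3.13 while its operands keep their labels. The transition relation
is assumed to be total (every state has a successor), as usual for Kripke
structures. Formulas are nested tuples such as ("AG", ("not", ("a", "fault"))).
"""
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

State = str
Relation = Set[Tuple[State, State]]


class Kripke:
    def __init__(self, states: Iterable[State], relation: Relation,
                 labels: Dict[State, Set[str]]):
        self.states: FrozenSet[State] = frozenset(states)
        self.relation = set(relation)
        self.labels = labels

    def reversed(self) -> "Kripke":
        """R^-1 of Equation 3.13: each edge (s_i, s_j) becomes (s_j, s_i)."""
        return Kripke(self.states, {(sj, si) for (si, sj) in self.relation}, self.labels)

    def pre(self, target: FrozenSet[State]) -> FrozenSet[State]:
        """EX: states having at least one successor in `target`."""
        return frozenset(si for (si, sj) in self.relation if sj in target)

    def eg(self, phi: FrozenSet[State]) -> FrozenSet[State]:
        """Greatest fixed point: some path stays inside phi forever."""
        current = phi
        while True:
            nxt = current & self.pre(current)
            if nxt == current:
                return current
            current = nxt

    def eu(self, phi: FrozenSet[State], psi: FrozenSet[State]) -> FrozenSet[State]:
        """Least fixed point: psi is reached along a path of phi states."""
        current = psi
        while True:
            nxt = current | (phi & self.pre(current))
            if nxt == current:
                return current
            current = nxt

    def temporal(self, op: str, sets: List[FrozenSet[State]]) -> FrozenSet[State]:
        """Path quantifier plus temporal operator on already evaluated operands."""
        s = self.states
        if op == "EX":
            return self.pre(sets[0])
        if op == "EG":
            return self.eg(sets[0])
        if op == "EU":
            return self.eu(sets[0], sets[1])
        if op == "EF":                     # EF phi = E[true U phi]
            return self.eu(s, sets[0])
        if op == "AX":                     # AX phi = not EX not phi
            return s - self.pre(s - sets[0])
        if op == "AG":                     # AG phi = not EF not phi   (Equation 3.11)
            return s - self.eu(s, s - sets[0])
        if op == "AF":                     # AF phi = not EG not phi
            return s - self.eg(s - sets[0])
        if op == "AU":                     # A[phi U psi] = not (E[not psi U (not phi and not psi)]
            phi, psi = sets                #                      or EG not psi)
            return s - (self.eu(s - psi, (s - phi) & (s - psi)) | self.eg(s - psi))
        raise ValueError(f"unknown operator {op!r}")

    def check(self, formula: tuple) -> FrozenSet[State]:
        """Set of states of M satisfying `formula`."""
        op = formula[0]
        if op == "a":
            return frozenset(s for s in self.states if formula[1] in self.labels[s])
        if op == "not":
            return self.states - self.check(formula[1])
        if op == "and":
            return self.check(formula[1]) & self.check(formula[2])
        if op == "or":
            return self.check(formula[1]) | self.check(formula[2])
        operands = [self.check(f) for f in formula[1:]]
        if op.endswith("-1"):              # "-1": this operation travels the edges backwards
            return self.reversed().temporal(op[:-2], operands)
        return self.temporal(op, operands)


def sample_model() -> Kripke:
    """Constructed four-state model in the spirit of a DATS: a start-up ramp that
    either settles in a DC operating point (self-loop) or ends in a fault state."""
    relation = {("s0", "s1"), ("s1", "s2"), ("s1", "s3"), ("s2", "s2"), ("s3", "s3")}
    labels = {"s0": {"init"}, "s1": {"ramp"}, "s2": {"dc", "ok"}, "s3": {"fault"}}
    return Kripke(labels.keys(), relation, labels)


if __name__ == "__main__":
    m = sample_model()
    print(sorted(m.check(("AG", ("not", ("a", "fault"))))))   # ['s2']
    print(sorted(m.check(("AF", ("a", "dc")))))                # ['s2']
    print(sorted(m.check(("EF-1", ("a", "ramp")))))            # ['s1', 's2', 's3']
```

With "EF-1", the states reachable from the operand set along the original edges are returned, since the search runs over the inverted relation.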
Table 3.3: Explanation of CTL-AT syntax.

a     atomic proposition
z     continuous state space variable
v     number in $\mathbb{R}$
∗     analog operator      < = smaller
                           > = greater
⊲     path quantifier      A = on all paths (universal quantifier)
                           E = on at least one path (existential quantifier)
⋄     temporal operator    F = eventually
                           G = generally
                           X = next
◦                          F = eventually
                           G = generally
U     U = until
−1    time reversal        paths are traveled in reverse direction
$I$     time interval        $[t_{low}, t_{high}]$ = continuous time interval
                           with $t_{low} \in \mathbb{R}^+_0$, $t_{high} \in \mathbb{R}^+_0 \cup \{\infty\}$, $t_{low} \le t_{high}$
3.5 Analog Speciﬁcation Language (ASL)
Property speciﬁcation for analog circuits is fundamentally different to property spec-
iﬁcation for digital circuits. While in the digital domain logic functions and abstract
properties like fairness have to be veriﬁed, in the analog domain properties such as
slew rate, oscillation, startup times, etc. have to be considered. Temporal logics are not
sufﬁcient to express such properties.
Although the analog operators of CTL-AT in combination with time constraints allow
some basic properties to be specified, such as the reachability of states from DC-operating-
points, advanced specifications for analog properties cannot be formulated in a systematic
way. This is on the one hand due to CTL-AT not allowing additional information about
the execution of the operations to be acquired. Therewith, intermediate results of
the operations cannot be taken into account. This makes a sequential specification
operating on values measured during the evaluation of preceding operations impossible.
On the other hand, the solely temporal specification methodology itself
is not suited for specifying complex analog behavior, where additional operations are
needed to determine state space sets in a more sophisticated way.
Therefore, a speciﬁcation language is necessary that on the one hand allows to spec-
ify complex analog properties in a designer-oriented way and on the other hand can be
mapped to formal veriﬁcation algorithms that operate on a discrete state space model
of the analog circuit under veriﬁcation.
Due to its origin in temporal logics, CTL is not capable of offering a designer-
oriented speciﬁcation methodology. In order to gain acceptance for formal approaches
in analog veriﬁcation, a new methodology of property speciﬁcation is necessary. While
PSL offered this step towards designer-oriented speciﬁcation in the digital domain, the
ﬁrst approaches to analog speciﬁcation with PSL, as discussed in Section 3.4.2, are only
covering signal-based properties for assertion-based veriﬁcation. Hence, they are not
suited for describing properties of analog systems in the state space.
In the following, a new Analog Speciﬁcation Language (ASL) for state space-based
property speciﬁcation of analog systems is introduced, which, in combination with
the corresponding ASL veriﬁcation algorithms, will allow to extend the complexity of
analog circuit properties speciﬁable for formal property veriﬁcation.
ASL syntax shall be designed to be semantically deductive and therewith it shall
reduce the time needed for understanding existing speciﬁcations in comparison to
temporal logic speciﬁcation. This is achieved by providing the possibility of creating
parameterized macro functions involving a macro preprocessor. Hence, speciﬁcation
code can be sourced out to macro libraries allowing encapsulation and reuse of speciﬁ-
cation code. As will be presented, the application of ASL speciﬁcations and algorithms
is not restricted to state space models generated with the approaches described in Sec-
tion 2.4, so it can be adopted to other ﬁnite state machine-based modeling approaches
like [FSS06]. Moreover, as will be shown in Section 5.3, ASL can be used to specify
and verify properties on conventional transient simulation waveforms by transferring
them to a state space representation.
3.5.1 Language Concept
From the point of view of analog circuit developers, analog properties are represented
by continuous physical values and their alteration over time. Thus, it is necessary to
select states by calculations on their state space parameter values. Whether a state
belongs to a set is decided by comparing the result of an arithmetic calculation to a
specified interval. Extended path operations abstract from the reachability analysis
concept of temporal logics and allow the examination of more complex properties on paths
within the state space. Assigning measured values of the operations, such as maximum
and minimum path times, to number variables allows complex properties to be specified
sequentially.
A high level assertion layer shall allow to evaluate a veriﬁcation run without in-
terpretation effort, additionally generating a veriﬁcation report where all intermediate
results can be inspected.
Based on the previously introduced concept, the following subsection defines a condensed
Extended Backus-Naur Form (EBNF) grammar for the syntax of ASL. Terminal
symbols are printed in bold capital letters, user-deﬁned variables are printed italic.
Some epsilon-productions are omitted for the purpose of clarity. In Section 3.5.3, the
semantics of the operations will be described.
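As an added illustration of how the state selection just described reads in the ASL syntax of the following subsection, the Python sketch below (not the thesis's implementation) parses and evaluates the Base Set fragment of the grammar, i.e. ALL, DCPOINTS, a state space variable followed by an Interval, NOT, AND, OR and parentheses, against a constructed set of states. The operator precedence (NOT before AND before OR), the open or closed bounds of the one-sided intervals and the state representation are assumptions not fixed by the grammar.

```python
"""Parser and evaluator for the Base Set fragment of the ASL grammar.

Added illustration, not the thesis's implementation. Covered productions:
  Base Set := ALL | DCPOINTS | State Space Variable Interval | ( Base Set )
            | NOT Base Set | Base Set AND Base Set | Base Set OR Base Set
  Interval := [Number, Number] | [< Number] | [<= Number] | [> Number] | [>= Number]
Assumptions not fixed by the grammar: NOT binds tighter than AND and AND tighter
than OR; [< v] and [> v] are open bounds, [a, b], [<= v] and [>= v] closed ones;
the epsilon alternative of Interval is not handled. A state is a dict of state
space variable values plus the flag "dc" marking DC operating points.
"""
import re
from typing import Callable, Dict, FrozenSet, List

State = Dict[str, float]
Predicate = Callable[[State], bool]
TOKEN = re.compile(r"\s*(\[|\]|\(|\)|,|<=|>=|<|>|-?\d+(?:\.\d+)?(?:[eE][-+]?\d+)?|[A-Za-z_]\w*)")


def tokenize(text: str) -> List[str]:
    """Split an ASL Base Set expression into brackets, comparison signs, numbers and names."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if m is None:
            raise SyntaxError(f"unexpected input at {text[pos:pos + 10]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class BaseSetParser:
    """Recursive-descent parser producing a predicate over states."""

    def __init__(self, text: str):
        self.toks = tokenize(text)
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected: str = None) -> str:
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise SyntaxError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok

    def parse(self) -> Predicate:
        pred = self.or_set()
        if self.peek() is not None:
            raise SyntaxError(f"trailing input {self.toks[self.i:]!r}")
        return pred

    def or_set(self) -> Predicate:                   # Base Set OR Base Set
        left = self.and_set()
        while self.peek() == "OR":
            self.take()
            left = (lambda l, r: lambda s: l(s) or r(s))(left, self.and_set())
        return left

    def and_set(self) -> Predicate:                  # Base Set AND Base Set
        left = self.unary_set()
        while self.peek() == "AND":
            self.take()
            left = (lambda l, r: lambda s: l(s) and r(s))(left, self.unary_set())
        return left

    def unary_set(self) -> Predicate:
        tok = self.peek()
        if tok == "NOT":                             # NOT Base Set
            self.take()
            inner = self.unary_set()
            return lambda s: not inner(s)
        if tok == "(":                               # ( Base Set )
            self.take()
            inner = self.or_set()
            self.take(")")
            return inner
        if tok == "ALL":                             # Elementary Set
            self.take()
            return lambda s: True
        if tok == "DCPOINTS":
            self.take()
            return lambda s: bool(s.get("dc"))
        name = self.take()                           # State Space Variable Interval
        if not re.fullmatch(r"[A-Za-z_]\w*", name):
            raise SyntaxError(f"state space variable expected, got {name!r}")
        inside = self.interval()
        return lambda s: inside(s[name])

    def interval(self) -> Callable[[float], bool]:
        self.take("[")
        tok = self.take()
        if tok in ("<", "<=", ">", ">="):            # one-sided interval
            v = float(self.take())
            self.take("]")
            return {"<": lambda x: x < v, "<=": lambda x: x <= v,
                    ">": lambda x: x > v, ">=": lambda x: x >= v}[tok]
        low = float(tok)                             # [Number, Number]
        self.take(",")
        high = float(self.take())
        self.take("]")
        return lambda x: low <= x <= high


def select(spec: str, states: List[State]) -> FrozenSet[int]:
    """Indices of the states selected by the Base Set expression `spec`."""
    pred = BaseSetParser(spec).parse()
    return frozenset(i for i, s in enumerate(states) if pred(s))


# Constructed sample states of a two-variable state space (values invented).
STATES: List[State] = [
    {"Vin": 0.0, "Vout": 0.0, "dc": 1},
    {"Vin": 0.5, "Vout": 0.2, "dc": 0},
    {"Vin": 0.8, "Vout": 0.9, "dc": 0},
    {"Vin": 1.0, "Vout": 1.2, "dc": 1},
    {"Vin": 1.2, "Vout": 1.2, "dc": 0},
]
```

`select("Vin [> 0.75] AND NOT DCPOINTS", STATES)` yields the indices 2 and 4, the non-DC states selected by the atomic proposition Vin > 0.75 of Section 3.4.3.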
3.5.2 EBNF Grammar of ASL
ASL Specification :=
    Spec Sequence QUIT; | QUIT;

Spec Sequence :=
    Spec Expression | Spec Sequence Spec Expression

Spec Expression :=
    SETVAR Set Variable;
  | NUMVAR Number Variable;
  | Set Variable = Set Expression;
  | Number Variable = Number;
  | CALCULATION Calc Name ( Calc Expression );
  | FOR Set Expression ASSERT Set Expression;
  | FOR Number ASSERT Interval;
  | Number Variable = FOR Set Expression ASSERT Set Expression;
  | Number Variable = FOR Number ASSERT Interval;

Set Expression :=
    ON Base Set Operation Set | Operation Set

Base Set :=
    Elementary Set | Set Variable | State Space Variable Interval
  | ( Base Set ) | NOT Base Set | Base Set AND Base Set | Base Set OR Base Set

Operation Set :=
    Elementary Set | Set Variable | State Space Variable Interval
  | ( Operation Set ) | NOT Operation Set
  | Operation Set AND Operation Set
  | Operation Set OR Operation Set
  | Calc Name ( calc parameters ) Interval
  | VALUE ( State Space Variable ) Interval
  | ASSIGN ( Number Variable, Assign Type ) Operation Set
  | SELECT Operation Set
  | OSCILLATION
  | Temporal Logic Expression Operation Set
  | DELTA COMPARE ( State Space Variable ) Interval FROM Operation Set TO Operation Set
  | DELTA COMPARE ( State Space Variable 1, State Space Variable 2 ) Interval FROM Operation Set TO Operation Set
  | TRANSITION FROM Operation Set TO Operation Set
  | COUNTEREXAMPLE FROM Operation Set TO Operation Set
  | INPUTSTIMULI FROM Operation Set

Elementary Set :=
    ALL | DCPOINTS

Interval :=
    [Number, Number] | [< Number] | [<= Number] | [> Number] | [>= Number] | ε

Temporal Logic Expression :=
    Temporal Logic Operator Interval Direction Operation Set
  | ALWAYS Direction Operation Set UNTIL Interval Operation Set
  | A Direction Operation Set U Interval Operation Set
  | EXISTS Direction Operation Set UNTIL Interval Operation Set
  | E Direction Operation Set U Interval Operation Set

Temporal Logic Operator :=
    UNIVERSALLY | AG | EVENTUALLY | AF | STAY | EG | REACH | EF

Direction :=
    ε | FROM | ^-1

Calc Expression :=
    Number | calc parameter N | ( Calc Expression ) | Calc Expression Math Operator Calc Expression

Number :=
    Floatingpoint Constant | Number Variable | ( Number ) | Number Math Operator Number | ABS ( Number )

Assign Type :=
    MAX | MIN | AVERAGE | RANGE

Math Operator :=
    + | - | * | /
3.5.3 Semantics of ASL Operations
In the following, the semantics of the main ASL operations are described. The methodology descriptions of Section 5.2 will provide additional insights into the application of ASL specifications.
There are two types of sets that influence the evaluation of ASL operations: Base Set and Operation Set. A Set Expression in ASL can either be evaluated on all states of the DATS, or the evaluation can be constrained to operate only on a subset of the states of the DATS which is then selected by a Base Set. Hence, a Set Expression that has the syntax "ON Base Set Operation Set" will determine the results of the Operation Set only on the set of states identified by Base Set. The keyword "SELECT" has no semantic function and is only used for syntax beautification.
VALUE: With the operation "VALUE", a set of states φ can be selected on the whole state space or on another set by a state space variable constrained to a specified interval. Algorithmically, for each state σ_i it is decided whether it is included within the given interval by comparing the actual value $p_i^{(s)}$ of the entry in position s of the state space variable value vector $p_i = L_V(\sigma_i)$ with the interval boundaries $\underline{r}$ and $\overline{r}$:

$$\sigma_i \in \phi \Leftrightarrow p_i^{(s)} \in [\underline{r}, \overline{r}] \qquad (3.14)$$

The worst-case runtime complexity of the value operation is O(n) with n being the number of states in the Base Set the operation is applied to. This is due to a single loop iterating over the set of states and deciding the inclusion in the interval boundaries.
Temporal logic expressions: Although the temporal logic operations of CTL-AT can be used in ASL, as a language convention their natural language equivalents shall be used for better understandability of the ASL syntax. Therefore, for the six basic combinations of path quantifiers and temporal operators in CTL, a natural language equivalent has been selected in order to correspond to the syntax style of ASL. The ASL syntax grammar in the previous section introduces the natural language operation syntax, each followed by its CTL equivalent. For example, the ASL operation "UNIVERSALLY" maps to its CTL equivalent "AG".

The worst-case runtime complexity of the temporal logic operations is closely connected to the graph traversal algorithms, such as depth-first search or breadth-first search, used for implementing the temporal logic operations in ASL. In the worst case, for every state, every path to all other states in the graph has to be checked. Since visited states and edges are marked with the already acquired information, which is then reused, the worst-case runtime complexity is quadratic, O(n²), with n being the maximum of the number of states and edges. Nesting operations adds up the complexities of the single operations and hence does not increase the asymptotic complexity. For using time intervals in the operations, the semantics of CTL-AT apply.
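The four operator pairs listed in the grammar (UNIVERSALLY/AG, EVENTUALLY/AF, STAY/EG, REACH/EF), as an added Python example that is not part of the thesis or its tool: the untimed case is computed as set fixpoints over the transition relation instead of the depth- or breadth-first traversal described above, which keeps the meaning of each operator explicit; the time intervals of CTL-AT are not modeled. The five-state DATS and the "settled" state set are constructed.

```python
"""Added example: fixpoint evaluation of the ASL temporal operators (untimed) on a small DATS."""
from typing import Callable, Dict, Set

# A DATS reduced to its transition relation R: state -> set of successor states.
# Every state must have a successor; DC points carry a self-transition, so a real DATS is total.
Graph = Dict[str, Set[str]]


def pre_exists(graph: Graph, target: Set[str]) -> Set[str]:
    """EX target: states with at least one successor in target."""
    return {s for s, succ in graph.items() if succ & target}


def pre_forall(graph: Graph, target: Set[str]) -> Set[str]:
    """AX target: states all of whose successors lie in target (needs a total relation)."""
    return {s for s, succ in graph.items() if succ <= target}


def fixpoint(step: Callable[[Set[str]], Set[str]], start: Set[str]) -> Set[str]:
    """Iterate step until the state set no longer changes; terminates on a finite DATS."""
    current = set(start)
    while True:
        nxt = step(current)
        if nxt == current:
            return current
        current = nxt


def reach(graph: Graph, phi: Set[str]) -> Set[str]:
    """REACH / EF phi: least fixpoint of phi ∪ EX Z (some path enters phi)."""
    return fixpoint(lambda z: z | pre_exists(graph, z), phi)


def eventually(graph: Graph, phi: Set[str]) -> Set[str]:
    """EVENTUALLY / AF phi: least fixpoint of phi ∪ AX Z (every path enters phi)."""
    return fixpoint(lambda z: z | pre_forall(graph, z), phi)


def stay(graph: Graph, phi: Set[str]) -> Set[str]:
    """STAY / EG phi: greatest fixpoint of phi ∩ EX Z (some path remains in phi forever)."""
    return fixpoint(lambda z: z & pre_exists(graph, z), phi)


def universally(graph: Graph, phi: Set[str]) -> Set[str]:
    """UNIVERSALLY / AG phi: greatest fixpoint of phi ∩ AX Z (every path remains in phi)."""
    return fixpoint(lambda z: z & pre_forall(graph, z), phi)


# The natural-language ASL keywords and their CTL equivalents share one implementation each.
ASL_OPERATORS = {
    "UNIVERSALLY": universally, "AG": universally,
    "EVENTUALLY": eventually, "AF": eventually,
    "STAY": stay, "EG": stay,
    "REACH": reach, "EF": reach,
}


def evaluate(operator: str, graph: Graph, phi: Set[str]) -> Set[str]:
    """Evaluate `operator phi` on the whole DATS and return the selected state set."""
    if not all(graph.values()):
        raise ValueError("every state needs a successor (DC points carry a self-transition)")
    return ASL_OPERATORS[operator](graph, phi)


# Constructed DATS: from s0 the system either settles directly (s1 -> s3 -> s4) or may linger in
# s2 (self-transition) before settling; s4 is the DC point, the only member of SETTLED.
DATS: Graph = {"s0": {"s1", "s2"}, "s1": {"s3"}, "s2": {"s2", "s3"}, "s3": {"s4"}, "s4": {"s4"}}
SETTLED = {"s4"}
UNSETTLED = set(DATS) - SETTLED

if __name__ == "__main__":
    for op in ("REACH", "EVENTUALLY", "STAY", "UNIVERSALLY"):
        target = UNSETTLED if op == "STAY" else SETTLED
        print(f"{op:12s} {sorted(target)} -> {sorted(evaluate(op, DATS, target))}")
```

Running the block shows the difference between the path quantifiers on the same set: every state can REACH the settled state, but only s1, s3 and s4 EVENTUALLY settle on all paths, because s2 may STAY unsettled forever.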
TRANSITION: Previous approaches to property specification of analog systems were directly derived from temporal logics and mostly perform some kind of reachability analysis. Although CTL-AT operations are still possible in ASL, the abstract reachability operation of ASL is called "TRANSITION" and selects states on paths between two state areas. It determines the minimum, maximum, average and range of the transition times detected on the transition paths. These values can be assigned to numeric variables using the "ASSIGN" command. The sum of edge weights on a path between two vertices i, j is defined as the distance and is calculated by Dijkstra's algorithm, once as the shortest path and once as the longest path by inversion of the edge weights. The longest path computation is possible efficiently as the path algorithms are modified to consider the DATS to be a directed acyclic graph where a labeling function assures that loops are not traveled. A pseudocode definition is given in Algorithm 2 and an illustration of the states identified by the transition operation is shown in Figure 3.4(a). When considering the edges to be all labeled with a transition time of 1, the minimum transition time is 4 and the maximum transition time is 6.

Algorithm 2: ASL Transition Algorithm: ON Base Set TRANSITION FROM Start Set TO Dest Set
    foreach vertex i in (Start Set ∩ Base Set) do
        foreach vertex j in (Dest Set ∩ Base Set) do
            if shortest and longest distance(i → j) < ∞ then
                add shortest and longest distance(i → j) to transition times;
                add vertices on paths between i → j to Transition Set;
            end
        end
    end
    report minimum, maximum, average and range of the detected transition times.

Algorithm 3: ASL Oscillation Algorithm: ON Base Set SELECT OSCILLATION
    foreach vertex i in Base Set do
        if (shortest and longest distance(i → i) > 0 and < ∞) then
            add shortest and longest distance(i → i) to oscillation periods;
            add vertices on paths i → i to Oscillation Set;
        end
    end
    report times of minimum, maximum, average and range of the detected oscillation periods.

As can be concluded from Algorithm 2, the worst-case runtime complexity of the transition operation is dominated by the all-pairs shortest path problem, which can be computed in O(n³) with n being the number of vertices of the DATS.
OSCILLATION: The operation "OSCILLATION" identifies states on cycles in the state space and calculates the corresponding minimum, maximum and average oscillation period. The pseudocode definition is presented in Algorithm 3. In Figure 3.4(b) a schematic illustration of a set of states of an oscillation cycle is shown, with a shortest oscillation period of 11 and a longest period of 12 when considering the edges all to be labeled with a weight of 1. The cycle detected from state i is identified due to i being reachable from i with a path length greater than zero and less than infinity when a single self-transition is ignored using a modified path traversal algorithm. The worst-case runtime complexity of the oscillation detection algorithm is O(n³) with n being the number of states in the Base Set the operation is applied to. This is due to the oscillation operation relying on distance information generated by a modified path traversal algorithm such as Dijkstra's with, in the worst case, n calls to the path algorithm with a quadratic runtime complexity. Corresponding to the explanation for the transition operation, the longest path detection operates on inverted edge weights and does not travel loops due to a labeling of visited edges. However, closing a loop from vertex i along a path to i is allowed by a modification of the algorithm.

Algorithm 4: ASL Delta Compare Algorithm: ON Base Set DELTA COMPARE ( State Space Variable ) Interval FROM Start Set TO Dest Set
    foreach vertex i in (Start Set ∩ Base Set) do
        foreach vertex j in (Dest Set ∩ Base Set) do
            if shortest and longest distance(i → j) < ∞ then
                add vertices on paths i → j to Transition Set;
            end
        end
    end
    foreach vertex pair i, j with (σ_i, σ_j) ∈ R in Transition Set do
        if Δvalue(State Space Variable)_ij / Δtime_ij ∈ Interval then
            add i, j to Result Set;
        end
    end
    report minimum, maximum, average and range of Δvalue(State Space Variable) / Δtime.
DELTA COMPARE: The operation "DELTA COMPARE" evaluates $\frac{\Delta value}{\Delta time}$ between all pairs of consecutive states of detected paths within a given transition area. Hence, it is possible to measure the rate of change of a state space variable value over time on paths. This is of particular use for determining slew rates on transition paths. A pseudocode definition is introduced in Algorithm 4. Consider the two state space variables a and b in Figure 3.4(c): for variable b, the algorithm calculates $\frac{b_2 - b_1}{2}$ and $\frac{b_3 - b_2}{3}$.

The worst-case runtime complexity is dominated by the computation of the transition set with O(n³). The calculation of the derivative only takes linear time, hence its worst-case runtime complexity is O(n).

Moreover, by passing two variables to the operation, the partial derivative $\frac{\Delta variable_1}{\Delta variable_2}$ between the two variables can be measured. Referring again to Figure 3.4(c), the algorithm calculates $\frac{b_2 - b_1}{a_2 - a_1}$ and $\frac{b_3 - b_2}{a_3 - a_2}$.
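The transition, oscillation and delta compare operations of Algorithms 2 to 4, as an added, self-contained Python example that is not part of the thesis or its tool. It works on a small constructed DATS whose edge weights are transition times. Paths are enumerated by a loop-free depth-first search instead of the Dijkstra variants described above; on a graph this size that is exact, and it makes the rule "never travel loops, but allow closing the cycle i → i, except for a bare self-transition" explicit in code. State names, the variable v_out and all values are constructed, and skipping self-transitions in the slew-rate pass is this example's choice.

```python
"""Added example: the path-based ASL operations TRANSITION, OSCILLATION and DELTA COMPARE
(Algorithms 2 to 4) on a small constructed DATS whose edge weights are transition times."""
from typing import Dict, Iterator, List, Optional, Set, Tuple

Graph = Dict[str, Dict[str, float]]   # state -> {successor: transition time}

# Constructed DATS: s0..s4 form a settling transient with a fast and a slow branch ending in the
# DC point s3 (self-transition only); s5/s6/s7 form an oscillating region with two nested cycles.
DATS: Graph = {
    "s0": {"s1": 1.0},
    "s1": {"s2": 1.0, "s4": 2.0},
    "s2": {"s3": 1.0},
    "s4": {"s3": 1.0},
    "s3": {"s3": 1.0},
    "s5": {"s6": 1.5},
    "s6": {"s7": 1.5},
    "s7": {"s5": 2.0, "s6": 0.5},
}
# Constructed state labels: the value of the hypothetical state space variable v_out per state.
VALUES = {"s0": {"v_out": 0.0}, "s1": {"v_out": 0.4}, "s2": {"v_out": 0.8}, "s4": {"v_out": 0.5},
          "s3": {"v_out": 1.0}, "s5": {"v_out": 0.2}, "s6": {"v_out": 0.9}, "s7": {"v_out": 0.2}}


def simple_paths(graph: Graph, src: str, dst: str, base: Set[str]) -> Iterator[Tuple[List[str], float]]:
    """Enumerate loop-free paths src -> dst inside `base` as (vertices, summed transition time).
    Loops are never traveled, except that a path may close the cycle back to src when dst == src;
    the bare self-transition src -> src is not a cycle, so a DC point is not an oscillation."""
    stack = [(src, [src], 0.0)]
    while stack:
        v, path, time = stack.pop()
        for w, t in graph[v].items():
            if w not in base:
                continue
            if w == dst:
                if not (w == src and len(path) == 1):
                    yield path + [w], time + t
            elif w not in path:
                stack.append((w, path + [w], time + t))


def summarize(values: List[float]) -> Optional[Dict[str, float]]:
    """The four figures ASSIGN can take from an operation: MIN, MAX, AVERAGE and RANGE."""
    if not values:
        return None
    return {"min": min(values), "max": max(values),
            "average": sum(values) / len(values), "range": max(values) - min(values)}


def transition(graph: Graph, start: Set[str], dest: Set[str], base: Optional[Set[str]] = None):
    """Algorithm 2: ON base TRANSITION FROM start TO dest."""
    base = set(graph) if base is None else base
    times, transition_set = [], set()
    for i in sorted(start & base):
        for j in sorted(dest & base):
            paths = list(simple_paths(graph, i, j, base))
            if paths:                                   # distance(i -> j) < infinity
                path_times = [t for _, t in paths]
                times += [min(path_times), max(path_times)]
                transition_set.update(v for p, _ in paths for v in p)
    return transition_set, summarize(times)


def oscillation(graph: Graph, base: Optional[Set[str]] = None):
    """Algorithm 3: ON base SELECT OSCILLATION."""
    base = set(graph) if base is None else base
    periods, oscillation_set = [], set()
    for i in sorted(base):
        cycles = list(simple_paths(graph, i, i, base))
        if cycles:                                      # 0 < distance(i -> i) < infinity
            cycle_times = [t for _, t in cycles]
            periods += [min(cycle_times), max(cycle_times)]
            oscillation_set.update(v for p, _ in cycles for v in p)
    return oscillation_set, summarize(periods)


def delta_compare(graph: Graph, values, var: str, interval: Tuple[float, float],
                  start: Set[str], dest: Set[str], base: Optional[Set[str]] = None):
    """Algorithm 4: ON base DELTA COMPARE ( var ) interval FROM start TO dest, i.e. the slew rate
    Δvalue/Δtime over consecutive states (σi, σj) ∈ R of the transition set."""
    lo, hi = interval
    transition_set, _ = transition(graph, start, dest, base)
    rates, result_set = [], set()
    for i in sorted(transition_set):
        for j, dt in graph[i].items():
            if j in transition_set and j != i:          # a self-transition changes no value (skipped)
                rate = (values[j][var] - values[i][var]) / dt
                rates.append(rate)
                if lo <= rate <= hi:
                    result_set.update((i, j))
    return result_set, summarize(rates)
```

With the constructed weights, `transition(DATS, {"s0"}, {"s3"})` finds the 3.0 and 4.0 time units of the two branches, `oscillation(DATS)` reports periods between 2.0 (the inner s6/s7 cycle) and 5.0 (the outer cycle) and leaves the DC point s3 out, and `delta_compare` returns the states whose consecutive slew rate lies in the given interval together with the min/max/average/range figures that ASSIGN would consume.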
Figure 3.4: States in the transition set between sets "Start" and "Dest" (a). States of an oscillation set identified by the oscillation algorithm (b). Illustration of the delta compare operation (c).

CALCULATION: By defining a calculation formula, a set of states can be selected by evaluating an arithmetic property on the state space variable values of each state in the Base Set. Additionally, the numerical calculation results can be used by subsequent operations. Algorithmically, the formula is calculated on the variable values of each state and it is therewith decided whether the state meets the given value constraint, while the calculation results are recorded. A definition of a calculation contains placeholders for each parameter which will later be passed on to the calculation.

For example, the calculation formula

    calculation fraction (calc_parameter2 / calc_parameter1)

can be defined. An application in the body of the ASL specification could be:

    result_set = on test_set fraction(V_C1,V_C2)[0.2,0.5]

In this code line, for the two state space variables V_C1 and V_C2 of every state in the set test_set, the division as presented in the definition of the formula is computed. If the result for a state is within the exemplary interval [0.2,0.5], the state is inserted into result_set. With such calculations, complex properties can be defined.

The call to a calculation has a worst-case runtime complexity of O(n) with n being the number of states in the Base Set, as the evaluation of the calculation formula can be computed by a single loop iterating over the set of states.
DCPOINTS: The operation "DCPOINTS" returns the steady states represented by DC operating points of the state space. For different input values, the corresponding DC operating points determine the set φ_DC of steady states of the system. This set is directly identified by the discretization process. The DATS represents DC operating points with a self-transition and no other outgoing dynamic edges:

$$\sigma_i \in \phi_{DC} \Leftrightarrow (\sigma_i, \sigma_i) \in R \wedge \deg(\sigma_i) = 1 \qquad (3.15)$$

ASSIGN: The operation "ASSIGN" assigns a numerical value returned by another ASL operation to a number variable. The possible values are the minimum, maximum, average and range of the set of single values determined on a set of states.

ASSERT: To complete the verification of a property, it is necessary to include assertions in the specification code. These assertions evaluate to either the Boolean result true (1) or false (0), which is always printed to the verification report and can additionally be assigned to a number variable for further evaluation. For sets, the operation "ASSERT" checks whether a given set is a subset of the reference set. Hence, "FOR φ ASSERT ψ" reports true if the following equation holds:

$$\phi \cap \psi = \phi \qquad (3.16)$$

Numeric assertions check values determined during the verification process with respect to a given interval. Therewith, the assertion returns true if the number variable in the expression is within the specified interval boundaries.

The worst-case runtime complexity of assertions is O(n) with n being the number of states in the Base Set for the evaluation of set assertions and O(1) for the evaluation of number assertions.
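To connect the grammar of Section 3.5.2 with the semantics of CALCULATION, VALUE, DCPOINTS and ASSERT, here is an added Python example that is not the thesis' own implementation: a small recursive-descent parser for the Interval and Calc Expression productions, the page's fraction calculation, and an evaluation of the example line result_set = on test_set fraction(V_C1,V_C2)[0.2,0.5] on a constructed set of states and transition relation. Two assumptions beyond the page: the usual arithmetic precedence for Calc Expression (the EBNF leaves it open), and that calc_parameter1 names the first argument of the call.

```python
"""Added example: parse ASL's Interval and Calc Expression productions and evaluate the
state-selection operations CALCULATION, VALUE, DCPOINTS and ASSERT on a constructed DATS."""
import operator
import re
from typing import Callable, Dict, List, Set
Interval = Callable[[float], bool]      # a parsed Interval is a membership predicate
Calc = Callable[[List[float]], float]   # a parsed Calc Expression maps call parameters to a value
_INTERVAL_RE = re.compile(r"\[\s*(?:(<=|<|>=|>)\s*(\S+?)|(\S+?)\s*,\s*(\S+?))\s*\]")
_TOKEN_RE = re.compile(r"calc_parameter\d+|\d+(?:\.\d+)?|[()+\-*/]")
_OPS = {"+": operator.add, "-": operator.sub, "*": operator.mul, "/": operator.truediv}

def parse_interval(text: str) -> Interval:
    """Interval := [Number, Number] | [< Number] | [<= Number] | [> Number] | [>= Number] | ε"""
    text = text.strip()
    if not text:                              # ε: no constraint on the value
        return lambda x: True
    m = _INTERVAL_RE.fullmatch(text)
    if not m:
        raise SyntaxError(f"malformed interval {text!r}")
    op, bound, lo, hi = m.groups()
    if op is None:                            # closed interval [lo, hi]
        lo_f, hi_f = float(lo), float(hi)
        return lambda x: lo_f <= x <= hi_f
    b = float(bound)
    return {"<": lambda x: x < b, "<=": lambda x: x <= b, ">": lambda x: x > b, ">=": lambda x: x >= b}[op]

def _binop(op: str, left: Calc, right: Calc) -> Calc:
    return lambda params: _OPS[op](left(params), right(params))

class CalcParser:
    """Recursive-descent parser for Calc Expression; * and / are assumed to bind tighter than + and -."""
    def __init__(self, text: str):
        self.tokens, self.pos = _TOKEN_RE.findall(text), 0
    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None
    def take(self) -> str:
        if self.peek() is None:
            raise SyntaxError("unexpected end of calculation")
        self.pos += 1
        return self.tokens[self.pos - 1]
    def parse(self) -> Calc:
        node = self.expr()
        if self.peek() is not None:
            raise SyntaxError(f"unexpected token {self.peek()!r}")
        return node
    def expr(self) -> Calc:                   # term (('+' | '-') term)*
        node = self.term()
        while self.peek() in ("+", "-"):
            node = _binop(self.take(), node, self.term())
        return node
    def term(self) -> Calc:                   # factor (('*' | '/') factor)*
        node = self.factor()
        while self.peek() in ("*", "/"):
            node = _binop(self.take(), node, self.factor())
        return node
    def factor(self) -> Calc:                 # Number | calc_parameterN | ( Calc Expression )
        tok = self.take()
        if tok == "(":
            node = self.expr()
            if self.take() != ")":
                raise SyntaxError("expected ')'")
            return node
        if tok.startswith("calc_parameter"):  # calc_parameterN is the N-th argument of the call
            index = int(tok[len("calc_parameter"):]) - 1
            return lambda params: params[index]
        value = float(tok)
        return lambda params: value

def value_op(states, var: str, interval: Interval, base=None) -> Set[str]:
    """VALUE ( State Space Variable ) Interval on Base Set (default ALL): one pass over the states."""
    return {s for s in (set(states) if base is None else base) if interval(states[s][var])}

def calc_op(states, calc: Calc, args: List[str], interval: Interval, base=None):
    """Calc Name ( calc parameters ) Interval: the selected states plus every state's result."""
    results = {s: calc([states[s][a] for a in args]) for s in (set(states) if base is None else base)}
    return {s for s, r in results.items() if interval(r)}, results

def dcpoints(states, relation: Dict[str, Set[str]]) -> Set[str]:
    """DCPOINTS: a self-transition and no other outgoing edge (equation 3.15)."""
    return {s for s in states if s in relation.get(s, set()) and len(relation[s]) == 1}

def assert_set(phi: Set[str], psi: Set[str]) -> int:
    """FOR phi ASSERT psi: 1 iff phi ∩ psi = phi (equation 3.16); a number assertion is just interval(value)."""
    return int((phi & psi) == phi)

# Constructed value vectors and transition relation R of a five-state DATS.
STATES = {"s0": {"V_C1": 1.0, "V_C2": 0.1}, "s1": {"V_C1": 1.0, "V_C2": 0.3}, "s2": {"V_C1": 2.0, "V_C2": 1.0},
          "s3": {"V_C1": 2.0, "V_C2": 1.8}, "s4": {"V_C1": 0.5, "V_C2": 0.2}}
RELATION = {"s0": {"s1"}, "s1": {"s2"}, "s2": {"s2"}, "s3": {"s3", "s4"}, "s4": {"s4"}}

def run_example() -> Dict[str, object]:
    """The page's fragment: calculation fraction (calc_parameter2 / calc_parameter1), applied ON test_set."""
    fraction = CalcParser("calc_parameter2 / calc_parameter1").parse()
    in_range = parse_interval("[0.2,0.5]")
    test_set = value_op(STATES, "V_C1", parse_interval("[>=1.0]"))       # test_set = V_C1 [>=1.0]
    result_set, _ = calc_op(STATES, fraction, ["V_C1", "V_C2"], in_range, test_set)
    everywhere, _ = calc_op(STATES, fraction, ["V_C1", "V_C2"], in_range)  # the same ON ALL
    dc = dcpoints(STATES, RELATION)
    return {"test_set": test_set, "result_set": result_set, "dcpoints": dc,
            "for_dcpoints_assert_in_range": assert_set(dc, everywhere)}
```

`run_example()` evaluates the page's line on the constructed states: test_set restricts the calculation to the four states with V_C1 ≥ 1.0, the fraction V_C2/V_C1 lands in [0.2,0.5] for two of them, and the set assertion FOR DCPOINTS ASSERT fraction(V_C1,V_C2)[0.2,0.5] reports 1 because both DC points (s2 and s4; s3 has a self-transition but a second outgoing edge) satisfy it. A numeric assertion FOR x ASSERT [<0.5] is simply int(parse_interval("[<0.5]")(x)).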
COUNTEREXAMPLE: The operation "COUNTEREXAMPLE" starts the counterexample generation algorithm which will be detailed in Section 5.4.

INPUTSTIMULI: The operation "INPUTSTIMULI" starts the complete state space-covering input stimulus generation algorithm which will be detailed in Section 5.5.
4 Verification of Systems
The goal of electronic circuit design is to create an implementation that completely satisfies the circuit specification. Therefore, at several stages within the design process, it has to be checked whether the current state of the design satisfies the initial specification for the circuit. This task can be accomplished in different ways.

After presenting the general definitions and methods that distinguish verification concepts, existing approaches to analog non-formal and formal verification are discussed in this chapter.

Definition 4.0.1 (Verification)
Verification of a system compares the performances of a model of the system with specified properties either in order to detect design errors (non-formal verification) or to prove the correctness of the system with regard to the specified properties (formal verification). The general term verification refers to non-formal verification.

The level of formality of the specification as well as of the conducted verification efforts ranges from informal and incomplete with experimental character to proof-based formal approaches with absolute certainty of the verification results. Consequently, a classification of the different verification approaches is necessary, distinguishing non-formal from formal verification and introducing the corresponding approaches and terminologies.

In the following, definitions and existing methodologies are discussed in order to develop a hierarchy of verification approaches to prepare the introduction of new analog formal verification methodologies in the next chapter that allow formal and analog design-oriented verification.
4.1 Non-Formal Verification
Under the notion of non-formal verification all those approaches to verification are summarized that do not guarantee completeness of the verification.

Definition 4.1.1 (Non-Formal Verification)
Non-formal verification of a circuit conducts a finite number of simulations in order to detect circuit performances that do not meet the specification. A successful verification only holds for the specific input conditions and internal states of the circuit that were covered by the n simulation runs:

$$\neg\exists f_i(S, P) \not\models P_{spec} \quad \text{for all } 1 \le i \le n \qquad (4.1)$$

A successful verification using a non-formal approach does not prove the absence of errors as it is only a sequence of incomplete experiments. Experiments can remain for which the investigated property causes the verification to fail.
4.1.1 Simulation-Based Verification
The most common way to check whether a system conforms to its specification is to simulate test cases in order to obtain performances that are considered representative for its future operation. A set of simulation test benches is set up and, by conducting the simulations, the system behavior is compared to a specification. While design errors can be detected by this approach, it is never known when enough test cases have been simulated to consider a system as error free. Moreover, the evaluation of simulation results and their comparison with specified properties is a manual task. Because the specification does not necessarily conform to any specification standard, there is a high level of uncertainty whether the specification is interpreted correctly by the designer. The simulation flow is illustrated in Figure 4.1.

Figure 4.1: Simulation-based verification flow. The system is simulated using simulation algorithms with user-defined input stimuli. The designer compares the simulation results with the property specification of the system and either considers the specification as satisfied or not.

4.1.2 Assertion-Based Verification
In contrast to simulation-based verification using test benches with manual inspection of the results, assertion-based verification tries to overcome some downsides of the previous approach. This is accomplished by introducing formalization of the specification and of the evaluation of simulation runs in order to reduce the manual effort and to increase standardization of the verification approach. The automation is achieved by having system properties defined in a machine-readable specification which can be processed by an evaluation tool on the simulation waveforms. This evaluation can be directly linked to the simulation environment, resulting in incremental online monitoring of the simulation results. In the case of specification violations, the simulation can be interrupted immediately. Therewith, time can be saved by not finishing long simulation runs when an error is detected early during the simulation. The offline monitoring approach receives the complete simulation results after finishing the simulation. While the advantage of online monitoring is obvious, algorithmically some propositions about the simulation results can only be checked when the complete results are available. This applies for example to averaged values or the number of crossings of a given threshold.

While the assertion-based verification approach does not cover all possible states of a system due to incorporating incomplete experiment-based simulation, using a machine-readable specification approach and automated evaluation improves the verification quality significantly. Figure 4.2 illustrates the assertion-based verification flow.
4.2 Verification Coverage
One common challenge among all non-formal verification approaches is verification coverage. The question when a verification is complete and a design can be considered error-free cannot be answered confidently. As test bench-based simulation approaches are based on a finite set of simulation cases, the number of detected design errors should decrease with the number of simulations performed. The decision when enough simulation runs have been conducted depends on the designer's experience, and deducing that a design considered to be simulated sufficiently can be taken as error free is a common misconception. It can still contain numerous critical design errors that just have not been covered by the test cases designed by the verification engineer. For digital as well as for analog hardware verification, exhaustive simulation is considered not to be possible efficiently and therefore verification coverage of test bench-based approaches is not complete.

Figure 4.2: Assertion-based verification flow. The system is simulated using simulation algorithms with user-defined input stimuli. The assertion-evaluation tool compares the simulation results with the machine-readable property specification of the system and reports whether the specification is satisfied by the simulation results.

Theoretically, digital designs have a finite set of states that can be enumerated, and test cases could be constructed that cover every possible state the system can adopt. However, even for very small designs this effort is infeasible due to the combinatorial explosion. Hence, measures for verification coverage are mandatory in order to rate the verification quality and actively control which parts of a design are not covered sufficiently.

Besides the aforementioned challenge of never knowing whether or not a given specification is completely satisfied by the DUV, another challenge exists that is valid even for formal verification approaches using declarative property specifications. It is posed by the question whether the formal property specification is sufficient for capturing the design intent. Even a perfectly formally verified system can contain errors if the specification did not cover them. This problem is called specification coverage and will not be considered in the following, as we assume that a verification is complete when the specification is satisfied by the DUV under any circumstances.

Analog verification coverage has not yet been the subject of extensive research and only few approaches exist that try to transfer some of the digital coverage measures to mixed digital-analog verification [BCMP06, HLSS08], or, in the area of hybrid systems, use sensitivity analysis for coverage-directed simulation [DM07]. In the digital hardware domain, a taxonomy of verification coverage already exists. Tools supporting verification management methodologies, subsumed under the heading "coverage-driven verification", have emerged for handling the verification of large designs. Languages such as OpenVera [Syn03] and SystemVerilog Assertions [CVK05] include assertion management and coverage assistance, and tools like Cadence Incisive Enterprise Specman [Cad07] offer systematic verification coverage management within the verification flow. The corresponding ideas will be outlined in the following in order to motivate an analog verification coverage concept.

In the field of non-formal verification, there are two main coverage metrics: structural/code coverage and functional coverage [GRW05]. The main observation about these metrics is that only a subset is connected to direct specification checking and most of the coverage metrics are indirect, which means that they do not conclude specification conformance from their results but help to decide whether one can be confident in the verification results.
4.2.1 Structural Coverage
Structural coverage describes the implementation coverage of a verification. The objective is to measure which parts of the implementation have been covered by verification. Depending on the type of implementation, this can be performed in different ways. Structural coverage can vary from code statement coverage, including branch coverage and path coverage for HDL-like implementations, to finite state machine coverage, including state coverage and transition coverage in order to identify states and transitions visited by the verification.

While an automated evaluation of structural coverage can be obtained by applying simple algorithms, the results are not always very meaningful. Checking that every part of the implementation has been covered by a verification run does not mean that critical interactions of the parts have been covered. As an example, an abstract system consisting of four parts with directed edges representing a signal flow is illustrated in Figure 4.3. In a first simulation run labeled "a", parts 1, 3 and 4 are covered. The second run "b" covers parts 1, 2 and 4. However, the connection between part 2 and 3 was not covered by the verification. Although 100% of the parts have been covered, a possible problem in the interoperation of parts 2 and 3 would not have been detected by this verification. On the other hand, simulating all possible combinations is not feasible for larger designs. Therefore, coverage of corner cases cannot be concluded from high structural coverage metrics.

Figure 4.3: Illustration of structural coverage (parts 1 to 4, simulation runs a and b).
4.2.2 Functional Coverage
In contrast to the non-specific structural coverage, functional coverage is measured by checking whether predefined functional aspects have been part of the verification run. Therefore, explicit coverage points have to be specified that represent critical corner cases or requirements of the design, based on the knowledge of the verification engineer. Revisiting the example presented in the previous subsection, a verification engineer could consider the combination of parts 2 and 3 as important. Hence, a functional coverage measure is specified that reports whether this path has been covered by the verification. By covering user-defined functional requirements, the confidence in the verification results is improved.

Functional coverage measures are closely related to the assertions specified for assertion-based verification approaches. By specifying the functional requirements using such assertions and having all those assertions covered by the verification, a successful assertion-based verification is obtained. On the other hand, passing of assertions must not be confused with coverage of assertions. While an assertion can pass without ever being triggered, a covered assertion has to be evaluated and either passes or fails. Moreover, additional information can be gathered by counting the evaluations of assertions and the internal value combinations leading to these evaluations.
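Computing the two coverage notions of Sections 4.2.1 and 4.2.2 on the four-part example, as an added Python example that is not from the thesis: structural part and transition coverage of runs a and b, a functional cover point for the interoperation of parts 2 and 3, and an assertion object that records separately whether it passed and whether it was ever evaluated, so that a vacuous pass becomes visible. The edge set assumed for Figure 4.3, the enable/vout property and the waveform samples are constructed.

```python
"""Added example: structural vs. functional coverage for the four-part system of Figure 4.3, and the
difference between an assertion that passes and an assertion that is covered."""
from typing import Callable, Dict, List, Set, Tuple

Edge = Tuple[int, int]
# Constructed signal-flow graph for Figure 4.3 (assumption: directed edges 1->2, 1->3, 2->3, 2->4, 3->4)
# and the two simulation runs "a" (parts 1, 3, 4) and "b" (parts 1, 2, 4) described in the text.
EDGES: Set[Edge] = {(1, 2), (1, 3), (2, 3), (2, 4), (3, 4)}
RUNS: Dict[str, List[int]] = {"a": [1, 3, 4], "b": [1, 2, 4]}


def transitions_of(run: List[int]) -> Set[Edge]:
    """The edges a run traverses: consecutive pairs of visited parts."""
    return set(zip(run, run[1:]))


def structural_coverage(edges: Set[Edge], runs: Dict[str, List[int]]) -> Dict[str, object]:
    """Part (state) coverage and transition coverage accumulated over all runs."""
    parts = {p for edge in edges for p in edge}
    visited_parts = {p for run in runs.values() for p in run}
    visited_edges = {e for run in runs.values() for e in transitions_of(run)}
    return {"part_coverage": len(visited_parts & parts) / len(parts),
            "transition_coverage": len(visited_edges & edges) / len(edges),
            "uncovered_transitions": edges - visited_edges}


# Functional cover points: named predicates on a run that encode what the verification engineer
# considers critical, here the interoperation of parts 2 and 3 and a complete chain from 1 to 4.
COVER_POINTS: Dict[str, Callable[[List[int]], bool]] = {
    "parts_2_and_3_interact": lambda run: (2, 3) in transitions_of(run),
    "full_chain_1_to_4": lambda run: run[0] == 1 and run[-1] == 4,
}


def functional_coverage(cover_points, runs) -> Tuple[Dict[str, int], float]:
    """Hit count per cover point and the fraction of cover points hit at least once."""
    hits = {name: sum(1 for run in runs.values() if pred(run)) for name, pred in cover_points.items()}
    return hits, sum(1 for h in hits.values() if h > 0) / len(hits)


class Assertion:
    """Implication-style assertion: whenever `trigger` holds for a sample, `check` must hold as well.
    Passing and being covered are tracked separately."""

    def __init__(self, trigger: Callable[[dict], bool], check: Callable[[dict], bool]):
        self.trigger, self.check = trigger, check
        self.evaluations = 0
        self.failures = 0

    def observe(self, sample: dict) -> None:
        if self.trigger(sample):
            self.evaluations += 1
            if not self.check(sample):
                self.failures += 1

    def passed(self) -> bool:   # vacuously true if the trigger never fired
        return self.failures == 0

    def covered(self) -> bool:  # true only once the assertion has actually been evaluated
        return self.evaluations > 0


def run_assertion(samples: List[dict]) -> Assertion:
    """Constructed property: while `enable` is high, `vout` must have settled above 0.9."""
    assertion = Assertion(lambda s: s["enable"] == 1, lambda s: s["vout"] >= 0.9)
    for sample in samples:
        assertion.observe(sample)
    return assertion


# Constructed waveform samples: the first bench never enables the block, so the assertion passes
# without ever being covered; the second enables it and exposes a violation at t=3.
BENCH_NEVER_ENABLED = [{"t": t, "enable": 0, "vout": 0.0} for t in range(5)]
BENCH_ENABLED = [{"t": 0, "enable": 0, "vout": 0.0}, {"t": 1, "enable": 1, "vout": 0.95},
                 {"t": 2, "enable": 1, "vout": 0.97}, {"t": 3, "enable": 1, "vout": 0.6}]
```

On these inputs `structural_coverage` reports 100% part coverage but only 4 of 5 transitions, with (2, 3) uncovered, exactly the gap the text describes, and `functional_coverage` shows the cover point for parts 2 and 3 was never hit. `run_assertion(BENCH_NEVER_ENABLED)` passes with zero evaluations, which is why a report should list coverage next to the pass/fail verdict.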
4.3 Formal Verification
Formal verification describes the verification methods that are based on formal concepts allowing to prove that propositions made about a system model are valid. Such propositions can be in the form of a declarative specification or of an operational specifying system model as discussed in Section 3.3.

Definition 4.3.1 (Formal Verification)
Formal verification of a system proves that the performances satisfy the property specification for every possible input signal and internal state of the circuit:

$$\forall f(S, P) : f(S, P) \models P_{spec} \qquad (4.2)$$

Figure 4.4: Model checking flow. The machine-readable property specification is checked against the system model using a model checking tool. The result is either true, i.e. the specification is satisfied, or a counterexample is returned.

Historically, two classes of algorithmic approaches to formal verification have been distinguished. The algorithmic approach of proving that a system model satisfies a declarative specification is called model checking. Proving the functional equivalence of a system model under verification and an operational specifying system model is referred to as equivalence checking. In the terminology of the coverage aspects of the previous section, formal verification has complete structural and functional coverage with respect to the specification.
4.3.1 Model Checking
Model checking is an approach to formal verification where a system model is compared with a functional specification [CGP99]. Hence, the task of model checking is to verify whether a finite state system model, represented by a type of Kripke structure M as defined in Sections 2.2.1 and 2.4.1, satisfies a given specification P_spec. The declarative languages for denoting the specification have been introduced in Chapter 3. Therewith, the verification problem to be solved can be stated as:

$$M, \sigma \models P_{spec} \quad \text{for all } \sigma \in \Sigma \qquad (4.3)$$

The model checking algorithm reports true if P_spec holds for every state of the system model. Otherwise, states not satisfying the specification are identified. A transition path π_ce from a defined initial state to a state identified as not satisfying the specification is called a counterexample. Figure 4.4 illustrates the model checking approach.

While the foundations of using propositional temporal logics for specifying system behavior originated in philosophy long before their application to algorithmic system verification, the combination of CTL property specification and a system model represented as an explicit state transition system in the form of a Kripke structure made possible the first automated model checking of an abstract system model [CE82]. Before these algorithms for model checking were proposed, all verification proofs were conducted by manual calculations and hence were infeasible for real world applications.
4.3.2 Equivalence Checking
While model checking is applicable to prove that a machine-readable specification of system properties is satisfied by a model of the system implementation, the task of equivalence checking is to compare two implementations of a system as to whether they are functionally equivalent. Hence, equivalence checking does not verify that a system conforms to a set of properties; instead, complete behavioral equivalence is proven.

In the digital domain, equivalence checking has a long history and there is a very strict formal definition for functional equivalence of static combinatorial circuits [MM04]:

Definition 4.3.2 (Boolean Equivalence of Combinatorial Circuits)
Given two representations d_f and d_g of two Boolean functions f, g: {0,1}^n → {0,1}^m, decide whether the Boolean functions f and g are equal, i.e. whether f(α) = g(α) holds for all α ∈ {0,1}^n.

The general case of the Boolean equivalence checking problem is co-NP hard [GJ79] as it represents the complemented Boolean formula satisfiability problem, which is known to be NP hard. The advances in the field of digital equivalence checking were made by finding representations of Boolean formulas such as reduced ordered binary decision diagrams (BDDs) [Ake78] or multiplicative binary moment diagrams (*BMDs) [CB95] that reduce the actual equivalence checking problem down to constant time, at the cost of creating the underlying representations.

For dynamic sequential circuits, the equivalence checking problem is related to checking the equivalence of the finite automata representations of the circuits. Hence, a state space traversal approach has to compare the reachable sequences of states of both automata for defined starting states [MM04].

In the scope of this thesis, the concept of functional equivalence of static and dynamic systems is generalized towards equal input/output behavior of analog systems with the following definition.

Definition 4.3.3 (Input/Output Equivalence of Static/Dynamic Systems A and B)
Two systems A and B are considered input/output-equivalent if for every possible input signal u(t), the outputs of systems A and B are equivalent with respect to the dynamic output behavior defined in Definition 2.4 in Section 2.1:

$$A \equiv B \Leftrightarrow y_A(t) \equiv y_B(t) \quad \text{for all } u(t) \qquad (4.4)$$

with

$$y_A(t) = S_A(u(t), x_A(t)); \quad y_B(t) = S_B(u(t), x_B(t)) \qquad (4.5)$$

In addition to the question whether two systems are equal, which is a Boolean result of true or false, equivalence metrics have to be developed for equivalence checking of analog circuits. This is due to the fact that there is no total equivalence in real analog circuits as it exists for the Boolean equivalence of digital systems. Hence, equivalence of analog circuits is assumed when a given equivalence measure, reported by a metric to be defined, is above a given magnitude.
4.4 Existing Approaches to Non-Formal Analog Circuit Verification

While the presented general verification concepts for non-formal verification apply to analog circuits, there are several differences that have to be discussed. Especially the availability of automated tools for analog verification is significantly reduced compared to digital circuit verification. While there are mature verification methodologies for digital circuits that are already introduced in industrial design flows, analog verification is mainly done by manual investigation of simulation runs. Due to the complex properties of analog circuits, not only the specification of the desired behavior of the circuit is much more difficult than in the digital domain, but also the verification algorithms are far more complex due to operating on continuous systems represented by DAEs. Therefore, circuit simulations are the major tool for verification of analog circuits, nowadays partially augmented by automated evaluation of verification results.

This section addresses the concepts of formalizing non-formal verification of analog circuits, followed by a discussion of existing approaches to analog formal verification in the subsequent section.
4.4.1 Assertion-Based Approaches to Analog Verification

The first approaches to overcome the manual evaluation of analog simulation results were introduced in the area of automated circuit characterization [HGT91, EGG98]. Therewith, by developing reusable templates for circuit class specific properties, automated performance evaluations have been introduced into the analog design flow.

An emerging verification approach attempts to formalize the property specification and evaluation of conventional simulation results by introducing assertions. Derived from the digital domain, assertion-based verification automates the evaluation of simulation results and hence enables regression testing. A recent approach to include analog assertion-based verification on commercial platforms proposes property specification implemented either as an analog extension to SystemVerilog Assertions (SVA) or as a library of analog assertion objects for the Open Verification Library (OVL) [MPDG09]. The tool AMT proposed in [NM07] uses STL/PSL in order to verify properties on transient simulation waveforms offline and online. However, due to the limited expressiveness of STL/PSL, only timing-oriented verifications are possible.

In Section 5.3 a new assertion-based verification methodology for complex analog properties such as slew rate, oscillation and overshoot by application of the Analog Specification Language (ASL) to transient simulation waveforms will be introduced. Since it is the global evaluation methodology that makes the verification of complex properties on the waveforms possible, online monitoring is only reasonable for local properties.
4.4.2 Analog Verification Coverage

While formal verification methodologies automatically deliver complete coverage of the investigated state space of the designs under verification, the verification gap of today's design flows can simply be characterized by the idea of verification coverage. Test bench-based simulation approaches try to find critical input stimuli and external parameters that bring the circuit into as many critical states as possible, but the real verification coverage of the state space is uncertain. Therefore, in the area of post-production testing of analog circuits, several approaches to automatic test pattern generation (ATPG) have emerged for a systematization of the test procedure. Their common method is to start with a set of given faults and to try to compute a test stimulus that covers every element of the fault set using either sensitivity analysis [Bur01], controllability and observability computation [SHZ+01], or statistical distance computation [VdPG97]. In the area of hybrid systems, coverage-guided test generation is emerging for linear systems, but applications to nonlinear analog circuits are not yet available [DN09].

Shifting the perspective back to design-time verification, automated approaches are very rare. An approach [BCMP06] of generating constrained randomized stimuli cannot guarantee to cover the complete state space of the design under verification (DUV). The same applies to another approach that simulates the system behavior with statistical chaotic excitation signals [MZXA08].

In the scope of this thesis, analog verification coverage can be connected to state space coverage. If every state of a system was investigated during a verification, the verification coverage is complete. Hence, in Section 5.5, an approach to complete state-space covering input stimuli generation will be proposed, allowing transient simulation of nonlinear analog circuit blocks with guaranteed coverage of the reachable state space of the system under verification.

Figure 4.5: Comparison of verification coverage in the state space by test bench-based transient simulation and formal verification. Test bench-based transient simulation: + state of the art, + established in industry, + matches designers' way of thinking, - incomplete coverage, - search for errors, - error detection … experience. Formal verification: + complete coverage, + proof of correctness, - not established, - different way of thinking, - need for formal specification, - complexity.

Figure 4.5 compares the state space coverage characteristics of incomplete test bench-based non-formal verification to those of complete formal verification.
4.4.3 Formalizing the Analog Verification Flow

With the growing need for formalizing analog verification in industrial design flows and analog formal verification tools not yet being available, approaches that give up formality in favor of delivering practical solutions have emerged. Systematic verification based on verification plans that introduce a hierarchy of behavioral modeling and verification-oriented test benches targets the problem in a conventional way by changing the methodology of how existing tools are used [CK07]. On block level, formal methodologies could be introduced into industrial flows quickly with the support of EDA vendors. However, increasing the complexity of the system under verification continuously decreases the applicability of formal methods, as presented in [BGG+09]. In the RF domain, sophisticated behavioral modeling, and therewith making possible more simulations within a given verification time, is already considered as formalizing the verification in this domain [WJWH09].

As analog circuit simulators are the central tool all verification flows are based on, in [TGP+09] a satisfiability (SAT) solver-based approach to SPICE-type circuit simulation for formal simulation results is presented in order to target the verification problem from a different perspective. By formulating the simulation problem as an input for a SAT solver, the simulator can discover all possible solutions for a given simulation task. Due to the NP-completeness of the SAT problem, the approach can exhibit exponential worst-case runtime complexity, which is targeted by abstraction refinement.
4.5 Existing Formal Approaches to Analog Verification

In this section, existing formal approaches to analog verification are discussed in order to obtain an overview of the state of the art.

Depending on their scientific origin, the approaches to formal verification of analog circuits have very opposing basic principles. On the one hand, methods that have been developed within the theory of logic reasoning and abstract system theories are extended to the area of analog verification. These approaches feature a consistent logical and formal foundation, but they share the problem of being far away from applicability to real-world analog circuit verification problems. Often, complicated manual modeling to abstract representations is necessary in order to apply the verification algorithms. Property specification forces logic theory upon analog property specification instead of aligning with the semantic terminology of existing analog circuit properties.

On the other hand, approaches coming from the background of electrical engineering and analog EDA research are very practical and straightforward but often lack formality, soundness and structuredness.
4.5.1 Reachability Analysis and Verification of Analog Circuits

Reachability-based verification approaches use state space exploration techniques in order to formally compute the conservatively approximated reachable area in the state space of a system represented by ODEs. In contrast to the discrete modeling presented in Section 2.4, verification approaches incorporating reachability analysis do not generate a complete model of the state space of the circuit that can be checked for more complex properties. Therefore, compared to model checking, these approaches do not offer a property evaluation methodology exceeding the question whether a specified state is reachable from a given starting state.

Originating from the theory of hybrid systems, first reachability verification approaches targeted simple nonlinear control systems by linearization [HH95]. Reachability analysis development towards nonlinear analog circuit verification introduced the calculation of hybrid polyhedral outer approximations enclosing the flow derived from differential equation systems [GKR04] using the tool "Checkmate". Investigated circuits were a simple tunnel diode oscillator and a Matlab model of a third-order delta-sigma modulator.

Another hybrid system verification approach for analog systems is based on the "d/dt" tool, applied to different analog circuit examples such as a biquad lowpass filter and the model of a delta-sigma modulator [DDM04, ADG07, DN09]. Specializing in oscillator reachability verification and stability computation without emphasis on a structured specification, approaches were presented in [FKR06, GY08].
4.5.2 Analog Model Checking

The first approach to model checking of analog circuits introduced a discrete state space model of the circuit to be checked against a property specification given as ω-automata. The circuit investigated was a transistor level representation of a digital interlock, described using simplified transistor models implemented by a capacitor and a voltage controlled current source [KM91]. Although the discretization into a finite automaton is very rough, this is the first approach to discrete modeling of the state space of analog systems with application of an automata-based property verification.

Derived from the successful property specification of digital and software systems with the Computation Tree Logic (CTL) [CE82], the first approaches to CTL-based model checking of analog systems applied CTL extended with an analog operator to a discretized state space model of nonlinear analog circuits [HHB02a, HHB02b]. With an adaptive state space discretization that controls the size of the enclosures of state space regions depending on the level of homogeneity of the state space dynamics, as described in Section 2.4.3, properties of nonlinear circuits such as the oscillation of a tunnel diode oscillator, overshooting of a second-order lowpass filter and the switching behavior of a Schmitt-trigger circuit have been verified. The addition of time constraints to the CTL specification allowed, for the first time, to formally verify timed behavior of analog circuits [GPHB05].

Weakening the formality of the approach, in [DC05, DC07] a verification system applying an extended CTL derivative called AnaCTL to the transient response of analog circuits is proposed. By higher level modeling of analog circuits using labeled hybrid Petri nets, verification of AMS systems is introduced in [LSW+06, MHW+06], not offering an automated translation of transistor level circuits to the Petri net representation. The same limitation applies to the approach presented in [ASZT07], where a stability verification of a symbolic mathematical representation of a delta-sigma modulator using recurrence equations is introduced.

In contrast to the industrial application of model checking of digital hardware systems, the approaches to model checking of analog systems have not yet been introduced into industrial flows. There are several challenges that need to be solved in order to develop analog model checking towards industrial applicability. These challenges will be outlined in the following.

• The continuous system description originating from the differential equation system of the analog BCEs cannot be evaluated by direct theorem proving approaches. Therefore, abstractions have to be made that have to balance between model complexity and model accuracy.
• The discretization of an analog system to a state model suffers from the state space explosion problem. Due to the exponential growth of the number of states with the number of state space variables, only block-level analog circuits can be handled.
• The hyperbox discretization, which is part of the up to now most capable model checking approach, is not rotation-invariant and massively over-approximates the transition relation of the system. Hence, it does not deliver reliable results for complex state space dynamics structures.
• Up to now, approaches to model checking of analog circuits are based on property specifications closely related to the digital specification with CTL syntax and semantics. Even for digital specification, approaches like PSL have been necessary to facilitate the access to formal property specification for the designers. Moreover, the semantics of branching time temporal logics used in analog model checking are not expressive enough for the precise specification of complex analog behavior.
• Corresponding to the lack of specification expressiveness of analog CTL specification, the algorithmic evaluation of formal analog specifications needs a different methodology compared to the digital domain. Digital specifications are very time-oriented with abstract properties such as fairness and liveness that are easy to specify and evaluate on digital state models. In contrast, analog properties such as slew rate, oscillation, overshoot, etc. are based on the complex relation of different internal state variables, and specifications have to reason on the discrete representations of their continuous magnitudes and their alteration over time.

Some of these challenges will be targeted by the ASL model checking approach presented in Section 5.2.
4.5.3 Analog Equivalence Checking

The basic goal of formal equivalence checking of nonlinear analog circuits is to verify whether two systems have the same input-output behavior for every possible input signal, corresponding to Definition 4.3.3. The existing approaches are discussed in the following. Moreover, in order to obtain a benchmark for the new equivalence checking approach proposed in Section 5.6, the up to now only automated formal approach to analog equivalence checking for nonlinear analog circuits that can directly operate on transistor netlist representations and behavioral models in VHDL-AMS is outlined.

An approach to equivalence checking for linear analog circuits with parameter tolerances is proposed in [HB98]. Based on the computation of outer bounds of the transfer functions using complex interval arithmetic, the over-estimated implementation of the circuit is compared with the inner bounds of a therewith underestimated specification function. Hence, sound results are obtained. Another approach dealing with linear circuits described by their frequency domain transfer functions considering parameter variations is presented in [SA01]. The phase and magnitudes over a defined frequency range are equivalence-checked using an envelope for the response comparison. A restriction to linear circuits is however not suited for a universal application to real-world problems.

Based on the PVS theorem prover, in [GV99] the functional equivalence of behavioral descriptions in VHDL-AMS and their synthesized analog circuits is checked by evaluating piecewise linear approximations of the analog behavior in the DC and low frequency domain. Due to the simplifications, this approach is not a complete verification methodology.

A state space sampling based approach for equivalence checking of nonlinear analog circuits was initially introduced in [HB95] with application to different CMOS inverters and extended in [HKH04] for application to a Schmitt-trigger, implemented as transistor netlist and behavioral description, as well as to a bandpass transistor circuit. An extension to improve handling of strongly nonlinear circuits by introducing structural recognition and mapping of eigenvalues to circuit elements and a reachability analysis was presented in [SH10a]. This allowed to additionally apply equivalence checking to the analog behavior of a NAND gate and a mixer circuit.

For both system implementations under verification, using a local linear transformation for each sample point to a canonical representation (Kronecker's canonical form) and by numerically integrating these linear local transformations, an approximation of the nonlinear transformation for the system is obtained. The numerical differences between both internal transformed dynamics and the output variables give a direct measure for the equality/difference of both systems.

While this approach can be successfully applied to behavioral models with an internal structure not too different from the modeled transistor block, strong abstraction of the behavioral model can result in reporting complete inequality. This is due to the need for an internal mapping of state variables, which is only possible with certain similarities in the systems' structure.

In the following subsection the VERA equivalence checking method from [HB95, HKH04, SH10a] is outlined, as it is the benchmark the new equivalence checking methodology developed in Section 5.6 will be compared to in Section 6.6.
4.5.3.1 The VERA Equivalence Checking Algorithm

The VERA equivalence checking algorithm focuses on circuit descriptions based on a system of implicit differential algebraic equations (DAEs) as introduced in Section 2.3.2.

In order to verify the equivalence of two circuits A and B represented as a DAE system, the following approach is conducted by the VERA algorithm:
• Sample the state space of both systems iteratively and perform the following transformation on each sample point.
• Transform the dynamics $f$ in the variable space spanned by $x$ and $u$ of each system into a canonical state space spanned by a vector $z^{(c)}(t)$ of $n_c$ canonical state variables $z_i^{(c)}(t)$ with $1 \le i \le n_c$. The transformation is defined by:
$x = F(z^{(c)}), \quad z^{(c)} = F^{-1}(x)$ (4.6)
• The dynamics will then be transformed according to:
$h(z^{(c)}(t), \dot{z}^{(c)}(t), u(t)) = f\left(F(z^{(c)}(t)), \frac{\partial F(z^{(c)}(t))}{\partial t}, u(t)\right)$ (4.7)
If the transformation is well chosen, the resulting system $h$ will have only $n_z$ nontrivial dynamic equations describing the system behavior. The remaining algebraic equations should be trivial (e.g. $0 = 0$).
Canonical State Space Comparison. After obtaining a canonical state space representation of both systems A and B, the transformed system functions $h_A$ and $h_B$ have to be compared in the canonical state space $z^{(c)}$. This assumes that both circuits A and B are transformed to canonical state space variables $z_A^{(c)}$ and $z_B^{(c)}$ with equal size $n_{z_A^{(c)}} = n_{z_B^{(c)}} = n_c$, using dominant pole order reduction for the system with more state space variables. The dynamics of the system functions can be compared by checking the values of the state derivatives $\dot{z}_A^{(c)}, \dot{z}_B^{(c)}$ to be equal for each state in the state space. This comparison is performed numerically, resulting in an error value with an appropriate norm:
$\epsilon_{\dot{z}} = \left\| \dot{z}_A^{(c)} - \dot{z}_B^{(c)} \right\|$ (4.8)
Obviously, this error will never be zero for analog circuits. Therefore, the user has to define an error value limit. If the error is below this limit in the whole reachable state space, the circuits are regarded as equivalent. This error is very sensitive to differences in the circuits under verification. For example, a relative error limit of 10% can be considered as appropriate. Besides the internal dynamics, using a selection matrix $R$, the output variables of the systems
$x^o_A = R_A \cdot F_A(z_A^{(c)}), \quad x^o_B = R_B \cdot F_B(z_B^{(c)})$ (4.9)
can be compared with a similar error measure:
$\epsilon_y = \left\| x^o_A - x^o_B \right\|$ (4.10)
Comparing the dynamics of the systems, as well as their output variables, assures that the dynamic and static behavior of the systems under verification have been considered for equivalence checking, resulting in high confidence in the obtained results. The described VERA equivalence checking methodology is summarized in Figure 4.6.
Figure 4.6: Structure of the VERA equivalence checking methodology. (Systems A and B under verification, given as behavioral descriptions, pass through state space sampling, transformation to canonical state spaces and determination of the error by comparison of the canonical state spaces.)
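The canonical state space comparison of Equations (4.8) to (4.10) as an added Python example, not the VERA implementation itself: it assumes both systems are already given in canonical coordinates of equal dimension (so the Kronecker transformation and the order reduction are taken as done) and uses constructed toy dynamics h_A, h_B and h_C in place of circuits. A relative error with an absolute floor is used because the state derivatives vanish at DC operating points, where a plain relative error would be undefined.

```python
"""VERA-style numerical equivalence check in canonical state space.

Added example (not the thesis's VERA implementation). Both systems are
assumed to be given in canonical coordinates z^(c) of equal dimension
n_c; the Kronecker transformation F and the dominant-pole order reduction
are taken as already done. The dynamics below are constructed toy
systems, not circuits from the thesis.
"""
from itertools import product
from math import sqrt


def norm(v):
    """Euclidean norm used for the error measures (4.8) and (4.10)."""
    return sqrt(sum(c * c for c in v))


def relative_error(a, b, floor=1e-9):
    """||a - b|| relative to the larger magnitude of the two vectors.

    At DC operating points the state derivatives are zero, so a plain
    relative error would divide by zero; below `floor` the difference is
    measured against the floor, i.e. effectively as an absolute error.
    """
    diff = norm([x - y for x, y in zip(a, b)])
    ref = max(norm(a), norm(b), floor)
    return diff / ref


# Constructed toy systems in canonical coordinates, written as the
# transformed dynamics z' = h(z, u) of a two-state lowpass. B deviates
# from A by 5 % in the damping term, C by 40 %. The output is
# x^o = R z with the selection matrix R = [1, 0].
def h_A(z, u):
    return (z[1], -1.0 * z[0] - 1.0 * z[1] + u)


def h_B(z, u):
    return (z[1], -1.0 * z[0] - 1.05 * z[1] + u)


def h_C(z, u):
    return (z[1], -1.0 * z[0] - 1.4 * z[1] + u)


def output(z):
    """x^o = R z with R = [1, 0]; shared by all three toy systems."""
    return (z[0],)


def sample_points(z_range=(-1.0, 1.0), u_range=(-1.0, 1.0), steps=5):
    """Regular grid over the (z, u) variable space, standing in for the
    iterative state space sampling of VERA."""
    def grid(lo, hi):
        return [lo + (hi - lo) * i / (steps - 1) for i in range(steps)]
    zs = grid(*z_range)
    return [((z0, z1), u) for z0, z1, u in product(zs, zs, grid(*u_range))]


def check_equivalence(hA, hB, outA, outB, points, limit=0.10):
    """Evaluate (4.8) for the derivatives and (4.10) for the outputs at
    every sample point; the systems count as equivalent only if every
    relative error stays below `limit` (10 % by default, as in the text)."""
    worst_dz = worst_y = 0.0
    for z, u in points:
        eps_dz = relative_error(hA(z, u), hB(z, u))
        eps_y = relative_error(outA(z), outB(z))
        worst_dz = max(worst_dz, eps_dz)
        worst_y = max(worst_y, eps_y)
    return {"equivalent": worst_dz < limit and worst_y < limit,
            "max_eps_dz": worst_dz, "max_eps_y": worst_y}


if __name__ == "__main__":
    pts = sample_points()
    print("A vs B:", check_equivalence(h_A, h_B, output, output, pts))
    print("A vs C:", check_equivalence(h_A, h_C, output, output, pts))
```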
5 Analog Formal Verification Methodologies

A framework of new analog formal verification methodologies has been developed around the newly introduced specification language ASL and the corresponding verification algorithms. As will be described in this chapter, fundamental formal verification methods such as model checking and equivalence checking are enhanced by the ASL verification algorithms and the improved discrete model generation using the newly introduced trajectory-directed discretization approach. Moreover, new verification concepts such as transient simulation with complete state space-covering input stimuli will be introduced. In combination with the counterexample generation, the application of ASL specifications to conventional transient simulation waveforms and new visualization approaches for the verification results, a set of new verification methodologies has been developed which will be combined into an analog verification framework (AVF).

5.1 New Verification Methodologies for the Analog Design Flow

Figure 5.1 illustrates the possibilities of the new AVF, offering several combinations of different modeling and verification approaches. The possible verification methodologies are outlined in the following and detailed in the subsequent sections of this chapter.

Figure 5.1: Analog verification framework for different verification methodologies.
5.1.1 Verification Methodology Perspective

Starting from a behavioral or transistor netlist representation of an analog circuit, a discrete state space model for each circuit under verification is generated using the new approach presented in Section 2.4.4. Alternatively, conventional transient simulation results from test bench-based verification can be transferred into a partial state space representation which then can be processed by the verification algorithms accordingly, as will be described in Section 5.3. To the discrete state space model of the circuit, the following verification methodologies can be applied:
• The state space model can be checked against an ASL property specification, which is the method of property checking or model checking (see Section 5.2).
• From identified state space regions that violate the specification, counterexample stimuli can be generated, which then in turn can be used in a test bench simulation environment to analyze the specification-violating behavior (see Section 5.4).
• By a systematic traversal of the DATS model, complete state space-covering piecewise linear input stimuli can be generated (see Section 5.5). Based on these complete-coverage input stimuli (CCIS), three sub-methodologies are available:
– The CCIS can be used in test bench-based simulation environments for manual analysis of the transient response to these stimuli that guide the simulator into every reachable state of the analog circuit.
– The transient simulation response to the CCIS can be re-transferred into a state space representation for evaluation of assertions specified in ASL. This is an alternative model checking approach with the advantage of not introducing a discrete modeling error, due to directly operating on the results of the transient simulation, providing high accuracy of measured values (see Section 5.5.1).
– By generating CCIS for two circuits under verification and then comparing the deviation of the transient responses to the stimuli of both circuits using a specific ASL specification, a formal equivalence checking methodology is given, due to the transient responses of both circuits being directed to every reachable state (see Section 5.6).

In order to interactively explore the state space dynamics of an analog circuit, an approach to multi-parallel particle simulation will be introduced in Section 5.7, which complements the insight into acquired verification results of the verification examples in Chapter 6.
5.1.2 Design Flow Perspective

Another perspective on the application of the new verification methodologies in the analog circuit design flow is presented by considering a top-down design flow consisting of an ASL property specification that is transferred into an abstract behavioral model for the circuit design. Subsequently, a transistor circuit implementation for the circuit blocks is developed. Finally, after layout, an extracted version of the circuit can be considered.

Within this flow, the three major verification concepts can be applied to different design levels as illustrated in Figure 5.2. These concepts are assertion-based verification (ABV) by evaluating ASL specifications on transient simulation waveforms that can either be generated by user-defined input stimuli or CCIS, ASL model checking, and equivalence checking with CCIS. A connection between two abstraction levels in the illustration corresponds to the possibility to apply the verification methodology.

ASL evaluation on transient simulation waveforms can be used to automatically check an ASL property specification against every level of abstraction. ASL model checking again can be applied to every level with the limitation that extracted blocks have to be processable by the discrete modeling approach. If too many parasitic capacitances occur, an approach to constrain the state space variables by an eigenvalue-based model order reduction, as discussed in Section 2.4.4.7, has to be applied. Equivalence checking using the methodology of automatically comparing transient simulation waveforms that have been generated using CCIS can be applied to compare any two levels of abstraction. However, at least one has to be modeled as a DATS for stimuli generation and both have to be processable by transient simulation.

Figure 5.2: New verification methodologies in the analog design flow. (Abstraction levels: ASL Property Specification, Behavioral Models, Transistor Circuit Blocks, Extracted Circuit Blocks from Layout, connected by synthesis, synthesis and layout steps; methodologies: ASL ABV on Simulation Waveforms, ASL Model Checking, Complete-Coverage Stimuli-EC.)
5.2 ASL Property Specification and Verification Methodology

With the introduction of the trajectory-directed discretization generating DATS models of analog circuits with higher accuracy in Section 2.4.4 and the definition of ASL in Section 3.5, a property specification methodology for ASL shall be introduced in the following. Therewith, methodologies for circuit overshoot, advanced oscillation properties and for the startup time of autonomous circuits will be described. With these specification methodologies, the verification algorithms can automatically compute the model checking results without user interaction, reporting the acquired results in a verification report, which will be demonstrated in Chapter 6.
5.2.1 Specification of Circuit Overshoot

For many types of circuits, the range of the output signal shall be constrained for a defined input range. However, there are circuits such as active filter circuits that tend to overshoot. This means that, depending on the input signal shape and frequency, output values higher than the expected output range can occur. Such a behavior is illustrated in Figure 5.3, where the dotted trajectory starting in a DC operating point of the circuit exceeds the output range of the DC transfer function for the defined input voltage range. In the following, an ASL specification methodology for identifying such overshoot in a circuit's state space and measuring the overshoot ratio will be described.

Figure 5.3: Overshoot of the output voltage caused by a trajectory in the state space. (Axes: V_in, X1, V_out; marked: input range, output range, overshoot, DC transfer function.)

All verification steps shall be conducted on the reachable states of the circuit under verification. Hence, the set of states reachable from DC operating points is identified:
reachable = on all reach from DCpoints;
On this set reachable of reachable states, the minimum and maximum of the input and output voltages are assigned to number variables:
on reachable assign(%min_V_in,min) assign(%max_V_in,max) value(V_in);
on reachable assign(%min_V_out,min) assign(%max_V_out,max) value(V_out);
With these data, the overshoot ratio can be calculated by dividing the output voltage range by the input voltage range:
%overshoot_ratio = (%max_V_out-%min_V_out)/(%max_V_in-%min_V_in);
Finally, an assertion can be formulated that checks that the overshoot ratio stays between the user-defined specification values %min_spec_value and %max_spec_value:
for %overshoot_ratio assert [%min_spec_value, %max_spec_value];
The result of the assertion as well as the measured voltage ranges are printed into the verification report for easy evaluation of the verification run.
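The overshoot methodology above as an added Python example, not ASL or the thesis's tooling: it walks the same steps on a constructed DATS with flagged DC operating points, with breadth-first reachability standing in for "on all reach from DCpoints", followed by the range, ratio and assertion steps. The state graph, its voltages and the specification bounds are all constructed here for illustration.

```python
"""Overshoot ratio check on a DATS, following the ASL methodology of
Section 5.2.1. Added example (not ASL or the thesis's implementation).
The discrete state graph, its DC operating points and the specification
bounds are constructed here for illustration.
"""
from collections import deque

# Constructed DATS: state id -> (V_in, V_out, successor state ids).
# States 0..3 lie on the DC transfer function (V_out = 2 * V_in).
# States 4 and 5 form a transient excursion above the DC output range
# that is reachable from DC point 3; state 6 is a discretization
# artefact that no DC point can reach and must be ignored.
DATS = {
    0: (0.0, 0.0, [1]),
    1: (0.5, 1.0, [2, 0]),
    2: (1.0, 2.0, [3, 1]),
    3: (1.5, 3.0, [4, 2]),
    4: (1.5, 3.6, [5]),     # overshoot: V_out above 2 * V_in
    5: (1.5, 3.2, [3]),
    6: (1.5, 5.0, [3]),     # not reachable from any DC point
}
DC_POINTS = [0, 1, 2, 3]


def reach_from(dats, starts):
    """ASL 'reachable = on all reach from DCpoints': every state reachable
    from the start states along DATS transitions, the starts included."""
    seen = set(starts)
    queue = deque(starts)
    while queue:
        state = queue.popleft()
        for nxt in dats[state][2]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def value_range(dats, states, index):
    """ASL 'on <set> assign(%min,min) assign(%max,max) value(<signal>)';
    index 0 selects V_in, index 1 selects V_out."""
    values = [dats[s][index] for s in states]
    return min(values), max(values)


def overshoot_ratio(dats, dc_points):
    """'%overshoot_ratio = (max_V_out-min_V_out)/(max_V_in-min_V_in)'
    over the reachable states. Returns the ratio and both ranges."""
    reachable = reach_from(dats, dc_points)
    min_in, max_in = value_range(dats, reachable, 0)
    min_out, max_out = value_range(dats, reachable, 1)
    if max_in == min_in:
        # A single input value gives no input range; the ratio is
        # undefined rather than infinite, so report it as an error.
        raise ValueError("input voltage range of the reachable set is empty")
    ratio = (max_out - min_out) / (max_in - min_in)
    return ratio, (min_in, max_in), (min_out, max_out)


def assert_in_range(value, lo, hi):
    """ASL 'for %x assert [lo, hi]' as a Boolean result."""
    return lo <= value <= hi


def verification_report(dats, dc_points, min_spec_value, max_spec_value):
    """The quantities the thesis prints into the verification report:
    measured ranges, the overshoot ratio and the assertion result."""
    ratio, v_in, v_out = overshoot_ratio(dats, dc_points)
    return {
        "V_in_range": v_in,
        "V_out_range": v_out,
        "overshoot_ratio": ratio,
        "passed": assert_in_range(ratio, min_spec_value, max_spec_value),
    }


if __name__ == "__main__":
    # DC gain is 2; a spec of [1.8, 2.2] fails because of states 4 and 5.
    print(verification_report(DATS, DC_POINTS, 1.8, 2.2))
```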
5.2.2 Specification of Oscillation and Voltage Controlled Oscillator Gain $K_{VCO}$

For oscillator circuits, a specification methodology for verification of oscillation will be introduced in the following. Additionally, for voltage controlled oscillators (VCOs), a specification methodology for verification of the VCO gain $K_{VCO}$ will be presented.

In the time domain, oscillation is represented by a periodic behavior of a circuit variable as shown in Figure 5.4(a). Transferred to the continuous state space, a cyclic path between at least two state space variables can be identified as illustrated in Figure 5.4(b). This results in a set of states connected to a cycle in the DATS as shown in Figure 5.4(c).

Figure 5.4: Oscillation in the time domain (a), in the continuous state space (b) and in the DATS (c).

The simple check whether there is an oscillation within a defined oscillation period range between %spec_min and %spec_max in the considered circuit model can be formulated in ASL as follows:
assign(%oscillation_period_min, min) oscillation;
assign(%oscillation_period_max, max) oscillation;
for %oscillation_period_min assert [>= %spec_min];
for %oscillation_period_max assert [<= %spec_max];
Now, a systematic methodology for verifying the oscillator gain KVCO, represented by
the sensitivity relation between the control input voltage and the oscillation frequency
of a VCO, is introduced. Thus, the input voltage has to be constrained to different
values and at each of these input voltages the oscillation frequency is determined as
illustrated in Figure 5.5.
[Figure 5.5: waveforms of V_in, X1 and V_out for the four input voltages V1, V2, V3 and V4]
Figure 5.5: Schematic illustration of oscillations for different input voltages V1, V2, V3
and V4.
Comparing each two oscillation frequencies f_osc of consecutive input values to their
input voltage difference, the sensitivity
$$K_{VCO} = \frac{\partial f_{osc}}{\partial V_{in}} \qquad (5.1)$$
can be determined. In the following methodology, only two different input values are
considered for the purpose of clarity. Considering more than two input values, the
deviation between the calculated local factors KVCO provides information about the
linearity of the VCO.
At ﬁrst, the constrained input voltage areas in the state space have to be assigned
to set variables as follows:
inp_set_1 = value(V_in)
[%inp_voltage_1 - %range_size/2, %inp_voltage_1 + %range_size/2];
%inp_voltage_2 = %inp_voltage_1 + %inp_step;
inp_set_2 = value(V_in)
[%inp_voltage_2 - %range_size/2, %inp_voltage_2 + %range_size/2];
On the selected state space slices, oscillation periods are determined. Although the
average oscillation period for a given input voltage is considered, this approach is
valid for the minimum or maximum oscillation period just as well:
osci_set_1 = on inp_set_1 assign(%osci_period_1, average) oscillation;
osci_set_2 = on inp_set_2 assign(%osci_period_2, average) oscillation;
Subsequently, the factor of change of the oscillation frequencies and the input voltages
are determined:
%frequency_delta = (1/%osci_period_2) - (1/%osci_period_1);
%input_delta = %inp_voltage_2 - %inp_voltage_1;
In the ﬁnal step, for the VCO gain property %K_VCO, calculated according to Equation
5.1, an assertion is speciﬁed. The gain is asserted to be within a percental range speci-
ﬁed by the number variable %tolerance around the speciﬁed value %K_VCO_spec:
%K_VCO = %frequency_delta / %input_delta;
for %K_VCO assert [%K_VCO_spec - %tolerance/2, %K_VCO_spec + %tolerance/2];
5.2.3 Speciﬁcation of the Startup Time of Autonomous Circuits
The startup time of a circuit is defined as the time from applying the supply voltage
until the circuit reaches a desired output behavior, which is in the following considered
equivalent to reaching a certain output voltage range.
In the state space, the maximum startup time is deﬁned by the longest transition
time among all possible paths leading from the initial state area to the destination area.
Figure 5.6 illustrates the startup transition paths in a state space.
For a systematic speciﬁcation of the startup time property in ASL, we deﬁne the
initial conditions of the circuit. Hence, the corresponding start area in state space is
selected by constraining the considered state space variables V_out, X1 and X2. This
resulting start area is assigned to the set variable startarea:
startarea = value(V_out)[< 0.1] and value(X1)[< 0.1] and value(X2)[< 0.1];
The area reachable from the start area represents all possible system states for the given
initial condition. The states reachable from the set startarea are assigned to the set
variable reachable:
reachable = reach from startarea;
In practical applications, the minimum required output voltage for the destination area
could be directly assigned with a speciﬁcation parameter. For a worst-case analysis of
the startup time, 90% of the maximum output voltage within the reachable state space
area are assigned to the number variable %max_voltage instead. This is considered
as the worst-case upper bound for the steady state output behavior:
Figure 5.6: Schematic illustration of startup transition paths.
on reachable assign(%max_voltage, max) 0.9*value(V_out);
By calculating the maximum time needed for the transition from the start area to the
area with the maximum output voltage, an upper bound for the startup time of the
examined circuit is acquired:
assign(%startup_time, max) transition from startarea
to value(V_out)[>= %max_voltage];
The ﬁnal step asserts that the required output voltage is reached and that the startup
time for reaching this area never exceeds the speciﬁed upper bound:
for %max_voltage assert [>= %spec_parameter1];
for %startup_time assert [<= %spec_parameter2];
5.3 ASL Property Verification on Transient Simulation Waveforms
In order to obtain a wider ﬁeld of application for ASL property speciﬁcation and evalu-
ation, and to develop another formal property veriﬁcation methodology in Section 5.5,
evaluation of ASL property speciﬁcations shall be extended from discrete state space
models to analog transient simulation waveforms. Therefore, the simulation wave-
forms have to be transferred into a state space representation as DATS to be introduced
into the ASL veriﬁcation toolchain.
Transient simulation data consists of data tuples containing a sequence of signal
values and their corresponding time points for every investigated node voltage or
branch current of the circuit under veriﬁcation. A transient waveform for such a single
signal $s_i$ is a sequence $s_i(t_0), s_i(t_1), \ldots, s_i(t_n)$.
Definition 5.3.1 (Path $\pi_{tr}$ in State Space generated from Transient Simulation Waveforms)
From a set of transient simulation waveforms for different signals, the sequence of
states is a path $\pi_{tr}$ in the DATS state space model determined by the vector of the $m$
signal values $s_i(t_j)$ with $1 \le i \le m$ for each time point $t_j$:
$$\pi_{tr} = \sigma_{t_0}, \sigma_{t_1}, \ldots, \sigma_{t_n} \quad \text{with} \quad L_V(\sigma_{t_j}) = \begin{pmatrix} s_1(t_j) \\ s_2(t_j) \\ \vdots \\ s_m(t_j) \end{pmatrix} \quad \text{for all } 0 \le j \le n \qquad (5.2)$$
The transition relation is connecting consecutive states and the transition times are
determined by the time steps of the transient simulation waveforms:
$$T(R(\sigma_{t_j}, \sigma_{t_{j+1}})) = t_{j+1} - t_j \qquad (5.3)$$
The generation of a path πtr in the DATS is illustrated in Figure 5.7. Due to the
transition times now being deﬁned by the labels of the graph transitions, a time axis is
obsolete but plotted for better understanding.
As illustrated in Figures 5.8(a) and 5.8(b) for two periodic signals, their combined
state space representation in Figure 5.8(c) forms a circle by mapping both signals to a
plot over axis s1(t) and s2(t). For the state space representation of transient signals,
a detection of periodic behavior is necessary for creating closed cycles for oscillation
detection. With a defined tolerance interval $\epsilon$, for each vertex $\sigma_{t_r}$ it is checked whether
its coordinate vector $p^{(t_r)} = L_V(\sigma_{t_r})$ maps to the coordinate vector of another vertex
$p^{(t_s)} = L_V(\sigma_{t_s})$:
$$\sigma_{t_r} \equiv \sigma_{t_s} \;\Leftrightarrow\; \forall\, 1 \le i \le m : \left| p^{(t_r)}_i - p^{(t_s)}_i \right| < \epsilon \qquad (5.4)$$
In this case, the transitions from predecessors and to successors of $\sigma_{t_s}$ are connected to
$\sigma_{t_r}$:
$$R = R \cup \{(\sigma_{t_{s-1}}, \sigma_{t_r}), (\sigma_{t_r}, \sigma_{t_{s+1}})\} \qquad (5.5)$$
Finally, the transitions connecting $\sigma_{t_s}$ are removed as well as $\sigma_{t_s}$ itself:
$$R = R \setminus \{(\sigma_{t_{s-1}}, \sigma_{t_s}), (\sigma_{t_s}, \sigma_{t_{s+1}})\} \;\wedge\; \Sigma = \Sigma \setminus \{\sigma_{t_s}\} \qquad (5.6)$$
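The path construction of Equations 5.2 and 5.3 and the state merging of Equations 5.4 to 5.6, as an added Python example that is not part of the thesis; the two quadrature waveforms, the sampling step and the tolerance value are constructed for the demonstration:

```python
"""Added example (not the thesis's own code): converting transient simulation
waveforms into a DATS path (Eq. 5.2/5.3) and merging states whose value
vectors coincide within a tolerance eps (Eq. 5.4-5.6), so that a periodic
signal pair closes into a cycle whose total transition time is the
oscillation period.  The sample waveforms at the bottom are constructed."""
import math
from typing import Dict, List, Optional, Tuple

Vector = Tuple[float, ...]
States = Dict[int, Vector]                   # L_V: vertex -> value vector
Transitions = Dict[Tuple[int, int], float]   # R with T(R(a, b)) = time step


def waveforms_to_path(times: List[float], signals: List[List[float]]):
    """Eq. 5.2/5.3: state sigma_{t_j} carries (s_1(t_j), ..., s_m(t_j)); the
    transition (sigma_{t_j}, sigma_{t_{j+1}}) is labelled with t_{j+1} - t_j."""
    n = len(times)
    if any(len(s) != n for s in signals):
        raise ValueError("all signals must share the time points")
    LV: States = {j: tuple(s[j] for s in signals) for j in range(n)}
    R: Transitions = {(j, j + 1): times[j + 1] - times[j] for j in range(n - 1)}
    return LV, R


def merge_equivalent_states(LV: States, R: Transitions, eps: float):
    """Eq. 5.4-5.6: when vertex t_s maps onto an earlier vertex t_r within eps,
    redirect the predecessor and successor transitions of t_s to t_r and
    delete t_s together with its own transitions."""
    LV, R = dict(LV), dict(R)
    for ts in sorted(LV):
        for tr in sorted(LV):
            if tr >= ts:
                break
            if all(abs(a - b) < eps for a, b in zip(LV[tr], LV[ts])):   # Eq. 5.4
                preds = [(a, R.pop((a, b))) for (a, b) in list(R) if b == ts]
                succs = [(b, R.pop((a, b))) for (a, b) in list(R) if a == ts]
                for a, t in preds:
                    R[(a, tr)] = t          # Eq. 5.5, predecessor side
                for b, t in succs:
                    R[(tr, b)] = t          # Eq. 5.5, successor side
                del LV[ts]                  # Eq. 5.6: sigma_{t_s} removed
                break
    return LV, R


def find_cycle(R: Transitions, start: int) -> Tuple[Optional[List[int]], float]:
    """Follow the transitions from start; return (cycle, period) if the walk
    returns to a vertex already visited, else (None, 0.0)."""
    succ: Dict[int, int] = {}
    for a, b in R:
        succ.setdefault(a, b)       # a path has one successor per vertex
    order: List[int] = []
    cur = start
    while cur not in order:
        order.append(cur)
        if cur not in succ:
            return None, 0.0        # open path: no oscillation detected
        cur = succ[cur]
    cycle = order[order.index(cur):]
    period = sum(R[(a, b)] for a, b in zip(cycle, cycle[1:] + cycle[:1]))
    return cycle, period


def sample_periodic(period: float, dt: float, n_points: int):
    """Constructed sample: two quadrature signals s1 = sin, s2 = cos."""
    times = [k * dt for k in range(n_points)]
    s1 = [math.sin(2 * math.pi * t / period) for t in times]
    s2 = [math.cos(2 * math.pi * t / period) for t in times]
    return times, [s1, s2]
```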
[Figure 5.7: input and output waveforms V_in(t) and V_out(t) over t and the resulting graph over V_in and V_out]
Figure 5.7: Graph structure obtained by transient simulation waveforms.
[Figure 5.8: panels (a) s1(t) over t, (b) s2(t) over t, (c) s2(t) plotted over s1(t)]
Figure 5.8: Periodic transient signal waveforms s1(t) (a) and s2(t) (b). State space rep-
resentation of periodic signals s1(t) and s2(t) (c).
Figure 5.9 illustrates the ASL assertion-based verification flow for use with transient
simulation waveforms.
As will be demonstrated by application to practical examples in Chapter 6, a joint
ASL property speciﬁcation can be used for automated transient signal evaluation as
well as for a formal veriﬁcation of the circuit’s properties, sharing the same veriﬁcation
algorithms. For analog designers, this offers the possibility to get used to formalized
property speciﬁcation without changing their familiar design environment, increasing
understanding and acceptance of a future application of formal veriﬁcation.
5.4 Counterexample Generation for Model Checking
The speciﬁcation of analog circuit properties using the ASL methodology introduced
in Section 5.2 allows to identify regions in the state space of an analog circuit that
violate the speciﬁcation. In order to understand how the circuit behavior reaches such
a region, a counterexample can be generated corresponding to the general concept of
counterexample paths in model checking as deﬁned in Section 4.3.1.
[Figure 5.9: flow diagram; Input Stimuli and the Analog Circuit feed the Circuit Simulator, whose simulation waveforms V(t) pass through the Stimuli to DATS Conversion (transform waveforms to DATS state space representation) into the DATS Model; the ASL Model Checker evaluates the ASL Property Specification on it and produces the Verification Report]
Figure 5.9: ASL assertion-based verification flow for transient simulation results trans-
ferred to a state space representation.
Definition 5.4.1 (Counterexample on a DATS)
A counterexample for the analog circuit model represented as DATS is a path $\pi_{ce}$ from
a defined starting state $\sigma_0$ to the set of states $\phi$ violating the specification:
$$\pi_{ce} = \sigma_0, \ldots, \sigma_i : \exists\, i \ge 0 \text{ with } \sigma_i \in \phi \qquad (5.7)$$
On such paths, for every extended state space variable, the values of this variable
and the corresponding transition times can be recorded for every state transition on the
path due to the structure of the DATS. This yields a piecewise linear signal trace over
time which can then be visually inspected by the veriﬁcation engineer. Moreover, by
generating such a signal trace for every input variable of the circuit, piecewise linear
input stimuli are obtained which can be directly simulated in a circuit test bench.
The starting state for the counterexample input stimulus should be an initial con-
dition that can be easily implemented in the simulation test bench, which for most
circuit applications is provided by DC-operating-points. Given that the veriﬁcation al-
gorithms already checked the reachability of the states violating the speciﬁcation from
DC-operating-points, any transition path starting in a DC-operating-point and ending
in the destination set can be used for determining the piecewise linear signal trace. In
the DATS, more than one path between the starting state and the destination set can
exist. However, as the runtime of transient simulation increases with the time length
of the input stimulus to simulate as the counterexample, an efﬁcient counterexample
generation algorithm operating on the DATS should report the path with the shortest
overall path time. This path time is the sum of the individual transition times of the
transitions visited on the path.
The shortest path in the DATS can be determined by Dijkstra’s single source short-
est path algorithm [Dij59] which directly outputs the shortest path from the starting
state to every other reachable state of the graph structure. Hence, for every state of the
set of speciﬁcation violating states, a counterexample stimulus is generated with an
overall worst-case runtime complexity of $O(n^2)$ where n is the number of vertices in
the DATS. Algorithm 5 denotes the method of counterexample waveform generation.
Algorithm 5: Counterexample Generation Algorithm.
Input: DATS modeling the analog circuit,
       vertex σi representing a DC-operating-point,
       set φ of vertices identified as violating the specification
Output: List of tuples (value, time) representing piecewise linear waveforms for
        every input and state space variable of the circuit under verification
    foreach vertex σj in φ reachable from σi do
        calculate shortest path σi → σj using Dijkstra's algorithm;
        foreach vertex σk visited on path σi → σj do
            store value vector LV(σk) and accumulated transition path time;
        end
    end
The introduced counterexample generation algorithm on the one hand directly al-
lows to visually inspect the signal traces leading from DC-operating-points to states
violating the speciﬁcation. On the other hand, by using the piecewise linear wave-
forms for the input variables as input stimuli in a transient simulation test bench, the
results from model checking on an analog circuit modeled as DATS can be transferred
back into a conventional transient simulation-based veriﬁcation ﬂow. Therewith, the
conﬁdence in the obtained formal veriﬁcation results can be increased as they can be
examined in the framework the veriﬁcation engineer is used to.
5.4.1 Counterexample Generation in the ASL Veriﬁcation Flow
In the ASL veriﬁcation ﬂow, the operation counterexample is used to generate a set
of piecewise linear signal traces. In the following example, the voltage over a capacitor
C1 shall be limited to 1 V. Hence, if there is an overshoot of the voltage, the input stim-
ulus shall be examined that leads to this set bad_states of states where the voltage
is above the speciﬁed value:
bad_states = select value(V_C1)[>1];
With this set, the counterexamples can now be generated by calling the operation
counterexample with the set DCpoints of DC-operating-points as starting set and
the set bad_states as destination set for the algorithm:
counterexample from DCpoints to bad_states;
5.5 Complete-Coverage Input Stimuli Generation
As has been discussed in previous sections, model checking proves the absence of
faults in every possible state of a system, regardless of the input conditions. However,
the need for a completely different way of thinking when dealing with model checking
and formal property speciﬁcation is a challenge that can only be overcome step by
step. While the introduction of designer-oriented methodologies for model checking
using ASL can facilitate the access to formal methods, gaining acceptance will be an
incremental process.
Consequently, there is a need for formal approaches that seamlessly integrate in
existent simulation-based design ﬂows. For this purpose, a novel algorithm for for-
mal automatic input stimuli generation will be proposed in this section. It is combin-
ing a formal approach and conventional transient circuit simulation into a veriﬁcation
methodology that overcomes the incompleteness of experiment-based transient sim-
ulation and the expected difﬁculties of analog designers to adapt to model checking
approaches.
Derived from the counterexample generation approach introduced in the previous
section, input stimuli covering the complete reachable area of the state space of the
analog circuit can be computed by traversing the graph modeling an analog circuit
as a DATS. Basically, the idea is to visit every reachable state of the graph structure
and recording the input values and accumulated times of traveled edges during graph
traversal. This concept corresponds to efﬁciently generating a piecewise linear coun-
terexample input stimulus for every reachable state of the DATS model.
Definition 5.5.1 (Complete State Space-Covering Input Stimulus on a DATS)
A complete state space-covering input stimulus for the analog circuit model repre-
sented as DATS is a path $\pi_{is}$ from a defined starting state $\sigma_0$ that visits every state of
the set of reachable states $\phi$ of the DATS. The set $\Pi_{is}$ consists of all $\pi_{is}$ satisfying this
requirement.
$$\Pi_{is} = \{\pi_{is} \mid \exists n : \pi_{is} = \sigma_0, \ldots, \sigma_n \;\wedge\; \bigcup_{0 \le i \le n} \sigma_i = \phi\} \qquad (5.8)$$
$$\pi_{is} \in \Pi_{is} \qquad (5.9)$$
Moreover, depending on the veriﬁcation methodology where the complete state
space-covering input stimuli will be applied, it can be necessary not only to cover ev-
ery state of the DATS but also to cover every transition of the DATS. This corresponds
to the idea not only conducting a subsequent transient simulation that brings the sys-
tem under veriﬁcation into every reachable state but also allowing to simulate every
possibility how every state can be reached. In the following, the algorithm assumes
the goal of complete state and dynamic transition coverage. In order to do this more
efﬁciently than just generating a sequence of counterexamples, an algorithm is needed
which satisﬁes the following requirements:
• When the algorithm terminates, every reachable state and dynamic transition of
the circuit model, represented by the vertices and edges of the graph, must have
been visited at least once.
• The number of travelled edges on the paths covering the complete state space
shall be minimized as each timed transition taken between two vertices of the
graph results in an increment of the time length of the input stimulus and is
therefore affecting simulation time.
• During stimulus generation, if available, vertices representing DC-operating-
points shall be visited periodically. This ensures that the circuit can recover from
the traversal of corners of its dynamic behavior by starting and ending in its
steady states.
Combining the above requirements into an algorithm reveals the NP-hardness of the
optimization problem as it is a modiﬁcation of the traveling salesperson problem
[GJ79]. Accordingly, a heuristic approach is necessary for efﬁcient computation. Due
to the fact that any path that covers all reachable edges and states of the graph is a valid
solution, an efﬁcient algorithm using a heuristic approach will produce a valid solu-
tion with an assumed suboptimal path length. Algorithm 6 shows a possible efﬁcient
approach and is described in the following.
For a given DC-operating-point σi, the algorithm computes a list of tuples (value,
time) representing piecewise linear stimuli for every input variable covering the com-
plete state space. Initialization of variables includes setting the set open to all reachable
edges and initializing the set closed as empty in lines 1 and 2. Starting in line 3, for each
Algorithm 6: Complete-Coverage Input Stimuli Generation Algorithm.
Input: DATS modeling the analog circuit,
       vertex σi representing a DC-operating-point
Output: List of tuples (value, time) representing piecewise linear stimuli for
        every input variable covering the complete state space
 1  open = all reachable dynamic edges;
 2  closed = ∅;
 3  foreach edge j reachable from σi in open do
 4      calculate path covering as many edges as possible from σi → j → σi avoiding
        edges in closed;
 5      foreach edge k visited on path σi → j → σi do
 6          put k to closed;
 7          remove k from open;
 8          store value vector LV(σl) of visited vertices σl and path time;
 9      end
10  end
edge j in the set open, a path covering as many edges as possible from σi → j → σi
is computed avoiding edges in the set closed in line 4. Line 5 iterates over each edge k
visited on the computed path σi → j → σi and puts k to the set closed in line 6, removes
it from set open in line 7 and stores the parameter tuple creating the piecewise linear
stimulus to a ﬁle in line 8.
The implicitly mentioned path ﬁnding algorithm in line 4 can be any form of a
modiﬁed longest path ﬁnding algorithm such as Dijkstra’s applied with negative edge
weights for longest path detection. Longest path detection is possible efﬁciently by
modifying the path detection algorithm not to travel loops more than once and hence
considering the DATS as an acyclic directed tree graph with the start vertex being
added as a leaf vertex for closing single loop runs. For obtaining the longest path with
respect to the number of vertices visited, edge weights have to be set to −1. Other
optimization criteria are possible, such as considering euclidean vertex distance or
the original edge weights containing transition time values. At ﬁrst, computing the
shortest time path might seem like an obvious solution, but as the goal of the stimuli
generation algorithm is complete edge and vertex coverage, the number of inevitably
revisited edges during single closed loop runs has shown to be high, resulting in worse
overall stimuli time length.
In order to avoid revisiting edges, all edges in the set closed have to be assigned
with a positive value. Trying to minimize the sum of edge weights, the path ﬁnding
algorithm will automatically avoid those edges that are contrary to the optimization
criterion.
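Algorithm 5 (counterexample generation, Section 5.4) and Algorithm 6 (complete-coverage stimuli generation) on one small DATS, as an added Python example that is not the thesis's implementation; the five-vertex DATS, its transition times and the cost assigned to already covered edges are assumptions, and line 4 of Algorithm 6 is simplified to a weighted Dijkstra search instead of the longest-path search described above:

```python
"""Added example (not the thesis's own code): counterexample generation
(Algorithm 5) and a simplified complete-coverage stimulus generation
(Algorithm 6) on a small constructed DATS.  Vertices carry a value vector
L_V = (V_in, V_out); edges carry their transition time in microseconds."""
import heapq
from typing import Callable, Dict, List, Optional, Set, Tuple

Edge = Tuple[int, int]

# Hypothetical DATS: vertex -> (V_in, V_out); edge -> transition time (us)
LV: Dict[int, Tuple[float, float]] = {
    1: (0.0, 0.0), 2: (0.5, 0.2), 3: (1.0, 0.6), 4: (1.0, 1.2), 5: (0.0, 0.4),
}
EDGES: Dict[Edge, float] = {
    (1, 2): 1.0, (2, 3): 2.0, (3, 4): 1.0, (4, 5): 3.0,
    (5, 1): 1.0, (2, 5): 1.0, (3, 1): 4.0,
}


def dijkstra(src: int, weight: Callable[[Edge], float]):
    """Single-source shortest paths [Dij59]; weight() must be non-negative."""
    dist, prev = {src: 0.0}, {}
    heap = [(0.0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue                      # stale heap entry
        for (a, b) in EDGES:
            if a != u:
                continue
            nd = d + weight((a, b))
            if nd < dist.get(b, float("inf")):
                dist[b], prev[b] = nd, u
                heapq.heappush(heap, (nd, b))
    return dist, prev


def path_to(prev: Dict[int, int], src: int, dst: int) -> Optional[List[int]]:
    """Reconstruct src -> dst from the predecessor map; None if unreachable."""
    if dst != src and dst not in prev:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def stimulus(path: List[int]) -> List[Tuple[Tuple[float, float], float]]:
    """Value vectors of the visited vertices with accumulated path time, i.e.
    the (value, time) tuples of a piecewise linear waveform."""
    out, elapsed = [(LV[path[0]], 0.0)], 0.0
    for a, b in zip(path, path[1:]):
        elapsed += EDGES[(a, b)]
        out.append((LV[b], elapsed))
    return out


def counterexample(dc_point: int, bad_states: Set[int]):
    """Algorithm 5: for every violating vertex reachable from the DC point,
    the shortest-time path as (value vector, accumulated time) tuples."""
    _, prev = dijkstra(dc_point, lambda e: EDGES[e])
    traces = {}
    for sigma_j in bad_states:
        path = path_to(prev, dc_point, sigma_j)
        if path is not None:              # unreachable: no counterexample
            traces[sigma_j] = stimulus(path)
    return traces


CLOSED_COST = 1000.0   # cost of an already covered edge (assumption)


def coverage_loops(dc_point: int) -> List[List[int]]:
    """Simplified Algorithm 6: for each open edge j = (u, v) drive sigma_i -> u,
    take j, return v -> sigma_i, preferring uncovered edges.  The thesis uses a
    longest-path search in line 4; the weighted Dijkstra is a simplification."""
    reach, _ = dijkstra(dc_point, lambda e: 1.0)
    open_edges = {e for e in EDGES if e[0] in reach}   # line 1
    closed: Set[Edge] = set()                          # line 2
    loops = []
    while open_edges:                                  # line 3
        j = min(open_edges)                            # deterministic choice
        weight = lambda e: CLOSED_COST if e in closed else 1.0
        _, prev_out = dijkstra(dc_point, weight)
        _, prev_back = dijkstra(j[1], weight)
        to_u = path_to(prev_out, dc_point, j[0])
        back = path_to(prev_back, j[1], dc_point)
        if to_u is None or back is None:
            open_edges.discard(j)         # edge cannot be closed into a loop
            continue
        loop = to_u + back                # to_u ends at u, back starts at v
        for k in zip(loop, loop[1:]):     # lines 5-7
            closed.add(k)
            open_edges.discard(k)
        loops.append(loop)                # line 8: stimulus(loop) is the waveform
    return loops
```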
The asymptotic runtime complexity of the stimuli generation algorithm for a graph
with n reachable edges is dominated by the loop over each edge in the set open and the
call to Dijkstra’s algorithm having quadratic complexity inside this loop. This results
in an asymptotic worst-case complexity of $O(n^3)$.
Figure 5.10(a) shows a possible traversal result generated by the stimuli generation
algorithm applied to the graph from Figure 2.6, starting from vertex 1. The ﬁrst loop
1 → 4 → 7 → 8 → 9 → 6 → 3 → 2 → 1 is created due to vertex 9 being the
most distant vertex from 1, thus covering the most edges of the graph. Vertex 5 is still
unvisited, therefore a second loop run is needed, traveling vertices 1 → 4 → 5 →
2 → 1. In order to cover the last uncovered dynamic transition between vertices 6
and 5, a third run visits vertices 1 → 4 → 7 → 8 → 9 → 6 → 5 → 2 → 1. The
input-output behavior representing the stimulus and a possible transient response is
illustrated in Figure 5.10(b). While any traversal policy covering the complete graph
is valid, further investigation of better strategies is necessary as they directly result in
shorter simulation times. The input stimuli generation and veriﬁcation ﬂow based on
discrete state space modeling is illustrated in Figure 5.11.
Figure 5.10: Path generated by the stimuli generation algorithm (a) and the corre-
sponding input/output behavior (b).
5.5.1 Veriﬁcation Methodology
The experience of an analog circuit designer is not only necessary for developing the
circuit itself but for selecting the right test bench around the circuit for ensuring correct
future circuit behavior under all expected circumstances.
[Figure 5.11: flow from Circuit (Design Under Verification) via MNA to DAE System, via Discrete Modeling to DATS Model, then Complete-Coverage Input Stimuli Generation Algorithm, Complete-Coverage Input Stimuli (V_in over t), Transient Simulation, Output Waveforms (V_out over t), Manual Inspection or ASL Verification on Waveforms (e.g. Vout < 3.3 V, Iout < 200mA, …), Verification Results]
Figure 5.11: Complete-coverage input stimuli generation and verification flow.
As there are no written rules for the selection of appropriate input stimuli for tran-
sient analysis, a DUV matching the specification might just have not been simulated
with the critical stimuli that would have taken it to violate the specification. Without
having any knowledge about state space coverage of the selected input stimuli, the
designer is searching for errors but can not be sure about how many are remaining
undiscovered.
With the input stimuli generation algorithm introduced in this section, a veriﬁca-
tion methodology for a simulation-based design ﬂow with guaranteed coverage of all
corner cases is given. The generated stimuli can now be processed by an analog cir-
cuit simulator, computing an output response for every internal state of the system
due to the special structure of the stimuli. With the system dynamics determining
the structure of the discretized state space, the stimuli are inherently covering the fre-
quency range of the system behavior at least up to the dynamics in the calculated state
space. A user-speciﬁable maximum edge steepness of the stimuli allows for lower-
ing the simulation effort caused by steep voltage steps. As assertion-based simulation
methods are emerging in the analog domain, the complete state space-covering stimuli
contribute to strengthen the signiﬁcance of those approaches.
With the results from transient simulation using complete state space-covering in-
put stimuli combined with the ASL property evaluation on transient simulation wave-
forms that was presented in Section 5.3, an alternative complete and therewith formal
property veriﬁcation methodology is given. The simulation results obtained from sim-
ulation with complete state space-covering input stimuli are representing the complete
dynamic behavior of the DUV. Hence, any ASL-specified assertion that holds during an
evaluation on such waveforms is guaranteed to hold for any input condition and any
state the DUV can adopt. Therewith, a proof of correctness can be conducted which
makes the presented approach equally expressive as the ASL model checking on the
discrete state space model.
ASL veriﬁcation on results obtained from complete state space-covering simula-
tion has the overhead of stimuli generation and transient simulation compared to ASL
model checking applied directly to the discrete state space model. However, the advan-
tage of this approach is given by being an add-on to the conventional test bench-based
simulation approach instead of being a replacement. Moreover, this stimuli-based ASL
veriﬁcation methodology is modular and it can be introduced incrementally into an ex-
isting design ﬂow.
5.6 Equivalence Checking using Complete-Coverage Input Stimuli
The simulation of a single circuit using complete state space-covering input stimuli can
reveal corner case behavior not identiﬁed by user-deﬁned input stimuli. However, an
equivalence checking methodology for analog circuits based on the new stimuli gener-
ation approach can be developed, giving certainty about the level of equality between
two circuit implementations. This new approach for equivalence checking of analog
circuits will retain formal completeness but, in contrast to previous approaches, will
work well with any kind of circuit abstraction. Due to the application of conventional
transient circuit simulation, each step of the equivalence checking process will be ob-
servable by the circuit designer and is mostly based on tools he already is used to.
The idea is to generate a stimulus for the system that covers the system’s complete
state space during a transient simulation. If another circuit is simulated using the same
input stimulus, the level of equivalence of the two systems is determined by the level
of deviation of the transient responses of the two circuits.
For each of the two circuits to compare, in the following referred to as circuit A and
circuit B, complete state space-covering input stimuli are generated for every input of
the circuit. Subsequently, four simulation runs are needed. Circuit A is simulated with
stimuli of A and B, followed by simulating circuit B with stimuli of A and B. The
simulation results are automatically compared using an error measure as described in
Section 5.6.1, reporting equivalence if a user-speciﬁable maximum error value is not
exceeded.
If circuits A and B show equivalent behavior when simulated with stimuli gener-
ated from circuit A, then the complete behavior of circuit A is included in circuit B:
$$A \subseteq B \qquad (5.10)$$
If circuit A and B show equivalent behavior for simulation with stimuli generated from
circuit B, then the complete behavior of circuit B is included in circuit A:
$$B \subseteq A \qquad (5.11)$$
If both conditions (5.10) and (5.11) hold, circuit A and circuit B are considered as equiv-
alent with respect to the user-defined maximum error, corresponding to the analog
equivalence defined in Definition 4.3.3:
$$A \subseteq B \;\wedge\; B \subseteq A \implies A \equiv B \qquad (5.12)$$
Figure 5.12 illustrates the described equivalence checking methodology.
In practical applications, often only one direction of the proof is necessary. Es-
pecially for reduced models generated with model order reduction techniques, the
complete-coverage stimuli have to be generated only for the reduced model in order to
prove that the transistor netlist behaves equal for the limited state space of the model
during simulation. Of course, the other direction of the proof could fail as the reduced
model intentionally does not cover all aspects of the transistor netlist, such as behavior
above or below certain operating frequencies.
5.6.1 Error Measures for Waveform Comparison
For a complete automation of the equivalence checking ﬂow, the differences between
the simulation results of the two circuits under veriﬁcation have to be computed by
an error calculation algorithm. While there are several measures to calculate the error
between two waveforms like Frechet distance [HA92], modiﬁed Hausdorff distance
[PHHB98], etc., the most intuitive measure is the generation of a difference waveform
of the signals. Therefore, for each time point of the two waveforms A and B, the value
at this time point of the other waveform is calculated and the difference value is stored.
The maximum difference between the waveforms is the reported error value and the
results can be inspected by plotting the difference waveform. The difference error mea-
sure $\epsilon_{difference}$ is defined as:
$$\epsilon_{difference} = \max \left| \frac{s_A(t_i) - s_B(t_i)}{r} \right| \quad \text{for all } (s_A(t_i), s_B(t_i))$$
with:
$r$ - maximum signal value range
$s_A(t_i), s_B(t_i)$ - values at time point $t_i$ for each waveform
The error can be normalized with the range of all values to obtain a deviation be-
tween 0 and 1. As the time points of two simulation waveforms generated by different
simulation runs in general are not equal, an interpolation is necessary for obtaining the
error values of the corresponding waveform at an arbitrary time point.
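The difference error measure with interpolation between differing time points and normalization by the value range, as an added Python example not taken from the thesis; the two waveforms are constructed and the equivalence threshold passed to the check is an assumed specification value:

```python
"""Added example (not the thesis's code): the difference error measure of
Section 5.6.1 for two simulated waveforms that do not share time points.
A waveform is a list of (t, value) pairs sorted by t; the data at the
bottom is constructed."""
from typing import List, Tuple

Waveform = List[Tuple[float, float]]


def interpolate(wave: Waveform, t: float) -> float:
    """Linear interpolation of the waveform at time t (clamped at both ends);
    needed because two simulation runs generally produce different time points."""
    if t <= wave[0][0]:
        return wave[0][1]
    for (t0, v0), (t1, v1) in zip(wave, wave[1:]):
        if t0 <= t <= t1:
            return v0 if t1 == t0 else v0 + (v1 - v0) * (t - t0) / (t1 - t0)
    return wave[-1][1]


def difference_waveform(a: Waveform, b: Waveform) -> Waveform:
    """At every time point of either waveform, compute the value of the other
    one and store s_A(t_i) - s_B(t_i); this is the waveform to plot."""
    times = sorted({t for t, _ in a} | {t for t, _ in b})
    return [(t, interpolate(a, t) - interpolate(b, t)) for t in times]


def difference_error(a: Waveform, b: Waveform) -> float:
    """eps_difference = max |(s_A(t_i) - s_B(t_i)) / r|, r being the range of
    all values of both waveforms, so the result lies between 0 and 1."""
    values = [v for _, v in a] + [v for _, v in b]
    r = max(values) - min(values)
    if r == 0.0:
        return 0.0      # every value identical: the waveforms coincide
    return max(abs(d) / r for _, d in difference_waveform(a, b))


def is_equivalent(a: Waveform, b: Waveform, spec_error_max: float) -> bool:
    """Counterpart of the ASL assertion %max_error <= %spec_error_max."""
    return difference_error(a, b) <= spec_error_max


# Constructed responses of circuits A and B sampled at different time points
WAVE_A: Waveform = [(0.0, 0.0), (1.0, 1.0), (2.0, 0.0)]
WAVE_B: Waveform = [(0.0, 0.0), (0.5, 0.25), (1.5, 0.75), (2.0, 0.0)]
```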
Figure 5.12: Equivalence checking ﬂow using complete state space-covering input
stimuli.
5.6.2 Automation in the ASL Veriﬁcation Flow
In order to include this new equivalence checking methodology completely into the
automated ASL veriﬁcation ﬂow, the waveform comparison can be performed by the
ASL veriﬁcation algorithms, controllable from an ASL speciﬁcation. Therefore, the
simulation waveforms of both circuits under comparison are transferred into a state
space representation as described in Section 5.3. Now, ASL can be used for an auto-
mated error determination with respect to a user-specifiable error bound. A calcula-
tion template is defined which corresponds to the desired error measure of the absolute
difference error between the values of both waveforms at every time point:
calculation error_calc("abs(calc_par1-calc_par2)");
The maximum error is determined by applying this calculation template to Wave-
form 1 and Waveform 2 and storing the maximum value of the calculation to the num-
ber variable %max_error:
assign(%max_error, max) error_calc(Waveform_1, Waveform_2);
Finally, an ASL assertion determines whether the value assigned to %max_error is
below a speciﬁed maximum error %spec_error_max:
for %max_error assert [<= %spec_error_max];
5.7 Multi-Parallel State Space Particle Simulation
Another perspective to the veriﬁcation methodologies presented in the previous sec-
tions which especially well suits periodic circuit analysis can be obtained by vi-
sual inspection of the state space dynamics. A visualization of the dynamics of an
n-dimensional vector field representing the analog circuit's behavior has not yet been
considered as a possible approach to support circuit veriﬁcation. However, this can
be another option to investigate the complete state space dynamics due to complete
coverage of the state space.
As dynamic structures can be difﬁcult to identify in such high-dimensional vector
ﬁelds originating from state space representation of analog circuits, the application of
visual aids is mandatory. Approaches such as line integral convolution (LIC) [And04]
or anaglyph stereo vision [McA93] facilitate the understanding of 2-D and 3-D visual-
ization but are not covering dynamic transient behavior. Therefore, a novel methodol-
ogy to consider analog circuits in a state space representation using visualized multi-
parallel vector ﬁeld particle simulation will be introduced in the following.
The dynamic behavior of a system under veriﬁcation can be analyzed by visualiz-
ing the vector ﬁeld of the system variable’s derivatives in the state space. Such a vector
ﬁeld visualization is only possible with a restriction to three dimensions, while state
space dimensions of common analog circuits can vary between two and more than
four. Therefore, a selection of the main dimensions has to be made to project to the
three-dimensional view.
Particle simulation is a common approach for vector ﬁeld visualization and mature
algorithms have been developed [DH96]. In contrast to a static approach such as line
integral convolution, time-dependent motion of the particles visualizes the transient
behavior of the circuit in an animation sequence.
Consider the vector field $V : \mathbb{R}^{n_d} \to \mathbb{R}^{n_d}$ defined in Section 2.4.2. For a discrete set $Q = \{q_1, \dots, q_m\}$ of $m$ sample points $q_i$ in the state space, the discrete vector field $V_D : q_i \mapsto v_i$ is defined as
$$V_D(q_i) = V(z(e) = q_i) = v_i \qquad (5.13)$$
In other words, the discrete vector field $V_D$ is represented by the position vectors $q_i$ determining the sample points in the state space and the direction vectors $v_i = V_D(q_i)$ giving the direction and speed of motion within $V$ at position $q_i$.
Figure 5.13: Determining the nearest sample point q2 in state space for particle p1 within the discrete vector field VD (sample points q1, q2, q3 with direction vectors v1, v2, v3).
For the injected particles $p_i \in \mathbb{R}^{n_d}$, the direction vector $V(z(e) = p_i)$ has to be approximated with respect to the discrete vector field $V_D$. Hence, a mapping is necessary which assigns a nearest sample point $q_j \in Q$ to each point $p_i$ representing a particle from the set of particles, as illustrated in Figure 5.13:
$$M(p_i) = \arg\min_{q_j \in Q} \| p_i - q_j \| \qquad (5.14)$$
Therewith, for each particle $p_i$, its next position can be calculated according to a time step $\Delta t$ and the nearest direction vector $v_j = V_D(M(p_i))$:
$$p_i(t + \Delta t) = p_i(t) + v_j \cdot \Delta t \qquad (5.15)$$
Since (5.15) is an explicit Euler step on a piecewise constant approximation of $V$, the time step $\Delta t$ has to be small relative to the spacing of the sample points; otherwise a particle skips over sample points and its motion no longer follows the state space dynamics.
When the particle simulation is started, a uniformly distributed set of particles is inserted into the vector field of the state space and, for each particle, the nearest direction vector with respect to Euclidean distance determines its direction and speed of movement as stated above. Algorithm 7 recapitulates the particle simulation algorithm.
Algorithm 7: Particle Simulation Algorithm.
while animation running do
    foreach particle pi in state space do
        detect nearest sample point qj = M(pi) with respect to Euclidean distance;
        get direction vector vj = VD(qj);
        pi = pi + vj · ∆t
    end
end
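The following Python program is an added example of Algorithm 7 and of equations (5.13) to (5.15); it is not code from the thesis, whose particle simulator is the C++/OGRE environment described in Section 6.1. The vector field, the sample grid and the particle start positions are constructed here: a two-dimensional harmonic oscillator stands in for the circuit's vector field, and all names (sample_vector_field, nearest_sample, step_particle, simulate) are this example's own. The nearest sample point is found by a linear scan, which is what the algorithm states; a spatial index would only change the constant factor.

```python
import itertools
import math
from typing import Callable, Dict, List, Sequence, Tuple

Vec = Tuple[float, ...]


def sample_vector_field(field: Callable[[Vec], Vec],
                        grid: Sequence[Sequence[float]]) -> Dict[Vec, Vec]:
    """Discrete vector field V_D of (5.13): evaluate V at every sample point q_i
    (the Cartesian product of the per-dimension coordinates in `grid`) and keep
    the direction vector v_i = V(q_i)."""
    return {q: tuple(field(q)) for q in itertools.product(*grid)}


def nearest_sample(vd: Dict[Vec, Vec], p: Vec) -> Vec:
    """Mapping M(p_i) of (5.14): the sample point q_j with minimum Euclidean
    distance to the particle p (linear scan over Q, O(m) per particle)."""
    return min(vd, key=lambda q: math.dist(p, q))


def step_particle(vd: Dict[Vec, Vec], p: Vec, dt: float) -> Vec:
    """Update p_i(t + dt) = p_i(t) + v_j * dt of (5.15) with v_j = V_D(M(p_i)):
    an explicit Euler step on the piecewise constant (nearest-neighbour)
    approximation of V, so dt must stay small against the sample spacing."""
    v = vd[nearest_sample(vd, p)]
    return tuple(pk + vk * dt for pk, vk in zip(p, v))


def simulate(vd: Dict[Vec, Vec], particles: Sequence[Vec],
             dt: float, steps: int) -> List[List[Vec]]:
    """Algorithm 7: every particle is an independent run from its own initial
    condition; returns the list of positions (one animation frame per entry)
    for each particle."""
    trajectories = [[p] for p in particles]
    for _ in range(steps):
        for traj in trajectories:
            traj.append(step_particle(vd, traj[-1], dt))
    return trajectories


def harmonic_oscillator(x: Vec) -> Vec:
    """Constructed 2-D stand-in for the circuit's vector field:
    dx1/dt = x2, dx2/dt = -x1, an undamped clockwise rotation about the origin."""
    x1, x2 = x
    return (x2, -x1)


def uniform_grid(lo: float, hi: float, n: int) -> List[float]:
    """n equally spaced coordinates from lo to hi inclusive."""
    return [lo + (hi - lo) * k / (n - 1) for k in range(n)]


if __name__ == "__main__":
    grid = [uniform_grid(-2.0, 2.0, 9)] * 2            # 9 x 9 = 81 sample points
    vd = sample_vector_field(harmonic_oscillator, grid)
    # uniformly distributed initial conditions, one particle each
    starts = [(x, y) for x in uniform_grid(-1.5, 1.5, 3)
              for y in uniform_grid(-1.5, 1.5, 3)]
    for traj in simulate(vd, starts, dt=0.1, steps=20):
        print(f"{traj[0]} -> {tuple(round(c, 3) for c in traj[-1])}")
```

Each trajectory returned by simulate is one animation sequence; a particle started at (1, 0) turns clockwise because it inherits the direction vector of whichever sample point is currently nearest, which is exactly the zero-order-hold behaviour that makes the choice of dt against the grid spacing matter.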
Each of the particles represents an independent simulation run, with its starting position indicating the initial condition. While the visualization is projected to a three-dimensional representation, the motion vector of each particle is calculated with full dimensionality. Thus, the motion is determined by all dimensions of the state space, revealing information beyond what the three-dimensional plot shows.
An exemplary particle animation is illustrated in four steps in Figures 5.14(a) to 5.14(d) for a two-dimensional vector field containing an oscillation.
Figure 5.14: Particle simulation for the two-dimensional state space (x1, x2) of an oscillator circuit with increasing time from (a) to (d).
6 Experimental Results
In this chapter, the algorithms that together form the proposed formal verification methodologies are applied to circuit examples. Different properties and circuits are analyzed in order to present practical results for all methodologies presented in Chapter 5.
6.1 Implementation
The trajectory-directed discrete modeling algorithm has been prototypically implemented using GNU Octave for the control flow, including the mathematical operations such as the Gram-Schmidt orthogonalization. A prototypical C++ implementation of a transient simulation back-end has been coupled with GNU Octave as a dynamic library using the SWIG interface compiler.
The ASL syntax grammar was implemented as a C++ LEX/YACC parser. The ASL verification algorithms as well as the other algorithms, such as the complete state space-covering input stimulus generation and the transfer of transient simulation waveforms into a DATS, have been coded in C++.
The multi-parallel particle simulation and visualization environment, which was also used for all the vector field pictures of the DATS models shown in this thesis, has been implemented in C++ using the open source 3D graphics engine OGRE.
A common data interchange format serializing the DATS model to a file, including additional information such as the state sets identified by the verification algorithms, has been implemented. It allows DATS models to be transferred between the discrete modeling algorithm, the verification algorithms and the visualization tool. Additionally, a DATS exporter has been implemented in the VERA equivalence checking tool in order to apply the new equivalence checking methodology using complete state space-covering input stimuli to the same model data for comparison.
The runtimes of the experimental examples analyzed in the following have been measured on a single core of an Intel Core 2 Quad at 2.83 GHz with 8 GB of RAM.
6.2 Verification of Initial Conditions of a Ring Oscillator
The modified ring oscillator with an even number of inverter stages and cross-coupling [JKK08] was already presented in Figure 1.3 of Section 1.4 as a motivating example. The critical property to be verified for this circuit is the existence of initial conditions that cause the circuit not to run into an oscillation for certain ratios of the transistor sizes between the inverter chain and the bridges. While first results of the ASL model checking methodology were already demonstrated in the motivating example, the ASL property specification methodology is discussed in the following.
The properties to verify are the existence of an oscillation and that the circuit oscillates for every possible initial condition. Hence, the ASL specification shown in Listing 6.1 was developed.
Listing 6.1: ASL specification for oscillator verification.
# Assert that the circuit oscillates
osci_set = on all select oscillation;
for is_empty(osci_set) assert false;
# Assert that the circuit has no non-periodic steady states
for is_empty(DCpoints) assert true;
# Which initial conditions lead into DCpoints?
bad_initial_conditions = reach DCpoints;
The macro is_empty() checks whether a set is empty, wrapping the following ASL statements for better readability of the specification:
# macro is_empty(set) -> returns 1 if the assertion holds, 0 if not
macro is_empty
{
    parameter2 = for parameter1 assert not all;
}
The property specification in Listing 6.1 first checks whether there is a periodic oscillation trajectory in the state space. The next assertion requires the oscillator's state space not to contain any non-periodic steady states. If such states exist, the set bad_initial_conditions is assigned the states that can reach these steady states. Every state in the set bad_initial_conditions represents an initial condition that causes the circuit to run into a steady state instead of into the oscillation trajectory. The transient simulation in the motivating example, started from such a bad initial condition identified by the ASL model checking algorithms, showed that the circuit in fact does not oscillate.
Furthermore, ASL model checking has been conducted for the α/β-ratios 1.05, 1.35, 1.65 and 1.95 in order to check the circuit properties systematically and to demonstrate the consistency of ASL model checking on the DATS model generated by the trajectory-directed discretization algorithm.
Table 6.1 summarizes the verification results, including the oscillation periods reported by the ASL model checking algorithms as well as by transient analysis for VDD = 3.3 V. If bad initial conditions were detected by model checking, a transient analysis run was conducted with these conditions in order to confirm that the circuit shows the expected behavior. Additionally, the modeling and model checking runtimes are given in the table.
Table 6.1: Verification results for the modified ring oscillator with results obtained from ASL model checking (MC) and transient analysis (TRA).
α/β-ratio                   1.05       1.35       1.65       1.95
MC reports bad init. cond.  -          -          -          X
# States DATS               16036      15810      14680      13288
Discretization runtime      13:22 m    12:42 m    11:24 m    10:30 m
MC runtime                  7.5 s      7.1 s      6.0 s      5.4 s
Oscillation period MC       1.494 µs   1.224 µs   1.055 µs   0.961 µs
Oscillation period TRA      1.415 µs   1.159 µs   1.014 µs   0.936 µs
Figure 6.1(a) shows the transition vectors between the states of the detected oscillation set and the non-periodic steady states identified by ASL model checking for an α/β-ratio of 1.95, projected to the state space dimensions VI, VII and VIII. Figure 1.5, presented in the motivating example, already illustrated the state space trajectories leading into the non-periodic steady states. Additionally, a multi-parallel state space particle simulation with the methodology introduced in Section 5.7 was executed. A snapshot of the dynamic motion flow is shown in Figure 6.1(b); it allows the same conclusions to be drawn visually as from model checking.
Figure 6.1: Transition vectors between states of the detected oscillation set and non-periodic steady states of the modified ring oscillator detected by model checking for α/β-ratio 1.95 (a). Particle simulation visualizing the oscillation trajectory and the non-periodic steady states (b). Both projected to VI, VII and VIII.
6.3 Verification of Active Lowpass Filter Overshoot
The Sallen-Key biquad lowpass filter shown in Figure 6.2 has a tendency to overshoot beyond its designed passband gain of 1.05, which is the property to be verified in the following. The overshoot around the cutoff frequency of 1 kHz may be a result of the complex conjugate poles in the transfer function and could have been overlooked in the design process. The parameters are C1 = 5 nF, C2 = 50 nF, R1 = R2 = R4 = 10 kΩ, R3 = 500 Ω. The input voltage range is ±1 V and the operational amplifier, represented by a behavioral model, has a supply voltage of ±3 V.
The overshoot property shall be analyzed using the following methodologies:
1. ASL model checking with counterexample generation and
2. transient simulation controlled by a complete state space-covering input stimulus, with the simulation results transferred back into a DATS and evaluated by the ASL verification algorithms using the same ASL property specification as used for model checking.
Figure 6.2: Circuit schematic of the Sallen-Key biquad lowpass filter (input Vin, output Vout, resistors R1 to R4, capacitors C1 and C2 with voltages VC1 and VC2, operational amplifier).
In order to apply the verification algorithms, a DATS model for the state space dimensions Vin, VC1 and VC2 has been generated using the trajectory-directed discretization approach. The DATS model used for the following results was generated with 3702 vertices, with model generation requiring 142 seconds. While generating a higher number of states further increases the modeling accuracy for model checking, the complete state space-covering stimulus already covers all corners of the reachable area with a significantly lower number of states, at the cost of a decreasing density of the internal trajectories. Table 6.2 summarizes the discretization runtimes for different state counts. The number of generated states can be controlled in the discretization algorithm by constraining the length of the transition vectors to a user-defined interval.
The transient simulation steps needed for state space sampling have a constant runtime for a given circuit. Hence, the overall simulation runtime scales linearly with the number of generated states. However, checking the proximity criterion for the n sampled states, although consuming substantially less time than the transient step computation, has a runtime of O(n log n), which shows in Table 6.2 as the slow superlinear growth of the runtimes.
Table 6.2: Runtimes of the trajectory-directed discretization algorithm for the Sallen-Key lowpass filter.
Number of states          3702      6673      13288
Discretization runtime    02:22 m   05:40 m   15:37 m
The set reachable, containing the 1546 states reachable from the DC operating points, has been identified using the ASL statement:
reachable = on all reach from DCpoints;
The reachable transition vectors between states of the state space, spanned by the input voltage Vin and the voltages over the two capacitances, VC1 and VC2, are visualized in Figure 6.3.
Figure 6.3: Reachable state space of the Sallen-Key biquad lowpass filter (axes Vin, VC1, VC2).
6.3.1 Model Checking
The ASL specification for the overshoot property is given in Listing 6.2. It calculates the minimum and maximum of the input and output values over the reachable states. From the ratio of the output voltage swing to the input voltage swing, the overshoot ratio is calculated, and an assertion is formulated that allows a maximum overshoot ratio of 1.05, which represents the passband gain of the circuit. The results calculated by the ASL model checking algorithms on the DATS are presented in Table 6.3, which additionally gives the values for VC1 and VC2 that are discussed in connection with the verification using the complete state space-covering input stimulus. An overshoot ratio of 1.734 has been calculated by the verification algorithms, so the assertion is not satisfied. The overall runtime of the model checking algorithms, including the reachability computation, was 3.55 seconds.
Listing 6.2: ASL specification for the overshoot property.
on reachable assign(%max_V_in,max) value(V_in);
on reachable assign(%min_V_in,min) value(V_in);
on reachable assign(%max_V_out,max) value(V_out);
on reachable assign(%min_V_out,min) value(V_out);
%overshoot_ratio = (%max_V_out-%min_V_out)/(%max_V_in-%min_V_in);
for %overshoot_ratio assert [<= 1.05];
Table 6.3: Verification results calculated by the ASL model checking algorithms on the DATS for the Sallen-Key lowpass filter.
Value   Minimum     Maximum
Vout    −1.714 V    1.754 V
VC1     −1.630 V    1.663 V
VC2     −0.562 V    0.512 V
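The following Python program is an added example that evaluates the ASL statements used in Listing 6.1 (select oscillation, the DCpoints assertion and bad_initial_conditions = reach DCpoints) and in Listing 6.2 (reach from DCpoints, min/max over the reachable set, the overshoot ratio and its assertion) on two small constructed DATS models. It is not the thesis's ASL implementation. Two conventions are assumptions of this example: a state with a self-loop is taken as a DC operating point (its own transition vector is zero, and any further transitions out of it model input changes), and "oscillation" is taken as the states lying on a cycle of length greater than one. The state names, values and transitions are constructed; the output values of the filter model are chosen so that the overshoot ratio reproduces the 1.734 of Table 6.3.

```python
from collections import deque
from typing import Dict, Iterable, List, Set, Tuple

Values = Dict[str, float]


class Dats:
    """Discrete analog transition system: a value vector per state plus the
    successor relation. A self-loop marks a DC operating point (assumption of
    this example); other transitions out of such a state model input changes."""

    def __init__(self, values: Dict[str, Values], succ: Dict[str, List[str]]):
        self.values = values
        self.succ = {s: list(succ.get(s, [])) for s in values}
        self.pred: Dict[str, List[str]] = {s: [] for s in values}
        for s, targets in self.succ.items():
            for t in targets:
                self.pred[t].append(s)

    def dc_points(self) -> Set[str]:
        """ASL `DCpoints`: states carrying a self-loop."""
        return {s for s, targets in self.succ.items() if s in targets}

    def _closure(self, start: Iterable[str], edges: Dict[str, List[str]]) -> Set[str]:
        seen = set(start)
        todo = deque(seen)
        while todo:
            s = todo.popleft()
            for t in edges[s]:
                if t not in seen:
                    seen.add(t)
                    todo.append(t)
        return seen

    def reach_from(self, start: Set[str]) -> Set[str]:
        """ASL `reach from X`: forward closure, states reachable from X."""
        return self._closure(start, self.succ)

    def reach_to(self, target: Set[str]) -> Set[str]:
        """ASL `reach X`: backward closure, states that can reach X."""
        return self._closure(target, self.pred)

    def oscillation(self, within: Set[str]) -> Set[str]:
        """ASL `select oscillation`: states on a cycle of length > 1 (periodic
        steady states); self-loops, i.e. DC points, do not count."""
        return {s for s in within
                if any(s in self.reach_from({t}) for t in self.succ[s] if t != s)}

    def minmax(self, states: Set[str], var: str) -> Tuple[float, float]:
        """ASL `assign(%x, min/max) value(var)` over a state set."""
        vals = [self.values[s][var] for s in states]
        return min(vals), max(vals)


def ring_oscillator_check(d: Dats) -> Dict[str, object]:
    """Listing 6.1: the oscillation set must be non-empty, DCpoints must be
    empty, and otherwise `reach DCpoints` names the bad initial conditions."""
    osci_set = d.oscillation(set(d.values))
    dc = d.dc_points()
    return {
        "oscillates": len(osci_set) > 0,
        "no_dc_points": len(dc) == 0,
        "bad_initial_conditions": d.reach_to(dc) if dc else set(),
    }


def overshoot_check(d: Dats, gain: float = 1.05) -> Tuple[float, bool, Set[str]]:
    """Listing 6.2: min/max of V_in and V_out over `reach from DCpoints`, the
    overshoot ratio and the assertion `for %overshoot_ratio assert [<= gain]`."""
    reachable = d.reach_from(d.dc_points())
    min_in, max_in = d.minmax(reachable, "V_in")
    min_out, max_out = d.minmax(reachable, "V_out")
    ratio = (max_out - min_out) / (max_in - min_in)
    return ratio, ratio <= gain, reachable


# Constructed ring-oscillator-like DATS: cycle o1->o2->o3->o1, a feeder state
# a1 into the cycle, and a branch b1->b2 ending in the DC point dc.
RING = Dats(
    values={s: {} for s in ["o1", "o2", "o3", "a1", "b1", "b2", "dc"]},
    succ={"o1": ["o2"], "o2": ["o3"], "o3": ["o1"], "a1": ["o1"],
          "b1": ["b2"], "b2": ["dc"], "dc": ["dc"]},
)

# Constructed lowpass-like DATS with V_in in [-1, 1] V; output values chosen so
# that the overshoot ratio reproduces the 1.734 of Table 6.3. "far" lies outside
# the input range and is not reachable from any DC point.
FILTER = Dats(
    values={
        "dc_neg": {"V_in": -1.0, "V_out": -1.05},
        "dc_0":   {"V_in":  0.0, "V_out":  0.0},
        "dc_pos": {"V_in":  1.0, "V_out":  1.05},
        "t1":     {"V_in":  1.0, "V_out":  0.90},
        "t2":     {"V_in":  1.0, "V_out":  1.754},
        "t3":     {"V_in":  1.0, "V_out":  1.20},
        "u1":     {"V_in": -1.0, "V_out": -1.714},
        "far":    {"V_in":  2.0, "V_out":  5.0},
    },
    succ={"dc_neg": ["dc_neg"], "dc_0": ["dc_0", "t1", "u1"], "dc_pos": ["dc_pos"],
          "t1": ["t2"], "t2": ["t3"], "t3": ["dc_pos"], "u1": ["dc_neg"],
          "far": ["t1"]},
)

if __name__ == "__main__":
    print(ring_oscillator_check(RING))
    ratio, holds, reachable = overshoot_check(FILTER)
    print(f"overshoot ratio {ratio:.3f}, assertion holds: {holds}, "
          f"reachable: {sorted(reachable)}")
```

Restricting the min/max evaluation to reach from DCpoints is what keeps the unreachable state "far" from inflating the ratio; evaluating the same statements with on all instead would report a false violation, which is the reason Listing 6.2 is evaluated on the reachable set rather than on the whole DATS.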
6.3.2 Counterexample
Subsequently, a counterexample input stimulus is generated in order to analyze the erroneous behavior violating the specification in a transient simulation test bench. The following ASL statement creates piecewise linear waveforms for Vin and Vout:
counterexample from DCpoints to (reachable and V_out[< -1.5]);
While the piecewise linear signal for Vin represents the input stimulus that has to be applied to the circuit to reach an output voltage below −1.5 V, the waveform generated for Vout represents the expected behavior of the output voltage. Moreover, comparing this expected output behavior, in the following referred to as V_out^expect, with the transient response V_out^sim to the counterexample input stimulus allows the modeling quality of the DATS, and therewith the soundness of the verification results, to be rated. As can be seen in Figure 6.4, the expected behavior from the DATS model and the transient response match quite well, with the counterexample reliably reaching the desired output voltage. The generation of the counterexample stimulus on the DATS took 0.65 seconds.
Figure 6.4: Transient response V_out^sim to the counterexample input stimulus Vin of the Sallen-Key biquad lowpass filter with the expected response V_out^expect predicted by the counterexample algorithm on the DATS (voltages in V over t in ms, 0 to 1.6 ms).
6.3.3 Complete-Coverage Input Stimulus
As an alternative to the model checking methodology with counterexample generation, a complete state space-covering input stimulus as introduced in Section 5.5 was generated with a computation time of 3.93 seconds. The input stimulus consists of 31951 time and value tuples with an overall stimulus length of 891 milliseconds. Figure 6.5 provides an impression of the complete state space-covering input stimulus and the transient response of the circuit.
Figure 6.5: Complete generated input stimulus and transient output response of the Sallen-Key biquad lowpass filter.
While the input stimulus generation algorithm is designed to cover every vertex of the modeled circuit, which can easily be verified, it is necessary to demonstrate that the generated stimulus really forces the circuit to adopt every reachable state of the system during transient simulation. In order to demonstrate complete coverage of the system variables, Figure 6.6 plots the transient circuit response to the input stimulus over VC1 and VC2, showing that the trajectories completely cover the reachable coordinate pairs for VC1 and VC2. The differences in the concentration of the trajectories are caused by the projection of the input variable's axis into the two-dimensional plot. Additionally, the number of sampled states of the state space discretization affects the density of the trajectories. Figure 6.7 shows an excerpt of the simulated transient response V_out^sim and the signal V_out^expect computed on the DATS model generated by the new trajectory-directed discretization approach, clearly illustrating that the behavior computed on the DATS model matches the transient response with high accuracy.
Figure 6.6: Transient response to the generated input stimulus of the Sallen-Key biquad lowpass filter plotted over VC1 [V] (−2 to 2 V) and VC2 [V] (−0.5 to 0.5 V).
Figure 6.7: Excerpt (t from 255 to 280 ms) of the transient response V_out^sim to the complete-coverage input stimulus of the Sallen-Key biquad lowpass filter with the expected response V_out^expect predicted by the stimulus generation algorithm on the DATS generated by the trajectory-directed discretization approach.
6.3.4 Comparison to Hyperbox Discretization
For a comparison of the discretization quality, a DATS model with 3333 states, of which 2060 are reachable from the DC operating points, has been generated using the hyperbox discretization approach [HHB02a] with a computation time of 87 seconds. On this model, a complete-coverage input stimulus was generated with an overall stimulus length of 1.89 seconds. The transient response V_out^sim and the predicted behavior V_out^expect, calculated on the DATS, are shown in Figure 6.8. In comparison to the matching waveforms computed by the trajectory-directed discretization, the results obtained by the hyperbox discretization show an over-approximation of the reachable area. Moreover, as all transition steps in the state space can only be either in the input direction or paraxial, the rectangular shape of the expected waveform V_out^expect does not conform equally well to the transient response. The model checking result of 2.915 for the overshoot ratio property correspondingly exhibits an over-approximation of the reachable area, because the discrete transitions in the DATS do not match the state space dynamics.
A comparison of the successor relation error ε_suc as defined in Section 2.4.2 supports the conclusion of a large improvement of the trajectory-directed discretization over the hyperbox discretization. For the trajectory-directed discretization, ε_suc is 5.11° with an average out-degree of 0.94, compared to 29.58° for ε_suc of the hyperbox discretization with an average out-degree of 3.23.
Figure 6.8: Excerpt (t from 945 to 975 ms) of the transient response V_out^sim to the complete-coverage input stimulus of the Sallen-Key biquad lowpass filter with the expected response V_out^expect predicted by the stimulus generation algorithm on the DATS generated by the hyperbox discretization approach.
6.3.5 ASL Verification on Simulation Waveforms
In order to apply the same ASL overshoot property specification that was introduced for the model checking approach in Section 6.3.1, the transient simulation response to the complete state space-covering input stimulus was transferred back into a DATS state space representation with the approach described in Section 5.3. The waveforms combined into a DATS model represent the signals Vin, Vout, VC1 and VC2. The transfer to a DATS model took 59 seconds, resulting in 126337 states created from the 159052 simulation time steps. Table 6.4 compares the results of the ASL evaluation on the simulation waveforms after transferring them into a DATS (Min Sim, Max Sim) to the ASL model checking results on the discrete state space model generated by the trajectory-directed approach (Min MC, Max MC). The model checking on the DATS slightly over-approximates the reachable area compared to the transient simulation with the complete-coverage stimulus. Such differences can result from zero-time input signal changes in the discrete model, while the complete-coverage stimuli have been restricted regarding their maximum signal edge steepness.
As the transient response covers the complete reachable state space of the circuit under verification, this provides another automated verification methodology that can detect the overshooting behavior of the Sallen-Key circuit.
Table 6.4: Verification results calculated by the ASL model checking (MC) algorithms on the DATS for the Sallen-Key lowpass filter compared to the ASL evaluation on the transient simulation results (Sim) using a complete-coverage input stimulus.
Value   Min Sim     Min MC      Max Sim      Max MC
Vout    −1.636 V    −1.714 V    1.64212 V    1.754 V
VC1     −1.558 V    −1.630 V    1.563 V      1.663 V
VC2     −0.489 V    −0.562 V    0.447 V      0.512 V
6.4 Verification of CMOS Charge Pump Startup Time
The charge pump circuit shown in Figure 6.9 is a clocked step-up voltage converter allowing output voltages of nearly twice the supply voltage. The parameters are VDD = 3 V, clk = 50 kHz, Rload = 1 MΩ, C1 = Cload = 1 nF.
Figure 6.9: Circuit schematic of the CMOS charge pump (transistors TP1, TN1, TN2, TN3; capacitors C1 and Cload; load resistor Rload; clock input clk; node voltages VC1, Vclk and VCload).
A characteristic output waveform for VCload, as shown in Figure 6.10, is calculated by a transient analysis starting from the initial condition VC1 = VCload = 0 V, showing the typical ripple of the clocked switching behavior.
6.4.1 Model Checking
A DATS model of the charge pump circuit is generated using the trajectory-directed discretization method. The circuit has four state space dimensions: VC1, VCload and two additional dimensions for a behavioral model of a clock generator, which has to be included in the DATS model in order to obtain verification results for the defined clock frequency. If the clock were treated as an input, all possible clock frequencies would be contained in the model, which would not allow expressive results to be obtained.
Figure 6.10: Transient output waveform VCload [V] (0 to 6 V) of the CMOS charge pump circuit over t [µs] (0 to 1000 µs).
The generated DATS model selected for further analysis consists of 13055 states, whose generation took 18 minutes and 39 seconds. Table 6.5 summarizes the discretization times for other state counts for comparison. While a higher number of states hardly improves the accuracy of the verified properties, a lower number of states, although capturing the startup behavior well, is not sufficient to model the periodic output ripple.
Table 6.5: Runtimes of the trajectory-directed discretization algorithm for the CMOS charge pump.
Number of states                 5533     13055    28892
Discretization runtime [mm:ss]   05:08    18:39    61:07
On the DATS model, the ASL property specification methodology for startup time verification of autonomous circuits presented in Section 5.2.3 is now applied. First, the start area for the startup time verification has to be selected:
startarea = (value(V_C_load)[<0.1]) and (value(V_C_1)[>-0.1]);
The states reachable from this start area contain the dynamic startup behavior of the circuit, on which the maximum output voltage can be measured and assigned to the number variable %max_V_C_load:
reachable = reach from startarea;
on reachable assign(%max_V_C_load,max) value(V_C_load);
The value assigned to %max_V_C_load is 5.15885 V. Within the states reachable from the start area, the minimum and maximum startup time are measured using the transition operation, which assigns the states of the startup paths to the set startup:
startup = assign(%startup_time_min,min) assign(%startup_time_max,max)
    transition startarea to value(V_C_load)[>= 0.9 * %max_V_C_load];
The set startup contains 648 states; the minimum startup time reported is 114 µs, and the maximum startup time, assigned to the number variable %startup_time_max, is 172 µs.
By applying the ASL algorithms to the circuit model, the set startup is acquired as visualized in Figure 6.11.
Figure 6.11: Startup trajectory projected to VC1, VCload and Vclk, identified by evaluating the ASL property specification on the DATS of the charge pump.
The periodic steady states in which the circuit reaches its maximum output voltage over VCload with a periodic signal ripple shall be analyzed. Therefore, these periodic steady states, which form a cycle of transitions in the state space, are identified, and the minimum and maximum values of VCload are measured by the following ASL statements:
periodic_output_set = on reachable select oscillation;
on periodic_output_set
    assign(%min_V_C_load_ripple,min) assign(%max_V_C_load_ripple,max)
    value(V_C_load);
The oscillation detection algorithm reports a ripple period of 22.0234 µs, which slightly deviates from the clock cycle time of 20 µs. The number variable %min_V_C_load_ripple is assigned 5.0889 V and %max_V_C_load_ripple contains 5.15885 V.
The model checking algorithms for evaluating all the described properties have a runtime of 18.28 seconds.
Figure 6.12: Transient simulation waveforms of the charge pump for VC1, VCload and Vclk transferred into a DATS representation for application of the ASL verification algorithms.
6.4.2 ASL Verification on Simulation Waveforms
A transient simulation of the startup process was conducted, and the simulation waveforms for all four state space variables of the charge pump circuit were transferred into a DATS model in order to apply the previously described ASL specification to these waveforms. The transient simulation contains 8424 time steps for a simulation time of 1 millisecond. The transfer to a DATS model consisting of 3528 vertices and 4539 transitions took 0.35 seconds. The lower number of states compared to the number of simulation time steps is due to the ripple behavior at the maximum output voltage mapping to a periodic cycle of states. Figure 6.12 illustrates the DATS model generated from the transient simulation data, showing a structure similar to the startup trajectory identified in the DATS generated by the trajectory-directed discretization method in Figure 6.11. The application of the same ASL specification as used for model checking takes 10.6 seconds, and the ASL verification results for model checking and for ASL property checking on the transient simulation waveforms are summarized in Table 6.6. As can be concluded from the comparison of the results, model checking on a discrete state space model can verify the specified properties with high accuracy.
Table 6.6: Comparison between ASL property evaluation on a DATS generated by the trajectory-directed discretization (TDD) method and on simulation waveforms obtained from transient analysis (TRA).
Property                 TDD                     TRA
Max. output voltage      5.1589 V                5.1503 V
Startup time             [114 µs, 172 µs]        169 µs
Periodic output ripple   [5.0889 V, 5.1589 V]    [5.1008 V, 5.1503 V]
6.5 Model Checking of VCO Gain KVCO
The considered VCO circuit illustrated in Figure 6.13 is an opamp-based CMOS design for demonstrating the ASL model checking methodology for verification of KVCO and of the linearity of the VCO, introduced in Section 5.2.2. The circuit parameters are VDD = 2.5 V, VSS = −2.5 V, g = 10^−6, R1 = 20 kΩ, R2 = 1 MΩ, C1 = 100 nF, C2 = 1 nF. The oscillation of the circuit is caused by the inverter feedback loop alternately charging C2. Thus, the oscillation period is controlled by the ideal voltage controlled current source gVin, which determines the charge current of capacitor C2 via current mirrors.
Figure 6.13: Circuit schematic of the voltage controlled oscillator (controlled current source gVin, resistors R1 and R2, capacitors C1 and C2 with voltages VC1 and VC2, operational amplifier).
The considered input voltages for gain verification are 0.66 V, 0.83 V, 1.00 V and 1.17 V. Figure 6.14 shows the corresponding oscillation areas in state space, isolated by applying the methodology from Section 5.2.2 to the DATS circuit model generated by the trajectory-directed discretization algorithm. The DATS model, consisting of 15660 states, was generated in 16 minutes and 57 seconds. Although the circuit has only a three-dimensional state space, such a high number of states is necessary in order to capture the oscillation period accurately for gain verification. The state space slices contained in one single DATS with all state transitions for the four input voltage values are illustrated in Figure A.1 in Appendix A.1. From this transition structure, the oscillation sets are identified by the ASL algorithms. The adaptation of the trajectory-directed discretization to the changed angles and dynamics of the transition structure at the different input voltages can be seen clearly.
Figure 6.14: Oscillation areas of the voltage controlled oscillator at different control voltages (axes Vin, VC1, VC2).
The ASL verification run takes 14 seconds. The results obtained for the oscillation period of the VCO at the specified input voltage steps are summarized in Table 6.7 together with transient analysis results for comparison. In Table 6.8, the results for the gain property of the VCO are detailed in comparison to transient analysis results.
Table 6.7: Comparison of the results between ASL model checking and transient analysis for the oscillation period of the VCO at different input voltages.
Vin      ASL MC     Transient Analysis
0.66 V   1391 µs    1394 µs
0.83 V   1139 µs    1147 µs
1.00 V   972 µs     969 µs
1.17 V   835 µs     840 µs
Table 6.8: Comparison of the results between ASL model checking and transient analysis for the gain KVCO of the VCO.
Vin range          ASL MC       Transient Analysis
0.66 V, 0.83 V     959 Hz/V     931 Hz/V
0.83 V, 1.00 V     909 Hz/V     967 Hz/V
1.00 V, 1.17 V     1020 Hz/V    955 Hz/V
Compared to transient analysis, a small error in the values calculated by model checking can be noticed. The deviation of the relative gain for the different input voltage pairs between model checking and transient analysis lies within the discretization-induced error range.
6.6 Equivalence Checking with Complete-Coverage
Stimuli
In this section, the new equivalence checking methodology based on complete-
coverage stimuli, in the following referred to as stimEC, is applied to example circuits
and corresponding behavioral models. Where possible, the obtained results for each
of the circuits are compared to a verification that has been performed using the VERA
equivalence checking methodology [HKH04] described in Section 4.5.3.1. The VERA
methodology directly compares the dynamic behavior in the state spaces of the sys-
tems under verification by mapping the state spaces using a nonlinear transformation
to a canonical representation for each system. This is only possible for implementa-
tions that do not differ substantially in their internal structure. Besides the comparison
of the two approaches with common circuit examples, the new stimEC approach will
be applied to a delta-sigma modulator circuit that cannot be processed by the VERA
tool due to the comparison to a highly abstracted behavioral model.
The DATS models needed for application of the stimEC stimuli generation algo-
rithm are directly exported from the state space sampled by the VERA algorithms in
order to compare the verification methodologies based on equal input data. The DATS
export is implemented into VERA by exporting the sampled points in the state space.
The successor relation of the DATS is determined by a local search for each point p_i
which selects an adjacent state p_j as successor if a transient step vector v_i starting in
p_i points towards p_j more than towards any other state. Although transition paths
using this DATS modeling do not correspond to state space trajectories as well as
those generated by trajectory-directed discrete modeling, the transition structure is
sufficient for covering the reachable area of the circuits under verification.
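The local-search successor rule described above, as an added example that is neither the thesis' nor the VERA tool's code: the sampled points and their transient step vectors are constructed here (a 5x5 grid over [-2, 2]^2 with the contracting flow dx/dt = -x), the adjacency of a point is taken as its k nearest sampled points (an assumption, since the page does not state how adjacency is defined), and the forward-path and reachable-set helpers show how one can check which of the sampled states a trajectory through the DATS actually covers.

```python
"""Successor relation of a discrete analog transition structure (DATS) built from
sampled state-space points by local search. Added example; the grid, the flow
dx/dt = -x and the neighbourhood size k are constructed and not from the thesis."""
import math
from collections import deque


def _sub(a, b):
    return tuple(x - y for x, y in zip(a, b))


def _dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def _norm(a):
    return math.sqrt(_dot(a, a))


def successor_relation(points, step_vectors, k=8):
    """Map each state index i to the index of its successor state.

    Among the k nearest other sampled points (assumption: Euclidean neighbourhood,
    ties broken by index), the successor is the point p_j that the transient step
    vector v_i starting in p_i points towards best, i.e. the one with the largest
    cosine between v_i and p_j - p_i. A point with a zero step vector is an
    equilibrium and becomes its own successor (the edge case a plain argmax would
    turn into a division by zero).
    """
    succ = {}
    for i, (pi, vi) in enumerate(zip(points, step_vectors)):
        if _norm(vi) == 0.0:
            succ[i] = i
            continue
        neighbours = sorted(
            (j for j in range(len(points)) if j != i),
            key=lambda j: (_norm(_sub(points[j], pi)), j),
        )[:k]
        best, best_cos = i, -2.0
        for j in neighbours:
            d = _sub(points[j], pi)
            c = _dot(d, vi) / (_norm(d) * _norm(vi))
            if c > best_cos:
                best, best_cos = j, c
        succ[i] = best
    return succ


def forward_path(succ, start):
    """Follow successors from `start` until a state repeats; returns the visited path."""
    path, seen = [], set()
    s = start
    while s not in seen:
        seen.add(s)
        path.append(s)
        s = succ[s]
    return path


def reachable(succ, starts):
    """All states reachable from the start states (BFS over the successor relation)."""
    seen, queue = set(starts), deque(starts)
    while queue:
        t = succ[queue.popleft()]
        if t not in seen:
            seen.add(t)
            queue.append(t)
    return seen


def coverage(visited, n_states):
    """Fraction of the n_states DATS states that occur in `visited`."""
    return len(set(visited)) / n_states


def grid_example():
    """Constructed 5x5 grid over [-2, 2]^2 with the contracting flow dx/dt = -x."""
    points = [(float(x), float(y)) for x in range(-2, 3) for y in range(-2, 3)]
    h = 0.1  # transient step length (constructed)
    step_vectors = [(-h * x, -h * y) for x, y in points]
    succ = successor_relation(points, step_vectors)
    origin = points.index((0.0, 0.0))
    corner = points.index((2.0, 2.0))
    return points, succ, origin, corner


if __name__ == "__main__":
    points, succ, origin, corner = grid_example()
    path = forward_path(succ, corner)
    print("path from corner:", [points[i] for i in path])
    print("coverage by that single trajectory:", coverage(path, len(points)))
```

With the contracting flow every sampled state ends in the equilibrium at the origin, and a single trajectory covers only a small fraction of the 25 states; that is exactly why complete-coverage stimulus generation has to steer the input rather than rely on one trajectory.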
The DATS model for complete-coverage input stimulus generation of the delta-
sigma modulator is generated using the trajectory-directed discretization approach.
The 8-dimensional state space is sufficiently captured to generate a stimulus that cov-
ers the reachable state space of the circuit.
6.6.1 Biquad Bandpass Filter
The first example circuit considered is a biquad bandpass filter illustrated in Figure 6.15
with C1 = C2 = 1 µF, R1 = R2 = R4 = 10 kΩ, R3 = 30 kΩ, R5 = 20 kΩ, VDD = 2.5 V,
VSS = −2.5 V, Vin = ±0.7 V. The used op-amp is a simple 8-transistor CMOS design.
This transistor netlist representation shall be compared with a VHDL-AMS behavioral
model partially illustrated in Listing 6.3 in order to show that the behavioral model
can be used for faster system simulation. Therefore, for the transistor netlist of this
circuit, a complete-coverage stimulus containing 8648 time and value pairs with a time
length of 300 ms is created and the circuit netlist as well as the behavioral model are
simulated with this stimulus. The input stimulus and the simulation results are shown
in Figure 6.16. Using the difference error measure, an error value of 11% is reported.
The VERA equivalence checking method reports 1.32% of difference. The higher error
reported by the stimEC method is due to the differing high-frequency behavior in the
beginning of the simulation not equally being captured by the VERA method.
The state space of the biquad bandpass circuit transistor netlist is spanned by the
input and the voltages over the capacitors. Hence, a complete coverage of the state
space can be proven by plotting the transient response to the input stimulus over VC1
and VC2. As illustrated in Figure 6.17, the transient response is covering the reachable
states of the circuit.
[Figure 6.15: schematic with R1, R2, R3, R4, R5, C1, C2, an op-amp (+/−), Vin and Vout]
Figure 6.15: Circuit schematic of the biquad bandpass filter circuit netlist.
Listing 6.3: Excerpt from VHDL-AMS behavioral model of the bandpass filter.
ENTITY bandpass IS
GENERIC( den0 : real := ... );
PORT( terminal inp, outp, gnd : electrical );
end BANDPASS;
ARCHITECTURE behave OF bandpass IS
QUANTITY uout ACROSS iout THROUGH outp TO gnd;
...
BEGIN
uint == 1E-3*i_uint’dot+4E-7*i_uint;
uint == 1.0/den1*(-den0*0.001*i_uint-den2*uint’dot+num1*uin);
uout == uint+Rout*iout;
...
END behave;
6.6.2 Second-Order Delta-Sigma Modulator
Due to the high clock frequencies of delta-sigma modulators, they require plenty of
simulation time. Hence, for faster simulation of mixed-signal systems containing delta-
sigma modulators, behavioral models are used. With the new stimEC approach, the
comparison of a transistor netlist implementation of a second-order delta-sigma mod-
ulator versus a simple unclocked behavioral model using an allpass filter as a delay
component is performed. Due to the massive abstraction differences between the two
implementations, the VERA approach cannot be applied to this task as it cannot iden-
tify common state space characteristics for mapping the transformation.
Figure 6.18 shows the transistor netlist implementation of the second-order delta-
sigma modulator with C1 = C2 = 200 pF, R1 = R2 = R5 = R6 = 100 kΩ, R3 = R4 =
5 kΩ, VDD = 1 V, fclk = 1 MHz. The sequential bitstream is directed into a lowpass
filter for further processing. A simple behavioral model for this circuit is implemented
by an allpass as a delay circuit followed by the same lowpass filter as illustrated in
Figure 6.19 with C1 = 10 nF, R1 = R2 = R3 = 1 kΩ.

[Figure 6.16: plots of the generated input stimulus and of the output responses Output A and Output B]
Figure 6.16: Complete generated input stimulus and transient output response of the
biquad bandpass filter transistor netlist (Output A) and VHDL-AMS behavioral model
(Output B).

[Figure 6.17: plot of VC2 [V] (−0.4 to 0.4) over VC1 [V] (−0.6 to 0.6)]
Figure 6.17: Transient response to the generated input stimulus of the biquad bandpass
filter plotted over VC1 and VC2.
The complete state space covering input stimulus generated for the transistor netlist
implementation of the delta-sigma modulator contains 32690 time and value pairs and
a system simulation time of 4.34 ms. After simulation of both circuit implementations
with the stimulus, the difference error measure is applied to the output voltage wave-
forms, reporting an output error of 10.67% when excluding the startup time of 0.1 ms
where the netlist implementation needs to lock to the feedback chain.
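The comparison step of the stimEC flow, applied to two transient responses to the same complete-coverage stimulus with a startup window excluded as above, as an added example that is not the thesis' own implementation: the page does not give the formula of the difference error measure, so the normalised L1 distance used here (sum of |ref − dut| over sum of |ref| on a uniform sample grid, both waveforms linearly interpolated) is an assumption, and the two waveforms are constructed to deviate strongly only during a startup phase.

```python
"""Difference error between two output waveforms obtained from the same stimulus.
Added example; the error measure and the waveforms are assumptions, not the
thesis' definition or data."""
import bisect


def interpolate(wave, t):
    """Linear interpolation of a waveform given as a time-sorted list of (time, value)."""
    times = [p[0] for p in wave]
    if t <= times[0]:
        return wave[0][1]
    if t >= times[-1]:
        return wave[-1][1]
    k = bisect.bisect_right(times, t)
    (t0, v0), (t1, v1) = wave[k - 1], wave[k]
    return v0 + (v1 - v0) * (t - t0) / (t1 - t0)


def difference_error(ref, dut, t_start, t_end, n=1000):
    """Assumed measure: sum |ref - dut| / sum |ref| over n + 1 uniform samples in
    [t_start, t_end]. Samples before t_start (the startup window) are excluded,
    so the two responses are only compared once both implementations have settled."""
    if t_end <= t_start:
        raise ValueError("comparison window must be non-empty")
    num = den = 0.0
    for i in range(n + 1):
        t = t_start + (t_end - t_start) * i / n
        r, d = interpolate(ref, t), interpolate(dut, t)
        num += abs(r - d)
        den += abs(r)
    if den == 0.0:
        raise ValueError("reference waveform is zero on the comparison window")
    return num / den


def constructed_waveforms():
    """Two constructed output waveforms over 1 ms (time in seconds, value in volts).
    The reference ramps up, holds, swings negative and holds; the device under test
    overshoots during the first 0.1 ms of startup and afterwards tracks the reference
    with a constant 5% gain error."""
    ref = [(0.0, 0.0), (1e-4, 1.0), (5e-4, 1.0), (6e-4, -1.0), (1e-3, -1.0)]
    dut = [(0.0, 0.0), (5e-5, -0.5), (1e-4, 1.05), (5e-4, 1.05), (6e-4, -1.05),
           (1e-3, -1.05)]
    return ref, dut


if __name__ == "__main__":
    ref, dut = constructed_waveforms()
    print("error excluding 0.1 ms startup:", difference_error(ref, dut, 1e-4, 1e-3))
    print("error including startup:      ", difference_error(ref, dut, 0.0, 1e-3))
```

Excluding the startup window isolates the steady gain mismatch (5%); including it lets the transient lock-in phase dominate the figure, which is the effect the 0.1 ms exclusion above avoids.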
Although the model used for stimulus generation with 21001 states generated by
the trajectory-directed discretization algorithm in 3 hours and 29 minutes suffers from
the few states sampled for each of the 8 dimensions, the reachable state space of the
internal capacitors C1 and C2 of the netlist implementation is covered quite well. The
transient response to the input stimulus is plotted over VC1 and VC2 as depicted in
Figure 6.20. The trapezoidal appearance is caused by the correlation of the inverting
integrators, restricting the reachable value combinations of VC1 and VC2.

[Figure 6.18: schematic with Vin, R1, R2, R3, R4, R5, R6, C1, C2, two op-amps (+/−), a clocked D flip-flop (D, Q, Q̄, clk), VDD, lowpass LP and Vout]
Figure 6.18: Circuit schematic of the second-order delta-sigma modulator.

[Figure 6.19: schematic with Vin, an op-amp (+/−), R1, R2, R3, C1, lowpass LP and Vout]
Figure 6.19: Simple behavioral model for the second-order delta-sigma modulator us-
ing an allpass filter for signal delay modeling.
6.6.3 Further Circuit Examples
Table 6.9 summarizes the equivalence checking results including runtime information,
the number of state space dimensions and the number of states in the graph struc-
ture used for stimuli generation of the aforementioned biquad bandpass and the delta-
sigma modulator, comparing the new stimEC approach to the VERA approach where
applicable. In addition, three other circuit examples have been processed with stim-
uli generated for the transistor netlists. The results for a log domain filter, a Schmitt-
trigger and a transistor switch with enable and power down functionality all indicate
the feasibility of the new stimEC approach, producing results very similar to the VERA
method. Runtimes of the stimEC approach on the VERA-generated DATS are domi-
nated by the transient simulation runs with the generated stimuli, while the stimuli
generation and the error computation on the waveforms only require a small fraction
of the overall runtime.

[Figure 6.20: plot of VC1 [V] (−0.4 to 0.4) over VC2 [V] (−0.04 to 0.04)]
Figure 6.20: Transient response to the generated input stimulus of the delta-sigma
modulator transistor netlist plotted over VC1 and VC2.
In order to compare the runtime results to the new stimEC approach, approximate
runtimes of a conventional systematic simulation have been calculated for the five ex-
ample circuits. While systematic simulation cannot guarantee the complete coverage
of the circuits’ behavior, it is a common approach for circuit characterization. For the
delta-sigma modulator with a clock frequency of 1 MHz, a systematic simulation with
sine waves over three decades with 10 amplitude levels and 10 samples per decade
starting at 100 Hz could be performed. A single sine wave at 100 Hz already needs a
system time of 10 ms with time steps being very small due to the high clock frequency.
Without having performed the remaining simulations for higher frequencies, the 10
amplitude levels result in a system time of 100 ms, which is already over 20 times the
length of the transient response generated by the stimEC approach. However, the high
modeling time for the delta-sigma modulator dominates the runtime of 3 hours and
29 minutes, while the stimulus generation, transient simulation and automatic error
calculation for both circuit implementations consume less than 3 minutes.
For the remaining circuit examples, performing such systematic simulations leads
to higher simulation times than those of the stimEC approach. Table 6.10 summarizes
the number of input time steps, the transient response time steps and the runtimes
of the stimEC approach compared to the approximate runtimes of a conventional
systematic simulation.
6.7 Assessment
The experimental results presented in this section showed the applicability of the for-
mal verification methodologies developed in the scope of this thesis. Although the cir-
cuit examples are limited to block level, complex circuit properties have been verified.
With the detection of the ring oscillator circuit’s bad initial conditions, the advantage
of state space-based complete verification methods could be emphasized. By applying
different methodologies to the same example circuit, the consistency and exchange-
ability of the new methodologies have been demonstrated. For property verification,
the presented methodologies were model checking, counterexample generation, appli-
cation of the ASL specification to transient simulation waveforms obtained by a sim-
ulation controlled by complete state space-covering input stimuli, and multi-parallel
state space particle simulation.
The splitting of the verification process into a systematic ASL property specifica-
tion, followed by a completely automated formal verification using the new verifica-
tion algorithms, offers a structured verification flow with minimal user interaction.
Hence, not only the formality of the verification process but also its automation can be
enhanced by the new methodologies.
The new trajectory-directed discretization algorithm significantly improves model-
ing accuracy, for the first time allowing the dynamics of the state space to be captured
in a discrete model with an accuracy that deviates less than 10% from transient analysis.
The presented runtimes of the discretization can be considered acceptable, since
a model checking run on a discrete model replaces a large number of conventional
transient simulation runs. However, the exponential growth in states with the number
of state space dimensions for generating models with a constant accuracy still limits
the applicability to circuits larger than block level.
Equivalence checking using transient simulation with complete state space-
covering input stimuli has proven to compare well with the state-of-the-art approach
of transformed state space comparison. The wider area of application is a result of
the stimuli generation being possible even for abstraction levels where the previous
approach cannot be applied. This, however, comes at the cost of slightly higher verifi-
cation runtimes.
Table 6.9: Comparison of the results between equivalence checking by complete state
space-covering input stimuli (stimEC) and the transformed state space comparison
approach (VERA). The number of state space dimensions and the number of discrete
states of the state space graph is given for the transistor netlist implementations.

Circuit (Compared implementation)                     #Dimensions  #States  Error stimEC  Runtime  Error VERA  Runtime
Biquad Bandpass (Netl. vs. VHDL-AMS)                  3            2756     11%           48.13 s  1.32%       16.28 s
Delta-Sigma Modulator (Netl. vs. simple beh. model)   8            21001    10.67%        3:32 h   n.a.        n.a.
Log Domain Filter (Netl. vs. transfer function)       2            13866    5.73%         19.64 s  7.26%       9.49 s
Schmitt-trigger (Netl. vs. VHDL-AMS)                  2            754      3.37%         18.19 s  3.51%       5.50 s
Transistor Switch (Netl. vs. beh. model)              5            3200     0.88%         14.32 s  0.61%       8.47 s
Table 6.10: Input time steps, transient simulation response time steps and runtimes
of the stimEC equivalence checking approach compared to the approximated simula-
tion runtimes of circuit comparison by systematic simulation.

Circuit (Compared implementation)                       Input time steps  Simulation time steps  stimEC   Systematic Simulation
Biquad Bandpass (Netlist vs. VHDL-AMS)                  8648              144295                 48.13 s  ≈ 64 s
Delta-Sigma Modulator (Netlist vs. simple beh. model)   32690             4689963                3:32 h   ≈ 800 s
Log Domain Filter (Netlist vs. transfer function)       13910             659261                 19.64 s  ≈ 44 s
Schmitt-trigger (Netlist vs. VHDL-AMS)                  437               361337                 18.19 s  ≈ 44 s
Transistor Switch (Netlist vs. beh. model)              79                8322                   14.32 s  ≈ 258 s
7 Conclusions
Design verification of analog circuits lacks formal methodologies that would keep
up with customer needs such as reducing the occurrence of redesigns and of safety and
reliability issues. Hence, this thesis has the goal of contributing new formal methodolo-
gies for analog circuit verification to target this verification gap.
7.1 Summary
The analog formal verification methodologies for nonlinear analog circuits proposed
in this thesis consist of three areas:
• Discrete modeling
• Property specification
• Formal verification algorithms
To each of these areas, new approaches have been contributed in order to finally com-
pose a set of new formal verification methodologies with the design goals of increasing
accuracy and usability as well as back-propagation of formal verification results into
today’s test bench-based verification flows.
Discrete modeling Starting from the basics of system representation for verifica-
tion, discrete modeling of analog circuits has been motivated in order to apply for-
mal verification algorithms. The state of the art of state space discretization using a
hyperbox-based state space partitioning exhibits downsides such as not being rotation
invariant to the state space dynamics flow and therewith lacking accuracy and over-
approximating the successor relation of the states. Hence, by analyzing these down-
sides, the requirements for a new discretization approach have been discussed. This
resulted in the proposal of a trajectory-directed discretization algorithm, where the tra-
jectories of the state space dynamics control the partitioning of the state space. While
the geometric objects of the partitions are complex structures, a mapping to a discrete
analog transition structure (DATS) was possible on a dual representation of the par-
titioning structure. To this discrete model, analog formal verification algorithms can
be applied, delivering results of higher accuracy than previous approaches. This has
been demonstrated by experimental evaluations, comparing the results of the new dis-
cretization approach to those of the hyperbox discretization and to transient analysis.
Property specification Property specification on discrete transition structures orig-
inates from temporal logics, which have been discussed in this thesis. Up to now,
there have been no approaches that allow specifying complex analog properties for for-
mal verification in the state space, and only few approaches for signal-based analog
specification exist. In this thesis, after analyzing the existing approaches and develop-
ing requirements for improvements, this analog property specification gap has been
targeted by the development of the Analog Specification Language (ASL). ASL allows
new specification methodologies for property verification in the state space of ana-
log systems represented as a DATS. The feasibility of this model checking approach
has been demonstrated in the experimental results chapter by applying ASL specifica-
tions for properties such as advanced oscillation, startup time of autonomous circuits
and overshooting behavior to example circuits. Counterexamples can be generated
for specification-violating states and investigated in a transient simulation test bench.
Moreover, ASL specifications have been evaluated on transient simulation waveforms
without modification, building a bridge for applying formal property specification to
today’s simulation flows in preparation of the future introduction of formal model
checking.
Formal verification algorithms Besides the already mentioned model checking
methodology applying ASL specifications to a DATS generated by the new trajectory-
directed discretization algorithm, a set of additional formal verification methodologies
has been developed in the scope of this thesis. Motivated by the introduced approach
of counterexamples for analog model checking, the generation of complete state space-
covering input stimuli by complete traversal of a DATS was presented. This made it
possible to simulate analog circuit blocks in conventional transient simulation environ-
ments with guaranteed complete coverage of every reachable state the circuit can adopt.
Based on the new stimuli generation algorithm, a methodology of formal assertion-based
verification has been developed by evaluating ASL specifications on the waveform
results obtained from transient simulation with complete state space-covering input
stimuli. In addition, a formal equivalence checking methodology was introduced by
comparing the transient simulation responses of two circuit implementations to such
complete-coverage stimuli. The new state space particle simulation methodology aug-
mented the verification insights gained by the introduced property verification ap-
proaches.
7.2 Challenges and Future Work
While this thesis presents approaches for targeting the analog verification gap
by new formal verification methodologies, there are some challenges to solve before an
industrial application could be considered.
Enhancing the semantics of the discrete model The trajectory-directed discrete
modeling approach increased the accuracy of the state space discretization. However,
although this approach reduces the number of states needed for modeling a circuit
with equal discretization accuracy compared to previous approaches, the state space
explosion problem still persists. Hence, a higher circuit complexity than block level
could only be achieved by introducing modeling approaches that further decrease the
number of states and finally end up in a sub-exponential complexity with respect to
the number of state space variables. A possible approach could be giving up the ho-
mogeneity criterion for the state space partitioning and describing the flow of the state
space partitions with additional semantics such as simplified polynomial or differential
equations. While the partitions could be significantly larger due to more semantics put
into the symbolic description of a partition, such a symbolic approach would require
substantial changes to all verification algorithms operating on the enriched semantics
of the discrete structure that no longer could be represented by a graph-based DATS.
Merging ASL with an established specification language The introduction of ASL
showed how a minimal set of operations tailored to the purpose of analog prop-
erty specification can be sufficient for complex specification tasks in the circuit’s state
space. Especially with the possibility of ASL specification evaluation on transient sig-
nal waveforms, a future combination with established specification approaches by ad-
justing the syntax for example to PSL could increase the acceptance.
Coupling with commercial simulator back-ends In the area of verification algo-
rithms, the newly introduced verification methodologies based on complete state
space-covering input stimuli generation are well suited for application to block level
verification in today’s non-formal verification flows without requiring the user to
adapt to the up to now unfamiliar state space-based specification of analog properties.
However, besides the already discussed modeling complexity, a one-click applica-
tion of complete-coverage stimuli equivalence checking could only be made possible if
the discrete modeling algorithms were closely coupled to commercial transient circuit
simulators such as Cadence Spectre, requiring cooperation of the vendors to disclose
interface internals.
Extension to mixed-signal verification While there are mature approaches to formal
verification of digital systems, a challenge is posed by combining these approaches
with the methodologies for the analog domain. Even on block level, there can be
closely coupled feedback loops of digital and analog circuit parts, as found in delta-
sigma converters or phase-locked loops. While the complexity of such blocks can still
be handled by the analog discrete modeling, an abstraction of the digital circuit parts
as proposed in [JH08] can further extend the applicability of the approaches presented
in this thesis.
Considering parameter tolerances Although design verification primarily targets
design flaws that can be identified by a discrepancy between a specified property and
the implemented nominal functionality, the formal verification methodologies could
be applied to verify implementations under consideration of parameter tolerances. On
the one hand, this could directly be achieved by the straightforward approach of sta-
tistically varying the circuit parameters using the Monte Carlo method [MU49] in ver-
ification runs after the nominal circuit has been successfully verified. On the other
hand, the parameter tolerances could be already introduced into the model to which
the verification algorithms are applied using the concepts introduced in [GOB08].
Device macro-modeling using the trajectory-directed discretization Due to the in-
creased accuracy of the discrete models generated with the trajectory-directed dis-
cretization approach, their application as device macro-models can be considered. As
has been demonstrated in Section 6.3 by comparing transient analysis results to the
corresponding expected waveforms calculated on the discrete model, the modeling er-
ror is very small. Hence, by implementing a wrapper that maps arbitrary input signals
to a state sequence on paths and returns the sequence of state space variables of the vis-
ited states, a macro model for transient circuit analysis is given. The simulation times
for piecewise linear input signals can be expected to be significantly lower than those
of a transient analysis due to a simple directed graph traversal needed to determine
the circuit response on the DATS model.
A Appendix
A.1 VCO State Space Slices
[Figure A.1: four state space slices (a), (b), (c), (d), each plotting VC2 over VC1]
Figure A.1: State space slices with all state transitions for input voltages 0.66 V (a),
0.83 V (b), 1.00 V (c) and 1.17 V (d) showing the adaption of the trajectory-directed
discretization to the changed transition structure.
Bibliography
[ADG07] E. Asarin, T. Dang, and A. Girard. Hybridization methods for the analysis
of nonlinear systems. Acta Inf., 43(7):451–476, 2007.
[Ake78] S.B. Akers. Binary decision diagrams. IEEE Transactions on Computers,
27(6):509–516, 1978.
[And04] O. Andreassen and A. Helgeland. Visualization of vector fields using seed
LIC and volume rendering. IEEE Transactions on Visualization and Computer
Graphics, 10(6):673–682, 2004.
[APT03] P.J. Ashenden, G.D. Peterson, and D.A. Teegarden. The system designer’s
guide to VHDL-AMS. Morgan Kaufmann, 2003.
[ASZT07] G. Al-Sammane, M. H. Zaki, and S. Tahar. A symbolic methodology for the
verification of analog and mixed signal designs. In DATE ’07: Proceedings
of the conference on Design, automation and test in Europe, pages 249–254, San
Jose, CA, USA, 2007. EDA Consortium.
[BBDE+01] I. Beer, S. Ben-David, C. Eisner, D. Fisman, A. Gringauze, and Y. Rodeh.
The temporal logic Sugar. In Computer Aided Verification, pages 363–367.
Springer, 2001.
[BCM+90] J.R. Burch, E.M. Clarke, K.L. McMillan, D.L. Dill, and L.J. Hwang. Sym-
bolic Model Checking: 10^20 States and Beyond. In Proceedings of the Fifth
Annual IEEE Symposium on Logic in Computer Science, pages 1–33, 1990.
[BCMP06] G. Bonfini, M. Chiavacci, R. Mariani, and E. Pescari. A mixed-signal verifi-
cation kit for verification of analogue-digital circuits. In DATE ’06: Proceed-
ings of the conference on Design, automation and test in Europe, pages 88–93,
2006.
[Ben90] J. L. Bentley. K-d trees for semidynamic point sets. In SCG ’90: Proceed-
ings of the sixth annual symposium on Computational geometry, pages 187–197,
New York, NY, USA, 1990. ACM.
[BGG+09] E. Barke, D. Grabowski, H. Graeb, L. Hedrich, S. Heinen, R. Popp, S. Stein-
horst, and Y. Wang. Formal approaches to analog circuit verification. In
DATE ’09: Proceedings of the conference on Design, automation and test in Eu-
rope, pages 724–729, 2009.
[Bur01] B. Burdiek. Generation of optimum test stimuli for nonlinear analog cir-
cuits using nonlinear programming and time-domain sensitivities. In
DATE ’01: Proceedings of the conference on Design, automation and test in Eu-
rope, pages 603–609, 2001.
[Cad07] Cadence. Incisive Enterprise Specman. 2007. URL: http://www.
cadence.com/rl/Resources/datasheets/specman_elite_ds.pdf.
[CB95] Y.-A. Chen and R. E. Bryant. Verification of arithmetic circuits with binary
moment diagrams. Design Automation Conference, 0:535–541, 1995.
[CE82] E. M. Clarke and E. A. Emerson. Design and Synthesis of Synchronization
Skeletons Using Branching-Time Temporal Logic. In Logic of Programs,
volume 131 of Lecture Notes in Computer Science, pages 52–71. Springer-
Verlag, London, 1982.
[CGP99] E.M. Clarke, O. Grumberg, and D.A. Peled. Model checking. Springer, 1999.
[CHHK98] M. Chan, K.Y. Hui, C. Hu, and P.K. Ko. A robust and physical BSIM3 non-
quasi-static transient and AC small-signal model for circuit simulation.
IEEE Transactions on Electron Devices, 45(4):834–841, 1998.
[CJL+97] Y. Cheng, M.C. Jeng, Z. Liu, J. Huang, M. Chan, K. Chen, P.K. Ko, and
C. Hu. A physical and scalable I-V model in BSIM3v3 for analog/digi-
tal circuit simulation. IEEE Transactions on Electron Devices, 44(2):277–287,
1997.
[CK07] H. Chang and K. Kundert. Verification of complex analog and RF IC designs.
Proceedings of the IEEE, 95(3):622–639, 2007.
[Con04] Accellera Consortium. Property Specification Language Reference Man-
ual. Version 1.1, 2004. URL: http://www.eda.org/vfv/docs/
PSL-v1.1.pdf.
[CVK05] B. Cohen, S. Venkataramanan, and A. Kumari. SystemVerilog Assertions
Handbook: for Formal and Dynamic Verification. VhdlCohen Publishing, 2005.
[DAC98] M. Dwyer, G. Avrunin, and J. Corbett. Property Specification Patterns for
Finite-State Verification. In Proceedings of the 2nd Workshop on Formal Meth-
ods in Software Practice (FMSP-98), pages 7–15, 1998.
[DC05] T. Dastidar and P. Chakrabarti. A Verification System for Transient Re-
sponse of Analog Circuits Using Model Checking. In VLSID ’05: Proceed-
ings of the 18th International Conference on VLSI Design held jointly with 4th
International Conference on Embedded Systems Design, pages 195–200, 2005.
[DC07] T. R. Dastidar and P. P. Chakrabarti. A verification system for transient
response of analog circuits. ACM Trans. Des. Autom. Electron. Syst., 12(3):1–
39, 2007.
[DDM04] T. Dang, A. Donzé, and O. Maler. Verification of analog and mixed-signal
circuits using hybrid system techniques. In A. J. Hu and A. K. Martin,
editors, FMCAD, volume 3312 of Lecture Notes in Computer Science, pages
21–36. Springer, 2004.
[DH96] D. L. Darmofal and R. Haimes. An analysis of 3D particle path integration
algorithms. J. Comput. Phys., 123(1):182–195, 1996.
[Dij59] E.W. Dijkstra. A note on two problems in connexion with graphs. Nu-
merische Mathematik, 1(1):269–271, 1959.
[DL09] W. Dong and P. Li. Final-value ODEs: stable numerical integration and
its application to parallel circuit analysis. In ICCAD ’09: Proceedings of
the 2009 International Conference on Computer-Aided Design, pages 403–409,
New York, NY, USA, 2009. ACM.
[DM07] A. Donzé and O. Maler. Systematic simulation using sensitivity analysis.
Lecture Notes in Computer Science, 4416:174–189, 2007.
[DN09] T. Dang and T. Nahhal. Coverage-guided test generation for continuous
and hybrid systems. Form. Methods Syst. Des., 34(2):183–213, 2009.
[EF06] C. Eisner and D. Fisman. A practical introduction to PSL. Springer-Verlag
New York Inc, 2006.
[EGG98] J. Eckmueller, M. Gropl, and H. Graeb. Hierarchical characterization of
analog integrated CMOS circuits. In Proceedings of the conference on Design,
automation and test in Europe, pages 636–643. Citeseer, 1998.
[EMSS92] E. A. Emerson, A. K. Mok, A. P. Sistla, and J. Srinivasan. Quantitative
temporal reasoning. Real-Time Syst., 4(4):331–352, 1992.
[ES00] D. Estévez Schwarz. Consistent initialization for index-2 differential algebraic
equations and its application to circuit simulation. PhD thesis, Humboldt-
Univ. Berlin, 2000.
[FKR06] G. Frehse, B. Krogh, and R. Rutenbar. Verifying Analog Oscillator Circuits
Using Forward/Backward Abstraction Refinement. In DATE 2006: Design,
Automation and Test in Europe, 2006.
[FMW05] H. Foster, E. Marschner, and Y. Wolfsthal. IEEE 1850 PSL: The
Next Generation. 2005. URL: http://www.pslsugar.org/papers/
ieee1850psl-the_next_generation.pdf.
[FSS06] M. Freibothe, J. Schönherr, and B. Straube. Formal verification of the quasi-
static behavior of mixed-signal circuits by property checking. Electr. Notes
Theor. Comput. Sci., 153(3):23–35, 2006.
[GDWL92] D. D. Gajski, N. D. Dutt, Allen C.-H. Wu, and S. Y.-L. Lin. High-level syn-
thesis: introduction to chip and system design. Kluwer Academic Publishers,
Norwell, MA, USA, 1992.
[GJ79] M. R. Garey and D. S. Johnson. Computers and Intractability: A Guide to the
Theory of NP-Completeness. W. H. Freeman & Co., New York, USA, 1979.
[GKR04] S. Gupta, B. H. Krogh, and R. A. Rutenbar. Towards formal verification of
analog designs. In ICCAD ’04: Proceedings of the 2004 IEEE/ACM Interna-
tional conference on Computer-aided design, pages 210–217, Washington, DC,
USA, 2004. IEEE Computer Society.
[GOB08] D. Grabowski, M. Olbrich, and E. Barke. Analog circuit simulation using
range arithmetics. In ASP-DAC ’08: Proceedings of the 2008 conference on
Asia and South Pacific design automation, pages 762–767, Los Alamitos, CA,
USA, 2008. IEEE Computer Society Press.
[GPHB05] D. Grabowski, D. Platte, L. Hedrich, and E. Barke. Time Constrained Ver-
ification of Analog Circuits using Model-Checking Algorithms. In FAC
2005: Proceedings of the First Workshop on Formal Verification of Analog Cir-
cuits, pages 37–52, 2005.
[GRW05] J. Goss, W. Roesner, and B. Wile. Comprehensive Functional Verification. Mor-
gan Kaufmann Publishers, 2005.
[GV99] A. Ghosh and R. Vemuri. Formal verification of synthesized analog de-
signs. In ICCD ’99: Proceedings of the 1999 IEEE International Conference on
Computer Design, page 40, Washington, DC, USA, 1999. IEEE Computer
Society.
[GVL96] G. H. Golub and C. F. Van Loan. Matrix computations. Johns Hopkins University Press, 1996.
[GY08] M. R. Greenstreet and S. Yang. Verifying start-up conditions for a ring oscillator. In GLSVLSI '08: Proceedings of the 18th ACM Great Lakes Symposium on VLSI, pages 201–206, New York, NY, USA, 2008. ACM.
[HA92] H. Alt and M. Godau. Measuring the resemblance of polygonal curves. In Proc. of the 8th Annual Symposium on Computational Geometry, pages 102–109, 1992.
[Har03] W. Hartong. Ansätze zum Model-Checking nichtlinearer analoger Systeme. Fortschritt-Berichte VDI, Reihe 20 Nr. 364. VDI Verlag GmbH, Düsseldorf, 2003.
[HB95] L. Hedrich and E. Barke. A formal approach to nonlinear analog circuit verification. In ICCAD '95: Proceedings of the 1995 IEEE/ACM International Conference on Computer-Aided Design, pages 123–127, Washington, DC, USA, 1995. IEEE Computer Society.
[HB98] L. Hedrich and E. Barke. A formal approach to verification of linear analog circuits with parameter tolerances. In DATE '98: Proceedings of the Conference on Design, Automation and Test in Europe, pages 649–655, Washington, DC, USA, 1998. IEEE Computer Society.
[HBKK94] B. J. Hosticka, W. Brockherde, R. Klinke, and R. Kokozinski. Design methodology for analog monolithic circuits. IEEE Transactions on Circuits and Systems I: Fundamental Theory and Applications, pages 387–394, 1994.
[HGT91] S. A. Huss, M. Gerbershagen, and G. Traenkle. Automatic performance characterization of analog functional blocks. Analog Integrated Circuits and Signal Processing, 1(4):277–286, 1991.
[HH95] T. A. Henzinger and P.-H. Ho. Algorithmic analysis of nonlinear hybrid systems. In P. Wolper, editor, Proceedings of the 7th International Conference on Computer Aided Verification, volume 939, pages 225–238, Liege, Belgium, 1995. Springer Verlag.
[HHB02a] W. Hartong, L. Hedrich, and E. Barke. Model checking algorithms for analog verification. In Proceedings of the 39th Conference on Design Automation (DAC '02), pages 542–547, 2002.
[HHB02b] W. Hartong, L. Hedrich, and E. Barke. On discrete modeling and model checking for nonlinear analog systems. In CAV '02: Proceedings of the 14th International Conference on Computer Aided Verification, pages 401–413, London, UK, 2002. Springer-Verlag.
[HKH04] W. Hartong, R. Klausen, and L. Hedrich. Formal verification for nonlinear analog systems: Approaches to model and equivalence checking. 2004.
[HLSS08] W. Hartong, N. Luetke-Steinhorst, and R. Schweiger. Coverage Driven Verification for Mixed Signal Systems. GMM-Fachbericht ANALOG '08, 2008.
[Hol99] A. Holt. Formal verification with natural language specifications: guidelines, experiments and lessons so far. South African Computer Journal, 24:253–257, 1999.
[HRB75] C. W. Ho, A. E. Ruehli, and P. A. Brennan. The Modified Nodal Approach to Network Analysis. IEEE Transactions on Circuits and Systems, 22(6):504–509, 1975.
[JH08] A. Jesser and L. Hedrich. A Symbolic Approach for Mixed-Signal Model Checking. In Proceedings of the 13th Asia and South Pacific Design Automation Conference (ASP-DAC '08), pages 404–409, COEX, Seoul, Korea, January 2008.
[JKK08] K. D. Jones, J. Kim, and V. Konrad. Some 'real world' problems in the analog and mixed signal domains. In Gordon J. Pace and Satnam Singh, editors, Seventh International Workshop on Designing Correct Circuits: Budapest, 29–30 March 2008: Participants' Proceedings, pages 15–29. ETAPS 2008, March 2008. A Satellite Event of the ETAPS 2008 group of conferences.
[JKN10] K. D. Jones, V. Konrad, and D. Ničković. Analog property checkers: a DDR2 case study. Form. Methods Syst. Des., 36(2):114–130, 2010.
[KB05] R. H. Katz and G. Borriello. Contemporary logic design. 2005.
[Kir47] G. Kirchhoff. Über die Auflösung der Gleichungen, auf welche man bei der Untersuchung der linearen Vertheilung galvanischer Ströme geführt wird. Annalen der Physik, 148(12):497–508, 1847.
[KM91] R. P. Kurshan and K. L. McMillan. Analysis of digital circuits through symbolic reduction. IEEE Trans. on CAD of Integrated Circuits and Systems, 10(11):1356–1371, 1991.
[KZ04] K. S. Kundert and O. Zinke. The designer's guide to Verilog-AMS. Springer, 2004.
[Lam00] A. van Lamsweerde. Formal specification: a roadmap. In ICSE '00: Proceedings of the Conference on The Future of Software Engineering, pages 147–159, New York, NY, USA, 2000. ACM.
[LSW+06] S. Little, N. Seegmiller, D. Walter, C. Myers, and T. Yoneda. Verification of analog/mixed-signal circuits using labeled hybrid Petri nets. In ICCAD '06: Proceedings of the 2006 IEEE/ACM International Conference on Computer-Aided Design, pages 275–282, New York, NY, USA, 2006. ACM.
[Mas83] W. S. Massey. Cross products of vectors in higher dimensional Euclidean spaces. The American Mathematical Monthly, 90(10):697–701, 1983.
[McA93] D. F. McAllister, editor. Stereo computer graphics: and other true 3D technologies. Princeton University Press, Princeton, NJ, USA, 1993.
[McM92] K. L. McMillan. Symbolic model checking: an approach to the state explosion problem. PhD thesis, Pittsburgh, PA, USA, 1992.
[Men01] E. Mendelson. Introduction to mathematical logic. Chapman & Hall/CRC, 2001.
[MHW+06] C. J. Myers, R. R. Harrison, D. Walter, N. Seegmiller, and S. Little. The case for analog circuit verification. Electr. Notes Theor. Comput. Sci., 153(3):53–63, 2006.
[Mir95] R. Miranda. Algebraic curves and Riemann surfaces. American Mathematical Society, 1995.
[MM04] P. Molitor and J. Mohnke. Equivalence checking of digital circuits: fundamentals, principles, methods. Kluwer Academic Publishers, 2004.
[MNP08] O. Maler, D. Nickovic, and A. Pnueli. Checking temporal properties of discrete, timed and continuous behaviors. In A. Avron, N. Dershowitz, and A. Rabinovich, editors, Pillars of Computer Science, volume 4800 of Lecture Notes in Computer Science, pages 475–505. Springer, 2008.
[MPDG09] R. Mukhopadhyay, S. K. Panda, P. Dasgupta, and J. Gough. Instrumenting AMS assertion verification on commercial platforms. ACM Trans. Des. Autom. Electron. Syst., 14(2):1–47, 2009.
[MU49] N. Metropolis and S. Ulam. The Monte Carlo method. Journal of the American Statistical Association, 44(247):335–341, 1949.
[MZXA08] Hong-Guang Ma, Xiao-Fei Zhu, Jian-Feng Xu, and Ming-Shun Ai. Circuit state analysis using chaotic signal excitation. Journal of the Franklin Institute, 345(1):75–86, 2008.
[Nag75] L. W. Nagel. SPICE2: A Computer Program to Simulate Semiconductor Circuits. PhD thesis, EECS Department, University of California, Berkeley, 1975.
[NM07] D. Nickovic and O. Maler. AMT: A property-based monitoring tool for analog systems. In J.-F. Raskin and P. S. Thiagarajan, editors, FORMATS, volume 4763 of Lecture Notes in Computer Science, pages 304–319. Springer, 2007.
[PHHB98] R. Popp, W. Hartong, L. Hedrich, and E. Barke. Error estimation on symbolic behavioral models of nonlinear analog circuits. In SMACD '98: Proceedings of the 5th International Conference on Symbolic Methods and Applications to Circuit Design, pages 223–226, 1998.
[Pnu77] A. Pnueli. The temporal logic of programs. In Proceedings of the 18th IEEE Symposium on the Foundations of Computer Science (FOCS-77), pages 46–57, 1977.
[Rap90] J. Raphson. Analysis Aequationum Universalis Seu Ad Aequationes Algebraicas Resolvendas Methodus Generalis, et Expedita, Ex nova Infinitarum Serierum Doctrina, Deducta Ac Demonstrata. London, 1690. Original in British Library, London.
[SA01] S. Seshadri and J. A. Abraham. Frequency response verification of analog circuits using global optimization techniques. J. Electron. Test., 17(5):395–408, 2001.
[SH08a] S. Steinhorst and L. Hedrich. A formal approach to complete state space-covering input stimuli generation for verification of analog systems. In Analog 2008: 10. ITG/GMM-Fachtagung Entwicklung von Analogschaltungen mit CAE-Methoden, 2008.
[SH08b] S. Steinhorst and L. Hedrich. Model Checking of Analog Systems using an Analog Specification Language. In Proc. of the Conference on Design, Automation and Test in Europe 2008 (DATE '08), pages 324–329, 2008.
[SH09] S. Steinhorst and L. Hedrich. Joint property specification for transient simulation and formal verification of analog circuits. In Proc. of the edaWorkshop '09, pages 13–18, Berlin, 2009. VDE Verlag.
[SH10a] S. Steinhorst and L. Hedrich. Advanced methods for equivalence checking of analog circuits with strong nonlinearities. Formal Methods in System Design, 36(2):131–147, 2010.
[SH10b] S. Steinhorst and L. Hedrich. Improving verification coverage of analog circuit blocks by state space-guided transient simulation. In ISCAS 2010: IEEE International Symposium on Circuits and Systems, May 2010.
[SHZ+01] M. Soma, S. Huynh, J. Zhang, S. Kim, and G. Devarayanadurg. Hierarchical ATPG for Analog Circuits and Systems. IEEE Des. Test, 18(1):72–81, 2001.
[SJH06] S. Steinhorst, A. Jesser, and L. Hedrich. Advanced Property Specification for Model Checking of Analog Systems. In Analog 2006: 9. ITG/GMM-Fachtagung Entwicklung von Analogschaltungen mit CAE-Methoden, pages 63–68, 2006.
[SPH09] S. Steinhorst, M. Peter, and L. Hedrich. State space exploration of analog circuits by visualized multi-parallel particle simulation. In ICSPS '09: Proceedings of the 2009 International Conference on Signal Processing Systems, pages 858–862, Washington, DC, USA, 2009. IEEE Computer Society.
[ST00] D. E. Schwarz and C. Tischendorf. Structural analysis of electric circuits and consequences for MNA. International Journal of Circuit Theory and Applications, 28(2):131–162, 2000.
[Syn03] Synopsys Inc. OpenVera Language Reference Manual, 2003.
[SZDT07] G. Al Sammane, M. H. Zaki, Z. J. Dong, and S. Tahar. Towards assertion based verification of analog and mixed signal designs using PSL. In FDL, pages 293–298. ECSI, 2007.
[TGP+09] S. K. Tiwary, A. Gupta, J. R. Phillips, C. Pinello, and R. Zlatanovici. First steps towards SAT-based formal analog verification. In ICCAD '09: Proceedings of the 2009 International Conference on Computer-Aided Design, pages 1–8, New York, NY, USA, 2009. ACM.
[Tis96] C. Tischendorf. Solution of index-2 DAEs and its application in circuit simulation. PhD thesis, Humboldt-Univ. Berlin, 1996.
[Tsi03] Y. Tsividis. Operation and modeling of the MOS transistor. Oxford University Press, USA, 2003.
[VdPG97] W. Verhaegen, G. Van der Plas, and G. Gielen. Automated Test Pattern Generation for Analog Integrated Circuits. In VTS '97: Proceedings of the 15th IEEE VLSI Test Symposium, pages 296–301, 1997.
[Vla94] A. Vladimirescu. The SPICE book. John Wiley & Sons, Inc., New York, NY, USA, 1994.
[Whi95] J. E. Whitesitt. Boolean algebra and its applications. Dover Publications, 1995.
[WJWH09] Y. Wang, S. Joeres, R. Wunderlich, and S. Heinen. Modeling approaches for functional verification of RF-SoCs: limits and future requirements. IEEE Trans. Comp.-Aided Des. Integ. Cir. Sys., 28(5):769–773, 2009.
[Ypm95] T. J. Ypma. Historical development of the Newton-Raphson method. SIAM Review, 37(4):531–551, 1995.
Curriculum Vitae
Sebastian Steinhorst
born 7 February 1980 in Mainz
Education
2006 - 2010 Doctoral studies in Computer Science at the Goethe-Universität in Frankfurt am Main.
2000 - 2005 Studies in Computer Science with a minor in Business Administration at the Goethe-Universität in Frankfurt am Main. Degree of Diplom-Informatiker in December 2005. Diploma thesis at the Chair of Design Methodology: "Entwicklung einer Spezifikationssprache für das Model Checking von Mixed-Signal Systemen" (Development of a Specification Language for Model Checking of Mixed-Signal Systems). (Advisor: Prof. Dr.-Ing. Lars Hedrich).
1990 - 1999 Attended the Gymnasium branch of the Kopernikusschule Freigericht; Abitur (general university entrance qualification) in June 1999.
Professional Experience
since March 2006 Research assistant at the Chair of Design Methodology (Prof. Dr.-Ing. Lars Hedrich) at the Goethe-Universität in Frankfurt am Main.