Time Constrained Verification of Analog Circuits using Model-Checking Algorithms by Grabowski, Darius et al.
Time Constrained Veriﬁcation of Analog
Circuits using Model-Checking Algorithms
Darius Grabowski1
Institute of Microelectronic Systems
University of Hannover, Germany
Daniel Platte2
Inﬁneon Technologies AG
Munich, Germany
Lars Hedrich3
Institute for Computer Science
University of Frankfurt/Main, Germany
Erich Barke4
Institute of Microelectronic Systems
University of Hannover, Germany
Abstract
In this contribution we present algorithms for model checking of analog circuits enabling the spec-
iﬁcation of time constraints. Furthermore, a methodology for deﬁning time-based speciﬁcations is
introduced. An already known method for model checking of integrated analog circuits has been
extended to take into account time constraints. The method will be presented using three industrial
circuits. The results of model checking will be compared to veriﬁcation by simulation.
Keywords: Model Checking, Analog Circuits, CTL, Time Constraints
1 Email: darius.grabowski@ims.uni-hannover.de
2 Email: daniel.platte@infineon.com
3 Email: hedrich@informatik.uni-frankfurt.de
4 Email: barke@ims.uni-hannover.de
Electronic Notes in Theoretical Computer Science 153 (2006) 37–52
1571-0661  © 2006 Elsevier B.V. 
www.elsevier.com/locate/entcs
doi:10.1016/j.entcs.2006.01.026
Open access under CC BY-NC-ND license.
1 Introduction
Formal veriﬁcation methods are widely used in design validation of digital
circuits. In contrast to the digital domain formal veriﬁcation of analog circuits
is still under research. Some approaches in the area of hybrid systems are well
known: Linear or piecewise linear hybrid systems using ordinary diﬀerential
equations (ODE) can be analyzed in terms of reachability analysis [9]. Recent
approaches are also able to deal with nonlinear equation systems [5]. Analog
circuits described on transistor level have to be described with a strongly
nonlinear diﬀerential-algebraic equation system. Methods for these circuit
types can be divided into invariant set computations/reachability analyses [6]
and model checking approaches [7,8] enabling CTL-like property descriptions.
So far, the latter methods were not suitable for veriﬁcation of time con-
straints. As a major part of circuit speciﬁcations contains time criteria, an
extension of analog model checking towards consideration of time constraints
is essential for future use. There exist approaches to define and check real time
properties for example for timed automata: TCTL ([2]) and more dedicated
to delays of digital circuits: WQCTL ([4]). The extensions presented in this
paper are based on algorithms for analog circuits taking time behavior into
account during discretization of the state space and checking speciﬁcations in
an extended computation tree logic (CTL-AT).
The ﬁrst part of this publication focuses on algorithms for analog model
checking and a methodology for the veriﬁcation of time constraints. The
functionality of the new algorithms will be demonstrated in the second part
of the paper using three analog circuit blocks.
2 Model Checking
The presented method aims at the analysis of nonlinear dynamic analog cir-
cuits. Based on an extended modiﬁed nodal analysis [10] a system of nonlinear
diﬀerential-algebraic equations (DAE system) is set up for the circuit. The
state variables of the energy storing elements (voltages at capacitances, cur-
rents through inductors) are used as independent variables. These variables
and the input variables span an extended state space.
In [7,8] an analog model checking method was presented to compare a
speciﬁcation represented by a CTL expression to the circuit behavior. To
make this possible the continuous n-dimensional state space has to be mapped
to a ﬁnite discrete transition system.
Therefore, the state space is bounded and automatically divided into a
ﬁnite number of n-dimensional hyperboxes. Each of these hyperboxes repre-
D. Grabowski et al. / Electronic Notes in Theoretical Computer Science 153 (2006) 37–5238
sents a homogeneous part of the state space and is treated as a discrete state of
the simpliﬁed system. Figure 1a) shows the discrete state space of a damped
resonant circuit.
The ﬁnite set of discrete hyperboxes fully covers the limited state space.
To obtain successor relations between the discrete states a constant number
of randomly generated points is placed within each hyperbox of the state
space. Each of these points represents a combination of values for the input
and state variables by its coordinates. By numerically solving the nonlinear
DAE-system of the circuit solution vectors can be obtained for those points.
A vector can be transformed into a discrete state-transition by using an over-
estimating estimation. In Figure 1a) the solution vectors are shown as arrows.
Additionally, within the enlarged box the resulting state transitions of the
dark-grey hyperbox are visualized by the midpoint-to-midpoint connection.
Diﬀerent criteria take care of the resulting error during discretization and
try to automatically minimize the error by choosing a suitable subdivision of
the state space. The speciﬁcation of a circuit formulated in CTL-AT can then
be checked by using digital model checking algorithms.
2.1 Time Constrained Computation Tree Logic
The analysis of timing behavior is based on a computation tree logic (CTL)
as already used in digital circuit analysis [2,3,4]. With the aid of CTL it is
possible to deﬁne speciﬁcations for ﬁnite state machines. The compliance of
these CTL expressions with the system’s behavior can be proven automatically
by using model checking algorithms. CTL uses special operations that are
built of a so called path quantiﬁer (A, E) and a temporal operator (F -
ﬁnally, G - generally, U - until). The path quantiﬁer E deﬁnes that a temporal
operation has to be fulﬁlled by at least one path within the ﬁnite state machine.
The A quantiﬁer determines that the CTL condition has to be fulﬁlled on all
possible paths.
The temporal operators accept one (F , G) or two (U) sets of states as
arguments. All CTL operations result in a set of states that meet the speciﬁed
condition. Sets of states are marked with capital greek letters.
Using temporal operations the dynamic speciﬁcation of state machines can
be described. E.g. EF (Φ) results in a set of starting states of paths that ﬁnally
reach the set Φ. All states of a set Φ that do not have a path leaving the set
can be found by using the CTL formula AG(Φ).
However, this basic form of CTL is neither suitable for analyzing analog
circuits nor for specifying timing behavior. Hence, the logic was extended
by analog operators (>,<) that oﬀer the possibility to deﬁne sets of states
within the continuous state space of analog systems. To specify dynamic sys-
[Figure 1: panel b) shows, for a starting state s and the interval tlow to thigh, the operators EF[tlow, thigh], AF[tlow, thigh], EG[tlow, thigh], AG[tlow, thigh], E(· U[tlow, thigh] ·) and A(· U[tlow, thigh] ·).]
Fig. 1. a) Discrete State Space and b) CTL-AT Reference
tem behavior with a CTL syntax (CTL-AT) it was necessary to introduce
time-constrained temporal operators that additionally constrain the scope of
the operations. Further extensions concern the direction of state transitions.
Therefore, the time inversion has been introduced, described by the −1 oper-
ator.
Figure 1b) shows CTL-AT operations for analog circuits. S represents a
starting state of a path within an automaton that fulfills the CTL-AT condition
speciﬁed below each drawing. The cone-like form depicts the branching of
paths starting in S.
The usage of the time-constrained temporal operators F and U causes
a reduced result set in comparison to the unconstrained operations. The
resulting set of states only contains those states that reach the argumental set
of states on paths whose temporal length is within the time interval given with
the operation. In contrast, the time constraint of the G operation increases
the result set of the operation as the previous meaning of G is attenuated from
"generally" to "during the time interval".
2.2 Algorithms for Time Constrained Analyses
The identiﬁcation of delay times in the discretized state space is necessary
when taking into account time constraints. For modelling delay times in ﬁ-
nite automata there are two promising approaches – timed automata [1] and
delayed state transitions. The presented algorithms use delayed transitions to
model the time within the determined transition system as this is algorithmi-
cally easier to handle. Furthermore, they give a good approximation of analog
circuits’ behavior. The calculation of the delay times takes place during the
discretization of the state space. By evaluating the time steps of the equation
solver during the identification of successor states a ratio of delay time and
length of the solution vector is obtained. Simultaneously, the delay time for
the resulting transition is corrected proportionally to the midpoint distance of
both states. If more than one solution vector leads to the same transition the
arithmetic mean of the corrected delay times is associated with the transition.
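One way to derive delay-annotated transitions from sampled test points, as an added Python example that is not the authors' tool. Assumptions: explicit Euler integration of an ODE stands in for the DAE solver, the grid is uniform, successors are not over-approximated, and all function and parameter names are hypothetical.

```python
import itertools
import math
import random
from collections import defaultdict


def box_of(point, lo, width, n):
    """Index of the hyperbox containing `point`, or None outside the bounded state space."""
    idx = tuple(math.floor((p - l) / w) for p, l, w in zip(point, lo, width))
    return idx if all(0 <= k < n for k in idx) else None


def midpoint(idx, lo, width):
    """Midpoint coordinates of the hyperbox with grid index `idx`."""
    return tuple(l + (k + 0.5) * w for k, l, w in zip(idx, lo, width))


def delayed_transitions(field, lo, hi, n, points_per_box=5, dt=1e-3,
                        max_steps=20000, seed=0):
    """Map (src_box, dst_box) -> mean corrected delay time.

    field(x) returns dx/dt; the state space [lo, hi] is cut into n boxes per axis.
    """
    rng = random.Random(seed)              # fixed seed: reproducible test points
    width = [(h - l) / n for l, h in zip(lo, hi)]
    samples = defaultdict(list)            # transition -> corrected delay times
    for src in itertools.product(range(n), repeat=len(lo)):
        for _ in range(points_per_box):
            # random test point inside the source hyperbox
            x = [l + (k + rng.random()) * w for k, l, w in zip(src, lo, width)]
            elapsed = length = 0.0
            dst = src
            for _ in range(max_steps):     # integrate until the box is left
                v = field(x)
                x = [xi + vi * dt for xi, vi in zip(x, v)]
                elapsed += dt
                length += dt * math.hypot(*v)
                dst = box_of(x, lo, width, n)
                if dst != src:
                    break
            if dst is None or dst == src or length == 0.0:
                continue                   # left the bounded space, or never left the box
            ratio = elapsed / length       # delay time per unit length of the solution vector
            dist = math.dist(midpoint(src, lo, width), midpoint(dst, lo, width))
            samples[(src, dst)].append(ratio * dist)   # correction by midpoint distance
    # several vectors leading to the same transition: arithmetic mean
    return {edge: sum(ts) / len(ts) for edge, ts in samples.items()}


def damped_resonator(x):
    """Constructed sample system: x0' = x1, x1' = -x0 - 0.4 * x1."""
    return (x[1], -x[0] - 0.4 * x[1])


if __name__ == "__main__":
    edges = delayed_transitions(damped_resonator, (-1.0, -1.0), (1.0, 1.0), n=8)
    for (src, dst), delay in sorted(edges.items())[:5]:
        print(src, "->", dst, f"delay {delay:.3f}")
```

The returned dictionary maps each discrete transition to a single delay time, which is the form a time-constrained CTL evaluation over delayed transitions needs as input.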
Determining the result sets of time-constrained CTL operations requires
the processing of temporal path lengths within the transition system. The
intention is e.g. to ﬁnd all states that reach a set of states on at least one
path within a given time interval (time-constrained EF operation). The end
of those paths is determined by the argument of the CTL-operation and may
consist of a set of discrete hyperboxes of the state space.
The calculation of CTL-operations can be reduced to two basic operations
EU and EG by using CTL theorems [8]. For processing the result sets of
the EF and EU operation the former algorithm was extended in a way that
it assigns a set of discrete delay times to each state. This set contains all
temporal lengths of paths starting in this state and ending within the target
set. The total delay time of a path is calculated by summing up all delay
times of transitions on its path. After ﬁnishing the algorithm the resulting
set of states is reduced by states that do not have a delay time within the
given time interval (usage of E-quantiﬁer) or by states having one delay time
outside of the time interval (usage of A quantiﬁer).
Exemplarily, we will discuss the algorithm for calculating the solution of
a time constrained EU operation. Afterwards, a simple example (Figure 2) is
shown to clarify the functionality.
The E(Φ U[tlow, thigh] Ψ) operation accepts two sets of states as arguments.
The resulting set is intended to contain all states that reach Ψ on at least one
path within Φ within the given time interval [tlow, thigh]. The algorithm starts
with the set Ψ which is copied into an intermediate set of states Ω. Next,
the previously introduced sets of delay times are initialised with zero for the
states Ψ.
Ω converges towards the resulting set by repeatedly adding previous states
that fulﬁll several conditions: The previous state has to reach Ω by one of
its transitions, it has to be part of Φ, it can not be added multiple times
to Ω and ﬁnally it has to satisfy the upper time constraint thigh. Adding a
state to the set Ω results in a propagation of its set of delay times to the
previous state after increasing all contained times by the transition time. The
algorithm terminates as soon as an invariant set Ω is found. The resulting set
is obtained by ﬁnally reducing Ω by all states that do not contain a delay time
greater than tlow.
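[Figure 2: panels a) and b) show the states A, B, C, D and E and the sets Ψ and Φ; the nodes carry the delay-time sets {3,5}, {1,3}, {1}, {0} and {1}, the transitions the delay times 1, 1, 2, 2, 1 and 1.]
Fig. 2. a) Transition System and b) Resulting Set of Equation (3)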
$$\Psi = \{A, B, C, D\} \tag{1}$$
$$\Phi = \{A\} \tag{2}$$
$$\Theta = E(\Psi \; U[1, 2] \; \Phi) = \{C, D\} \tag{3}$$
Figure 2a) depicts an exemplary transition system to illustrate the algorithm
for determining the result of an EU operation. Next to the transitions, the
corresponding delay times are given. Each state node contains the set of possible
delay times when transitioning to state A. Equations (1) to (3) define two sets
of states and a CTL-AT operation. The result set is displayed in Figure 2b).
It contains only states that reach Ψ on at least one path within a delay interval
of 1 to 2 time units.
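The backward propagation of delay-time sets described above, as an added Python example (not the authors' amcheck code), evaluated on the sets of Equations (1) to (3). The edges of the five-state transition system are constructed for illustration. Unlike the text, which adds each state to Ω only once, this version keeps propagating new delay times until no set changes, so cycles are handled as well.

```python
from collections import defaultdict


def timed_eu(transitions, path_set, target_set, t_low, t_high):
    """States satisfying E(path_set U[t_low, t_high] target_set).

    transitions maps (src, dst) -> non-negative delay time of that transition.
    Returns (result_states, delays); delays[s] is the set of temporal path
    lengths (<= t_high) from s to the target set along states of path_set.
    """
    preds = defaultdict(list)              # dst -> [(src, delay), ...]
    for (src, dst), delay in transitions.items():
        preds[dst].append((src, delay))

    # Omega starts as a copy of the target set with delay time zero.
    delays = {s: {0} for s in target_set}
    work = [(s, 0) for s in target_set]
    while work:
        state, t = work.pop()
        for src, d in preds[state]:
            total = t + d                  # increase by the transition time
            if src not in path_set or total > t_high:
                continue                   # outside the path set or too slow
            known = delays.setdefault(src, set())
            if total not in known:         # new path length: propagate further
                known.add(total)
                work.append((src, total))

    # E quantifier: keep states with at least one delay time inside the
    # closed interval (the upper bound was enforced during propagation).
    result = {s for s, ts in delays.items() if any(t >= t_low for t in ts)}
    return result, delays


def timed_ef(transitions, states, target_set, t_low, t_high):
    """EF[t_low, t_high](target): EU with every state allowed on the path."""
    return timed_eu(transitions, set(states), target_set, t_low, t_high)


# Constructed transition system (edges and delay times are assumptions).
SAMPLE = {
    ("B", "E"): 2,
    ("E", "A"): 1,
    ("E", "D"): 2,
    ("D", "A"): 1,
    ("C", "A"): 1,
}
PSI = {"A", "B", "C", "D"}                 # Equation (1): states allowed on the path
PHI = {"A"}                                # Equation (2): target set

if __name__ == "__main__":
    result, delays = timed_eu(SAMPLE, PSI, PHI, 1, 2)
    print("E(Psi U[1,2] Phi) =", sorted(result))
    print("delay-time sets:", {s: sorted(ts) for s, ts in sorted(delays.items())})
    # Without the path restriction, state E qualifies as well.
    print("EF[1,2](Phi) =", sorted(timed_ef(SAMPLE, "ABCDE", PHI, 1, 2)[0]))
```

State A is dropped by the lower bound (its only delay time is 0), while E and B never enter Ω because E is not in Ψ and B reaches A only through E.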
3 Methodology for Veriﬁcation of Time-Based Speciﬁ-
cations
In this section a methodology to verify time-based speciﬁcations like signal
edges and oscillations by using model checking will be presented. The ad-
vantage of using model checking instead of circuit simulation is that by using
model checking algorithms and CTL-AT formulas the compliance of a system
to its speciﬁcation can be proven.
3.1 Veriﬁcation of Time Constraints for Signal Edges
Figure 3a) shows the transient plot of a signal edge. The time-constrained F -
operation can be applied to prove a rise time using model checking algorithms.
For that purpose two areas Φhigh and Φlow of the state space have to be deﬁned.
Φhigh and Φlow contain the states at the upper and lower side of the threshold
values. Equations (4) and (5) are used to extract the sets of states by using
analog operators (>, <) and lower as well as upper threshold values. In
Figure 3b) the signal edge is plotted in the state space with a voltage U over
another state variable X which is not of interest for this evaluation.
$$\Phi_{high} = U > U_{high} \tag{4}$$
$$\Phi_{low} = U < U_{low} \tag{5}$$
A speciﬁed rise time TLH can be veriﬁed by Equation (6) and the sets of
states Φhigh and Φlow. After applying the model checking algorithm the result-
ing set of states ΩLH contains all states which reach the area Φhigh starting
from Φlow on all paths faster than constrained by TLH . If the result set is
empty, the speciﬁcation is not fulﬁlled by the circuit.
$$\Omega_{LH} = AF[0, T_{LH}](\Phi_{high}) \wedge \Phi_{low} \tag{6}$$
[Figure 3: panel a) plots U over t, with the markers 80% and T.]
Fig. 3. Positive edge: a) Transient Plot and b) Representation in the State Space
Based on the result for the rise time, proof of a specified slew rate can also
be given using Equation (7). For falling edges the methodology can also be
applied in a slightly modified way by simply interchanging the sets Φhigh and
Φlow.
$$SR = \frac{U_{high} - U_{low}}{T_{LH}} \tag{7}$$
3.2 Oscillation Analysis
The basis for analyses of oscillating behavior is the extraction of the oscilla-
tion area Θ. Therefore, the state space is split in two sections Φlow and Φhigh.
In the next step we determine all states which ﬁnally lead to Φlow and Φhigh
respectively on all paths by applying the AF formula. Θ is part of the super-
position of the resulting sets. Applying the AG formula all states leaving the
selected area on at least one path are excluded. Finally, we use the inverted
EG-formula to exclude all states settling up into the oscillation. The resulting
formula is presented in Equation (8).
$$\Theta = EG^{-1}\big(AG(AF(\Phi_{high})) \wedge AG(AF(\Phi_{low}))\big) \tag{8}$$
Within Θ two sections Φ0 and Φ1 can be chosen splitting the oscillation
area into a positive and a negative half-space. In Figure 4 Θ, Φ0 and Φ1 are
schematically displayed in a two-dimensional state space spanned by the state
variables X1 and X2.
$$\Omega_{01} = E(\Theta \; U[0, T_{high}] \; \Phi_1) \wedge \Phi_0 \tag{9}$$
$$\Omega_{10} = E(\Theta \; U[0, T_{low}] \; \Phi_0) \wedge \Phi_1 \tag{10}$$
By using model checking combined with the time-constrained EU opera-
tion shown in Equations (9) and (10), the delay times Thigh and Tlow for the
positive and the negative half space can be proven. The procedure is equal to
the analysis of a signal edge; the only diﬀerence is the additional restriction
of the paths to the oscillation area by using the EU operation instead of AF .
Fig. 4. Oscillation in the State Space
$$f = \frac{1}{T} = \frac{1}{T_{low} + T_{high}} \tag{11}$$
$$DC = \frac{T_{high}}{T_{low} + T_{high}} \tag{12}$$
The compliance of the circuit to a speciﬁed oscillation frequency and duty
cycle can be derived from Equations (11) and (12).
4 Applications
The proposed CTL-AT approach was implemented as an extension of an ex-
isting model checking prototype tool called amcheck, developed at the IMS,
University of Hannover. The presented results were processed on a SUN server
with a sparcv9 processor. We use three circuits containing two or three
state variables.
At this point we should mention that processing time is a crucial problem,
because in principle it rises exponentially with the number of system states.
The main part of the runtime concerns the discretization of the state space
requiring the computation of transition vectors for each hyperbox. In the last
paragraph we give some information about runtime of the algorithm.
4.1 Schmitt Trigger
The ﬁrst example is an inverting Schmitt trigger shown in Figure 5a). The
extended state space of the circuit is spanned by the input voltage vin and
the voltage vout across the capacitance Cload. The operational ampliﬁer is
modelled in a static manner considering a voltage and current limitation at
the output node.
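[Figure 5: panel a) is the schematic with the resistors R1 to R4, the operational amplifier supplied by VDD and VSS, the capacitance Cload, the input vin and the output vout.]
Fig. 5. Schmitt Trigger: a) Schematic and b) Discretized State Space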
Initially, we have to deﬁne the limits of the state space. Therefore, we eval-
uate the threshold voltages given by the resistances R1..4. Further restrictions
result from the supply voltages of the operational amplifier given by VDD = 5 V
and VSS = −5 V. Hence, we set the limits to Γ := [−7 V .. 7 V] × [−7 V .. 7 V].
The discretized state space is shown in Figure 5b). The state space contains
two quasi-stable areas represented by small hyperboxes at vout = ±5 V .
Using CTL-AT we determine some relevant quantities of the Schmitt trig-
ger like fall time, rise time and slew rate. Initially, we deﬁne the sets Φlow
and Φhigh representing starting and ending values for the voltage edges by
Equations (13) and (14). The set limits contain a tolerance of ±10%.
$$\Phi_{low} = v_{out} < -4.5\,\mathrm{V} \tag{13}$$
$$\Phi_{high} = v_{out} > 4.5\,\mathrm{V} \tag{14}$$
The ﬁrst analysis concerns the rise time of the circuit. Applying the time-
constrained AF formula in Equation (15) we get all states which contain paths
with the given time interval ending in Φhigh. The corresponding analysis of the
fall time considers Φlow as the source set of the AF formula (see Equation (16)).
Figures 6a) and b) show the sets fulﬁlling the given criteria.
$$\Omega_{LH} = AF[0, 1.45 \cdot 10^{-6}](\Phi_{high}) \tag{15}$$
$$\Omega_{HL} = AF[0, 1.65 \cdot 10^{-6}](\Phi_{low}) \tag{16}$$
Fig. 6. Analysis of a) Fall Time and b) Rise Time
Finally, we have to check if the resulting sets satisfying Equations (15)
and (16) intersect the respective sets containing the start values. Using the
∧-operator in Equations (17–18) we evaluate all states performing a rising
edge with a given rise time of 1.45 · 10^−6 s and on the other hand all states
performing a falling edge in 1.65 · 10^−6 s. The time constraints were determined
in an iterative manner; in practice, however, they are given by the circuit's
specification.
$$\Theta_{LH} = \Omega_{LH} \wedge \Phi_{low} \tag{17}$$
$$\Theta_{HL} = \Omega_{HL} \wedge \Phi_{high} \tag{18}$$
Figures 6a) and b) show the resulting sets satisfying Equations (15) and
(16). The dark areas represent the sets ΘLH and ΘHL fulﬁlling Equations (17)
and (18).
          Model Checking    Simulation    Difference
TLH       < 1.45 μs         1.4 μs        3.5%
SRLH      6.21 V/μs         6.43 V/μs     3.4%
THL       < 1.65 μs         1.6 μs        3.1%
SRHL      5.46 V/μs         5.63 V/μs     3.0%
Table 1
Comparison of Simulation vs. Model Checking
Another quantity characterizing the behavior of a Schmitt trigger is the
slew rate. It is deﬁned as a ratio between voltage diﬀerence and time. The
results are shown in Table 1 containing the relations between both veriﬁcation
methods. The rise time measured by simulation is 1.4μs whereas the fall time
is about 1.6μs. The values conﬁrm the results achieved by model checking.
4.2 Operational Ampliﬁer
The second application presents the slew rate veriﬁcation of a transistor level
circuit. We use an industrial operational ampliﬁer shown in Figure 7. The
schematic contains the circuit itself (boxed part) and additionally a testbench
circuit controlling input and output behavior. The input voltage is a super-
position of a DC source VDC and the AC voltage vIn at the positive input of
the operational ampliﬁer. In order to measure the slew rate and the overshoot
we connect the output to the negative input. The power supply voltage VDD
is set to 1.5 V . The state space of the circuit is spanned by the input voltage
vIn as well as by the voltages vout and vcomp across the capacitances Cload and
Ccomp.
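[Figure 7: schematic with the transistors P0 to P4 and N0 to N2, the current source Ibias, the capacitance Ccomp and the inputs In+ and In-, plus the testbench elements VDC, vIn, RIn+, Rout, Cload, Rload, vout, VDD and VSS.]
Fig. 7. Operational Amplifier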
The operational ampliﬁer consists of two stages. The ﬁrst one is a diﬀer-
ential pair (P0, P1 ) with an active load (N0, N1 ) controlled by the current
source Ibias. The second stage is a driver stage built up by P2 and N2. To
improve the transient performance of the circuit the so called “Miller” capac-
itance Ccomp is added.
The first test checks the slew rate of the operational amplifier. It should
be at least 3.6 V/μs. We use the assumption that, to achieve such a slew rate,
a rising step in the output voltage has to be fulfilled in a predefined time. In
this case we use an input step from 0.3 V to 0.5 V. Hence, the maximum time
spent for this step has to be 5.5 · 10^−8 s. The formula is constructed for a
3-dimensional extended state space.
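$$\Phi_{U_{low}} = EG^{-1}\big|_{v_{In}=\mathrm{const.}}(v_{In} > 0.29\,\mathrm{V} \wedge v_{In} < 0.31\,\mathrm{V}) \tag{19}$$
$$\Phi_{U_{high}} = EG^{-1}\big|_{v_{In}=\mathrm{const.}}(v_{In} > 0.49\,\mathrm{V} \wedge v_{In} < 0.51\,\mathrm{V}) \tag{20}$$
$$\Psi_{SR} \models EF[0, 1 \cdot 10^{-20}]\big(AF[0, 5.5 \cdot 10^{-8}]\big|_{v_{In}=\mathrm{const.}}(\Phi_{U_{high}} \wedge \Phi_{U_{low}})\big) \tag{21}$$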
vIn = const. means that the transitions due to input change are disabled.
In contrast, the expression EF[0, 1 · 10^−20] is used to get an input jump to
the appropriate value without any change of other state variables. In the
very short time of 1 · 10^−20 s the change of state variables is very small.
Expressions (19–21) are generalized expressions of the manual steps in
Equations (13–17). A run with this formula results in a non-empty set of three
boxes, showing that the slew rate specification is fulfilled.
As an additional test the overshoot speciﬁcation is given:
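$$\Gamma_{In} = (v_{In} > -0.2\,\mathrm{V} \wedge v_{In} < 0.2\,\mathrm{V}) \tag{22}$$
$$\Gamma_{Out} = (v_{Out} > 0.55\,\mathrm{V} \wedge v_{Out} < 0.95\,\mathrm{V}) \tag{23}$$
$$\Theta_{DC} = EG^{-1}\big|_{v_{In}=\mathrm{const.}}(\Gamma_{In}) \tag{24}$$
$$\Omega_{OS} \models E(\Gamma_{In} \; U^{-1} \; \Theta_{DC}) \wedge \Gamma_{Out} = \emptyset \tag{25}$$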
The regions are deﬁned for the input and output voltage range for an oﬀset
voltage VDC = 0.75V . The resulting set of the overshoot expression is not
empty. Hence, the speciﬁcation does not hold. The reason for the overshoot
is the resistor Rout which in combination with the output capacitance leads to
a delayed feedback and ﬁnally results in an overshoot.
4.3 Voltage Controlled Oscillator
The third example is a voltage controlled oscillator (VCO) shown in Figure 8.
The corresponding state space is spanned by the voltages at the capacitances
C1 and C2. The input is modelled by an ideal voltage controlled current which
is mirrored by TN1, TP1, TN2, TP2, TN5 charging the capacitance C2.
Assuming the output voltage vC1 to be at VDD, C2 is charged up linearly
by the input current through the switch TN3, TP3 controlled by the inverter
(TN4, TP4). As vC2 exceeds the positive threshold voltage of the Schmitt trig-
ger, determined by the resistors R1 and R2, vC1 changes to VSS. Consequently,
C2 is discharged until the initial status is reached leading to an oscillation.
Based on CTL-AT we check two properties of the VCO. The ﬁrst property
is the oscillating frequency for some distinct input voltages. Using the results,
we check the frequency linearity as a function of the input voltage. Consid-
ering the supply voltages and the values of the resistances R1 and R2, the
state space is deﬁned by Γ := [−3.1 V .. 3.1 V ] ×[−0.08V .. 0.08V ]. Figure 9a)
shows the discretized state space of the VCO. It contains some horizontal
paths representing fast transitions between the maximum and minimum of
the output voltage. The oscillation time is dominated by the slow (vertical)
transitions at vC1 = ±2.5 V .
Using Equation (8) presented in Chapter 3.2 we compute all states of the
oscillation area. Therefore, we split the given state space into two parts using
[Figure 8: schematic with the transistors TN1 to TN5 and TP1 to TP4, the capacitances C1 and C2, the resistors R1 and R2, the input source gvin and the supplies VDD and VSS.]
Fig. 8. Voltage Controlled Oscillator
Fig. 9. VCO: a) Discretized State Space and b) Oscillation Area
knowledge about the circuit oscillating around vC1 = 0V :
$$\Phi_{low} = v_{C1} < 0\,\mathrm{V} \tag{26}$$
$$\Phi_{high} = v_{C1} > 0\,\mathrm{V} \tag{27}$$
Figure 9b) shows the set of states representing the oscillation area at
vin = 1.7 V . Furthermore, it contains the trajectory (black curve) calculated
by a transient simulation. As it can be seen the oscillation area intersects the
trajectory.
As mentioned in Chapter 3.2, the methodology to determine the oscillation
time requires a partitioning of the oscillation area. Hence, we deﬁne two sets
with a small range. We choose a section with fast transitions to minimize the
discretization error. The two sets containing start areas for oscillation paths
are deﬁned by Equations (28) and (29).
$$\Phi_0 = \Theta \wedge (v_{C1} > 0) \wedge (v_{C1} < 0.05) \wedge (v_{C2} > 0) \tag{28}$$
$$\Phi_1 = \Theta \wedge (v_{C1} > 0) \wedge (v_{C1} < 0.05) \wedge (v_{C2} < 0) \tag{29}$$
In contrast to the approach in Chapter 4.1, where we used the EF operation
to obtain path lengths, we now make use of the time constrained EU operation
in an iterative manner to get the appropriate time delays. Therefore, we
need an upper time bound to guarantee the resulting set of Equation (30)
overlapping Ω10 and vice versa.
$$\Omega_{01} = E(\Theta \; U[0, 0.64] \; \Phi_1) \tag{30}$$
$$\Omega_{10} = E(\Theta \; U[0, 0.69] \; \Phi_0) \tag{31}$$
[Figure 10: both panels plot vC2 (−0.08 to 0.08) over vC1 (−3.1 to 3.1).]
Fig. 10. VCO: a) Left Oscillation Path and b) Right Oscillation Path
Figures 10a) and b) show the results of Equations (30) and (31). In this
example using vin = 1.7 V we get two diﬀerent time delays given by 0.64 s
resp. 0.69 s. We evaluate an oscillation time of about 1.33 s. It is important
to note that model checking gives an overestimation of time delay. However,
the inner path of the oscillation area permits faster oscillations than the outer
one. Recall that this eﬀect depends on the accuracy of the discretization.
We now focus on the linearity of input voltage and oscillation frequency. In
this example we estimate the oscillation frequencies applying three diﬀerent
input voltages given by vin = [1.7 V, 2.2 V, 2.7 V ]. In order to measure the
linearity we define the linearity error by using the differential quotient of
frequency and input voltage: Δf/Δvin.
In Table 2 we present the model checking results in comparison to transient
simulation. The relative error of about 5% concerns frequency diﬀerences
and amounts. The relative linearity error is measured as 10.0% (transient
simulation) and 12.5% (model checking).
Finally, we give some information about the runtime of the presented ex-
amples. We take into account the number of circuit equations. The actual
         Model Checking          Simulation
vin      period    frequency     period    frequency    rel. error
1.7 V    1.33 s    0.75 Hz       1.27 s    0.79 Hz      5.06%
2.2 V    1.01 s    0.99 Hz       1.01 s    0.99 Hz      0.00%
2.7 V    0.83 s    1.20 Hz       0.85 s    1.17 Hz      2.56%
Table 2
Comparison of Simulation vs. Model Checking
intersection depth of each box depends on the maximum predeﬁned intersec-
tion depth and the nonlinearity of the equation system. Table 3 shows the
runtimes. All circuits’ state spaces are discretized using ﬁve testpoints for
each hyperbox. Generally, the runtime of the algorithm is dominated by the
discretization of the state space, whereas the evaluation of the CTL opera-
tions has a negligible duration. Comparing the Schmitt trigger to the VCO
shows that the calculation of the transitions strongly depends on the number
of equations due to the numerical solver. As mentioned before the runtime
rises exponentially with the number of state variables which can be seen in
the operational ampliﬁer example. This circuit is described by 51 equations
which is similar to the VCO. The state space contains three state variables
producing 58962 hyperboxes which is about 60 times more than the VCO
circuit with two state variables.
Circuit                    Schmitt Trigger    Operational Amplifier    VCO
Equations                  11                 51                       55
Max. Intersection Depth    12                 16                       14
Hyperboxes                 1229               58962                    1267
Discretization Time        20 s               2873 s                   414 s
Table 3
Model Checking: Runtime
5 Conclusion
In recent years, model checking was successfully applied to verify digital cir-
cuits making a nearly fully automated veriﬁcation possible. By the discretiza-
tion of the continuous state space of analog systems, model checking algo-
rithms can also be applied to analog circuits.
Generally, the speciﬁcation of analog systems is based on time constraints.
Therefore, the discretization algorithm has been extended considering delay
times which are later on modelled as delayed state transitions. To apply
time constrained computation tree logic (CTL-AT) new algorithms have been
developed.
Furthermore, a methodology to perform time analyses as used in veriﬁca-
tion of signal edges and oscillations has been introduced. Three circuits were
presented as examples to show the practical results of the method. Comparing
the results of the model checking algorithm to simulations shows that model
checking is a good method to automatically verify analog circuits.
References
[1] Alur, R., Timed automata, CAV ’99: International Conference on Computer-Aided Veriﬁcation,
LNCS (1999), pp. 8–22.
[2] Alur, R., C. Courcoubetis and D. Dill, Model-Checking for Real-Time systems, LICS ’90:
Proceedings of the Annual IEEE Symposium on Logic in Computer Science 5 (1990), pp. 414–
425.
[3] Alur, R., C. Courcoubetis and D. Dill, Model-checking in dense real-time, Information and
Computation (1993), pp. 2–34.
[4] Chatterjee, K., P. Dasgupta and P. Chakrabarti, A Branching Time Temporal Framework for
Quantitative Reasoning, Journal of Automated Reasoning, 30 (2003), pp. 205–232.
[5] Dang, T., A. Douze and O. Maler, Veriﬁcation of analog and mixed-signal circuits using hybrid
system techniques, FMCAD 04: Formal Methods in Computer-Aided Design (2004).
[6] Dellnitz, M., G. Froyland and O. Junge, The algorithms behind gaio - set oriented numerical
methods for dynamical systems, Ergodic Theory, Analysis, and Eﬃcient Simulation of
Dynamical Systems (eds. B. Fiedler), Springer (2001), pp. 145–174.
[7] Hartong, W., L. Hedrich and E. Barke, Model checking algorithms for analog veriﬁcation,
DAC ’02: Design Automation Conference (2002), pp. 542–547.
[8] Hartong, W., L. Hedrich and E. Barke, On discrete modeling and model checking for nonlinear
analog systems, CAV ’02: International Conference on Computer-Aided Veriﬁcation, LNCS
2404 (2002), pp. 401–413.
[9] Henzinger, T. and P.-H. Ho, Algorithmic analysis of nonlinear hybrid systems, CAV ’95:
International Conference on Computer-Aided Veriﬁcation, LNCS 939 (1995), pp. 225–238.
[10] Ho, C., A. Ruehli and P. Brennan, The modiﬁed nodal approach to network analysis, IEEE
Transactions on Circuits and Systems 22 (1975), pp. 504–509.
