Full-chip verification requires one to check if the power grid is safe, i.e., if the voltage drop on the grid does not exceed a certain threshold. The traditional simulation-based solution to this problem is computationally expensive, because of the large variety of possible circuit behaviors that would need to be simulated; it also has the disadvantage that it requires full knowledge of the details of the circuit attached to the grid, thereby precluding early verification of the grid. We propose a power grid verification technique that can be applied before the complete circuit has been designed and without exact knowledge of the circuit currents. We use current constraints, which are upper bound constraints on the currents that can be drawn from the grid, as a way to capture the uncertainty about the circuit details and activity. Based on this, we propose two solution approaches. One approach gives an upper-bound on the worst-case voltage drop at every node of the grid. Another, less expensive approach, applies a sufficient condition (thus, this becomes a conservative approach) to check if the drop on the grid exceeds a given voltage threshold.
INTRODUCTION
As the supply and threshold voltages are decreasing with technology scaling, full-chip verification is becoming more and more challenging. In particular, checking the integrity of the voltage on the power grid is becoming crucial. With lower supply voltages, smaller voltage drops become more significant and can cause longer circuit delays and lead to soft errors. Thus, supply voltage integrity verification is an integral part of both timing verification and noise immunity checking.
Voltage drop on the grid is mainly due to IR drop and Ldi/dt drop. IR drop is due to the resistance of the metal lines of the power network. The Ldi/dt drop is due to the self and mutual inductances of the power lines. In practice, the effect of inductance in the power grid is only significant at frequencies above a GHz or so, and it can therefore be ignored in many circuits. In this paper, we will use an RC model of the power grid, ignoring the inductance effects and focusing on IR drop.
Power grid verification via traditional circuit simulation requires full knowledge of the current waveform drawn by every circuit block attached to the grid. These current waveforms would be used to simulate the grid and get the voltage drop at every grid node. This drop is then compared to a maximum allowable voltage drop threshold to check if any node on the grid is unsafe (the voltage drop at this node is higher than the threshold). To verify the grid in this way requires a comprehensive set of current waveforms to make sure all the regions on the grid are simulated, and that the obtained voltage drop is a worst-case drop. Also, this method requires full knowledge of the circuit, which is a concern if one would like to verify the grid early in the design flow, before all the circuit details are available.
To overcome these problems, we will use the concept of current constraints [1] to capture the uncertainty about the circuit details and circuit behavior. These current constraints are a set of upper-bounds on the currents that would be drawn by the circuit. They can be obtained from simulations of the circuit or from knowledge of the overall power dissipation of the circuit blocks. Using these upper-bound constraints, we will show how to check if the maximum voltage drop on the power grid, under all possible transient current waveforms that satisfy the constraints, exceeds a certain voltage threshold.
A similar verification problem was previously formulated and solved in [1], but under the assumption that the currents on the grid are DC, which can under-estimate the worst-case drop. In this paper, we present a general solution to the problem, in which the currents are allowed to be arbitrary transient waveforms. We will present two solution approaches. First, we present an algorithm that computes an upper bound on the worst-case drop at every node of the grid. We give empirical data that shows that the upper bound can be tight, and that therefore the pessimism in the first approach is not too significant. In the second approach, we will present a method to check if the grid is safe with respect to a given voltage threshold, without attempting to find the exact maximum drop on the grid. This method applies a sufficient condition to perform the check, thereby leading to a conservative approach by which some grids which are declared unsafe may actually be safe, but no unsafe grid would be declared safe. The method does provide an indication of the nodes that did not pass the safety check, which allows one to focus on specific regions of the grid to perform more detailed analysis.
The rest of the paper is organized as follows. In the next section, a standard RC model of the power grid is adopted and the system equations explained, followed by a brief section 3 that describes a time discretization of the system equations. Current constraints are introduced in section 4 and our first solution approach is then given in section 5, whereby the worst-case voltage drop at every node is sought. Section 6 describes our second solution approach, which efficiently provides a safety check of the grid, and is followed by our conclusion.
THE POWER GRID RC MODEL
We consider an RC model of the power grid, where each branch is represented by a resistor and where there exists a capacitor from every node to ground. In addition, some grid nodes have ideal current sources (to ground) representing the currents drawn by the circuits tied to the grid at those nodes, and some grid nodes have ideal voltage sources (to ground) representing the connections to the external voltage supply.
Let the power grid consist of n + p nodes, where nodes 1, 2, . . . , n have no voltage sources attached, and nodes (n + 1), (n + 2), . . . , (n + p) are the nodes where the p voltage sources are connected. Let c_k be the capacitance from every node k to ground. Let i_k(t) be the current source connected to node k, where the direction of positive current is from the node to ground. We assume that i_k(t) ≥ 0 and that i_k(t) is defined for every node k = 1, . . . , n, so that nodes with no current source attached have i_k(t) = 0, ∀t. Let i(t) be the vector of all i_k(t) sources, k = 1, . . . , n. Let u_k(t) be the voltage at every node k, k = 1, . . . , n, and let u(t) be the vector of all u_k(t) signals, k = 1, . . . , n.
Applying Kirchhoff's Current Law (KCL) at every node, k = 1, . . . , n, leads to:
where G and G_0 are n × n conductance matrices resulting from the application of the traditional modified nodal analysis formulation [2] (simplified by the fact that all the voltage sources in this case are from a node to ground), C is an n × n diagonal matrix of node capacitances, and V_dd is a constant vector each entry of which is equal to V_dd. If we set all i_k(t) = 0, ∀t, then obviously u_k(t) = V_dd, ∀t, so that the above system equation becomes:
By replacing G_0 V_dd by G V_dd in (1), it can be re-written as:
If we now define v_k(t) = V_dd − u_k(t) to be the voltage drop at node k, and let v(t) be the vector of voltage drops, then the system equation can be written as:
This is a revised system equation which we can use to directly solve for the voltage drop values. Comparing (4) to (1), it is easy to see that the circuit described by this equation consists of the original power grid, but with all the voltage sources set to zero (short circuit) and all the current source directions reversed.
TIME DISCRETIZATION
We will be working with a discrete-time version of the system equation, which can be obtained by considering that, for small ∆t > 0, the derivative of a function x(t) can be approximated by:
Applying this to v(t) in (4) leads to:
It will be useful to think of this equation as capturing the space of voltage vectors v(t) and v(t − ∆t) that are allowed, given the current vector i(t). Define a matrix A as:
and let a_ij be the entry of A at row i and column j. As in [3], one can show that A is an M-matrix [4] because it satisfies the following:
where strict inequality comes from the addition of the positive diagonal matrix C/∆t to the conductance matrix G and the fact that every node has non-zero parasitic capacitance.
Among other things, being an M-matrix means that the inverse of matrix A consists of only non-negative values.
As indicated above, we will assume throughout that i(t) ≥ 0, so that currents flow only from the grid into the circuitry tied to it. If we further assume that v(t − ∆t) ≥ 0, then since C is a non-negative matrix, it is clear that (6) leads to Av(t) ≥ 0. Since A^{-1} is also non-negative, this leads to the fact that:
By induction, if we assume that at some time in the past the voltage drops on the grid are non-negative (meaning that no grid node has a voltage higher than V_dd), then they will be non-negative for all time. This is a fairly mild requirement to make, because as we will see in section 6.2 it is possible to assume that at some time in the (distant) past, the grid voltages were all zero. Therefore, it will be implicitly assumed throughout this paper that:
so that voltage drop is never negative.
CURRENT CONSTRAINTS
As in [1], we define two types of constraints, local constraints and global constraints. Local constraints are upper bounds on individual current sources, which may represent the current drawn by individual cells, or larger blocks. They can be fixed values (DC) or time-waveforms (transient). They can be expressed as:
where I_L is a vector of fixed current values and i_L(t) is a vector of current waveforms. These constraints are defined for every node on the grid; nodes that are not connected to a current source have
Local constraints, by themselves, are obviously insufficient for verification, because the chip components do not simultaneously draw their maximum currents. This is where global constraints come in. Global constraints are upper bounds on the sum totals of current drawn by groups of current sources, and they may also be either DC or transient. If there is a total of k global constraints, they may be expressed in matrix form as:
where S is a k × n matrix of 0s and 1s that define the groups of current sources included in every constraint, I_G is a vector of fixed current values, and i_G(t) is a vector of current waveforms. Local and global constraints can be combined as follows:
where U is an (n + k) × n matrix, whose first n rows form an identity matrix, and whose last k rows are the S matrix. Notice that every entry of the matrix U is non-negative.
Current constraints offer a useful abstraction for capturing the uncertainty of circuit behavior, given the large number of logic vectors that can propagate through the circuit. They also offer a way to capture uncertainty about the circuit details early in the design flow. For circuits that are completely determined, local constraints may be obtained from exhaustive simulation of individual cells, or from a simple count of the transistors in that cell that are tied to the supply. Global constraints are chosen based on some knowledge of the peak power dissipation of a block or a chip, if that information is available from previous design knowledge or from test-case simulations. When little or no information is available, such as early in the design process, the global constraints may simply be specified as possible values to drive a "what if" type of analysis, or may be based on an estimate of the target block area coupled with knowledge of the typical power density of that technology (power dissipation per unit area).
Being a means of capturing uncertainty in cases of limited information about the circuit and/or its activity, we envision that in practice DC constraints (I_L and I_G) would be easier to specify than transient constraints (i_L(t) and i_G(t)). Thus, in this paper we will perform the analysis under DC current constraints, although the work can be very easily extended to handle transient constraints.
In summary, the current constraints can be expressed as:
The currents are transient but their upper bounds are DC.
WORST-CASE VOLTAGE DROP
We now present our first solution approach. Given a set of current constraints we will show how to find the worst-case voltage drop at every node. In addition to checking if the grid is safe, this method gives information on the extent of the problem when the grid is unsafe. In sub-section 5.1, we will first see how one can set up a numerical optimization approach for solving this problem exactly, which will be seen to be too expensive. In the following sub-section, we then develop an efficient technique for finding an upper bound on the worst-case voltage drop on every node. We give empirical data to show that these bounds are tight and, therefore, useful in practice.
A starting point for the whole analysis is to assume that the current source currents are zero for all t ≤ 0, so that the grid is safe and has zero voltage drop at time 0, and to then examine how the system evolves over time for t ≥ 0. Given this, it is easy to see that the worst-case voltage at any node, over all possible currents that satisfy the constraints, is a non-decreasing function of time over t ≥ 0 and, because it is bounded, must therefore converge to some steady state value. We are, naturally, interested in the steady state condition, where the solution becomes independent of the initial condition (i(t) = 0, ∀t ≤ 0), because that represents the true general solution for the grid. However, it will also be instructive to see how we approach the steady state.
Exact worst-case
Consider a sequence of (fixed value) time steps ∆t, taken starting at time 0, and let t = k∆t, where k > 0 is an integer. Recall the discrete-time system equation (6), which can be written as:
We can write the same equation at the previous time step as:
This is repeated until we get to time t − k∆t = 0, where we get: 
whereby we have enforced the current constraints (13) at every time point. The number of constraints is thus multiplied by the number of time steps, leading to a potentially very large problem, which can be prohibitively expensive in practice. For small grids, we can construct and solve the optimization problem, as we will show below, starting with k = 1, and gradually increasing k until we get the same result for two consecutive values of k, within some error tolerance. That steady-state result would be the worst-case voltage drop at every node in the general case, i.e., in the absence of a specific initial condition.
Upper bounds
We define a voltage vector v(t) to be feasible if there exist current source waveforms (with i(t) = 0, ∀t ≤ 0) that satisfy the current constraints and which can cause the grid to realize the voltage values in v(t) at time t (starting as always with v(0) = 0). We define V_f(t) to be the set of all feasible voltage vectors at time t. We also define a voltage vector v_opt(t) as the solution of the following optimization problem:
Notice that v_opt,i(t) is nothing but the solution of the exact worst-case problem described in the preceding section. Notice also that v_opt(t) may not be a feasible voltage vector. Ideally, one would like to find v_opt(t) for every t, and especially for t → ∞, but that can be very expensive, as we saw above. Instead, we will now propose an algorithm by which a vector v_b(t) can be efficiently computed such that v_b(t) ≥ v_opt(t), ∀t. From (6), the space of voltages allowed by the current constraints can be expressed as:
Suppose that we know that, at a certain time t − ∆t, the voltage drop on the grid satisfies:
Since U and C are non-negative matrices, then (18) and (19) lead to:
Based on this, we can now present an algorithm to find the upper bound on v_opt(t), as follows:
Step 1.
Step 2. t = t + ∆t
Step 3. For i = 1, . . . , n:
The algorithm is obviously much simpler than running the exact approach, because it involves an optimization across only one time step. The following claim proves the correctness of this algorithm. 
Define V_b(t) to be the set of all vectors v(t) that satisfy (20). Notice that V_b(t) is the solution space of the core optimization step in our algorithm, which gives v_b(t), and which may be summarized as:
Consider any v(t) ∈ V_f(t), then there exists another feasible voltage vector v(t − ∆t) such that v(t) and v(t − ∆t) satisfy (18). Since 0 ≤ v(t − ∆t) ≤ v_opt(t − ∆t), due to (17), and assuming
consistent with (21), then (19) is true, leading to (20), so that v(t) ∈ V_b(t). This means that
Given the definition of v_opt(t) in (17) and given (22), it then follows that v_b(t) ≥ v_opt(t), because maximizing over a superset of V_f(t) must give a result that is at least as large as maximizing over V_f(t). This completes the proof.
When the algorithm terminates, we exit with the values obtained at the last iteration, and we take these values as the upper bounds on the worst-case voltage drop at every node.
Experimental Results
It is clear that the optimization step in the above algorithm is a linear program (LP). To solve this LP, we have used a Primal-Dual Interior Point Method algorithm [5], using the PCx package [6]. A number of tests were conducted on a set of randomly-generated test-bench power grids (as was done in [1]) and simulated on a 1 GHz SUN machine with 4 GB of memory. For every grid, the number of nodes and the number of voltage sources (C4) are specified up-front and an initial uniform (regular) grid is generated. Then, a certain percentage of nodes are eliminated from the grid in order to make it somewhat non-uniform. Table 1 shows all the test cases. It also shows the number of sources that are connected to the grid (#C4s). These sources are randomly placed on the grid. For each test case, a single value is chosen as the local upper-bound constraint, as shown in the table, and a set of global constraints are specified. The simulation results, showing the number of iterations (time steps) before completion and the total CPU time required, are also shown in Table 1. The results indicate that the number of time steps by which convergence is reached is fairly small.
For each grid, the table also shows statistics of the worst-case voltage drop values found at all the nodes: minimum, maximum, mean, and standard deviation. Notice how increasing the number of voltage supplies (C4s) on the grid decreases the maximum and other stats of the voltage drop. Fig. 1 shows a correlation plot with the exact maximum voltage drop on one axis and the upper bound on the drop on the other. The figure shows closely aligned points, which means that the upper bound is fairly tight, for all nodes in grids G1 and G2. Figs. 2 and 3 show the voltage drop versus time for a node in grid G1 and another in grid G2, respectively. The exact solution for G1 took 7 minutes while the upper bound algorithm took only 55 seconds, and the exact solution for G2 took 18 hours, while the upper bound algorithm took only 17 minutes. This obviously limits the size of the grids for which we can offer comparisons to the exact solution, and the comparison results for these two small grids were typical of what we saw. Finally, Fig. 4 shows a histogram of the node voltage drops in grid G17, obtained with the upper bound algorithm.
GRID SAFETY CHECK
We will now present our second solution approach. Given the set of current constraints and a maximum voltage drop threshold, we will show how one can check if the grid is safe, i.e., if the voltage drop is below threshold at all the nodes, under all possible transient currents that satisfy the constraints, without having to find the worst case voltage drop at every node.
Conditional safety
Let v_max be an (n × 1) vector, where v_max,i is the maximum allowable voltage drop at node i, for i = 1, . . . , n, and suppose that we know that at a certain time (t − ∆t), the grid was safe, so that:
Since U and C are non-negative matrices, then (18) and (24) lead to:
Notice that the space of voltages v(t) captured by (25) is a superset of that captured by (18). We can now formulate the following conditional safety checking problem:
If the grid is safe at time (t − ∆t), check if it is safe at time t.
To solve this problem, it is sufficient to try and maximize every component of v(t), subject to the constraints (25), as follows:
Maximize:
If it turns out that the answer is yes, so that v(t) ≤ v_max, then by induction we can say that if the grid is safe at some previous time t_0, it will be safe for all times t ≥ t_0. If the answer is no, then the result is inconclusive. Those nodes that violate the threshold, leading to the no answer, are possibly unsafe, but one doesn't know for sure. Thus, the approach is conservative.
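The one-step maximization shared by the upper-bound algorithm of section 5 and the conditional safety check above can be sketched as follows; this is an added example, not the authors' code, and it replaces their LP solver with a greedy fill. It assumes the relaxed constraint has the form 0 ≤ U A v(t) ≤ I_m + U (C/∆t) p, where p is the prior bound (v_b(t − ∆t) or v_max) and I_m stacks I_L and I_G, and it assumes a single global constraint covering all nodes; the 3-node grid, all numeric values and all function names are constructed.

```python
# Added example: constructed 3-node chain, pad -- n0 -- n1 -- n2 (values made up).

def invert(m):
    """Gauss-Jordan inverse of a small dense matrix given as a list of rows."""
    n = len(m)
    aug = [[float(x) for x in row] + [float(i == j) for j in range(n)]
           for i, row in enumerate(m)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(aug[r][col]))
        aug[col], aug[piv] = aug[piv], aug[col]
        d = aug[col][col]
        aug[col] = [x / d for x in aug[col]]
        for r in range(n):
            if r != col:
                f = aug[r][col]
                aug[r] = [x - f * y for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def one_step_max(a_inv, c_dt, i_local, i_global, prior):
    """Maximize each v_i(t) = (A^-1 w)_i over the assumed relaxation
         0 <= w <= I_L + (C/dt) p,   sum(w) <= I_G + sum((C/dt) p),
    where w = A v(t) and p bounds v(t - dt). Greedy fill is optimal because
    every entry of A^-1 is non-negative and there is one all-node global sum."""
    if any(x < 0 for row in a_inv for x in row):
        raise ValueError("A^-1 has a negative entry; A is not an M-matrix")
    n = len(prior)
    cap = [i_local[j] + c_dt[j] * prior[j] for j in range(n)]
    budget = i_global + sum(c_dt[j] * prior[j] for j in range(n))
    worst = []
    for i in range(n):
        left, best = budget, 0.0
        for j in sorted(range(n), key=lambda j: -a_inv[i][j]):
            w = min(cap[j], left)   # spend the shared budget on the largest gains first
            best += a_inv[i][j] * w
            left -= w
        worst.append(best)
    return worst

def upper_bound(a_inv, c_dt, i_local, i_global, tol=1e-9, max_steps=10000):
    """Section 5 iteration: start from v_b(0) = 0 and step until the bound settles."""
    v = [0.0] * len(c_dt)
    for step in range(1, max_steps + 1):
        nxt = one_step_max(a_inv, c_dt, i_local, i_global, v)
        if max(abs(x - y) for x, y in zip(nxt, v)) < tol:
            return nxt, step
        v = nxt
    raise RuntimeError("upper bound did not converge")

def flagged_nodes(a_inv, c_dt, i_local, i_global, v_max):
    """Conditional safety check: nodes whose one-step maximum exceeds v_max.
    An empty list means safe by induction; a non-empty one is inconclusive."""
    worst = one_step_max(a_inv, c_dt, i_local, i_global, v_max)
    return [i for i, (w, m) in enumerate(zip(worst, v_max)) if w > m]

# Constructed grid in voltage-drop form (supply pad shorted to ground).
G = [[15.0, -5.0, 0.0], [-5.0, 10.0, -5.0], [0.0, -5.0, 5.0]]   # siemens
C_DT = [1.0, 1.0, 1.0]                                          # diagonal of C/dt, siemens
A_INV = invert([[G[i][j] + (C_DT[i] if i == j else 0.0) for j in range(3)]
                for i in range(3)])
I_LOCAL = [0.1, 0.1, 0.1]   # amps, local DC upper bounds
I_GLOBAL = 0.2              # amps, one global bound on the sum of all currents

if __name__ == "__main__":
    bound, steps = upper_bound(A_INV, C_DT, I_LOCAL, I_GLOBAL)
    print("upper bound per node (V):", [round(b, 4) for b in bound], "steps:", steps)
    print("flagged at 0.100 V:", flagged_nodes(A_INV, C_DT, I_LOCAL, I_GLOBAL, [0.1] * 3))
    print("flagged at 0.085 V:", flagged_nodes(A_INV, C_DT, I_LOCAL, I_GLOBAL, [0.085] * 3))
```

On this constructed grid the one-step check flags the last node at a 0.085 V threshold although the converged upper bound at that node is lower than 0.085 V, which is the conservatism of the sufficient condition.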
If we are seeking more accuracy, we can use an algorithm similar to the one used in the exact worst-case solution, but using only a few time steps, as follows. Suppose that we know that the grid was safe between time (t − k∆t) and (t − ∆t), so that:
We can formulate a new conditional safety checking problem as follows:
If the grid is safe at all times (t − q∆t), for q = 1, . . . , k check if it is safe at time t.
As in section 5, we can write the following inequality:
To find the maximum voltage drop at time t, we should maximize the drop at each node, given the two sets of constraints in (26) and (27), as follows:
Subject to: for q = 1, . . . , k:
In the next sub-section, we will show that the grid can always be assumed to have been safe prior to some time in the distant past. This will provide us with a base case that can be combined with the inductive step in Problems 1 and 2, to check if the sufficient condition for the grid safety is met at all time.
Initial condition
In order to guarantee that the grid was safe before some time t_0 in the past, it is sufficient to consider that the circuit currents are zero for all t ≤ t_0, and then become possibly non-zero after that. This is such a trivial condition that one may want to simply assume it and move on. However, in order to satisfy the critical reader, we will show that even if nothing is known about the currents for all previous times (−∞, t], we can identify a previous time prior to which the grid may be assumed to have been safe. To see this, consider that the grid is a stable linear system with bounded inputs (the source currents) and bounded outputs (the 
Experimental Results
The optimization problems above were implemented using the same optimization package as before, for the same test cases in Table 1. For each grid, we check the safety under three different voltage drop thresholds (v_max). Table 2 shows the number of nodes that violate every threshold and the number of nodes that are safe, using both a one-step only solution (k = 1) and a solution with 3 steps involved (k = 3). Notice how the number of unsafe nodes decreases with increasing threshold and how increasing the number of voltage sources on the grid decreases the number of unsafe nodes. Also notice how the solution including 3 time steps indicates a smaller number of unsafe nodes. Table 2 also shows the CPU time required.
Looking at the CPU time, we notice that a grid of just under 2,500 nodes takes just under an hour to be checked. Such a grid is of course extremely small compared to full-chip grids that contain millions of nodes. Nevertheless, our approach is important for at least two reasons: 1) it is the first approach to rigorously check the safety of the grid in a truly vectorless approach -remember that we are checking the grid over all transient currents that satisfy the constraints, 2) coupled with a hierarchical modeling approach, our method can be applied either to parts of the grid, or to the top-level main feeder network of the grid. The ability to test the main feeder network early in the design flow is a major advantage of our technique. We believe that these techniques can lead to practical methods for early vectorless grid verification.
CONCLUSION
Checking the safety of the power grid is an essential part of chip verification. To do this by circuit simulation requires gathering complete information about the circuit and doing expensive simulation. Instead, we propose a verification approach based on a set of current constraints (upper bounds on the current sources attached to the grid). We first gave a conservative algorithm to get an upper bound on the maximum voltage drop at every node of the grid; we then offered two simple safety check algorithms.
