Abstract-A method for design verification of power electronics systems is proposed. In this method, the system is described by a linear switched state-space representation, where some or all of the inputs may vary without control over some bounded range, e.g., load current and input voltage. The method relies on solving the reachability problem associated with this system, which is the computation of the set of all possible trajectories that arise from different initial conditions, uncontrolled inputs, and inherent switching. The method allows one to verify whether or not this set (called the reach set) remains within a region of the state-space defined by performance requirements, e.g., output voltage tolerance. Algorithms to solve the reachability problem for power electronics converters with both open-and closed-loop control are provided. The application of the method is illustrated in buck and boost converter examples.
I. INTRODUCTION
The operation of many power electronics systems is subject to uncertainty. This uncertainty can be classified into operational uncertainty and structural uncertainty. Operational uncertainty is usually associated with uncontrolled changes on the demand or the supply side. For example, in the buck converter of Fig. 1 , the current demanded by the load is not fixed but can change over time in an uncontrolled manner, and therefore this is regarded as operational uncertainty. Structural uncertainty is associated with undesired changes in the physical structure of the system. In the buck converter of Fig. 1 , a random fault in one component may be regarded as structural uncertainty.
During the design stage of a power electronics system, in order to verify the design against the performance requirements, it is necessary to carry out an extensive analysis to ensure the system behaves as expected for all possible operational conditions that arise due to operational and structural uncertainty. For example, the power supply specifications for the Intel R Pentium R 4 class of microprocessors require an extremely strict voltage regulation (±25mV from the defined load line) over the entire range of current (0A to 70A) capable of being drawn by the processor [1] . This design requirement is enforced for both static and transient operation of the power supply, which means that these bounds cannot be violated for any load or any step change in the load. In addition, the source feeding the supply is allowed to vary within +5% and -8% of 12V [1] . Violating these voltage regulation requirements may result in damage to or even failure of the microprocessor. The analysis required to verify the design against the requirements under such levels of uncertainty may seem overwhelming.
This analysis is usually conducted through time-domain simulations, where for each particular operational condition, a simulation is conducted to ensure the system behaves as expected [2] , [3] . For example, in [3] , Monte Carlo analysis is used to determine the effects of variations in component parameters (structural uncertainty) on system reliability. Depending on the size of the system and the different operational conditions, this simulation-based approach can be a daunting task.
This paper focuses on providing an analytically tractable method to quantify the effect of operational uncertainty on the behavior of power electronics systems. In this method, the system is described by a linear switched state-space representation, where some or all of the inputs may vary without control over some range, e.g., load current and input voltage. The method relies on solving the reachability problem associated with this linear switched system, which is the computation of the set of possible trajectories that arise from different initial conditions, uncontrolled inputs, and inherent switching. The method can be used to verify the converter design in nominal conditions. This problem was addressed before in [4] , where the reachability problem was formulated in terms of the linearized averaged model of the converter, without including the switching effects of the converter. Furthermore, the proposed solution to the reachability problem relied on the calculation of a bounding ellipsoid, which does not provide an exact solution. In this paper, both of these problems are solved by: 1) formulating the reachability problem in terms of the large-signal model of the converter (including switching); 2) providing a method to compute the exact solution to the reachability problem rather than providing an upper bound. Reachability methods recently proposed by Kurzhanski and Varaiya [5] , [6] are adapted to the particular problem of power electronics system design verification. These methods provide an exact solution to the reachability problem using ellipsoidal calculus, ideas introduced by Schweppe and others (see, e.g., [7] , [8] , [9] and the references therein). Algorithms for addressing the verification of both open-and closed-loop controlled power electronics systems are provided. A rough comparison of the simulation-based method to the proposed method is as follows. Considering only operational uncertainty, for each operational condition, with the simulation-based method, it would be necessary to solve n differential equations. Thus, if there are k operational conditions, it would be necessary to solve n differential equations k times. With the proposed method, it is only necessary to solve n(n+1)/2+1 differential equations to account for all possible operational conditions. Thus, for a small number of operational conditions, the simulation-based method may perform better. However, for large number of operational conditions (which is usually the case), the proposed method could provide an improvement over the simulation-based method.
The remainder of this paper is organized as follows. Section II presents the detailed mathematical formulation of the methodology for solving the reachability problem for power electronics systems, including systems operating with both open-and closed-loop control. In Sections III and IV, application examples of the methodology as applied to a buck and a boost converter respectively are presented. Concluding remarks are discussed in Section V.
II. MATHEMATICAL FORMULATION
The dynamics of a power electronics converter can be described, in general, by a linear switched state-space model of the formẋ
where x ∈ R n represents the converter state variables, w ∈ R p represents the uncontrolled input to the converter, the function σ : [0, ∞) → Q, called the switching signal, indicates the active converter configuration at every time, Q is called the "index set", and A q and B q with q ∈ Q define the matrices describing the converter dynamics for each switch configuration. An unknown-but-bounded uncertainty model for the converter input w, in which w ∈ Ω w , where Ω w is an arbitraryshaped set, is assumed [7] . For computational simplicity, Ω w is selected to be an ellipsoid that completely encloses the set of all possible inputs. This simplification will produce a solution that is an upper bound to the exact set of reachable states, unless the set of all possible inputs is an ellipsoid. Thus, Ω w is defined by
where w c is a vector in R n that defines the center of the ellipsoid Ω w and Q ∈ M p×p is positive definite. For example, the uncontrolled inputs to the buck converter of Fig. 1 
where V and I are positive constants, V c is the dc value of the source voltage, and I c is the nominal load current. Here, w c = [V c I c ] and Q is chosen such that Ω w completely contains the set of all possible realizations of the inputs V in and i out . Figure  2 in Section III provides an illustration of this.
The problem is to obtain the so-called reach set, i.e., the set containing all possible converter trajectories, for all possible realizations over time of the uncontrolled inputs. This problem is known in the control literature as reachability. While there are many methods to solve the reachability problem (see e.g., [10] , [11] , [12] , [13] ) the ellipsoidal methods proposed in [5] , [6] are adapted to the particular problem addressed in this paper, which is to obtain the reach set for the system in (1) given the input set defined by (2) .
The reach set, denoted by R(t) can be obtained as the intersection of a family of ellipsoids:
where Ψ 0 is the same for all η and is chosen such that R(0) contains the set of all possible initial conditions, and x c is defined by
Next, the algorithm to obtain the solution to (5), which depends on the converter control strategy, will be presented.
A. Open-Loop Control
Open-loop control of power electronics converters is carried out by operating the switching devices at fixed intervals of time in order to achieve the desired output voltage(s) and/or current(s). For example, the switching function for a power electronics converter with m configurations (i.e. q ∈ Q = {0, 1, · · · , m − 1}) could be given by
where k is a nonnegative integer, T is the switching period, and d i is the fraction of the switching period spent in the i th configuration. For a converter with only two configurations, d is typically referred to as the duty-ratio. The algorithm to obtain the reach set of a converter using the open-loop control specified in (7) is given by Algorithm 1, in which R(t) is computed in a piecewise manner from (4-6).
This method assumes that the duty ratios remain constant over each switching period. However, the duty ratios are permitted to vary from switching period to switching period. Thus, this method may be applied to control schemes in which the values of d i may vary over time, assuming these values change as a function of the switching period and this function is known. For example, a converter may have one set of d i values during the startup period and another set of d i values for steady-state operation.
B. Closed-Loop Control
Closed-loop control of power electronics converters is carried out by using state feedback to compute the value of the switching function. A general closed-loop control law for a power electronics converter is given by
where f is a function of the states of the converter and of time. The function f determines the switch actions required to drive the system to the desired operating point. All closed-loop control laws of the form given in (8) may be described by some switching surface (or guard) G in the converter state space. Even if the controller has some dynamics, e.g., a PID controller, it can be shown that the closed-loop converter state-space description can be rewritten such that the converter closed-loop dynamics can be described by (1) and (8), where x also includes the controller state variables. The position of the converter state variables in the state space in relation to the switching surface determines the necessary switch configuration. A switch action occurs when the state trajectory crosses the switching surface [14] . For example, a PWM controller for a converter with two possible switching configurations may have the form
where u is the Heaviside step function, x is a vector containing the converter state variables, x ref is the desired system operating point, K is a gain vector, and Δ tri (t) is a periodic triangle wave [14] . For this case, the switching surface is a linear surface that oscillates with time due to the periodic triangular wave component. This surface divides the state space into two regions. The region in which the converter state variables lie determines the active converter configuration. For simplicity, the formulation is limited to converters with two possible switching configurations and a closedloop control that uses only static (non-time varying) linear switching surfaces. In this case, the switching function is solely a function of the converter state variables:
The algorithm to obtain the reach set of a converter using the closed-loop control specified in (10) is given by Algorithm 2, in which a reach set R k (t) is computed from (4-6), with initial condition specified by Ψ η (0), for each time interval k between successive switch actions. The union of all of these reach sets gives R(t) at the end of the algorithm.
Algorithm 2 Closed-loop reach set computation
end Some controllers may use multiple switching surfaces, and in other cases, devices within the circuit (e.g. diodes) introduce additional switching surfaces. An example of this is the discontinuous conduction mode of operation. The methodology presented here may be extended to multiple switching surfaces. This will be presented by example in Sections III and IV.
III. BUCK CONVERTER ANALYSIS
Consider the buck converter of Fig. 1 . In this section, the algorithms introduced in Section II will be applied to compute the converter reach set for both open-and closed-loop control. For a buck converter operating in continuous mode, i.e. Q = {0, 1},
where q = 1 when SW 1 is closed and SW 2 is open and q = 0 when SW 1 is open and SW 2 is closed. As previously mentioned, the uncontrolled inputs to this converter are the source voltage V s and the load current i load . Suppose there is a need to design a converter that has an uncertain voltage input and uncertain load as specified by (3) . For example, the converter may have a variable load and may be supplied by a battery with some uncertain ripple. Let us also suppose that the design requires the output voltage be regulated with an acceptable tolerance specified by |v out − V out | ≤ λV out , where V out is the desired dc value of the output voltage.
A. Open-Loop Design Verification
Let us first consider the open-loop verification method as applied to the buck converter of Fig. 1 , with parameters given in Table I . Equation (3) describes the bounds on the converter inputs. The function of this converter is to step down the 12V dc input to an output value of 5V dc. The input space is twodimensional and the set of all possible realizations of the input is a rectangle. For computational simplicity, it was assumed that Ω w is the minimum volume ellipsoid that encloses this rectangle. This assumption yields a solution that is an upper bound to the set of reachable states of the converter. See Fig.  2 for a graphical depiction of the input space for the input parameters given in Table I . In this figure the exact set of all possible inputs is contained within the blue rectangle and the minimum volume ellipsoid that encloses this rectangle is shown in red. The switching function for this converter is given by
Equation (5) 
, R(t) = R(t − T ).
Computation was performed using the Ellipsoidal Toolbox for MATLAB R [15] . The open-loop reach set R(t) for the buck converter in steady-state operation is shown in Fig. 3 . During steady-state operation, the reach set oscillates around some fixed point over the course of each switching period. Two sets of ellipsoids, one for each η (η 1 shown in blue and η 2 shown in red), are shown. The center points of the ellipsoids are shown by the blue dots. Each ellipsoid in the two sets shown give the solution to (5) at selected points in time during one switching period of the converter's steady-state operation. An upper bound to the set of reachable states for the openloop buck converter at a given point in time is given by the intersection of the two ellipsoids (i.e. the ellipsoids for η 1 and η 2 at that point in time). The union of these intersections gives an upper bound to the set of reachable states over the entire switching period. Also shown in the figure, by the dotted black traces, is the output voltage tolerance as specified by the converter design requirements. It can be seen that the steadystate reach set for the open-loop converter remains within the acceptable voltage range for any possible realization of the input. 
B. Closed-Loop Design Verification
Next, the closed-loop verification method is illustrated by a buck converter that uses static linear switching boundary to control the switch actions in order to step down 12V dc to 5V dc. A linear switching boundary is given by (10 Here, the converter architecture was modified such that SW 2 is implemented by a diode. The diode will block negative current from passing through SW 2 and thus a third switching configuration (SW 1 and SW 2 both open) is possible for this type of buck converter. This configuration is known as the discontinuous conduction mode. This region of operation may be handled by introducing an additional switching surface on the zero current axis. From the topology of the circuit, it can be seen that once the converter is in the discontinuous conduction mode, the inductor current will remain at zero while the capacitor voltage will decrease as the capacitor discharges to supply the load. Thus, once the system state trajectory intersects the zero current axis, the trajectory will remain on the zero current axis and tend toward the origin. This behavior will continue until the state trajectory hits the switching surface G and SW 1 turns on. When computing the set of reachable states in this case, it is sufficient to simply remove the set of points that fall below the zero current axis from Y(τ ) at the end of each computational step. If the entire set of points in Y(τ ) is below the zero current axis, Y(τ ) may simply be set equal to the point in which the switching surface G intersects the zero current axis.
TABLE II CLOSED-LOOP BUCK CONVERTER PARAMETERS
The closed-loop reachability problem was solved for the buck converter of Fig. 1 with parameters and switching boundary given in Table II . Figure 4 contains the steadystate solution to the closed-loop reachability problem. The set of reachable states R(t) for this converter in steady-state operation is the region enclosed by the blue traces and the zero current axis. The switching surface G is shown by the diagonal red line in the figure. It is apparent that the set of reachable states violates the voltage regulation requirements. Thus, the design may need to be further modified to meet this requirement. In some cases, it is possible for the system to violate the performance bounds for a short period of time without jeopardizing the functionality of the system. These types of performance bounds are known as soft bounds (e.g. bounds imposed by component thermal limits). However, there also exist other cases in which if a certain performance bound were to be violated, the system would cease to operate. These performance bounds are known as hard bounds (e.g. a fuse that would operate if the current becomes too large). 
IV. BOOST CONVERTER ANALYSIS
The proposed methods may be applied to any converter architecture so long as the converter operation may be accurately modeled by a linear switched state-space model and the switching function is known. In this section, the proposed method is applied to verify the design of a boost converter. Consider the boost converter of Fig. 5 . The function of this converter is to produce an output dc voltage that is higher than the input dc voltage. The A and B matrices of the switchedlinear dynamics of a boost converter are given by
where q = 1 when SW 1 is closed and SW 2 is open and q = 0 when SW 1 is open and SW 2 is closed. The uncontrolled inputs to the boost converter are the source voltage V s and the load current i load .
A. Open-Loop Design Verification
Here, the open-loop verification method is applied to the boost converter shown in Fig. 5 , with parameters given in Table III . The function of this converter is to step up 12V dc to 48V dc. Equation (3) describes the bounds on the converter inputs. As before, for computational purposes Ω w is assumed to be the minimum volume ellipsoid that contains the true set of all possible inputs. The switching function for this converter is also given by (12) .
TABLE III OPEN-LOOP BOOST CONVERTER PARAMETERS
with parameters given in Table III . As before, two sets of ellipsoids, one for each η (η 1 in red and η 2 in blue), are shown for selected points in time during one switching period of the converter's steady-state operation. Also shown, by the dotted black traces is the output voltage tolerance as specified by the converter design requirements. The steady-state reach set of the converter is completely contained within the acceptable region. 
B. Closed-Loop Design Verification
Here, the closed-loop verification method is considered. To illustrate the method, it is applied to a boost converter that uses a static linear switching boundary to step up 12V dc to 48V dc. A practical problem with this type of control of power electronics converters is that as the converter trajectory converges to the switching surface, the switching frequency of the converter tends to infinity. This is commonly known as switch chattering [16] . One method that can be used to mitigate switch chattering is to add a hysteresis band (or dead band) around the switching surface. For a converter with two possible configurations, the hysteresis band may be represented in the converter state space as two separate switching boundaries G 1 and G 2 . Where G 1 lies below and to the left of G 2 in the state space. The converter then operates by activating one configuration when the state trajectory is below and to the left of G 1 and then switching to the other configuration when the state trajectory is above and to the right of G 2 . When the state trajectory is between the two switching boundaries the converter remains in its previous configuration. The switching function for a hysteresis-controlled converter is given by
where
for the boost converter, Δ is a constant that describes the width of the hysteresis band, and τ is the time delay between successive computations of the switching function σ(t). For simplicity, it was assumed that this time delay is zero.
The closed-loop reachability problem was solved for the boost converter with switching function given by (14) and converter parameters given in Table IV . Fig. 7 shows the reach set for both startup (a) and steady-state (b) operation. In both figures, the switching boundaries G 1 and G 2 are shown by the solid red lines and the set of reachable states R(t) is contained within the solid blue regions. Fig. 7 (b) also shows a sample converter trajectory in green.
It can be seen in Fig. 7(a) that the boost converter with this type of control will start up by first closing SW 1 to charge the inductor. Then, once the state trajectory reaches G 2 , a switch action will occur and the inductor current will be discharged into the capacitor and the load. Subsequent switch actions will occur to cause the converter state trajectory to slide down the guards to the steady-state operating region as shown in Fig  7(b) . The sample converter trajectory is completely contained within the steady-state reach set R(t) as shown in Fig. 7(b) . However, this converter design does not meet the voltage regulation design requirement.
V. CONCLUSION
In this paper, a method for design verification of power electronics systems subject to bounded uncertain inputs was proposed. The method relies on solving the reachability problem for the full switching model of such converters, whereas previous methods focused only on the linearized averaged Table IV. model. One of the advantages of this technique is that it provides an analytically tractable solution, which reduces the computational burden of other techniques that are based on simulating the system for every possible realization of the uncontrolled input. The analytically tractable solutions provided by the proposed method also give further insight into the influence of design parameters and control techniques on the overall system performance. In the buck and boost converter examples, it was shown that this methodology can be applied to any converter modeled as a linear switched system and any linear control.
