Analog-mixed signal (AMS) circuits are widely used in various mission-critical applications necessitating their formal verification prior to implementation. We consider modeling two AMS circuits as hybrid automata, particularly a charge pump phase-locked loop (CP-PLL) and a full-wave rectifier (FWR). We present executable models for the benchmarks in SpaceEx format, perform reachability analysis, and demonstrate their automatic conversion to MathWorks Simulink/Stateflow (SLSF) format using the HyST tool. Moreover, as a next step towards implementation, we present the VHDL-AMS description of a circuit based on the verified model.
Category: academic
Difficulty: medium
tool, to compute the over-approximated sets of reachable states. This is a classical fixed-point computation tool that operates on symbolic states.
We also use HyST (Hybrid Source Transformer) [3] to automatically convert the hybrid automaton models developed in SpaceEx to MathWorks Simulink/Stateflow (SLSF) models. It is a source-to-source translation tool that takes input in the SpaceEx model format and translates it to the formats of HyCreate, Flow*, dReach, C2E2, Passel 2.0, and HyComp. Additional tool support is being added from time to time. The verification and validation research community may use HyST to automatically transform hybrid automaton models in SpaceEx format to other formats and perform reachability analysis using the aforesaid model checking tools. Finally, we present the VHDL-AMS description of an FWR.
Hybrid Automaton Modeling of CP-PLL and FWR
In this section, we present the hybrid automaton modeling of CP-PLL and FWR.
CP-PLL Modeling
We consider a third-order CP-PLL as described in [1]. It consists of a reference frequency signal generator, a phase frequency detector (PFD), a charge pump, a proportional-integral (PI) controller, a voltage-controlled oscillator (VCO) and a frequency divider as shown in Figure 2.1. The state variables are defined by the voltages across the capacitors $C_i$, $C_{p1}$, and $C_{p3}$, i.e., $v_i$, $v_{p1}$, and $v_p$ respectively. Two more state variables are defined by the dynamics of the VCO and reference frequencies, i.e., $\phi_v$ and $\phi_{ref}$, respectively. The CP-PLL is designed such that $\phi_v$ locks on to $\phi_{ref}$, which may constitute the property of the CP-PLL to be verified. This locking is ensured by the PFD, which uses the phase difference of $\phi_{ref}$ and $\phi_v$ to generate an 'UP' or 'DN' signal for the charge pump.
The ODEs from the CP-PLL circuit diagram can be readily formed using the traditional circuit analysis techniques, i.e., Kirchhoff's voltage law (KVL) and Kirchhoff's current law (KCL).
We apply KCL at node 1 of the circuit used to implement the analog PI controller shown in Figure 2 .
We can write the above equation in terms of voltage across capacitor $C_i$ as
Rearranging the above equation, we obtain
We apply KCL at node 2 of the circuit used to implement the analog PI controller in Figure 2.1 to get
Replacing the current terms with voltage terms on the right-hand side of the above equation, we get
Rearranging the above equation for $\dot{v}_{p1}$, we get
Next, we may apply KCL at node 3 to get
Re-writing the above equation in terms of voltages, we get
Rearranging the above equation leads to
For the VCO, the output phase $\phi_v$ is the integral of the frequency and the input voltages, i.e., $v_i$ and $v_p$ [7]. We also include the frequency division factor $N$ to obtain the ODE as
There is a design requirement to introduce a time delay, $t_d$, required to switch off both the charge pumps. This is represented by the location $Both_1$. Once the lagging signal reaches zero, the automaton jumps to this location and, once $t = t_d$, the automaton transitions back to $Both_0$.
FWR Modeling
We consider an FWR as described in [5]. It is basically a full-wave diode bridge that consists of two diodes $D_1$ and $D_2$, a capacitor $C$ and the load resistor $R$ as shown in Figure 2; the input signal is supplied to the circuit through a center-tapped transformer. For modeling purposes, and without loss of generality, we use two AC sources as shown in Figure 2.3. This circuit converts the input AC voltage $V_{in}$ to a DC voltage $V_o$ at its output, measured across $R$. We may need to verify that $V_o$ is stable within $\pm 1\%\,V_{max}$ for the steady-state operation, where $V_{max}$ is the maximum value of the input AC signal. For modeling purposes, we consider $R_d$ as the forward resistance of each diode. Let the current through $R_d$, $C$, and $R$ be $i_{Rd}$, $i_C$, and $i_R$, respectively. Let the input sinusoidal voltage be $V_{in} = V_{max}\sin(2\pi f t)$ and the output voltage across the load resistor $R$ be $V_o$, where $V_{max}$ is the maximum amplitude of the sinusoidal signal and $f$ is its frequency. For model checking purposes, we use SpaceEx, which requires a hybrid automaton model with linear dynamics, so we model the input AC signal using a second-order differential equation [5]. We define another state variable $x_0$ and model the AC input by ODEs defined as
The solution of the above system is $V_{in} = V_{max}\sin(2\pi f t)$ such that the initial conditions are both the diodes OFF when $V_{in} \le V_o$. There could be a fourth topological instance, i.e., both the diodes ON at the same time, but this is not practical due to the nature of the sinusoidal input. Therefore, we may consider three topologies one by one to form the ODEs and start with the topology with $D_1$ ON and $D_2$ OFF. The invariants for this topological instance are
Applying KCL at the node joining $C$ and $R$ in Figure 2.3, we get
and we can express the above equation in terms of voltages as
Rearranging the above equation provides
For the topology when both $D_1$ and $D_2$ are OFF, the sinusoidal input signal is cut off from the entire circuit and the load voltage is only provided by the capacitor. The invariants for this topological instance are
Therefore, we get
Accordingly, the hybrid automaton model of FWR is shown in Figure 2.4. In addition, we consider the VHDL-AMS description of FWR in Section A, where the circuit is externally supplied by $V_{in}$.
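As an added illustration (not part of the original benchmark or its SpaceEx/SLSF models), the following Python simulation steps through the three-topology FWR automaton, using the component values from the VHDL-AMS listing in the appendix and the steady-state conditions of the reachability experiment (4 V, 50 Hz, output starting at 4 V). The linear second-order source model, the explicit form of the diode-ON equation derived from KCL, the integration scheme, and all function and variable names are assumptions made for this example.

```python
import math

# Component values from the VHDL-AMS listing; operating point from the
# reachability experiment (V_max = 4 V, V_o(0) = 4 V, f = 50 Hz).
R, RD, CAP = 1000.0, 0.1, 0.001
VMAX, FREQ = 4.0, 50.0
OMEGA = 2.0 * math.pi * FREQ


def mode_of(vin, vo):
    """Guard evaluation for the three topologies of the automaton."""
    if vin >= vo:
        return "D1_ON"
    if -vin >= vo:
        return "D2_ON"
    return "BOTH_OFF"


def simulate(t_end=0.1, dt=1e-6):
    # Assumed linear source model: vin' = x0, x0' = -omega^2 * vin,
    # vin(0) = 0, x0(0) = omega * VMAX, so vin(t) = VMAX * sin(omega * t).
    vin, x0, vo = 0.0, OMEGA * VMAX, VMAX
    steps = round(t_end / dt)
    last_cycle = steps - round(1.0 / (FREQ * dt))
    src_err, visited, vo_min, tail = 0.0, set(), vo, []
    for n in range(steps):
        mode = mode_of(vin, vo)
        visited.add(mode)
        if mode == "BOTH_OFF":      # capacitor alone feeds the load
            dvo = -vo / (R * CAP)
        else:                       # KCL: (src - vo)/Rd = C*vo' + vo/R
            src = vin if mode == "D1_ON" else -vin
            dvo = (src - vo) / (RD * CAP) - vo / (R * CAP)
        vo += dt * dvo
        # Semi-implicit Euler keeps the oscillator amplitude from drifting.
        x0 -= dt * OMEGA * OMEGA * vin
        vin += dt * x0
        exact = VMAX * math.sin(OMEGA * (n + 1) * dt)
        src_err = max(src_err, abs(vin - exact))
        vo_min = min(vo_min, vo)
        if n >= last_cycle:
            tail.append(vo)
    return {"source_error": src_err, "modes": visited, "vo_min": vo_min,
            "ripple": max(tail) - min(tail)}


if __name__ == "__main__":
    print(simulate())
```

The returned `source_error` compares the linear oscillator state against the closed-form sinusoid, which is the substitution that lets a tool restricted to affine dynamics accept the model.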
SLSF Simulations and Reachability Analysis
Formal verification of CP-PLL constitutes verifying its frequency-locking property, i.e., whether We also analyze the hybrid automaton using SpaceEx, and a comparison of the first few iterations for SpaceEx and SLSF is shown in Figure 3.2. We show that SLSF simulation traces, and the over-approximated sets of reachable states computed using SpaceEx, match for the first five iterations. CP-PLL requires thousands of cycles to lock, hence there will be thousands of discrete transitions for the switching logic, resulting in inaccuracy due to SpaceEx over-approximations [1]. It is evident from comparing the first five iterations in Figure 3.2 that SLSF simulation traces are contained within the over-approximated sets of reachable states. We also conclude that the SLSF traces exhibit stable limit cycles, and that frequency locking is achieved within 0.2 mSec.
As evident from this benchmark, the performance of reachability analysis tools is not satisfactory due to the high number of discrete transitions (practically being in the order of thousands). It is pertinent to highlight that in [4], the authors have used a variant of continuization [1] to address this problem for the design of a yaw damper system for a 747 jet aircraft. Continuization is a process whereby the abstraction of a hybrid system having a large number of discrete transitions is obtained by a continuous system with an extra non-deterministic input. The authors use HyST to automatically transform the model and perform reachability analysis using Flow* and SpaceEx to display satisfactory results in [4]. A similar approach can be used for this benchmark so as to perform reachability analysis using SpaceEx and Flow*.
We perform the reachability analysis using SpaceEx under the steady-state conditions for FWR, i.e., $V_{max} = 4$ V, $V_o(0) = 4$ V, and $f = 50$ Hz, as shown in Figure 3.3. The steady-state SLSF time traces for the output voltage are contained within the over-approximated sets of reachable states computed using SpaceEx.
During conversion from SpaceEx to SLSF using HyST, the conversion time noted for CP-PLL is 1.633077 seconds and that for FWR is 1.936676 seconds. We used MATLAB Release 2015a on a Windows 7, 64 bit operating system with Intel Core i7-2600 CPU at 3.40 GHz and 16 GB RAM.
Key Observations
Hybrid automaton modeling and reachability analysis of CP-PLL using traditional model checking tools, such as SpaceEx, is an extensive challenge. This is because CP-PLL requires thousands of cycles to lock, resulting in thousands of discrete transitions in the switching logic. Therefore, the SpaceEx analysis did not produce accurate reachability results if the analysis is run for an extended duration of time. This requires some advanced techniques, such as continuization [1], that is demonstrated in [4] using HyST, SpaceEx, and Flow*. For FWR, SpaceEx produced a run-time error due to non-affine dynamics, as the model had a pure sinusoidal time-dependent signal as an input. Therefore, we have modeled the sinusoidal input signal using second-order ODEs to successfully compute the reachability analysis results.
Benchmark Outlook
Overall, these verification benchmarks have medium difficulty level, and can serve as a first step towards a benchmark library to evaluate reachability and verification methods for AMS circuits.
These benchmarks are open to the continuous and hybrid systems verification community to evaluate their methods and tools.
A Appendix: VHDL-AMS Description of FWR
As discussed in Section 2, the FWR circuit behavior depends upon the state of the diodes being ON or OFF due to the input sinusoidal signal. We assume that this signal is supplied externally, and form the description as per Equation 2.16, Equation 2.17, and Equation 2.18. It should be mentioned that, in VHDL-AMS, we must minimize the use of the division operation. VHDL-AMS models are typically comprised of two sections, i.e., an entity and an architecture. The entity describes the model interface to the outside world, whereas the architecture describes the function or behavior of the model. A VHDL-AMS description is given below:

```vhdl
library ieee;
use ieee.electrical_systems.all;
use ieee.math_real.all;

entity fwr is
  port (
    terminal input  : electrical;
    terminal output : electrical
  );
end entity fwr;
----------------------------------------------------------------
architecture dot of fwr is
  quantity vin  across input  to electrical_ref;
  quantity vout across output to electrical_ref;
  constant r   : real := 1000.0; -- load resistance
  constant rd  : real := 0.1;    -- diode forward resistance
  constant cap : real := 0.001;  -- capacitance
begin
  -- Diode ON: KCL (vin - vout)/rd = cap*vout'dot + vout/r, multiplied by rd
  if vin >= vout and -vin <= vout use
    vin == vout'dot * rd * cap + vout + vout * rd / r;   -- diode D1 ON
  elsif vin <= vout and -vin >= vout use
    -vin == vout'dot * rd * cap + vout + vout * rd / r;  -- diode D2 ON
  elsif vin <= vout and -vin <= vout use
    vout == -vout'dot * r * cap;                         -- both OFF
  end use;
end architecture dot;
```
