Abstract. Analog circuits are an increasingly critical component in embedded system designs. Traditionally, simulation is used for verification, but due to the infinite state space of analog components, the complete correctness of a design cannot be guaranteed. Formal methods, based on applying mathematical expressions and reasoning to prove correctness, have been developed to increase the verification confidence level. This paper introduces and demonstrates a methodology for formally verifying safety properties of analog circuits. In the proposed approach, system equations are automatically extracted from a SPICE netlist by means of energy-conservative bond graph models. Verification based on abstract model checking and constraint solving is then applied to the extracted equation models. Our methodology avoids the exhaustive and time-consuming simulation normally encountered during analog circuit verification. To this end, we have used a set of tools to implement the proposed verification flow and applied it to tunnel diode, Chua and Colpitts oscillators as case studies.
Introduction
Analog circuits are an increasingly critical component in the verification flow of embedded system designs. Embedded devices are difficult to design and verify because of the interface between the digital (discrete) and analog (continuous) domains. Because of the unpredictable nature of the real world input, the devices are required to operate over a large number of different modes that can be particularly difficult to determine, isolate and verify. For safety critical systems, where complete verification is required to ensure that an accident will not occur, this situation is particularly problematic.
The standard method to verify analog designs is simulation. With increasing complexity, simulations can take days or even weeks to terminate [1]. Unfortunately, the results obtained via lengthy simulations can still remain incomplete, because it is impossible to test the entire set of inputs and expected outputs due to the continuous nature of the external signals: only a finite number of cases can be checked. Therefore, simulation methods lack the rigor to ensure the complete correctness of a design.
To address the incomplete verification of designs via simulation, formal methods have been developed to increase the verification confidence level. Formal methods [2] are based on applying mathematical expressions and reasoning to prove the correctness of a design. A formal specification is constructed to verify a model using mathematical logic and formal reasoning. There have been several industry-level applications developed for the formal verification of digital circuits [3]. However, there has not been the same amount of progress for analog circuits, which has severely limited the application of formal methods to embedded systems and other mixed-signal devices. The current modelling methodologies are not well suited to verifying several domains together, so the verification of each part of a mixed-signal design has to be performed separately. This problem must be solved before significant progress can be made in the formal verification of embedded systems. One way to model the complex behaviour of the analog part of an embedded system is by a system of differential equations. One challenge in the verification process is to have an adequate model that accurately represents the behaviour of the design.
Unfortunately, generating equations that accurately represent this dynamic behaviour but are also simple enough to verify automatically remains a non-trivial process.
A critical problem facing analog designs is the set of effects arising from the reduction in fabrication size: parasitics, current leakages and component variations that can drastically change the expected behaviour of a design. This causes major problems for the verification engineer, because it is time-consuming to build an appropriate model that accounts for this additional behaviour. Additionally, a great deal of expertise is required by the designer to extract and verify the properties of interest from the newly defined models. It is therefore of great utility to both the designer and the verifier to have models at their disposal that preserve the required behaviour of a device, yet remain simple enough to be verified using available tools. This paper demonstrates a flow to verify functional properties of analog circuits.
The different steps of the proposed methodology are shown in Figure 1 . The methodology consists of two parts; namely modelling and verification. In the modelling phase, the circuit schematic is analyzed to obtain the system of ordinary differential equations (ODEs) necessary for the verification. The idea is to extract the circuit ODEs automatically from the corresponding analog circuit diagram, by means of bond graph transformations [4] . Two complementary approaches based on combining predicate abstraction and constraint solving are then applied to validate properties of interest during the verification phase. In particular, when the constraint solving based verification fails to return a result due to the complexity of the obtained ODE model, we can apply the predicate abstraction based method to obtain a result.
Bond graphs are a domain-independent modelling formalism for physical systems based on the flow of energy between abstract objects. The benefit of using bond graphs for modelling is the ability to represent circuits using flow, effort and energy conservation. There are also switched bonds that can be used to represent discrete changes in behaviour. These properties allow for the uniform treatment of different physical domains, which is particularly useful for representing the behaviour of mixed-signal systems.
Predicate abstraction [5] is one of the most successful abstraction approaches for the verification of systems with an infinite state space. In this approach, the state space is divided into a finite set of regions and a set of rules is used to define the transition between these regions in a way that the generated state transition system can be verified using model checking. Model checking is defined as: given a finite state model and a property, determine automatically whether the model satisfies the property [2] .
Constraint solving [6] verifies properties based on relations between the variables of a system. Problems are solved by forming constraints around a problem definition and then finding solutions that satisfy them all. In the constraint-solving method, we use predicates to improve the precision and reduce the computational cost of the state space exploration. However, if this method fails to provide an answer due to state space explosion, an abstraction-based verification is used. In this second approach, predicate abstraction is applied to generate an abstract state space that is subsequently verified using model checking. Counterexamples produced by the model checker are validated, again using constraint solving. In the case of a spurious counterexample, the abstract model is refined [7].
The proposed methodology has the advantage of avoiding the exhaustive simulation usually encountered during verification. To this end, we have used a set of tools to implement the verification flow. The design equations necessary for the verification are extracted from SPICE models using Dymola [8]. These equations are further simplified using Mathematica [9] simplification rules. HybridSal [10] is then used to obtain an abstract model, which is verified using the SAL symbolic model checker (SAL-SMC) [11]. The HSolver [12] constraint solver is used both as an alternative means of property verification and to validate counterexamples generated by SAL-SMC. We illustrate the methodology on several analog examples, including Colpitts and tunnel diode oscillator circuits.
The rest of the paper is organized as follows. We start with an overview of the relevant work in Section 2. After that, we describe the different phases of the equation extraction process, along with the theory behind bond graphs, in Section 3. This is followed by an explanation of the proposed verification methodology in Section 4. The experimental results are presented in Section 5, before concluding the paper in Section 6.
Related Work
The presented verification methodology spans many different research domains. Therefore we will only highlight the most important information including the work on bond graphs for the analysis of analog designs.
Modelling analog circuits for formal verification. One of the main challenges of the formal verification of analog designs is the development of models that preserve the required behaviour. Extracting the system equations to be used in behavioural modelling is a challenging task in the analog design process. Nodal analysis techniques have been developed to this end, extracting equations from the circuit netlist. However, the resulting equations are in general very large and too complicated to be used for behavioural analysis. For example, in the context of formal verification, the authors of [13] relied on the symbolic analysis toolbox AnalogInsydes to obtain the system equations necessary for the verification.
In comparison with conventional symbolic extraction methods [14] and the techniques mentioned above, bond graph based modelling allows for a structured symbolic extraction of the system equations. This is possible because of methods to automatically assign an input-output relation (causality) to each component, generating a compact computational structure [15] that can be used to obtain differential equations.
Analog design verification.
A common trend in analog verification is to use on-the-fly state space exploration techniques, where the set of reachable states corresponds to an overapproximate solution of the system equations over a bounded period of time. In an alternative approach, the entire state space is subdivided into regions, and computational rules define the transitions between them. This model is generally described as a finite state automaton, verifiable using model checking techniques.
For instance, in the early work in [16], the authors constructed a finite-state discrete abstraction of electronic circuits by partitioning the continuous state space into fixed-size hypercubes and then computing the reachability relations between these cubes using numerical techniques. In [17], the authors tried to overcome the expensive computational method of [16] by combining discretization and projection techniques of the state space to reduce its dimension. Similarly, the model checking tools d/dt [18], Checkmate [19] and PHaver [20] were adapted and used in the verification of a biquad low-pass filter [18], a tunnel diode oscillator and a ∆Σ modulator [19], and voltage controlled oscillators [20]. In [13], the authors used intervals to construct the abstract state space, while using heuristics to identify possible transitions between adjacent regions. The main difference from [16] is that [13] allows variable-sized regions. An exhaustive state-of-the-art review of the formal verification of analog designs can be found in [21].
Additionally, there exists work that is concerned with transforming the analog verification problem to one that can be solved with Boolean satisfiability (SAT) techniques.
In [22] , the authors have developed a methodology for formulating a SPICE style simulation into a format that can then be passed to a SAT solver. In particular, this technique can capture, at the transistor level, the non-linear behavior of the design under test.
Many of the surveyed formal methods limit the verification of the circuit to a predefined time bound because they depend on explicit state exploration. In contrast, we propose in this paper to use qualitative methods for the construction and verification of abstract models, which removes the time bound requirement. In addition, we extend the verification with a counterexample-guided refinement procedure.
For a more in-depth review of related work and other viable methods for the modelling and formal verification of analog circuits see [23] .
Bond Graphs as a Model for Analog Circuits
Bond graphs were introduced by Paynter [24], who hypothesized that all physical systems and the interactions between them could be modeled using energy and power alone. His work was later extended by Karnopp and Rosenberg [25] to enable bond graph theory to be used in practice. They developed multi-port objects that could be used with power bonds to model the flow of energy and information [26]. The benefit of a modelling framework based on energy flow is that different domains can be analyzed using the same methodology. The necessary and sufficient set of bond graph primitives consists of five elements, but normally a more practical set of nine elements is used, as shown in Table 1.

Example. The tunnel diode oscillator circuit in Figure 2(a), which has been used by many researchers (e.g., [19, 13]) as a benchmark in formal verification research, will be used as an example throughout the paper to demonstrate each step of our methodology.

Junctions. Besides the bond itself, the other basic component is the junction, which represents a circuit node or mesh. At the 0 or common-effort junction the efforts are equal, which is analogous to a node in a circuit. At the 1 or common-flow junction the flows are equal, which is analogous to a mesh in a circuit.
Components. Using the bonds and junctions, it is possible to connect components together in a bond graph, as shown in Figure 2.

Causality. Causality is the determination and representation of the directional relationship between an input and an output [25], preserving the computational structure of the design. The causal stroke is attached to the side of the bond that computes the flow variable [27] (Figure 2(d)). In general, causality is assigned automatically using a technique such as the sequential causality assignment procedure (SCAP) to produce a causal bond graph [15]. Once causality is assigned, the computational information of the system is available and the system equations can be extracted automatically.
The fact that causality (algebraic dependency) is defined explicitly before any equations are setup remains a great advantage over other multi-domain modelling methods.
Many practical analog circuits have a mathematical model that takes the form of a system of differential algebraic equations (DAE) with an index of one. It is well known that these models can be solved numerically for simulation purposes. For formal verification we require an analytical model and not a numerical approximation. Therefore it is generally necessary to use models that are available in state space form. Borutzky [28] has developed methods that use the causality information provided by bond graphs to identify tearing variables and equations to automatically reduce the DAE system into a state space model.
Analog Modelling Methodology
In the following, we present the methodology for automatically extracting the system of ODEs from an analog circuit. By using bond graphs we are able to conveniently model the topology of an analog circuit, which can aid at both the design and verification stages. The methodology is depicted in Figure 3 .
Based on what behaviour or functionality is required in the design, the analog circuit is first constructed by hand with a schematic capture program that uses common symbols to represent the necessary components. This high level abstraction is then automatically transformed into a SPICE circuit model by macros contained within the schematic capture program. Using the Dymola Modelling Laboratory [8] in conjunction with the BondLib library [4] , a bond graph is created directly from the SPICE model.
At this point, the bond graph is not yet in its simplified form. Using the simplification rules (see below), the bond graph is reduced; with the bond graph in reduced form, the number of equations to be handled is kept to a minimum. Next, causality is automatically assigned by Dymola. Each bond graph component can have a fixed, preferred or free causality assignment, determined by where the flow variable is calculated. For our verification task we want differential equations to be produced instead of integrals. This might take several iterations to complete, since the overall causality assignment is constrained by the starting point of the SCAP algorithm and the resulting propagation of the choice through the bond graph.
Once the simplified and causal bond graph is formed, then Dymola is used again to automatically generate the Modelica description that contains the differential equations.
For smaller designs the equations can be easily read directly from it. In other cases, when the design is more complex, the Modelica description may contain redundant equations due to the conversion process from DAEs to ODEs.
Generally, the equations representing the circuits are differential algebraic equations. Dymola applies symbolic manipulation techniques to automatically generate the corresponding ODEs from the DAEs, as described in [29, 28]. However, this comes at the cost of introducing dummy algebraic equations, which are simplified or eliminated using the simplification rules of the computer algebra system Mathematica, thereby automating the ODE extraction. This process is further aided by MathModelica [30], a Mathematica interface to the Modelica library.
The advantage of using BondLib is due to the symbolic nature of bond graphs.
The behaviour of the corresponding SPICE models of the electrical components is preserved using a black box abstraction. For instance, the current through a transistor can be represented by a function, e.g., I ds = f (l, w,V gs , ...). The internal details are chosen independently of the verification method. In general, the verification might begin with a simple model and then more complex models can be substituted when needed.
Construction of the Bond Graph
Example. The transformation from circuit diagram to bond graph follows the structure of the SPICE model given in Figure 2(b). Each circuit component is transformed into its bond graph counterpart. The components are then interconnected by transforming nodes into 0 junctions and meshes into 1 junctions, as shown in Figure 2(c), according to the bond graph rules described earlier.
Simplification. There exist two levels of simplification that can be performed automatically on bond graphs. First, there are equivalence rules for the junction object [26]. These rules reduce the number of bonds in a circuit and are based on the simplification of the underlying power equations; they can be applied to a bond graph automatically.
The second level of simplification is analogous to the concept of combining many parallel capacitances into one equivalent capacitor, which reduces the state space description. By choosing to combine certain bond graph elements, it is possible to reduce the complexity of the system without affecting the overall function. This can result in simpler ODEs that are extracted from the reduced bond graph model.
Example. There are several simplifications that can be made to the bond graph in Figure 2(c) . First, the bonds that are connected to ground can be deleted since the voltage at those nodes is zero, indicating that the power flow is zero. Then, since the flows at 1 junctions are equal, 1 junctions in series can be merged together. As a final step to the simplification process, any junction that has only two bonds connected is removed since no power that flows through a two port junction can divert to another component.
The next step in the conversion process is to add a causality stroke to each bond (a straight line added to one end of a bond). Since there are two variables associated with each bond, the stroke indicates at which end the flow (current in the analog circuit sense) variable is calculated. To allow for an automated extraction of system equations, causality is assigned so that differential equations are obtained. For capacitors, the causal stroke is drawn at the opposite end of the bond away from the capacitor. For inductors, the causal stroke is drawn at the inductor end of the bond. The final bond graph is defined as shown in Figure 2 (d).
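The construction, simplification and causality steps above end in a causal bond graph from which the state equations follow mechanically. The following Python script is an added example, not code from the paper and not the Dymola/BondLib flow the paper uses: it performs that last step for bond graphs consisting of a single 0- or 1-junction, applying the junction laws (equal flows and zero effort sum at a 1-junction, equal efforts and zero flow sum at a 0-junction) together with the constitutive laws of the elements under integral causality, and it refuses configurations such as two inductors on one 1-junction, where a storage element would receive derivative causality and the model would be a DAE rather than an ODE. The element names, values and the power-sign convention are assumptions of the example.

```python
"""Equation extraction from a causal bond graph with a single junction.

Added example, not the paper's Dymola/BondLib flow. It applies the junction
laws and the constitutive laws of Se, Sf, R, C and I elements, assuming
integral causality for the storage element that sets the common variable
(I on a 1-junction computes the flow f = p/L; C on a 0-junction computes the
effort e = q/C). Element values and the sign convention are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Element:
    kind: str     # 'Se' effort source, 'Sf' flow source, 'R', 'C' or 'I'
    name: str
    value: float  # E for Se, F for Sf, otherwise R, C or L


def _sum(terms: List[str]) -> str:
    """Join signed terms such as '+5', '-2*(p_L/0.5)' into '5 - 2*(p_L/0.5)'."""
    text = " ".join(f"{t[0]} {t[1:]}" for t in terms)
    return text[2:] if text.startswith("+ ") else (text or "0")


def extract_odes(junction: str, elements: List[Element]
                 ) -> Tuple[List[str], Dict[str, str], Callable[[List[float]], List[float]]]:
    """Return (state names, symbolic ODEs, numeric right-hand side).

    Assumed sign convention: power flows from sources into the junction and
    from the junction into R, C and I, so the junction law reads
    sum(source variable) = sum(passive element variables).
    """
    srcs = [e for e in elements if e.kind in ("Se", "Sf")]
    rs = [e for e in elements if e.kind == "R"]
    cs = [e for e in elements if e.kind == "C"]
    ls = [e for e in elements if e.kind == "I"]
    if junction == "1":
        # Common flow f is computed by the single I element: f = p/L.
        if len(ls) != 1 or any(s.kind == "Sf" for s in srcs):
            raise ValueError("1-junction needs exactly one I element (and no Sf) to fix "
                             "the flow; otherwise a storage element gets derivative "
                             "causality and the model is a DAE, not an ODE")
        ind = ls[0]
        states = [f"p_{ind.name}"] + [f"q_{c.name}" for c in cs]
        f_sym = f"p_{ind.name}/{ind.value:g}"
        # Effort on the inductor = source efforts - resistor efforts - capacitor efforts.
        e_ind = ([f"+{s.value:g}" for s in srcs]
                 + [f"-{r.value:g}*({f_sym})" for r in rs]
                 + [f"-q_{c.name}/{c.value:g}" for c in cs])
        eqs = {f"dp_{ind.name}/dt": _sum(e_ind)}
        eqs.update({f"dq_{c.name}/dt": f_sym for c in cs})  # dq/dt = common flow

        def rhs(x: List[float]) -> List[float]:
            f = x[0] / ind.value
            e = (sum(s.value for s in srcs) - sum(r.value * f for r in rs)
                 - sum(q / c.value for q, c in zip(x[1:], cs)))
            return [e] + [f] * len(cs)
        return states, eqs, rhs
    if junction == "0":
        # Dual case: common effort e is computed by the single C element: e = q/C.
        if len(cs) != 1 or any(s.kind == "Se" for s in srcs):
            raise ValueError("0-junction needs exactly one C element (and no Se) to fix the effort")
        cap = cs[0]
        states = [f"q_{cap.name}"] + [f"p_{l.name}" for l in ls]
        e_sym = f"q_{cap.name}/{cap.value:g}"
        # Flow into the capacitor = source flows - resistor flows - inductor flows.
        f_cap = ([f"+{s.value:g}" for s in srcs]
                 + [f"-({e_sym})/{r.value:g}" for r in rs]
                 + [f"-p_{l.name}/{l.value:g}" for l in ls])
        eqs = {f"dq_{cap.name}/dt": _sum(f_cap)}
        eqs.update({f"dp_{l.name}/dt": e_sym for l in ls})  # dp/dt = common effort

        def rhs(x: List[float]) -> List[float]:
            e = x[0] / cap.value
            f = (sum(s.value for s in srcs) - sum(e / r.value for r in rs)
                 - sum(p / l.value for p, l in zip(x[1:], ls)))
            return [f] + [e] * len(ls)
        return states, eqs, rhs
    raise ValueError("junction must be '0' or '1'")


def series_rlc():
    """Se -- 1-junction -- R, I, C: the bond graph of a series RLC loop (assumed values)."""
    return extract_odes("1", [Element("Se", "V", 5.0), Element("R", "R", 2.0),
                              Element("I", "L", 0.5), Element("C", "C", 0.1)])


def parallel_rlc():
    """Sf -- 0-junction -- R, C, I: the bond graph of a parallel RLC node (assumed values)."""
    return extract_odes("0", [Element("Sf", "I", 1.0), Element("R", "R", 2.0),
                              Element("C", "C", 0.1), Element("I", "L", 0.5)])


if __name__ == "__main__":
    for build in (series_rlc, parallel_rlc):
        names, equations, _ = build()
        print(build.__name__, names, equations)
```

For the series loop the script yields dp_L/dt = 5 - 2*(p_L/0.5) - q_C/0.1 and dq_C/dt = p_L/0.5, the state-space form in inductor momentum and capacitor charge that the verification phase needs; the ValueError branch is the derivative-causality situation that, in the Dymola flow described above, forces another iteration of the causality assignment.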
Obtaining the System of Equations
Once the bond graph is built, the set of system equations can be extracted and simplified.
In the current project, we use rewriting techniques provided in Mathematica to remove redundant equations. This is a mostly manual process. The final system of equations is the computational model on which we apply the verification. In general, the analog design computational model is described as follows.

Definition 1. Analog Design Model
An Analog Design Model is a tuple $A = (X, X_0, U, F)$, with state space $X = V_{c_1} \times \dots \times V_{c_n} \times I_{l_1} \times \dots \times I_{l_m} \subseteq \mathbb{R}^d$, where the $V_{c_i}$ are the capacitor voltages and the $I_{l_j}$ the inductor currents.

The analog design can then be described by a system of ODEs.

Definition 2. System of ODEs
Consider a set of variables $x_k(t) \in \mathbb{R}$, $k \in \{1, \dots, d\}$, $t \in \mathbb{R}$. An ODE is a system consisting of a set of equations of the form:

The semantics of the analog model $A$ over a continuous time period
Analog Design Verification
This section will describe the methodology for verifying properties of analog designs using ODEs extracted from bond graphs. There are two issues that must be addressed.
First, we must determine what type of properties to verify. We have chosen to focus on verifying safety properties which indicate that some bad behaviour will never occur.
The second task is to determine how to verify the properties over a continuous-time ODE model. A direct analysis over the continuous domain is too computationally expensive for the available verification technologies. We have therefore chosen to use an abstraction based technique. The goal is to reduce the required computational effort while preserving critical model behaviours thus ensuring valid verification results.
Preliminaries
Examples of questions that often come up during analog verification include: "will the system's behaviour follow the design specification for the entire range of initial operating conditions?" and "considering component variations for a specific design technology will the transistors remain in the correct operating regions?". Such questions can be easily redefined as safety properties in a temporal logic. We cannot verify safety properties directly on the continuous time ODE model, due to its continuous nature. Therefore we must use an abstracted model. 
LTL (Linear Temporal Logic).
Abstracting a Model
where the concretization function: ϒ Ψ :
In general, the effectiveness of the predicate abstraction method depends on the choice of predicates and the precision of the transition relation between abstract states.
Several criteria guide the choice of appropriate predicates. For instance, basic ideas from the qualitative theory of continuous systems can be adapted within the predicate abstraction framework, as proposed in [10, 33].
Predicates related to the basic functionality of the design of interest can also be provided in a manual fashion. The conventional analysis of circuits can be an interesting direction for obtaining useful predicates. It is worth noting that the termination of the predicate generation phase is not necessary for creating an abstraction. We can stop at any point and construct the abstract model. A larger predicate set yields a finer abstraction as it results in a larger state space in the abstract model.
Given the analog model transition system $T_A$ representing the analog behaviour and a property $\varphi$ expressed in LTL, the problem of checking that the property holds in this model, written $T_A \models \varphi$, can be reduced to checking that a related property holds on an approximation $T_\Psi$ of the model, i.e., $T_\Psi \models \varphi$. More formally, the main preservation theorem is stated as follows [31]:

If a property is proved on an abstract model $T_\Psi$, then we are done. If the verification of $T_\Psi$ reveals $T_\Psi \not\models \varphi$, we cannot conclude that $T_A$ is unsafe with respect to $\varphi$, since the counterexample for $T_\Psi$ may be spurious. In order to remove spurious counterexamples, refinement methods are applied to the abstract model [31].
Verification Methodology
We have developed a verification methodology combining predicate abstraction and constraint solving to take advantage of the best parts of both techniques. Depending on the type of property, there are two complementary verification options to choose from.
Enhancing Constraints based Verification using Predicates.
If the property we want to verify can be described as some upper limit on a variable, then the best option is to use a constraint solver due to its precision in representing a variable's trajectory. On the left branch of Figure 4 , we strengthen constraint solving based verification with predicates that act as constraints on the state space. This is practical as the addition of useful constraints can limit the state space exploration by providing a means for pruning unreachable states.
In this approach, we apply HybridSal on the system equations to obtain an abstract state graph of the circuit behaviour. The satisfaction of properties is verified on these regions using constraint based methods. The abstract graph, along with the system equations and the property of interest are then used as an input to HSolver. The property verification provides the advantage of avoiding explicit computation of reachable sets.
If the property cannot be verified at this stage, refinement is needed only for the nonverified regions by adding more predicates using HybridSal. Verification is then applied on the newly generated abstract model.
HSolver has an internal abstraction refinement procedure. However, due to the overapproximation, the refinement does not terminate unless a bound is placed on it. When the bound is reached but verification has not terminated, an inconclusive answer is returned over an interval that violates the property. Refinement can be achieved by increasing the bound or by choosing tighter constraints for the abstract states. If verification still fails even with refinement, the complementary approach based on predicate abstraction can be used.
Predicate Abstraction based Verification. If the property under consideration is described using a temporal logic such as LTL, then the best option is abstract model checking, which takes advantage of the significant number of mature tools that can prove LTL properties. On the right branch of Figure 4, symbolic model checking using SAL-SMC is applied to the abstract state space generated by HybridSal, and the constraint solver HSolver is used to validate the counterexamples produced by SAL-SMC. First, the abstract model is built automatically using the predicate abstraction tool HybridSal.
If the property verification succeeds, the approach terminates, otherwise an abstract counterexample is generated.
In abstract model checking, when a property cannot be verified, a counterexample is generated identifying the reasons for the possible property violation. As the generated counterexample is an abstract one, due to the overapproximation, it is essential to validate it. In case it is spurious, the information it carries can be used to refine the abstract reachable states. The predicates specifying the counterexample are turned into constraints that are provided to HSolver, along with the property and the system of ODEs. HSolver tries to validate the property only in the regions described by the provided constraints. If the property is verified there, the counterexample is spurious: a refinement procedure removes the spurious transitions from the abstract model and symbolic model checking is re-applied to the refined model. If, on the other hand, HSolver fails to provide a decisive answer, the abstract model is refined by splitting abstract states, which is achieved by adding more predicates.
Note. There is no guarantee that a spurious counterexample can be refuted, and the procedure might therefore not terminate. Technically, this happens if the approximation is too loose, so that impossible behaviour remains in the abstract model. To our knowledge no efficient general solution exists for this problem for hybrid systems; however, practical counterexample validation methods have been proposed in [31].
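The right branch of Figure 4 (predicate abstraction, abstract model checking, counterexample validation) can be exercised on a small system without the tool chain. The Python script below is an added example; it is not the paper's HybridSal/SAL-SMC/HSolver flow and not code from the authors. It abstracts a linear two-variable ODE by the signs of its state variables, derives the abstract transition relation from qualitative derivative signs, searches the abstract graph for a path into an unsafe region, and then checks that path against numerical simulation from sampled initial points, which stands in for the constraint-solving validation described above. The overdamped oscillator, its initial set and the safety property are constructed for the illustration.

```python
"""Sign-based predicate abstraction and abstract safety checking of a linear ODE.

Added example; not the paper's HybridSal/SAL-SMC/HSolver tool chain. Predicates
are the state variables themselves and the vector field is linear, so the sign
of each predicate's derivative inside an abstract state follows from sign
arithmetic alone. The system, initial set and property are constructed.
"""
from collections import deque
from itertools import product
from typing import Callable, List, Optional, Sequence, Set, Tuple

SIGNS = ("neg", "zero", "pos")
State = Tuple[str, ...]          # one sign per predicate, e.g. ("neg", "pos")
Matrix = Sequence[Sequence[float]]


def sign_of(value: float) -> str:
    return "zero" if value == 0 else ("pos" if value > 0 else "neg")


def term_sign(coeff: float, pred_sign: str) -> str:
    """Sign of coeff * p when only the sign of p is known."""
    if coeff == 0 or pred_sign == "zero":
        return "zero"
    return pred_sign if coeff > 0 else {"neg": "pos", "pos": "neg"}[pred_sign]


def derivative_signs(row: Sequence[float], state: State) -> Set[str]:
    """Possible signs of d/dt p_i = sum(row[j] * p_j) inside `state`.
    Terms of opposite sign may cancel, so every sign is then possible."""
    signs = {term_sign(a, s) for a, s in zip(row, state)}
    if signs <= {"zero"}:
        return {"zero"}
    if signs <= {"zero", "pos"}:
        return {"pos"}
    if signs <= {"zero", "neg"}:
        return {"neg"}
    return set(SIGNS)


def may_transition(A: Matrix, src: State, dst: State) -> bool:
    """Qualitative transition rule: a predicate changes sign only through zero and
    only in a direction its derivative can take in the source state. The rule uses
    first-derivative signs only; a predicate at zero whose derivative is identically
    zero in the source state is assumed to stay at zero, which is exact for the
    linear system below but in general calls for extra (derivative) predicates."""
    for i, (s, d) in enumerate(zip(src, dst)):
        if s == d:
            continue
        ds = derivative_signs(A[i], src)
        if s == "neg" and not (d == "zero" and "pos" in ds):
            return False
        if s == "pos" and not (d == "zero" and "neg" in ds):
            return False
        if s == "zero" and d not in ds:
            return False
    return True


def abstract_counterexample(A: Matrix, init: List[State],
                            is_unsafe: Callable[[State], bool]) -> Optional[List[State]]:
    """Breadth-first reachability on the abstract graph: a finite-state check of
    'no unsafe abstract state is reachable'. Returns the abstract path to the first
    unsafe state found, or None when the property holds on the abstraction."""
    parent = {s: None for s in init}
    queue = deque(init)
    all_states = list(product(SIGNS, repeat=len(A)))
    while queue:
        s = queue.popleft()
        if is_unsafe(s):
            path = []
            while s is not None:
                path.append(s)
                s = parent[s]
            return path[::-1]
        for t in all_states:
            if t not in parent and may_transition(A, s, t):
                parent[t] = s
                queue.append(t)
    return None


def _field(A: Matrix, x: Sequence[float]) -> List[float]:
    return [sum(a * xi for a, xi in zip(row, x)) for row in A]


def concrete_violation(A: Matrix, x0: Sequence[float], is_unsafe: Callable[[State], bool],
                       dt: float = 0.01, steps: int = 3000) -> bool:
    """RK4 simulation of the concrete ODE from x0; True if the trajectory ever enters
    the unsafe region. Stand-in for the constraint-solving validation of the text."""
    x = list(x0)
    for _ in range(steps):
        if is_unsafe(tuple(sign_of(v) for v in x)):
            return True
        k1 = _field(A, x)
        k2 = _field(A, [xi + dt / 2 * k for xi, k in zip(x, k1)])
        k3 = _field(A, [xi + dt / 2 * k for xi, k in zip(x, k2)])
        k4 = _field(A, [xi + dt * k for xi, k in zip(x, k3)])
        x = [xi + dt / 6 * (a + 2 * b + 2 * c + d)
             for xi, a, b, c, d in zip(x, k1, k2, k3, k4)]
    return False


def demo() -> Tuple[Optional[List[State]], bool]:
    """x' = v, v' = -k x - c v with k = 1, c = 3 (overdamped; assumed values).
    Initial set: x < 0, v = 0. Safety property: x never becomes positive."""
    A = [[0.0, 1.0], [-1.0, -3.0]]

    def is_unsafe(s: State) -> bool:
        return s[0] == "pos"

    cex = abstract_counterexample(A, [("neg", "zero")], is_unsafe)
    # The sign abstraction cannot see that an overdamped system does not overshoot,
    # so it reports a path to x > 0; concrete samples from the initial set refute it.
    spurious = cex is not None and not any(
        concrete_violation(A, (-x0, 0.0), is_unsafe) for x0 in (0.1, 1.0, 5.0))
    return cex, spurious


if __name__ == "__main__":
    path, spurious = demo()
    print("abstract counterexample:", path)
    print("spurious:", spurious)
```

The abstract model reports the path (neg, zero) → (neg, pos) → (zero, pos) → (pos, zero), i.e. x crossing through zero, because the sign abstraction cannot express that an overdamped system approaches zero without overshooting. None of the simulated trajectories ever leaves x < 0, so the counterexample is spurious and the abstraction would have to be refined, either by removing the spurious transitions or by adding a predicate that separates the overshooting from the non-overshooting part of the state space, exactly the two refinement options described above.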
Verification of a Tunnel Diode Oscillator
We use the predicate abstraction option (right branch of Figure 4 ) for the verification of the tunnel diode oscillator. Once the simplified system of ODEs has been extracted, they can be used to form a hybrid system definition in the HybridSal modelling language.
The variables of an analog circuit lie within a continuous state space and thus pose a problem for the formal verification tools that prove properties over a finite state space.
To decrease the computational complexity of the verification problem, HybridSal uses internal abstraction methods to encode the continuous state space into a discrete one defined by a set of predicates that are either greater than, less than or equal to zero. Ideally, the abstract model that is created should preserve enough of the critical behaviour of the design to verify the safety property under question [10] .
The tunnel diode circuit is first manually transformed into a HybridSal description, from which HybridSal generates the abstract model. This abstract model is checked using SAL-SMC to verify the non-oscillation property. In this case, SAL-SMC reports that the property is not proved and gives a counterexample (see Listing 3). The counterexample shows the values of the predicates as the model checker steps through each abstract state. The abstract property states that the predicate g1 must always be negative; the generated counterexample, however, demonstrates a path to a state where g1 is zero. At this point, it is necessary to check whether the counterexample is spurious. The counterexample path is encoded as an HSolver description, whose UNSAFE section defines the safety constraints of the system (Listing 4).
HSolver outputs "SYSTEM SAFE", which indicates that the path to the abstract state of the counterexample produced by SAL-SMC is never reached. We can therefore conclude that the counterexample is spurious, and we manually remove from the SAL description all transitions from states where g1 = neg holds to states where g1 = zero holds. This refinement is valid because, by applying the cone of influence [34] to the SAL description, we find that g1 depends only on g0 and not on g2, through the function ASSVP(g1, g0). This is also why the jump conditions implemented in the HSolver description are based only on the g0 and g1 predicates. The verification of the refined SAL description with SAL-SMC then succeeds, which means that no oscillation will occur.

Listing 4. HSolver Description for the Counterexample Validation of the Tunnel Diode Example
Experimental Results
In this section we detail our experimental results that serve as extensions to the tunnel diode oscillator example that was developed progressively throughout the paper. In particular we apply the proposed verification methodology on a BJT Colpitts Oscillator using predicate abstraction and a Chua Circuit using constraint solving.
BJT Colpitts Oscillator
The Bipolar Junction Transistor (BJT) Colpitts oscillator (Figure 5) is another example of an oscillator circuit with a complex behaviour, which can be properly modeled with a piecewise-linear approximation consisting of two modes.
In order to fully understand the behaviour of a circuit, it is important to verify its different modes of operation. In particular, transistors can be biased in different regions depending on the required application. It is particularly important to know the mode of operation when the transistor is connected with other circuit components. This type of circuit analysis is usually done by hand, as simulation data cannot always be used to conclusively determine the mode over all input values. We can apply the verification methodology to ensure that the transistor will never go into an unsafe mode of operation.
Another difficult issue that arises with verifying semiconductor devices is the variation of component values due to fabrication tolerances. In the case of a BJT, one parameter that can change across a piece of silicon is the common-emitter current gain β. For modern devices, β can vary between 50 and 1000 [35].
Verifying Oscillation. When oscillating, the BJT of Figure 5 will never enter its saturation region. In fact, the BJT will be either in the cut-off mode or in the forward-active mode [36]. The state space is subdivided into four regions according to the BJT modes. From [36], the differential equations describing the behaviour of the BJT Colpitts oscillator are
The BJT can be modeled as a two-segment piecewise-linear voltage-controlled resistor with
Consider the BJT Colpitts circuit with the following parameters.
The INITFORMULA section contains constraints on the variables of the system as well as constraints on the initial conditions. The parameters of the system are defined at the beginning of the transition section.
With the system of differential equations described using the HybridSal syntax, we can run the abstraction algorithm. The generated abstract state description contains the predicates and abstract transition functions, as shown in Listing 6. We then pass the abstract description to SAL-SMC. As expected, a counterexample is generated (see Listing 7). We then convert the predicates of Listing 6 into constraints and express the counterexample path in terms of transitions in the HSolver format (see Listing 8). By removing those predicates that do
If the circuit is oscillating, we know from previous designs that the voltage across C1 will vary between 2 and 6 volts. If the voltage never passes the upper bound of 2 volts, then we can deduce that the circuit is not oscillating.
Taking Listing 9 as input, HSolver responds with "INPUT SAFE". This indicates that, for the new resistance choice, the voltage across capacitor C1 will never increase beyond the bound of 0.5 volts. This proves conclusively that the circuit does not oscillate.
Chua Circuit Example
We use the constraint-based verification approach (left branch of Figure 4) described in Section 4 in order to verify the circuit shown in Figure 6 (a). This circuit was designed and implemented by Chua [37] to demonstrate chaotic behaviour, as illustrated by the simulation shown in Figure 6 (b). The key component of the circuit is the non-linear resistance, which is the source of the chaotic behaviour.
The non-linear resistor has distinct operating modes, which allow the state space to be divided into three piecewise-linear regions [38]. The capacitors are assumed to have initial voltage values, which explains the lack of a source in the circuit.
We are interested in verifying the property that the chaos of the circuit is bounded for a given set of parameters. This can be specified using the safety property $G[-6 \le V_{C_1} \le 6]$ on the voltage across the capacitor C1 shown in Figure 6 (a).
In order to apply the proposed verification approach, the circuit diagram in Figure 6 (a) is transformed into the corresponding bond graph. Simplification rules are then applied to obtain a reduced bond graph, as shown in Figure 6 (c). From the reduced bond graph, we obtain, using the Dymola/Modelica tool, a corresponding set of equations that are further processed by Mathematica in order to obtain the simplified set of equations.
The different abstract regions are formed by the predicates extracted using HybridSal.
The state space was split into three operating regions to define the different modes of operation of the non-linear resistor. The system equations and the safety property are then combined into the HSolver description (see Listing 10).
As with the tunnel diode example, the description contains four important sections. First, the STATESPACE section describes the environmental constraints. The FLOW section describes the simplified ODEs that determine the behaviour in each mode. The JUMP section contains the transition rules, and the UNSAFE section defines the constraints to check. The results from HSolver indicate that, when the proper parameters are chosen for the components, the voltage across the conductance indeed remains bounded between −6 and 6 volts.
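Both the Colpitts check (the voltage across C1 never exceeding a bound) and the Chua property $G[-6 \le V_{C_1} \le 6]$ are bound properties on one state variable of a piecewise-linear hybrid model. The block below is an added example written for this page, not HSolver's algorithm or the paper's description files: it encodes the three-segment piecewise-linear Chua diode and its three operating modes, computes the exact range of a piecewise-linear characteristic over an interval (extremes sit at endpoints or breakpoints), and certifies the two faces $x = \pm\mathrm{bound}$ by showing that the vector field points back into the safe slab on each face. The dimensionless Chua equations and the values α = 9, β = 100/7, slopes −8/7 and −5/7 are the standard textbook form, assumed here rather than taken from the paper's component values; the bounds supplied for the second state variable y are likewise an assumption standing in for what a reachability tool such as HSolver would derive.

```python
"""Flow-direction check of the safety property -bound <= x <= bound for a
piecewise-linear Chua circuit (added example; not HSolver's algorithm).

Dimensionless Chua equations, standard textbook form (values assumed):
    x' = ALPHA * (y - x - f(x)),   y' = x - y + z,   z' = -BETA * y
where x is the scaled voltage across C1 and f is the three-segment
piecewise-linear characteristic of the non-linear resistor."""
ALPHA, BETA = 9.0, 100.0 / 7.0
M0, M1 = -8.0 / 7.0, -5.0 / 7.0          # inner / outer slopes of the Chua diode
BREAKPOINTS = (-1.0, 1.0)                # the three linear regions meet here

def chua_diode(x):
    """f(x): continuous three-segment PWL resistor characteristic."""
    return M1 * x + 0.5 * (M0 - M1) * (abs(x + 1.0) - abs(x - 1.0))

def region(x):
    """Operating mode of the non-linear resistor: 0, 1 or 2 (left to right)."""
    return 0 if x < BREAKPOINTS[0] else (2 if x > BREAKPOINTS[1] else 1)

def pwl_range(f, breakpoints, lo, hi):
    """Exact range of a continuous piecewise-linear f over [lo, hi]: the
    extremes are attained at the endpoints or at interior breakpoints."""
    pts = [lo, hi] + [b for b in breakpoints if lo < b < hi]
    vals = [f(p) for p in pts]
    return min(vals), max(vals)

def x_dot_enclosure(x_lo, x_hi, y_lo, y_hi):
    """Interval enclosure of x' over the box [x_lo, x_hi] x [y_lo, y_hi].
    g(x) = -x - f(x) is itself continuous PWL, so its range is exact, and
    ALPHA > 0 keeps the resulting interval ordered."""
    g_lo, g_hi = pwl_range(lambda x: -x - chua_diode(x), BREAKPOINTS, x_lo, x_hi)
    return ALPHA * (y_lo + g_lo), ALPHA * (y_hi + g_hi)

def certify_x_bound(bound, y_lo, y_hi):
    """On the face x = +bound the flow must point down (x' < 0); on the face
    x = -bound it must point up (x' > 0), for every y in [y_lo, y_hi].
    z does not enter x', so it needs no bound here.  Returns per-face verdicts."""
    top = x_dot_enclosure(bound, bound, y_lo, y_hi)
    bottom = x_dot_enclosure(-bound, -bound, y_lo, y_hi)
    return {
        'x=+bound': {'ok': top[1] < 0.0, 'x_dot': top, 'mode': region(bound)},
        'x=-bound': {'ok': bottom[0] > 0.0, 'x_dot': bottom, 'mode': region(-bound)},
    }

def is_bounded(bound, y_lo, y_hi):
    """True when both faces are certified: a trajectory that starts inside the
    slab and keeps y within [y_lo, y_hi] can never cross either face."""
    return all(face['ok'] for face in certify_x_bound(bound, y_lo, y_hi).values())
```

With the assumed bounds `is_bounded(6.0, -1.0, 1.0)` holds: on the face x = 6 the diode sits in its outer mode, f(6) = −33/7, and x' lies in roughly [−20.6, −2.6]. Widening the assumption to y ∈ [−2, 2] makes the check fail on that face, which is the honest outcome: the certificate is only as good as the bounds fed in for the other state variables, which is precisely the information the reachability step in the verification flow has to supply.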
Conclusion
In this paper, we proposed a novel approach for the formal verification of analog circuits. The major contributions are the following: We demonstrated how bond graphs provide an efficient means for modelling analog circuits for formal verification. We have presented an example of a tunnel diode oscillator that was successfully translated into a bond graph, and had its ODEs automatically extracted.
For the verification, we combined predicate abstraction and constraint solving into one methodology, which does not require an explicit representation of the entire state space and relies on functions that prove or disprove circuit properties.
Scaling the methodology to larger designs will require further analysis and development of the tools that were used. In particular, even though the Dymola Modelling Laboratory can compile and generate Modelica code in seconds, a significant amount of computational effort is needed to extract the ODEs from the Modelica code and to remove redundant equations. HSolver, an experimental tool, is also not suitable on its own for the verification of large examples due to its computationally expensive algorithm. This fact motivated its use primarily for counterexample refutation. Efficient methods to address these specific limitations are under development.
Comparing our formal verification methodology to simulation, we see that we can reduce the required effort while increasing the reliability of the results. When trying to verify a range of parameters with simulation, it would be necessary to check several test cases at the limits of the range and at several randomly chosen points. Even with positive results, there still remains a chance that an error remains, since not every value has been checked. With formal verification, we can say conclusively that all values within the range will result in correct operation of the design. More details about the analysis and formal verification of analog circuits can be found in [23].
The greatest advantage of our methodology is that it does not suffer from the time-bound limitation associated with the explicit reachability analysis methods commonly encountered in the formal verification of analog designs.
Future Work. Main future directions include the extension of the proposed approach to analog and mixed-signal designs. This is a realistic goal, since bond graphs are domain independent. A more recent addition to the bond graph methodology, the switched bond graph, could be used rather than the conventional one presented in this paper. The
