Formal verification of analog and mixed signal circuits using deductive and bounded approaches by Ul Asad, H.
Ul Asad, Hafiz (2016). Formal verification of analog and mixed signal circuits using deductive and bounded approaches. (Unpublished Doctoral thesis, City University London)
City Research Online
Permanent City Research Online URL: http://openaccess.city.ac.uk/15185/
Formal Verification of Analog and Mixed Signal Circuits using Deductive and Bounded Approaches
Hafiz ul Asad
School of Mathematics, Computer Science and Engineering
City University London
A Thesis submitted in partial fulfilment of the requirements for the degree of
Doctor of Philosophy
in
Electrical Engineering
Jan 2016
To my mother, without whose prayers this would not have been possible. To my wife and son, for their emotional support during the course of this PhD. To my late father, who would have been really proud of my PhD.
Acknowledgements
I would like to offer my deepest gratitude to my advisor Professor Kevin D. Jones for offering me the opportunity to conduct this research. This PhD was his brainchild, and I am indebted for his guidance, motivation, and help throughout the course of this PhD. I believe his way of conducting my supervision has enabled me to become an independent researcher.
I would like to thank Dr. Peter Popov, for first agreeing to take over from Kevin as my supervisor, and then making sure that I finished my PhD well within time. I am also grateful to Dr. Frederic Surre for his support role as a second supervisor.
I owe a big thank you to the whole academic staff of the Centre for Software Reliability for their support and motivation. Especially, I would like to thank Dr. Kizito Salako for the useful technical discussions we have had during this period. I am also grateful to Professor Lorenzo Strigini for the support that he provided for some of my publications.
I am thankful to Mentor Graphics and in particular to Dr. Robert Hun for providing 50 % of the funding for this research.
Finally, this PhD work would not have been possible without the support of my mother Noor Jehan. I am indebted to her for allowing me to come to London and for being my strength emotionally. I am thankful to my wife Shafqat and son Kumail Asad for their love and emotional support that enabled me to fulfil my goal of completing this PhD.
Abstract
This thesis presents novel formal verification techniques to verify the important property of inevitability of states in analog and mixed signal (AMS) circuits. Two techniques to verify the inevitability of phase locking in a Charge Pump Phase Lock Loop (CP PLL) circuit are presented: a mixed deductive-bounded and a deductive-only verification approach. The deductive-bounded approach uses Lyapunov-like certificates with bounded advection of sets to verify the inevitability of phase locking. The deductive-only technique uses a combination of Lyapunov and Escape certificates to verify the inevitability property. Both the deductive-only and the deductive-bounded verification approaches involve positivity/negativity checks of polynomials over semi-algebraic sets, both of which are NP-hard problems. The Sum of Squares (SOS) programming technique is used to transform the positivity tests of polynomials into feasibility tests of semi-definite programs. The efficacy of the approach is demonstrated by verifying the inevitability of phase locking for a third and a fourth order CP PLL. Similarly, the inevitability of oscillation in ring oscillators (ROs) is verified using a numeric-symbolic deductive approach. The global inevitability (of oscillation) property is specified as a conjunction of several sub-properties that are verified via different Lyapunov-like certificates in different subsets of the state space. The construction of these certificates is posed as the verification of First Order Formulas (FOFs) having Universal-Existential quantifiers. A tractable numeric-symbolic approach, based on SOS programming and Quantifier Elimination (QE), is used to verify these FOFs. The approach is applied to the verification of inevitability of oscillation in ROs with odd and even topologies.
Furthermore, frequency domain property specification and verification for analog oscillators is presented. The behaviour of an oscillator in the frequency domain, while it operates in close proximity to the desired limit cycle, is specified using a finite Fourier series representation of a periodic signal. To be sufficiently robust against parameter variations, parameter robustness is built into these specifications. These frequency domain properties are verified using a mixed time-frequency domain technique based on Satisfiability Modulo Ordinary Differential Equation (SMODE). The efficacy of the technique is demonstrated for the benchmark voltage controlled and tunnel diode oscillators.
Contents
Contents iv
List of Figures viii
List of Tables x
1 Introduction 1
1.1 Background and Motivation 1
1.2 Contributions 7
1.3 Publications 9
1.4 Organization 10
2 Mathematical Background and Related Work 11
2.1 Continuous and Hybrid Systems 11
2.1.1 Continuous Dynamical Systems 12
2.1.2 Hybrid Dynamical Systems 13
2.2 AMS Device Models 16
2.3 Lyapunov Stability of Continuous and Hybrid Dynamical Systems 18
2.3.1 Lyapunov Stability of Continuous Dynamical Systems 18
2.3.2 Lyapunov Stability of Hybrid Dynamical Systems 20
2.4 Polynomials in Real Closed Fields 23
2.4.1 Sum of Squares Polynomial 23
2.4.2 SOS Programming 24
2.4.3 Positivstellensatz 26
2.4.4 S-Procedure 27
2.5 Formal Verification of Continuous and Hybrid Systems 28
2.5.1 Bounded Verification 29
2.5.1.1 Bounded Model Checking 29
2.5.1.2 Bounded Advection of Sets 30
2.5.2 Deductive Verification 32
2.6 Formal Analog and Mixed Signal Circuits Verification 34
2.6.1 Equivalence Checking 34
2.6.2 Model Checking 35
2.6.3 Deductive Methods (Theorem Proving) 38
2.6.4 Run Time Verification 39
2.6.5 Oscillator Verification 39
3 Verifying the Inevitability of Phase-Locking in CP PLL 41
3.1 Preliminaries of the Verification Methodologies 42
3.1.1 HDS Modelling of CP PLL 42
3.1.2 Attractive Invariance of a Set and Escape of Trajectories from a Set 48
3.1.3 Bounded Advection of Level Sets in HDS 49
3.2 Mixed Deductive-Bounded Verification Methodology 51
3.2.1 Deductive Verification of ϕ1 52
3.2.2 Deductive-Bounded Verification of ϕ2 56
3.3 Deductive Verification of Inevitability in CP PLL 61
3.4 Experimental Evaluation 63
3.4.1 Mixed Deductive-Bounded Verification Methodology 64
3.4.2 Deductive-only Verification Methodology 66
3.5 Related Work 68
3.6 Summary of the Chapter 69
4 Deductive Inevitability Verification of Ring Oscillators using the SOS-QE Approach 71
4.1 Preliminaries 72
4.1.1 Modelling of the Ring Oscillator 72
4.1.1.1 An Inverter Model 74
4.1.1.2 Different Modelling Strategies for Odd and Even Topologies of RO 77
4.1.2 RO CDS Properties Verification using Lyapunov-like Certificates 78
4.2 AGI Verification of RO 81
4.2.1 Formulation of the Verification Problem 81
4.2.2 The SOS-QE Approach to Verify AGI 82
4.2.2.1 Verification of ϕ1 83
4.2.2.2 Verification of ϕ2 and ϕ3 87
4.2.2.3 Verification of ϕ4 92
4.3 Experimental Evaluation 94
4.4 Related Work 97
4.5 Summary of the Chapter 98
5 Verifying Frequency Domain Properties of Oscillators using SMODE 99
5.1 Preliminaries 100
5.1.1 Modelling of analog oscillators as HDS 101
5.2 Frequency Domain Properties Specification of the Hybrid Limit Cycle 107
5.2.1 Robust Specification of a Periodic Function in the Frequency Domain 107
5.2.2 Encoding Membership of the Limit Cycle in the Robust Power Spectral Envelope 108
5.3 Verification of the Frequency Domain Properties 110
5.3.1 Encoding the Frequency Domain Properties Verification as a BMC Problem 113
5.4 Experimental Evaluation 114
5.5 Related Work 120
5.6 Chapter Summary 121
6 Conclusion and Future Work 123
6.1 Verifying the Inevitability of Phase-Locking in CP PLL 124
6.2 Deductive Inevitability Verification of Ring Oscillators using the SOS-QE Approach 126
6.3 Verifying Frequency Domain Properties of Oscillators using SMODE 127
6.4 Conclusion 128
6.5 Future Work 128
Appendix A 131
A.1 Semi-definite Programming 131
Appendix B 132
B.2 Lyapunov Certificates 132
B.2.1 Third Order CP PLL 132
B.2.2 Fourth Order CP PLL 133
B.3 Escape Certificates 134
B.3.1 Third Order CP PLL 134
B.3.2 Fourth Order CP PLL 136
B.4 Odd Stage RO Certificates 141
B.5 Even Stage RO Certificates 141
B.6 Odd Stage RO Attractive Invariant Set 142
References 143
List of Figures
1.1 Thesis Contribution 7
2.1 Modelling Devices at Different Abstraction Levels 16
2.2 Level Surfaces of Lyapunov Certificate 20
2.3 Advection of Sets in Continuous Systems 32
3.1 CP PLL, Left: Third Order CP PLL, Right: Fourth Order LF 42
3.2 Piece-wise Continuous Behaviour of PFD, Cyan Solid: φVCO, Red Dotted: φref 43
3.3 Hybrid Model of CP PLL 44
3.4 Simulation Plots of the CP PLL Hybrid System 47
3.5 Verification Methodology, Two Properties in Two Disjoint Subsets 52
3.6 Deductive-Bounded Verification Methodology 57
3.7 Deductive-Bounded Verification Methodology 59
3.8 Deductive-Only Verification Methodology 62
3.9 3-Order S1 Projected onto (v1, v2), and (v2, φD) 64
3.10 4-Order S1 Projected onto (v2, v3), and (v2, φD) 64
3.11 3-Order Advection Projected onto (v1, v2), and (v2, φD) 65
3.12 4-Order Advection Projected onto (v2, v3), and (v2, φD) 65
3.13 3-Order Derivative of Escape Certificates, Trajectory Trace, Projected onto (v1, v2), and (v2, φD) 66
3.14 4-Order Derivative of Escape Certificates, Trajectory Trace, Projected onto (v2, v3), and (v2, φD) 67
4.1 Ring Oscillators, Left: Even Stage, Right: Odd Stage 73
4.2 (a) A CMOS Inverter (b) Internal MOS Transistor Circuit of an Inverter (c) Effect of Transistor Sizes on Inverter Response (d) Inverter Non-linear Model 75
4.3 RO Inevitability Verification Methodology, S1, S2 Separated by the Solid Blue Circle; Dashed Red Circle: Limit Cycle; Solid Straight Line: Dead Set 78
4.4 Odd RO Attractive Invariant Set, defined by {V <= 1}: Outer Solid Plots, Degree 4 and Degree 10, {V = r}: Inner Solid Plot of Degree 4, Trajectories: Dashed Plots 95
4.5 Even RO: Attractive Invariant Set, defined by {V = 1}: Outer Solid Plot, {V = r}: Inner Solid Plot, Trajectories: Dashed 97
5.1 Frequency Domain Property Verification 100
5.2 Oscillators Circuit Diagrams, Left: TDO, Right: VCO 101
5.3 VCO Eight Possible Modes of Operation 103
5.4 VCO Periodic Limit Cycle 104
5.5 TDO Hybrid Automata 105
5.6 Robust Periodogram Specification 109
5.7 Frequency Domain Specification 110
5.8 Locating the Global Positive Limit Cycle 112
5.9 Locating Limit Cycle in Hybrid State Space 116
5.10 Oscillators Hybrid Systems Simulation Traces 117
5.11 Frequency Domain Properties Specifications 118
List of Tables
3.1 PLL Parameters used in the Experimentation 63
3.2 Computation Time of the Inevitability Verification 66
3.3 Computation Time of the Inevitability Verification 67
4.1 Inverter Parameters 94
4.2 Odd RO Inevitability Verification Time 96
4.3 Even RO Inevitability Verification Time 96
5.1 Benchmark Oscillator Parameters 115
5.2 Experimental Results 119
Symbols and Abbreviations
β Positive Integer
λ Transconductance of a Transistor
N Set of all Natural Numbers
R Set of all Real Numbers
R≥0 Set of all Positive Real Numbers
S A Mathematical System
Z Set of all Integer Numbers
Z≥0 Set of all Positive Integer Numbers
C Cone Generated by real polynomials
I Ideal Generated by real polynomials
AP Almost Periodic
C Continuous flow sets
D Discrete Jump sets
H Hybrid Dynamical System
M Multiplicative Monoid
Pn Set of Positive Semidefinite Polynomials in n variables
Rn Set of Polynomials in n variables with real coefficients
Sn Set of SOS Polynomials in n variables
T Hybrid time
Z Function returning 0-sub-level-set
Z(.) Zero Sub-level Set
∇ ∂/∂x
¬ Boolean Negation
∨ Boolean Disjunction
| | Cardinality
|| || Euclidean Norm
∧ Boolean Conjunction
bd boundary of a set
Cl Closure
Kp Conductance of a Transistor
L Length of a Transistor
W Width of a Transistor
AGI Almost Global Inevitability
AI Attractive Invariant
AMS Analog and Mixed Signal
BDD Binary Decision Diagram
BMC Bounded Model Checking
CAD Cylindrical Algebraic Decomposition
CDS Continuous Dynamical System
CP Charge Pump
CP PLL Charge Pump Phase Lock Loop
CTL Computational Tree Logic
DAE Differential Algebraic Equation
Def Definition
DNF Disjunctive Normal Form
Eq Equation
Fig Figure
FOF First Order Formula
HDS Hybrid Dynamical System
KCL Kirchhoff Current Law
KVL Kirchhoff Voltage Law
LF Low Pass Filter
LHPN Labelled Hybrid Petri Net
LTL Linear Temporal Logic
MILP Mixed Integer Linear Programming
MOS Metal Oxide Semiconductor
ODE Ordinary Differential Equation
PFD Phase Frequency Detector
PSD positive-semidefinite
QE Quantifier Elimination
RO Ring Oscillator
SAT Satisfiability
SMODE Satisfiability Modulo Ordinary Differential Equation
SMT Satisfiability Modulo Theory
SOC System on a Chip
SOS Sum of Squares
TDO Tunnel Diode Oscillator
Th Theorem
VCO Voltage Controlled Oscillator
Chapter 1
Introduction
1.1 Background and Motivation
With the advent of system on a chip (SOC) technology, more consumer electronic circuits are fabricated on chips of miniature size. Electronic devices making use of SOC technology are ubiquitous in our lives: automobiles, airplanes, computers, ATMs, medical devices, internet and mobile communication systems, banking systems, stock markets, satellite communication, railway communication networks, security devices, smart grids, etc. Due to their enormous influence on human lives, these devices need to be designed such that they are free from all bugs and are robust enough against any process and parameter variations. SOCs being of a safety critical nature, a bug that goes unnoticed in their design may result in the loss of human lives. Furthermore, a huge amount of capital is involved in designing and fabricating these devices, and a bug found at a later stage could result in financial loss to the manufacturer. These factors necessitate a rigorous verification methodology at the design stage of these devices, so that potential design bugs are captured at an earlier stage of the design cycle.
SOC designs contain pure digital, pure analog, and analog and mixed signal (AMS) circuits. Conventionally, simulation and testing have been the tools for validating the design of these circuits. Simulation is an approach where the mathematical model of a circuit is checked for a small number of test vectors. The design is considered to be accurate (inaccurate) if it works (does not work) for these limited test vectors, assuming it will work in all possible scenarios. Similarly, testing validates the design by checking the functionality of a physical prototype for limited test vectors. It was not until the mid-1990s that designers realized the deficiency of simulation based design validation. There are several issues related to simulation/testing based hardware verification. Though it takes less time to capture well known design errors, it does not cover the whole design space. It verifies circuits only for specific input stimuli, states and operating conditions (parameters, temperature etc.), and therefore might not stimulate the hidden bugs at corners of the design space. Selection of these stimuli (and similarly of states and parameters) largely depends on the designer's experience and expertise in manually selecting test benches. Lacking coverage of the design space, a large number of simulations is carried out to cover most of it. Even then, the design cannot be guaranteed to be free from bugs, and process variations at a later stage may cause a drastic change in circuit behaviour. It has been observed in industry that designs which were thought to be bug free, based on simulation results, turned out to have bugs which went unnoticed during simulation. The ring oscillator (RO) from Rambus [56] is a classic example, where researchers found that for certain initial conditions it failed to oscillate. The Pentium FDIV bug is another example: a bug in the floating point unit of the Intel P5 processor that went unnoticed in the design phase [25] and cost the company $500M. Therac-25 [26], a radiation therapy machine, caused several radiation overdose accidents to patients because design bugs could not be captured by simulation. This emphasises the fact that electronic devices, being safety critical and involving huge capital, need to be verified at the design stage using rigorous verification techniques.
Complementary to simulation/testing is formal verification of a design. Formal methods overcome the deficiencies of simulation/testing by verifying a design through exhaustive checking of every possible scenario. Formal methods in hardware verification model a circuit conservatively at different levels of abstraction. The model of the circuit is then verified automatically for all possible inputs, states, and parameters. There are three well known formal techniques that have been used for hardware verification: equivalence checking, model checking, and theorem proving (deductive verification). Formal hardware verification has been very successful in validating digital hardware designs, but its application to AMS circuit verification has been very limited. This is the reason that SPICE simulation has been the main verification tool for AMS circuit validation. As mentioned earlier, SPICE simulation cannot check the complete design space, since it takes a prohibitively long time to undertake this task. Days and months are spent validating small circuits like ROs and Phase Lock Loops (PLLs) using thousands of SPICE simulations. Even then, a design validated by SPICE simulation cannot be guaranteed to be 100% free from bugs and cannot be used in safety critical applications.
There are several bottlenecks in applying formal methods to AMS circuit verification. Being continuous in nature, AMS circuits have an infinite state space, which makes it very difficult to abstract their behaviour using formal methods. Secondly, the interaction between high dimensional continuous and discrete behaviours makes it difficult to formally express AMS circuits. The sensitivity of AMS circuits to physical phenomena, like temperature and process variations, can drastically modify the expected behaviour of these circuits. Furthermore, formal AMS circuit verification requires a formal property specification language to express properties of interest. Temporal logics have been successfully used for digital circuits, but their extension to AMS circuits is challenging due to the continuous time behaviour of these circuits. These difficulties mean that there has been very slow progress of formal methods in AMS circuit verification over the past two decades.
During the last decade, several works have been dedicated to the formal verification of AMS circuits. Mostly, these works modelled AMS circuits as sets of ordinary differential equations (ODEs), hybrid automata, piecewise linear switched systems, difference equations, Petri nets, etc. Safety verification has been the well known problem taken up in these works, and time domain reachability analysis has been the main analysis tool in verifying the safety property. For most of these models, closed form solutions of the ODEs do not exist and the reachability analysis is faced with the problem of decidability. Decidability has been the hardest barrier to verifying the safety property using time domain reachability for these models. To overcome this hurdle, conservative approximate approaches have been used in verifying the safety property of AMS circuits. Towards this goal, different set theoretic techniques have been used to approximate the solutions of ODEs. Well known set representations used are polytopes, ellipsoids, zonotopes, and boxes. On the contrary, very little work has been dedicated to verifying the inevitability (liveness) of states (phase locking, oscillation) in AMS circuits. Start up problems have been very common in AMS circuits such as ROs and PLLs. It has been observed that these circuits often fail to start after their fabrication on an IC. It is therefore very significant, from the designer's point of view, to verify this property at an early stage of the design. Previously, the global start up property has been verified for ROs and CP PLLs using time domain reachability analysis. This time domain reachability technique is faced with several issues which restrict the efficacy and scalability of the approach. The state space is partitioned and reachability of the desired state is verified for each discrete partition. To reduce the conservatism, hundreds of such partitions are used, which makes the task of verifying the liveness property computationally very expensive. For a CP PLL modelled as a hybrid automaton, hundreds of discrete jumps are required before the system reaches the locking state. This is the reason that time outs of the reachability tool have been reported in [105]. To get rid of these discrete transitions, [7] used a continuization technique to verify time to lock for a CP PLL. Even then, the author had to use hundreds of reach set computations for each partition of the state space. Similar reachability problems have also been reported in [66]. Furthermore, time domain reachability verifies a property for bounded time and does not say anything about what happens when time approaches infinity. The ODEs are also explicitly solved, either exactly or approximately, and the sets are propagated along the time axis. On the contrary, deductive verification, based on certificates, verifies a property over an infinite horizon with the additional advantage of avoiding the expensive discretization of the space. Moreover, ODEs are not solved explicitly but rather are abstracted by theorems characterizing the long term behaviour of their solutions.
In this dissertation, we have focussed on verifying the inevitability property for various AMS circuits. Specifically, we verify the inevitability of phase locking in CP PLLs and that of oscillation in ROs. A state of a system is said to be inevitable if it is invariant (once it is attained the system remains there forever) and eventually every possible system behaviour reaches this state. CP PLLs are designed such that the output phase/frequency follows the phase/frequency of the reference input. We verify the inevitability of phase locking in a CP PLL using an approach which is a combination of deductive and bounded verification. Since inevitability is difficult to verify directly, we use a divide and rule strategy and split it into the conjunction of two sub-properties, specified in two disjoint subsets of the state space. The CP PLL AMS circuit is a typical system consisting of discrete and continuous subsystems. For example, the control circuitry responsible for pumping charge in and out of the CP PLL circuit operates in discrete steps, whereas the low pass filter, the Voltage Controlled Oscillator (VCO), and the frequency divider are all examples of continuous systems. We therefore model the CP PLL as a hybrid dynamical system, with continuous dynamics represented by ODEs and discrete dynamics by algebraic jump equations. The first of the two sub-properties is specified such that there is a set in which all system trajectories converge to the locking state. This set is called an attractive invariant set. The second sub-property is specified over the rest of the hybrid state space such that all trajectories eventually reach the attractive invariant set. In this thesis, we present two approaches to verifying the inevitability property. These approaches differ in how the second sub-property is verified, whereas the first property is verified in the same way in both techniques. We use deductive verification to verify the attractive invariance of a set, benefiting from Lyapunov stability certificates for hybrid systems. We construct multiple Lyapunov certificates for each continuous subsystem of the CP PLL. The union of the sub-level sets characterized by the maximized level surfaces is the attractive invariant set. Convergence to this set from the set of states outside it is verified following two different approaches. The first approach is a mixed deductive-bounded verification, whereas the second is a deductive-only verification technique. The mixed deductive-bounded approach uses advection of sets for bounded time steps before the set of states reaches the attractive invariant set. For all those sets of states which are still outside the attractive invariant set, we use the Escape certificate based deductive approach and show that trajectories cannot stay there forever and will eventually reach the attractive invariant set. The second approach is purely deductive: we only use the Escape certificate argument to show that trajectories eventually escape the outer set and reach the attractive invariant set. Both the deductive and the bounded approach involve testing the positivity of multivariate polynomials over semi-algebraic sets. This is an NP-hard problem and therefore cannot be solved using a sound and complete formal method. Therefore, we use the sound but incomplete Sum of Squares (SOS) programming approach to construct the certificates/polynomials needed for their verification. The efficacy of our approach is demonstrated by verifying inevitability for a third and a fourth order CP PLL.
Similarly, we verify inevitability of oscillation in ROs using a deductive verification
methodology. We model ROs as continuous dynamical systems (CDS). Here too, we split the
almost global inevitability property (a periodic limit cycle is inevitable from all but a
negligible dead set of states) into the conjunction of several sub-properties. These
sub-properties specify attractive invariance of a set, Escape of trajectories from a set,
Eventuality of trajectories reaching a set, and global convergence to an equilibrium state.
We use certificate-based deductive verification for these properties; the certificates are
structurally similar to the Lyapunov certificates discussed earlier. We show that a set which
is a tight over-approximation of the region enclosed by the periodic limit cycle is attractive
invariant, in the sense that all trajectories outside it eventually reach it and no trajectory
can ever escape it. Within this attractive invariant set, we show that all trajectories escape
a ball around the dead set and reach within an arbitrarily small distance of the periodic
limit cycle; we use certificates of Escape and Eventuality for this purpose. We demonstrate
the applicability of our methodology by verifying the inevitability property for odd- and
even-stage ROs. Benefiting from the physical layout of the even-stage RO, we divide its
operation into differential and common modes. For the common mode of the RO, we only verify
that in the steady state all common-mode voltages converge to the zero equilibrium state. We
verify this using a Lyapunov certificate in an invariant differential state space. We
formulate the construction of these certificates as First Order Formulas (FOFs) over
polynomials, inequalities/equations and quantifiers (universal/existential). Although there
are QE solvers that can decide these formulas, they are prohibitively expensive for practical
problems of more than two dimensions. We therefore resort to a numeric-symbolic strategy: SOS
programming followed by QE to construct feasible certificates in realistic computation time.
SOS programming transforms the verification of these FOFs into the feasibility of a
semi-definite program which, if feasible, returns a certificate within a limited numerical
precision. To validate these certificates further, we use a symbolic QE tool and verify FOFs
which have universal quantifiers only (the SOS program fixes the coefficients, i.e., removes
the existential quantifiers).
Besides time domain properties, AMS circuit designers are often interested in frequency
domain properties of these circuits, for instance the robustness of an oscillator's
oscillation frequency, or PLL lock to the input frequency. Verifying AMS circuits in the
frequency domain is difficult, and consequently frequency domain approaches are limited to
small-signal AC analysis of approximate linearized models. Extending these localized methods
to non-linear models needs further research.
In this thesis, we present a novel property specification technique in the frequency domain.
We specify the behaviour of an oscillator with a robust frequency domain specification such
that it oscillates at the desired frequency and does not have undesired harmonics.
Furthermore, under process and parameter variations the oscillator circuit still complies
with the specification to a certain degree of robustness. Towards this goal, we use a finite
Fourier series approximation of the desired periodic signal. Taking care of the truncation
error, we conservatively under- and over-approximate the desired behaviour. To cater for
parameter and process variations, we introduce a degree of robustness with which the desired
signal must satisfy the frequency domain specification. Instead of individual Fourier series
coefficients, we use the periodogram specification, i.e. the energy content of each frequency
component.
Figure 1.1: Thesis Contribution

  Model type   Time-domain property   Frequency-domain property   AMS circuit
  CDS          Inevitability          (none)                      ROs
  HDS          Inevitability          Periodogram inequalities    CP PLLs, oscillators

  (Model type: CDS = continuous dynamical system, HDS = hybrid dynamical system. The
  figure labels the two verification approaches used across these rows as Deductive and
  Bounded.)

The verification of frequency domain properties is not straightforward. There are two
options. One is to carry out the verification entirely in the frequency domain, with both
the system and the properties in that domain and the decision procedure applied there; this
is beyond the capabilities of current state-of-the-art solvers. We are therefore left with a
mixed time-frequency domain technique, where the properties are specified in the frequency
domain and the verification task is carried out in the time domain.
Towards this goal, we use the satisfiability modulo ODE (SMODE) technique for bounded model
checking (BMC) of hybrid dynamical systems (HDS), and verify frequency domain properties by
checking the distance of the timed traces of the oscillator model from the traces generated
from the frequency domain properties. If this distance is less than an arbitrarily small
positive number, we conclude that the frequency domain property is satisfied with the given
degree of robustness; otherwise we conclude that it is not.
In summary, the objectives of this thesis are:
• To present novel deductive and deductive-bounded verification methodologies for
the verification of the time domain inevitability property for various AMS circuits.
• To utilize techniques from control theory in certificate based verification tech-
niques.
• To present various scalable and tractable relaxation methods, based on math-
ematical programming and symbolic analysis, for both deductive and bounded
approaches.
• To present novel frequency domain property specification and verification for
analog oscillators, using mixed time and frequency domain techniques.
1.2 Contributions
Contributions of this thesis are depicted in Fig. 1.1 and are listed below:
• We present a scalable deductive-bounded approach to verify inevitability of phase
locking in CP PLL.
– The circuit is modelled as a HDS.
– We formulate the inevitability property as a conjunction of two sub-properties,
defined in two disjoint subsets. Their specification is such that there is an at-
tractive invariant set where the first property is satisfied, whereas all outside
system trajectories eventually reach this set.
– While the first property is verified using a deductive-only approach, the sec-
ond property is verified by either a mixed deductive-bounded or a deductive-
only approach.
– The attractive invariance of a set is verified using a Lyapunov certificate,
by patching multiple Lyapunov functions, showing all trajectories in this
set eventually converge to the phase-locking state. The size of the set is
found from the union of the sets, which are the sub-level sets formed by the
maximized level surfaces of the individual Lyapunov functions.
– The verification of the second sub-property is concerned with showing that
trajectories reach the attractive invariant set from the set outside it. We ver-
ify this property using two methods: mixed deductive-bounded and deductive-
only. In the deductive-bounded approach, reachability of the attractive in-
variant set is verified by bounded advection of sets, followed by the appli-
cation of Escape certificates to the sets where the advection is inconclusive.
In the deductive-only approach, we only use the Escape certificate showing
that trajectories can not stay in a set forever and in fact escape the set in
bounded time.
– The problem of certificate construction and advection of sets, which is NP-hard in
general, is solved through the numerical SOS programming technique. We verify
inevitability of a third- and a fourth-order CP PLL.
• We also verify inevitability of oscillations in ROs with odd and even topologies.
Here we use a numeric-symbolic (SOS-QE) based deductive-only approach to verify
inevitability.
– We model an RO as a CDS. Furthermore, due to its physical layout, we divide the
operation of the even-stage RO into differential and common modes. This reduces the
dimension of the problem, as we deal with two systems of lower dimension instead of one.
– The inevitability of oscillation is divided into several sub-properties, namely,
attractive invariance of a set, Escape of trajectories from a set, and Even-
tuality of trajectories to a target set. In addition, for the common mode of
the even stage RO, we specify that all common mode trajectories converge
to zero.
– The verification of these properties is formulated as FOFs over polynomial
inequalities/equation and universal and existential quantifiers.
– These FOFs are solved using a numeric-symbolic approach of SOS-QE, con-
sisting of the certificates construction using numerical SOS programming,
followed by their symbolic validation using the QE tool.
• We present a novel frequency domain properties specification and verification
technique for analog oscillators.
– We use a finite Fourier series representation of the periodic limit cycle. To cater
for the truncation error of the finite series, we under- and over-approximate the
desired periodic limit cycle by the bound on that error. To specify this desired periodic
limit cycle in the frequency domain, we use the periodogram specification for each
frequency component. This ensures that we have a signal of the desired fundamental and
harmonic frequencies. To be robust against process and parameter variations, we introduce
the notion of "degree of robustness" in the periodogram specification. These
specifications are non-linear polynomial inequalities in the Fourier series coefficients.
– We verify frequency domain properties using a mixed time-frequency domain approach.
Towards this goal, we model an analog oscillator as a HDS and use the SMODE technique to
verify that the distance of the hybrid arcs from the time domain trajectories generated
from the frequency domain specification is less than an arbitrarily small distance.
1.3 Publications
Parts of this thesis have been published in [97],[98], [99]. The frequency domain property
specification and verification of Ch. 5 has been published in [99]. The mixed deductive-
bounded and the deductive-only methodologies of Ch. 3 have been published in [98]
and [97] respectively. The work on the inevitability verification of oscillation in ROs,
i.e. Ch.4, has been submitted to the DATE 2016 conference.
1.4 Organization
This thesis is organized as follows:
• Chapter 2 discusses the related mathematical background necessary for the rest
of the thesis. This includes, mathematical modelling, Lyapunov stability theory,
polynomials in real closed fields, deductive and bounded verification techniques.
It also presents a literature review of previous works that has been done to verify
AMS circuits.
• Chapter 3 presents a novel mixed deductive-bounded approach for the inevitabil-
ity verification of phase locking in CP PLL. It discusses modelling of the CP
PLL as a HDS. It then presents the formalization of the inevitability property
as a conjunction of two sub-properties. It gives various algorithms, using SOS
programming, to verify these properties. It ends with the experimental results for
a third and fourth order CP PLL followed by a brief discussion of these results.
• Chapter 4 illustrates a deductive-only methodology for the inevitability verifica-
tion of oscillation in ROs. It presents modelling of these oscillators as CDSs. It
discusses the formulation of the inevitability property as a conjunction of several
sub-properties in different subsets of the state space. It then presents how to pose
the verification of these properties as FOFs followed by discussion of the numeric-
symbolic methodology for their verification. It illustrates an algorithm verifying
all sub-properties using SOS programming and QE. The chapter concludes with
the experimental results and a brief discussion of these results.
• Chapter 5 illustrates frequency domain property specification and verification for
analog oscillators. It starts with the modelling of these oscillators as HDSs, followed
by a detailed discussion of the frequency domain property specification. It then gives a
mixed time and frequency domain approach to verify these properties and presents an
algorithm, based on SMODE, to verify frequency domain properties in the time domain.
Lastly, it presents experimental results of our methodology for voltage controlled and
tunnel diode oscillators.
• Chapter 6 summarizes the results of the research undertaken in this thesis and gives
future research directions that naturally stem from it.
Chapter 2
Mathematical Background and
Related Work
In this chapter, we discuss mathematical background of the modelling and verification
techniques we use in this thesis. Also, we give a brief review of the work done in the
area of AMS circuits verification.
2.1 Continuous and Hybrid Systems
An AMS circuit consists of sub-systems having continuous, discrete and a combination
of these two types of signals. To model these circuits, we use techniques from continuous
and hybrid dynamical systems.
Definition 2.1 (System). A mathematical system S is a tuple (X, O, U, Y), where
X is the set of variables, U is the set of inputs, O is the set of relations over X and
U, and Y is the set of outputs.
This definition is broad, and based on how variables X, inputs U, and outputs Y
are interpreted, a system can be classified as, i) continuous, ii) discrete, iii) hybrid
(continuous+discrete). Note that in this thesis we do not consider digital systems, where
variables, inputs and outputs are interpreted over the Boolean set. Before we formally
define continuous and hybrid systems, we define a signal which lays the foundation for
characterizing different systems.
Definition 2.2 (Signal). A real signal is a mapping r : D → R. Depending on the domain D,
a signal is termed continuous, discrete or hybrid. If D = Z, then r is a discrete signal,
whereas for D = R it is a continuous signal. Furthermore, if D is a hybrid time domain,
i.e. a subset of R≥0 × N of the form given in Def. 2.7 below, then r is called a hybrid
signal.
AMS circuits belong to the family of systems that change behaviour over time, in
response to the input as well as its current state in the state space. Concretely, we say
that AMS circuits have the property of memory and there is a time dependence of their
outputs on the internal states of the system.
Definition 2.3 (Dynamical System). A dynamical system DS is a tuple
(∆, X, W, Y, Φ) where ∆ ⊂ R≥0(Z≥0) is the time space, X is the set of state
variables, W is the set of inputs, Y is the set of outputs, and Φ : ∆ × X ×W → X
is the transition map. Here, X is the set of valuations over which the variables X are
interpreted, and W is the set of valuations over which the inputs W are interpreted.
This definition emphasises that a dynamical system has memory, as opposed to memoryless
static systems, where the output is a function of the inputs only. In this thesis, we only
consider continuous and hybrid dynamical systems.
We will also use a definition of dynamical systems where we replace the transition map
Φ by its generator. In that case the time space ∆ is considered implicit.
2.1.1 Continuous Dynamical Systems
In this thesis, besides other AMS circuits properties, we verify the inevitability property
of ROs. We model these oscillators as continuous dynamical system (CDS) which we
formally define below.
Definition 2.4 (Continuous Dynamical System (CDS)). A continuous dynamical system CDS is a
tuple (X, X_initial, W, U, Y, f) where X is a set of state variables interpreted over R and
$\mathcal{X} = \mathbb{R}^{|X|}$ is the set of all possible valuations of the variables;
$X_{initial} \subset \mathcal{X}$ is the set of initial conditions; W is the set of inputs
interpreted over R, with $\mathcal{W} = \mathbb{R}^{|W|}$ the set of all possible input
valuations; U is the set of parameters interpreted over R, with $\mathcal{U} = \mathbb{R}^{|U|}$
the set of all possible parameter valuations; Y is the set of outputs interpreted over R,
with $\mathcal{Y} = \mathbb{R}^{|Y|}$ the set of all possible output valuations; and
\[
f : \mathcal{X} \times \mathcal{W} \times \mathcal{U} \to \mathcal{X} \tag{2.1}
\]
is the vector field characterizing the CDS.
By replacing $\mathcal{X}$ with $\mathbb{R}^n$, $\mathcal{W}$ with $\mathbb{R}^k$, and
$\mathcal{U}$ with $\mathbb{R}^m$, where n = |X|, k = |W|, m = |U|, we also have
$f : \mathbb{R}^n \times \mathbb{R}^k \times \mathbb{R}^m \to \mathbb{R}^n$. Note that here
we use f, the generator of Φ, and the time space is implicit.
Assumption 2.1. In this thesis, we assume that the vector field f is a polynomial
function of $x \in \mathcal{X}$, called a polynomial vector field.
Definition 2.5 (Polynomial Continuous Dynamical System). A continuous dynamical system CDS
is called a polynomial continuous dynamical system PCDS if the vector field is
$f = c_0 + c_1 x + \dots + c_d x^d$, i.e., f is a polynomial function of $x \in \mathcal{X}$.
Assumption 2.2. We assume that f is Lipschitz in $x \in \mathcal{X}$.
This assumption ensures that the solution of the ODE $\dot{x} = f(x, w, u)$ with vector
field (2.1) exists, is unique and depends continuously on the initial condition
[107, Ch. 8, p. 163]. Let $\Phi(x_0, t)$ denote the solution of this ODE from
$x_0 \in X_{initial}$. The Lipschitz condition on f ensures that $\Phi(x_0, t)$ always
exists, is unique and depends continuously on the initial condition $x_0$. Therefore, the
semantics of a PCDS is given by
\[
\llbracket CDS \rrbracket := \Big\{ \Phi(x_0, t) : \mathbb{R}_{\ge 0} \times \mathbb{R}^n \to \mathbb{R}^n \;\Big|\;
\Phi_t(x_0) = \Phi(x_0, t),\;
f = \tfrac{d}{dt}\Phi_t(x_0)\big|_{t=0},\;
\forall x_0 \in X_{initial},\; \forall \Phi_t(x_0) \in \mathcal{X} \Big\}. \tag{2.2}
\]
Hereinafter, we write $x(t) = \Phi(x_0, t)$ and, with a slight abuse of notation, use x for
the trajectory of the CDS unless otherwise stated.
2.1.2 Hybrid Dynamical Systems
Briefly, a hybrid dynamical system is an indexed collection of dynamical
systems along with some map for “jumping” among them (switching dy-
namical system and/or resetting the state). This jumping occurs whenever
the state satisfies certain conditions, given by its membership in a specified
subset of the state space. Hence, the entire system can be thought of as
a sequential patching together of dynamical systems with initial and final
states, the jumps performing a reset to a (generally different) initial state
of a (generally different) dynamical system whenever a final state is reached
[16, page 27].
Hybrid models have different flavours that can be found in [68], [17], [2]. In this
thesis, we use the hybrid system formalism described in [42]. We believe that this is
13
2. Background
the most generalized formalism of hybrid systems and other formalisms can easily be
derived from it, as has been demonstrated in [35].
A hybrid dynamical system (HDS) is a tuple (C, F, D, G). Here,
\[
C = \bigcup_{i \in I_C} C_i \subset \mathbb{R}^n, \qquad
D = \bigcup_{i \in I_D} D_i \subset \mathbb{R}^n \tag{2.3}
\]
are the flow set and the jump set, respectively, for i ∈ N, n ∈ N. $I_C$ and $I_D$ are
finite disjoint index sets, and it is possible that $C_i \cap D_i \neq \emptyset$. The flow
and jump maps are, respectively,
\[
F = \bigcup_{i \in I_C} F_i, \qquad G = \bigcup_{i \in I_D} G_i, \tag{2.4}
\]
where each
\[
F_i : \mathbb{R}^n \times \mathbb{R}^m \to \mathbb{R}^n, \qquad
G_i : \mathbb{R}^n \to \mathbb{R}^n. \tag{2.5}
\]
These two mappings characterize the continuous and discrete evolution of the system,
whereas $C_i$ and $D_i$ describe the subsets of $\mathbb{R}^n$ where such evolution may
occur. We represent a hybrid system H as
\[
H = \begin{cases}
\dot{x} = F_i(x, u) \in F, & x \in C,\ u \in U \\
x^+ = G_i(x) \in G, & x \in D
\end{cases} \tag{2.6}
\]
Here u ∈ U(⊂ Rm) is a vector of uncertain parameters. The ODE part of Eq. 2.6 rep-
resents the continuous dynamics of the hybrid system, whereas the algebraic equation
characterises the discrete jumps exhibited by the HDS.
Definition 2.6. The set XH = C ∪ D is called the hybrid state space.
The semantics of the hybrid system can be described through its solutions. The state of
the hybrid system alternates between flows through C, according to $F_i$, and jumps through
D, according to $G_i$. These hybrid phenomena are described by the notions of hybrid time
and hybrid arc.
Definition 2.7 (Hybrid Time Domain). A set $T \subset \mathbb{R}_{\ge 0} \times \mathbb{N}$
is a hybrid time domain if
\[
T = \bigcup_{j=0}^{J-1} \big( [t_j, t_{j+1}] \times \{j\} \big) \tag{2.7}
\]
for some $J \in \mathbb{N}$, where $0 = t_0 \le t_1 \le t_2 \le \dots$, with the last
interval possibly of the form $[t_j, t_{j+1}] \times \{j\}$, $[t_j, t_{j+1}) \times \{j\}$,
or $[t_j, \infty) \times \{j\}$.
We describe the semantics of the hybrid system H by its solutions, called hybrid arcs.
Definition 2.8 (Hybrid Arc). A mapping $\Phi_H : T \to \mathbb{R}^n$ is a hybrid arc if T
is a hybrid time domain and, for each $j \in I_C$, the function $t \mapsto \Phi_H(t, j)$ is
locally absolutely continuous on the interval $I_j = \{t : (t, j) \in T\}$.
We denote by $\operatorname{dom} \Phi_H$ the domain of the hybrid arc, which is a hybrid time
domain. A hybrid arc is called complete if $\operatorname{dom} \Phi_H$ is unbounded, i.e. if
$\operatorname{length}(T) = \infty$, and compact if $\operatorname{dom} \Phi_H$ is a compact
set. A hybrid arc $\Phi_H$ is a solution to the HDS H if $\Phi_H(0, 0) \in C \cup D$ and, for
each $j \in I_C$ such that $I_j$ has non-empty interior, it satisfies the semantics of H,
\[
\llbracket H \rrbracket := \Big\{ \Phi_H(t, j) : T \to \mathbb{R}^n \;\Big|\;
\dot{\Phi}_H(t, j) = F_j(\Phi_H(t, j)),\ \forall t \in I_j,\ \forall j \in I_C,\
\Phi_H(t, j) \in C_j\ \forall t \in [\min I_j, \sup I_j);\
\Phi_H(t, j+1) = G(\Phi_H(t, j)),\ \forall \Phi_H(t, j) \in D_j,\ \forall j \in I_D \Big\} \tag{2.8}
\]
From the semantics $\llbracket H \rrbracket$ of H we note that the solution $\Phi_H$ of H
flows according to the ODE $\dot{\Phi}_H = F(\Phi_H)$ when it is in the set C, and follows
the jump rule $\Phi_H^+ = G(\Phi_H)$ when it belongs to the set D. As for the CDS,
hereinafter we write $x(t, j) = \Phi_H(t, j)$ and, with a slight abuse of notation, use x for
the hybrid arc of the HDS H unless otherwise stated. To be able to use polynomial
verification tools, using exact/approximate methods, we use polynomial HDS models for AMS
circuits in this thesis.
Assumption 2.3. The flow maps Fi(x, u), and jump maps Gi(x) are polynomials.
Furthermore, sets Ci, and Di are represented by set of polynomial inequalities/equations,
also called semi-algebraic sets.
Definition 2.9 (Polynomial Hybrid systems). A hybrid system H is said to be a poly-
nomial HDS, if F, G are polynomials, and C, and D are semi-algebraic sets.
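As an added illustration of Definitions 2.7 and 2.8 (not part of the thesis), the Python block below simulates a hybrid arc of a constructed two-mode relaxation oscillator written in the (C, F, D, G) form of Eq. 2.6 (with no uncertain parameter u), and then checks that the arc's domain has the shape required by Eq. 2.7. The system itself, the rule of giving jumps priority wherever x lies in both C and D (the thesis allows $C_i \cap D_i \neq \emptyset$ but the simulator must pick one), the explicit Euler step and all names are assumptions made for this example.

```python
"""Simulate a hybrid arc (Def. 2.8) of a small polynomial HDS in the (C, F, D, G)
formalism of Sec. 2.1.2 and check that its domain is a hybrid time domain (Def. 2.7).
Added example; the system is a constructed two-mode relaxation oscillator, not a
circuit model from the thesis.  State x = (v, q): v is a voltage-like variable that
ramps between -1 and 1, q in {0, 1} is the mode bit selecting the ramp direction."""


def in_C(x):
    """Flow set C = C_0 U C_1: keep ramping up in mode 0 until v reaches 1,
    keep ramping down in mode 1 until v reaches -1."""
    v, q = x
    return (q == 0 and v <= 1.0) or (q == 1 and v >= -1.0)


def in_D(x):
    """Jump set D = D_0 U D_1: the boundaries v = 1 (mode 0) and v = -1 (mode 1).
    Note that C and D overlap on those boundaries, as Sec. 2.1.2 permits."""
    v, q = x
    return (q == 0 and v >= 1.0) or (q == 1 and v <= -1.0)


def F(x):
    """Flow map (degree-0 polynomial): dv/dt = +1 in mode 0, -1 in mode 1; dq/dt = 0."""
    v, q = x
    return (1.0 - 2.0 * q, 0.0)


def G(x):
    """Jump map: toggle the mode bit, leave v unchanged."""
    v, q = x
    return (v, 1 - q)


def simulate(x0, t_end, h=1e-3, max_jumps=100):
    """Return the hybrid arc as a list of (t, j, x).  Assumption: when x is in both
    C and D the jump is taken first; a jump advances j but not t (Eq. 2.7)."""
    t, j, x = 0.0, 0, x0
    arc = [(t, j, x)]
    while t < t_end and j < max_jumps:
        if in_D(x):
            x = G(x)
            j += 1
        elif in_C(x):
            dv, dq = F(x)
            x = (x[0] + h * dv, x[1] + h * dq)   # explicit Euler flow step
            t += h
        else:
            break                                # neither flow nor jump possible
        arc.append((t, j, x))
    return arc


def hybrid_time_domain(arc):
    """Collapse an arc into the intervals ([t_j, t_{j+1}], j) of Eq. 2.7."""
    intervals = []
    for t, j, _ in arc:
        if intervals and intervals[-1][2] == j:
            intervals[-1][1] = t                 # extend the interval for this j
        else:
            intervals.append([t, t, j])          # a jump opened a new interval
    return [(a, b, j) for a, b, j in intervals]


def is_hybrid_time_domain(intervals):
    """Check Def. 2.7: t_0 = 0, j counts 0, 1, 2, ..., each interval is ordered and
    consecutive intervals share their endpoint (t_{j+1} closes j and opens j+1)."""
    if not intervals or intervals[0][0] != 0.0 or intervals[0][2] != 0:
        return False
    for (a0, b0, j0), (a1, _, j1) in zip(intervals, intervals[1:]):
        if not (a0 <= b0 and b0 == a1 and j1 == j0 + 1):
            return False
    return intervals[-1][0] <= intervals[-1][1]


if __name__ == "__main__":
    arc = simulate((0.0, 0), 5.0)
    dom = hybrid_time_domain(arc)
    print(dom)                       # e.g. [(0.0, ~1.0, 0), (~1.0, ~3.0, 1), ...]
    print(is_hybrid_time_domain(dom))
```

The arc produced here is complete in the sense of Def. 2.8 only if the simulation is continued indefinitely; `max_jumps` guards against Zeno-like behaviour, which this particular oscillator does not exhibit because each flow interval has length 2 (except the first).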
Figure 2.1: Modelling Devices at Different Abstraction Levels (top-down approach: a
System decomposed into Circuit 1, Circuit 2 and Circuit 3)
2.2 AMS Device Models
In this thesis, we use Kirchhoff's circuit laws to find relations for the currents flowing
through (and the voltages across) the different devices in an AMS circuit [60], and then
express these relations as systems of ODEs. These laws are Kirchhoff's current law (KCL) and
Kirchhoff's voltage law (KVL). KCL states that the currents at a node, with incoming and
outgoing currents distinguished by their sign, sum to zero. KVL states that the voltage drops
and rises around any closed loop of the circuit sum to zero. The currents through and
voltages across the individual devices are non-linear functions of other currents/voltages.
To model these functions, we follow different strategies at different abstraction levels.
At the system level we use behavioural modelling for non-linear devices, whereas at the
circuit level we use transistor level modelling. This is illustrated in Fig. 2.1 ([103]).
Here we consider the example of a CP PLL. At the system level, we model the devices, the
Voltage Controlled Oscillator (VCO) and the charge pump (CP), using behavioural modelling.
The non-linear behaviour of the CP is modelled as follows:
\[
I_p \in \begin{cases}
[I_{Up}, I_{UP}] & \text{UP} = 1,\ \text{Down} = 0,\ 0 \le \phi_{VCO} < 2\pi \le \phi_{ref} \\
[I_{Dp}, I_{DP}] & \text{UP} = 0,\ \text{Down} = 1,\ 0 \le \phi_{ref} < 2\pi \le \phi_{VCO} \\
[0, 0] & \text{UP} = 0,\ \text{Down} = 0,\ 0 \le \phi_{VCO}, \phi_{ref} < 2\pi
\end{cases}
\]
Here $I_p$ is the charge pump current, UP and Down are the Boolean control signals generated
by the Phase Frequency Detector (PFD) of the CP PLL, and $\phi_{VCO}$ and $\phi_{ref}$ are the
phases of the VCO output and the reference signal¹. Similarly, let $f_{VCO}$ and $f_{ref}$
denote the frequencies of the VCO output and the reference signal respectively. If $K_p$ is
the gain of the Low Pass Filter (LF), then the behavioural model of the VCO is
\[
f_{VCO} = \frac{K_p v_2}{2\pi} + f_O, \qquad \dot{\phi}_{VCO} = \frac{2\pi f_{VCO}}{N},
\]
where $f_O$ is the free running frequency of the VCO. We use similar behavioural modelling
for ROs in Ch. 4.
At the circuit level, we use transistor level modelling to model the currents through
the circuits. We illustrate this by the example VCO circuit shown in Fig. 2.1. The
transistor is a non-linear system having complex behaviour which changes with voltage
variations across its terminals. Depending on how accurate and complex analysis is
performed, there are various flavours of non-linear models available for a metal oxide
semiconductor (MOS) transistor. They are mainly physical models, empirical models
and table models. Due to the simplicity and ease of analysis, we consider the physical
model of a PMOS transistor. Physical models are obtained by mathematical equations
describing the physical behaviour of the transistors. To increase the accuracy, more
and more physical parameters are added to the model but at the cost of making it
computationally expensive in analysis [96]. We use the Schichman-Hodges PMOS model
and represent the current $I_{DS}(V_{GS}, V_{DS})$ through the transistor as a function of
the Drain-to-Source and Gate-to-Source voltages [72].
¹ A detailed description of the CP PLL modelling is given in Ch. 3.
\[
I_{DS} = \begin{cases}
0 & V_{GS} > V_{tp} \\[4pt]
-K_p \dfrac{W}{L} \Big[ (V_{GS} - V_{tp}) V_{DS} - \tfrac{1}{2} V_{DS}^2 \Big] (1 - \lambda V_{DS})
  & V_{GS} \le V_{tp} \wedge V_{DG} > -V_{tp} \\[8pt]
-\dfrac{K_p}{2} \dfrac{W}{L} (V_{GS} - V_{tp})^2 (1 - \lambda V_{DS})
  & V_{GS} \le V_{tp} \wedge V_{DG} \le -V_{tp}
\end{cases} \tag{2.9}
\]
As can be seen, this model consists of three regions: Cut-off where $V_{GS} > V_{tp}$,
Linear where $V_{GS} \le V_{tp} \wedge V_{DG} > -V_{tp}$, and Saturation where
$V_{GS} \le V_{tp} \wedge V_{DG} \le -V_{tp}$. Here W and L are the transistor width and
length respectively, $K_p$ is the transconductance parameter and $\lambda$ is the
channel-length modulation parameter. This is a level-1 model, and higher-order models can
be derived by introducing more parameters that account for other physical effects.
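The region guards and the three current branches of Eq. 2.9 are easy to get wrong when transcribed into a verification model, in particular the PMOS sign conventions ($V_{tp} < 0$, $V_{DS} \le 0$, $I_{DS} \le 0$) and continuity at the linear/saturation boundary $V_{DG} = -V_{tp}$. The following Python block is an added example, not code from the thesis: it implements the model exactly as written in Eq. 2.9 and evaluates both branches on the shared boundary to confirm that the model is continuous there. The device parameter values and the class and function names are constructed for illustration.

```python
"""Schichman-Hodges (level-1) PMOS model of Eq. 2.9 as an added, runnable example
(not the thesis's own code).  Region selection and the three current branches follow
Eq. 2.9 literally; the parameter values at the bottom are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PMOSLevel1:
    kp: float    # transconductance parameter K_p (A/V^2)
    w: float     # channel width W (m)
    l: float     # channel length L (m)
    vtp: float   # threshold voltage V_tp (V), negative for a PMOS device
    lam: float   # channel-length modulation lambda (1/V)

    @property
    def beta(self):
        return self.kp * self.w / self.l

    def region(self, vgs, vds):
        """Cut-off / linear / saturation according to the guards of Eq. 2.9.
        V_DG = V_D - V_G = (V_D - V_S) - (V_G - V_S) = V_DS - V_GS."""
        if vgs > self.vtp:
            return "cutoff"
        vdg = vds - vgs
        return "linear" if vdg > -self.vtp else "saturation"

    def ids_linear(self, vgs, vds):
        """Second branch of Eq. 2.9 (valid only in the linear region)."""
        vov = vgs - self.vtp
        return -self.beta * (vov * vds - 0.5 * vds * vds) * (1.0 - self.lam * vds)

    def ids_saturation(self, vgs, vds):
        """Third branch of Eq. 2.9 (valid only in the saturation region)."""
        vov = vgs - self.vtp
        return -0.5 * self.beta * vov * vov * (1.0 - self.lam * vds)

    def ids(self, vgs, vds):
        """Drain-to-source current I_DS(V_GS, V_DS), selecting the branch by region."""
        r = self.region(vgs, vds)
        if r == "cutoff":
            return 0.0
        if r == "linear":
            return self.ids_linear(vgs, vds)
        return self.ids_saturation(vgs, vds)


def boundary_gap(dev, vgs):
    """Difference between the linear and saturation branches on their shared boundary
    V_DG = -V_tp, i.e. V_DS = V_GS - V_tp.  A level-1 model is continuous there, so this
    must be zero up to floating-point rounding; a transcription error in either branch
    (a dropped 1/2, a wrong sign) shows up here as a non-zero gap."""
    vds = vgs - dev.vtp
    return dev.ids_linear(vgs, vds) - dev.ids_saturation(vgs, vds)


# Constructed device parameters (assumption, not taken from the thesis).
DEV = PMOSLevel1(kp=50e-6, w=10e-6, l=1e-6, vtp=-0.7, lam=0.02)

if __name__ == "__main__":
    for vgs, vds in [(-0.5, -1.0), (-1.5, -0.2), (-1.5, -0.8), (-1.5, -1.5)]:
        print(vgs, vds, DEV.region(vgs, vds), DEV.ids(vgs, vds))
    print("gap at linear/saturation boundary:", boundary_gap(DEV, -1.5))
```

When such a model feeds a polynomial HDS (Sec. 2.1.2), each region becomes its own flow set $C_i$ with its own polynomial flow map $F_i$, and the region guards become the semi-algebraic sets of Assumption 2.3; the continuity check above is what guarantees that the state does not have to be reset at a region change.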
2.3 Lyapunov Stability of Continuous and Hybrid
Dynamical Systems
Central to our deductive approach, this section discusses Lyapunov stability of polyno-
mial continuous and hybrid dynamical systems. Throughout the thesis, we use Lyapunov-
like certificates for the verification of properties like inevitability, eventuality, Escape
from a set, and asymptotic stability. Here we consider only the Lyapunov stability, and
other similar concepts will be discussed in later chapters.
2.3.1 Lyapunov Stability of Continuous Dynamical Systems
Though Lyapunov stability is a general concept and can be attributed to any set, in
this thesis, we restrict its application to the stability of the equilibrium state which is
defined below.
Definition 2.10 (Equilibrium State). A point xe ∈ X is called an equilibrium state, if
f(xe) = 0.
It is a convention that the equilibrium state xe = 0. However, practical systems converge
to states different from the zero equilibrium state. In that case, the equilibrium xe can
be shifted to zero by the introduction of a new variable x¯ = x − xe. This results in
a new set of differential equations in x¯ with equilibrium at x¯ = 0 which is similar to
x = xe. Therefore, without loss of generality, we assume that xe = 0.
Definition 2.11 (Invariant Set). A set $X_I \subset \mathcal{X}$ is called invariant iff,
for every trajectory with $x(0) \in X_I$, $x(t) \in X_I$ for all $t \in \mathbb{R}_{\ge 0}$.
Def. 2.11 implies that the equilibrium state xe is an invariant set. Unlike the safety
property, where the existence of an invariant set having an empty intersection with the
unsafe state is enough, in this thesis we are concerned with attractive invariant sets.
Definition 2.12 (Attractive Invariant Set). A set XAI ⊂ X , such that xe ∈ XAI, is
called an attractive invariant, if it is an invariant set (Def. 2.11), and limt→∞ x(t) =
xe.
The Def. 2.12 states that an attractive invariant set apart from being invariant, is
attractive in the sense that every trajectory in the set eventually converges to the
equilibrium state. For an equilibrium state xe = 0, we now define the asymptotic
stability.
Definition 2.13 (Asymptotic Stability [61]). A polynomial continuous dynamical system PCDS
is called stable if for every $\varepsilon > 0$ there exists a $\delta > 0$ such that for
all trajectories $x(\cdot)$ in $\mathcal{X}$,
\[
\|x(0)\| < \delta \implies \|x(t)\| < \varepsilon, \quad \forall t \in \mathbb{R}_{\ge 0}.
\]
It is called attractive if there exists a $\delta > 0$ such that
\[
\|x(0)\| < \delta \implies \lim_{t \to \infty} x(t) = 0.
\]
A system that is both stable and attractive is called asymptotically stable.
This definition of asymptotic stability states that, if a system starts in the δ neigh-
bourhood of the equilibrium, then it must stay in the ǫ neighbourhood forever. Now
the question is how to determine this asymptotic stability of a CDS. Towards this goal,
Lyapunov in 1892 introduced an abstract energy like function, called “Lyapunov func-
tion”, that can be used to determine the stability of a CDS. We state the Lyapunov
stability criterion in the following theorem called the Lyapunov stability theorem.
Figure 2.2: Level Surfaces of Lyapunov Certificate (nested level surfaces $V(x) = c_1$,
$V(x) = c_2$, $V(x) = c_3$ with $c_3 < c_2 < c_1$)

Theorem 2.1 (Lyapunov Stability [61]). For the polynomial continuous dynamical system PCDS
with an equilibrium $\{x_e = 0\} \in \mathcal{X}$, if there is a differentiable certificate
$V : \mathcal{X} \to \mathbb{R}$ such that
\[
V(0) = 0 \quad \text{and} \quad V(x) > 0 \quad \forall x : x \in \mathcal{X} \setminus \{0\} \tag{2.10}
\]
\[
\frac{\partial V}{\partial x}(x)\, f(x) < 0 \quad \forall x : x \in \mathcal{X} \setminus \{0\} \tag{2.11}
\]
then the equilibrium $x_e$ is asymptotically stable. This function V(x) is called the
Lyapunov certificate.
An interesting property of the Lyapunov certificate V (x) is that the sub-level sets,
V (x) ≤ c, for all c > 0, are attractive invariant sets. This is illustrated intuitively in
Fig. 2.2. Once a trajectory enters a level surface, it can not get out of the corresponding
level set and eventually converges to the equilibrium state. It is this attractive invariance
property of the sub-level sets, described by the Lyapunov surfaces, that we use in the
verification of inevitability property of CP PLL in Ch. 3. Similarly, certificates in Ch. 3
and Ch. 4, are inspired in principle by the Lyapunov certificate.
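The certificate conditions (2.10) and (2.11) of Theorem 2.1, and the "construct numerically, then validate symbolically" pipeline described in Sec. 1.1, can be illustrated on a constructed two-dimensional polynomial system. The following Python block is an added example, not code from the thesis: it computes the Lie derivative $\frac{\partial V}{\partial x} f$ exactly with rational polynomial arithmetic and then applies a deliberately crude but sound positivity test (the polynomial is a sum of squares of monomials and contains $x_i^2$ for every i) in place of a full SOS/QE check. The example system, the candidate V and all helper names are assumptions made for this illustration.

```python
"""Exact check of the Lyapunov conditions of Theorem 2.1 for a polynomial vector field,
using a small multivariate-polynomial toolkit written for this example (not the thesis's
SOS/QE tooling).  A polynomial is a dict mapping an exponent tuple to a coefficient,
e.g. {(2, 0): Fraction(1)} is x1**2."""
from fractions import Fraction
from itertools import product


def p_add(a, b):
    out = dict(a)
    for m, c in b.items():
        out[m] = out.get(m, 0) + c
    return {m: c for m, c in out.items() if c != 0}


def p_mul(a, b):
    out = {}
    for (ma, ca), (mb, cb) in product(a.items(), b.items()):
        m = tuple(i + j for i, j in zip(ma, mb))
        out[m] = out.get(m, 0) + ca * cb
    return {m: c for m, c in out.items() if c != 0}


def p_diff(a, var):
    """Partial derivative with respect to variable index `var`."""
    out = {}
    for m, c in a.items():
        if m[var] == 0:
            continue
        mm = list(m)
        mm[var] -= 1
        out[tuple(mm)] = out.get(tuple(mm), 0) + c * m[var]
    return out


def lie_derivative(V, f):
    """dV/dt along x' = f(x), i.e. sum_i dV/dx_i * f_i: the left-hand side of Eq. 2.11."""
    vdot = {}
    for i, fi in enumerate(f):
        vdot = p_add(vdot, p_mul(p_diff(V, i), fi))
    return vdot


def is_diagonal_sos(p, n):
    """Sound but incomplete positivity test.  If every monomial has even exponents and a
    positive coefficient, p is a sum of squares of monomials, hence p >= 0 everywhere;
    if in addition p contains x_i**2 for every i, then p > 0 away from the origin."""
    if not p:
        return False
    if any(c <= 0 or any(e % 2 for e in m) for m, c in p.items()):
        return False
    return all(p.get(tuple(2 if j == i else 0 for j in range(n)), 0) > 0
               for i in range(n))


def check_lyapunov(V, f):
    """True iff V provably satisfies (2.10) and (2.11) under the diagonal-SOS test."""
    n = len(f)
    zero = tuple([0] * n)
    v0_ok = V.get(zero, 0) == 0                      # V(0) = 0
    pos_ok = is_diagonal_sos(V, n)                   # V(x) > 0 for x != 0   (2.10)
    neg_vdot = {m: -c for m, c in lie_derivative(V, f).items()}
    dec_ok = is_diagonal_sos(neg_vdot, n)            # -Vdot(x) > 0 for x != 0 (2.11)
    return v0_ok and pos_ok and dec_ok


# Constructed example system (assumption, not from the thesis):
#   x1' = -x1 + x2,   x2' = -x1 - x2 - x2**3,   candidate V = (x1**2 + x2**2) / 2
Fr = Fraction
f_example = [
    {(1, 0): Fr(-1), (0, 1): Fr(1)},
    {(1, 0): Fr(-1), (0, 1): Fr(-1), (0, 3): Fr(-1)},
]
V_example = {(2, 0): Fr(1, 2), (0, 2): Fr(1, 2)}

if __name__ == "__main__":
    print("Vdot =", lie_derivative(V_example, f_example))   # -x1^2 - x2^2 - x2^4
    print("Lyapunov certificate accepted:", check_lyapunov(V_example, f_example))
```

The test is incomplete in the same sense as SOS programming: a certificate it rejects may still be valid (for instance when $-\dot V$ can only be written as a sum of squares using cross terms, which needs a Gram-matrix search), but anything it accepts genuinely satisfies (2.10) and (2.11) on all of $\mathbb{R}^n$, because the arithmetic is exact and the monomial-square argument is a proof rather than a numerical observation.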
2.3.2 Lyapunov Stability of Hybrid Dynamical Systems
Extension of the asymptotic stability concept to HDS needs to take in to account both
continuous solutions and discrete jumps. For continuous flows due to Fi, through flow
sets Ci, for all i, asymptotic properties of HDS show what happens when time t ap-
proaches infinity. Similarly, for jumps Gi through Di, asymptotic properties describe
what happens when the number of discrete jumps j approaches infinity. Since asymp-
totic stability requires completeness of solutions of the HDS, we do not require that
both “t” and “j” approach infinity. Instead, we require that the domain “t+j” should be
unbounded [42]. Similar to the CDS, we assume here that the origin is the equilibrium
state.
Definition 2.14 (Equilibrium State). A point x(t, j) ∈ C ∪D is called an equilibrium,
if ∃t, ∃j, ∃u, Fj(x(t, j), u) = 0.
Definition 2.15 (Asymptotic stability of HDSs [42]). The hybrid system H defined in
Sec. 2.1.2 is called stable if for each $\varepsilon > 0$ there exists $\delta > 0$ such
that for each solution $\Phi_H$ of H,
\[
\|\Phi_H(0, 0)\| < \delta \implies \|\Phi_H(t, j)\| < \varepsilon, \quad
\forall (t, j) \in \operatorname{dom} \Phi_H.
\]
It is called attractive if there exists $\delta > 0$ such that for every complete solution
$\Phi_H$,
\[
\|\Phi_H(0, 0)\| < \delta \implies \lim_{t + j \to \infty} \Phi_H(t, j) = 0, \quad
(t, j) \in \operatorname{dom} \Phi_H.
\]
A hybrid system H is asymptotically stable if it is both stable and attractive.
Similar to CDS, we use a Lyapunov certificate to parametrize the stability and at-
tractivity of a HDS. Extending the Lyapunov stability theorem to HDS, we need to
consider discrete jumps apart from the continuous flows. This is the reason that classical
Lyapunov theorems are not directly applicable to HDS owing to the continuity require-
ment of vector fields. However, two famous approaches have been used to parametrize
the stability of a HDS. These are, common Lyapunov certificates and multiple Lya-
punov certificates. In [65], the author introduced a common Lyapunov certificate for
all discrete modes of the HDS considering identity jump maps.
Theorem 2.2. For the hybrid system H having an equilibrium point $x_e = 0$, let $G_i(x) = x$, $\forall i : i \in I_D$. Let there exist a continuously differentiable Lyapunov certificate $V : C \to \mathbb{R}$ such that
$$V(0) = 0 \ \text{ and } \ V(x) > 0, \quad \forall x : x \in C \setminus \{0\} \tag{2.12}$$
$$\frac{\partial V}{\partial x}(x) F_i(x, u) < 0, \quad \forall i : i \in I_C,\ \forall x : x \in C \setminus \{0\},\ \forall F_i : F_i \in \mathcal{F},\ \forall u : u \in \mathcal{U}. \tag{2.13}$$
Then the equilibrium $x_e$ is asymptotically stable.
This approach of using a common Lyapunov certificate is very restrictive and discards all knowledge about the discrete jumps in the HDS. There are many stable HDSs that do not admit such a common Lyapunov certificate [55]. Alternatively, an approach using multiple Lyapunov certificates, one for each continuous flow $F_i$, has been proposed in [16]. The author in [16] introduced the idea of having a Lyapunov certificate for each $i \in I_C$ such that every certificate, in addition to satisfying the conditions stated in Th. 2.2, must have a decreasing trend at each entry point of the interval $I_i$ during which $F_i(x, u)$ is the active continuous dynamics. In [74], the author introduced even stronger conditions for the jump maps of a hybrid system, requiring the value of a Lyapunov certificate after the jump to be less than the value of another Lyapunov certificate before the jump. In this thesis we use this technique and restate it in the following theorem.
Theorem 2.3. Let $I_0 \subseteq I_C$ be the set of indices that contain the equilibrium. For a hybrid system H having an equilibrium point $x_e = 0$, if there exist Lyapunov certificates $V_i$ such that
$$V_i(0) = 0, \quad \forall i : i \in I_0, \tag{2.14}$$
$$V_i(x) > 0, \quad \forall i : i \in I_C,\ \forall x : x \in C \setminus x_e, \tag{2.15}$$
$$\frac{\partial V_i}{\partial x}(x) F_i(x, u) < 0, \quad \forall i : i \in I_C,\ \forall x : x \in C \setminus x_e,\ \forall F_i : F_i \in \mathcal{F},\ \forall u : u \in \mathcal{U}, \tag{2.16}$$
$$V_j(G_i(x)) - V_{j'}(x) \le 0, \quad \forall j, j' : j, j' \in I_C,\ j \ne j',\ \forall i : i \in I_D,\ \forall x : x \in D \setminus x_e,\ \forall G_i : G_i \in \mathcal{G}, \tag{2.17}$$
then $x_e$ is asymptotically stable. Furthermore, the set $X_{AI} = \big\{ \bigcup_i (V_i \le c_{max}) \big\} \subset X_H$ is an "attractive invariant" set.
This theorem, in addition to the conditions of positivity for each Lyapunov certificate and negativity for their respective derivatives, introduces an additional constraint on the jump maps. This constraint ensures that after each jump, the corresponding Lyapunov certificate is less in value than the Lyapunov certificate before taking the discrete jump.
2.4 Polynomials in Real Closed Fields
Several problems in physics, mathematics and engineering can be formally expressed as a finite number of polynomial equalities and inequalities. In this thesis, we use deductive and bounded verification approaches which involve checking polynomial positivity/negativity over a real closed field.
Definition 2.16 (Monomial). A monomial $m_\beta$ is a mapping $m_\beta : \mathbb{R}^n \to \mathbb{R}$, $\beta \in \mathbb{Z}_{>0}$, such that $m_\beta(x) = x^\beta := x_1^{\beta_1} x_2^{\beta_2} \cdots x_n^{\beta_n}$. The degree d of a monomial is defined as
$$d(m_\beta) := \sum_{i=1}^{n} \beta_i$$
Definition 2.17 (Polynomial). A linear combination of monomials is called a polynomial, i.e. a polynomial p is
$$p := \sum_{\beta} c_\beta m_\beta, \qquad p(x) := \sum_{\beta} c_\beta m_\beta(x) = \sum_{\beta} c_\beta x^\beta, \qquad c_\beta \in \mathbb{R}\ \ \forall \beta : \beta \in \mathbb{Z}_{>0} \tag{2.18}$$
The degree d of the polynomial p is defined as $d(p) := \max_\beta d(m_\beta)$. A polynomial is called homogeneous if all its monomials have the same degree d. Also, for homogeneous polynomials, $p(\lambda x) = \lambda^d p(x)$, $\lambda \in \mathbb{R}$.
We denote the set of polynomials in n variables with real coefficients by $\mathcal{R}_n$. A subset of this set is the set of positive-semidefinite (PSD) polynomials in n variables, denoted by $P_n$ and defined as $P_n := \{q \in \mathcal{R}_n \mid q(x) \ge 0,\ \forall x \in \mathbb{R}^n\}$.
2.4.1 Sum of Squares Polynomial
The set $S_n \subseteq \mathcal{R}_n$ of sum of squares (SOS) polynomials is defined as
$$S_n := \Big\{ s \in \mathcal{R}_n \ \Big|\ s = \sum_{i=1}^{m} p_i^2,\ p_i \in \mathcal{R}_n,\ m \in \mathbb{Z}_{>0} \Big\} \tag{2.19}$$
An interesting property of a SOS polynomial $s \in S_n$ is that $s(x) \ge 0$, $\forall x \in \mathbb{R}^n$. This shows that $S_n \subseteq P_n$ [73]. As shown in Hilbert's seventeenth problem, there are classes of polynomials for which the set of SOS polynomials $S_n$ and the set of PSD polynomials $P_n$ coincide: homogeneous polynomials in one variable (n = 1), quadratic polynomials (d = 2), and quartic polynomials in two variables (n = 2, d = 4). In general, $S_n \subset P_n$. The Motzkin polynomial given below is one example which is PSD but not SOS [73]:
$$M(x, y, z) = x^4 y^2 + x^2 y^4 + z^6 - 3 x^2 y^2 z^2$$
2.4.2 SOS Programming
Our mixed deductive-bounded verification approach involves checking the positivity/negativity of polynomials on semi-algebraic sets. Essentially, given a multivariate polynomial p(x), we are interested in verifying that
$$p(x) \ge 0, \quad \forall x \in \mathbb{R}^n \tag{2.20}$$
As stated in [73], there are decision procedures, such as Tarski-Seidenberg [93], which provide an exact solution to this positivity verification problem. However, the complexity of these decision procedures is NP-hard (when the degree is at least 4), and with large numbers of variables their behaviour is unacceptable. Therefore, to avoid the computational complexity barrier of these exact methods and provide a realistic, scalable solution, a computable, relaxed and sound approach has been proposed in [78], [73].
A sufficient condition for a multivariate polynomial p(x) to be non-negative everywhere is that it can be decomposed as a sum of squares of polynomials. A polynomial p(x) is a SOS if there exist polynomials $p_1(x), \dots, p_m(x)$ such that
$$p(x) = \sum_{i=1}^{m} p_i^2(x), \quad p_i(x) \in \mathcal{R}_n \tag{2.21}$$
Note that since SOS polynomials are always of even degree, we denote the set of SOS polynomials of degree 2d by $S_{n,2d}$, $d \in \mathbb{Z}_{>0}$. In [19], the author presented a parametrization of SOS polynomials called the "Gram matrix", shown below:
$$p(x) = Z^T(x)\, Q\, Z(x), \qquad Z(x) = [1, x_1, x_2, \dots, x_n, x_1 x_2, \dots, x_n^d] \tag{2.22}$$
Here Q is a constant matrix and the vector Z is of length $\binom{n+d}{d}$. If Q is positive semidefinite, then p(x) is non-negative. It can easily be shown that the set of matrices Q satisfying Eq. 2.22 is an affine subspace.
If $Q \succeq 0$, an eigenvalue decomposition of Q yields an explicit SOS decomposition of the p(x) in Eq. 2.22 [73]:
$$Q = T^T D T, \quad D = \operatorname{diag}\{d_i\}, \quad d_i \ge 0 \implies p(x) = \sum_i d_i \big( (TZ)_i \big)^2 \tag{2.23}$$
It can easily be shown that the number of squares in the representation is equal to the rank of the matrix Q. We borrow a theorem from [73] which shows that the decision procedure for a polynomial to be a SOS can be formulated as a semidefinite program.
Theorem 2.4. The existence of a SOS decomposition of a polynomial in n variables of degree 2d can be decided by solving a semidefinite programming feasibility problem. If the polynomial is dense (no sparsity), the dimensions of the matrix inequality are $\binom{n+d}{d} \times \binom{n+d}{d}$.
From the above theorem, we notice that the size of the SDP problem is polynomial in d when n is fixed, and polynomial in n when d is fixed. It is exponential if both are variable. We avoid discussing semidefinite programming here; the reader can see Appendix A.1 for a detailed discussion. We give an example from [73] and show how this process of SOS decomposition works for a homogeneous polynomial.
Example 2.1. Consider the quartic form in two variables,
$$F(x, y) = 2x^4 + 2x^3 y - x^2 y^2 + 5y^4 = \begin{bmatrix} x^2 \\ y^2 \\ xy \end{bmatrix}^T \begin{bmatrix} q_{11} & q_{12} & q_{13} \\ q_{12} & q_{22} & q_{23} \\ q_{13} & q_{23} & q_{33} \end{bmatrix} \begin{bmatrix} x^2 \\ y^2 \\ xy \end{bmatrix} = q_{11} x^4 + q_{22} y^4 + (q_{33} + 2 q_{12}) x^2 y^2 + 2 q_{13} x^3 y + 2 q_{23} x y^3$$
Comparing the coefficients of the monomials, the following linear equalities must hold:
$$q_{11} = 2, \quad q_{22} = 5, \quad q_{33} + 2 q_{12} = -1, \quad 2 q_{13} = 2, \quad 2 q_{23} = 0. \tag{2.24}$$
Using semidefinite programming, a positive semidefinite Q can be found that satisfies the above linear equalities. One solution is
$$Q = \begin{bmatrix} 2 & -3 & 1 \\ -3 & 5 & 0 \\ 1 & 0 & 5 \end{bmatrix} = L^T L, \qquad L = \frac{1}{\sqrt{2}} \begin{bmatrix} 2 & -3 & 1 \\ 0 & 1 & 3 \end{bmatrix}$$
therefore, the SOS decomposition of the polynomial F(x, y) is
$$F(x, y) = \frac{1}{2}(2x^2 - 3y^2 + xy)^2 + \frac{1}{2}(y^2 + 3xy)^2.$$
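As an added worked example (not code from the thesis), the following Python script redoes Example 2.1 exactly over the rationals: it expands $Z^T Q Z$ for the stated Q and checks it against F(x, y), then factorises Q as $L D L^T$ (the LDL variant of Eq. 2.23, with zero pivots allowed so that rank-deficient PSD matrices are handled) to recover the weighted squares. The polynomial dictionary representation and the pivot-based PSD test are my own choices; finding Q itself is the SDP step and is not reproduced here.

```python
"""Exact Gram-matrix check and SOS decomposition for Example 2.1 (added example).
Polynomials are dicts {exponent tuple: Fraction}, so every step is exact."""
from fractions import Fraction
from itertools import product


def p_add(a, b):
    """Sum of two polynomials, dropping zero coefficients."""
    out = dict(a)
    for m, c in b.items():
        out[m] = out.get(m, Fraction(0)) + c
    return {m: c for m, c in out.items() if c != 0}


def p_scale(a, k):
    """Multiply a polynomial by the scalar k."""
    return {m: k * c for m, c in a.items() if k * c != 0}


def p_mul(a, b):
    """Product of two polynomials: multiply coefficients, add exponent vectors."""
    out = {}
    for (ma, ca), (mb, cb) in product(a.items(), b.items()):
        m = tuple(x + y for x, y in zip(ma, mb))
        out[m] = out.get(m, Fraction(0)) + ca * cb
    return {m: c for m, c in out.items() if c != 0}


def gram_expand(Z, Q):
    """Expand Z(x)^T Q Z(x) (Eq. 2.22) for a monomial vector Z and symmetric matrix Q."""
    acc = {}
    for i, zi in enumerate(Z):
        for j, zj in enumerate(Z):
            if Q[i][j] != 0:
                acc = p_add(acc, p_scale(p_mul(zi, zj), Fraction(Q[i][j])))
    return acc


def ldl_psd(Q):
    """Exact LDL^T factorisation of a symmetric PSD matrix, zero pivots allowed.
    Returns (L, d) with Q = L diag(d) L^T; raises ValueError when Q is not PSD
    (a negative pivot, or a zero pivot with a non-zero entry below it)."""
    n = len(Q)
    A = [[Fraction(v) for v in row] for row in Q]
    L = [[Fraction(1 if i == j else 0) for j in range(n)] for i in range(n)]
    d = [Fraction(0)] * n
    for k in range(n):
        d[k] = A[k][k]
        if d[k] < 0:
            raise ValueError("negative pivot: Q is not positive semidefinite")
        for i in range(k + 1, n):
            if d[k] == 0:
                if A[i][k] != 0:
                    raise ValueError("zero pivot with non-zero column: Q is not PSD")
            else:
                L[i][k] = A[i][k] / d[k]
        for i in range(k + 1, n):          # Schur-complement update of the trailing block
            for j in range(k + 1, n):
                A[i][j] -= L[i][k] * d[k] * L[j][k]
    return L, d


def sos_decomposition(Z, Q):
    """List of (weight d_i, polynomial (L^T Z)_i) with Z^T Q Z = sum_i d_i (L^T Z)_i^2,
    the form of Eq. 2.23 with T = L^T.  Zero weights are dropped, so the number of
    squares returned equals rank(Q)."""
    L, d = ldl_psd(Q)
    terms = []
    for i in range(len(Z)):
        if d[i] == 0:
            continue
        poly = {}
        for j in range(len(Z)):            # (L^T Z)_i = sum_j L[j][i] * Z_j
            if L[j][i] != 0:
                poly = p_add(poly, p_scale(Z[j], L[j][i]))
        terms.append((d[i], poly))
    return terms


def sos_to_poly(terms):
    """Re-expand sum_i d_i * q_i^2 to check the decomposition."""
    acc = {}
    for w, q in terms:
        acc = p_add(acc, p_scale(p_mul(q, q), w))
    return acc


# Example 2.1: F(x, y) = 2x^4 + 2x^3y - x^2y^2 + 5y^4, basis Z = [x^2, y^2, xy]
F = {(4, 0): Fraction(2), (3, 1): Fraction(2), (2, 2): Fraction(-1), (0, 4): Fraction(5)}
Z = [{(2, 0): Fraction(1)}, {(0, 2): Fraction(1)}, {(1, 1): Fraction(1)}]
Q = [[2, -3, 1], [-3, 5, 0], [1, 0, 5]]     # a PSD solution of the equalities (2.24)


def check_example():
    """True iff Z^T Q Z == F, Q factors as PSD, and the squares re-sum to F with rank(Q) = 2."""
    terms = sos_decomposition(Z, Q)
    return gram_expand(Z, Q) == F and sos_to_poly(terms) == F and len(terms) == 2


if __name__ == "__main__":
    for w, q in sos_decomposition(Z, Q):
        print(w, "*", q, "^2")
    print("decomposition verified:", check_example())
```

Running the script prints the two weighted squares $2(x^2 - \tfrac{3}{2}y^2 + \tfrac{1}{2}xy)^2$ and $\tfrac{1}{2}(y^2 + 3xy)^2$, which are the thesis's decomposition once the factor 2 is pulled into the first square.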
A SOS feasibility program, as defined in [79], is of the form:
Find
$$p_i(x) \in \mathcal{R}_n, \quad i = 1, 2, \dots, \hat{N},$$
$$p_i(x) \in S_n, \quad i = \hat{N} + 1, \dots, N,$$
such that
$$a_{0,j}(x) + \sum_{i=1}^{N} p_i(x)\, a_{i,j}(x) = 0, \quad j = 1, 2, \dots, \hat{J},$$
$$a_{0,j}(x) + \sum_{i=1}^{N} p_i(x)\, a_{i,j}(x) \in S_n, \quad j = \hat{J} + 1, \dots, J.$$
Here $a_{i,j} \in \mathcal{R}_n$ are known polynomials. An optimization SOS program is similar, with the addition of an objective function.
2.4.3 Positivstellensatz
In this thesis, we use a mathematical technique, called the S-procedure, to incorporate the domain constraints in SOS programming. Before illustrating this procedure, we describe a theorem from real algebraic geometry which is the foundation of this technique [73].
Definition 2.18. For a set of polynomials $g_1, \dots, g_m \in \mathcal{R}_n$, the multiplicative monoid is the set of all finite products of the $g_i$'s, including 1. We denote this by $M(g_1, \dots, g_m)$.
Definition 2.19. For a set of polynomials $h_1, \dots, h_m \in \mathcal{R}_n$, the cone generated by the $h_i$'s is
$$C(h_1, \dots, h_m) = \Big\{ a_0 + \sum_{i=1}^{N} a_i b_i \ \Big|\ N \in \mathbb{Z}_{>0},\ a_i \in S_n,\ b_i \in M(h_1, \dots, h_m) \Big\}. \tag{2.25}$$
Definition 2.20. For a set of polynomials $f_1, \dots, f_u \in \mathcal{R}_n$, the ideal generated by the $f_k$'s is
$$I(f_1, \dots, f_u) = \Big\{ \sum_k f_k p_k \ \Big|\ p_k \in \mathcal{R}_n \Big\}. \tag{2.26}$$
Theorem 2.5 (Positivstellensatz). For sets of polynomials $\{g_1, \dots, g_s\}$, $\{h_1, \dots, h_t\}$, $\{f_1, \dots, f_u\} \subset \mathcal{R}_n$, the following statements are equivalent:
• The following set is empty:
$$\Big\{ x \in \mathbb{R}^n \ \Big|\ g_j(x) \ge 0,\ j = 1, \dots, s;\ \ h_k(x) \ne 0,\ k = 1, \dots, t;\ \ f_l(x) = 0,\ l = 1, \dots, u \Big\}$$
• There exist $g \in C(g_1, \dots, g_s)$, $h \in M(h_1, \dots, h_t)$, $f \in I(f_1, \dots, f_u)$ such that $g + h^2 + f = 0$.
Proof. See [73].
2.4.4 S-Procedure
In this thesis, we encounter problems that involve checking positivity/negativity of polynomials on a compact set. To incorporate these domain constraints, we use a mathematical technique from [15], generalized in [53], called the S-procedure.
Lemma 2.1. Given the set of polynomials $\{p_i\}_{i=0}^{m} \subset \mathcal{R}_n$, if there exists a set of polynomials $\{a_i\}_{i=1}^{m} \subset S_n$ such that
$$p_0 - \sum_{i=1}^{m} a_i p_i = q, \quad q \in S_n \tag{2.27}$$
then
$$\bigcap_{i=1}^{m} \{x \in \mathbb{R}^n \mid p_i(x) \ge 0\} \subset \{x \in \mathbb{R}^n \mid p_0(x) \ge 0\} \tag{2.28}$$
Proof. We prove this lemma by showing the emptiness of a set defined by polynomial inequalities, using the Positivstellensatz [53]. The condition in the lemma holds if the set
$$S = \{x \in \mathbb{R}^n \mid p_1(x) \ge 0, \dots, p_m(x) \ge 0,\ -p_0(x) \ge 0,\ p_0(x) \ne 0\}$$
is empty. We define the element l of the cone generated by $(-p_0, p_i)$ for $i \in \{1, \dots, m\}$ as $l = -q p_0 - \sum_{i=1}^{m} a_i p_0 p_i$, $q \in S_n$, and the element w of the multiplicative monoid of $p_0 \ne 0$ as $w = p_0(x)$. The set S is empty if $l + w^2 = 0$. Therefore, substituting q from Eq. 2.27,
$$l + w^2 = -q p_0 - \sum_{i=1}^{m} a_i p_0 p_i + p_0^2 = -\Big(p_0 - \sum_{i=1}^{m} a_i p_i\Big) p_0 - \sum_{i=1}^{m} a_i p_0 p_i + p_0^2 = 0.$$
This proves the emptiness of the set S.
For a differentiable polynomial function $q : \mathbb{R}^n \to \mathbb{R}$, we define the 0-sub-level set of q as $Z(q) = \{x \in \mathbb{R}^n \mid q(x) \le 0\}$. We present an important lemma to be used for polynomial level-set operations such as intersection, union and set inclusion [102].
Lemma 2.2. For polynomials $p_1, p_2 \in P_n$, if there exist SOS polynomials $s_0, s_1 \in S_n$ such that
$$s_0 - s_1 p_1 + p_2 = 0 \quad \forall x \in \mathbb{R}^n \tag{2.29}$$
then $Z(p_1) \subset Z(p_2)$.
Proof. Follows directly from Lemma 2.1. See also, for example, [102] and the references therein.
2.5 Formal Verification of Continuous and Hybrid Systems
After their successful application for the verification of discrete systems in software
and hardware design, researchers have been using formal methods for continuous and
hybrid systems verification for the last decade. Since a CDS can be treated as a HDS
with a single mode, here we discuss formal verification techniques for HDS. Bounded
and deductive verification are the two famous techniques that have been used for HDS.
2.5.1 Bounded Verification
In this thesis, we use Bounded model checking and Bounded Advection of sets for
HDS verification. Here, we give a brief discussion on these two bounded verification
approaches.
2.5.1.1 Bounded Model Checking
In a model checking approach, the system (continuous or hybrid) is represented by a transition system. A transition system T has a finite number of states with transition rules from one state to another. The model checking algorithm exhaustively checks all possible finite states of the transition system T for a property specified in LTL (Linear Temporal Logic) or CTL (Computation Tree Logic). We avoid discussing these specification languages; readers are referred to [76] and [22] for a detailed discussion of LTL and CTL respectively. A transition system T is said to satisfy a property P if all possible runs Π of T are models of the property P [23]:
$$T_\pi \models P, \quad \forall \pi : \pi \in \Pi. \tag{2.30}$$
If there is a state in the transition system T that does not satisfy the property, the model checking algorithm reports it as a counterexample to the property P.
While model checking has been used quite successfully for the verification of temporal properties of finite-state systems and timed automata [10], it suffers from state-space explosion for practical infinite-state systems. An alternative, BMC, has been proposed in [13] for infinite-state systems. In this approach, instead of searching for a violation of the property in the entire state space of a transition system, a more modest approach is adopted: the refutation of the property is checked for a bounded length of runs of the transition system. Specifically, the refutation of the property P is reduced to checking the satisfiability of the formula
$$I(x_0) \wedge T(x_0, x_1) \wedge \dots \wedge T(x_{k-1}, x_k) \wedge \neg P(x_k). \tag{2.31}$$
Here $I(x_0)$ is the predicate over the initial condition $x_0$, and $T(x_{k-1}, x_k)$ is the transition relation between the pre-state $x_{k-1}$ and post-state $x_k$. The bound k is successively increased until we either get a counterexample or a pre-specified maximum bound on k is reached.
BMC of hybrid systems involves predicate encoding of the sequential behaviour of transition systems and the target formulas. This is followed by a decision procedure, e.g. SAT, to find a satisfying instantiation of the target formula. Formally, for a HDS H and a formula φ (LTL or CTL), we ascertain that φ holds in H by looking for a counterexample on a trajectory of length k. This can be reduced to the satisfiability of the following formula:
$$[\![H, \neg\phi]\!]_k = I(x(0)) \wedge \bigwedge_{i=0}^{k} Inv(x(i)) \wedge \bigwedge_{i=0}^{k} T(x(i), x(i+1)) \wedge \bigvee_{i=0}^{k} \neg\phi(x(i)), \tag{2.32}$$
where $I(x(0))$ is a predicate for the initial conditions, $Inv(x(i))$ is an invariant predicate at step i, and $T(x(i), x(i+1))$ is the transition relation from step i to step i+1. If $[\![H, \neg\phi]\!]_k$ is satisfiable, we have found a counterexample within k steps. If ¬φ is unsatisfiable, we check its satisfiability for an increasing number of steps until a given limit is reached.
Andreas et al. in [33] presented the SMODE technique for the verification of polynomial hybrid automata. Essentially, it is a technique based on BMC of polynomial hybrid automata, encoded as a large number of constraints involving boolean, linear and non-linear semi-algebraic, and non-linear ODE constraints. The transition system T is in the form of non-linear ODEs, which are then conservatively solved to find the set of solutions in a particular unrolling k of the above FOF. We use this approach for the verification of frequency-domain properties in Ch. 5.
2.5.1.2 Bounded Advection of Sets
A technique similar but dual to BMC is the reach-set computation described in [69]. In this approach, starting from an initial set of states, the forward reachable set of states of a HDS is computed. The intersection of the reachable sets with the target set is tested: the system is declared safe if the intersection is empty, and unsafe otherwise. It is the dual of BMC in the sense that while BMC searches for the refutation of a formula, reach-set computation checks that a (safety) property is verified in bounded steps. In this thesis, we use a technique, first introduced in [102] for CDSs, called advection of sets. We illustrate this technique for CDS here and later, in Ch. 3, extend it to the verification of HDS.
For the continuous flow map $\psi : \mathbb{R}^n \times \mathbb{R}_{\ge 0} \to \mathbb{R}^n$ of the polynomial continuous dynamical system PCDS, a time-t advection operator $A_t$ is a map
$$A_t : C(\mathbb{R}^n, \mathbb{R}) \to C(\mathbb{R}^n, \mathbb{R}), \quad t \in \mathbb{R}_{\ge 0} \tag{2.33}$$
such that
$$U = A_t V \quad \text{for } U, V \in C(\mathbb{R}^n, \mathbb{R})$$
and
$$U(x) = V(\psi_{-t}(x)) \quad \text{for all } t \in \mathbb{R}_{\ge 0}.$$
Here $C(\mathbb{R}^n, \mathbb{R})$ is the set of differentiable maps from Euclidean space to the real numbers. The advection operator has the important property of linearity. For polynomial functions $U_1, U_2 \in C(\mathbb{R}^n, \mathbb{R})$, if
$$U_2 = A_t U_1$$
then
$$Z(U_2) = \psi_t(Z(U_1)) \tag{2.34}$$
This advection of level sets is shown in Fig. 2.3. For practical purposes, an approximation to the flow map $\psi_h$ with time step h is used. For example, a first-order Taylor approximation yields the following advection of a set:
$$U = B_h V, \quad \text{if } U(x) = V(x) - h \frac{\partial V}{\partial x}(x) f(x) \tag{2.35}$$
Here $B_h : C(\mathbb{R}^n, \mathbb{R}) \to C(\mathbb{R}^n, \mathbb{R})$ is the first-order Taylor approximation to $A_h$. Higher-order advection maps give more accurate results, but at the cost of an increased polynomial degree and computation time. Furthermore, the product $B_h V$ results in polynomials of degree higher than V. Therefore, a conservative approximation of the advected level sets is used. Introducing an approximation parameter $\mu \in \mathbb{R}_{\ge 0}$, we conservatively approximate the zero sub-level set of a polynomial q by backward advecting the polynomial p such that
$$Z(q) \subset Z(B_{-h} p) \subset Z(q - \mu) \tag{2.36}$$
To incorporate the truncation error of the Taylor approximation, let us introduce η such that $\big\| \nabla^2 p \, \frac{h^2}{2} \big\| \le \eta$. This requires that
$$Z(B_{-h} p + \eta) \subset Z(A_{-h} p) \subset Z(B_{-h} p - \eta) \tag{2.37}$$
Figure 2.3: Advection of Sets in Continuous Systems (figure not reproduced: it shows the level set of V carried by the flow $\psi_t$, i.e. by the advection $A_t$, onto the level set of U).
This implies that
$$Z(q) \subset Z(B_{-h} p + \eta) \subset Z(A_{-h} p) \subset Z(B_{-h} p - \eta) \subset Z(q - \mu) \tag{2.38}$$
We incorporate these set inclusions as SOS programs which will be discussed in Ch. 3.
The reader is further advised to see [102] for an in depth discussion on the technical
background of the advection of level sets.
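As an added numerical example (not from the thesis or [102]), the Python script below takes a constructed planar vector field whose flow is known in closed form and a disk-shaped level set $Z(V)$, computes both the exact advection $A_h V$ (Eq. 2.33) and its first-order Taylor proxy $B_h V$ (Eq. 2.35), and checks the transport of the boundary (Eq. 2.34) and the error sandwich of Eq. 2.37 on a sample grid. The truncation bound η is derived by hand for this particular V and f (an assumption of the example), not from the Hessian expression above, and the sampling-based check is an illustration rather than the SOS formulation used in Ch. 3.

```python
"""Advection of a polynomial level set (Sec. 2.5.1.2), constructed example.
V(x) = |x|^2 - R^2 (disk), f(x) = (-x1 + x2, -x1 - x2) with closed-form flow,
so the exact advection A_h V can be compared with the Taylor proxy B_h V."""
import math

R = 1.0  # radius of the level set Z(V)


def f(x):
    """Constructed vector field: a stable spiral toward the origin."""
    return (-x[0] + x[1], -x[0] - x[1])


def flow(x, t):
    """Exact flow psi_t(x) = e^{-t} (rotation by -t) x of x' = f(x)."""
    c, s, e = math.cos(t), math.sin(t), math.exp(-t)
    return (e * (c * x[0] + s * x[1]), e * (-s * x[0] + c * x[1]))


def V(x):
    return x[0] ** 2 + x[1] ** 2 - R ** 2


def grad_V(x):
    return (2 * x[0], 2 * x[1])


def A(x, h):
    """Exact advection (A_h V)(x) = V(psi_{-h}(x)); Z(A_h V) = psi_h(Z(V)) (Eq. 2.34)."""
    return V(flow(x, -h))


def B(x, h):
    """First-order Taylor advection (B_h V)(x) = V(x) - h dV/dx(x) f(x) (Eq. 2.35)."""
    g, fx = grad_V(x), f(x)
    return V(x) - h * (g[0] * fx[0] + g[1] * fx[1])


def eta(h, rho):
    """Truncation-error bound on |x| <= rho, derived by hand for THIS V and f:
    (A_h V - B_h V)(x) = (e^{2h} - 1 - 2h) |x|^2, which is O(h^2)."""
    return (math.exp(2 * h) - 1 - 2 * h) * rho ** 2


def disk_grid(rho, n):
    """Sample points of the square [-rho, rho]^2 that lie in the disk |x| <= rho."""
    pts = [(-rho + 2 * rho * i / (n - 1), -rho + 2 * rho * j / (n - 1))
           for i in range(n) for j in range(n)]
    return [p for p in pts if p[0] ** 2 + p[1] ** 2 <= rho ** 2]


def max_taylor_error(h, rho, n=57):
    """Largest |A_h V - B_h V| over the sampled disk."""
    return max(abs(A(x, h) - B(x, h)) for x in disk_grid(rho, n))


def sandwich_holds(h, err, rho, n=57):
    """Eq. 2.37 on the sampled disk: Z(B_h V + err) in Z(A_h V) in Z(B_h V - err)."""
    for x in disk_grid(rho, n):
        a, b = A(x, h), B(x, h)
        if b + err <= 0 < a:      # a point of Z(B + err) outside Z(A)
            return False
        if a <= 0 < b - err:      # a point of Z(A) outside Z(B - err)
            return False
    return True


def boundary_transport_error(h, n=360):
    """Eq. 2.34 check: boundary points of Z(V) flow onto the boundary of Z(A_h V)."""
    worst = 0.0
    for k in range(n):
        th = 2 * math.pi * k / n
        x = (R * math.cos(th), R * math.sin(th))
        worst = max(worst, abs(A(flow(x, h), h)))
    return worst


if __name__ == "__main__":
    h, rho = 0.05, 1.4
    bound = eta(h, 1.5)   # bound taken on a slightly larger disk than is sampled
    print("max |A_hV - B_hV| on samples:", max_taylor_error(h, rho), "<= eta:", bound)
    print("sandwich with eta:", sandwich_holds(h, bound, rho))
    print("sandwich with eta = 0:", sandwich_holds(h, 0.0, rho))   # False: eta is needed
    print("boundary transport error:", boundary_transport_error(h))
```

With η = 0 the check fails at points just inside $Z(B_h V)$ but outside $Z(A_h V)$, which is exactly why the inclusions in Eq. 2.37 need the η margin.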
2.5.2 Deductive Verification
In deductive verification, the correctness of a design is verified with a theorem prover, based on some pre-defined inference rules. Using inductive invariants, safety verification has been performed for discrete systems [8]. This involves identifying an invariant property φ which holds for the initial set, a safe set, and all transitions of the discrete system. Extending the concept of invariants to CDSs and HDSs, the author in [77] introduced barrier certificates for CDSs and HDSs. For a continuous dynamical system CDS with f as given in Eq. 2.1, initial set $X_0 \subset X$ and unsafe set $X_u$, if there is a barrier certificate $\Upsilon : X \to \mathbb{R}$ satisfying
$$\Upsilon(x) \le 0, \quad \forall x : x \in X_0 \tag{2.39}$$
$$\Upsilon(x) > 0, \quad \forall x : x \in X_u \tag{2.40}$$
$$\frac{\partial \Upsilon}{\partial x}(x) f(x) \le 0, \quad \forall x : x \in X \text{ such that } \Upsilon(x) = 0 \tag{2.41}$$
then the CDS is safe and there is no system trajectory starting in $X_0$ that ends up in $X_u$. The same concept has been extended to HDS. The concept of a barrier certificate has actually been borrowed from the Lyapunov-certificate-based stability verification of CDS and HDS discussed in Sec. 2.3. Deductive verification of CDS and HDS has also been demonstrated in [91] and [90].
In certificate-based deductive verification, the critical issue is how to find the certificate from an infinite set of feasible certificates of a given structure. Formally, the existence of these certificates can be formulated as a FOF having polynomial equations, inequalities, quantifiers {∀, ∃} and boolean operators {∧, ∨, ¬, →, etc.}. There are algorithms that can in principle generate quantifier-free formulas from a universal-existential quantified FOF over the real numbers [89]. Let us denote these formulas by $F_i(V_q, U_f)$, $i = 1, \dots, k$, where $V_q = (v_1, v_2, \dots, v_n) \in \mathbb{R}^n$ is a set of quantified variables and $U_f = (u_1, u_2, \dots, u_m) \in \mathbb{R}^m$ is a set of unquantified parameters [51]. A quantified FOF is given as
$$(Q_1 V_1 \dots Q_r V_r)\, \psi(F_1, \dots, F_k) \tag{2.42}$$
where $\psi(F_1, \dots, F_k)$ is a quantifier-free boolean formula such that $F_i = F_i(V_q, U_f)\ \Delta\ 0$ for $i = 1, \dots, k$, $\Delta \in \{=, \ge, \le, \ne\}$, $V_i$ is a block of $q_i$ quantified variables ($i = 1, \dots, r$) from $V_q$ such that $q_1 + \dots + q_r = n$ and $V_l \cap V_s = \emptyset$ for all $l \ne s$ ($l, s = 1, \dots, r$), and $Q_i \in \{\forall, \exists\}$. For example, the conditions of the Lyapunov certificate in Th. 2.1 can be formulated as a FOF as follows:
$$\psi_0 := \exists p \in P : \psi_1$$
$$\psi_1 := \forall x \in X : \psi_2$$
$$\psi_2 := (x = 0 \implies V(p, x) = 0) \wedge (x \ne 0 \implies V(p, x) > 0) \wedge \Big(x \ne 0 \implies \frac{\partial V}{\partial x}(p, x) \cdot f(x) < 0\Big)$$
A QE algorithm replaces such a quantified formula with an equivalent unquantified formula. A decision procedure produces a true/false answer if there is no unquantified parameter in the formula. For a formula having both quantified variables and unquantified parameters, QE reduces the formula to a quantifier-free formula over the parameters only. For example [89], in the quantified formula
$$\exists x\, (a x + b = 0) \iff a \ne 0 \vee (a = 0 \wedge b = 0),$$
the variable x has been eliminated by QE; the right-hand side is quantifier-free and is decided true or false by the values of a and b.
Several techniques have been presented for QE, such as Cylindrical Algebraic Decomposition (CAD) [24] and Virtual Substitution [106]. However, while the virtual substitution method is better suited to simple problems of an academic nature, CAD has doubly exponential worst-case complexity. Therefore, the application of these QE techniques to real-world problems has shown very little progress. To reduce the computational workload of these QE techniques, a combination of SOS and QE, and of SOS and HOL theorem proving, has been used in [51], [85] and [47] respectively. In Chapter 4, we use the same SOS-QE approach for the verification of "inevitability of oscillation" in ROs. The Gröbner basis has been used in [84] and [95] for the construction of invariants.
2.6 Formal Analog and Mixed Signal Circuits Verification
As mentioned in the last chapter, the conventional way of verifying AMS circuits is predominantly SPICE simulation. To improve its coverage, it was complemented by symbolic simulation to analyze parameter-variation effects, but this was still not enough to deal with non-linear models. After the successful use of formal methods in digital hardware verification, researchers have recently started applying them to AMS circuit verification. A survey of different approaches can be found in [113]. Based on the methodologies used, we divide them into equivalence checking, model checking, runtime verification and deductive methods.
2.6.1 Equivalence Checking
Equivalence checking is the art of checking whether two models of the same system, at different levels of abstraction, are equal to each other with reference to some criterion. In [12], Balivada et al. showed the equivalence of a linear filter circuit and its specification. Both were represented as Laplace-transformed transfer functions, which the method discretized using the z-transform; a discrete-domain binary decision diagram (BDD) based equivalence was then established between the two discrete models. In [49], the author computed value sets of an actual circuit and of its specification transfer function, for all possible parameter variations and for a range of frequencies, using interval arithmetic. The author showed by inclusion that the value sets of the actual circuit transfer function belong to the value sets of the specification transfer function. Hartong et al. in [48] used a discretization of the state space and showed equivalence between the vector fields of a behavioural model and a model obtained from the real circuit. The equivalence was established by showing that the modulus of the difference between the two vector fields was bounded. In [82], the author showed the equivalence of two VHDL-AMS models, using rewriting rules and pattern matching to simplify the models and then a SAT/BDD-based approach to show their equivalence.
2.6.2 Model Checking
Model checking of AMS circuits exhaustively explores whether a model of the AMS circuit satisfies a property. Models of the system can be discrete as well as continuous. In [63], Kurshan and McMillan presented the first approach to formally verify a digital circuit at the transistor level. They partitioned the state space into hypercubes, and the continuous input signals into high and low logic, with the assumption that they change value instantly. Time is similarly discretized in equal steps. They developed a transition relation between discrete states and verified the model using the COPSON tool against properties defined in an ω-language. A similar discretization-of-state-space approach has been adopted in [48]. The difference here is that they used variable-step numerical integration, and adopted an automatic refinement of the discrete partitions so as to make them uniform. This partition-uniformity process is based on the length and direction of the vector fields. Three types of transition relations between the partitions have been given. In one they used interval arithmetic to over-approximate the trajectories, whereas in the second they ran simulations at various points to establish transition relations. In the third, they made use of Lipschitz constants for non-linear functions. They implemented their approach in the tool AMCHECK and verified the discrete transition system against CTL properties.
Model checking techniques in the continuous domain are based on reach-set computation (reachability). Starting in an initial set, reachability techniques in each iteration compute the next set of points. To find the complete tube of trajectories, the pre- and post-reachable sets are bloated to get the convex hull of the set of points comprising the pre-set, the post-set and the sets between them. This way the tube of trajectories is conservatively over-approximated. In [81], Mark Greenstreet and Ian Mitchell presented a technique showing reachable sets for a MOS circuit modelled as a system of ODEs. They showed correctness of analog circuits by reachability, considering three cases. First they considered linear ODEs, with the reachability computation based on a convex-set representation. This was followed by computing reachable sets for linear ODEs with regions as non-convex sets, and for non-linear ODEs with non-convex sets representing state-space regions. Safety properties of analog circuits were soundly verified by conservatively over-approximating all reachable sets.
Modelling non-linear circuits as HDSs has gained tremendous interest in the research community during the last decade. This is mainly due to the amount of research on formal verification of HDSs [9], [2]. HDSs consist of both continuous and discrete domains, making their verification a difficult task. In [38], Goran et al. verified time-domain properties of a tunnel diode oscillator using the tool PHAVER. They showed that the variations in amplitude and jitter in the oscillator behaviour are bounded. Modelling the oscillator dynamics as a hybrid automaton having modes with affine dynamics of the form $\dot{x} = Ax + b$, PHAVER conservatively over-approximated this with a linear hybrid automaton (LHA), where the affine dynamics were replaced with the differential inclusion $a_l x \le \dot{x} \le a_u x$. They successfully showed that, starting in close proximity to a limit cycle of a tunnel diode oscillator (TDO), it oscillates with a specific fundamental period. A similar but improved approach involving forward/backward reachability has been adopted in [36].
Gupta et al. used the CHECKMATE tool for hybrid systems analysis and verified time-domain properties of the TDO [45]. CHECKMATE, a MATLAB-based tool, can handle hybrid automata having modes with continuous affine dynamics. It uses flow-pipe approximation (a sequence of polyhedra) and constructs a sound abstraction of the continuous dynamics. Instead of discretizing the whole state space, it partitions the state space only along the trajectory of the system for a set of its initial conditions. Creating a discrete transition system from the polyhedral invariant hybrid automaton, CHECKMATE uses bisimulation-based model checking and verifies ACTL properties for the given hybrid system. The author in [45] showed oscillation in the state space of the TDO for one set of parameters, and a counterexample to oscillation when a second set of parameters was considered.
In [94] Thao et al., using Mixed Integer Linear Programming (MILP) for discrete hybrid systems, showed worst-case safety properties of a ΔΣ modulator. Considering the fact that reachability algorithms suffer from time and space explosion, they adopted a bounded-horizon reachability concept. Similar to boolean satisfiability for bounded-horizon reachability in digital systems, they used concepts of optimal control and looked for a worst-case input which induced bad behaviour. They proved safety by proving the safety of the set of worst-case trajectories. In the same paper, they verified a low-pass filter modelled by differential algebraic equations (DAE). They transformed the DAEs into ODEs and computed reachable sets for them on manifolds using the d/dt reachability tool. Steinhorst et al. in [87] showed oscillations in a tunnel diode and a ring oscillator using visualization techniques. Since these are only applicable in three-dimensional space, circuits with higher dimension were projected to three dimensions. Particles were injected into the discrete state space and their tangent vectors were approximated with the nearest point of the discrete vector field. The particles represented independent simulations, and thus gave a picture of the complete state space.
Althoff et al. in [7] formally verified the lock time of a CP PLL. They used HDS theory for the behavioural model of the CP PLL with parameter uncertainties. Faced with the problem of a very large number of mode switches, they approximated the hybrid switched system with a continuous system, and used reachability computation to find all possible sets of the PLL transient analysis and computed its locking time. Using Labelled Hybrid Petri Net (LHPN) analysis tools, Walter et al. in [100] verified switched-capacitor integrator circuits. LHPN models were transformed into symbolic models, and these were then verified using BDD-based model checking. A similar procedure has been adopted in [101], but the verification engine used an SMT solver to verify the symbolic model.
For a given property, a model checking algorithm invokes a decision procedure to traverse the state transition system and verify whether or not the property is satisfied by that system. To deal with the state explosion problem, the model checking technique has been enhanced by bounded model checking (BMC), where the transition system is verified for a bounded length of state sequences [20]. BMC of hybrid systems involves predicate encoding of the sequential behaviour of the transition system and the target formulas, and a decision procedure, e.g. SAT, to find a satisfying instantiation of the target formula. Using BMC, Zaki et al. in [112] proved properties of a ΔΣ modulator and of oscillator circuits. Representing the continuous parts of AMS circuits by differential equations and the digital part by event-based models, they used an interval-arithmetic-based Taylor approximation of the continuous state space to avoid unsoundness.
Recently, Satisfiability Modulo Theory (SMT) based techniques have been used for AMS circuit verification. This is because of the recent advancement of SMT solvers to handle boolean combinations of several thousand linear as well as non-linear arithmetic constraints. Thiwary et al. in [57] presented a SAT-modulo-theory-based approach for AMS circuit verification. Based on the device (diodes, transistors) voltage-current relationships, they tabulated these in the form of linear inequalities in their formulation. Given these and the KCL/KVL constraints on the currents and voltages of the different nodes in the circuit, they verified DC, steady-state and transient properties of circuits. They used the Euler integration method to solve the differential equations, which makes their technique less accurate due to soundness issues. In [110], Yin et al. proposed a methodology based on non-linear SMT assisted by simulation. They used the Bayesian inference rule to trade off the computational cost of simulation against the number of SMT enquiries. Modelling PLLs as hybrid systems, they verified their safety properties using reachability of unsafe states. Ishii et al. in [52] presented a SAT-modulo-ODE technique for model checking of non-linear hybrid automata, and verified the oscillation property of the TDO. They tightly integrated a SAT solver with hybrid constraints using an interval solver, thus enabling it to deal directly with ODEs without approximating them. Chao et al. in [27] proposed SMT-based reachability analysis using implicit integration methods to verify safety and liveness properties of arbiter circuits.
2.6.3 Deductive Methods (Theorem Proving)
Deductive methods establish proofs of mathematical theorems using a set of inference rules.
Unlike model checking, they do not suffer from state explosion; however, deductive
methods require user assistance in formulating the problem.
In [41], Gosh et al., using higher-order logic in the PVS theorem prover, verified
DC and small-signal properties of analog circuits. Their methodology used piecewise
linearized models of devices and VHDL for property specification. They applied the
methodology to small circuits consisting of operational amplifiers, resistors and tran-
sistors. Hanna in [46] abstracted digital circuits at the analog level, conservatively
specified the circuit by rectilinear regions, and then verified the specification against the im-
plementation using proof techniques. Al Sammane et al. in [83] converted the circuit
differential equations into a system of recurrence equations (SRE) using rewriting rules,
and verified the circuit properties by an induction proof method. Denman et al. in [30]
used the MetiTarski theorem prover and showed that, for certain values of the parameters,
a TDO does not oscillate if it does not cross certain thresholds of the state variables.
Though sound and complete, proof-based methods suffer from several problems which
hinder their use for AMS circuits. They need extensive input from the user to supply the
axioms required to establish the proofs. Secondly, because of the non-linear con-
tinuous nature of analog circuits, closed-form solutions cannot be found, and therefore
approximate set-theoretic methods have to be used.
2.6.4 Run Time Verification
The above AMS circuit verification approaches have proved useful only for small
block-level circuits of a few dimensions. The computation time of almost all of
these methods increases exponentially with the dimensionality of the AMS circuit. There-
fore, other lightweight verification methods have also been used for AMS circuit verifi-
cation.
In [28], Dastidar et al. presented a simulation method in which they generated a
finite state machine (FSM) from a set of simulation traces, where current, voltage, and
time are the state variables. Properties defined in the AnaCTL (CTL-like) specifi-
cation language were checked by simulating the FSM discrete model of the circuit.
In [70], Maler et al. presented signal temporal logic (STL) for specifying temporal
properties of analog signals in dense time. In addition, they presented a monitoring
procedure for these properties to verify analog circuits. They implemented their work in the AMT tool
and verified flash memory and DDR2 DRAM designs. In [54], Jesser et al. presented a property
assertion based approach to verify AMS circuits. Recognizing the gap
between analog and digital assertions, they came up with mixed analog-digital signal
assertions, and verified a ΔΣ circuit. Zaki et al. in [111] illustrated an interval arith-
metic based simulation approach to verify CTL (Computation Tree Logic) properties
of AMS circuits. In [5], Al Sammane et al. presented a monitoring algorithm for PSL
properties of analog circuits. Furthermore, probabilistic model checking has been used
in [21].
2.6.5 Oscillator Verification
An important property that has been verified for oscillator circuits is global con-
vergence to a limit cycle. In [38], the authors verified time-domain properties of a TDO
using the tool PHAVer. They showed that the variations in amplitude and jitter of
the oscillator behaviour are bounded. [30] used the MetiTarski theorem prover and
showed that for certain values of the parameters a TDO does not oscillate if it does not
cross certain thresholds of the state variables; finding such thresholds is difficult for a
nonlinear circuit model. A similar approach has been adopted in [45] for proving that
a TDO oscillates for all possible initial conditions using an ACTL specification and
CheckMate. Steinhorst et al. in [87] showed oscillations in a TDO and in ring oscilla-
tors using visualization techniques. Though complex behaviours in the state space can
be visualized, the absence of higher harmonics in the oscillation was not formally verified. The
RO start-up problem, identified in [56], has been taken up in [44] and [57]. These are based
on finding the absence of a stable DC equilibrium point. While the former uses small-signal
analysis around the equilibrium point, the latter puts constraints on the node voltages to
establish the stability of equilibrium points. Both these approaches are very localized and
cannot capture the global behaviour of non-linear ring oscillator circuits. Chao et
al. [108] verified oscillator start-up using techniques from dynamical systems theory.
Frequency-domain approaches, on the other hand, are limited to small-signal AC
analysis of a more approximate model linearized around an equilibrium point. In [49],
the author computed value sets of a transfer function for parameter variations and
a range of frequencies using interval arithmetic. It was shown that the method was
computationally very expensive, and that its extension to non-linear circuits modelled as
piecewise affine would be a difficult task. Similarly, [64] derived amplitude and phase
envelopes of a family of interval rational transfer functions for continuous-time systems.
[30] used MetiTarski to prove that the magnitude of the transfer function of a small
operational amplifier is bounded for a range of frequencies.
Chapter 3
Verifying the Inevitability of
Phase-Locking in CP PLL
This chapter discusses a deductive-bounded verification approach for the inevitability
of phase-locking in a CP PLL. In the first part of the chapter, we propose a mixed
deductive-bounded methodology for the inevitability verification of a CP PLL. The
second part talks about a deductive-only verification methodology for the same purpose.
In the mixed deductive-bounded methodology, we verify the inevitability of phase-
locking in a CP PLL by adopting a two-pronged verification approach. Due to the
complexity of the property, we divide the inevitability property into the
conjunction of two sub-properties. These two properties determine the truth value of
the inevitability property in two disjoint subsets of the state space. The first property
specifies that, in a compact attractive invariant set, all system trajectories eventually
converge to the equilibrium locking state. The second property specifies that the
set where the first property holds is reachable from the set of all outside states. The
first property is verified by determining an attractive invariant set using the deduc-
tive Lyapunov certificate for the stability of the HDS. This is achieved by constructing
multiple Lyapunov certificates for the different continuous flow maps of the CP PLL HDS.
The maximized level surfaces of these Lyapunov certificates characterize the sub-level
sets whose union is the attractive invariant set. We take advantage of both deductive
and bounded approaches to verify the second property. Using bounded advection of level
sets, introduced in Sec. 2.5.1.2, and a deductive Escape certificate, we show that the
attractive invariant set is reachable from every state outside it. The deductive-bounded
verification approach involves checking the positivity/negativity of real polynomials, which
41
3. Inevitability of CP PLL
Figure 3.1: CP PLL, Left: Third Order CP PLL, Right: Fourth order LF
is an NP-hard problem. We therefore use the sound but incomplete SOS relaxation,
discussed in Sec. 2.4.2, for the verification of polynomial positivity/negativity.
The deductive-only verification methodology is a certificate-based verification of the
inevitability of phase-locking in higher order CP PLL circuits. Similar to the deductive-
bounded approach, here too we divide the inevitability property into the conjunction
of two sub-properties. Verification of these two properties determines the truth value of
the inevitability property in two disjoint subsets of the state space. The first property is
verified using the Lyapunov certificate based deductive approach, as in the mixed
deductive-bounded methodology. To verify the second property, we use the Escape
certificate, showing that trajectories in the second set eventually escape it and reach
the set where the first property is satisfied.
3.1 Preliminaries of the Verification Methodologies
3.1.1 HDS Modelling of CP PLL
A PLL circuit is responsible for tracking the phase and frequency of its input. In its
simplest form, a CP PLL circuit consists of a reference signal, a phase frequency detector
(PFD), a charge pump (CP), a loop filter (LF), a VCO and a frequency divider. In this
thesis, we consider the single-path higher order CP PLL discussed in [103] and shown
in Fig. 3.1. There we show a third order CP PLL; the fourth order CP PLL
is the same but has a fourth order LF instead. Furthermore, though we discuss the HDS
modelling of a third order CP PLL, it is applicable to a CP PLL of any order.
Following the top-down modelling strategy of Sec. 2.2, we use a behavioural model of
the CP PLL. We consider a linear model for the VCO, a linear model for the LF, and a
piecewise continuous model for the PFD. Due to the low cut-off frequency of the LF,
the overall bandwidth of the closed-loop CP PLL system is very low compared to the
operating frequency of the VCO. Therefore, the high frequency non-linear transients
Figure 3.2: Piece-wise Continuous Behaviour of PFD, Cyan Solid: φ_VCO, Red Dotted: φ_ref (axis ticks at multiples of 2π)
of the VCO have a negligible effect on the overall behaviour of the CP PLL. Therefore,
our linear model assumption for the VCO is realistic and reduces the complexity of the
overall model. We denote by $\phi_{ref}$ and $\phi_{VCO}$ the phases of the reference and VCO
output feedback signals respectively.
We model the CP PLL using the formal HDS model described in Sec. 2.1.2. This
is done such that the non-linearity of the PFD is modelled as a piecewise continuous
signal. Ignoring the cycle-slip phenomenon, the PFD output, in the form of the CP
current $I_p$, is given by the following piecewise linear inclusion:
$$
I_p \in
\begin{cases}
[\underline{I}{}^{U}_p,\ \overline{I}{}^{U}_p] & \text{UP}=1,\ \text{Down}=0,\quad 0 \le \phi_{VCO} < 2\pi \le \phi_{ref} \\
[\underline{I}{}^{D}_p,\ \overline{I}{}^{D}_p] & \text{UP}=0,\ \text{Down}=1,\quad 0 \le \phi_{ref} < 2\pi \le \phi_{VCO} \\
[0,\ 0] & \text{UP}=0,\ \text{Down}=0,\quad 0 \le \phi_{VCO},\ \phi_{ref} < 2\pi
\end{cases}
\qquad (3.1)
$$
The three operating modes of the PFD are pictorially shown in Fig. 3.2. Here all
phases except 2π are normalized by 2π. The plot at the top shows φref is leading both
φV CO and the 2π threshold. Similarly, the middle plot is the case when φV CO leads
both φref and the 2π threshold, whereas the bottom plot shows both φV CO and φref
lagging the 2π threshold. We denote these three modes as mode1 (UP=0, Down=0),
mode2 (UP=1, Down=0) and mode3 (UP=0, Down=1). The transition from one mode
to another is based on the reference and feedback signals hitting the 2π threshold. Due
to the cyclic behaviour of the PLL, and to keep the analysis modulo 2π, we need to
Figure 3.3: Hybrid Model of CP PLL. Modes: (Up=1, Down=0), (Up=0, Down=0), (Up=0, Down=1). Transitions out of (Up=0, Down=0): guard $\phi_{ref} \ge 2\pi$ with reset $\phi_{ref} := 0,\ \phi_{VCO} := \phi_{VCO} - 2\pi$, returning on $\phi_{VCO} \ge 0$; guard $\phi_{VCO} \ge 2\pi$ with reset $\phi_{VCO} := 0,\ \phi_{ref} := \phi_{ref} - 2\pi$, returning on $\phi_{ref} \ge 0$.
ensure the phases remain in the range 0 ≤ φV CO, φref < 2π after resetting the PFD.
This is achieved by resetting the two phases such that,
φref := 0, φV CO := φV CO − 2π, (3.2)
φV CO := 0, φref := φref − 2π, (3.3)
while taking transitions from mode1 to mode2 and mode1 to mode3, respectively. Iden-
tity resets are used for transitions from mode2 to mode1 and mode3 to mode1. The
HDS model of the CP PLL is shown in Fig. 3.3. Our model consists of the state vari-
ables, φV CO, φref , voltage v1 across the capacitor C1, and the voltage v2 across the
capacitor C2 (fourth order has an additional voltage variable across the third capaci-
tor). Let fV CO, and fref , represent frequencies of the VCO output and the reference
signal respectively. If $K_p$ is the gain of the VCO (in rad/s per volt of $v_2$), then
$$ f_{VCO} = \frac{K_p v_2}{2\pi} + f_O \qquad (3.4) $$
where $f_O$ is the free-running frequency of the VCO. Therefore,
$$ \dot{\phi}_{VCO} = \frac{2\pi f_{VCO}}{N}, \qquad \dot{\phi}_{ref} = 2\pi f_{ref} \qquad (3.5) $$
By Kirchhoff's current law, the two voltages $v_1$ and $v_2$ across $C_1$ and $C_2$ are given by
the following two equations,
$$ \dot{v}_1 = -\frac{1}{RC_1} v_1 + \frac{1}{RC_1} v_2 \qquad (3.6) $$
$$ \dot{v}_2 = \frac{1}{RC_2} v_1 - \frac{1}{RC_2} v_2 + \frac{I_p}{C_2} \qquad (3.7) $$
Therefore, depending on the three modes of the PFD, we get the following HDS model
of the third order CP PLL (similarly for the fourth order), with state $x = [v_1\ v_2\ \phi_{ref}\ \phi_{VCO}]^T$,
$$
H = \begin{cases}
\dot{x} = A x + B I_p + c, & x \in C, \\
x^{+} = G_i(x), & x \in D.
\end{cases}
\qquad (3.8)
$$
Here,
$$
A = \begin{bmatrix}
-1/RC_1 & 1/RC_1 & 0 & 0 \\
1/RC_2 & -1/RC_2 & 0 & 0 \\
0 & 0 & 0 & 0 \\
0 & K_p/N & 0 & 0
\end{bmatrix},\qquad
B = \begin{bmatrix} 0 \\ 1/C_2 \\ 0 \\ 0 \end{bmatrix},\qquad
c = \begin{bmatrix} 0 \\ 0 \\ 2\pi f_{ref} \\ 2\pi f_O/N \end{bmatrix},
$$
$$ F(x, u) = A x + B I_p + c, $$
$$ F_1(x, u) = \left\{ A x + B I_p + c,\ I_p \in [0,\ 0] \;\middle|\; \phi_{ref} \ge 0 \text{ or } \phi_{VCO} \ge 0 \right\}, $$
$$ F_2(x, u) = \left\{ A x + B I_p + c,\ I_p \in [\underline{I}{}^{U}_p,\ \overline{I}{}^{U}_p] \;\middle|\; \phi_{ref} \ge 2\pi \right\}, $$
$$ F_3(x, u) = \left\{ A x + B I_p + c,\ I_p \in [\underline{I}{}^{D}_p,\ \overline{I}{}^{D}_p] \;\middle|\; \phi_{VCO} \ge 2\pi \right\}, $$
$$ C = \left\{ x \;\middle|\; -10 \le v_1 \le 10,\ -10 \le v_2 \le 10,\ -2\pi \le \phi_{ref} \le 2\pi,\ -2\pi \le \phi_{VCO} \le 2\pi \right\}, $$
$$ D = \{ x \mid \phi_{ref} \ge 2\pi \} \cup \{ x \mid \phi_{VCO} \ge 0 \} \cup \{ x \mid \phi_{VCO} \ge 2\pi \} \cup \{ x \mid \phi_{ref} \ge 0 \}, $$
where each of the four guards is enabled only in the mode shown in Fig. 3.3, and
$$ G_1(x) = \begin{bmatrix} v_1 \\ v_2 \\ 0 \\ \phi_{VCO} - 2\pi \end{bmatrix} \ \text{for } \phi_{ref} \ge 2\pi, \qquad
G_2(x) = \begin{bmatrix} v_1 \\ v_2 \\ \phi_{ref} - 2\pi \\ 0 \end{bmatrix} \ \text{for } \phi_{VCO} \ge 2\pi, $$
$$ G_{3\text{ or }4}(x) = \begin{bmatrix} v_1 \\ v_2 \\ \phi_{ref} \\ \phi_{VCO} \end{bmatrix} \ \text{for } \phi_{ref} \ge 0 \text{ or } \phi_{VCO} \ge 0. $$
The desired behaviour of the CP PLL output is such that we have a periodic limit
cycle in the φref , φV CO plane. This is shown in the simulation traces in Fig. 3.4. Here
φref and φV CO, are normalized by 2π, and the simulation time is in micro-seconds. As
can be seen in Fig. 3.4, state variables φref and φV CO do not converge to zero, and
the system has a limit cycle like behaviour in the (φref , φV CO) plane. To apply the
Lyapunov certificate based stability analysis discussed in Sec. 2.3.2, we need to have
equilibrium at the origin. Therefore, we apply a change of coordinates and introduce a new
variable, $\phi_D = \phi_{ref} - \phi_{VCO}$, such that the new HDS $H'$ has the equilibrium state
$$ x_e = \begin{bmatrix} v_1 & v_2 & \phi_D \end{bmatrix}^T = \begin{bmatrix} 0 & 0 & 0 \end{bmatrix}^T $$
Figure 3.4: Simulation Plots of the CP PLL Hybrid System (panels: φref − φVCO vs v1; v2 vs v1; φref − φVCO vs v2; φVCO vs φref; number of transitions vs time (micro-seconds); φref − φVCO vs time (micro-seconds))
Note that this change of variable not only shifts the equilibrium to the origin for the
new HDS H′ , but reduces the number of system dimensions by one as well. This is a
by-product of this variable transformation which reduces the computation cost of the
verification. Accordingly, we also make the necessary changes in Ip, A, B, C, D, andGi.
Remark 3.1. This change of state variables transforms all jump maps Gi into identity
maps, i.e. Gi(x) = x, since the same constant 2π is subtracted from φV CO and φref ,
leaving their difference φref − φV CO before and after the jumps unchanged.
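As an added worked derivation, not part of the thesis text, the flow of $H'$ in the coordinates $x' = [v_1\ v_2\ \phi_D]^T$ follows by subtracting the fourth row of (3.8) from the third and using (3.4) and (3.5):
$$
\dot{\phi}_D = \dot{\phi}_{ref} - \dot{\phi}_{VCO} = 2\pi f_{ref} - \frac{K_p v_2 + 2\pi f_O}{N},
$$
so that $\dot{x}' = A' x' + B' I_p + c'$ with
$$
A' = \begin{bmatrix}
-1/RC_1 & 1/RC_1 & 0 \\
1/RC_2 & -1/RC_2 & 0 \\
0 & -K_p/N & 0
\end{bmatrix},\qquad
B' = \begin{bmatrix} 0 \\ 1/C_2 \\ 0 \end{bmatrix},\qquad
c' = \begin{bmatrix} 0 \\ 0 \\ 2\pi f_{ref} - 2\pi f_O/N \end{bmatrix}.
$$
Setting $\dot{x}' = 0$ in mode1 ($I_p = 0$) gives $v_1 = v_2 = v_e$ with $K_p v_e = 2\pi (N f_{ref} - f_O)$. Hence $x_e = 0$ is an equilibrium of $H'$ exactly when the VCO free-running frequency satisfies $f_O = N f_{ref}$; for other parameter values the voltages must additionally be shifted by $v_e$ before the Lyapunov analysis of Sec. 2.3.2, which requires the equilibrium at the origin, is applied.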
Let us denote by $x(t, j)$ the solution of the HDS $H'$. We now define the inevitability property
for the HDS $H'$ in the following definition.
Definition 3.1 (Inevitability of Equilibrium). The equilibrium point $x_e$ is said to be
inevitable if $\lim_{t+j \to \infty} x(t, j) = x_e$ for all $x(0, j) \in X_{H'}$.
For all practical purposes, the origin of the hybrid state space $X_{H'}$ is not invariant; rather,
a small ball $B_r = \{ y \in X_{H'} \mid \|y - x_e\| \le r \}$ around the origin $x_e = 0$
acts as an invariant equilibrium set for the system. In this thesis, we verify the
inevitability of the equilibrium state at the origin, which can easily be extended to the
inevitability of a ball Br around the equilibrium.
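The following script is an added example, not code from the thesis: it integrates the HDS of Sec. 3.1.1 (flows (3.4)-(3.7), modes of (3.1), guards of Fig. 3.3 and resets (3.2)-(3.3)) with a fixed-step Runge-Kutta scheme that shortens each step to land exactly on the next guard crossing, so the resets are applied at $\phi = 2\pi$ as in the continuous-time model rather than after an overshoot. Every component value (R, C1, C2, |Ip|, Kp, N, fref, fO) is a constructed assumption, since the thesis gives none; the mode, guard and reset logic follows the text. Along the trajectory it records the two invariants the analysis relies on, namely that both phases stay within the range of the flow set $C$ and that $\phi_D = \phi_{ref} - \phi_{VCO}$ is unchanged by every jump (Remark 3.1), and with the chosen values the state settles to the locked equilibrium of Definition 3.1 ($\phi_D \to 0$, $v_2 \to (N f_{ref} - f_O)\,2\pi/K_p = 0.2$ V).

```python
"""Hybrid-system simulation of the CP PLL model of Sec. 3.1.1 (added example)."""
import math

TWO_PI = 2.0 * math.pi

# Constructed, hypothetical component values; the thesis states no numbers.
PARAMS = {
    "R": 1.0e4,            # loop filter resistor R [ohm]
    "C1": 1.0e-9,          # capacitor C1 [F]
    "C2": 2.0e-11,         # capacitor C2 [F]
    "Ip": 1.0e-4,          # charge-pump current magnitude |I_p| [A]
    "Kp": TWO_PI * 1.0e7,  # VCO gain K_p [rad/s per V], Eq. (3.4)
    "N": 10.0,             # divider ratio N
    "f_ref": 1.0e7,        # reference frequency f_ref [Hz]
    "f_O": 9.8e7,          # VCO free-running frequency f_O [Hz]
}

MODE1, MODE2, MODE3 = 1, 2, 3                   # (UP, Down) = (0,0), (1,0), (0,1)
PUMP = {MODE1: 0.0, MODE2: 1.0, MODE3: -1.0}    # sign of I_p per mode, Eq. (3.1)
TOL = 1e-7                                      # guard tolerance [rad]


def flow(x, mode, p):
    """Flow map F_i(x) of Eqs. (3.4)-(3.7); state x = (v1, v2, phi_ref, phi_vco)."""
    v1, v2, _phi_ref, _phi_vco = x
    ip = PUMP[mode] * p["Ip"]
    dv1 = (-v1 + v2) / (p["R"] * p["C1"])                   # Eq. (3.6)
    dv2 = (v1 - v2) / (p["R"] * p["C2"]) + ip / p["C2"]     # Eq. (3.7)
    f_vco = p["Kp"] * v2 / TWO_PI + p["f_O"]                 # Eq. (3.4)
    return (dv1, dv2, TWO_PI * p["f_ref"], TWO_PI * f_vco / p["N"])  # Eq. (3.5)


def rk4_step(x, mode, p, h):
    """One classical Runge-Kutta step of length h within the current mode."""
    k1 = flow(x, mode, p)
    k2 = flow(tuple(xi + 0.5 * h * ki for xi, ki in zip(x, k1)), mode, p)
    k3 = flow(tuple(xi + 0.5 * h * ki for xi, ki in zip(x, k2)), mode, p)
    k4 = flow(tuple(xi + h * ki for xi, ki in zip(x, k3)), mode, p)
    return tuple(xi + h / 6.0 * (a + 2 * b + 2 * c + d)
                 for xi, a, b, c, d in zip(x, k1, k2, k3, k4))


def guards(mode):
    """Guards enabled in each mode (Fig. 3.3) as (state index, threshold) pairs."""
    if mode == MODE1:
        return [(2, TWO_PI), (3, TWO_PI)]   # phi_ref >= 2pi, phi_vco >= 2pi
    if mode == MODE2:
        return [(3, 0.0)]                   # phi_vco >= 0
    return [(2, 0.0)]                       # phi_ref >= 0


def jump(x, mode):
    """Jump map G_i: resets (3.2)/(3.3) into mode2/mode3, identity back to mode1."""
    v1, v2, pr, pv = x
    if mode == MODE1:
        if pr >= TWO_PI - TOL:              # reference reached 2pi first, Eq. (3.2)
            return (v1, v2, 0.0, pv - TWO_PI), MODE2
        if pv >= TWO_PI - TOL:              # VCO reached 2pi first, Eq. (3.3)
            return (v1, v2, pr - TWO_PI, 0.0), MODE3
    elif mode == MODE2 and pv >= -TOL:
        return x, MODE1
    elif mode == MODE3 and pr >= -TOL:
        return x, MODE1
    return x, mode


def simulate(t_end=4.0e-5, dt=1.0e-9, p=PARAMS, x0=(0.0, 0.0, 0.0, 0.0)):
    """Integrate the HDS from x0 and return the final state plus recorded invariants."""
    x, mode, t = x0, MODE1, 0.0
    jumps, max_dphi_d_at_jump, max_abs_phase = 0, 0.0, 0.0
    while t < t_end:
        # Event localisation: shorten the step so that it ends on the next guard.
        rates = flow(x, mode, p)
        h = min(dt, t_end - t)
        for idx, thr in guards(mode):
            if rates[idx] > 0.0:
                tau = (thr - x[idx]) / rates[idx]
                if 0.0 < tau < h:
                    h = tau
        x = rk4_step(x, mode, p, h)
        t += h
        # Apply every enabled jump; phi_D must be unchanged by each (Remark 3.1).
        while True:
            x_new, mode_new = jump(x, mode)
            if mode_new == mode:
                break
            max_dphi_d_at_jump = max(max_dphi_d_at_jump,
                                     abs((x_new[2] - x_new[3]) - (x[2] - x[3])))
            jumps += 1
            x, mode = x_new, mode_new
        max_abs_phase = max(max_abs_phase, abs(x[2]), abs(x[3]))
    return {"state": x, "phi_D": x[2] - x[3], "jumps": jumps,
            "max_dphi_d_at_jump": max_dphi_d_at_jump, "max_abs_phase": max_abs_phase}


if __name__ == "__main__":
    print(simulate())
```

The guard-localised step is what makes the recorded jump invariant meaningful: with plain fixed steps the reset `phi_ref := 0` would discard the overshoot past $2\pi$ and $\phi_D$ would drift by up to one step's worth of phase per cycle, which the verification of Sec. 3.2 never has to account for because it reasons about the continuous-time model.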
3.1.2 Attractive Invariance of a Set and Escape of trajectories from
a Set
Contrary to the safety properties, where existence of an invariant set having an empty
intersection set with the unsafe state is sufficient for proving/dis-proving the property,
we use the concept of “attractive invariants” for an inevitability property. Furthermore,
we use another important concept which characterizes the escape of solutions of the
HDS from a compact set. For the HDS model H′ of the CP PLL, an attractive invariant
set is a compact semi-algebraic set where its solutions set remains forever and eventually
converge to the equilibrium locking state. Proving that a set is attractive invariant,
with respect to an equilibrium, is a difficult problem to solve. We use the Lyapunov
certificate, discussed in Sec. 2.3.2 for the HDS, and construct an attractive invariant
set with respect to the equilibrium state xe = 0.
Proposition 3.1. For the HDS $H'$ of the CP PLL, the set $X_{AI} \subset X_{H'}$ is called an
attractive invariant if there are multiple Lyapunov certificates $V_i(x)$, $\forall i \in I_C$, satisfying
the conditions of Th. 2.3, and the following condition holds,
$$ X_{AI} = \bigcup_i (V_i \le c_{max}) \subset X_{H'}, \qquad c_{max} > 0. \qquad (3.9) $$
Proof. Follows directly from Th. 2.3.
Another important characteristic of HDS solutions in a semi-algebraic set is the
Escape from the set property. Escape from a set is the dual of invariance of a set: a set
fulfilling this property cannot be an invariant set, and all possible solutions of
the HDS escape from it in bounded time. Similar to the attractive invariance property
of a set, we verify the Escape property of a set using a Lyapunov like certificate called
the Escape certificate. This certificate is illustrated in the following proposition.
Proposition 3.2. For a compact set $X_e \subset X_{H'}$, if there is a differentiable Escape
certificate $E : \mathbb{R}^n \to \mathbb{R}$ and $\epsilon > 0$ such that
$$ \frac{\partial E}{\partial x}(x)\, F_i(x, u) \le -\epsilon, \qquad \forall x \in X_e,\ \forall u \in U,\ \forall i \in I_C, \qquad (3.10) $$
then for every solution with $x(t, j) \in X_e$ there is a finite $T > 0$ such that $x(t + T, j) \notin X_e$.
Proof. Assume that there exists $x_0 \in X_e$ such that the solution $x(t, j)$ starting at $x_0$ remains in $X_e$
as $t \to \infty$. Since the jump maps of $H'$ are the identity, $E$ does not change across jumps, and
integrating (3.10) along the flow gives
$$ E(x(t, j)) = E(x_0) + \int_0^t \frac{\partial E}{\partial x}(x(\tau, j))\, F_i(x(\tau, j), u)\, d\tau \le E(x_0) - \epsilon t. $$
As $t \to \infty$, $E(x(t, j)) \to -\infty$. This contradicts the assumption, since $E$ is continuous and hence bounded
from below on the compact set $X_e$. Therefore, $x(t, j)$ has to escape $X_e$ in finite time.
While verifying inevitability of CP PLL, we make use of Prop. 3.2 and borrow a
lemma from [61, Lemma 4.1] extended for HDS. This is to show that if Escape of
solutions from a set is verified, they must eventually reach an invariant set. This is
stated in the following lemma for an HDS.
Lemma 3.1. If the hybrid arc x(t, j) is bounded and belongs to a set X ⊂ XH′ for the
hybrid time (t, j) ≥ 0, then x(t, j) approaches a compact invariant set as (t, j)→∞.
Proof. See [61, Lemma 4.1].
Proposition 3.3. Let $X_{H'} = X_1 \cup X_2$, $X_1 \cap X_2 = \emptyset$, and assume that $X_1$ is an
invariant set. If there is an Escape certificate in the set $X_2$ satisfying the conditions of
Prop. 3.2, then for all $x(0, j) \in X_2$ there is a $b \ge 0$ such that $\lim_{t \to b} x(t, j) \in X_1$.
Proof. Follows directly from Lemma 3.1. Since the existence of an Escape certificate
guarantees that trajectories will leave the set $X_2$, they must reach the in-
variant set $X_1$.
3.1.3 Bounded Advection of Level Sets in HDS
In the mixed deductive-bounded verification methodology, we use bounded advection
of level sets, described in Sec. 2.5.1.2, to verify a sub-property of the inevitability. In
this section, we extend this advection of level sets to HDS. We assume identity
reset maps, as is the case for the transformed HDS model of the CP PLL.
Let us define a hybrid flow map $\Psi : \mathbb{R}^n \times T \to \mathbb{R}^n$ for the CP PLL HDS $H'$.
Furthermore, let us denote by $C(\mathbb{R}^n, \mathbb{R})$ the set of all differentiable maps from
Euclidean space to the real numbers. For polynomials $P_1 \in C(\mathbb{R}^n, \mathbb{R})$ and $P_2 \in
C(\mathbb{R}^n, \mathbb{R})$, an advection operator $A_t$, for $t : (t, j) \in T$, is a map
$$ A_t : C(\mathbb{R}^n, \mathbb{R}) \to C(\mathbb{R}^n, \mathbb{R}), \qquad t \in I_j : (t, j) \in T,\ j \in \mathbb{N} \qquad (3.11) $$
such that
$$ P_2 = A_t P_1 \qquad (3.12) $$
and
$$ P_2(x) = P_1(\Psi_{-t}(x)) \quad \text{for all } x \in X_{H'}. \qquad (3.13) $$
This advection operator has the important property of linearity, and it carries zero sub-level
sets along with the flow. For polynomial functions $U_1, U_2 \in C(\mathbb{R}^n, \mathbb{R})$, if
$$ U_2 = A_t U_1, \qquad t : (t, j) \in T $$
then
$$ Z(U_2) = A_t(Z(U_1)), \qquad t : (t, j) \in T \qquad (3.14) $$
where $Z(\cdot)$ is the zero sub-level set as defined in Sec. 2.4.4. Similar to the advection of
level sets in the CDS discussed in Sec. 2.5.1.2, we use an approximation to the flow map
$A_h$, with the exception that for each $i \in I_C$ we have a different approximation to the
advection map $A^i_h$, where $h = t_2 - t_1$, $(t_1, j) \in T$, $(t_2, j) \in T$. For example,
a first-order Taylor approximation yields the following advection of a set,
$$ U = B^i_h V, \quad \text{if } U(x) = V(x) - h\, \frac{\partial V}{\partial x}(x)\, F_i(x, u), \qquad x \in C_i,\ i \in I_C \qquad (3.15) $$
Here $B^i_h : C(\mathbb{R}^n, \mathbb{R}) \to C(\mathbb{R}^n, \mathbb{R})$ is the first-order Taylor approximation to $A^i_h$. Similar
to the CDS, the product $B^i_h V$ results in a polynomial of degree higher than $V$;
therefore, a conservative approximation to the advected level sets is used. Introducing
an approximation parameter $\mu_i \in \mathbb{R}_{\ge 0}$, we conservatively approximate the zero sub-
level set of a polynomial $q$ by backward advecting the polynomial $p$ such that
$$ Z(q) \subset Z(B^i_{-h}\, p) \subset Z(q - \mu_i), \qquad i \in I_C \qquad (3.16) $$
To incorporate the truncation error of the Taylor approximation, let us introduce $\eta_i$
such that $\left\| \nabla^2 p\, \frac{h^2}{2} \right\| \le \eta_i$. This requires that
$$ Z(B^i_{-h}\, p + \eta_i) \subset Z(A^i_{-h}\, p) \subset Z(B^i_{-h}\, p - \eta_i) \qquad (3.17) $$
This implies that
$$ Z(q) \subset Z(B^i_{-h}\, p + \eta_i) \subset Z(A^i_{-h}\, p) \subset Z(B^i_{-h}\, p - \eta_i) \subset Z(q - \mu_i) \qquad (3.18) $$
We incorporate these set inclusions as a SOS program which will be discussed later in
this chapter.
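As an added example, not code from the thesis, the following small polynomial toolkit implements the first-order Taylor advection $B^i_h$ of (3.15) for a polynomial vector field $F_i$ given as a list of component polynomials, and a sampled check of the inclusion chain $Z(q) \subset Z(B^i_{-h} p) \subset Z(q - \mu_i)$ of (3.16) that returns the smallest slack $\mu_i$ holding on a grid. The vector fields used in the test are constructed toy fields (a contracting linear field and a cubic one); the grid check is a debugging aid for choosing $\mu_i$ and degree bounds, not a substitute for the SOS encoding of these inclusions, which is what certifies them.

```python
"""Taylor advection of polynomial level sets, Eqs. (3.15)-(3.16) (added example)."""
from itertools import product

# A polynomial in n variables is a dict {exponent tuple: coefficient}; constructed
# helper code for this example, not from the thesis.

def p_add(a, b, scale=1.0):
    """Return a + scale * b, dropping numerically vanishing terms."""
    out = dict(a)
    for m, c in b.items():
        out[m] = out.get(m, 0.0) + scale * c
    return {m: c for m, c in out.items() if abs(c) > 1e-15}


def p_mul(a, b):
    """Return the product a * b."""
    out = {}
    for (ma, ca), (mb, cb) in product(a.items(), b.items()):
        m = tuple(i + j for i, j in zip(ma, mb))
        out[m] = out.get(m, 0.0) + ca * cb
    return {m: c for m, c in out.items() if abs(c) > 1e-15}


def p_diff(a, var):
    """Partial derivative of a with respect to the variable with index var."""
    out = {}
    for m, c in a.items():
        if m[var] > 0:
            mm = list(m)
            mm[var] -= 1
            out[tuple(mm)] = out.get(tuple(mm), 0.0) + c * m[var]
    return out


def p_eval(a, x):
    """Evaluate a at the point x."""
    total = 0.0
    for m, c in a.items():
        term = c
        for xi, e in zip(x, m):
            term *= xi ** e
        total += term
    return total


def p_degree(a):
    """Total degree of a (0 for the zero polynomial)."""
    return max((sum(m) for m in a), default=0)


def taylor_advect(V, F, h):
    """B^i_h V of Eq. (3.15): U(x) = V(x) - h * (dV/dx)(x) . F_i(x).

    F is the list of polynomial components of the flow map of mode i. A negative h
    gives the backward advection B^i_{-|h|} used in Eq. (3.16)."""
    lie = {}
    for k, Fk in enumerate(F):
        lie = p_add(lie, p_mul(p_diff(V, k), Fk))   # Lie derivative dV/dx . F
    return p_add(V, lie, scale=-h)


def inclusion_margin(q, p, box, grid=25):
    """Sampled check of Z(q) ⊂ Z(p) ⊂ Z(q - mu) with Z(f) = {x : f(x) <= 0}.

    box is a list of (lo, hi) per variable. Returns the smallest mu >= 0 for which
    the right inclusion holds at every grid point, or None if the left inclusion
    Z(q) ⊂ Z(p) is violated at some grid point."""
    axes = [[lo + (hi - lo) * t / (grid - 1) for t in range(grid)] for lo, hi in box]
    mu = 0.0
    for x in product(*axes):
        qx, px = p_eval(q, x), p_eval(p, x)
        if qx <= 0.0 and px > 0.0:
            return None
        if px <= 0.0:
            mu = max(mu, qx)
    return mu
```

For the contracting field $F = (-x, -y)$ and $V = x^2 + y^2$, backward advection by $h = 0.1$ yields $B_{-h} V = 0.8\,V$, so the unit disc $Z(V - 1)$ sits inside the advected set $Z(0.8 V - 1)$ with slack $\mu = 0.25$ at its boundary; for a cubic field the advected polynomial has degree 4 even though $V$ is quadratic, which is the degree growth that forces the conservative approximation of (3.16).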
3.2 Mixed Deductive-Bounded Verification Methodology
The first approach that we present to verify the inevitability of the equilibrium of
the HDS model $H'$ is mixed deductive-bounded verification. The idea is to split the
verification task into two smaller tasks and verify them using deductive and mixed
deductive-bounded verification approaches respectively. This helps the tractability of the problem
and reduces the overall computational cost of the verification. Essentially, we introduce
two compact sets $S_1$ and $S_2$ such that $S_1 \cap S_2 = \emptyset$ and $S_1 \cup S_2 = X_{H'}$. This is
pictorially depicted in Fig. 3.5. We define two sub-properties on these two sets such that
the verification of the inevitability of phase-locking reduces to the verification of
the conjunction of these two properties. These two sub-properties are formally defined
as follows,
Property 3.1. $\forall x(0, j) \in S_1$: $\lim_{t \to \infty} x(t, j) = x_e$.
Property 3.2. $\forall x(0, j) \in S_2 = X_{H'} \setminus S_1$: $\lim_{t \to b} x(t, j) \in S_1$ for some $b \in \mathbb{R}_{> 0}$.
If we denote the inevitability property by ϕ, Property. 3.1 by ϕ1 and Property. 3.2 by
ϕ2, then,
ϕ = ϕ1 ∧ ϕ2 (3.19)
A hybrid arc x satisfies ϕ, iff, it satisfies ϕ1 in S1 and ϕ2 in S2 i.e.,
$$ \forall x \in X_{H'}:\quad x \models \varphi \iff (x \models \varphi_1\ \ \forall x \in S_1) \wedge (x \models \varphi_2\ \ \forall x \in S_2) \qquad (3.20) $$
Figure 3.5: Verification Methodology, Two Properties in Two Disjoint Subsets (S1: Deductive, S2: Deductive-Bounded)
3.2.1 Deductive Verification of ϕ1
The property ϕ1 is essentially characterizing attractive invariance of the set S1. As
stated in Prop. 3.1, a set can be proven to be an attractive invariant by using multi-
ple Lyapunov certificates for HDS. Therefore, we verify ϕ1 for the CP PLL HDS H′
using the deductive Lyapunov certificate approach. The following theorem gives a
sufficient condition for this purpose.
Theorem 3.1. For the HDS $H'$, if the set $S_1$ is an attractive invariant, then
$$ x \models \varphi_1, \qquad \forall x(0, j) \in S_1 \qquad (3.21) $$
where
$$ S_1 = \bigcup_i (V_i \le \gamma^i_{max}), \qquad \gamma^i_{max} > 0,\ i \in \{1, \ldots, \ell\}. \qquad (3.22) $$
Proof. Follows directly from Prop. 3.1. Attractive invariance of the set $S_1$ ensures that
every hybrid arc $x$ of the HDS $H'$ starting in $S_1$ eventually converges to the equilibrium state $x_e$, and
hence is a model of $\varphi_1$.
Algorithm 1 Verification of Property ϕ1
INPUT: HDS Model of CP PLL
OUTPUT: ϕ1 Verified/No-answer, S1
1: S1 ← ∅
2: for i ← 1 to ℓ do                                ; ℓ is the no. of discrete modes of the HDS
3:   Vi ← Parametrize(Vi)                           ; set degree d and coefficients of the polynomials Vi
4: end for
5: if Vi, ∀i ∈ {1,..,ℓ}, are feasible (fulfilling Th. 2.3) then
6:   Vmultiple ← {Vmultiple, Vi}, ∀i ∈ {1,..,ℓ}
7:   S1 ← ⋃i (Vmultiple(i) ≤ (γi)max), (γi)max > 0, i ∈ {1,..,ℓ}
8:   x ⊨ ϕ1, ∀x ∈ S1
9: else
10:  Vi ← Infeasible
11:  Increase degree d of Vi                        ; d is incremented by 2
12:  Goto Line 2 if d < b                           ; b is a user-defined upper bound on d
13: end if
14: if d = b and x ⊭ ϕ1, ∀x ∈ S1 then
15:  No answer about ϕ1
16: end if
17: return S1 and truth value of ϕ1
Therefore, to verify property $\varphi_1$, we search for multiple Lyapunov certificates satisfying
the conditions of Th. 2.3. Formally, the conditions of Th. 2.3 can be formulated as a FOF
over non-linear polynomials in the reals with universal-existential quantifiers.
Though there are techniques to eliminate quantifiers from such FOFs, their
worst-case complexity is doubly exponential in the number of variables, and
they are only practical for low-dimensional problems. Therefore, we make use
of SOS programming and numerically search for feasible Lyapunov certificates.
We verify ϕ1 following the steps underlined in Alg. 1. The truth value of ϕ1 depends
on the existence of the attractive invariant set S1. The set S1 is computed from the
maximized level sets characterized by the level surfaces of the candidate Lyapunov
certificates Vi, i ∈ {1, .., ℓ}. Alg. 1 is encoded as two separate SOS programs. The
input of the algorithm is the HDS model H′ of the CP PLL, whereas its output is the
truth value of the property ϕ1 and the set S1. The algorithm starts with initializing
the set S1 and parametrizing Lyapunov certificates Vi by setting up their degrees and
coefficients Line 2-3. Degree d is initially set up to be 2, and it is incremented by 2 in
each iteration of the algorithm. This is followed by searching for candidate certificates
Vi, Line-5. We encode this search as a SOS program following the S-procedure discussed
in Sec. 2.4.4. A similar procedure for constructing multiple Lyapunov certificates has
been given in [78]. Before illustrating the SOS program, we outline how flow sets defined
by Ci, and jump sets defined by Di are represented as semi-algebraic sets.
The $C_i$ of the HDS $H'$ can be represented as semi-algebraic sets as given below,
$$ C_i(x) = \{ x \in \mathbb{R}^n : g_{ik}(x) \ge 0,\ k \in \{1, \ldots, n_{C_i}\} \}, \qquad i \in \{1, \ldots, \ell\}. \qquad (3.23) $$
Here $g_{ik}(x)$ is a vector of polynomials, and the inequality conditions hold entry-wise.
For example, for the three-dimensional hypercube of the third order CP PLL HDS $H'$,
$g_{ik}(x)$ is given as
$$ g_{ik}(x) = \begin{bmatrix} (v_1 - v_1^L)(v_1^U - v_1) \\ (v_2 - v_2^L)(v_2^U - v_2) \\ (\phi_D - \phi_D^L)(\phi_D^U - \phi_D) \end{bmatrix} $$
where the superscripts $L$ and $U$ denote the lower and upper bounds of the hypercube in each variable.
Similarly, we represent the jump sets $D_i$ by the following semi-algebraic sets,
$$ D_i(x) = \{ x \in \mathbb{R}^n : h_{ik}(x) \ge 0,\ h_{i0}(x) = 0,\ k \in \{1, \ldots, n_{D_i}\} \}, \qquad i \in \{1, \ldots, \ell'\}. \qquad (3.24) $$
Here, apart from the inequality constraints $h_{ik}(x) \ge 0$, we have equality constraints
$h_{i0}(x) = 0$. Both are vectors of polynomials, and the constraints hold entry-wise.
We also represent the interval bounds on the parameters by the following vector of
polynomials,
$$ \{ a_j(u) \ge 0,\ j \in \{1, \ldots, m\} \} \qquad (3.25) $$
The SOS program that implements Line 5 of Alg. 1 is given below,
$$ V_i(0) = 0, \qquad \forall i \in I_0 \qquad (3.26) $$
$$ V_i(x) - \epsilon - \sum_{k=1}^{n_{C_i}} s_1^{(ik)}(x)\, g_{ik}(x) \in \mathcal{S}_n, \qquad \forall x \ne 0,\ i \in \{1, \ldots, \ell\},\ s_1^{(ik)} \in \mathcal{S}_n,\ \epsilon > 0, \qquad (3.27) $$
$$ -\frac{\partial V_i}{\partial x}(x)\, F_i(x, u) - \epsilon - \sum_{k=1}^{n_{C_i}} s_2^{(ik)}(x)\, g_{ik}(x) - \sum_{j=1}^{m} s_3^{(j)}(x)\, a_j(u) \in \mathcal{S}_n, $$
$$ \forall i \in \{1, \ldots, \ell\},\ \forall k \in \{1, \ldots, n_{C_i}\},\ \forall j \in \{1, \ldots, m\},\ (s_2^{(ik)}, s_3^{(j)}) \in \mathcal{S}_n,\ \epsilon > 0, \qquad (3.28) $$
$$ V_j(x) - V_{j'}(G_i(x)) - s_4^{(i0)}(x)\, h_{i0}(x) - \sum_{k=1}^{n_{D_i}} s_5^{(ik)}(x)\, h_{ik}(x) \in \mathcal{S}_n, $$
$$ \forall j, j' \in \{1, \ldots, \ell\},\ j \ne j',\ \forall i \in \{1, \ldots, \ell'\},\ \forall k \in \{1, \ldots, n_{D_i}\},\ s_4^{(i0)} \ge 0,\ s_5^{(ik)} \in \mathcal{S}_n. \qquad (3.29) $$
Here $V_i(x)$, $V_j(x)$, $V_{j'}(x)$, $s_1^{(ik)}$, $s_2^{(ik)}$, $s_3^{(j)}$, $s_4^{(i0)}$, $s_5^{(ik)}$ are polynomials of degree $d$, and
$I_0 \subseteq I_C$ is the set of indices of the modes containing the equilibrium.
In this SOS program, every constraint is a sound implementation of a condition in
Th. 2.3. Equality constraints in Eq. 3.26 make sure that Vi(x) is zero at the origin.
Constraints in Eq. 3.27 enforce positive definiteness on Lyapunov certificates, whereas
Eq. 3.28 ensures negative definiteness of their Lie-derivatives. Following the S-procedure
technique of Sec. 2.4.4, additional flow set constraints have been added to both Eq. 3.27
and Eq. 3.28. Also in Eq. 3.28 we have additional parameter constraints. Constraints
in Eq. 3.29 ensure that the Lyapunov certificates $V_j(x)$ decrease along the discrete jumps in
the set $D_i$ through the mappings $G_i(x)$. The SOS polynomials $s_1^{(ik)}$, $s_2^{(ik)}$, $s_3^{(j)}$, $s_4^{(i0)}$, $s_5^{(ik)}$
are used to enforce the domain constraints through the S-procedure. A feasible solution of
the above SOS program results in Lyapunov certificates $V_i$.
Proposition 3.4. If the SOS program of Eq. 3.27, Eq. 3.28, and Eq. 3.29 is feasible,
then the Lyapunov certificates Vi(x), i ∈ IC satisfy the conditions of Th. 2.3.
Proof. Eq. 3.26 is trivial. In Eq. 3.27, the multipliers $s_1^{(ik)}(x)$ are SOS and $g_{ik}(x) \ge 0$ on $C_i$.
Also the expressions $V_i(x) - \epsilon - \sum_{k=1}^{n_{C_i}} s_1^{(ik)}(x)\, g_{ik}(x)$ are SOS. Therefore,
$$ V_i(x) - \sum_{k=1}^{n_{C_i}} s_1^{(ik)}(x)\, g_{ik}(x) \ge \epsilon, $$
and hence $V_i(x) \ge \epsilon$ on $C_i$. Since $\epsilon > 0$, we have $V_i(x) > 0$ for $x \ne 0$, which is the second condition, Eq. 2.15, of
Th. 2.3. A similar proof can be given for the other conditions as well.
If this SOS program is infeasible, then either the program is repeated for an increased
degree $d$ of the polynomials, or, if $d$ has reached the user-defined upper
bound $b$, we conclude that the truth value of the property $\varphi_1$ cannot be established (Lines 10-17).
The next step in Alg. 1 is to compute the set $S_1$ (Line 7). This is computed from
the maximized level surfaces of the Lyapunov certificates $V_i(x)$, and to perform this maxi-
mization we use the following SOS program for every level set $V_i \le \gamma_i$:
$$
\begin{aligned}
& \text{maximize:} \quad \gamma_i \\
& \text{subject to} \quad s_5(x) + \sum_{k=1}^{n_{C_i}} s_6^{ik}(x)\,(-g_{ik}(x)) - (V_i(x) - \gamma_i) + \epsilon = 0, \\
& \qquad (s_5, s_6^{ik}) \in \mathcal{S}_n,\ \gamma_i > 0,\ \epsilon > 0,\ i \in \{1, \ldots, \ell\},\ k \in \{1, \ldots, n_{C_i}\}.
\end{aligned}
\qquad (3.30)
$$
Proposition 3.5. If the SOS optimization program in Eq. 3.30 is feasible, then
$$ Z(V_i - (\gamma_i)_{max}) \subset Z(-g_{ik}), \qquad k \in \{1, \ldots, n_{C_i}\} \qquad (3.31) $$
Proof. Follows directly from Lemma 2.2.
For the maximized level curves of the Lyapunov certificates, we compute the set $S_1$ by
$$ S_1 = \bigcup_{i=1}^{\ell} (V_i \le (\gamma_i)_{max}) \qquad (3.32) $$
The non-emptiness of the set $S_1$ shows that $x \models \varphi_1$ for all $x \in S_1$ (Line 8). As men-
tioned earlier, if for the maximum degree bound $b$ on $d$ we are unable to find feasible
Lyapunov certificates $V_i(x)$, the truth value of $\varphi_1$ remains undetermined.
This is because the Lyapunov certificate criterion of Th. 2.3 is a sufficient condi-
tion, and it is possible that feasible certificates exist for an even higher degree $d$
parametrization.
3.2.2 Deductive-Bounded Verification of ϕ2
To verify ϕ2, we need to show that all hybrid arcs x, starting in set S2, eventually
reach the attractive invariant set S1. Towards this goal, we use a mixed deductive-
bounded verification approach benefiting from the advection of sets and certificate
based deductive verification. Essentially, we use advection of sets for HDS, presented
in Sec. 3.1.3, and check whether the advected sets are fully submerged into the set $S_1$
after a bounded number of iterations, as depicted in Fig. 3.6.
Figure 3.6: Deductive-Bounded Verification Methodology (sets S1 and S2)
After a bounded number of advection
steps, for a set which is not a proper subset of set S1, we apply the deductive Escape
certificate criterion showing trajectories starting in this set will eventually escape and
reach S1. This happens when the advection of sets is asymmetrical and submerge in
to set S1 from one direction while its progression from another side is very slow. For
example, in fourth order CP PLL, we notice that the set advection is inconclusive as
sets do not submerge fully in to S1. This scenario is illustrated by the level set of the
red dotted curve in Fig. 3.6. We notice that on the right side of set S1, the advected
set enclosed by the red curve is fully immersed in S1, its progression however from the
left hand side (shown by the double-sided arrow) is stopped after bounded advection
steps. This shows that trajectories starting in the left part of the set jump to the right
hand side before reaching the set S1. For this part of the set, bounded advection is
inconclusive, and we use the deductive Escape certificate criterion.
Following the deductive-bounded approach illustrated above, we verify the property ϕ2 using Alg. 2. The inputs of the algorithm are the sets S2, S1, and the HDS model of the CP PLL. The algorithm determines the truth value of ϕ2 by a combination of a deductive Escape certificate and bounded advection of the set S2. After initializing the different sets, the advection of the set S2advect is performed in Line 5. Following the advection of level sets for HDS discussed in Sec. 3.1.3, the function “Advect” in Line 5 is performed by the SOS program in Eq. 3.33 below.
Algorithm 2 Verification of Property ϕ2
INPUT: HDS Model of CP PLL, Sets S1, S2
OUTPUT: ϕ2 Verified in Bounded Time/No-answer
1: S2next ← ∅
2: S2advect ← ∅
3: S2advect ← S2
4: for j ← 1 to m do
5: S2next ← Advect(S2advect)
6: if S2next ⊄ S1 then
7: S2advect ← S2next
8: else
9: x |= ϕ2, ∀x ∈ S2
10: break
11: end if
12: end for
13: Try a large value of m
14: if S2next ⊄ S1 then
15: For S2next \ (S2′next = S1 ∩ S2next) find the Escape Certificate E.
16: if E exists then
17: x |= ϕ2, ∀x ∈ S2
18: break
19: else
20: No Answer about ϕ2
21: end if
22: end if
$$\begin{aligned}
&\text{minimize } \eta_i \\
&\text{s.t. } P_{next}(0) < 0, \qquad \frac{\partial P_{next}}{\partial x}\cdot(v_1, v_2, \phi_D)^T > 0, \\
&s_{1i} - s_{2i}P_{Initial} + B_{i,-h}P_{next} + \eta_i + \sum_{k=1}^{m_{C_i}} s_{3ik}\,g_{ik} + \sum_{j=1}^{m} s_{4j}(x)\,a_j(u) = 0, \\
&s_{5i} + s_{6i}(P_{Initial} - \mu_i) - B_{i,-h}P_{next} + \eta_i + \sum_{k=1}^{m_{C_i}} s_{7ik}\,g_{ik} + \sum_{j=1}^{m} s_{8j}(x)\,a_j(u) = 0, \\
&s_{9i} - s_{10i}(P_{Initial} - \mu_i) + \sum_{k=1}^{m_{C_i}} s_{11ik}\,g_{ik} + \frac{\partial^2 P_{next}}{\partial x^2}\frac{h^2}{2} - \eta_i = 0, \\
&s_{12i} - s_{13i}(P_{Initial} - \mu_i) + \sum_{k=1}^{m_{C_i}} s_{14ik}\,g_{ik} - \frac{\partial^2 P_{next}}{\partial x^2}\frac{h^2}{2} - \eta_i = 0, \\
&(s_{1i}, s_{2i}, s_{3ik}, s_{4j}, s_{5i}, s_{6i}, s_{7ik}, s_{8j}, s_{9i}, s_{10i}, s_{11ik}, s_{12i}, s_{13i}, s_{14ik}) \in S_n.
\end{aligned} \quad (3.33)$$
Here Pnext is of degree dr, μi > 0, ηi > 0, h > 0, u ∈ [L, U], and s1i, s2i, s3ik, s4j, s5i, s6i, s7ik, s8j, s9i, s10i, s11ik, s12i, s13i, s14ik are polynomials of degree d.
Figure 3.7: Deductive-Bounded Verification Methodology (sketch of the level sets Z(P_Initial), Z(P_Initial − μ), Z(P_next), Z(B_{i,−h}P_next ± η), Ψ_{−h}(P_next) and the advection map B_{i,−h})
Let S2 = Z(PInitial), S1 = Z(P1) and S2next = Z(Pnext). Here PInitial, P1, and Pnext are differentiable polynomials belonging to the set C(R^n, R). Similar to the SOS program for Lyapunov certificates, the SOS program for the advection of sets utilizes the S-procedure discussed in Sec. 2.4.4. The first two constraints of this SOS program ensure that the advected level sets are closed and connected (see [102] and the references therein). The next two constraints search for a polynomial Pnext such that, when the set Z(Pnext) is backward advected by the first order Taylor advection map B_{i,−h}, we obtain a set satisfying
$$Z(P_{Initial}) \subset Z(B_{i,-h}P_{next} + \eta_i) \subset \Psi_{-h}(Z(P_{next})) \subset Z(B_{i,-h}P_{next} - \eta_i) \subset Z(P_{Initial} - \mu_i) \quad (3.34)$$
Here μi is a precision parameter determining how closely we want the set Z(PInitial) to be approximated by the set Z(B_{i,−h}Pnext + ‖ηi‖). Constraints for Ci have been added using the SOS multipliers s3ik, s7ik and the vector inequality gik(x) ≤ 0. Furthermore, parameter constraints are added using the SOS multipliers s4j and s8j with the vector inequality aj(u) ≤ 0. This advection of zero sub-level sets is illustrated in Fig. 3.7. The last two constraints bound the truncation error of the first order Taylor approximation such that
$$\left\| \frac{\partial^2 P_{next}}{\partial x^2}\,\frac{h^2}{2} \right\| \le \eta_i$$
for all x in the set Z(PInitial − μ).
The next step in Alg. 2 is checking the intersection of the sets S2next and S1 (Line 6). To be conservative and use an over-approximation of the set Ψh(Z(PInitial)), the set membership is encoded as an SOS program utilizing Lemma 2.2 for the sets Z(Pnext − ηi) and S1, i.e.,
$$s_0 - s_1(P_{next} - \eta_i) + P_1 = 0, \qquad s_0, s_1 \in S_n \quad (3.35)$$
If there are feasible SOS polynomials s0 and s1, then Z(Pnext − ηi) ⊂ Z(P1).
Remark 3.2. For the transformed CP PLL HDS H′ we have identity jump maps; there is therefore no need for constraints on the level sets due to discrete jumps.
After each iteration of the advection of level sets, if the set inclusion S2next ⊂ S1 holds, then property ϕ2 is verified. Otherwise, the algorithm keeps advecting the set S2next for a user-defined bounded number of iterations (Lines 7-13). If the property ϕ2 is still not verified (this can happen when the advection of the level sets is asymmetrical and a subset of S2next is not fully immersed in S1), we compute the Escape certificate E for the set S2next \ S2′next, where S2′next = S1 ∩ S2next. A feasible Escape certificate in the set S2next \ S2′next shows that trajectories in this set will eventually leave it and reach S1 by Prop. 3.3 (Lines 14-18). This either results in the verification of property ϕ2 (respectively ϕ) in the set S2, or we declare the truth value of ϕ2 (respectively ϕ) inconclusive. In Line 15, the Escape certificate is searched for by the following SOS program,
$$\begin{aligned}
&-\frac{\partial E_i}{\partial x}(x)\,F_i(x,u) - s_1(x)\,g_2(x) + s_2(x)\,g_{2'}(x) - \sum_{j=1}^{m} s_{3j}(x)\,a_j(u) - \varepsilon \in S_n, \\
&(s_1, s_2, s_{3j}) \in S_n.
\end{aligned} \quad (3.36)$$
where S2next := {x : g2(x) ≥ 0} and S2′next := {x : g2′(x) ≥ 0}.
Proposition 3.6. If the SOS program of Eq. 3.36 is feasible, then the Escape certificates satisfy the condition in Prop. 3.2.
Proof. The expression in Eq. 3.36 being SOS, we have
$$-\frac{\partial E_i}{\partial x}(x)\,F_i(x,u) - s_1(x)\,g_2(x) + s_2(x)\,g_{2'}(x) - \sum_{j=1}^{m} s_{3j}(x)\,a_j(u) - \varepsilon \ge 0.$$
The multipliers s1, s2, s3j are all SOS, and g2(x) ≥ 0, g2′(x) ≥ 0, aj(u) ≥ 0; therefore every product term is positive semi-definite. Therefore,
$$\frac{\partial E_i}{\partial x}(x)\,F_i(x,u) \le -\varepsilon.$$
If there is a feasible Escape certificate for the set S2next \ S2′next, then we conclude x |= ϕ2, ∀x : x ∈ S2 (Line 17). If we do not find an Escape certificate up to some maximum bounded degree, we declare the truth value of ϕ2 inconclusive (Line 20).
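The Escape certificate condition of Prop. 3.2 and Prop. 3.6 in executable form, as an added worked example that is not code from the thesis: a polynomial vector field F and a candidate certificate E are stored as exponent-to-coefficient dictionaries, the Lie derivative ∂E/∂x·F is computed symbolically, it is checked against −ε on a sample grid of the set S2 (a numerical sanity check of the kind Fig. 3.13 and Fig. 3.14 perform along trajectories, not a replacement for the SOS program, which is what actually proves the inequality), and the escape-time bound implied by Ė ≤ −ε is compared with a simulated trajectory. The two-dimensional system, the annular set S2 = {1 ≤ x1² + x2² ≤ 4}, the certificate E = x1² + x2² and ε = 2 are all constructed for this example and do not come from the CP PLL model.

```python
"""Added example (not from the thesis): checking a polynomial Escape
certificate E against a polynomial vector field F, and turning the bound
dE/dt <= -eps into an escape-time bound. The system, the set S2, E and eps
below are constructed for illustration, not taken from the CP PLL model."""
import math

# A polynomial in (x1, x2) is a dict mapping an exponent tuple to a coefficient,
# e.g. {(2, 0): 1.0, (0, 2): 1.0} is x1^2 + x2^2.
def poly_eval(p, x):
    return sum(c * x[0] ** e[0] * x[1] ** e[1] for e, c in p.items())

def poly_diff(p, var):
    """Partial derivative with respect to variable index `var` (0 or 1)."""
    out = {}
    for e, c in p.items():
        if e[var] == 0:
            continue
        ne = list(e)
        ne[var] -= 1
        out[tuple(ne)] = out.get(tuple(ne), 0.0) + c * e[var]
    return out

def poly_mul(p, q):
    out = {}
    for ep, cp in p.items():
        for eq, cq in q.items():
            e = (ep[0] + eq[0], ep[1] + eq[1])
            out[e] = out.get(e, 0.0) + cp * cq
    return out

def poly_add(p, q):
    out = dict(p)
    for e, c in q.items():
        out[e] = out.get(e, 0.0) + c
    return {e: c for e, c in out.items() if c != 0.0}

def lie_derivative(E, F):
    """dE/dt along F: sum_i (dE/dx_i) * F_i, computed symbolically."""
    out = {}
    for i, Fi in enumerate(F):
        out = poly_add(out, poly_mul(poly_diff(E, i), Fi))
    return out

# Constructed system: x1' = -x1 + 0.5 x2, x2' = -x2 - 0.5 x1 (a stable spiral).
F = [{(1, 0): -1.0, (0, 1): 0.5}, {(0, 1): -1.0, (1, 0): -0.5}]
# Constructed candidate certificate and escape set S2 = {1 <= x1^2 + x2^2 <= 4}.
E = {(2, 0): 1.0, (0, 2): 1.0}
R_INNER, R_OUTER, EPS = 1.0, 2.0, 2.0

def in_S2(x):
    return R_INNER ** 2 <= x[0] ** 2 + x[1] ** 2 <= R_OUTER ** 2

def max_lie_derivative_on_grid(E, F, n_r=40, n_theta=72):
    """Largest value of dE/dt over a polar grid of S2. Prop. 3.6 demands
    dE/dt <= -eps on all of S2; a grid check can only refute, never prove it."""
    Edot = lie_derivative(E, F)
    worst = -math.inf
    for i in range(n_r + 1):
        r = R_INNER + (R_OUTER - R_INNER) * i / n_r
        for j in range(n_theta):
            th = 2 * math.pi * j / n_theta
            worst = max(worst, poly_eval(Edot, (r * math.cos(th), r * math.sin(th))))
    return worst

def escape_time_bound(E, x0):
    """If dE/dt <= -eps on S2, a trajectory starting at x0 must leave S2 (here:
    drop below E = R_INNER^2, since E is the squared radius) within this time."""
    return (poly_eval(E, x0) - R_INNER ** 2) / EPS

def simulated_escape_time(F, x0, dt=1e-3, t_max=10.0):
    """RK4 integration until the trajectory first leaves S2; None if it never does."""
    x, t = list(x0), 0.0
    f = lambda y: [poly_eval(Fi, y) for Fi in F]
    while t < t_max:
        if not in_S2(x):
            return t
        k1 = f(x)
        k2 = f([xi + 0.5 * dt * ki for xi, ki in zip(x, k1)])
        k3 = f([xi + 0.5 * dt * ki for xi, ki in zip(x, k2)])
        k4 = f([xi + dt * ki for xi, ki in zip(x, k3)])
        x = [xi + dt / 6 * (a + 2 * b + 2 * c + d) for xi, a, b, c, d in zip(x, k1, k2, k3, k4)]
        t += dt
    return None

if __name__ == "__main__":
    print("max dE/dt on S2 grid:", max_lie_derivative_on_grid(E, F))
    print("escape-time bound from (2,0):", escape_time_bound(E, (2.0, 0.0)))
    print("simulated escape time:", simulated_escape_time(F, (2.0, 0.0)))
```

For this constructed system the Lie derivative simplifies symbolically to −2(x1² + x2²), so it is at most −2 on S2 and the certificate bound (E(x0) − 1)/ε = 1.5 from x0 = (2, 0) safely over-estimates the simulated escape time of about 0.69. The grid check is the cheap diagnostic one runs on a certificate returned by the SDP solver before trusting it; the SOS program (or the symbolic QE step of Chapter 4) is what establishes the inequality on the whole set.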
3.3 Deductive Verification of Inevitability in CP PLL
In this section, we discuss the certificate based deductive-only verification methodology for the verification of the CP PLL inevitability property. Principally, this methodology is similar to the deductive-bounded verification in that it too uses the divide and rule strategy to verify the complex inevitability property. The difference is that it is a purely certificate based deductive approach and does not use bounded verification. Similar to the mixed deductive-bounded approach, we introduce two compact sets, S1 and S2, such that S1 ∩ S2 = ∅ and S1 ∪ S2 = C ∪ D. We define two properties ϕ1 and ϕ2 in the sets S1 and S2 respectively. In this methodology, we use a certificate based deductive approach for the verification of both ϕ1 and ϕ2, as shown in Fig. 3.8. As in the deductive-bounded methodology, we use Lyapunov certificates to verify property ϕ1 and show the attractive invariance of S1 from the level curves of the Lyapunov certificates. The difference is the way we verify property ϕ2, using only Escape certificates. Therefore, in this section we only discuss the verification of ϕ2.
Theorem 3.2. If in a compact set S2, such that S1 ∪ S2 = X_{H′}, where S1 is an attractive invariant set, we have Escape certificates Ei(x), ∀i ∈ {1, .., ℓ}, ∀x : x ∈ S2, then ∀x(t, j) : x(t, j) ∈ S2, $\lim_{t+j\to\infty} x(t, j) \in S_1$.
Proof. Follows directly from Lemma 3.3. The boundedness of x(t, j) is guaranteed by the supply voltage and ground of the CP PLL circuit. The existence of an Escape certificate for x(t, j) ∈ S2 (Prop. 3.2) guarantees that trajectories will eventually leave S2 and, S1 being the only invariant set, they will eventually reach S1.
Figure 3.8: Deductive-Only Verification Methodology (plot of the sets S1 and S2, both labelled “Deductive”; axis ticks omitted)
Following Th. 3.2, we verify property ϕ2 utilizing Alg. 3. We search for ℓ Escape certificates (Prop. 3.2) in ℓ disjoint sets S2i, i ∈ {1, .., ℓ}, such that S2 = ∪_{i∈{1,..,ℓ}} S2i. The inputs of Alg. 3 are the set S2 and the CP PLL HDS. After parametrizing these ℓ Escape certificates by setting their degrees d and coefficients, we establish their feasibility by the following SOS program (Line 4),
$$\begin{aligned}
&-\frac{\partial E_i}{\partial x}(x)\,F_i(x,u) - \sum_{k=1}^{n_{C_i}} s_1^{(ik)}(x)\,g_{2ik}(x) - \sum_{j=1}^{m} s_2^{(j)}(x)\,a_j(u) - \varepsilon \in S_n, \\
&s_1^{(ik)},\ s_2^{(j)} \in S_n,\ \varepsilon > 0
\end{aligned} \quad (3.37)$$
Note that d is initially set to 2 and is incremented by 2 in each iteration. This SOS program ensures that the Lie derivatives of Ei are strictly negative in the sets S2i = {x ∈ R^n : g2ik(x) ≥ 0, for k ∈ {1, .., nCi}}, i ∈ {1, .., ℓ}. The second constraint in this SOS program is such that the parameters u belong to the set {u : aj(u) ≥ 0, for j ∈ {1, ..,m}}. Here ε is a small positive real number. Feasibility of the SOS program in Eq. 3.37 indicates the existence of Escape certificates for each mode of the CP PLL HDS, and consequently the property ϕ2 is verified (Lines 4-6). Alternatively, if the SOS program in Eq. 3.37 is infeasible, we increase the degree d of each Escape certificate by 2 and repeat the process (Lines 8-10). If the property ϕ2 is still not verified for the maximum user-defined degree b, we declare the truth value of ϕ2 (respectively ϕ) inconclusive (Line 13).
Algorithm 3 Verification of Property ϕ2
INPUT: Hybrid System Model of CP PLL, Set S2 = ∪_{i∈{1,..,ℓ}} S2i
OUTPUT: ϕ2 Verified/No-answer
1: for i ← 1 to ℓ do ; Here ℓ is the number of discrete modes of the HDS
2: Ei ← Parametrize(Ei) ; Setting degree d and coefficients of the Ei polynomials
3: end for
4: if Ei, ∀i ∈ {1, .., ℓ}, are feasible (fulfilling Prop. 3.2) then
5: Emultiple ← {Emultiple, Ei}, ∀i ∈ {1, .., ℓ}
6: x |= ϕ2, ∀x ∈ S2 = ∪_{i∈{1,..,ℓ}} S2i
7: else
8: Ei ← Infeasible
9: Increase degree d of the Ei's ; d is incremented by 2
10: Goto Line 1 if d of Ei < b ∀i ∈ {1, .., ℓ} ; Here b is a user-defined upper bound on degree d
11: end if
12: if d = b and x ⊭ ϕ2, ∀x ∈ S2 then
13: No Answer about ϕ2
14: end if
15: return Truth value of ϕ2
Parameters   Third Order         Fourth Order
C1           [1.98 2.2]e-12 F    [31 29]e-12 F
C2           [6.1 6.4]e-12 F     [3.2 3.4]e-12 F
C3           -                   [1.8 2.2]e-12 F
R            [7.8 8.2]e3 Ω       [48 52]e3 Ω
R2           -                   [7 9]e3 Ω
fref         27 MHz              5 MHz
fO           27e3 MHz            5 MHz
Ip           [495 505]e-6 A      [395 405]e-6 A
Kp           [198 202]           [495 502]
Table 3.1: PLL Parameters used in the Experimentation
3.4 Experimental Evaluation
We have verified the inevitability of phase locking for a third and a fourth order CP PLL. The CP PLL parameters we have used are listed in Table 3.1 ([7]), with all phases normalized by 2π. For all experiments, we used the YALMIP [67] and SeDuMi [88] solvers within MATLAB for the verification of the inevitability property (respectively sub-properties) on a 2.6 GHz Intel Core i5 machine with 4 GB of memory.
Figure 3.9: 3-Order S1 Projected onto (v1, v2), and (v2, φD) (two panels: v1 vs v2, and v2 vs Phi_ref − Phi_VCO; tick values omitted)
Figure 3.10: 4-Order S1 Projected onto (v2, v3), and (v2, φD) (two panels: v2 vs Phi_ref − Phi_VCO, and v2 vs v3; tick values omitted)
3.4.1 Mixed Deductive-Bounded Verification Methodology
In this section, results of the inevitability verification using the mixed deductive-bounded approach are presented. For a third order CP PLL, we constructed degree-6 multiple Lyapunov certificates while verifying property ϕ1 (Appendix B.2.1). Similarly, we found degree-4 multiple Lyapunov certificates for the fourth order CP PLL verifying sub-property ϕ1 (Appendix B.2.2). The corresponding attractive invariant sets S1 generated by these Lyapunov certificates are depicted in Fig. 3.9 and Fig. 3.10 for the third and fourth order CP PLL respectively. Note that only projections of the set S1 onto different planes are shown in Fig. 3.9 and Fig. 3.10. This was followed by the verification of the sub-property ϕ2 using advection of sets, performed with the sets S1 as target sets. We considered a circular starting set S2 around the set S1 for both benchmarks. The corresponding results of the advection of sets are shown in Fig. 3.11 and Fig. 3.12 for the third and fourth order CP PLL respectively. Note that due to space constraints, we have shown projections onto only two planes for each benchmark. The outer set plotted in solid is the initial set inside which we aim to prove the inevitability of phase locking in the CP PLL. The advected level curves are shown dotted. We used the time step h = 1e−3 seconds and μi = 1e−4 in the computation of the advected sets. It can be observed that for the third order, the advected zero sub-level sets were eventually symmetrically immersed in the central attractive invariant set S1 after a bounded number of iterations. However, for the fourth order CP PLL, the advection of zero sub-level sets is unsymmetrical and the progress in one direction is more abrupt than in the other. We therefore have the level sets immersed in the attractive invariant set S1 from one direction, but the advection is inconclusive for a subset in the other direction, shown by the pink shaded area in Fig. 3.12. For the inconclusive subset, we searched for degree-4 Escape certificates for mode-1 and mode-3 and a degree-2 Escape certificate for mode-2, showing convergence of the trajectories to the attractive invariant set S1 (Appendix B.3.2). The corresponding computation times for the different steps of our verification methodology are given in Table 3.2.
Figure 3.11: 3-Order Advection Projected onto (v1, v2), and (v2, φD) (two panels: v1 vs v2, and v2 vs Phi_ref − Phi_VCO; tick values omitted)
Figure 3.12: 4-Order Advection Projected onto (v2, v3), and (v2, φD) (two panels: v2 vs Phi_ref − Phi_VCO, and v2 vs v3; tick values omitted)
Verification Step        3-Order Time (s)            4-Order Time (s)
Attractive Invariant     1381.7 (degree 6)           1002.1 (degree 4)
Max. Level Curves        15.5                        12
Advection                106.8487 (14 iterations)    140.678 (7 iterations)
Checking Set Inclusion   13                          10.2
Escape Certificate       -                           21.6 (3 certificates)
Table 3.2: Computation Time of the Inevitability Verification
Figure 3.13: 3-Order Derivative of Escape Certificates, Trajectory Trace, Projected onto (v1, v2), and (v2, φD) (two panels: v2 vs Phi_ref − Phi_VCO, and v1 vs v2; legend: Escape Derivative, Hybrid Trajectory; tick values omitted)
3.4.2 Deductive-only Verification Methodology
In this section, we present the results of our deductive-only verification methodology. Since the verification of the sub-property ϕ1 is the same as in the deductive-bounded approach, we followed the same procedure and computed degree-6 multiple Lyapunov certificates for the third order and degree-4 multiple Lyapunov certificates for the fourth order CP PLL. Their attractive invariant sets S1, projected onto different planes, are shown in Fig. 3.9 and Fig. 3.10 respectively. This was followed by the verification of the sub-property ϕ2 using deductive Escape certificates. We constructed three Escape certificates, one per mode, for each of the third order and fourth order CP PLL HDS models (Appendix B.3.1, Appendix B.3.2). For both benchmarks, we computed degree-2 Escape certificates for mode2 and mode3, whereas for mode1 we computed degree-12 and degree-10 Escape certificates for the third and fourth order CP PLL respectively. We chose ε = 1e−4 for the construction of all Escape certificates. We noticed that decreasing the value of ε resulted in higher degree Escape certificates being needed for both benchmarks, at the cost of higher computation time; we therefore opted for the value 1e−4. A simulation trace along with the derivative of the Escape certificate, patched together from the three Escape certificates of each benchmark, is depicted in Fig. 3.13 and Fig. 3.14 respectively. Note that due to space constraints, we have shown projections onto only two planes for each benchmark. These two figures show the value of the derivative of the Escape certificates in blue for the trajectories of the CP PLL shown in red. The simulation traces show that the derivative of the Escape certificates is negative for the entire duration of the two trajectories while they approach the zero locking state (equilibrium), which is the required condition on these Escape certificates. The computation time for the different steps of our verification methodology is given in Table 3.3. Though the maximum degree of the certificates (Lyapunov, Escape) for the fourth order is lower than that for the third order, the dimensionality factor dominates as far as computation time is concerned.
Figure 3.14: 4-Order Derivative of Escape Certificates, Trajectory Trace, Projected onto (v2, v3), and (v2, φD) (two panels: v2 vs Phi_ref − Phi_VCO, and v2 vs v3; legend: Escape Derivative, Hybrid Trajectory; tick values omitted)
Verification Step        3-Order Time (s)      4-Order Time (s)
Attractive Invariants    1381.7 (degree 6)     1002.1 (degree 4)
Max. Level Curves        15.5                  12
Escape Certificates      100                   900
Table 3.3: Computation Time of the Inevitability Verification
3.5 Related Work
Lyapunov theory has been used for an analog PLL design in [1]. The author used LaSalle's theorem, which is a generalization of Lyapunov's theorem, and designed parameters for a purely “analog” PLL. Our work differs in many ways from what has been done in [1]. While [1] considered an approximate non-linear continuous model with a “sin” non-linearity in the loop, we consider a CP PLL, which is naturally an HDS due to its discrete and continuous behaviour. Secondly, the problem tackled in [1] is a design problem, where an analog PLL has been designed such that it is almost globally stable. We, on the other hand, have worked on an inevitability property, which is theoretically completely different from the stability property. Lastly, the construction of the Lyapunov function has been done analytically in [1], as opposed to our SOS based algorithmic approach. While a Lyapunov certificate can be found analytically for simple PLL models such as that in [1], it is generally impossible to find one analytically for a CDS/HDS like the CP PLL. In [66], the authors conservatively converted a digitally extensive PLL into a continuous model using a machine learning technique. They divided the state space into linear and non-linear regions and used hybrid reachability for the linear and SMT based reachability for the non-linear regions respectively. [105] presented a similar technique for an all digital PLL, where they approximated the behaviour of the PLL with a continuous time piecewise linear hybrid automaton to which the quantization effects were added as uncertain parameters. They also divided the state space into linear and non-linear regions, and applied linear Lyapunov stability theory (using quadratic Lyapunov certificates) for the linear and reachability analysis for the non-linear regions respectively. In order to reduce the complexity of the model, they neglected a few sub-systems of the PLL circuit. As these neglected sub-systems have a substantial effect on the stability of the overall system, the accuracy of their technique was greatly reduced. [105] also used an SMT solver and computed the coefficients of a quadratic Lyapunov certificate without considering the quantifier alternation we discussed earlier. The approach seems to guess the coefficients of the quadratic Lyapunov certificate and then check the feasibility of the Lyapunov stability constraints over the region of interest using universal quantification. This approach clearly lacks the automation aspect of computing Lyapunov certificates. Though for linear stable systems the existence of a quadratic Lyapunov certificate is a necessary and sufficient condition, for general stable hybrid systems such certificates do not exist and higher order Lyapunov certificates are required. Furthermore, quadratic Lyapunov stability certificates are very conservative and need further splitting of the state space to reduce conservativeness. The authors in [105] also reported time-outs of the reachability tool SpaceEx [39] while computing reachable sets starting from some remote regions. This is due to the large number of mode transitions needed in PLL systems before trajectories reach the equilibrium state. To avoid discrete jumps, [7] presented a continuization technique and verified the ‘time to locking’ property of a CP PLL. They used reachability to verify the time to locking property in a third order CP PLL.
3.6 Summary of the Chapter
In this chapter, we have proposed scalable and computationally tractable methodologies for the verification of an important yet complex inevitability property of a CP PLL. We have come up with two methodologies benefiting from both the deductive and the bounded verification paradigms. In Sec. 3.1.1, we have given a comprehensive HDS model of the higher order CP PLL covering its hybrid discrete and continuous behaviour. We have divided the verification task into two sub-properties in Sec. 3.2 and proposed deductive and deductive-bounded verification approaches for their verification in Sec. 3.2.1 and Sec. 3.2.2 respectively. We used Lyapunov certificates for the verification of one sub-property in Sec. 3.2.1, and used advection of level sets and an Escape certificate for the verification of the second property in Sec. 3.2.2. A deductive-only verification for both sub-properties was presented in Sec. 3.3. The results show the effectiveness of our approach for the verification of the inevitability property of a complex real circuit. We have proved the inevitability property while avoiding hundreds of discrete transitions as well as the complex continuization of [7]. The computation time is comparable to [7], and is in fact less by an order of at least half, considering that their approach uses gridding of the state space for a third order PLL only. Though user input is needed in the formalization of the problem, our Lyapunov and Escape certificate based deductive methods are applicable to infinite (as opposed to bounded) domains and avoid approximating (under or over) the solutions of the differential equations. Furthermore, our bounded advection of level sets has the advantage of dealing with larger sets in a single iteration as compared to the existing bounded model checking approaches. Comparing the two techniques, the computation time of the mixed deductive-bounded approach is clearly less than that of the deductive-only approach. However, considering the number of iterations in the advection of level sets, more user input is required in the deductive-bounded approach than in the deductive-only approach. Furthermore, the computation time of the deductive-only approach can be reduced by dividing the outer set into several subsets and computing lower degree Escape certificates for these subsets. The whole process of certificate computation can be further automated by delegating the task of parametrization and other initializations to a software program with an additional call to a semi-definite program solver.
Chapter 4
Deductive Inevitability Verification of Ring Oscillators using the SOS-QE Approach
Ring oscillators are an integral part of most modern SOC designs. They are used for various purposes — from reference clock generation and data clock recovery to phase modulation. They are designed in the hope that they will start from all possible voltage conditions on their nodes. Unfortunately, it is practically impossible for an RO to have a global start-up property, i.e. to start from every possible state of voltages on its nodes. In [56], researchers at Rambus identified a start-up failure in an even stage RO for a subset of initial conditions and parameters. Recently, several works have been dedicated to the verification of the start-up property, mainly based on reachability analysis. These approaches face several issues. Reachability verifies the property for bounded time only, and nothing can be established about the behaviour of an RO over the infinite horizon. Secondly, reachability tools rely on over-approximating the solutions of the differential equations describing an RO circuit, and are thus subject to erroneous results. Furthermore, to reduce conservatism, a large number of discrete partitions of the state space is performed, resulting in increased computational complexity.
A periodic set of states is said to be almost globally inevitable if an RO eventually reaches this set from all but a negligible dead set of voltages on its nodes. In this chapter, we propose a deductive verification methodology and verify the almost global inevitability of oscillations in ROs. We consider two different topologies of ROs, namely odd stage and even stage ROs. Due to its layout, the stages of an even RO operate in differential pairs. This allows a division of its operation into differential and common modes. Since oscillations are manifested in the differential mode, we verify the inevitability property for this particular mode of the even RO. Furthermore, we show that its common mode settles to around zero voltage. We treat the odd stage RO similarly to the differential mode of the even RO. Dividing the even stage RO into differential and common modes halves the dimensionality of the system. To verify inevitability, we adopt a divide and rule approach and split it into the conjunction of various sub-properties. Verification of these sub-properties determines the truth value of the inevitability property in two disjoint subsets of the state space. We use certificate based deductive verification to verify all these sub-properties. We formulate the construction of these certificates as FOFs having universal-existential quantifiers over polynomial inequalities/equalities. Due to the high computational cost of QE in real algebraic theory¹, we present an SOS-QE approach to verify the truth values of these FOFs. SOS programming solves these quantified formulas using semi-definite programming in a realistic computational time (utilizing a numerical interior point method), within the limits of numerical precision. To overcome these numerical imprecisions and establish the validity of these certificates, we further verify the certificates (now having a fixed structure) using the symbolic QE approach. This is done by verifying FOFs having only universal quantifiers.
4.1 Preliminaries
This section discusses the mathematical modelling of an RO and the necessary background for the certificate based deductive verification of inevitability.
4.1.1 Modelling of the Ring Oscillator
We model an RO, shown in Fig. 4.1, as a polynomial CDS as discussed in Sec. 2.1.1. Let us denote by x the vector of node voltages at the inverter outputs. Therefore, the CDS model of an RO is a tuple (X, Xinitial, U, f). Note that since there are no inputs in ROs we drop the set of inputs W. The vector field f characterising an RO is given by
$$\dot{x} = f(x, u), \quad f : \mathbb{R}^n \times \mathbb{R}^m \to \mathbb{R}^n, \quad x \in X,\ u \in U \quad (4.1)$$
¹ QE works only for low dimension, low complexity problems and is doubly exponential in the number of variables.
Figure 4.1: Ring Oscillators, Left: Even Stage, Right: Odd Stage
where X ⊂ R^n is the state space of the RO. This set is invariant, as trajectories of an RO never leave it. Let us denote by Φ(x0, t), x0 ∈ Xinit, the solution vector of the system of differential equations Eq. 4.1 (also called a trajectory in some literature).
Definition 4.1 (Equilibrium state). A state xe ∈ X is called an equilibrium of the CDS model of an RO if f(xe) = 0.
Definition 4.2 (Limit Cycle). A set γ ⊂ X is called a limit cycle if ∀x0 : x0 ∈ γ, Φ(x0, T) = x0 for some T > 0, and ∀t : 0 < t < T, Φ(x0, t) ≠ x0. A limit cycle is an invariant set.
Definition 4.3 (Inevitability of the Limit cycle). The limit cycle γ is said to be inevitable if, ∀x0 : x0 ∈ Xinitial, y ∈ γ, r > 0, b ∈ R≥0,
$$\lim_{t \to b} \|\Phi(x_0, t) - y\| \le r \quad (4.2)$$
Assumption 4.1. In this work, we assume that the location of γ in the state space X is known.
ROs are designed so that on power up they start to oscillate with the desired frequency from all possible voltages on their nodes. In other words, considering an RO as a CDS, its limit cycle γ is globally inevitable. However, in a practical RO there are states in R^n from which it fails to start and reach the limit cycle γ. For example, an equilibrium is one such state from which an RO cannot start. We call the set of all such states the “dead set”.
Definition 4.4 (Dead Set). A set of states Xdead is called a dead set if ∀x : x ∈ Xdead, $\lim_{t \to \infty} \|\Phi(x, t) - x_e\| = 0$. Here xe is an equilibrium state.
Since the dead set, though of a lower dimension, is unavoidable in an RO state space, we modify the definition of global inevitability and introduce the notion of “almost global inevitability”.
Definition 4.5 (Almost Global Inevitability (AGI) of Oscillation in ROs). The limit cycle γ ⊂ X is said to be “AGI” if, ∀x0 : x0 ∈ X \ Xdead, y ∈ γ, r > 0, b ∈ R≥0,
$$\lim_{t \to b} \|\Phi(x_0, t) - y\| \le r \quad (4.3)$$
4.1.1.1 An Inverter Model
While modelling an RO as CDS the main problem is how to derive the expression for
the vector field f(x, u) in Eq. 4.1. Apart from parameters, the vector field f(x, u) is a
function of node voltages on capacitors at the output of each inverter. These voltages,
if modelled at the transistor level, are non-linear functions of the currents through the
transistors. To understand this, we have shown in Fig. 4.2, a CMOS inverter with a
capacitor at the output and the internal details of CMOS transistors. We can see that
an inverter consists of two MOS transistors, a PMOS and an NMOS with a capacitor
at the output. A current model at the transistor level is seemingly very complex due
to the non-linear behaviour of a transistor covering three (Linear, Saturation, Cut off)
regions of operation. One option is to model this current as a piecewise polynomial
function, resulting in a HDS model for the inverter. This will require nine modes in the
HDS for a single inverter. Therefore, to reduce the complexity of the model and make it
amenable to formal verification, we avoid modelling the inverter at the transistor level.
This is in accordance with the top-down modelling strategy we discussed in Sec. 2.2.
However, while considering an abstract model for the inverter, we still need to take in
to account the non-linearity inherited by the inverter due to its constituent transistors.
Therefore, we use an inverter model based on a“tanh(.)” non-linearity presented in
[40][34]. This non-linear model of the inverter has a “tanh(.)” non-linearity connected
with a low pass filter as shown by its transfer function G(s) in Fig. 4.2(d). If Vin is
the input to the "tanh(.)" non-linearity block and $V_n$ its output, then the non-linear "tanh(.)" block is represented by the following equation, in which the minus sign accounts for the inverting action of the gate (it is the sign that reappears in Eq. 4.7),
$$V_n = -V_{sat} \times \tanh(V_{in}/V_s) \qquad (4.4)$$
Here $V_{sat}$ is the saturation voltage and $V_s$ is a parameter adjusting the slope of the inverter output response. Both parameters are important, since they can be used to capture the effect of transistor level parameter variations. For example, [29] has shown
4. Inevitability Verification of Ring Oscillators
[Figure 4.2: (a) A CMOS inverter; (b) internal MOS transistor circuit of an inverter; (c) effect of transistor sizes on inverter response; (d) inverter non-linear model, $V_{in} \to \tanh(\cdot) \to G(s) \to V_{out}$.]
in Fig. 4.2(c) how transistor sizes can affect the slope of the inverter response. Here the
“good” device has a smaller oxide thickness (-3nm), a smaller length (-25nm), a higher
width (+30nm), and a smaller threshold (-60mV). For a bad device, the opposite of
these is true. To cater for the change in the slope due to device variations, we use the
parameter $V_s$ in Eq. 4.4. Similarly, bounds on the parameter $V_{sat}$ represent how noise changes the saturation voltage. We use a linear model for the low pass filter, described by the transfer function $G(s)$,
$$G(s) = \frac{1}{1 + Ts} \qquad (4.5)$$
Here $T = C_L \times R_{inverter}$ is the time constant of the low pass filter, with $R_{inverter}$ being the inverter output resistance.
The above model of the inverter, a combination of the "tanh(.)" non-linearity and a low pass filter, results in a non-polynomial expression for $f(x)$ in Eq. 4.1. To work around this, we use a least-squares polynomial approximation of the "tanh(.)" non-linearity. This approximation has a maximum error of 0.1% over the range $[-2, 2]$. The input and output of an inverter are thus related by the following equation,
$$V_n \left(\frac{1}{1 + Ts}\right) = V_{out} \implies V_n = V_{out} + T\dot V_{out} \qquad (4.6)$$
Here we have used the Laplace transform property $sV_{out} \leftrightarrow \dot V_{out}$. By rearranging Eq. 4.6 and replacing $V_n$ by Eq. 4.4, we get the following ODE for a CMOS inverter.
$$\dot V_{out} = -\frac{V_{out}}{T} - \frac{V_{sat}}{T}\tanh(V_{in}/V_s) \qquad (4.7)$$
$$\dot V_{out} = -\xi V_{out} - \zeta\tanh(\rho V_{in}), \qquad \xi = \frac{1}{T},\ \zeta = \frac{V_{sat}}{T},\ \rho = \frac{1}{V_s} \qquad (4.8)$$
Let us denote by $\tilde p(\cdot)$ the polynomial approximation of the "tanh(.)" non-linearity. Then we have,
$$\dot V_{out} = -\xi V_{out} - \zeta\tilde p(\rho V_{in}) \qquad (4.9)$$
Let us denote the voltages on the nodes of the odd RO by $x_i$, $i = 1, \dots, n$, and those on the nodes of the even RO by $x(0, j)$, $x(1, j)$, $j = 0, 1, \dots, n-1$. Here $n$ is the number of stages of an RO. Using Eq. 4.9 and applying KCL at each node of the RO, we obtain Eq. 4.10 and Eq. 4.11, representing the ODEs for the odd and even stage ROs respectively.
$$\dot x_i = -\xi_i x_i - \zeta_i\,\tilde p(\rho_i x_n), \quad i = 1 \qquad (4.10a)$$
$$\dot x_i = -\xi_i x_i - \zeta_i\,\tilde p(\rho_i x_{i-1}), \quad i \ne 1 \qquad (4.10b)$$
$$\dot x(0,j) = -\xi^f_{(0,j)}\,x(0,j) - \zeta^f_{(0,j)}\,\tilde p\big(\rho^f_{(0,j)}\,x(1,n-1)\big) - \xi^c_{(0,j)}\,x(0,j) - \zeta^c_{(0,j)}\,\tilde p\big(\rho^c_{(0,j)}\,x(1,j)\big) \qquad (4.11a)$$
$$\dot x(1,j) = -\xi^f_{(1,j)}\,x(1,j) - \zeta^f_{(1,j)}\,\tilde p\big(\rho^f_{(1,j)}\,x(0,n-1)\big) - \xi^c_{(1,j)}\,x(1,j) - \zeta^c_{(1,j)}\,\tilde p\big(\rho^c_{(1,j)}\,x(0,j)\big) \qquad (4.11b)$$
Note that for the even stage RO, in addition to the path subscripts representing upper
and lower paths, we use the f and c superscripts differentiating between the forward
and cross-coupled inverters supplying the currents at a particular node.
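Added derivation, not part of the thesis, showing with the symbols of Eq. 4.8 and Eq. 4.10 why the dead set of an odd stage RO is a single attracting direction of the equilibrium $x_e = 0$ while the remaining directions are repelled once the stage gain is large enough. It assumes identical stages ($\xi_i = \xi$, $\zeta_i = \zeta$, $\rho_i = \rho$) and uses only $\tilde p(0) = 0$ and the slope $\tilde p'(0)$ (close to 1, since $\tilde p$ approximates $\tanh$).

Write $(Px)_i = x_{i-1}$ with indices taken modulo $n$, so that $(Px)_1 = x_n$; Eq. 4.10 then reads $\dot x = -\xi x - \zeta\,\tilde p(\rho P x)$ with $\tilde p$ applied componentwise, and its Jacobian at $x_e = 0$ is
$$J = -\xi I - \zeta\rho\,\tilde p'(0)\,P .$$
$P$ is a cyclic permutation, so its eigenvalues are the $n$-th roots of unity $\omega_k = e^{2\pi i k/n}$, $k = 0, \dots, n-1$, with eigenvectors $v_k = (\omega_k^{-1}, \omega_k^{-2}, \dots, \omega_k^{-n})$, and therefore
$$\lambda_k = -\xi - \zeta\rho\,\tilde p'(0)\,\omega_k, \qquad \operatorname{Re}\lambda_k = -\xi - \zeta\rho\,\tilde p'(0)\cos\frac{2\pi k}{n}.$$
For $k = 0$ the eigenvector is $v_0 = (1, \dots, 1)$, which spans the line $x_1 = \dots = x_n$, and $\lambda_0 = -\xi - \zeta\rho\,\tilde p'(0) < 0$: by the symmetry of Eq. 4.10 a trajectory started on this line stays on it, and under the linearisation it decays to $x_e$; for $n = 3$ this line is the dead set $\mathcal{X}_{dead}$. For odd $n$ the largest real part occurs at $k = (n \pm 1)/2$, where $\cos(2\pi k/n) = -\cos(\pi/n)$, so $x_e$ repels every other direction iff
$$\zeta\rho\,\tilde p'(0)\cos\frac{\pi}{n} > \xi \quad\Longleftrightarrow\quad \frac{V_{sat}}{V_s}\,\tilde p'(0)\cos\frac{\pi}{n} > 1,$$
using $\xi = 1/T$, $\zeta = V_{sat}/T$ and $\rho = 1/V_s$ from Eq. 4.8. For the three stage RO this is $V_{sat}/V_s > 2$ (taking $\tilde p'(0) \approx 1$), so the slope and saturation parameters whose bounds capture device variation and noise in Sec. 4.1.1.1 are exactly the ones that decide whether the oscillation can start. For even $n$ the most unstable eigenvalue ($k = n/2$, $\omega_k = -1$) is real, so a plain even ring latches rather than oscillates.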
4.1.1.2 Different Modelling Strategies for Odd and Even Topologies of RO
In this thesis, we consider two different topologies of ROs: the odd stage RO and the even stage RO, as shown in Fig. 4.1. For an odd stage RO, we use the standard modelling approach, considering every node voltage as a state variable. On the other hand, for an even stage RO we use the strategy suggested in [109]: instead of the individual voltages on the oscillator nodes, we consider the differential and common mode operation. This is useful since it halves the dimension of the system and allows the analysis of the two modes to be performed in isolation.
Node voltages x(0, j) and x(1, j) of the even stage RO form differential pairs for all
j = 0, 1...n. The differential component of the differential pair is x(0, j) − x(1, j), and
the common mode component is x(0, j) + x(1, j). The even stage RO, while operating
normally, has its oscillation manifested in the differential mode, whereas its common
mode settles to the constant zero value. While we treat these two modes separately in
the verification process, the overall verification depends on their combined verification.
Note further that, while treating these two modes separately, we work with a system of half the dimension of the full even stage RO system. This greatly eases the verification process and reduces the overall computational time. If we assume that the inverters are identical then, $\forall j \in [0, n-1]$, $\forall x \in \mathcal{X}$ such that $x(0,j) = x(1,j)$, we have $\lim_{t\to\infty}\Phi(x,t) = x_e$. This means that the set
$$\{x : x(0,j) = x(1,j),\ \forall j \in [0, n-1]\} \subseteq \mathcal{X}_{dead}. \qquad (4.12)$$
Similarly, for the three stage odd RO, if $x_1 = x_2 = x_3$ then $\lim_{t\to\infty}\Phi(x,t) = x_e$.
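The inverter model of Eq. 4.4 to 4.9, the RO equations of Eq. 4.10 and 4.11 and the differential/common mode split of this section, as an added example that is not code from the thesis: it fits the odd polynomial $\tilde p$ to $\tanh$ by least squares, builds the vector fields, integrates them with RK4 and checks that a generic start of a three stage odd RO keeps oscillating while a start on the dead set $x_1 = x_2 = x_3$ decays to $x_e = 0$, and that for a two stage even RO the differential mode keeps oscillating while the common mode settles to zero. The parameter values ($T = 1$, $V_{sat} = 1$, the choices of $V_s$), the initial conditions and the reading of Eq. 4.11 (the displayed form taken as the $j = 0$ wrap-around case, stage $j > 0$ fed by stage $j - 1$) are assumptions; only the Python standard library is used.

```python
"""Added example (not from the thesis): tanh inverter model of Eq. 4.4-4.9 with a
least-squares odd polynomial p~ in place of tanh, and RK4 simulation of a 3-stage odd
RO (Eq. 4.10) and a 2-stage cross-coupled even RO (Eq. 4.11) in differential /
common-mode coordinates.  Parameter values and initial conditions are assumptions."""
import math


def gauss_solve(a, b):
    """Solve the small dense system a x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            fac = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= fac * m[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (m[r][n] - sum(m[r][c] * x[c] for c in range(r + 1, n))) / m[r][r]
    return x


def fit_tanh(degree, half_range=2.0, samples=2001):
    """Least-squares odd polynomial p~(u) ~ tanh(u) on [-half_range, half_range].
    Odd powers only, so p~(0) = 0 exactly; the fit is done in t = u/half_range in [-1, 1]
    to keep the normal equations reasonably conditioned.  Returns (p~, max abs error)."""
    assert degree % 2 == 1
    powers = range(1, degree + 1, 2)
    ts = [-1.0 + 2.0 * i / (samples - 1) for i in range(samples)]
    ys = [math.tanh(half_range * t) for t in ts]
    gram = [[sum(t ** (p + q) for t in ts) for q in powers] for p in powers]
    rhs = [sum(y * t ** p for t, y in zip(ts, ys)) for p in powers]
    coef = gauss_solve(gram, rhs)          # coefficients of t, t^3, ..., t^degree

    def p_tilde(u):
        t = u / half_range
        acc = 0.0
        for c in reversed(coef):           # Horner's rule in t^2
            acc = acc * t * t + c
        return acc * t

    return p_tilde, max(abs(p_tilde(half_range * t) - y) for t, y in zip(ts, ys))


def odd_ro_field(xi, zeta, rho, p_tilde):
    """Eq. 4.10, identical stages: x_i' = -xi x_i - zeta p~(rho x_{i-1}); x_1 is fed by x_n."""
    return lambda x: [-xi * x[i] - zeta * p_tilde(rho * x[i - 1]) for i in range(len(x))]


def even_ro_field(xi, zf, rf, zc, rc, p_tilde, n):
    """Eq. 4.11 read as: stage j > 0 is fed by stage j-1, the wrap-around into stage 0 is
    crossed (upper node from x(1,n-1), lower from x(0,n-1)), and every node also gets the
    cross-coupled inverter driven by the opposite node.  State: [x(0,0..n-1), x(1,0..n-1)]."""
    def f(x):
        up, lo, d_up, d_lo = x[:n], x[n:], [], []
        for j in range(n):
            src_up, src_lo = (lo[n - 1], up[n - 1]) if j == 0 else (up[j - 1], lo[j - 1])
            d_up.append(-xi * up[j] - zf * p_tilde(rf * src_up) - zc * p_tilde(rc * lo[j]))
            d_lo.append(-xi * lo[j] - zf * p_tilde(rf * src_lo) - zc * p_tilde(rc * up[j]))
        return d_up + d_lo
    return f


def simulate(f, x0, dt, steps):
    """Fixed-step RK4; returns the list of states including x0."""
    x, traj = list(x0), [list(x0)]
    for _ in range(steps):
        k1 = f(x)
        k2 = f([a + 0.5 * dt * b for a, b in zip(x, k1)])
        k3 = f([a + 0.5 * dt * b for a, b in zip(x, k2)])
        k4 = f([a + dt * b for a, b in zip(x, k3)])
        x = [a + dt / 6.0 * (p + 2 * q + 2 * r + s) for a, p, q, r, s in zip(x, k1, k2, k3, k4)]
        traj.append(x)
    return traj


def odd_ro_demo(T=1.0, vsat=1.0, vs=1.0 / 3.0, dt=0.02, steps=4000):
    """3-stage odd RO with xi = 1/T, zeta = Vsat/T, rho = 1/Vs (Eq. 4.8).  Per-stage gain
    Vsat/Vs = 3 exceeds the threshold 2 of a 3-stage ring, so x_e = 0 is unstable except
    along the dead set x_1 = x_2 = x_3."""
    xi, zeta, rho = 1.0 / T, vsat / T, 1.0 / vs
    p_tilde, _ = fit_tanh(13, half_range=1.1 * rho * vsat)   # inputs stay within |x_i| <= Vsat
    f = odd_ro_field(xi, zeta, rho, p_tilde)
    osc = simulate(f, [0.2, 0.0, -0.1], dt, steps)            # generic start, outside X_dead
    dead = simulate(f, [0.5, 0.5, 0.5], dt, steps)            # start inside X_dead
    tail = [s[0] for s in osc[-steps // 4:]]
    return {"swing": max(tail) - min(tail), "dead_final": max(abs(v) for v in dead[-1])}


def even_ro_demo(T=1.0, vsat=1.0, vs=2.0 / 3.0, dt=0.02, steps=4000):
    """2-stage even RO, identical forward and cross-coupled inverters (gain Vsat/Vs = 1.5 > xi).
    The differential mode x(0,j) - x(1,j) keeps oscillating; the common mode settles to 0."""
    xi, z, r = 1.0 / T, vsat / T, 1.0 / vs
    p_tilde, _ = fit_tanh(13, half_range=1.1 * r * 2 * vsat)  # node swing is bounded by 2 Vsat
    f = even_ro_field(xi, z, r, z, r, p_tilde, n=2)
    traj = simulate(f, [0.3, -0.2, 0.25, 0.1], dt, steps)     # non-zero common mode at t = 0
    diff0 = [s[0] - s[2] for s in traj[-steps // 4:]]
    last = traj[-1]
    return {"diff_swing": max(diff0) - min(diff0),
            "common_final": max(abs(last[j] + last[2 + j]) for j in range(2))}


if __name__ == "__main__":
    print("max |p~ - tanh| on [-2, 2]: degree 7 = %.2e, degree 13 = %.2e"
          % (fit_tanh(7)[1], fit_tanh(13)[1]))
    print("odd RO :", odd_ro_demo())
    print("even RO:", even_ro_demo())
```

Run directly to print the fit errors and both demos; the swing values are peak-to-peak over the last quarter of each run, and the polynomial is fitted over the state box the simulation actually visits rather than over $[-2, 2]$, since $\tilde p$ is only trustworthy inside its fit range.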
[Figure 4.3: RO inevitability verification methodology. $S_1$ and $S_2$ are separated by the solid blue circle; dashed red circle: limit cycle $\gamma$; solid straight line: dead set $\mathcal{X}_{dead}$; inner pink circle: $B_r$. Axes span roughly $[-1.5, 1.5] \times [-1, 1]$.]
4.1.2 RO CDS Properties Verification using Lyapunov-like
Certificates
We have seen in Chapter 3 the usefulness of Lyapunov certificates in verifying the
attractive invariance of a compact set. Furthermore, an Escape certificate is useful for disproving the invariance of a set. Lyapunov-like certificates have also been
used for other interesting properties of CDS such as eventuality, avoidance, instability
etc [80]. In this chapter, we use several Lyapunov-like certificates verifying the almost
global inevitability of the limit cycle γ. These certificates are used to verify properties of
different natures defined in various subsets of the CDS state space as shown in Fig. 4.3.
The standard Lyapunov certificate can not be used for showing the attractive invariance
of a set containing a limit cycle. Instead, in order to show invariance of a set containing
a limit cycle, we use a Lyapunov-like certificate presented in [92].
Definition 4.6. A set $\mathcal{X}_{AI} \subset \mathcal{X}$ is called an attractive invariant (AI) with respect to a limit cycle $\gamma \subset \mathcal{X}_{AI}$ iff $\forall x_0 \in \mathcal{X}_{AI}$, $\forall t$, $\Phi(x_0, t) \in \mathcal{X}_{AI}$, and $\forall x_0 \notin \mathcal{X}_{AI}$, $\lim_{t\to\infty}\Phi(x_0, t) \in \mathcal{X}_{AI}$.
The lemma used in [92] shows not only invariance of a set, but convergence of outside
trajectories to the invariant set as well. This lemma is stated below.
Lemma 4.1. If there exists a polynomial with real coefficients $V : \mathbb{R}^n \to \mathbb{R}$, $\epsilon > 0$ and a minimum $\eta > 0$ such that
$$V(x) > 0, \quad \forall x \in \mathbb{R}^n \setminus \{0\} \qquad (4.13a)$$
$$\{V(x) \le 1\} \subseteq \{q(x) \le \eta\} \qquad (4.13b)$$
$$\{V(x) \ge 1\} \subseteq \Big\{\frac{\partial V}{\partial x}(x)\cdot f(x,u) \le -\epsilon\Big\} \qquad (4.13c)$$
then the set $S_2 := \{V(x) \le 1\}$ is an invariant set for Eq. 4.1, and it is contained in the set $\{q(x) \le \eta\}$. Furthermore, $\forall x_0 \in \{V(x) > 1\}$, $\lim_{t\to\infty}\Phi(x_0, t) \in \{V(x) \le 1\}$.
Proof. [92]. Trajectories starting inside the set $S_2$ (Fig. 4.3) cannot leave this set, as the derivative of $V(x)$ is strictly negative on the boundary of this set. That shows that the set $S_2$ is an invariant set. For trajectories starting in the set $S_1 := \{V(x) > 1\}$, suppose $V(x(0)) = k$, $k > 1$; then from the condition
$$\frac{\partial V}{\partial x}(x)\cdot f(x,u) \le -\epsilon,$$
we have, as long as $x(t)$ remains in $S_1$,
$$V(x(t)) \le V(x(0)) - \epsilon t .$$
This shows that the value of $V(x(t))$ will decrease to 1 within the time interval $(0, (k-1)/\epsilon]$. This implies that all trajectories starting in the set $V(x) \le k$, for $k \ge 1$, will eventually enter the set $V(x) \le 1$.
Inside the set S2, trajectories may end up either belonging to the dead set Xdead, or
reach to within a small distance of the limit cycle $\gamma$. Let us define a set $B_r = \{V(x) \le r\}$, $0 < r < 1$, shown as the pink circle in Fig. 4.3. This figure also shows the sets $S_1$, $S_2$,
Xdead, and the limit cycle γ. To show trajectories starting in the set Br \ Xdead are not
trapped in the dead set Xdead, and eventually escape to the set S2 \ Br, we introduce
an Escape certificate similar to the Chetaev’s instability certificate [61].
Lemma 4.2. For a compact set $B_r \subset S_2$, if there is a differentiable Escape certificate $E : \mathbb{R}^n \to \mathbb{R}$ such that
$$E(x) = 0, \quad \forall x \in \mathcal{X}_{dead} \qquad (4.14a)$$
$$E(x) > 0, \quad \forall x \in B_r \setminus \mathcal{X}_{dead} \qquad (4.14b)$$
$$\frac{\partial E}{\partial x}(x)\cdot f(x,u) > 0, \quad \forall x \in B_r \setminus \mathcal{X}_{dead} \qquad (4.14c)$$
then $\forall x_0 \in B_r \setminus \mathcal{X}_{dead}$, $\lim_{t\to\infty}\Phi(x_0, t) \notin B_r$.
Proof. Assume that there exists $x_0 \in B_r \setminus \mathcal{X}_{dead}$ such that $x(t) = \Phi(x_0, t)$ starting at $x_0$ remains in $B_r$ as $t \to \infty$. From Eq. 4.14c of Lemma 4.2,
$$E(x(t)) = E(x_0) + \int_0^t \frac{\partial E}{\partial x}(x(\tau))\cdot f(x(\tau),u)\,d\tau > 0, \qquad \lim_{t\to\infty} E(x(t)) = \infty .$$
This contradicts the assumption, as $E(x(t))$ must remain bounded if $x(t)$ is to stay in the bounded set $B_r$. Furthermore, $x(t)$ cannot reach the set $\mathcal{X}_{dead}$, since $E(x) = 0$ for all $x \in \mathcal{X}_{dead}$ whereas $E(x(t)) \ge E(x_0) > 0$ is non-decreasing along the trajectory. Therefore, $x(t)$ has to escape the set $B_r$ in finite time and reach the set $S_2 \setminus B_r$.
Corollary 4.1. Assuming the RO does not have a chaotic behaviour, the set S2 \ Br
must have a limit cycle.
Though in this thesis, we assume the location of γ is given, we can use Cor. 4.1 to find
a set where there must be a limit cycle.
To show that trajectories in the set $S_2 \setminus B_r$ reach a set in close proximity to the limit cycle $\gamma$, we use the Eventuality certificate presented in [80]. Let us have a set $\mathcal{X}_{LC}$ such that $\|y - x\| \le \alpha$, $\forall x \in \mathcal{X}_{LC}$, $y \in \gamma$, $\alpha > 0$.
Theorem 4.1. If there exists a differentiable certificate of eventuality $\mathcal{E} : \mathbb{R}^n \to \mathbb{R}$ satisfying the following conditions
$$\mathcal{E}(x) \le 0, \quad \forall x \in (S_2 \setminus B_r) \setminus \mathcal{X}_{dead} \qquad (4.15a)$$
$$\mathcal{E}(x) > 0, \quad \forall x \in Cl\big(bd(S_2) \setminus bd(\mathcal{X}_{LC})\big) \qquad (4.15b)$$
$$\frac{\partial \mathcal{E}}{\partial x}(x)\cdot f(x,u) < 0, \quad \forall x \in Cl(S_2 \setminus \mathcal{X}_{LC}) \qquad (4.15c)$$
then for all initial conditions $x_0 \in S_2 \setminus B_r$, the trajectory $x(t)$ satisfies $x(T) \in \mathcal{X}_{LC}$ for some $T \ge 0$, and for all $t \in [0, T]$, $x(t) \in \mathcal{X}$. Here $Cl$ and $bd$ denote the closure and boundary of a closed set respectively.
Proof. [80]. Let us assume $x_0 \in (S_2 \setminus B_r) \setminus \mathcal{X}_{dead}$. The corresponding trajectory $x(t)$ starting at $x_0$ must leave $S_2 \setminus \mathcal{X}_{LC}$ in finite time, since Eq. 4.15c is strictly negative and $\mathcal{E}(x)$ is bounded from below in this set. Let us suppose $x(t)$ leaves $S_2$ without reaching $\mathcal{X}_{LC}$. Eq. 4.15b of the theorem states that $\mathcal{E}(x)$ is strictly positive on the boundary $Cl(bd(S_2) \setminus bd(\mathcal{X}_{LC}))$, which contradicts the assumption, as $\mathcal{E}(x)$ has to be non-positive there. Therefore, $x(t)$ must reach $\mathcal{X}_{LC}$ before leaving $S_2$.
We use these three certificates to verify the almost global inevitability of the limit
cycle γ, for the odd and the differential mode of the even stage RO. For the common
mode of the even stage RO, we further show that common mode voltages settle down
to zero in the steady state. We verify this using the Lyapunov certificate restated for
the common mode in Th. 4.2.
Theorem 4.2. For the CDS of the RO with the vector field given in Eq. 4.1, and with the state vector replaced by $x = \{x(0,0)+x(1,0),\ x(0,1)+x(1,1),\ \dots,\ x(0,n-1)+x(1,n-1)\}$, let us assume an invariant set $\mathcal{X}_{com}$, which we call the common mode state space. Note that the assumption of this set being invariant holds since the node voltages cannot go beyond the supply and ground voltages. If there exists a Lyapunov certificate $L(x)$ such that
$$L(0) = 0 \qquad (4.16a)$$
$$L(x) > 0, \quad \forall x \in \mathcal{X}_{com} \setminus \{0\} \qquad (4.16b)$$
$$\frac{\partial L}{\partial x}(x)\, f(x,u) < 0, \quad \forall x \in \mathcal{X}_{com} \setminus \{0\} \qquad (4.16c)$$
then the set $\{x = 0\}$ is asymptotically stable, and $\forall x \in \mathcal{X}_{com}$, $\lim_{t\to\infty}\Phi(x, t) = 0$.
We avoid giving proof of Th 4.2 and readers are directed to [61, Ch.4].
4.2 AGI Verification of RO
4.2.1 Formulation of the Verification Problem
An exhaustive search of the complete state space is necessary to verify the almost global inevitability property. This search cannot be formulated as a single deductive certificate query. Therefore, we use a divide and conquer strategy and split the property into several sub-properties. Every sub-property is verified in a subset of the state space, thus making the verification task less complex. We introduce two compact sets $S_1$ and $S_2$ such that $S_1 \cap S_2 = \emptyset$ and $S_1 \cup S_2 = \mathcal{X}$. We further define the set $B_r \subset S_2$.
These sets along with the limit cycle γ and the dead set Xdead are shown in Fig. 4.3.
For illustration purposes, we have shown the projection of an RO vector field on a
two dimensional space. In an actual three/four dimensional space, the dead set does
not intersect the limit cycle and in the differential mode it is shifted to the origin. We
formulate verification of the AGI property as the conjunction of several sub-properties
defined below.
Property 4.1. $\forall x_0 \in S_1$: $\lim_{t\to b}\Phi(x_0, t) \in S_2$, $b \in \mathbb{R}_{\ge 0}$, and $\forall x_0 \in S_2$: $\lim_{t\to\infty}\Phi(x_0, t) \in S_2$.
Property 4.2. $\forall x_0 \in B_r \setminus \mathcal{X}_{dead}$: $\lim_{t\to\infty}\Phi(x_0, t) \notin \mathcal{X}_{dead}\ \wedge\ \lim_{t\to\infty}\Phi(x_0, t) \in S_2 \setminus B_r$.
Property 4.3. $\forall x_0 \in S_2 \setminus B_r$: $\lim_{t\to b}\|y - \Phi(x_0, t)\| \le \alpha$, $y \in \gamma$, $b \in \mathbb{R}_{\ge 0}$, $\alpha > 0$.
We define the last property, characterizing the common mode behaviour of the even stage RO in the invariant set $\mathcal{X}_{com}$.
Property 4.4. $\forall x_0 \in \mathcal{X}_{com}$: $\lim_{t\to\infty}\Phi(x_0, t) = 0$.
If we denote the almost global inevitability property by $\varphi$, Property 4.1 by $\varphi_1$, Property 4.2 by $\varphi_2$, Property 4.3 by $\varphi_3$, and Property 4.4 by $\varphi_4$, then we have
$$\varphi = \varphi_1 \wedge \varphi_2 \wedge \varphi_3 \qquad (4.17)$$
for the odd stage RO, and
$$\varphi = \varphi_1 \wedge \varphi_2 \wedge \varphi_3 \wedge \varphi_4 \qquad (4.18)$$
for the even stage RO. A trajectory $x(t)$ of the odd stage RO satisfies $\varphi$ iff it satisfies $\varphi_1$ in $S_1$, $\varphi_2$ in $B_r$, and $\varphi_3$ in $S_2 \setminus B_r$, i.e.,
$$\forall x \in \mathcal{X}:\ x \models \varphi \iff (x \models \varphi_1\ \forall x \in S_1) \wedge (x \models \varphi_2\ \forall x \in B_r) \wedge (x \models \varphi_3\ \forall x \in S_2 \setminus B_r). \qquad (4.19)$$
Similarly, for an even stage RO,
$$\forall x \in \mathcal{X}:\ x \models \varphi \iff (x \models \varphi_1\ \forall x \in S_1) \wedge (x \models \varphi_2\ \forall x \in B_r) \wedge (x \models \varphi_3\ \forall x \in S_2 \setminus B_r) \wedge (x \models \varphi_4\ \forall x \in \mathcal{X}_{com}). \qquad (4.20)$$
4.2.2 The SOS-QE Approach to Verify AGI
In what follows, we formulate the properties stated in Sec. 4.2.1 as quantified FOFs
over real polynomials. We verify these FOFs by numerically searching for a feasible
certificate satisfying the conditions of these formulas. Having numerical imprecisions,
we verify, using symbolic QE, the validity of these certificates by checking falsification
of the negation of the universally quantified formulas. We represent the set $\mathcal{X}$ by the semi-algebraic set $g_k(x) \ge 0$, $k = 1, \dots, n$, where $g(x)$ is the vector of polynomials
$$g(x) = \begin{bmatrix} (x_1 - x_1^L)(x_1^U - x_1) \\ (x_2 - x_2^L)(x_2^U - x_2) \\ \vdots \\ (x_n - x_n^L)(x_n^U - x_n) \end{bmatrix}$$
Here $x_n$ stands for the node voltage $x_n$ of the odd stage RO, and for $x(0,n) - x(1,n)$ in the differential mode of the even stage RO. Similarly, the parameter space $\mathcal{U}$ is represented by the inequalities $a_j(u) \ge 0$, $j = 1, \dots, m$.
4.2.2.1 Verification of ϕ1
The description of the Property ϕ1 states that the set S2 is invariant and that trajec-
tories in the set S1 are bound to reach S2. To verify this property, we use Lemma 4.1
and encode its conditions as a FOF ψ0, given below.
$$\psi_0 := \exists p \in P : \psi_1, \qquad \psi_1 := \forall x \in \mathcal{X} : \psi_2,$$
$$\psi_2 := \big(x \ne 0 \implies V(p,x) > 0\big) \wedge \big(1 - V(p,x) \ge 0 \implies \eta - q(x) \ge 0\big) \wedge \Big(V(p,x) - 1 \ge 0 \implies \frac{\partial V}{\partial x}(p,x)\cdot f(x,u) \le -\epsilon\Big)$$
Here $p \in P$ represents the coefficients of the certificate $V$. A sufficient condition
for the verification of the property ϕ1 is stated in the following theorem.
Theorem 4.3. If there is a feasible certificate $V(x)$ fulfilling the conditions in Lemma 4.1, then $(x \models \psi_0 \iff x \models \varphi_1)$, $\forall x_0 \in S_1 = \{V(p,x) - 1 \ge 0\} \cap \{g_k(x) \ge 0\}$, and $\forall x_0 \in S_2 = \{V(p,x) \le 1\}$.
Proof. Follows directly from Lemma 4.1. Existence of $V(x)$ fulfilling the conditions in Lemma 4.1 verifies $\psi_0$. Therefore, we have $\forall x_0 \in \{V(p,x) - 1 \ge 0\}$, $\lim_{t\to\infty}\Phi(x_0, t) \in \{V(x) \le 1\}$. Also, $\forall x_0 \in \{V(p,x) \le 1\}$, $\lim_{t\to\infty}\Phi(x_0, t) \in \{V(p,x) \le 1\}$. Since we have $S_1 = \{V(p,x) - 1 \ge 0\} \cap \{g_k(x) \ge 0\}$ and $S_2 = \{V(x) \le 1\}$, therefore $x \models \varphi_1$.

Algorithm 4 Verification of Property ϕ1
INPUT: RO CDS
OUTPUT: ϕ1 Verified/No-answer, S2
1: S2 ← ∅
2: V ← Parametrize(V) ; set degree d and parameters p of the polynomial V
3: if V is feasible (fulfilling Lemma 4.1) then
4:     if x ⊭ ¬ψ1, ∀x ∈ (V ≥ 1), ∀x ∈ (V ≤ 1) then
5:         S2 ← (V ≤ 1)
6:         S1 ← (V ≥ 1) ∩ (gk(x) ≥ 0)
7:         (x ⊨ ϕ1 ⟺ x ⊨ ψ0)
8:         break
9:     else if d of V < b then ; b is a user-defined upper bound on degree d
10:        increase degree d of V ; d is incremented by 2
11:        goto Line 2
12:    else
13:        break
14:    end if
15: else if d of V < b then
16:    increase degree d of V
17:    goto Line 2
18: else
19:    break
20: end if
21: if d = b and x ⊭ ϕ1 then
22:    No answer about ϕ1
23: end if
24: return S2 and truth value of ϕ1
The verification of ϕ1 is associated with the existence of a certificate V (x) that fulfils
the condition of Lemma 4.1. Therefore, we start by searching for a feasible certificate
V (x) using Alg. 4. The search for V (x) is performed following a numeric-symbolic
approach utilizing two algebraic geometry tools, i.e. SOS programming and QE. The
input of the algorithm is the CDS representing the RO and its output is the truth
value of the property ϕ1 and the set S2. The algorithm starts by initializing the set
S2 (Line-1). This is followed by parametrizing the certificate V (x) setting its degree d,
and declaring the coefficient parameters $p$ (Line 2). Note that $d$ is initially set to 2. The feasibility of the certificate $V(x)$ is checked in Line 3 of the algorithm. If there are SOS multipliers $\{s_1^k, s_2, s_3, s_4^k, s_5^j\} \in \mathcal{S}_n$, $\forall k \in \{1,..,n\}$, $\forall j \in \{1,..,m\}$, a positive number $\epsilon > 0$ and a minimum $\eta > 0$, then, $\forall x \in \mathcal{X}$, $x \ne 0$, we can check the feasibility of $V(x)$ using the following SOS program.
$$V(x) - \epsilon - \sum_{k=1}^n s_1^k(x)\, g_k(x) \in \mathcal{S}_n \qquad (4.21a)$$
$$(\eta - q(x)) - s_2(x)\,(1 - V(x)) \in \mathcal{S}_n \qquad (4.21b)$$
$$\Big(-\epsilon - \frac{\partial V}{\partial x}(x)\cdot f(x,u)\Big) - s_3(x)\,(V(x) - 1) - \sum_{k=1}^n s_4^k(x)\, g_k(x) - \sum_{j=1}^m s_5^j(x)\, a_j(u) \in \mathcal{S}_n \qquad (4.21c)$$
Here $V(x)$, $s_1^k$, $s_2$, $s_3$, $s_4^k$, $s_5^j$ are polynomials of degree $d$.
In this SOS program, constraint 4.21a enforces positive definiteness on the certificate $V(x)$ by introducing a small positive number $\epsilon$. This constraint has to be satisfied in the state space $\mathcal{X}$ defined by the inequalities $g_k(x) \ge 0$, $k \in \{1,..,n\}$. Constraint 4.21b ensures that $\{V(x) \le 1\} \subseteq \{q(x) \le \eta\}$. Constraint 4.21c incorporates the set inclusion $\{V(x) \ge 1\} \subseteq \{\frac{\partial V}{\partial x}(x)\cdot f(x,u) \le -\epsilon\}$. This constraint has additional constraints of state space and parameters defined by $g_k(x) \ge 0$ and $a_j(u) \ge 0$ respectively. The domain and parameter constraints are incorporated using the S-procedure discussed in Sec. 2.4.4.
Note that, due to product terms, s2(x)(1− V (x)), and s3(x)(V (x)− 1), the above SOS
program is non-convex and can not be solved by convex semi-definite programming.
To work around this, we use an iterative convexification process; fixing s2(x), s3(x),
finding V (x) and vice versa.
Proposition 4.1. If the SOS program in Eq. 4.21 is feasible, then the certificate $V(x)$ satisfies the conditions of Lemma 4.1.
Proof. Eq. 4.21a being SOS, $V(x) - \epsilon - \sum_{k=1}^n s_1^k(x) g_k(x) \ge 0$. Since $s_1^k$ is SOS for all $k = 1,..,n$, $g_k(x) \ge 0$ for all $k = 1,..,n$ on $\mathcal{X}$, and $\epsilon > 0$, we have $V(x) \ge \epsilon > 0$, $\forall x \in \mathcal{X}$, $x \ne 0$. Similarly, Eq. 4.21b being SOS with $s_2$ SOS gives $(\eta - q(x)) \ge s_2(x)(1 - V(x)) \ge 0$ whenever $V(x) \le 1$. This shows $\{V(x) \le 1\} \subseteq \{q(x) \le \eta\}$. Lastly, since Eq. 4.21c is SOS,
$$\Big(-\epsilon - \frac{\partial V}{\partial x}(x)\cdot f(x,u)\Big) - s_3(x)\,(V(x) - 1) - \sum_{k=1}^n s_4^k(x)\, g_k(x) - \sum_{j=1}^m s_5^j(x)\, a_j(u) \ge 0 .$$
Since $\epsilon > 0$, $s_3(x)$, $s_4^k(x)$, $s_5^j(x)$ are SOS for all $k = 1,..,n$ and $j = 1,..,m$, $g_k(x) \ge 0$ for all $k = 1,..,n$, and $a_j(u) \ge 0$ for all $j = 1,..,m$, we have $-\epsilon - \frac{\partial V}{\partial x}(x)\cdot f(x,u) \ge s_3(x)(V(x) - 1) \ge 0$ whenever $V(x) \ge 1$. This shows $\{V(x) \ge 1\} \subseteq \{\frac{\partial V}{\partial x}(x)\cdot f(x,u) \le -\epsilon\}$.
The above SOS program, if feasible, returns a certificate of invariance V (x) with its
parameters p fixed within a limited numerical precision. The numerical inaccuracies,
caused by the numerical SOS programming, may change the validity of the certificate
V (x) for ill-posed systems. Therefore, adopting a conservative approach, we further
verify this certificate using symbolic QE. Note that in QE, coefficients are represented
in $\mathbb{Q}$. Using QE, we check the falsification of the negation of the formula $\psi_1$, a boolean combination of polynomial inequalities with universal quantification only. We use the formula $\psi_1$ and not $\psi_0$, since the certificate $V(x)$ returned by the SOS program has a fixed structure and can be encoded as a FOF which is only universally quantified. We verify the disjunctive normal form (DNF) of the formula $\neg\psi_1$¹ shown below; negating the universal quantifier turns it into an existential query, for which QE must return "false".
$$\neg\psi_1 := \exists x \in \mathcal{X} : \neg\psi_2$$
$$\neg\psi_2 := V(p,0) \ne 0 \ \vee\ \big(x \ne 0 \wedge V(p,x) \le 0\big) \ \vee\ \big(1 - V(p,x) \ge 0 \wedge \eta - q(x) < 0\big) \ \vee\ \Big(V(p,x) - 1 \ge 0 \wedge \frac{\partial V}{\partial x}(p,x)\cdot f(x,u) > -\epsilon\Big)$$
On the refutation of $\neg\psi_1$, we conclude $(x \models \varphi_1 \iff x \models \psi_0)$, $\forall x \in S_1$, $\forall x \in S_2$ (Lines 4-7). If either the SOS program for a certificate $V(x)$ of degree $d$ is infeasible, or the QE tool returns a true valuation of the formula $\neg\psi_1$, we repeat the process by increasing the degree $d$ of the certificate $V(x)$ (Lines 9-11 and Lines 15-17). Note that the degree $d$ is incremented by 2 until it reaches a user-defined upper bound $b$. If a desired certificate $V(x)$ cannot be found, the algorithm concludes inconclusiveness about the truth value of $\varphi_1$ (Lines 21-22). For a valid certificate $V(x)$, the algorithm returns the invariant set $S_2 = \{V(x) \le 1\}$ (Line 5, Line 24). Since our certificate based deductive approach is a sufficient criterion for the verification of property $\varphi_1$, inconclusiveness of the result
a sufficient criterion for the verification of property ϕ1, inconclusiveness of the result
¹ $J \implies K \equiv \neg J \vee K$, and $\neg(\neg J \vee K) \equiv J \wedge \neg K$.
does not imply falsification of the property. It is still quite possible, by searching for an
even higher degree certificate V (x), that we are able to verify the property ϕ1.
4.2.2.2 Verification of ϕ2 and ϕ3
The description of ϕ2 and ϕ3 states that no trajectory in the set Br \ Xdead can be
trapped in the set Xdead, and that every trajectory will eventually escape the set Br \
Xdead. Furthermore, all trajectories in the set S2 \Br eventually reach to a set within a
small distance of the limit cycle γ. These characteristics of trajectories can be described
by the Escape certificate of Lemma 4.2, and by the Eventuality certificate of Th. 4.1.
Therefore, to verify properties ϕ2 and ϕ3, we use Lemma 4.2, Th. 4.1 and encode their
conditions by FOFs Θ0 and θ0 respectively.
$$\Theta_0 := \exists p \in P : \Theta_1, \qquad \Theta_1 := \forall x \in \mathcal{X} : \Theta_2,$$
$$\Theta_2 := \big(x \in \mathcal{X}_{dead} \implies E(p,x) = 0\big) \wedge \big(x \in B_r \setminus \mathcal{X}_{dead} \implies E(p,x) > 0\big) \wedge \Big(x \in B_r \setminus \mathcal{X}_{dead} \implies \frac{\partial E}{\partial x}(p,x)\cdot f(x,u) > 0\Big).$$
$$\theta_0 := \exists p \in P : \theta_1, \qquad \theta_1 := \forall x \in \mathcal{X} : \theta_2,$$
$$\theta_2 := \big(x \in (S_2 \setminus B_r) \setminus \mathcal{X}_{dead} \implies \mathcal{E}(p,x) \le 0\big) \wedge \big(x \in Cl(bd\,S_2 \setminus bd\,\mathcal{X}_{LC}) \implies \mathcal{E}(p,x) > 0\big) \wedge \Big(x \in Cl(S_2 \setminus \mathcal{X}_{LC}) \implies \frac{\partial \mathcal{E}}{\partial x}(p,x)\cdot f(x,u) < 0\Big).$$
A sufficient condition for the verification of properties ϕ2, and ϕ3 is stated in the
following theorem.
Theorem 4.4. If in the set $(B_r \setminus \mathcal{X}_{dead}) \subset S_2$ there is an Escape certificate $E(x)$ satisfying the conditions of Lemma 4.2, and there is an Eventuality certificate $\mathcal{E}(x)$ in the set $S_2 \setminus B_r$ satisfying the conditions of Th. 4.1, then $(x \models \Theta_0 \iff x \models \varphi_2)$, $\forall x_0 \in B_r \setminus \mathcal{X}_{dead}$, and $(x \models \theta_0 \iff x \models \varphi_3)$, $\forall x_0 \in S_2 \setminus B_r$.
Proof. Existence of the Escape certificate fulfilling the conditions in Lemma 4.2 verifies $\Theta_0$. Therefore, from the conditions of $\Theta_0$, we have $\forall x_0 \in B_r \setminus \mathcal{X}_{dead}$, $\forall t$, $\Phi(x_0, t) \notin \mathcal{X}_{dead}$, and $\lim_{t\to\infty}\Phi(x_0, t) \in S_2 \setminus B_r$. This implies $x \models \varphi_2$, $\forall x_0 \in B_r \setminus \mathcal{X}_{dead}$. Similarly, an Eventuality certificate obeying the conditions of Th. 4.1 verifies $\theta_0$, which consequently, by the same argument as that for $\Theta_0$, verifies $\varphi_3$, $\forall x_0 \in S_2 \setminus B_r$.
From Th. 4.4, we see that while verifying $\varphi_2$ and $\varphi_3$ we require an Escape certificate in the set $B_r$ and an Eventuality certificate in the set $S_2 \setminus B_r$. We search for these two certificates using Alg. 5. The inputs of the algorithm are the RO CDS model and the set $S_2 = \{V(x) \le 1\}$. The algorithm starts with parametrizing the polynomials $E$ and $\mathcal{E}$ and initializing the set $B_r = \{V(x) \le r\}$, $0 < r < 1$ (Line 1). Similar to Alg. 4, we use the numeric-symbolic combination of SOS-QE for the implementation of Alg. 5 (Lines 2-5). We search for the Escape certificate $E(x)$ in the set $B_r$ using the SOS program followed by
its validation through QE. The SOS program is given in Eq. 4.22.
$$E(x) + \sum_{k=1}^n s_6^k(x)\, g_k^{dead}(x) = 0 \qquad (4.22a)$$
$$E(x) - \epsilon - s_7(x)\,(r - V(x)) + \sum_{k=1}^n s_8^k(x)\, g_k^{dead}(x) \in \mathcal{S}_n \qquad (4.22b)$$
$$\frac{\partial E}{\partial x}(x)\cdot f(x,u) - \epsilon - s_9(x)\,(r - V(x)) + \sum_{k=1}^n s_{10}^k(x)\, g_k^{dead}(x) - \sum_{j=1}^m s_{11}^j(x)\, a_j(u) \in \mathcal{S}_n \qquad (4.22c)$$
$\forall x \in B_r$, $\{s_7, s_9, s_{11}^j\} \in \mathcal{S}_n$, $\{s_6^k, s_8^k, s_{10}^k\} \in \mathcal{R}_n$, $\epsilon > 0$, $0 < r < 1$, $\forall k \in \{1,..,n\}$, $\forall j \in \{1,..,m\}$. Here $E$, $s_6^k$, $s_7$, $s_8^k$, $s_9$, $s_{10}^k$, $s_{11}^j$ are polynomials of degree $d$.
The constraint in Eq. 4.22a ensures $E(x) = 0$ in the dead set, represented as $\mathcal{X}_{dead} = \{x \in \mathbb{R}^n : g_k^{dead}(x) = 0,\ k \in \{1,..,n\}\}$. The positive-definiteness of the certificate $E(x)$ in the set $B_r \setminus \mathcal{X}_{dead}$, $B_r = \{V(x) \le r\}$, is ensured by the second constraint, Eq. 4.22b. The last constraint, Eq. 4.22c, ensures positive-definiteness of the derivative of $E(x)$ in the set $B_r \setminus \mathcal{X}_{dead}$. The domain and parameter constraints are incorporated using the S-procedure discussed in Sec. 2.4.4.
Proposition 4.2. If the SOS program in Eq. 4.22 is feasible, then the certificate $E(x)$ satisfies the conditions of Lemma 4.2.
Proof. Eq. 4.22a is $E(x) + \sum_{k=1}^n s_6^k(x) g_k^{dead}(x) = 0$. Since $g_k^{dead}(x) = 0$, $\forall k \in \{1,..,n\}$, on $\mathcal{X}_{dead}$, we have $E(x) = 0$, $\forall x \in \mathcal{X}_{dead}$. The condition Eq. 4.22b is SOS, therefore
$$E(x) - \epsilon - s_7(x)\,(r - V(x)) + \sum_{k=1}^n s_8^k(x)\, g_k^{dead}(x) \ge 0 .$$
Since $\epsilon > 0$, $s_7(x) \ge 0$, and $g_k^{dead}(x) = 0$, $\forall k \in \{1,..,n\}$, we have $E(x) \ge \epsilon + s_7(x)(r - V(x)) - \sum_{k=1}^n s_8^k(x) g_k^{dead}(x)$. Therefore, $\{V(x) \le r\} \setminus \{g_k^{dead}(x) = 0,\ k \in \{1,..,n\}\} \subset \{E(x) > 0\}$. The last constraint, Eq. 4.22c, is also SOS, therefore
$$\frac{\partial E}{\partial x}(x)\cdot f(x,u) - \epsilon - s_9(x)\,(r - V(x)) + \sum_{k=1}^n s_{10}^k(x)\, g_k^{dead}(x) - \sum_{j=1}^m s_{11}^j(x)\, a_j(u) \ge 0 .$$
Since $s_9$ and $s_{11}^j$, $\forall j \in \{1,..,m\}$, are SOS multipliers, $g_k^{dead}(x) = 0$, $\forall k \in \{1,..,n\}$, $a_j(u) \ge 0$, $\forall j \in \{1,..,m\}$, and $\epsilon > 0$, we have $\frac{\partial E}{\partial x}(x)\cdot f(x,u) \ge \epsilon + s_9(x)(r - V(x)) - \sum_{k=1}^n s_{10}^k(x) g_k^{dead}(x)$. Therefore, $\{V(x) \le r\} \setminus \mathcal{X}_{dead} \subset \{\frac{\partial E}{\partial x}(x)\cdot f(x,u) > 0\}$.

Algorithm 5 Verification of Properties ϕ2 and ϕ3
INPUT: System of ODEs for RO, set S2
OUTPUT: ϕ2 and ϕ3 Verified/No-answer
1: Br ← (V(x) ≤ r) ; 0 < r < 1
2: E ← Parametrize(E) ; set degree d and parameters p for E
3: if E is feasible (fulfilling Lemma 4.2) then
4:     if x ⊭ ¬Θ1, ∀x ∈ Br then
5:         (x ⊨ Θ0 ⟺ x ⊨ ϕ2), ∀x ∈ Br
6:         ℰ ← Parametrize(ℰ) ; set degree d and parameters p for ℰ
7:         if ℰ is feasible (fulfilling Th. 4.1) then
8:             if x ⊭ ¬θ1, ∀x ∈ (S2 \ Br) then
9:                 (x ⊨ θ0 ⟺ x ⊨ ϕ3), ∀x ∈ S2 \ Br
10:                break
11:            else if d of ℰ < b then ; b is a user-defined upper bound on degree d
12:                increase degree d of ℰ ; d is incremented by 2
13:                goto Line 6
14:            else
15:                break
16:            end if
17:        else if d of ℰ < b then
18:            increase degree d of ℰ
19:            goto Line 6
20:        else
21:            break
22:        end if
23:    else if d of E < b then ; b is a user-defined upper bound on degree d
24:        increase degree d of E ; d is incremented by 2
25:        goto Line 2
26:    else
27:        break
28:    end if
29: else if d of E < b then
30:    increase degree d of E
31:    goto Line 2
32: else
33:    break
34: end if
35: if no E of degree d ≤ b exists in Br then
36:    No answer about ϕ2
37: end if
38: if no ℰ of degree d ≤ b exists in S2 \ Br then
39:    No answer about ϕ3
40: end if
41: return truth value of ϕ2 and ϕ3
The numerically constructed Escape certificate $E(x)$ is further validated by checking the falsification of the formula $\neg\Theta_1$ using symbolic QE (Lines 4-5). The QE checks the falsification of the DNF of $\neg\Theta_1$ given below.
$$\neg\Theta_1 := \exists x \in \mathcal{X} : \neg\Theta_2$$
$$\neg\Theta_2 := \big(x \in \mathcal{X}_{dead} \wedge E(p,x) \ne 0\big) \ \vee\ \big(x \in B_r \setminus \mathcal{X}_{dead} \wedge E(p,x) \le 0\big) \ \vee\ \Big(x \in B_r \setminus \mathcal{X}_{dead} \wedge \frac{\partial E}{\partial x}(p,x)\cdot f(x,u) \le 0\Big)$$
On falsification of the formula $\neg\Theta_1$, we conclude that $x \models \varphi_2$, $\forall x \in B_r$ (Line 5). If either the SOS program results in an infeasible certificate, or the QE returns a "true" answer for the formula $\neg\Theta_1$, we repeat the process for an increased degree $d$ of the certificate $E(x)$ (Lines 29-31, Lines 23-25). Note that $d$ is incremented by 2 in each iteration until it reaches a user defined upper bound $b$. Similarly, the structure of the Eventuality certificate $\mathcal{E}(x)$ is identified through SOS programming, followed by checking its validity using symbolic QE (Lines 6-22). The SOS program for the
construction of $\mathcal{E}(x)$ is given below.
$$-\mathcal{E}(x) - s_{12}(x)\,(1 - V(x)) + s_{13}(x)\,(r - V(x)) + \sum_{k=1}^n s_{14}^k(x)\, g_k^{dead}(x) + \sum_{k=1}^n s_{15}^k(x)\, g_k^{LC}(x) \in \mathcal{S}_n \qquad (4.23a)$$
$$\mathcal{E}(x) - \epsilon - s_{16}(x)\,(1 - V(x)) \in \mathcal{S}_n \qquad (4.23b)$$
$$-\epsilon - \frac{\partial \mathcal{E}}{\partial x}(x)\cdot f(x,u) - s_{17}(x)\,(1 - V(x)) + \sum_{k=1}^n s_{18}^k(x)\, g_k^{LC}(x) - \sum_{j=1}^m s_{19}^j(x)\, a_j(u) \in \mathcal{S}_n \qquad (4.23c)$$
$\forall x \in \mathcal{X}$, $\{s_{12}, s_{13}, s_{15}^k, s_{17}, s_{18}^k, s_{19}^j\} \in \mathcal{S}_n$, $s_{14}^k \in \mathcal{R}_n$, $\forall k \in \{1,..,n\}$, $\forall j \in \{1,..,m\}$, $\epsilon > 0$. Here $\mathcal{E}(x)$, $s_{12}$, $s_{13}$, $s_{14}^k$, $s_{15}^k$, $s_{16}$, $s_{17}$, $s_{18}^k$, $s_{19}^j$ are polynomials of degree $d$. The multiplier $s_{16}$ belongs to the equality $V(x) = 1$ describing $\partial S_2$ and, as for the other polynomial equalities (Remark 4.1), is not constrained to be SOS; were it SOS, Eq. 4.23b would force $\mathcal{E}(x) \ge \epsilon$ on the whole of $S_2$ and contradict Eq. 4.23a.
The first two constraints of the SOS program in Eq. 4.23 ensure positive-definiteness of $-\mathcal{E}(x)$ and $\mathcal{E}(x)$ in the sets $((S_2 \setminus B_r) \setminus \mathcal{X}_{dead}) \setminus \mathcal{X}_{LC}$ and $\partial S_2 = \{V(x) = 1\}$, respectively. The last constraint is responsible for ensuring negative-definiteness of the derivative of $\mathcal{E}(x)$ in the set $S_2 \setminus \mathcal{X}_{LC}$. Again, the domain and parameter constraints are incorporated using the S-procedure discussed in Sec. 2.4.4.
Proposition 4.3. If the SOS program in Eq. 4.23 is feasible, then the certificate $\mathcal{E}(x)$ satisfies the conditions of Th. 4.1.
Proof. The constraint in Eq. 4.23a is SOS, therefore
$$-\mathcal{E}(x) - s_{12}(x)\,(1 - V(x)) + s_{13}(x)\,(r - V(x)) + \sum_{k=1}^n s_{14}^k(x)\, g_k^{dead}(x) + \sum_{k=1}^n s_{15}^k(x)\, g_k^{LC}(x) \ge 0 .$$
Since $g_k^{dead}(x) = 0$, $\forall k \in \{1,..,n\}$, and $s_{12}$, $s_{13}$, $s_{15}^k$, $\forall k \in \{1,..,n\}$, are SOS, while $1 - V(x) \ge 0$, $r - V(x) \le 0$ and $g_k^{LC}(x) < 0$ on the set in question, we have $-\mathcal{E}(x) \ge 0$, $\forall x \in ((\{V(x) \le 1\} \setminus B_r) \setminus \mathcal{X}_{dead}) \setminus \{g_k^{LC}(x) \ge 0,\ \forall k \in \{1,..,n\}\}$. The constraint in Eq. 4.23b is SOS, therefore $\mathcal{E}(x) - \epsilon - s_{16}(x)(1 - V(x)) \ge 0$; on $\partial S_2 = \{V(x) = 1\}$ the multiplier term vanishes, so with $\epsilon > 0$ we get $\mathcal{E}(x) > 0$, $\forall x : V(x) = 1$. The last constraint, Eq. 4.23c, as well as $s_{17}$, $s_{18}^k$, $\forall k \in \{1,..,n\}$, and $s_{19}^j$, $\forall j \in \{1,..,m\}$, are SOS. Furthermore, $\epsilon > 0$, $1 - V(x) \ge 0$, $g_k^{LC}(x) < 0$ and $a_j(u) \ge 0$ on $\{V(x) \le 1\} \setminus \{g_k^{LC}(x) \ge 0\}$, therefore
$$\frac{\partial \mathcal{E}}{\partial x}(x)\cdot f(x,u) \le -\epsilon < 0, \quad \forall x \in \{V(x) \le 1\} \setminus \{g_k^{LC}(x) \ge 0\} .$$
To verify the validity of the Eventuality certificate $\mathcal{E}(x)$, constructed by the SOS
program, we check the truth value of the formula $\neg\theta_1$, given in its DNF below.
$$\neg\theta_1 := \exists x \in \mathcal{X} : \neg\theta_2$$
$$\neg\theta_2 := \big(x \in ((S_2 \setminus B_r) \setminus \mathcal{X}_{dead}) \setminus \mathcal{X}_{LC} \wedge \mathcal{E}(p,x) > 0\big) \ \vee\ \big(x \in \partial S_2 \wedge \mathcal{E}(p,x) \le 0\big) \ \vee\ \Big(x \in S_2 \setminus \mathcal{X}_{LC} \wedge \frac{\partial \mathcal{E}}{\partial x}(p,x)\cdot f(x,u) \ge 0\Big)$$
Failing either to construct the Eventuality certificate $\mathcal{E}(x)$ numerically using the SOS program, or getting a "true" model of the formula $\neg\theta_1$, we repeat the process for an increased degree $d$ of $\mathcal{E}(x)$ (Lines 17-19, Lines 11-13). If for the maximum degree $d$ the SOS-QE approach is not able to construct validated certificates $E(x)$ or $\mathcal{E}(x)$ in their respective sets, the corresponding property $\varphi_2$ or $\varphi_3$ is declared inconclusive (Lines 35-40). Note that $d$ is incremented by 2 in each iteration until it reaches a user defined upper bound $b$.
Remark 4.1. The small positive number ǫ in the above SOS programs relaxes the strict
positivity/negativity conditions conservatively, and does not contradict the validity of
our results. Multipliers s of the polynomial equalities are not constrained to be Sn.
4.2.2.3 Verification of ϕ4
Property ϕ4 is concerned with showing that in the common mode of the even stage
RO, all trajectories converge to the zero common mode voltage. This property is closely
associated with the Lyapunov stability theorem which has been stated in Th. 4.2 for
the common mode of the even stage RO. Therefore, we verify ϕ4 by searching for a
Lyapunov certificate L satisfying the conditions of Th. 4.2. We follow a similar proce-
dure as that for property ϕ1, and search for the Lyapunov certificate using the SOS-QE
approach. The FOF encoding of the conditions of Th. 4.2 is given below.
$$\Psi_0 := \exists p \in P : \Psi_1, \qquad \Psi_1 := \forall x \in \mathcal{X} : \Psi_2,$$
$$\Psi_2 := \big(x = 0 \implies L(p,x) = 0\big) \wedge \big(x \ne 0 \wedge x \in \mathcal{X}_{com} \implies L(p,x) > 0\big) \wedge \Big(x \ne 0 \wedge x \in \mathcal{X}_{com} \implies \frac{\partial L}{\partial x}(p,x)\cdot f(x,u) < 0\Big)$$
We state the sufficient condition for the verification of property ϕ4 in the following
theorem.
Theorem 4.5. If in the invariant set Xcom ⊂ R^n there is a Lyapunov certificate L(x) satisfying the conditions of Th. 4.2, then x ⊨ Ψ0 ⟺ x ⊨ ϕ4, ∀x ∈ Xcom, where x = {x(0,0) + x(1,0), x(0,1) + x(1,1), .., x(0,n−1) + x(1,n−1)}.
Proof. A feasible Lyapunov certificate L(x) according to Th. 4.2 is a true model of the FOF Ψ0. Since the set Xcom is invariant, we have ∀x0 ∈ Xcom, ∀t, Φ(x0, t) ∈ Xcom. Furthermore, since $\frac{\partial L}{\partial x}(p,x) \cdot f(x,u) < 0$ and L(p,x) > 0 for all x ∈ Xcom, x ≠ 0, therefore $\lim_{t\to\infty} \Phi(x_0, t) = 0$. This shows x ⊨ ϕ4.
The above theorem illustrates that the sufficient condition for the verification of property ϕ4 is the existence of a Lyapunov certificate in the common mode invariant state space Xcom. We use an algorithm similar to that of Alg. 4, and search for the certificate L following the numeric-symbolic approach. An SOS program numerically constructing the Lyapunov certificate is given below.
$$L(0) = 0 \qquad (4.24a)$$
$$L(x) - \sum_{k=1}^{n} s^k_{20}(x)\, g^k_{diff}(x) + \epsilon \in \mathcal{S}_n \qquad (4.24b)$$
$$-\epsilon - \frac{\partial L}{\partial x}(x) \cdot f(x,u) - \sum_{k=1}^{n} s^k_{21}(x)\, g^k_{diff}(x) - \sum_{j=1}^{m} s^j_{22}(x)\, a_j(u) \in \mathcal{S}_n \qquad (4.24c)$$
∀x ∈ Xcom, {s^k_20, s^k_21, s^j_22} ∈ S_n, ∀k ∈ {1, .., n−1}, ∀j ∈ {1, .., m}, ε > 0. Here L(x), s^k_20, s^k_21, s^j_22 are polynomials of degree d.
The constraints in Eq. 4.24b and Eq. 4.24c, ensure the positive and negative definite-
ness of the Lyapunov certificate L(x) in the set Xcom \ {0}. The domain and parameter
constraints have been added following the S-procedure. If the above SOS program is fea-
sible, then the constructed Lyapunov certificate L(x) satisfies the conditions of Th. 4.2.
Since the certificate constructed by the above SOS program suffers from numerical inaccuracies, we further validate it using symbolic QE, by checking that the formula ¬Ψ1 is falsified, as previously discussed for all other certificates. This alternating application of SOS and QE is repeated until either a valid Lyapunov certificate L(x) is found, or the maximum degree d of L(x) is reached, at which point the approach is declared inconclusive for the truth value of ϕ4.
Parameter     Value
R_inverter    [0.98, 1.2] × 10^3 Ω
C_L           [0.98, 1.2] × 10^−12 F
V_sat         [0.98, 1.2] V
V_s           [0.23, 0.27]
Table 4.1: Inverter Parameters
4.3 Experimental Evaluation
We have demonstrated the applicability and effectiveness of our approach by applying it to three stage odd and two stage even ROs. The parameters we have used for an inverter model are given in Table 4.1. Note that we have ranges of values for the different parameters. Furthermore, these ranges have been chosen randomly and can be adjusted by designers according to their need to check the design for various ranges of different parameters. We used the YALMIP [67] solver within MATLAB for SOS programming, and REDLOG [31] for QE, on a 2.6 GHz Intel Core i5 machine with 4 GB of memory.
For an odd RO, we were able to compute a degree-4 AI certificate (Appendix B.4). The AI set, marked by the level set V(x) ≤ 1, is shown in Fig. 4.4 (see this set in three dimensions in Appendix B.6). For the purpose of illustration, we have also shown an invariant set generated from a degree-10 AI certificate. This emphasises that higher degree certificates have the ability to over-approximate the set containing the limit cycle more closely, since they have more degrees of freedom and can align themselves along the limit cycle, however at a higher computation/verification cost. Inside the AI set, we showed that trajectories escape the set V ≤ r by computing a degree-2 Escape certificate. Similarly, further convergence of the trajectories, to within a small distance of the limit cycle, has been shown by computing a degree-4 Eventuality certificate in the set {V ≤ 1 ∧ V ≥ r}. The time taken by the SOS solver to compute these certificates is listed in the second column of Table 4.2. Verification of these certificates in REDLOG, given the limit on how large a formula it can handle, has been divided into the verification of the individual clauses of the FOFs, benefiting from their DNF. Since we were interested in the negation of the FOFs in DNF, we verified whether each clause was "false". The verification times of the QE are listed in the third column of Table 4.2. For the AI and Escape certificates, REDLOG successfully verified the negation of their universally quantified FOFs. Derivatives of these
[Figure 4.4: ODD RO Attractive Invariant Set, defined by {V ≤ 1}: outer solid plots, degree 4 and degree 10; {V = r}: inner solid plot of degree 4; trajectories: dashed plots. Axes V1 and V2, each from −1 to 1.]
certificates were symbolically calculated using the MATLAB symbolic toolbox before verifying them using QE. A time out was reported by the REDLOG tool for all clauses of the Eventuality FOF of the odd RO. The reason for these time outs is the set, an intersection of two level curves of the AI certificate, which puts an additional burden on the solver and results in its time out. To overcome this issue, we instead conservatively over-under approximate the set {V ≤ 1 ∧ V ≥ r} by a quadratic polynomial, and construct the Eventuality certificate for this new set. This solved our problem, and REDLOG has been able to verify the Eventuality certificate in this conservative approximation of the set {V ≤ 1 ∧ V ≥ r}. Similarly, for the even stage RO, we computed a degree-10 AI, a degree-4 Escape, a degree-6 Eventuality and a degree-4 Lyapunov certificate (Appendix B.5). Their SOS computation times are listed in the second column of Table 4.3. The AI set, represented by the level curve V(x) ≤ 1, is shown in Fig. 4.5. Three trajectories in different sets have also been shown. Though of degree 10, from the QE point of view the AI certificate has fewer monomials, and was thus easily verified by REDLOG. All clauses of the AI, Escape and Lyapunov certificates were verified by the QE. For the Eventuality certificate, we followed the same procedure as for the odd stage, over-under approximating the set {V ≤ 1 ∧ V ≥ r} with quadratic polynomial level curves, and verified the negation of the corresponding FOF. The QE verification times for these certificates are reported in the third column of Table 4.3.
Certificate            YALMIP-SOS Time (s)    REDLOG-QE Time (s)
Attractive Invariants  824.8 (degree 4)       Clause 1 = 0.219, Clause 2 = 0.047, Clause 3 = 8.222
Escape                 6.3 (degree 2)         Clause 1 = 0.060, Clause 2 = 0.026, Clause 3 = 0.320
Eventuality            31.5 (degree 4)        Clause 1 = 0.070, Clause 2 = 0.025, Clause 3 = 0.636
Table 4.2: ODD RO Inevitability Verification Time

Certificate            YALMIP-SOS Time (s)    REDLOG-QE Time (s)
Attractive Invariants  6127.6 (degree 10)     Clause 1 = 5.24, Clause 2 = 0.33, Clause 3 = 1.56
Escape                 320.6757 (degree 4)    Clause 1 = 0.01, Clause 2 = 0.30, Clause 3 = 2.50
Eventuality            4128.8 (degree 6)      Clause 1 = 0.349, Clause 2 = 0.300, Clause 3 = 0.615
Lyapunov               55.24 (degree 4)       Clause 1 = 0.02, Clause 2 = 0.75, Clause 3 = 0.57
Table 4.3: Even RO Inevitability Verification Time
Results show the effectiveness of our approach in verifying the complex inevitability property of a real world AMS circuit. Though it needs user input, formalizing the problem as SOS and then as QE, our approach offers a computation time comparable to [109]. It is in fact less by an order of at least half when considering their approach using partitioning of the state space into boxes. We have proved the inevitability property avoiding hundreds of reachability computations, as was done in previous approaches. Secondly, our approach is less conservative compared to other reach set computation methods, where ODEs are explicitly solved and trajectories are conservatively approximated. Our certificate based deductive method is applicable to the infinite horizon (as opposed to bounded) and avoids approximating solutions of the differential equations. SOS based relaxation, in addition to solving the NP-hard problem of the positivity check, offers an easy way of incorporating parameter variations as well. Given the existing state of the art QE tools, we have further provided formal proofs of these numerically
[Figure 4.5: Even RO: Attractive Invariant Set, defined by {V = 1}: outer solid plot; {V = r}: inner solid plot; trajectories: dashed. Axes x(0,0) − x(1,0) and x(0,1) − x(1,1), each from −2 to 2.]
calculated certificates. We believe that in future, foreseeing advancements in the QE of
FOF over non-linear polynomials, the accuracy and efficiency of our methodology can
be furthered.
4.4 Related Work
In [43], the authors attempted to show start-up by finding the DC equilibria and showing their instability. Their approach did not take into consideration convergence to the limit cycle. A SAT based approach has been used in [57]. They showed stable DC equilibria using a crude approach which cannot be generalized. A particle visualization approach has been discussed in [87]. Though the approach could show a broad range of circuit behaviour, it can easily neglect the failure set from where the circuit fails to start. In [86], the authors showed a model checking approach, where the state space has been discretized, and temporal properties have been verified for the discrete transition system. The most comprehensive work on an even stage RO has been presented in [109]. In this work, the authors showed convergence to the oscillation with probability one. They showed zero measure probability for the failure set using a cone argument. They further showed convergence to the desired limit cycle using reachability analysis. While the approach is comprehensive, it has two disadvantages. They used
an expensive paper-pencil argument about the zero measure probability of the failure
set. Secondly, they used approximate but sound reachability computations, which apart
from being of a bounded time nature, need partitions of the state space and are thus
intractable for higher dimensional systems. A SOS-QE approach has also been used
for non-linear gain analysis in [51]. In [47], the author used SOS in a HOL theorem
prover to verify positivity of polynomials which are universally quantified. In [85], the
authors used a SOS-QE approach for stability analysis of the switched hybrid system.
Inevitability of an invariant set is closely related to the global asymptotic stability of
a dynamical system. [104] used QE for stability of equilibrium point analysis of non-
linear differential equations. In [92], the author introduced various convex/non-convex
programs for stability of equilibrium and other invariant sets in non-linear dynamical
systems using SOS programming. In the last decade, SOS programming has been the
major tool used in the algorithmic construction of Lyapunov certificates for continuous
as well as hybrid systems [77]. Deductive verification of continuous and hybrid systems
has been demonstrated in [91], [90].
4.5 Summary of the Chapter
We have presented a scalable deductive verification methodology for the inevitability
verification of the RO. We have benefited from Lyapunov-like certificates, from non-
linear continuous dynamical systems theory, and have come up with some interesting
local properties. By verifying these local properties using a combination of SOS-QE,
we have successfully verified the global inevitability property of an RO with two dif-
ferent topologies. Experimental results show the effectiveness of our approach avoiding
expensive discretization and reach set computations.
Chapter 5
Verifying Frequency Domain Properties of Oscillators using SMODE
A non-linear oscillator can have multiple limit cycles with different frequencies. It is of
great importance to verify that an oscillator oscillates with the desired frequency and
does not have undesired harmonics. In this chapter, we introduce a robust frequency
domain properties specification for the behaviour of the oscillator in close proximity
to the limit cycle. We make use of the frequency domain periodogram, and specify the
behaviour of the oscillator such that it oscillates with the desired frequency despite
parameter and process variations. Towards this goal, we use a robust periodogram
specification allowing lower and upper bounds on the sum of squares of Fourier series
coefficients for the desired limit cycle.
The verification of frequency domain properties is not straightforward. There are
two options to perform this task. One is to carry out the verification in the frequency
domain by having both the system and properties in the frequency domain and perform-
ing the decision procedure in this domain. This is beyond the capabilities of the current
state of the art solvers/approaches. Therefore, we employ a mixed time-frequency do-
main technique, where we have our properties specified in the frequency domain and
we carry out the verification task in the time domain. This approach is illustrated in
Fig. 5.1. As shown, frequency domain properties are verified by checking the distance of
the timed traces of the oscillator model from the traces, generated from the frequency
domain properties. If this distance is less than a user defined small number, we conclude
99
5. Frequency Domain Properties
[Figure 5.1: Frequency Domain Property Verification. Block diagram: the frequency domain properties p(f) (at f0, f1, f2, f3) are converted to the time domain trace x_s(t); the oscillator model produces x_m(t); their Euclidean distance is tested against a bound b ∈ R_{>0}, with Yes/No outcomes.]
satisfaction of the frequency domain with a degree of robustness and vice versa.
5.1 Preliminaries
This section discusses the mathematical modelling of analog oscillators at the device
level. Furthermore, we give background of the frequency domain concept used for the
frequency domain properties specification.
Figure 5.2: Oscillators Circuit Diagrams, Left: TDO, Right: VCO
5.1.1 Modelling of analog oscillators as HDS
In this chapter, we model analog oscillators as HDS, as discussed in Sec. 2.1.2. The
HDS model of an oscillator is a tuple, H = (C,F ,D,G). Let us denote by x, the vector
of continuous variables. In this chapter, we consider two types of oscillators: Voltage
Controlled Oscillator (VCO) and Tunnel Diode Oscillator (TDO) as shown in Fig. 5.2.
To find C, F , D, and G, we model these oscillators at the device level by treating their
input-output responses as piece-wise polynomials.
The VCO consists of an LC tank energised by currents through two PMOS transistors. The non-linearity in the circuit is predominantly caused by the non-linear PMOS transistors, and non-linearities due to capacitors and inductors are assumed negligible. To get an HDS model of the VCO, we model the PMOS transistor using the Shichman-Hodges PMOS model [72] given in Eq. 2.9. This model describes the current I_DS(V_GS, V_DS) through each PMOS as a function of the drain-to-source and gate-to-source voltages. This is a piece-wise polynomial model of the current spanning three different regions of transistor operation: cut off, active, and saturation. The state variables are V_D1, V_D2, and I_L1 or I_L2. To get the HDS for the VCO, we have nine possible combinations of the three regions of the two PMOS transistors. Let us denote these three regions for each transistor by C1 (C2), L1 (L2), S1 (S2), where C stands for cut off, L for linear and
S for saturation region respectively. We denote V_GS = V_D2 − V_DD, V_DG = V_D1 − V_D2 for transistor 1, and V_GS = V_D1 − V_DD, V_DG = V_D2 − V_D1 for transistor 2 respectively. Accordingly, the following are the nine possible regions in the (V_D1, V_D2) plane based on the I_DS model of the current through each transistor.
C1/C2 = V_D2 − V_DD > V_tp ∧ V_D1 − V_DD > V_tp
S1/C2 = V_D2 − V_DD ≤ V_tp ∧ V_D1 − V_D2 ≤ −V_tp ∧ V_D1 − V_DD > V_tp
L1/C2 = V_D2 − V_DD ≤ V_tp ∧ V_D1 − V_D2 > −V_tp ∧ V_D1 − V_DD > V_tp
C1/S2 = V_D2 − V_DD > V_tp ∧ V_D1 − V_DD ≤ V_tp ∧ V_D2 − V_D1 ≤ −V_tp
C1/L2 = V_D2 − V_DD > V_tp ∧ V_D1 − V_DD ≤ V_tp ∧ V_D2 − V_D1 > −V_tp
S1/L2 = V_D2 − V_DD ≤ V_tp ∧ V_D1 − V_D2 ≤ −V_tp ∧ V_D1 − V_DD ≤ V_tp ∧ V_D2 − V_D1 > −V_tp
S1/S2 = V_D2 − V_DD ≤ V_tp ∧ V_D1 − V_D2 ≤ −V_tp ∧ V_D1 − V_DD ≤ V_tp ∧ V_D2 − V_D1 ≤ −V_tp
L1/S2 = V_D2 − V_DD ≤ V_tp ∧ V_D1 − V_D2 > −V_tp ∧ V_D1 − V_DD ≤ V_tp ∧ V_D2 − V_D1 ≤ −V_tp
L1/L2 = V_D2 − V_DD ≤ V_tp ∧ V_D1 − V_D2 > −V_tp ∧ V_D1 − V_DD ≤ V_tp ∧ V_D2 − V_D1 > −V_tp
It can easily be shown that the L1/L2 mode is infeasible, and we are left with eight possible combinations of the two transistor operating modes. The region in the (V_D1, V_D2) plane corresponding to the different operating modes of the two transistors is shown in Fig. 5.3.
[Figure 5.3: VCO eight possible modes of operation. The (V_D1, V_D2) plane, each axis from −2.5 to 2.5, is divided by the lines V_D1 − V_DD = V_tp, V_D2 − V_DD = V_tp, V_D1 − V_D2 = −V_tp and V_D1 − V_D2 = V_tp into the regions C1/C2, S1/C2, C1/S2, L1/C2, S1/S2, L1/S2, S1/L2 and C1/L2.]
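The nine mode predicates above lend themselves to a mechanical check. The following Python is an added example, not code from the thesis: it encodes the nine predicates exactly as listed, encodes the same classification per transistor (cut off if V_GS > V_tp, otherwise saturation if V_DG ≤ −V_tp, else linear), sweeps a grid of the (V_D1, V_D2) plane to confirm that the two encodings agree and that exactly one mode holds at every point, and records which modes actually occur. The supply V_DD = 1.2 and threshold V_tp = −0.4 are assumed values for a PMOS device; the thesis gives neither in this section.

```python
# Added example (not from the thesis): the nine candidate PMOS mode pairs of
# the VCO, once via the explicit predicates of the text and once via the
# per-transistor decomposition they are built from. V_DD and V_tp below are
# assumed values for the demonstration.

def modes_explicit(vd1, vd2, vdd, vtp):
    """Labels of all nine predicates that hold at the point (vd1, vd2)."""
    preds = {
        "C1/C2": vd2 - vdd > vtp and vd1 - vdd > vtp,
        "S1/C2": vd2 - vdd <= vtp and vd1 - vd2 <= -vtp and vd1 - vdd > vtp,
        "L1/C2": vd2 - vdd <= vtp and vd1 - vd2 > -vtp and vd1 - vdd > vtp,
        "C1/S2": vd2 - vdd > vtp and vd1 - vdd <= vtp and vd2 - vd1 <= -vtp,
        "C1/L2": vd2 - vdd > vtp and vd1 - vdd <= vtp and vd2 - vd1 > -vtp,
        "S1/L2": vd2 - vdd <= vtp and vd1 - vd2 <= -vtp and vd1 - vdd <= vtp and vd2 - vd1 > -vtp,
        "S1/S2": vd2 - vdd <= vtp and vd1 - vd2 <= -vtp and vd1 - vdd <= vtp and vd2 - vd1 <= -vtp,
        "L1/S2": vd2 - vdd <= vtp and vd1 - vd2 > -vtp and vd1 - vdd <= vtp and vd2 - vd1 <= -vtp,
        "L1/L2": vd2 - vdd <= vtp and vd1 - vd2 > -vtp and vd1 - vdd <= vtp and vd2 - vd1 > -vtp,
    }
    return [name for name, holds in preds.items() if holds]

def transistor_region(vgs, vdg, vtp):
    """Region of one PMOS from V_GS and V_DG: cut off (C), saturation (S) or linear (L)."""
    if vgs > vtp:
        return "C"
    return "S" if vdg <= -vtp else "L"

def mode_decomposed(vd1, vd2, vdd, vtp):
    """Same classification, built from the two transistors separately."""
    t1 = transistor_region(vd2 - vdd, vd1 - vd2, vtp)   # transistor 1: V_GS = V_D2 - V_DD, V_DG = V_D1 - V_D2
    t2 = transistor_region(vd1 - vdd, vd2 - vd1, vtp)   # transistor 2: V_GS = V_D1 - V_DD, V_DG = V_D2 - V_D1
    return f"{t1}1/{t2}2"

def survey_modes(vdd=1.2, vtp=-0.4, lo=-2.5, hi=2.5, step=0.25):
    """Sweep a grid of the plane (the axis range of Fig. 5.3). Return the set of
    modes seen and whether both encodings always agree on exactly one mode."""
    seen, consistent = set(), True
    n = int(round((hi - lo) / step))
    for i in range(n + 1):
        for j in range(n + 1):
            vd1, vd2 = lo + i * step, lo + j * step
            labels = modes_explicit(vd1, vd2, vdd, vtp)
            if len(labels) != 1 or labels[0] != mode_decomposed(vd1, vd2, vdd, vtp):
                consistent = False
            seen.update(labels)
    return seen, consistent

def l1_l2_feasible(vtp):
    """L1/L2 needs V_D1 - V_D2 > -V_tp and V_D2 - V_D1 > -V_tp; adding the two
    gives 0 > -2 V_tp, so the mode exists only for a positive threshold."""
    return vtp > 0

if __name__ == "__main__":
    modes, ok = survey_modes()
    print(sorted(modes), ok, l1_l2_feasible(-0.4))
```

With a negative threshold the sweep never reports L1/L2, which is the infeasibility the text states: its two linear conditions V_D1 − V_D2 > −V_tp and V_D2 − V_D1 > −V_tp cannot hold together, and the remaining eight modes all appear on the grid.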
Applying KVL to the VCO circuit, we get the following ODEs for each state V_D1, V_D2 and I_L1.
$$\dot V_{D1} = -\frac{1}{C}\big(I_{DS1}(V_{D2}-V_{DD},\,V_{D1}-V_{DD}) + I_{L1}\big) \qquad (5.1)$$
$$\dot V_{D2} = -\frac{1}{C}\big(I_{DS2}(V_{D1}-V_{DD},\,V_{D2}-V_{DD}) + I_b - I_{L1}\big) \qquad (5.2)$$
$$\dot I_{L1} = \frac{1}{2L}\big(V_{D1}-V_{D2}-R(2I_{L1}-I_b)\big) \qquad (5.3)$$
Here the currents I_DS1 and I_DS2 are piece-wise polynomials depending on which of the eight modes the two transistors operate in. Accordingly, the HDS H of the VCO based on the transistor currents I_DS1 and I_DS2 is
$$H = \begin{cases} \begin{bmatrix}\dot V_{D1}\\ \dot V_{D2}\\ \dot I_{L1}\end{bmatrix} = \begin{bmatrix} -\frac{1}{C}\big(I_{DS1}(V_{D2}-V_{DD},\,V_{D1}-V_{DD}) + I_{L1}\big) \\ -\frac{1}{C}\big(I_{DS2}(V_{D1}-V_{DD},\,V_{D2}-V_{DD}) + I_b - I_{L1}\big) \\ \frac{1}{2L}\big(V_{D1}-V_{D2}-R(2I_{L1}-I_b)\big)\end{bmatrix} & x \in C, \\[2ex] x^+ = G_i(x) & x \in D \end{cases} \qquad (5.4)$$
Here,
[Figure 5.4: VCO Periodic Limit Cycle, passing through the modes L1/C2, L1/S2, S1/S2, S1/L2 and C1/L2.]
$$F = \begin{bmatrix} -\frac{1}{C}\big(I_{DS1}(V_{D2}-V_{DD},\,V_{D1}-V_{DD}) + I_{L1}\big) \\ -\frac{1}{C}\big(I_{DS2}(V_{D1}-V_{DD},\,V_{D2}-V_{DD}) + I_b - I_{L1}\big) \\ \frac{1}{2L}\big(V_{D1}-V_{D2}-R(2I_{L1}-I_b)\big)\end{bmatrix},$$
$$F_i(x,u) = \begin{bmatrix} -\frac{1}{C}\big(I^i_{DS1}(V_{D2}-V_{DD},\,V_{D1}-V_{DD}) + I_{L1}\big) \\ -\frac{1}{C}\big(I^i_{DS2}(V_{D1}-V_{DD},\,V_{D2}-V_{DD}) + I_b - I_{L1}\big) \\ \frac{1}{2L}\big(V_{D1}-V_{D2}-R(2I_{L1}-I_b)\big)\end{bmatrix}, \quad \forall i \in \{1, .., 8\},$$
$$C = \big\{[V_{D1}\ V_{D2}\ I_{L1}] \,\big|\, -2 \le V_{D1} \le 2 \text{ and } -2 \le V_{D2} \le 2 \text{ and } -1 \le I_{L1} \le 1\big\},$$
$$D = \big\{[V_{D1}\ V_{D2}\ I_{L1}] \,\big|\, V_{D2}-V_{DD} = V_{tp} \text{ and } V_{D1}-V_{DD} = V_{tp} \text{ and } V_{D1}-V_{D2} = -V_{tp} \text{ and } V_{D2}-V_{D1} = -V_{tp}\big\},$$
G_i(x) := x, ∀x ∈ D, ∀i ∈ I_D. I^i_DS1 and I^i_DS2 are as given by Eq. 2.9.
Note that we have identity reset maps for all jumps and we have not shown every
jump map explicitly. As will be shown in the next section, the limit cycle of the VCO
periodically visits only five modes (regions) of the (VD1, VD2) plane, and therefore only
these five modes are considered for frequency domain properties verification. The HDS
formed by these five modes is shown in Fig. 5.4.
Similarly, we model the TDO as an HDS using the piece-wise polynomial model of the tunnel diode [38]. This model represents the current I_d through the tunnel diode as a function of the voltage V_d across it, given in Eq. 5.5.
[Figure 5.5: TDO Hybrid Automata, with three modes: V_d below 0.055, V_d between 0.055 and 0.35, V_d above 0.35.]
$$I_d = \begin{cases} 6.01V_d^3 - 0.992V_d^2 + 0.0545V_d & V_d \le 0.055,\\ 0.0692V_d^3 - 0.0421V_d^2 + 0.004V_d + 8.96\cdot 10^{-4} & 0.055 \le V_d \le 0.35,\\ 0.263V_d^3 - 0.277V_d^2 + 0.0968V_d - 0.0112 & 0.35 \le V_d.\end{cases} \qquad (5.5)$$
Therefore, the HDS for the TDO has three modes of operation as shown in Fig. 5.5.
Considering Vd and IL as state variables and applying KVL to the TDO circuit (Fig. 5.2),
we get the following ODEs for the circuit,
$$\dot V_d = \frac{1}{C}\big(-I_d(V_d) + I_L\big) \qquad (5.6)$$
$$\dot I_L = \frac{1}{L}\big(-V_d + I_L R + V_{in}\big) \qquad (5.7)$$
Therefore,
$$H = \begin{cases} \begin{bmatrix}\dot V_d \\ \dot I_L\end{bmatrix} = \begin{bmatrix} \frac{1}{C}\big(-I_d(V_d) + I_L\big) \\ \frac{1}{L}\big(-V_d + I_L R + V_{in}\big)\end{bmatrix} & x \in C, \\[2ex] x^+ = G_i(x) & x \in D \end{cases} \qquad (5.8)$$
Here,
$$F = \begin{pmatrix} \frac{1}{C}\big(-I_d(V_d) + I_L\big) \\ \frac{1}{L}\big(-V_d + I_L R + V_{in}\big) \end{pmatrix},$$
$$F_1(x,u) = \begin{pmatrix} \frac{1}{C}\big(-(6.01V_d^3 - 0.992V_d^2 + 0.0545V_d) + I_L\big) \\ \frac{1}{L}\big(-V_d + I_L R + V_{in}\big) \end{pmatrix},$$
$$F_2(x,u) = \begin{pmatrix} \frac{1}{C}\big(-(0.0692V_d^3 - 0.0421V_d^2 + 0.004V_d + 8.96\cdot 10^{-4}) + I_L\big) \\ \frac{1}{L}\big(-V_d + I_L R + V_{in}\big) \end{pmatrix},$$
$$F_3(x,u) = \begin{pmatrix} \frac{1}{C}\big(-(0.263V_d^3 - 0.277V_d^2 + 0.0968V_d - 0.0112) + I_L\big) \\ \frac{1}{L}\big(-V_d + I_L R + V_{in}\big) \end{pmatrix},$$
$$C = \big\{[V_d\ I_L] \,\big|\, 0 \le V_d \le 1 \text{ and } -10 \le I_L \le 10\big\},$$
$$D = \big\{[V_d\ I_L] \,\big|\, V_d = 0.055 \text{ and } V_d = 0.35\big\}, \quad G_i(x) := x,\ \forall x \in D,\ \forall i \in I_D.$$
Similarly, Ci can be easily found.
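As an added example (not the thesis's own code), the TDO model of Eqs. 5.5-5.8 written out as executable pieces: the three polynomial branches of I_d(V_d), the mode index of Fig. 5.5, the flow map F_i, the flow set C, the guard set D with its identity reset, and a check of how far the three branches disagree at the two guard voltages. The circuit parameters L, C, R and V_in passed to flow() are assumed, as are the sample states; the thesis does not give them in this section.

```python
# Added example (not from the thesis): the TDO hybrid dynamical system of
# Eqs. 5.5-5.8 as executable pieces. Circuit parameters and sample states
# used with flow() are assumed for the demonstration.

ID_BRANCHES = (
    lambda vd: 6.01 * vd**3 - 0.992 * vd**2 + 0.0545 * vd,               # V_d <= 0.055
    lambda vd: 0.0692 * vd**3 - 0.0421 * vd**2 + 0.004 * vd + 8.96e-4,   # 0.055 <= V_d <= 0.35
    lambda vd: 0.263 * vd**3 - 0.277 * vd**2 + 0.0968 * vd - 0.0112,     # 0.35 <= V_d
)
GUARDS = (0.055, 0.35)                     # jump set D: V_d = 0.055 or V_d = 0.35
C_BOUNDS = ((0.0, 1.0), (-10.0, 10.0))     # flow set C: 0 <= V_d <= 1, -10 <= I_L <= 10

def mode_of(vd):
    """1-based index i of the flow set C_i (Fig. 5.5) that contains V_d."""
    return 1 if vd <= GUARDS[0] else (2 if vd <= GUARDS[1] else 3)

def tunnel_diode_current(vd):
    """I_d(V_d) of Eq. 5.5, selecting the branch by mode."""
    return ID_BRANCHES[mode_of(vd) - 1](vd)

def flow(state, L, C, R, vin):
    """F_i(x, u) of Eqs. 5.6-5.7 in the mode selected by V_d (written as in the thesis, with +I_L R)."""
    vd, il = state
    return ((-tunnel_diode_current(vd) + il) / C, (-vd + il * R + vin) / L)

def in_flow_set(state):
    """Membership of the state in C."""
    return all(lo <= v <= hi for v, (lo, hi) in zip(state, C_BOUNDS))

def crossed_guard(vd_before, vd_after):
    """Guard surface of D crossed between two consecutive samples, or None."""
    for g in GUARDS:
        if (vd_before - g) * (vd_after - g) < 0:
            return g
    return None

def reset(state):
    """G_i(x) := x, the identity jump map used for every transition."""
    return state

def branch_gaps():
    """|I_d mismatch| between adjacent branches at each guard: a sanity check
    that the identity reset does not hide a discontinuity in the fit."""
    return tuple(abs(ID_BRANCHES[i + 1](g) - ID_BRANCHES[i](g)) for i, g in enumerate(GUARDS))

if __name__ == "__main__":
    print(mode_of(0.2), flow((0.02, 0.05), L=1.0, C=1.0, R=0.1, vin=0.3), branch_gaps())
```

Evaluating the branches at the guards shows the fit is continuous to about 4·10⁻⁶ at V_d = 0.055 but differs by about 8·10⁻⁵ at V_d = 0.35 (in the units of I_d), a gap that the identity reset G_i(x) := x carries over unchanged; a reachability tool sees it as a small jump in the vector field across D.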
Let us define the flow map Ψ_H : T × X_H → X_H. We now define hybrid limit sets and hybrid limit cycles.
Definition 5.1 (Hybrid Limit Sets). A point z ∈ X_H is called an Ω-limit point of y ∈ X_H if $\lim_{(t+j)\to\infty} \Psi_H((t,j), y) = z$. The set of all such points z is the hybrid Ω-limit set.
Definition 5.2 (Hybrid Periodic Orbits). An orbit Γ is a closed hybrid periodic orbit if it is not an equilibrium, and for some j and t, Ψ_H((T, j), x) = x for some smallest T ≠ 0. T ∈ [t_j, t_{j+1}] is called the fundamental period of Γ.
Definition 5.3 (Hybrid Limit Cycle). A closed hybrid orbit Γ is called a hybrid limit cycle if, ∀x ∈ X_H \ Γ, y ∈ Γ, α > 0, $\lim_{(t+j)\to\infty} \|\Psi_H((t,j), x) - y\| \le \alpha$.
Lemma 5.1. If Z is a compact set of states that constitute a periodic orbit and its close proximity, then for any Y ⊂ Z we have Q = ⋃_k Reach(Y), such that for an arbitrary point x ∈ Q and y ∈ Γ, α > 0, either $\lim_{(t+j)\to\infty} \|\Psi_H((t,j), x) - y\| \le \alpha$, or $\lim_{(t+j)\to b} \|\Psi_H((t,j), x) - y\| = 0$ for an arbitrarily small b > 0.
Proof. Clearly for x ∈ Q, if also x ∈ Γ, then $\lim_{(t+j)\to b} \|\Psi_H((t,j), x) - y\| = 0$, b > 0, as every state on Γ is reachable from every other state on it. For x ∈ Q and x ∉ Γ, $\lim_{(t+j)\to\infty} \|\Psi_H((t,j), x) - y\| \le \alpha$, since a stable Γ attracts every trajectory to its close proximity.
5.2 Frequency Domain Properties Specification of the Hybrid Limit Cycle
This section introduces the robust frequency domain properties specification of the
hybrid limit cycle, using a periodogram-based power spectral envelope.
5.2.1 Robust Specification of a Periodic Function in the Frequency Domain
A function g is periodic with period T if g(t) = g(t + mT), ∀t ∈ R and ∀m ∈ Z. We denote by P the set of all functions which, in addition to being T-periodic, also have the property of square summability over a period T, i.e., P ⊂ L²[0, T]. All such periodic functions g(t) ∈ P can be represented by the sum of an infinite number of T-periodic sinusoids as
$$g(t) = \sum_{k=0}^{\infty} (a_k \cos \omega_k t + b_k \sin \omega_k t) \qquad (5.9)$$
where ω_k = 2πk/T, a_k, b_k ∈ R. Instead of an infinite series representation of exact periodic functions, we use the notion of almost periodic functions [62]. These are the functions which are represented by at most a countable number of sinusoids. We denote such sets of almost periodic functions by AP, and therefore g(t) ∈ P is represented by its approximation S_K(t) ∈ AP,
$$S_K(t) = \sum_{\omega_k \in \Omega_K} (a_k \cos \omega_k t + b_k \sin \omega_k t), \quad k \in \{1, ..., K\}. \qquad (5.10)$$
where Ω_K is the set of K ∈ N frequencies. The finite series representation S_K(t) is the best approximation of g(t), and it has the least mean square error property. Let ε_K = max(‖g(t) − S_K(t)‖) represent the maximum approximation error; then g(t) can be conservatively represented by
$$S_K(t) - \varepsilon_K \le g(t) \le S_K(t) + \varepsilon_K \qquad (5.11)$$
Let F = {(a_0, b_0), ..., (a_K, b_K)} be the set of all K+1 pairs of Fourier coefficients. This set F is called the frequency domain representation of the almost periodic function S_K(t). Instead of specifying a periodic function S_K(t) in the frequency domain in terms of the set F, we use the periodogram specification which is defined below.
Definition 5.4 (Periodogram). The energy content of a signal at each frequency ω_k is called a periodogram, and is given by $p_k = (a_k^2 + b_k^2)$, p_k ∈ R_{≥0}. We denote by P = {p_0, ..., p_K} the set of all periodograms at frequencies ω_k ∈ Ω_K.
To cater for parameter variations, temperature and uncertainty in initial conditions,
we introduce the idea of robust periodogram specification.
Definition 5.5 (Robustness of Periodogram). We specify P such that the pairs of Fourier series coefficients (a_k, b_k), ∀k ∈ {1, ..., K}, for all ω_k ∈ Ω_K, result in the function S_K(t) (Eq. 5.10) which is the approximate representation of the periodic function g(t) and satisfies the inequality constraint of Eq. 5.11. We say that p_k ∈ P has ϵ_k degree of robustness if it can tolerate an ϵ_k amount of perturbation such that ∃p'_k : ‖p_k − p'_k‖ ≤ ϵ_k (Fig. 5.6), without altering the validity of the condition in Eq. 5.11.
5.2.2 Encoding Membership of the Limit Cycle in the Robust Power Spectral Envelope
Let there exist a periodic hybrid arc P_H : T → X_H. Let us define a power spectral envelope H(ω_k) : Ω_K → R_{≥0}, which maps each discrete frequency ω_k ∈ Ω_K to a periodogram p_k for all k ∈ {1, .., K}. The set AP_{ϵ_k} of almost periodic functions belongs to the power spectral envelope H(ω_k) with ϵ_k degree of robustness if the Fourier series coefficients of Eq. 5.10, representing the set AP_{ϵ_k} in the frequency domain, satisfy the following constraints [18],
• for k > K, (ω_k > ω_K) ⟹ p_k = 0,
• ∀k ∈ {1, .., K}, H(ω_k) − ϵ_k ≤ p_k ≤ H(ω_k) + ϵ_k, such that 0 ≤ ω_k ≤ ω_K.
[Figure 5.6: Robust Periodogram Specification. Two periodogram plots of p_k against ω_k; the right one shows the perturbed values p'_k.]
We require that for S_K(t) ∈ cl(AP_{ϵ_k}) the hybrid periodic orbit P_H satisfies the constraint
$$S_K(t) - \varepsilon_K \le P_H(t,j) \le S_K(t) + \varepsilon_K \qquad (5.12)$$
Here cl(AP_{ϵ_k}) denotes the closure of AP_{ϵ_k}. We encode this by introducing the following set of constraints for the hybrid periodic arc P_H,
$$\psi_1 := \bigwedge_{\ell=1}^{n} \left( \bigwedge_{k=0}^{K} \big(H_\ell(\omega_k) - \epsilon_{\ell k} \le p_{\ell k} \le H_\ell(\omega_k) + \epsilon_{\ell k}\big) \right), \qquad (5.13)$$
$$\psi_2 := \bigwedge_{\ell=1}^{n} \forall t \in [t_{min}, t_{max}] \left( S^\ell_K(t) = \sum_{k=0}^{K} (a_{\ell k} \cos \omega_k t + b_{\ell k} \sin \omega_k t) \right), \qquad (5.14)$$
$$\psi_3 := \bigwedge_{\ell=1}^{n} \forall t \in [t_{min}, t_{max}] \left( S^\ell_K(t) - \varepsilon^\ell_K \le P^\ell_H(t,j) \le S^\ell_K(t) + \varepsilon^\ell_K \right). \qquad (5.15)$$
Here the constraint ψ1 puts upper and lower bounds on the periodograms at K
frequencies in the presence of ǫℓk perturbations. Note that here n is the dimension of
the system. The second constraint ψ2 ensures that for all time t, each N periodic
scalar variable is approximated by K sinusoids. The last constraint ψ3 conservatively
[Figure 5.7: Frequency Domain Specification. Top: the envelope H(f) ± ϵ_k over the frequencies f0, f1, f2, f3 up to f_max; bottom: the time domain band S_K(t) ± ε_K enclosing P_H(t, j), built from the terms (a_k cos ω_k t + b_k sin ω_k t).]
over-approximates the periodic function P_H(t, j), taking into consideration the error generated by the almost periodic approximation S_K. This encoding of the frequency domain specification of a periodic hybrid arc is pictorially shown in Fig. 5.7.
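The periodogram and the membership constraints ψ_1 and ψ_3 of this section can be exercised on a concrete trace. The Python below is an added example, not part of the thesis: it computes the Fourier pairs (a_k, b_k) of a T-periodic signal by numerical integration over one period, forms p_k = a_k² + b_k² (Definition 5.4), checks ψ_1 against an envelope H(ω_k) with robustness ϵ_k (including the requirement p_k = 0 above ω_K), and checks ψ_3, that the signal stays within S_K(t) ± ε_K. The nominal signal, the envelope values, ϵ_k = 0.02, and the gain and harmonic perturbations are all constructed for the demonstration.

```python
import math

# Added example (not from the thesis): periodogram of a T-periodic trace and
# the robust envelope checks of Sec. 5.2. Test signal, envelope H and
# tolerances are constructed for the demonstration.

def fourier_coeffs(g, T, kmax, n=2048):
    """(a_k, b_k) for k = 0..kmax by midpoint-rule integration over one period."""
    dt = T / n
    ts = [(i + 0.5) * dt for i in range(n)]
    gs = [g(t) for t in ts]
    out = []
    for k in range(kmax + 1):
        w = 2 * math.pi * k / T
        scale = (1.0 if k == 0 else 2.0) * dt / T
        a = scale * sum(gv * math.cos(w * t) for gv, t in zip(gs, ts))
        b = scale * sum(gv * math.sin(w * t) for gv, t in zip(gs, ts))
        out.append((a, b))
    return out

def periodogram(coeffs):
    """p_k = a_k^2 + b_k^2 (Definition 5.4)."""
    return [a * a + b * b for a, b in coeffs]

def psi1(p, H, eps, tol=1e-9):
    """Robust envelope membership: p_k within H[k] +/- eps[k] for k <= K,
    and no energy at frequencies above omega_K (p_k = 0 up to tol)."""
    K = len(H) - 1
    for k, pk in enumerate(p):
        if k > K:
            if pk > tol:
                return False
        elif not (H[k] - eps[k] <= pk <= H[k] + eps[k]):
            return False
    return True

def series(coeffs, T):
    """S_K(t) rebuilt from the coefficients (Eq. 5.10)."""
    def s(t):
        return sum(a * math.cos(2 * math.pi * k * t / T) + b * math.sin(2 * math.pi * k * t / T)
                   for k, (a, b) in enumerate(coeffs))
    return s

def psi3(g, coeffs, T, eps_K, n=500):
    """Does g(t) stay inside S_K(t) +/- eps_K over one period (Eq. 5.11)?"""
    s = series(coeffs, T)
    return max(abs(g(t) - s(t)) for t in (i * T / n for i in range(n))) <= eps_K

def demo():
    T = 1.0
    w = 2 * math.pi / T
    # Constructed nominal oscillation: DC, a fundamental and a third harmonic.
    g = lambda t: 0.5 + 1.0 * math.cos(w * t) + 0.3 * math.sin(w * t) + 0.2 * math.cos(3 * w * t)
    H = [0.25, 1.09, 0.0, 0.04]          # p_0..p_3 of the nominal signal (K = 3)
    eps = [0.02] * 4                     # robustness eps_k of Definition 5.5
    results = {}
    cases = {
        "nominal": g,
        "gain +0.5%": lambda t: 1.005 * g(t),                          # stays inside the envelope
        "gain +2%": lambda t: 1.02 * g(t),                             # p_1 leaves H(omega_1) +/- eps_1
        "5th harmonic": lambda t: g(t) + 0.1 * math.cos(5 * w * t),    # energy above omega_K
    }
    for name, sig in cases.items():
        p = periodogram(fourier_coeffs(sig, T, kmax=6))
        results[name] = psi1(p, H, eps)
    results["psi3 nominal"] = psi3(g, fourier_coeffs(g, T, kmax=3), T, eps_K=1e-9)
    return results

if __name__ == "__main__":
    print(demo())
```

Running demo() reports the nominal signal and a 0.5% gain change as inside the envelope, while a 2% gain change pushes p_1 outside H(ω_1) ± ϵ_1 and an added fifth harmonic violates the first bullet of Sec. 5.2.2; that is the distinction between tolerated parameter variation and an undesired harmonic that the robust specification is meant to draw.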
5.3 Verification of the Frequency Domain Properties
The task of verification of the frequency domain properties has two parts. In the first
part, we verify the existence of a unique limit cycle in the hybrid state space of the
oscillator. The second part verifies membership of the limit cycle in the robust frequency
domain envelope.
To verify the frequency domain properties discussed in the last section, we need to identify the location of the limit cycle in the oscillator hybrid state space. This search for the limit cycle is performed using BMC following the pseudocode given in Alg. 6. In order to show that there is a unique limit cycle in the hybrid state space of the oscillator HDS, we show the presence of a periodic arc in the hybrid state space and show its reachability from all but the equilibrium state. The input of Alg. 6 is the HDS model of an oscillator, whereas its output is the set of all boxes constituting a limit cycle. We divide the hybrid state space into boxes [x_l, x_u]_1 × [y_l, y_u]_1, ..., [x_l, x_u]_n × [y_l, y_u]_n. The search starts from the box with the equilibrium state x_e and goes radially outward as
Algorithm 6 Locating Limit Cycle
INPUT: HDS model of Oscillator
OUTPUT: Hybrid Limit Cycle
1: B_periodic ← ∅
2: BR_limit ← ∅
3: Γ ← ∅
4: for i = 0 → i = i_max do
5:   B_initial ← [x_l, x_u]_i × [y_l, y_u]_i
6:   repeat
7:     B_next ← Reach^t_H(B_initial)
8:   until (B_next ∩ B_initial ≠ ∅ ∧ t > 0) ∨ (t = t_max)
9:   if B_next ∩ B_initial ≠ ∅ then
10:    B_periodic ← B_initial
11:  else
12:    B_periodic ← ∅
13:  end if
14:  if B_periodic ≠ ∅ then
15:    break
16:  end if
17: end for
18: if B_periodic ≠ ∅ then
19:   repeat
20:     B_limitnext ← Reach^t_H(B_periodic)
21:     BR_limit ← {B_periodic, B_limitnext}
22:   until B_limitnext ∈ BR_limit
23:   for k = 0 → k = k_max do
24:     repeat
25:       B_next ← Reach^t_H(B_k); B_k ∉ BR_limit
26:     until (d(y ∈ B_next, z ∈ (B ∈ BR_limit)) ≤ ϵ) ∨ (t = t_max)
27:   end for
28: end if
29: Γ ← BR_limit
30: return Γ
[Figure 5.8: Locating the Global Positive Limit Cycle. In the (x, y) plane, the search starts from the box with the equilibrium point and proceeds outward in the search direction; trajectories spiral towards Γ.]
depicted in Fig. 5.8. An arbitrarily small box which does not contain an equilibrium point, and is part of a closed orbit, should satisfy Ψ_H((t, j), x) = x for some x ∈ ([x_l, x_u]_n × [y_l, y_u]_n) and t > 0. Following this strategy, we start in B_initial and check if the reachable sets Reach^t_H(B_initial) have a non-empty intersection with B_initial for t > 0 (Lines 4-8). If there is a box B_periodic with the periodicity property, the search is stopped (Lines 9-15); otherwise all i_max boxes are searched for periodicity for a maximum time t_max (Lines 4-16). Utilizing Lemma 5.1, the algorithm finds all boxes that are reachable from B_periodic through a series of reachability operations (Lines 18-22). This results in the set of all boxes BR_limit, which contains the set of states constituting a T-periodic closed orbit and its close proximity. From Lemma 5.1, the set of boxes BR_limit contains all states that are either part of the periodic limit cycle, or are in close proximity of it. To show that BR_limit is the global positive limit set, we further show that those trajectories that start in the set of boxes (BR \ BR_limit) converge to BR_limit for t → ∞. Here, BR denotes the set of all boxes. This can formally be verified by showing that
$$\lim_{t\to\infty} d(\Psi_H(\mathcal{T}, x), z) \le \beta$$
∀x ∈ BR \ BR_limit, and ∃z ∈ B (∈ BR_limit). Here d is the distance from the hybrid trajectory Ψ_H(T, x) to the nearest point z ∈ B (∈ BR_limit). This is performed by the reachability of a box in close proximity of BR_limit from all non-periodic boxes B_k (Lines 24-27). This procedure is repeated for all k_max non-periodic boxes. Note that this reachability is not performed for the equilibrium state, as the limit cycle is non-reachable from it. Note that to verify the frequency domain properties, we need to have
a single box with the periodicity property which is part of the unique limit cycle Γ. However, to reduce the time of the reachability queries for all outside boxes, we need to find all boxes with the periodicity property, so as to be able to use the closest box of the limit cycle as a target box.
To verify that the unique limit cycle Γ satisfies the frequency domain properties of Eq. 5.13, Eq. 5.14 and Eq. 5.15, the Euclidean distance of Γ from the specified periodic arc P_H(t, j) must be less than an arbitrarily small positive number σ. This is performed by introducing the following constraint,
$$\|P_H(t,j) - \Psi_H(\mathcal{T}, x)\| \le \sigma, \quad x \in B (\in BR_{limit}) \qquad (5.16)$$
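The search of Alg. 6 can be followed on a small planar system. The Python below is an added example and not the thesis's implementation: it keeps the structure of the algorithm (radially ordered boxes, the periodicity test on B_initial, the collection of BR_limit, and the convergence query for every remaining box) but replaces each Reach^t_H query with a numerically integrated trajectory from the box centre, so it is a simulation of the algorithm's logic rather than a sound reachability analysis. The test system, grid, step size, t_max and ϵ are assumed for the demonstration.

```python
import math

# Added example (not the thesis's code, which runs reachability in SMODE):
# Algorithm 6 on a box partition of the plane, with each Reach^t_H query
# replaced by a numerically integrated trajectory from the box centre. The
# system is a constructed planar ODE, not the VCO/TDO model: in polar form
# r' = r(1 - r^2), theta' = 1, so the unit circle is the unique attracting
# limit cycle and the origin the (unstable) equilibrium.

def vector_field(p):
    x, y = p
    r2 = x * x + y * y
    return (x - y - x * r2, x + y - y * r2)

def rk4_step(f, p, dt):
    k1 = f(p)
    k2 = f((p[0] + 0.5 * dt * k1[0], p[1] + 0.5 * dt * k1[1]))
    k3 = f((p[0] + 0.5 * dt * k2[0], p[1] + 0.5 * dt * k2[1]))
    k4 = f((p[0] + dt * k3[0], p[1] + dt * k3[1]))
    return (p[0] + dt * (k1[0] + 2 * k2[0] + 2 * k3[0] + k4[0]) / 6,
            p[1] + dt * (k1[1] + 2 * k2[1] + 2 * k3[1] + k4[1]) / 6)

class BoxGrid:
    """[lo, hi]^2 cut into n x n boxes [x_l, x_u]_i x [y_l, y_u]_j, indexed by (i, j)."""
    def __init__(self, lo, hi, n):
        self.lo, self.n, self.w = lo, n, (hi - lo) / n
    def box_of(self, p):
        idx = tuple(int(math.floor((c - self.lo) / self.w)) for c in p)
        return idx if all(0 <= i < self.n for i in idx) else None
    def bounds(self, b):
        return [(self.lo + i * self.w, self.lo + (i + 1) * self.w) for i in b]
    def center(self, b):
        return tuple(l + self.w / 2 for l, _ in self.bounds(b))
    def dist(self, p, b):
        """Euclidean distance from point p to box b (0 if p is inside)."""
        return math.sqrt(sum(max(l - c, c - u, 0.0) ** 2 for c, (l, u) in zip(p, self.bounds(b))))
    def all_boxes(self):
        return [(i, j) for i in range(self.n) for j in range(self.n)]

def trajectory(f, p, dt, tmax):
    """Yield (t, point) samples of the numerical flow from p up to tmax."""
    t = 0.0
    while t < tmax:
        p = rk4_step(f, p, dt)
        t += dt
        yield t, p

def is_periodic_box(grid, f, b, dt, tmax):
    """Lines 5-13: a trajectory started in b leaves b and re-enters it for t > 0."""
    left = False
    for _, p in trajectory(f, grid.center(b), dt, tmax):
        cur = grid.box_of(p)
        if cur != b:
            left = True
        elif left:
            return True
    return False

def limit_boxes(grid, f, b, dt, tmax):
    """Lines 19-22: boxes reached from B_periodic until the trajectory is back in it."""
    visited, left = [b], False
    for _, p in trajectory(f, grid.center(b), dt, tmax):
        cur = grid.box_of(p)
        if cur != b:
            left = True
        elif left:
            break
        if cur is not None and cur not in visited:
            visited.append(cur)
    return visited

def converges(grid, f, b, targets, eps, dt, tmax):
    """Lines 24-26: the trajectory from b comes within eps of a box of BR_limit."""
    for _, p in trajectory(f, grid.center(b), dt, tmax):
        if min(grid.dist(p, tb) for tb in targets) <= eps:
            return True
        if grid.box_of(p) is None:          # left the bounded state space
            return False
    return False

def locate_limit_cycle(grid, f, equilibrium, dt=0.01, tmax=30.0, eps=0.1):
    eq_box = grid.box_of(equilibrium)
    # Lines 4-17: search boxes radially outward from the equilibrium box.
    order = sorted(grid.all_boxes(), key=lambda b: math.dist(grid.center(b), equilibrium))
    periodic = next((b for b in order if is_periodic_box(grid, f, b, dt, tmax)), None)
    if periodic is None:
        return {"periodic": None, "limit": [], "unconverged": []}
    limit = limit_boxes(grid, f, periodic, dt, tmax)
    # Lines 23-27: every other box (the equilibrium box excepted) must reach BR_limit.
    unconverged = [b for b in grid.all_boxes() if b not in limit and b != eq_box
                   and not converges(grid, f, b, limit, eps, dt, tmax)]
    return {"periodic": periodic, "limit": limit, "unconverged": unconverged}

def run_demo():
    grid = BoxGrid(-1.8, 1.8, 9)
    res = locate_limit_cycle(grid, vector_field, (0.0, 0.0))
    res["periodic_radius"] = (math.dist(grid.center(res["periodic"]), (0.0, 0.0))
                              if res["periodic"] is not None else None)
    # Each box of BR_limit should straddle the unit circle: nearest point of
    # the box at radius <= 1 and its farthest corner at radius >= 1.
    res["limit_on_circle"] = all(
        grid.dist((0.0, 0.0), b) <= 1.0 <= max(math.hypot(x, y) for x in grid.bounds(b)[0] for y in grid.bounds(b)[1])
        for b in res["limit"])
    return res

if __name__ == "__main__":
    print(run_demo())
```

On this system the first periodic box found lies at radius 0.8 from the equilibrium box, every box collected into BR_limit straddles the unit circle, and all remaining boxes except the equilibrium box come within ϵ of BR_limit, which is the global positive limit set property the text describes.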
5.3.1 Encoding the Frequency Domain Properties Verification as a BMC Problem
We use SMODE, discussed in Sec. 2.5.1.1, to implement the reachability instances in Alg. 6. Predicative encoding is used to define the state space by bounding the variables $x := \{x_1, \ldots, x_n\}$, such that $x \in ([x_L, x_U] \times [y_L, y_U])$. At step 0 of the K unwindings of the transition system, and for an initial $i \in I_C$, x can be set to be in an initial box, i.e. $(i \in I_C) \implies x \in B_{initial}$. Each $C_i$ is defined by a set $\{c_1, \ldots, c_n\}$ of invariants on the real variables, and this can be added as a constraint $C_i \implies \bigwedge_n c_n$, $\forall i \in I_C$. In a flow set $C_i$, when time elapses the real variables $x_n$ update according to the set of flow maps $F_i := \{f_1, \ldots, f_n\}$ for the n variables respectively. For each $C_i$ we add the constraint $(C_i \wedge t_{elapse}) \implies \bigwedge_n f_n$. For each jump set $D_i$, $i \in I_D$, $D_i := \{d_1, \ldots, d_n\}$, the jump from $C_j$ to $C_{j+1}$ is encoded as a predicate, $\mathit{jump} \wedge (C_j, C_{j+1}) \implies \bigwedge_n d_n$. For each jump set we add identity jump maps, i.e. $\mathit{jump} \wedge (C_j, C_{j+1}) \implies \bigwedge_n g_n^{j+1}(x_n) = x_n^{j}$. The first property that we verify is the existence of periodicity for a certain initial box $B_{initial}$. We encode this as a target predicate, $time > 0 \wedge x \notin B_{initial}$. This property essentially states that, starting in $B_{initial}$ and after some time, the trajectories traversed by the continuous valuation of the variable x do not return to the box $B_{initial}$. A counterexample to this formula shows that $time > 0 \wedge x \in B_{initial}$ is true. Consequently, this shows that trajectories starting in $B_{initial}$ are periodic. All other reachability queries are encoded similarly. This results in a constraint system Π consisting of the following constraints,
• $x := \{x_1, \ldots, x_n\} \in [x_L, x_U] \times [y_L, y_U]$
• $C_i \implies x \in B_{initial}$
• $C_i \implies \bigwedge_n c_n$
• $(C_i \wedge t_{elapse}) \implies \bigwedge_n f_n$
• $\mathit{jump} \wedge (C_j, C_{j+1}) \implies \bigwedge_n d_n$
• $\mathit{jump} \wedge (C_j, C_{j+1}) \implies \bigwedge_n g_n^{j+1}(x_n) = x_n^{j}$
• $time > 0 \wedge x \notin B_{initial}$
The decision of the BMC problem to check periodicity/reachability is reduced to the
satisfaction of the Π constraint system.
Similarly, we determine membership of the periodic hybrid arcs of the oscillator HDS in the robust power spectral envelope by incorporating the additional set of constraints ψ1, ψ2, ψ3 in a transition system similar to Π. The initial conditions of the BMC are given in the form of a box Binitial ∈ BRlimit. Apart from the ODE constraints, we add the set of constraints ψ1, ψ2, ψ3 for each scalar variable xn to the BMC algorithm. As the ‘Target’ state of the BMC, we introduce the following predicate,
¬(time > 0 ∧ time ≤ tmax ∧ xn ∈ Binitial) ∨ ¬(‖PnH(t, j) − xn(t, j)‖ ≤ σ) (5.17)
This target predicate is a disjunction of two predicates. The predicate ¬(time > 0 ∧ time ≤ tmax ∧ xn ∈ Binitial) ensures that, starting in the box Binitial, trajectories will return to the same box before the maximum time limit has elapsed. A satisfiable valuation of this predicate is a counterexample to the periodicity property. The second predicate, ¬(‖PnH(t, j) − xn(t, j)‖ ≤ σ), ensures that for all time, the distance of the hybrid arc x(t, j) from the specified time domain periodic hybrid arc PnH(t, j), obtained from the frequency domain specification, must be less than an arbitrarily small positive number σ. A satisfiable valuation of this predicate implicitly indicates a violation of the frequency domain specification.
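As an added illustration, not the thesis's iSAT-ODE encoding, the following Python script checks by bounded-time numerical simulation the three queries this section encodes: periodicity of a box, reachability between boxes, and the distance bound of the second disjunct of Eq. 5.17; where the BMC formula yields a refutation, the simulation yields a witness. It assumes a Van der Pol oscillator as a stand-in for the TDO/VCO flow maps, with its parameter µ in the role of the varied circuit parameter, and uses a nominal simulated cycle in place of the periodogram-derived arc PH(t, j).

```python
import math


def flow(state, mu):
    """Van der Pol vector field, a stand-in for the oscillator flow maps
    (assumption: the TDO/VCO equations are not reproduced in this section);
    mu plays the role of the varied circuit parameter."""
    x, y = state
    return (y, mu * (1.0 - x * x) * y - x)


def rk4_step(state, mu, dt):
    """One classical Runge-Kutta step of the flow."""
    def shift(s, k, h):
        return (s[0] + h * k[0], s[1] + h * k[1])
    k1 = flow(state, mu)
    k2 = flow(shift(state, k1, dt / 2), mu)
    k3 = flow(shift(state, k2, dt / 2), mu)
    k4 = flow(shift(state, k3, dt), mu)
    return (state[0] + dt / 6 * (k1[0] + 2 * k2[0] + 2 * k3[0] + k4[0]),
            state[1] + dt / 6 * (k1[1] + 2 * k2[1] + 2 * k3[1] + k4[1]))


def simulate(start, mu, tmax, dt=1e-3):
    """Trajectory as a list of (time, state) samples, starting at time 0."""
    traj = [(0.0, start)]
    state = start
    for i in range(1, int(round(tmax / dt)) + 1):
        state = rk4_step(state, mu, dt)
        traj.append((i * dt, state))
    return traj


# A box is ((xL, xU), (yL, yU)): the simple bounds the predicative encoding uses.
def in_box(state, box):
    (xl, xu), (yl, yu) = box
    return xl <= state[0] <= xu and yl <= state[1] <= yu


def centre(box):
    return ((box[0][0] + box[0][1]) / 2.0, (box[1][0] + box[1][1]) / 2.0)


def is_periodic(box, mu, tmax):
    """Periodicity witness: the trajectory from the box centre leaves B_initial
    and re-enters it before tmax, i.e. 'time > 0 and time <= tmax and
    x in B_initial' is satisfiable. A trajectory that never leaves the box
    (an equilibrium box) does not count as periodic."""
    left = False
    for _, state in simulate(centre(box), mu, tmax)[1:]:
        if not in_box(state, box):
            left = True
        elif left:
            return True
    return False


def reachable(src, dst, mu, tmax):
    """Reachability witness: some sample of the trajectory from src lies in dst."""
    return any(in_box(s, dst) for _, s in simulate(centre(src), mu, tmax))


def max_distance(traj, reference):
    """Largest Euclidean distance ||P(t) - x(t)|| over paired samples, the
    quantity bounded by sigma in the second disjunct of Eq. 5.17."""
    return max(math.hypot(a[0] - b[0], a[1] - b[1])
               for (_, a), (_, b) in zip(traj, reference))


def meets_distance_bound(box, mu, mu_ref, tmax, sigma):
    """True when the trajectory from the box stays within sigma of the reference
    arc up to tmax. Assumption: the reference arc is the nominal (mu_ref)
    trajectory from the same box, not an arc synthesised from the periodogram."""
    return max_distance(simulate(centre(box), mu, tmax),
                        simulate(centre(box), mu_ref, tmax)) <= sigma


CYCLE_BOX = ((1.9, 2.1), (-0.1, 0.1))          # on the limit cycle (constructed)
EQUILIBRIUM_BOX = ((-0.1, 0.1), (-0.1, 0.1))   # around the unstable equilibrium
OUTSIDE_BOX = ((0.4, 0.6), (0.4, 0.6))         # a non-periodic box

if __name__ == "__main__":
    mu = 1.0
    print("cycle box periodic:", is_periodic(CYCLE_BOX, mu, 10.0))
    print("equilibrium box periodic:", is_periodic(EQUILIBRIUM_BOX, mu, 10.0))
    print("cycle box reachable from outside box:",
          reachable(OUTSIDE_BOX, CYCLE_BOX, mu, 40.0))
    print("cycle box reachable from equilibrium:",
          reachable(EQUILIBRIUM_BOX, CYCLE_BOX, mu, 40.0))
    # bounded-time result: a 2% parameter shift stays within sigma for ~2 periods
    print("2% shift within sigma=0.5:", meets_distance_bound(CYCLE_BOX, 1.02, mu, 13.5, 0.5))
    print("50% shift within sigma=0.5:", meets_distance_bound(CYCLE_BOX, 1.5, mu, 13.5, 0.5))
```

As with the BMC result, the distance check only holds for the bounded horizon tmax; a longer horizon lets the phase drift of the shifted parameter accumulate.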
5.4 Experimental Evaluation
We have verified frequency domain properties for the TDO and VCO benchmarks. The list of parameters with their ranges is given in Table 5.1 [37]. We used the SMODE solver iSAT-ODE [33] for the verification of BMC-based reachability/periodicity and frequency domain properties. We used Matlab to compute periodogram specifications for both benchmarks [71]. We used a 2.6 GHz Intel(R) Core(TM) i5 machine with 4 GB of memory for all experiments.
Table 5.1: Benchmark Oscillator Parameters
Parameters   VCO             TDO
C            3.43nF ± 2%     1nF ± 2%
L            2.85mH ± 2%     1mH ± 2%
Vctr         0
R            3.7Ω ± 2%       0.2Ω ± 2%
Vtp          −0.69
Kp           86µA/V²
W            240µm
L            0.25µm
λ            −0.07V⁻¹
VDD          1.8V
Ib           18mA
To find all boxes with equilibrium states, we used the Z3 SMT solver [50] to find the roots of the right hand side of Eq. 5.6 and Eq. 5.7. The equilibrium point analysis for the TDO shows that there are two equilibrium points, i.e. xe ∈ [0.34, 0.35] and xe ∈ [0.35, 0.38]. Note that these two boxes belong to different continuous flow sets. To determine the location of the limit cycle in the TDO hybrid space, we divided the space (Vd ∈ [0, 1], IL ∈ [−10, 10]) into 400 boxes. Starting from the box(es) having equilibrium states, we performed our search in an arbitrary direction, keeping the axis IL fixed and varying Vd, iteratively checking each box for the periodicity property. Once we identified such a box, we found all boxes which were reachable from this box. To show that this is the unique limit cycle, we verified that the boxes being part of the periodic arc are reachable from all other boxes. This resulted in an isolated limit cycle in the hybrid state space of the TDO HDS as depicted in Fig. 5.9a. Note that, to verify the frequency domain properties, we needed only a single isolated box having the periodicity and global reachability properties. However, to reduce the computation time for reachability queries, we found all boxes belonging to the periodic arc, and reachability was verified for the nearest box for the different regions. The processes of splitting intervals and formulating SMODE properties were done manually, supported by around 5500 seconds of CPU time. This includes approximately 100 SMODE enquiries for periodicity and approximately 380 reachability properties. The given time is for all those
formulas, Periodicity/Reachability, for which a “Satisfiable” result was given by iSAT-ODE, and does not include the instances when a property was declared “Unsatisfiable” by the solver for a particular box.
[Figure 5.9: Locating Limit Cycle in Hybrid State Space. (a) TDO Limit Cycle Simulation, Vd (volts) against IL (mA); (b) VCO Limit Cycle Simulation, VD1 (volts) and VD2 (volts) against IL (mA).]
[Figure 5.10: Oscillators Hybrid Systems Simulation Traces. (a) TDO Limit Cycle Simulation; (b) VCO Limit Cycle Simulation.]
We have used a similar procedure for locating the isolated limit cycle in the VCO hybrid state space. However, while performing the periodicity and reachability verification of boxes using iSAT-ODE, we needed to transform some of the flow sets where there were multiple variables, e.g. VD1 − VD2 ≤ −Vtp, to simpler inequalities involving a single variable. This is because the encoding of hybrid systems in iSAT-ODE requires simple bounds on the variables, as elaborated by Andreas et al. in [33]. Therefore, for the VCO HDS, we have introduced an auxiliary variable, V = VD1 − VD2, with its derivative with respect to time t given below,
$$\dot{V} = \frac{\partial V}{\partial V_{D1}}\,\dot{V}_{D1} + \frac{\partial V}{\partial V_{D2}}\,\dot{V}_{D2} = \dot{V}_{D1} - \dot{V}_{D2} \qquad (5.18)$$
[Figure 5.11: Frequency Domain Properties Specifications. (a) TDO Robust Periodogram Specification; (b) VCO Robust Periodogram Specification.]
From the equilibrium point analysis, we have found two boxes with equilibrium in the VCO hybrid state space. These are VD1 ∈ [0.62, 0.67], VD2 ∈ [0.62, 0.67], IL ∈ [0, 0], and VD1 ∈ [1.5, 1.7], VD2 ∈ [1.5, 1.7], IL ∈ [0, 0]. We have divided the hybrid state space of the VCO (VD1 ∈ [−2, 2], VD2 ∈ [−2, 2], IL ∈ [−0.1, 0.1]) into 1000 boxes and followed the same procedure as we did for the TDO limit cycle identification. Starting from the boxes with the equilibrium state, we have searched the state space for periodicity in an arbitrary direction, this time fixing two axes and varying the third one, identifying the box satisfying the periodicity property. Furthermore, all boxes reachable from the box with the periodicity property have been found, and later reachability of these from all others was ensured. The isolated limit cycle for the VCO is depicted in 3-D in Fig. 5.9b. The computation time for this limit cycle identification was noted to be approximately 11500 seconds of CPU time. Note that we have recognized that the limit cycle of the VCO spans over five regions of the VD1, VD2 plane. Consequently, for the frequency domain properties of the VCO (discussed later), we have used a hybrid system having five continuous flow sets as shown in Fig. 5.4.
Table 5.2: Experimental Results
(a) TDO Verification Results
Depth   Decision        Time (seconds)
0       Unsatisfiable   0
1       Unsatisfiable   81.07
2       Unsatisfiable   83.22
3       Unsatisfiable   304.37
4       Unsatisfiable   352.44
5       Unsatisfiable   1299.64
6       Unsatisfiable   1448.71
7       Unsatisfiable   26779.75
8       Unsatisfiable   27096.21
(b) VCO Verification Results
Depth   Decision        Time (seconds)
0       Unsatisfiable   0
1       Unsatisfiable   6.13
2       Unsatisfiable   206.45
3       Unsatisfiable   538.39
4       Unsatisfiable   947.10
5       Unsatisfiable   2237.89
6       Unsatisfiable   3457.43
7       Unsatisfiable   11672.11
8       Unsatisfiable   15892.13
To specify robust frequency domain properties, we have used simulation traces as
shown in Fig. 5.10a and Fig. 5.10b. The corresponding periodogram specifications for these traces are depicted in Fig. 5.11a and Fig. 5.11b, for the TDO and VCO respectively. Here we have only shown specifications for the fundamental frequency of the variables (Vd for the TDO, and VD1 for the VCO). The upper and lower bounds on these periodograms have been found based on designer judgement, i.e. we chose random values in the parameter spaces, correspondingly varied the “power spectral envelope”, and arrived at these bounds. Considering the box shown in red in Fig. 5.9a as the initial conditions for the state variables, we model checked the TDO HDS for eight unwindings of the BMC formula. We got “Unsat” results for the formula for all unwindings, showing the satisfaction of the frequency domain properties. Verification results with computation times are given in Table 5.2a. Similarly for the VCO, we considered the box shown in red in Fig. 5.9b as initial conditions, and verified the frequency domain property for eight unwindings of the BMC formula. We obtained “Unsat” for eight unwindings, showing that the frequency domain property is satisfied by the VCO for the given ranges of parameters. Results are given in Table 5.2b. These results show that the distance between the traces from the HDS models and that from the robust frequency domain specification has been less than the user defined bound for at least eight unwindings of the BMC formula. Note that in a BMC algorithm, one unwinding corresponds to one discrete jump of the HDS model. Since BMC is a bounded approach, the results show that the model meets the robust frequency domain properties specification for a bounded time, corresponding to the eight unwindings.
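As an added example, not the Matlab procedure used in the thesis, this Python script builds a robust periodogram specification as described above: the energy at each harmonic of the nominal fundamental is the sum of the squared Fourier series coefficients, the envelope is the min/max over traces generated at the ±2% corners of the TDO tank values of Table 5.1 widened by an assumed design margin, and candidate traces are then checked for membership. The traces are constructed sinusoids with a small third harmonic standing in for simulation traces, and the check covers the harmonics as well as the fundamental shown in the figures.

```python
import math

# Nominal TDO tank values from Table 5.1; the +/-2% spread is sampled below.
L_NOM, C_NOM = 1e-3, 1e-9
F0 = 1.0 / (2 * math.pi * math.sqrt(L_NOM * C_NOM))   # nominal fundamental, ~159 kHz
SAMPLES_PER_PERIOD = 64
PERIODS = 8                                            # analysis window in nominal periods
DT = 1.0 / (F0 * SAMPLES_PER_PERIOD)
NSAMP = SAMPLES_PER_PERIOD * PERIODS


def tank_trace(L, C, h3=0.05, nsamp=NSAMP, dt=DT):
    """Constructed stand-in for a simulated oscillator trace: a unit-amplitude
    fundamental at the tank resonance 1/(2*pi*sqrt(LC)) plus a small third
    harmonic. Assumption: this is not the thesis's TDO model."""
    f = 1.0 / (2 * math.pi * math.sqrt(L * C))
    return [math.cos(2 * math.pi * f * i * dt) + h3 * math.cos(2 * math.pi * 3 * f * i * dt)
            for i in range(nsamp)]


def periodogram(trace, f0=F0, kmax=3, dt=DT):
    """Energy at harmonic k of f0 as a_k^2 + b_k^2, where a_k and b_k are the
    Fourier series coefficients estimated over the sample window."""
    T = len(trace) * dt
    energy = {}
    for k in range(1, kmax + 1):
        w = 2 * math.pi * k * f0
        a = (2.0 / T) * sum(s * math.cos(w * i * dt) for i, s in enumerate(trace)) * dt
        b = (2.0 / T) * sum(s * math.sin(w * i * dt) for i, s in enumerate(trace)) * dt
        energy[k] = a * a + b * b
    return energy


def corner_points(L=L_NOM, C=C_NOM, spread=0.02):
    """The four corners of the L, C parameter box (+/-spread around nominal)."""
    return [(L * (1 + sl), C * (1 + sc))
            for sl in (-spread, spread) for sc in (-spread, spread)]


def robust_envelope(param_points, margin=0.2, kmax=3):
    """Lower/upper bound per harmonic over traces generated at the sampled
    parameter points, widened by a relative margin (assumed design choice
    standing in for the designer-judgement step)."""
    specs = [periodogram(tank_trace(L, C), kmax=kmax) for L, C in param_points]
    lo, hi = {}, {}
    for k in range(1, kmax + 1):
        vals = [s[k] for s in specs]
        top = max(vals)
        hi[k] = top * (1.0 + margin)
        lo[k] = max(0.0, min(vals) - margin * top)
    return lo, hi


def violations(energy, lo, hi):
    """Harmonics whose energy falls outside [lo, hi]; an empty list means the
    trace is a member of the robust power spectral envelope."""
    return [k for k in sorted(lo) if not lo[k] <= energy[k] <= hi[k]]


if __name__ == "__main__":
    lo, hi = robust_envelope(corner_points())
    for k in sorted(lo):
        print(f"harmonic {k}: energy in [{lo[k]:.4g}, {hi[k]:.4g}]")
    # a trace from inside the parameter box is a member of the envelope
    print("interior point:", violations(periodogram(tank_trace(L_NOM, 1.01 * C_NOM)), lo, hi))
    # an undesired third harmonic is caught at k = 3
    print("distorted:", violations(periodogram(tank_trace(L_NOM, C_NOM, h3=0.3)), lo, hi))
    # a ~9% frequency shift (L 21% high) loses its fundamental energy at k = 1
    print("detuned:", violations(periodogram(tank_trace(1.21 * L_NOM, C_NOM)), lo, hi))
```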
5.5 Related Work
In [38], the authors verified time domain properties of a tunnel diode oscillator using the tool PHAVER, showing that the variations in amplitude and jitter in the oscillator behaviour are bounded, but it did not show that there are no undesired harmonics in the behaviour. [30] used the MetiTarski theorem prover, and showed that for certain values of parameters, a tunnel diode oscillator does not oscillate if it does not cross certain thresholds of the state variables; finding such thresholds is difficult for a nonlinear circuit model. A similar approach has been adopted in [45], proving that a TDO oscillates for all possible initial conditions using an ACTL specification and CHECKMATE. It does state that the presence of an unstable equilibrium point in the state space shows the presence of a limit cycle; this work however does not talk about the period or the frequency of the periodic orbit. Steinhorst et al. in [87] showed oscillations in TDO and ROs using visualization techniques. Though complex behaviours in the state
space can be visualized, the absence of higher harmonics in the oscillation was not formally verified. The ring oscillator start-up problem has been taken up in [44], [57]. These are based on finding the absence of a stable DC equilibrium point. While the former uses small signal analysis around the equilibrium point, the latter puts constraints on node voltages to establish the stability of equilibrium points. Both these approaches are very localized and cannot encapsulate the global behaviour of non-linear ring oscillator circuits; neither proves the absence of higher harmonic oscillations. Chao et al. [108] verified oscillator start-up using techniques from dynamical system theory. Donze et al. [32] demonstrated time and frequency logic (TFL) for monitoring properties of music signals, but its extension to set based AMS circuit analysis needs further research.
Frequency domain approaches, on the other hand, are limited to small signal AC analysis of a more approximate linearized model around an equilibrium point. In [49], the author computed value sets of a transfer function for parameter variations and a range of frequencies using interval arithmetic. It was shown that the method was computationally very expensive, and its extension to non-linear circuits modelled as piece-wise affine would be a difficult task. Similarly, [64] derived amplitude and phase envelopes of a family of interval rational transfer functions for continuous-time systems. [30] used MetiTarski to prove that the magnitude of the transfer function of a small operational amplifier is bounded for a range of frequencies.
5.6 Chapter Summary
In this chapter, we have shown frequency domain property specification and its verification using the SMODE technique for BMC of hybrid systems. Dynamical systems (continuous/hybrid) are generally verified for their frequency domain properties by linearizing these systems and transforming them into frequency domain Laplace transforms. While this is theoretically simple, the loss of the non-linear behaviour of systems like oscillators is however significant. Furthermore, a limit cycle is an inherent behaviour of non-linear systems and cannot be approximated by any linearisation. For example, a non-linear system with a stable limit cycle, when perturbed from its limit cycle, will always regain its state of oscillation with the same frequency. On the other side, a linear system when disturbed from its state of oscillation will start to oscillate with a different frequency. We therefore use an approach, borrowing techniques from both time and frequency domains, to specify properties in the frequency domain and verify them in the time domain. We have used a robust periodogram to specify the oscillatory behaviour of the analog oscillator for any parameter and process variations. Since verifying non-linear systems in the frequency domain is intractable, we have used a time domain BMC for the verification of these properties. Membership of the limit cycle in a set of the time domain trajectories generated from the power spectral envelope (defined by the periodogram specifications) has been shown using SMODE. Results are sound for bounded time and have been shown to be practical for simple circuits. In the future, as tools continue to develop and are capable of providing more efficient solvers and deduction methods giving improvements in computation time, we are confident that this approach will scale to more significant real world examples of AMS circuits. We have shown a successful first step in developing property-based formal verification in the frequency domain. In the future we intend to extend this methodology to cover the transient region of circuits by using the Fourier transform and short time Fourier transform. We also intend to extend the work to allow deduction directly in the frequency domain.
Chapter 6
Conclusion and Future Work
In this thesis, we have verified time and frequency domain properties of AMS circuits. The Inevitability property has been the main focus of this thesis, as opposed to the safety property in previous works. Proving Inevitability is somewhat more difficult than the safety property, as the long term behaviour of the AMS circuit needs to be considered for the verification of Inevitability. Moreover, convergence to a “particular set” by all possible system trajectories has to be verified. Therefore, verifying Inevitability is intractable using the explicit time domain reachability analysis, where the continuous/hybrid state space is divided into small partitions and reachability of the desired state is verified iteratively. Reachability, being undecidable for general continuous/hybrid systems, generates less accurate results. This is because conservative over-approximation is used to counter the undecidability issue. To reduce conservatism, the partitioning of the state space is refined to obtain more accurate results. However, no matter how high the granularity of these partitions is, reachability, being of an approximate nature, cannot give exact results to verify the Inevitability property.
In this thesis, we have presented mixed deductive-bounded and deductive-only verification methodologies, benefiting from the exact certificate based deductive verification approach and improving upon what we can achieve with the bounded-only verification approach. There are two major advantages of the deductive verification approach. It verifies a property for infinite time, as opposed to the bounded time nature of bounded reachability analysis such as BMC of continuous/hybrid systems. Secondly, for systems modelled as continuous/hybrid dynamical systems, deductive methods do not explicitly solve the ODEs encountered in these models, and consequently are free from any approximations of the trajectories. Certificate based deductive methods are an abstract way of deducing the long term behaviour of systems from the existence of a certificate having certain properties in semi-algebraic sets. We have used Lyapunov theory and came up with some interesting local properties which were verified by different flavours of Lyapunov-like certificates. Involving quantifiers (both Universal and Existential), the construction of Lyapunov-like certificates is an NP-Hard problem. Though there are symbolic tools (such as QEPCAD, Redlog) which can solve these formulas exactly, their computation time is such that they are not practically useful for realistic problems. Therefore, we have used numeric and numeric-symbolic approaches to deal with this complexity issue. On the numeric side, we have used SOS programming for the numerical verification of positivity of polynomial functions in realistic computational time. Being associated with numerical errors, the results of the SOS programming are further validated in the symbolic QE tool. We have also used SOS programming based bounded advection of sets for partial verification of the Inevitability property.
Lastly, realizing the significance of verifying AMS circuits in the frequency domain,
we have proposed frequency domain property specification. This has been followed by
the verification of these frequency domain properties using a mixed time and frequency
domain approach. We have verified two types of circuits in this thesis: pure analog (RO, TDO, VCO) and AMS circuits (CP PLL).
6.1 Verifying the Inevitability of Phase-Locking in CP PLL
In Chapter 3, we verified the Inevitability of phase locking in CP PLL AMS circuits. We have modelled the CP PLL as a HDS, taking into account both the continuous and discrete behaviours of the circuit. We have proposed two approaches for the verification of the Inevitability property of the CP PLL circuit. These are the mixed deductive-bounded and deductive-only approaches. The Inevitability property has been divided into two sub-properties. One of the properties is verified by the deductive-only approach using Lyapunov stability certificates, and it is how we verify the second property that differentiates the two approaches from each other. The mixed deductive-bounded approach benefits from both deductive and bounded verification approaches, whereas the deductive-only approach uses an Escape certificate to verify the inevitability property. The first property essentially specifies the long term behaviour of the CP PLL HDS to converge to the locking state in a sub-set of the hybrid state space. Verification of this property is equivalent to verifying attractive invariance of a set with respect to the equilibrium locking state. We have shown attractive invariance of a set by constructing multiple Lyapunov certificates and using their maximized level curves. The second
property ensures that eventually all trajectories in the outer space converge to the attractive invariant set. This convergence to the attractive invariant set has been verified following two different approaches, mixed deductive-bounded and deductive-only. In the mixed deductive-bounded approach, convergence to the attractive invariant set has been partly verified by using bounded advection of sets and partly by using an Escape certificate. Only the Escape certificate has been used for showing convergence to the attractive invariant set in the deductive-only approach. We have used semi-algebraic sets defined by polynomial inequalities to represent sets. Furthermore, our Inevitability verification involves FOFs with quantifiers (Universal and Existential). Verification of these formulas belongs to the set of NP-Hard problems, and though there are a few symbolic tools available to eliminate these quantifiers, they work only for low dimension academic problems. We have therefore used the numeric SOS programming technique to solve the problem in realistic computation time. We have verified the Inevitability property of a third and fourth order CP PLL.
Results show valuable insight into the idea of using mixed deductive-bounded and deductive-only approaches to the verification of AMS circuits like the CP PLL. Computation time is comparable to previous reachability based approaches, with the added advantage of being applicable to an infinite horizon. Comparing the deductive-bounded and deductive-only approaches, we have noticed that although the deductive-only approach is simple in the number of SOS programming queries, it is computationally more expensive than the deductive-bounded approach. Since the difference is in how we verify the second property in the set outside the attractive invariance, it clearly indicates that finding a single Escape certificate for a large set is more expensive than having one for a small set. However, due to the iterative nature of the bounded advection of sets using Euler maps for ODEs, large numbers of SOS programming queries have been used in the deductive-bounded approach. We therefore conclude that, where it is possible, deductive-only verification offers more accurate results with less user effort. We have also observed that the higher the order of the CP PLL, the lower the degree of Lyapunov certificate that is needed, as has been demonstrated in the case of the fourth order CP PLL. We therefore conclude that our approach, though it needs some expertise in the formulation of SOS programming, is more accurate and comparable in computation time to previous reachability based approaches. On the modelling side, we have observed that at the system level (CP PLL), it is more tractable to use an abstract model of sub-systems while conserving the significant non-linear behaviour of the real circuit.
6.2 Deductive Inevitability Verification of Ring Oscillators using the SOS-QE Approach
In Chapter 4, we extended the deductive-only verification methodology to the verification of inevitability of oscillations in ROs. To keep the verification task tractable, we modelled the RO at an abstract level, where we have ignored the circuit behaviour at the transistor level. To cater for the effect of the transistor parameters (length, width) on the system, we have introduced parameters such that they reflect these changes. We modelled the RO as a CDS. Recognizing the fact that the inevitability of an RO is a complex property, we divided it into several sub-properties defined in different subsets. We used a certificate based deductive approach for the verification of all these properties. Theoretically, these certificates are similar in nature to the Lyapunov certificate, irrespective of the fact that they have been used for different purposes. Three different certificates have been used in three subsets, showing attractive invariance of a set, Escape of trajectories from a set, and Eventuality of trajectories reaching to within an arbitrarily small distance of the limit cycle. We have verified inevitability of ROs with even and odd topologies. Benefiting from the structural layout of the even stage RO, we have treated its differential and common modes separately. For the common mode operation, we have only used a Lyapunov certificate showing convergence of common mode trajectories to zero.
We have formulated the construction of these certificates as FOFs over polynomial inequalities, equations, and universal/existential quantifiers. Recognizing the fact that QE tools work only for problems of low dimensions, we have used a numeric-symbolic approach for the construction of the different certificates needed to verify the various sub-properties. We have used SOS programming, which uses semi-definite programming at the back end, and soundly constructed the certificates needed for the verification of the different properties. The results of the numerically generated SOS polynomials, being error prone, have been further validated by using a symbolic QE tool. Therefore, we can claim that, as opposed to the results of Chapter 3, the results of Chapter 4 are exact. However, this has been possible at a cost. The polynomial certificates resulting from the SOS programmer have generally been of degree higher than 4, and the resulting FOFs were of a length not possible to be given as an input to the QE tool. Therefore, we have had to use some heuristics to verify these formulas in the symbolic QE tool, mainly by representing them in DNF and verifying each clause separately.
Results of the deductive-only verification methodology for the verification of inevitability in ROs have been very encouraging. In fact they have been better than previous approaches in several aspects. They are less conservative compared to reachability analysis, as we do not need to solve ODEs and over-approximate their solutions. We do not use any partitioning of the state space, and this reduces the computation time. Our results are for an infinite horizon, as opposed to the bounded time nature of the reachability approach. Lastly, computation times are comparable to previous approaches, considering their iterative discretization of the state space and verifying reachability for each location.
6.3 Verifying Frequency Domain Properties of Oscillators using SMODE
In Chapter 5, we have proposed a novel technique of robust frequency domain specification and verification. We modelled oscillators as CDS, considering devices at the transistor level. Recognizing the fact that the limit cycle is an inherent non-linear characteristic, we avoided linearization and Laplace transform techniques. Instead, we specified the non-linear behaviour of oscillators operating in close proximity to the periodic limit cycle. Towards this goal, we used a Fourier series based periodogram specification representing the energy content of each discrete frequency as a sum of squares of the Fourier series coefficients. To show that the oscillator has a particular frequency, and does not have undesired harmonics, we considered harmonic frequencies as well. Furthermore, catering for changes in the frequency response of the oscillator as a result of parameter and process variations, we used robust periodogram specifications.
We verified frequency domain properties using a mixed time and frequency domain approach. This is because verifying a non-linear system in the frequency domain is practically intractable with existing state of the art solvers. Therefore we verified, using the time domain SMODE technique for BMC of hybrid systems, that the distance of the hybrid arcs from the time domain periodic arcs, generated from the frequency domain specifications, is less than a user defined positive number for all time. We have verified frequency domain properties for benchmark TDO and VCO circuits. Results of our analysis are promising and a step in a novel direction of frequency domain property specification and verification. Though computation times are relatively large, these results could only have been provided by state of the art solvers. We believe, as progress is being made in SMT solvers to be able to solve instances with transcendental functions,
in future, our research will make a considerable contribution in the formal verification
of frequency domain properties.
6.4 Conclusion
We have successfully verified the inevitability property for various AMS circuits by proposing a divide and rule strategy, dividing the property into several sub-properties. These properties were verified using deductive-bounded and deductive-only verification methodologies. The deductive technique made use of Lyapunov control theory, and verified different properties via Lyapunov-like certificates. The task of the construction of these certificates was delegated to solving various SOS programs, followed by symbolic analysis. The results are very encouraging and are better than the previous reachability based approaches, in terms of accuracy and scalability.
Similarly, we have come up with a novel technique of expressing the behaviour of analog oscillators when they operate near to their limit cycles. We have proposed a methodology of how to take into account the effects of changing parameters on the oscillator frequency. We have successfully verified frequency domain properties using a mixed time-frequency domain approach, employing the recent SMODE solver. This is a significant and novel step, and as these tools progress, we expect to improve upon these results in future.
6.5 Future Work
Several research directions stem from the work presented in this thesis. In Chapter 3, we presented Lyapunov certificate-based attractive invariance of a set. The size of the set depends on the level surfaces of these certificates. Certificates with different structures can be found to enlarge the area of the attractive invariant set. For example, in [92], the author presented various techniques for enlarging this area using multiple Lyapunov functions. A similar technique can be used in AMS circuit verification of the inevitability property. The techniques we proposed for the inevitability verification of the CP PLL can be extended to digital extensive PLLs. This can be done by difference equation based modelling techniques, for which Lyapunov theory has already been used in [3]. The use of an Escape certificate in verifying the “Escape from a set” property can be improved such that several such certificates are computed for a decomposition of the large set where we verify convergence to the invariance set. The numerically generated
certificates in Chapter 3 can be symbolically validated, similarly to Chapter 4. The only difficulty is the size of the FOF representing the Boolean combination of the conditions of these certificates. To reduce the size of these formulas, and reduce the size of the certificates themselves, lower degree certificates can be used, such as proposed in [92] and [4].
While verifying the inevitability of ROs, we faced the problem of dealing with FOFs of such sizes that it was not possible for the symbolic tool to solve them as a single query. We had to split these FOFs into clauses and verify them individually. We intend to improve these results of the SOS-QE technique in Chapter 4 by using lower degree certificates (piecewise or point wise maximum) as proposed in [92] and [4]. Using certificates (maybe more in number) of lower degrees lends itself to symbolic verification. One interesting direction that we aim to pursue in a future research project is the formalization and automation of our SOS-QE procedure, similar to [47], [6], [11]. We aim to extend our work, specifically for AMS circuit verification, and come up with an automatic decision procedure in a theorem proving engine dealing with non-linear polynomial optimization. As has been described in [4], SOS programming, relying on semi-definite programming, suffers from scalability issues, as the programs are exponential in the dimension n and degree d of the certificate. To overcome this issue, and apply our methodology to higher order PLLs/ROs, an interesting direction is to use a combination of linear programming (LP) and second order cone programming (SOCP), discussed in [4]. This can greatly reduce the degree and overall size of certificates, which are then more amenable to symbolic analysis. Similarly, instead of using a numeric-symbolic approach, a research direction could be to identify feasible certificates with coefficients in the rational number set [75], [59], [58]. This eliminates the need for re-validating the numerically calculated certificates with floating point coefficients.
We suggest several future extensions to our research on the specification and verification
of frequency domain properties. The technique can be extended to verify frequency domain
properties of transients in AMS circuits. Towards this goal, we can use a Fourier transform
to specify the complete behaviour of an AMS circuit in the frequency domain, such that the
circuit will not have frequency content above a specified cut-off. Another extension is to
carry out the complete verification process in the frequency domain. Other circuits such as
PLLs can be verified in the frequency domain to check their frequency variations around a
nominal value under parameter variations. Lastly, we have considered fixed fundamental and
harmonic frequencies; to account for phase noise in our analysis, we can add constraints on
the frequencies. This can be done in the existing methodology, but at the cost of additional
computation time in the SMODE solver.
Appendix A
A.1 Semi-definite Programming
A semi-definite program is an optimization problem of the following form [14]:
$$\begin{aligned}
\text{minimize:} \quad & c^T x \\
\text{subject to} \quad & x_1 F_1 + \dots + x_n F_n + G \preceq 0, \\
& Ax = b,
\end{aligned} \tag{1}$$
where $G, F_i \in \mathbb{R}^{m \times m}$ for $i = 1, \dots, n$, and $A \in \mathbb{R}^{m \times n}$. The inequality in the above optimization program is affine in $x$, and is therefore termed a Linear Matrix Inequality (LMI). An important property of the SDP feasibility problem is its convexity, which allows it to be solved efficiently using numerical methods such as the interior point method.
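The concern raised in the conclusion, that certificates returned by an SDP solver carry floating point coefficients and have to be re-validated, and the LMI feasibility condition stated above, can both be illustrated with a small exact check. The following is an added example, not code from the thesis: it takes the odd-stage RO escape certificate listed in Appendix B.4, reads its printed decimals as exact rationals, builds the Gram matrix $Q$ with $p(x) = z(x)^T Q z(x)$, and decides $Q \succeq 0$ by symmetric Gaussian elimination in exact arithmetic, so no tolerance is involved. The monomial indexing `(i, j)`, the counter-example polynomial and all function names are the example's own assumptions.

```python
"""Exact re-validation of a numerically computed SOS certificate (added example).

An SDP/SOS solver returns a floating point Gram matrix Q with
p(x) = z(x)^T Q z(x); feasibility of the LMI means Q is positive
semidefinite.  Here the candidate is re-checked in exact rational
arithmetic, which is the re-validation step the thesis refers to.
"""
from fractions import Fraction
from typing import Dict, List, Tuple

Monomial = Tuple[int, int]            # (i, j) with i <= j stands for x_i * x_j (assumed encoding)
QuadraticForm = Dict[Monomial, Fraction]


def gram_matrix(coeffs: QuadraticForm, n: int) -> List[List[Fraction]]:
    """Symmetric Gram matrix of a quadratic form in x_0 .. x_{n-1}.

    For a quadratic form the Gram matrix is unique: the coefficient of a
    cross term x_i x_j is split evenly between Q[i][j] and Q[j][i].
    """
    Q = [[Fraction(0)] * n for _ in range(n)]
    for (i, j), c in coeffs.items():
        c = Fraction(c)
        if i == j:
            Q[i][i] += c
        else:
            Q[i][j] += c / 2
            Q[j][i] += c / 2
    return Q


def is_psd_exact(M: List[List[Fraction]]) -> bool:
    """Exact PSD test by symmetric Gaussian elimination (LDL^T without pivoting).

    A symmetric matrix is PSD iff every pivot is >= 0 and every zero pivot
    comes with an all-zero remaining row; singular PSD matrices (a zero
    pivot) are handled, which a floating point eigenvalue test would not
    settle cleanly.
    """
    n = len(M)
    A = [[Fraction(v) for v in row] for row in M]
    for k in range(n):
        pivot = A[k][k]
        if pivot < 0:
            return False
        if pivot == 0:
            # zero diagonal entry with a non-zero off-diagonal entry => indefinite
            if any(A[k][j] != 0 for j in range(k + 1, n)):
                return False
            continue
        for i in range(k + 1, n):
            f = A[i][k] / pivot
            for j in range(k + 1, n):
                A[i][j] -= f * A[k][j]      # Schur complement update
    return True


def is_sos_quadratic(coeffs: QuadraticForm, n: int) -> bool:
    """A quadratic form is a sum of squares exactly when its Gram matrix is PSD."""
    return is_psd_exact(gram_matrix(coeffs, n))


# Escape certificate of the odd-stage ring oscillator (Appendix B.4), with the
# printed decimal 13.4165 taken as an exact rational number.
C = Fraction("13.4165")
RO_ESCAPE: QuadraticForm = {
    (0, 0): C, (1, 1): C, (2, 2): C,        # x1^2, x2^2, x3^2
    (0, 1): -C, (0, 2): -C, (1, 2): -C,     # -x1x2, -x1x3, -x2x3
}

# Constructed counter-example (not from the thesis): x1^2 - 3 x1 x2 + x2^2 is indefinite.
NOT_SOS: QuadraticForm = {(0, 0): Fraction(1), (1, 1): Fraction(1), (0, 1): Fraction(-3)}

if __name__ == "__main__":
    print("RO escape certificate is SOS:", is_sos_quadratic(RO_ESCAPE, 3))
    print("x1^2 - 3x1x2 + x2^2 is SOS:", is_sos_quadratic(NOT_SOS, 2))
```

The Gram matrix of the escape certificate is singular (it equals $\tfrac{13.4165}{2}\,[(x_1-x_2)^2+(x_1-x_3)^2+(x_2-x_3)^2]$), so the last pivot is exactly zero; the exact elimination accepts it, whereas a floating point test would have to argue about a tiny negative eigenvalue. For certificates of degree above two the Gram matrix is no longer unique and is parameterised by the affine family $x_1F_1 + \dots + x_nF_n + G$ of the SDP; the same exact test then applies to whichever $Q$ from that family the solver returned, after its entries have been rounded to rationals.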
Appendix B
B.2 Lyapunov Certificates
B.2.1 Third Order CP PLL
$$\begin{aligned}
& 0.0045x_1^6 - 0.0287x_1^5x_2 + 0.0856x_1^4x_2^2 - 0.1482x_1^3x_2^3 + 0.1585x_1^2x_2^4 - 0.0986x_1x_2^5 + 0.0274x_2^6 \\
& - 0.0094x_1^5x_3 + 0.0441x_1^4x_2x_3 - 0.0949x_1^3x_2^2x_3 + 0.1147x_1^2x_2^3x_3 - 0.0761x_1x_2^4x_3 + 0.0209x_2^5x_3 \\
& + 0.0290x_1^4x_3^2 - 0.0933x_1^3x_2x_3^2 + 0.1480x_1^2x_2^2x_3^2 - 0.1188x_1x_2^3x_3^2 + 0.0419x_2^4x_3^2 \\
& - 0.0306x_1^3x_3^3 + 0.0538x_1^2x_2x_3^3 - 0.0344x_1x_2^2x_3^3 + 1.8004\times10^{-4}x_2^3x_3^3 \\
& + 0.0492x_1^2x_3^4 - 0.0771x_1x_2x_3^4 + 0.0442x_2^2x_3^4 - 0.0561x_1x_3^5 - 0.0204x_2x_3^5 + 0.9642x_3^6.
\end{aligned}$$
0.001341331582−9.1670e−04x1−0.0099x3+1.8925e−04x12+0.0016x22+0.0589x32+
9.1968e−05x1x2+0.0048x1x3−8.2196e−04x2x3−7.1721e−04x13−8.3907e−04x12x2+
8.6911e−04x1x22+1.1350e−04x23−0.0019x12x3+9.7889e−05x1x2x3−0.0090x22x3−
0.0294x1x32 − 0.0011x2x32 − 0.1495x33 + 4.9324e − 04x14 − 4.9549e − 04x13x2 +
8.4285e− 04x12x22+0.0011x1x23+6.1185e− 04x24+0.0037x13x3+0.0052x12x2x3−
0.0019x1x22x3−7.0112e−04x23x3+0.0015x12x32−9.1061e−04x1x2x32+0.0209x22x32+
0.0713x1x33 + 0.0141x2x33 + 0.1583x34 − 1.7346e − 04x15 − 5.3615e − 04x14x2 −
5.8522e−04x13x22−1.3701e−04x12x23−5.3559e−05x1x24−0.0014x14x3+6.8525e−
04x13x2x3 + 0.0011x12x22x3− 0.0012x1x23x3− 7.1250e− 04x24x3− 0.0074x13x32 −
0.0126x12x2x32 + 0.0011x1x22x32 + 0.0012x23x32 + 0.0075x12x33 + 0.0046x1x2x33 −
0.0152x22x33 − 0.0665x1x34 − 0.0213x2x34 − 0.0580x35 + 0.0045x16 − 0.0287x15x2 +
0.0856x14x22−0.1482x13x23+0.1586x12x24−0.0986x1x25+0.0274x26−0.0094x15x3+
0.0442x14x2x3− 0.0947x13x22x3 + 0.1147x12x23x3− 0.0761x1x24x3 + 0.0209x25x3 +
0.0290x14x32−0.0947x13x2x32+0.1448x12x22x32−0.1185x1x23x32+0.0415x24x32−
0.0264x13x33+0.0622x12x2x33−0.0342x1x22x33−3.2896e−04x23x33+0.0411x12x34−
0.0813x1x2x34 + 0.0450x22x34 − 0.0357x1x35 − 0.0116x2x35 + 0.9629x36.
0.00134023928+9.1689e−04x1+0.0097x3+1.8505e−04x12+0.0016x22+0.0576x32+
8.7490e−05x1x2+0.0047x1x3−9.3516e−04x2x3+7.1432e−04x13+8.3253e−04x12x2−
8.8106e−04x1x22−1.1727e−04x23+0.0019x12x3−1.3486e−04x1x2x3+0.0090x22x3+
0.0290x1x32+7.1032e− 04x2x32+0.1470x33+4.9454e− 04x14− 5.0103e− 04x13x2+
8.5568e− 04x12x22+0.0011x1x23+6.1944e− 04x24+0.0037x13x3+0.0052x12x2x3−
0.0020x1x22x3−7.0485e−04x23x3+0.0015x12x32−9.9430e−04x1x2x32+0.0208x22x32+
0.0709x1x33 + 0.0137x2x33 + 0.1574x34 + 1.7553e − 04x15 + 5.4016e − 04x14x2 +
5.9084e−04x13x22+1.4129e−04x12x23+5.4219e−05x1x24+0.0014x14x3−7.1054e−
04x13x2x3− 0.0011x12x22x3 + 0.0012x1x23x3 + 7.4397e− 04x24x3 + 0.0075x13x32 +
0.0127x12x2x32 − 0.0012x1x22x32 − 0.0012x23x32 − 0.0075x12x33 − 0.0046x1x2x33 +
0.0150x22x33 + 0.0668x1x34 + 0.0213x2x34 + 0.0594x35 + 0.0045x16 − 0.0287x15x2 +
0.0856x14x22−0.1482x13x23+0.1586x12x24−0.0986x1x25+0.0274x26−0.0094x15x3+
0.0442x14x2x3− 0.0947x13x22x3 + 0.1147x12x23x3− 0.0761x1x24x3 + 0.0209x25x3 +
0.0290x14x32−0.0948x13x2x32+0.1448x12x22x32−0.1185x1x23x32+0.0415x24x32−
0.0264x13x33+0.0623x12x2x33−0.0343x1x22x33−3.5304e−04x23x33+0.0412x12x34−
0.0813x1x2x34 + 0.0449x22x34 − 0.0354x1x35 − 0.0114x2x35 + 0.9638x36.
B.2.2 Fourth Order CP PLL
$$\begin{aligned}
& 0.0032x_1^4 + 2.7182\times10^{-5}x_1^3x_2 + 5.8767\times10^{-5}x_1^2x_2^2 + 4.1039\times10^{-5}x_2^4 - 2.1590\times10^{-4}x_1^3x_3 \\
& - 1.7776\times10^{-4}x_1^2x_2x_3 - 2.0303\times10^{-5}x_1x_2^2x_3 - 1.7521\times10^{-4}x_2^3x_3 + 1.3634\times10^{-4}x_1^2x_3^2 \\
& + 8.1972\times10^{-5}x_1x_2x_3^2 + 4.5238\times10^{-4}x_2^2x_3^2 - 8.3780\times10^{-5}x_1x_3^3 - 5.1037\times10^{-4}x_2x_3^3 \\
& + 2.3540\times10^{-4}x_3^4 + 5.1681\times10^{-4}x_1^3x_4 - 1.4012\times10^{-4}x_1^2x_2x_4 + 1.2315\times10^{-5}x_1x_2^2x_4 \\
& - 1.1398\times10^{-4}x_2^3x_4 - 1.4829\times10^{-4}x_1^2x_3x_4 + 1.0921\times10^{-5}x_1x_2x_3x_4 + 2.6429\times10^{-4}x_2^2x_3x_4 \\
& + 5.4511\times10^{-5}x_1x_3^2x_4 - 3.2835\times10^{-4}x_2x_3^2x_4 + 7.7165\times10^{-5}x_3^3x_4 + 0.0039x_1^2x_4^2 \\
& + 3.7459\times10^{-5}x_1x_2x_4^2 + 4.0877\times10^{-4}x_2^2x_4^2 - 2.4536\times10^{-4}x_1x_3x_4^2 - 3.4247\times10^{-4}x_2x_3x_4^2 \\
& + 4.2323\times10^{-4}x_3^2x_4^2 + 2.4831\times10^{-4}x_1x_4^3 - 2.4512\times10^{-4}x_2x_4^3 - 1.9282\times10^{-4}x_3x_4^3 + 0.0016x_4^4.
\end{aligned}$$
6.679107934e−05−5.7263e−05x2+1.1257e−05x3−3.8488e−04x4+5.5263e−05x12+
1.2369e−05x22+9.2214e−05x32+0.0011x42+1.2009e−05x1x3+3.5790e−05x2x3−
1.6631e−05x1x4+2.5997e−04x2x4+4.1801e−05x3x4−5.7937e−05x12x2−3.0019e−
05x23−2.4677e−05x12x3−2.5902e−05x22x3−2.5371e−05x2x32−1.7793e−05x33−
1.1448e− 04x12x4 + 1.5853e− 05x1x2x4− 1.3636e− 05x22x4− 5.7279e− 05x1x3x4 +
8.2492e − 05x2x3x4 − 1.2598e − 04x32x4 + 3.0465e − 05x1x42 − 6.0710e − 04x2x42 −
2.0224e−04x3x42−0.0011x43+0.0032x14+2.7346e−05x13x2+6.3534e−05x12x22+
4.1430e− 05x24 − 2.1497e− 04x13x3− 1.7448e− 04x12x2x3− 2.3497e− 05x1x22x3−
1.8607e−04x23x3+1.3684e−04x12x32+8.2992e−05x1x2x32+4.4749e−04x22x32−
8.1842e−05x1x33−5.0485e−04x2x33+2.3848e−04x34+5.1769e−04x13x4−5.3379e−
05x12x2x4−8.9272e−05x23x4−1.1457e−04x12x3x4+2.7328e−04x22x3x4+5.0106e−
05x1x32x4 − 2.8968e − 04x2x32x4 + 9.8729e − 05x33x4 + 0.0039x12x42 + 1.9440e −
05x1x2x42+2.4539e−04x22x42−1.8283e−04x1x3x42−5.4663e−04x2x3x42+4.2292e−
04x32x42 + 2.3680e− 04x1x43 + 1.1141e− 04x2x43 − 3.7303e− 05x3x43 + 0.0019x44.
6.646611473e−05+5.7376e−05x2−1.1035e−05x3+3.8929e−04x4+5.6130e−05x12+
1.2645e−05x22+9.2813e−05x32+0.0012x42+1.2057e−05x1x3+3.5138e−05x2x3+
2.6132e−04x2x4+4.6449e−05x3x4+5.7592e−05x12x2+2.9821e−05x23+2.4456e−
05x12x3+2.5912e−05x22x3+2.5411e−05x2x32+1.7738e−05x33+1.1901e−04x12x4−
1.5425e− 05x1x2x4+1.5139e− 05x22x4+5.8450e− 05x1x3x4− 8.4558e− 05x2x3x4+
1.2776e− 04x32x4+6.0917e− 04x2x42+2.1249e− 04x3x42+0.0011x43+0.0032x14+
2.7378e−05x13x2+6.3099e−05x12x22+4.1232e−05x24−2.1497e−04x13x3−1.7435e−
04x12x2x3−2.3380e−05x1x22x3−1.8564e−04x23x3+1.3627e−04x12x32+8.2980e−
05x1x2x32+4.4725e− 04x22x32− 8.1890e− 05x1x33− 5.0490e− 04x2x33+2.3820e−
04x34 + 5.1698e − 04x13x4 − 5.3947e − 05x12x2x4 − 8.9342e − 05x23x4 − 1.1532e −
04x12x3x4 + 2.7342e − 04x22x3x4 + 4.9577e − 05x1x32x4 − 2.8976e − 04x2x32x4 +
9.8389e−05x33x4+0.0039x12x42+1.9872e−05x1x2x42+2.4707e−04x22x42−1.8213e−
04x1x3x42−5.4883e−04x2x3x42+4.2503e−04x32x42+2.6135e−04x1x43+1.1198e−
04x2x43 − 3.1518e− 05x3x43 + 0.0019x44.
B.3 Escape Certificates
B.3.1 Third Order CP PLL
1.69e+03x12+971.57x1x2+289.91x22−0.30x1x3−0.10x2x3−0.25x32+692.37x14+
693.57x13x2 + 410.51x12x22 + 115.45x1x23 + 88.27x24 − 2.13x13x3 − 2.41x12x2x3 −
0.841x1x22x3−0.10x23x3+803.18x12x32+362.79x1x2x32+170.45x22x32−0.33x1x33−
0.09x2x33 − 0.67x34 + 394.27x16 + 508.80x15x2 + 439.31x14x22 + 190.89x13x23 +
129.13x12x24 + 50.41x1x25 + 59.55x26 − 1.07x15x3 − 1.86x14x2x3 − 1.30x13x22x3 −
0.5087x12x23x3 − 0.1413x1x24x3 − 0.0351x25x3 + 383.52x14x32 + 277.21x13x2x32 +
177.07x12x22x32 + 50.12x1x23x32 + 74.59x24x32 − 2.74x13x33 − 3.01x12x2x33 −
0.98x1x22x33−0.11x23x33+664.43x12x34+267.71x1x2x34+152.25x22x34+2.16x1x35+
0.71x2x35 − 1.18x36 + 263.73x18 + 385.50x17x2 + 426.48x16x22 + 254.81x15x23 +
173.64x14x24 + 78.86x13x25 + 83.07x12x26 + 37.48x1x27 + 44.65x28 − 0.69x17x3 −
1.24x16x2x3− 1.55x15x22x3− 0.61x14x23x3− 0.69x13x24x3 + 0.002x12x25x3−
0.22x1x26x3 + 0.01x27x3 + 261.19x16x32 + 245.66x15x2x32 + 205.46x14x22x32 +
70.71x13x23x32 + 84.25x12x24x32 + 35.97x1x25x32 + 54.66x26x32 − 1.92x15x33 −
2.64x14x2x33 − 1.93x13x22x33 − 0.60x12x23x33 − 0.22x1x24x33 − 0.0260x25x33 +
351.07x14x34 + 232.19x13x2x34 + 153.67x12x22x34 + 43.55x1x23x34 + 73.39x24x34 −
4.11x13x35 − 4.10x12x2x35 − 1.28x1x22x35 − 0.09x23x35 + 698.87x12x36 +
281.88x1x2x36 + 160.40x22x36 + 1.13x1x37 + 0.37x2x37 − 2.51x38 + 199.36x110 +
332.14x19x2 + 448.63x18x22 + 342.81x17x23 + 254.37x16x24 + 135.76x15x25 +
111.64x14x26 +63.52x13x27 +69.80x12x28 +30.84x1x29 +35.4981x210 − 0.41x19x3−
0.9725x18x2x3− 1.43x17x22x3− 0.9982x16x23x3− 0.90x15x24x3− 0.39x14x25x3−
0.41x13x26x3− 0.09x12x27x3− 0.16x1x28x3− 0.03x29x3 + 210.97x18x32 +
248.60x17x2x32 + 256.68x16x22x32 + 125.32x15x23x32 + 106.05x14x24x32 +
52.71x13x25x32 + 75.47x12x26x32 + 35.03x1x27x32 + 44.25x28x32 − 1.35x17x33 −
2.38x16x2x33 − 2.53x15x22x33 − 1.22x14x23x33 − 0.84x13x24x33 − 0.10x12x25x33 −
0.23x1x26x33 − 0.03x27x33 + 270.01x16x34 + 254.29x15x2x34 + 211.24x14x22x34 +
72.89x13x23x34 + 87.55x12x24x34 + 37.54x1x25x34 + 55.90x26x34 − 3.02x15x35 −
4.44x14x2x35 − 3.08x13x22x35 − 0.89x12x23x35 − 0.37x1x24x35 − 0.02x25x35 +
411.29x14x36 + 297.49x13x2x36 + 190.23x12x22x36 + 53.71x1x23x36 + 79.27x24x36 −
5.52x13x37 − 5.89x12x2x37 − 1.86x1x22x37 − 0.07x23x37 + 881.67x12x38 +
415.43x1x2x38 + 180.79x22x38 − 4.81x1x39 − 1.57x2x39 − 6.02x310 + 480.72x112 +
735.96x111x2 + 1.1e+ 03x110x22 + 989.85x19x23 + 841.38x18x24 + 467.31x17x25 +
398.69x16x26 + 243.35x15x27 + 291.64x14x28 + 175.85x13x29 + 205.99x12x210 +
96.90x1x211 + 118.56x212 − 1.88x111x3− 0.59x110x2x3− 1.96x19x22x3−
0.13x18x23x3− 1.27x17x24x3 + 0.38x16x25x3− 0.93x15x26x3 + 0.60x14x27x3−
0.30x13x28x3 + 0.76x12x29x3− 0.0370x1x210x3 + 0.68x211x3 + 224.54x110x32 +
323.88x19x2x32 + 429.14x18x22x32 + 296.36x17x23x32 + 235.93x16x24x32 +
117.22x15x25x32 + 120.10x14x26x32 + 63.64x13x27x32 + 84.67x12x28x32 +
35.93x1x29x32 + 47.27x210x32 − 1.35x19x33 − 2.13x18x2x33 − 3.60x17x22x33 −
2.23x16x23x33 − 2.15x15x24x33 − 0.66x14x25x33 − 0.87x13x26x33 +
0.05x12x27x33 − 0.32x1x28x33 + 0.13x29x33 + 275.49x18x34 + 353.87x17x2x34 +
384.16x16x22x34 + 203.99x15x23x34 + 157.70x14x24x34 + 73.31x13x25x34 +
95.54x12x26x34 + 40.79x1x27x34 + 54.29x28x34 − 3.11x17x35 − 4.97x16x2x35 −
5.46x15x22x35 − 2.44x14x23x35 − 1.67x13x24x35 − 0.22x12x25x35 −
0.61x1x26x35 + 0.11x27x35 + 396.45x16x36 + 455.06x15x2x36 + 370.07x14x22x36 +
146.94x13x23x36 + 129.66x12x24x36 + 60.56x1x25x36 + 70.00x26x36 − 5.22x15x37 −
8.18x14x2x37−5.35x13x22x37−1.54x12x23x37−0.53x1x24x37−0.11x25x37+658.88x14x38+
586.84x13x2x38 +339.031x12x22x38 +107.50x1x23x38 +101.76x24x38 − 6.97x13x39 −
8.56x12x2x39 − 2.30x1x22x39 − 0.01x23x39 + 1.53e + 03x12x310 + 822.51x1x2x310 +
283.09x22x310 + 4.73x1x311 + 1.63x2x311 − 13.84x312.
$$-1.1170x_1 - 0.6735x_2 + 0.0102x_3 + 0.1212x_1^2 - 0.2695x_1x_2 + 0.1365x_2^2 + 0.0161x_1x_3 + 0.0145x_2x_3 - 1.3295\times10^{-4}x_3^2.$$
$$1.1346x_1 + 0.6416x_2 - 0.0105x_3 + 0.1035x_1^2 - 0.2350x_1x_2 + 0.1183x_2^2 + 0.0165x_1x_3 + 0.0136x_2x_3 - 1.3840\times10^{-4}x_3^2.$$
B.3.2 Fourth Order CP PLL
Deductive-Bounded Verification:
$$\begin{aligned}
& 0.5716x_1^2 - 1.8978x_1x_2 + 0.5970x_2^2 - 1.2771x_1x_3 + 0.5142x_2x_3 + 0.3226x_3^2 + 6.0960x_1x_4 \\
& + 0.6704x_2x_4 + 0.4063x_3x_4 + 1.2297\times10^{-4}x_4^2 + 1.2343x_1^4 - 1.8361x_1^3x_2 - 0.4136x_1^2x_2^2 \\
& - 0.2727x_1x_2^3 + 0.3537x_2^4 - 1.2257x_1^3x_3 - 0.6465x_1^2x_2x_3 - 0.5960x_1x_2^2x_3 + 0.6499x_2^3x_3 \\
& - 0.1219x_1^2x_3^2 - 0.4352x_1x_2x_3^2 + 0.6644x_2^2x_3^2 - 0.1134x_1x_3^3 + 0.3196x_2x_3^3 + 0.1341x_3^4 \\
& + 4.9357x_1^3x_4 + 2.6858x_1^2x_2x_4 + 0.5378x_1x_2^2x_4 - 0.1053x_2^3x_4 + 1.6851x_1^2x_3x_4 \\
& + 0.6833x_1x_2x_3x_4 - 0.2173x_2^2x_3x_4 + 0.2305x_1x_3^2x_4 - 0.1527x_2x_3^2x_4 - 0.0390x_3^3x_4 \\
& + 0.7354x_1^2x_4^2 - 1.5554x_1x_2x_4^2 + 0.5123x_2^2x_4^2 - 1.0560x_1x_3x_4^2 + 0.4251x_2x_3x_4^2 \\
& + 0.2784x_3^2x_4^2 + 5.0210x_1x_4^3 + 0.5525x_2x_4^3 + 0.3349x_3x_4^3.
\end{aligned}$$
$$-0.1048x_1 - 0.6358x_2 - 0.6033x_3 + 0.0074x_4 + 1.9974x_1^2 + 0.0032x_1x_2 + 0.0223x_2^2 - 0.0253x_1x_3 - 0.0511x_2x_3 + 0.0238x_3^2 + 0.1682x_1x_4 + 0.0081x_2x_4 + 0.0116x_3x_4 - 3.7127\times10^{-4}x_4^2.$$
0.0061x1 + 0.1893x2 + 1.4139x3 + 0.0011x4 + 0.0061x12 + 0.0052x1x2 + 0.1709x22 +
0.0103x1x3− 0.3438x2x3+0.6271x32− 7.9986e− 04x3x4+0.0857x13+0.2965x12x2+
0.0392x1x22+0.0719x23+0.6592x12x3+0.0623x1x2x3+0.4477x22x3−0.0015x1x32+
0.0441x2x32 − 0.0743x33 − 4.0447e− 04x12x4− 1.2140e− 04x22x4− 0.0017x1x3x4 +
3.0000e−04x2x3x4−0.0011x32x4+0.0062x1x42+0.2591x2x42+0.8073x3x42+0.0016x43+
3.1308x14 − 0.0022x13x2 + 0.0684x12x22 + 0.0048x1x23 + 0.0393x24 − 0.0853x13x3 −
0.1137x12x2x3−0.0064x1x22x3−0.0724x23x3+0.0557x12x32+0.0051x1x2x32−0.0122x22x32+
0.0097x1x33+0.0373x2x33+0.0873x34+0.0194x13x4+4.6850e−04x12x2x4+1.4614e−
04x23x4+9.0770e−04x12x3x4+8.3574e−04x1x2x3x4+4.6533e−04x2x32x4+1.6312e−
04x33x4 + 0.1540x12x42 − 2.9423e − 04x1x2x42 + 0.1027x22x42 − 0.0207x1x3x42 −
0.1627x2x3x42 + 0.2086x32x42 − 6.7642e− 04x1x43 + 8.9842e− 04x3x43.
Deductive-Only Verification:
218.2054x12−724.2974x1x2+225.8941x22−487.4403x1x3+194.7218x2x3+122.1302x32+
2.3142e+ 03x1x4 + 254.5501x2x4 + 154.2719x3x4 + 0.3149x42 + 274.8406x14 −
408.1116x13x2 − 62.9006x12x22 − 130.2242x1x23 + 130.3355x24 − 271.3946x13x3 −
158.3718x12x2x3− 275.7396x1x22x3 + 201.3793x23x3 + 0.4527x12x32 −
197.3733x1x2x32 + 209.9656x22x32 − 50.8696x1x33 + 98.6859x2x33 + 55.4381x34 +
810.3546x13x4 + 461.0312x12x2x4 + 112.8572x1x22x4− 27.7462x23x4 +
292.5319x12x3x4 + 143.5278x1x2x3x4− 56.4005x22x3x4 + 49.9083x1x32x4−
40.1189x2x32x4− 10.7445x33x4 + 175.5234x12x42 − 349.4142x1x2x42 +
135.6410x22x42 − 237.1636x1x3x42 + 79.5019x2x3x42 + 78.5147x32x42 +
1.3522e+ 03x1x43 + 148.7329x2x43 + 90.1417x3x43 − 0.5151x44 + 331.5602x16 −
289.7337x15x2− 44.5056x14x22 − 148.9686x13x23 + 24.8828x12x24 − 22.3955x1x25 +
76.3346x26−198.9197x15x3−131.0286x14x2x3−289.4706x13x22x3−61.2132x12x23x3−
84.7176x1x24x3 + 138.0442x25x3 + 10.5631x14x32 − 193.7018x13x2x32 −
46.9663x12x22x32 − 128.6070x1x23x32 + 208.3036x24x32 − 48.0819x13x33 −
21.9327x12x2x33 − 104.2390x1x22x33 + 162.2451x23x33 + 31.5554x12x34 −
45.6940x1x2x34 + 117.1682x22x34 − 10.6668x1x35 + 48.1018x2x35 + 34.6423x36 +
575.4837x15x4 + 404.1483x14x2x4 + 189.7930x13x22x4 + 65.0483x12x23x4−
0.4517x1x24x4− 13.4718x25x4 + 252.2362x14x3x4 + 233.8666x13x2x3x4 +
118.1129x12x22x3x4− 1.8981x1x23x3x4− 41.6152x24x3x4 + 80.5990x13x32x4 +
80.3749x12x2x32x4− 1.1124x1x22x32x4− 56.0022x23x32x4 + 21.0157x12x33x4 +
0.9352x1x2x33x4−40.5361x22x33x4+0.4200x1x34x4−16.6576x2x34x4−3.7262x35x4+
199.6751x14x42 − 178.3625x13x2x42 − 13.7995x12x22x42 − 76.7466x1x23x42 +
88.6200x24x42 − 120.1260x13x3x42 − 96.4895x12x2x3x42 − 161.2453x1x22x3x42 +
99.2932x23x3x42 + 13.8720x12x32x42 − 114.2433x1x2x32x42 + 104.5764x22x32x42 −
29.2313x1x33x42 + 49.0719x2x33x42 + 43.5367x34x42 + 549.3334x13x43 +
298.8656x12x2x43 + 69.3973x1x22x43 − 20.5004x23x43 + 189.9144x12x3x43 +
87.5125x1x2x3x43 − 40.7043x22x3x43 + 31.1981x1x32x43 − 28.7995x2x32x43 −
7.9001x33x43 + 169.3557x12x44 − 299.3768x1x2x44 + 112.5971x22x44 −
204.0243x1x3x44 + 49.6121x2x3x44 + 67.5033x32x44 + 1.0978e+ 03x1x45 +
120.8098x2x45 + 73.2190x3x45 + 0.3335x46 + 476.3272x18 − 260.7127x17x2−
42.6157x16x22 − 161.3527x15x23 − 3.5140x14x24 − 51.2348x13x25 +
38.4569x12x26 − 1.7833x1x27 + 51.7535x28 − 190.2391x17x3− 127.5069x16x2x3−
317.0168x15x22x3− 124.1348x14x23x3− 167.6342x13x24x3 + 3.5474x12x25x3−
18.5926x1x26x3 + 96.6752x27x3 + 14.0310x16x32 − 209.2511x15x2x32 −
101.9569x14x22x32 − 222.1974x13x23x32 − 8.9005x12x24x32 − 47.5353x1x25x32 +
183.5610x26x32 − 49.3684x15x33 − 43.8805x14x2x33 − 157.9611x13x22x33 −
33.5924x12x23x33 − 72.9076x1x24x33 + 198.0452x25x33 + 27.3078x14x34 −
61.4988x13x2x34 + 7.9665x12x22x34 − 68.5388x1x23x34 + 182.6346x24x34 −
11.9509x13x35 + 11.8897x12x2x35 − 42.8518x1x22x35 + 112.3370x23x35 +
27.7625x12x36 − 17.9673x1x2x36 + 77.0185x22x36 − 4.7233x1x37 + 32.8676x2x37 +
26.2538x38 + 618.2642x17x4 + 490.0785x16x2x4 + 253.1415x15x22x4 +
112.6347x14x23x4 + 33.2777x13x24x4− 4.3474x12x25x4− 18.9821x1x26x4−
14.2245x27x4 + 300.2779x16x3x4 + 310.5358x15x2x3x4 + 202.5881x14x22x3x4 +
77.0198x13x23x3x4− 12.9004x12x24x3x4− 65.3111x1x25x3x4− 56.0309x26x3x4 +
102.3173x15x32x4+135.5875x14x2x32x4+76.9260x13x22x32x4−13.5137x12x23x32x4−
100.4228x1x24x32x4− 105.4344x25x32x4 + 35.1780x14x33x4 + 41.2020x13x2x33x4−
3.6048x12x22x33x4− 86.4994x1x23x33x4− 119.0832x24x33x4 + 10.3238x13x34x4 +
2.3025x12x2x34x4− 44.5137x1x22x34x4− 87.7610x23x34x4 + 1.1315x12x35x4−
14.0371x1x2x35x4− 44.1023x22x35x4− 2.6123x1x36x4− 15.5330x2x36x4−
3.5153x37x4 + 262.3711x16x42 − 126.4232x15x2x42 + 4.7792x14x22x42 −
89.9603x13x23x42 + 23.4212x12x24x42 − 21.1358x1x25x42 + 61.1843x26x42 −
89.5554x15x3x42−74.3173x14x2x3x42−170.4745x13x22x3x42−55.4967x12x23x3x42−
72.3507x1x24x3x42 + 85.5217x25x3x42 + 24.3410x14x32x42 − 114.8027x13x2x32x42 −
42.1625x12x22x32x42−101.0906x1x23x32x42+120.8688x24x32x42−30.9054x13x33x42−
23.2906x12x2x33x42− 79.1370x1x22x33x42+82.6234x23x33x42+28.3436x12x34x42−
34.7211x1x2x34x42 + 72.6219x22x34x42 − 8.2703x1x35x42 + 33.2024x2x35x42 +
31.0307x36x42 + 474.7801x15x43 + 326.5877x14x2x43 + 152.3460x13x22x43 +
54.6197x12x23x43 + 2.9068x1x24x43 − 8.6576x25x43 + 204.3578x14x3x43 +
186.8368x13x2x3x43 + 96.6558x12x22x3x43 + 6.4647x1x23x3x43 − 26.2066x24x3x43 +
65.3455x13x32x43 + 65.8111x12x2x32x43 + 6.5228x1x22x32x43 − 35.0387x23x32x43 +
17.5726x12x33x43 + 4.1005x1x2x33x43 − 25.4951x22x33x43 + 0.8266x1x34x43 −
10.7606x2x34x43−2.5383x35x43+214.0616x14x44−168.8956x13x2x44−12.8639x12x22x44−
82.9423x1x23x44 + 82.1409x24x44 − 114.3588x13x3x44 − 95.7791x12x2x3x44 −
168.6399x1x22x3x44 + 82.5304x23x3x44 + 14.3646x12x32x44 − 118.8212x1x2x32x44 +
87.8279x22x32x44−31.5465x1x33x44+40.4057x2x33x44+41.5105x34x44+509.9118x13x45+
277.3872x12x2x45 + 74.0394x1x22x45 − 6.1597x23x45 + 174.9528x12x3x45 +
93.8800x1x2x3x45−13.2903x22x3x45+32.4891x1x32x45−9.8985x2x32x45−3.0093x33x45+
200.6662x12x46−353.5433x1x2x46+126.4191x22x46−241.5683x1x3x46+65.1974x2x3x46+
74.1257x32x46 + 1.0773e + 03x1x47 + 118.4684x2x47 + 71.7986x3x47 − 0.0548x48 +
1.0471e+03x110−294.8721x19x2−131.8876x18x22−284.2325x17x23−53.9646x16x24−
95.5097x15x25 + 15.0800x14x26 − 20.2359x13x27 + 41.8349x12x28 + 6.1929x1x29 +
44.0009x210−246.1546x19x3−239.9259x18x2x3−557.5429x17x22x3−257.7532x16x23x3−
313.0259x15x24x3− 80.5002x14x25x3− 94.6854x13x26x3 + 51.2696x12x27x3 +
20.4916x1x28x3+83.5515x29x3−11.6017x18x32−363.2798x17x2x32−221.5096x16x22x32−
411.5605x15x23x32 − 140.2560x14x24x32 − 188.6823x13x25x32 + 80.4621x12x26x32 +
41.2416x1x27x32+183.8698x28x32−82.3559x17x33−83.9296x16x2x33−279.9516x15x22x33−
139.6142x14x23x33 − 223.4046x13x24x33 + 56.4809x12x25x33 + 42.3207x1x26x33 +
256.0967x27x33 + 26.2092x16x34 − 100.2571x15x2x34 − 40.6189x14x22x34 −
169.8808x13x23x34 + 49.6966x12x24x34 + 16.4174x1x25x34 + 297.9395x26x34 −
17.3955x15x35+1.6346x14x2x35−87.5979x13x22x35+25.7888x12x23x35−15.0604x1x24x35+
245.0054x25x35+26.5451x14x36−30.9394x13x2x36+35.9868x12x22x36−26.9544x1x23x36+
181.8587x24x36−7.0820x13x37+19.9245x12x2x37−21.5624x1x22x37+102.9701x23x37+
23.6190x12x38 − 10.6197x1x2x38 + 68.7360x22x38 − 3.1702x1x39 + 31.2975x2x39 +
24.3983x310 + 1.3118e+ 03x19x4 + 1.2451e+ 03x18x2x4 + 749.3986x17x22x4 +
416.1998x16x23x4 + 209.3495x15x24x4 + 94.4972x14x25x4 + 29.5292x13x26x4−
0.8553x12x27x4−11.1397x1x28x4−7.0368x29x4+753.2963x18x3x4+915.4588x17x2x3x4+
759.6865x16x22x3x4+501.3879x15x23x3x4+273.9288x14x24x3x4+101.7762x13x25x3x4−
3.4506x12x26x3x4− 50.1737x1x27x3x4− 34.3754x28x3x4 + 285.6347x17x32x4 +
484.0426x16x2x32x4+476.9220x15x22x32x4+341.1515x14x23x32x4+155.4489x13x24x32x4−
5.6380x12x25x32x4 − 107.6696x1x26x32x4 − 84.2270x27x32x4 + 109.8593x16x33x4 +
219.4084x15x2x33x4+235.8187x14x22x33x4+142.1727x13x23x33x4−1.0916x12x24x33x4−
138.2233x1x25x33x4 − 129.8647x26x33x4 + 43.1603x15x34x4 + 94.8470x14x2x34x4 +
85.8055x13x22x34x4+8.2611x12x23x34x4−115.3366x1x24x34x4−137.2496x25x34x4+
18.8001x14x35x4 + 32.6346x13x2x35x4 + 10.2701x12x22x35x4− 65.3080x1x23x35x4−
104.1004x24x35x4 + 5.9441x13x36x4 + 4.5918x12x2x36x4− 26.5151x1x22x36x4−
58.8889x23x36x4+0.6512x12x37x4−8.3669x1x2x37x4−26.0781x22x37x4−1.9016x1x38x4−
9.2209x2x38x4−2.1612x39x4+479.7409x18x42−129.7670x17x2x42+41.8244x16x22x42−
106.3779x15x23x42 + 17.0831x14x24x42 − 46.7454x13x25x42 + 34.2367x12x26x42 −
5.6784x1x27x42 + 51.0936x28x42 − 104.8584x17x3x42 − 44.6854x16x2x3x42 −
222.0849x15x22x3x42−84.7276x14x23x3x42−148.5037x13x24x3x42−12.7304x12x25x3x42−
35.1080x1x26x3x42 + 86.1585x27x3x42 + 49.2890x16x32x42 − 147.3796x15x2x32x42 −
72.7719x14x22x32x42−193.7191x13x23x32x42−32.7166x12x24x32x42−75.4965x1x25x32x42+
155.1909x26x32x42−33.7770x15x33x42−27.1517x14x2x33x42−137.9635x13x22x33x42−
53.8955x12x23x33x42−99.6789x1x24x33x42+156.4952x25x33x42+32.5209x14x34x42−
55.0190x13x2x34x42−2.5629x12x22x34x42−84.7448x1x23x34x42+145.9554x24x34x42−
11.7232x13x35x42 + 8.7647x12x2x35x42 − 49.3078x1x22x35x42 + 90.4472x23x35x42 +
27.4737x12x36x42 − 19.8454x1x2x36x42 + 69.1798x22x36x42 − 5.0018x1x37x42 +
31.4284x2x37x42+26.7792x38x42+621.6310x17x43+505.8009x16x2x43+275.4191x15x22x43+
141.2129x14x23x43+61.6971x13x24x43+19.6650x12x25x43+2.1155x1x26x43−0.1963x27x43+
307.2358x16x3x43+336.1259x15x2x3x43+250.7507x14x22x3x43+143.8505x13x23x3x43+
58.9071x12x24x3x43 + 8.0781x1x25x3x43 − 0.8110x26x3x43 + 108.1374x15x32x43 +
162.8151x14x2x32x43+135.7852x13x22x32x43+72.9916x12x23x32x43+11.8475x1x24x32x43−
1.9416x25x32x43 +39.7125x14x33x43 +65.5018x13x2x33x43 +51.2702x12x22x33x43 +
10.2407x1x23x33x43 − 2.9254x24x33x43 + 13.1411x13x34x43 + 20.2786x12x2x34x43 +
6.2636x1x22x34x43 − 2.0849x23x34x43 + 3.0535x12x35x43 + 1.7441x1x2x35x43 −
0.9082x22x35x43−0.0105x1x36x43−0.5683x2x36x43−0.2265x37x43+354.5270x16x44−
173.9076x15x2x44 + 20.9055x14x22x44 − 109.4406x13x23x44 + 33.0015x12x24x44 −
23.5176x1x25x44 + 76.4197x26x44 − 124.5860x15x3x44 − 72.5904x14x2x3x44 −
216.7772x13x22x3x44−53.2677x12x23x3x44−88.4653x1x24x3x44+122.9875x25x3x44+
39.4904x14x32x44−145.3118x13x2x32x44−45.0424x12x22x32x44−132.7526x1x23x32x44+
174.4420x24x32x44−37.1420x13x33x44−18.2266x12x2x33x44−105.1766x1x22x33x44+
125.8199x23x33x44 + 34.9956x12x34x44 − 44.4952x1x2x34x44 + 100.9224x22x34x44 −
10.4051x1x35x44+45.5495x2x35x44+36.3399x36x44+498.2646x15x45+341.4446x14x2x45+
165.2771x13x22x45 + 69.7009x12x23x45 + 19.4615x1x24x45 + 4.0135x25x45 +
208.5187x14x3x45+202.7438x13x2x3x45+126.0987x12x22x3x45+48.8458x1x23x3x45+
12.6267x24x3x45 + 67.1793x13x32x45 + 82.3780x12x2x32x45 + 47.1103x1x22x32x45 +
16.4851x23x32x45 + 19.6988x12x33x45 + 21.8505x1x2x33x45 + 11.7089x22x33x45 +
3.6219x1x34x45+4.5499x2x34x45+0.7144x35x45+313.5899x14x46−286.1430x13x2x46−
2.6618x12x22x46 − 107.3658x1x23x46 + 133.6331x24x46 − 194.4420x13x3x46 −
106.5621x12x2x3x46− 235.0333x1x22x3x46+187.9999x23x3x46+27.5339x12x32x46−
168.5253x1x2x32x46 + 191.0340x22x32x46 − 42.7780x1x33x46 + 92.4147x2x33x46 +
58.9857x34x46+547.8917x13x47+292.0432x12x2x47+89.5708x1x22x47+8.0896x23x47+
180.4107x12x3x47 + 115.4957x1x2x3x47 + 14.7312x22x3x47 + 38.9382x1x32x47 +
9.4980x2x32x47+1.9467x33x47+304.2022x12x48−630.2108x1x2x48+232.7135x22x48−
431.0513x1x3x48+195.4685x2x3x48+125.1845x32x48+1.2033e+03x1x49+132.3637x2x49+
80.2202x3x49 − 0.0139x410.
$$-0.1048x_1 - 0.6361x_2 - 0.6036x_3 + 0.0074x_4 + 1.9981x_1^2 + 0.0032x_1x_2 + 0.0223x_2^2 - 0.0253x_1x_3 - 0.0511x_2x_3 + 0.0238x_3^2 + 0.1683x_1x_4 + 0.0081x_2x_4 + 0.0116x_3x_4 - 3.7141\times10^{-4}x_4^2.$$
$$0.1048x_1 + 0.6361x_2 + 0.6036x_3 - 0.0074x_4 + 1.9981x_1^2 + 0.0032x_1x_2 + 0.0223x_2^2 - 0.0253x_1x_3 - 0.0511x_2x_3 + 0.0238x_3^2 + 0.1683x_1x_4 + 0.0081x_2x_4 + 0.0116x_3x_4 - 3.7151\times10^{-4}x_4^2.$$
B.4 Odd Stage RO Certificates
Attractive Invariant:
$$\begin{aligned}
& 0.9203860029 + 0.0190x_1^2 + 0.0190x_2^2 + 0.0190x_3^2 + 0.0751x_3^4 + 0.0751x_1^4 + 0.0751x_2^4 \\
& + 0.0065x_1x_2 + 0.0065x_1x_3 + 0.0065x_2x_3 + 0.0046x_1^3x_2 - 0.0423x_1^2x_2^2 - 0.0143x_1x_2^3 \\
& - 0.0143x_1^3x_3 - 0.0231x_1^2x_2x_3 - 0.0231x_1x_2^2x_3 + 0.0046x_2^3x_3 - 0.0423x_1^2x_3^2 \\
& - 0.0231x_1x_2x_3^2 - 0.0423x_2^2x_3^2 + 0.0046x_1x_3^3 - 0.0143x_2x_3^3.
\end{aligned}$$
Escape:
$$13.4165x_1^2 + 13.4165x_2^2 + 13.4165x_3^2 - 13.4165x_1x_2 - 13.4165x_1x_3 - 13.4165x_2x_3.$$
Eventuality:
$$\begin{aligned}
& 2.8838x_1^2 + 2.8836x_2^2 + 2.8979x_3^2 + 2.9322x_3^4 + 3.1808x_1^4 + 3.2589x_2^4 - 2.1068x_1x_2 \\
& - 2.0682x_1x_3 - 2.0671x_2x_3 + 29.7895x_1^3x_2 - 23.0744x_1^2x_2^2 + 24.1883x_1x_2^3 + 24.0572x_1^3x_3 \\
& - 35.3446x_1^2x_2x_3 - 35.3397x_1x_2^2x_3 + 29.8880x_2^3x_3 - 22.6803x_1^2x_3^2 - 34.9999x_1x_2x_3^2 \\
& - 22.9830x_2^2x_3^2 + 29.8238x_1x_3^3 + 23.7623x_2x_3^3.
\end{aligned}$$
B.5 Even Stage RO Certificates
Attractive Invariant:
$$\begin{aligned}
& 0.9990128927 + 1.8133\times10^{-4}x_{p1}^2 + 1.8134\times10^{-4}x_{p2}^2 - 3.3157\times10^{-4}x_{p1}^4 + 2.3598\times10^{-4}x_{p1}^3x_{p2} \\
& - 0.0017x_{p1}^2x_{p2}^2 - 2.3591\times10^{-4}x_{p1}x_{p2}^3 - 3.3158\times10^{-4}x_{p2}^4 + 4.4111\times10^{-4}x_{p1}^6 - 4.4058\times10^{-4}x_{p1}^5x_{p2} \\
& + 0.0071x_{p1}^4x_{p2}^2 + 0.0071x_{p1}^2x_{p2}^4 + 4.4052\times10^{-4}x_{p1}x_{p2}^5 + 4.4113\times10^{-4}x_{p2}^6 - 2.1259\times10^{-4}x_{p1}^8 \\
& + 1.1636\times10^{-4}x_{p1}^7x_{p2} - 0.0084x_{p1}^6x_{p2}^2 + 8.0223\times10^{-5}x_{p1}^5x_{p2}^3 - 0.0200x_{p1}^4x_{p2}^4 - 8.0579\times10^{-5}x_{p1}^3x_{p2}^5 \\
& - 0.0084x_{p1}^2x_{p2}^6 - 1.1639\times10^{-4}x_{p1}x_{p2}^7 - 2.1260\times10^{-4}x_{p2}^8 + 5.5367\times10^{-5}x_{p1}^{10} + 4.3193\times10^{-5}x_{p1}^9x_{p2} \\
& + 0.0031x_{p1}^8x_{p2}^2 + 8.1649\times10^{-5}x_{p1}^7x_{p2}^3 + 0.0129x_{p1}^6x_{p2}^4 + 0.0129x_{p1}^4x_{p2}^6 - 8.1366\times10^{-5}x_{p1}^3x_{p2}^7 \\
& + 0.0031x_{p1}^2x_{p2}^8 - 4.3166\times10^{-5}x_{p1}x_{p2}^9 + 5.5368\times10^{-5}x_{p2}^{10}.
\end{aligned}$$
Escape:
$$0.0124x_{p1}^2 + 0.0124x_{p2}^2 + 0.0034x_{p1}^4 + 0.0034x_{p2}^4.$$
Eventuality:
$$60.15925038 + 0.0152x_{p1}^2 + 0.0149x_{p2}^2 - 0.0140x_{p1}^4 - 0.0318x_{p1}^2x_{p2}^2 - 0.0139x_{p2}^4 + 0.0259x_{p1}^4x_{p2}^2 + 0.0258x_{p1}^2x_{p2}^4.$$
Lyapunov:
$$0.0430x_{p1}^2 + 0.0430x_{p2}^2 - 0.0024x_{p1}^4 - 0.0024x_{p2}^4.$$
B.6 Odd Stage RO Attractive Invariant Set
References
[1] Daniel Y. Abramovitch. Lyapunov redesign of analog phase-lock loops. IEEE Transactions on Communications, 38(12):2197–2202, 1990.
[2] Thomas A. Henzinger, Pei-Hsin Ho, and Howard Wong-Toi. Algorithmic analysis of nonlinear hybrid systems. IEEE Transactions on Automatic Control, 43(4):540–554, April 1998.
[3] Amir Ali Ahmadi. Algebraic relaxations and hardness results in polynomial optimization and Lyapunov analysis. PhD thesis, Massachusetts Institute of Technology, 2011.
[4] Amir Ali Ahmadi, Pablo Parrilo, et al. Towards scalable algorithms with formal guarantees for Lyapunov analysis of control systems via algebraic optimization. In Decision and Control (CDC), 2014 IEEE 53rd Annual Conference on, pages 2272–2281. IEEE, 2014.
[5] G. Al-Sammane, M. H. Zaki, Z. J. Dong, and S. Tahar. Towards assertion based verification of analog and mixed signal designs using PSL. In Proceedings of Languages for Formal Specification and Verification, Forum on Specification and Design Languages (FDL), pages 293–298, 2007.
[6] Xavier Allamigeon, Stéphane Gaubert, Victor Magron, and Benjamin Werner. Formal proofs for nonlinear optimization. CoRR, abs/1404.7282, 2014.
[7] Matthias Althoff, Akshay Rajhans, Bruce H. Krogh, Soner Yaldiz, Xin Li, and Larry Pileggi. Formal verification of phase-locked loops using reachability analysis and continuization. In Proceedings of the International Conference on Computer-Aided Design (ICCAD), pages 659–666. IEEE, 2011.
[8] Rajeev Alur. Formal verification of hybrid systems. In Embedded Software (EMSOFT), 2011 Proceedings of the International Conference on, pages 273–278. IEEE, 2011.
[9] Rajeev Alur, Costas Courcoubetis, Nicolas Halbwachs, Thomas A. Henzinger, Pei-Hsin Ho, Xavier Nicollin, Alfredo Olivero, Joseph Sifakis, and Sergio Yovine. The algorithmic analysis of hybrid systems. Theoretical Computer Science, 138(1):3–34, February 1995.
[10] Rajeev Alur and David L. Dill. A theory of timed automata. Theoretical Computer Science, 126(2):183–235, 1994.
[11] Michaël Armand, Germain Faure, Benjamin Grégoire, Chantal Keller, Laurent Théry, and Benjamin Werner. A modular integration of SAT/SMT solvers to Coq through proof witnesses. In Certified Programs and Proofs, volume 7086 of Lecture Notes in Computer Science, pages 135–150. Springer, 2011.
[12] Ashok Balivada, Yatin Hoskote, and Jacob A. Abraham. Verification of transient response of linear analog circuits. In Proceedings of the 13th IEEE VLSI Test Symposium, pages 42–47, April–May 1995.
[13] Armin Biere, Alessandro Cimatti, Edmund Clarke, and Yunshan Zhu. Symbolic Model Checking without BDDs, volume 1579 of Lecture Notes in Computer Science. Springer, 1999.
[14] Stephen Boyd and Lieven Vandenberghe. Convex Optimization. Cambridge University Press, 2004.
[15] Stephen P. Boyd, Laurent El Ghaoui, Eric Feron, and Venkataramanan Balakrishnan. Linear Matrix Inequalities in System and Control Theory, volume 15. SIAM, 1994.
[16] Michael S. Branicky. Studies in hybrid systems: Modeling, analysis, and control. Technical report, DTIC Document, 1995.
[17] M. S. Branicky. Stability of switched and hybrid systems. In Decision and Control (CDC), Proceedings of the 33rd IEEE Conference on, volume 4, pages 3498–3503, 1994.
[18] Aleksandar Chakarov, Sriram Sankaranarayanan, and Georgios Fainekos. Combining time and frequency domain specifications for periodic signals. In Runtime Verification, volume 7186 of Lecture Notes in Computer Science, pages 294–309. Springer, 2012.
[19] Man-Duen Choi, Tsit Yuen Lam, and Bruce Reznick. Sums of squares of real polynomials. In Proceedings of Symposia in Pure Mathematics, volume 58, pages 103–126. American Mathematical Society, 1995.
[20] Edmund Clarke, Armin Biere, Richard Raimi, and Yunshan Zhu. Bounded Model Checking Using Satisfiability Solving. Kluwer Academic Publishers, 2001.
[21] Edmund Clarke, Alexandre Donzé, and Axel Legay. On simulation-based probabilistic model checking of mixed-analog circuits. Formal Methods in System Design, 36:97–113, 2010.
[22] Edmund M. Clarke and E. Allen Emerson. Design and synthesis of synchronization skeletons using branching time temporal logic, volume 131 of Lecture Notes in Computer Science. Springer, 1982.
[23] Edmund M. Clarke, Orna Grumberg, and Doron Peled. Model Checking. MIT Press, 1999.
[24] George E. Collins. Quantifier elimination for real closed fields by cylindrical algebraic decomposition, volume 33 of Lecture Notes in Computer Science. Springer, 1998.
[25] Wikipedia contributors. Pentium FDIV bug. Wikipedia, The Free Encyclopedia.
[26] Wikipedia contributors. Therac-25. Wikipedia, The Free Encyclopedia, February 2007.
[27] C. Yan, M. Greenstreet, and Jochen Eisinger. Formal verification of an arbiter circuit. In IEEE Symposium on Asynchronous Circuits and Systems (ASYNC), pages 165–175, May 2010.
[28] T. R. Dastidar and P. P. Chakrabarti. A verification system for transient response of analog circuits using model checking. In VLSI Design (VLSID), pages 195–200. IEEE Computer Society Press, 2005.
[29] Thomas A. DeMassa and Zack Ciccone. Digital Integrated Circuits. Wiley, New York, 1996.
[30] William Denman, Behzad Akbarpour, Sofiene Tahar, Mohamed H. Zaki, and Lawrence C. Paulson. Formal verification of analog designs using MetiTarski. In Formal Methods in Computer-Aided Design (FMCAD 2009), pages 93–100. IEEE, 2009.
[31] Andreas Dolzmann and Thomas Sturm. Redlog: Computer algebra meets computer logic. ACM SIGSAM Bulletin, 31(2):2–9, 1997.
[32] Alexandre Donzé, Oded Maler, Ezio Bartocci, Dejan Nickovic, Radu Grosu, and Scott Smolka. On temporal logic and signal processing. In Automated Technology for Verification and Analysis, pages 92–106. Springer, 2012.
[33] Andreas Eggers, Martin Fränzle, and Christian Herde. SAT modulo ODE: A direct SAT approach to hybrid systems. In Automated Technology for Verification and Analysis, volume 5311 of Lecture Notes in Computer Science, pages 171–185. Springer, 2008.
[34] Ahmed S. Elwakil and Khaled N. Salama. On the nonlinear modeling of ring oscillators. Journal of Circuits, Systems, and Computers, 18(04):681–696, 2009.
[35] Fulvio Forni. Analysis of Hybrid Systems and Design of Hybrid Controllers. PhD thesis, Università di Roma, 2010.
[36] Goran Frehse, Bruce H. Krogh, and Rob A. Rutenbar. Verifying analog oscillator circuits using forward/backward abstraction refinement. In Proceedings of the Conference on Design, Automation and Test in Europe, pages 257–262. European Design and Automation Association, 2006.
[37] Goran Frehse, Bruce H. Krogh, and Rob A. Rutenbar. Verifying analog oscillator circuits using forward/backward abstraction refinement. In Proceedings of the Conference on Design, Automation and Test in Europe, pages 257–262. European Design and Automation Association, 2006.
[38] Goran Frehse, Bruce H. Krogh, Rob A. Rutenbar, and Oded Maler. Time domain verification of oscillator circuit properties. Electronic Notes in Theoretical Computer Science, 153(3):9–22, 2006.
[39] Goran Frehse, Colas Le Guernic, Alexandre Donzé, Scott Cotton, Rajarshi Ray, Olivier Lebeltel, Rodolfo Ripado, Antoine Girard, Thao Dang, and Oded Maler. SpaceEx: Scalable verification of hybrid systems. In Computer Aided Verification, volume 6806 of Lecture Notes in Computer Science, pages 379–395. Springer, 2011.
[40] Xiaoqing Ge, Murat Arcak, and Khaled Nabil Salama. Nonlinear analysis of ring oscillator and cross-coupled oscillator circuits. Dynamics of Continuous, Discrete and Impulsive Systems Series B: Applications and Algorithms, pages 959–977, 2010.
[41] A. Ghosh and R. Vemuri. Formal verification of synthesized analog designs. In Proceedings of the International Conference on Computer Design (ICCD), pages 40–45. IEEE Computer Society Press, 1999.
[42] Rafal Goebel, Ricardo G. Sanfelice, and Andrew R. Teel. Hybrid Dynamical Systems: Modeling, Stability, and Robustness. Princeton University Press, 2012.
[43] Mark R. Greenstreet and Suwen Yang. Verifying start-up conditions for a ring oscillator. In Proceedings of the 18th ACM Great Lakes Symposium on VLSI, pages 201–206. ACM, 2008.
[44] M. R. Greenstreet and S. Yang. Verifying start-up conditions for a ring oscillator. In 18th Great Lakes Symposium on VLSI (GLSVLSI'08), pages 201–206. ACM, May 2008.
[45] S. Gupta, B.H. Krogh, and R.A. Rutenbar. Towards formal verification of analog
designs. In International Conference on Computer Aided Design ICCAD, pages
210–217, San Jose,CA (USA), November 7-11 2004. IEEE/ACM. 36, 39, 120
[46] K Hanna. Reasoning about real circuits. In Higher Order Logic Theorem Proving
and Its Applications TPHOLs, volume 859 of Lecture Notes in Computer Science,
pages 235–253. Springer, 1994. 38
[47] John Harrison. Verifying nonlinear real formulas via sums of squares. In Theo-
rem Proving in Higher Order Logics, volume 4732 of Lecture Notes in Computer
Science, pages 102–118. Springer, 2007. 34, 98, 129
[48] Walter Hartong, Ralf Klausen, and Lars Hedrich. Formal Verification for Non-
linear Analog systems:Approaches to Model and Equivalence Checking, chapter 6,
pages 205–243. Kluwer Academic Publishers, Netherland, 2004. 35
[49] Lars Hedrich and Erich Barke. A formal approach to verification of linear analog circuits with parameter tolerances. In Proceedings of the Conference on Design, Automation and Test in Europe, pages 649–655. IEEE Computer Society, 1998. 34, 40, 121
[50] http://z3.codeplex.com. 115
[51] Hiroyuki Ichihara and Hirokazu Anai. An SOS-QE approach to nonlinear gain analysis for polynomial dynamical systems. Mathematics in Computer Science, 5(3):303–314, 2011. 33, 34, 98
[52] Daisuke Ishii, Kazunori Ueda, and Hiroshi Hosobe. An interval-based SAT modulo ODE solver for model checking nonlinear hybrid systems. Software Tools for Technology Transfer, 13:449–461, 2011. 38
[53] Zachary William Jarvis-Wloszek. Lyapunov based analysis and controller synthesis for polynomial systems using sum-of-squares optimization. PhD thesis, University of California, 2003. 27, 28
[54] Alexander Jesser, Stefan Laemmermann, Roland Weiss, Alexander Pacholik, Lars Hedrich, Juergen Ruf, Thomas Kropf, Wolfgang Fengler, and Wolfgang Rosenstiel. Analog simulation meets digital verification: a formal assertion approach for mixed-signal verification. In Synthesis and System Integration of Mixed Information Technologies, 2007. 39
[55] Mikael Johansson and Anders Rantzer. Computation of piecewise quadratic Lyapunov functions for hybrid systems. IEEE Transactions on Automatic Control, 43(4):555–559, 1998. 22
[56] Kevin D. Jones, Jeha Kim, and V. Konrad. Some real world problems in the analog and mixed signal domains. In Designing Correct Circuits, 2008. 2, 39, 71
[57] Saurabh K. Tiwary, Anubhav Gupta, Joel R. Phillips, Claudio Pinello, and Radu Zlatanovici. First steps towards SAT-based formal analog verification. In International Conference on Computer-Aided Design, pages 1–8, San Jose, California, USA, November 2009. 37, 39, 97, 121
[58] Erich Kaltofen, Bin Li, Zhengfeng Yang, and Lihong Zhi. Exact certification of global optimality of approximate factorizations via rationalizing sums-of-squares with floating point scalars. In Proceedings of the Twenty-First International Symposium on Symbolic and Algebraic Computation, pages 155–164. ACM, 2008. 129
[59] Erich L. Kaltofen, Bin Li, Zhengfeng Yang, and Lihong Zhi. Exact certification in global polynomial optimization via sums-of-squares of rational functions with rational coefficients. Journal of Symbolic Computation, 47(1):1–15, 2012. 129
[60] Gustav Kirchhoff. Ueber die Auflösung der Gleichungen, auf welche man bei der Untersuchung der linearen Vertheilung galvanischer Ströme geführt wird. Annalen der Physik, 148(12):497–508, 1847. 16
[61] Hassan K. Khalil. Nonlinear Systems. Prentice Hall, third edition, 2002. 19, 49, 79, 81
[62] Kenneth S. Kundert and Alberto Sangiovanni-Vincentelli. Finding the steady-state response of analog and microwave circuits. In Proceedings of the IEEE 1988 Custom Integrated Circuits Conference, pages 6–1. IEEE, 1988. 107
[63] Robert P. Kurshan and K. L. McMillan. Analysis of digital circuits through symbolic reduction. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 10(11):1356–1371, November 1991. 35
[64] Avraham Levkovich, Ezra Zeheb, and Nir Cohen. Frequency response envelopes of a family of uncertain continuous-time systems. IEEE Transactions on Circuits and Systems I: Fundamental Theory and Applications, 42(3):156–165, 1995. 40, 121
[65] Daniel Liberzon. Switching in Systems and Control. Springer Science & Business Media, 2012. 21
[66] Honghuang Lin, Peng Li, and Chris J. Myers. Verification of digitally-intensive analog circuits via kernel ridge regression and hybrid reachability analysis. In Proceedings of the 50th Annual Design Automation Conference, page 66. ACM, 2013. 4, 68
[67] Johan Löfberg. YALMIP: A toolbox for modeling and optimization in MATLAB. In 2004 IEEE International Symposium on Computer Aided Control Systems Design, pages 284–289. IEEE, 2004. 63, 94
[68] John Lygeros, Karl Henrik Johansson, Slobodan N. Simić, Jun Zhang, and S. Shankar Sastry. Dynamical properties of hybrid automata. IEEE Transactions on Automatic Control, 48(1):2–17, January 2003. 13
[69] Oded Maler. Algorithmic Verification of Continuous and Hybrid Systems, volume 140 of EPTCS, pages 48–69. 2014. 30
[70] Oded Maler and Dejan Nickovic. Monitoring properties of analog and mixed-signal circuits. Software Tools for Technology Transfer, 15(3):247–268, June 2013. 39
[71] MATLAB. Version 8.2 (R2013b). The MathWorks Inc., 2013. 114
[72] Paolo Nenzi and Holger Vogt. Ngspice Users Manual, version 23, 2011. 18, 101
[73] Pablo A. Parrilo. Structured semidefinite programs and semialgebraic geometry methods in robustness and optimization. PhD thesis, California Institute of Technology, Pasadena, California, 2000. 23, 24, 25, 26, 27
[74] Stefan Pettersson and Bengt Lennartson. Stability and robustness for hybrid systems. In Proceedings of the 35th IEEE Conference on Decision and Control, volume 2, pages 1202–1207. IEEE, 1996. 22
[75] Helfried Peyrl and Pablo A. Parrilo. Computing sum of squares decompositions with rational coefficients. Theoretical Computer Science, 409(2):269–281, 2008. 129
[76] Amir Pnueli. The temporal logic of programs. In 18th Annual Symposium on Foundations of Computer Science, pages 46–57. IEEE, 1977. 29
[77] Stephen Prajna and Ali Jadbabaie. Safety verification of hybrid systems using barrier certificates. In Hybrid Systems: Computation and Control, volume 2993 of Lecture Notes in Computer Science, pages 477–492. Springer, 2004. 32, 98
[78] Stephen Prajna and Antonis Papachristodoulou. Analysis of switched and hybrid systems: beyond piecewise quadratic methods. In Proceedings of the 2003 American Control Conference, volume 4, pages 2779–2784. IEEE, 2003. 24, 54
[79] Stephen Prajna, Antonis Papachristodoulou, Pablo Parrilo, et al. Introducing SOSTOOLS: A general purpose sum of squares programming solver. In Proceedings of the 41st IEEE Conference on Decision and Control, volume 1, pages 741–746. IEEE, 2002. 26
[80] Stephen Prajna and Anders Rantzer. Convex programs for temporal verification of nonlinear dynamical systems. SIAM Journal on Control and Optimization, 46(3):999–1021, 2007. 78, 80
[81] Mark R. Greenstreet and Ian Mitchell. Integrating projections. In First International Workshop, HSCC'98, pages 159–174, 1998. 35
[82] A. Salem. Semi-formal verification of VHDL-AMS descriptions. In IEEE International Symposium on Circuits and Systems (ISCAS), volume 5, pages 333–336, 2002. 35
[83] Ghiath Al Sammane, Mohamed H. Zaki, and Sofiène Tahar. A symbolic methodology for the verification of analog and mixed signal designs. In DATE, pages 249–254. ACM, 2007. 38
[84] Sriram Sankaranarayanan, Henny B. Sipma, and Zohar Manna. Constructing invariants for hybrid systems. In Hybrid Systems: Computation and Control, volume 32, pages 539–554. Springer, 2004. 34
[85] Zhikun She and Bai Xue. Algebraic analysis on asymptotic stability of switched hybrid systems. In Proceedings of the 15th ACM International Conference on Hybrid Systems: Computation and Control, pages 187–196. ACM, 2012. 34, 98
[86] S. Steinhorst and L. Hedrich. Trajectory-directed discrete state space modeling for formal verification of nonlinear analog circuits. In 2012 IEEE/ACM International Conference on Computer-Aided Design (ICCAD), pages 202–209, Nov 2012. 97
[87] S. Steinhorst, M. Peter, and L. Hedrich. State space exploration of analog circuits by visualized multi-parallel particle simulation. In International Conference on Signal Processing Systems (ICSPS'09), pages 858–862, Washington, DC, USA, May 2009. IEEE Computer Society. 37, 39, 97, 120
[88] Jos F. Sturm. Using SeDuMi 1.02, a MATLAB toolbox for optimization over symmetric cones. Optimization Methods and Software, 1999. 63
[89] Thomas Sturm. Real Quantifier Elimination in Geometry. Fak. für Math. und Inf., 1999. 33
[90] Thomas Sturm and Ashish Tiwari. Verification and synthesis using real quantifier elimination. In Proceedings of the 36th International Symposium on Symbolic and Algebraic Computation, pages 329–336. ACM, 2011. 33, 98
[91] Ankur Taly and Ashish Tiwari. Deductive verification of continuous dynamical systems. In LIPIcs-Leibniz International Proceedings in Informatics, volume 4. Schloss Dagstuhl-Leibniz-Zentrum für Informatik, 2009. 33, 98
[92] Weehong Tan. Nonlinear Control Analysis and Synthesis using Sum-of-Squares Programming. PhD thesis, University of California, Berkeley, 2006. 78, 79, 98, 128, 129
[93] Alfred Tarski. A decision method for elementary algebra and geometry. 1951. 24
[94] Thao Dang, Alexandre Donzé, and Oded Maler. Verification of analog and mixed-signal circuits using hybrid system techniques. In Alan J. Hu and Andrew K. Martin, editors, FMCAD, volume 3312 of Lecture Notes in Computer Science, pages 21–36. Springer, 2004. 36
[95] Ashish Tiwari and Gaurav Khanna. Nonlinear systems: Approximating reach sets. In Hybrid Systems: Computation and Control, volume 2993 of Lecture Notes in Computer Science, pages 600–614. Springer, 2004. 34
[96] Yannis P. Tsividis and Colin McAndrew. Operation and Modeling of the MOS Transistor. Oxford University Press, 2011. 17
[97] Hafiz Ul Asad and Kevin D. Jones. Inevitability of phase-locking in a charge pump phase lock loop using deductive verification. In Proceedings of the 25th Edition on Great Lakes Symposium on VLSI, pages 295–300. ACM, 2015. 9
[98] Hafiz Ul Asad and Kevin D. Jones. Verifying inevitability of phase-locking in a charge pump phase lock loop using sum of squares programming. In Proceedings of the 25th Edition on Great Lakes Symposium on VLSI, pages 295–300. ACM, 2015. 9
[99] Hafiz Ul Asad, Kevin D. Jones, and Frederic Surre. Verifying robust frequency domain properties of non linear oscillators using SMT. In 17th International Symposium on Design and Diagnostics of Electronic Circuits & Systems, pages 306–309. IEEE, 2014. 9
[100] D. Walter, S. Little, N. Seegmiller, C. J. Myers, and T. Yoneda. Symbolic model checking of analog/mixed-signal circuits. In Proc. of Asia and South Pacific Design Automation Conference (ASPDAC), pages 316–323. IEEE Computer Society, 2007. 37
[101] David Walter, Scott Little, and Chris Myers. Bounded model checking of analog and mixed-signal circuits using an SMT solver. In Kedar S. Namjoshi, Tomohiro Yoneda, Teruo Higashino, and Yoshio Okamura, editors, Proceedings of the 5th International Conference on Automated Technology for Verification and Analysis (ATVA), volume 4762 of Lecture Notes in Computer Science, pages 66–81, Berlin, 2007. Springer-Verlag. 37
[102] T. Wang, Sanjay Lall, and Matthew West. Polynomial level-set method for polynomial system reachable set estimation. IEEE Transactions on Automatic Control, 58:2508–2521, 2013. 28, 30, 32, 59
[103] Zuoding Wang. An analysis of charge-pump phase-locked loops. IEEE Transactions on Circuits and Systems I: Regular Papers, 52(10):2128–2138, 2005. 17, 42
[104] Andreas Weber. Quantifier elimination on real closed fields and differential equations. Algebra, Logic, Set Theory – Festschrift für Ulrich Felgner zum 65. Geburtstag, pages 291–315. 98
[105] Jijie Wei, Yan Peng, Ge Yu, and Mark Greenstreet. Verifying global convergence for a digital phase-locked loop. In Formal Methods in Computer-Aided Design (FMCAD 2013), pages 113–120. IEEE, 2013. 4, 68, 69
[106] Volker Weispfenning. A new approach to quantifier elimination for real algebra. Springer, 1998. 34
[107] Morris W. Hirsch and Stephen Smale. Differential Equations, Dynamical Systems, and Linear Algebra. Academic Press, Inc., San Diego, CA, 1974. 13
[108] C. Yan and Mark Greenstreet. Oscillator verification with probability one. In FMCAD 2012, pages 165–172, Cambridge, October 2012. 40, 121
[109] Chao Yan, Mark R. Greenstreet, and Suwen Yang. Verifying global start-up for a Möbius ring-oscillator. Formal Methods in System Design, 45(2):246–272, 2014. 77, 96, 97
[110] Leyi Yin, Yue Deng, and Peng Li. Verifying dynamic properties of nonlinear mixed-signal circuits via efficient SMT-based techniques. In International Conference on Computer-Aided Design (ICCAD), pages 436–442. IEEE, November 2012. 38
[111] M. H. Zaki, S. Tahar, and G. Bois. A practical approach for monitoring analog circuits. In ACM Great Lakes Symposium on VLSI (GLS-VLSI), pages 330–335, 2006. 39
[112] M. H. Zaki, S. Tahar, and G. Bois. Combining symbolic simulation and interval arithmetic for the verification of AMS designs. In Formal Methods for Computer Aided Design (FMCAD), pages 207–215. IEEE Computer Society Press, 2007. 37
[113] Mohamed H. Zaki, Sofiène Tahar, and Guy Bois. Formal verification of analog and mixed signal designs: A survey. Microelectronics Journal, 39(12):1395–1404, 2008. 34
