Techniques for the Formal Verification of Analog and Mixed-Signal Designs
Mohamed Hamed Zaki Hussein
Electrical and Computer Engineering 
Presented in Partial Fulfillment of the Requirements 
for the Degree of Doctor of Philosophy at 
Concordia University 
Montreal, Quebec, Canada 
2008 
© Mohamed Hamed Zaki Hussein, 2008 
Library and Archives Canada, Published Heritage Branch
395 Wellington Street, Ottawa ON K1A 0N4, Canada
ISBN: 978-0-494-45663-7
NOTICE: The author has granted a non-exclusive license allowing Library and Archives Canada to reproduce, publish, archive, preserve, conserve, communicate to the public by telecommunication or on the Internet, loan, distribute and sell theses worldwide, for commercial or non-commercial purposes, in microform, paper, electronic and/or any other formats.
The author retains copyright ownership and moral rights in this thesis. Neither the thesis nor substantial extracts from it may be printed or otherwise reproduced without the author's permission.
In compliance with the Canadian Privacy Act some supporting forms may have been removed from this thesis.
While these forms may be included in the document page count, their removal does not represent any loss of content from the thesis.
ABSTRACT
Techniques for the Formal Verification of Analog and Mixed-Signal Designs
Mohamed Hamed Zaki Hussein, Ph.D.
Concordia University, 2008
Embedded systems are becoming a core technology in a growing range of electronic devices. Cornerstones of embedded systems are analog and mixed signal (AMS) designs, which are the integrated circuits required at the interfaces with the real-world environment. The verification of AMS designs is concerned with the assurance of correct functionality, in addition to checking whether an AMS design is robust with respect to different types of inaccuracies like parameter tolerances, nonlinearities, etc. The verification framework described in this thesis is composed of two proposed methodologies, each concerned with a class of AMS designs, i.e., continuous-time AMS designs and discrete-time AMS designs. The common idea behind both methodologies is built on top of Bounded Model Checking (BMC) algorithms. In BMC, we search for a counter-example to a property verified against the design model for a bounded number of verification steps. If a concrete counter-example is found, then the verification is complete and reports a failure; otherwise, we need to increment the number of steps until property validation is achieved. In general, the verification is not complete because of limitations in the time and memory needed for the verification. To alleviate this problem, we observed that under certain conditions and for some classes of specification properties, the verification can be complete if we complement the BMC with other methods such as abstraction and constraint-based verification methods. To test and validate the proposed approaches, we developed a prototype implementation in Mathematica and targeted analog and mixed signal systems like oscillator circuits, switched capacitor based designs and Delta-Sigma modulators for our initial tests of this approach.
To my parents and my sister 
ACKNOWLEDGEMENTS
I have been very fortunate to have Dr. Sofiene Tahar and Dr. Guy Bois as my supervisors. I would like to express my deep and sincere gratitude to both of them. With the enthusiasm, inspiration, sound advice and guidance they provided throughout my Ph.D. studies, I was able to finally write this thesis. I would also like to thank them for supporting me financially, which allowed me to concentrate actively on research.
Dr. Tahar gave me the freedom to pursue this research. His continuous support and great effort were a cornerstone of my research, and his great personality has shaped my research interests.
I would like to thank Dr. Bois for his patience with me in delivering the research contribution he expected and for providing the necessary feedback during the thesis.
It has been a great opportunity for me to work with Dr. Ghiath Al Sammane. I am also greatly grateful to him for the inspiring ideas and the long discussions. Without his help, I could not have completed this work.
I also wish to express my gratitude to my Ph.D. committee members, Dr. Peyman Gohari and Dr. Ibrahim Hassan, for their invaluable feedback throughout the Ph.D. and for giving their limited time to reviewing my thesis. I am especially grateful to Dr. Glenn Cowan for accepting to be on my examination committee. I would also like to thank Dr. Mark Greenstreet for taking time out of his busy schedule to serve as my external examiner. I really appreciate having an expert of such high caliber on my committee.
My colleagues from the Hardware Verification Group (HVG) at Concordia University supported me in my research work. I want to thank them for providing a stimulating and fun environment.
I would like to reserve my deepest thanks to my parents and my sister for their perpetual love and encouragement. Their lifetime of support and encouragement has provided the basic foundation of any success I will ever achieve.
Everything I have is given by God, and my gratitude will always be due to Him.
TABLE OF CONTENTS 
LIST OF TABLES xi 
LIST OF FIGURES xii 
LIST OF ACRONYMS xiv 
1 Introduction 1 
1.1 Motivation 1 
1.1.1 AMS Computer-Aided Design 3 
1.2 AMS Designs as Hybrid Systems 8 
1.2.1 Hybrid Systems Modeling 9 
1.2.2 Hybrid System Approaches 10 
1.2.3 Hybrid Systems Verification 12 
1.2.4 Model Checking Hybrid Systems 13 
1.3 Scope of the Thesis 17 
1.3.1 AMS Formal Verification 17 
1.3.2 State of the Art 18 
1.3.3 Basic Verification Concepts 20 
1.3.4 Proposed Verification Methodology 22 
1.4 Thesis Contribution 25 
1.5 Thesis Organization 27 
2 Literature Overview 30 
2.1 Introduction 30 
2.2 Equivalence Checking 31 
2.2.1 Relevant Work 31 
2.2.2 Discussion 34 
2.3 Proof Based and Symbolic Methods 35 
2.3.1 Relevant Work 35 
2.3.2 Discussion 36 
2.4 Run-Time Verification 36 
2.4.1 Relevant Work 38 
2.4.2 Discussion 39 
2.5 Model Checking and Reachability Analysis 40 
2.5.1 Relevant Work 41 
2.5.2 Discussion 44 
2.6 Summary 46 
3 Preliminaries 48 
3.1 Basic Concepts 49 
3.1.1 Generalized If-Formula 49 
3.1.2 Taylor Approximation 51 
3.1.3 Interval Arithmetics 52 
3.1.4 Taylor Models 54 
3.1.5 Symbolic Simulation 57 
3.2 Modeling AMS Designs 60 
3.2.1 Discrete-Time AMS Designs 61 
3.2.2 Continuous-time AMS Designs 62 
3.2.3 Approximating the Behavior of CT-AMS Designs 66 
3.2.4 Interval Abstraction 70 
3.3 Specification Languages 73 
3.3.1 MITL 74 
3.3.2 ∀CTL 77
3.4 Symbolic Simplification 79 
4 Bounded Model Checking for CT-AMS Designs 82 
4.1 Reachability Analysis 85 
4.1.1 Taylor Model Based Reachability 86 
4.1.2 Sufficient Discretization Conditions 90 
4.1.3 Checking Switching Condition 95 
4.2 Bounded Model Checking 98 
4.2.1 Interval Based Bounded Model Checking 100 
4.2.2 BMC Algorithms 101 
4.3 Finding Counter-example 109 
4.3.1 Counter-example Generation and Validation 111
4.4 Applications 115 
4.4.1 Tunnel Diode Circuit 115 
4.4.2 Schmitt Trigger 117 
4.4.3 Continuous-Time ΔΣ Modulator 119
4.5 Summary 120 
5 Qualitative Abstraction for CT-AMS Verification 122 
5.1 Overview 122 
5.1.1 Predicate Abstraction 124 
5.1.2 Abstraction Based Verification 125 
5.1.3 Invariants 126 
5.2 Invariants Based Verification 128 
5.2.1 Safety Properties 129 
5.2.2 Switching Properties 130 
5.2.3 Reachability Verification 131 
5.3 Predicate Abstraction 135 
5.3.1 Abstract State Space 135 
5.3.2 Computing Abstract Transitions 138 
5.3.3 Abstract Model Refinement 139 
5.4 Applications 140 
5.4.1 BJT Colpitts Circuit 140 
5.4.2 Non-Linear Analog Circuit 141 
5.4.3 RLC Circuit Oscillator 141 
5.5 Summary 142 
6 Verification of DT-AMS Designs 144 
6.1 The Verification Algorithms 146 
6.1.1 Interval based BMC 146 
6.1.2 Constrained Induction based Verification 150 
6.2 d-Induction BMC Methodology 154 
6.2.1 d-induction 155 
6.2.2 Combining d-induction and Interval based BMC 158 
6.3 Applications 160 
6.3.1 Third-order ΔΣ Modulator 160
6.3.2 Non-Linear Voltage Switching Circuit 161 
6.3.3 Discussions 163 
6.4 Summary 164 
7 Conclusion 166 
A Mathematica Implementations 170 
A.l Mathematica Functions 170 
Bibliography 174 
LIST OF TABLES 
1 Equivalence Checking Techniques 35 
2 Theorem Proving 37 
3 Run-time Verification Techniques 40 
4 Model Checking Techniques 45 
1 Oscillator Verification Results 109 
1 Interval Based BMC Verification Results for ΔΣ Modulator in Example 6.1.1 150
2 Induction based Verification Results for ΔΣ Modulator in Example 6.1.2 155
3 d-induction BMC Verification Results for ΔΣ Modulator 162
4 d-induction BMC Verification Results for Analog Computer 164 
LIST OF FIGURES 
1.1 Embedded System 2 
1.2 AMS Bottom-up Design Methodology 6 
1.3 Hybrid System Modeling 10 
1.4 Verification Methodology for Continuous-Time AMS Designs 24 
1.5 Verification Methodology for Discrete-Time AMS Designs 26 
3.1 Emitter Collector Differential Stage 57 
3.2 First-order ΔΣ Modulator 62
3.3 Colpitts Circuit Diagram 64 
3.4 Switched Analog Circuit 67 
3.5 Third-order ΔΣ Modulator 79
4.1 CT-AMS BMC Verification Methodology 84 
4.2 Switching Condition Satisfaction 98 
4.3 Oscillation Behavior for Circuit in Example 3.4 (Chapter 3) 108 
4.4 Behavior Violation for Circuit in Example 3.4 114 
4.5 Behavior Analysis for Circuit in Example 3.4 114 
4.6 Tunnel Diode Oscillator 116 
4.7 Oscillator Behavior 117 
4.8 Schmitt Trigger Oscillator 118 
4.9 Schmitt Trigger Oscillator Behavior 118 
4.10 Continuous-Time ΔΣ Modulator 120
4.11 DSM Modulator 120 
5.1 Qualitative Abstraction based Verification Methodology 124 
5.2 Illustrative Non-linear Circuit 128 
5.3 Safety Verification (Example 5.2.1) 130 
5.4 Switching Verification (Example 5.2.2) 132 
5.5 Reachability (Example 5.2.3) 135 
5.6 Predicates for the Circuit in Figure 5.2.a 137 
5.7 BJT Colpitts Circuit 141 
5.8 Non-Linear Oscillator 143 
6.1 DT-AMS Verification Methodology 145 
6.2 Overview of the Verification Algorithm 156 
6.3 Digitally Controlled Analog Computer 163 
LIST OF ACRONYMS
Analog and Mixed Signal
Analog Specification Language
Abstract State Transition Graph
Binary Decision Diagram
Bipolar Junction Transistor
Bounded Model Checking
Computer Aided Design
Counter-Example Guided Abstraction Refinement
Complementary MOSFET
Continuous-Time Analog and Mixed Signal
Computational Tree Logic
Digital-to-Analog Converter
Differential Algebraic Equation
Direct Current
Difference Equations
Discrete-Time Analog and Mixed Signal
Finite State Machine
Hardware Description Language
Interval Arithmetics
Intellectual Property
Initial Values Problem
Labeled Hybrid Petri Nets
Mixed-Integer Linear Programming
Metric Timed Linear Temporal Logic
Metric Interval Temporal Logic
Metal Oxide Semiconductor
MOS Field-Effect Transistor
Mean Value Theorem
n-channel MOSFET
Ordered Binary Decision Diagram
Ordinary Differential Equations
Phase-Locked Loop
Property Specification Language
Prototype Verification System
Radio Frequency
Boolean Satisfiability Problem
System on Chip
Satisfiability Modulo Theories
Symbolic Model Verifier
System of Recurrence Equations
Signal Temporal Logic
Timed CTL
Threshold-Event-Driven Hybrid Systems
1 Introduction
1.1 Motivation
Embedded systems are becoming a core technology in a growing range of electronic devices. Generally, embedded systems are characterized by their reactive and real-time dynamical behavior in response to their environment. Such interaction is often facilitated through sensors to capture the state of the environment and actuators to change or update the environment (Figure 1.1(a)). Cornerstones of embedded systems are the analog and mixed signal (AMS) System on Chip (SoC) building blocks [67]. Typically, SoC refers to the integration of different electronic intellectual property (IP) and custom design blocks into a single integrated chip, as depicted in Figure 1.1(b). Among the important functions of AMS designs is the processing of analog signals on the front and back ends of the system. Other functionalities include converting between analog and digital data representations, frequency synthesis and generating timing references. In addition, analog circuits are used for biasing, which is necessary for correct and stable operation of the system. In summary [42], AMS designs are needed for:
• Analog front-end circuits: On the front-end of the embedded system, signals from sensors or antenna (in Radio Frequency (RF) designs) must be sensed, received,
Figure 1.1: Embedded System (figure; labels recovered from the extraction: Mechanical/Dynamics, Continuous System, DSP, AMS)
noise ratio. In addition, in the case of RF, a down-conversion mixer performs frequency translation by multiplying the RF signal with the local oscillator generated signal.
• Analog back-end circuits: At the back-end of the system, signals are re-converted from digital to analog. Among the analog circuits at the back-end are filters, oscillators and buffers. For RF, the analog signal is upconverted to the desired RF band for transmission.
• Mixed circuits: Data processing components like analog-to-digital (A/D) and digital-to-analog (D/A) converters encode and/or transform the data between analog and digital representations. These include sample and hold circuits, which are usually used to take snapshots (samples) of the analog signal, phase locked loops (PLL), and frequency synthesizers for generating timing references.
• Biasing and reference circuits: These circuits produce stable absolute current and voltage references, insensitive to temperature, power supply and load variations, that are necessary for correct operation and for meeting the challenge arising from reduced supply voltages.
• High performance digital circuits: The largest analog circuits today are high performance (high-speed, low-power) digital circuits. Typical examples are state-of-the-art microprocessors, which make extensive use of full custom design, including custom sized transistors as in analog circuits, to push speed or power limits. Also, a critical part in the development of such electronic systems is high-speed inter-chip signalling. Many of the timing problems related to high-speed signalling are mitigated through the use of phase-interpolating circuits to generate precise clock phases.
• Optoelectronics and electromechanical devices: Optoelectronics include integrated optical circuits, photodetectors, photodiodes, phototransistors, photoresistors and photoconductors. Electromechanical devices are those that combine electrical and mechanical parts.
1.1.1 AMS Computer-Aided Design
Computer-aided design (CAD) tools have been proposed and developed to overcome challenges in the development process of AMS circuits. For instance, the full-custom design of analog integrated circuits is very time-consuming and needs experienced designers. In addition, the necessity to design and improve the quality of more complex integrated systems under the tight constraints of increasingly shorter time-to-market and higher productivity led to the awareness of the importance of computer-aided and automated design tools for AMS designs. Such CAD tools and concepts are needed to provide unique insights into the behavior and characteristics of the integrated circuits, to help the designer select the best design strategies. Finally, CAD tools should tackle the crucial aspects of real designs to correctly and efficiently model these circuits as well as analyze the corresponding behaviors. In recent years, some breakthroughs have been made in different aspects of the CAD procedure, especially in the development of hardware description languages (HDL) suitable to describe the different AMS behaviors [91]; e.g., VHDL-AMS [110], Verilog-AMS [109] and SystemC-AMS [108]. Other advances have been made in the design procedure, namely analog synthesis and topology selection (in top-down methodologies), design related optimizations like design centering and device sizing, and analog layout automation [96]. One important constituent of the CAD framework is the verification task, which subsumes several challenging aspects that require extensive expertise and deep understanding of the AMS behavior.
Classification of AMS Designs
Unlike digital designs, the functionality of analog circuits is defined directly in terms of continuous electrical quantities and is usually sensitive to environmental factors like signal noise, current leakage, temperature, etc., in addition to higher order physical effects when designing in deep submicron technologies, such as increased parasitics and current leakage, which pose a challenge in the design process.
AMS designs are usually classified based on a variety of criteria and/or the type of analysis applied to the designs [17]. For instance, we can differentiate between AMS designs based on the type of signals processed within the design components. A signal can be described as continuous-time when it can assume any analog value over a continuous time range, whereas a discrete-time signal is an analog signal defined only for discrete values of time. In general, a discrete-time signal can be obtained by taking samples of a continuous-time analog signal at discrete instants of time.
Therefore, for each class of AMS designs, i.e., continuous-time AMS (CT-AMS) and discrete-time AMS (DT-AMS), we provide mathematical models capturing the relevant behavior at the different levels of design abstraction. For example, differential equations capture the physical characteristics of the designs appropriately. On the other hand, certain families of AMS designs (e.g., A/D converters) are composed of digital components that can be adequately modeled at higher levels of abstraction, interfaced by threshold event generator components (e.g., comparator circuits). Such systems are typically modeled using piecewise based equations.
To sum up, a key to a sound verification of the different classes of AMS designs is an adequate model that captures both the analog and digital behaviors while being amenable to algorithmic analysis. We will propose in this thesis a computational model which is general enough to represent the different behavioral aspects of CT-AMS and DT-AMS designs.
AMS Abstraction Levels
In general, verification challenges arise throughout each of the phases of the design process. For a consistent design flow, a compliance certificate approving the correspondence between different design levels (or different designs at a specific level) is required to ensure correctness of the end product and its conformity to the specification. For instance, in the bottom-up design methodology as illustrated in Figure 1.2, the process starts with the design of the individual blocks, which are verified individually and then combined to form the system. However, such verification can be quite expensive as the entire system is represented at the transistor level. A solution to this problem lies in modeling at a higher level than the implementation level, such that an analysis of the whole design can be performed. This is achieved by the development of symbolic analysis, i.e., simplification methods applied to obtain simplified models (e.g., macromodels, behavioral models) preserving the properties of interest. To ensure correctness of the methodology, some notion of equivalence needs to be verified between the implementation and the generated models. Moreover, we want to ensure that the extracted models, when combined, preserve the specification properties.
Figure 1.2: AMS Bottom-up Design Methodology (figure; levels: Specification, Models, Circuit Equations, Circuit Netlist, Layout; steps: Model Reduction/Simplification, Integration, Verification, Place and Route, Post Layout Verification/Parasitic Extraction)
A wide range of properties and requirements exist for the different classes of AMS designs. In the following, we highlight some of the design and verification challenges at the different levels of abstraction [42]:
• Circuit Level: Analysis at the circuit level can be conducted in the time or frequency domain. It includes DC and operating point analysis, small signal analysis (i.e., AC, noise and distortion analysis), transient analysis used to predict the nonlinear behavior of a circuit, and periodic steady state analysis.
• Macromodel Level: Macromodels are design models with more ideal circuit elements, which approximate the behavior of the original circuit. For example, simplified but convenient approaches for discrete-time circuits such as switched-capacitor oversampling converters use difference equations to model the circuit behavior.
• Functionality Level: Many nonlinear blocks of interest like switches, comparators, etc., are intended to switch abruptly between two states. While such operation is obviously natural for purely digital systems, the strongly nonlinear behavior is also exploited in analog blocks such as sampling circuits, switching mixers, analog-to-digital converters, etc.
• System Level: Challenges arise not only in the AMS design process, but also during the integration of analog and RF IP designs in SoC platforms. Problems range from correct functionality of the integrated analog and digital parts to conformance to system specifications like area and power consumption.
AMS Verification
While AMS components constitute only a small part of the whole SoC (between 5 and 10 percent as noted in [10]), the AMS blocks' design and their integration account for 40 to 50 percent of the overall design time [16]. Of this design time, 70 to 80 percent is spent on verification [16]. Traditionally, simulation is used to verify the designs at abstraction levels from the circuit level, using Spice based simulators, through the behavioral level, where designs are written in programming languages like VHDL-AMS and SystemC-AMS, and up to the system level. However, simulation is often done manually in an informal fashion, and the search of the state space is not complete. As a consequence, simulation methods lack the rigor needed to ensure correctness of the design. Besides, simulation does not provide the guarantees needed for correct correspondence between the implementation and the approximate models at subsequent design levels, or between two models at the same level where robustness and parameter tolerances are considered. In addition, such methods fall short of validating interesting properties of the design behavior such as temporal requirements.
Another problem is caused by the fact that, while a design is defined in advance, one cannot ensure a priori that the desired properties will exactly be met during manufacturing of the actual circuit. Component tolerances will always lead to large variations of a circuit's properties, which may result in effects not expected from the results of the numerical simulation. This latter problem cannot be overcome within a single numerical simulation. Therefore, more sophisticated methods are usually used as complementary to simulation to raise confidence in the end product¹. For instance, simulation is complemented by symbolic techniques [96], where the effect of parameter variations on the system behavior is analyzed. Although successful, challenging problems like non-linear effects make these techniques suitable only for simple designs.
The last decade saw the emergence of a new engineering field known as hybrid system theory, where researchers have developed formal techniques for the automatic design and analysis of systems with real-time and continuous behavior which are described by a composition of continuous-time systems and discrete-time systems.
¹ Monte Carlo simulation serves as a standard solution for circuit verification in the presence of parameter imprecision. However, it inherits the coverage limitation drawbacks of standard simulation methods.
Boosted by the successful application of formal methods in hybrid design verification, formal methods became a serious candidate for the verification of AMS systems. This growing interest is due to the fact that such methods promise a complete verification, therefore increasing the level of confidence in the verification results. In particular, one is interested in global properties connected to the dynamic behavior of the AMS systems. For example, we might be interested in properties like "will the circuit oscillate for a given set of parameters, and for all sets of constant input voltages?" or "will switching occur in less than a specific amount of time?".
In this thesis, we aim at the development of methods and techniques tackling such challenges in the verification process of AMS designs using methods from hybrid system research.
1.2 AMS Designs as Hybrid Systems
The analysis of the behavior of AMS designs, with their mixed-domain heterogeneity and at different levels of abstraction, requires formal tools that cut across existing disciplinary boundaries: the analog part is usually modeled as a continuous-time or discrete-time dynamical system, while the digital part's dynamics are modeled as discrete systems. Moreover, at each level of abstraction, an appropriate model should always be set for the analysis phase. The levels of abstraction for these models range from simple algebraic equations, through ordinary and partial differential equations, up to the block diagram level, depending on the level of detail needed. In this respect, AMS models have to meet two contradicting demands. On the one hand, they have to describe the physical behavior of a circuit as accurately as possible. On the other hand, the models should be simple enough to keep the computing time for verification reasonably small. For example, complex elements such as transistors can be modeled by small circuits containing basic network elements described by algebraic and ordinary differential equations only.
1.2.1 Hybrid Systems Modeling
Hybrid systems theory [4] was developed to deal with systems with heterogeneous behavior. Specifically, to fully understand the system's behavior and meet high performance specifications, the designer needs to model all of the dynamics together with their interaction, which is very important when the different parts of the system are tightly integrated or strongly interacting. For instance, at the specification level, the embedded system architecture illustrated in Figure 1.1(a) can be modeled in an abstract way as shown in Figure 1.3. The digital controller is modeled by finite state machines (FSMs), while the dynamical environment is described using systems of ordinary differential equations (ODEs) or difference equations (DE). In addition, the sensor and A/D interface can be modeled as a threshold detector and an event generator, respectively, while the actuator and D/A components can be modeled as switches that choose between different systems of ODEs and set the initialization and reset conditions necessary for correct functionality.
The unified analysis of such systems led to the development of a class of complex dynamical systems called hybrid systems. Hybrid systems theory is a general theory dealing with the different aspects of modeling, analysis and verification of systems composed of discrete and continuous components interacting together in a specific manner. Formally, these systems are characterized by the interaction of continuous dynamics models (governed by differential or difference equations) and of logic rules and discrete event systems (described by temporal logic, finite state machines, etc.). Examples of continuous models include the analog behavior of electronic components, while examples of discrete dynamics
Figure 1.3: Hybrid System Modeling (figure; blocks: ODEs Selector, Reset/Initialization, Input Events, Analog System (ODEs/DE), Threshold Detector, Event Generator, Flow Solution (x))
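The modeling just described (a threshold detector and event generator whose output selects which difference equation applies) together with the bounded model checking loop sketched in the abstract, as an added example; the code below is not from the thesis and is not its Mathematica prototype. The model is a constructed first-order discrete-time Delta-Sigma modulator (integrator plus one-bit comparator), the safety property is a bound on the integrator state, and every name, numeric range and function here is an assumption of this example. It goes slightly beyond the abstract's description in that, besides reporting a counter-example region or an exhausted bound, it also detects when the accumulated reachable interval stops growing, which is an inductive invariant and therefore closes the verification for every bound.

```python
"""Interval-based bounded model checking of a first-order discrete-time
Delta-Sigma modulator, modeled as a hybrid system (constructed example).

Model (constructed for this example, not taken from the thesis):
  integrator   x[n+1] = x[n] + u[n] - q[n]
  comparator   q[n]   = +1 if x[n] >= 0 else -1
The comparator plays the roles of threshold detector and event generator; its
output selects which of the two difference equations (the two modes) applies.
"""
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass(frozen=True)
class Interval:
    """Closed interval [lo, hi] with the two arithmetic rules the model needs."""
    lo: float
    hi: float

    def __add__(self, other: "Interval") -> "Interval":
        return Interval(self.lo + other.lo, self.hi + other.hi)

    def __sub__(self, other: "Interval") -> "Interval":
        return Interval(self.lo - other.hi, self.hi - other.lo)

    def inside(self, other: "Interval") -> bool:
        return other.lo <= self.lo and self.hi <= other.hi


def hull(boxes: List[Interval]) -> Interval:
    """Smallest single interval enclosing all boxes (the abstraction step)."""
    return Interval(min(b.lo for b in boxes), max(b.hi for b in boxes))


THRESHOLD = 0.0           # comparator switching level (assumed)
ONE = Interval(1.0, 1.0)  # feedback level as a degenerate interval (assumed)


def modulator_step(x: Interval, u: Interval) -> List[Interval]:
    """Over-approximate image of box x after one clock cycle, for inputs in u.

    The box is split at the comparator threshold and each part is propagated
    through the difference equation of its own mode. Both parts may contain
    the threshold point itself, which keeps the result a sound over-approximation.
    """
    images = []
    if x.hi >= THRESHOLD:                           # mode q = +1
        images.append(Interval(max(x.lo, THRESHOLD), x.hi) + u - ONE)
    if x.lo < THRESHOLD:                            # mode q = -1
        images.append(Interval(x.lo, min(x.hi, THRESHOLD)) + u + ONE)
    return images


Result = Union[Tuple[str, int], Tuple[str, int, Interval]]


def interval_bmc(x0: Interval, u: Interval, safe: Interval, k: int) -> Result:
    """Bounded model checking of the safety property x[n] in `safe`.

    Returns ('unsafe', n, box) when the reachable hull leaves `safe` at some
    step n <= k (a counter-example region, to be validated concretely),
    ('safe', n) when the accumulated hull stops growing at step n, which is an
    inductive invariant and therefore a proof for every bound, not only k,
    or ('unknown', k) when the bound was exhausted without either outcome.
    """
    reach = x0
    if not reach.inside(safe):
        return ('unsafe', 0, reach)
    for n in range(1, k + 1):
        image = hull(modulator_step(reach, u))
        if not image.inside(safe):
            return ('unsafe', n, image)
        accumulated = hull([reach, image])
        if accumulated == reach:            # step(reach) is contained in reach
            return ('safe', n)
        reach = accumulated
    return ('unknown', k)


def concrete_run(x0: float, inputs: List[float]) -> List[float]:
    """Concrete simulation used to validate an interval counter-example."""
    xs = [x0]
    for u in inputs:
        q = 1.0 if xs[-1] >= THRESHOLD else -1.0
        xs.append(xs[-1] + u - q)
    return xs


if __name__ == "__main__":
    x0 = Interval(-1.0, 1.0)
    # Inputs within the full-scale range: the integrator stays in [-2, 2].
    print(interval_bmc(x0, Interval(-1.0, 1.0), Interval(-2.0, 2.0), 10))
    # Overloaded input: the bound is left after one step; validate concretely.
    print(interval_bmc(x0, Interval(-1.2, 1.2), Interval(-2.0, 2.0), 10))
    print(concrete_run(0.0, [-1.2]))
    # Slow drift: bound 10 is inconclusive, a larger bound finds the violation.
    print(interval_bmc(x0, Interval(-1.05, 1.05), Interval(-3.02, 3.02), 10))
    print(interval_bmc(x0, Interval(-1.05, 1.05), Interval(-3.02, 3.02), 40))
```

The three runs in the `__main__` block show the three outcomes the abstract talks about: a complete answer (the hull of states settles at [-2, 2] after two steps and contains its own image), a counter-example region found at step 1 that a concrete run from x = 0 with input -1.2 confirms, and a drifting state where the bound must be raised from 10 to at least 21 before the violation appears. Keeping a single hull per step is a deliberately coarse abstraction; it is sound but can report a region that no concrete trajectory reaches, which is why the concrete validation step is part of the loop.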
1.2.2 Hybrid System Approaches 
A look at the literature shows that there are many approaches to modeling, analysis and 
synthesis of hybrid systems. They can be characterized and described along several di-
mensions. In broad terms, approaches differ with respect to the emphasis on or the com-
plexity of the continuous and discrete dynamics, and on whether they emphasize analysis 
and synthesis results or analysis only or simulation only. The multi-disciplinary research 
in hybrid system theory led to different points of view when dealing with issues related to 
modeling and verification: 
• On one end of the spectrum there are approaches to hybrid systems that represent extensions of system theoretic ideas for systems (with continuous-valued variables and continuous time) that are described by ordinary differential equations to include discrete time and variables that exhibit jumps, or extend results to switching systems like piecewise affine and mixed logical dynamical models [95, 12]. Typically these approaches are able to deal with complex continuous dynamics and are amenable to symbolic analysis.
• On the other end of the spectrum there are approaches to hybrid systems that are embedded in computational models and methods, and that represent extensions of verification methodologies from discrete systems to hybrid systems. Typically these approaches are able to deal with complex discrete dynamics described by finite automata and emphasize analysis results (verification) and simulation methodologies. The approach pursued by computer scientists is to extend traditional finite-state automata by introducing progressively more complex continuous dynamics. Several models along these lines are hybrid automata [61] and their variants, e.g., piecewise-constant derivative systems [81, 31].
• There are additional methodologies spanning the rest of the spectrum that combine concepts from continuous control systems described by linear and nonlinear differential/difference equations, and from supervisory control of discrete event systems described by finite automata and Petri nets. Among these models are switching models [15] and threshold-event-driven hybrid systems (TEDHS) [18]. For instance, hybrid Petri nets, proposed by Bail et al. [71], are a combination of ordinary and continuous Petri nets. They inherit all the modeling facilities of Petri nets, such as the ability to capture concurrency, synchronization and conflicts, allowing the modeling of systems with continuous flows and linear evolutions in an intuitive way. Allam and Alla [2] present a procedure for constructing the hybrid automaton associated with a hybrid Petri net, in order to benefit from the modeling power of the latter and the analysis power of the former.
In summary, the benefits of a unified hybrid system modeling for AMS designs are numerous:
• It provides a unified view of the many behavioral aspects of AMS designs involving continuous and discrete event dynamics. Consequently, it paves the way to a reasoning mechanism on the global properties of the design.
• By taking into consideration the different dynamics and their interactions at the same time, we can capture the behavior of the system more accurately.
• From the design point of view, through a more complete study of such systems, advanced design and verification methodologies can be developed.
• Since the behavior of AMS systems is very rich and their hybrid nature makes their mathematical models quite complex, research in hybrid systems presents significant challenges; on the other hand, it offers significant promise.
Central to AMS verification is an adequate model that captures both the analog and digital behavior while remaining amenable to algorithmic analysis. In this thesis, we provide a modeling framework which is amenable to formal verification.
1.2.3 Hybrid Systems Verification 
The goal of formal verification is to prove that a representation of the actual system satisfies the desired and anticipated behavior. More specifically, in formal methods, a decision procedure checks whether a mathematical model of the design satisfies some given properties in the specification; this can be applied using several techniques such as model checking [22, 66] or theorem proving [66]. Another verification problem is to check the correspondence between two mathematical models representing different levels of the same design; this is known as equivalence or compliance checking [66]. In addition, hybrid semi-formal techniques combining simulation and formal methods have been developed as a way to benefit from the advantages of both, where logical models are used to analyze the simulation results [116].
Model checking [22] is a powerful technique developed initially for the algorithmic verification of digital systems, with the dynamic properties expressed using temporal logics [22]. Model checking has several advantages when compared to other verification approaches. It can automatically provide a complete coverage of the state space, while returning sound verification results. Furthermore, the nature of model checking makes it adequate for the verification of several interesting properties that characterize the behavior of hybrid systems. In the following, we will review the major works done in adopting model checking for hybrid systems.
1.2.4 Model Checking Hybrid Systems 
In model checking, the model of the design under verification is a kind of transition system describing all its possible behaviors, while the specification property is a temporal logic formula that is interpreted over the model by exhaustive exploration of the state space. This exploration can be either explicit or implicit [22]. In general, extending model checking techniques to the verification of hybrid systems is not a trivial task, as explained below:
• Modeling: Unlike the discrete models used in conventional model checking, the system under verification is modeled in some computational hybrid system formalism, which incorporates the discrete and continuous behavior.
• Specification: Desired properties are expressed as temporal logic formulas. However, it is very important to reason about the real-time behavior as well as the continuous-state behavior of the system. This requires extending the conventional temporal logic to support such constraints.
• Analysis: The main challenge in hybrid system model checking algorithms is to obtain information about the continuous behavior of the system. This is manifested in the solution of the system of equations. More precisely, this involves the computation of flow pipes, that is, the collection of continuous-time trajectories emanating from a set of initial continuous states.
Several techniques for model checking of hybrid systems have been proposed. They can be (roughly) classified into three categories: algebraic, on-the-fly and abstract model checking. The literature touching the different aspects of model checking verification is quite wide and spans many different research domains. We will highlight in the following the most relevant work, while in-depth investigations can be found in the references therein.
• Algebraic Methods: The application of algorithmic verification like model checking is based on the existence of analytic solutions to the differential equations and the representation of the state space in a decidable theory of the real numbers. This direction was initiated with the work of Pappas et al. [115, 70] and further extended with the work of Rodríguez-Carbonell et al. [94] and Mishra et al. [87]. Another direction was described by Henzinger et al. [59], who proposed analyzing non-linear hybrid systems by first translating the system to a linear hybrid automaton counterpart, and then using an automated model-checking algorithm on the simplified system.
While the approach allows a precise and sound verification, it is not attractive in terms of practicality, as the linearization method proposed in [59] is restrictive and finding a closed form solution is not possible for most classes of systems of ordinary differential equations (ODEs).
• On-the-fly Model Checking: This approach computes a set of reachable states that corresponds to an over-approximation of the solution of the system equations, obtained for a bounded period of time. In this approach only a partial state space is explored; hence, this can be referred to as bounded model checking (BMC). The methods combine a numerical integration of the differential equations with numerical representations of approximations of the state space, typically using (unions of) polyhedra. These techniques provide the algorithmic foundations for the tools that are available for computer-aided verification of hybrid systems [69, 4] like Checkmate [19], d/dt [8], PHAVer [35], etc.
For instance, in [51], Halbwachs et al. used a convex approximation of linear equations to describe the solution flow. The work was later implemented in HyTech [61]. HyTech supports several abstract-interpretation operators [25, 60], including the convex-hull operator and the extrapolation operator [24, 51]. Clarke et al. [20] extended the Checkmate verification toolbox with an abstraction refinement methodology.
The on-the-fly approach is the most widely investigated model checking technique for hybrid systems. Nevertheless, two main issues can be associated with the methods developed. First, the nature of the approach is bounded in time and therefore a complete verification cannot be guaranteed. Nevertheless, a property like oscillation behavior can be verified by showing an inclusion fixpoint. The other issue is the precision of the abstraction. The numerical over-approximation of the reachable states can lead to loose results that are trivial for the verification. Therefore a suitable abstract domain must be carefully chosen. Moreover, such methods should always be supported with a refinement procedure to avoid spurious counter-examples.
• Abstract Model Checking: The whole state space is subdivided into regions and then heuristic rules define the transitions between states. Conventional model checking algorithms are applied on the new abstract model of the system, which is generally described as a finite state automaton.
Alur et al. [5] used the algorithms for solving flow problems to help generate predicates for the predicate abstraction methodology. However, this work was limited to specific systems such as simple linear systems. In [59], Henzinger et al. considered linear hybrid automata where the continuous environment is partitioned into a finite number of classes such that within each class, the continuous variables are governed by constant polyhedral differential inclusions. Other work in this direction is the work by Stursberg [103, 102] and the work of Ratschan, where they used the concept of predicate abstraction at the core of a constraint solver algorithm for hybrid systems [93].
In [106] a qualitative-based approach was developed for abstract model generation for hybrid systems, based on higher derivative analysis. This work was later extended in [107] by using invariance to obtain more precise abstract models. A similar invariant-based approach was proposed in [98], where more general invariants are constructed for the whole system. In [92], the authors proposed a similar framework using the idea of barrier certificates. Barrier certificates, if they exist, are invariants that separate system behavior from a bad state. Hence, they can verify safety properties.
The a priori abstraction of the whole state space allows an unbounded verification, hence contributing to the confidence in the verification results. On the other hand, such abstraction is only suitable for checking a small class of properties (i.e., safety properties) and therefore limits the capability of the model checking. Due to the over-approximation inherent in these methods, they should always be supported with a refinement procedure to avoid spurious counter-examples.
In this thesis, we present a novel on-the-fly model checking approach for AMS designs, which provides tight bounds for the reachable states by using non-convex over-approximation. In addition, the symbolic nature of the chosen representation of the reachable states using polynomial terms has the advantage of minimizing the risk of state explosion. However, as this kind of verification is not complete in general, as stated earlier, we complement the verification with an abstract model checking approach, in order to provide a complete verification framework.
1.3 Scope of the Thesis 
1.3.1 AMS Formal Verification 
Using formal methods, two types of properties are frequently distinguished in temporal logic: safety properties state that something bad does not happen, while liveness properties prescribe that something good eventually happens. In the context of AMS designs, examples of safety properties can be about voltages at specific nodes not exceeding certain values throughout the operation. Such properties are important when designing AMS circuits, as a voltage exceeding a certain specified value can lead to failure of functionality and ultimately to a breakdown of the circuit, which can result in undesirable consequences for the whole design. On the other hand, the occurrence of oscillation or switching is a good example of a liveness property. A bounded liveness property specifies that something good must happen within a given time, for example, switching must happen within n units of time from the previous switching occurrence.
Obviously, the AMS design process must ensure, with a high degree of confidence, proper functionality in all possible situations and that the design will meet its performance requirements. Therefore, precise identification of constraints and properties, along with verification from the behavioral level through the functional and circuit levels, is needed. This motivates the necessity of using formal verification methodologies throughout the design process. An extensive state-of-the-art survey of the different research directions will be provided in the next chapter of the thesis.
The rich and diverse ideas that were developed in the hybrid systems community provided a fertile environment for exploring and adopting the application of formal methods to new domains. One such domain is analog and mixed-signal design, which as outlined earlier poses many challenges in terms of analysis and verification. On the other hand, the diversity of AMS modeling and representation, as well as of the properties that need to be checked, makes the development of a unified formal verification technique a very difficult task to achieve. Nevertheless, a formal verification framework that subsumes the different classes of designs and addresses a variety of functional and timing specifications will alleviate the verification problem. Therefore, the research presented in this thesis is concerned with the development of a formal verification framework for AMS designs. However, before we present the proposed methodology, we will review the main research activities in the application of formal methods for the verification of AMS systems. We will emphasize techniques of interest to the work presented in this thesis. A more thorough investigation of related work will be provided in Chapter 2.
1.3.2 State of the Art 
Model checking and reachability analysis were proposed for validating AMS designs over 
a range of parameter values and a set of possible input signals. Common to the proposed 
methods is the necessity for the explicit computation of the reachable sets corresponding 
to the continuous dynamics behavior. Such computation is usually approximated due to 
the difficulty of obtaining exact values for the reachable state space (e.g., closed form 
solutions for ODEs cannot be obtained in general). 
Several methods for approximating reachable sets for continuous dynamics have been proposed in the open literature. They rely on the discretization of the continuous state space by using over-approximating representation domains like polyhedra and hypercubes. In [76], the authors construct a finite-state discrete abstraction of analog circuits by providing a partitioning of the continuous state space into fixed size hypercubes. They use numerical techniques to compute the reachability relations between these cubes before applying conventional model checking on the abstract model. In contrast to the work in [76], the authors in [57] used variable sized hypercubes to model the abstract state space, while they used heuristics to identify possible transitions between adjacent regions. The a priori abstraction of the state space developed in [76, 57] is usually computationally expensive to apply. Moreover, such exploration techniques are not practical in general as, for a given set of initial conditions, only some parts of the state space need to be explored. In this thesis, we evaluate an alternative approach where we partition the state space into non-linear regions and use qualitative characteristics of the state space in order to define the transitions between the regions. Such qualitative-based partitioning is usually more precise and also leads to a smaller abstract model.
On-the-fly algorithms have been proposed with the development of the HyTech tool [61] for the verification of hybrid systems with simple dynamics using polyhedral over-approximations. To deal with the complex behavior of the circuits, the authors of [49, 117] proposed combining discretization and projection techniques of the state space, hence reducing its dimension. Variant approaches of the latter analysis were proposed. For instance, the model checking tools d/dt [28], CheckMate [50] and PHAVer [37] were adapted and used in the verification of a biquad low-pass filter [28], a tunnel diode oscillator [50], and voltage controlled oscillators [37]. Petri net based models and algorithms have also been developed for the reachability analysis of AMS designs in [74, 73].
The bounded verification for continuous-time designs we present in this thesis is in the same spirit as the above mentioned works in terms of the requirement for state exploration. However, we can identify two distinct features of our approach. First, we rely on a functional modeling form as a way to model the hybrid behavior of the design, rather than a computational model like an automaton. Such modeling provides us with a more compact representation amenable to the rich application of symbolic analysis, hence leveraging the verification. Second, we apply the verification over Taylor model forms [13, 77], which provide tight bounds for the reachable states by using non-convex over-approximation. In addition, Taylor models allow the symbolic representation of the reachable states using polynomial terms, therefore minimizing the risk of state explosion and providing a way for scalability. Apart from these features, the fact that polynomial formulas reside at the heart of modeling different classes of AMS designs is an incentive to explore different verification problems within a unified framework.
Few works were concerned with the verification of discrete-time AMS designs. For instance, in [50] a discrete version of the Checkmate tool was used to verify the stability of a ΣΔ modulator. In [28], the authors proposed to reformulate bounded time reachability analysis as a hybrid constraint-based optimization problem that can be solved by techniques such as mixed-integer linear programming [12]. The verification idea is to compute a set of worst case trajectories whose safety implies the safety of all the other trajectories. In [38], the authors proposed a bounded model checking approach for the verification of the static behavior of AMS designs. The idea is based on validity checking of first-order formulae over a finite interval of time. The authors trade off accuracy for efficiency by basing the analysis on rational numbers rather than real numbers, hence affecting the soundness of the verification. In addition, the method is limited to designs with linear dynamics.
In contrast to the above discussed work, we apply bounded model checking for discrete-time AMS designs supported with an induction theorem prover engine and a counter-example refinement procedure, allowing, in some cases, complete property verification of the designs, as will be demonstrated throughout the thesis. The superiority of the approach is derived from the fact that we overcome the time-bounded verification of current methods by extending bounded model checking with a mathematical induction engine that allows unbounded time verification. In the following, we describe the proposed methodology, preceded by a brief introduction of the basic concepts of formal verification.
1.3.3 Basic Verification Concepts 
A model checking algorithm determines whether a mathematical model of a system meets a specification that is given as a temporal-logic formula. More formally, the model checking problem is defined as follows: Given a model M of a design and a property P expressed in temporal logic, check M ⊨ P, i.e., check if P holds in the model M.
In reality, it is not always possible to generate a computational model representing all possible executions (behavior) of a design. Hence, questions about the concrete behavior of the design are most often hard or even impossible to answer. In general, the size of the state graph can be exponential in the description of the system (leading to the state explosion problem), and infinite state systems cannot be handled without further measures. Consequently, a significant amount of research in model checking has been devoted to both problems.
One possible solution is to limit the explored state space. Bounded model checking (BMC) was first put in practice in [14]. BMC aims at solving the same problem as traditional model checking; however, it has a unique setting for the verification problem. The user has to provide a bound on the number of cycles (time steps in case of analog models) that should be explored, which implies that the method is incomplete if the bound is not high enough. It then uses constraint satisfiability techniques [14] to verify the properties for the bounded steps.
As another approach, many researchers consider model abstraction as one of the most powerful tools to combat the state explosion problem. The main idea of model abstraction is to find a map between the actual set of values of state variables and a small set of abstract values such that a simulation relation (a mathematical relation) exists between the original transition system and the newly created one. The model checking problem thus becomes the following: given a model M and a temporal logic property P, compute an abstraction M* of the model and an abstraction P* of the property and check whether M* ⊨ P*. Of interest in this thesis are two forms of this abstraction concept, i.e., the abstraction refinement framework and the predicate abstraction technique.
Abstraction refinement is a methodology that tries to alleviate the complexity of the verification problem by starting with a coarse abstraction and subsequently refining it based on information from unsuccessful verification attempts [21]. On the other hand, predicate abstraction is a technique to obtain a finite approximation of an infinite state system [45]. Given a concrete infinite state system and a set of abstraction predicates, a conservative finite state abstraction is generated. Model checking is then applied on the generated system. If the property is verified, then it holds in the concrete system. Otherwise an abstract counter-example trace is generated and analyzed according to an abstraction refinement framework. An in-depth classification of abstraction concepts has been discussed in the overview paper [27].
Additionally, in some cases the verification can be achieved without the need to explore or to abstract the state space. For instance, invariant checking [118] is a technique in which a property is verified to always hold true over the structure of the system equations. Another method is induction verification [118], which is suitable to prove properties for discrete-time designs. In both approaches, the verification can be done through theorem proving or constraint solving. While incomplete in general (a negative verification answer is not conclusive), these methods are usually adequate as preprocessing steps for more complex verification tasks such as abstract model checking.
1.3.4 Proposed Verification Methodology 
The verification framework described in this thesis is composed of two proposed methodologies, each concerned with a class of AMS designs, i.e., continuous-time AMS designs and discrete-time AMS designs. The common idea behind both methodologies is built on top of Bounded Model Checking (BMC) algorithms. The BMC is achieved using symbolic simulation and constraint solving.
Briefly, the idea behind constraint solving is to solve problems by stating constraints 
about the problem area and consequently finding solutions satisfying all the constraints. 
On the other hand, symbolic simulation is a form of simulation where many possible 
executions of a system are considered simultaneously. This is typically achieved by ab-
stracting the domain over which the simulation takes place. The symbolic simulation is 
generally based on algebraic rewriting rules that are applied on the design equations. 
In general, the verification is not complete because of limitations in the time and memory needed for the verification. To alleviate the problem, we observed that under certain conditions and for some classes of specification properties, the verification can be complete if we complement the BMC with other methods like abstraction and constraint-based verification approaches.
Continuous-time AMS Verification 
The proposed verification methodology for continuous-time AMS designs is shown in Figure 1.4. For continuous-time AMS designs, bounded model checking is applied on an over-approximation of the system model based on the concept of Taylor model arithmetic. Taylor model arithmetic was developed by Berz et al. [13, 77] as an interval arithmetic extension to Taylor approximations, allowing the non-linear approximation of system reachable states using non-convex enclosure sets. In the proposed approach, state space exploration algorithms are handled symbolically with Taylor model arithmetic to verify timed temporal logic properties. Such modeling allows the computation over continuous quantities while avoiding the unsoundness inherent in the conventional numerical Taylor approximation. If there exists a path for which the property evaluates to false, then we provide a counter-example that is subject to a validation procedure to check whether it is spurious or not. If it is not spurious, then the counter-example is a concrete one and the design is proved faulty; otherwise a refinement procedure is used to remove the spurious counter-example and the verification is repeated. If all paths give true, then we say that the design satisfies the property for a bounded time.
In some cases, an unbounded verification of continuous-time designs can be achieved using the concept of lazy abstraction. We propose a qualitative abstraction approach for continuous-time AMS designs such that the satisfaction of the property in the abstract model guarantees its satisfaction in the circuit-level model. This is done in two stages. In invariant checking, the state space is initially partitioned based on the qualitative properties of the AMS model and symbolic constraint-based methods are applied to check for invariant property validation. In case of failure, an iterative verification using the concept of predicate abstraction and symbolic model checking is applied for the property validation. The extraction of the predicates is incremental in the sense that more precision can be achieved by adding more information to the original construction of the system. When the property is marked violated, one possible reason is the false negative problem due to the over-approximation of the abstraction. In this case, refinement techniques are introduced.
Figure 1.4: Verification Methodology for Continuous-Time AMS Designs (flow chart not reproduced in the text; its outcomes are labelled "Proved True for bounded time" and "Property is Proved True")
Discrete-time AMS Verification 
For the discrete-time AMS designs, the proposed verification algorithm is based on combining induction and bounded model checking to generate a correctness proof for the system, as shown in Figure 1.5. Given an AMS design described using standard recurrence equations and a set of properties, bounded model checking is applied using interval analysis [85] over the normal structure of the recurrence equations. Interval analysis is used to simulate the set of all input conditions of a given length that drive the discrete-time system from given initial states to a given set of final states satisfying the property of interest. If for all time steps the property is satisfied, then verification is ensured; otherwise we provide counter-examples for the non-proved property. Due to the over-approximation associated with interval analysis, divergence can occur, leading to false negatives. To overcome this drawback, unbounded verification can be achieved using the principle of induction over the structure of the recurrence equations. A positive proof by induction ensures that the property of interest is always satisfied; otherwise a witness can be generated that identifies a counter-example. One drawback of this method is the requirement of predefined constraints to achieve the verification. In order to find a suitable set of constraints, we resort to the d-induction verification method. The method is an algebraic version of the induction-based bounded model checking developed recently for the verification of digital designs [6]. We start with an initial set of states encoded as intervals. Then, iteratively, the possible reachable successor states from the previous states are evaluated using interval analysis based computation rules over the system equations. If there exists a path for which the property evaluates to false, then we search for a concrete counter-example. Otherwise, if all paths give true, then we transform the set of current states to constraints and we try to prove by induction that the property holds for all future states. If a proof is obtained, then the property is verified. Otherwise, if the proof fails, the BMC step is incremented; we compute the next set of interval states and the operations are re-executed.
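To make the loop concrete, the following is an added Python illustration (not the thesis's Mathematica implementation) of interval-based BMC combined with an induction step, run on a constructed first-order ΣΔ modulator recurrence v[n+1] = v[n] + u[n] - q(v[n]) with a bounded input. The recurrence, the input box, the overload bound 1.5 and the corner-point search for concrete counter-examples are assumptions of the example, not taken from the thesis.

```python
# Added illustration (not the thesis's own code): interval-based bounded model
# checking plus an induction step for a discrete-time AMS recurrence.
# Constructed design: a first-order sigma-delta modulator
#     v[n+1] = v[n] + u[n] - q(v[n]),   q(v) = +1 if v >= 0 else -1
# with input u[n] in a box U and the safety property |v[n]| <= bound.
from __future__ import annotations
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Interval:
    lo: float
    hi: float

    def __add__(self, o: "Interval") -> "Interval":
        return Interval(self.lo + o.lo, self.hi + o.hi)

    def __sub__(self, o: "Interval") -> "Interval":
        return Interval(self.lo - o.hi, self.hi - o.lo)

    def hull(self, o: "Interval") -> "Interval":
        return Interval(min(self.lo, o.lo), max(self.hi, o.hi))

    def within(self, o: "Interval") -> bool:
        return o.lo <= self.lo and self.hi <= o.hi


def quantizer_cases(v: Interval) -> list[tuple[Interval, Interval]]:
    """Split a state interval at the comparator threshold so that the one-bit
    quantizer output is constant on each piece (the discrete mode of the design).
    Both pieces may contain 0; that only over-approximates and stays sound."""
    cases = []
    if v.hi >= 0.0:
        cases.append((Interval(max(v.lo, 0.0), v.hi), Interval(1.0, 1.0)))
    if v.lo < 0.0:
        cases.append((Interval(v.lo, min(v.hi, 0.0)), Interval(-1.0, -1.0)))
    return cases


def step(v: Interval, u: Interval) -> list[Interval]:
    """Interval image of one recurrence step: one successor interval per mode."""
    return [piece + u - q for piece, q in quantizer_cases(v)]


def simulate(v0: float, inputs: list[float]) -> list[float]:
    """Concrete execution of the recurrence for a given input sequence."""
    traj = [v0]
    for u in inputs:
        v = traj[-1]
        traj.append(v + u - (1.0 if v >= 0.0 else -1.0))
    return traj


def find_concrete(v0: Interval, u: Interval, bound: float, k: int):
    """Search the corner points of the initial set and the input box for a
    concrete trajectory of length k violating the property. None means the
    interval violation could not be confirmed (possibly spurious: split v0)."""
    for start, *ins in product([v0.lo, v0.hi], *([[u.lo, u.hi]] * k)):
        if max(abs(x) for x in simulate(start, list(ins))) > bound:
            return start, list(ins)
    return None


def bmc(v0: Interval, u: Interval, bound: float, depth: int):
    """Interval BMC. Returns ("safe", hull of all states reached within `depth`
    steps) or ("violation", step, concrete witness or None)."""
    safe = Interval(-bound, bound)
    if not v0.within(safe):
        return "violation", 0, find_concrete(v0, u, bound, 0)
    frontier, reached = [v0], v0
    for k in range(1, depth + 1):
        successors = []
        for v in frontier:
            for w in step(v, u):
                if not w.within(safe):
                    return "violation", k, find_concrete(v0, u, bound, k)
                successors.append(w)
                reached = reached.hull(w)
        frontier = successors
    return "safe", reached


def inductive(hypothesis: Interval, u: Interval) -> bool:
    """Induction step: the hull of the states reached so far (all of which
    satisfy the property) is used as the constraint; if every successor of a
    state in the hull stays in the hull, the property holds for all future steps."""
    return all(w.within(hypothesis) for w in step(hypothesis, u))


def verify(v0: Interval, u: Interval, bound: float, max_depth: int):
    """BMC/induction loop: increase the BMC depth until a counter-example is
    found or the reached set becomes inductive."""
    for depth in range(max_depth + 1):
        result = bmc(v0, u, bound, depth)
        if result[0] == "violation":
            return result
        if inductive(result[1], u):
            return "proved", depth, result[1]
    return "unknown", max_depth, None
```

With v0 = [-0.1, 0.1] and u ∈ [-0.5, 0.5], the bound 1.5 is not inductive at depth 0 but is proved after one BMC step, whereas the bound 1.2 yields a concrete one-step counter-example.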
1.4 Thesis Contribution 
The main contribution of the thesis is the development of a formal verification framework that brings together a set of mathematical and computational tools for reasoning
Figure 1.5: Verification Methodology for Discrete-Time AMS Designs (flow chart not reproduced in the text; its outcomes are labelled "Proved True for bounded time", "Counter-Example Provided" and "Property is Proved True / Counter-Example Provided")
• We provide an extensive survey of the research activities in AMS formal verification [Bio:Jr-02, Bio:Cf-12].
• We introduce a functional modeling method for AMS designs, which allows the hybrid representation of the digital and continuous parts of the designs [Bio:Jr-03, Bio:Jr-05, Bio:Cf-10].
• For CT-AMS systems, we propose a bounded model checking algorithm extended with a counter-example analysis and refinement procedure. The algorithm is based on Taylor model arithmetic and symbolic simulation [Bio:Jr-05, Bio:Cf-05].
• We propose a bounded model checking algorithm for DT-AMS. The underlying idea of the BMC is based on combining symbolic simulation and interval analysis [Bio:Jr-03, Bio:Cf-06].
• We develop an induction-based verification engine for unbounded properties of DT-AMS, which extends the BMC to form the d-induction bounded model checking algorithm [Bio:Jr-03, Bio:Cf-10, Bio:Cf-09].
• We develop a qualitative-based predicate abstraction for checking unbounded properties of CT-AMS designs. The idea is based on using constraint solving to check for invariants. Additionally, qualitative predicates are extracted from the system equations to construct an abstract state space in a lazy abstraction fashion [Bio:Jr-01, Bio:Jr-04, Bio:Cf-11, Bio:Cf-08].
• We implemented the proposed algorithms and techniques in the computer algebra system Mathematica [Bio:Jr-01, Bio:Jr-03, Bio:Jr-04, Bio:Jr-05]. The advantage of using Mathematica over other systems is the availability of numerous built-in functions and proof capabilities that allow the implementation of the verification algorithms proposed in the thesis.
• We applied the verification on a variety of AMS designs at several levels of design abstraction. We checked different types of functional and timing properties. Among the examples are oscillator circuits [Bio:Jr-01, Bio:Jr-04, Bio:Jr-05], switched capacitor based designs [Bio:Jr-03] and Sigma-Delta modulators [Bio:Jr-03, Bio:Jr-05].
1.5 Thesis Organization 
In this thesis, we propose a formal verification methodology for AMS designs. The dissertation is divided into seven chapters, with each chapter beginning with an introductory paragraph and a section in which the subject of the chapter is informally introduced. A chapter is devoted to each central contribution. We conclude each chapter with a summary. In addition, experimental studies are provided whenever needed to support the corresponding theoretical development.
A sketch of the content of the next chapters is given in the following: 
Chapter 2 provides a literature overview of the relevant work on formal verification of AMS designs, along with a critical review of the various schemes used in modeling and analysis. We provide summary tables comparing the different techniques based on several criteria relevant to the thesis. We also highlight the pros and cons of the surveyed approaches.[2]
After having surveyed through the prior research in Chapter 3, we recall some basic 
definitions, fundamental analysis concept and results used throughout the thesis. The 
remainder of Chapter 3 is devoted to the modeling portion of the verification flow. We 
introduce the modeling and specification approaches used to represent the behavior and 
the properties of AMS designs. The modeling framework is built upon a discrete-time 
representation. We also present for the case of continuous-time AMS, an approximation 
criteria and establish a formal relation ensuring that the devised model preserves the main 
behavioral aspects of the AMS design under verification. 
In the next two chapters, we address the verification problem for continuous-time 
designs using two complementary approaches. In Chapter 4, we present the bounded 
model checking approach developed for continuous-time AMS designs. After providing 
background material related to the verification, a detailed description of a new symbolic 
verification algorithm is provided. A counter-example refinement procedure is also intro-
duced to enhance the verification results. We end the chapter with an application section, 
where we experimented with the verification of basic circuits. Invariant checking and 
predicate abstraction are described in Chapter 5. In this chapter we explain the method 
for representing the verification as constraint based problem in a way that allows un-
bounded verification. After introducing the technical background we describe in detail 
the verification steps before we provide illustrative results for the proposed approach. We 
2
 An expert of the field may pass directly from Chapter 1 to Chapter 3. 
28 
also show how such a verification approach can complement the bounded model check-
ing to provide a complete verification framework. This is illustrated with the tunnel diode 
oscillator circuit. 
In Chapter 6, we focus on the verification problem of discrete-time designs. We present a bounded verification algorithm based on interval analysis. To enhance the verification, we extend the verification with an induction engine in order to prove safety properties of the system. We apply the technique on several classes of discrete-time AMS designs.
Chapter 7 summarizes the results of this thesis, where a critical analysis of the contributions of the thesis is presented. The successes and limitations of this approach to verifying AMS circuits are discussed. Finally, we propose perspectives for future work.

During the last two decades, formal verification has been applied to digital hardware and software systems. Recently, however, formal verification techniques have been adapted and applied to the verification of AMS systems as a way to tackle the limitations of conventional simulation techniques [57]. In addition, hybrid semi-formal techniques combining simulation and formal based methods have been developed as a way to benefit from the advantages of these methods, where logical models are used to analyze the simulation results.
In this chapter, we provide a survey and comparison of the research activities in the field of formal verification of AMS designs with the proposed approaches in this thesis. We point out the different strengths and weaknesses of the methods and compare them to our proposed model checking approaches. In the remainder of this chapter we give an overview of equivalence checking methods applied to AMS designs, followed by deductive methods and run-time verification. We devote the last part of the chapter to a survey of the different research directions in model checking and reachability techniques for AMS designs.
2.2 Equivalence Checking 
Equivalence checking is a problem where we are given two system models and are asked whether these systems are equivalent with respect to some notion of conformance, or functionally similar with respect to their input-output behavior [66]. Verification can be based on specific properties like transient or steady state response properties, in the time domain or the frequency domain. Such a correspondence relation between designs is classically established through exhaustive testing by proving that two expressions are equivalent, which can be a difficult task for any reasonably large circuit. Instead, symbolic reasoning methods can prove or disprove equivalence using decision procedures over the whole range of inputs described symbolically.
An important requirement in behavioral equivalence is the specification of tolerances or bounds on parameters and signals, which may be needed. A failure occurs if the comparison finds that the results of both design levels are different, or differ beyond a certain tolerance. In the rest of this section, we survey the relevant work dealing with the equivalence checking problem. A comparison between these works is outlined at the end of the section.
2.2.1 Relevant Work 
In [9], the authors proposed a method for applying equivalence checking between two designs (e.g., specification and implementation) of analog systems described by their linear transfer function. The verification idea is based on the discretization of the transfer functions to the Z-domain using the bilinear transformation, whereby the design can be represented in terms of discrete-time components and encoded into an FSM representation like Binary Decision Diagrams (BDDs). The verification problem can be stated as follows: the transient behavior of the implementation mimics that of the specification iff for any initial state of the specification, there exists a state in the implementation such that the FSMs representing the two circuits produce identical output sequences for all input sequences.
The discretization of the behavior raises issues such as error analysis: a tolerance between the output sequences of the two models must be specified and accounted for. Another issue is state space explosion when the inherent discretization of the design is encoded. This is largely due to the large word size used to encode real signals. Finally, the methodology is only practical for linearized systems, as transfer function generation for non-linear circuits is very difficult in general.
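As an added illustration (not code from [9] or from the thesis), the following Python program carries out the discretization step described above in miniature: it maps two s-domain transfer functions to the Z-domain with the bilinear transformation, drives both resulting difference equations with the same input sequences, and reports the largest output deviation so it can be compared against an explicit tolerance. The transfer functions, sampling period, input sequences and tolerance are constructed sample values, not taken from [9].

```python
"""Bilinear-transform based equivalence check with a tolerance (added example).
Polynomials are coefficient lists with the highest power first."""


def poly_mul(p, q):
    """Multiply two polynomials given as coefficient lists."""
    r = [0.0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            r[i + j] += a * b
    return r


def poly_add(p, q):
    """Add two coefficient lists, aligning their constant terms."""
    n = max(len(p), len(q))
    p = [0.0] * (n - len(p)) + list(p)
    q = [0.0] * (n - len(q)) + list(q)
    return [a + b for a, b in zip(p, q)]


def poly_pow(p, k):
    """p raised to the integer power k (k >= 0)."""
    r = [1.0]
    for _ in range(k):
        r = poly_mul(r, p)
    return r


def bilinear(num_s, den_s, T):
    """Map H(s) = num_s/den_s to H(z) by substituting s = (2/T)(z-1)/(z+1).
    Both polynomials are padded to the same degree M so that every term
    becomes a degree-M polynomial in z.  Returns (b, a), normalised so that
    a[0] == 1, highest power of z first."""
    M = max(len(num_s), len(den_s)) - 1
    c = 2.0 / T

    def substitute(p):
        p = [0.0] * (M + 1 - len(p)) + list(p)
        out = [0.0]
        for k, coef in enumerate(p):
            power = M - k                                     # p[k] multiplies s**power
            term = [coef * c ** power]                        # (2/T)**power
            term = poly_mul(term, poly_pow([1.0, -1.0], power))       # (z-1)**power
            term = poly_mul(term, poly_pow([1.0, 1.0], M - power))    # (z+1)**(M-power)
            out = poly_add(out, term)
        return out

    num_z, den_z = substitute(num_s), substitute(den_s)
    a0 = den_z[0]
    return [v / a0 for v in num_z], [v / a0 for v in den_z]


def simulate(b, a, xs):
    """Run y[n] = sum_k b[k] x[n-k] - sum_{k>=1} a[k] y[n-k] from a zero
    initial state.  Since b and a have equal length, index k is the
    coefficient of z**-k once H(z) is divided through by z**M."""
    ys = []
    for n in range(len(xs)):
        acc = 0.0
        for k, bk in enumerate(b):
            if n - k >= 0:
                acc += bk * xs[n - k]
        for k in range(1, len(a)):
            if n - k >= 0:
                acc -= a[k] * ys[n - k]
        ys.append(acc)
    return ys


def max_deviation(spec, impl, T, inputs):
    """Largest |y_impl[n] - y_spec[n]| over every supplied input sequence."""
    bs, as_ = bilinear(spec[0], spec[1], T)
    bi, ai = bilinear(impl[0], impl[1], T)
    worst = 0.0
    for xs in inputs:
        for ys, yi in zip(simulate(bs, as_, xs), simulate(bi, ai, xs)):
            worst = max(worst, abs(yi - ys))
    return worst


def conforms(spec, impl, T, inputs, tol):
    """Output sequences must never differ by more than tol on any input."""
    return max_deviation(SPEC if spec is None else spec, impl, T, inputs) <= tol


# Constructed example: a first-order low-pass H(s) = wc/(s + wc) with
# wc = 1000 rad/s as the specification, and the same filter with a 5 %
# higher corner frequency (a component tolerance) as the implementation.
SPEC = ([1000.0], [1.0, 1000.0])
IMPL = ([1050.0], [1.0, 1050.0])
T = 1e-3
INPUTS = [
    [1.0] * 30,                          # step
    [1.0] + [0.0] * 29,                  # impulse
    [(-1.0) ** n for n in range(30)],    # alternating input
]

if __name__ == "__main__":
    dev = max_deviation(SPEC, IMPL, T, INPUTS)
    print("max deviation %.4f, within 0.05: %s" % (dev, conforms(SPEC, IMPL, T, INPUTS, 0.05)))
```

The deviation is largest during the transient (about 0.018 on the step input here) and vanishes at DC, which is why the tolerance has to be stated per sample rather than on the steady state alone.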
Realizing the coefficients of a transfer function exactly using actual components and devices is not always possible, as the tolerance region around the nominal characteristic must be taken into account. The ideas in [9] have been extended in [99] in the following way. Given the transfer function description of both the specification and implementation, verify the conformance of the magnitude and phase response of the implementation against the specification over a desired frequency range. The equivalence verification problem is modeled in [99] as an optimization problem by ensuring that the implementation response is bounded within an envelope around the specification under the influence of parameter variation.
The conformance in [99] is defined using the notion of product response functions of both design models over different frequency bands, which serve as objective functions for the global optimization routine. Such a definition allows s-domain verification, hence avoiding the loss of precision due to the bilinear transformation used in [9].
Conformance checking with parameter variation was also investigated in [63], where the authors present an equivalence checking method for linear analog circuits to prove that an actual circuit fulfills a specification in a given frequency interval for all parameter variations. Linear analog circuits can be described by transfer functions, extracted from the netlist by symbolic analysis methods (in the case of the implementation), resulting in a parameterized description of the circuit behavior. The main idea of the procedure is to compare by inclusion the value sets of the transfer functions of specification and implementation. To ensure soundness, the authors chose an over-approximation for the implementation transfer function while an under-approximation is chosen for the specification transfer function.
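As an added illustration (not code from [63] or from the thesis), the following Python code performs an inclusion check of the kind described above for a first-order RC low-pass filter whose component values lie in tolerance intervals. Interval arithmetic stands in for the symbolic analysis of [63]: it encloses the implementation's set of magnitude responses (an over-approximation), while the specification envelope is narrowed by a margin (an under-approximation), so a "conforms" verdict is sound. The filter, tolerances, envelope and frequencies are constructed sample values.

```python
"""Value-set inclusion check with interval arithmetic (added example)."""
import math


class Interval:
    """Closed interval [lo, hi] with just the operations needed for |H(jw)|."""

    def __init__(self, lo, hi):
        assert lo <= hi
        self.lo, self.hi = float(lo), float(hi)

    def __mul__(self, other):
        ps = [self.lo * other.lo, self.lo * other.hi,
              self.hi * other.lo, self.hi * other.hi]
        return Interval(min(ps), max(ps))

    def __add__(self, other):
        return Interval(self.lo + other.lo, self.hi + other.hi)

    def sqr(self):
        # x**2 is monotone for x >= 0; every quantity used here is non-negative
        assert self.lo >= 0
        return Interval(self.lo ** 2, self.hi ** 2)

    def inv_sqrt(self):
        # 1/sqrt(x) is monotonically decreasing for x > 0, so the bounds swap
        assert self.lo > 0
        return Interval(1.0 / math.sqrt(self.hi), 1.0 / math.sqrt(self.lo))

    def within(self, lo, hi):
        """True iff the whole interval lies inside [lo, hi] (set inclusion)."""
        return lo <= self.lo and self.hi <= hi


def rc_magnitude_set(R, C, omega):
    """Enclosure of |H(jw)| = 1/sqrt(1 + (w R C)^2) when R and C are intervals.
    The natural interval extension over-approximates the true value set."""
    w = Interval(omega, omega)
    return ((w * R * C).sqr() + Interval(1, 1)).inv_sqrt()


def spec_envelope(omega, wc, tol):
    """Specification: nominal response 1/sqrt(1 + (w/wc)^2), plus or minus tol."""
    nominal = 1.0 / math.sqrt(1.0 + (omega / wc) ** 2)
    return nominal - tol, nominal + tol


def conforms(R, C, wc, tol, margin, omegas):
    """Return (ok, first_failing_omega).  The envelope is shrunk by `margin`
    so that the specification side is under-approximated."""
    for omega in omegas:
        lo, hi = spec_envelope(omega, wc, tol)
        if not rc_magnitude_set(R, C, omega).within(lo + margin, hi - margin):
            return False, omega
    return True, None


# Constructed example: nominal R = 1 kOhm, C = 1 uF (corner at 1000 rad/s),
# checked at three frequencies with 1 % and then 10 % component tolerance.
OMEGAS = [100.0, 1000.0, 10000.0]

if __name__ == "__main__":
    tight = conforms(Interval(990, 1010), Interval(0.99e-6, 1.01e-6), 1000.0, 0.02, 0.005, OMEGAS)
    loose = conforms(Interval(900, 1100), Interval(0.9e-6, 1.1e-6), 1000.0, 0.02, 0.005, OMEGAS)
    print("1 %% tolerance: %s, 10 %% tolerance: %s" % (tight, loose))
```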
Comparing [9] with [63], we see that in the first work, the authors trade off accuracy for practicality. They adapt the developed technology based on BDD equivalence checking for the verification of analog systems. This comes at the cost of precision, which is affected by the discretization process. In contrast, the authors in the second work insist on soundness by checking that the implementation behavior is included in the specification behavior.
While the above-mentioned works are concerned with frequency domain verification, others tend to focus on verification in the time domain. For instance, in [62], the authors proposed an equivalence checking approach based on a qualitative comparison between two representations of the non-linear analog system. However, direct comparison of vector fields for non-linear systems is usually not possible. Therefore, the authors propose to apply non-linear transformations on the sampled state spaces to make the comparison possible. The difference between the evaluations of the sampled equations is then calculated, allowing the identification of behavior similarity between the two designs under verification by giving an explicit error measure. Unfortunately, finding the correct transformations is a non-trivial task and automation is not possible, leading to the introduction of some heuristics to analyze and approximate qualitative behaviors of the circuits, but affecting the soundness of the methodology. The authors applied their methodology to the comparison of two CMOS inverters with different parameters as well as the verification of an Opamp against its specification.
Another equivalence checking verification approach was proposed in [97] for verifying VHDL-AMS designs. The idea is based on combining equivalence checking, rewriting systems and simulation into one verification environment. The verification methodology consists of partitioning the specification and implementation codes into digital, analog and data converter components. Digital components are verified using classical equivalence checking, while analog specification and implementation are simplified using rewriting rules and pattern matching. Furthermore, the outputs are fed to comparators to be verified using simulation. This syntactic method can only be performed on simple designs where rewriting techniques can be easily applied. While the presented methodology is practical, it ignores the coupling between the analog and digital parts.
Such syntactic verification for analog circuits can only be applied when the designs are treated at a higher level (architectural or behavioral and functional levels), as at a low level, non-linear behavior makes such approaches impractical for verification. Instead of direct simulation, the advanced verification techniques mentioned earlier can be used to compare analog model behaviors.
2.2.2 Discussion 
In general, the nature of analog circuits, most notably the presence of tolerance margins, makes equivalence verification a difficult problem. However, with careful definition of bounds on the parameters as well as the signals, certain compliance relations can be checked. In addition, in contrast to equivalence checking for digital systems, where a canonical representation allows easy comparison of two function representations, no such form exists for analog systems, and all the methods presented are design driven in the sense that a priori knowledge of the qualitative and quantitative properties of the design under verification is a requirement for applying the methodology. Table 2.1 draws a brief comparison among the above mentioned projects. The table describes the class of system verified, the models used, the analysis regions and domains, the adopted analysis techniques, the tool used, and the case studies verified.
In summary, equivalence checking as it currently stands is premature and computationally expensive. The extensive use of over-simplification of the designs casts doubt on the soundness of the proposed approaches. A trade-off between automation and soundness was explored using deductive methods, as shown next.
Table 2.1: Equivalence Checking Techniques [table body lost in extraction]
2.3 Proof Based and Symbolic Methods 
Theorem provers are formal systems that were developed to prove design properties using formal deduction based on a set of inference rules [66]. Even though these deductive methods are not constrained by any decidability frontiers, their application requires expertise and significant human intervention, which makes their application to complex systems very difficult. Much research has focused on extending theorem provers with decision procedures for verification assistance and automation, as well as on formalizing important theories like real analysis. Some primary efforts on verifying AMS systems using theorem provers started recently. In addition to deductive based methods, induction and symbolic based methods were also proposed to prove properties of some classes of AMS designs.
2.3.1 Relevant Work 
In [41], the authors used the PVS theorem prover to formally prove the functional equivalence between behavioral specifications of VHDL-AMS designs and approximated linearized models of their synthesized netlists. The verification was applied for DC and small signal analysis. The ideas presented can be considered as a starting point for a methodology to verify analog designs, yet important extensions should be studied further, like avoiding informal linearization, in addition to tackling more complex verification issues, especially those related to AC analysis.
Similar but more elaborate research was done in [54]. The author proposed an approach for specifying and reasoning about implementations of digital systems that are described at the analog level of abstraction. The approach relies upon specifying the behaviors of analog components (such as transistors) by conservative approximation techniques based on piecewise-linear predicates on voltages and currents. Theorem proving was initially used to check for the implication relation between the implementation and the specification [52]. In order to automate the verification process, the author afterwards proposed the usage of constraint based techniques instead [53].
2.3.2 Discussion 
In Table 2.2, we highlight the main points of the work surveyed. The table describes 
the class of system verified, the models used, the analysis domains, the adopted analysis 
techniques, the tools used, and the case studies verified. 
Compared with the equivalence checking methods presented earlier, theorem proving provides a sound answer to the verification problem. However, verifying complex behavior of the designs is a laborious and challenging task, and only primitive properties of the designs can be checked. In order to verify more complex properties, and to make the verification process more efficient, run-time verification approaches were proposed, as discussed in the next section.
2.4 Run-Time Verification 
Run-time verification (logic based monitoring) methods were developed where no computational model is needed prior to the verification, avoiding state space explosion [116]. By employing logical monitors, an efficient analysis of the results is achieved, avoiding exhaustive inspection, by testing whether a given behavior satisfies a property [104]. Monitors for hybrid systems have been developed in [104], where the authors developed tools for monitoring real-time and hybrid systems. Timed and linear hybrid automata can be used to monitor real-time and hybrid behavior, respectively.
Table 2.2: Theorem Proving [table body lost in extraction; only fragments of one row survive: models "set of predicates over real", domain "Time", technique "Deduction and constraint solving", tool "N/A", case study "TTL"]
Property monitoring of AMS designs is performed in general using assertions and tests. The monitoring can be described in general as follows: the AMS design under verification is simulated by attaching it to a testbench which provides the inputs necessary to drive it while monitoring its output. Assertions have the property that they are always checked, regardless of what tests are running. An assertion is a piece of code that continually observes one or more signals and raises a fault when it detects an error condition. Assertions can be placed in the models or in the circuit, where they check that the design is being used correctly. The monitor could be as simple as observing a current or voltage, or could be more complicated, taking several signals, processing them and then comparing against the expected results.
The main challenge in this technique is the development of adequate monitors. This process can be performed in two different fashions, namely offline and online monitoring [79]. Offline monitoring starts after the whole sequence is given. Online monitoring is interleaved with the process of reading the sequence and is similar to the way the sequence is read by an automaton. The two types of monitoring have their strengths and weaknesses. Offline monitoring allows the verification of more complex properties like those described backward in time (e.g., using past operators). However, offline monitoring requires the gathering of simulation or execution data in advance, which can cost a lot of time and memory resources. In addition, violations are not detected as soon as they happen but only after the simulation is finished. On the other hand, online monitoring is more practical when simpler properties need to be verified, and violations are identified as soon as they occur. In the following we survey the main projects concerned with monitoring AMS designs.
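As an added illustration (not code from the thesis or from any of the surveyed projects), the following Python monitor reads a sampled oscillatory trace one sample at a time, in the online fashion described above, and reports the first violation of an amplitude bound or of a period (jitter) bound as soon as it occurs, without waiting for the rest of the trace. The automaton structure, the bounds and the traces are constructed for this example.

```python
"""Online monitor for amplitude and period bounds on an oscillation (added example)."""
import math


class OscillationMonitor:
    """Two-state automaton: before the first rising zero crossing it only
    checks amplitude; afterwards it also times the gap between crossings."""

    def __init__(self, tmin, tmax, amax):
        self.tmin, self.tmax, self.amax = tmin, tmax, amax
        self.n = -1              # index of the sample just consumed
        self.prev = None         # previous sample value
        self.last_cross = None   # index of the last rising zero crossing
        self.violation = None    # latched (index, reason) of the first failure

    def step(self, x):
        """Consume one sample; return (index, reason) as soon as the property
        fails, or None while it still holds."""
        if self.violation is not None:
            return self.violation
        self.n += 1
        if abs(x) > self.amax:
            self.violation = (self.n, "amplitude")
        elif self.prev is not None and self.prev < 0 <= x:      # rising crossing
            if self.last_cross is not None:
                period = self.n - self.last_cross
                if not (self.tmin <= period <= self.tmax):
                    self.violation = (self.n, "period")
            self.last_cross = self.n
        elif self.last_cross is not None and self.n - self.last_cross > self.tmax:
            # no crossing for longer than tmax: the oscillation stalled or slowed
            self.violation = (self.n, "period")
        self.prev = x
        return self.violation


def monitor_online(trace, tmin, tmax, amax):
    """Feed the trace sample by sample and stop at the first violation."""
    m = OscillationMonitor(tmin, tmax, amax)
    for x in trace:
        v = m.step(x)
        if v is not None:
            return v
    return None


def make_trace(n, period, amp, glitch_at=None, glitch_value=0.0):
    """Constructed sampled sinusoid (rounded so exact zeros stay zero),
    optionally with one sample overwritten to inject a fault."""
    xs = [round(amp * math.sin(2 * math.pi * i / period), 9) for i in range(n)]
    if glitch_at is not None:
        xs[glitch_at] = glitch_value
    return xs


if __name__ == "__main__":
    clean = make_trace(100, 20, 1.0)
    glitched = make_trace(100, 20, 1.0, glitch_at=45, glitch_value=3.0)
    slowed = make_trace(60, 20, 1.0) + make_trace(60, 30, 1.0)
    for name, tr in [("clean", clean), ("glitched", glitched), ("slowed", slowed)]:
        print(name, monitor_online(tr, 18, 22, 1.2))
```

On the slowed trace the monitor reports the period violation at sample 83, as soon as the bound of 22 samples since the last crossing is exceeded, rather than at sample 90 where the late crossing actually arrives.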
2.4.1 Relevant Work 
In [78], the authors proposed an offline methodology for monitoring the simulation of continuous signals described by differential equations. This work is based on extending the PSL (Property Specification Language) [1] logic to support monitoring analog signals, by defining the syntax and semantics of metric timed linear temporal logic (MTL) [105] and extending it with predicates over reals to define the signal temporal logic (STL) [78]. STL is then synthesized into timed automata [80, 79] which monitor simulation traces to check for property violations in an online fashion. The approach was implemented in [90]. No technique for test case generation is proposed.
A different effort for using PSL properties to monitor AMS designs was proposed 
in [Bio:Cf-04], where the authors generated observers from PSL properties to monitor the 
simulation behavior of discrete-time designs using symbolic methods. While the approach 
is applicable only to discrete-time circuits, it has the advantage of using the standard PSL 
language making it attractive to be incorporated in the design flow. 
In [29, 30], the authors use an extended temporal logic, AnaCTL (CTL for analog circuit verification), for monitoring the transient behavior of non-linear analog circuits. The transient response of a circuit under all possible input waveforms is represented as an FSM created by means of repeated SPICE simulations, bounding and discretizing the continuous state space of an analog circuit. Exhaustive simulation is again a drawback, as the created FSM is not guaranteed to cover the total transient behavior, leading to a soundness problem.
An online monitoring technique was proposed in [36], where the authors used linear hybrid automata as template monitors for time domain features of oscillatory behaviors, such as bounds on signal amplitude and jitter. For automata with an error state, the reachability computation can be stopped as soon as this state is reachable. The monitors are used within the PHAver tool, where nonlinear circuit equations are modeled with piecewise affine differential inclusions.
In [Bio:Cf-13], the authors propose an online monitoring methodology for analog systems. They present a run-time verification methodology based on monitoring the behavior (solution flow) of analog circuits validated using interval analysis. Given the system description and its specification, described by non-linear differential equations and timed computational temporal logic (T-CTL) formulas, respectively, the authors build a timed automata monitor which can detect bad behavior within a specified time period of the interval arithmetic simulation.
2.4.2 Discussion 
Run-time verification, although considered only a partial verification technique, combines desirable properties from simulation and formal verification while avoiding the undesirable ones. No computational model needs to be generated prior to the verification, avoiding state space explosion. By employing logical monitors, an efficient analysis of the results is achieved, avoiding exhaustive inspection by engineers.
Table 2.3 summarizes the main characteristics of the described projects. The table describes the class of systems verified, the models used, the monitor languages, the monitoring methods, analysis regions and domains, the adopted analysis techniques, the tools used, and the case studies verified.
Run-time verification is considered an enhancement of simulation methods. It allows the detection of faulty properties that are usually hard to detect by simple observation of simulation results. Yet, run-time verification suffers from the major problems of simulation, which lacks the exhaustive machinery needed to gain confidence in the verification results. We believe that model checking techniques stand at a middle ground between the above mentioned approaches. Model checking offers the rigor needed in verification while allowing the automatic verification of complex properties.
2.5 Model Checking and Reachability Analysis 
Model checking was initially developed for discrete finite state systems and has been successful in validating communication protocols and hardware circuits. In recent years [61], model-checking algorithms have also been developed for real-time systems that are described by discrete programs with real-valued clocks, as well as for hybrid systems. Model checking and reachability analysis of AMS designs have the potential of validating designs over a range of parameters and for all possible input signals all at once, such that none of them drives the system into a bad state. An important issue is the solution of the system of differential equations; that is, the collection of continuous time trajectories starting from a set of initial states, where in practice the initial conditions are usually not known exactly but only known to lie within some range. However, the effectiveness of model checking is severely constrained by the state space explosion problem and even undecidability limitations when systems are described by differential equations [65]. It is not always possible to generate a computational model representing all possible executions (behaviors) of a program as well as all its possible execution environments. In such cases, abstraction techniques are usually required in order to achieve the verification task [68].
2.5.1 Relevant Work 
The first effort in applying model checking to electronic designs is the work in [76], where the authors proposed the verification of digital designs at the transistor level. Given a circuit, they construct a finite-state discrete abstraction by partitioning the continuous state space representing the characteristics of transistors into fixed-size multidimensional cubes. Heuristic methods are then used to predict possible transitions between these cubes. The final constructed model is then encoded into an automaton that is subsequently verified against some properties using conventional model checking techniques.
In a series of papers [48, 47, 117], the authors proposed overcoming the expensive computational method in [76] by using discretization and projection techniques of the state space into a category of geometric polygons called projectahedra (projected polyhedra) [49]. Such models have the property of reducing the dimension of the state space, while maintaining an over-approximation of the dynamic behavior of the design. While this method results in less precise analysis due to projection, it still allows sound verification. Such an approach proved useful for the verification of designs with high dimension state spaces, as reported in [117]. Variant approaches of polyhedral based analysis were adapted in [28, 50].
In [28], the authors used techniques developed for hybrid system verification to verify AMS designs. For systems described using differential equations, they use the tool d/dt [8] to over-approximate the reachability analysis. In [50], the authors use the Checkmate tool for the verification of AMS designs. The tool is based on constructing abstractions of the continuous dynamics using flow pipe approximations, which are sequences of polyhedra that follow the natural contour of the vector field. Therefore, the state space is partitioned along the waveforms that the system can generate for the given set of initial conditions, and there is no need to discretize the entire state space. Checkmate specifications to be verified can be provided as ACTL formulas. For the verification of systems like the ΔΣ modulator, which is described by discrete time components, a modification of the tool to support discrete time analysis was proposed [50].
The work in [50] has been extended further in [37] for the PHAver tool. In this 
work, the authors proposed a refinement process for the state space, which is carried out 
using iterations between forward and backward reachability. Such technique as claimed 
in [37] allows generating more precise bounds for the reachable states. 
In [74], the authors proposed modeling analog designs using timed hybrid Petri nets (THPN), which are an extension of Petri nets for real-time and hybrid systems. They proposed two methods for the generation of the THPN verification model. In the first method, they translate the circuit's differential equations into THPNs. This is done by first discretizing the state space as in [55, 56] and then encoding the state space into THPNs. Additionally, they developed an algorithm in [75] to generate THPNs from simulation data. Over-approximation based analysis is applied on the generated model. In [86], the authors compared verification using their methodology in [74] against simulation results, by examining the effect of variable delays caused by parasitic capacitances and interconnect capacitances on the performance and functionality of the circuits. In [73], they enhanced their methodology in [74] by using a variant of Petri nets named labeled hybrid Petri nets (LHPNs), which offer a more efficient representation. BDD based symbolic algorithms and satisfiability modulo theories (SMT) [82] techniques are then applied in [112, 113] to check for properties of the design.
The bounded verification for continuous-time designs we present in this thesis is in the same spirit as the above mentioned works in terms of the requirement for state exploration. However, we identify two distinct points. First, we rely on a functional based modeling form as a way to model the hybrid behavior of the design rather than a computational model like an automaton. Such modeling provides us with a more compact representation amenable to the rich application of symbolic analysis, hence leveraging the verification. Second, we apply the verification over Taylor model forms, which provide tight bounds for the reachable states by using non-convex over-approximation. In addition, Taylor models allow the symbolic representation of the reachable states using polynomial terms, therefore minimizing the risk of state explosion.
In contrast to the on-the-fly techniques mentioned above, a priori state space division has been explored as a way to obtain abstractions of the analog behavior of the systems. In [55, 56], the authors proposed to use an automatic state space subdivision method, by discretizing the whole continuous state space into variable sized regions, where each of these regions represents a homogeneous part of the state space and is treated as a discrete state of the simplified system. Estimation techniques are then proposed to describe possible transitions between partitions under the condition of retaining the essential nonlinear behavior of the analog system. Different criteria take care of the resulting error during discretization and try to automatically minimize the error by choosing a suitable subdivision of the state space. The discretized state space is then encoded and CTL based model checking is applied. The proposed approach was implemented in a tool called Amcheck [57].
In [44], the authors proposed extending their previous work for the verification of 
time constraints of analog signals like rise and fall time. The presented extensions are 
based on developing the analog specification language ASL [100] tailored to represent 
properties of interest in analog circuit design, such as offset, gain, rise time, and slew 
rate. 
The a priori abstraction of the state space developed in [76, 57] is computationally expensive to apply. Moreover, such an exploration technique is not practical in general as, for a given set of initial conditions, only some parts of the state space need to be explored. In this thesis, we try an alternative approach where we propose to partition the state space into non-linear regions and use qualitative characteristics of the state space in order to define the transitions between the regions. Such qualitative based partitioning is usually more precise and also leads to smaller abstract models.
In order to tackle the state explosion problem for the class of discrete time AMS designs, they proposed to use techniques from optimal control (i.e., hybrid constrained optimization) in order to find bounds of the reachability. The idea is to reformulate bounded time reachability analysis as a hybrid constrained based optimization problem that can be solved by techniques such as mixed-integer linear programming (MILP) [12]. The basic idea is to compute a set of worst case trajectories which implies the safety of all other trajectories.
In [38], the authors developed a bounded model checking tool (Property-Checker) for the verification of the quasi-static behavior of AMS designs. The basic idea is based on validity checking of first order formulas over a finite interval of time steps using SMT. In contrast to other approaches, the work presented in [38] trades off accuracy for efficiency by basing the analysis on rational numbers rather than real numbers.
The approach used in [38], while it avoids the over-approximation issue, is limited to simplified models of AMS designs. In fact, the approach does not support systems described using differential equations; it is, however, more suitable for systems described using difference equations.
2.5.2 Discussion 
Tables 2.4(a) and 2.4(b) give a comparison between the work presented in this section. 
They describe the class of system verified, the models used, the analysis regions and 
domains, the adopted analysis and state space partitioning techniques, the tools used, and 
the case studies verified. 
Table 2.4: Model Checking Techniques. (a) Comparisons Table; (b) Comparisons Table (Cont.). [Table cells are not recoverable from the scan; the surviving entries name each project, its model class (e.g., non-linear) and case studies such as the Van der Pol oscillator and toggle circuit [50], a low pass filter and a ΔΣ modulator.]
Unlike the presented works, in this thesis we provide a methodology that combines several model checking techniques in an effort to enhance the verification results. We provide a novel on-the-fly model checking approach for AMS designs, which provides tight bounds for the reachable states by using non-convex over-approximation. In addition, the symbolic nature of the chosen representation of the reachable states, using polynomial terms, has the advantage of minimizing the risk of state explosion. However, as this kind of verification is not complete in general, as stated earlier, we complement the verification with an abstract model checking approach, in order to provide a complete verification framework.
2.6 Summary 
In this chapter, we provided a summary of the research activities in the application of formal methods to the verification of AMS systems. We tried to be as exhaustive as possible in collecting the different related work as well as giving comparisons among the proposed research.
As the field of research has not reached the maturity phase yet, standard aspects for comparing the various projects are not well defined, and there is a lack of a coherent framework and criteria that would allow a theoretical analysis and comparison of the methods. We made some efforts in this direction by categorizing and comparing the available state-of-the-art projects in several aspects which we believe are important to identify the qualitative strengths and weaknesses of each project.
One drawback of our comparison is the lack of testing of the several approaches. This is due to different reasons. First, the public unavailability of the prototypes developed in the various projects. Second, the lack of benchmarks required for comparison. We hope that in the future these two obstacles can be overcome, so that more insights can be gained about the available methodologies for AMS formal verification.
In the next chapter, we will provide the necessary theoretical concepts required for the development of the verification methodologies proposed in this thesis. We will also tackle one of the main challenges of the verification, which is the development of an adequate model that preserves the required behavior. In this respect, we will provide a

During the AMS analysis and verification phase, we usually provide mathematical models that capture the relevant behavior of the designs at different levels of abstraction. For instance, continuous-time models can express a design's behavior in great detail and can thus be seen as residing at the lower end of the abstraction scale. Such models are generally based on differential equations that capture the corresponding functional behavior of the given design as well as its physical characteristics.
Typically, an AMS design can be seen as a composition of two main components, i.e., a continuous-time or a discrete-time analog component and a discrete event controller (digital component) connected through signal interfaces. The analog component is usually composed of circuits built from basic passive and active components (resistors, capacitors, inductors, transistors, etc.), connected to various current and voltage sources in a certain topology, achieving a specific desirable behavior (e.g., filtering, amplification, etc.). The digital component is generally modeled at a higher level of abstraction (i.e., register level or behavioral model). An interface converting between the components' signals (analog and digital signals) can take the form of a threshold event generator based on comparator circuits. An interface can also be a set of electronic switches that choose between different dynamics based on the signals applied at their inputs. We can therefore view AMS designs as a class of hybrid systems described generally using piecewise modeling, with piecewise constraints (threshold detection and/or switching conditions) to determine the choice of the appropriate analog dynamics. In the case of continuous-time AMS designs, the dynamics of the analog circuits are usually described using differential algebraic equations (DAEs) or systems of ordinary differential equations (ODEs), while for discrete-time AMS designs, the dynamics of the analog circuits are usually described using systems of difference (recurrence) equations (DEs).
In this chapter, we provide a unified modeling framework for both continuous-time and discrete-time AMS designs. Such modeling can be seen as a generalization of piecewise modeling which is suitable for symbolic analysis and formal verification. However, due to the difficulty of obtaining a closed-form solution for the system of ODEs of continuous-time AMS designs [111], for practical analysis we also provide a necessary condition for obtaining a precise approximation of the design models, hence ensuring the soundness of the verification.
The first part of this chapter reviews some basic definitions and concepts that will be used throughout the thesis. We will define the concept of generalized If-formula, and overview the basics of symbolic simulation, interval arithmetic and Taylor approximation theory. Next, we provide a modeling scheme for AMS designs based on generalized If-formulas, followed by an abstraction approach preserving the behavior of the continuous-time designs. After that, we introduce the specification languages necessary for representing the properties of interest. Following these introductory materials, we show how symbolic simulation can be used to obtain a simplified form of the design equations.
3.1 Basic Concepts 
3.1.1 Generalized If-Formula 
Conditional constructs like (if-then-else) statements are features of many programming languages which perform selected actions depending on whether a specified condition evaluates to true or false. In the context of functional programming, these constructs are referred to as conditional expressions (if expressions), as the outcome of the selection is usually an evaluated expression [3]. Moreover, a conditional expression can be seen as an algorithmic generalization of piecewise modeling, where nested expressions are allowed.
In the context of hardware modeling and verification, the concept of generalized If-formula expression was defined by Moore [84] and subsequently used by Al-Sammane in order to model VHDL designs [3]. In this thesis, generalized If-formula expressions extend piecewise expressions to describe the hybrid behavior of AMS designs. A generalized If-formula is formally defined as follows:
Definition 3.1.1. Generalized If-formula.
Let $\mathbb{K}$ be a numerical domain ($\mathbb{N}$, $\mathbb{Z}$, $\mathbb{Q}$, $\mathbb{R}$ or $\mathbb{B}$); a generalized If-formula is one of the following:
• A variable $x_i(n) \in x(n)$, with $i \in \{1,\dots,d\}$, $n \in \mathbb{N}$ or $n \in \mathbb{R}$, and $x(n) = \{x_1(n),\dots,x_d(n)\}$.
• A constant $C \in \mathbb{K}$.
• Any arithmetic operation $\diamond \in \{+,-,\div,\times\}$ between $x_i(n) \in \mathbb{K}$.
• A comparison formula: any expression constructed using a set of $x_i(n) \in \mathbb{K}$ and a comparison operator $\alpha \in \{=,\neq,<,\le,>,\ge\}$.
• A logical formula: any expression constructed using a set of $x_i(n) \in \mathbb{B}$ and logical operators: not, and, or, xor, nor, etc.
• An expression $IF(X,Y,Z)$, where $X$ is a logical formula or a comparison formula and $Y$, $Z$ are any generalized If-formulas. Here, $IF(x,y,z): \mathbb{B} \times \mathbb{K} \times \mathbb{K} \to \mathbb{K}$ satisfies the axioms:
(1) $IF(True,X,Y) = X$
(2) $IF(False,X,Y) = Y$
Note: When modeling continuous-time AMS designs, a continuous-time If-formula denotes a generalized If-formula where $n$ is inter﻿preted as the continuous time variable, and we will refer to the index $n$ by $t \in \mathbb{R}$. Otherwise, for a discrete-time description we understand that the index $n \in \mathbb{N}$ refers to the discrete-time variable.
3.1.2 Taylor Approximation
Classical numerical approaches for solving an initial value problem consider a sequence of discrete points $t_0, t_1, \dots, t_m$ for which the solution is approximated. At each new point $t_{i+1}$, the solution $x(t_{i+1})$ is approximated by a value $x_{i+1}$ computed from the approximated values at the previous points. Taylor series methods [39] are single-step methods that use the Taylor series expansion of the solution function around a point to obtain an approximation of its value at the next point. This series is computed up to a given order, requiring the evaluation of higher order derivatives of the function. The basic idea is to use the approximation $x[t_{k+1}] = f(x[t_k]) + \mathcal{R}_m$ of the ODE $\dot{x} = f(x)$ as a truncated Taylor series for $x(t)$, expanded about time instant $t_k$, with a remainder term $\mathcal{R}_m$.
Theorem 3.1.1. Taylor Approximation [39].
Suppose a function $f: \mathbb{R}^d \to \mathbb{R}$ over state vector $x \in \mathbb{R}^d$ is $m+1$ times partially differentiable on the interval $[a,b]$. Assume $x_0 \in [a,b]$, such that $a, b \in \mathbb{R}^d$; then for each $x \in [a,b]$, $\exists \lambda \in \mathbb{R}$, $0 < \lambda < 1$, such that:
where $\nabla = i_1 \frac{\partial}{\partial x_1} + \dots + i_d \frac{\partial}{\partial x_d}$ and $\Lambda = x_0 + \lambda(x - x_0)$.
One way of defining solutions is to specify how to generate a future behavior $x(t)$ of the system from any initial state. This approach is closely related to providing a simulation algorithm: in a specific discrete location, integration of the equation gives the unique solutions inside this location. In general, to obtain an approximate solution of the ODE system, we consider a sequence of discrete time points $t_0, t_1, \dots, t_m$ for which the solution is approximated, with $h_i = t_{i+1} - t_i$. If the solution $x(t)$ of an ODE system $\dot{x} = f(x)$ is a function which is $p+1$ times continuously differentiable on the open interval $(t_i, t_{i+1})$, then, from the Taylor approximation theorem, we have:
$x(t_{i+1}) = x(t_i) + \sum_{k=1}^{p} \frac{h^k}{k!}\, x^{(k)}(t_i) + \frac{h^{p+1}}{(p+1)!}\, x^{(p+1)}(\xi)$
with $h = t_{i+1} - t_i$, $\xi \in [t_i, t_{i+1}]$ and $\forall k \in [1, p+1]$, $x^{(k)} = f^{(k-1)}(x(t), t)$, where the vector function $f$ is composed of $d$ elementary functions $f_q(x_1,\dots,x_d)$, $q \in \{1,\dots,d\}$, such that:
$f_q^{(k)}(x_1,\dots,x_d) = \sum_{m=1}^{d} \frac{\partial f_q^{(k-1)}(x_1,\dots,x_d)}{\partial x_m}\, f_m(x_1,\dots,x_d)$
3.1.3 Interval Arithmetics
Interval domains make it possible to extend the notion of real numbers by introducing a sound computation framework [85]. In fact, the computer representation of real numbers suffers from the problem of precision approximation due to limited digits. In interval arithmetic, however, we deal with domains represented by their endpoints. Thus, computation is carried out over intervals that include the real number with full precision. Basic interval arithmetic is defined as follows:
Let $I_1$ and $I_2$ be two real intervals (bounded and closed); the basic arithmetic operations on intervals are defined by:
$I_1 \diamond I_2 = \{r_1 \diamond r_2 \mid r_1 \in I_1 \wedge r_2 \in I_2\}$
with $\diamond \in \{+,-,\times,/\}$, except that $I_1 / I_2$ is not defined if $0 \in I_2$, as shown below [85]:
$[a,b] +^I [a',b'] = [a+a',\ b+b']$
$[a,b] -^I [a',b'] = [a-b',\ b-a']$
$[a,b] \times^I [a',b'] = [\min(aa',ab',ba',bb'),\ \max(aa',ab',ba',bb')]$
$1 /^I [a,b] = [1/b,\ 1/a]$ if $0 \notin [a,b]$
$[a,b] /^I [a',b'] = [a,b] \times^I (1 /^I [a',b'])$
In addition, other elementary functions can be included as basic interval arithmetic operators. For example, exp may be defined as $\exp([a,b]) = [\exp(a), \exp(b)]$. The fundamental property of interval analysis that ensures soundness of the analysis is described using the following definition:
Definition 3.1.2. Inclusion Function [85].
Let $f: \mathbb{R}^d \to \mathbb{R}$ be a continuous function; then $F: \mathbb{I}^d \to \mathbb{I}$ is an interval extension (inclusion function) of $f$ if
$\{f(x_1,\dots,x_d) \mid x_1 \in X_1, \dots, x_d \in X_d\} \subseteq F(X_1,\dots,X_d)$
where $\mathbb{I}$ is the interval domain and $X_i \in \mathbb{I}$, $i \in \{1,\dots,d\}$.
In order to deal with the discrete part of the AMS design, as a generalization of the inclusion function, interval analysis provides efficient and safe methods for checking truth values of Boolean propositions over intervals by using the notion of an inclusion test.
Definition 3.1.3. Inclusion Test.
Given a constraint $c: \mathbb{R}^d \to \mathbb{B}$, we define $C_I: \mathbb{I}^d \to \mathbb{B}_I$ to be an inclusion test of $c$, with a Boolean interval domain defined by the three-valued set $\mathbb{B}_I = \{0, 1, [0,1]\}$, where 0 stands for false, 1 for true and $[0,1]$ for indeterminate, iff:
$\{c(x_1,\dots,x_d) \mid x_1 \in X_1, \dots, x_d \in X_d\} \subseteq C_I(X_1,\dots,X_d)$
where $X_i \in \mathbb{I}$, $i \in \{1,\dots,d\}$.
The inclusion test can be used during the verification algorithm to prove whether the reachable interval states satisfy a given property or not. We define the inclusion test as follows: $C_I(X) = 1 \Rightarrow \forall x \in X,\ c(x) = 1$ and $C_I(X) = 0 \Rightarrow \forall x \in X,\ c(x) = 0$.
Let $x_I = [a,b]$ and $y_I = [a',b']$ be two real intervals. Boolean intervals will be used to extend predicates over reals to intervals. For instance:
$x_I <^I y_I = 1 \Leftrightarrow b < a'$
$x_I \in^I y_I = 1 \Leftrightarrow x_I \subseteq y_I \Leftrightarrow a \ge a' \text{ and } b \le b'$
$x_I \cap^I y_I = [\max(a,a'),\ \min(b,b')]$
3.1.4 Taylor Models
Taylor model arithmetic was developed by Berz et al. [13, 77] as an interval extension to Taylor approximations, allowing the non-linear approximation of system reachable states using non-convex enclosure sets. Formally, a Taylor model $T_f := p_r(x) + I$ for a given function $f$ consists of a multivariate polynomial $p_r(x)$ of order $r$ in $d$ variables, and a remainder interval $I$, which encloses the Lagrange remainder of the Taylor approximation. Hence, Taylor model arithmetic uses interval computation to obtain reliable enclosures not only for the error term but also for every term of the series, allowing the computation of an over-approximation of the solution function at each time point. In addition, symbolic simplifications are applied at each step, hence reducing the interval calculations and consequently delaying the divergence problems usually associated with interval based techniques.
Definition 3.1.4. Taylor Model.
$T_f := (P_{r,f}, I_{r,f})$ is called a Taylor model of order $r$ of a function $f$ $\Leftrightarrow$ $\forall x \in X: f(x) \in P_{r,f}(x - x_0) + I_{r,f}$, where $X$ is an interval and $P_{r,f}(x - x_0)$ is a Taylor approximation polynomial of order $r$ around the point $x_0$. An interval $I_{r,f}$ is called a remainder bound of order $r$ of $f$ on $X$ $\Leftrightarrow$ $\forall x \in X: R_{r,f}(x - x_0) \in I_{r,f}$.
The basic arithmetic rules on Taylor models are defined as follows [13, 77]:
• Addition: $T_{r,f+g} = T_{r,f} + T_{r,g} = (P_{r,f} + P_{r,g},\ I_{r,f} + I_{r,g})$
• Scalar multiplication: $T_{r,\alpha f} = \alpha T_{r,f} = (\alpha P_{r,f},\ \alpha I_{r,f})$, ($\alpha \in \mathbb{R}$)
• Multiplication: $T_{r,fg} = T_{r,f}\, T_{r,g} = (P_{r,fg}, I_{r,fg})$
with:
- $P_{r,f}\, P_{r,g} = P_{r,fg} + P_e$
- $P_e \in I_{P_e}$
- $P_{r,g} \in I_{P_{r,g}}$
- $I_{r,fg} = I_{P_e} + I_{P_{r,f}}\, I_{r,g} + I_{r,f}\,(I_{P_{r,g}} + I_{r,g})$
where $I_{P_{r,f}}$ and $I_{P_{r,g}}$ are the interval evaluations of $P_{r,f}$ and $P_{r,g}$ respectively. $I_{P_e}$ is the interval evaluation of $P_e$, which is a polynomial composed of terms with order greater than $r$.
Similar to interval arithmetic, algorithms supporting such Taylor models are used to produce bounded envelopes for the reachable states, not only at some discrete time points but also for all continuous ranges of intermediate states between any two consecutive discrete time points. The fact that the generated bounds provide a sound abstraction for the reachable states makes them attractive for use with formal verification techniques. Based on the above rules, the Taylor model method extends mathematical operations and functions to Taylor models such that the inclusion relationships are preserved. This is demonstrated by the following theorem:
Theorem 3.1.2. [77] Let $f: \mathbb{R}^d \to \mathbb{R}$ be a continuous function, $F$ be an inclusion function of $f$ as in Definition 3.1.3 and $f \in T$, where $T$ is the Taylor model of $f$; then $T \subseteq F$. Moreover, for two functions $f_1 \in T_1$ and $f_2 \in T_2$, we have $(f_1 + f_2) \in T_S$ and $(f_1 \cdot f_2) \in T_P$, where $T_S$ and $T_P$ are Taylor models for the sum and product of $T_1$ and $T_2$, respectively.
In practice, the evaluation of a function is transformed into symbolically computing the Taylor polynomial $p_r(x)$ of the function, which is propagated throughout the evaluation steps. Only the interval remainder term and the polynomial terms of order higher than $r$, which are usually small, are bounded using intervals as described by the rules mentioned above, and are processed according to the rules of interval arithmetic. This is demonstrated by the following example:
Figure 3.1: Emitter Collector Differential Stage
Example 3.1.1. In non-linear analog circuits, voltages and currents can be described using analytic functions. For example, in the differential stage shown in Figure 3.1 [46], the BJT transistor collector current is described as $i_c = I_S\, e^{V_{BE}/V_T}\left(1 + \frac{V_{CE}}{V_A}\right)$, where $I_S$ is the saturation current, $V_T$ is the thermal voltage and $V_{CE}$ is the output voltage of the differential stage, $V_{CE} = \tanh(y) + K$, where $K$ is an arbitrary voltage and $y$ is a function of the input voltages $V_1 = V_2$. Consider the Taylor models $T_1$ and $T_2$ of the functions $e^x$ and $\tanh(y)$, respectively, where $x = \frac{V_{BE}}{V_T}$; the multiplication $e^x \tanh(y)$ can be done using Taylor model arithmetic on two Taylor models of order 3.
Let $x, y \in W = [-0.693, 0.693]$, $T_1(x) := 1 + x + \frac{x^2}{2} + [-0.11, 0.11]$ and $T_2(y) := y - \frac{y^3}{3} + [-0.108, 0.108]$. It holds that:
$T_1(x)\, T_2(y) \in \left(1 + x + \frac{x^2}{2}\right)\left(y - \frac{y^3}{3}\right) + \left(1 + x + \frac{x^2}{2}\right)[-0.108, 0.108] + \left(y - \frac{y^3}{3}\right)[-0.11, 0.11] + [-0.11, 0.11]\,[-0.108, 0.108]$
$\subseteq \left(1 + x + \frac{x^2}{2}\right)\left(y - \frac{y^3}{3}\right) + \left(1 + W + \frac{W^2}{2}\right)[-0.108, 0.108] + \left(W - \frac{W^3}{3}\right)[-0.11, 0.11] + [-0.218, 0.218]$
$= -\frac{y^3}{3} + \frac{x^2 y}{2} + xy + y + [-0.62, 0.54]$
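The interval operators of Section 3.1.3 and the multiplication rule of Definition 3.1.4, carried out on the two Taylor models of Example 3.1.1, as an added example (not code from the thesis). Intervals, polynomial dictionaries and the two input Taylor models are constructed here; the remainder interval obtained depends on how the interval terms are evaluated (subdistributivity), so it need not coincide with the figure quoted in the example.

```python
"""Interval arithmetic and Taylor-model multiplication (added example).

Intervals are (lo, hi) tuples; polynomials are dicts mapping an exponent
tuple (e_x, e_y) to a float coefficient.  Constructed inputs reproduce
Example 3.1.1: T1 encloses e^x and T2 encloses tanh(y) on W = [-0.693, 0.693].
"""
import math

# ---- basic interval arithmetic (Section 3.1.3) ----
def iadd(a, b):
    return (a[0] + b[0], a[1] + b[1])

def isub(a, b):
    return (a[0] - b[1], a[1] - b[0])

def imul(a, b):
    p = (a[0] * b[0], a[0] * b[1], a[1] * b[0], a[1] * b[1])
    return (min(p), max(p))

def iscale(c, a):
    return (min(c * a[0], c * a[1]), max(c * a[0], c * a[1]))

def ipow(a, k):
    # Even powers of an interval straddling zero are tightened to [0, max];
    # the naive product a*a*...*a would give a wider (less precise) enclosure.
    if k == 0:
        return (1.0, 1.0)
    if k % 2 == 0 and a[0] < 0 < a[1]:
        return (0.0, max(abs(a[0]), abs(a[1])) ** k)
    return (min(a[0] ** k, a[1] ** k), max(a[0] ** k, a[1] ** k))

# ---- polynomials in two variables x, y ----
def pmul(p, q):
    out = {}
    for (ex1, ey1), c1 in p.items():
        for (ex2, ey2), c2 in q.items():
            key = (ex1 + ex2, ey1 + ey2)
            out[key] = out.get(key, 0.0) + c1 * c2
    return out

def peval_interval(p, X, Y):
    """Term-wise interval evaluation of p over x in X, y in Y (an inclusion function)."""
    acc = (0.0, 0.0)
    for (ex, ey), c in p.items():
        acc = iadd(acc, iscale(c, imul(ipow(X, ex), ipow(Y, ey))))
    return acc

def peval(p, x, y):
    return sum(c * x ** ex * y ** ey for (ex, ey), c in p.items())

# ---- Taylor model = (polynomial, remainder interval) ----
def tm_mul(tf, tg, r, X, Y):
    """Multiplication rule of Definition 3.1.4:
    P_f*P_g = P_fg + P_e ;  I_fg = I_Pe + I_Pf*I_g + I_f*(I_Pg + I_g)."""
    Pf, If = tf
    Pg, Ig = tg
    prod = pmul(Pf, Pg)
    Pfg = {k: c for k, c in prod.items() if sum(k) <= r}   # kept terms (order <= r)
    Pe = {k: c for k, c in prod.items() if sum(k) > r}     # higher-order terms
    I_Pe = peval_interval(Pe, X, Y)
    I_Pf = peval_interval(Pf, X, Y)
    I_Pg = peval_interval(Pg, X, Y)
    Ifg = iadd(iadd(I_Pe, imul(I_Pf, Ig)), imul(If, iadd(I_Pg, Ig)))
    return Pfg, Ifg

def example_3_1_1():
    """Order-3 product of the two Taylor models of Example 3.1.1 on W x W."""
    W = (-0.693, 0.693)
    T1 = ({(0, 0): 1.0, (1, 0): 1.0, (2, 0): 0.5}, (-0.11, 0.11))       # e^x
    T2 = ({(0, 1): 1.0, (0, 3): -1.0 / 3.0}, (-0.108, 0.108))           # tanh(y)
    return tm_mul(T1, T2, 3, W, W)

def encloses_product(P, I, x, y):
    """Inclusion check at a point: does P(x, y) + I contain e^x * tanh(y)?"""
    value = peval(P, x, y)
    return value + I[0] <= math.exp(x) * math.tanh(y) <= value + I[1]
```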
3.1.5 Symbolic Simulation
Symbolic simulation is a form of simulation where many possible executions of a system are considered simultaneously. This is typically achieved by abstracting the domain over which the simulation takes place. A symbolic variable can be used in the simulation state representation in order to refer to multiple executions of the system. For each possible valuation of these variables, there is a concrete system state that is being indirectly simulated. The symbolic simulation described in this section relies on rewriting rules based on the algorithms developed in [3] for digital systems. In the context of functional programming and symbolic expressions, we define the following functions.
Definition 3.1.5. Substitution.
Let $u$ and $t$ be two distinct terms, and $x$ a variable. We call $x \to t$ a substitution rule. We use $Replace(u, x \to t)$, read "replace in $u$ any occurrence of $x$ by $t$", to apply the rule $x \to t$ on the expression $u$.
The function $Replace$ can be generalized to include a list of rules. $ReplaceList$ takes as arguments an expression $expr$ and a list of substitution rules $\mathcal{R} = \{R_1, R_2, \dots, R_n\}$. It applies each rule sequentially on the expression. The symbolic simulation function $ReplaceRepeated(Expr, \mathcal{R})$ shown in Definition 3.1.6 below is based on rewriting by repetitive substitution, which applies recursively a set of rewriting rules $\mathcal{R}$ on an expression $Expr$ until a fixpoint is reached.
Definition 3.1.6. Repetitive Substitution.
$ReplaceRepeated(expr, \mathcal{R})$
Repeat
  $expr_t = ReplaceList(expr, \mathcal{R})$
  $expr = expr_t$
Until $FP(expr_t, \mathcal{R})$
End
$ReplaceRepeated(expr, \mathcal{R})$ applies a set of rules $\mathcal{R}$ on an expression $expr$ until a fixpoint is reached, as shown in Definition 3.1.7.
Definition 3.1.7. Substitution Fixpoint.
A substitution fixpoint $FP(expr, \mathcal{R})$ is obtained if:
$Replace(expr, \mathcal{R}) = Replace(Replace(expr, \mathcal{R}), \mathcal{R})$
Depending on the type of expressions, we distinguish the following kinds of rewriting rules:
Polynomial Symbolic Expressions $R_{Math}$: rules intended for the simplification of polynomial expressions ($\mathbb{R}^n[x]$).
Logical Symbolic Expressions $R_{Logic}$: rules intended for the simplification of Boolean expressions and to eliminate obvious ones like $(and(a,a) \to a)$ and $(not(not(a)) \to a)$.
If-formula Expressions $R_{IF}$: rules intended for the simplification of computations over If-formulas. The definition and properties of the $IF$ function, like reduction and distribution, are defined as follows (see [84] for more details):
• IF Reduction: $IF(x,y,y) \to y$
• IF Distribution: $f(A_1,\dots,IF(x,y,z),\dots,A_n) \to IF(x,\ f(A_1,\dots,y,\dots,A_n),\ f(A_1,\dots,z,\dots,A_n))$
Interval Expressions $R_{Int}$: rules intended for the simplification of interval expressions.
Interval-Logical Symbolic Expressions $R_{Int\text{-}Logic}$: rules intended for the simplification of Boolean expressions over intervals.
Taylor expressions $R_{TM}$: rules intended for the simplification of Taylor model expressions ($T_{r,f}$).
Example 3.1.2. Horner Form Rules. One interval expression ($R_{Int}$) simplification rule we use is the Horner form transformation [85] of a polynomial. For instance, for the univariate $p(x) = a_0 + a_1 x + a_2 x^2 + \dots + a_k x^k$, the Horner form is the polynomial $q(x) = a_0 + x(a_1 + \dots + x(a_{k-1} + a_k x))$. The interval evaluation of $q(x)$ is often more precise than that of $p(x)$. This property is a direct consequence of the subdistributivity property of interval arithmetic. For example, let $x \in [-1,1]$; we have $x^4 \in [0,1] \subset [-1,1] \ni x \times x^3$.
The symbolic computation uses the repetitive substitution $ReplaceRepeated(Expr, \mathcal{R})$ (Definition 3.1.6) over the set of rules defined above as follows:
Definition 3.1.8. Symbolic Computation.
A symbolic computation over an expression $X_i(n)$ is defined as:
$Symbolic\text{-}Comp(X_i(n)) = ReplaceRepeated(X_i(n), R_{Simp})$
where $R_{Simp} = R_{Math} \cup R_{Logic} \cup R_{IF} \cup R_{TM} \cup R_{Int} \cup R_{Int\text{-}Logic}$.
The correctness of this algorithm and the proof of termination and confluence of the rewriting system formed by all the above rules are discussed in [3].
Example 3.1.3. The objective of the symbolic computation is to obtain a normal form (as defined in [84]) for cases like $a + IF(x > 0, b, a)$. This expression will be normalized using two rules:
• IF Distribution: $a + IF(x > 0, b, a) \to IF(x > 0,\ b + a,\ a + a)$
• Polynomial Addition: $IF(x > 0,\ b + a,\ a + a) \to IF(x > 0,\ b + a,\ 2a)$
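The rewriting machinery of Definitions 3.1.5 to 3.1.8 and the normalization of Example 3.1.3, as an added example (not code from [3] or from the thesis): expressions are nested tuples, rules are Python functions, and only the subset of $R_{IF}$, $R_{Math}$ and $R_{Logic}$ needed for the examples is implemented. The fixpoint test compares two successive passes; the iteration limit is an added guard that the definitions do not have.

```python
"""Symbolic simulation by repetitive substitution (added example).

Expressions are nested tuples: variables are strings, constants are numbers,
and compound terms are ('op', *args) with ops '+', '*', '>', 'IF', 'and', 'not'.
"""
from typing import Any, Callable, List

Expr = Any
Rule = Callable[[Expr], Expr]   # returns a rewritten term, or the term unchanged

def replace(expr: Expr, rule: Rule) -> Expr:
    """Replace(u, rule): apply the rule to every subterm, innermost first."""
    if isinstance(expr, tuple):
        expr = (expr[0],) + tuple(replace(a, rule) for a in expr[1:])
    return rule(expr)

def replace_list(expr: Expr, rules: List[Rule]) -> Expr:
    """ReplaceList: apply each rule of the list sequentially."""
    for r in rules:
        expr = replace(expr, r)
    return expr

def replace_repeated(expr: Expr, rules: List[Rule], limit: int = 1000) -> Expr:
    """ReplaceRepeated (Definition 3.1.6): rewrite until a fixpoint is reached.
    FP(expr, R) holds when one more pass leaves the expression unchanged."""
    for _ in range(limit):
        nxt = replace_list(expr, rules)
        if nxt == expr:
            return expr
        expr = nxt
    raise RuntimeError("no fixpoint reached within the iteration limit")

# --- R_IF: Moore's IF reduction and IF distribution ---
def if_reduction(e: Expr) -> Expr:
    # IF(x, y, y) -> y
    if isinstance(e, tuple) and e[0] == 'IF' and e[2] == e[3]:
        return e[2]
    return e

def if_distribution(e: Expr) -> Expr:
    # f(A1,...,IF(x,y,z),...,An) -> IF(x, f(A1,...,y,...,An), f(A1,...,z,...,An))
    if isinstance(e, tuple) and e[0] in ('+', '*', '>'):
        for i, arg in enumerate(e[1:], start=1):
            if isinstance(arg, tuple) and arg[0] == 'IF':
                _, cond, y, z = arg
                return ('IF', cond, e[:i] + (y,) + e[i + 1:], e[:i] + (z,) + e[i + 1:])
    return e

# --- R_Math: constant folding and like-term collection ---
def _split(term: Expr):
    """View a term as (coefficient, base): k*a -> (k, a), a -> (1, a)."""
    if isinstance(term, tuple) and term[0] == '*' and isinstance(term[1], (int, float)):
        return term[1], term[2]
    return 1, term

def poly_addition(e: Expr) -> Expr:
    if isinstance(e, tuple) and e[0] == '+':
        a, b = e[1], e[2]
        if isinstance(a, (int, float)) and isinstance(b, (int, float)):
            return a + b                       # constant folding
        ka, base_a = _split(a)
        kb, base_b = _split(b)
        if base_a == base_b:                   # a + a -> 2a,  k1*a + k2*a -> (k1+k2)*a
            return ('*', ka + kb, base_a)
    return e

# --- R_Logic: the two obvious Boolean simplifications named in the text ---
def logic_rules(e: Expr) -> Expr:
    if isinstance(e, tuple):
        if e[0] == 'and' and e[1] == e[2]:
            return e[1]                        # and(a, a) -> a
        if e[0] == 'not' and isinstance(e[1], tuple) and e[1][0] == 'not':
            return e[1][1]                     # not(not(a)) -> a
    return e

R_SIMP = [if_reduction, if_distribution, poly_addition, logic_rules]

def symbolic_comp(expr: Expr) -> Expr:
    """Symbolic-Comp (Definition 3.1.8) over the rule set above."""
    return replace_repeated(expr, R_SIMP)

def example_3_1_3() -> Expr:
    # a + IF(x > 0, b, a); '+' is commutative, so a + b here is the text's b + a
    return symbolic_comp(('+', 'a', ('IF', ('>', 'x', 0), 'b', 'a')))
```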
3.2 Modeling AMS Designs
The dynamical behavior of AMS designs is usually represented through equations describing the progressive change of the state variables. These state variables can be regarded as memory elements that are able to preserve previous states for a certain time interval. For instance, at the circuit level a capacitance can be seen as a voltage storage element while an inductance is a current storage element¹. At a higher level of design abstraction, a delay element can be used to affect the notion of state. In digital design, sequential logic circuits are clocked designs that have a memory characteristic. An AMS model can be defined formally as follows:
Definition 3.2.1. AMS Model.
An AMS Model is a tuple $\mathcal{AMS} = (X, X_0, \mathcal{D}, \mathcal{D}_0, \mathcal{U}, \mathcal{F})$, with $X \subseteq \mathbb{R}^d$ the analog state space with $d$ dimensions, where $d$ is the total number of state variables in the design. $X_0 \subseteq X$ is the set of initial states (e.g., initial voltages on the capacitances and initial currents through the inductances). $\mathcal{D} \subseteq \mathbb{K}^{d_2}$ are the discrete variables (i.e., $\mathbb{K}$ is a numerical domain ($\mathbb{B}$ or $\mathbb{N}$))², with initialization $\mathcal{D}_0 \subseteq \mathcal{D}$. $\mathcal{U}$ is the set of possible input signals to the AMS design and $\mathcal{F}: X \times \mathcal{D} \times \mathcal{U} \to \mathbb{R}^d$ is the vector field.
3.2.1 Discrete-Time AMS Designs
The notion of recurrence equation was extended in [3] to describe digital circuits using what is called a generalized If-formula.
Definition 3.2.2. A System of Recurrence Equations (SRE).
Consider a set of variables $x_i(n) \in \mathbb{K}$, $i \in \{1,\dots,d\}$, $n \in \mathbb{N}$; an SRE is a system consisting of a set of equations of the form:
$x_i(n) = f_i(x_j(n - \gamma)),\quad (j,\gamma) \in \varepsilon_i,\quad \forall n \in \mathbb{Z}$
where $f_i(x_j(n - \gamma))$ is a generalized If-formula. The set $\varepsilon_i$ is a finite non-empty subset of $\{1,\dots,d\} \times \mathbb{N}$, with $j \in \{1,\dots,d\}$. The integer $\gamma$ is called the delay.
¹It is worth noting that a resistance is a memoryless element.
²We refer to variables with discrete amplitudes as discrete variables. This should not be confused with discrete-time variables, which are variables that are assigned values at discrete time points. For example, if the discrete domain is $\{0,1\}$, then the variable is called a Boolean variable. In addition, here, discrete variables are not states; rather, they can be thought of as discrete locations such that we assign to each location a set of continuous states based on predefined (switching) conditions.
Figure 3.2: First-order ΔΣ Modulator
Example 3.2.1. Figure 3.2 shows a first-order ΔΣ modulator of one bit with two quantization levels, +1V and −1V. The quantizer input signal $y(n)$ should be between −2V and +2V in order not to overload. The SRE of the ΔΣ modulator is:
$y(n) = y(n-1) + u(n) - v(n-1)$
$v(n-1) = IF(y(n-1) > 0,\ 1,\ -1)$
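A bounded reachability check on the SRE above, as an added example (not code from the thesis): the quantizer input $y(n)$ is propagated as a set of intervals, the $IF$ in $v(n-1)$ is resolved by splitting each interval at the threshold 0 (the indeterminate case of the inclusion test of Definition 3.1.3), and the input $u(n)$ ranges over the constructed interval $U = [-1, 1]$; the input range and the initial state are assumptions. Beyond the bounded check, the computation shows that the non-overload range $[-2, 2]$ is mapped onto itself by one step, i.e. it is an inductive invariant, so the property holds for all $n$ under these assumptions.

```python
"""Interval reachability for the first-order ΔΣ SRE of Example 3.2.1 (added example).

    y(n)   = y(n-1) + u(n) - v(n-1)
    v(n-1) = IF(y(n-1) > 0, 1, -1)

States are lists of disjoint (lo, hi) intervals over y; u(n) is any value in U.
"""
from typing import List, Tuple

Interval = Tuple[float, float]

def iadd(a: Interval, b: Interval) -> Interval:
    return (a[0] + b[0], a[1] + b[1])

def quantizer(y: Interval) -> List[Tuple[Interval, float]]:
    """Evaluate v = IF(y > 0, 1, -1) over an interval of y.
    Returns (sub-interval of y, v) pairs; an interval straddling 0 is split,
    which is how the indeterminate inclusion-test outcome [0,1] is handled."""
    lo, hi = y
    parts = []
    if hi > 0:                                   # some y > 0  -> v = 1
        parts.append(((max(lo, 0.0), hi), 1.0))
    if lo <= 0:                                  # some y <= 0 -> v = -1
        parts.append(((lo, min(hi, 0.0)), -1.0))
    return parts

def hull(states: List[Interval]) -> List[Interval]:
    """Merge overlapping or touching intervals so the state set stays small."""
    states = sorted(states)
    merged = [states[0]]
    for lo, hi in states[1:]:
        mlo, mhi = merged[-1]
        if lo <= mhi:
            merged[-1] = (mlo, max(mhi, hi))
        else:
            merged.append((lo, hi))
    return merged

def step(states: List[Interval], U: Interval) -> List[Interval]:
    """One SRE step: image of every y(n-1) part under y(n) = y(n-1) + u - v."""
    out = []
    for y_prev in states:
        for sub, v in quantizer(y_prev):
            out.append(iadd(iadd(sub, U), (-v, -v)))
    return hull(out)

def within(states: List[Interval], bound: Interval) -> bool:
    return all(bound[0] <= lo and hi <= bound[1] for lo, hi in states)

def check_no_overload(y0: Interval, U: Interval, steps: int,
                      bound: Interval = (-2.0, 2.0)) -> Tuple[bool, List[Interval]]:
    """Bounded check of the non-overload property: y(n) stays inside `bound`
    for `steps` steps from y(0) in y0 with every u(n) in U.  Returns the
    verdict and the last computed state set (the counterexample set on failure)."""
    states = [y0]
    for _ in range(steps):
        states = step(states, U)
        if not within(states, bound):
            return False, states
    return True, states
```

`step([(-2.0, 2.0)], (-1.0, 1.0))` returns `[(-2.0, 2.0)]`, which is the inductive-invariant check; widening the constructed input to `(-1.5, 1.5)` makes the bounded check fail at the first step.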
3.2.2 Continuous-time AMS Designs
Continuous-time AMS (CT-AMS) designs can be simplified to the composition of basic analog components connected to some digital components, i.e., sequential logic and combinational logic. In this thesis, we will restrict our focus to the class of AMS designs whose memory constituents are only capacitances (voltage storage) and inductances (current storage). In other words, we will assume that the digital parts can only be composed of combinational logic. The reason for such a restriction is the requirement to restrict the notion of time over which the states evolve to continuous time only.
The behavior of a CT-AMS design is governed by a system of generalized differential equations. A generalized differential equation is a non-linear equation of the form $\dot{x} = \mathcal{F}(x, u, t)$, whose right hand side is a generalized If-formula. More formally, the behavior of a CT-AMS design is described as follows:
Definition 3.2.3. Generalized System of ODEs.
Consider a set of variables $x_i(t) \in \mathbb{R}$, $i \in \{1,\dots,d\}$, $t \in \mathbb{R}$; a Generalized System of ODEs is a system consisting of a set of equations of the form:
$\dot{x}_i = \frac{dx_i}{dt} = \mathcal{F}_i(x(t), u(t), t)$
where $x(t)$ is a vector of analog state variables defining the voltages across the capacitances and the currents through the inductances, $u(t) \in \mathcal{U}$ are variables defining the input signal, and the vector field $\mathcal{F}$ is defined as a continuous-time If-formula.
For example, the discrete behavior of the CT-AMS can be due to a change in the input signal amplitude $u$, abrupt changes in design parameters, or even changes in the function $\mathcal{F}$ based on some control logic or switching conditions. The most common situation, however, is when the system equations are piecewise in the system states $x$. Such a model arises for example in the linearization of a nonlinear system around different operating points.
The semantics of the AMS model³ $\mathcal{AMS} = (X, X_0, \mathcal{D}, \mathcal{D}_0, \mathcal{U}, \mathcal{F})$ over a continuous time period $T_c = [\tau_0, \tau_1] \subseteq \mathbb{R}^+$ ($\tau_1 = \infty$ in case of complete behavior) can be described as a trajectory $\Phi_x: T_c \to X$ for $x \in X_0$ such that $\Phi_x(t)$ is the solution of $\dot{x}_i = \mathcal{F}_i(x_1,\dots,x_d)$, with initial condition $\Phi_x(0) = x$, and $t \in T_c$ is a time point.
Example 3.2.2. One of the interesting circuits used in RF designs is the Colpitts oscillator. The circuit diagram for the Colpitts circuit is shown in Figure 3.3 [33]. The circuit is composed of a MOS transistor with a constant $V_g = 0.6$, $V_{cc} = 1.2$, two capacitors $C_1$ and $C_2$, an inductor $L$, a resistance $R_L$ and a current source $I_{ee}$ connected to the source of the transistor.
$\dot{V}_{C1} = \frac{1.2 - (V_{C1} + V_{C2})}{R\, C_1} + \frac{I_L}{C_1} - \frac{I_{ds}}{C_1}$
$\dot{V}_{C2} = -\frac{I_{ee}}{C_2} + \frac{1.2 - (V_{C1} + V_{C2})}{R\, C_2} + \frac{I_L}{C_2}$
$\dot{I}_L = \frac{1.2 - (V_{C1} + V_{C2})}{L}$
with
$I_{ds} := IF\Big((V_{C1} + V_{C2} > 0.3 \wedge V_{C2} < 0.3),\ K_p \frac{w}{l} (0.3 - V_{C2})^2,\ IF\Big((V_{C1} + V_{C2} < 0.3 \wedge V_{C2} < 0.3),\ K_p \frac{w}{l}\big((0.3 - V_{C2})\, V_{C1} - 0.5\, V_{C1}^2\big),\ 0\Big)\Big)$
where $w$ is the gate width, $l$ is the gate length, $|V_t| = 0.3$ is the threshold voltage of the device and $K_p$ is a constant depending on the physics of the device.
Figure 3.3: Colpitts Circuit Diagram
³Throughout the thesis, we refer to the AMS model in Definition 3.2.1 as a CT-AMS model or a DT-AMS model if the vector field $\mathcal{F}$ is defined using ODEs or SREs, respectively.
Note: We assume that we have correct initial conditions that are consistent with the laws 
of voltages and currents in the circuit [111]. We also assume that the generalized differ-
ential equation has a unique solution for each initial value (see [7] for more information 
about existence and uniqueness of solutions for piecewise systems). 
We can model explicitly the possible trajectories of the AMS model using the notion of timed state sequence, which we refer to as a CT-AMS Trace.
Definition 3.2.4. CT-AMS Trace.
Given a sequence of time stamps $\tau$, a trace of an AMS model is an extended timed state sequence $(\sigma, \tau, \lambda)$, where:
• $\sigma = \sigma_0, \sigma_1, \dots, \sigma_n$ is a sequence of states; for every $n \in \mathbb{N}$, $\sigma_i \in \mathbb{R}^d$
• $\tau = \tau_0, \tau_1, \dots, \tau_n$ is an increasing sequence of time intervals with the following condition: $\forall i \in \mathbb{N}$, $\exists T_i \subseteq \mathbb{R}^+$ such that there exists a trajectory $\Phi_x(T_i) = \sigma_i$ and $T_i = \tau_i$ and $x \in X_0$⁴
• $\lambda$ is a mapping function described as $\lambda: \mathbb{R}^d \to W$, which is a function associating each analog state with a set of predicates $B$ such that $\lambda_i(\sigma_i) = B$ iff $B(\Phi_x(T_i)) = True$.
Note: It is clear from the above definition that the behavior of a CT-AMS design can be described using analog states. Here, the discrete/digital part of the design is reduced to some predicates that control the switching between the different analog behaviors of the design. We can think of a CT-AMS trace as a concatenation of simple analog traces, for which the initial state of an analog trace is in fact the final state of the previous analog trace in the concatenation. We assume that there is no ambiguity in switching conditions, meaning that each switching condition leads to only one new analog dynamic, thus avoiding non-determinism.
The complete behavior of the CT-AMS design can be specified as the set of all possible CT-AMS traces, which can be used to construct the corresponding transition system:
Definition 3.2.5. CT-AMS Transition System.
The transition system for a CT-AMS model $\mathcal{AMS}$ is described as a tuple $\mathcal{T}_{AMS} = (Q, Q_0, \rightarrow, L)$ where $q \in Q$ is a configuration $(x, z, T)$, $x \in X$, $z \in W$ and $T$ a set of time intervals where $\bigcup_{i \ge 0} t_i \subseteq \mathbb{R}^+$, $t_i \in T$. We have $t_1, t_2 \in T$ for $\Phi_{x'}(t_1) = \Phi_{x''}(t_2) = x$ and $x', x'' \in X_0$. $q \in Q_0$ when $t_0 \in T$ and $t_0$ is the singular interval ($t_0 = 0$). $L$ is an interpretation function such that $L: Q \to \mathbb{R}^d \times 2^W \times 2^{\mathbb{R}}$. Finally, $\rightarrow \subseteq Q \times Q$ is a transition relation such that $(q_n, q_m) \in \rightarrow$ iff $\exists t_n \in T_n,\ \exists t_m \in T_m$, $t_n < t_m$ and $\lim_{t_n \to t_m} \Phi_x^{q_n}(t_n) = \Phi_x^{q_m}(t_m)$, $x \in X_0$, where the trajectory $\Phi_x: T_c \to X$ for $x \in X_0$ over a continuous time period $T_c = [\tau_0, \tau_1] \subseteq \mathbb{R}^+$ ($\tau_1 = \infty$ in case of complete behavior) is such that $\Phi_x(t)$ is the solution of $\dot{x}_i = \mathcal{F}_i(x_1,\dots,x_d)$, with initial condition $\Phi_x(0) = x$, and $t \in T_c$ is a time point.
⁴Note that we slightly abused the definition of a trajectory, where we assume that the domain is a set of time intervals rather than a set of time points, i.e., $\Phi_x(T_i) = \{\Phi_x(t_i) \mid t_i \in T_i,\ i \in \mathbb{N},\ x \in X_0\}$.
3.2.3 Approximating the Behavior of CT-AMS Designs
Obtaining the complete behavior of CT-AMS designs is often a hard problem, as it requires finding a closed-form solution of the system equations. Such a solution is hard to get in practice for general equations. Therefore, an approximation that guarantees preserving the behavior of the system must be used instead. One possible method to approximate the continuous behavior is the Taylor approximation described in Section 3.1.2.
Example 3.2.3. Consider the analog circuit in Figure 3.4, composed of a network of 
passive components (capacitors and conductances), along with non-linear current sources 
and two switches. The switches can be designed using CMOS transistors working in 
saturation mode as shown in the figure. This circuit exhibits an oscillatory behavior when 
the initial capacitor voltages are within a specified range, based on the switches positions. 
The voltages across the capacitors can be described using ODEs as follows: 
v'c\ = vc2 or Vci = vc2 + vl2 
< 
v^'c2 = -v c i + v j^ or v'c2 = -v c \ + (1 /2)v^j 
Suppose that we specify the switching conditions as 
Condi = Cond.2 \— vc\ (n — 1) < vain — 1) 
For illustration purposes and for clarity, we use Taylor approximation limited to order 2 
to obtain the corresponding SREs: 
vci(n):=IF(CondhXi,X2) and vc2(n) :-IF(Cond2,Yl,Y2) 
Figure 3.4: Switched Analog Circuit (figure; labels: vc1, vc2, i1 = f1(vc1, vc2), i2 = f2(vc1, vc2), Electronic Switch, c1 = 1, f1 = vc1, J1 = vc1 + (vc2)^3, J2 = -2(vc1) + 0.5(vc1)^3 + 2(vc2))
with: 
. X 1 : = y - ^ + vci(«-l) + M"-l)+^iWl 
.
 X 2 : = ^v i^z i l i + | ^ 2 V c 2 ( n _ 1 ) 2 v c l ( „ _ 1 ) 3 _ ^ M f r l i _ f^v^Cn - l)2vcl (n -
\) + vc\{n-\) + hvC2{n-\f + hvc2{n-\) + %m2[v7\,Vdi) 
• YX :=hvcx{n-\f + \h2vc2{n-\)vcx{n-\)2- hvcX{n-\) - ^ f ' 1 ? + v c 2 ( « -
• F 2 ; = ^ ^ - l ) 3 + 3 / l 2 V c 2 ( w _ 1 ) 3 V c l ( n _ 1 ) 2 + 3 ^ 2 V c 2 ( n _ 1 ) v c l ( ? z _ 1 ) 2 _ ^ c l ( w _ 
where $\mathcal{R}m_i[v_{c1}, v_{c2}]$ are the Taylor approximation remainders, $i \in \{1, \ldots, 4\}$, and $h$ is the
time step.
However, in order to ensure the correctness of the analysis, we must define a sufficient
condition for an adequate approximation. In order to define a notion of abstraction
precisely, we establish a correspondence between a discrete trajectory $\theta : \mathbb{N} \to X$ and a continuous
trajectory $\Phi_x : [0, \infty) \to X$. This is done using discrete sampling.
Definition 3.2.6. Sufficient Trajectory Discretization.
A discrete evolution $\theta : \mathbb{N} \to X$ is a sufficiently complete discretization of a continuous
evolution $\Phi_x : [0, \infty) \to X$ if there exists a strictly increasing sequence of reals $t_0, t_1, \ldots$ in the
interval $[0, \infty)$ such that $t_0 = 0$, $\Phi_x$ does not change in either the domain $(t_i, t_{i+1}]$ or the
domain $[t_i, t_{i+1})$, that is either $\|\Phi_x(t) - \Phi_x(t')\| < \varepsilon$ for all $t, t' \in (t_i, t_{i+1}]$ or $t, t' \in [t_i, t_{i+1})$,
where $\varepsilon$ is the sampling error and $\theta(i) = \Phi_x(t_i)$ for all $i$.
Intuitively, a sufficiently complete discretization captures all the different continuous
states in the continuous evolution. In general, we have $\|\theta(i) - \Phi_x(t_i)\| < \varepsilon$ for all $i$,
where $\varepsilon$ is the discretization error, and exact valuation cannot be achieved. We can explicitly
model the possible trajectories of the sampled AMS model as a Sampled CT-AMS Trace.
Definition 3.2.7. Sampled CT-AMS Trace.
A timed state sequence $(\sigma', \tau', \lambda')$ is a sampled CT-AMS trace of a CT-AMS model such
that:
• If $(\sigma, \tau)$ is a CT-AMS trace of a continuous evolution $\Phi_x$ and $\theta : \mathbb{N} \to X$ is a sufficiently
complete discretization of $\Phi_x : [0, \infty) \to X$, then there exists a trajectory such that
$\forall i \in \mathbb{N},\ \theta(i) = \sigma'_i$ with $\|\sigma_i - \sigma'_i\| < \varepsilon$ and $t'_i \in (t_i, t_{i+1}]$ or $t'_i \in [t_i, t_{i+1})$.
• $\lambda'$ is a mapping function described as $\lambda' : \mathbb{R}^{d} \to \mathbb{B}^{j}$, which is a function associating
to each analog state a set of predicates $B$ such that $\lambda'(\sigma_i) = B$ iff $B(\Phi_x(T_i)) = True$.
We can then view the sampled behavior of a CT-AMS model as a transition system,
which can be constructed from the set of all possible sampled traces (trajectories). We
define a sampled CT-AMS transition system as follows:
Definition 3.2.8. Sampled CT-AMS Transition System.
A Sampled CT-AMS Transition System $T_S$ is a tuple $(Q', Q'_0, \delta', L')$, where $q \in Q'$ is a
configuration $(x, z, A_x)$, $x \in X$, $z \in \mathbb{N}$ and $A_x$ is a set of sampling indices with $i_1, i_2 \in A_x$ if $\theta(i_1) = \theta(i_2) = x$.
$Q'_0 \subseteq Q'$ is the set of all initial configurations. $L'$ is an interpretation function such that
$L' : Q' \to \mathbb{R}^n \times 2^{\mathbb{B}} \times 2^{\mathbb{N}}$. Finally, $\delta' \subseteq Q' \times Q'$ is a transition relation such
that $\theta : \mathbb{N} \to X$ satisfies the initial condition $\theta(0) \in Q'_0$ and the discrete evolution $\forall i \in \mathbb{N}$,
$(\theta(i), \theta(i+1)) \in \delta'$.
Statement 1. We say that a Sampled AMS Transition System $T_S$ is an approximation of
a CT-AMS Transition System $T_{AMS}$ if the discrete evolution in the
former and the continuous evolution of the latter are related according to Definition 3.2.6.
It is thus natural to look for a model that gives a sufficiently accurate answer to
the analysis. In practice, it is hard to fulfill such a condition; however, some approximation
techniques under certain conditions can lead to a model that preserves the original
behavior of the system, at the cost of introducing more (undesirable) behaviors.
Such approximations are referred to in the formal methods literature as over-approximation
techniques [25].
In practice, to ensure the sufficient approximation criteria, the goal of a numerical
approach (like Taylor approximation) for solving an initial value problem (IVP) over an
interval range of $t$ is to approximate as accurately as possible its solution at some discrete
points placed along that interval. Usually, by starting at point $t_0$ (whose solution value is
known: $x(t_0) = x_0$) an increasing (decreasing) sequence of discrete points is considered
by adjusting the step size (the gap between two consecutive discrete points) as the calculation
proceeds. The purpose of this adaptive step size policy is to keep some control over
the accuracy of the approximation. However, a common source of errors is the discretization
error (also known as truncation error), which is partially due to the propagation of errors
made at previous steps (from $t_0$ to $t_i$) along with the current step. To preserve the inherited
behavior of the actual solution, the remainder term should not be discarded; instead,
bounds must be specified. Interval approaches attempt to produce bounds for the solution
flow not only at some discrete points of $t$ but also for the whole continuous range of intermediate
values between any two consecutive discrete points. In this case, we can allow for
over-approximation of behavior while guaranteeing the sufficient approximation required
to ensure sound construction of an approximate model of the CT-AMS designs. Having
attained this goal, we can claim that the resulting recurrence equations are suitable, under
certain conditions, for modeling continuous-time AMS systems, hence allowing a unified
modeling framework for discrete-time and continuous-time AMS designs. In the remainder
of this section, we provide a procedure to obtain such an approximation based on
Taylor's theorem and interval arithmetic.
3.2.4 Interval Abstraction 
As outlined earlier, to preserve the inherited behavior of the actual solution, the remainder
term of the Taylor approximation should not be discarded; instead, bounds must be
specified. Interval approaches [85] attempt to produce bounds for the solution flow not
only at some discrete points of $t$ but also for the whole continuous range of intermediate
values between any two consecutive discrete points. In this case, we can allow for
over-approximation of behavior, but guaranteeing a sufficient approximation requires a sound
construction of the approximate model of the AMS design.
Interval domains are numerical domains that enclose the original states of a system
of equations at each discrete step [85]. Interval methods produce bounding envelopes
for the reachable states not only at some discrete time points but also for all continuous
ranges of intermediate states between any two consecutive discrete time points. Solution
methods for ODEs based on interval arithmetic, also known as validated methods [85],
are an attractive tool to use in the verification of the behavior of systems with uncertainty
in the design parameters or initial conditions, as they allow sound discretization.
Interval Abstraction for the Traces. Given a Taylor based approximation of a system of 
ODEs, we can describe its trajectories starting from a set of initial conditions by the notion 
of interval analog traces. 
Definition 3.2.9. Interval AMS Trace.
An interval AMS trace of a CT-AMS design is a timed state sequence $(\sigma, \tau, \lambda)$, such that:
• $\sigma = \sigma_0, \sigma_1, \ldots, \sigma_n$ is a sequence of states for every $n \in \mathbb{N}$, $\sigma_i \in \mathbb{I}^d$.
• $\tau = t_0, t_1, \ldots, t_n$ is a sequence of time interval stamps with the following condition:
$\forall i \in \mathbb{N}$, there exists an interval evaluation of a Taylor approximation trajectory
$x(T_i) = \sigma_i$ with $T_i = (t_{i-1}, t_i]$.
• $\lambda$ is a mapping function described as $\lambda : \mathbb{I}^{d} \to \mathbb{B}^{j}$, which is a function associating
to each analog state a set of predicates $B$ such that $\lambda(\sigma_i) = B$ iff $B(x(T_i)) \neq False$.
The concepts of inclusion function and inclusion test can be used to define an ab-
straction from the concrete traces to corresponding interval traces as follows: 
Definition 3.2.10. Trace Abstraction.
Let $Tr_a = (\sigma, \tau, \lambda)$ be a CT-AMS trace and $Tr_i = (\sigma', \tau', \lambda')$ be an Interval AMS trace. We
say $Tr_i$ is an abstraction of $Tr_a$ if there exists a map $abs : X \to \mathbb{I}^d$ such that $abs(\sigma_0) \subseteq \sigma'_0$
and for every $\sigma_i \in \sigma$, if $\sigma'_i$ is a sufficiently complete discretization of $\sigma_i$, then $abs(\sigma_i) =
abs(\sigma'_i) \in \sigma'$.
We can argue that for each concrete trace, we can find an associated interval trace 
that over-approximates it, in a way that preserves its properties and that for a given ab-
straction, the set of all possible concrete traces is a subset of the set of interval based 
traces that can be generated by the system. 
Lemma 3.2.1. Existence of Trace Abstraction. 
Given a bounded time CT-AMS trace, we can always find an interval AMS trace which is 
an abstraction of that trace. 
Proof. By the Weierstrass Approximation theorem [39] and the existence of solutions for validated
methods [85].
The Weierstrass Approximation theorem ensures that any continuous function on a closed and bounded
interval can be uniformly approximated on that interval by polynomials to any degree of
accuracy. Validated methods provide techniques to construct such approximations.
We can represent the AMS design behavior over intervals using a state transition 
system as follows: 
Definition 3.2.11. Interval based State Transition System.
An Interval based State Transition System is a tuple $T_I = (S_I, S_{I,0}, \to_{S_I})$, where $S_I$ is the
interval state space, $S_{I,0} \subseteq S_I$ is the set of initial interval states, $\to_{S_I} \subseteq S_I \times S_I$ is a relation
defined using SRE forms $\delta_I$ and capturing the abstract transition between interval states
such that:
$\{ s \to_{S_I} s' \mid \exists a \in s,\ \exists b \in s' : b = \delta_I(a) \text{ and } \delta \in \delta_I \}$
where $a, b \in \mathbb{R}^d$, $s, s' \in S_I$, $\delta = \{f_1, \ldots, f_d\}$ with $f_i : \mathbb{R}^d \to \mathbb{R}$ an if-formula, $i \in \{1, \ldots, d\}$,
$\delta_I = \{f^I_1, \ldots, f^I_d\}$ and $f_i \in f^I_i$, where $f^I_i$ is the interval extension of the if-formula $f_i$.
Statement 2. We say that an Interval based State Transition System $T_I$ is an abstraction
of a CT-AMS State Transition System $T_{AMS}$ if $Abs(T_{AMS}) \subseteq T_I$.
Unfortunately, due to the over-approximation nature of interval analysis, a quick
divergence in the reachability calculation generally happens. This is mainly due to the
following issues [85]:
• The dependency problem, which is the inability of interval arithmetic to identify
different occurrences of the same variable. For example, $x - x = 0$ holds for each
$x \in [1,2]$, but $X - X$ for $X = [1,2]$ yields $[-1,1]$.
• The wrapping effect, which appears when the results of a computation are overestimated
when enclosed into intervals, hence leading to error accumulation at each
time step.
The undesirable properties associated with interval analysis can be partially avoided 
if instead of relying on interval traces with loose accuracy (large overapproximation), 
we search for tighter enclosures that still preserve the original traces. This goal can be 
guaranteed with the following lemma: 
Lemma 3.2.2. Let $Trset(Tr_a)$ be the set of all AMS traces and $Trset(Tr_i)$ be the set of all
Interval AMS traces of a given analog system; then $Abs(Trset(Tr_a)) \subseteq Trset(Tr_i)$.
Proof. This lemma is a direct consequence of Definition 3.2.10.
In a more concrete sense, the Taylor models described in Section 3.1.4 satisfy these properties;
moreover, they have been proved to be the best available interval based approximation
[88].
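As an added illustration, not taken from the thesis, the following Python snippet implements a minimal interval arithmetic and reproduces the two issues above (the dependency problem on $X - X$, and the wrapping effect on a constructed SRE step that rotates the state by 45 degrees), while checking that the interval trace still encloses every concrete trace started in the initial box, which is the containment Lemma 3.2.2 asks for. The rotation map, the initial box $[-1,1]^2$ and the sampled points are assumptions chosen for illustration.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Interval:
    """Closed interval [lo, hi]; each operation returns an enclosure of the exact result set."""
    lo: float
    hi: float

    def __add__(self, other):
        o = _iv(other)
        return Interval(self.lo + o.lo, self.hi + o.hi)

    def __sub__(self, other):
        o = _iv(other)
        return Interval(self.lo - o.hi, self.hi - o.lo)

    def __mul__(self, other):
        o = _iv(other)
        ps = (self.lo * o.lo, self.lo * o.hi, self.hi * o.lo, self.hi * o.hi)
        return Interval(min(ps), max(ps))

    __radd__ = __add__
    __rmul__ = __mul__

    def width(self) -> float:
        return self.hi - self.lo

    def contains(self, x: float, eps: float = 1e-12) -> bool:
        return self.lo - eps <= x <= self.hi + eps


def _iv(v):
    """Promote a plain number to a degenerate interval."""
    return v if isinstance(v, Interval) else Interval(float(v), float(v))


def dependency_problem(x: Interval) -> Interval:
    """x - x is 0 for every point of x, but interval subtraction cannot see that both
    operands are the same variable: [1,2] - [1,2] = [-1,1]."""
    return x - x


# Constructed SRE step for the wrapping effect: a rotation of the state by 45 degrees.
# The exact image of a box is a tilted square; enclosing it in an axis-aligned box
# widens it by sqrt(2) per step, although the true set never grows (after two steps
# the exact set is the original box again, while the interval box is twice as wide).
_C = math.cos(math.pi / 4)
_S = math.sin(math.pi / 4)


def rotate_point(x: float, y: float):
    """Concrete transition on one state."""
    return _C * x - _S * y, _S * x + _C * y


def rotate_box(X: Interval, Y: Interval):
    """Interval extension of rotate_point: the abstract transition on interval states."""
    return _C * X - _S * Y, _S * X + _C * Y


def box_widths(steps: int, X=Interval(-1.0, 1.0), Y=Interval(-1.0, 1.0)):
    """Widths of the interval state after `steps` abstract transitions from the initial box."""
    for _ in range(steps):
        X, Y = rotate_box(X, Y)
    return X.width(), Y.width()


def enclosure_holds(steps: int, samples: int = 200, seed: int = 1) -> bool:
    """Lemma 3.2.2 in miniature: every concrete trace started in the initial box stays
    inside the interval trace at every step, so the abstraction is sound even if loose."""
    rng = random.Random(seed)
    points = [(rng.uniform(-1.0, 1.0), rng.uniform(-1.0, 1.0)) for _ in range(samples)]
    X, Y = Interval(-1.0, 1.0), Interval(-1.0, 1.0)
    for _ in range(steps):
        X, Y = rotate_box(X, Y)
        points = [rotate_point(x, y) for x, y in points]
        if not all(X.contains(x) and Y.contains(y) for x, y in points):
            return False
    return True
```

After two abstract steps the exact reachable set is the initial box of width 2 again, whereas `box_widths(2)` reports width 4: the enclosure is sound but has already doubled, which is the divergence the text refers to.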
3.3 Specification Languages 
In order to reason about the functional properties of the designs under verification, we 
need a language that describes the temporal relations between the different signals of 
the system, including input, output and internal signals. Temporal logics are a special 
kind of modal logics that include operators (modalities) to reason about the truth values 
of assertions at different times during the execution of a program. There are two basic 
types of temporal logic: Linear time (e.g., Linear Temporal Logic (LTL)) and branching 
time (e.g., Computational Tree Logic (CTL)), corresponding to a linear and a branching
view of time, respectively. In the linear view, each point in time has
exactly one future. A specification is interpreted over a linear structure, i.e., a computation
is a sequence of events. In the branching view, there is a (non-deterministic) choice
between several potential futures at each point in time. This results in a tree of potential
computations. Neither view can, on its own, express all properties that the other can;
however, there is a subset of properties that can be supported by both kinds of logic. In
general, temporal logic formulas are interpreted over state sequences of labeled transition
systems called Kripke structures. The semantics of formulas is formally defined for a
model (state sequence) and a formula $\phi$ by means of the satisfaction relation $\models$; $\sigma \models \phi$
denotes that the formula $\phi$ holds for the state sequence $\sigma$. A survey on temporal logic is
available in [32].
For the verification purposes in this thesis, we provide the basics of two types of
temporal logic, namely MITL, which is a timed linear temporal logic, and $\forall$CTL, which is
a subset of the standard CTL. The motivation for choosing two different logics in the
proposed verification methodology is the following. For BMC verification, we
are interested in checking properties over a set of traces for a given amount of time. The
verification idea is based on encoding each property as a set of constraints to be satisfied.
In particular, LTL has been shown to be practical for such a verification technique [14].
As we are extending BMC to AMS designs, which are characterized by their real-time
behavior, choosing MITL as the specification logic provides us with an intuitive formalism
to express the required properties, as will be demonstrated below. On the other hand, the
predicate abstraction proposed in the thesis is based on the qualitative analysis of the AMS
design state space rather than of particular traces. Therefore, an untimed logic like $\forall$CTL
suffices for describing the desired properties.
3.3.1 MITL 
We use a variant of Metric Interval Temporal Logic (MITL), which is an extension of LTL
tailored for specifying desired timed properties of real-time designs. In MITL, temporal
modalities are restricted to intervals of the form $I = [a, b]$ with $a, b \in \mathbb{Q}_{\geq 0}$. The benefit
of bounding the temporal properties is to restrict the verification to a specific amount
of time, avoiding non-termination. To specify the analog behavior of AMS designs,
the logic is augmented with a mapping from continuous domains into propositions. We
extended the MITL language with predicates over real constants and real variables. We
can define atomic properties as follows:
Definition 3.3.1. Atomic Property.
An atomic property $\lambda(x_1, \ldots, x_n)$ is a logical formula defined as follows: $\lambda(x_1, \ldots, x_n) =
\chi \circ c$, where $\circ \in \{<, \leq, >, \geq, =, \neq\}$, $\chi$ is an arithmetic formula over the design state
variables $x$ and $c$ is an arbitrary value ($c \in \mathbb{R}$).
The main temporal operators describing properties of a trace are:
• F ("eventually or in the future") asserts that a property will hold at some states on 
the path. 
• G ("always or globally") specifies that a property holds at every state on the path. 
Syntax of MITL. The basic formulae of MITL are defined by the following
grammar:
$\varphi := \lambda(x_1, \ldots, x_n) \mid \neg\varphi \mid \varphi_1 \vee \varphi_2 \mid F_I \varphi \mid G_I \varphi \mid true$
where $\lambda$ belongs to a set of atomic properties over the design state variables and $x_i$ is a
term (that is, a constant or a variable).$^5$ $G$ and $F$ are temporal operators and $I$ is an interval
$I = [a, b]$ with $0 \leq a < b$ and $a, b \in \mathbb{Q}_{\geq 0}$ and $a \neq b$.
Semantics of MITL. We define the Kripke structure, which is a transition system
as in Definition 3.2.5, $T_{AMS} = (Q, Q_0, \sigma, L)$, extended with an interpretation function $[\![ . ]\!]$,
written as $K = (T_{AMS}, [\![ . ]\!])$. The semantics of the language is provided by the interpretation
$[\![ . ]\!]$ as follows:
• For a constant $C$, $[\![ C ]\!]$ is an element of $\mathbb{R}$.
• For a state variable $x \in \bar{x}$ (where $\bar{x}$ is the set of state variables), $[\![ x ]\!]$ is a function
$\mathbb{R}^+ \to \mathbb{R}$.
• For an $n$-ary predicate $\lambda$, $n \geq 1$, the meaning $[\![ \lambda ]\!]$ is a function $\mathbb{R}^n \to \mathbb{B}$.
The interpretation $[\![ . ]\!]$ extends to arbitrary terms, inductively:
$[\![ \lambda(x_1, \ldots, x_n) ]\!] = [\![ \lambda ]\!]([\![ x_1 ]\!], \ldots, [\![ x_n ]\!])$
5 To describe properties on analog signals like currents and voltages, atom ic propositions $\lambda(x_1, \ldots, x_n)(n)$
are predicates (inequalities) over reals, with time index $n$. The provided propositions are algebraic relations
between signals (variables) of the system.
In addition, we have the concretisation function $\Upsilon_\lambda : \mathbb{B} \to 2^{\mathbb{R}^n}$ such that $\Upsilon([\![ \lambda(x) ]\!]) =
\Upsilon_\lambda(b) = \{x \in \mathbb{R}^n \mid \lambda(x) = b\}$. Intuitively, $\Upsilon_\lambda$ is the set of states where $\lambda$ holds, with the
condition $\Upsilon_\lambda \cap \Upsilon_{\neg\lambda} = \emptyset$.
In general, in real-time temporal logic, observations have to be extended with information
about their timing. This is done by representing the timed state sequence as
a timed word over state observations. Thus, it is a pair $\Sigma = (\sigma, \tau)$, consisting of a state
sequence $\sigma$ and an interval sequence $\tau$. We use the notations $s(\Sigma)$ and $\tau(\Sigma)$ for the state
part and the timed part of the timed state sequence, respectively.
Let $\Sigma = (\sigma, I)$ be a state sequence associated with the Kripke structure, with $I =
[a, b]$; the satisfaction relation $\Sigma \models \varphi$, indicating that a state sequence satisfies a property
$\varphi$ starting from position $\tau_0$ with $\tau_0 \in \tau$, is defined inductively as follows:
• $\sigma \models true$
• $\sigma \models \lambda(y_1, \ldots, y_n)$ iff $L_\lambda(\sigma_0) \in \Upsilon([\![ \lambda(y_1, \ldots, y_n) ]\!])$
• $\sigma \models \neg\varphi$ iff $\sigma \not\models \varphi$
• $\sigma \models \varphi_1 \vee \varphi_2$ iff $\sigma \models \varphi_1$ or $\sigma \models \varphi_2$
• $\sigma \models F_I \varphi$ iff starting from position $t$, where $t = [\underline{t}, \bar{t}]$ and $t \in \tau_0$, $\exists t' \in [\bar{t} + a, \underline{t} + b].\ \sigma \models \varphi$
• $\sigma \models G_I \varphi$ iff starting from position $t$, where $t = [\underline{t}, \bar{t}]$ and $t \in \tau_0$, $\forall t' \in [\underline{t} + a, \bar{t} + b].\ \sigma \models \varphi$
Note: The verification algorithms in this thesis consider abstract models overapproximating
the original behaviors. Therefore, correctness must be proved for all possible
abstract behaviors. In fact, MITL has implicit universal quantifiers in front of its
formulas. For example, $M \models \forall f$ means that $M$ satisfies $f$ over all initialized paths. Such a
property makes MITL adequate for writing specifications.
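As an added example, not part of the thesis, the following Python code evaluates the bounded operators $F_I$ and $G_I$ above over a sampled timed state sequence and applies the universal reading of the note (every initialized trace must satisfy the formula). The trace (a capacitor voltage vc1 ramping to 1 V), the atomic properties and the time stamps are constructed, and the evaluator decides the interval operators only over the sampled positions, so a sufficiently complete discretization in the sense of Section 3.2.3 is assumed.

```python
from typing import Dict, List, Tuple

# A timed state sequence Sigma = (sigma, tau): each entry is (time stamp, valuation).
TimedTrace = List[Tuple[float, Dict[str, float]]]

# Formulas follow the MITL grammar of Section 3.3.1, encoded as nested tuples:
#   "true" | ("atom", fn) | ("not", phi) | ("or", phi1, phi2)
#   | ("F", a, b, phi) | ("G", a, b, phi)        with 0 <= a < b
# where fn: valuation -> bool plays the role of an atomic property lambda(x1, ..., xn).


def holds(trace: TimedTrace, i: int, phi) -> bool:
    """Sigma, i |= phi at position i (time stamp t_i).  F_[a,b] and G_[a,b] quantify over
    the sampled positions whose stamps lie in [t_i + a, t_i + b]; the trace must cover that
    window, otherwise G would be vacuously true, so a ValueError is raised instead."""
    t_i, state = trace[i]
    if phi == "true":
        return True
    kind = phi[0]
    if kind == "atom":
        return bool(phi[1](state))
    if kind == "not":
        return not holds(trace, i, phi[1])
    if kind == "or":
        return holds(trace, i, phi[1]) or holds(trace, i, phi[2])
    if kind in ("F", "G"):
        a, b, sub = phi[1:]
        if trace[-1][0] < t_i + b:
            raise ValueError("trace too short to decide [%g, %g]" % (t_i + a, t_i + b))
        window = [j for j, (t, _) in enumerate(trace) if t_i + a <= t <= t_i + b]
        if kind == "F":
            return any(holds(trace, j, sub) for j in window)
        return all(holds(trace, j, sub) for j in window)
    raise ValueError("unknown formula %r" % (phi,))


def all_traces_satisfy(traces: List[TimedTrace], phi) -> bool:
    """M |= phi with MITL's implicit universal quantification: phi must hold from
    position 0 of every initialized trace."""
    return all(holds(tr, 0, phi) for tr in traces)


def sample_trace() -> TimedTrace:
    """Constructed sample, not a simulation result: a capacitor voltage vc1 sampled every
    0.1 time units that ramps from 0 V to 1 V in 0.5 time units and then holds."""
    return [(k / 10, {"vc1": min(0.2 * k, 1.0)}) for k in range(11)]


ABOVE_HALF = ("atom", lambda s: s["vc1"] > 0.5)    # lambda(vc1) = vc1 > 0.5
WITHIN_RAIL = ("atom", lambda s: s["vc1"] <= 1.0)  # lambda(vc1) = vc1 <= 1.0

SWITCHES_SOON = ("F", 0.0, 0.5, ABOVE_HALF)        # F_[0,0.5] (vc1 > 0.5)
STAYS_SWITCHED = ("G", 0.5, 1.0, ABOVE_HALF)       # G_[0.5,1] (vc1 > 0.5)
NO_OVERSHOOT = ("G", 0.0, 1.0, WITHIN_RAIL)        # G_[0,1] (vc1 <= 1.0)
SWITCHES_TOO_SOON = ("F", 0.0, 0.2, ABOVE_HALF)    # F_[0,0.2] (vc1 > 0.5): only 0.4 V at t = 0.2


def check_spec(trace: TimedTrace) -> Dict[str, bool]:
    """Evaluate the four bounded properties at position 0 of the trace."""
    return {
        "switches_soon": holds(trace, 0, SWITCHES_SOON),
        "stays_switched": holds(trace, 0, STAYS_SWITCHED),
        "no_overshoot": holds(trace, 0, NO_OVERSHOOT),
        "switches_too_soon": holds(trace, 0, SWITCHES_TOO_SOON),
    }
```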
3.3.2 $\forall$CTL
In Chapter 5, we will be using temporal logic to verify properties on discrete abstractions
of AMS designs. For the purpose of verification, we need a temporal logic for reasoning
over the possible behaviors of the design. We use a subset of CTL which only allows the
use of the universal path quantifier $\forall$. We refer to this subset as $\forall$CTL [72]. $\forall$CTL formulas
are specified and evaluated over the semantic model of the system, usually modelled
as a Kripke structure. Besides boolean connectives, $\forall$CTL provides linear time operators
and a path quantifier. The linear time operators allow expressing properties of a particular
behaviour of the system given by a series of events in time. Path quantifiers used with
time operators account for the possible existence of multiple future scenarios starting at a
given state at a point in time.
The main temporal operators describing properties of a path through the tree are:
• F ("eventually or in the future") asserts that a property will hold at some states on 
the path. 
• G ("always or globally") specifies that a property holds at every state on the path. 
Based on the path quantifiers and temporal operators, we can define state formulas
and path formulas as follows.
Syntax of $\forall$CTL. Let $AP$ be the set of atomic propositions. $\forall$CTL is the set of
state formulas on $AP$ inductively defined as follows:
• Any boolean formula over atoms from $AP$ using the connectives $\vee$, $\wedge$ and $\neg$ is a pure
state formula.
• If $\phi$ and $\varphi$ are state formulas, then $\phi \wedge \varphi$ and $\phi \vee \varphi$ are state formulas.
• If $\phi$ and $\varphi$ are state formulas, then $F\phi$, $G\varphi$ are path formulas.
• If $\phi$ is a path formula, then $A(\phi)$ is a state formula.
The semantics of a discrete model$^6$ under verification is usually represented by a
Kripke structure.
Semantics of $\forall$CTL. The Kripke structure of a discrete model is a tuple $M =
(C, C_0, R, L)$, where $C$ is the set of all possible states for the model, $C_0 \subseteq C$ is the set of
initial states, $R$ is a transition relation between two states such that $R \subseteq C \times C$, and $L : C \to 2^{AP}$
is a labeling function associating each state with a non-empty set of atomic propositions
($AP$).
Definition 3.3.2. A path $\pi$ of a Kripke structure $M$ is a finite sequence of states $\pi =
[c_0, c_1, \ldots, c_i]$ such that $i \geq 0$. Given an integer $i \geq 0$ and a path $\pi$, we denote by $\pi_i$ the $i$-th
state of $\pi$.
Definition 3.3.3. Let $c$ and $\pi$ be a generic state and path, respectively, in the Kripke structure
of discrete model $M$. Then the satisfaction relation $\models$ for state and path formulas is
defined as follows:
• $c \models p$ iff $p \in L(c)$, where $L(c)$ is the labelling function of state $c$
• $c \models \neg p$ iff $\neg p \in L(c)$
• $c \models \varphi \wedge \psi$ iff $c \models \varphi$ and $c \models \psi$
• $c \models \varphi \vee \psi$ iff $c \models \varphi$ or $c \models \psi$
• $c \models A(G\varphi)$ iff for every path $\pi$ starting at the state $c$ and for all states $\pi_i$ along the path,
$\pi_i \models \varphi$
• $c \models A(F\varphi)$ iff for every path $\pi$ starting at the state $c$, there is some state $\pi_i$ along
the path such that $\pi_i \models \varphi$
6 Here, a discrete model is a model representing the approximation of an AMS design using predicate
abstraction as described in Chapter 5.
Figure 3.5: Third-order $\Sigma\Delta$ Modulator
3.4 Symbolic Simplification 
The AMS description is composed in general of a digital part and an analog part. The 
analog part can be approximated using recurrence equations. The digital part can be 
described using event driven models. The properties that we verify are temporal relations 
between signals of the system. Starting with an AMS description and a set of properties, 
the symbolic simulator performs a set of transformations by rewriting rules in order to 
obtain a normal mathematical representation called a generalized system of recurrence 
equations (SRE) [3]. These are combined recurrence relations that describe each property 
blended directly with the behavior of the system. 
Given a model representing the behavior of the design and a property of interest 
expressed in LTL, the symbolic simulation defined in Section 3.1.5 is used to obtain a 
unified representation adequate for applying the verification methods developed in the 
subsequent chapters (mainly in Chapter 4 and Chapter 6). This is illustrated with the 
following example. 
Example 3.4.1. Data converters are needed at the interface of analog and digital processing
units. The $\Sigma\Delta$ architecture uses several stages to make rough evaluations of the
signal, measure the error, integrate it and then compensate for that error. Higher-order single
stage modulators have been proposed to increase the converter's resolution by adding
more integral and feedback paths. The number of integrators, and consequently the number
of feedback loops, indicates the order of a $\Sigma\Delta$ modulator. Consider the third-order
discrete-time $\Sigma\Delta$ modulator illustrated in Figure 3.5. Such a class of $\Sigma\Delta$ design can be
described using the vector recurrence equations:
$X(k+1) = C X(k) + B u(k) + A v(k)$
where $A$, $B$ and $C$ are matrices providing the parameters of the circuit, $u(k)$ is the input
signal, $v(k)$ is the digital part of the system and $b_4 = 1$. In more detail, the recurrence
equations for the analog part of the system are:
$x_1(k+1) = x_1(k) + b_1 u(k) + a_1 v(k)$
$x_2(k+1) = c_1 x_1(k) + x_2(k) + b_2 u(k) + a_2 v(k)$
$x_3(k+1) = c_2 x_2(k) + x_3(k) + b_3 u(k) + a_3 v(k)$
The threshold condition of the quantizer is computed to be equal to $c_3 x_3(k) +
u(k)$. The digital description of the quantizer is transformed into a recurrence equation
using the approach defined in [3]. Thus, the equivalent recurrence equation that describes
$v(k)$ is
$v(k) = IF(c_3 x_3(k) + b_4 u(k) \geq 0, -a, a)$
Applying symbolic simulation (Definition 3.1.6) to the $\Sigma\Delta$ modulator, we obtain
the following unified modeling for both the analog and discrete parts.
$x_1(k+1) = if(c_3 x_3(k) + u \geq 0,\ x_1(k) + b_1 u - a_1 a,\ x_1(k) + b_1 u + a_1 a)$
$x_2(k+1) = if(c_3 x_3(k) + u \geq 0,\ c_1 x_1(k) + x_2(k) + b_2 u(k) - a_2 a,\ c_1 x_1(k) + x_2(k) + b_2 u(k) + a_2 a)$
$x_3(k+1) = if(c_3 x_3(k) + u \geq 0,\ c_2 x_2(k) + x_3(k) + b_3 u(k) - a_3 a,\ c_2 x_2(k) + x_3(k) + b_3 u(k) + a_3 a)$
The modulator is said to be stable if the integrator output remains bounded under
a bounded input signal, thus avoiding overloading of the quantizer. This property is of
great importance since integrator saturation can deteriorate circuit performance. If
the signal level at the quantizer input exceeds the maximum output level by more than
the maximum error value, a quantizer overload occurs. The quantizer in the modulator
shown in Figure 3.5 is a one-bit quantizer with two quantization levels, +1V and -1V.
Hence, the quantizer input should always be between -2V and +2V in order to avoid
overloading [50].
The stability property of the $\Sigma\Delta$ modulator is written as $G\,P(k+1)$, where
$P(k+1) = (x_3(k+1) \geq -2 \wedge x_3(k+1) \leq 2)$
Applying symbolic simulation (Definition 3.1.6), the state variable $x_3(k+1)$ is replaced
by its corresponding expression and the expression of the property is defined as:
$P(k+1) = if(c_3 x_3(k) + u \geq 0,$
$\quad -2 \leq c_2 x_2(k) + x_3(k) + b_3 u(k) - a_3 a \leq 2,$
$\quad -2 \leq c_2 x_2(k) + x_3(k) + b_3 u(k) + a_3 a \leq 2)$
The techniques for verifying the $\Sigma\Delta$ modulator will be presented in Chapter 4.
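To make the unified SRE concrete, here is an added Python example (not the thesis's tool or code): it implements the IF-form recurrence above for the quantizer and the three integrators and performs an explicit-state bounded check of $G\,P(k+1)$ up to a fixed depth, in the spirit of the bounded model checking of Chapter 4. The coefficient names $a_i$, $b_i$, $c_i$ follow the text, but the unit-gain values, the constant input $u$ and the initial states are constructed assumptions chosen so that the outcome can be followed by hand.

```python
from typing import Dict, NamedTuple, Optional, Sequence, Tuple

State = Tuple[float, float, float]   # (x1, x2, x3): the three integrator outputs


class Params(NamedTuple):
    """Modulator coefficients; the names follow the thesis, the values below do not."""
    a: Tuple[float, float, float]          # feedback gains a1..a3
    b: Tuple[float, float, float, float]   # input gains b1..b4 (b4 feeds the quantizer)
    c: Tuple[float, float, float]          # integrator gains c1..c3
    q: float                               # quantizer level: v(k) is -q or +q


# Constructed unit-gain parameter set used in the checks below (a real design uses scaled gains).
UNIT = Params(a=(1.0, 1.0, 1.0), b=(1.0, 1.0, 1.0, 1.0), c=(1.0, 1.0, 1.0), q=1.0)


def quantizer(p: Params, x: State, u: float) -> float:
    """v(k) = IF(c3*x3(k) + b4*u(k) >= 0, -q, +q): the one-bit quantizer as an IF-formula."""
    return -p.q if p.c[2] * x[2] + p.b[3] * u >= 0 else p.q


def sre_step(p: Params, x: State, u: float) -> State:
    """One unwinding of the SRE X(k+1) = C X(k) + B u(k) + A v(k), with v(k) already
    substituted by its IF-formula (the unified analog/digital model of Section 3.4)."""
    x1, x2, x3 = x
    v = quantizer(p, x, u)
    return (x1 + p.b[0] * u + p.a[0] * v,
            p.c[0] * x1 + x2 + p.b[1] * u + p.a[1] * v,
            p.c[1] * x2 + x3 + p.b[2] * u + p.a[2] * v)


def stability_property(x_next: State, bound: float = 2.0) -> bool:
    """P(k+1) = (x3(k+1) >= -bound) and (x3(k+1) <= bound): quantizer input not overloaded."""
    return -bound <= x_next[2] <= bound


def bounded_check(p: Params, initial_states: Sequence[State], inputs: Sequence[float],
                  depth: int, bound: float = 2.0) -> Optional[Dict]:
    """Explicit-state bounded check of G P(k+1): unwind the SRE `depth` times from every
    initial state with every (constant) input.  Returns the first counter-example trace,
    or None when no violation exists within the bound, which is a bounded result only:
    a deeper unwinding may still find one."""
    for x0 in initial_states:
        for u in inputs:
            x, trace = x0, [x0]
            for k in range(depth):
                x = sre_step(p, x, u)
                trace.append(x)
                if not stability_property(x, bound):
                    return {"initial": x0, "input": u, "step": k + 1, "trace": trace}
    return None
```

With the unit gains and zero input, the check passes at depth 5 but finds $x_3(6) = 3$ at depth 10, which is exactly the incompleteness of a depth-bounded result that Chapter 4 discusses.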
In this chapter, we presented the necessary concepts required for the verification 
approaches described in the thesis. In the next chapter, we will present a bounded model 
checking algorithm for continuous-time AMS designs. The basic idea will be to combine 
symbolic simulation and Taylor model arithmetics to verify properties on the SRE model. 
Chapter 4 
Bounded Model Checking for CT-AMS 
Designs 
Model checking was initially developed as a method of complete verification through
the exploration of the whole state space of the given design. But with limited space
(memory) and time resources, such complete exploration is severely limited by the
state space explosion problem. The bounded model checking (BMC) [14] approach has
been advocated recently as a means to combat this problem by limiting the explored state
space. This is done by providing bounds on the number of cycles that should be explored.
In BMC, the transition relation and the property are unwound up to a given depth
(number of cycles) to obtain a formula, which is then checked using constraint satisfiability
techniques. If a counter-example is found or a fixpoint is reached, the verification
task is achieved; else the number of steps can be increased for further verification. This
implies that the method is incomplete in general, as an a priori calculation of the maximum
number of cycles (depth) needed to ensure the verification is not always possible. Hence, BMC is
typically used for refutation of a property rather than for ensuring safety and reachability
properties. Nevertheless, BMC can be an attractive tool for verification rather than refutation
if some limitations are imposed on the type of properties to verify (e.g., bounds on
the temporal operator as in the MITL language described in Chapter 3, Section 3.3).
As a matter of fact, AMS designs are usually characterized by a bounded state space
(i.e., voltages and currents across a circuit are always confined within specific ranges
defined through the connection settings of the circuit components as well as the voltages
applied across it). Furthermore, many properties related to the characteristics of the
designs are associated with their time bounded functionality. For instance, one interesting
property is to check whether a switching will occur within a specific amount of time. In
this perspective, we propose in this chapter an approach for CT-AMS designs based on
bounded model checking [14].
The proposed methodology, as shown in Figure 4.1, is composed of two distinct
phases: a modeling phase and a verification one. In the modeling phase, continuous-time
analog components are described using ordinary differential equations, while the
digital parts of the AMS design are described using event based models. In order to obtain
the verification model, which is formed of a set of recurrence equations (Chapter
3, Section 3.2.3), the differential equations are approximated using the Taylor Approximation
Theorem (Chapter 3, Section 3.1.2). Therefore the recurrence model gives the
possibility of handling continuous behaviors like those of currents and voltages, but in discrete
time intervals, which cover a non-trivial class of mixed behaviors. In the next step,
the AMS description and the MITL property of interest are input to a symbolic simulator
that performs a set of transformations by rewriting rules in order to obtain the system of
generalized recurrence equations (SREs).
The next phase is to prove the desired property using a verification engine that performs
the state space exploration and BMC over Taylor model forms. The Taylor model
form is a combined symbolic-numerical representation of the system equations using
polynomials and interval terms that ensure enclosure of the reachable states. Such arithmetic
allows computation over continuous quantities while avoiding the unsoundness
inherent in the numerical Taylor approximation by providing an overapproximation of the
possible reachable states of the system. The BMC is composed of two sequential steps.
In the first step, rules are applied on the SREs to set up the Taylor model forms (see
Figure 4.1: CT-AMS BMC Verification Methodology (figure; blocks: CT-AMS Design, Continuous-Time Analog Components, Digital Components, Temporal Property, Taylor Recurrence, Symbolic Rewriting Phase, Taylor Model based BMC)
Chapter 3, Section 3.1.4) for the current cycle; in the verification step, constraint solving
approaches are applied to check for property satisfaction. In case the property cannot
be verified, a counter-example is generated. A validation and refinement procedure is then
applied to identify spurious counter-examples and discard them, while returning concrete
ones.
The verification procedure terminates in one of the following cases:
• Complete verification:
- A fixed point is reached and the timed property is proved True.
- The property is false and a concrete counter-example is found.
• Bounded verification:
- The resource limits have been attained (memory or CPU), as the verification
cost grows exponentially with the number of reachability analysis steps.
- The constraints extracted from the interval states are divergent with respect to
some pre-specified criteria (e.g., width of the computed interval states).
In the remainder of this chapter, we describe the main verification algorithms
based on Taylor model reachability analysis. We also provide a counter-example
analysis and refinement used in order to enhance the bounded verification. We
end the chapter by applying the verification to different AMS examples, including
oscillator circuits and a continuous-time $\Sigma\Delta$ modulator.
4.1 Reachability Analysis 
In Chapter 3, we defined the reachable behavior of the AMS design as a set of traces representing
the possible solutions of a system of ODEs. We also proposed interval traces as an
overapproximating abstraction of the reachable behavior. However, no specific way has
been proposed to build such a trace. In this chapter, we explicitly tackle the issue of obtaining
such traces. Several techniques have been proposed in the literature to obtain abstract
traces (see Chapter 2 for an overview of the methods used), mainly based on techniques
inspired from computational geometry and optimization. In this chapter, we take
a different approach based on symbolic simulation and rewriting techniques. Obtaining
the set of traces and applying bounded reachability analysis is based on the concept of
semi-symbolic Taylor models. In what follows, we give an overview of the
problem of reachability in general, followed by an exposition of Taylor models and interval
arithmetic, before presenting our reachability analysis algorithm based on Taylor
model symbolic simulation. We also show how to enforce the sufficient approximation
condition necessary to ensure the correctness of the results.
The set of reachable states from given states X_0 at time t can be defined as the set of all states visited by the trajectories starting from states X_0. 
Definition 4.1.1. CT-AMS Model Reachable States. 
The set of reachable states Reach can then be defined as: 
$$Reach = \{\, x' \in X \mid \exists x \in Reach_0 \text{ such that } \Phi_x(t) = x' \,\}$$ 
where Reach_0 = X_0. The set of reachable states in less than k steps (0 ≤ i ≤ k), from a given set X_0 of states, is denoted by R^{≤k}(X_0) and is defined as: 
$$\mathcal{R}^{\le k}(X_0) = \bigcup_{i \le k} \mathcal{R}^{i}(X_0)$$ 
where R^i is the set of states reached in i steps, R^1 being the set of states reached during one step. 
Obtaining the exact set of reachable states is not possible unless a closed-form solution of the design equations is known. The goal is to construct an over-approximation that includes the original behavior. We propose a novel approach for reachability analysis using Taylor model arithmetic. As explained in Chapter 3, Taylor model arithmetic uses interval methods allowing the computation of an over-approximation of the solution function at each time point. Furthermore, symbolic simplifications are applied at each step, thereby reducing the interval calculations and consequently delaying the divergence problems that are typically associated with interval-based techniques. 
4.1.1 Taylor Model Based Reachability 
We now describe the reachability analysis algorithm based on Taylor model arithmetic. The image computation is the set of states reachable during one execution step. 
Definition 4.1.2. Taylor Model State Machine. 
A Taylor Model State Machine is a tuple T_I = (S_I, S_{I,0}, →_{Tf}), where S_I is the interval state space, S_{I,0} ⊆ S_I is the set of initial interval states, and →_{Tf} ⊆ S_I × S_I is a relation defined using the Taylor model forms Tf and capturing the abstract transition between interval states such that: 
$$\{\, s \rightarrow_{Tf} s' \mid \exists a \in s,\ \exists b \in s' : b = f(a) \text{ and } f \in Tf \,\}$$ 
where a, b ∈ R^d, s, s' ∈ S_I, f = {f_1, ..., f_d}, Tf = {Tf_1, ..., Tf_d} with f_i : R^d → R a continuous function, i ∈ {1, ..., d}, and f_i ∈ Tf_i, where Tf_i is the Taylor model of f_i. 
Definition 4.1.3. 1-Step Image Computation. 
The set of reachable states in 1 step from a given set of states S_k ⊆ I^d is denoted by R(S_k) and is defined in terms of S_{k+1} ⊆ I^d and F = (F_1, ..., F_d), where F_i : I^d → I is the interval evaluation of the formula f_i : R^d → R, i ∈ {1, ..., d}. 
Definition 4.1.4. k-Step Image Computation. 
The set of reachable states in less than k steps (0 ≤ i ≤ k), from a given set S_0 of states, is denoted by R^{≤k}(S_0) and is defined as: 
$$\mathcal{R}^{\le k}(S_0) = \bigcup_{i \le k} \mathcal{R}^{i}(S_0)$$ 
The advantage of using Taylor model arithmetic over interval arithmetic rests on the following points: first, Taylor models avoid or minimize common issues inherent in interval arithmetic, such as the dependency problem and the wrapping effect. Second, Taylor models provide a non-convex enclosure of the concrete reachable states, hence tighter abstract reachable states, leading to more precise verification results, as demonstrated by Lemma 4.1.1 below. Another advantage lies in the generation and validation of counter-examples. The structure of the Taylor models allows an efficient way to analyze counter-examples, as will be shown in more detail in Section 4.3.1. 
Starting from the initial conditions, the reachable states of the system of recurrence equations are an over-approximation of the reachable states of the system of piecewise equations. 
Statement. Given a set X_0 ⊆ R^d of initial states, described as an interval of dimension d, a final time t_f and a corresponding CT-AMS Trace Reach, compute an interval AMS Trace Reach = abs(Reach), where abs(.) is described as in Definition 3.2.10. 
Lemma 4.1.1. A Taylor Model Transition System T_TM is a refinement of the Interval Transition System T_I, such that T_I ⊑ T_TM ⊑ T, where T is the original CT-AMS Transition System. 
The Taylor model based reachability analysis is illustrated in Algorithm 1. The function TM_Reach(.) accepts as input the SREs representing the CT-AMS behavior, the maximum duration of the reachability T_f, the order O_t of the Taylor model approximation, the initial time step Δ_0 and the initial time T_0. If the reachability terminates successfully, TM_Reach(.) returns the set of reachable states R^f, where the index f denotes the analysis termination index; otherwise it returns the reachable states R^n up to time step n < f. There are two possible reasons for early termination of the algorithm: either an inclusion fixed point is reached, so that no new states will be explored, or the precision of the approximation cannot accurately capture the complete behavior of the design equations, which generally happens when the time step reaches a lower bound. 
The details of the algorithm are described as follows. At the beginning, the algorithm initializes the index n and the time step T_{n-1}. Initial conditions are provided as intervals written as a combination of two terms: a numerical term and a symbolic term representing the variations. For example, if x[0] = [1, 2], then this can be represented as x[0] = 1.5 + a, where a = [−0.5, 0.5]. In this way, symbolic terms can be propagated through the different cycles without being evaluated unless required^1. This is more efficient than representing the initial condition as a single term with interval width, which is larger when evaluated. Additionally, the set of reachable states R^0 is initialized, the time step Δ is set to the initial time step Δ_0, and the corresponding recurrence equations are generated from the ODE system using the SRE(.) function as described in Section 3.2 (Chapter 3). 
^1 The choice of evaluating a symbolic term by its original interval value is made according to the Taylor model rules R_TM described in Chapter 3, Section 3.1.4. 
The reachability algorithm is applied for a maximum time T_f (Line 3) and, if successful, returns the updated set of reachable states (Lines 9, 16 and 19). For each reachability step, we start by generating the Taylor model polynomial form of order O_t from the SRE equation (Line 4). Due to the over-approximating nature of the method, imprecise results might be obtained; in this case a flag Flag_Reachability_Imprecise (Line 23) is set, indicating a problem with the reachability, and only the reachable states up to the current cycle are returned. Otherwise, the reachability algorithm proceeds (Lines 5-23). We check the accuracy of the reachable states using the Suffic_Approx(.) function (Line 5); if the accuracy is bad^2, we end the reachability as stated before, otherwise we continue the algorithm. We define the intermediate Taylor model forms, i.e., x[n] where the time step is evaluated (Line 6) and x[n] which is the interval-based evaluation of the Taylor model (Line 7). The evaluation is done by the function eval(.), which takes a Taylor model form and the parameters to evaluate. If an inclusion fixed point is reached (Lines 8-10), the algorithm stops, as all reachable states have been visited. 
The next part of the algorithm (Lines 12-20) is concerned with checking for possible changes in the switching conditions using the function Eval_Cond(.). A trajectory of the CT-AMS design in the continuous state space can be thought of as a sequence of continuous trajectory segments with discrete components describing the switching conditions, defined using predicates. The valuation of the predicates over interval domains hence leads to a three-valued logic: the image of Eval_Cond(.) is {T, F, X}. Therefore, starting from an initial state, there could be more than one trace, as some switching conditions might not evaluate to either true or false. If Eval_Cond(.) evaluates to F, then the dynamics of the design are unchanged (Line 18), and the set of reachable states is updated (Line 19) before proceeding to the next time step. However, if Eval_Cond(.) evaluates to T (Line 14), then a new initialization of the dynamics is needed (Lines 15-17), 
^2 We say the accuracy of the approximation is bad if the minimum delta time step used is insufficient to capture the changes in the behavior; this is explained in more detail in Algorithm 2. 
which is the set of states at the intersection of the last reachable states and the threshold condition^3. When Eval_Cond(.) evaluates to X (Line 12), a function Switch_Check(.) is called in order to enhance the precision of the reachability and remove spurious nondeterminism (Line 13). The function Switch_Check(.) is described in more detail in Algorithm 3. 
Note. Concerning the termination of the algorithm, setting bounds on the maximum 
number of iterations ensures that the algorithm will eventually terminate in one of the 
possibilities described earlier. However, this is only guaranteed under the condition that 
each of the functions called by the algorithm (e.g., Suffic_Approx(.), Switch_Check(.)) 
will eventually terminate. 
4.1.2 Sufficient Discretization Conditions 
Time discretization is employed as a means to allow the formal verification of CT-AMS designs. Hence, the discretization must correctly capture the behavior of the CT-AMS design (see Chapter 3 for more details). In general, for the case where the time step τ is fixed, to ensure a precise coverage approximation of the reachable states, the assumption can be made that a switching condition is satisfied only at fixed instants defined in terms of τ.^4 In practice, for CT-AMS designs, a switching condition can be satisfied anywhere during the continuous trajectory. Consequently, the continuous evolution must be relaxed by allowing the time step to change in the range [0, τ] to capture all the required behaviors more precisely. 
On the other hand, interval methods for solving the initial value problem (IVP) of ODEs provide a simple form for the error term of the discrete methods, which can be bounded as long as some enclosure of the actual solution function is provided. Moreover, the step size may easily be modified during the approximation process. One advantage of 
^3 This is done using the interval-logical rules R_{Int-Logic} described in Chapter 3, Section 3.1.3. 
^4 This constraint is similar to the constraints in the verification of DT-AMS, which will be described in Chapter 6. 
Algorithm 1 Taylor Model Bounded Reachability: TM_Reach(x[n], T_f, O_t, Δ_0, T_0) 
Require: n = 1 
Require: T_{n-1} = T_0 
Require: x[n-1] = j + a, with j ∈ R^d, a ∈ I^d 
Require: R^0 ← x[n-1] 
Require: T_f and Δ ← Δ_0 
Require: x[n] = SRE(x(t)) 
 1: x[n-1] = x[n-1] 
 2: T_n = Inc_Step(T_{n-1}, Δ_0) 
 3: while T_n ≤ T_f do 
 4:   x[n] = TM_{O_t, x[n]}(x[n-1]) 
 5:   if Suffic_Approx(x[n], x[n-1], Δ_0) is Good then 
 6:     x[n] = eval(x[n], {Δ}) 
 7:     x[n] = eval(x[n], {a, Δ}) 
 8:     if x[n] ⊆ R^{n-1} then 
 9:       R^n = R^{n-1} 
10:       Return Flag_Fix_Point_Reached = True 
11:     end if 
12:     if Eval_Cond(x[n], x[n-1]) == X then 
13:       Call Switch_Check(x[n], x[n-1], R^n) 
14:     else if Eval_Cond(x[n], x[n-1]) == T then 
15:       x[n] = x[n] ∩ ||Switch_n|| 
16:       R^n = Update_Reach(R^{n-1}, x[n]) 
17:       x[n] = j + a' 
18:     else 
19:       R^n = Update_Reach(R^{n-1}, x[n]) 
20:     end if 
21:     inc(n) 
22:     T_n ← Inc_Step(T_{n-1}, Δ_0) 
23:   else 
24:     Return Flag_Reachability_Imprecise = True 
25:   end if 
26: end while 
27: Return Flag_Reachability_Done = True 
interval-based methods over conventional numerical methods is that a validation procedure for the existence of a unique solution is applied before finding the adequate enclosure of this solution between the two time steps. Usually, the validation and enclosure of solutions of an ODE system between two discrete points t_i and t_{i+1} is based on the Banach fixed-point theorem [89] and the application of the Picard operator [89]. 
Moreover, we need to guarantee that the discretization is sufficient, to ensure not only that the reachability covers all the reachable states, but also that it captures the main qualitative aspects of the trajectory. Enclosing the original trajectories using interval methods is sound (see Chapter 3, Section 3.1.3), but due to the associated over-approximation the qualitative aspects of the behavior might be lost, thus rendering the verification of certain properties intractable. Accordingly, complementary methods are necessary in order to capture the desired qualitative properties. 
An essential qualitative criterion is to guarantee that monotonicity is preserved during a time step τ. In order to check this condition, we use the generalized mean value theorem, which is an extension of the mean value theorem (MVT) to n dimensions that was proposed in [40]: 
Theorem 4.1.1. Generalized Mean Value Theorem. Given x(t) that is continuous on a time interval a ≤ t ≤ b and differentiable on a < t < b, assume that there exists a vector V orthogonal to x(a) and to x(b). Then ∃t_c : a < t_c < b such that V is orthogonal to ẋ(t_c). 
For instance, in the case of a 2-dimensional system, x = (x(t), y(t)), the generalized MVT reduces to the standard Cauchy MVT [39]: 
$$\dot{x}(t_c)\,[y(b) - y(a)] = \dot{y}(t_c)\,[x(b) - x(a)]$$ 
For a 3-dimensional system, x = (x(t), y(t), z(t)), we have [40]: 
$$x(a)\,[y(b)\dot{z}(t_c) - z(b)\dot{y}(t_c)] + z(a)\,[x(b)\dot{y}(t_c) - y(b)\dot{x}(t_c)] = y(a)\,[x(b)\dot{z}(t_c) - z(b)\dot{x}(t_c)]$$ 
Practically, we use quantified constraint based methods [11] and symbolic algebraic techniques [83] in order to simplify (e.g., eliminate quantifiers) and decide the satisfiability of the formulas representing the mean value theorem. The procedure to check for sufficient discretization is described in Algorithm 2. 
The function Suffic_Approx(.) is a recursive function that accepts as input the Taylor model forms x[n] and x[n-1] with the last chosen time step Δ, and returns one of the two possible values {Good, Bad} and, when possible, a time step that ensures capturing the qualitative behavior. The algorithm requires the index n of the last reached state and ε > 0, the smallest allowed time step. In order to ensure the termination of the algorithm, we add a limit on the minimum possible value of Δ = ε, beyond which the verification process is stopped. If monotonicity is preserved (Line 16), then we do not choose a smaller time step and the algorithm terminates. However, in case the monotonicity property is violated, we get a τ' which violates the monotonicity criterion and refine the time step (Lines 1-7 and 8-15). This is done in a recursive fashion until an adequate time step is chosen or the time step ε is reached. In that case, Suffic_Approx(.) evaluates to Bad and the verification stops, as the accuracy might not lead to a precise result. This means that a sufficient approximation for the reachability cannot be found. The function Sign(Slope(.)) returns the sign of the vector field, i.e., whether it is increasing or decreasing on the boundaries of the time interval [0, τ']. 
We use TM_j(x, τ) to denote the Taylor polynomial of degree j relative to the solution x(t) centered at x(0) with a step size of τ. For instance, TM_1(x(0), τ) is the vector expression x(0) + f(x(0))τ + I. 
Note. The termination of this algorithm can be ensured if the recursion depth is not infinite. In this respect, we choose a lower bound for the time step as the main criterion to avoid such a problem. Additionally, we assume the non-existence of Zeno behavior^5 when looking for an adequate time step. 
^5 Informally, a Zeno behavior leads to an execution that takes an infinite number of discrete computations during a finite time interval [4]. 
Algorithm 2 Sufficient Approximation: Suffic_Approx(x[n], x[n-1], Δ) 
Require: n ∈ N 
Require: ε ∈ R 
Require: Δ = Δ_0 
Require: x[n] = TM_{O_t, x[n]}(x[n-1]) 
Require: x[n] = eval(x[n], {Δ}) 
Require: x[n] = eval(x[n], {a, Δ}) 
Require: x[n-1] = eval(x[n-1], {a, Δ}) 
 1: if [∃τ'. x[n] = eval(x[n], {a, τ'}) ∧ 0 < τ' < Δ ∧ Sign(Slope(x[n])) ≠ Sign(Slope(x[n-1]))] == True then 
 2:   if τ' > ε then 
 3:     Δ = τ' 
 4:     Call Suffic_Approx(x[n], x[n-1], Δ) 
 5:   else 
 6:     Return Bad 
 7:   end if 
    ... 
      if τ' > ε then 
        Δ = τ' 
    ... 
4.1.3 Checking Switching Condition 
Due to the over-approximating nature of Taylor model evaluation, the evaluation of switching conditions in the AMS model might not be decided precisely. More specifically, there could be more than one successor for a given state if the decision on which switching condition holds at a given instant cannot be uniquely identified. In order to guarantee correct verification results, all possible reachability paths must be explored. On the other hand, from a correct-design point of view, nondeterminism cannot exist in AMS models. In other words, we have a valid assumption that at any instant, in reality, only one switching condition (or its complement condition) can be satisfied. 
In order to check whether a switching condition occurs between two time steps, we apply the intermediate value theorem. In the context of abstraction, a transition between two abstract states exists if a predicate valuation changes during the execution over an interval domain. We check for such conditional abstract transitions between two states by means of the intermediate value theorem (IVT) [39] as follows: 
Theorem 4.1.2. Intermediate Value Theorem. Given a predicate λ, two states S_1 and S_2 differing only in the valuation of λ, and a time step interval solution I : {a_1 ≤ x ≤ a_2}, there is a transition between S_1 and S_2 if S_1 ⊨ [λ]_{a_1} (i.e., λ(a_1) ∈ abs^{-1}(S_1)), S_2 ⊨ [λ]_{a_2} (i.e., λ(a_2) ∈ abs^{-1}(S_2)) and [λ]_{a_1} · [λ]_{a_2} ≠ 0; then ∃x such that [λ]_x = 0, with the interpretation function [.] : R^n → {+, −, 0}. 
To check for the above condition, we use interval analysis to guarantee that the solution is reliable: the real solutions are enclosed by the computed intervals. Such a guarantee is derived from the fundamental theorem of interval analysis [85]. 
The procedure for checking the evaluation of the switching conditions is described in Algorithm 3. The main function Switch_Check(.) is called whenever Eval_Cond(.) evaluates to X in Algorithm 1, in an effort to obtain more precise results concerning the evaluation of the switching conditions. The function accepts as input the Taylor model forms x[n] and x[n-1] with the updated set of reachable states R^n, and returns one of the two possible values {Switching_Occurs, No_Switching} or calls the function Refine_Switch(.) for more precise analysis. The function Switch_Check(.) requires the initial time step Δ_0, the current time T_n, as well as the Taylor model evaluations x[n] and x[n-1]. 
Suppose that there exists a switching condition Switch_n at cycle n which evaluates to X; then we make a temporary assumption that switching did not occur and we check for the reachable states at the next time step n+1 using the TM_Reach_Step(.) function (Line 1), which is a simplified version of the function TM_Reach(.) with the assumptions that Suffic_Approx(.) == Good and Switch_n is set to F. We have the options shown below, where ||Switch_n|| denotes the set of all states that evaluate Switch_n to T. 
• If Switch_{n+1} = T (Lines 2-5), then the switching indeed occurred at the previous time t_n. The reachable states are updated (Line 3) and an initialization is set for the newly selected dynamics (Line 4). 
• If Switch_{n+1} = F (Lines 6-7), then switching indeed did not occur. This follows from the interval evaluation property, which ensures that the evaluation at step n+1 encloses all previous states up to the time after t_n. 
• If Switch_{n+1} = X (Line 9), then we allow checking with robustness whether or not the switching occurs, by calling the function Refine_Switch(.). Informally speaking, given a robustness measure ε, check the distance between the switching condition and the current state. If it is less than ε, then we say that there is fragile switching: ||Switch_n|| ∩ X_{n+1} ≠ ∅. 
Note. The algorithm will eventually terminate in one of the possibilities described earlier. However, this is only guaranteed under the condition that each of the functions called by the algorithm (e.g., Eval_Cond(.), Refine_Switch(.)) will eventually terminate. 
Algorithm 3 Checking Switching Condition: Switch_Check(x[n], x[n-1], R^n) 
Require: Δ ← Δ_0 
Require: T_f = T_n + Δ 
Require: x[n] = TM_{O_t}(x[n], x[n-1]) 
Require: x[n] = eval(x[n], {Δ}) 
Require: x[n] = eval(x[n], {a, Δ}) 
 1: x[n+1] = TM_Reach_Step(x[n], T_f, O_t, T_n) 
 2: if Eval_Cond(x[n+1]) == T then 
 3:   R^n = Update_Reach(R^{n-1}, x[n]) 
 4:   x[n] = x[n] ∩ ||Switch_n|| = j' + a' 
 5:   Return Switching_Occurs 
 6: else if Eval_Cond(x[n+1]) == F then 
 7:   Return No_Switching 
 8: else 
 9:   Call Refine_Switch(x[n], Δ, ||Switch_n||) 
10: end if 
Example 4.1.1. Consider the circuit in Figure 3.4, with the voltages across the capacitors described using ODEs as follows: 
Mode 1: v'_{C1} = v_{C2} and v'_{C2} = −v_{C1} + v^2 
Mode 2: v'_{C1} = v_{C1}^2 + 2 v_{C1} v_{C2} + 3 v_{C2}^2 and v'_{C2} = 4 v_{C1} v_{C2} + 2 v_{C2}^2 
and the switching conditions as 
Cond_1 = Cond_2 = −0.5 v_{C1}(n) + v_{C2}(n) ≤ 4 
Suppose that the circuit starts in Mode 2, with initial conditions v_{C1} = −10 + a, where a = [−0.3, 0.3], and v_{C2} = 5 + b, where b = [−0.3, 0.3]. The switching condition threshold is satisfied at voltage values v_{C1} = −6.6 + a' with a' = [−0.16361, 0.125] and v_{C2} = 0.5 + b' with b' = [0.118195, 0.2625], which are in turn the initial states for the dynamics in Mode 1. The trajectory of the circuit with the switching condition is illustrated in Figure 4.2. 
Figure 4.2: Switching Condition Satisfaction (the switching line in the plot is labelled 0.5 Vc1 + Vc2 <= 4) 
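As an added illustration of Algorithm 1, Algorithm 3 and Example 4.1.1 (example code, not code from the thesis), the following Python keeps the initial variations a and b symbolic, truncates the polynomial at a chosen order by folding higher monomials into the interval part, evaluates the switching condition three-valued (T, F, X) and applies the one-step look-ahead of Switch_Check. Assumptions: degree-1 (Euler) steps of 0.01 without the ODE integration remainder of a true Taylor model, the mode-2 dynamics only, and a fixed horizon of 0.2 time units.

```python
from itertools import product
class Interval:
    def __init__(self, lo, hi=None):        # closed interval [lo, hi]
        self.lo, self.hi = float(lo), float(lo if hi is None else hi)
    def __add__(self, o):
        o = _iv(o)
        return Interval(self.lo + o.lo, self.hi + o.hi)
    def __mul__(self, o):
        o = _iv(o)
        p = (self.lo * o.lo, self.lo * o.hi, self.hi * o.lo, self.hi * o.hi)
        return Interval(min(p), max(p))
    def subset(self, o):
        return o.lo <= self.lo and self.hi <= o.hi

def _iv(v):
    return v if isinstance(v, Interval) else Interval(v)

def ipow(x, k):
    """Tight x**k: an even power of an interval straddling 0 starts at 0."""
    lo, hi = x.lo ** k, x.hi ** k
    if k and k % 2 == 0 and x.lo < 0.0 < x.hi:
        return Interval(0.0, max(lo, hi))
    return Interval(min(lo, hi), max(lo, hi))

# A form is a polynomial in the symbolic variation terms (a, b): {exponent tuple:
# interval coefficient}; the constant term doubles as the interval (remainder) part.
# Assumed simplification: only the truncation of the symbolic polynomial is bounded,
# not the integration error of a true Taylor model, so the boxes enclose the Euler
# recurrence x[n] = x[n-1] + dt f(x[n-1]) rather than the continuous solution.
ZERO = (0, 0)

def tm_add(p, q):
    r = dict(p)
    for e, c in q.items():
        r[e] = r.get(e, Interval(0.0)) + c
    return r

def tm_scale(p, k):
    return {e: c * k for e, c in p.items()}

def tm_mul(p, q, order, dom):
    """Product; monomials above `order` are bounded over the symbol domains `dom`
    and folded into the constant interval term (the Taylor model remainder)."""
    r = {}
    for (e1, c1), (e2, c2) in product(p.items(), q.items()):
        e, c = tuple(i + j for i, j in zip(e1, e2)), c1 * c2
        if sum(e) > order:
            for k, d in zip(e, dom):
                c = c * ipow(d, k)
            e = ZERO
        r[e] = r.get(e, Interval(0.0)) + c
    return r

def tm_eval(p, dom):
    """eval(x[n], {a, b}): replace every symbolic term by its interval."""
    total = Interval(0.0)
    for e, c in p.items():
        for k, d in zip(e, dom):
            c = c * ipow(d, k)
        total = total + c
    return total

def mode2_step(v1, v2, dt, order, dom):
    """One step of the mode-2 ODEs of Example 4.1.1 in form arithmetic:
    v1' = v1^2 + 2 v1 v2 + 3 v2^2,  v2' = 4 v1 v2 + 2 v2^2."""
    v11, v12, v22 = (tm_mul(v1, v1, order, dom), tm_mul(v1, v2, order, dom),
                     tm_mul(v2, v2, order, dom))
    f1 = tm_add(tm_add(v11, tm_scale(v12, 2.0)), tm_scale(v22, 3.0))
    f2 = tm_add(tm_scale(v12, 4.0), tm_scale(v22, 2.0))
    return tm_add(v1, tm_scale(f1, dt)), tm_add(v2, tm_scale(f2, dt))

def eval_cond(b1, b2, threshold=4.0):
    """Eval_Cond over intervals: -0.5 v1 + v2 <= threshold is T, F or X."""
    lhs = Interval(-0.5) * b1 + b2
    if lhs.hi <= threshold:
        return "T"
    if lhs.lo > threshold:
        return "F"
    return "X"

def tm_reach(dom, dt=0.01, order=2, t_f=0.2):
    """Algorithm 1 skeleton from v_C1 = -10 + a, v_C2 = 5 + b with (a, b) in dom."""
    v1, v2 = {ZERO: Interval(-10.0), (1, 0): Interval(1.0)}, {ZERO: Interval(5.0), (0, 1): Interval(1.0)}
    boxes, n, t = [], 1, dt                  # boxes: accumulated reachable set R^n
    while t <= t_f + 1e-12:
        v1, v2 = mode2_step(v1, v2, dt, order, dom)
        b1, b2 = tm_eval(v1, dom), tm_eval(v2, dom)
        if any(b1.subset(p1) and b2.subset(p2) for p1, p2 in boxes):
            return "Fix_Point_Reached", n, boxes     # inclusion fixed point
        boxes.append((b1, b2))
        cond = eval_cond(b1, b2)
        if cond == "X":            # Switch_Check (Algorithm 3): look one step ahead
            n1, n2 = mode2_step(v1, v2, dt, order, dom)
            cond = eval_cond(tm_eval(n1, dom), tm_eval(n2, dom))
            if cond == "X":
                return "Refine_Switch_Needed", n, boxes
        if cond == "T":
            return "Switching_Occurs", n, boxes     # hand over to the mode-1 dynamics
        n, t = n + 1, t + dt
    return "Reachability_Done", n, boxes
```

Running tm_reach with zero-width domains reproduces the point trajectory (switching after seven steps near v_C1 ≈ −6.4, v_C2 ≈ 0.47); with a, b = [−0.3, 0.3] every box encloses that trajectory and the verdict at the threshold is either T or an X that Refine_Switch would have to resolve.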
4.2 Bounded Model Checking 
Given an AMS system, an initial set X_0 and a bad set B_X, the verification problem is to determine whether there is an execution of the AMS starting in X_0 and ending in B_X. If the system is safe (i.e., B_X is unreachable), a complete verification strategy should be able to demonstrate this. In such a case, the bounded model checking (BMC) technique is often used. 
The general BMC problem can be encoded as follows [14]: 
$$BMC(P, k) \triangleq I(s_0) \wedge \bigwedge_{i=0}^{k-1} T(s_i \rightarrow s_{i+1}) \rightarrow P(s_k)$$ 
where I(s_0) is the initial valuation of the state variables, s_i is the state variable valuation at step i, T defines the transition between two states and P(s_k) is the property at step k. In practice, the negation of the property (¬P) under verification is used in the BMC algorithm. When a satisfying valuation is returned by the solver, it is interpreted as a counter-example of length k and the property P is proved unsatisfied (¬P is satisfied). However, if the problem is determined to be unsatisfiable, the solver produces a proof (of unsatisfiability) of the fact that there are no counter-examples of length k. For instance, the BMC problem for safety properties P(k) = Gp(k) can be encoded as follows [14]: 
$$BMC(P, k) \triangleq I(s_0) \wedge \bigwedge_{i=0}^{k-1} T(s_i \rightarrow s_{i+1}) \wedge \bigvee_{i=0}^{k} \neg p(s_i)$$ 
while the BMC problem for liveness properties P(k) = Fp(k) can be encoded as follows [14]: 
$$BMC(P, k) \triangleq I(s_0) \wedge \bigwedge_{i=0}^{k-1} T(s_i \rightarrow s_{i+1}) \wedge \bigwedge_{i=0}^{k} \neg p(s_i)$$ 
Bounded model checking is then defined as follows: 
Definition 4.2.1. Bounded Model Checking. 
Given a natural number k > 0, a state transition machine (S_I, S_{I,0}, →_{Tf}) as defined above, and a property P, we say that property P is verified for k steps if: 
$$\forall s \in \mathcal{R}^{\le k}(S_0) : s \models P$$ 
where S_0 is the set of initial states. 
Generally, a symbolic algorithm that computes the set of reachable states from XQ 
by iteratively computing the set of states reachable in discrete (or continuous steps) can-
not be guaranteed to terminate after a bounded number of iterations. In addition, unlike 
BMC for discrete systems, it is not possible to calculate an upper bound on the number 
of future/past iterations for which the formula should be checked in order to guarantee 
that the property holds. However, incorporating time constraints into the temporal logic 
property can overcome such problems, i.e., we ask if a property holds until we are no 
longer in the time-frame of interest, as opposed to asking if the property holds forever. 
In the bounded version of the model-checking task, we are only interested in the system evolution over a bounded time horizon or a bounded number of steps. This is achieved using the timed temporal logic MITL as the property language. 
4.2.1 Interval Based Bounded Model Checking 
In this section, we present a BMC algorithm for AMS designs. We explore a solution relying on symbolic and interval computational methods. Our BMC approach is based on modeling the transition function as SREs over the Taylor model forms. We proceed on the SRE traces using a time step h, which implies that our answer is relative to a limited time interval. For recurrence equations, we have h = 1. For differential equations, we approximate them using Taylor models with h ∈ R^+, ensuring that the accumulated error due to the h-approximation is confined in the interval part of the Taylor model. We consider properties specified in an MITL-like language. 
According to the standard semantics for temporal logic, the satisfaction of a formula with unbounded modalities can be hard to determine. In fact, given an atomic proposition p, only the satisfaction of Fp or the violation of Gp can be detected in finite time. By using bounded modalities we avoid the problems arising from the ambiguity of ⊨. We restrict ourselves to traces which are sufficiently long. The necessary length associated with a formula φ, denoted by ||φ||, is inductively defined on the structure of the formula: 
$$\|\neg\phi\| = \|\phi\|$$ 
$$\|\phi_1 \vee \phi_2\| = \max(\|\phi_1\|, \|\phi_2\|)$$ 
$$\|G_{[a,b]}\,\phi_1\| = \|\phi_1\| + b$$ 
$$\|F_{[a,b]}\,\phi_1\| = \|\phi_1\| + b$$ 
We now have that a ⊨ φ is well defined whenever |a| ≥ ||φ||. 
Example 4.2.1. The interpretation of the MITL properties in a bounded model checking context can be made clear with the examples below. 
Case 1: τ is fixed 
• G_{≤100} F_{≤5} p := ⋀_{n_1} ⋁_{n_2} p ∧ (n_1 × τ ≤ 100) ∧ (n_2 × τ ≤ 5) 
• F_{≤100} G_{≤5} p := ⋁_{n_1} ⋀_{n_2} p ∧ (n_1 × τ ≤ 100) ∧ (n_2 × τ ≤ 5) 
• G_{≤100}(q → F_{≤5} p) := ⋀_{n_1}(¬q ∨ F_{≤5} p) = ⋀_{n_1}(¬q ∨ ⋁_{n_2} p) ∧ (n_1 × τ ≤ 100) ∧ (n_2 × τ ≤ 5) 
Case 2: τ is variable 
• G_{≤100} F_{≤5} p := ⋀_{n_1} ⋁_{n_2} p ∧ (Σ_{n_1} τ_{n_1} ≤ 100) ∧ (Σ_{n_2} τ_{n_2} ≤ 5) 
• F_{≤100} G_{≤5} p := ⋁_{n_1} ⋀_{n_2} p ∧ (Σ_{n_1} τ_{n_1} ≤ 100) ∧ (Σ_{n_2} τ_{n_2} ≤ 5) 
• G_{≤100}(q → F_{≤5} p) := ⋀_{n_1}(¬q ∨ F_{≤5} p) = ⋀_{n_1}(¬q ∨ ⋁_{n_2} p) ∧ (Σ_{n_1} τ_{n_1} ≤ 100) ∧ (Σ_{n_2} τ_{n_2} ≤ 5) 
As n_i ∈ N, τ ∈ R^+ and the clock constraint is in N, in the general case we can only have n_i and n_j such that j = i + 1, (n_i × τ ≤ C) and (n_j × τ > C). We need to add the notion of time tolerance, where we check for properties with clocks C + ε, where ε < τ and C + ε < n_j × τ. It is worth noting that Q_{≤T_f} is equivalent to Q_{[0,T_f]}, where Q is a quantifier F or G and T_f is the maximum time length associated with the temporal quantifier. 
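As an added example (not from the thesis) of the bounded interpretation in Example 4.2.1 and of the length rule ||φ|| above: the code evaluates G_{≤100} F_{≤5} p and the other two properties over constructed sampled traces, once with a fixed step τ (Case 1) and once with variable steps (Case 2), refuses traces shorter than ||φ||, and implements the time tolerance by checking each clock constraint C as C + ε. The tuple syntax for formulas, the base case ||p|| = 0 for an atomic proposition, and all sample traces are assumptions constructed here.

```python
# Formula syntax (constructed for this example): an atomic proposition is a string;
# ("not", f), ("or", f, g), ("and", f, g); ("G", b, f) and ("F", b, f) stand for
# G_{<=b} f and F_{<=b} f, i.e. the interval [0, b] of Example 4.2.1.

def length(phi):
    """||phi||: the trace duration needed for phi to be well defined.
    Assumed base case ||p|| = 0 for an atomic proposition (not stated in the text)."""
    if isinstance(phi, str):
        return 0.0
    op = phi[0]
    if op == "not":
        return length(phi[1])
    if op in ("or", "and"):
        return max(length(phi[1]), length(phi[2]))
    return length(phi[2]) + phi[1]          # G_[a,b] and F_[a,b]: ||phi1|| + b

def holds(phi, trace, i, eps=0.0):
    """Bounded semantics at sample i of trace = [(t_n, {prop: bool}), ...].
    A clock constraint C is checked as C + eps (time tolerance), eps < every step."""
    if isinstance(phi, str):
        return trace[i][1][phi]
    op = phi[0]
    if op == "not":
        return not holds(phi[1], trace, i, eps)
    if op == "or":
        return holds(phi[1], trace, i, eps) or holds(phi[2], trace, i, eps)
    if op == "and":
        return holds(phi[1], trace, i, eps) and holds(phi[2], trace, i, eps)
    bound, sub, t_i = phi[1], phi[2], trace[i][0]
    # Case 1 (fixed tau): n2 * tau <= C; Case 2 (variable tau): sum of the steps <= C.
    # Both are the elapsed time t_j - t_i read off the sampled instants.
    window = [j for j in range(i, len(trace)) if trace[j][0] - t_i <= bound + eps]
    if op == "G":
        return all(holds(sub, trace, j, eps) for j in window)
    return any(holds(sub, trace, j, eps) for j in window)

def check(phi, trace, eps=0.0):
    """Evaluate phi at the first sample; None when |trace| < ||phi|| (not well defined)."""
    if trace[-1][0] - trace[0][0] < length(phi):
        return None
    return holds(phi, trace, 0, eps)

def make_trace(steps, period):
    """Constructed trace: sampled at t_0 = 0 plus the given steps, with p true exactly
    at the instants that are multiples of `period` and q true everywhere."""
    t, trace = 0.0, []
    for dt in (0.0,) + tuple(steps):
        t += dt
        trace.append((t, {"p": t % period == 0.0, "q": True}))
    return trace

# The three properties of Example 4.2.1; the implication is written as G(not q or F p).
G100_F5_P = ("G", 100.0, ("F", 5.0, "p"))
F100_G5_P = ("F", 100.0, ("G", 5.0, "p"))
G100_Q_IMPLIES_F5_P = ("G", 100.0, ("or", ("not", "q"), ("F", 5.0, "p")))

FIXED = make_trace([2.0] * 55, 8.0)                      # Case 1: tau = 2, p every 8 units
VARIABLE = make_trace([1.0, 1.0, 2.0, 4.0] * 14, 4.0)    # Case 2: tau in {1, 2, 4}, p every 4
```

On FIXED, from the sample at t = 2 the next p is at t = 8, six time units away: with clock 5 the property fails, while the tolerance ε = 1 (below τ = 2) admits that sample and the property holds.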
4.2.2 BMC Algorithms 
The bounded timed safety verification is illustrated in Algorithm 4. The function G_Verify(.) accepts as input the SREs representing the CT-AMS behavior, the order O_t of the Taylor model approximation, the initial time step Δ_0 and the property predicate p. The verification terminates successfully if the time steps chosen capture the necessary behavior of the design. This is ensured using the function Suffic_Approx(.) (Line 4). In this case, either the property is verified to True (Lines 5-8), or an abstract counter-example is generated (Lines 9-11) demonstrating the violation of the property. The function Generate_CE(.) (Line 11) is used to generate and validate the counter-example. In case the function Suffic_Approx(.) cannot capture the behavior correctly, the verification stops in a failed state (Line 21). 
The details of the algorithm are described as follows. The algorithm starts by resetting the index n and the time step T_{n-1}. Initial conditions described as intervals are written as a combination of two terms: a numerical term and a symbolic term representing the variations. The next step is the generation of the corresponding recurrence equations from the ODE system using the SRE(.) function, and the time step Δ is set to the initial time step Δ_0. The maximum time length of the verification is measured according to the rules in Section 4.2.2. The loop (Lines 4-13) describes the verification procedure for a period of time equal to the length of the property under verification. 
The function Prop_Check is described as follows: given the Taylor model forms representing the transition function and the property ¬Prop(.), apply symbolic algebraic techniques [83] to check for satisfiability. The safety verification at a given step n can be defined with the following formula: 
$$Prop\_Check = \big(x[n] = TM_{O_t, x[n]}(x[n-1])\big) \wedge \neg Prop(x[n]) \wedge x[n-1] \in I^d$$ 
Note. The algorithm will eventually terminate in one of the possibilities described earlier. However, this is only guaranteed under the condition that each of the functions called by the algorithm (e.g., Suffic_Approx(.), Prop_Check(.) and TM_Reach(.)) will eventually terminate. 
The bounded timed liveness verification for checking F_{≤T_f} p properties is illustrated in Algorithm 5. The function F_Verify(.) accepts as input the SREs representing the CT-AMS behavior, the order O_t of the Taylor model approximation, the initial time step Δ_0 and the property predicate p. The loop (Lines 4-13) describes the verification procedure for a period of time equal to the length of the property under verification. The verification terminates successfully if the time steps chosen capture the necessary behavior of the design. This is ensured using the function Suffic_Approx(.) (Line 4). In this case, either the property is verified to True (Lines 10-11), or it is verified to False at the current verification step (Lines 5-8) and the time step is incremented. 
Algorithm 4 Bounded Timed Safety Verification G_{≤T_f} p: G_Verify(p, x[n], O_t, Δ_0, T_0) 
Require: n = 1 
Require: T_{n-1} = T_0 
Require: x[n-1] = j + a, with j ∈ R^d, a ∈ I^d 
Require: R^{n-1} ← x[n-1] 
Require: x[n] = SRE(x(t)) 
Require: Δ ← Δ_0 
Require: T_f = Length(G_{≤T_f} p) 
Require: G_Verify_flg = 1 
 1: x[n-1] = x[n-1] 
 2: x[n] = TM_{O_t, x[n]}(x[n-1]) 
 3: Prop[n] = Symbolic_Comp({p, x[n]}) 
 4: while T_n ≤ T_f and Flag_Fix_Point_Reached == False and Suffic_Approx(x[n], x[n-1]) is Good do 
 5:   if Prop_Check(Prop[n], x[n], R^{n-1}) == True then 
 6:     R^n = TM_Reach(x[n], T_{n-1} + Δ, O_t, Δ, T_{n-1}) 
 7:     inc(n) 
 8:     t_n = Inc_Step(t_{n-1}, Δ) 
 9:   else 
    ... 
    if Flag_Reachability_Imprecise == False then 
      if G_Verify_flg == 1 then 
    ... 
If the maximum time step is reached or an inclusion fixpoint occurs without having reached a state satisfying the property, then an abstract counter-example is generated (Lines 15-16) demonstrating the violation of the property. The function Generate_CE(.) (Line 16) is used for the generation and validation of the counter-example. In case the function Suffic_Approx(.) cannot capture the behavior correctly, the verification stops in a failed state (Line 23). Other details concerning the algorithm are the following. The algorithm starts by resetting the index n and the time step T_{n-1}. Initial conditions described as intervals are written as a combination of a numerical and a symbolic term. The time step Δ is set to the initial time step Δ_0. The maximum time length of the verification is measured according to the rules in Section . 
Note. Similar to Algorithm 4, the liveness algorithm will eventually terminate in one of the possibilities described earlier. However, this is only guaranteed under the condition that each of the functions called by the algorithm (e.g., Suffic_Approx(.), Prop_Check(.) and TM_Reach(.)) will eventually terminate. 
Algorithms 4 and 5 define the procedures for checking basic properties of CT-AMS designs. However, the verification approach we propose supports properties that can be written using the MITL subset defined in Section 3.3 (Chapter 3). For instance, a general time-bounded safety property can be checked using Algorithm 6 below.
In Algorithm 6, the function G_Verify_φ(.) accepts as input the SREs representing the CT-AMS behavior, the order Ot of the Taylor model approximation, the initial time step Δ0 and the property φ. Similar to Algorithm 4, the verification terminates successfully if the chosen time steps capture the necessary behavior of the design. This is ensured using the function Suffic_Approx(.) (Line 3). In this case, either the property is verified to True using the function φ_Verify(.) (Lines 4-7), or an abstract counter-example is generated (Lines 9-10) demonstrating the violation of the property. The function Generate_CE_φ(.) (Line 10) is used for the generation and validation of the counter-example. In case the function Suffic_Approx(.) cannot capture the behavior correctly, the verification stops in a failed state (Line 17).
Algorithm 5 Timed Liveness Verification F_{≤Tf} p: F_Verify(p, x[n], Ot, Δ0, T0)
Require: n = 0
Require: T_{n−1} = T0
Require: x[0] = j + a, with j ∈ N ∧ a ∈ I^d
Require: R^{n−1} ← x[n−1]
Require: x[n] = SRE(x(t))
Require: Δ ← Δ0
Require: F_Verify_flg = 0
Require: Tf = Length(F_{≤Tf} p)
 1: x̂[n−1] = x[n−1]
 2: x[n] = TM_{Ot,x[n]}(x̂[n−1])
 3: Prop[n] = Symbolic_Comp({p, x[n]})
 4: while Tn < Tf and Flag_Fix_Point_Reached == False and Suffic_Approx(x[n], x[n−1]) is Good do
 5:   if Prop_Check(Prop[n], x[n], R^{n−1}) == False then
 6:     R^n = TM_Reach(x[n], T_{n−1} + Δ, Ot, Δ, T_{n−1})
 7:     inc(n)
 8:     t_n = Inc_Step(t_{n−1}, Δ0)
 9:   else
10:     F_Verify_flg = 1
11:     return Property_Is_True
12:   end if
13: end while
14: if Flag_Reachability_Imprecise == False then
15:   if (Flag_Fix_Point_Reached == False or Tn > Tf) and F_Verify_flg == 0 then
16:     Call Generate_CE(x[n])
17:   else
18:     if F_Verify_flg == 1 then

The functions φ_Verify(.) and Generate_CE_φ(.) are chosen based on the property φ. For example, if the main property to verify is Gp, then φ refers to p, φ_Verify(.) corresponds to G_Verify(.), and Generate_CE_φ(.) corresponds to Generate_CE(.), which is described in the next section.
Algorithm 6 Bounded Timed Safety Verification G_{≤Tf} φ: G_Verify_φ(φ, x[n], Ot, Δ0, T0)
Require: n = 1
Require: T_{n−1} = T0
Require: x[n−1] = j + a, with j ∈ N ∧ a ∈ I^d
Require: R^{n−1} ← x[n−1]
Require: x[n] = SRE(x(t))
Require: Δ ← Δ0
Require: Tf = Length(G_{≤Tf} φ)
Require: G_Verify_flg_φ = 1
 1: x̂[n−1] = x[n−1]
 2: x[n] = TM_{Ot,x[n]}(x̂[n−1])
 3: while Tn < Tf and Flag_Fix_Point_Reached == False and Suffic_Approx(x[n], x[n−1]) is Good do
 4:   if φ_Verify(x[n], Ot, Δ, T_{n−1}) == True then
 5:     R^n = TM_Reach(x[n], T_{n−1} + Δ, Ot, Δ, T_{n−1})
 6:     inc(n)

11:   end if
12: end while
13: if Flag_Reachability_Imprecise == False then
14:   if G_Verify_flg_φ == 1 then
15:     return Property_Is_True
16:   else
17:     return Verification_Failed
18:   end if
19: end if
Note. Similar to Algorithm 4, the general safety algorithm terminates in one of the above-mentioned possibilities under the condition that the functions called by the algorithm (e.g., Suffic_Approx(.), φ_Verify(.)) eventually terminate.
Example 4.2.2. Oscillators play a critical role in communication systems, providing the periodic signals needed for the timing of digital circuits and for frequency translation. While an oscillator can mean anything that exhibits periodically time-varying characteristics, we are concerned with the type that generates an electrical signal (voltage or current) at a specific frequency when supplied only with DC power.
For instance, consider the circuit in Example 4.1.1, one of whose dynamics is described by v′_{c1} = v_{c2} and v′_{c2} = −v_{c1} + v^j. The oscillation property can be formally described as:
Prop1 : G_{[0,7e−3]}(F_{[0,2e−3]} p2) ∧ G_{[0,7e−3]}(F_{[0,2e−3]} p1)
where p1 = ¬p2 := V_{c1} < V_{c2}.
Applying Algorithm 1 to build the Taylor-model based reachable states, we observe the oscillation behavior illustrated in Figure 4.3, where the reachable states are bounded by the corresponding Taylor model polynomials.
In order to check the satisfaction of the oscillation property, we apply Algorithm 6.
We also checked several safety properties, e.g.,
Prop2 : G(−0.5 < V_{c1} < 0.5) ∧ (−0.5 < V_{c2} < 0.5)
and
Prop3 : G(−1 < V_{c2} < 1)
which are verified by applying Algorithm 4.
For illustration purposes, we provided two different sets of initial states x[0] and y[0]:
Figure 4.3: Oscillation Behavior for Circuit in Example 3.4 (Chapter 3)
Parameters1: a → [−0.03, 0.03], b → [−0.03, 0.03], Δ → 0.01, x[0] = 0.3 + a, y[0] = −0.3 + b
Parameters2: a → [−0.03, 0.03], b → [−0.03, 0.03], Δ → 0.01, x[0] = 1 + a, y[0] = 0.2 + b
We implemented the verification algorithms in Mathematica and applied them to the design. The verification results for the two possible switching cases of this circuit (we refer to these as circuit 1 and circuit 2) are shown in Table 4.1. For the first set of initial conditions shown above, we find that the circuit behaves in accordance with the properties, hence the properties are satisfied. For the second set of initial conditions, the safety properties Prop2 and Prop3 are violated, while divergence prevents us from checking whether the circuits are oscillating or not.⁶
When a property is not verified, a counter-example is generated to help identify the reasons for the property violation. Due to the over-approximation of the BMC algorithms, the generated counter-example is an abstract one. Therefore, the counter-example must be validated and, when possible, in case it is a spurious one, the information from it is used to refine the abstract reachable states. In this respect, we extend the BMC algorithm with a counter-example analysis engine as shown in Figure 4.1.
⁶ The experiments were performed on an Intel Core2 1900 MHz processor with 2 GB of RAM.
Table 4.1: Oscillator Verification Results (for k = 0 to Nmax steps)
Circuit & Properties: Nmax = 700
  Not Verified (Divergence)
  Proved False at k = 18
  Proved False at k = 18
Circuit & Properties: Nmax = 1200
  Not Verified (Divergence)
  Proved False at k = 4
  Proved False at k = 9
4.3 Finding Counter-example
This section presents the counter-example analysis for safety properties. In the verification approach, safety of an over-approximation implies safety of the actual system. On the other hand, if the over-approximation is unsafe, it is not necessarily the case that the design is faulty; in this case, the generated counter-examples might be spurious. A counter-example is defined as follows:
Definition 4.3.1. Counter-example.
A trace Ω = (σ, x, X) of the AMS system is called an abstract counter-example with respect to the property Gp if σ_n ∩ Γ(p) ≠ ∅, where Γ is the concretization function abs⁻¹. Ω is a corresponding abstract counter-example of a concrete one if ∃ρ ∈ Γ(σ) such that ρ = Γ(σ)_0, Γ(σ)_1, ..., Γ(σ)_n is a real trajectory of the system and ρ_n ∩ Γ(p) ≠ ∅.
The validation algorithm as proposed has two possible outcomes: either it is proved 
that a forbidden state cannot be reached within the time limit considered or that there 
exists a counter-example that cannot be refuted. Since the validation procedure relies on 
over-approximations, it cannot be guaranteed that this abstract counter-example corre-
sponds to a concrete one. An abstract counter-example is true if it includes a concrete 
one, otherwise it is spurious. This fact is due to the over-approximation of the abstrac-
tion. Informally speaking, a concretization of a counter-example adds more trajectories 
that might not correspond to real ones. We say that a counter-example is spurious accord-
ing to the following definition: 
Definition 4.3.2. Spurious Counter-example.
A trace Ω = (σ, x, X) of the AMS system is a spurious counter-example with respect to the property Gp if σ_n ∩ Γ(p) ≠ ∅ but there is no ρ ∈ Γ(σ) with ρ_n ∩ Γ(p) ≠ ∅.
When using over-approximations, there is no guarantee that a spurious counter-example can be refuted. Technically, this happens if the approximation is too coarse because the current bounds are too large and permit behaviors that are impossible in reality. It is indicative of a very slim error margin separating the reachable states from the bad ones. The likelihood of refuting spurious counter-examples can be increased, however, by using tighter approximations. Hence, refining the over-approximation is necessary until the system is proven safe after closer analysis, or the system is considered fragile because it is unsafe for a sufficiently small value of the bound tolerance ε. In other words, if a counter-example that reaches a bad state within a distance < ε has been found, we say that the concrete system is unsafe with fragility [20].
Definition 4.3.3. A counter-example is called fragile if any disturbance of arbitrarily small positive tolerance level of its states makes it safe.
Such a property is of great importance for the termination of the counter-example refinement, as proposed in [34] and hinted at in [20]. If we have a counter-example trace, then before going to the refinement procedure we measure the fragility of the trace; if it is fragile, we conclude that the design is overall fragile with respect to the safety property and therefore the parameters need to be redesigned.
4.3.1 Counter-example Generation and Validation
The straightforward method to obtain a tighter enclosure of the reachable flow is to increase the order of the Taylor polynomial expansion of the dynamics: starting from an abstract initial set of states and with an increased polynomial order, check the validity of the trace. If bad states are not reachable, then we are done and verification terminates. If bad states are reached, a counter-example is generated. If the counter-example is a valid one, then verification terminates; otherwise, a refinement procedure is applied, and verification is re-applied.
Inevitably, increasing the order of the Taylor expansion requires the symbolic analysis algorithms to deal with more polynomial terms, which can be expensive in terms of memory and time. Instead, we propose a counter-example procedure that takes advantage of the symbolic representation of the structure of Taylor models in order to generate counter-examples and validate them.
As described before, at any time instant the system of equations is a function only of the initial states, represented symbolically using first-order polynomial terms. Thus, we are not obliged to generate a whole trace for the counter-example; it is sufficient to identify the initial states that might cause the bad behavior. A validation procedure then checks whether those initial states will eventually lead to bad states violating the property of interest, or whether the counter-example was spurious due to over-approximation.
The AMS behavior can be described using a concatenation of continuous traces according to (discrete) switching rules, as described in Chapter 3. Thus, showing that any one of the discrete transitions in the counter-example is spurious is a sufficient condition for the non-existence of a corresponding concrete trace. This is clear from the fact that, given an initial condition, if a state cannot be reached using Algorithm 1, then no trace can exist that includes this state and starts from the same initial condition. Technically, two procedures, for the refinement of the discrete and of the continuous dynamics, can be used to implement this observation. Refinement of the discrete dynamics is based on checking whether a switching condition changes from True to False. If this is the case, then the counter-example is refuted. The refinement of the continuous dynamics first subdivides the initial states and then calls the Liveness Verification F_{≤Tf} p function F_Verify(.) for validation. If the function returns True, then the counter-example is a concrete one; otherwise we call a procedure to check whether the counter-example is spurious or fragile.
The counter-example procedure is described in Algorithm 7. Given the reachable states that are a subset of the bad states (Line 1), we identify the corresponding initial interval states a^m ∈ σ (Line 2). Next, we verify whether those initial states will truly lead to a bad behavior or not (Lines 3-16). This can be done through two complementary methods. First, we check the switching conditions (Lines 6-8). If the valuation of a switch is proved not satisfied, then we conclude that no trajectory initiated from the selected initial condition will lead to a property violation. Otherwise, we construct the corresponding trajectory (Lines 12-13). If the bad region is reached (Line 12), then we have a concrete counter-example. Otherwise a fragility-based refinement and analysis of the trace is applied (Lines 17-19).
Note. Counter-example generation and validation for Fp can be obtained by validating the dual property G¬p. If G¬p is True, then the reachable states form a non-spurious counter-example; this is due to the over-approximation of the reachable states. If the property is False, then we get a counter-example. If the counter-example is proved not spurious, then Fp is True; otherwise, the counter-example is refined to check its validity.
Algorithm 7 Counter-example Generation and Refutation for Safety Properties: CE_Analysis(p, x[k], t_k)
Require: X[n] = {x[n] | n ∈ N ∧ n ≤ k}
Require: x[k] = eval(x[k], {a, Δ})
Require: B = ‖p‖
 1: B_k = x[k] ∩ B
 2: Ω = {a^m | ∃a^m . x[k] ⊆ B_k ∧ a^m ∈ σ}
 3: for m = |Ω| Down To 1 do
 4:   for n = 0 to k − 1 do
 5:     x_CE[n] = eval(x[n], {a^m})

    if a^m ∈ Ω then
      if F_Verify(p, x_CE[n], Ot, Δ0, T0) == True then

    if Ω ≠ ∅ then

Example 4.3.1. Consider the circuit in Figure 3.4, where we would like to check the safety property that the voltage never goes below a certain value, G(V_{c2} > −0.60), for a given set of initial conditions a ∈ [−0.03, 0.05] and b ∈ [−0.03, 0.03]. We see that the property is violated, as shown in Figure 4.4.
Figure 4.4: Behavior Violation for Circuit in Example 3.4
By applying the counter-example algorithm, we can identify that the property is verified for a ∈ [−0.03, 0.04034) (see Figure 4.5(a)). It is left to check whether counter-examples in a ∈ [0.04034, 0.05] are spurious or not. Using the notion of fragility, by measuring the distance from the bad states, we find that the initial constraint a ∈ [0.04034, 0.05]
leads to a counter-example, as shown in Figure 4.5(b).
Figure 4.5: Behavior Analysis for Circuit in Example 3.4 ((a) Safe Behavior; (b) Counter-Example; horizontal axis V_{c1})
In general, the efficiency of the counter-example validation depends on the algorithms used to minimize the possible counter-example candidates. In this chapter, we propose a validation algorithm based on checking fragments of the provided counter-example. If one can refute a fragment of a counter-example, e.g., a single transition, then the entire counter-example is spurious.
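The following is an added example and not the thesis's Mathematica implementation. It runs the Algorithm 4 loop (Taylor-model step, bounded safety check, and a Suffic_Approx-style divergence stop) and the Algorithm 7 refinement (bisect the initial symbol, refute sub-intervals whose over-approximation is safe, validate the rest on concrete trajectories, and grade confirmed violations by fragility as in Definition 4.3.3). The plant is an assumption: the linear harmonic oscillator x′ = y, y′ = −x stands in for the circuit dynamics; the initial set x[0] = 0.3 + a, y[0] = −0.3 + b is the Parameters1 set of Example 4.2.2, the a-range [−0.03, 0.05] is taken from Example 4.3.1, and the safety property G(y > y_min) with y_min = −0.45 is constructed. The `symbolic=False` switch folds the symbolic terms into the interval every step, which reproduces the divergence of plain interval enclosures reported as "Not Verified (Divergence)" in Table 4.1.

```python
"""Taylor-model style bounded safety checking with counter-example refinement.

Added example, not the thesis's code. Assumed plant: linear harmonic oscillator
x' = y, y' = -x. Each state component is an affine form in the initial-state
symbols plus an interval remainder, i.e. a first-order Taylor model.
"""
import math

A = [[0.0, 1.0], [-1.0, 0.0]]  # x' = y, y' = -x (assumed dynamics), ||A||_inf = 1


class Affine:
    """c + sum(coef[i] * s_i) + [lo, hi] with every symbol s_i ranging over [-1, 1]."""

    def __init__(self, c, coef, lo=0.0, hi=0.0):
        self.c, self.coef, self.lo, self.hi = c, list(coef), lo, hi

    def bounds(self):
        rad = sum(abs(k) for k in self.coef)
        return self.c - rad + self.lo, self.c + rad + self.hi


def taylor_step_matrix(h, order):
    """Truncated Taylor series of exp(A*h) plus a rigorous bound on the dropped
    tail: sum_{k>order} h^k/k! <= h^(order+1)/(order+1)! * e^h (as ||A|| = 1)."""
    M = [[1.0, 0.0], [0.0, 1.0]]
    term = [[1.0, 0.0], [0.0, 1.0]]
    for k in range(1, order + 1):  # term <- term * (A*h) / k
        term = [[sum(term[i][m] * A[m][j] for m in range(2)) * h / k
                 for j in range(2)] for i in range(2)]
        M = [[M[i][j] + term[i][j] for j in range(2)] for i in range(2)]
    return M, h ** (order + 1) / math.factorial(order + 1) * math.exp(h)


def tm_reach(state, M, tail, symbolic=True):
    """One step x[n] = M x[n-1]; the truncation tail (scaled by the box norm)
    widens the remainder. symbolic=False folds the symbolic part into the
    remainder every step, i.e. plain interval arithmetic with its wrapping effect."""
    norm = max(max(abs(l), abs(u)) for l, u in (f.bounds() for f in state))
    new = []
    for row in M:
        c = sum(w * f.c for w, f in zip(row, state))
        coef = [sum(w * f.coef[i] for w, f in zip(row, state)) for i in range(2)]
        lo = sum(min(w * f.lo, w * f.hi) for w, f in zip(row, state)) - tail * norm
        hi = sum(max(w * f.lo, w * f.hi) for w, f in zip(row, state)) + tail * norm
        if not symbolic:
            rad = sum(abs(k) for k in coef)
            coef, lo, hi = [0.0, 0.0], lo - rad, hi + rad
        new.append(Affine(c, coef, lo, hi))
    return new


def initial_state(x0, y0, a_rng, b_rng):
    """x[0] = x0 + a, y[0] = y0 + b with a in a_rng and b in b_rng (symbolic)."""
    (al, ah), (bl, bh) = a_rng, b_rng
    return [Affine(x0 + (al + ah) / 2, [(ah - al) / 2, 0.0]),
            Affine(y0 + (bl + bh) / 2, [0.0, (bh - bl) / 2])]


def g_verify(state, y_min, h, order, steps, symbolic=True, max_growth=3.0):
    """Bounded safety G(y > y_min) in the spirit of Algorithm 4: ('True', steps)
    if every box on the horizon stays above y_min, ('CE', k) at the first box
    meeting the bad region y <= y_min, or ('Divergence', k) once the y-enclosure
    is max_growth times wider than at the start (the job of Suffic_Approx)."""
    M, tail = taylor_step_matrix(h, order)
    width0 = state[1].bounds()[1] - state[1].bounds()[0]
    for k in range(steps + 1):
        lo, hi = state[1].bounds()
        if hi - lo > max_growth * width0:
            return "Divergence", k
        if lo <= y_min:
            return "CE", k
        state = tm_reach(state, M, tail, symbolic)
    return "True", steps


def concrete_min_y(x0, y0, t_end, h):
    """Exact trajectory of the assumed oscillator (a rotation), sampled every h."""
    n = int(round(t_end / h))
    return min(-x0 * math.sin(k * h) + y0 * math.cos(k * h) for k in range(n + 1))


def ce_analysis(x0, y0, a_rng, b_rng, y_min, h, order, steps, eps, min_width):
    """Refinement in the spirit of Algorithm 7: bisect the initial symbol a,
    refute sub-intervals whose over-approximation is safe, and validate the rest
    (at resolution min_width) on concrete corner trajectories. A violation
    shallower than eps is 'fragile'; a candidate no concrete corner confirms is
    'spurious'. Returns a sorted list of ((lo, hi), label)."""
    out, stack = [], [a_rng]
    while stack:
        lo, hi = stack.pop()
        verdict, _ = g_verify(initial_state(x0, y0, (lo, hi), b_rng), y_min, h, order, steps)
        if verdict == "True":
            out.append(((lo, hi), "safe"))
        elif hi - lo > min_width + 1e-12:
            stack += [(lo, (lo + hi) / 2), ((lo + hi) / 2, hi)]
        else:  # depth of the violation on the concrete corner trajectories
            depth = max(y_min - concrete_min_y(x0 + a, y0 + b, steps * h, h)
                        for a in (lo, hi) for b in b_rng)
            out.append(((lo, hi), "spurious" if depth < 0 else
                        "fragile" if depth < eps else "concrete"))
    return sorted(out)
```

Calling `g_verify(initial_state(0.3, -0.3, (-0.03, 0.03), (-0.03, 0.03)), -0.5, 0.05, 4, 100)` proves the bound with the symbolic forms, while the same call with `symbolic=False` stops with "Divergence" after about two dozen steps because each rotation step inflates an axis-aligned box. `ce_analysis(0.3, -0.3, (-0.03, 0.05), (-0.03, 0.03), -0.45, 0.05, 4, 100, 0.01, 0.005)` returns safe sub-intervals up to a = 0.005, fragile ones just beyond, and concrete counter-examples from a = 0.02 on. Because the plant is linear, the affine forms enclose the true reachable set up to the Taylor remainder, so no sub-interval comes back spurious here; with the thesis's non-linear circuits the spurious branch is what triggers further subdivision.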
4.4 Applications
We have implemented the algorithms described in this chapter in Mathematica (see Appendix A for more details). We have applied the proposed verification methodology to different classes of AMS designs representing various design levels, e.g., a continuous-time ΔΣ modulator at the behavioral level, a Schmitt trigger at the macro level and oscillators at the circuit level.
4.4.1 Tunnel Diode Circuit
Tunnel diodes exploit a phenomenon called resonant tunneling to provide interesting forward-bias characteristics, due to their negative incremental resistance at very low forward-bias voltages. This means that for some range of voltages, the current decreases with increasing voltage. This is in contrast with conventional diodes, which have a non-linear I-V characteristic whose slope is always positive. This characteristic makes the tunnel diode useful in oscillator circuits. When a small forward-bias voltage is applied across a tunnel diode, it begins to conduct current. As the voltage is increased, the current increases and reaches a peak value called the peak current. If the voltage is increased a little more, the current actually begins to decrease until it reaches a low point called the valley current. If the voltage is increased further yet, the current begins to increase again, this time without decreasing into another valley.
We focus on the current I_L and the voltage V_C across the tunnel diode in parallel with the capacitor of a serial RLC circuit (see Figure 4.6). The state equations of the circuit are
Figure 4.6: Tunnel Diode Oscillator
and
I′_L = (1/L)(−V_C − G·I_L + V_in)
where I_d(V_C) describes the non-linear tunnel diode behavior. We analyze the circuit in two modes: the first when the circuit is in stable oscillation for a given set of parameters, the other when this oscillation dies out. We chose two different sets of parameter values for the oscillator circuit, {C = 1000e−12, L = 1e−6, G = 5000e−3, V_in = 0.3} and {C = 1000e−12, L = 1e−6, G = 2000e−3, V_in = 0.3}, along with the set of initial values of voltages [0.8 V, 0.9 V] and currents 0.04 mA, and the analysis region of interest −1 V < V_C < 1 V and 0.01 mA < I_L < 0.9 mA. Suppose we want to verify the following property on the set of trajectories [50]:
G_{[0,1e−6]}(F_{[0,6e−7]}(I_L < 0.02)) ∧ G_{[0,1e−6]}(F_{[0,6e−7]}(I_L > 0.06))
which can be understood as: within the time interval [0, 1e−6], on every computation path, the I_L amplitude will always reach 0.02 within the time interval [0, 0.6e−7], and the same goes for the I_L amplitude 0.06. This property checks for the oscillation behavior of the circuit.
By applying Algorithm 6 with the first set of parameters, we have the property satisfied, which means that the circuit is oscillating for the given set of initial conditions within the specified time interval. The Taylor-model based reachable states are shown in Figure 4.7.a.
By following the same procedure for the system with the second set of parameters, but with the same initial conditions, we find that the circuit is not oscillating. Physically, when the circuit starts up, the energy of the system is lost due to the positive circuit resistance. Starting from any point in the analysis region, the oscillations die down to the equilibrium point, as illustrated in Figure 4.7.b.
Figure 4.7: Oscillator Behavior (a. Oscillations; b. No Oscillation)
4.4.2 Schmitt Trigger
In electronics, a Schmitt trigger is a comparator circuit that incorporates positive feedback. When the input is higher than a certain chosen threshold, the output is high; when the input is below another (lower) chosen threshold, the output is low; when the input is between the two, the output retains its value until the input changes sufficiently to trigger a change. This dual-threshold action is called hysteresis, and implies that the Schmitt trigger has some memory. A Schmitt trigger can be used as an oscillator, as shown in Figure 4.8, with the following configuration (the state equations):
C_1 dV_{C1}/dt = (V_out − V_{C1})/R_1 − V_{C1}/R_1
and
C_2 dV_{C2}/dt = (V_out − V_{C2})/R_3
where
Figure 4.8: Schmitt Trigger Oscillator
Figure 4.9: Schmitt Trigger Oscillator Behavior
with V_max = 5 and V_T = 0.025.
Similar to the tunnel diode, we check for the oscillation property:
G_{[0,2e−3]}(F_{[0,0.2e−3]}(V_{C2} < −4)) ∧ G_{[0,2e−3]}(F_{[0,0.2e−3]}(V_{C2} > 4))
which can be understood as: within the time interval [0, 2e−3], on every computation path, whenever the V_{C2} amplitude reaches −4 Volts, it will reach this value again within the time interval [0, 0.2e−3], and the same goes for V_{C2} reaching the amplitude 4 Volts. By applying Algorithm 6, we have the property satisfied, which means that the circuit is oscillating for the given set of initial conditions within the specified time interval. The possible Taylor-model based reachable states are shown in Figure 4.9.
4.4.3 Continuous-Time ΔΣ Modulator
Data converters are needed at the interface of analog and digital processing units. The principle of the ΔΣ architecture is to make rough evaluations of the signal over several stages, to measure the error, integrate it and then compensate for that error.
A ΔΣ modulator is said to be stable if the integrator output remains bounded under a bounded input signal, thus avoiding overloading the quantizer in the modulator. This property is of great importance since integrator saturation can deteriorate circuit performance, hence leading to instability. The quantizer in the modulator is a one-bit quantizer with two quantization levels, +1 V and −1 V. Hence, the quantizer input should be between −2 V and +2 V in order to avoid overloading. The continuous-time ΔΣ modulator shown in Figure 4.10 can be represented by the following equations:
dx_0/dt = a_0 x_1 − k_0 x_0 − b_0 a_0 M tanh(β x_0(t − τ) / M)
and
dx_1/dt = b_1 u(t) − k_1 x_1 − b_1 a_1 M tanh(β x_1(t − τ) / M)
Stability criteria can be formalized as a safety property ensuring that the integrators' output voltage never exceeds certain bounds. The property can be stated as follows:
G(−1 < V_{C2} < 3.5)
The reachable states for different initial conditions and input voltages are shown in Figure 4.11.
As illustrated in Figure 4.11(a), the voltage V_{C2} is confined to the region specified in the property and, applying Algorithm 4, we find that the property is satisfied. Increasing the input signal voltage leads to instability and the property is not verified, as illustrated in Figure 4.11(b).
Figure 4.11: DSM Modulator ((a) Stability; (b) Instability)
4.5 Summary
In this chapter, we have defined a bounded model checking approach for AMS systems modeled using a combination of SREs and differential equations. We have proposed a symbolic-interval modeling of the state space using the principle of Taylor models, which represent the state space using a combination of polynomial and interval terms. The main advantage of such modeling is that the polynomial representation helps slow the divergence due to the over-approximated intervals, while the interval part provides an important abstraction to handle the continuous behavior. In order to enhance the methodology, we extended the verification with a counter-example generation/refinement procedure. We have implemented our methodology using libraries for symbolic computation available in Mathematica. Experimental results have shown the feasibility and the utility of the approach.
The proposed BMC algorithm can verify properties for only a bounded time; however, confidence in the verification process would be increased by removing this constraint. To this end, in the next chapter, we complement the BMC algorithm by an abstraction methodology based on invariant checking and predicate abstraction.
Chapter 5
Qualitative Abstraction for CT-AMS Verification
5.1 Overview
Bounded model checking is an attractive method for verifying properties by partial exploration of the state space for a finite time period. This approach was shown in the previous chapter to be successful in proving properties such as oscillatory behavior. Nevertheless, confidence in the verification is limited due to the incompleteness of the verification. Consider, for instance, the proof of non-existence of oscillatory behavior. Such examples, among others, motivate the development of complementary methods to increase confidence in the verification process.
Predicate abstraction is one of the most successful abstraction approaches, originally developed in [45] for the verification of systems with infinite state spaces. In this approach, the state space is divided into a finite set of regions, and a set of rules is used to build the transition relation between these regions in a way that the generated state transition system can be verified using model checking. Among the proposed enhancements of predicate abstraction is the lazy abstraction approach [58]. The basic idea here is that, instead of generating the entire abstract model, a region is abstracted only when it is needed in the verification step. Refinement is applied starting from the earliest state at which the abstract counterexample fails to have a concrete counterpart.
Inspired by the concept of lazy abstraction, we propose a qualitative abstraction approach for continuous-time AMS designs, such that satisfaction of the property in the abstract model guarantees its satisfaction in the original design. In the proposed abstraction, the state space is initially partitioned based on the qualitative properties of the analog behavior, and symbolic constraint-based methods are applied to check for property validation. In case of failure, an iterative verification/refinement process is applied where the regions violating the property are refined and symbolic model checking is applied for the property validation.
The verification methodology we propose is illustrated in Figure 5.1. Starting with a circuit description as a system of ODEs (see Definition 3.2.3, Chapter 3), along with specification properties provided in computational temporal logic (∀CTL) (see Section 3.3.2, Chapter 3), we symbolically extract qualitative predicates of the system. The abstract model is constructed in successive steps. In the basis step, we only consider predicates that define the invariant regions for the system of equations based on the Darboux theory of integrability [43]. Informally, the Darboux theory is concerned with the identification of the different qualitative behaviors of the continuous state space of the system. We make use of this idea to divide the analog behaviors of the design into qualitatively distinct regions where no transition is possible between states of different regions. Satisfaction of properties is verified on these regions using constraint-based methods, which rely on qualitative properties of the system, by generating new constraints that prove or disprove a property. The property verification hence provides the advantage of avoiding explicit computation of reachable sets.
If the property cannot be verified at this stage, refinement is needed only for the non-verified regions, by adding more predicates. Conventional model checking is then applied on the newly generated abstract model. The extraction of the predicates is incremental in the sense that more precision can be achieved by adding more information to the original construction of the system. When the property is marked violated, one possible reason is
because of the false-negative problem due to the over-approximation of the abstraction.
Figure 5.1: Qualitative Abstraction based Verification Methodology
5.1.1 Predicate Abstraction
In the abstraction method, we first define the abstract states and the maps from concrete to abstract states. An abstract transition system is then created by constructing the abstract initial states and abstract transition relations. In order to fulfill these steps, a sound relationship between the concrete and abstract domains should be defined.
Predicate abstraction is a method where the set of abstract states is encoded by a set of Boolean variables, each representing a concrete predicate. Based on [5], we define a discrete abstraction of the CT-AMS model with respect to a given n-dimensional vector of predicates Ψ = (ψ_1, ..., ψ_n), where ψ_i : ℝ^d → 𝔹, with 𝔹 = {0, 1} and d the dimension of the system of ODEs. A polynomial predicate is of the form ψ(x) := ξ(x_1, ..., x_d) ~ 0, where ~ ∈ {<, >}. Hence, the infinite state space X of the system is reduced to 2^n states in the abstract system, corresponding to the 2^n possible Boolean truth valuations of Ψ.
Definition 5.1.1. Abstract Transition System.
An abstract transition system is a tuple T_Ψ = (Q_Ψ, ⇝, Q_{Ψ,0}), where:
• Q_Ψ ⊆ L × 𝔹^n is the abstract state space for an n-dimensional vector of predicates, where an abstract state is defined as a tuple (l, b), with l ∈ L a label and b ∈ 𝔹^n.
• ⇝ ⊆ Q_Ψ × Q_Ψ is a relation capturing abstract transitions such that {b ⇝ b′ | ∃x ∈ Γ_Ψ(b), t ∈ ℝ⁺ : x′ = Φ_x(t) ∈ Γ_Ψ(b′) ∧ x → x′}, where the concretization function Γ_Ψ : 𝔹^n → 2^{ℝ^d} is defined as Γ_Ψ(b) := {x ∈ ℝ^d | ∀i ∈ {1, ..., n} : ψ_i(x) = b_i}.
• Q_{Ψ,0} := {(l, b) ∈ Q_Ψ | ∃x ∈ Γ_Ψ(b), x ∈ Q_0} is the set of abstract initial states.
We define the set of reachable states as Reach_Ψ = ⋃_{i≥0} Reach_Ψ^i, where Reach_Ψ^0 = Q_{Ψ,0}, Reach_Ψ^{i+1} = Post_c(Reach_Ψ^i), ∀i ≥ 0, and Post_c(l, b) := {(l′, b′) ∈ Q_Ψ | (l, b) ⇝ (l′, b′)}.
We can then deduce the following property between concrete and abstract reachable states.
Statement. Given a CT-AMS transition system (see Definition 3.2.5) and an abstract transition system with a vector of predicates Ψ, the following holds: Reach ⊆ {q ∈ Q | ∃(l, b) ∈ Reach_Ψ : x ∈ Γ_Ψ(b) ∧ L_x(q) = x}.
5.1.2 Abstraction Based Verification
Given a CT-AMS model transition system T_AMS and a property φ expressed in ∀CTL, the problem of checking that the property holds in this model, written as T_AMS ⊨ φ, can be simplified to the problem of checking that a related property holds on an approximation of the model T_Ψ, i.e., T_Ψ ⊨ ϕ, with ϕ = μ(φ), where μ is a mapping function μ : ℝ^d → 𝔹 associating to each predicate ξ(x_1, ..., x_d) an atomic proposition P. The main preservation theorem can be stated as follows [20]:
Theorem 5.1.1. Suppose T_Ψ is an abstract model of T_AMS; then for all ∀CTL state formulas φ describing T_Ψ and every state s of T_AMS, we have ŝ ⊨ φ ⇒ s ⊨ φ, where s ∈ γ(ŝ). Moreover, T_Ψ ⊨ φ ⇒ T_AMS ⊨ φ.
If a property is proved on an abstract model T_Ψ, then we are done. If the verification of T_Ψ reveals T_Ψ ⊭ φ, then we cannot conclude that T_AMS is not safe with respect to φ, since the counterexample for T_Ψ may be spurious. In order to remove spurious counterexamples, refinement methods on the abstract model can be applied [20].
5.1.3 Invariants
Usually, a system with continuous dynamics (e.g., an AMS design) has a behavior that varies in different regions of the phase space, whose boundaries are defined by special system solutions known in the literature as Darboux invariants [43]. These invariants partition the concrete state space into a set of qualitatively distinct regions.¹
Definition 5.1.2. Given the system of ODEs dx_k/dt = P_k(x_1(t), ..., x_d(t)), with k = 1, ..., d (ẋ = P(x), x ∈ ℝ^d and P = (P_1, ..., P_d) is a polynomial vector field), we define the corresponding vector field as D_P = P·∂_x = Σ_{k=1}^{d} P_k ∂/∂x_k.
The correspondence between the system of ODEs and the vector field D_P is obtained by defining the time derivative of functions of x as follows. Let g be a function of x, g : ℝ^k → ℝ; then dg/dt := ġ = D_P(g) = P·∂_x g. The time derivative is called the derivative along the flow since it describes the variation of the function g of x with respect to t as x evolves according to the differential system. When D_P(g) = 0, ∀x ∈ ℝ^k, we have a time-independent first integral of D_P. Several methods were developed recently based on Darboux integrability theory [43], which is a theory concerned with finding closed-form solutions of systems of ODEs, to tackle the problem by looking for a basis set of invariants, i.e., Darboux invariants. Rather than looking at functions which are constant on all solutions, we look at functions which are constant on their zero level set. Darboux polynomials J_i provide the essential skeleton for the phase space from which all other behaviors can be qualitatively determined.
¹ We will focus on the analog part of the AMS design. Therefore, from now on, when we mention ODEs, we will assume a system of equations with no discrete part.
Definition 5.1.3. Darboux Polynomials [43].
Given a vector field $\mathcal{D}_P = \sum_{k=1}^{d} P_k \frac{\partial}{\partial x_k}$ associated with the system $\dot{x} = P(x)$, a Darboux polynomial is of the form $\mathcal{J}(x) = 0$ with $\mathcal{J} \in \mathbb{K}[x]$ and $\mathcal{D}_P \mathcal{J} = \mathcal{K} \mathcal{J}$, where $\mathcal{K} = \mathcal{K}(x)$ is a polynomial called the cofactor of $\mathcal{J} = 0$.
Lemma 5.1.1. [43] Given a system of ODEs and a vector field $\mathcal{D}_P$, $\mathcal{J}$ is an invariant of the system if $\mathcal{J}$ divides $\mathcal{D}_P(\mathcal{J})$; more formally, if there exists $\mathcal{K} \in \mathbb{K}[x]$ such that $\mathcal{D}_P(\mathcal{J}) = \mathcal{K} \mathcal{J}$. The solution set of the system vanishes on the curve of $\mathcal{J}$.
Proof. We can always represent the system by the associated vector field at each point, $\mathcal{F}(x) = P(x)$, with $\nabla \mathcal{J} \cdot \mathcal{F} = \mathcal{K} \mathcal{J}$, where $\nabla \mathcal{J}$ denotes the gradient vector of $\mathcal{J}(x)$ and $\cdot$ is the scalar product. When $\mathcal{J} = 0$, $\nabla \mathcal{J} \cdot \mathcal{F} = 0$, meaning that $\nabla \mathcal{J}$ is orthogonal to the vector field $\mathcal{F}$ at these points. Therefore $\mathcal{F}$ is tangent to $\mathcal{J} = 0$.
In the context of abstraction, we define the invariant regions as conjunctions of 
Darboux invariant predicates. An invariant region can be considered as an abstraction of 
the state space that confines all the system dynamics initiated in that region: 
Definition 5.1.4. We say that a region $V$ is an invariant region of a CT-AMS model if $\Phi(x(0)) = s_0 \models V$, $\Phi(x(\varsigma)) = s_\varsigma \models V$ and $\forall t \in [0, \varsigma].\ \Phi(x(t)) = s_t \models V$. Let $V = \{x \in \mathbb{R}^k \mid x \models \Gamma\}$ be an invariant region, where $\Gamma$ is a conjunction of Darboux predicates (each of the form $p(x) \sim 0$, where $p$ is a polynomial function and $\sim\, \in \{<, >\}$). If $x(0)$ is some initial state, then $V = V(x(0))$ denotes an over-approximation of the set of states reachable from $x(0)$.
Example 5.1.1. Consider the non-linear circuit shown in Figure 5.2.a, where the non-linearity comes from the voltage controlled current sources that produce the currents $I_{cs1} = f_1(x_1, x_2)$ and $I_{cs2} = f_2(x_1, x_2)$, respectively (with $c_1 = c_2 = 1$ and $g_1 = g_2 = 1$). The voltages $x_1$ and $x_2$ across the capacitors $c_1$ and $c_2$ can be described using ODEs, respectively, as follows: $\dot{x}_1 = x_1^3 - x_1$ and $\dot{x}_2 = x_1^2 x_2$. We identify the corresponding invariants $j_1 = 1 - x_1^2 - x_2^2$ and $j_2 = 1 - x_1^2 + x_2^2$, which are used to form three invariant regions: $R_1 = j_1 > 0 \wedge j_2 > 0$, $R_2 = j_1 < 0 \wedge j_2 < 0$ and $R_3 = j_1 < 0 \wedge j_2 > 0$, as shown in Figure 5.2.b. Note that $j_1 > 0 \wedge j_2 < 0$ is infeasible and therefore discarded.
Figure 5.2: Illustrative Non-linear Circuit ((a) Circuit Schematic, with $I_{cs1} = f_1(x_1, x_2)$, $I_{cs2} = f_2(x_1, x_2)$, $c_1 = c_2 = 1$, $g_1 = g_2 = 1$; (b) Darboux Invariants)
5.2 Invariants Based Verification 
In this section, we propose a qualitative verification approach for the AMS designs using 
constraint based methods. The basic idea is to apply quantified constraint based tech-
niques to answer questions about qualitative behaviors of the designs, by constructing 
functions that validate or falsify the property. The idea is different from conventional ap-
proaches as it does not require an explicit reachable states computation. We consider two 
types of properties that can be verified using this approach, namely safety and switching 
properties. 
5.2.1 Safety Properties 
Safety properties can be expressed in CTL [22] as $\forall G\, p$, meaning that always, on all executions, the constraint predicate $p$ is satisfied for a set of initial conditions. The verification starts by taking the negated property $\exists F\, \neg p$ (which means that there is an execution falsifying the constraint $p$) and applies constraint solving to the dual property within the invariant regions of interest. In case of unsatisfiability, we conclude that the original property is satisfied in the region; otherwise we cannot conclude the truth of the property, and a refined model providing more details of the region is constructed.
Proposition 5.2.1. Safety Property Verification.
$\forall G\, P$ is always satisfied in an invariant region $V$ if its dual property $\exists F\, \neg P$ is never satisfied in that region.
Proof. The proof is straightforward, as $\exists F\, \neg P$ is the complement of $\forall G\, P$. One and only one of the two properties can be satisfied in a given invariant region.
Example 5.2.1. Consider the circuit in Example 5.1.1, with initial conditions $x_1(0) \in [-1.1, -0.7]$ and $x_2(0) \in [0.5, 0.9]$. Suppose the property to check is $\forall G\, P := x_1 + x_2 - 3 < 0$ (see Figure 5.3 for details), meaning that all flows initiated from $x(0) = (x_1(0), x_2(0))$ will be bounded by $x_1 + x_2 - 3$. The following regions satisfy the initial conditions: $R_1 = j_1 > 0 \wedge j_2 > 0$ and $R_3 = j_1 < 0 \wedge j_2 > 0$. We check whether $\exists F\, \neg P := x_1 + x_2 - 3 > 0$ is satisfiable in the invariant regions $R_1$ and $R_3$. By applying constraint solving in Mathematica, we find that for the region $R_3$ the constraint system is satisfiable, hence the original property cannot be verified, and the state space of the region needs to be refined. For the region $R_1$, the constraint system is infeasible; therefore we conclude that the safety property is satisfied.
It is worth noting that the barrier-certificate method developed in [92] can be applied as a complement to our method. In fact, the Darboux predicates used as the basis of invariant regions can be considered as natural barrier certificates that are constructed without the need for initial and final constraints. Therefore the main advantage is that they can be used in the verification for several initial conditions and properties, hence reducing computational effort.
Figure 5.3: Safety Verification (Example 5.2.1)
5.2.2 Switching Properties 
A special case of the reachability verification $\exists F\, Q$ is the switching condition verification, i.e., starting from a set of initial conditions, the system will eventually cross a threshold, triggering a switching condition. Such a property is of great importance; for instance, a MOS transistor acting as a switch changes state based on the voltage condition applied to its gate. We consider here a restricted form of the switching property, where we assume that threshold predicates divide the invariant region by intersecting the invariant region boundaries (at least two Darboux predicates). Given an invariant region $V$, a predicate $Q$ is a switching condition if
$\bigwedge_{i=0}^{k} \exists x.\ (Q(x) = 0) \wedge (j_i(x) = 0)$,
where $k < 2$ and $j_i$ is a Darboux invariant. The switching verification can be stated as follows:
Proposition 5.2.2. Switching Property Verification.
$\exists F\, Q$ is satisfied in a region $V$ if $Q(x(0)) < 0$ and $\mathcal{D}_P(Q) > 0$, or if $Q(x(0)) > 0$ and $\mathcal{D}_P(Q) < 0$, in the region $V$. If these conditions are satisfiable, we conclude that the property is verified and switching occurs.
Proof. Proof by contradiction. Suppose that:
1. the condition $\bigwedge_{i=0}^{k} \exists x.\ (Q(x) = 0) \wedge (j_i(x) = 0)$ holds;
2. $Q(x(0)) < 0$ and $\mathcal{D}_P(Q) > 0$ is satisfied;
3. $\exists F\, Q$ is not satisfied.
From the condition in (1) and the vector field behavior in (2), we deduce that there exists a trajectory starting from a state $x(0)$ to a state $x(t)$ such that $x(t) \models Q$, contradicting assumption (3). The proof is similar for a vector field with the following behavior: $Q(x(0)) > 0$ and $\mathcal{D}_P(Q) < 0$.
Example 5.2.2. Consider the circuit shown in Figure 5.2.a, where the voltages across the capacitors $c_1$ and $c_2$ are described, respectively, as follows: $\dot{x}_1 = x_1^2 + 2x_1x_2 + 3x_2^2$ and $\dot{x}_2 = 4x_1x_2 + 2x_2^2$. Suppose that the switching condition property to check is $\exists F\ x_1 + x_2 - 5 = 0$, meaning that switching occurs when a certain trajectory crosses the threshold $Q_1 := x_1 + x_2 - 5 = 0$ (see Figure 5.4). We construct the Darboux functions $j_1 := x_2$, $j_2 := x_1 + x_2$ and $j_3 := x_1 - x_2$. The region $R_1 = j_1 > 0 \wedge j_2 > 0 \wedge j_3 > 0$ satisfies the initial conditions. In addition, the predicate $x_1 + x_2 - 5 < 0$ satisfies the initial condition and $\mathcal{D}_P(x_1 + x_2 - 5) > 0$, because $\mathcal{D}_P(x_1 + x_2 - 5) = (x_1 + x_2)(x_1 + 5x_2)$ is always positive in $R_1$. Consider the initial conditions $X(0)_1 := (x_1(0) \in [-10, -8]$ and $x_2(0) \in [4, 5])$ and $X(0)_2 := (x_1(0) \in [-1, -0.5]$ and $x_2(0) \in [0.3, 0.5])$ in the invariant region $R_2 = j_1 > 0 \wedge j_2 < 0 \wedge j_3 < 0$. For the switching condition $Q_2 := -x_1 + x_2 - 5 = 0$, we find that the initial condition $X(0)_1$ satisfies $-x_1 + x_2 - 5 > 0$ and $X(0)_2$ satisfies $-x_1 + x_2 - 5 < 0$, while $\mathcal{D}_P(-x_1 + x_2 - 5) = -(x_1 - x_2)^2$ is always negative in region $R_2$; therefore we conclude that switching will occur for the initial condition $X(0)_1$ but not for $X(0)_2$.
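As an added example (not the thesis's own code, which uses Mathematica for constraint solving), the following Python computes the derivative along the flow $\mathcal{D}_P$ for polynomial vector fields, decides the Darboux condition of Lemma 5.1.1 by exact polynomial division, and checks the sign conditions of Proposition 5.2.2 on the system of Example 5.2.2. The grid sampling used for the sign check over a region is an assumption standing in for the thesis's quantified constraint solving; it confirms the example's algebra but is not a proof.

```python
from fractions import Fraction
from itertools import product

# A polynomial in d variables is a dict {exponent tuple: coefficient};
# {(2, 0): 1, (1, 1): 2} stands for x1^2 + 2*x1*x2.

def padd(a, b):
    """Sum of two polynomials, dropping zero coefficients."""
    r = dict(a)
    for m, c in b.items():
        r[m] = r.get(m, 0) + c
        if r[m] == 0:
            del r[m]
    return r

def pmul(a, b):
    """Product of two polynomials."""
    r = {}
    for (m1, c1), (m2, c2) in product(a.items(), b.items()):
        m = tuple(i + j for i, j in zip(m1, m2))
        r[m] = r.get(m, 0) + c1 * c2
    return {m: c for m, c in r.items() if c != 0}

def pdiff(a, var):
    """Partial derivative with respect to the variable with index var."""
    r = {}
    for m, c in a.items():
        if m[var] > 0:
            mm = m[:var] + (m[var] - 1,) + m[var + 1:]
            r[mm] = r.get(mm, 0) + c * m[var]
    return r

def lie_derivative(P, J):
    """D_P(J) = sum_k P_k * dJ/dx_k, the derivative of J along the flow of x' = P(x)."""
    r = {}
    for k, Pk in enumerate(P):
        r = padd(r, pmul(Pk, pdiff(J, k)))
    return r

def darboux_cofactor(P, J):
    """Lemma 5.1.1: return the cofactor K with D_P(J) = K*J when J divides D_P(J), else None.
    Exact division by J in lexicographic monomial order; the lead monomial of the remainder
    must be divisible by the lead monomial of J at every step, otherwise J does not divide."""
    lead = max(J)
    rem, quot = lie_derivative(P, J), {}
    while rem:
        m = max(rem)
        if any(i < j for i, j in zip(m, lead)):
            return None
        term = {tuple(i - j for i, j in zip(m, lead)): Fraction(rem[m]) / J[lead]}
        quot = padd(quot, term)
        rem = padd(rem, {k: -c for k, c in pmul(term, J).items()})
    return quot

def peval(a, point):
    """Evaluate a polynomial at a point given as a tuple of coordinates."""
    total = 0
    for m, c in a.items():
        v = c
        for x, e in zip(point, m):
            v *= x ** e
        total += v
    return total

def sign_on_grid(poly, box, region=lambda pt: True, n=25):
    """Sign of poly on grid samples of box (one (lo, hi) pair per variable) that satisfy region:
    +1 if all samples are positive, -1 if all negative, 0 if mixed or no sample qualifies.
    Assumption: sampling stands in for the thesis's constraint solving (a check, not a proof)."""
    axes = [[lo + (hi - lo) * (i + 0.5) / n for i in range(n)] for lo, hi in box]
    vals = [peval(poly, pt) for pt in product(*axes) if region(pt)]
    if vals and all(v > 0 for v in vals):
        return 1
    if vals and all(v < 0 for v in vals):
        return -1
    return 0

def switching_occurs(P, Q, init_box, region_box, region):
    """Proposition 5.2.2: switching across Q = 0 follows when Q has one strict sign on the
    initial box and D_P(Q) has the opposite strict sign throughout the invariant region."""
    q0 = sign_on_grid(Q, init_box)
    dq = sign_on_grid(lie_derivative(P, Q), region_box, region)
    return q0 != 0 and dq == -q0

# System of Example 5.2.2: x1' = x1^2 + 2 x1 x2 + 3 x2^2,  x2' = 4 x1 x2 + 2 x2^2
P = [{(2, 0): 1, (1, 1): 2, (0, 2): 3}, {(1, 1): 4, (0, 2): 2}]
J1, J2, J3 = {(0, 1): 1}, {(1, 0): 1, (0, 1): 1}, {(1, 0): 1, (0, 1): -1}  # x2, x1+x2, x1-x2
Q1 = {(1, 0): 1, (0, 1): 1, (0, 0): -5}    # threshold  x1 + x2 - 5 (not an invariant)
Q2 = {(1, 0): -1, (0, 1): 1, (0, 0): -5}   # threshold -x1 + x2 - 5

def in_R2(pt):
    """Invariant region R2 = j1 > 0 and j2 < 0 and j3 < 0 of Example 5.2.2."""
    return peval(J1, pt) > 0 and peval(J2, pt) < 0 and peval(J3, pt) < 0

if __name__ == "__main__":
    for name, J in (("j1", J1), ("j2", J2), ("j3", J3), ("Q1", Q1)):
        print(name, "cofactor:", darboux_cofactor(P, J))
    print("D_P(Q2) =", lie_derivative(P, Q2))   # -x1^2 + 2 x1 x2 - x2^2 = -(x1 - x2)^2
    for label, box in (("X(0)_1", [(-10, -8), (4, 5)]), ("X(0)_2", [(-1, -0.5), (0.3, 0.5)])):
        print(label, "switches across Q2 in R2:",
              switching_occurs(P, Q2, box, [(-12, 0), (0, 6)], in_R2))
```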
5.2.3 Reachability Verification 
Figure 5.4: Switching Verification (Example 5.2.2)
A failure in safety verification does not guarantee that the final set is reachable from the initial set. This is the problem of reachability verification, which is concerned with proving that at least one trajectory of the system starting from a set of initial states will reach another given set of states in finite time. The reachability property is expressed as $\exists F\, P$, which means that eventually there exists an execution that will satisfy the constraint $P$. The main idea of the verification is to find bounds that include a trajectory from an initial to a final state. Reachability can be verified using the following proposition:
Proposition 5.2.3. Sufficient Condition for Reachability.
Given initial ($S_{in}$) and reachable ($S_{fn}$) states bounded by convex functions $B_{in}$ and $B_{fn}$ such that
$\forall s \in S_{in}.\ B_{in}(s) < 0$ with $\mathcal{D}(B_{in}) > 0\,|_{B_{in} = 0}$
and
$\forall s \in S_{fn}.\ B_{fn}(s) < 0$ with $\mathcal{D}(B_{fn}) < 0\,|_{B_{fn} = 0}$
respectively, construct two functions $B_{r1}$ and $B_{r2}$ such that their existence implies the existence of a trajectory $\Phi$: $\exists s_0 \in S_{in}.\ \exists s_1 \in S_{fn}.\ \Phi(t_0) = s_0$ and $\Phi(t_f) = s_1$, where $t_0$ and $t_f$ are time points with $t_0 < t_f$, bounded by
$B_{r1} < 0 \wedge B_{r2} > 0$ or $B_{r1} > 0 \wedge B_{r2} < 0$
with the following conditions:
1. $(B_{r1} = 0) \cap (B_{in} = 0) \neq \emptyset$ and $(B_{r1} = 0) \cap (B_{fn} = 0) \neq \emptyset$
2. $(B_{r2} = 0) \cap (B_{in} = 0) \neq \emptyset$ and $(B_{r2} = 0) \cap (B_{fn} = 0) \neq \emptyset$
3. $\mathcal{D}(B_{r1}) > 0\,|_{B_{r1} = 0} \wedge \mathcal{D}(B_{r2}) < 0\,|_{B_{r2} = 0}$ or $\mathcal{D}(B_{r2}) > 0\,|_{B_{r2} = 0} \wedge \mathcal{D}(B_{r1}) < 0\,|_{B_{r1} = 0}$.
Proof. Assume that there exist functions $B_{r1}$ and $B_{r2}$ satisfying conditions (1)-(3), while at the same time there are no reachable states from $B_{in}$ to $B_{fn}$. We have four cases:
1. $\mathcal{D}(B_{r1}) > 0\,|_{B_{r1} = 0} \wedge \mathcal{D}(B_{r2}) < 0\,|_{B_{r2} = 0}$ and all the flow crossing $B_{r1}$ and $B_{r2}$ is going out of the bounded region $B_{r1} < 0 \wedge B_{r2} > 0$.
2. $\mathcal{D}(B_{r1}) > 0\,|_{B_{r1} = 0} \wedge \mathcal{D}(B_{r2}) < 0\,|_{B_{r2} = 0}$ and all the flow crossing $B_{r1}$ and $B_{r2}$ is going inside the bounded region $B_{r1} > 0 \wedge B_{r2} < 0$.
3. $\mathcal{D}(B_{r2}) > 0\,|_{B_{r2} = 0} \wedge \mathcal{D}(B_{r1}) < 0\,|_{B_{r1} = 0}$ and all the flow crossing $B_{r1}$ and $B_{r2}$ is going out of the bounded region $B_{r1} < 0 \wedge B_{r2} > 0$.
4. $\mathcal{D}(B_{r2}) > 0\,|_{B_{r2} = 0} \wedge \mathcal{D}(B_{r1}) < 0\,|_{B_{r1} = 0}$ and all the flow crossing $B_{r1}$ and $B_{r2}$ is going inside the bounded region $B_{r1} > 0 \wedge B_{r2} < 0$.
Assume that all flows crossing $B_{r1}$ and $B_{r2}$ are going inside a bounded region and that this bounded region does not include a fixpoint; then we will have at least one function with $\mathcal{D}(B_{r3}) = \mathcal{K} B_{r3}$, confined in the region and connecting the initial and final regions, hence leading to a contradiction. A similar argument holds for the case where all flows are going outside the bounded region.
It is worth noting that this method gives a sufficient condition to prove the existence of a reachable flow. It is a weaker form of the sufficient condition which states that a reachable flow exists in the confined region if there exists $\mathcal{D}(F) = 0$ in that region. However, this latter condition is hard to implement, as it corresponds to finding a first integral, as discussed in Section 5.1.3. We limit ourselves in this thesis to the first sufficient condition only.
Example 5.2.3. Consider the non-linear circuit shown in Figure 5.2(a), connected to different current sources, with the voltages across the capacitors $c_1$ and $c_2$ described using ODEs, respectively, as follows:
$\dot{x}_1 = 3(x_2 - 4)$ and $\dot{x}_2 = 3 + x_1 x_2 - x_1$
Suppose we provide the initial condition $B_{in} := (-1 + x_1)^2 + (-4 + x_2)^2 < 0.5$. We want to verify the following property
$\exists F\, B_{fn}$
where
$B_{fn} := (2 + x_1)^2 + (-1.8 + x_2)^2 < 0.5$
Using the quantified constraint solving capabilities of Mathematica, we constructed the following bounds:
$B_1 := 2.4 + 89x_2 + 235.8x_2^2 = 1000$
and
$B_2 := -74x_1 + 1.3x_1^2 = 130$
Therefore, we can deduce that the reachability property will indeed be satisfied (a sample reachable trajectory is shown inside the region in Figure 5.5).
Sometimes constraint based verification fails to provide answers for the verification 
problem due to several reasons: 
1. The above mentioned verification methods are not complete in general. 
2. Sometimes the constraint solver fails to provide an answer (e.g., not able to con-
struct bounds for reachability). 
3. More complex properties like oscillation cannot be proved using the above method. 
We complement the approaches described in this section with the predicate abstraction method, allowing conventional model checking to be applied. In the next section, we will describe how to find useful predicates for the abstract states to refine the regions of interest, and how to identify rules to build transitions between the abstract states. Symbolic model checking can then be applied to the constructed model.
Figure 5.5: Reachability (Example 5.2.3)
5.3 Predicate Abstraction 
5.3.1 Abstract State Space 
In general, the effectiveness of the predicate abstraction method depends on the choice 
of predicates. In addition to using Darboux predicates as described in Section 5.1.3, we 
choose predicates identified in the properties of interest. In addition to temporal property 
predicates, basic ideas from the qualitative theory of continuous systems can be adapted 
within the predicate abstraction framework. The termination of the predicate generation 
phase is not necessary for creating an abstraction. We can stop at any point and construct 
the abstract model. A larger predicate set yields a finer abstraction as it results in a larger 
state space in the abstract model. 
We first define the notion of critical point as follows:
Definition 5.3.1. A fixed point is a point at which the vector field vanishes. For the ODE system $\dot{x} = P(x(t))$, we look for solutions $x(t) = v$, $v \in \mathbb{R}^n$, such that $P(v) = 0$.
A set of predicates can be constructed using the notion of critical forms, which are special functions along which the vector field direction is either vertical or horizontal. In between these forms, there can be no vertical or horizontal vectors. In a region (abstract state) determined by the critical forms, all vectors follow one direction. These predicates can be obtained easily by setting $\dot{x} = 0$.
A generalization of critical forms is the concept of isoclines. Isoclines are functions over which the system trajectories have a constant slope.
Definition 5.3.2. A predicate $\pi$ is an isocline of an ODE system if and only if $\exists a_i \in \mathbb{R}$ with $i = 1, \ldots, d$ such that
$\sum_{i=1}^{d} a_i\, \dot{x}_i(x)\,\big|_{\pi} = 0$
Isoclines and critical forms provide qualitative information about the system behavior. Hence, such information can be used to refute certain behavior that is shown to be unreachable. For instance, by knowing the different constants $a_i$, we deduce the direction of the flow crossing the isoclines and therefore decide how to build transitions between abstract states. Finding different isocline predicates within an invariant region can be achieved by solving constraints on the parameters of predefined forms of an isocline predicate.
Another kind of predicate we propose is referred to as a conditioned predicate. These predicates have the property that, under specific conditions, they provide certain information about the solution flow. For instance, consider the 3-dimensional system with the state variables $x, y, z$ and the property predicate $z > 1$. We can construct another predicate that intersects $z > 1$ at a specific condition, say $\dot{y} = 0$. Then the new predicate is of the form
$\dot{y} - (z - 1)\,\dot{x} = 0$
These kinds of predicates are important during refinement, when an abstract state needs to be subdivided into a new set of abstract states. The conditioned predicates are defined formally as follows:
Definition 5.3.3. A predicate $\pi$ is a conditioned predicate of an ODE system with conditions $\Gamma_1, \ldots, \Gamma_d$ if it is of the form
$\sum_{i=1}^{d} \Gamma_i\, \dot{x}_i\,\big|_{\pi} = 0$
where the conditions $\Gamma_i$ are polynomials with $i = 1, \ldots, d$ and $d$ is the system dimension.
Example 5.3.1. Consider the analog circuit in Example 5.1.1. The critical form predicates are $p_1 := x_1$, $p_2 := x_2$, $p_3 := 1 - x_1$ and $p_4 := 1 + x_1$, as shown in Figure 5.6.a. For illustration purposes, we choose two isocline predicates $p_5 := x_1^3 - x_1 + x_1^2 x_2$ and $p_6 := x_1^3 - x_1 - x_1^2 x_2$, as shown in Figure 5.6.b. Suppose we wish to verify a property including the predicate $p_7 := x_2 - x_1 > 0.3$. We can construct the conditioned predicate $p_8 := \dot{x}_2 - (x_2 - x_1 - 0.3)\,\dot{x}_1 = 0$, as shown in Figure 5.6.c. To build the abstract state space, we have three invariant regions and eight predicates. As certain combinations of predicates are infeasible, the number of abstract states is $< 2^8$. In fact, region $R_1 = j_1 > 0 \wedge j_2 > 0$ is subdivided into 29 abstract states.
Figure 5.6: Predicates for the Circuit in Figure 5.2.a ((a) Critical Form Predicates; (b) Isocline Predicates; (c) Conditioned Predicates)
Other methods for finding useful predicates were developed in [106], where the authors proposed a way to extract predicates from polynomial ODEs by looking at higher derivatives: if $p \in \mathcal{P}$, then add $\dot{p}$, the derivative (with respect to time) of $p$, to the set $\mathcal{P}$, unless $\dot{p}$ is a constant or a constant-factor multiple of some existing polynomial in $\mathcal{P}$.
5.3.2 Computing Abstract Transitions 
One main issue in constructing abstract state transition systems is the identification of the 
possible transitions. As we divide the state space into invariant regions, we need only to 
construct transitions between abstract states within a region. Therefore, we do not need 
to construct an abstract model for the whole state space. In general, information from 
the solution of the ODEs is required to describe transitions between abstract states. In 
practice, the abstract transition relation is initialized to the trivial relation relating all states 
and then stepwise refined by eliminating infeasible transitions. This guarantees that any
intermediate result represents an overapproximating abstraction and the refinement can 
be stopped at any point of time. In the remainder of this section, we use a set of different 
rules to construct transitions between abstract states. 
The simplest rule to use is the Hamming distance rule [106]. The Hamming distance (HD) is the number of predicates whose valuations differ between two abstract states. For instance, the Hamming distance between the states $s_1 := (p_1 = 1 \wedge p_2 = 0 \wedge p_3 = 1 \wedge p_4 = 1)$ and $s_2 := (p_1 = 1 \wedge p_2 = 0 \wedge p_3 = 0 \wedge p_4 = 1)$ is 1, written $HD(s_1, s_2) = 1$. Given two abstract states $s_1$ and $s_2$, we say that a transition can exist between them only if $HD(s_1, s_2) = 1$. The next rule we apply is based on the generalized mean value theorem [40], which is an extension of the mean value theorem (MVT) to $n$ dimensions (see Definition 4.1.1, Chapter 4).
We use quantified constraint based methods to check whether the MVT condition 
is satisfied between two abstract states. If the MVT is not satisfied, we deduce that no 
transition exists between the two states. The above rules give an over-approximation of 
the transition system as no information about the vector field direction is used. In order 
to remove such redundant transitions in the region of interest, we complement the above 
rules by applying the intermediate value theorem (See Definition 4.1.2, Chapter 4) as a 
way to identify the flow direction. In the context of abstraction, a transition between two 
abstract states exists if a predicate valuation changes during the execution over an interval 
domain. This can be checked using the intermediate value theorem. 
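As an added illustration (not code from the thesis), the following Python builds the abstract states induced by the four critical-form predicates of Example 5.3.1, $p_1 = x_1$, $p_2 = x_2$, $p_3 = 1 - x_1$, $p_4 = 1 + x_1$, and then applies the Hamming distance rule of this section to prune the trivial all-to-all transition relation. Feasibility of a predicate valuation is decided here by sampling a box of concrete points, an assumption that stands in for the constraint solving the thesis uses.

```python
from itertools import product

# Critical-form predicates of Example 5.3.1, as functions of the concrete state (x1, x2).
PREDICATES = {
    "p1": lambda x1, x2: x1,
    "p2": lambda x1, x2: x2,
    "p3": lambda x1, x2: 1 - x1,
    "p4": lambda x1, x2: 1 + x1,
}

def valuation(point, predicates=PREDICATES):
    """Abstract state of a concrete point: tuple of predicate signs (1 if p > 0 else 0)."""
    return tuple(1 if p(*point) > 0 else 0 for p in predicates.values())

def feasible_states(predicates=PREDICATES, box=((-2, 2), (-2, 2)), n=16):
    """Collect the abstract states realised by sampled concrete points (assumption: sampling
    instead of constraint solving). Samples are offset from the grid lines so that none lies
    exactly on a predicate boundary p = 0."""
    axes = [[lo + (hi - lo) * (i + 0.5) / n for i in range(n)] for lo, hi in box]
    return sorted({valuation(pt, predicates) for pt in product(*axes)})

def hamming_distance(s1, s2):
    """Number of predicates whose valuation differs between two abstract states."""
    return sum(a != b for a, b in zip(s1, s2))

def trivial_relation(states):
    """The initial over-approximation: every state may move to every other state."""
    return {(s, t) for s in states for t in states if s != t}

def hamming_prune(relation):
    """Hamming distance rule: keep only transitions between states differing in one predicate."""
    return {(s, t) for s, t in relation if hamming_distance(s, t) == 1}

def abstract_transition_system(predicates=PREDICATES):
    """Abstract states plus the transition relation after the Hamming rule refinement step."""
    states = feasible_states(predicates)
    relation = hamming_prune(trivial_relation(states))
    return states, relation

if __name__ == "__main__":
    states, relation = abstract_transition_system()
    print(len(states), "feasible abstract states out of", 2 ** len(PREDICATES), "valuations")
    print(len(relation), "candidate transitions after the Hamming rule")
    for s, t in sorted(relation):
        print(dict(zip(PREDICATES, s)), "->", dict(zip(PREDICATES, t)))
```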
5.3.3 Abstract Model Refinement 
In general, if the abstract model is not suitable for the property analysis, then a global 
refinement procedure is required in order to increase the precision of the model. In fact, 
the refinement procedure is applied iteratively until verification reveals whether or not the 
property in question is satisfied. Practically, this is based on the abstract counter-example 
validation and refinement as explained in Section 4.3. 
The main task for the counter-example validation procedure is the computation of 
the exact successor states starting from the initialization of the counter-example. The 
outcome of the procedure is either that a bad state is reached or a transition is determined 
to be spurious. Unfortunately, the required concretization of the given counterexample 
adds more trajectories that might not correspond to real ones. Therefore, only an over-
approximation of the exact set of states can be defined. 
The intuitive method to validate a counter-example is based on applying the bounded 
reachability analysis described by Algorithm 1. 
Statement. Given an abstract counter-example trace $\Omega = (\sigma, x, X)$ (see Definition 4.3.1, Chapter 4; in the current definition, $x$ is a sequence of steps $n \in \mathbb{N}$) and the trace corresponding to the set of reachable states $\hat{\Omega} = (\hat{\sigma}, \hat{x}, \hat{X})$, $\hat{\Omega}$ is a concrete counterpart of $\Omega$ if both traces are related according to Definition 4.3.1.
Because the applied reachability analysis (using Algorithm 1) is time bounded, it is not always possible to validate an abstract counter-example. In this case, a refinement procedure is required.
The reachability based validation cannot always establish the nonexistence of an abstract transition. However, we propose a practical method to remove redundant transitions by considering a transition across the boundary of two abstract states as a switching condition problem, as described in Section 5.2.2.
5.4 Applications 
In Chapter 4, most of the properties we were interested in verifying were positive behaviors (e.g., something good will eventually happen, like the occurrence of oscillation). In this chapter we are interested in verifying safety properties (e.g., something bad will never happen, such as a transistor never going into a certain mode of operation). In this respect, we apply the verification methodology proposed in this chapter to a variety of circuits, including a BJT Colpitts circuit and a tunnel diode oscillator, in addition to other basic RLC circuits. Implementation details are described in Appendix A.
5.4.1 BJT Colpitts Circuit 
In order to understand the circuit behaviour, it is important to identify the different modes 
of operations of the transistor when connected with other circuit components. Circuit 
analysis is usually done by hand as simulation data is not conclusive. We can apply con-
straint solving to ensure that the transistor will never go into a specific mode of operation. 
Consider the BJT based Colpitts oscillator shown in Figure 5.7. Correct functionality ensures that the BJT will never go into the saturation region [64]. In fact, the BJT will be either in the cut-off mode or in the forward active mode. The state space is subdivided into four regions according to the BJT modes of operation (cut-off, reverse active, forward active and saturation), with threshold voltage $V_{th} = 0.75$. For instance, the property that no transition can occur from forward active ($m_1$) to saturation ($m_2$) can be validated by proving that $\forall G\ V_{C_2} < 0.75 \wedge V_{C_1} + V_{C_2} < 0$ is false, where $V_{C_1}$ and $V_{C_2}$ are the voltages across the capacitors $C_1$ and $C_2$.
Figure 5.7: BJT Colpitts Circuit
5.4.2 Non-Linear Analog Circuit 
Consider the circuit in Example 5.1.1, with initial conditions $x_1(0) \in [-1.1, -0.7]$ and $x_2(0) \in [0.5, 0.9]$. We want to verify the following $\forall$CTL property on the set of trajectories:
$\forall F\, P := x_1 + x_2 - 3 > 0$
which can be understood as: given the set of initial conditions, on every computation path, in the future the vector field will always cross the threshold condition. We already verified in Example 5.2.1 that this cannot happen for the initial conditions inside region $R_1$, but with the invariant checking method used, we could not deduce information regarding the behaviour in region $R_3$. After providing the required set of predicates, we construct the corresponding abstract state transition graphs (ASTG) for regions $R_1$ and $R_3$ only. Using the SMV model checker [22], we find that, given the initial conditions, such a property will indeed be satisfied in region $R_3$.
5.4.3 RLC Circuit Oscillator 
Checking for the occurrence of oscillation is not always possible using predicate abstraction, due to the difficulty of generating an abstract model with no spurious transitions. In some cases we succeeded in accomplishing the verification.
We verified the oscillation property for the circuit shown in Figure 5.8(a), with non-linear voltage source $v_s$ and non-linear current source $c_s$, described using ODEs, respectively, as follows:
/; = -Vc ~ \v? and Vc = -27, -lf + if 
After that, we generate using Mathematica the following invariant:
jl = i-sif-isif+v! + ^  + ^ 
We can therefore construct two invariant regions $R_1 := j_1 < 0$ and $R_2 := j_1 > 0$. Given the state space and invariant regions as shown in Figure 5.8(b), we verify the following $\forall$CTL property on the set of trajectories:
$\forall G(\forall F(V_c > I_l)) \wedge \forall G(\forall F(V_c < I_l))$
which can be understood as: on every computation path, whenever the capacitor voltage $V_c$ exceeds the inductor current $I_l$, it will eventually decrease below $I_l$ again, and vice versa. This property checks for oscillatory behaviour of the circuit. We constructed the abstract transition graph for each region and verified the property using SMV. We found that the circuit will indeed always oscillate, but only inside the bounded regions illustrated in Figure 5.8.
5.5 Summary 
In this chapter, we developed a qualitative verification approach for continuous-time AMS circuit designs. The approach is based on abstracting and verifying the qualitative behavior of the circuits using a combination of techniques from predicate abstraction and constraint solving along with model checking. The principal novelties in this work are:
• We adapted the concept of lazy abstraction for the verification of CT-AMS designs. To this aim, we identified a set of basic qualitative predicates (Darboux polynomials) as invariance predicates, which helps avoid the construction of an abstract model for the whole state space.
• We proposed a constraint solving approach for the verification of safety and reachability properties. This method does not require an explicit representation of the state space but relies on generating functions that prove or disprove the properties. Our methodology overcomes the time-bound limitations of the exhaustive methods developed in related work.
Figure 5.8: Non-Linear Oscillator ((a) Circuit Schematic; (b) Phase Portrait and Invariant Regions)
Up to now, we have addressed the verification of CT-AMS designs using a variety of model checking techniques. The remaining contribution of the thesis, which will be presented in the next chapter, is devoted to the verification of another important class of AMS designs, namely discrete-time (DT) AMS designs.
Chapter 6 
Verification of DT-AMS Designs 
In this chapter, we are concerned with the class of AMS designs described using discrete-time models. This category of designs is usually developed as simulation models at a high level of abstraction in order to gain insight into the main properties of the AMS systems. In addition, discrete-time models are used to describe the behavior of switched-capacitor based designs or clocked AMS designs.
In this chapter, we define a bounded model checking algorithm on the SRE model by means of an algebraic computation theory based on interval arithmetic [85]. We combine the bounded model checking with a powerful and fully decidable equational theorem proving method to verify properties for unbounded time using induction. We applied the verification to several AMS designs, including $\Delta\Sigma$ modulators and switched capacitor circuits.
Our methodology aims to prove that an AMS description satisfies a set of properties. 
This is achieved in two phases: modeling and verification, as shown in Figure 6.1. 
Starting with an AMS description and a set of properties, the symbolic simulator 
performs a set of transformations using rewrite rules in order to obtain the generalized 
system of recurrence equations (SREs). These are combined recurrence relations that 
describe each property blended directly with the behavior of the system. The next step 
is to prove these properties using an algebraic verification engine that combines Bounded 
Model Checking over Interval Arithmetic [85] and induction over the normal structure of
Figure 6.1: DT-AMS Verification Methodology (blocks: Symbolic Simulation, Recurrence Equations, Combined SRE, Interval based Bounded Model Checking, Validation)
In summary, the verification loop terminates in one of the following situations: 
• Complete verification: 
- The property is proved by induction for all future states. 
- The property is false and a concrete counterexample is found. 
• Bounded Verification: 
- The resource limits have been attained (memory or CPU) as the verification 
can grow exponentially with the number of reachability analysis steps. 
- The constraints extracted from the interval states are divergent with respect to 
some pre-specified criteria (e.g., width of computed interval states). 
In the following, we will describe the two main verification engines we propose, 
namely bounded model checking using interval arithmetics and inductive verification. 
We will also provide an algorithmic view of how to combine both of them together as 
proposed in our methodology. 
6.1 The Verification Algorithms 
6.1.1 Interval based BMC 
Interval arithmetic based algorithms are an attractive tool for the verification of the behavior of systems with uncertainty in the design parameters or initial conditions. Interval arithmetic, as explained before, provides an over-approximation of the possible reachable states of the system, hence guaranteeing the soundness of the verification results. In this section, we propose a BMC verification algorithm for DT-AMS designs. The algorithm is based on modeling the transition relation as an SRE and modeling the state space using intervals. The recurrence model makes it possible to handle continuous behaviors like those of currents and voltages, but in discrete time, which covers a non-trivial class of mixed behaviors. The basics of BMC have already been discussed in Chapter 4, Section 4.2. In the following, we introduce the verification algorithm. (For compactness, in the remainder of the chapter we deal with properties of the form $G\,p(k)$. Verification of properties of the form $F\,p(k)$ can be easily derived, due to the duality of the $G$ and $F$ operators [23].)
The image computation gives the set of states reachable during one execution step.
Definition 6.1.1. Image Computation.
The set of reachable states in one step from a given set of states $S_k \subseteq \mathbb{I}^d$ is denoted by $\mathcal{R}_1(S_k)$ and is defined as:
$\mathcal{R}_1(S_k) \triangleq \{ s' \in S_{k+1} \mid \exists s \in S_k : F(s) = s' \}$
where $S_{k+1} \subseteq \mathbb{I}^d$, $F = (F_1, \ldots, F_d)$ and $F_i : \mathbb{I}^d \to \mathbb{I}$ is an interval evaluation of the if-formula $f_i : \mathbb{R}^d \to \mathbb{R}$, $i \in \{1, \ldots, d\}$.
The bounded forward reachability algorithm starts at the initial states and at each step computes the image, which is the set of reachable interval states. This procedure continues until either the property is falsified in some state or no new states are encountered. We evaluate the reachable states over interval domains, at arbitrary time steps, according to the following definition:
Definition 6.1.2. The set of reachable states within k steps ($0 \le i \le k$), from a given set $S_0$ of states, is denoted by $\Im_{\le k}(S_0)$ and is defined as the union of the i-step images:
$$\Im_{\le k}(S_0) \triangleq \bigcup_{i \le k} \Im_i(S_0)$$
where $\Im_0(S_0) = S_0$ and $\Im_i(S_0) = \Im_1(\Im_{i-1}(S_0))$ is the i-fold application of the image computation of Definition 6.1.1.
The bounded model checking over interval domains is then defined as follows:
Definition 6.1.3. Interval based Bounded Model Checking.
Given a natural number $k > 0$, an interval based state machine $\mathcal{I} = (S_I, S_{I,0}, \rightarrow_{S_I})$ (see Definition 3.2.11, Chapter 3), and a property $Prop$, we say that $Prop$ is verified for k steps if:
$$\forall s \in \Im_{\le k}(S_0) : s \models Prop$$
where $S_0$ is the set of initial states and $\Im_{\le k}(S_0)$ is the set of states reachable from $S_0$ in k steps.
The verification steps for safety properties are shown in Algorithm 8. The AMS model, described as a set of recurrence equations, is provided along with the (negated) property $\neg Prop[n]$ under verification. Initial and environment constraints $Env\_Const$ are also defined prior to the verification procedure, described in lines (1-12) as a loop over $N_{max}$ time steps. At each step n, we check whether the property is satisfied or not (Line 2). If $\neg Prop[n]$ is satisfiable then a counterexample is generated (Line 9); if not, we check whether fixpoint inclusion is reached (Line 3); otherwise, we update the reachable states (Line 11) and go to the next time step of the verification. The functions $Prop\_Check$, $Find\_Counterexample$ and $Update\_Reach$ are described below.
Algorithm 8 Safety BMC
Require: x[n]
Require: ¬Prop(x[n])
Require: ℑ⁰ = S₀
Require: Env_Const
for n = 1 to Nmax do
    if Prop_Check(¬Prop[n], x[n]) == False then
        if Reach[x[n]] ⊆ ℑ^{n-1} then
            return fixpoint reached
        else
            ℑ^{n-1} = Update_Reach(ℑ^{n-2}, Reach[x[n-1]])
        end if
    else
        Find_Counterexample(¬Prop[n], x[n], Env_Const)
    end if
end for
$Prop\_Check$: Given the property $\neg Prop()$, apply algebraic decision procedures to check for satisfiability. The safety verification at a given step n can be defined with the following formula:
$$Prop\_Check \triangleq x[n] = f(x[n-1]) \wedge \neg Prop(x[n]) \wedge x[n-1] \in \mathbb{I}^d$$
Practically, this can be done using equational theorem proving capabilities, as described in Appendix A.
$Update\_Reach(R_1, R_2)$: This function returns the union of the states in the sets $R_1$ and $R_2$. $Reach[x[n]]$ evaluates the reachable states over interval domains at an arbitrary time step.
$Find\_Counterexample(\neg Prop[n], x[n], Env\_Const)$: This function returns a counterexample indicating a violation of the property within the environment constraints (cf. Appendix A).
Setting a bound on the maximum number of iterations ensures that the algorithm will eventually terminate with one of the following outcomes. If at a given time step $n < N_{max}$ no new interval states are explored, then fixpoint inclusion guarantees that the property will always be satisfied; otherwise, if the property is proved to be incorrect, then a counterexample is generated. If we reach the maximum number of steps $n = N_{max}$ and no counterexample is generated, then the property is verified up to the bounded step $N_{max}$.
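As an added illustration of Algorithm 8 (example code written for this page, not the thesis' Mathematica implementation), the following Python runs the interval based safety BMC on the first-order ΔΣ modulator SRE of Example A.1.2, $y(n) = y(n-1) + u(n) - v(n-1)$ with $v(n-1) = IF(y(n-1) > 0, 1, -1)$. Intervals are closed pairs of rationals, so the bound checked is $-2 \le y(n) \le 2$ rather than the strict form. The If-formula is evaluated by splitting the interval of $y$ at the guard, the fixpoint inclusion check plays the role of Line 3, and $Find\_Counterexample$ is realised by concrete replay of corner points of the initial box, a constructed substitute for the Reduce/FindInstance based procedure of Appendix A. The input u := 1.5 is a constructed violating case in the spirit of Example A.1.3; the function names `step_image`, `safety_bmc` and `box` are this example's own.

```python
"""Interval based safety BMC in the style of Algorithm 8, applied to the
first-order delta-sigma modulator SRE of Example A.1.2:
    y(n) = y(n-1) + u(n) - v(n-1),   v(n-1) = IF(y(n-1) > 0, 1, -1)
Intervals are closed pairs (lo, hi) of Fractions, so the bound checked is
-2 <= y(n) <= 2.  Added example code, not the thesis' implementation."""
from fractions import Fraction as F
from itertools import product

BOUND = F(2)

def box(lo, hi):
    return (F(lo), F(hi))

def iadd(a, b):
    return (a[0] + b[0], a[1] + b[1])

def isub(a, b):
    return (a[0] - b[1], a[1] - b[0])

def hull(boxes):
    """Smallest interval enclosing every interval in boxes (Update_Reach)."""
    return (min(b[0] for b in boxes), max(b[1] for b in boxes))

def contained(inner, outer):
    return outer[0] <= inner[0] and inner[1] <= outer[1]

def step_image(y, u):
    """Interval image of one SRE step (Reach[x[n]]). The IF on y > 0 is
    evaluated by splitting y at the guard when the interval straddles it,
    which is tighter than taking v in [-1, 1] for the whole interval."""
    pieces = []
    if y[1] > 0:                              # part of y where y > 0 holds
        pos = (max(y[0], F(0)), y[1])
        pieces.append(isub(iadd(pos, u), (F(1), F(1))))
    if y[0] <= 0:                             # part of y where y <= 0 holds
        neg = (y[0], min(y[1], F(0)))
        pieces.append(isub(iadd(neg, u), (F(-1), F(-1))))
    return hull(pieces)

def concrete_step(y, u):
    return y + u - (1 if y > 0 else -1)

def find_counterexample(y0, u, n):
    """Concretise the interval result: replay n steps from corner points of
    the initial box (plus the guard value 0) and return the first trace that
    leaves the bound. Constructed stand-in for the Reduce/FindInstance based
    Find_Counterexample of Appendix A; None means no corner trace violates."""
    ys = {y0[0], y0[1]} | ({F(0)} if y0[0] <= 0 <= y0[1] else set())
    for ystart, uval in product(sorted(ys), (u[0], u[1])):
        trace = [ystart]
        for _ in range(n):
            trace.append(concrete_step(trace[-1], uval))
        if any(abs(v) > BOUND for v in trace):
            return trace
    return None

def safety_bmc(y0, u, nmax):
    """Returns ('fixpoint', n) when the n-th image is included in the states
    already reached (property holds for all time), ('counterexample', trace)
    when the image leaves the bound, or ('bounded', nmax) otherwise."""
    cur, acc = y0, y0                          # Reach[x[n]] and the union so far
    for n in range(1, nmax + 1):
        cur = step_image(cur, u)
        if cur[0] < -BOUND or cur[1] > BOUND:  # Prop_Check: not Prop satisfiable
            return ('counterexample', find_counterexample(y0, u, n))
        if contained(cur, acc):                # fixpoint inclusion (Line 3)
            return ('fixpoint', n)
        acc = hull([acc, cur])                 # Update_Reach (Line 11)
    return ('bounded', nmax)

if __name__ == '__main__':
    init = box(-1, 1)
    print(safety_bmc(init, box(-1, 1), 40))        # stable input: fixpoint after 2 steps
    print(safety_bmc(init, box(1.5, 1.5), 40))     # constructed violating input u := 1.5
```

With the stable input the image of [-1, 1] is [-2, 2] and the next image is again [-2, 2], so inclusion holds at step 2 and the bound is proved for all time; with u := 1.5 the first image already reaches 2.5, and the replay from y(0) = 0 (the guard point, where v = -1) gives the concrete trace 0, 2.5.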
Example 6.1.1. Given the ΔΣ design and the safety property in Example 3.4.1, we apply Algorithm 8. For instance, the correctness of the property $P(k+1)$ depends on the parameters A, B and C shown in Figure 3.5, the values of the variables $x_1(k)$, $x_2(k)$ and $x_3(k)$, the time k, and the input signal $u(k)$ (see Table 6.1). Using an implementation of Algorithm 8 in Mathematica, we verify the ΔΣ modulator for the following set of parameters inspired from the analysis in [50]:
a = 1, a1 = 0.044, a2 = 0.2881, a3 = 0.7997
b1 = 0.07333, b2 = 0.2881, b3 = 0.7997
c1 = 1, c2 = 1, c3 = 1
The initial constraints define the set of test cases over which interval based simulation is applied. If the property is false, as in the first and third cases in Table 6.1, then the verification is completed and a counterexample is generated from the simulated intervals. On the contrary, when the property is True, we have only a partial verification result, as it is bounded in terms of simulation steps. The second case in Table 6.1 illustrates this limitation. The counterexamples in the last column are generated using the function $Find\_Counterexample(.)$.
Unfortunately, we note that in some cases (last row in Table 6.1) divergence happens quickly, so we cannot deduce useful information on the property. We tackle this problem by extending the bounded model checking with an induction engine, as proposed in the methodology.
Table 6.1: Interval Based BMC Verification Results for ΔΣ Modulator in Example 6.1.1

| Initial Constraints | Property Evaluation for n = 0 to Nmax Cycles | CPU Time Used | Counter-Example |
|---|---|---|---|
| 0.028 < x1(0) < 0.03, −0.03 < x2(0) < −0.02, 0.8 < x3(0) < 0.82, u := 0.8 | Nmax = 40: n = 0 to 15 True, n > 15 False | 1.5 sec | x1[16] ↦ 0.263, x2[16] ↦ 1.25, x3[16] ↦ 2.42 |
| 0.012 < x1(0) < 0.013, 0.01 < x2(0) < 0.02, 0.8 < x3(0) < 0.82, u := 0.54 | Nmax = 38: True | 31 sec | (none) |
| 0.163 < x1(0) < 0.164, −0.022 < x2(0) < −0.021, 0.8 < x3(0) < 0.82, u := 0.6 | Nmax = 40: n = 0 to 17 True, n > 17 False | 0.8 sec | x1[19] ↦ 0.163, x2[19] ↦ 0.88, x3[19] ↦ 2.47 |
| 0.012 < x1(0) < 0.013, 0.01 < x2(0) < 0.02, 0.8 < x3(0) < 0.82, 0.58 < u < 0.6 | Divergent at Timestep 4 | 0.5 sec | (none) |
6.1.2 Constrained Induction based Verification
In formal verification, induction has been used to prove a property P in a transition system by showing that P holds in the initial states of the system and that P is maintained by the transition relation of the system. In the following, we define an induction engine over SREs for the safety property verification of AMS designs. The inductive proof for verifying a safety property $P(n) = G\,p(n)$ can be derived by checking the formula $Ind_{proof} = \psi_{base} \wedge \psi_{induc}$, where $\psi_{base}$ is the induction base and $\psi_{induc}$ is the induction step, defined as follows:
$$\psi_{base} = \forall s_0 \in S_0 : I(s_0) \Rightarrow p(s_0)$$
and
$$\psi_{induc} = \forall s_k, s_{k+1} \in S : T(s_k, s_{k+1}) \wedge p(s_k) \Rightarrow p(s_{k+1})$$
The core of the induction engine is a decision procedure function that checks satisfiability of algebraic formulas under certain constraints on quantified state variables.
Definition 6.1.4. The Prove Function.
$$Prove(quant(X, cond, expr)) = \mathrm{If}\big(Prop\_Verify(quant(X, cond, expr)) = True,\ True,\ Find\_Counterexample(cond \wedge \neg expr)\big)$$
The decision procedure function $Prove$ tries to prove a property of the form $quant(X, cond, expr)$ using $Prop\_Verify$; otherwise it gives a counterexample using the function $Find\_Counterexample$. Here $quant \in \{\forall, \exists\}$ is a quantifier over a set of state variables $X$, $cond$ is a logical combination of comparison formulae constructed over the variables $X$ describing initial and environment constraints, and $expr$ is an If-formula expression representing the property of interest, obtained after applying the symbolic rule outlined earlier.
Similar to $Prop\_Check$, $Prop\_Verify$ applies algebraic decision procedures to check for satisfiability, but for all time steps n. The safety verification can be defined with the following formula:
$$Prop\_Verify = \forall n.\,(x[n] = SRE(x[n])) \wedge Prop(x[n])$$
The Prove function uses $Find\_Counterexample(cond \wedge \neg expr)$ to generate a counterexample if the property of interest cannot be proved to hold. If a proof cannot be obtained, then we may need to find a particular combination of inputs and local signal values for which the property is not satisfied.
The property verification using $Prove$ starts by checking the validity at time $t = 1$, then at time $t = n$ assuming the properties are satisfied at time $t = n - 1$. Case splitting divides the property into subproperties whose validation results are conjoined to check the validity of the original property.
Let P be a property of the form $quant(X, cond, expr)$. We define the function SplitProve that, depending on the If-formula structure of $expr$, applies the function $Prove$ or splits the verification. SplitProve is defined recursively as follows:
Definition 6.1.5. The SplitProve Function.
According to the nature of $expr$, SplitProve can be one of the following:
• $expr$ is a comparison formula C: $SplitProve(quant(X, cond, C)) = Prove(quant(X, cond, C))$
• $expr$ is a logical formula of the form $a \circ b$, with $\circ \in \{\neg, \wedge, \vee, \oplus, \ldots\}$ and a, b If-formulae that take values in $\mathbb{B}$:
$$SplitProve(P) = SplitProve(quant(X, cond, a)) \circ SplitProve(quant(X, cond, b))$$
• $expr$ is an expression of the form $IF(q, l, r)$:
$$SplitProve(P) = SplitProve(quant(X, cond \wedge q, l)) \vee SplitProve(quant(X, cond \wedge \neg q, r))$$
According to the algebraic laws of the quantifiers, we have the following four cases:
• For $a \wedge b$ and $quant := \exists$: $SplitProve(P) \Rightarrow SplitProve(\exists(X, cond, a)) \wedge SplitProve(\exists(X, cond, b))$
• For $a \wedge b$ and $quant := \forall$: $SplitProve(P) \Leftrightarrow SplitProve(\forall(X, cond, a)) \wedge SplitProve(\forall(X, cond, b))$
• For $a \vee b$ and $quant := \exists$: $SplitProve(P) \Leftrightarrow SplitProve(\exists(X, cond, a)) \vee SplitProve(\exists(X, cond, b))$
• For $a \vee b$ and $quant := \forall$: $SplitProve(P) \Leftarrow SplitProve(\forall(X, cond, a)) \vee SplitProve(\forall(X, cond, b))$
Let $P(n)$ be the recurrence equation of the property P written as an If-formula. Let $cond_{n_0}$ be the initial condition at time $n_0$, $cond_n$ the constraints that are true for all $n > n_0$, and X the set of dependency variables of $P(n)$. The proof by induction over n is defined as follows:
Definition 6.1.6. Proof by Induction.
$$SplitProve(ForAll(X_{n_0}, cond_{n_0}, P(n_0))) \wedge SplitProve(ForAll(n > n_0 \wedge X_n,\ n \in \mathbb{N} \wedge cond_n \wedge P(n),\ P(n+1)))$$
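The following Python is an added example for this page (not the thesis' Mathematica implementation) that realises the SplitProve case splitting of Definition 6.1.5 and the proof by induction of Definition 6.1.6 on the first-order ΔΣ modulator of Example A.1.2. If-formulae are small tuple trees. `lift_if` is a constructed normalisation that pulls IF out of arithmetic, comparisons and connectives so that the IF rule applies at the top of the formula; `split_prove` performs the structural splitting; and the leaf `prove` is a constructed stand-in for the Reduce based $Prop\_Verify$ of Definition 6.1.4: it decides one comparison over a box by interval bounds and returns a violating corner of the box as counterexample (exact for the affine leaves that arise here; a failing bound with no violating corner is reported as not proved). For a universal goal both IF branches must be proved, so the two sub-goals are conjoined. Guards restricted to one variable compared with a constant, and the names `tighten`, `assume`, `in_range` and `modulator_stability`, are this example's own assumptions.

```python
"""SplitProve (Definition 6.1.5) and proof by induction (Definition 6.1.6)
over a small If-formula language, applied to the first-order delta-sigma
modulator of Example A.1.2.  Added example code, not the thesis' Mathematica
implementation; the leaf prover is a constructed stand-in for Reduce."""
from fractions import Fraction as F
from itertools import product
import math

def var(n): return ('var', n)
def const(c): return ('const', F(c))

def lift_if(e):
    """Normalise an If-formula by pulling IF out of arithmetic, comparisons and
    connectives: op(.., IF(q,l,r), ..) becomes IF(q, op(..,l,..), op(..,r,..)),
    so that the IF rule of SplitProve applies at the top of the formula."""
    if e[0] in ('var', 'const'):
        return e
    if e[0] == 'if':
        return ('if', lift_if(e[1]), lift_if(e[2]), lift_if(e[3]))
    args = [lift_if(a) for a in e[1:]]
    for i, a in enumerate(args):
        if a[0] == 'if':
            left = (e[0],) + tuple(args[:i] + [a[2]] + args[i + 1:])
            right = (e[0],) + tuple(args[:i] + [a[3]] + args[i + 1:])
            return ('if', a[1], lift_if(left), lift_if(right))
    return (e[0],) + tuple(args)

FLIP = {'le': 'ge', 'lt': 'gt', 'gt': 'lt', 'ge': 'le'}   # swap operand sides
NEG = {'le': 'gt', 'lt': 'ge', 'gt': 'le', 'ge': 'lt'}    # logical negation

def tighten(box, c):
    """Conjoin a comparison between one variable and a constant with the box
    (the guard shape assumed by this example). Strict bounds are kept closed,
    which over-approximates and is therefore sound. None means empty."""
    tag, a, b = c
    if a[0] == 'const':
        tag, a, b = FLIP[tag], b, a
    assert a[0] == 'var' and b[0] == 'const', 'unsupported guard shape'
    lo, hi = box[a[1]]
    lo, hi = (max(lo, b[1]), hi) if tag in ('gt', 'ge') else (lo, min(hi, b[1]))
    return None if lo > hi else {**box, a[1]: (lo, hi)}

def assume(box, formula):
    """Add a conjunction of variable/constant comparisons (e.g. P(n)) to the box."""
    if box is None:
        return None
    if formula[0] == 'and':
        return assume(assume(box, formula[1]), formula[2])
    return tighten(box, formula)

def ibounds(e, box):
    """Interval evaluation of an IF-free arithmetic term over the box."""
    if e[0] == 'const': return (e[1], e[1])
    if e[0] == 'var': return box[e[1]]
    a, b = ibounds(e[1], box), ibounds(e[2], box)
    return (a[0] + b[0], a[1] + b[1]) if e[0] == 'add' else (a[0] - b[1], a[1] - b[0])

def ceval(e, env):
    if e[0] == 'const': return e[1]
    if e[0] == 'var': return env[e[1]]
    a, b = ceval(e[1], env), ceval(e[2], env)
    return a + b if e[0] == 'add' else a - b

def prove(box, c):
    """Leaf Prove: forall X in box: lhs <= rhs (or <). Decided by the interval
    bound of lhs - rhs; on failure a violating corner of the box is the
    counterexample (exact for affine leaves). (False, None) means not proved."""
    tag, lhs, rhs = c
    if tag in ('ge', 'gt'):
        tag, lhs, rhs = FLIP[tag], rhs, lhs
    diff = ('sub', lhs, rhs)
    hi = ibounds(diff, box)[1]
    if (hi <= 0) if tag == 'le' else (hi < 0):
        return True, None
    names = sorted(box)
    for corner in product(*(box[v] for v in names)):
        env = dict(zip(names, corner))
        d = ceval(diff, env)
        if (d > 0) if tag == 'le' else (d >= 0):
            return False, env
    return False, None

def split_prove(box, expr):
    """SplitProve for a universally quantified goal ForAll(X, box, expr)."""
    if box is None:                      # cond unsatisfiable: vacuously true
        return True, None
    if expr[0] == 'and':                 # forall distributes over conjunction
        ok, cex = split_prove(box, expr[1])
        return (ok, cex) if not ok else split_prove(box, expr[2])
    if expr[0] == 'or':                  # forall a  or  forall b  suffices
        ok, _ = split_prove(box, expr[1])
        return (True, None) if ok else split_prove(box, expr[2])
    if expr[0] == 'if':                  # IF(q,l,r): cond /\ q for l, cond /\ not q for r
        q = expr[1]
        ok, cex = split_prove(tighten(box, q), expr[2])
        if not ok:
            return ok, cex
        return split_prove(tighten(box, (NEG[q[0]],) + q[1:]), expr[3])
    return prove(box, expr)

def induction(init_box, cond_box, prop, prop_next):
    """Definition 6.1.6: base over the initial box, then the step over the
    box valid for all n, strengthened with P(n)."""
    ok, cex = split_prove(init_box, lift_if(prop))
    if not ok:
        return ('base fails', cex)
    ok, cex = split_prove(assume(cond_box, prop), lift_if(prop_next))
    return ('proved', None) if ok else ('step fails', cex)

# First-order delta-sigma modulator: y(n) = y(n-1) + u - IF(y(n-1) > 0, 1, -1)
Y, U = var('y'), var('u')
Y_NEXT = ('sub', ('add', Y, U), ('if', ('gt', Y, const(0)), const(1), const(-1)))

def in_range(e, b):
    return ('and', ('le', const(-b), e), ('le', e, const(b)))

def modulator_stability(u_lo, u_hi):
    """G(-2 <= y(n) <= 2) for |y(0)| <= 1 and u in [u_lo, u_hi] (closed bounds,
    because the leaf prover works on closed intervals)."""
    init = {'y': (F(-1), F(1)), 'u': (F(u_lo), F(u_hi))}
    cond = {'y': (-math.inf, math.inf), 'u': (F(u_lo), F(u_hi))}
    return induction(init, cond, in_range(Y, 2), in_range(Y_NEXT, 2))
```

For u in [-1, 1] the step goal splits on y > 0 into the two affine leaves y + u - 1 and y + u + 1 over the strengthened box y in [-2, 2], and both stay within [-2, 2], so the property is proved for all n. For the constructed input u := 1.5 the leaf y + u - 1 <= 2 fails at the corner y = 2, which is exactly a state satisfying P(n) whose successor violates P(n+1).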
Example 6.1.2. We verify the ΔΣ modulator in Example 3.4.1 for two sets of parameters inspired from the analysis in [50]:
$Param_1$: a = 1, a1 = 0.044, a2 = 0.2881, a3 = 0.7997; b1 = 0.044, b2 = 0.2881, b3 = 0.7997; c1 = 1, c2 = 1, c3 = 1
$Param_2$: a = 1, a1 = 0.044, a2 = 0.2881, a3 = 0.7997; b1 = 0.07333, b2 = 0.2881, b3 = 0.7997; c1 = 1, c2 = 1, c3 = 1
We apply the induction implemented in Mathematica in order to verify the ΔΣ modulator stability for the above sets of parameters and for two cases of conditions (state space constraints). Table 6.2 summarizes the verification results. The property is True if it is proved under the set of conditions and the set of parameters for all k > 0. If there is no k for which the property is valid then it is False, and a counterexample is provided. When the property is valid for some values of k and not for others, we say that the property is not proved, and counterexamples are provided.
6.2 d-Induction BMC Methodology
The proposed verification algorithm is based on combining induction and bounded model checking to generate a correctness proof for the system. This method is an algebraic version of the induction based bounded model checking developed recently for the verification of digital designs [6]. We start with an initial set of states encoded as intervals, as shown in Figure 6.2. Then, iteratively, the possible reachable successor states from the previous states are evaluated using interval analysis based computation rules over the SREs, i.e., the output of this step is an If-formula where all variables are substituted by intervals. If there exists a path that evaluates the property to false, then we search for a concrete counterexample. Otherwise, if all paths give true, then we transform the set of current states to constraints and try to prove by induction that the property holds for all future states. If a proof is obtained, then the property is verified. Otherwise, if the proof fails, the BMC step is incremented: we compute the next set of interval states and the operations are re-executed.
[Table 6.2 residue: induction based verification results for the ΔΣ modulator in Example 6.1.2; only the condition columns are recoverable from the extracted text]
Case 1, values at t = 0: 0 < x1(0) < 0.01, −0.01 < x2(0) < 0, 0.8 < x3(0) < 0.82, u := 0.6; values at t = n: −0.1 < x1(n) < 0.1, −0.5 < x2(n) < 0.5, 0.5 < x3(n) < 1.5, u := 0.6
Case 2, values at t = 0: 0 < x1(0) < 0.02, −0.03 < x2(0) < −0.01, 1 < x3(0) < 1.4, u := 0.8; values at t = n: −0.1 < x1(n) < 0.1, −1 < x2(n) < 0.5 (remaining entries not recoverable)
6.2.1 d-induction
In formal verification, induction has been used to prove a property $G\,P(n)$ in a transition system by showing that P holds in the initial states of the system and that P is maintained by the transition relation of the system. As such, the induction hypotheses are typically much simpler than a full reachable state description. Besides being a complete proof technique when it succeeds, induction is able to handle larger models than bounded model checking. Bounded model checking needs to check sufficiently long paths to get reasonable confidence. Hence, simple induction is not powerful enough to verify many properties.
[Figure 6.2: Overview of the Verification Algorithm. Recoverable labels: BMC step (False: counter-example provided; True: extract constraints, then proof by induction); proof by induction (Proved True: property is verified for unbounded time; otherwise next interval states and a further BMC step); divergence: property is verified for a bounded time]
d-induction [6] is a modified induction technique, where one attempts to prove that a property holds in the current state, assuming that it holds in the previous d consecutive states. Essentially, induction with depth corresponds to strengthening the induction hypothesis by imposing the original induction hypothesis on d consecutive time-frames. Given a state transition system (S, I, T), where S is the set of states, $I \subseteq S$ is the set of initial states and $T \subseteq S \times S$, the d-induction proof is defined as
$$d\text{-}Ind_{proof} = \psi_{d\text{-}base} \wedge \psi_{d\text{-}induc}$$
where $\psi_{d\text{-}base}$ is the induction base and $\psi_{d\text{-}induc}$ is the induction step, defined as follows (the formula for $\psi_{d\text{-}base}$ is not recoverable from the extracted text):
$$\psi_{d\text{-}induc} = \bigwedge_{i=k}^{d-1} T(s_i, s_{i+1}) \wedge \bigwedge_{i=k}^{d} P(s_i) \Rightarrow P(s_{k+d+1})$$
It is worth noting that when d = 1, we have exactly the basic induction step defined in classical induction.
Similar to the general induction methods, (un)satisfiability based induction $d\text{-}Ind_{sat}$ is the dual of the induction proof: $\neg d\text{-}Ind_{sat} = d\text{-}Ind_{proof}$. The formula $d\text{-}Ind_{sat} = \phi_{d\text{-}base} \vee \phi_{d\text{-}induc}$ is checked for unsatisfiability, where the formulas $\phi_{d\text{-}base}$ (the base step) and $\phi_{d\text{-}induc}$ (the induction step) are defined as follows (again only the induction step survived extraction):
$$\phi_{d\text{-}induc} = \bigwedge_{i=k}^{d-1} T(s_i, s_{i+1}) \wedge \bigwedge_{i=k}^{d} P(s_i) \wedge \neg P(s_{k+d+1})$$
The d-induction based verification (Algorithm 9, as in [6]) is an incremental algorithm, where the depth bound d (Line 10) is incremented at each step and induction (Lines 3, 6) is applied on the new formulas until a d-length counterexample is generated (Line 4) or the property is proved over a suitable length (Line 7).
Algorithm 9 d-induction
initialize d = 0
for d = 0 to dmax do
    if φ_{d-base} is True then
        return counterexample
    else
        if φ_{d-induc} is False then
            return property proved
        end if
    end if
    d = d + 1
end for
The advantage of d-induction over classical induction is that it provides the user with a way of strengthening the induction hypothesis by lengthening the number of time steps d computed. Practically speaking, $\psi_{d\text{-}base}$ is a bounded model checking (BMC) run as defined earlier in this section. For systems with variables interpreted over real domains, like AMS designs, checking the satisfiability of the formulae for a given set of initial conditions requires algorithms that produce bounded envelopes for all the reachable states at the discrete time points.
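To make the depth increment of Algorithm 9 concrete, here is an added Python example (written for this page, not taken from [6] or the thesis) that runs d-induction by path enumeration on a small constructed finite transition system: $\phi_{d\text{-}base}$ is a BMC run of depth d from the initial states, and $\phi_{d\text{-}induc}$ is searched as a path of d consecutive states satisfying P followed by one that violates it, with the start state unconstrained. The convention used here is that depth d assumes P on d consecutive states, so d = 1 is plain induction. The system, the property and the names `paths`, `base_violation`, `step_violation` and `d_induction` are this example's own; the system is built so that plain induction fails on an unreachable state while depth 2 succeeds.

```python
"""d-induction (Algorithm 9 style) by path enumeration on a small constructed
finite transition system.  Added example code, not from [6] or the thesis.
Depth d assumes P on d consecutive states and concludes P on the next one,
so d = 1 is plain induction."""

# Constructed system (not from the thesis): states 0..3, with 0 -> 1 -> 0,
# 2 -> 3 and 3 -> 3.  State 2 is unreachable from 0 but steps into the bad
# state 3, which is exactly what defeats plain (d = 1) induction.
TRANS = {0: {1}, 1: {0}, 2: {3}, 3: {3}}

def safe(s):
    """The property P: the bad state 3 is never entered."""
    return s != 3

def paths(starts, length, trans):
    """All sequences s_0 .. s_length with s_0 in starts and T(s_i, s_{i+1})."""
    frontier = [(s,) for s in starts]
    for _ in range(length):
        frontier = [p + (t,) for p in frontier for t in trans[p[-1]]]
    return frontier

def base_violation(init, d, trans, prop):
    """phi_{d-base}: a path of length <= d from the initial states that ends
    in a state violating P (a BMC run of depth d)."""
    for k in range(d + 1):
        for p in paths(init, k, trans):
            if not prop(p[-1]):
                return p
    return None

def step_violation(d, trans, prop):
    """phi_{d-induc}: a path s_k .. s_{k+d} with P on the first d states and
    not P on s_{k+d}. s_k ranges over all states, not just reachable ones,
    which is why induction can fail on a safe system."""
    for p in paths(trans.keys(), d, trans):
        if all(prop(s) for s in p[:-1]) and not prop(p[-1]):
            return p
    return None

def d_induction(init, trans, prop, dmax):
    """Increment the depth until the base step yields a counterexample, the
    induction step is unsatisfiable (property proved), or dmax is reached."""
    for d in range(1, dmax + 1):
        cex = base_violation(init, d, trans, prop)
        if cex is not None:
            return ('counterexample', list(cex))
        if step_violation(d, trans, prop) is None:
            return ('proved', d)
    return ('bounded', dmax)

if __name__ == '__main__':
    print(d_induction({0}, TRANS, safe, 5))   # plain induction fails, depth 2 proves
    print(d_induction({2}, TRANS, safe, 5))   # BMC of depth 1 finds 2 -> 3
```

At depth 1 the step check finds the path 2, 3 (P holds on 2, fails on 3), so nothing is proved; at depth 2 a violating path would need a predecessor of 2 satisfying P, which does not exist, so the step is unsatisfiable and the property is proved for every state reachable from 0. Starting from 2 instead, the base step of depth 1 returns the counterexample 2, 3.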
6.2.2 Combining d-induction and Interval based BMC
The d-induction based verification algorithm is an incremental algorithm, where the depth is incremented at each step and induction is applied on the new formulas until a d-length counterexample is generated or the property is proved. The verification steps are given in Algorithm 10.
The AMS model described as a set of recurrence equations is provided along with the (negated) property $\neg Prop[n]$ under verification. Initial and environment constraints are also defined prior to the verification procedure, described in lines (1-18) as a loop of depth $N_{max}$ steps. For each depth $d < N_{max}$, we first check the initial d-induction step by verifying whether the property holds for all steps up to this depth d (Line 3). If the property is false, we generate a counterexample (Line 4). Before checking the induction step (Line 10), we verify whether an inclusion fixed point is reached. If so, the verification ends, since checking the induction step would be trivial: no new verification information can be implied. When we apply the induction step, either the property is verified for unbounded time (Line 11), or we conclude that the current depth is not enough to verify the property and the depth is incremented (Line 14).
It is worth noting that the constraints used in the induction steps are extracted from the previous reachable states. Hence, we strengthen the induction hypothesis by lengthening the number of time steps d computed. In case a counterexample needs to be generated, the extracted constraints allow finding a partial path violating the property.
Algorithm 10 d-induction based BMC
Require: x[n] := SRE(x)
Require: ¬Prop(x[n])
Require: ℑ⁰ = S₀
Require: Env_Const
initialize d = 1
for d = 1 to Nmax do
    if Prop_Check(¬⋀_{i=0}^{d} Prop[i], x[n]) == True then
        Find_Counterexample(¬Prop[n], x[n], Env_Const)
    else
        if Prop_Check(¬Prop[d], x[d]) == False then
            if Reach[x[d]] ⊆ ℑ^{d-1} then
                return fixpoint reached
            else
                ℑ^{d} = Update_Reach(ℑ^{d-1}, Reach[x[d]])
                extract cond_d from ℑ^{d} and apply the induction step (Definition 6.1.6)
                if the induction step is proved then
                    return property verified for unbounded time
                end if
            end if
        end if
    end if
    d = d + 1
end for
Setting a bound on the maximum number of iterations ensures that Algorithm 10 will eventually terminate in one of the following outcomes. If the initial induction step fails, a counterexample is generated; otherwise, if at a given time step $n < N_{max}$ no new interval states are explored, then fixpoint inclusion guarantees that the property will always be verified. In this case, the induction step is verified as true and the algorithm terminates. Otherwise we increase the induction depth and restart the verification. If we reach the maximum number of steps $n = N_{max}$ and no counterexample is generated, then the property is verified up to the bounded step $N_{max}$.
6.3 Applications
We have applied the verification methodology proposed in this chapter to different classes of DT-AMS designs spanning various design levels, e.g., a ΔΣ modulator at the functional level, digitally controlled analog computers at the macromodel level, and switched capacitor designs at the circuit level.
We implemented the algorithms described in this chapter in Mathematica. As input to the algorithms, we supply the recurrence equations and the initialization constraints (plus environment constraints for the induction method). The output is either a message signaling that verification succeeds, that divergence occurs (only in BMC or d-induction verification), or a counterexample.
6.3.1 Third-order ΔΣ Modulator
We extended the verification results outlined throughout the chapter and summarized in Tables 6.1 and 6.2 by applying the d-induction algorithm to verify the stability of the third-order ΔΣ modulator for different combinations of design parameters, inputs and initial conditions. Using a Mathematica implementation of Algorithm 10, we were able to prove properties with the inductive BMC method that we were unable to verify previously using the conventional BMC method. In row 2 (Table 6.1), we were only able to verify the property for a bounded time step; with the d-induction BMC method, however, we were able to prove that the property always holds (second row with param1 in Table 6.3). On the other hand, in row 4 (Table 6.1), divergence occurs quickly; however, the property is proven True, as shown in Table 6.3, row 4 with param2. When comparing the d-induction verification results with the induction based verification results in Table 6.2, we get the expected results, with the exception of Table 6.3, row 2 with param1. The verification in Table 6.2 (Case 2 with param1) identifies a counterexample, while in Table 6.3 we were unable to complete the verification because of divergence of the interval calculations. The fact that simple induction was successful was due to an appropriate choice of environment constraints, which are supplied manually, unlike in d-induction, where the constraints are extracted automatically from previous verification steps. A better implementation of interval arithmetic would therefore allow an enhancement of the verification results.
[Table 6.3 residue: d-induction BMC results for the third order ΔΣ modulator; only the initial constraint column is recoverable from the extracted text]
Row 1: 0 < x1(0) < 0.01, −0.01 < x2(0) < 0, 0.8 < x3(0) < 0.82, u := 0.6
Row 2: 0 < x1(0) < 0.02, −0.03 < x2(0) < −0.01, 1 < x3(0) < 1.4, u := 0.8
Row 3: 0 < x1(0) < 0.01, −0.01 < x2(0) < 0, 0.8 < x3(0) < 0.82, u := 0.6
Row 4: 0.012 < x1(0) < 0.013, 0.01 < x2(0) < 0.02, 0.8 < x3(0) < 0.82, u := 0.54
Row 5: 0 < x1(0) < 0.02, −0.03 < x2(0) < −0.01, 1 < x3(0) < 1.4, u := 0.8
Row 6: 0.012 < x1(0) < 0.013, 0.01 < x2(0) < 0.02 (remaining entries not recoverable)
6.3.2 Non-Linear Voltage Switching Circuit
We studied the applicability of our methodology to the verification of a simple non-linear analog computer constructed from components like opamps and voltage multipliers (Figure 6.3). A voltage multiplier is a non-linear analog system which can be constructed using voltage controlled current sources such as transconductances, as shown in Figure 6.3.b, followed by current to voltage converters. The design under verification is shown in Figure 6.3.a. We propose a circuit where the positive and negative feedbacks are externally controlled digitally, hence providing different configurations of the circuit. The circuit extends the design in [38] by adding a positive feedback section and supporting voltage multiplication, making the circuit verification more challenging to achieve. The circuit SRE is described as follows:
v2[n+1] = if[vd[n], times[v1[n], v0[n]], times[-2, v1[n]]]
vin[n+1] = divide[times[r1[n], v2[n+1]], plus[1000, r1[n]]]
v0[n+1] = divide[times[vin[n+1], plus[r2[n], 1000]], r2[n]]
r1[n+1] = if[rd1[n], a, b]
r2[n+1] = if[rd2[n], c, d]
where v1[n] is the input signal and a, b, c, d are different resistor values, chosen according to the logical conditions rd1[n] and rd2[n], which can be specified using a controller.
Suppose we want to check the bounds on the output voltage amplitude. We need to make sure that a correct controller will ensure that the output voltage never increases indefinitely and always stays within a certain range. This can be written as:
$$G(P(k) = -5 < v0(k) < 5)$$
After symbolic simulation, we obtain the following SRE:
$$-5 < if\Big[vd(n),\ \frac{\frac{r1(n)\,r2(n)\,v0(n)\,v1(n)}{r1(n)+1000} + \frac{1000\,r1(n)\,v0(n)\,v1(n)}{r1(n)+1000}}{r2(n)},\ -\frac{\frac{2\,r1(n)\,r2(n)\,v1(n)}{r1(n)+1000} + \frac{2000\,r1(n)\,v1(n)}{r1(n)+1000}}{r2(n)}\Big] < 5$$
We choose several selector control frequencies to control the resistors as well as the input signal. The verification results for different sets of variable resistors ({250, 500, 1000, 2000}), initial values and inputs are shown in Table 6.4.
(a). Main Circuit (b). Voltage Multiplier 
Figure 6.3: Digitally Controlled Analog Computer 
[Table 6.4 residue: verification results for the digitally controlled analog computer; only the initial constraint column is recoverable from the extracted text]
Row 1: −0.5 < v1(0) < 1.5, 0.02 < v0(0) < 2.21, 0.1 < v2(0) < 0.2, a, b, c, d ∈ {500, 2000}
Row 2: −0.5 < v1(0) < 1.5, 0.02 < v0(0) < 2.21, 0.1 < v2(0) < 0.2, a, b, c, d ∈ {500, 2000}
Row 3: −0.5 < v1(0) < 1.5, 0.02 < v0(0) < 0.21, 0.1 < v2(0) < 0.2, a, b, c, d ∈ {500, 2000}
Row 4: −0.5 < v1(0) < 1.5, 0.02 < v0(0) < 0.21, 0.1 < v2(0) < 0.2, a, b, c, d ∈ {250, 1000, 500, 2000}
Row 5: −0.5 < v1(0) < 1.5, 0.02 < v0(0) < 0.21, 0.1 < v2(0) < 0.2, a, b, c, d ∈ {500, 2000}
Row 6: −0.5 < v1(0) < 1.5, 0.02 < v0(0) < 0.21, 0.1 < v2(0) < 0.2 (remaining entries not recoverable)
6.3.3 Discussions
In this section, we highlighted some experimental studies we conducted on different classes of AMS designs that can be described using the SRE model proposed in this thesis. From the experimental results, we observed that the choice of the initial intervals for the parameters and the state variables affects divergence greatly, rather than the size of the designs (number of equations). This is due to the over-approximating nature of interval arithmetic. We have used some simplification rules, such as the Horner rule, in order to obtain narrower bounds for the reachable states.
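As an added example for this page (not the thesis' Mathematica code), the following Python computes the interval image of the analog computer SRE of Section 6.3.2 with the digital controls vd, rd1 and rd2 left free, i.e. the hull over every control choice, and iterates it against G(−5 < v0 < 5). Interval multiplication is needed here because of the voltage multiplier, which is what makes the box grow from step to step. An interval overshoot of the bound is confirmed by a concrete replay over box corners and all control sequences (a constructed substitute for $Find\_Counterexample$); if no concrete trace is found, the overshoot is reported as divergence of the over-approximation. The resistor sets and the initial v0 box are taken from Table 6.4; the single-resistor runs and the narrower input box are constructed variants that show the point made above, that the initial intervals rather than the equation count decide whether the iteration converges. The names `v0_image`, `witness` and `run` are this example's own.

```python
"""Interval image of the digitally controlled analog computer SRE (Section
6.3.2) with the digital controls vd, rd1, rd2 left free, iterated against
G(-5 < v0 < 5).  Added example code, not the thesis' Mathematica implementation."""
from fractions import Fraction as F

def imul(a, b):
    ps = (a[0] * b[0], a[0] * b[1], a[1] * b[0], a[1] * b[1])
    return (min(ps), max(ps))

def iscale(a, k):
    """Interval times a constant k (k may be negative)."""
    return (a[0] * k, a[1] * k) if k >= 0 else (a[1] * k, a[0] * k)

def hull(ivs):
    return (min(i[0] for i in ivs), max(i[1] for i in ivs))

def box(lo, hi):
    return (F(lo), F(hi))

def v0_image(v0, v1, r1s, r2s):
    """One-step image of v0 under
         v2  = IF(vd, v1 * v0, -2 * v1)
         vin = r1 * v2 / (1000 + r1)
         v0' = vin * (r2 + 1000) / r2
    with vd free and r1, r2 ranging over the resistor choices: the hull over
    every control branch, each evaluated in interval arithmetic."""
    branches = []
    for v2 in (imul(v1, v0), iscale(v1, F(-2))):          # vd true / vd false
        for r1 in r1s:
            vin = iscale(v2, F(r1, 1000 + r1))
            for r2 in r2s:
                branches.append(iscale(vin, F(r2 + 1000, r2)))
    return hull(branches)

def witness(v0, v1, r1s, r2s, n, bound):
    """Concrete replay over corners of the boxes and every control sequence of
    at most n steps (constructed stand-in for Find_Counterexample). Returns a
    v0 trace leaving [-bound, bound], or None if the overshoot was spurious."""
    def go(x, trace):
        if abs(x) > bound:
            return trace
        if len(trace) > n:
            return None
        for a in v1:                                   # corner of the v1 box
            for v2 in (a * x, -2 * a):                 # vd true / vd false
                for r1 in r1s:
                    for r2 in r2s:
                        nxt = r1 * v2 / (1000 + r1) * (r2 + 1000) / r2
                        t = go(nxt, trace + [nxt])
                        if t:
                            return t
        return None
    for x in v0:
        t = go(x, [x])
        if t:
            return t
    return None

def run(v0, v1, r1s, r2s, nmax, bound=F(5)):
    """('violated', n, trace) if the n-th image leaves the bound and a concrete
    trace confirms it; ('divergent', n) if it leaves the bound with no concrete
    witness (the over-approximation blew up); ('fixpoint', n) on inclusion in
    the states reached so far; ('bounded', nmax) otherwise."""
    cur, acc = v0, v0
    for n in range(1, nmax + 1):
        cur = v0_image(cur, v1, r1s, r2s)
        if cur[0] < -bound or cur[1] > bound:
            w = witness(v0, v1, r1s, r2s, n, bound)
            return ('violated', n, w) if w else ('divergent', n)
        if acc[0] <= cur[0] and cur[1] <= acc[1]:
            return ('fixpoint', n)
        acc = hull([acc, cur])
    return ('bounded', nmax)

if __name__ == '__main__':
    v0 = box('0.02', '0.21')                                    # row 3 of Table 6.4
    print(run(v0, box('-0.5', '1.5'), (500, 2000), (500, 2000), 10))   # violated at step 1
    print(run(v0, box('-0.5', '1.5'), (500,), (500,), 10))             # violated at step 3
    print(run(v0, box('-0.5', '0.5'), (500,), (500,), 10))             # constructed: fixpoint
```

With both resistor values free, the branch vd = false, r1 = 2000, r2 = 500 has gain 2 on −2·v1, so v1 = 1.5 drives v0 to −6 in one step. Fixing the resistors at 500 (gain 1) the box still grows through the multiplier, v1·v0, and the bound is crossed at step 3 along the concrete trace 0.02, −3, −4.5, −6.75; shrinking the input box to [−0.5, 0.5] makes the image settle into [−1, 1] and inclusion holds at step 2.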
6.4 Summary
In this chapter, we have defined and implemented an induction based bounded model checking technique that traverses the structure of the normalized properties and provides a formal correctness proof or, otherwise, a counterexample. Image computations have been achieved using interval arithmetic over these symbolic expressions. We have implemented our methodology using standard libraries for symbolic computation available in Mathematica, allowing the development of a fully automated verification engine. Experimental results have shown the feasibility of the approach. To the best of our knowledge, this is the first proposal for a d-induction approach for the verification of analog and




The need for formal verification methods in the design flow of embedded systems is becoming more of a requirement than a luxury. This has been motivated by the previous successes in the verification of corner cases in digital designs and by tight time-to-market constraints. In fact, the verification of AMS designs is a great challenge because of two main obstacles: the infinite continuous state space and the density of the time space. In this thesis, we have presented a formal verification methodology that addresses both obstacles.
We proposed a recurrence equation (SRE) modeling framework for AMS designs based on the concept of the generalized If-formula. Such a model is adequate to describe designs at several levels of abstraction and is well suited for symbolic analysis in addition to formal verification. In fact, generalized systems of recurrence equations (SREs) are a mathematical model that can represent both the digital behavior, using If-formulae, and the analog continuous state space, using symbolic algebra. The symbolic computation algorithm produces a set of recurrence relations for each property that we wish to verify. For discrete-time systems, the design equations can be directly expressed by the SRE, while for continuous-time systems a Taylor polynomial based approximation is applied, with the necessary conditions to ensure preservation of the original behavior of the design.
For the verification, we developed bounded model checking algorithms for continuous-time AMS designs. We have proposed a semi-symbolic modeling of the state space using the principle of Taylor models, which represent the state space by a combination of polynomial and interval terms. The main advantage of such modeling is that the polynomial representation helps slow the divergence due to over-approximated intervals. Moreover, the interval part provides an important abstraction to handle the continuous behavior.
To overcome the time bound limitations of the exhaustive methods associated with the bounded verification presented, we complement the approach with a qualitative abstraction verification approach. The approach is based on abstracting and verifying the qualitative behavior of the circuits using a combination of techniques from predicate abstraction and constraint solving, along with bounded model checking. The principal novelty in this work is adapting the concept of lazy abstraction for the verification of CT-AMS designs. To this aim, we identified a set of basic qualitative predicates (Darboux polynomials) as invariance predicates, which helps avoid the construction of an abstract model for the whole state space. We also proposed a constraint solving approach for the verification of safety, switching and reachability properties. This method does not require an explicit representation of the state space but relies on generating functions that prove or disprove the properties.
To tackle the verification of discrete-time AMS designs, we have defined an induction based bounded model checking technique that traverses the structure of the normalized properties and provides a formal correctness proof or a counterexample. Image computations for induction are performed using interval arithmetic over these symbolic expressions.
We have applied the verification methodology proposed in this thesis to examples from several classes of AMS designs spanning various abstraction levels. We have implemented our methodology using standard libraries for symbolic computation available in Mathematica, allowing the development of a fully automated verification engine. Experimental results have demonstrated the feasibility of the proposed approach.
Future Work. 
The formal verification of AMS designs is a relatively young research field and 
still under-developed, which is a bad and a good sign at the same time. It is bad be-
cause this shows the lack of extensive research which is due mainly to the complexity of 
the verification process and the challenging problems mostly inherited from the hybrid 
systems. Also, it is due to the different scientific backgrounds between AMS engineers, 
control engineers and computer scientists. However, this can motivate interdisciplinary 
collaborations. The good news is that room for exploration is yet wide open. Among the 
interesting directions is developing an AMS theory with high-order logic, process alge-
braic languages for AMS designs and formalizing the AMS theory within a formal theory 
like abstract interpretation, and developing specification logics for frequency properties 
among others. Another important direction is incorporating formal verification within the 
design flow, hence complementing simulation, testing and symbolic analysis. Also, the 
problem of extending classical temporal logics to derive suitable descriptions of analog 
properties is of great interest. 
From our point of view, our priority future work can be summarized as follows: 
• More investigation is needed to improve the implementation to verify more com-
plex circuits and to measure the limitation of the proposed methodology. Another 
challenge is to define and to verify more important properties related to industrial 
problems like audio and RF systems. 
• Investigating alternative implementations to improve the experimental capacity over 
more complex systems and to measure the limitation of the proposed methodology. 
• Also, an important effort is needed to classify the kind of properties and AMS 
systems that can be verified using this verification approach. 
• Extraction of the design equations from the circuit descriptions (schematic diagrams or HDL-AMS designs). We are currently looking for methods to extract and simplify the system equations using Bond graph analysis.
Extracting the system equations to be used in behavioral modeling is a challenging task in the AMS design process. Nodal analysis techniques have been developed to this aim by extracting equations from the circuit netlist. However, such extracted equations are very large in general and too complicated to be used for the behavioral analysis required at higher levels in the design process. To overcome this problem, abstraction techniques have been developed to generate simplified models preserving




A.1 Mathematica Functions
We have implemented a prototype for the presented verification algorithms using symbolic algebraic manipulation and real number theorem proving developed inside the computer algebra tool Mathematica [114]. The proposed verification functions, such as Prop-Check and Prop-Verify, can be realized using equational theorem proving functions in Mathematica such as Reduce. Reduce[expr, vars] simplifies the statement expr by solving equations or inequalities for vars and by eliminating quantifiers. The statement expr can be any logical combination of:
• lhs == rhs (Equations)
• lhs ∘ rhs, where ∘ ∈ {!=, <=, <, >, >=} (Inequalities)
• expr ∈ dom (Domain Specifications)
• ForAll[x, cond, expr] (Universal Quantifiers)
• Exists[x, cond, expr] (Existential Quantifiers)
Reduce gives True if expr is proved to be always true, False if expr is proved to be always false, and a reduced expr otherwise. The Mathematica implementation of Reduce is inspired by the real polynomial decision algorithm defined in [101].
Example A.1.1. For example, the safety verification problem in Example 5.2.1 can be formulated using Reduce as follows:
Reduce[Exists[{x1, x2}, 1 - x1 - x2 > 0 && 1 - x1 + x2 > 0, -3 + x1 + x2 >= 0], {x1, x2}]
Example A.1.2. For simplicity of visualization, we provide details about applying the induction for the verification of a first-order one-bit ΔΣ modulator with two quantization levels, +1V and -1V. The quantizer input signal y(n) should stay between -2V and +2V in order not to be overloaded. The SRE of the ΔΣ modulator is:
y(n) = y(n-1) + u(n) - v(n-1)
v(n-1) = IF(y(n-1) > 0, 1, -1)
Stability is expressed with the following property: G|y(n)| < 2, with the input |u| < 1 and the initial condition |y(0)| < 1. Informally, the property means that to ensure that the modulator will always be stable starting from the initial conditions, we must ensure that the quantizer input stays in the interval [-2, 2], given that it is initially bounded in the interval [-1, 1] and the modulator input lies in the interval [-1, 1]. The property proof at time n can be formulated as follows:
in:= Reduce[
ForAll[{u, y[n-1]}, And[-1 < u < 1,
-2 < y[n-1] < 2],





The function FindInstance[expr, vars, assum] finds an instance of vars that makes expr True if an instance exists, and gives {} if it does not. The result of FindInstance is of the form:
{{v1 -> instance1, v2 -> instance2, ..., vm -> instancem}}
where vars = {v1, v2, ..., vm}. Furthermore, FindInstance may be able to find instances even if Reduce cannot give a complete reduction. The Mathematica implementation of FindInstance is based on variants of Newton's, Secant and Brent's methods [17].
Example A.1.3. Consider the first-order ΔΣ modulator in Example A.1.2, with the input signal |u| > 1 and the initial condition |y(0)| < 1. The property G|y(n)| < 2 fails to be verified. In fact, since the input to the modulator does not conform to the stability requirement, the modulator will indeed be unstable. For this property, we can find a counter-example:
in:= FindInstance[And[1 < u, 1 >= y[n-1] > 0,
(-1 + u + y[n-1] >= 2)], {u, y[n-1]}]
out:= {{u -> 2, y[n-1] -> 1}}
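The induction step of Example A.1.2 and the counter-example search of Example A.1.3, redone in Python as an added example (not the thesis's Mathematica code). Because y(n) is affine in (y(n-1), u) on each quantizer branch, evaluating the box corners with exact rationals, and recording whether an open corner is actually reached, decides the strict property; the corner sampling that stands in for FindInstance's numerical search is this example's own construction.

```python
# Added example (not the thesis's Mathematica code): inductive check of
# G|y(n)| < 2 for the first-order one-bit sigma-delta modulator SRE
#   y(n) = y(n-1) + u(n) - v(n-1),  v(n-1) = IF(y(n-1) > 0, 1, -1)
# On each quantizer branch the map is affine, so its sup/inf over a box sit at
# (or are only approached from) the corners; corner sampling is our own device.
from dataclasses import dataclass
from fractions import Fraction
from typing import List, Optional, Tuple

Q = Fraction


@dataclass(frozen=True)
class Interval:
    """Interval with possibly open ends; None means unbounded on that side."""
    lo: Optional[Fraction]
    hi: Optional[Fraction]
    lo_open: bool = False
    hi_open: bool = False

    def contains(self, x: Fraction) -> bool:
        if self.lo is not None and (x < self.lo or (x == self.lo and self.lo_open)):
            return False
        if self.hi is not None and (x > self.hi or (x == self.hi and self.hi_open)):
            return False
        return True


def quantizer(y_prev: Fraction) -> int:
    """One-bit quantizer: v(n-1) = IF(y(n-1) > 0, 1, -1)."""
    return 1 if y_prev > 0 else -1


def step(y_prev: Fraction, u: Fraction) -> Fraction:
    """SRE of the modulator: y(n) = y(n-1) + u(n) - v(n-1)."""
    return y_prev + u - quantizer(y_prev)


def split_on_quantizer(y: Interval) -> List[Tuple[Interval, int]]:
    """Case split of the y(n-1) interval at 0 so that v is constant on each piece."""
    parts = []
    if y.hi is None or y.hi > 0:                      # branch v = +1 : y(n-1) > 0
        keep = y.lo is not None and y.lo > 0
        parts.append((Interval(y.lo if keep else Q(0), y.hi,
                               y.lo_open if keep else True, y.hi_open), 1))
    if y.lo is None or y.lo < 0 or (y.lo == 0 and not y.lo_open):  # v = -1 : y(n-1) <= 0
        keep = y.hi is not None and y.hi <= 0
        parts.append((Interval(y.lo, y.hi if keep else Q(0),
                               y.lo_open, y.hi_open if keep else False), -1))
    return parts


def induction_step_holds(y: Interval, u: Interval, bound: Fraction = Q(2)) -> bool:
    """Inductive step: for all y(n-1) in y and u in u, is |y(n)| < bound (strictly)?
    A corner value equal to the bound is harmless only if that corner is open,
    i.e. the value is approached but never taken."""
    for br, v in split_on_quantizer(y):
        if None in (br.lo, br.hi, u.lo, u.hi):
            return False                              # unbounded box: no strict bound
        sup, sup_hit = br.hi + u.hi - v, not (br.hi_open or u.hi_open)
        inf, inf_hit = br.lo + u.lo - v, not (br.lo_open or u.lo_open)
        if sup > bound or (sup == bound and sup_hit):
            return False
        if inf < -bound or (inf == -bound and inf_hit):
            return False
    return True


def corner_points(iv: Interval) -> List[Fraction]:
    """Sample points of an interval: closed ends first, open ends nudged inward,
    then the midpoint. An unbounded side is cut off 1 beyond the other end."""
    if iv.lo is None and iv.hi is None:
        return [Q(-1), Q(0), Q(1)]
    lo = iv.lo if iv.lo is not None else iv.hi - 1
    hi = iv.hi if iv.hi is not None else iv.lo + 1
    lo_open = iv.lo_open if iv.lo is not None else False
    hi_open = iv.hi_open if iv.hi is not None else False
    w = hi - lo
    closed = [p for p, o in ((hi, hi_open), (lo, lo_open)) if not o]
    nudged = [p for p, o in ((hi - w / 4, hi_open), (lo + w / 4, lo_open)) if o]
    return closed + nudged + [lo + w / 2]


def find_counterexample(y: Interval, u: Interval, bound: Fraction = Q(2)
                        ) -> Optional[Tuple[Fraction, Fraction]]:
    """FindInstance-style search: some (y(n-1), u) in the region with |y(n)| >= bound."""
    for yp in corner_points(y):
        for up in corner_points(u):
            if y.contains(yp) and u.contains(up) and abs(step(yp, up)) >= bound:
                return (yp, up)
    return None


if __name__ == "__main__":
    # Example A.1.2: -2 < y(n-1) < 2 and -1 < u < 1 imply -2 < y(n) < 2.
    print(induction_step_holds(Interval(Q(-2), Q(2), True, True),
                               Interval(Q(-1), Q(1), True, True)))        # True
    # Example A.1.3: u > 1 and 0 < y(n-1) <= 1 give the witness y(n-1) = 1, u = 2.
    print(find_counterexample(Interval(Q(0), Q(1), True, False),
                              Interval(Q(1), None, True, False)))
```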
The problem of finding invariants is an important part of the methodology. We need to find Darboux invariants and, in the case of reachability verification, we look for invariants bounding the reachable states. Finding invariants is based on the evaluation of the coefficients of predefined polynomial forms. In this algorithm, we start with an invariant form of an initial degree and check whether such an invariant exists; if not, we increase the degree to form a new polynomial. A bound on the degree must also be specified to ensure termination of the search for invariants; an arbitrarily assigned bound at the beginning of the algorithm is usually proposed, hence ensuring termination. This is possible using the Mathematica FindInstance function. For example, to find a Darboux invariant j we apply FindInstance as follows:
FindInstance[ForAll[{x, y}, Dj == K j], {coefs}]
where j is a polynomial in x, y with unknown coefficients coefs and K is the cofactor.
Bibliography 
[1] Accellera Property Specification Language Reference Manual (2004). Available: http://www.accellera.org
[2] M. Allam, H. Alla. From Hybrid Petri Nets to Automata. Journal Européen des Systèmes Automatisés, Hermes, 32(9-10):1165-1185, 1998.
[3] G. Al-Sammane. Simulation Symbolique des Circuits Décrits au Niveau Algorithmique. PhD thesis, Université Joseph Fourier, Grenoble, France, July 2005.
[4] R. Alur, C. Courcoubetis, T.A. Henzinger, N. Halbwachs, P.-H. Ho, X. Nicollin, A. Olivero, J. Sifakis, and S. Yovine. The Algorithmic Analysis of Hybrid Systems. Theoretical Computer Science, 138(1):3-34, Elsevier, 1995.
[5] R. Alur, T. Dang, F. Ivancic. Reachability Analysis via Predicate Abstraction. In Hybrid Systems: Computation and Control, LNCS 2289, pp. 35-48, Springer, 2002.
[6] N. Amla, X. Du, A. Kuehlmann, R.P. Kurshan, K.L. McMillan. An Analysis of SAT-Based Model Checking Techniques in an Industrial Environment. In Correct Hardware Design and Verification Methods, LNCS 3725, pp. 254-268, Springer, 2005.
[7] D.K. Arrowsmith and C.M. Place. Ordinary Differential Equations: A Qualitative Approach with Applications. Chapman & Hall, 1982.
[8] E. Asarin, T. Dang, O. Maler. The d/dt Tool for Verification of Hybrid Systems. In Computer Aided Verification, LNCS 2404, pp. 365-370, Springer, 2002.
[9] A. Balivada, Y.V. Hoskote, J.A. Abraham. Verification of Transient Response of Linear Analog Circuits. In IEEE VLSI Test Symposium, pp. 42-47, 1995.
[10] S. Banerjee, D. Mukhopadhyay, D.R. Chowdhury. Computer Aided Test (CAT) Tool for Mixed Signal SOCs. In IEEE VLSI Design, pp. 787-790, 2005.
[11] S. Basu, R. Pollack, M.F. Roy. Algorithms in Real Algebraic Geometry. Springer, 2003.
[12] A. Bemporad and M. Morari. Verification of Hybrid Systems via Mathematical Programming. In Hybrid Systems: Computation and Control, LNCS 1569, pp. 31-45, Springer, 1999.
[13] M. Berz, G. Hoffstätter. Computation and Application of Taylor Polynomials with Interval Remainder Bounds. Reliable Computing, 4(1):83-97, Springer, 1998.
[14] A. Biere, A. Cimatti, E. Clarke, O. Strichman, and Y. Zhu. Bounded Model Checking. Advances in Computers, 58:118-149, Academic Press, 2003.
[15] M.S. Branicky, V.S. Borkar, and S.K. Mitter. A Unified Framework for Hybrid Control. In IEEE Proc. of Decision and Control, pp. 4228-4234, 1994.
[16] Cadence Design Systems. Using a SoC Functional Verification Kit to Improve Productivity, Reduce Risk, and Increase Quality. White Paper.
[17] F. Cellier, E. Kofman. Continuous System Simulation. Springer, 2006.
[18] A. Chutinan. Hybrid System Verification Using Discrete Model Approximations. PhD thesis, Department of Electrical and Computer Engineering, Carnegie Mellon University, May 1999.
[19] A. Chutinan and B.H. Krogh. Computational Techniques for Hybrid System Verification. IEEE Trans. on Automatic Control, 48(1):64-75, 2003.
[20] E. Clarke, A. Fehnker, Z. Han, B.H. Krogh, O. Stursberg, M. Theobald. Verification of Hybrid Systems based on Counterexample-Guided Abstraction Refinement. In Tools and Algorithms for the Construction and Analysis of Systems, LNCS 2619, pp. 192-207, Springer, 2003.
[21] E.M. Clarke, O. Grumberg, S. Jha, Y. Lu, H. Veith. Counterexample-Guided Abstraction Refinement. In Computer Aided Verification, LNCS 1855, pp. 154-169, Springer, 2000.
[22] E.M. Clarke, O. Grumberg, and D.A. Peled. Model Checking. MIT Press, 2000.
[23] E. Clarke, D. Kroening, J. Ouaknine, O. Strichman. Computational Challenges in Bounded Model Checking. Journal on Software Tools for Technology Transfer, 7(2):174-183, Springer, 2005.
[24] P. Cousot and N. Halbwachs. Automatic Discovery of Linear Restraints among Variables of a Program. In ACM Proc. on Principles of Programming Languages, pp. 84-97, 1978.
[25] P. Cousot, R. Cousot. Abstract Interpretation: a Unified Lattice Model for Static Analysis of Programs by Construction or Approximation of Fixpoints. In ACM Symposium on Principles of Programming Languages, pp. 238-252, 1977.
[26] D. Cox, J. Little, and D. O'Shea. Ideals, Varieties and Algorithms: An Introduction to Computational Algebraic Geometry and Commutative Algebra. Springer, 1991.
[27] D. Dams. Abstraction in Software Model Checking: Principles and Practice. LNCS 2318, pp. 14-21, Springer, 2002.
[28] T. Dang, A. Donzé, O. Maler. Verification of Analog and Mixed-signal Circuits using Hybrid System Techniques. In Formal Methods in Computer-Aided Design, LNCS 3312, pp. 14-17, Springer, 2004.
[29] T.R. Dastidar, P.P. Chakrabarti. Verification System for Transient Response of Analog Circuits Using Model Checking. In IEEE International Conference on VLSI, pp. 195-200, 2005.
[30] T.R. Dastidar, P.P. Chakrabarti. A Verification System for Transient Response of Analog Circuits. ACM Trans. Design Automation of Electronic Systems, 12(3):1-39, 2007.
[31] C. Daws, A. Olivero, S. Tripakis, S. Yovine. The Tool KRONOS. In Hybrid Systems: Verification and Control, LNCS 1066, pp. 208-219, 1996.
[32] A. Emerson. Temporal and Modal Logic. Handbook of Theoretical Computer Science, Volume B: Formal Models and Semantics, pp. 995-1072, MIT Press, 1990.
[33] I. Filanovsky, C. Verhoeven and M. Reja. Remarks on Analysis, Design and Amplitude Stability of MOS Colpitts Oscillator. IEEE Trans. on Circuits & Systems II, 54(9):800-804, 2007.
[34] M. Fränzle. What Will Be Eventually True of Polynomial Hybrid Automata? In Theoretical Aspects of Computer Software, LNCS 2215, pp. 340-359, Springer, 2001.
[35] G. Frehse. PHAVer: Algorithmic Verification of Hybrid Systems past HyTech. In Hybrid Systems: Computation and Control, LNCS 3414, pp. 258-273, Springer, 2005.
[36] G. Frehse, B. Krogh, R. Rutenbar, O. Maler. Time Domain Verification of Oscillator Circuit Properties. Electronic Notes in Theoretical Computer Science, 153(3):9-22, 2006.
[37] G. Frehse, B.H. Krogh, R.A. Rutenbar. Verifying Analog Oscillator Circuits Using Forward/Backward Abstraction Refinement. In IEEE/ACM Design, Automation and Test in Europe, pp. 257-262, 2006.
[38] M. Freibothe, J. Schoenherr, and B. Straube. Formal Verification of the Quasi-Static Behavior of Mixed-Signal Circuits by Property Checking. Electronic Notes in Theoretical Computer Science, Elsevier, 153(3):23-35, 2006.
[39] W. Fulks. Advanced Calculus: An Introduction to Analysis. Wiley, 1978.
[40] M. Furi, M. Martelli. A Multidimensional Version of Rolle's Theorem. The American Mathematical Monthly, 102(3):243-249, 1995.
[41] A. Ghosh and R. Vemuri. Formal Verification of Synthesized Analog Circuits. In ACM/IEEE Int. Conference on Computer Design, pp. 40-45, 1999.
[42] G.G. Gielen and R.A. Rutenbar. Computer-Aided Design of Analog and Mixed-Signal Integrated Circuits. Proceedings of the IEEE, 88(12):1825-1852, 2000.
[43] A. Goriely. Integrability and Nonintegrability of Ordinary Differential Equations. Advanced Series on Nonlinear Dynamics, Vol. 19, World Scientific, 2001.
[44] D. Grabowski, D. Platte, L. Hedrich, E. Barke. Time Constrained Verification of Analog Circuits using Model-Checking Algorithms. Electronic Notes in Theoretical Computer Science, 153(3):37-52, 2006.
[45] S. Graf and H. Saidi. Construction of Abstract State Graphs with PVS. In Computer Aided Verification, LNCS 1254, pp. 72-83, Springer, 1997.
[46] P.R. Gray, P.J. Hurst, S.H. Lewis, and R.G. Meyer. Analysis and Design of Analog Integrated Circuits. Wiley, 2001.
[47] M.R. Greenstreet, I. Mitchell. Integrating Projections. In Hybrid Systems: Computation and Control, LNCS 1386, pp. 159-174, Springer, 1998.
[48] M.R. Greenstreet. Verifying Safety Properties of Differential Equations. In Computer Aided Verification, LNCS 1102, pp. 277-287, Springer, 1996.
[49] M.R. Greenstreet, I. Mitchell. Reachability Analysis Using Polygonal Projections. In Hybrid Systems: Computation and Control, LNCS 1569, pp. 103-116, Springer, 1999.
[50] S. Gupta, B.H. Krogh, R.A. Rutenbar. Towards Formal Verification of Analog Designs. In Proc. IEEE/ACM Conference on Computer Aided Design, pp. 210-217, 2004.
[51] N. Halbwachs, P. Raymond, and Y. Proy. Verification of Linear Hybrid Systems by Means of Convex Approximations. In Symposium on Static Analysis, LNCS 864, pp. 223-237, 1994.
[52] K. Hanna. Reasoning about Real Circuits. In Theorem Proving in Higher Order Logics, LNCS 859, pp. 235-253, Springer, 1994.
[53] K. Hanna. Automatic Verification of Mixed-Level Logic Circuits. In Formal Methods in Computer-Aided Design, LNCS 1522, pp. 133-166, Springer, 1998.
[54] K. Hanna. Reasoning About Analog-Level Implementations of Digital Systems. Formal Methods in System Design, 16(2):127-158, Kluwer, 2000.
[55] W. Hartong, L. Hedrich, and E. Barke. Model Checking Algorithms for Analog Verification. In ACM/IEEE Design Automation Conference, pp. 542-547, 2002.
[56] W. Hartong, L. Hedrich, and E. Barke. On Discrete Modelling and Model Checking for Nonlinear Analog Systems. In Computer Aided Verification, LNCS 2404, pp. 401-413, Springer, 2002.
[57] W. Hartong, R. Klausen, and L. Hedrich. Formal Verification for Nonlinear Analog Systems: Approaches to Model and Equivalence Checking. In Advanced Formal Verification, pp. 205-245, Kluwer, 2004.
[58] T.A. Henzinger, R. Jhala, R. Majumdar, and G. Sutre. Lazy Abstraction. In Symp. on Principles of Programming Languages, ACM, pp. 58-70, 2002.
[59] T.A. Henzinger, P.-H. Ho, and H. Wong-Toi. Algorithmic Analysis of Nonlinear Hybrid Systems. IEEE Transactions on Automatic Control, 43:540-554, 1998.
[60] T.A. Henzinger and P.-H. Ho. A Note on Abstract-Interpretation Strategies for Hybrid Automata. In Hybrid Systems II, LNCS 999, pp. 252-264, Springer-Verlag, 1995.
[61] T.A. Henzinger, P.-H. Ho, and H. Wong-Toi. HyTech: A Model Checker for Hybrid Systems. Software Tools for Technology Transfer, 1(1-2):110-122, Kluwer, 1997.
[62] L. Hedrich and E. Barke. A Formal Approach to Nonlinear Analog Circuit Verification. In IEEE/ACM Intl. Conference on Computer Aided Design, pp. 123-127, 1995.
[63] L. Hedrich and E. Barke. A Formal Approach to Verification of Linear Analog Circuits with Parameter Tolerances. In IEEE/ACM Design, Automation and Test in Europe, pp. 649-654, 1998.
[64] M.P. Kennedy. Chaos in the Colpitts Oscillator. IEEE Transactions on Circuits and Systems I, 41:771-774, 1994.
[65] P. Kopke, T. Henzinger, A. Puri and P. Varaiya. What's Decidable About Hybrid Automata? In ACM Symposium on Theory of Computing, pp. 372-382, 1995.
[66] T. Kropf. Introduction to Formal Hardware Verification. Springer, 2000.
[67] K. Kundert, H. Chang, D. Jefferies, G. Lamant, E. Malavasi, F. Sendig. Design of Mixed-signal Systems-on-a-chip. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 19(12):1561-1571, 2000.
[68] R.P. Kurshan. Computer-Aided Verification of Coordinating Processes: The Automata-Theoretic Approach. Princeton University Press, 1995.
[69] G. Lafferriere, G.J. Pappas, and S. Yovine. Reachability Computation for Linear Hybrid Systems. In Proc. of IFAC World Congress, pp. 7-12, 1999.
[70] G. Lafferriere, G.J. Pappas, and S. Yovine. Symbolic Reachability Computation of Families of Linear Vector Fields. Journal of Symbolic Computation, 32(3):231-253, Academic Press, 2001.
[71] J. Le Bail, H. Alla, R. David. Hybrid Petri Net. In Proc. of European Control Conference, pp. 1472-1477, 1991.
[72] W. Lee, A. Pardo, J.-Y. Jang, G. Hachtel, and F. Somenzi. Tearing Based Automatic Abstraction for CTL Model Checking. In IEEE/ACM International Conference on Computer-Aided Design, pp. 76-81, 1996.
[73] S. Little, N. Seegmiller, D. Walter, C. Myers, and T. Yoneda. Verification of Analog/Mixed-signal Circuits using Labeled Hybrid Petri Nets. In International Conference on Computer-Aided Design, pp. 275-282, 2006.
[74] S. Little, D. Walter, N. Seegmiller, C.J. Myers, T. Yoneda. Verification of Analog and Mixed-Signal Circuits Using Timed Hybrid Petri Nets. In Proc. of Automated Technology for Verification and Analysis, LNCS 3299, pp. 426-440, Springer, 2004.
[75] S. Little, D. Walter, K. Jones, C.J. Myers. Analog/Mixed-Signal Circuit Verification Using Models Generated from Simulation Traces. In Automated Technology for Verification and Analysis, LNCS 4762, pp. 114-128, Springer, 2007.
[76] R.P. Kurshan and K.L. McMillan. Analysis of Digital Circuits Through Symbolic Reduction. IEEE Trans. on Computer-Aided Design, 10:1350-1371, 1991.
[77] K. Makino, M. Berz. Remainder Differential Algebras and their Applications. In Computational Differentiation: Techniques, Applications, and Tools, pp. 63-75, SIAM, 1996.
[78] O. Maler, D. Nickovic. Monitoring Temporal Properties of Continuous Signals. In Formal Modelling and Analysis of Timed Systems, LNCS 3253, pp. 152-166, Springer, 2004.
[79] O. Maler, D. Nickovic and A. Pnueli. Real-Time Temporal Logic: Past, Present, Future. In Formal Modelling and Analysis of Timed Systems, LNCS 3829, pp. 2-16, Springer, 2005.
[80] O. Maler, D. Nickovic, A. Pnueli. From MITL to Timed Automata. In Formal Modelling and Analysis of Timed Systems, LNCS 4202, pp. 274-289, Springer, 2006.
[81] O. Maler, A. Pnueli. Reachability Analysis of Planar Multi-linear Systems. In Computer Aided Verification, LNCS 697, pp. 194-209, Springer, 1993.
[82] L. Mendonça de Moura, B. Dutertre, N. Shankar. A Tutorial on Satisfiability Modulo Theories. In Computer Aided Verification, LNCS 4590, pp. 20-36, Springer, 2007.
[83] B. Mishra. Algorithmic Algebra. Texts and Monographs in Computer Science Series, Springer, 1993.
[84] J.S. Moore. Introduction to the OBDD Algorithm for the ATP Community. Journal of Automated Reasoning, 12(1):33-45, Springer, 1994.
[85] R.E. Moore. Methods and Applications of Interval Analysis. Society for Industrial and Applied Mathematics, 1979.
[86] C.J. Myers, R.R. Harrison, D. Walter, N. Seegmiller, S. Little. The Case for Analog Circuit Verification. Electronic Notes in Theoretical Computer Science, 153(3):53-63, 2006.
[87] V. Mysore, C. Piazza, B. Mishra. Algorithmic Algebraic Model Checking II: Decidability of Semi-algebraic Model Checking and Its Applications to Systems Biology. In Automated Technology for Verification and Analysis, LNCS 3707, pp. 217-233, Springer, 2005.
[88] N.S. Nedialkov, V. Kreinovich and S.A. Starks. Interval Arithmetic, Affine Arithmetic, Taylor Series Methods: Why, What Next? Numerical Algorithms, 37:325-336, Springer, 2004.
[89] N.S. Nedialkov, K.R. Jackson, and G.F. Corliss. Validated Solutions of Initial Value Problems for Ordinary Differential Equations. Applied Mathematics and Computation, Elsevier, 105(1):21-68, 1999.
[90] D. Nickovic, O. Maler. AMT: a Property-based Monitoring Tool for Analog Systems. In Formal Modelling and Analysis of Timed Systems, Austria, LNCS 4763, pp. 304-319, Springer, 2007.
[91] F. Pecheux, C. Lallement, and A. Vachoux. VHDL-AMS and Verilog-AMS as Alternative Hardware Description Languages for Efficient Modeling of Multidiscipline Systems. IEEE Trans. on Computer-Aided Design of Integrated Circuits and Systems, 24(2):204-225, 2005.
[92] S. Prajna, A. Jadbabaie. Safety Verification of Hybrid Systems Using Barrier Certificates. In Hybrid Systems: Computation and Control, LNCS 2993, pp. 477-492, Springer, 2004.
[93] S. Ratschan, Z. She. Safety Verification of Hybrid Systems by Constraint Propagation Based Abstraction Refinement. In Hybrid Systems: Computation and Control, LNCS 3414, pp. 573-589, Springer, 2005.
[94] E. Rodríguez-Carbonell, A. Tiwari. Generating Polynomial Invariants for Hybrid Systems. In Hybrid Systems: Computation and Control, LNCS 3414, pp. 590-605, Springer, 2005.
[95] J. Roll, A. Bemporad, and L. Ljung. Identification of Piecewise Affine Systems via Mixed-integer Programming. Automatica, 40(1):37-50, Elsevier, 2004.
[96] R.A. Rutenbar, G.G. Gielen, B.A. Antao. Computer-Aided Design of Analog Integrated Circuits and Systems. IEEE Press, 2002.
[97] A. Salem. Semi-formal Verification of VHDL-AMS Descriptions. In IEEE Int. Symposium on Circuits and Systems, pp. 333-336, 2002.
[98] S. Sankaranarayanan, H. Sipma, Z. Manna. Constructing Invariants for Hybrid Systems. In Hybrid Systems: Computation and Control, LNCS 2993, pp. 539-554, Springer, 2004.
[99] S. Seshadri, J.A. Abraham. Frequency Response Verification of Analog Circuits Using Global Optimization Techniques. Journal of Electronic Testing, 17(5):395-408, Springer, 2001.
[100] S. Steinhorst, A. Jesser, L. Hedrich. Advanced Property Specification for Model Checking of Analog Systems. In Analog'06, pp. 63-68, 2006.
[101] A. Strzebonski. Real Polynomial Decision Algorithm Using Arbitrary-Precision Floating Point Arithmetic. Reliable Computing, 5(3):337-346, Springer, 1999.
[102] O. Stursberg, S. Kowalewski, I. Hoffmann, and J. Preußig. Comparing Timed and Hybrid Automata as Approximations of Continuous Systems. In Hybrid Systems: Computation and Control, LNCS 1273, pp. 361-377, Springer, 1996.
[103] O. Stursberg, S. Kowalewski, S. Engell. Generating Timed Discrete Models of Continuous Systems. In Proc. IMACS Symposium on Mathematical Modelling, pp. 203-209, 1997.
[104] L. Tan, J. Kim, I. Lee. Testing and Monitoring Model-based Generated Program. Electronic Notes in Theoretical Computer Science, 89(2):128-148, 2003.
[105] P. Thati, G. Rosu. Monitoring Algorithms for Metric Temporal Logic Specifications. Electronic Notes in Theoretical Computer Science, Elsevier, 113:145-162, 2005.
[106] A. Tiwari and G. Khanna. Series of Abstractions for Hybrid Automata. In Hybrid Systems: Computation and Control, LNCS 2289, pp. 465-478, Springer, 2002.
[107] A. Tiwari and G. Khanna. Nonlinear Systems: Approximating Reach Sets. In Hybrid Systems: Computation and Control, LNCS 2993, pp. 600-614, Springer, 2004.
[108] A. Vachoux, C. Grimm, K. Einwich. Towards Analog and Mixed-Signal SOC Design with SystemC-AMS. In Electronic Design, Test and Applications, IEEE, pp. 97-102, 2004.
[109] Verilog-AMS Language Reference Manual (2004). Available: http://www.accellera.org
[110] VHDL-AMS Language Reference Manual (2004). Available: http://www.eda.org/vhdl-ams/
[111] J. Vlach, K. Singhal. Computer Methods for Circuit Analysis and Design. Kluwer, 2003.
[112] D. Walter, S. Little, N. Seegmiller, C. Myers, and T. Yoneda. Symbolic Model Checking of Analog/Mixed-Signal Circuits. In IEEE Asia and South Pacific Design Automation Conference, pp. 316-323, 2007.
[113] D. Walter, S. Little, C. Myers. Bounded Model Checking of Analog and Mixed-Signal Circuits Using an SMT Solver. In Automated Technology for Verification and Analysis, LNCS 4762, pp. 66-81, Springer, 2007.
[114] S. Wolfram. Mathematica: A System for Doing Mathematics by Computer. Addison-Wesley Longman Publishing, USA, 1991.
[115] H. Yazarel and G.J. Pappas. Geometric Programming Relaxations for Linear System Reachability. In Proc. AACC American Control Conference, pp. 553-559, 2004.
[116] J. Yuan, C. Pixley, A. Aziz. Constraint-Based Verification. Springer, 2006.
[117] C. Yan, M. Greenstreet. Circuit-Level Verification of a High-Speed Toggle. In IEEE International Conference on Formal Methods in Computer-Aided Design, pp. 199-206, 2007.




• Concordia University: Montreal, Quebec, Canada
Ph.D. candidate in Electrical Engineering, 01/03-present
• Concordia University: Montreal, Quebec, Canada
M.A.Sc. in Electrical Engineering, 09/00-12/02
• Ain Shams University: Cairo, Egypt
B.Eng., Electronics & Communication Engineering, 09/95-09/00
Work Experience
• Research Assistant: 09/00-present
ECE Department, Hardware Verification Group (HVG), Concordia University
• Teaching Assistant: 09/00-present
ECE Department, Concordia University
Publications
• Journal Publications:
[Bio:Jr-01] M.H. Zaki, S. Tahar, and G. Bois: Qualitative Abstraction based Verification for Analog Circuits. Revue des Nouvelles Technologies de l'Information, Vol. 4, Issue 7, December 2007, RNTI-SM-1, Edition Cepadues, pp. 147-158.
[Bio:Jr-02] M.H. Zaki, S. Tahar, and G. Bois: Formal Verification of Analog and Mixed Signal Designs: A Survey. Microelectronics Journal, Elsevier, 2008, In Print.
[Bio:Jr-03] G. Al Sammane, M.H. Zaki, S. Tahar, and G. Bois: A Formal Approach for the Verification of Discrete-Time Analog/Mixed Signal Designs. Transactions on Computer Aided Design. Submitted.
[Bio:Jr-04] M.H. Zaki, W. Denman, S. Tahar and G. Bois: A Formal Verification Methodology for the Analog Behaviour of Embedded Systems. AIAA Journal of Aerospace Computing, Information, and Communication. Submitted.
[Bio:Jr-05] M.H. Zaki, G. Al Sammane, S. Tahar and G. Bois: A Bounded Verification Approach for Analog and Mixed-Signal Designs Using Symbolic and Interval based Methods. Formal Methods in System Design, Springer. Submitted.
• Conference Publications:
[Bio:Cf-01] W. Denman, M.H. Zaki, S. Tahar: A Bond Graph Approach for the Constraint based Verification of Analog Circuits. In Workshop on Formal Verification of Analog Circuits (FAC'08), Princeton, USA, July 14th, 2008.
[Bio:Cf-02] R. Narayanan, N. Abbasi, G. Al Sammane, M.H. Zaki and S. Tahar: A Comparative Study of AMS Circuit Simulation in VHDL-AMS and SystemC-AMS. In International Symposium on Embedded Systems & Critical Applications (ISESCA'08), Tunisia, May 2008.
[Bio:Cf-03] Z.J. Dong, M.H. Zaki, G. Al Sammane, S. Tahar and G. Bois: Checking Properties of PLL Designs using Run-time Verification; Proc. IEEE International Conference on Microelectronics (ICM'07), pp. 125-128, Cairo, Egypt, December 2007.
[Bio:Cf-04] G. Al Sammane, M.H. Zaki, Z.J. Dong and S. Tahar: Towards Assertion Based Verification of Analog and Mixed Signal Designs Using PSL; Proc. Languages for Formal Specification and Verification, Forum on Specification & Design Languages (FDL'07), Barcelona, Spain, September 2007.
[Bio:Cf-05] M. Zaki, G. Al Sammane, S. Tahar, and G. Bois: Combining Symbolic Simulation and Interval Arithmetic for the Verification of AMS Designs; Proc. IEEE International Conference on Formal Methods in Computer-Aided Design (FMCAD'07), pp. 207-215, Austin, Texas, USA, November 2007.
[Bio:Cf-06] M. Zaki, G. Al Sammane, and S. Tahar: Constraint-Based Verification of Delta Sigma Modulators Using Interval Analysis; Proc. IEEE Midwest Symposium on Circuits & Systems (MIDSWEST'06), pp. 726-729, Montreal, Quebec, Canada, August 2007.
[Bio:Cf-07] Z.J. Dong, M. Zaki, G. Al Sammane, S. Tahar and G. Bois: Run-Time Verification using the VHDL-AMS Simulation Environment; Proc. IEEE Northeast Workshop on Circuits and Systems (NEWCAS'07), pp. 1513-1516, Montreal, Quebec, Canada, August 2007.
[Bio:Cf-08] M. Zaki, S. Tahar, and G. Bois: A Symbolic Approach for the Safety Verification of Continuous Systems; Proc. International Conference on Computational Science (ICCS'07), pp. 93-100, Beijing, China, May 2007.
[Bio:Cf-09] M. Zaki, G. Al Sammane, and S. Tahar: Formal Verification of Analog and Mixed Signal Designs in Mathematica; In: Y. Shi et al. (Eds.), Computational Science (ICCS'07), Lecture Notes in Computer Science 4488, Springer Verlag, 2007, pp. 263-267, Beijing, China, May 2007.
[Bio:Cf-10] G. Al Sammane, M. Zaki, and S. Tahar: A Symbolic Methodology for the Verification of Analog and Mixed Signal Designs; Proc. IEEE/ACM Design Automation and Test in Europe (DATE'07), pp. 1-6, Nice, France, April 2007.
[Bio:Cf-11] M. Zaki, S. Tahar, and G. Bois: Abstraction Based Verification of Analog Circuits Using Computer Algebra and Constraint Solving; Proc. International Workshop on Symbolic Methods and Applications to Circuit Design (SMACD'06), Florence, Italy, October 2006.
[Bio:Cf-12] M. Zaki, S. Tahar, and G. Bois: Formal Verification of Analog and Mixed Signal Designs: Survey and Comparison; Proc. IEEE Northeast Workshop on Circuits and Systems (NEWCAS'06), pp. 281-284, Gatineau, Quebec, Canada, June 2006.
[Bio:Cf-13] M. Zaki, S. Tahar, and G. Bois: A Practical Approach for Monitoring Analog Circuits; Proc. ACM 16th Great Lakes Symposium on VLSI (GLSVLSI'06), pp. 330-335, Philadelphia, Pennsylvania, USA, April 2006.
[Bio:Cf-14] M. Zaki, A. Habibi, S. Tahar, and G. Bois: On the Formal Analysis of Analog Systems using Interval Abstraction; Proc. NETCA Workshop on Verification and Theorem Proving for Continuous Systems, Oxford, UK, August 2005.
[Bio:Cf-15] M. Zaki, Y. Mokhtari, and S. Tahar: Model Reduction Tool for Hardware Verification. Proc. IEEE Northeast Workshop on Circuits and Systems (NEWCAS'04), pp. 57-60, Montreal, Quebec, Canada, June 2004.
[Bio:Cf-16] A. Talaat, M. Zaki and S. Tahar: A Tool for Converting Finite State Machine to VHDL; Proc. IEEE Canadian Conference on Electrical & Computer Engineering (CCECE'04), pp. 1907-1910, Niagara Falls, Ontario, Canada, May 2004.
[Bio:Cf-17] M. Zaki, Y. Mokhtari, and S. Tahar: A Path Dependency Graph for Verilog Program Analysis; Proc. Northeast Workshop on Circuits and Systems (NEWCAS'03), Montreal, Quebec, Canada, June 2003.
[Bio:Cf-18] M. Zaki and S. Tahar: Syntax Code Analysis and Generation for Verilog; Proc. IEEE Canadian Conference on Electrical & Computer Engineering (CCECE'03), pp. 235-240, Montreal, Quebec, Canada, May 2003.
• Technical Reports:
[Bio:Tr-01] M.H. Zaki, S. Tahar, G. Bois: A Survey on Formal Methods for Analog and Mixed Signal Designs. Technical Report, ECE Dept., Concordia University, May 2006.
[Bio:Tr-02] M.H. Zaki, G. Al Sammane, S. Tahar and G. Bois: A Bounded Model Checking Approach for AMS Designs; Technical Report, Concordia University, Department of Electrical and Computer Engineering, May 2007.
[Bio:Tr-03] M.H. Zaki, S. Tahar and G. Bois: Combining Constraint Solving and Formal Methods for the Verification of Analog Designs; Technical Report, Concordia University, Department of Electrical and Computer Engineering, June 2007.
[Bio:Tr-04] Z.J. Dong, M.H. Zaki, G. Al Sammane, S. Tahar and G. Bois: A Run-Time Verification Approach for AMS Designs. Technical Report, Department of Electrical and Computer Engineering, Concordia University, July 2007.
[Bio:Tr-05] W. Denman, M. Zaki and S. Tahar: Analog Formal Verification via Bond Graphs and Constraint Solving. Technical Report, ECE Dept., Concordia University, Montreal, Quebec, Canada, April 2008.
