Semi-formal verification of the steady state behavior of mixed-signal circuits by SAT-based property checking  by Schönherr, Jens et al.
Theoretical Computer Science 404 (2008) 293–307
Semi-formal verification of the steady state behavior of mixed-signal
circuits by SAT-based property checking
Jens Schönherr c,∗, Martin Freibothe a, Bernd Straube a, Jörg Bormann b
a Fraunhofer Institute for Integrated Circuits IIS, Design Automation Division EAS, Zeunerstraße 38, 01069 Dresden, Germany
b OneSpin Solutions GmbH, Theresienhoehe 12, 80339 Munich, Germany
c Signalion GmbH, Sudhausweg 5, 01099 Dresden, Germany
Article info
Keywords:
Mixed-signal
Formal verification
Property checking
VHDL behavioral description
Abstract
In this article, a verification methodology for mixed-signal circuits is presented that can
easily be integrated into industrial design flows. The proposed verification methodology
is based on formal verification methods. A VHDL behavioral description of a mixed-signal
circuit is transformed into a discrete model and then verified using well-established tools
from formal digital verification. Using the presented methodology, a much higher coverage
of the functionality of a mixed-signal circuit can be achieved than with simulation based
verification methods. The approach has already been successfully applied to industrial
mixed-signal circuits.
© 2008 Elsevier B.V. All rights reserved.
1. Introduction
In today’s circuit designs, the integration of analog parts on system-on-chips (SoCs) and ASICs is common practice. Usually
in such designs the analog and mixed-signal parts comprise a comparatively small fraction of the overall chip functionality.
In contrast, a large part of the development time of SoCs is spent on the analog and mixed-signal parts. This is due to the fact
that the degree of automation of the synthesis of analog and mixed-signal circuits is much lower than is the case for digital
circuits and that there are many more different aspects that need to be verified for analog circuits compared to digital ones.
Moreover, the function of analog circuits is defined over continuous-valued quantities and the mathematical formalisms
needed to represent the circuit’s behavior are much more complex and difficult to analyze than the discrete formalisms, e.g.
Boolean algebra, used for digital circuits.
The design and verification of mixed-signal circuits can be divided into tasks to be performed on two main levels
of abstraction. First, the analog components must be designed such that they comply with some electrical parameters like
the specified input–output behavior (e.g. amplification), maximum power consumption, frequency characteristics, or the
signal-to-noise ratio. Second, and the verification on this level of abstraction is the focus of this article, the interconnection
of the analog and the digital parts must implement the specified overall functionality. For the design and verification of the
interconnection, the analog circuits are described on a more abstract level by specifying the main characteristics of their
input–output behavior.
There are different kinds of mixed-signal circuits that require different verification methods to check them. Circuits like
closed-loop controllers are characterized by the fact that the behavior of the circuit typically depends significantly on the
state of the analog part, i.e. on the charge on the capacitances and the magnetic flux through the inductances. For such
circuits the dynamic behavior is important and thus comprises a crucial part of their specification. The verification of this
kind of mixed-signal circuits (‘dynamic circuits’) is beyond the scope of this work.
∗ Corresponding author.
E-mail addresses: jens.schoenherr@signalion.com (J. Schönherr), martin.freibothe@eas.iis.fraunhofer.de (M. Freibothe),
bernd.straube@eas.iis.fraunhofer.de (B. Straube), joerg.bormann@onespin-solutions.com (J. Bormann).
doi:10.1016/j.tcs.2008.03.032
In contrast, there are analog and mixed-signal circuits whose characteristic time constants are very small with respect
to the period of the clock cycle of their surrounding digital circuitry. That is, with respect to the interconnection of the
analog and/or mixed-signal part with the digital part, the steady state solutions are of main importance. On the level of
abstraction considered here the behavior of such circuits can sufficiently be represented with the help of steady state
behavioral descriptions. The article is focused on this class of mixed-signal circuits that we will refer to as ‘steady state’
circuits from now on. Examples of steady state mixed-signal circuits are certain kinds of analog to digital converters (ADCs)
and digital to analog converters (DACs), such as flash and successive approximation register (SAR) ADCs, binary
weighted DACs, as well as digitally controlled amplifiers and analog switches.
This article is based on an approach to apply formal verification techniques known from the verification of digital
designs for the verification of steady state behavioral descriptions of mixed-signal circuits. In contrast to simulation,
formal verification techniques allow for the full functional coverage of digital blocks. This is achieved by the application
of automated mathematical proof techniques. Since these formal verification techniques are originally tailored for discrete
systems they cannot be applied directly to continuous systems like mixed-signal circuits. We propose the quantization of the
continuous-valued quantities that are used to represent the behavior of the analog parts to get a discrete-valued behavioral
model of a mixed-signal design. The resulting discrete-time, discrete-valued model can then be verified using a state-of-the-art
formal verification tool to prove its correctness. Our work is not focused on the presentation of an optimal hand-made
modeling and verification methodology. Instead, we provide a way that can be integrated in existing design flows and that
permits the use of well-established commercial tools.
Basically, there are two different methods in the area of formal verification, equivalence checking and property checking.¹
With the help of equivalence checking, the implementation of a circuit is compared with a reference representation that is
typically described at a higher level of abstraction. Property checking, the topic of this article, is used to check whether
a behavioral model fulfills certain formal properties. These properties describe different aspects of the behavior specified
for the circuit in a temporal logic.² Property checking and equivalence checking complement one another. Property
checking is typically used to verify an abstract model of the circuit against specified properties, while equivalence checking
is used to verify that the refinements and optimizations that were made starting from the abstract model did not introduce
any errors.
The article is structured as follows. In Section 2 other articles that have contributed to the area of formal analog and
mixed-signal verification are reviewed. Section 3 gives a formalized look at a typical industrial design flow and shows how
the verification methodology of this article fits into such a design flow. In Section 4 the derivation of the discrete model is
described. Section 5 explains how properties of a mixed-signal circuit can be expressed in a formal property language. The
example in Section 6 shows the application of the whole verification methodology. Section 7 concludes the article.
2. State of the art
In [1,2] it is proposed to derive a symbolic model of the analog parts of a mixed-signal circuit. This symbolic model
describes the analog steady state behavior. In this symbolic model, analog voltages are represented by bit-vectors of finite
length. The behavior of the analog parts is described at bit-level for one quantization parameter. A change of the quantization
parameter requires a manual change of the model. The difference between the behavior of the symbolic model and the
behavior of the circuit (quantization error) is not regarded in these papers. Additionally it is not mentioned how arithmetic
overflows that might occur due to the usage of a discretized model can be handled during verification. The specified behavior
of the mixed-signal circuit is described by another model that has to be generated manually. The verification is then carried
out by performing an equivalence check that compares this model with the symbolic model. These behavioral models are
compared using BDDs [3]. The complexity of the circuits that can be verified using this flow is rather limited. Moreover, the
manual derivation of the symbolic models at bit-level and the representation of the specification by complete models limits
the usability of this approach significantly.
Qualitative modeling [4,5] is based on differential algebraic equations (DAEs) that describe the behavior of analog circuits.
The real numbers that represent the currents and voltages are abstracted using the three-element set {0,+,−}, whereas
any real number is reduced to its representation by the corresponding sign in the resulting model. The algebraic operations
are mapped to this set. By using this abstraction, one limits the properties that can be verified concerning analog values
to the sign. Therefore, even the validity of rather simple properties of steady state mixed-signal circuits like the values of
amplification factors cannot be proven.
In the following paragraphs, several papers dealing with the verification of dynamic mixed-signal circuits are reviewed.
Typically, steady state mixed-signal circuits have a lot of digital inputs that control different modes of the circuit. In order
to cope with the great number of today’s mixed-signal circuit’s digital inputs, these inputs must be treated symbolically to
be able to verify circuits of reasonable sizes. However, the verification techniques tailored to dynamic mixed-signal circuits
are not able to deal with the digital inputs symbolically. Hence, these techniques are not suitable for the verification of the
class of steady state circuits considered in this article.
1 Traditionally, “property checking” was called “model checking”, a term that originates from the theory of temporal and modal logic.
2 If a set of properties completely describes the behavior of a circuit there is no formal difference between equivalence and property checking since the
complete property set can be considered as an abstract model. However, the convention is to use “property checking” when temporal logics are involved.
In [6] an approach for the verification of linear analog circuits is presented. In this approach, the transfer function is
determined by the state equations. Assuming an upper bound for the frequencies, the transfer function is transformed using
z-transform into a time-discrete domain. The currents and voltages are quantized and represented by bit-vectors such that
the behavior can be represented with the help of a finite Mealy-automaton using BDDs. The proposed method carries out
an equivalence check, so that the specified behavior must be described by a complete model like in [1,2]. It is mentioned
that arithmetic overflows might occur, but overflows are not treated or recognized in this approach, so that a value at the
output of the model may be the result of an arithmetic overflow. Since this approach supports analog circuits only, it cannot
be applied to the verification of mixed-signal circuits.
Simple mixed-signal circuits can be represented by hybrid automata [7,8,25,27]. The verification of a circuit design is
done by performing a reachability analysis over the state-space of the corresponding hybrid automaton. Even under strong
restrictions, such as piecewise constant derivatives of the variables, the reachability problem remains undecidable for this
class of automata, for the state-space is infinite in general [9,26]. Recent approaches to the verification of hybrid automata
utilize different techniques to approximate the reachable state sets. Standard model checking algorithms are then applied
to these finite-state approximations [10,11]. The approach proposed in [12] suggests performing a reachability analysis
on a certain class of hybrid systems that can be represented as mixed logical dynamical or piecewise affine systems to
get a piecewise linear approximation of the exact solution. Drawbacks of these approaches are that they introduce an
approximation error, are not sound [11] or their performance strongly depends on the shape of the reachable sets of
states [12].
Other approaches to the verification of hybrid systems lead to tools like CheckMate [13,14] and PHAVer [15]. The
CheckMate tool generates polyhedral flowpipe approximations to approximate the reachable state sets of systems belonging
to the class of hybrid systems called threshold event-driven hybrid systems. The verification is carried out based on such
finite state approximations called quotient transition systems. If the verification returns a negative result, the verification of
the original system is inconclusive and the user has to decide whether to refine the approximation and re-run the verification
or to accept the result. A positive verification result also holds for the original system. Recently, there has been work on
adding a counter-example guided refinement procedure to the tool. CheckMate relies on numerical DAE solvers and thus is
not numerically exact. It follows that the generated over-approximations are not formally sound. PHAVer implements the
verification of safety properties for a decidable subclass of hybrid automata called initialized rectangular hybrid automata.
A flowpipe approximation of the reachable state set of such an automaton representing a linear system is generated and
then used to reason about the system. The reachability analysis performed by PHAVer is not guaranteed to terminate as
termination is not guaranteed for the class of linear hybrid automata.
Based on [11], the authors of [16] propose an approach to the verification of non-linear analog circuits. The state-
space of an analog circuit that is given by the circuit’s inputs and independent state-variables is restricted to a finite
region that is approximated by hyperboxes. Discrete state-transitions of randomly chosen representatives of discrete
states are determined by over-approximating the solutions of algebro-differential equations. Additionally these transitions
are annotated with timing information so that timing constraints can also be verified. Due to complexity issues the
presented approach is only applicable for comparatively small analog circuits. The verification of mixed-signal circuits is
not considered.
3. Verification methodology
3.1. Verification in industrial design flows
Usually, the starting point of the design of a mixed-signal circuit is an informal specification in human language (cf.
Fig. 1). Starting from such a specification, a mixed-signal circuit is developed by passing through several refinement and
optimization steps.
Today it is common practice to verify a mixed-signal circuit against its specification using an analog and mixed-signal
(AMS) simulator (cf. Fig. 1(a)). For the simulation based verification of a design, a testbench is needed for the application of
the simulation stimuli to the circuit. Both the testbench and the simulation stimuli have to be provided manually. However,
due to the long simulation times at this detailed level of abstraction, the functional coverage that can be achieved using AMS
simulation is very limited.
To mitigate this problem, a behavioral description written in VHDL [17] is derived from the AMS description. Such
a VHDL behavioral description represents the steady state behavior of the mixed-signal circuit as all assignments in this
kind of behavioral description are modeled without specifying delay times. Dynamic behavior and device tolerances of the
analog parts are not contained in this description.
The first step towards the generation of a VHDL behavioral description consists of the removal of any timing information
in the digital parts and the removal of the function of the analog parts from the circuit description, i.e. empty VHDL
architectures are created for the analog entities. This first step can be automated.
Fig. 1. Design flow and verification, application of simulation-based verification on different levels of abstraction.
Fig. 2. Design flow and verification using formal methods.
In a second step, the behavior of the analog parts is modeled manually. In the resulting models of the analog parts each
electrical quantity like voltages, currents, and resistances is represented by a corresponding VHDL type. These VHDL types
are mapped to real numbers, i.e. they are defined as subtypes of the VHDL type real. It follows that a VHDL behavioral
description derived this way only uses variables and signals of the type real and the usual arithmetic operations on them
in addition to the synthesizable subset of VHDL [18]. Since there is no notion of time in this model, a VHDL behavioral
description abstracts from the dynamic analog behavior to its steady state behavior with respect to the clock cycle of the
digital part of the mixed-signal circuit. An example of such a VHDL behavioral description of a mixed-signal circuit is given in
Section 6, Listing 2. In the following, it is assumed that in the VHDL behavioral descriptions the units at the left and the right
hand side of comparison operations and assignments are equal. For instance, it is not possible to assign the product of two
voltages to a signal that represents another voltage. Moreover, the functions over the analog quantities must be correctly
typed w.r.t. the electric laws. Since the VHDL behavioral description is derived from an AMS description, these assumptions
are typically fulfilled.
The derived VHDL behavioral description can be verified using a VHDL simulator (cf. Fig. 1(b)). In comparison to the
simulation of the mixed-signal circuit by an AMS simulator, the simulation time for the more abstract VHDL behavioral
description is much shorter. Moreover, the VHDL behavioral description can be checked together with other surrounding
digital parts using a single simulator. However, the simulation time is still high so that due to the complexity of today’s
circuit designs a reasonable functional coverage cannot be achieved in practice.
3.2. Semi-formal verification
Another approach to hardware verification is the application of formal verification methods [19]. With the help of formal
verification methods a complete coverage of a circuit’s functionality can be achieved [20]. For digital circuits, commercial
formal verification tools are already available. However, for analog and mixed-signal circuits the algorithms are still in the
research stage. Often, the application of these algorithms requires a considerable amount of manual effort. In this article,
we propose a verification methodology that can be highly automated and opens a way for currently available commercial
tools to mixed-signal verification.
Fig. 2 shows how our verification methodology is integrated in the design flow described in Section 3.1. Based on the
VHDL behavioral description of a mixed-signal circuit another, more abstract model is derived. This model is a discrete-valued
representation of the behavior of a mixed-signal circuit and, in what follows, is referred to as ‘discrete model’. Instead
of the real numbers used in the VHDL behavioral description, integer values of a finite interval are used to describe electrical
quantities and parameters in the discrete model. Since only a finite number of integers is used for the description of the
analog behavior, the resulting discrete model can be represented by a finite Mealy-automaton.
Fig. 3. Comparison of the domains of the VHDL behavioral description and the discrete model of an example circuit with one analog input in.
Due to the restriction to the usage of integers to represent analog behavior, the discrete model only represents
the pointwise sampled behavior of the VHDL behavioral description (cf. Fig. 3). Therefore, the presented verification
methodology has to be characterized as semi-formal despite the application of formal verification methods.
As the discrete model can be completely described with the help of the synthesizable subset of VHDL, property checking
techniques known from digital designs can be applied for its verification. For our experiments related to this article CVE
gateprop of Infineon Technologies AG³ [20,21] is used. CVE gateprop translates the property and the model into a formula
of propositional logic and checks the satisfiability of the formula using a high performance SAT solver.⁴ The usage of CVE
gateprop is by no means mandatory. In principle, any other property checking tool can be used with the proposed verification
methodology as well.
4. Discrete modeling
4.1. Quantization
The description of the steady state behavior of mixed-signal circuits using VHDL is already common practice in the
industry. These VHDL behavioral descriptions are used to speed-up simulation times for the simulation based verification
of mixed-signal circuits (cf. Fig. 1(b)). To apply the semi-formal verification methodology described in Section 3.2, the only
additional task that has to be performed is the derivation of the discrete model from the VHDL behavioral description.
The difference between the VHDL behavioral description and the discrete model is the way the electrical quantities and
parameters are represented. In the VHDL behavioral description real numbers are used; in the discrete model solely integer
values of finite intervals can be used. Otherwise, the circuit’s behavior could not be represented by a finite Mealy-automaton,
so that a crucial requirement for the application of SAT- or BDD-based formal verification methods [19] would be violated.
For mixed-signal circuits it turns out to be advantageous if the real-valued analog domain of the VHDL behavioral
description is sampled point-wise, i.e. the discrete model represents the behavior for a finite number of voltages and currents
at the circuit’s inputs only (cf. Fig. 3). The distance between two adjacent sampling points is always the same in the whole
model and its reciprocal is called resolution $r$. The domain of the electrical quantities and parameters in the discrete model
is a finite interval $D = [q_{\min}, q_{\max}] \subseteq \mathbb{Z}$ of the integers. The following relation between a value $x_q$ denoting, for instance, a
voltage, in the discrete model and a value $x_r$ in the VHDL behavioral description is assumed:
$$x_r = x_q / r. \tag{1}$$
Let, for instance, $D = [-50, 50]$ and $r = 10.0\,\mathrm{V}^{-1}$. In this case, the quantized value $x_q = 7$ represents the voltage
$x_r = 7 / 10.0\,\mathrm{V}^{-1} = 0.7\,\mathrm{V}$. In the discrete model all values of the VHDL behavioral description that are contained in
$E = \{ x_q / r \mid x_q \in D \}$ are represented. Hence, the discrete model is a quantized representation of the VHDL behavioral
description with $D$ and $r$ being the parameters used for the quantization.
In general, the reasonable (with respect to the accuracy of the model and the resulting complexity of the verification
task) domains and resolutions of the different electrical quantities and parameters diverge a lot. Therefore, each quantity is
quantized independently.
3 Since May 2005, the development of this tool is continued by OneSpin Solutions GmbH (http://www.onespin-solutions.com).
4 General information about SAT solvers can be found in [22].
Fig. 4. Quantization error $\Delta_{out}(V_0)$ at $V_0$ (solid line: graph of the transfer function of the VHDL behavioral description; dots: graph of the transfer function
of the discrete model).
Since all signals and variables of the VHDL behavioral description that represent the same quantity (e.g. voltage) are of the
same type they are quantized with the same quantization parameters. In some cases the discrete model could be optimized
w.r.t. the accuracy and complexity of the verification if some signals representing, for example, voltages would use different
quantization parameters than other signals. However, such discrete models cannot be derived automatically and tuning the
quantization of the different signals requires considerable manual effort. Therefore, uniform quantization parameters for
all signals and variables belonging to the same electrical quantity are assumed in this article.
For each electrical quantity and parameter like voltage $V$, current $I$, and resistance $R$ there is a resolution $r_V$, $r_I$, and $r_R$,
respectively, and a domain $D_V$, $D_I$, and $D_R$, respectively. In the following, $D_e$ denotes one of the domains $D_V$, $D_I$, or $D_R$, while $r_e$
denotes one of the resolutions $r_V$, $r_I$, or $r_R$ and $E_e$ represents $\{ x_q / r_e \mid x_q \in D_e \}$.
4.2. Quantization error
Assuming that the quantized values are transformed back by (1) into the domain of real numbers and no arithmetic
overflow occurs in the discrete model, the values of the voltages and currents at the outputs of the discrete model are equal
to the values of the VHDL behavioral description if:
• the quantization parameters $r_e$ and $D_e$ are chosen in such a way that all real-valued constants of the VHDL behavioral
description, which represent electrical quantities and parameters, are contained in $E_e$ and
• $\{+, -, *\}$ occur exclusively in the VHDL behavioral description as arithmetical operations.
However, these assumptions do not hold in general. If a division operation is used, as it is for example the case in the
behavioral descriptions of voltage dividers, the result of the division must be rounded in order to map it to the corresponding
value of the discrete domain. For certain values $\bar{V}_0$ at the inputs this rounding results in a deviation $\Delta_{out}(\bar{V}_0)$ between
the values at the corresponding output $out$ of the VHDL behavioral description and the discrete model (cf. Fig. 4). Such a
deviation also occurs if there are constant values in the VHDL behavioral description that are not elements of $E_e$. During
the quantization of these constants a rounding is unavoidable. The quantization error $\Delta_{out}$ of the output $out$ is defined as
the maximum deviation denoted by $\Delta_{out} = \max_{\bar{V}_0}(\Delta_{out}(\bar{V}_0))$ and the quantization error $\Delta$ of the whole discrete model is
defined by $\Delta = \max_{out}(\Delta_{out})$, i.e. the maximum quantization error of the outputs.
In principle, the quantization error can be computed by comparing the values at the output of the VHDL behavioral
description and the discrete model for each value that can be applied to the inputs of the discrete model. However, this
enumeration is not feasible for real life designs and there is still no way to compute the quantization error precisely and
efficiently. A conservative approximation can be computed by using affine arithmetic [23].
4.3. Choosing the quantization parameters
When choosing the value for the resolution $r_e$, there is a trade-off between the accuracy of the resulting discrete model
and the expected computation time and memory consumption for the subsequent formal verification. On the one hand, the
better the resolution, the more accurate is the resulting discrete model. On the other hand, the better the resolution $r_e$ of
the model, the greater has to be the domain $D_e$ in order to cover the relevant interval of the real numbers. The greater the
domain $D_e$, the more complex is the resulting model and thus the higher is the expected effort in formal verification.
A precise computation of the domains $D_e$ requires a careful analysis of the VHDL behavioral description regarding the
admissible ranges of the voltages and currents at the inputs and the parameter values of the devices contained in the model.
The choice of the domain has to ensure that all constants used in the VHDL behavioral description as well as all values allowed
at the inputs can be represented. Determining $D_e$ and $r_e$ is a non-trivial task. The specification of the mixed-signal circuit as
well as information from the designers can give hints about how to choose $r_e$. Also, as a rule of thumb, all distinguishable
constants in the VHDL behavioral description should be distinguishable in the derived discrete model.
If the circuit is complex enough, the range of values of each quantity that needs to be covered in the discrete model cannot
be manually computed with a reasonable effort and there is no algorithm that can compute this for non-trivial mixed-signal
circuits. Therefore, we propose an iterative approach. At first, an initial approximation of the domain is chosen according to
the information from the specification and the designers. However, if the domain $D_e$ is chosen too small or the resolution $r_e$
is chosen too high, the result of some arithmetic operation is not covered by the domain $D_e$, i.e. an overflow occurs. On the
contrary, if the resolution is chosen too low, the model is too inaccurate and some properties cannot be proven even for a
correct circuit. In both cases, the generation of the discrete model and the verification has to be re-run with new quantization
parameters.
4.4. Recognizing overflows
It is very important to recognize any occurring overflow in the discrete model during verification because overflows
might lead to false verification results.
There are two ways to recognize the occurrence of an overflow during property checking:
(1) A VHDL assertion fails.
(2) The values at all affected outputs indicate it.
The first method is a general solution and easy to implement. However, our experience shows that debugging becomes
a lot easier in the context of formal verification if the second method is used additionally.
To implement the propagation of the information about arithmetic overflows, the set $D'_e$ with $D'_e = D_e \cup \{ \mathit{inv}_e \}$ and
$\mathit{inv}_e \notin D_e$ is used in the discrete model instead of $D_e$. In $D'_e$, $\mathit{inv}_e$ represents an invalid value. All arithmetic operations that
return a quantized value are defined in such a way that the result is $\mathit{inv}_e$ if an overflow occurred, a division by zero occurred,
or one of the operands is equal to $\mathit{inv}_e$. This definition ensures the propagation of the information about an overflow to one
of the analog outputs (cf. Fig. 5).
However, this method does not work in general. If the result of an arithmetic function is used in a comparison operation
and not fed to an output, then the value $\mathit{inv}_e$ cannot be propagated to an output, because the return value of a comparison is
defined to be boolean and cannot be extended by an additional value. For a safe identification of all overflows at least either
• all arithmetic functions (except for the comparison operations) are extended by a VHDL assertion or
• the comparison operations are extended by a VHDL assertion and the other arithmetic functions implement the
propagation mechanism as described above.
To ease the debugging process while ensuring the safe recognition of occurring overflows, a combination of both methods
should be used, although it turned out that the overflow propagation mechanism causes the time needed to verify a property to
increase a bit.
4.5. Derivation of the discrete model
The derivation of the discrete model from the VHDL behavioral description is carried out by performing the following
three steps:
(1) substituting the data types for the representation of electrical quantities and parameters
(2) substituting the functions for these data types
(3) quantization of the constants.
In the VHDL behavioral description, the data types for the electrical quantities and parameters are represented by real
numbers. In the discrete model, however, these definitions are substituted by finite intervals $D'_e$ of integers. Assuming $q_{e,max}$
is the upper bound of $D_e$, the value $q_{e,max} + 1$ is used to represent $inv_e$.
The arithmetic functions defined over these data types are also substituted. These functions must follow the rules for
treating $inv_e$ as mentioned above in Section 4.4. Listing 1 shows, as an example, the corresponding function for the addition
of two voltages.
function "+" (l, r : voltage) return voltage is
  variable i : integer;
begin
  -- an invalid operand makes the result invalid (propagation)
  if (l = volt_inv) or (r = volt_inv) then
    return volt_inv;
  else
    i := integer(l) + integer(r);
    -- result outside the voltage domain: raise the assertion and return the invalid value
    if (i < volt_min) or (i > volt_max) then
      assert false report "voltage_add_overflow"
        severity failure;
      return volt_inv;
    else
      return voltage(i);
    end if;
  end if;
end;
Listing 1. Definition of an arithmetic operation including the treatment of arithmetic overflows.
Fig. 5. Propagation of an arithmetic overflow to the output.
Fig. 6. Derivation of the discrete model.
If it is necessary to round the result $x_r$ of an arithmetic function (e.g. for the result of a division operation), the following
formula (2) is used:
$x_q = \lfloor x_r \cdot r_e + 0.5 \rfloor.$ (2)
In this formula $\lfloor y \rfloor$ represents the largest integer that is not greater than y.
If there is a constant $x_r$ used in the VHDL behavioral description then the quantized value of $x_r$ is determined by the
formula (2). This ensures that all constants of $E_e$ are quantized in a way compatible to formula (1).
Except for the constants, the discrete model only differs from the VHDL behavioral description in the definition of the
data types for the electrical quantities and parameters and in the definition of the operations over these data types. If all
these definitions are put into one separate package for the VHDL behavioral description and into another package for the
discrete model, respectively, the quantization can be carried out without any human interaction by simply exchanging these
packages and by computing the quantization of the constants (cf. Fig. 6).
5. Formal properties
5.1. General
For the application of property checking, the properties described in the informal specification need to be expressed
formally in the property description language of the property checker that is used for formal verification. The property
checker CVE gateprop uses the proprietary property language VHI. In VHI, each property describes certain aspects of the
behavior of the circuit during some clock cycles, i.e. about a trace of finite length. A VHI property has two main parts: a
(possibly empty) set of assumptions and a set of commitments. Typically, the assumptions are used to express restrictions
on the values at the inputs or the state variables. The commitments describe the behavior the circuit must exhibit to be
correct, mainly in terms of expected values at the outputs and input–output relations. In the assumptions as well as in
the commitments it is possible to refer to the value of any signal at any time point of the trace. A property holds iff
the implication assumptions $\Rightarrow$ commitments holds for each trace of the circuit starting from any arbitrary state and
allowing arbitrary values at the inputs at any time point. This is similar to bounded model checking [24]. However, in contrast
to [24], the circuit is not assumed to be in an initial state, especially not the reset state; instead, any arbitrary initial state is
considered.
For the verification of digital circuits, each VHI-property describes one transaction of the circuit. Since with respect to
time the behavior of steady state mixed-signal circuits only depends on the digital clock, each property of a mixed-signal
circuit describes a transaction at the digital side, too. In addition, it represents a relation between values at analog ports.
Typical steady state properties of mixed-signal circuits can be given as relations between input and output values. For
instance, in case of an analog to digital converter (ADC) or a digital to analog converter (DAC) a relation has to be given
between the digital and the analog value. In case of amplifiers, a relation between the voltages or currents at the input and
output is given.
The input–output-relation of many mixed-signal circuits can be described as piece-wise linear, i.e. the admissible range
of analog input values can be split into intervals such that within each interval the corresponding input–output-relation is
linear. These intervals are often specified in terms of threshold values or over-modulation. Any piece-wise linear behavior
can be expressed in property languages like VHI by case-splitting using if–then–else or case constructs. The conditions of these
language constructs describe the intervals by boolean connections of inequalities while the bodies describe the relation
between inputs and outputs. The if-then-else and case constructs can also be used to express different kinds of behavior
selected by different modes that are controlled by digital inputs. The nesting of these constructs allows for the specification
of complex steady state mixed-signal behavior. Language constructs for macro or function definitions keep the properties
compact and readable.
Fig. 7. Acceptance region (gray): If the quantized transfer function is inside the acceptance region, then the transfer function is assumed to be correct.
The input–output-relation of many analog circuits is specified over the real numbers. However, there is no way to reason
about real numbers in discrete verification algorithms. Instead, we propose the usage of rational numbers which, in many
cases, is not a substantial restriction since only irrational numbers are excluded.
There is no standard describing the arithmetic of rational numbers in VHDL or any other hardware description language.
Therefore, property languages like VHI do not support rational numbers but only integers.
A linear relation between x and y in general has the form
$y = ax + b.$ (3)
If a and b are rational numbers, then a and b can by definition be represented by a quotient of two integer values: $a = \frac{a_n}{a_d}$ and $b = \frac{b_n}{b_d}$. The linear relation (3) can then be represented by
$y a_d b_d = a_n b_d x + a_d b_n$ (4)
using arithmetic operations over integers only. This transformation enables the application of integer based property
languages to the description of linear relations described by rational numbers.
In general, the specification of a transfer function is based on a mathematical notation and has no relation to computer
arithmetic. Therefore, the arithmetic operations of the property language over integer values must be defined in a
mathematical sense and must not have an overflow semantics. The property specification language VHI does provide this
feature.
5.2. Dealing with quantization errors
The specified properties are described exactly by formulae like (4), but the discrete model may contain a quantization
error. Therefore, even correct mixed-signal circuits would be classified as being erroneous during verification. As illustrated
in Fig. 4, the quantization error ∆, i.e. the maximum deviation of the transfer function of the discrete model from the one
of the VHDL behavioral description, is typically very small. Hence, the properties are formulated in such a way that not only
the specified function is identified as being correct but also all functions, whose values differ at most by a certain value dev
from the exact value. The set of all these functions is called acceptance region in this verification methodology (cf. Fig. 7).
The value of dev is defined in the correctness property and determines the quality of the verification: the greater dev must be
chosen to verify a property, the higher is the likelihood that an incorrect transfer function is also accepted as being correct.
If a property fails for a certain value of dev the counter-example generated by the property checker can be reproduced by
simulating the real-valued VHDL behavioral description. This way one can check whether the counter-example describes a
bug in the circuit or is caused by the quantization error.
5.3. Checking for overflows
As mentioned in Section 4.4, if an arithmetic overflow has occurred at least one analog output of the discrete model is
equal to the value $inv_e$ or at least one of the VHDL assertions of the arithmetic functions fails. To ensure that no overflow
occurs during the verification of a property, the property can easily be extended by the proposition “The voltages and
currents at all analog outputs are not equal to $inv_V$ or $inv_I$, respectively, and none of the VHDL assert-statements fails”. In
general, such an extended property can only be proven to be valid if the voltages and currents at the inputs are restricted
to the admissible ranges as defined in the specification. These restrictions can be expressed in the assumption part of a
property with the help of inequalities.
5.4. Quantized values in properties
Typically, voltage or current values represented by rational numbers can be found in the circuit’s informal specification.
In a formal property these values must be represented by the corresponding quantized values. If the quantized values are
represented by actual numbers in the properties, the property could only be used for one particular resolution $r_e$. In our
verification methodology, the resolution is determined iteratively and changes therefore quite often in the beginning. In
order to make the properties independent from the actual quantization parameters we propose the following technique
that exploits the possibility of using VHDL constants in the properties.
Fig. 8. Schematic of the example circuit.
Any constant that is used in the informal specification of the mixed-signal circuit is represented by a corresponding
constant-declaration in the VHDL behavioral description. It follows that the discrete model also contains all these
constants. Due to the way the discrete model is generated, the values of these constants are quantized using the chosen
quantization parameters. In a formal property, these VHDL constants are used instead of integer numbers to represent
specified voltage or current constants. Therefore, such a property description can be used for the verification with arbitrary
quantization parameters applied to derive the discrete model, because the VHDL constants used in the formal property are
always quantized using the same parameters as the ones in the VHDL behavioral description.
6. Example
In the following, the presented verification methodology is demonstrated with a simple sequential example circuit. The
example is selected for the sake of clarity only; its size does not in any way reflect the size of mixed-signal circuits that
can be verified with the presented verification methodology. Moreover, the VHDL behavioral description is not restricted to
the VHDL constructs that are used in this example.
The schematic of the example mixed-signal circuit is depicted in Fig. 8. Depending on the value of the digital input
i_mode of the mixed-signal circuit, one of the two analog inputs i_0 or i_1 is selected in the next clock cycle. The voltage
at the selected analog input is amplified by the factor of (1 + 1000 Ω/2000 Ω) or by the factor of (1 + 1000 Ω/500 Ω),
respectively, depending on the value of the digital input v_mode during the previous clock cycle. The amplified voltage can
be measured at the circuit’s analog output outp. The VHDL behavioral description of this mixed-signal circuit is depicted
in Listing 2.
PACKAGE mixed_signal IS
  -- electrical quantities and parameters are real-valued in the behavioral description
  TYPE voltage IS RANGE real'low TO real'high;
  TYPE resistor IS RANGE real'low TO real'high;
  CONSTANT volt_0_0 : voltage := voltage(0.0);
  CONSTANT volt_2_5 : voltage := voltage(2.5);
  ...
END mixed_signal;

ENTITY example IS
  PORT( clock  : IN std_ulogic;
        v_mode : IN std_ulogic;
        i_mode : IN std_ulogic;
        i_0    : IN voltage;
        i_1    : IN voltage;
        outp   : OUT voltage );
END example;

ARCHITECTURE beh OF example IS
  SIGNAL j1, j2 : voltage;
  SIGNAL r1 : resistor;
  SIGNAL i_mode_int, v_mode_int : std_ulogic;
BEGIN
  -- the digital mode inputs are registered, so they take effect in the next clock cycle
  PROCESS (clock) BEGIN
    IF (rising_edge(clock)) THEN
      i_mode_int <= i_mode;
      v_mode_int <= v_mode;
    END IF;
  END PROCESS;

  WITH i_mode_int SELECT
    j1 <= i_0 WHEN '0',
          i_1 WHEN OTHERS;

  WITH v_mode_int SELECT
    r1 <= resistor(2000.0) WHEN '0',
          resistor( 500.0) WHEN OTHERS;

  j2 <= j1 * (r1 + resistor(1000.0)) / r1;

  -- the output is limited to the supply range
  outp <= gnd_0_0 WHEN j2 <= gnd_0v0 ELSE
          vdd_2_5 WHEN j2 >= vdd_2v5 ELSE
          j2;
END beh;
Listing 2. VHDL behavioral description of the example circuit.
The discrete model of the example circuit is shown in Listing 3. The lines that have been changed in the VHDL behavioral
description to obtain the discrete model are printed in italics. For the voltages, a resolution of $r_V = 20.0\,\mathrm{V}^{-1}$ has been chosen,
the resistors are quantized with the resolution $r_R = 0.01\,\Omega^{-1}$. The global constants volt_min = −512 and volt_max
= 510 determine the voltage domain $D_V$ = [volt_min, volt_max], and ohm_max = 30 the domain $D_R$ = [0, ohm_max].
The constant volt_inv, which is defined as volt_max+1, denotes the value $inv_V$ for an invalid voltage value; the constant
resist_inv = ohm_max+1 denotes the value for an invalid resistor value.
PACKAGE mixed_signal IS
  CONSTANT volt_min : integer := -512;
  CONSTANT volt_max : integer := 510;
  CONSTANT ohm_max : integer := 30;
  -- the domains are extended by one value that encodes "invalid"
  TYPE voltage IS RANGE volt_min TO volt_max+1;
  TYPE resistor IS RANGE 0 TO ohm_max+1;
  CONSTANT volt_0_0 : voltage := voltage(0);
  CONSTANT volt_2_5 : voltage := voltage(50);
  CONSTANT volt_inv : voltage := volt_max+1;
  CONSTANT resist_inv : resistor := ohm_max+1;
  FUNCTION "*" (v : voltage; r : resistor)
  ...
END mixed_signal;

ENTITY example IS
  PORT( clock  : IN std_ulogic;
        v_mode : IN std_ulogic;
        i_mode : IN std_ulogic;
        i_0    : IN voltage;
        i_1    : IN voltage;
        outp   : OUT voltage );
END example;

ARCHITECTURE beh OF example IS
  SIGNAL j1, j2 : voltage;
  SIGNAL r1 : resistor;
  SIGNAL i_mode_int, v_mode_int : std_ulogic;
BEGIN
  PROCESS (clock) BEGIN
    IF (rising_edge(clock)) THEN
      i_mode_int <= i_mode;
      v_mode_int <= v_mode;
    END IF;
  END PROCESS;

  WITH i_mode_int SELECT
    j1 <= i_0 WHEN '0',
          i_1 WHEN OTHERS;

  -- quantized resistor constants
  WITH v_mode_int SELECT
    r1 <= resistor(20) WHEN '0',
          resistor( 5) WHEN OTHERS;

  j2 <= j1 * (r1 + resistor(10)) / r1;

  outp <= gnd_0_0 WHEN j2 <= gnd_0v0 ELSE
          vdd_2_5 WHEN j2 >= vdd_2v5 ELSE
          j2;
END beh;
Listing 3. Discrete model of the example circuit.
Listing 4 shows the specified behavior of the example circuit using VHI, the property specification language of the
property checker CVE gateprop. In general, the formal specification of a circuit comprises a set of formal properties. However,
in the case of the example circuit, the specified behavior can be completely described within one property.
In the first part of Listing 4 some macros are defined. The VHI type range used in the macros is interpreted as an integer
value. The actual property starts with the keyword property. The section after freeze allows the definition of variables
(vm_0 and im_0 in the example) that represent values of signals at defined time points. After the keyword assume some
environmental assumptions for the correct working of the circuit can be defined. In the example, the voltages at the inputs
must be in the interval [0 V, 2.5 V]. The keyword prove is followed by the commitments, i.e. by the propositions to be
verified. Each assumption and each commitment is annotated with a temporal expression (in the example property always
at t+1) that describes which time point in the finite trace is referenced. The property as a whole describes a trace over
two clock cycles since time points of the interval [t, t + 1] are referenced in the property.
macros
  dev : range := 1; end dev;
  diff(a : range; b : range) : range :=
    if ((a-b) < 0) then
      (b-a)
    else
      (a-b)
    end if;
  end diff;
  src(im : std_ulogic) : range :=
    if (im = '0') then
      i_0
    else
      i_1
    end if;
  end src;
  v_num(vm : std_ulogic) : range :=
    if (vm = '0') then
      7
    else
      6
    end if;
  end v_num;
  v_den : range := 2; end v_den;
end macros;

property example;
freeze:
  vm_0 = v_mode @ t,
  im_0 = i_mode @ t;
assume:
  at t+1: (i_0 >= volt_0_0) and (i_0 <= volt_2_5);
  at t+1: (i_1 >= volt_0_0) and (i_1 <= volt_2_5);
prove:
  at t+1: if src(im_0)*v_num(vm_0) <= gnd_0v0*v_den then
            outp = gnd_0_0;
          elsif src(im_0)*v_num(vm_0) >= vdd_2v5*v_den then
            outp = vdd_2_5;
          else
            diff(outp*v_den, src(im_0)*v_num(vm_0))
              <= dev*v_den;
          end if;
  at t+1: outp /= volt_inv;
end property;
Listing 4. Formal property of the example circuit from Listing 3 in the language VHI of CVE gateprop.
In the example property the commitment states (after the keyword prove) that the voltage at the output is determined
through the amplification of the input selected by the value of i_mode at time point t by the factor given by the value
v_mode at time point t and that no arithmetic overflow occurs in the discrete model. The amplification factor is given by
the quotient $\frac{v\_num}{v\_den}$. The voltage at the output is allowed to deviate at most by the value denoted by dev from the specified
value to be accepted as correct. To allow for the specification of rational amplification factors in the property description
this specification is equivalently transformed (provided v_den > 0):
$\left| outp - src \cdot \frac{v\_num}{v\_den} \right| \le dev \;\equiv\; |(outp \cdot v\_den) - (src \cdot v\_num)| \le (dev \cdot v\_den).$ (5)
All the constants that are used in the property are defined in the VHDL behavioral description and, hence, the
corresponding quantized constants are defined in the discrete model. Therefore, this property describes the specified
behavior independently from the actual quantization parameters.
The example property fails for the discrete model of the circuit depicted in Fig. 8. Therefore, a counter-example is
provided by the CVE gateprop tool. A counter-example can be visualized using a waveform viewer and thus be used to
find the design error that caused the property to fail. Fig. 9 shows the corresponding counter-example that is generated by
CVE gateprop.
It can be seen in the counter-example that i_mode is 1 and v_mode is 0 at time point t. The specified behavior is the
amplification of i_1 by the factor of $\frac{v\_num}{v\_den} = \frac{7}{2} = 3.5$ at time point t+1. However, the quantized value of i_1 at t+1
is 5 which corresponds to the real value of 0.25 V according to the resolution $r_V = 20.0\,\mathrm{V}^{-1}$ that was chosen to create
the discrete model. The value at the output outp at t+1 is 8 which corresponds to the real value of 0.4 V. Hence, the
amplification of the discrete model is 1.6 in this situation. The simulation of the VHDL behavioral description shows that
the implemented amplification for v_mode = 0 is 1.5 and that the property failure is not due to a quantization error and,
hence, reveals a bug in the design. This bug can be fixed by changing the resistances of the circuit as shown in Listing 5. After
correcting the VHDL behavioral description, the new discrete model is derived using the same quantization parameters and
the verification is re-run, and no error shows up.
...
  WITH v_mode_int SELECT
    r1 <= resistor(400.0) WHEN '0',
          resistor(500.0) WHEN OTHERS;
...
Listing 5. Bug-fix of the VHDL behavioral description.
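The check described in Sections 4.4 to 6 can be reproduced by plain enumeration. The following Python code is an added example, not code from the article or from CVE gateprop: it rebuilds the discrete model of Listing 3 with formula (2) rounding and inv propagation, then tests the commitments of Listing 4 for every admissible input. Assumptions: the overflow test is applied to the rounded quotient only, gnd_0v0 and vdd_2v5 are the quantized 0 V and 2.5 V, and all Python names are hypothetical.

```python
from fractions import Fraction
from math import floor

# Values from the page (Listings 3 and 4); every Python name here is hypothetical.
R_V = Fraction(20)          # voltage resolution r_V = 20.0 per volt
R_R = Fraction(1, 100)      # resistor resolution r_R = 0.01 per ohm
VOLT_MIN, VOLT_MAX = -512, 510
VOLT_INV = VOLT_MAX + 1     # integer that encodes inv_V
DEV, V_DEN = 1, 2           # macros dev and v_den
V_NUM = {0: 7, 1: 6}        # macro v_num(vm)


def quantize(x_real, resolution):
    """Formula (2): x_q = floor(x_r * r_e + 0.5), evaluated exactly."""
    return floor(Fraction(x_real) * resolution + Fraction(1, 2))


# Assumption: gnd_0v0/gnd_0_0 and vdd_2v5/vdd_2_5 are the quantized 0 V and 2.5 V.
GND, VDD = quantize(0, R_V), quantize("2.5", R_V)
R_FB = quantize(1000, R_R)  # the fixed 1000 ohm resistor


def amplify(j1, r1, asserts):
    """j2 = j1 * (r1 + R_FB) / r1 with inv propagation (Section 4.4).

    Assumption: the range check is applied to the rounded quotient only.
    """
    if j1 == VOLT_INV or r1 == 0:
        return VOLT_INV
    num = j1 * (r1 + R_FB)
    q = (2 * num + r1) // (2 * r1)      # floor(num / r1 + 0.5) in integers
    if q < VOLT_MIN or q > VOLT_MAX:
        asserts.append("voltage_overflow")   # stands in for the VHDL assert
        return VOLT_INV
    return q


def circuit(i_0, i_1, i_mode, v_mode, r_mode0_ohm, asserts):
    """Output at t+1 for the modes sampled at t and the inputs at t+1."""
    j1 = i_0 if i_mode == 0 else i_1
    r1 = quantize(r_mode0_ohm if v_mode == 0 else 500, R_R)
    j2 = amplify(j1, r1, asserts)
    if j2 <= GND:
        return GND
    if j2 >= VDD:        # VOLT_INV is larger than VDD, so inv is clamped away here
        return VDD
    return j2


def property_holds(i_0, i_1, im_0, vm_0, outp, asserts):
    """Commitments of Listing 4 plus the assertion check of Section 5.3."""
    want = (i_0 if im_0 == 0 else i_1) * V_NUM[vm_0]
    if want <= GND * V_DEN:
        ok = outp == GND
    elif want >= VDD * V_DEN:
        ok = outp == VDD
    else:
        ok = abs(outp * V_DEN - want) <= DEV * V_DEN   # relation (5)
    return ok and outp != VOLT_INV and not asserts


def check(r_mode0_ohm):
    """Enumerate all inputs allowed by the assume part; return counter-examples."""
    failures = []
    admissible = range(GND, VDD + 1)
    for i_mode in (0, 1):
        for v_mode in (0, 1):
            for i_0 in admissible:
                for i_1 in admissible:
                    asserts = []
                    outp = circuit(i_0, i_1, i_mode, v_mode, r_mode0_ohm, asserts)
                    if not property_holds(i_0, i_1, i_mode, v_mode, outp, asserts):
                        failures.append((i_0, i_1, i_mode, v_mode, outp))
    return failures


def masked_overflow():
    """Outside the assumed range: overflow is hidden by the output comparison."""
    asserts = []
    outp = circuit(VOLT_MAX, 0, 0, 1, 2000, asserts)
    return outp, asserts


if __name__ == "__main__":
    bad = check(2000)
    print(len(bad), "counter-examples, e.g.", bad[0])
    print("after Listing 5 fix:", len(check(400)))
    print("unrestricted input:", masked_overflow())
```

With 2000 Ω the enumeration contains the counter-example discussed above (i_mode = 1, v_mode = 0, i_1 = 5, outp = 8), and with 400 Ω it is empty. The last call shows why Section 4.4 asks for assertions in addition to propagation: the clamp comparison turns the invalid value into vdd_2_5, so only the assertion records the overflow.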
Fig. 9. Counter-example as waveform.
Fig. 10. Comparison of the functional coverage that can be reached with the different verification approaches in practice.
7. Evaluation and conclusion
The presented verification methodology has been successfully applied to several industrial mixed-signal circuits, for
example a UMTS receiver unit and a measurement interface that comprises a 12-bit successive approximation register
(SAR) analog to digital converter (ADC), digitally controlled amplifiers and a touch-screen interface. These circuits contain up
to 22 analog inputs, 63 digital inputs, 9 analog outputs, 5 amplifiers, and 97 analog switches. In one of the circuits we could
find an error, although the VHDL behavioral description of the circuit has been intensively verified by means of simulation.
The bug appeared for only a very few of the $2^{63}$ possible digital input patterns.
In contrast to common simulation models, the discrete models presented in this work reflect a part of the behavior of a
mixed-signal circuit because their function is defined for finitely many input values only (cf. Fig. 3). However, during formal
verification all values of the domain of the discrete model are checked. Therefore, a much higher functional coverage can be
achieved in comparison to simulation based approaches (cf. Fig. 10).
A manual creation of a discrete model would require a high manual effort. If instead, the method described in Section 4.5
is used, the discrete model can be created automatically once the quantization parameters have been chosen.
Another benefit of the verification methodology presented in this article lies in the safe identification of all arithmetic
overflows that might occur in the discrete model during verification. This feature is achieved by the special kind of definition
of the arithmetic operations in the implemented VHDL package and by the extension of the correctness properties. This safe
identification is of great importance especially for the application in industrial environments.
The computational resources such as CPU-time and memory consumption for the formal verification strongly depend on the
choice of the quantization parameters, in particular on the size of the chosen domains $D_e$. Since there is still no method to
compute proper quantization parameters in advance, the verification must be re-run with different parameters until the
discrete model is precise enough and the complexity of the model does not exceed the capacity of the formal verification
tool. In the verification methodology presented here the specified properties can be described independently from the
quantization parameters. Therefore, it is possible to use the same formal property for the different discrete models that
are derived from one VHDL behavioral description. Hence, a re-run of the verification using other quantization parameters
is possible without any additional manual effort besides the choice of the parameters.
With the proposed methodology, any analog behavior that can be described with arbitrary, piecewise linear functions
whose coefficients are given by rational numbers can be specified. This enables the formal description and verification of a
broad range of mixed-signal circuits.
The representation of analog behavior using the discrete model approach presented in this work is restricted to
steady state behavior. Consequently, for example the dynamic behavior of analog parts in between two clock cycles of
its surrounding digital circuitry cannot be represented with this approach. Correctness criteria for dynamic mixed-signal
circuits are typically of quite other kinds than the criteria for steady state mixed-signal circuits. It cannot be expected that
there will be a verification technique that can be applied to both the investigation of the stability of a closed-loop controller
as well as the investigation of billions of input values of a digitally controlled analog switch and amplifier.
The verification methodology described in this article allows for the usage of any property specification language
that supports operations at bit level as well as arithmetic operations on integer values. An adaption of the language
for the description of steady state properties of mixed-signal circuits is not necessary. Using the presented verification
methodology, the quantization error can be considered in the formal properties. The manual effort necessary for writing
formal properties is much lower than the effort needed to write a test-bench and simulation stimuli.
All these features of the proposed verification methodology ease the introduction of formal verification into industrial
mixed-signal design flows.
References
[1] S. Hendricx, L. Claesen, A symbolic modelling approach for the formal verification of integrated mixed-mode systems, in: Proceedings of 3rd Designing
Correct Circuits, DCC, September, 1996.
[2] S. Hendricx, L. Claesen, A symbolic core approach to the formal verification of integrated mixed-mode applications, in: Proceedings European Design
& Test Conference, ED&TC, IEEE Computer Society, 1997, pp. 432–436.
[3] M. Genoe, L. Claesen, E. Verlind, F. Proesmans, H. De Man, Illustration of the SFG-tracing multi-level behavioural verification methodology, by the
correctness proof of a high to low level synthesis application in CATHEDRAL-II, in: IEEE International Conference on Computer Design: VLSI in
Computer & Processors, ICCD, IEEE Computer Society, 1991.
[4] J. de Kleer, J.S. Brown, A qualitative physics based on confluences, Artificial Intelligence 24 (1984) 7–83.
[5] J. de Kleer, How circuits work, Artificial Intelligence 24 (1984) 205–280.
[6] A. Balivada, Y. Hoskote, J.A. Abraham, Verification of transient response of linear analog circuits, in: 13th IEEE VLSI Test Symposium, VTS, IEEE Computer
Society Press, 1995, pp. 42–47.
[7] R. Alur, C. Courcoubetis, T.A. Henzinger, P.-H. Ho, Hybrid automata: An algorithmic approach to the specification and verification of hybrid systems,
in: R.L. Grossmann, A. Nerode, A.P. Ravn, H. Rischel (Eds.), Hybrid Systems, in: LNCS, vol. 736, Springer, 1993, pp. 209–229.
[8] T.A. Henzinger, The theory of hybrid automata, in: Proceedings of the 11th Annual IEEE Symposium on Logic in Computer Science, LICS 1996, 1996,
pp. 278–292.
[9] T.A. Henzinger, J.-F. Raskin, Robust undecidability of timed and hybrid systems, in: Nancy A. Lynch, Bruce H. Krogh (Eds.), Hybrid Systems: Computation
and Control, Third International Workshop, HSCC 2000, in: LNCS, vol. 1790, Springer, 2000, pp. 145–159.
[10] S. Gupta, B.H. Krogh, R.A. Rutenbar, Towards formal verification of analog designs, in: Computer Aided Design, 2004, ICCAD-2004, IEEE/ACM
International Conference on Computer Aided Design, November, 2004, pp. 210–217.
[11] W. Hartong, L. Hedrich, E. Barke, Model checking algorithms for analog verification, in: DAC’02: Proceedings of the 39th Conference on Design
Automation, ACM Press, 2002, pp. 542–547.
[12] A. Bemporad, G. Ferrari-Trecate, M. Morari, Observability and controllability of piecewise affine and hybrid systems, IEEE Transactions on Automatic
Control 45 (2000) 1864–1876.
[13] Alongkrit Chutinan, Bruce H. Krogh, Verification of polyhedral-invariant hybrid automata using polygonal flow pipe approximations, in: Hybrid
Systems: Computation and Control, HSCC, 1999, pp. 76–90.
[14] E. Clarke, A. Fehnker, Z. Han, B. Krogh, O. Stursberg, M. Theobald, Phaver: Algorithmic verification of hybrid systems past hytech, in: Hybrid Systems:
Computation and Control, HSCC, 2003, pp. 192–207.
[15] Goran Frehse, Phaver: Algorithmic verification of hybrid systems past hytech, in: Hybrid Systems: Computation and Control, HSCC, 2005, pp. 258–273.
[16] D. Grabowski, D. Platte, L. Hedrich, E. Barke, Time constrained verification of analog circuits using model-checking algorithms, in: ENTCS, 2005.
[17] IEEE, IEEE 1076-2002 Standard VHDL Language Reference Manual, 2002.
[18] IEEE, IEEE 1076.6-2004 Standard for VHDL Register Transfer Level (RTL) Synthesis, 2004.
[19] Thomas Kropf, Introduction to Formal Hardware Verification: Methods and Tools for Designing Correct Circuits and Systems, Springer-Verlag, New
York, Inc., Secaucus, NJ, USA, 1999.
[20] Jörg Bormann, Claudia Blank, Klaus Winkelmann, Technical and managerial data about property checking with complete functional coverage, in:
Euro DesignCon, 2006.
[21] Klaus Winkelmann, Hans-Joachim Trylus, Dominik Stoffel, Görschwin Fey, Cost-efficient block verification for a umts up-link chip-rate coprocessor,
in: DATE, 2004, pp. 162–167.
[22] Matthew W. Moskewicz, Conor F. Madigan, Ying Zhao, Lintao Zhang, Sharad Malik, Chaff: Engineering an Efficient SAT Solver, in: Proceedings of the
38th Design Automation Conference, DAC’01, June 2001.
[23] C.F. Fang, R. Rutenbar, T. Chen, Efficient static analysis of fixed-point error in dsp applications via affine arithmetic modeling, in: SRC-Techcon, 2003.
[24] Armin Biere, Alessandro Cimatti, Edmund M. Clarke, Yunshan Zhu, Symbolic model checking without BDDs, in: Proceedings of the 5th International
Conference on Tools and Algorithms for Construction and Analysis of Systems, TACAS ’99, Springer-Verlag, London, UK, 1999, pp. 193–207.
[25] O. Botchkarev, S. Tripakis, Verification of hybrid systems with linear differential inclusions using ellipsoidal approximations, in: Nancy A. Lynch, Bruce
H. Krogh (Eds.), Hybrid Systems: Computation and Control, Third International Workshop, HSCC 2000, in: LNCS, vol. 1790, Springer, 2000, pp. 73–88.
[26] T.A. Henzinger, P.W. Kopke, A. Puri, P. Varaiya, What’s decidable about hybrid automata? in: Twenty-Seventh Annual ACM Symposium on Theory of
Computing, STOC 1995, ACM, 1995, pp. 373–382.
[27] A. Bouajjani, R. Echahed, R. Robbana, On the automatic verification of systems with continuous variables and unbounded discrete data structures,
in: Panos J. Antsaklis, Wolf Kohn, Anil Nerode, Shankar Sastry (Eds.), Hybrid Systems II, in: LNCS, vol. 999, Springer, Frankfurt, Main, 1995, pp. 64–85.
