Integrating Abstraction Techniques for the Formal Verification of Analog Designs
Mohamed H. Zaki, William Denman, Sofiène Tahar (Department of Electrical and Computer Engineering, Concordia University, Montreal, Quebec, Canada)
Guy Bois (Genie Informatique, Ecole Polytechnique de Montreal, Montreal, Quebec, Canada)
The verification of analog designs is a challenging and exhaustive task that requires deep understanding of physical
behaviours. In this paper, we propose a qualitative based predicate abstraction method for the verification of a class
of non-linear analog circuits. In the proposed method, system equations are automatically extracted from a circuit
diagram by means of a bond graph. Verification is applied based on combining techniques from constraint solving and
computer algebra along with symbolic model checking. Our methodology has the advantage of avoiding exhaustive
simulation normally encountered in the verification of analog designs. To this end, we have used Dymola, Hsolver,
SMV and Mathematica to implement the verification flow. We illustrate the methodology on several analog examples
including Colpitts and tunnel diode oscillators.
1 Introduction
The successful application of formal methods to the verification of digital and software systems has motivated research towards extending the verification techniques beyond the discrete domain. Consequently, this has encouraged the development of techniques to verify real-time and hybrid behaviours. Such behaviour can be observed in both the aerospace and aeronautical domain, where formal verification has been used to ensure safety and correctness properties. For instance, Munoz et al. [38] combined constraint solving and abstraction to check for collision avoidance. A mechanical landing gear system was formally verified using theorem proving in [29], while the correctness of the embedded software in avionics applications was checked using abstract interpretation [7] as part of the Astree project. The focus of our paper is the verification of the analog behaviour of embedded systems that can be used in designs with safety critical environments.
In general, embedded systems are characterized by their reactive and real-time dynamical behaviour with respect to their environment. This interaction is often facilitated through sensors to capture the state of the environment and
designs that are required at the interface between the circuitry and the environment. The main functionality of such designs is the processing of analog signals. Other functionalities include filtering, frequency synthesis and generating timing references [36].
Hybrid systems theory was developed to deal with heterogeneous behaviour. Specifically, to fully understand
the system’s behaviour and meet high performance specifications, the designer must model all dynamic interactions.
These interactions can become very important when there are tight integrations or strong interactions among different
parts of the system. For instance, at the specification level, the embedded system architecture illustrated in Figure 1(a)
can be modeled in an abstract way as shown in Figure 1(b). The digital controller is modeled by finite state machines
(FSMs), while the dynamic environment is described using systems of ordinary differential equations (ODEs). In
addition, the sensor and A/D interface can be modeled as a threshold detector and event generator, respectively, while
the actuator and D/A components can be modeled as switches that choose between different system ODEs and set the
(a) Architecture Model (b) Behavioural modelling
Figure 1: Embedded Systems
In this respect, the dynamic behaviour of analog systems is generally modeled using systems of differential algebraic equations (DAEs), but generating the equations from a circuit diagram is not trivial. Specifically, the DAEs must accurately describe the behaviour of the circuit while remaining simple enough to be verified using automated tools.
In addition, the verification of analog designs is a challenging task because of the complexity of modelling and verifying continuous-time behaviour, when compared to digital designs. For instance, digital design verification is based on the validation of abstract models that reside in a finite state space. In contrast, the functionality of analog designs depends on continuous electrical quantities and device parameters, in addition to parasitics and current leakage. All those factors can drastically change the behaviour of an analog design, making conventional finite-state verification techniques inadequate. Consider the situation where a voltage at a specific node should not exceed a certain value. Such a property is important, as a voltage exceeding a certain specified value can lead to failure of functionality and ultimately to a breakdown of the design, which can result in undesirable consequences.
Traditionally, simulation is used for the evaluation of a system’s functionality. However, simulation is often done manually in an informal fashion and the search of the state space is not complete. As a consequence, simulation methods lack the rigor needed to ensure correctness of the design. In addition, simulation falls short of validating interesting properties of the design behaviour such as temporal requirements. Another problem is caused by the fact that while a design is defined in advance, one cannot ensure a priori that the desired properties will be met exactly during manufacturing of the actual circuit.
In summary, the analog design process must ensure, with a high degree of confidence, the proper functionality in all possible situations and the ability to meet the performance requirements. This motivates the necessity of using formal verification methodologies throughout the design process.
This paper demonstrates a novel verification flow to verify functional properties of analog designs. The basic
idea is to extract the design equations automatically from the corresponding circuit diagram, by means of bond graph
transformations [5]. An approach based on combining predicate abstraction and constraint solving is then applied to
verify the properties of interest.
Bond graphs are a domain independent framework for modelling physical systems that is based on the flow of
power between abstract objects. This allows for the universal treatment of different physical domains. The benefit
of using bond graphs as a modelling framework is the representation of designs using the concepts of energy flow,
effort and conservation. Additionally, the causality of bond graphs can be automatically generated [27], which leads
to the automatic extraction of DAEs. Moreover, since bond graphs are object oriented, larger models can be built from
simpler blocks reducing the need for a complex equation layer [5].
Abstraction methods for verification started with the seminal paper on abstract interpretation [8]. Since then, different abstraction approaches were developed to tackle different issues in verification. One of the most successful approaches is predicate abstraction [20]. In this approach, the state space is divided into a finite set of regions and a set of rules is used to define the transitions between these regions, in such a way that the generated state transition system can be verified using model checking. Among the proposed enhancements of predicate abstraction is the lazy abstraction approach [23]. The basic idea here is that instead of generating the entire abstract model, a region is abstracted only when it is needed in the verification step.
The different steps of the proposed methodology are shown in Figure 2. The methodology consists of two parts, namely modelling and verification. In the modelling part, the circuit model is analyzed and simplified to obtain the system of equations necessary for the verification.
At first, we require that the circuit in question is described in Dymola [11] using an electrical circuit diagram, which can be translated automatically to the corresponding bond graph. The circuit components are then represented by generic objects that have the same physical quantities as in the circuit diagram, but are connected by bonds that explicitly show the flow of power. Bond graphs are inherently acausal, but by assigning causality to the components, the system’s state equations can be automatically generated using Dymola and the BondLib library [5]. Dymola is a modelling framework and BondLib contains the bond graph models and components. The advantage of using BondLib
Figure 2: Proposed Verification Flow
Given the design equations and the property of interest, the verification consists of two complementary stages. First, invariant checking is applied to verify properties on the extracted system of equations. Due to incompleteness, a negative result does not disprove the property; in this case a refinement of the abstract states by predicate abstraction techniques is used to verify the properties. Property verification on the invariants has the advantage of avoiding explicit computation of reachable sets. If the property cannot be verified at this stage, refinement is needed only for the non-verified regions by adding more predicates. Verification is then applied on the newly generated abstract model (see footnote 1).
The proposed methodology has the advantage of avoiding the exhaustive simulation usually encountered during verification. To this end, we have combined several tools to implement the verification flow. Basically, the Dymola [11] modelling engine is used to extract the design equations from the circuit schematics, while Hsolver [32] and Mathematica [37], along with the model checker SMV [4], are used in the verification phase to construct the abstract model from the design and to verify it against the specification properties. We illustrate the methodology on several analog examples including Colpitts and tunnel diode oscillator circuits.
The rest of the paper is organized as follows: We start with an overview of the relevant work in Section 2. In Section 3, we provide the theory behind bond graphs and analog modelling, followed by the verification techniques in Section 4. Experimental results are shown in Section 7, before concluding the paper with Section 8.
1 We use a simple refinement procedure based on interval methods for ODEs that identifies and eliminates the spurious counterexamples; however, its description is outside the scope of this paper.
2 Related Work
The proposed verification methodology spans many different research domains. Therefore we will only highlight the most crucial information, including the work on bond graphs for the analysis of analog designs.
Bond graphs for system design and verification. Bond graphs have been successfully extended to aid in the verification of aeronautical systems. In [17], bond graphs are used to model the mechanics of different aeronautics systems. The accuracy of the model was proven via simulation. The first work on the formal verification of bond graph models was proposed in [33], where bond graphs are used to represent the complex mechanics of a landing gear system. Verification using extended duration calculus was applied on the extracted equations. However, the proposed approach was limited to simple linear continuous behaviours, while our methodology is developed to deal with more realistic non-linear behaviours.
Researchers also explored the modelling of analog designs using bond graphs. In [5], bond graphs are used to
model an analog inverter, demonstrating that bond graphs constructed at different levels of abstraction can represent
simpler models. In [27], bond graphs are suggested as an addition to the framework of SystemC-AMS to aid in the
modelling and simulation of analog circuits. Simulation was the standard tool for the analog design. On the contrary,
we benefit from advances in formal verification of analog designs to propose a novel verification framework for analog
designs modeled using bond graphs.
Analog design verification. The verification of analog circuits started with the work in [25], where the authors constructed a finite-state discrete abstraction of electronic circuits by partitioning the continuous state space into fixed-size hypercubes and computed the reachability relations between these cubes using numerical techniques. In [15], the authors tried to overcome the expensive computational method of [25] by combining discretization and projection techniques of the state space, hence reducing its dimension. While the approach in [15] is less precise due to the use of projection techniques, it is still sound. Variant approaches of the latter analysis were proposed. For instance, the model checking tools d/dt [9], Checkmate [19] and PHaver [14] were adapted and used in the verification of a biquad low-pass filter [9], a tunnel diode oscillator and a ∆Σ modulator [19], and voltage controlled oscillators [14]. In [22], the authors used intervals to construct the abstract state space, while using heuristics to identify possible transitions between adjacent regions. The main difference with [25] is that they allow variable-sized regions. In [39], the authors proposed a non-linear approximation for reachable states of analog designs, where the state space exploration algorithms are handled with Taylor approximations over interval domains. All of the above surveyed formal methods limit the verification of the circuit to a predefined time bound because they depend on explicit state exploration. In contrast, we propose in this paper qualitative based methods for the construction and verification of abstract models, which overcome the time bound requirement. A detailed literature overview of analog formal verification can be found in [41].
Predicate abstraction. In [1], the authors combined predicate abstraction with convex polyhedral analysis for the
verification of reachability properties of linear hybrid systems. A similar but more general abstraction approach was
proposed in [3]. In [35] a qualitative based approach was developed for an abstract model generation for hybrid
systems, based on higher derivative analysis. We distinguish ourselves from the above in several aspects. First, while
the predicates used in [1] are manually provided, we extract qualitative predicates from the system behaviour which
can complement the qualitative predicates presented in [35]. We also use different ideas for the transition relation,
based on a variant of the mean value theorem.
An invariant based approach was proposed in [34], where the problem of constructing invariants is turned into a
constraint solving problem. In [30], the authors proposed a similar framework using the idea of barrier certificates.
Barrier certificates, if they exist, are invariants that separate system behaviour from a bad state and hence provide
a safety verification approach. The work presented in this paper is different from the above mentioned work. We
distinguish ourselves by not limiting the verification to invariant checking allowing more reasoning capabilities on the
circuits of interest.
3 Analog Design Modelling
The analog component of embedded systems is usually composed of circuits built from basic passive and active components (resistors, capacitors, inductors, transistors, etc.), connected to various current and voltage sources in a certain topology, achieving a specific desirable behaviour (e.g., filtering, amplification, etc.). In this section we show how to obtain the equations describing the design behaviour from the design description.
3.1 Bond Graphs as a Model for Analog Designs
Bond graphs were introduced by Paynter [12] who hypothesized that all physical systems and the interactions between
them could be modeled using energy and power alone. His work was extended later on by Karnopp and Rosenberg
[2] to enable the bond graph theory to be used in practice. They developed multi-port objects that could be used with
power bonds to model the flow of energy and information [26]. The benefit of a modelling framework based on energy
flow is that different domains can be analyzed using the same methodology.
Bond graphs define a necessary and sufficient set of primitives for the modelling of a wide range of practical systems. The necessary and sufficient set of primitives consists of five elements, but normally a more practical set of nine elements is used, as shown in Table 1. The storage group contains the elements for capacitive storage (C type) and inductive storage (I type). The supply group contains the sources of effort and flow. The reversible transformation group contains the transducer and gyrator. The irreversible transformation group contains the elements for thermal losses and entropy-producing processes. The distribution group contains the junctions that represent the generalized, domain-independent Kirchhoff current and voltage laws [2].
Table 1: Basic Objects of Bond Graphs
Group | Components | Electrical Domain Example
Storage | Capacitive, inertial | Capacitance, inductance
Supply | Source of effort, source of flow | Voltage source, current source
Reversible transformation | Transducer, gyrator | Transformer
Irreversible transformation | Entropy producing process | Thermal resistance
Distribution | 0 and 1 junctions | KVL, KCL
Connections. Bond graphs are based on the first principle of energy conservation. The most basic element of a bond
graph is the power bond (Figure 3(a)). It is the energy link between two components. It is represented graphically by
a harpoon (half arrow), which points in the direction of positive power flow. The bond represents two variables, effort
and flow. In the electrical domain the effort variable is represented by voltage and the flow by current. It follows that
the product of the effort and flow variables represents the power flowing through the bond. Additional variables can
also be derived from the bonds. The displacement and momentum energy variables are related to the energy and flow
by their time derivatives.
The next basic component is the junction, which represents a circuit node or mesh (Figure 3(b)). At the 0 or
common-effort junction, the efforts are equal, which is analogous to a node in a circuit. At the 1 or common-flow
junction, the flows are equal, which is analogous to a mesh in a circuit.
(a) Power Bond (b) Mesh Bonds
Figure 3: Basic Bonds
Components. Using the bonds and junctions, it is possible to connect components together in a bond graph. There
are different types of single and multi port interfaces that can be used to represent many configurations. The single
port components are described below. The first basic elements are the sources of effort or flow. They are analogous
to voltage and current sources in circuit diagrams. Additional single port components are used to represent resistors,
capacitors and inductors. They are denoted using the letters R, L or C (Figure 4(a)).
It is possible to represent other electrical circuit components, such as transformers, gyrators and switches using
two port interfaces but their application and description are beyond the scope of this paper. It is important to note
though that more advanced components exist and they can be used to model electronic components beyond simple
analog ones.
(a) RC bond (b) Causality
Figure 4: Bond Graphs Basics
We have now seen how a given bond graph and a set of constitutive relations maps to a mathematical model of
the underlying system. A preferred alternative is a sequence of directed assignment statements such that unknowns
can be immediately and sequentially computed from the knowns on the right hand side. Such a model is sometimes
referred to as a computational model. Such a causal computational model requires the model variables to be ordered
in a specific cause-effect relationship.
Causality. Causality is the determination and representation of the directional relationship between an input and an output [2]. By adding a causal bar to the end of a bond, the system equations that relate the two variables of effort and flow can be indicated explicitly. There are many rigorous explanations of how to assign the causality of a bond and how it relates to the system as a whole [2, 12, 26]. Fortunately, a simple definition exists that can be used for the direct translation of circuit diagrams: the causal stroke is attached to the side of the bond that computes the flow variable [6]. It is not necessary to assign causality manually, because tools exist to assign it to bond graphs automatically. It is nevertheless important for the modeler to know how to assign causality by hand, because it can aid in the development of complex bond graphs (Figure 4(b)).
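As an added example (not the paper's and not BondLib or Dymola code), the Python script below turns the 1-junction law and the causality rules just described into state equations for a series mesh: a source of effort, an R element, a C element and, optionally, an I element. Which element computes effort and which computes flow is exactly what the causal stroke fixes, and the two right-hand-side functions make that assignment order explicit: without an inductor the R element imposes the common flow, with an inductor the I element does. The `Mesh` class and the functions `rc_rhs`, `rlc_rhs`, `stored_energy`, `power_balance_residual` and `euler` are helpers written for this illustration, and the component values are constructed samples.

```python
"""Bond-graph junction laws turned into state equations.

Added illustration, not BondLib/Dymola code.  A source of effort Se, an R
element, a C element and optionally an I element share one 1-junction (one
mesh).  The 1-junction law is "common flow, efforts sum to zero" (KVL); the
causal strokes decide which element computes effort and which computes flow,
and that order is exactly the order of the assignments below.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Mesh:
    """Series mesh on a 1-junction (constructed sample values in the tests)."""
    vin: float                 # Se: source of effort (volts)
    r: float                   # R element: e = r * f
    c: float                   # C element: e = q / c, dq/dt = f
    l: Optional[float] = None  # I element: f = p / l, dp/dt = e (absent if None)


def rc_rhs(m: Mesh, q: float) -> float:
    """Causality without an inductor: C imposes its effort from the state q
    (integral causality), the 1-junction leaves the remaining effort to R,
    and R imposes the common flow (resistive causality).  Returns dq/dt."""
    e_c = q / m.c            # C computes effort
    e_r = m.vin - e_c        # 1-junction: efforts around the mesh sum to zero
    f = e_r / m.r            # R computes the common flow from its effort
    return f                 # that flow charges the capacitor


def rlc_rhs(m: Mesh, state):
    """Causality with an inductor: I imposes the common flow from its state p
    (integral causality), so R must compute effort from flow, and the
    1-junction law yields the effort left for I.  Returns (dq/dt, dp/dt)."""
    q, p = state
    f = p / m.l              # I computes the common flow
    e_c = q / m.c            # C computes its effort
    e_r = m.r * f            # R computes effort from the imposed flow
    e_l = m.vin - e_r - e_c  # 1-junction: remaining effort drives the inductor
    return f, e_l


def stored_energy(m: Mesh, state) -> float:
    """Energy held by the storage group: q^2/(2C) + p^2/(2L)."""
    q, p = state
    return q * q / (2 * m.c) + p * p / (2 * m.l)


def power_balance_residual(m: Mesh, state) -> float:
    """dE/dt minus (power delivered by Se minus power dissipated in R).
    Zero for every state: the extracted equations conserve energy."""
    q, p = state
    dq, dp = rlc_rhs(m, state)
    f = p / m.l
    de_dt = (q / m.c) * dq + (p / m.l) * dp   # chain rule on stored_energy
    return de_dt - (m.vin * f - m.r * f * f)


def euler(rhs, x0, dt, steps):
    """Forward Euler, only to exercise the extracted ODE on a sample input."""
    x = tuple(x0)
    for _ in range(steps):
        d = rhs(x)
        x = tuple(xi + dt * di for xi, di in zip(x, d))
    return x


if __name__ == "__main__":
    m = Mesh(vin=5.0, r=2.0, c=0.25, l=0.5)
    print(rc_rhs(m, 1.0))                          # 0.5
    print(rlc_rhs(m, (0.5, 1.0)))                  # (2.0, -1.0)
    print(power_balance_residual(m, (0.5, 1.0)))   # 0.0
```

The power-balance check is the point to take away: the bond graph is built on energy conservation, so whatever causality assignment the tool picks, the derivative of the stored energy along the extracted equations must equal the source power minus the resistive loss. A nonzero residual would mean a wrong sign convention on a bond or a junction law applied to the wrong variable.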
Example 1. The tunnel diode oscillator circuit in Figure 5(a), which has been used by many researchers (e.g., [19, 22]) as a benchmark, will be used as an example throughout the paper to demonstrate each step of our methodology. The tunnel diode exploits a phenomenon called resonant tunneling, which gives it a negative resistance characteristic at very low forward bias voltages. This means that for some range of voltages, the current decreases with increasing voltage. This characteristic makes the tunnel diode useful as an oscillator.
The corresponding bond graph generation goes as follows. Each circuit diagram component is transformed into its bond graph counterpart. Circuit nodes are represented by 0 junctions and meshes are represented by 1 junctions as
(a) Circuit Diagram (b) Bond Graph
Figure 5: Tunnel Diode Oscillator
Simplification. By choosing to combine certain bond graph elements, it is possible to reduce the complexity of the system without affecting the overall function. This can result in simpler DAEs being extracted from the reduced bond graph model. By using a simpler model, the number of states can be reduced, allowing for a less complex verification problem.
The BondLib library developed by Cellier et al. [5] demonstrates the benefit of object oriented modelling with bond graphs. The transistor models for BJTs and MOSFETs are true HSpice models that can be set to different levels of complexity [5]. At each level, parasitics, current leakages and non-ideal effects can be added to the model by specifying the correct parameter. The parameters are available to the modeler to dynamically alter the bond graph level.
3.2 Describing the Analog Behaviour
Once the bond graph is built, the set of system equations can be extracted and simplified. We use Mathematica
simplification functionalities [37] in order to remove redundant equations through rewriting techniques. The final
system of equations is the computational model on which we apply the verification.
The dynamical behaviour of analog designs is usually represented through equations describing the progressive change of the state variables. These state variables can be regarded as memory elements that are able to preserve previous states for a certain amount of time. For instance, at the circuit level a capacitance can be seen as a voltage storage element, while an inductance is a current storage element (see footnote 2). Analog circuits can be described by non-linear polynomial ODEs as follows:
2 It is worth noting that a resistance is a memoryless element.
Definition 1. Analog Circuit Model. An analog circuit model is a tuple $\mathcal{A} = (X, X_0, P)$, with $X = V_{c_1} \times \cdots \times V_{c_n} \times I_{l_1} \times \cdots \times I_{l_m} \subseteq \mathbb{R}^d$ as the continuous state space with $d$ dimensions, where $V_{c_i}$ and $I_{l_j}$ are the voltage across the capacitance $c_i$ and the current through the inductance $l_j$, respectively. $X_0 \subseteq X$ is the set of initial states (initial voltages on the capacitances and currents through the inductances) and $P : X \to \mathbb{R}^d$ is the continuous vector field
$$\dot{x}_k = \frac{dx_k}{dt} = P_k(x_1, \ldots, x_d) = a_0 + \sum_{l=1}^{m} P_{l,k}(x_1, \ldots, x_d), \qquad k = 1, \ldots, d,$$
where $t$ is the independent real time, $P_k$ ($k = 1, \ldots, d$) is a polynomial of degree $m$, $a_0$ is a constant and $P_{l,k}$ is a homogeneous polynomial of degree $l$,
$$P_{l,k}(x_1, \ldots, x_d) = \sum_{i_1 + \cdots + i_d = l} a_{i_1, \ldots, i_d}\, x_1^{i_1} \cdots x_d^{i_d},$$
where $a_{i_1, \ldots, i_d}$ is a constant. We assume that the differential equation has a unique solution for each initial value.
The semantics of the analog model $\mathcal{A} = (X, X_0, P)$ over a continuous time period $T_c = [\tau_0, \tau_1] \subseteq \mathbb{R}^+$ can be described as a trajectory $\Phi_x : T_c \to X$ for $x \in X_0$ such that $\Phi_x(t)$ is the solution of $\dot{x}_k = P_k(x_1, \ldots, x_d)$ with initial condition $\Phi_x(0) = x$, where $t \in T_c$ is a time point. We can view the behaviour of the analog model $\mathcal{A}$ as a transition system:
Definition 2. Analog Transition System. The transition system for the analog model $\mathcal{A}$ is described as a tuple $T_{\mathcal{A}} = (Q, Q_0, \sigma, L)$, where $q \in Q$ is a configuration $(x, \Gamma)$, $x \in X$ and $\Gamma$ is a set of intervals with $\bigcup_{i \geq 0} t_i \subseteq \mathbb{R}^+$, $t_i \in \Gamma$. We have $t_1, t_2 \in \Gamma$ for $\Phi_{x'}(t_1) = \Phi_{x''}(t_2) = x$ and $x', x'' \in X_0$. $q \in Q_0$ when $t_0 \in \Gamma$ and $t_0$ is the singular interval. $\sigma \subseteq Q \times Q$ is a transition relation such that $(q_n, q_m) \in \sigma$ iff $\exists t_n \in \Gamma_n,\ \exists t_m \in \Gamma_m.\ t_n < t_m$ and $\lim_{t_n \to t_m} \Phi^{q_n}_x(t_n) = \Phi^{q_m}_x(t_m)$, $x \in X_0$. Finally, $L$ is an interpretation function such that $L : Q \to \mathbb{R}^n \times 2^{\mathbb{R}^+}$.
The set of reachable states $\mathit{Reach}$ can then be defined as $\mathit{Reach} := \{q' \in Q \mid \exists q \in \mathit{Reach}(0),\ t \in L_\Gamma(q'),\ x' = L_x(q'),\ x = L_x(q) \text{ such that } \Phi_x(t) = x'\}$, where $\mathit{Reach}(0) := Q_0$.
Example 2. Consider again the tunnel diode oscillator circuit in Figure 5(a). We focus on the current $I_L$ and the voltage $V_C$ across the tunnel diode in parallel with the capacitor. The tunnel diode state equations are extracted from the simplified bond graph (Figure 5(b)) using Dymola. The final equations are $\dot{V}_C = \frac{1}{C}\left(-I_d(V_C) + I_L\right)$ and $\dot{I}_L = \frac{1}{L}\left(-V_C - \frac{1}{G} I_L + V_{in}\right)$, where $I_d(V_C)$ describes the non-linear tunnel diode behaviour and $V_{in}$ is the DC voltage source. The extracted equations will be used as input for the verification engine described in the next section.
4 Verification Methodology
The verification methodology we propose is illustrated in Figure 6. Starting with a circuit description as a system of ODEs, along with specification properties provided in computational temporal logic (∀CTL) [4], we symbolically extract qualitative predicates of the system. The abstract model is constructed in successive steps. In the basis step, we only consider predicates that define the invariant regions for the system of equations, based on the Darboux theory of integrability [21]. Informally, the Darboux theory is concerned with the identification of the different qualitative behaviours of the continuous state space of the system. We make use of this idea to divide the analog design state space into qualitatively distinct regions where no transition is possible between states of different regions. Satisfaction of properties is verified on these regions using constraint based methods, which rely on qualitative properties of the system, by generating new constraints that prove or disprove a property. The property verification hence provides the advantage of avoiding explicit computation of reachable sets.
If the property cannot be verified at this stage, refinement is needed only for the non-verified regions by adding more predicates. Conventional model checking is then applied on the newly generated abstract model. The extraction of the predicates is incremental in the sense that more precision can be achieved by adding more information to the original construction of the system. When the property is marked violated, one possible reason is because of the
Figure 6: Verification Methodology
4.1 Predicate Abstraction
Predicate abstraction is a method where the set of abstract states is encoded by a set of Boolean variables, each representing a concrete predicate. Based on [1], we define a discrete abstraction of the analog model $\mathcal{A}$ with respect to a given $n$-dimensional vector of predicates $\Psi = (\psi_1, \ldots, \psi_n)$, where $\psi_i : \mathbb{R}^d \to \mathbb{B}$, with $\mathbb{B} = \{0, 1\}$ and $d$ the dimension of the ODE system. A polynomial predicate is of the form $\psi(x) := P(x_1, \ldots, x_d) \sim 0$, where $\sim \in \{<, \geq\}$. Hence, the infinite state space $X$ of the system is reduced to $2^n$ states in the abstract system, corresponding to the $2^n$ possible Boolean truth evaluations of $\Psi$.
Definition 3. Abstract Transition System. An abstract transition system is a tuple $T_\Psi = (Q_\Psi, \tilde{A}, Q_{\Psi,0})$, where:
• $Q_\Psi \subset L \times \mathbb{B}^n$ is the abstract state space for an $n$-dimensional vector of predicates, where an abstract state is defined as a tuple $(l, b)$, with $l \in L$ a label and $b \in \mathbb{B}^n$.
• $\tilde{A} \subseteq Q_\Psi \times Q_\Psi$ is a relation capturing abstract transitions such that $\{b\,\tilde{A}\,b' \mid \exists x \in \Upsilon_\Psi(b),\ t \in \mathbb{R}^+ : x' = \Phi_x(t) \in \Upsilon_\Psi(b') \wedge x \to x'\}$, where the concretization function $\Upsilon_\Psi : \mathbb{B}^n \to 2^{\mathbb{R}^d}$ is defined as $\Upsilon_\Psi(b) := \{x \in \mathbb{R}^d \mid \forall j \in \{1, \ldots, n\} : \psi_j(x) = b_j\}$.
• $Q_{\Psi,0} := \{(l, b) \in Q_\Psi \mid \exists x \in \Upsilon_\Psi(b),\ x \in X_0\}$ is the set of abstract initial states.
$\forall i \geq 0$ and $\mathit{Post}_c(l, b) := \{(l', b') \in Q_\Psi \mid (l, b)\,\tilde{A}\,(l', b')\}$. We can then deduce the following property between concrete and abstract reachable states.
Lemma 1. Given an analog abstract transition system $T_\Psi(\mathcal{A})$ and a vector of predicates $\Psi$, the following holds (see footnote 3): $\mathit{Reach} \subseteq \{q \in Q \mid \exists (l, b) \in \mathit{Reach}_\Psi : x \in \Upsilon_\Psi(b) \wedge L_x(q) = x\}$.
3 The proof of the lemma can be found in [40].
4.2 Abstraction Based Verification
The common concept between safety verification based on constraint solving and model checking based on predicate abstraction is the requirement of an over-approximation of the reachable states.
Given the analog model transition system $T_{\mathcal{A}}$ representing the analog behaviour and a property $\varphi$ expressed in ∀CTL, the problem of checking that the property holds in this model, written $T_{\mathcal{A}} \models \varphi$, can be simplified to the problem of checking that a related property holds on an approximation of the model $T_\Psi$, i.e., $T_\Psi \models \varphi$. More formally, the main preservation theorem can be stated as follows [3]:
Theorem 1. Suppose $T_\Psi$ is an abstract model of $T_{\mathcal{A}}$; then for all ∀CTL state formulas $\tilde{\varphi}$ describing $T_\Psi$ and every state $s$ of $T_{\mathcal{A}}$, we have $\tilde{s} \models \tilde{\varphi} \Rightarrow s \models \varphi$, where $s \in \gamma(\tilde{s})$. Moreover, $T_\Psi \models \tilde{\varphi} \Rightarrow T_{\mathcal{A}} \models \varphi$.
If a property is proved on an abstract model $T_\Psi$, then we are done. If the verification of $T_\Psi$ reveals $T_\Psi \not\models \tilde{\varphi}$, then we cannot conclude that $T_{\mathcal{A}}$ is not safe with respect to $\tilde{\varphi}$, since the counterexample for $T_\Psi$ may be spurious. In order to remove spurious counterexamples, refinement methods on the abstract model can be applied. The proof of Theorem 1 can be found in [3].
4.3 Invariants
Usually, a continuous system has a behaviour that varies in different regions of phase space, whose boundaries are defined by special system solutions known in the literature as Darboux invariants [21]. These invariants partition the concrete state space into a set of qualitatively distinct regions.
Definition 4. Given the system of ODEs $\frac{dx_k}{dt} = P_k(x_1(t), \ldots, x_d(t))$, with $k = 1, \ldots, d$ ($\frac{dx}{dt} = P(x)$, $x \in \mathbb{R}^d$ and $P = (P_1, \ldots, P_d)$),
The correspondence between the system of ODEs and the vector field $D_P$ is obtained by defining the time derivative of functions of $x$ as follows. Let $G$ be a function of $x$, $G : \mathbb{R}^k \to \mathbb{R}$; then $\frac{dG}{dt} := \dot{G} = D_P(G) = P \cdot \partial_x G$. This time derivative is called the derivative along the flow, since it describes the variation of the function $G$ of $x$ with respect to $t$ as $x$ evolves according to the differential system. When $D_P(G) = 0$ for all $x \in \mathbb{R}^k$, we have a time-independent first integral of $D_P$. Several methods were developed recently based on the Darboux integrability theory [21], which is a theory concerned with finding closed-form solutions of systems of ODEs, to tackle the problem by looking for a basis set of invariants, i.e., Darboux invariants. Rather than looking at functions which are constant on all solutions, we look at functions which are constant on their zero level set. Darboux polynomials $J_i$ provide the essential skeleton of the phase space from which all other behaviours can be qualitatively determined.
Definition 5. Given the vector field $D_P$ associated with the system $\frac{dx}{dt} = P(x)$, a Darboux polynomial is of the form $J(x) = 0$ with $J \in \mathbb{R}[x]$, when $D_P(J) = K J$, where $K = K(x)$ is a polynomial called the cofactor of $J = 0$.
Lemma 2. Given a system of ODEs and a vector field $D_f$, $J$ is an invariant of the system if $J$ divides $D_f$; more formally, if there exists $K \in \mathbb{R}[x]$ such that $D_f(J) = K J$. The solution set of the system vanishes on the curve of $J$.
Proof. We can always represent the system by the associated vector field at each point, $F(x) = P(x)$, and $\nabla J \cdot F = k J$, where $\nabla J$ denotes the gradient vector of $J(x)$ and $\cdot$ is the scalar product. When $J = 0$, $\nabla J \cdot F = 0$, meaning that $\nabla J$ is orthogonal to the vector field $F$ at these points. Therefore $F$ is tangent to $J = 0$.
In the context of abstraction, we define invariant regions as conjunctions of Darboux invariant predicates. An
invariant region can be considered as an abstraction of the state space that confines all the system dynamics initiated
in that region:
Definition 6. Invariant Regions. We say that a region $V$ is an invariant region of an analog model $A$ if
$\mathcal{P}(x(0)) = s_0 \models V$, $\mathcal{P}(x(\varsigma)) = s_\varsigma \models V$ and $\forall t \in [0, \varsigma],\ \mathcal{P}(x(t)) = s_t \models V$. Let $V = \{x \in \mathbb{R}^d \mid x \models \Gamma\}$ be an invariant
region, where $\Gamma$ is a conjunction of Darboux predicates (each of the form $p(x) \sim 0$, where $p$ is a polynomial function
and $\sim\, \in \{<, \ge\}$). If $x(0)$ is some initial state, then $V = V(x(0))$ denotes an over-approximation of the set of states
reachable from $x(0)$.
Example 3. Consider the non-linear circuit shown in Figure 7(a), where the non-linearity comes from the voltage
controlled current sources whose currents $I_{cs1}$ and $I_{cs2}$ are described, respectively, by $f_1 = -x_2^3 + x_1 - x_2$ and
$f_2 = -x_1^3 + 2x_2$. The voltages across the capacitors $c_1$ and $c_2$ are then described by the ODEs
$\dot{x}_1 = -x_2^3$ and $\dot{x}_2 = x_1 - x_1^3$. We identify the corresponding invariants $j_1 = 1 - x_1^2 - x_2^2$ and $j_2 = 1 - x_1^2 + x_2^2$, which are
used to form three invariant regions: $R_1 = j_1 \ge 0 \wedge j_2 \ge 0$, $R_2 = j_1 < 0 \wedge j_2 < 0$ and $R_3 = j_1 < 0 \wedge j_2 \ge 0$, as shown in
Figure 7(b). Note that $j_1 \ge 0 \wedge j_2 < 0$ is unfeasible and therefore discarded.
[Figure 7: Illustrative Non-linear Analog Circuit. (a) Circuit with c1 = 1, c2 = 1, g1 = 1, g2 = 1, Ics1 = f1(x1, x2), Ics2 = f2(x1, x2); (b) invariant regions R1, R2, R3 in the (x1, x2) plane.]
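As an added illustration, not code from the paper, the following Python script checks the Darboux property of Definition 5 for the two invariants of Example 3 using exact rational arithmetic. It computes the derivative along the flow $D_P(J)$ and then matches coefficients against $K \cdot J$ for an unknown polynomial $K$ of bounded degree; this is the same coefficient-matching step that the FindInstance call of Section 7.1 performs, here reduced to a linear system because $J$ is already known. The system, $j_1$, $j_2$ and the degree bound 2 are taken from Example 3; the dictionary representation of polynomials and all function names are this example's own, and the third polynomial $x_1 - x_2$ is a constructed non-invariant included for contrast.

```python
from fractions import Fraction
from itertools import product

# A polynomial in d variables is a dict mapping an exponent tuple to a Fraction
# coefficient, e.g. {(0, 0): 1, (2, 0): -1, (0, 2): -1} is 1 - x1^2 - x2^2.

def clean(p):
    """Drop zero coefficients so that equal polynomials compare equal."""
    return {e: c for e, c in p.items() if c != 0}

def p_add(a, b):
    out = dict(a)
    for e, c in b.items():
        out[e] = out.get(e, Fraction(0)) + c
    return clean(out)

def p_mul(a, b):
    out = {}
    for ea, ca in a.items():
        for eb, cb in b.items():
            e = tuple(i + j for i, j in zip(ea, eb))
            out[e] = out.get(e, Fraction(0)) + ca * cb
    return clean(out)

def p_diff(a, k):
    """Partial derivative with respect to the k-th variable."""
    out = {}
    for e, c in a.items():
        if e[k] > 0:
            e2 = e[:k] + (e[k] - 1,) + e[k + 1:]
            out[e2] = out.get(e2, Fraction(0)) + c * e[k]
    return clean(out)

def lie_derivative(J, P):
    """D_P(J) = sum_k P_k * dJ/dx_k, the derivative of J along the flow of dx/dt = P(x)."""
    out = {}
    for k, Pk in enumerate(P):
        out = p_add(out, p_mul(Pk, p_diff(J, k)))
    return out

def monomials(d, max_deg):
    """All exponent tuples in d variables of total degree <= max_deg."""
    return [e for e in product(range(max_deg + 1), repeat=d) if sum(e) <= max_deg]

def solve_linear(rows, n):
    """Gauss-Jordan elimination over the rationals on an augmented matrix with n unknowns.
    Returns one solution (free unknowns set to 0) or None if the system is inconsistent."""
    m = [list(row) for row in rows]
    pivot_cols, r = [], 0
    for c in range(n):
        piv = next((i for i in range(r, len(m)) if m[i][c] != 0), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        m[r] = [v / m[r][c] for v in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c] != 0:
                f = m[i][c]
                m[i] = [a - f * b for a, b in zip(m[i], m[r])]
        pivot_cols.append(c)
        r += 1
        if r == len(m):
            break
    if any(all(v == 0 for v in row[:n]) and row[n] != 0 for row in m):
        return None
    sol = [Fraction(0)] * n
    for i, c in enumerate(pivot_cols):
        sol[c] = m[i][n]
    return sol

def find_cofactor(J, P, max_deg):
    """Look for a cofactor K of degree <= max_deg with D_P(J) = K * J (Definition 5).
    Matching coefficients monomial by monomial gives a linear system in the unknown
    coefficients of K. Returns K, or None when no such K exists within the degree
    bound, i.e. J is not a Darboux polynomial of the system (for that bound)."""
    DJ = lie_derivative(J, P)
    mons = monomials(len(P), max_deg)
    cols = [p_mul({m: Fraction(1)}, J) for m in mons]   # the product m * J for each candidate monomial m
    exps = set(DJ).union(*cols)
    rows = [[col.get(e, Fraction(0)) for col in cols] + [DJ.get(e, Fraction(0))]
            for e in sorted(exps)]
    sol = solve_linear(rows, len(mons))
    if sol is None:
        return None
    return clean(dict(zip(mons, sol)))

# Constructed from Example 3: x1' = -x2^3, x2' = x1 - x1^3.
P_EX3 = [{(0, 3): Fraction(-1)}, {(1, 0): Fraction(1), (3, 0): Fraction(-1)}]
J1 = {(0, 0): Fraction(1), (2, 0): Fraction(-1), (0, 2): Fraction(-1)}   # j1 = 1 - x1^2 - x2^2
J2 = {(0, 0): Fraction(1), (2, 0): Fraction(-1), (0, 2): Fraction(1)}    # j2 = 1 - x1^2 + x2^2
NOT_DARBOUX = {(1, 0): Fraction(1), (0, 1): Fraction(-1)}                # x1 - x2, constructed for contrast

if __name__ == "__main__":
    for name, J in [("j1", J1), ("j2", J2), ("x1 - x2", NOT_DARBOUX)]:
        print(name, "-> cofactor:", find_cofactor(J, P_EX3, 2))
```

For $j_1$ the search returns the cofactor $K = -2x_1x_2$ and for $j_2$ it returns $K = 2x_1x_2$, confirming that both are Darboux polynomials of the system and hence that the regions $R_1$, $R_2$, $R_3$ of Example 3 are invariant; for $x_1 - x_2$ the linear system is inconsistent and the function returns None. The cofactor, when it exists, is unique, so the degree bound only limits the search and never changes the answer when it is large enough.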
4.4 Constraint Based Verification
Constraint solving is the study of systems described by constraints (relations between the variables of the system). The
idea of constraint solving is to solve problems by stating constraints about the problem area and then finding
solutions satisfying all the constraints. Two categories of constraint solvers are identified [38]:
• Satisfiability constraint solvers: When such a solver pronounces the existence of a solution, the constraints
are guaranteed to have a numerical solution. In addition, if a solution is produced, then it is guaranteed that
this solution satisfies the constraints. Examples are Rsolver [31] and the Mathematica built-in functions
Reduce and FindInstance [37].
• Unsatisfiability constraint solvers: If such a solver pronounces the unfeasibility of the input constraints,
then this result is sound: if no solution is produced, the system is unfeasible. Realpaver
[16] is an example of this category.
In constraint solving techniques, the uncertainty of numerical variables is over-approximated using intervals
of real numbers to make safe decisions possible. Interval arithmetic techniques provide efficient and safe
methods for solving continuous constraint satisfaction problems where real variables are constrained by equalities and
inequalities. The soundness is inherited from the inclusion property of interval arithmetic [28].
5 Invariant Based Verification
In this section, we propose a qualitative verification approach for analog circuits based on constraint solving.
The basic idea is to apply quantified constraint based techniques to answer questions about qualitative behaviours of
the designs, by constructing functions that validate or falsify the property. The idea differs from conventional
approaches in that it does not require explicit computation of the reachable states. We consider two types of properties that
can be verified using this approach, namely safety and switching properties.
Safety Properties. Safety properties can be expressed in CTL [4] as $\forall\Box p$, meaning that on all executions the
constraint predicate $p$ is always satisfied for a set of initial conditions. The verification starts by forming the dual property
$\exists\Diamond\neg p$ (there is an execution falsifying the constraint $p$) and applies constraint solving to the dual
property within the invariant regions of interest. In case of unsatisfiability, we conclude that the original property is
satisfied in the region; otherwise we cannot conclude the truth of the property, and a refined model providing more
details of the region is constructed.
Proposition 1. Safety Property Verification. $\forall\Box P$ is always satisfied in an invariant region $V$ if its dual property
$\exists\Diamond\neg P$ is never satisfied in that region.⁴
Example 4. Consider the circuit in Example 3, with initial conditions $x_1(0) \in [-0.7, -1.1]$ and $x_2(0) \in [0.5, 0.9]$.
Suppose the property to check is $\forall\Box P := x_1^2 + x_2 - 3 < 0$ (see Figure 8(a)), meaning that all flows initiated from
$x(0) = (x_1(0), x_2(0))$ will be bounded by $x_1^2 + x_2 - 3$. The following regions satisfy the initial conditions: $R_1 = j_1 \ge
0 \wedge j_2 \ge 0$ and $R_3 = j_1 < 0 \wedge j_2 \ge 0$. We check whether the dual $\exists\Diamond\neg P := x_1^2 + x_2 - 3 \ge 0$ is satisfiable in the invariant regions
$R_1$ and $R_3$. By applying constraint solving in Mathematica, we find that for the region $R_3$ the constraint system is
satisfiable, hence the original property cannot be verified there, and the state space of the region needs to be refined. For the
region $R_1$, the constraint system is unfeasible; therefore we conclude that the safety property is satisfied.
It is worth noting that the barrier-certificate method [30]⁵ can be applied as a complement to our method. In
fact, Darboux predicates used as the basis of invariant regions can be considered as natural barrier certificates that are
constructed without the need of initial and final constraints, hence reducing computational efforts.
⁴ More details about the techniques as well as the proofs of the propositions in this paper can be found in [40].
[Figure 8: Constraint Based Verification for the Circuit in Figure 7(a). (a) Example 4; (b) Switching Verification (Example 5).]
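The following Python program is added here and is not part of the paper. It carries out the check of Proposition 1 on Example 4 with a small interval branch-and-prune solver in the style of the unsatisfiability solvers of Section 4.4: a box is discarded when interval evaluation shows that one constraint cannot hold anywhere on it, reported as a witness when its centre satisfies all constraints exactly, and otherwise bisected along its widest side. The invariants $j_1$, $j_2$, the regions $R_1$, $R_3$ and the dual property $x_1^2 + x_2 - 3 \ge 0$ are those of Examples 3 and 4; the search box $[-2, 2] \times [-2, 4]$, the minimum box width and all function names are assumptions of this example (interval solvers work on a bounded domain, and $R_3$ is unbounded).

```python
from fractions import Fraction as F

# A polynomial is a list of (coefficient, exponent tuple) terms; a box is a list of
# (lo, hi) Fraction intervals, one per variable. All arithmetic is exact and rational,
# so no outward rounding is needed for the enclosures to be sound.

def ipow(iv, n):
    """Sound enclosure of x^n for x in the interval iv = (lo, hi)."""
    lo, hi = iv
    if n % 2 == 1 or lo >= 0:
        return (lo ** n, hi ** n)
    if hi <= 0:
        return (hi ** n, lo ** n)
    return (F(0), max(lo ** n, hi ** n))   # even power of an interval straddling 0

def imul(a, b):
    prods = [a[0] * b[0], a[0] * b[1], a[1] * b[0], a[1] * b[1]]
    return (min(prods), max(prods))

def ieval(poly, box):
    """Interval evaluation of poly over box; the true range is contained in the result."""
    lo, hi = F(0), F(0)
    for coeff, exps in poly:
        term = (F(coeff), F(coeff))
        for k, e in enumerate(exps):
            if e:
                term = imul(term, ipow(box[k], e))
        lo, hi = lo + term[0], hi + term[1]
    return (lo, hi)

def peval(poly, point):
    """Exact evaluation of poly at a rational point."""
    total = F(0)
    for coeff, exps in poly:
        term = F(coeff)
        for k, e in enumerate(exps):
            term *= point[k] ** e
        total += term
    return total

def holds(op, v):           # exact test of "v op 0"
    return {'>=': v >= 0, '>': v > 0, '<': v < 0, '<=': v <= 0}[op]

def refuted(op, iv):        # "v op 0" is false for every v in the interval
    lo, hi = iv
    return {'>=': hi < 0, '>': hi <= 0, '<': lo >= 0, '<=': lo > 0}[op]

def satisfies(constraints, point):
    return all(holds(op, peval(p, point)) for p, op in constraints)

def search(constraints, box, min_width):
    """Branch-and-prune over box. Returns ('unsat', None) when every sub-box is refuted
    by interval evaluation, ('sat', point) when an exact witness is found, and
    ('unknown', box) when some sub-box can be neither refuted nor witnessed."""
    if any(refuted(op, ieval(p, box)) for p, op in constraints):
        return ('unsat', None)
    mid = tuple((lo + hi) / 2 for lo, hi in box)
    if satisfies(constraints, mid):
        return ('sat', mid)
    widths = [hi - lo for lo, hi in box]
    k = widths.index(max(widths))
    if widths[k] <= min_width:
        return ('unknown', box)
    lo, hi = box[k]
    result = ('unsat', None)
    for half in ((lo, (lo + hi) / 2), ((lo + hi) / 2, hi)):
        sub = list(box)
        sub[k] = half
        res = search(constraints, sub, min_width)
        if res[0] == 'sat':
            return res
        if res[0] == 'unknown':
            result = res
    return result

def check_safety(region, dual_property, box, min_width=F(1, 8)):
    """Proposition 1: the safety property holds in `region` if its dual (the negated
    predicate) is unsatisfiable there. Returns 'safe', 'unsafe' with a witness, or 'unknown'."""
    status, info = search(region + [dual_property], box, min_width)
    return ({'unsat': 'safe', 'sat': 'unsafe', 'unknown': 'unknown'}[status], info)

# Constructed from Examples 3 and 4.
J1 = [(1, (0, 0)), (-1, (2, 0)), (-1, (0, 2))]           # j1 = 1 - x1^2 - x2^2
J2 = [(1, (0, 0)), (-1, (2, 0)), (1, (0, 2))]            # j2 = 1 - x1^2 + x2^2
DUAL = ([(1, (2, 0)), (1, (0, 1)), (-3, (0, 0))], '>=')  # negation of P: x1^2 + x2 - 3 >= 0
R1 = [(J1, '>='), (J2, '>=')]
R3 = [(J1, '<'), (J2, '>=')]
BOX = [(F(-2), F(2)), (F(-2), F(4))]   # assumed search box; interval solvers need a bounded domain

if __name__ == "__main__":
    print("R1:", check_safety(R1, DUAL, BOX))
    print("R3:", check_safety(R3, DUAL, BOX))
```

In $R_1$ every sub-box is eventually refuted, so the dual is unsatisfiable and the safety property is proved there; in $R_3$ the search finds an exact point satisfying $j_1 < 0$, $j_2 \ge 0$ and $x_1^2 + x_2 - 3 \ge 0$, which is the satisfiable case of Example 4. The two answers have different strength, as Section 4.4 notes: 'safe' rests only on the inclusion property of interval evaluation, 'unsafe' on an exact evaluation at a rational point, and the 'unknown' outcome is where the method is incomplete and refinement (a finer minimum width or more predicates) is needed.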
Switching Properties. A special case of reachability verification $\exists\Diamond Q$ is switching condition verification, i.e.,
starting from a set of initial conditions, the system will eventually cross a threshold, triggering a switching
condition. Such a property is of great importance; for instance, a MOSFET transistor acting as a switch changes state
based on the voltage applied to its gate. We consider here a restricted form of the switching property,
where we assume that threshold predicates divide the invariant region by intersecting the invariant region boundaries
(at least two Darboux predicates). Given an invariant region $V$, a predicate $Q$ is a switching condition if
$$\bigwedge_{i=0}^{k} \exists x.\,(Q(x) = 0) \wedge (I_i(x) = 0),$$
where $k \le 2$ and $I_i$ is a Darboux invariant. The switching verification can be stated as follows:
Proposition 2. Switching Property Verification. $\exists\Diamond Q$ is satisfied in a region $V$ if $Q(x(0)) < 0$ and $D_P(Q) > 0$, or
if $Q(x(0)) > 0$ and $D_P(Q) < 0$, in the region $V$. If these conditions are satisfiable, we conclude that the property is
verified and switching occurs.
Example 5. Consider the circuit shown in Figure 7(a), where the voltages across the capacitors $c_1$ and $c_2$ are described,
respectively, by $\dot{x}_1 = x_1^2 + 2x_1x_2 + 3x_2^2$ and $\dot{x}_2 = 4x_1x_2 + 2x_2^2$, with initial conditions $x_1(0) \in [0.5, 1]$ and
$x_2(0) \in [0.3, 0.5]$. Suppose that the switching condition property to check is $\exists\Diamond\, x_1 + x_2 - 5 = 0$, meaning that switching
occurs when a certain trajectory crosses the threshold $Q_1 := x_1 + x_2 - 5 = 0$ (see Figure 8(b)). We construct the
Darboux functions $j_1 := x_2$, $j_2 := x_1 + x_2$, $j_3 := x_1 - x_2$. The region $R_1 = j_1 > 0 \wedge j_2 > 0 \wedge j_3 > 0$ satisfies the
initial conditions. In addition, the predicate $x_1 + x_2 - 5 < 0$ is satisfied by the initial conditions and $D_P(x_1 + x_2 - 5) > 0$,
because $D_P(x_1 + x_2 - 5) = (x_1 + x_2)(x_1 + 5x_2)$ is always positive in $R_1$. Consider now the initial conditions $X_1(0) :=
(x_1(0) \in [-10, -8]$ and $x_2(0) \in [4, 5])$ and $X_2(0) := (x_1(0) \in [-0.5, -1]$ and $x_2(0) \in [0.3, 0.5])$ in the invariant region
$R_2 = j_1 > 0 \wedge j_2 < 0 \wedge j_3 < 0$. For the switching condition $Q_2 := -x_1 + x_2 - 5 = 0$, we find that the initial condition
$X_1(0)$ satisfies $-x_1 + x_2 - 5 > 0$ and $X_2(0)$ satisfies $-x_1 + x_2 - 5 < 0$, while $D_P(-x_1 + x_2 - 5) = -(x_1 - x_2)^2$ is
always negative in region $R_2$; therefore we conclude that the switching will occur for the initial condition $X_1(0)$ but
not for $X_2(0)$.
Sometimes constraint based verification fails to provide answers for the verification problem, as the above methods
are not complete in general. In addition, more complex properties like oscillation cannot be proved using the above
method. We therefore complement the approaches described in this section with the predicate abstraction method, which allows
conventional model checking to be applied.
6 Predicate Abstraction
6.1 Abstract State Space
In general, the effectiveness of the predicate abstraction method depends on the choice of predicates. In addition to
using the Darboux predicates described in Section 4.3, we choose predicates identified in the properties of interest. In
addition to temporal property predicates, basic ideas from the qualitative theory of continuous systems can be adapted
within the predicate abstraction framework. The termination of the predicate generation phase is not necessary for
creating an abstraction. We can stop at any point and construct the abstract model. A larger predicate set yields a finer
abstraction as it results in a larger state space in the abstract model.
A set of predicates can be constructed using the notion of critical forms, which are special curves along which
the vector field direction is either vertical or horizontal. In between these forms there can be no vertical or horizontal
vectors, so in a region (abstract state) determined by the critical forms, all vectors follow one direction. These predicates
can be obtained easily by setting $\dot{x} = 0$. A generalization of critical forms is the concept of isoclines. Isoclines are
curves over which the system trajectories have a constant slope. A predicate $p_i$ is an isocline of the ODE system
if and only if $\exists a_i \in \mathbb{R}$, $i = 1, \ldots, d$, such that $\sum_{i=1}^{d} a_i P_i(x)\big|_{p_i} = 0$. Isoclines and critical forms provide qualitative
information about the system behaviour. Hence, such information can be used to refute behaviour that is
shown to be unreachable. For instance, by knowing the different constants $a_i$, we deduce the direction of the flow crossing the
isoclines and therefore decide how to build transitions between abstract states. Finding different isocline predicates
within an invariant region can be achieved by solving constraints on the parameters of predefined forms of an isocline
predicate.
Another kind of predicate we propose, referred to as conditioned predicates, has the property that under specific
conditions it provides certain information about the solution flow. A predicate $p_i$ is a conditioned predicate of an
ODE system with conditions $\Gamma_1, \ldots, \Gamma_d$ if it is of the form $\sum_{i=1}^{d} \Gamma_i P_i(x)\big|_{p_i} = 0$, where the conditions $\Gamma_i$ are polynomials,
$i = 1, \ldots, d$, and $d$ is the system dimension. For instance, consider the 3-dimensional system with state
variables $x, y, z$ and the property predicate $z > 1$. We can construct another predicate that intersects $z > 1$ under a specific
condition, say $\dot{y}/\dot{x} = 0$. Then the new predicate is of the form $\dot{y} - (z - 1)\dot{x} = 0$.
Example 6. Consider the analog circuit in Example 3. The critical form predicates are $p_1 := x_1$, $p_2 := x_2$, $p_3 := 1 - x_1$
and $p_4 := 1 + x_1$, as shown in Figure 9(a). For illustration purposes, we choose two isocline predicates $p_5 := x_1 -
x_1^3 + x_2^3$ and $p_6 := x_1 - x_1^3 - x_2^3$, as shown in Figure 9(b). Suppose we are interested in verifying a property including
the predicate $p_7 := x_2 - x_1 > 0.3$; we can construct the conditioned predicate $p_8 := \dot{x}_2 - (x_2 - x_1 - 0.3)\dot{x}_1 = 0$, as
shown in Figure 9(c). To build the abstract state space, we have three invariant regions and eight predicates. As
certain combinations of predicates are unfeasible, the number of abstract states is $< 2^8$. In fact, region
[Figure 9: Predicates for the Circuit in Figure 7(a). (a) critical forms $p_1$ to $p_4$; (b) isoclines $p_5$, $p_6$; (c) conditioned predicate $p_8$.]
Other methods for finding useful predicates were developed in [35], where the authors proposed a way to extract
predicates from polynomial ODEs by looking at higher derivatives. If $p \in P$, then add $\dot{p}$, the derivative (with respect
to time) of $p$, to the set $P$ unless $\dot{p}$ is a constant or a constant multiple of some existing polynomial in $P$.
Predicates related to the basic functionality of the design of interest can also be provided manually. The
conventional analysis of circuits can be an interesting direction for obtaining attractive predicates.
6.2 Computing Abstract Transitions
One main issue in construct abstract state transition systems is the identification of the possible transitions. As
we divide the state space into invariant regions, we only need to construct transitions between abstract states within a
region. Therefore, we do not need to construct an abstract model for the whole state space. In general, information
from the solution of the ODEs is required to describe transitions between abstract states. In practice, each abstract
transition is initialized to the trivial relation relating all states and then stepwise refined by eliminating unfeasible
transitions. This guarantees that any intermediate result represents an abstraction and that the refinement can be stopped
at any point in time. In the remainder of this section, we use a set of different rules to construct transitions between
abstract states.
The simplest rule to use is the Hamming distance rule [35]. The Hamming distance (HD) is the number of
predicates for which the corresponding valuations differ between two abstract states. For instance, the Hamming
distance between state $s_1 := (p_1 = 1 \wedge p_2 = 0 \wedge p_3 = 1 \wedge p_4 = 1)$ and state $s_2 := (p_1 = 1 \wedge p_2 = 0 \wedge p_3 = 0 \wedge p_4 = 1)$
is 1, written $HD(s_1, s_2) = 1$. Given two abstract states $s_1$ and $s_2$, we say that a transition may exist between them
only if $HD(s_1, s_2) = 1$. The next rule we apply is based on the generalized mean value theorem [13], which is
an extension of the mean value theorem (MVT) to $n$ dimensions.
Theorem 2. [13]. If $x(t)$ is continuous on a time interval $t_1 \le t \le t_2$ and differentiable on $t_1 < t < t_2$, and assuming
that there exists a vector $V$ orthogonal to $x(a)$ and to $x(b)$, then there is $t_c$ with $t_1 < t_c < t_2$ such that $V$ is orthogonal to
$\dot{x}(t_c)$.
We use quantified constraint based methods to check whether this condition is satisfied between two abstract
states. If the MVT condition is not satisfied, we deduce that no transition exists between the two states. The above rules
give an over-approximation of the transition system as no information about the vector field direction is used. In
order to remove such redundant transitions in the region of interest, we complement the above rules by applying the
intermediate value theorem as a way to identify the flow direction. In the context of abstraction, a transition between
two abstract states exists if a predicate valuation changes during the execution over an interval domain, as follows:
Theorem 3. Given a predicate $\lambda$, two states $S_1 = (l, b)$ and $S_2 = (l', b')$ differing only in the valuation of $\lambda$, and a
time step interval solution $I : \{a_1 \le x \le a_2\}$, there is a transition between $S_1$ and $S_2$ if $b \models [\![\lambda]\!]_{a_1}$ (i.e., $\lambda(a_1) \in \gamma(b)$),
$b' \models [\![\lambda]\!]_{a_2}$ (i.e., $\lambda(a_2) \in \gamma(b')$), $[\![\lambda]\!]_{a_1} \neq [\![\lambda]\!]_{a_2}$ with both different from $0$, and $\exists x$ such that $[\![\lambda]\!]_x = 0$, where the
interpretation function is $[\![\cdot]\!] : \mathbb{R}^d \to \{+, -, 0\}$.
To check the above condition, we use interval analysis to guarantee that the solution is reliable: the real solutions
are enclosed by the computed intervals. This guarantee is derived from the fundamental theorem of interval analysis
[28].
Practically, building the transitions is based on using constraint solving as a means of refuting invalid transitions.
This can be achieved by posing the conditional predicates of a possible transition as a safety property. Unsatisfiability
of the property implies that no such transition exists.
Example 7. Consider the Bipolar Junction Transistor (BJT) based Colpitts oscillator shown in Figure 10(a). Correct
functionality ensures that the BJT never enters the saturation region [24]. In fact, the BJT will be either in the cut-off
mode or in the forward active mode. The state space is subdivided into four regions according to the BJT modes of
operation (cut-off, reverse active, forward active and saturation), with threshold voltage $V_{th} = 0.75$.
Figure 10(b) is a snapshot of the Hsolver code written to represent the abstract states (each corresponding to a BJT
mode of operation), the possible transitions between the states, and the property to verify. For instance, the property
shown ensures that no transition occurs from forward active (m1) to saturation (m3). It can be validated by proving
[Figure 10: BJT Colpitts Circuit. (a) Circuit Diagram; (b) HSolver Code]
7 Implementation and Experiments
7.1 Implementation
For experimentation purposes, we used Mathematica's algebraic manipulation and quantified constraint solving
capabilities [37] for the constraint based verification and for the construction of the abstract model. Conventional
model checking on the abstract models is applied using SMV and Hsolver. For instance, the built-in Mathematica
function Reduce[expr, vars] simplifies the statement expr by solving equations or inequalities for the state variables
vars = {v1, v2, ..., vm} and eliminating quantifiers. Reduce gives True if expr is proved to be always true, False
if expr is proved to be always false, and a reduced expr otherwise. For example, the safety verification problem
in Example 4 can be formulated using Reduce as follows:
Reduce[Exists[{x1, x2}, 1 - x1^2 - x2^2 >= 0 && 1 - x1^2 + x2^2 >= 0, -3 + x1^2 + x2 >= 0], {x1, x2}].
The problem of finding invariants is an important part of the methodology. We need to find Darboux invariants
and, in the case of reachability verification, we look for invariants bounding the reachable states. Finding invariants
is based on the evaluation of the coefficients of predefined forms of polynomials. In this algorithm, we start with
an invariant form of an initial degree and check whether such an invariant exists; if not, we increase the degree to form a
new polynomial. A bound on the degree must also be specified to ensure termination of the search for invariants;
an arbitrarily assigned bound at the beginning of the algorithm is usually proposed, hence ensuring termination. This
is possible using the Mathematica FindInstance function, for example. FindInstance[expr, vars] finds an instance of
vars that makes expr True if an instance exists, and gives {} if it does not. The result of FindInstance is of the form
{{v1 -> inst1, v2 -> inst2, ..., vm -> instm}}, where insti is the provided value. For example, to find the Darboux
invariants j we apply FindInstance as follows: FindInstance[ForAll[{x, y}, Dj == K j], {coefs}], where j is a polynomial
in x, y with unknown coefficients coefs, Dj is the derivative of j along the vector field, and K is the cofactor.
7.2 Experimentation Results
We have applied the verification methodology proposed in this paper to a variety of circuits including Colpitts and tunnel
diode oscillators and other basic RLC circuits.⁶
7.2.1 Tunnel Diode Circuit
Consider the tunnel diode circuit in Example 2 with the set of parameters {C = 1000e-12, L = 1e-6, G = 2000e-3,
Vin = 0.3} and the initial values {VC = 0.131 V, IL = 0.055 A}. We are interested in verifying the circuit behaviour in the
region bounded by the constraints -0.5 V ≤ VC ≤ 1.2 V and -0.5 A ≤ IL ≤ 0.2 A using predicate abstraction.
We verify that the preceding combination of parameters and initial conditions does not produce oscillatory behaviour.
The behaviour in question is stated as the safety property $G(v \le 0.3)$. The validation of the property ensures the
non-existence of oscillation. We code the circuit equations (determined in Example 2) along with the property in the
HSolver language. After verification, the results indicate that the property is satisfied. We can therefore conclude that
the chosen parameters do not allow the circuit to oscillate.
7.2.2 MOSFET based Colpitts Oscillator
The circuit diagram for a MOS transistor based circuit is shown in Figure 11(a). For the correct choice of component
values the circuit will oscillate, due to the bias current and the negative resistance of the passive tank. The property
we analyze is whether, for the given parameters and initial conditions, the circuit will die out (not oscillate), as shown
in Figure 11(b). The extracted equations are described as follows:
$$\begin{cases} 0 & V_{c2} > 0.3 \\ k_p \cdot wl \cdot \big((0.3 - V_{c2})(V_{c1} + V_{c2}) - 0.5\,(V_{c1} + V_{c2})^2\big) & V_{c1} + V_{c2} < 0.3 \\ \dfrac{k_p}{2} \cdot wl \cdot (0.3 - V_{c2})^2 & V_{c1} + V_{c2} \ge 0.3 \end{cases}$$
Oscillation will not occur if the current cannot exceed a certain bound. More precisely, if verified to be true, the
property $\forall G\; I_l > 0.004 \wedge I_l < 0.004$ implies no oscillation. The system equations and the property of interest, along with
the required constraints, were then translated into HSolver code. In order to apply predicate abstraction, the state
space is abstracted into three regions (abstract states) corresponding to the different states of the MOSFET transistor within
the circuit. The property was verified to be true, indicating no oscillation. Figure 11(b) shows the circuit simulation.
⁶ More details about experimental studies and the bond graph transformations for the circuits will not be presented here because of space
[Figure 11: Colpitts Circuit. (a) Circuit Diagram; (b) Simulation]
7.2.3 Non-Linear Analog Circuit
Consider the circuit in Example 3, with initial conditions $x_1(0) \in [-0.7, -1.1]$ and $x_2(0) \in [0.5, 0.9]$. We want to
verify the following $\forall$CTL property on the set of trajectories:
$$\forall F\, P := x_1^2 + x_2 - 3 \ge 0,$$
which can be understood as: given the set of initial conditions, on every computation path the vector field will
in the future cross the threshold condition. We already verified in Example 4 that this cannot happen for the initial conditions
inside region $R_1$, but with invariant checking alone we could not deduce any information regarding the behaviour
in region $R_3$. After providing the required set of predicates, we only construct the corresponding abstract state transition
graphs (ASTG) for regions $R_1$ and $R_3$. Using the SMV model checker [4], we find that, given the initial conditions, the
property is indeed satisfied in region $R_3$.
7.2.4 RLC Circuit Oscillator
Checking for the occurrence of oscillation is not always possible using predicate abstraction, due to the difficulty of
generating an abstract model with no spurious transitions; in some cases, however, we were able to accomplish the verification.
We verified the oscillation property for the circuit shown in Figure 12(a), with non-linear voltage source $vs$ and non-linear
current source $cs$ described by the ODEs
$$\dot{I}_l = -V_c - 15 V_c^2 \quad\text{and}\quad \dot{V}_c = -2 I_l - I_l^2 + I_l^3.$$
The equations are extracted from the bond graph shown in Figure 12(b) as explained in the methodology. After
that, we generate using Mathematica the following invariants:
We can therefore construct two invariant regions $R_1 := j_1 \le 0$ and $R_2 := j_1 > 0$. Given the state space and invariant
regions as shown in Figure 12(b), we verify the following $\forall$CTL property on the set of trajectories:
$$\forall G(\forall F(V_c > I_l)) \wedge \forall G(\forall F(V_c < I_l)),$$
which can be understood as: on every computation path, whenever the capacitor voltage $V_c$ exceeds the inductor
current $I_l$, it will eventually decrease below $I_l$ again, and vice versa. This property checks for oscillatory
behaviour of the circuit. We constructed the abstract transition graph for each region and verified the property using
SMV. We found that the circuit will indeed always oscillate, but only inside the bounded regions, as illustrated in Figure
13.
[Figure 12: (a) Analog Circuit; (b) Bond Graph]
[Figure 13: Phase Portrait and Invariant Regions for Circuit in Figure 12(a)]
8 Conclusion
In this paper, we proposed a novel approach for the verification of analog designs. The greatest advantage of our
methodology is that it avoids the exhaustive simulation commonly encountered in the formal verification of analog
designs. The major contributions are the following:
• By using bond graphs as a framework to represent circuits, models can be constructed at several levels of
• A qualitative abstraction approach for the verification of analog properties was proposed, using a combination
of techniques from predicate abstraction and constraint solving along with model checking.
We adapted the concept of lazy abstraction to the verification of analog designs. To this aim, we identified a
set of basic qualitative predicates (Darboux polynomials) as invariance predicates, which helped avoid the
construction of an abstract model for the whole state space. We proposed a constraint solving approach for
the verification of safety and switching properties. Our method does not require an explicit representation of the state
space and relies on functions that prove or disprove circuit properties.
• When compared to similar research, our verification methodology overcomes the time bound limitations of other
exhaustive methods.
Future work includes investigating switched bond graphs for modelling mixed signal designs. This will allow us to
extend the predicate abstraction to support analog and mixed signal systems. We also plan to explore the verification
of more case studies, including AMS designs, RF and mechanical components.
References
[1] R. Alur, T. Dang, F. Ivancic. Reachability Analysis via Predicate Abstraction. In Hybrid Systems: Computation and Control, LNCS 2289, pp. 35-48, Springer, 2002.
[2] F. Broenink. Introduction to Physical Systems Modelling with Bond Graphs. SiE Whitebook on Simulation Methodologies, 1999.
[3] E. Clarke, A. Fehnker, Z. Han, B.H. Krogh, O. Stursberg, M. Theobald. Verification of Hybrid Systems based on Counterexample-Guided Abstraction Refinement. In Tools and Algorithms for the Construction and Analysis of Systems, LNCS 2619, pp. 192-207, Springer, 2003.
[4] E. Clarke, O. Grumberg, D.A. Peled. Model Checking. MIT Press, 1999.
[5] F.E. Cellier, C. Clauss, A. Urquia. Electronic Circuit Modelling and Simulation in Modelica. In Proc. Eurosim Congress on Modelling and Simulation, Vol. 2, pp. 1-10, 2007.
[6] F.E. Cellier, A. Nebot. The Modelica Bond Graph Library. In Proc. of the Modelica Conference, pp. 57-65, 2005.
[7] P. Cousot. Proving the Absence of Run-Time Errors in Safety-Critical Avionics Code. In Proc. IEEE/ACM Conference on Embedded Software, pp. 79, 2007.
[8] P. Cousot, R. Cousot. Abstract Interpretation: A Unified Lattice Model for Static Analysis of Programs by Construction or Approximation of Fixpoints. In Proc. ACM Principles of Programming Languages, pp. 238-252, 1977.
[9] T. Dang, A. Donze, O. Maler. Verification of Analog and Mixed-Signal Circuits using Hybrid System Techniques. In Formal Methods in Computer-Aided Design, LNCS 3312, pp. 14-17, Springer, 2004.
[10] W. Denman, M. Zaki, S. Tahar. Analog Formal Verification via Bond Graphs and Constraint Solving. Technical Report, ECE Dept., Concordia University, Montreal, Quebec, Canada, April 2008. http://hvg.ece.concordia.ca/Publications/TECH REP/AMS BG TR08
[11] H. Elmqvist. Dymola - Dynamic Modelling Language, User's Manual. Dynasim, 1994. http://www.dynasim.se
[12] Y. El-Fattah. Constraint Logic Programming for Structure-Based Reasoning about Dynamic Physical Systems. Artificial Intelligence in Engineering, 10(3):253-264, Elsevier, 1996.
[13] M. Furi, M. Martelli. A Multidimensional Version of Rolle's Theorem. The American Mathematical Monthly, 102(3):243-249, 1995.
[14] G. Frehse, B.H. Krogh, R.A. Rutenbar. Verifying Analog Oscillator Circuits Using Forward/Backward Abstraction Refinement. In Proc. IEEE/ACM Design, Automation and Test in Europe, pp. 257-262, 2006.
[15] M.R. Greenstreet, I. Mitchell. Reachability Analysis Using Polygonal Projections. In Hybrid Systems: Computation and Control, LNCS 1569, pp. 103-116, Springer, 1999.
[16] L. Granvilliers. On the Combination of Interval Constraint Solvers. Reliable Computing, 7(6):467-483, 2001.
[17] J. Granda, A. Montgomery. Automated Modelling and Simulation Using the Bond Graph Method for the Aerospace Industry. In Proc. AIAA Modelling and Simulation Technologies Conference and Exhibit, 2003.
[18] P.J. Gawthrop, G.P. Bevan. Bond Graph Modelling: A Tutorial. IEEE Control Systems Magazine, 27(2):24-45, 2007.
[19] S. Gupta, B.H. Krogh, R.A. Rutenbar. Towards Formal Verification of Analog Designs. In Proc. IEEE/ACM Conference on Computer Aided Design, pp. 210-217, 2004.
[20] S. Graf, H. Saidi. Construction of Abstract State Graphs with PVS. In Computer Aided Verification, LNCS 1254, pp. 72-83, Springer, 1997.
[21] A. Goriely. Integrability and Nonintegrability of Ordinary Differential Equations. Advanced Series on Nonlinear Dynamics, Vol. 19, World Scientific, 2001.
[22] W. Hartong, R. Klausen, L. Hedrich. Formal Verification for Nonlinear Analog Systems: Approaches to Model and Equivalence Checking. In Advanced Formal Verification, pp. 205-245, Kluwer, 2004.
[23] T. Henzinger, R. Jhala, R. Majumdar, G. Sutre. Lazy Abstraction. In Proc. ACM Principles of Programming Languages, pp. 58-70, 2002.
[24] M.P. Kennedy. Chaos in the Colpitts Oscillator. IEEE Transactions on Circuits and Systems I, 41:771-774, 1994.
[25] R.P. Kurshan, K.L. McMillan. Analysis of Digital Circuits Through Symbolic Reduction. IEEE Transactions on Computer-Aided Design, 10:1350-1371, 1991.
[26] D. Karnopp, R. Rosenberg. System Dynamics: A Unified Approach. Wiley, New York, 1975.
[27] T. Maehne, A. Vachoux. Proposal for a Bond Graph Based Model of Computation in SystemC-AMS. In Proc. Languages for Formal Specification and Verification, Forum on Specification & Design Languages, 2007.
[28] R.E. Moore. Methods and Applications of Interval Analysis. Society for Industrial & Applied Mathematics, 1979.
[29] S. Nadjm-Tehrani, J. Stromberg. Formal Verification of Dynamic Properties in an Aerospace Application. Formal Methods in System Design, 14(2):135-169, Kluwer, 1999.
[30] S. Prajna, A. Jadbabaie. Safety Verification of Hybrid Systems Using Barrier Certificates. In Hybrid Systems: Computation and Control, pp. 477-492, Springer-Verlag, 2004.
[31] S. Ratschan. Continuous First-Order Constraint Satisfaction. In Artificial Intelligence, Automated Reasoning, and Symbolic Computation, LNCS 2385, pp. 181-195, Springer, 2002.
[32] S. Ratschan, Z. She. Safety Verification of Hybrid Systems by Constraint Propagation Based Abstraction Refinement. In Hybrid Systems: Computation and Control, LNCS 3414, pp. 573-589, Springer, 2005.
[33] J.-E. Stromberg, S. Nadjm-Tehrani, J. Top. Switched Bond Graphs as Front-end to Formal Verification of Hybrid Systems. In Proc. of Verification and Control of Hybrid Systems, LNCS 1066, pp. 282-293, Springer, 1996.
[34] S. Sankaranarayanan, H. Sipma, Z. Manna. Constructing Invariants for Hybrid Systems. In Hybrid Systems: Computation and Control, LNCS 2993, pp. 539-554, Springer, 2004.
[35] A. Tiwari. Abstractions for Hybrid Systems. Formal Methods in System Design, 32(1):57-83, Springer, 2008.
[36] J. Vlach, K. Singhal. Computer Methods for Circuit Analysis and Design. Kluwer, 2003.
[37] S. Wolfram. Mathematica: A System for Doing Mathematics by Computer. Addison Wesley Longman Publishing, 1991.
[38] S. Xia, B. Divito, C. Munoz. Toward Automated Test Generation for Engineering Applications. In Proc. IEEE/ACM International Conference on Automated Software Engineering, pp. 283-286, 2005.
[39] M. Zaki, G. Al Sammane, S. Tahar, G. Bois. Combining Symbolic Simulation and Interval Arithmetic for the Verification of AMS Designs. In Proc. IEEE International Conference on Formal Methods in Computer-Aided Design, pp. 207-215, 2007.
[40] M. Zaki, S. Tahar, G. Bois. Combining Constraint Solving and Formal Methods for the Verification of Analog Designs. Technical Report, ECE Department, Concordia University, Montreal, Quebec, Canada, May 2007. http://hvg.ece.concordia.ca/Publications/TECH REP/ANA CBV TR07
[41] M. Zaki, S. Tahar, G. Bois. Formal Verification of Analog and Mixed Signal Designs: A Survey. Microelectronics Journal, Elsevier B.V., 2008, pp. 1-10. DOI:10.1016/j.mejo.2008.05.013.
