Abstract-In this paper we firstly introduce a novel symbolic model checker (MScheck) for mixed-signal circuits. MScheck is capable to conflate the continuous behavior, typical for analog designs, and the discrete behavior in the digital domain for formal verification. Timing information of both systems will be symbolically stored within multi terminal binary decision diagrams (MTBDDs) for the entire verification procedure. The effectiveness of our approach is demonstrated on a phase locked loop (PLL) by formal verification of the locking property 1 .
I. INTRODUCTION
Todays microelectronic systems are characterized by an increasing level of integration complexity. In recent years multi circuit boards have been evermore integrated in few or ideally one single chip. Such systems are called System on Chip (SoC) and consist usually of a collection of digital and analog subcircuits. Generally, circuits that are divided into an analog and a digital part are often called mixed-signal systems.
One characteristic of mixed-signal systems is that each subsystem interacts with each other by internal connections and reacts to inputs coming from extern. Another characteristic is different state change behavior in both domains. Digital systems behavior usually exhibits discrete changes in time and values, whereas analog circuits usually exhibit continuous changes. The integration of both sub-circuits in one chip is an advanced but widely used method in chip design.
Because of this increase in complexity, the likelihood of subtle functional errors is much greater. Today mixed-signal circuit validation can be done by several analog/mixed-signal (AMS) simulators that only give an input pattern dependent, incomplete correctness of the circuit. To overcome todays design complexity formal proof techniques that guarantee total correctness must be evaluated. One common formal verification technique is model checking. Model checking tools prove the model of a design against a number of stated properties that the system must fulfill under all possible input variations.
A. Previous Work
The basic methodologies used by todays digital formal verification tools based upon symbolic representations like bi-nary decision diagrams (BDD) or applying satisfiability (SAT) solvers mostly used in bounded model checkers (BMC). However, analog and mixed-signal formal verification is much more crucial. Nevertheless, in recent years several approaches for verification of mixed-and hybrid systems were proposed. Most of them base on the finite state discrete abstraction by partitioning the continuous state space, whose dynamic is described by differential algebraic equations (DAE), into hypercubes using a fixed grid. The most popular tool is called HyTech and was introduced in [1] . HyTech is a symbolic model checker for linear hybrid automata that can be analyzed automatically using polyhedral state sets. In [2] the tool d/dt is proposed which computes the reachable states for hybrid systems by discrete time integration. Set of states are represented with orthogonal polyhedra, which guarantees the reachable state enclosures. PHAVer (Polyhedral Hybrid Automaton Verifier) [3] is another tool that do an on-the-fly overapproximation of piecewise affine dynamics and by partitioning the state space based on user definable constraints of the systems.
All the above mentioned tools are restricted to circuit properties like the linearity of the analog part or can only do reachability analysis. Furthermore, they suffer from explicitly handling and describing each digital state. In this work we introduce our tool MScheck that can verify mixed-signal circuits by using symbolic model checking techniques which represent states implicitly. We are capable to treat non-linear analog circuits integrated with a sequential digital circuit part at gate level. We used multi terminal binary decision diagrams (MTBDD) to efficiently represent time behavior within the circuit. Additionally, we used CTL-AT for defining mixed-signal properties.
The following sections discuss the verification flow we used for mixed-signal model checking. Section II gives a formal definition of the specification language CTL-AT we used for characterizing necessary circuit behavior. In section III a short introduction to the symbolic representation of timed delayed transition relations and state declarations will be given. The principles of the verification flow will be given in sections IV and V. In section VI we demonstrate our verification flow by verifying the behavior of a phase locked loop (PLL). Finally, a conclusion will be given in section VII.
II. SPECIFICATION LANGUAGE
In digital circuit verification some common formal specification languages exists. All these languages are based on linear 5A-2 time logic (LTL) or computation tree logic (CTL). The upto now proposed specification languages are able to analyze timing behavior for digital circuits based on a state transition graph called Kripke structure [4] . To specify dynamic system behavior with a CTL syntax, it is necessary to introduce timeconstrained temporal operators that additionally constrain the scope of the operations. To extend Kripke structures with transition delay time information and interface variables we introduce the time delayed transition structure. • S 0 ⊆ S is the set of initial states.
• G is a finite set of input symbols. • T : δ −→ is a function that labels each transition from state s to s + with the delay time using this transition.
• L : S −→ 2 AP is a function that labels each state with the set of atomic propositions true in that state.
A path π in a TDTS is an infinite sequence of states
we denote the part of π starting at s i . In the following, each state s i can be encoded by a binary coding vector z ∈ n which gives each state a unique representation. In [5] a timed constraint CTL (CTL-AT) specification language especially for analog properties was introduced. At this point we want to define CTL-AT more formally. We write (M, s 0 ) |= p to express that in a time delayed transition structure M formula p is true for starting state s 0 . The formal semantics of CTL-AT will be given in Definition 2. 
For many property circumstances it is useful to apply past time CTL-AT expressions. Past temporal operators can be described as a mirror image of future operators. Hence, we introduce past time operators (P ,H, and S) which are mirror images of future operators (F ↔ P , G ↔ H, U ↔ S). In this way, e.g. EP (φ) means that φ was true at some past instant.
III. SYMBOLIC REPRESENTATION
The key breakthrough in the digital verification domain came by using symbolic representation for states to avoid the state explosion problem. Rather than explicitly enumerating every single state symbolic model checkers use BDDs to specify sets of states in the form of Boolean functions. To store timing behavior we used multi terminal binary decision diagrams (MTBDDs) as an extension of BDDs. MTBDDs represent pseudo-Boolean functions by mapping a vector of Boolean values into a real number. With BDDs as well as with MTBDDs we can get a formal description of transition relations and state sets using characteristic functions [6] .
A. Characteristic Transition Function
In digital model checking theory transition relations and states are often denoted by characteristic functions. Characteristic functions are functional representations that indicate if a variable from a set A is contained in a subset B. To denote transition relations with delay time according to TDTS we define the following characteristic transition function. 
Definition 3 (Characteristic Transition Function) Let
Considering the binary coded vector z ∈ n representing each present state, the binary coded vector z + ∈ n representing each successor state, and the binary input coded vector g ∈ m . The overall CTF can now be written as a concatenation of all pseudo Boolean transition relations between each states s i , s j ∈ S.
(1) The symbol τ i,j denotes the according transition delay time between the present state s i and the successor state s j under the related input g(s i , s j ). For example, Figure 1(a) shows an illustration of a TDTS structure. The transitions, displayed as edges between the discrete states, are tagged with the delay time and the valid input value g ∈ G. The related MTBDD representation of the transition relation is given in Figure 1(b) . Each nonterminal value represents a state coding bit
or an input g. The terminal value denotes the delay 5A-2 GFED @ABC z1 0 u u kk kk kk kk kk kk kk kk kk kk kk k time using the transition represented by the path to its terminal node. Related to definition 3, the infinity symbol ∞ as a terminal value characterizes that there is no valid transition between two states. Similar to the symbolic representations in the digital manner, sets of states can also be given by MTBDDs. The terminal nodes in these MTBDDs are labeled only with 1 for a valid state or 0 for no valid state. For this reason MTBDDs which represent states can be considered as BDDs. In the remain of this paper we will denote the characteristic function for a set of states with φ = χ( z).
IV. ANALOG STATE SPACE
Our approach is basically superimposed on the analog state space discretization that was presented in [7] . Based on a modified nodal analysis a system of nonlinear differential-algebraic equations (DAE) is setup up for the circuit. The energy storing quantity (like voltage at capacitances and currents through inductors) and inputs span an extended continuously state space. This infinity state space is then bounded to a finite space, limited by e.g. supply voltages, and automatically divided into a finite number of homogeneous n-dimensional hyperboxes that cover the limited state space. Each hyperbox is treated as a discrete state and the dynamics can be interpreted as transitions which labels the delay time. The transition delay time between the discrete states is obtained by numerically solving the nonlinear DAE-systems of the circuit for a finite number of randomly chosen points within the predecessor hyperbox. The obtained discrete model describes the dynamics of the analog systems by a TDTS. Figure 2 gives the framework of the verification flow we used. The mixed-signal netlist contains both analog and digital circuit parts, which is split into a digital and an analog subcircuit. The interfaces between these two parts are modeled by simple 1-bit quantizer on the analog side (AD) and an 1-bit converter on the digital side (DA). The converter transforms the output value to a voltage source which supplies the analog circuit. To get a discrete time delayed transition structure for the analog circuit we applied the above described discretization method. The discretized state space is transformed into a corresponding transition relation MTBDD which contains all transition delay times.
V. SYMBOLIC MIXED-SIGNAL MODEL CHECKING
From the sub-netlist of the digital part the corresponding transition MTBDD is directly determined. Both transition MTBDDs are inputs of the model checking algorithm. Additionally, the mixed-signal specification of the system, which should be proven, is needed. For evaluating a CTL-AT formula simultaneously on the MTBDDs of both systems, we implemented a scheduling algorithm which is strongly dependent on the interface signals within the mixed-signal system.
A. Mixed-Signal CTL-AT Analysis
Considering mixed-signal systems, the strong concurrencies between the analog and digital subsystems have to be applied carefully. Hence, such systems consist of two kinds of input signals. One input ( e) is the immediate consequence to the output of the intercommunicating system and can be therefore considered as a state variable. The other input ( w) comes from extern and is independent of the system states. Both input signals are included in the transition MTBDD. The basic quantification functions for the EX and AX operations has to be modified as follows.
EX(φ st
Furthermore, the time constraints and the different delay time in both circuit domains restrict the verification to a crucial procedure. Hence, we developed a scheduling algorithm that sequentially decides which subsystem has to be evaluated by the CTL-AT formula and the time restriction. The time interval included in the CTL-AT formula is automatic divided into subintervals that guarantee that evaluation in the actual subsystem without having any affect to the other system part causing a state change. Algorithm 1 shows the basic structure of the recursive scheduling procedure for analog and digital CTL-AT evaluation. The initial arguments φ A and φ D are the analog and digital starting state MTBDDs declared in the 5A-2 Algorithm 1 CTLschedul (φA, φD, ϕA, ϕD, χ δ A , χ δ D , [t l , t h 
CTL-AT formula. χ δA and χ δD are the corresponding transition relation MTBDDs. The interval [t l , t h ] declares the desired time delay boundaries. First, corresponding to the starting states of both systems the least outgoing transition delay time for each subsystem has to be determined (getMinTransition). Whichever transition delay time is the lesser, the origin upper bound within the interval is modified by this value and the corresponding CTL-AT analysis for the appropriate subsystem starts (CheckCTL). After that, the last obtained state (φ with index I) in fixpoint iteration is responsible for the interaction to the other subsystem. For this reason an impact checking (CheckImpact) procedure has to be done. The function CheckImpact determines the corresponding set of input values
. . } to the other subsystem and modifies the relating MTBDD entry within the start state MTBDD.
The impact checker modifies the MTBDD input entry within the start state corresponding to the output value of the other subsystem. According to the new start state the CTL-AT analysis and an impact checking for the other subsystem can start. The function CTLschedul is then be recursively executed with the time interval decreased by the elapsed time. The function CheckCTL is calling the essence CTL-AT analysis procedure. As an example we will represent the algorithm CheckDigitalTimeEF and CheckAnalogTimeEF in Algorithms 2 and 3 which are evaluating the time restricted CTL-AT operation for a given initial state and time interval. The reason why we distinguish between the analog and digital EF operation, is that we can have different delay times within the analog system in contrary to the digital part. The Algorithm CheckDigitalTimeEF applies fixpoint iteration according to the time restriction given by the time interval [t l , t h ]. The value τ clk denotes the digital clock time. The function CheckEX is computed by using
the quantification procedure in equation (2) after mapping the MTBDD to a BDD. This can be done, because all terminal nodes excluding the infinity nodes are equal. The algorithm returns two MTBDDs Θ and Υ, while Θ represents the result of the EF operation and Υ gives the last state in iteration needed for the impact checking in Algorithm 1 (φ DI ).
Algorithm 3 applies a recursive call to evaluate the EF operation in the analog domain. We used a recursive algorithm, because all transitions are considered under time restriction explicitly. For every transition λ(φ A , χ δA ) ∈ δ outgoing from the actual state φ A the delay time τ tr and the iteration step is determined (CheckEX) by extracting the related transition relation and transforming it to a transition BDD before the recursive call is executed. The result Θ is a collection of all interim results during the time interval [t l , t h ]. Whereas Υ gives the last state needed for the impact checking in Algorithm 2 (φ AI ). Figure 3 demonstrates the scheduling algorithm by using the CTL-operation EF [t l , t h ] (D 1 ∧ A 4 ) . To ease the understanding we consider the product automata of an interacting set of analog and digital states. The big dashed circles depict digital states (D 1 , · · · , D 4 ) and the smaller circles depict analog states
Without loss of generality, we assume that the digital clock, i.e. the digital transition time, is bigger than each analog transition delay. Each set of states can be divided into states that produce a Boolean value 0 and a Boolean value 1 at the interacting output ports. The digital states with the grey background depict states that produce an e A = 0 and the states with white background an e A = 1. The red hatched analog states generate an e D = 0 and the green ones an e D = 1 at the output. The green dashed and the red edges between the digital states indicate which transition has to be applied dependently to the output of the analog subsystem and vice versa. 
VI. EXPERIMENTAL RESULTS
To demonstrate our symbolic approach we consider the phase locked loop (PLL) in Figure 4 . The PLL consists of . This means that we used a 7-bit counter, where the most significant bit (MSB) belongs to the clock level. The phase detecting is done by a simple XOR-gate. The synchronous output of the phase detector set the output latch W 0 which defines the output of the digital subcircuit. As a direct consequence the state MTBDD exhibits 9 variables, 7 for the counter, 1 for the output latch and 1 for defining the input.
For the analog part we got a four dimensional state space spanned by the three capacitance voltages (U C1 , U C2 , U C3 ) and the input voltage (U (v D )) within the D/A-Interconnection. We got 2.048 analog states which are symbolic encoded by 11 MTBDD variables. In Figure 5 the sub-state space spanned 5A-2 Figure 6 (a) illustrates the voltage U C3 at the capacity C 3 extracted from the MTBDDs we got by stepwise traversal using the EP operation. The voltage U C3 at C 3 represents the smoothed input voltage dependent to the digital phase detector output. After 16 ms the voltage achieved 0.55 V that has the effect that the output oscillation frequency at capacity C 1 remains at 250 Hz (see Figure 6 (b)) which is identical to the digital reference frequency f clk . The set of states the EP operation remained after 16 ms will be below denoted as φ lock = U C3 > 0.5 ∧ U C3 < 0.6. We used the following property to verify reachability behavior.
This property means, that starting from the given analog and digital states φ A and φ D the locking states φ lock will be achieved within 20 ms by at least one path.
B. Locking Analysis
Furthermore we verify locking behavior of the PLL. To get all states that lead to the locking states φ lock we used the AF formulation. We defined the locking property true |= AF [0.0ms, 30ms](φ lock )
to verify that all states lead to the locking states φ lock within the next 30 ms. This property is the main behavior of the PLL for phase synchronization of the input signal. 
C. Discussion
Upto now every verification method applying mixed-signal or hybrid systems suffers from an explicit representation of digital states. Furthermore, they can only analyze linear systems or can only do reachability analysis. In this contribution we firstly introduced a verification method for mixed-signal systems with a non-linear behavior. Our method represents both analog and digital states as well as timed transitions implicitly by MTBDDs. This approach is able to overcome different transition times in the analog circuit part in combination with the digital clock. Hence, interactions between the analog and digital circuit parts can now be formal verified. The proposed example gives an advanced mixed-signal circuit with non-linear behavior and a strong dependency between the analog and digital parts. The resulted state variables for both, the analog and digital part, did not achieved practical limits when considering todays BDD based verification tools. But it shows that different time restrictions and interactions between analog and digital parts can now be overcome for formal verification issues.
VII. CONCLUSION
This paper introduces a novel approach for symbolic mixedsignal circuit model checking. To treat the different time properties that characterize the analog and digital subcircuits we used MTBDDs for efficient storing time behavior. We extend common digital quantification procedures to handle timing dependency between the circuits. For specifying mixed-signal properties that will be checked we used CTL-AT as the specification language. To demonstrate our approach we verified the reachability and the locking behavior of a PLL.
