Abstract. Formal and semi-formal verification of analog/mixed-signal circuits is complicated by the difficulty of obtaining circuit models suitable for analysis. We propose a method to generate a formal model from simulation traces. The resulting model is conservative in that it includes all of the original simulation traces used to generate it plus additional behavior. Information obtained during the model generation process can also be used to refine the simulation and verification process.
Introduction
Increased interest in system on a chip design has resulted in a need to improve validation methods for analog/mixed-signal (AMS) circuits. Validation of digital circuits has changed dramatically in the past ten years while AMS circuit validation remains largely the same. AMS circuit validation is still largely driven by designers using many simulation traces to validate specific properties of a circuit. While this methodology has been used with success for many years, recent trends are stretching it beyond its capacity. Increase in process variations and use of mixed-signal circuits present challenges that this simulation only methodology is not well prepared to address.
Currently, most AMS designers use an informal approach to circuit verification. With the aid of a simulator, the designer creates a circuit that under ideal conditions meets a set of specifications. A major concern for circuit designers using today's process technologies is the circuit's resilience to process variation. To help understand how the circuit operates under global variation, corner simulations are run. These simulations evaluate the circuit performance under combinations of change for common global variations such as process, voltage, and temperature. There may also be local transistor to transistor process variation. To understand how this variation affects the circuit, Monte Carlo simulation is employed. These methods for exploring global and local variation are very expensive. This expense increases dramatically as more sources of variation are explored. As a result, only the most common sources of variation of the most critical specifications of the most critical circuits are thoroughly validated. The design team also has no real measure of the quality of the verification performed on the design. The correctness of the design is almost solely the responsibility of each designer. The lack of feedback to the designer and large cost to verify the circuit under variation are major concerns when using this simulation only methodology.
Based on the success of formal methods for digital circuits there has been an increasing body of work in formal methods for AMS circuits. Several tools and methods have been developed to explore the continuous state space of these systems [1] [2] [3] [4] [5] [6] . These methods work well on small examples and have shown some promise to work on larger circuits. One challenge for these methods is the significant effort required to create an appropriate formal model for each different system. These methods also suffer from high computation costs for the analysis of the model. The more accurately the method explores the state space of the system the more computationally intensive it is.
In response to these challenges, there has been recent work in verifying formal properties within the framework of simulation. There are currently two main approaches for using simulation as a verification aid. The first approach attempts to find a finite number of simulation traces that are sufficient to represent all trajectories of the system and therefore prove correctness of the circuit [7] [8] [9] [10] . The second approach uses simulation traces to generate a formal model which is then analyzed using a state space exploration engine [11] . This paper describes a new method using the second approach.
Dastidar, et al. [11] generate a finite state machine (FSM) from a systematic set of simulation traces. This FSM includes currents, voltages, and time as state variables to generate an acyclic FSM. The state space of the system is divided into symmetric state divisions. After each delta time step, the current state of the simulator is determined and rounded to the center of the appropriate state division. The simulator is then started from this point and run for the next delta time step. This process continues until the global time reaches a user specified maximum. Conversely, our approach uses Labeled Hybrid Petri Nets (LHPNs) [4, 5] as the model. The state space is divided as specified by user provided thresholds. A global timer is not a part of the state space which results in graphs that may include cycles. Simulation traces are run from start to finish without stopping allowing our model to preserve the original simulation trace.
The novelty of our approach is that the model allows for dynamic variation of parameters. Standard simulation based methods allow for changes in initial conditions and parameters, but these values are then fixed for the duration of the simulation run. Our model explores the system under ranges of initial conditions as well as ranges of dynamically changing parameter values. This additional behavior improves our ability to uncover variation induced errors.
The verification flow supported by our tool, LEMA, is shown in Fig. 1. Our previous work [4, 5, 12, 6] describes how a subset of VHDL-AMS can be compiled into an LHPN and analyzed using one of our model checkers. Each model checker uses a different data structure to represent the state space including: difference bound matrices (DBMs) [4], binary decision diagrams (BDDs) [5], and satisfiability modulo theories (SMT) formulas [6]. This paper describes the flow which takes simulation data, generates an LHPN, and uses one of these model checkers to verify the given property of the system. The remainder of this paper gives a brief introduction to LHPNs, describes the algorithms used to generate an LHPN model from a set of simulation traces, and concludes with a discussion of interesting metrics that can be extracted from the simulation data during model generation.
Fig. 1. (Flow diagram not recoverable; surviving labels: VHDL-AMS Subset, Safety Property, BDD-Based.)

Motivating Example
The switched capacitor integrator circuit shown in Fig. 2 is a circuit used as a component in many AMS circuits such as ADCs and DACs. Although only a small piece of these complex circuits, the switched capacitor integrator proves to be a useful example illustrating the type of problems that can be present in AMS circuit designs. Discrete-time integrators typically utilize switched capacitor circuits to accumulate charge. Capacitor mismatch can cause gain errors in integrators. Also, the CMOS switch elements in switched capacitor circuits inject charge when they transition from closed to open. This charge injection is difficult to control with any precision, and its voltage-dependent nature leads to circuits that have a weak signal-dependent behavior. This can cause integrators to have slightly different gains depending on their current state and input value. Circuits using integrators run the risk of the integrator saturating near one of the power supply rails. Therefore, the verification property to check for this circuit is whether or not the voltage V out can rise above 2000mV or fall below −2000mV. It is essential to ensure that this never happens during operation under any possible permutation of component variations. For simplicity, we assume for this example that the major source of uncertainty is that the capacitor C 2 can vary dynamically by ±10 percent from its nominal value. This circuit, therefore, must be verified for all values in this range [13] .
Fig. 2. A schematic of a switched capacitor integrator.
Labeled Hybrid Petri Nets
An LHPN is a Petri net model developed to represent AMS circuits [4, 12]. The model is inspired by features in both hybrid Petri nets [14] and hybrid automata [15]. An LHPN is a tuple $N = \langle P, T, B, V, F, L, M_0, S_0, Q_0, R_0 \rangle$ where:
$P$ is a finite set of places;
$T$ is a finite set of transitions;
$B$ is a finite set of Boolean signals;
$V$ is a finite set of continuous variables;
$L$ is a tuple of labels defined below;
$M_0 \subseteq P$ is the set of initially marked places;
$S_0$ is the set of initial Boolean signal values;
$Q_0$ is the set of initial ranges of values for each continuous variable and;
$R_0$ is the set of initial ranges of rates for each continuous variable.
A key component of LHPNs are the labels. Some labels contain hybrid separation logic (HSL) formulas which are a Boolean combination of Boolean variables and separation predicates (inequalities relating continuous variables to constants). These formulas satisfy the following grammar:
where $b_i$ are Boolean variables, $x_i$ and $x_j$ are continuous variables, and $c_i$, $c_j$, and $c$ are rational constants in $\mathbb{Q}$. Note that any inequality between two real variables can be formed with ≥ and negations of ≥ inequalities. The labels permitted in LHPNs are represented using a tuple $L = \langle En, D, BA, VA, RA \rangle$:
$En : T \to \phi$ labels each transition $t \in T$ with an enabling condition;
$D : T \to |\mathbb{Q}| \times (|\mathbb{Q}| \cup \{\infty\})$ labels each transition $t \in T$ with a lower and upper bound $[d_l, d_u]$ on the delay for $t$ to fire;
$BA : T \to 2^{(B \times \{0,1\})}$ labels each transition $t \in T$ with Boolean assignments made when $t$ fires;
$VA : T \to 2^{(V \times \mathbb{Q} \times \mathbb{Q})}$ labels each transition $t \in T$ with a continuous variable assignment range, consisting of a lower and upper bound $[a_l, a_u]$, that is made when $t$ fires;
$RA : T \to 2^{(V \times \mathbb{Q} \times \mathbb{Q})}$ labels each transition $t \in T$ with a range of rates, consisting of a lower and upper bound $[r_l, r_u]$, that are assigned when $t$ fires.
The semantics of the LHPN model are briefly illustrated using an LHPN model of the switched capacitor integrator shown in Fig. 3 . A formal description of the semantics for LHPNs can be found in [12] . The output voltage, V out , is modeled by the LHPN shown in Fig. 3a . The rate of the output voltage changes based on the value of V out and the input voltage. The square wave input voltage, V in , is modeled using the LHPN shown in Fig. 3b . V in is modeled as a stable, multi-valued continuous quantity. Stable, multi-valued continuous quantities are modeled using continuous variables with a rate of zero and are updated using a variable assignment after a time delay. The LHPN shown in Fig. 3c is used to detect a failure. The enabling condition on the transition is the negation of an HSL formula for the safety property being verified. When this transition is enabled and fires, a failure is detected. In the initial state, p 0 , p 1 , and p 6 are marked; fail is false; V out is −1000mV; V in is −1000mV; the rate of V in is 0; and the rate of V out is 18 to 22 mV/µs. Initially, t 1 is the only enabled transition. However, as time passes, V out crosses 0V enabling t 6 which fires immediately moving the token from p 6 to p 3 . After 100 to 101µs from the initial state, t 1 fires and sets V in to 1000mV. This change on V in enables transition t 3 which fires immediately and sets the rate of V out to be between −22 and −17 mV/µs. Transition t 4 fires next in zero time when V out < 0V . After this firing, transition t 2 fires after being enabled 99 to 100µs. This firing sets V in to −1000mV and enables transition t 5 which fires immediately and sets the rate of V out to be between 17 and 22 mV/µs. This behavior continues until the range of V out enables transition t 0 which fires and sets fail to true.
LHPN Model Generation
During the course of traditional analog circuit verification, designers run many different simulations to check that the circuit meets its specification. The goal of this work is to automatically generate an LHPN such as the one shown in Fig. 3 from simulation data. The generated LHPN model of the circuit is conservative and models all the provided simulation traces plus additional behavior. By using simulations already produced by the designer, no additional simulation time is required. However, the quality of the model is directly related to the simulations used to create it. If the designer has inadequately simulated the design, the model may not exhibit the full behavior of the system. In this case, there is a potential that the actual circuit may have a failing behavior that is not included in the generated model. To help address this issue, Section 6 proposes the use of coverage metrics. Algorithm 1 describes the process of taking simulation data and generating an LHPN. The input to our algorithm is time series simulation data, thresholds on the state space of the system, and the safety property to be checked specified using an HSL formula. The data is first sorted into bins based on the thresholds. Next, ranges of rates are calculated for each continuous variable within each bin. The algorithm assumes nothing about the dependence or independence of the rates. Each rate is calculated individually for each bin. It is expected that the rates change during different phases of operation. For this reason, it is important that thresholds are selected to separate the different phases of operation into distinct bins. At this point, continuous variables which are mostly stable but occasionally change are identified as variables that can be approximated by discrete transitions. Finally, after these calculations, the LHPN is generated.
Algorithm 1 is illustrated using two simulations of the switched capacitor integrator. In particular, the switched capacitor integrator is simulated with capacitance values of 23pF and 27pF for capacitor C 2 . The simulation data is recorded for the nodes representing the input voltage, V in , and output voltage, V out , during 400µs of transient simulation for each capacitance value. Part of the data from these simulations is shown in Tables 1 and 2 . The first step of Algorithm 1 is to bin the data based upon the thresholds provided. For this example, the thresholds chosen for both V in and V out are 0V. Each data file is analyzed and each time point is assigned to a bin based upon the values of V in and V out . In the data shown in Tables 1 and 2 , each digit in the fourth column represents a bin. The first digit represents the V in bin and the second digit represents the V out bin. For instance, at time 100.50µs in Table 1 , the bin assigned is 01 indicating that V in is below 0V and V out is above 0V. When V in moves above 0V at time 100.78µs, the bin assignment changes to 11.
The second step of Algorithm 1 calculates rate of change for each continuous variable. The rate of change is calculated for each bin using two time points within the same bin separated by a given interval. In the data shown in Tables 1 and 2 the interval is set to a length of ten. For example, the rate of change for V out at time 46.98µs in Table 1 is calculated by looking at its value at this time point and the value ten points later. This value is determined to be 21.74mV/µs. After all the rates have been calculated, the minimum and maximum rates for each bin are determined. These values are the specified rate of change whenever the model is in that specific bin. The range of rates for each bin found from these two simulation runs for V out from the switched capacitor integrator are shown in Table 3.

The third step of Algorithm 1 examines the rates for each continuous variable to determine if it can be reasonably approximated with a multi-valued continuous variable that makes discrete changes. This is true if a variable remains stable for large portions of time (i.e., has a rate of change that is nearly 0). In the switched capacitor integrator example, the square wave input voltage, V in , is an example of this type of signal. In Tables 1 and 2, V in has a rate of change of 0 mV/µs at most times. For these discrete signals, the algorithm determines the amount of time that they spend at each discrete value. This is shown in the last column of Tables 1 and 2. The value of this continuous variable is then assigned to change at that specified time. For example, V in is set to -1000mV and remains there for 100µs to 101µs after which it changes to 1000mV and remains there for 99µs to 100µs. This cycle then repeats.

Using the information derived in the first three steps, Algorithm 1 can now generate an LHPN that models the provided simulation traces. A place is created for each bin discovered in the simulation traces.
While in this example a place is produced for every bin assignment, in larger examples, many bins may never be encountered during simulation, so places are not generated for these unreachable bins. The places created for each bin from the integrator example are shown in the second column of Table 3 . Next, transitions between bins are created when a transition between two bins is found in the simulation traces. It is theoretically possible that this could result in a fully connected graph, but in practice this is highly unlikely. Each transition is given an enabling condition representing the threshold that is being crossed to move from the first bin to the second. The delay for the transition is set to [0,0] to make it fire immediately as the state of the system moves from one bin to the next. Finally, each transition is given a rate assignment to set the rate to the value for that bin as shown in Table 3 . For the integrator example, the result is the LHPN shown in Fig. 3a . Note that the rate assignment is omitted for transition t 6 , since the range of rates for p 6 and p 3 are the same. Similarly, the rate assignment for t 4 can be omitted.
Next, a separate net is created for each discrete multi-valued continuous signal. A place is added for each discrete value of this variable. For the integrator, place p 1 is added for V in equal to −1000mV, and p 2 is added to represent that V in is equal to 1000mV. A transition is added for each discrete change found in the simulation data. The delay of this transition is determined by the time calculated in the previous step. Finally, this transition includes a continuous variable assignment to execute the discrete change. For the integrator example, the LHPN generated to control V in is shown in Fig. 3b .
Finally, the last step is to create an LHPN to check the safety property provided as an HSL formula. This net has a single initially marked place and a single transition. The transition's enabling condition is the complement of the safety property. This transition has a delay of [0,0], and it sets a special Boolean signal fail to true when it fires. Therefore, to verify this safety property, a model checker only needs to determine if there exists any state in which fail is true. For the integrator example, the LHPN generated to check if the circuit can saturate is shown in Fig. 3c . Note that to cause analysis to terminate sooner, a Boolean condition, ¬fail , can be added to each transition in the LHPNs. This results in a deadlock once a failure is detected.
The LHPNs generated from simulation traces include ranges of rates. While these LHPNs can be directly analyzed using the BDD and SMT model checkers, they cannot be directly analyzed using the DBM method. To enable analysis of these LHPN models by the DBM model checker, a piecewise approximation of the range of rates is created by performing a transformation on the LHPN. In particular, this transformation allows the rate to change nondeterministically between the lower and upper bound on the range of rates. By exploring all of the possible nondeterministic rate changes the state space of the system for the entire range of rates is explored.
To simplify the description, the expansion process is illustrated using the LHPN in Fig. 4a which only has a threshold for V in at 0V and no threshold for V out resulting in just two bins represented with two places. The rate expansion proceeds by adding an additional transition and Boolean signal for each range of rates present in the unexpanded LHPN. The original transition is modified by changing the rate assignment to assign the lower bound of the range. Also, additional Boolean signal assignments are added to enable the firing of the upper bound of the rate and disable all other upper bound rate assignments. For example, in Fig. 4b the rate assignment on t 0 is changed from [−22, −17] to −22. The Boolean signal v1 is set to true enabling the firing of t 2 . The delay bound on t 2 is [0, ∞] allowing t 2 to fire at any time in the future while the enabling condition remains satisfied. When t 2 fires it sets the rate to the upper bound, −17 and sets the Boolean signal v1 to false. This translation method has been implemented in the LEMA tool enabling LHPNs with ranges of rates to be analyzed by any of the model checkers in the tool.
Fig. 4. LHPN demonstrating piecewise approximation of a range of rates.
(Figure label: C 2 = 25 pF)
Case Study
Using Algorithm 1, two simulation traces of the switched capacitor integrator result in the LHPN shown in Fig. 3. Although neither of the simulation traces indicate a problem with saturation of the integrator, a state space analysis using the DBM model checker finds in less than a second that there is a potential for the circuit to fail. This failure can occur when the integrator charges the capacitor, C 2 , at a rate that is on average faster than the rate of discharge. This situation causes charge to build up on the capacitor and eventually results in V out reaching a voltage above 2000mV. The reason that this method can find this failure is that the LHPN model represents not only each simulation trace, but also the union of the traces. It is this behavior explored by unioning the traces that allows the analyzer to find the flaw in the circuit.

Saturation of the integrator can be prevented using the circuit shown in Fig. 5. In this circuit, a resistor in the form of a switched capacitor is inserted in parallel with the feedback capacitor. This causes V out to drift back to 0V. In other words, if V out is increasing, it increases faster when it is far below 0V than when it is near or above 0V. Using the same simulation parameters and thresholds for this circuit, Algorithm 1 obtains an LHPN with the same structure as the one shown in Fig. 3, but the ranges of rates for each bin are as shown in Table 4. This LHPN also fails the property as the thresholds are too simple to capture the effect of the additional switched capacitor. Due to the addition of this switched capacitor resistor, the rate of change is now very dependent on the value of V out . In particular, this variation slows the rate of the voltage change as it approaches the power supply rail. This prevents saturation of the integrator. Based on this knowledge, the thresholds on V out are changed to -500mV, 0V, and 500mV. These new thresholds result in the rates shown in Table 5. The LHPN for this table is shown in Fig. 6, and this LHPN is found to satisfy the property in less than a second using the DBM model checker. Finally, to explore the scalability of our algorithms, Table 6 shows how the size of the LHPN and model checking time scales as the number of thresholds increases.

Table 4. Rates for Vout in the corrected integrator using two bins.

| Bin | Place | Range of rates | Comment |
|-----|-------|----------------|---------|
| 00 | p6 | [18,32] | Vin < 0V ; Vout < 0V |
| 01 | p3 | [9,22] | Vin < 0V ; Vout ≥ 0V |
| 11 | p4 | [-22,-9] | Vin ≥ 0V ; Vout ≥ 0V |
| 10 | p5 | [-32,-18] | Vin ≥ 0V ; Vout < 0V |

Table 5. Rates for Vout in the corrected integrator using four bins.

| Bin | Place | Range of rates | Comment |
|-----|-------|----------------|---------|
| 00 | p9 | [23,32] | Vin < 0V ; Vout < −500mV |
| 01 | p7 | [18,27] | Vin < 0V ; −500mV ≤ Vout < 0V |
| 02 | p5 | [14,22] | Vin < 0V ; 0 ≤ Vout < 500mV |
| 03 | p3 | [9,16] | Vin < 0V ; Vout ≥ 500mV |
| 10 | p10 | [-16,-9] | Vin ≥ 0V ; Vout < −500mV |
| 11 | p8 | [-22,-14] | Vin ≥ 0V ; −500mV ≤ Vout < 0V |
| 12 | p6 | [-27,-18] | Vin ≥ 0V ; 0 ≤ Vout < 500mV |
| 13 | p4 | [-32,-23] | Vin ≥ 0V ; Vout ≥ 500mV |
Coverage Metrics
Our proposed method takes simulation traces from the designer and generates an LHPN. While the generated LHPN represents the behaviors that the designer deems to be important, it may miss problems not foreseen by the designer. Therefore, coverage metrics would be very useful to warn the designer about these unexplored portions of the state space where pitfalls may lie. Coverage information gives a quantitative metric about the quality of a set of simulation traces. This promises to aid the simulation only verification methodology as well as our model generation. We propose a coverage metric where each simulation trace is given a score. A higher score is achieved by a simulation trace that exhibits behavior not previously seen. From the perspective of the LHPN model some obvious examples of new behavior are entering a previously unvisited bin, taking a previously untaken bin to bin transition, or altering the overall rate of a bin. More complex measures of new behavior could be used such as the distance of the new trace from previously seen traces. A metric of this type gives a qualitative measure of the utility of an additional simulation trace. This type of metric could be used as an aid to determine the benefit of doing further simulations. A global metric for the entire set of simulation traces is also useful and could be created in a similar fashion. For the integrator example, using just the simulation trace shown in Table 1 with C 2 equal to 23pF would result in the LHPN shown in Fig. 3 . Adding the simulation trace shown in Table 2 with C 2 equal to 27pF results in the exact same LHPN structure, but the ranges of rate for V out would be changed. Therefore, the value of the second trace run is less than that of the first, but it still has some value. Finally, if a third trace with C 2 equal to 25pF is added at this point, the resulting LHPN would not change at all as the rates generated from this trace would be contained in those generated from the first two. 
Therefore, this trace adds no new knowledge, so the coverage metric would say that it has no value. As a final example, if a trace is added that changes V in at twice the frequency (i.e., every 50µs), it now becomes possible for V in to change before V out goes above 0V. This means that the LHPN generated would now have a new transition from p 6 to p 5 . This LHPN would also have a wider range of delays for when V in changes. Therefore, this additional trace provides new information.
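The binning, rate-range and bin-transition steps of Algorithm 1, together with the per-trace coverage score proposed in this section, can be sketched as follows. This is an added example, not code from the paper or from LEMA: the traces are constructed ideal ramps rather than the data of Tables 1 and 2, all function names and the score layout are hypothetical, and the extraction of delays for the discrete signal V in is left out.

```python
from bisect import bisect_right

VARS = ("Vin", "Vout")                    # trace columns after time (assumed layout)
THRESHOLDS = {"Vin": [0], "Vout": [0]}    # mV, as in the integrator example

def make_trace(slope, half_period=100, t_end=400):
    """Constructed trace: square-wave Vin (mV), Vout ramping at +/-slope mV/us."""
    rows, vout = [], -1000.0
    for t in range(t_end + 1):
        vin = -1000.0 if (t // half_period) % 2 == 0 else 1000.0
        rows.append((float(t), vin, vout))
        vout += slope if vin < 0 else -slope
    return rows

def bin_of(row, thresholds):
    """A bin is a tuple of threshold-interval indices, one per variable."""
    return tuple(bisect_right(thresholds[v], x) for v, x in zip(VARS, row[1:]))

def abstract(trace, thresholds, k=10):
    """Return (Vout rate range per bin, observed bin-to-bin edges) for one trace."""
    bins = [bin_of(r, thresholds) for r in trace]
    rates, edges, start = {b: None for b in bins}, set(), 0
    for i in range(1, len(trace) + 1):
        if i == len(trace) or bins[i] != bins[start]:
            if i < len(trace):
                edges.add((bins[start], bins[i]))
            for j in range(start, i - k):  # both sample points lie in the same run
                (t0, _, v0), (t1, _, v1) = trace[j], trace[j + k]
                r = (v1 - v0) / (t1 - t0)
                lo, hi = rates[bins[start]] or (r, r)
                rates[bins[start]] = (min(lo, r), max(hi, r))
            start = i
    return rates, edges

def score_and_merge(model, trace, thresholds, k=10):
    """Score a trace by the new behavior it adds to the model, then merge it in."""
    rates, edges = abstract(trace, thresholds, k)
    score = {"new_bins": 0, "new_edges": len(edges - model["edges"]), "widened": 0}
    for b, rng in rates.items():
        if b not in model["rates"]:
            score["new_bins"] += 1
            model["rates"][b] = rng
        elif rng is not None:
            old = model["rates"][b]
            new = rng if old is None else (min(old[0], rng[0]), max(old[1], rng[1]))
            score["widened"] += int(new != old)
            model["rates"][b] = new
    model["edges"] |= edges
    return score

def lhpn_transitions(model, thresholds):
    """One transition per edge: threshold enabling condition, delay [0,0], new rate."""
    out = []
    for src, dst in sorted(model["edges"]):
        conds = []
        for v, a, b in zip(VARS, src, dst):
            if b > a:
                conds.append(f"{v} >= {thresholds[v][b - 1]}")
            elif b < a:
                conds.append(f"{v} < {thresholds[v][b]}")
        out.append({"from": src, "to": dst, "enable": " & ".join(conds),
                    "delay": (0, 0), "rate_Vout": model["rates"][dst]})
    return out

def demo():
    """Two boundary traces, one interior trace, then Vin at twice the frequency."""
    model = {"rates": {}, "edges": set()}
    scores = [score_and_merge(model, make_trace(s, hp), THRESHOLDS)
              for s, hp in [(22, 100), (18, 100), (20, 100), (18, 50)]]
    return model, scores

if __name__ == "__main__":
    model, scores = demo()
    for s in scores:
        print(s)
    for t in lhpn_transitions(model, THRESHOLDS):
        print(t)
```

The third constructed trace scores zero on every count because its rates fall inside the ranges already seen, while the double-frequency trace contributes one new bin-to-bin edge, matching the discussion above.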
Conclusion
Interest in formal and semi-formal methods for validating AMS circuits is increasing. Many of these methods are seriously handicapped by the difficulty of generating formal models. This paper develops a method to generate a conservative, trace preserving formal LHPN model from a set of simulation traces and thresholds on the state space. This LHPN model can be used by several different model checking engines to prove safety properties about the entire state space of the model. Using two variations of the switched capacitor integrator circuit, this paper shows how an adequate LHPN model can be created using two simulation traces and a basic set of thresholds. The model is analyzed using a DBM based model checker to obtain the expected verification results.
While the current version of the tool requires the user to provide thresholds, it would be interesting to explore automated methods to determine important thresholds. Our initial investigations into the autogeneration of thresholds attempt to increase the number of thresholds in regions where the rates change rapidly. Automatic generation of thresholds may also provide the designer with useful information about the circuit.
Another potential benefit of the method described in this paper is that an LHPN model can be translated into a VHDL-AMS or Verilog-AMS model. One problem for AMS designers is creation of abstract models of their circuit for use in a digital or mixed-mode simulation flow. Models can be created by hand but must be updated to remain consistent as circuits change. Using this method, the models could maintain their consistency by running the needed set of simulations after changes and regenerating the HDL model from the LHPN.
