Combining Constraint Solving and Formal Methods forthe Verification of Analog Designs

Mohamed H. Zaki, Sofiène Tahar and Guy Bois§

Department of Electrical and Computer Engineering,

Concordia University, Montreal, Canada

Email: {mzaki, tahar}@ece.concordia.ca§ Genie Informatique,

Ecole Polytechnique de Montreal, Montreal, Canada

Email: guy.bois@polymtl.ca

Technical Report

May, 2007

Abstract

The verification of analog designs is a challenging and exhaustive task that requires lots ofexpertise and deep understanding of the physical behaviors. Challenging problems like non-linear effects make a direct application of formal methods like model checking very difficultand abstraction techniques are required in order to achieve this task. In this report, we proposea qualitative based predicate abstraction method for the verification of a class of non-linearanalog circuits described by polynomial differential equations. The method is based on com-bining techniques from constraint solving and computer algebra along with symbolic modelchecking. We have implemented the proposed verification algorithms using the computer alge-bra system Mathematica and the SMV model checker, which we used to analyze the behaviorof non-linear oscillator circuits.

1

1 IntroductionComputer aided design (CAD) has been under intense research during the past decades to over-come challenges in the design process of analog designs. For verification purposes, simulation andnumerical approaches are usually applied to check that a design is robust with respect to differenttypes of inaccuracies like parameters tolerances, leakage current and high order effects. However,with designs growing in complexity, introducing more rigorous verification techniques, comple-menting simulation and overcoming its drawbacks is becoming of great importance.

Formal methods like model checking have been advocated for the verification of digital de-signs where their correctness is proved mathematically against some properties, i.e., establishingwhether the design meets the specifications. Motivated by the success of the application of formalmethods in the verification of digital designs, researchers started investigating the formal verifica-tion of analog designs. Usually, one is interested in global properties connected to the dynamicbehavior of the design. For example, we might be interested in reachability properties, like ”canwe reach from the initial state a state where a certain condition holds?” or ”will the circuit oscillatefor giving parameters?”. Unlike its digital counterpart, analog designs verification is a challengingand exhaustive task that requires lots of expertise and deep understanding of their behavior. Chal-lenging problems like non linear effects make a direct application of formal methods like modelchecking very difficult and abstraction techniques are required in order to achieve this task.

Predicate abstraction is one of the most successful approaches developed in [9], for the ver-ification of systems with infinite state space. In this approach, the state space is divided into afinite set of regions formed by a set of predicates. A set of rules is used to build the transitionbetween these regions in a way that that the generated state transition system can be verified usingmodel checking. Several enhancements of the original predicate abstraction were proposed in theliterature. For instance, the lazy abstraction approach was proposed in [13]. The basic idea hereis instead of generating the entire abstract model, a region is abstracted only when it is needed inthe verification step. Refinement is applied starting from the earliest state at which the abstractcounterexample fails to have a concrete counterpart.

Inspired by the concept of lazy abstraction, we propose a qualitative abstraction approach foranalog designs represented in terms of non-linear ordinary differential equations (ODEs), suchthat satisfaction of the property in the abstract model guarantees its satisfaction in the analogcircuit-level model. In the proposed abstraction, the state space is initially partitioned based onthe qualitative properties of the analog model and symbolic constrained based methods are appliedto check for property validation. In case of failure, an iterative verification/refinement process isapplied where the regions violating the property are refined and symbolic model checking is thenapplied for the property validation. We implemented the proposed verification algorithm using thecomputer algebra system Mathematica [23], along with the model checker SMV [4].

The rest of the report is organized as follows: After going through an overview of the relevant

2

related work in Section 2, we introduce the proposed verification methodology in Section 3. Weproceed in Section 4 by defining the analog system model, explaining predicate abstraction andintroducing a class of qualitative invariants. The constraint based verification approach is explainedin Section 5, followed by the abstract model construction in Section 6. Implementation issuesalong with illustrative experimental results are described in Section 7, before concluding with adiscussion in Section 8.

2 Related workLiterature touching the different aspects of the work in this report is wide enough and spans throughdifferent research domains. We will highlight in the following the most relevant work while indepth investigations can be found in references therein.Analog Design Verification. The common trend in analog and mixed signal designs formal ver-ification is the necessity of the explicit state space exploration using approximate reachable setscorresponding to the continuous dynamics of the system, to deduce the validity of the propertiesof interest. Several methods for approximating reachable sets have been proposed in the open lit-erature. They rely on the discretization of the continuous state space by using over-approximatingdomains like polyhedra and intervals. In [14], the authors construct a finite-state discrete abstrac-tion of electronic circuits by partitioning the continuous state space into fixed size hypercubes andcomputed the reachability relations between these cubes using numerical techniques. In [10], theauthors tried to overcome the expensive computational method in [14], by only over-approximatingthe reachable states using polyhedra models. Variant approaches of the latter analysis were pro-posed. For instance, the model checking tools d/dt [5], Checkmate [11] and PHaver [7] wereadapted and used in the verification of a biquad low-pass filter [5], a tunnel diode oscillator anda ∆Σ modulator [11], and voltage controlled oscillators [7]. In [12], the authors used intervals toconstruct the abstract state space. Petri nets based models and algorithms have been developed alsofor the reachability analysis of analog designs in [15]. In fact, all above surveyed formal methodslimit the verification of the circuit to a predefined time bound as they depend on explicit statesexploration. In contrast, we propose in this report qualitative based methods for the abstract mod-els construction and verification, therefore, overcoming the time bound requirement. In [1], theauthors propose an induction verification approach for the designs using symbolic methods. Whilesuch approach is not time constrained, it is limited for discrete time models, while our approachconsiders continuous time systems.

Predicates abstraction. In [2], the authors combined predicate abstraction with convex poly-hedral analysis for the verification of reachability properties of linear hybrid systems. Similar, butmore general abstraction approach was proposed in [3]. In [20] a qualitative based approach wasdeveloped for abstract model generation for hybrid systems, based on higher derivative analysis.

3

This work was later extended in [21], by using invariance to obtain more precise abstract model.A similar invariant based approach was proposed in [19], where more general invariants are con-structed for the whole system. In [17], the authors proposed a similar framework using the idea ofbarrier certificates. Barrier certificates if they exists, are invariants that separate system behaviorfrom a bad state, hence provide a safety verification approach.

The work presented in this report is in line with the above mentioned. However, we distin-guish ourselves in several aspects. First, while the predicates used in [2] are manually provided,we propose extracting qualitative predicates from the system behavior which can complement thequalitative predicates presented in [20]. We also propose different ideas for transition relation,based on a variant of the mean value theorem. In addition, the construction of the invariant pred-icates we use do not require a priori knowledge of initial conditions and in contrast to barriercertificates give knowledge of the whole system behavior rather than specific behaviors. There-fore, our approach can be used at the beginning of the abstraction to gain insight about the statespace.

3 Proposed MethodologyThe verification methodology we propose is illustrated in Figure 1. Starting with a circuit de-scription as a system of ODEs 1, along with specification properties provided in computationaltemporal logic (∀CTL) [4], we symbolically extract qualitative predicates of the system. The ab-stract model is constructed in successive steps. In the basis step, we only consider predicatesthat define the invariant regions for the system of equations based on the Darboux theory of inte-grability [8]. Informally, the Darboux theory is concerned with the identification of the differentqualitative behavior of the continuous state space of the system. We make use of such idea todivide the analog design state space into qualitatively distinct regions where no transition is pos-sible between states of the different regions. Satisfaction of properties is verified on these regionsusing constraint based methods, which rely on qualitative properties of the system, by generatingnew constraints that prove or disprove a property. The property verification hence provides theadvantage of avoiding explicit computation of reachable sets.

If the property cannot be verified at this stage, refinement is needed only for the non verifiedregions by adding more predicates and conventional model checking is then applied on the newlygenerated abstract model. The extraction of the predicates is incremental in the sense that moreprecision can be achieved by adding more information to the original construction of the system.When the property is marked violated, one possible reason is because of the false negative prob-

1An ODEs system is extracted from analog circuit schematics using conventional nodal analysis techniques [22],where the equation state variables represent the energy storing elements (voltages at capacitances, currents throughinductors).

4

lem due to the over-approximation of the abstraction. In this case refinement techniques may beintroduced. 2.

Temporal Properties

Analog Designs

Qualitative Based

Verification

Qualitative Analyzer

Qualitative Predicates Predicate

Abstraction

Model Checking

Refine

Property Verified

Property Not Verified

Temporal PropertiesTemporal Properties

Analog DesignsAnalog Designs

Qualitative Based

Verification

Qualitative Analyzer

Qualitative Predicates Predicate

Abstraction

Model Checking

Refine

Property Verified

Property Not Verified

Figure 1: Verification Methodology

4 Preliminaries

4.1 System DescriptionWe are concern in this report with analog circuits that are composed of basic components like in-ductors, capacitors and transistors in addition to non-linear sources (e.g., voltage controlled currentsources). Such circuits can be described by non-linear polynomial ordinary differential equations(ODEs) as follows:

Definition 1 Analog Circuit Model. An Analog circuit model is a tuple A = (X ,X0,P ), withX = Vc1 ×Vcn × . . .× Ilm ⊆ Rd as the continuous state space with d-dimensions, where Vci and Ll jare the voltage across the capacitance ci and the current through the inductance li, respectively.X0 ⊆ X is the set of initial states (initial voltages on the capacitances and currents through theinductance) and

P : X → Rd

is the continuous vector field.

2We use a simple refinement procedure based on interval methods for ODEs that identify and eliminate the spuriouscounterexamples, however its description is out the scope of this report.

5

The behavior of such analog circuit model A is governed by polynomial differential equationsof the form:

ẋk =dxkdt

= Pk(x1, . . . ,xd) = a0 +m

∑l=1

Pl,k(x1, . . . ,xd)

where t is the independent real time, Pk (k = 1, . . . ,d) is a polynomial of degree m, a0 is a constantand Pl,k is a polynomial of degree l,

Pl,k = ∑i1+...+id=l

ai1,...,id xi11 . . .x

idd

where ai1,...,id is a constant. We assume that the differential equation has a unique solution for eachinitial value. The semantics of the analog model A = (X ,X0,P ) over a continuous time periodTc = [τ0,τ1] ⊆ R+ can be described as a trajectory Φx : Tc → X for x ∈ X0 such that Φx(t) is thesolution of ẋk = Pk(x1, . . . ,xd), with initial condition Φx(0) = x and t ∈ Tc, is a time point. We canview the behavior of the analog model A as a transition system:

Definition 2 Analog Transition System. The transition system for analog model A is describedas a tuple TA = (Q,Q0,σ,L) where q ∈ Q is a configuration (x,Γ), x ∈ X and set of intervals Γwhere ∪i≥0ti ⊆ R+, ti ∈ Γ. We have t1, t2 ∈ Γ for Φx′(t1) = Φx′′(t2) = x and x′,x′′ ∈ X0. q ∈ Q0,when t0 ∈ Γ and Φx(t0) = x and t0 is the singular interval, L is an interpretation function such thatL : Q→ Rn×2R+ . Finally, σ⊆ Q×Q is a transition relation such that (qn,qm) ∈ σ iff

∃tn ∈ Γn,∃tm ∈ Γm.tn < tmand limtn→tm

Φqnx (tn) = Φqmx (tm),x ∈ X0

Definition 3 The set of reachable states Reach can then be defined as:

Reach := {q′ ∈ Q|∃q ∈ Reach(0), t ∈ LΓ(q′),x′ = Lx(q′),x = Lx(q)

such that Φx(t) = x′}, where Reach(0) := Q0.We can also define Reach as [2]:

Reach :=⋃

i≥0Reach(i)

whereReach(i) := Post(Reach(i−1))

withPost(Q̂⊆ Q) = {q ∈ Q|∃q̂ ∈ Q̂.(q̂,qm) ∈ σ}

6

4.2 Predicate AbstractionPredicate abstraction [2] is a method where the set of abstract states is encoded by a set of booleanvariables representing each a concrete predicate. In the abstraction method, we start first by defin-ing the abstract states and the maps from concrete to abstract states. An abstract transition systemis then created by constructing the abstract initial states and abstract transition relations. In orderto fulfill these steps a sound relationship between the concrete and abstract domain should be de-fined. Based on [2], we define a discrete abstraction of the analog model A with respect to a givenn-dimensional vector of predicates Ψ = (ψ1, . . . ,ψn), where ψ : Rd → B, with B= {0,1} and d isthe ODEs system dimension. A polynomial predicate is of the form

ψ(x) := Pk(x1, . . . ,xd)∼ 0where ∼∈ {

Proposition 1 Given an Analog abstract transition system TΨ(A) and a vector of predicates Ψ,the following holds:

Reach⊆ {q ∈ Q|∃(l,b) ∈ ReachΨ : x ∈ ϒΨ(b)∧Lx(q) = x}proof. By induction over i, similar to the proof described in [2].

4.3 InvariantsUsually, a continuous system has a behavior which varies in different regions of phase space whichboundaries are defined by special system solutions known in the literature as Darboux invariants[8]. These invariants partition the concrete state space into a set of qualitative distinctive regions.The first step in the proposed abstraction is to find the basis predicates using Darboux invariants.

Definition 5 Given the system of ODEs dxkdt = Pk(x1(t), . . . ,xd(t)), with k = 1, . . .d (dxdt = P(x),

x ∈ Rd and P = (P1, . . . ,Pd)), we define the corresponding vector field as

DP = P.∂x =d

∑k=1

Pk∂

∂xk

The correspondence between the system of ODEs and the vector field DP is obtained by defin-ing the time derivative of functions of x as follows. Let G be a function of x: G : Rk → R, then

dGdt

:= Ġ = DP(G) = P.∂xG

The time derivative is called the derivative along the flow since it describes the variation of functionG of x with respect to t as x evolves according to the differential system. When DP(G) = 0,∀x ∈ Rk, we have a time independent first integral of DP. A first integral G(x(t)) is a functionconstant on all solutions x = x(t) of the system and its time derivative vanishes on the solutioncurves of the system by the chain rule

Σdk=1(∂xkG)ẋk = 0

In fact, finding or checking for the existence of such invariants is very difficult in practice.Several methods were developed recently based on Darboux integrability theory [8], which is atheory concerned with finding closed form solutions of system of ODEs, to tackle the problemby looking for a basis set of invariants, i.e., Darboux invariants. Rather than looking at functionswhich are constant on all solutions, we look at functions which are constant on their zero levelset. Darboux polynomials Ji were first studied by Darboux in the last century, since then have beeninvestigated in the qualitative and algebraic analysis of continuous systems. These functions Ji pro-vide the essential skeleton for the phase space from which all other behaviors can be qualitativelydetermined.

8

Definition 6 Darboux Polynomials[8]. Given a vector field DP =d

∑i=1

Pi∂

dxiassociated with the

system dxdt = P(x), a Darboux polynomial is of the form J (x) = 0 with J ∈ R[x], when

DJ = K J

where K = K (x) is a polynomial called the cofactor of J = 0, with a degree of at most M −1.

Theorem 1 Given a system of ODEs and a vector field Df, J is an invariant of the system if Jdivides Df, more formally, if there exists K ∈ R[x] such that Df(J ) = K J . The solution set of thesystem vanishes on the curve of J .

proof We can always represent the system by the associated vector field at each point F (x) = P(x)and ∇J ·F = kJ , where ∇J denotes the gradient vector related to J (x) and · is the scalar product.When J = 0, ∇J ·F = 0, meaning that ∇J is orthogonal to the vector field F at these points.Therefore F is tangent to J = 0.

We define the invariant regions as conjunction of Darboux invariant predicates. So in thecontext of abstraction, invariant regions can be considered as abstraction of the state space suchthat being inside an invariant regions means that the system dynamics will always stay in thisregion:

Definition 7 We say that a region V is an invariant region of an analog model A such that

P (x(0)) = s0 |= V , P (x(ς)) = sς |= V and ∀t ∈ [0,ς],P (x(t)) = st |= V

. Let V = {x ∈ Rk|x |= Γ}, be an invariant region, where Γ is a conjunct of Darboux predicates(each is of the form p(x) ∼ 0, where p is a polynomial function and ∼∈ {

This circuit exhibits an oscillatory behavior when the initial capacitor voltages are within a spec-ified range. We identify the corresponding invariants:

j1 = 1− x21− x22 and j2 = 1− x21 + x22which are used to form three invariant regions: R1 = j1 ≥ 0∧ j2 ≥ 0, R2 = j1 < 0∧ j2 < 0 andR3 = j1 < 0∧ j2 ≥ 0 as shown in Figure 2.b. Note that j1 ≥ 0∧ j2 < 0 is infeasible and thereforediscarded.

c2 = 1

g1 = 1

c1 = 1 g2 = 1

Ics1= f1(x1,x2)Ics2= f2(x1,x2)

x2x1

(a) Analog Circuit Schematic

R3

R3

R1 R2R2

2.4

x1

2

−3.2

1.6

−4

−2.4

−0.840

−1.6

−2

0.8

−4.0

4.0

3.2

0.0

x2

(b) Darboux Invariants

Figure 2: Illustrative Non-linear Analog Circuit

5 Constraint Based VerificationIn this section, we propose a qualitative verification approach for analog circuits based on con-straint based methods. We consider three types of properties that can be verified using that ap-proach, namely safety, reachability and switching properties. The basic idea is to apply quantifiedconstraint based techniques to answer questions about qualitative behavior of the designs, by con-structing functions that validate or falsify the property. The idea is different from conventionalapproaches as it does not require the explicit reachable states computation.

10

5.1 Safety PropertiesSafety properties can be expressed in CT L [4] as ∀¤p; meaning that always on all executions theconstraint predicate p is satisfied for a set of initial conditions. The verification starts by gettingthe dual property ∃3¬p (which means that there is an execution falsifying the constraint p) andapplies constraint solving on the dual property within the invariant regions of interest. In caseof unsatisfiability, we conclude that the original property is satisfied in the region, otherwise wecannot conclude the truth of the property and an abstract model providing more details of theregion is constructed as described in Section 6.

Proposition 2 Safety Property Verification. ∀¤P is always satisfied in an invariant region V , ifits dual property ∃3¬P is never satisfied in that region.

Proof. The proof is straightforward as ∃3¬P is the complement of ∀¤P . One and only one ofboth properties can be satisfied in a given invariant region.

Example 2 Consider the circuit in Example 1, with initial conditions x1(0) ∈ [−0.7,−1.1] andx2(0) ∈ [0.5,0.9]. Suppose the property to check is

∀¤P := x21 + x2−3 < 0

Meaning that all flows initiated from x(0) = (x1(0),x2(0)), will be bounded by x21 + x2− 3, seeFigure 3 for details. The following regions satisfy the initial conditions

R1 = j1 ≥ 0∧ j2 ≥ 0 and R3 = j1 < 0∧ j2 ≥ 0

We check whether∃3P := x21 + x2−3≥ 0

is satisfiable in the invariant regions R1 and R3. By applying constraint solving in Mathematica,we find that for region R3, the constraints system is satisfiable, hence the original property cannotbe verified, and the state space of the region need to be refined. For the region R1, the constraintssystem is infeasible, therefore we conclude that the safety property is satisfied.

It is worth noting that the barrier-certificate method [17] can be applied as complementary to ourmethod. In fact, Darboux predicates used as basis of invariant regions can be considered as naturalBarrier certificates that are constructed without the need of initial and final constraints. Thereforethe main advantage is that they can be used in the verification for several initial and properties,hence reducing computational efforts.

11

P

X(0)

R3

R3

R1 R2R2

−3.2

20−4

0.8

x2

1.6

2.4

−0.8−2 4

−2.4

−1.6

0.0

−4.0

x1

4.0

3.2

Figure 3: Safety Verification (Example 2)

5.2 Reachability VerificationA failure in safety verification does not guarantee that the final set is reachable from the initial set.This is the problem of reachability verification, which is concerned with proving that at least onetrajectory of the system starting from a set of initial states will reach another given set of statesin a finite time. The reachability property is expressed as ∃3P , which means, eventually, thereexists an execution that will satisfy the constraint P. The main idea of the verification is to findbounds that include a trajectory from an initial to a final state. Reachability can be verified usingthe following proposition:

Proposition 3 Sufficient Condition for Reachability. Given the initial (Sin) and reachable (S f n)states bounded by ellipsoidal functions, Bin and B f n such that

∀s ∈ Sin.Bin(s)≤ 0

and∀s ∈ S f n.B f n(s)≤ 0

respectively, construct two functions Br1 and Br2, such that:

1. (Br1 = 0)∩ (Bin = 0) 6= /0 and (Br1 = 0)∩ (B f n = 0) 6= /02. (Br2 = 0)∩ (Bin = 0) 6= /0 and (Br2 = 0)∩ (B f n = 0) 6= /03. D(Bin) > 0|Bin=0 and D(B f n) < 0|B f n=0

12

4. D(Br1)≥ 0|Br1=0 ∧D(Br2)≤ 0|Br2=0 or D(Br2)≥ 0|Br2=0∧D(Br1)≤ 0|Br1=0.

The existence of the functions Br1 and Br2 implies the existence of trajectory to a reachablestate from an initial state i.e., ∃s0 ∈ Sin∃s1 ∈ S f n.Φ(t0) = s0 and Φ(t f ) = s1, where Φ is a trajectoryand t0 and t f are time points with t0 < t f . , bounded by

Br1 < 0∧Br2 > 0 or Br1 > 0∧Br2 < 0

Proof. Assume that there exists a couple of functions Br1 and Br2 satisfying the conditions(1− 3), while at the same time the system there is no reachable states from Bin to B f n. We havefour cases:

1. D(Br1) ≥ 0|Br1=0 ∧D(Br2) ≤ 0|Br2=0 and all the flow crossing Br1 and Br2 is going out ofthe bounded region Br1 < 0∧Br2 > 0.

2. D(Br1) ≥ 0|Br1=0 ∧D(Br2) ≤ 0|Br2=0 and all the flow crossing Br1 and Br2 is going insidethe bounded region Br1 > 0∧Br2 < 0.

3. D(Br2) ≥ 0|Br2=0∧D(Br1) ≤ 0|Br1=0 and all the flow crossing Br1 and Br2 is going out ofthe bounded region Br1 < 0∧Br2 > 0.

4. D(Br2) ≥ 0|Br2=0∧D(Br1) ≤ 0|Br1=0 and all the flow crossing Br1 and Br2 is going insidethe bounded region Br1 > 0∧Br2 < 0.

Assume that all flows crossing Br1 and Br2 is going inside a bounded region and such boundedregion does not include a fixpoint, then, we will have at least a a function with D(Br3) = kBr3,confined in the region and connected the initial and final regions, hence leading to contradiction.Similar argument for the case where all flow are going outside the bounded region.

Example 3 Consider the non-linear circuit shown in Figure 2.a, connected to different currentsources with the voltages across the capacitors c1 and c2 described using ODEs, respectively, asfollows:

ẋ1 = 3(x21−4) and ẋ2 = 3+ x1x2− x22Suppose we provide the initial condition Bin := (−1+ x1)2 +(−4+ x2)2 ≤ 0.5. We want to verifythe following property

∃3B f nwhere

B f n := (2+ x1)2 +(−1.8+ x2)2 ≤ 0.5

13

Using quantified constraint solving capabilities in Mathematica, we constructed the followingbounds:

B1 := 2.4+89x21 +235.8x2 = 1000

andB2 :=−74x1 +1.3x42 = 130

Therefore, we can deduce that the reachability property will indeed be satisfied (a sample reach-able trajectory is shown inside the region Figure 4).

B_inB_2B_1

B_fn

2

4

−4

2

0

−2

5

1

4

−5

3

−4

x2

−2

0−1

x1

−3

Figure 4: Reachability (Example 3)

5.3 Switching PropertiesA special case of reachability verification ∃3Q is the switching condition verification, i.e., startingfrom a set of initial conditions, the system will eventually cross a threshold, triggering a switchingcondition. Such property is of great importance in analog designs, for instance, a MOSFET transis-tor acting as switch changes states based on the voltage condition applied on its gate. We considerhere a restricted form of the switching property, where we assume that threshold predicates dividethe invariant region by intersecting the invariant region boundaries (at least two Darboux predi-cates). Given an invariant region V , a predicate Q is a switching condition if

k∧

i=0∃x.(Q (x) = 0)∧ (Ii(x) = 0)

where k ≤ 2 and I is a Darboux invariant. The switching verification can be stated as follows:

14

Proposition 4 Switching Property Verification. ∃3Q is satisfied in a region V , if

Q (x(0)) < 0 and DP(Q ) > 0

or ifQ (x(0)) > 0 and DP(Q ) < 0

in the region V . If these conditions are satisfiable, we conclude that the property is verified andswitching occurs.

proof. proof by contradiction. Suppose that:

1. The condition thatk∧

i=0∃x.(Q (x) = 0)∧ (Ii(x) = 0) holds

2. Q (x(0)) < 0 andDP(Q ) > 0 is satisfied

3. ∃3Q is not satisfied.

From the condition in (1) and the vector field behavior in (2), we deduce that there exists atrajectory starting from a state x(0) to a state x( f ) such that x( f ) |= Q . Therefore, contradictingassumption (3). Similar proof for the vector field with the following behavior: Q (x(0)) > 0 andDP(Q ) < 0.

Example 4 Consider the circuit shown in Figure 2.a, where the voltages across the capacitors c1and c2 described, respectively, as follows:

ẋ1 = x21 +2x1x2 +3x22 and ẋ2 = 4x1x2 +2x

22

with initial conditions x1(0) ∈ [0.5,1] and x2(0) ∈ [0.3,0.5]. Suppose the switching conditionproperty to check is

∃3x1 + x2−5 = 0meaning that switching occurs when a certain trajectory will cross the threshold x1 + x2− 5 = 0(See Figure 5). We construct the Darboux functions:

j1 := x2, j2 := x1 + x2, j3 := x1− x2The region

R1 = ( j1 > 0, j2 > 0, j3 > 0)

15

satisfies the initial conditions. In addition, the predicate Q := x1 + x2− 5 < 0 satisfies the initialcondition and

DP(Q := x1 + x2−5) > 0because

DP(Q := x1 + x2−5) = (x1 + x2)(x1 +5x2)is always positive in R1. Consider the initial conditions X(0)1 := (x1(0) ∈ [−10,−8] and x2(0) ∈[4,5]) and X(0)2 := (x1(0) ∈ [−0.5,−1] and x2(0) ∈ [0.3,0.5]) in the invariant region

R2 = ( j1 > 0, j2 < 0, j3 < 0)

For the switching condition−x1 + x2−5 = 0

we find out that the initial condition X(0)1 satisfies

−x1 + x2−5 > 0

and X(0)2 satisfies−x1 + x2−5 < 0

whileDP(−x1 + x2−5) =−(x1− x2)2

will be always negative in region R2, therefore we conclude that the switching will occur for theinitial condition X(0)1 but not for X(0)2.

Sometimes constraint based verification fails to provide answers for the verification problemdue to several reasons:

1. The above mentioned verification methods are not complete in general.

2. Sometimes the constraint solver fails to provide an answer (e.g., not able to construct boundsfor reachability).

3. More complex properties like oscillation cannot be proved using the above method.

We complement the approaches described in this section, by the predicate abstraction methodallowing conventional model checking to be applied. In the next section, we will describe how tofind useful predicates of the abstract states to refine the regions of interest, and to identify rules tobuild transitions between the abstract states. Symbolic model checking can then be applied on theconstructed model.

16

Q2

j3j2

j1

Q1

−5.0

−7.5

x2

7.5

10

0.0

5

2.5

x1

−5

5.0

0−10

−2.5

Figure 5: Switching Verification (Example 4)

6 Predicate Abstraction

6.1 Abstract State SpaceIn general, the effectiveness of the predicate abstraction method depends on the choice of pred-icates. In addition of using Darboux predicates described in Section 4.3, we choose predicatesidentified in the properties of interest. For instance, if we wish to verify that x > y is true, thenwe should add x− y > 0 and its complement to the predicate set. In addition to temporal propertypredicates, basic ideas from the qualitative theory of continuous systems can be adapted within thepredicate abstraction framework.

We define first the notion of critical point as follows:

Definition 8 A fixed point is a point at which the vector field vanishes. For the ODE systemẋ = P(x(t)), we look for solutions

x(t) = v,v ∈ Rn

such thatP(v) = 0

A set of predicates can be constructed using the using critical forms, which are special func-tions that intersect at the critical points. Along the critical forms the vector field direction is eithervertical or horizontal. In between these forms, there can be no vertical nor horizontal vectors. Ina region (abstract state) determined by the critical forms, all vectors follow one direction. Thesepredicates can be obtained easily by setting ẋ = 0.

17

A generalization of critical forms is the concept of isoclines. Isoclines are functions over whichthe system trajectories have a constant slope.

Definition 9 A predicate π is an isocline of ODEs system if and only if ∃ai ∈ R with i = 1, . . .dsuch that

Σdi=1aiPi(x)|π = 0

Isocline and critical forms provide qualitative information about the system behavior. Hence,such information can be used in refuting certain behavior that is shown unreachable. For instanceby knowing different constants ai in the above definitions, we know the direction of the flow cross-ing the isoclines and therefore we decide how to build transitions between abstract states. Findingdifferent isocline predicates within an invariant region can be achieved by solving constraints onthe parameters of predefined forms of an isocline predicate.

Another kind of predicates, we propose, referred to as conditioned predicates, have the prop-erty that under specific conditions, they provide certain information about the solution flow. Forinstance, consider the 3-dimensional system with the state variables x,y,z. and the property predi-cate z > 1. We can construct another predicate that intersect z > 1 at specific condition, say ẏẋ = 0.Then, the new predicate is of the form

ẏ− (z−1)ẋ = 0

These kind of predicates are important during refinement, when an abstract state needs to be subdi-vided into a new set of abstract states. The conditioned predicates are defined formally as follows:

Definition 10 A predicate π is a conditioned predicate of an ODEs system with conditions Γ1, . . . ,Γd ,if it is of the form

Σni=1ΓiPi(x)|π = 0where the conditions Γi are polynomials with i = 1, . . .d and d is the system dimension.

Example 5 Consider the analog circuit in Example 1. The critical forms predicates are

p1 := x1, p2 := x2, p3 := 1− x1 and p4 := 1+ x1as shown in Figure 6.a. For illustration, we choose two isocline predicates

p5 := x1− x31 + x32 and p6 := x1− x31− x32to show in Figure 6.b. Suppose, we are interested to verify a property including the predicate

p7 := x2− x1 > 0.3

18

we can construct the conditioned predicate

p8 := ẋ2− (x2− x1−0.3)ẋ1 = 0

as shown in Figure 6.c. To build the abstract state space, we have 3 Invariant regions and 8predicates. As certain combination of predicates are infeasible, the number of abstract states is< 28 abstracts states. In fact, region R1 = j1 ≥ 0∧ j2 ≥ 0 is subdivided into 29 abstract states.

P2

P1P4 P3

−0.4

−2.0

0.4

−0.8

1

−1.6

1.2

0−2

−1.2

−1 2

x2

1.6

0.8

x1

2.0

0.0

(a) Critical Forms Predicates

P6 P5

−1.2

0.8

x1

1−1

−1.6

1.2

−0.4

−2.0

−2

x2

1.6

0.0

0 2

0.4

−0.8

2.0

(b) Isocline Predicates

P8P7

1.5

2.0

−0.5

x2

0.0

1.0

−1.0

1.5

−0.5 0.5

0.5

0.0

1.0

x1

(c) Conditioned Predicates

Figure 6: Predicates for the Circuit Figure 2.a

Other methods for finding useful predicates were developed in [20], where the authors proposeda way to extract predicates from polynomial ODEs by looking at higher derivatives. If p ∈ P, thenadd ṗ, the derivative (with respect to time) of p, to the set P unless ṗ is a constant or a constantfactor multiple of some existing polynomial in P. The termination of the predicate generationphase is not necessary for creating an abstraction. We can stop at any point and construct theabstract model. A larger predicate set yields a finer abstraction as it results in a larger state spacein the abstract model.

6.2 Computing Abstract TransitionsAlong every invariant region we construct an abstract state transition graph, where each abstractstate is formed of a conjunction of predicates. One main issue in constructing abstract state transi-tion systems is the identification of possible transitions between the states. As we divide the statespace into invariant regions, we need only to construct transitions between abstract states within a

19

region. Therefore, we do not need to construct an abstract model for the whole state space. In gen-eral, information from the solution of the ODEs is required to describe transitions between abstractstates. Usually, an analytic solution is not possible and approximate methods are used instead.

In practice, each abstract transition is initialized to the trivial relation relating all states (a tran-sition exists between any two abstract states) and then stepwise refined by eliminating unfeasibletransitions from states which are unreachable. This guarantees that any intermediate result repre-sents an abstraction and the refinement can be stopped at any point of time. In the remaining ofthis section, we use a set of different rules to construct transition between abstract states.

The simplest rule to use is the Hamming distance rule. The Hamming distance (HD) is thenumber of predicates for which the corresponding valuations are different in different abstractstates. For instance, the Hamming distance between state

s1 := (p1 = 1∧ p2 = 0∧ p3 = 1∧ p4 = 1)

and states2 := (p1 = 1∧ p2 = 0∧ p3 = 0∧ p4 = 1)

is 1, writtenHD(s1,s2) = 1

Given two abstract states s1 and s2, we say that a transition can exist between two abstract states ifHD(s1,s2) = 1.The next rule we apply is based on the generalized mean value theorem, which is an extension ofthe mean value theorem (MVT) for n-dimension that was proposed in [6]:

Theorem 2 Generalized Mean Value Theorem[6]. If x(t) is continuous on a time interval t1 ≤t ≤ t2, and differentiable on t1 < t < t2. Assume that there exists a vector V orthogonal to x(a) andto x(b). Then there is tc : t1 < Tc < t2 such that V is orthogonal to ẋ(tc)

proof. Proof in [6].

For instance in the case of 2-dimensional system, x = (x(t),y(t)), the generalized MVT isreduced to the standard Cauchy MVT:

ẋ(tc)[y(b)− y(a)] = ẏ(tc)[x(b)− x(a)]

For a 3-dimensional system, x = (x(t),y(t),z(t)), we have [6]:

x(a)[y(b)ż(tc)− z(b)ẏ(tc)]+ z(a)[x(b)ẏ(tc)− y(b)ẋ(tc)] = y(a)[x(b)ż(T )− z(b)ẋ(tc)]

20

We use quantified constraint based methods to check whether such condition is satisfied betweentwo abstract states. If the MVT is not satisfied, we deduce that no transition exists between the twostates 3.

The above rules give an over-approximation of the transition system as no information aboutthe vector field direction is used. In order to remove such redundant transitions in the region ofinterest, we complement the above rules by applying the intermediate value theorem as a way toidentify the flow direction. In the context of abstraction, a transition between two abstract statesexists if a predicate valuation change during the execution over interval domain. We check for suchconditional abstract transition between two states by means of the intermediate value theorem asfollows:

Theorem 3 Intermediate Value Theorem Given a predicate λ, two states S1 = (l,b) and S2 =(l′,b′) differing only on the valuation of λ and a time step interval solution I : {a1 ≤ x≤ a2}, thereis a transition between S1 and S2 if b |= JλKa1 (i.e., λ(a1) ∈ γ(b)), b′ |= JλKa2 (i.e., λ(a2) ∈ γ(b′))and JλKa1 6= JλKa2 6= 0, ∃x such that JλKx = 0, with the interpretation function J.K :Rd →{+,−,0}

proof. Demonstration of the theorem is based on the proof of the Intermediate Value Theorem.

To check for the above condition, we use interval analysis to guarantee that the solution isreliable; the real solutions are enclosed by the computed intervals. Such guarantee is derived fromthe fundamental theorem of interval analysis [16].

Theorem 4 [16] Let f :Rd →R be a continuous function, then F : Id → I is an interval extensionof f if

{ f (x1, . . . ,xd)|x1 ∈ X1, . . . ,xd ∈ Xd} ⊆ F(X1, . . . ,Xd)where I is the interval domain.

proof. Proof in [16].

The constraint based approach for the safety and reachability proposed in Section 5 can alsobe used to check for possible transitions between abstract states using the notion of vector field.Another qualitative approach for transition relation have been proposed by Ashish et.al., in [21].

3In [18], the authors proposed a Cauchy MVT to check for possible transitions between regions. In this work, weuse the generalized MVT, which is more suitable for systems with higher dimensions.

21

6.3 Abstraction Based VerificationGiven the analog model transition system TA and a property ϕ expressed in ∀CTL. The problem ofchecking that the property holds in this model written as TA |= ϕ can be simplified to the problemof checking that a related property holds on an approximation of the model TΨ, i.e., TΨ |= ϕ̃, withϕ̃ = µ(ϕ), where µ is a mapping function: µ : Rd → B which is a function associating to eachpredicate λ(x1, . . . ,xd) an atomic proposition P. The main preservation theorem can be stated asfollows [3]:

Theorem 5 Suppose TΨ is an abstract model of TA , then for all ∀C̃T L state formulas describingTΨ and every state of TA , we have s̃ |= ϕ̃⇒ s |= ϕ, where s ∈ γ(s̃). Moreover, TΨ |= ϕ̃⇒ TA |= ϕ.

proof. Similar to the proof in [3].

If a property is proved on an abstract model TΨ, then we are done. If the verification of TΨ revealsTΨ 2 ϕ̃, then we cannot conclude that TA is not safe with respect to ϕ̃, since the counterexamplefor TΨ may be spurious. In order to remove spurious counterexamples, refinement methods on theabstract model can be applied [3].

7 Implementation and ExperimentsFor experimentation purposes, we used Mathematica algebraic manipulation and quantified con-straint solving capabilities [23] for the constraint based verification and for the construction ofthe abstract transition model. Conventional model checking on the abstract models is applied us-ing SMV [4]. For instance, The built-in Mathematica function Reduce[expr,vars] simplifies thestatement expr by solving equations or inequalities for variables set vars = {v1,v2, . . . ,vm} andeliminating quantifiers. Reduce gives True if the expr is proved to be always true, False if expris proved to be always false and a reduced expr otherwise. For example, the safety verificationproblem in Example 2 can be formulated using Reduce as follows:

Reduce[Exists[{x1,x2},1− x21− x22 ≥ 0&&1− x21 + x22 ≥ 0,−3+ x21 + x2 ≥= 0],{x1,x2}]

The problem of finding invariants is an important part of the methodology. We need to findDarboux invariants and in the case of reachability verification, we look for invariants bounding thereachable states. Finding invariants is based on the evaluation of the coefficients of the predefinedforms of polynomials. In this algorithm, we start from an initial degree general form invariantand check if such invariant exists, then increase the degree for a new polynomial. A bound on thedegree must also be specified to ensure termination of the search of the invariants. An arbitrarilyassigned bound at the beginning of the algorithm is usually proposed hence ensuring termination.

22

This is possible using the Mathematica FindInstance, for example. FindInstance[expr,vars] func-tion finds an instance of vars that makes expr True if an instance exists, and gives {} if it does not.The result of FindInstance is of the form

{{v1 → inst1,v2 → inst2, . . . ,vm → instm}}

where insti is the provided value. For example, to find the Darboux invariants j we apply FindInstanceas follows:

FindInstance[ForAll[{x,y},D j == K j],{coe f s}]where j is a polynomial in x,y, with unknown coefficients coe f s and K is the cofactor.

7.1 ExperimentationWe applied the verification proposed in this report to a variety of basic analog circuits. In additionto the verification of the different configurations of the circuit in Figure 2.a, we verified oscillationproperty for the circuit shown in Figure 7.a, with non-linear voltage source vs and non-linearcurrent source cs described using ODEs, respectively, as follows:

İl =−Vc− 15V2c and V̇c =−2Il− I2l + I3l

We identify the corresponding invariants:

j1 = 1−5I3l −15I2l +V 3c +152

V 2c +154

I4l

In this example, we can construct two regions R1 := j1 ≤ 0 and R2 := j1 > 0. Given the statespace and invariant regions as shown in Figure 7.b, we verify the following ACTL property on theset of trajectories:

∀2(∀3(Vc > Il)) ∧ ∀2(∀3(Vc < Il))which can be understood as on every computation path, whenever the capacitor voltage Vc valueexceeds the inductor current value Il , it will eventually decrease below Il again and vise-versa.This property checks for oscillation behavior of the circuit. We constructed the abstract model ofthe oscillator and verified the property using SMV. We found indeed that the circuit will alwaysoscillate only inside the bounded regions R1 shown in 7.b.

Consider the non-linear circuit shown in Figure 2.a, connected to different current sources withthe voltages across the capacitors c1 and c2 described using ODEs, respectively, as follows:

ẋ1 = x2 and ẋ2 =−x1 + x31

23

g2 = 1+

−

g1 = 1

c = 1

Ics= f2(I_l,V_c)

l=1

vs

Vvs= f1(I_l,V_c)

V_c

I_l

(a) Circuit Schematic

−3

0−1

0

I_l

−4

1

−2

5

3

−1

−5

1

2

V_c

3

4

2−2

(b) Phase Portrait and Invariant Regions

Figure 7: Non-Linear Oscillator

We identify the corresponding invariants:

j1 = 1+√

2x2− x21 and j2 = 1−√

2x2− x21We form four invariant regions:

R1 = j1 > 0∧ j2 > 0 R2 = j1 > 0∧ j2 < 0

andR3 = j1 < 0∧ j2 > 0 R4 = j1 < 0∧ j2 < 0

Suppose for the initial capacitors’ voltages

x1 ∈ [0,01] and x2 ∈ [0.4,0.8]

We want to verify the following ACTL property on the set of trajectories:

∀2(∀3(x2 > x1)) ∧ ∀2(∀3(x2 < x1))

which can be understood as on every computation path, whenever the voltage x2 will exceed volt-age x1, it will eventually decrease below x1 again and vise-versa. This property checks for oscilla-tion behavior of the circuit. We supply the user-predicates

p1 := x2−0.5∼ 0, p2 := x2 +0.5∼ 0

24

andp3 := x1− x2 ∼ 0, p4 := x1 ∼ 0, p5 := x2 ∼ 0

along with the isocline predicates

p6 :=−x1 + x31− x2 ∼ 0, p7 :=−x1 + x31 + x2 ∼ 0and

p8 :=−x1 + x31−25

x2 ∼ 0, p9 :=−x1 + x31 +25

x2 ∼ 0with ∼∈ {}, (see Figure 8). Based on initial conditions (initial voltages values), we onlyconstruct corresponding abstract state transition graphs (ASTG) for regions R1,R2. The ASTG forregion R1 is shown in Figure 9. By SMV model checker, we find that the circuit is oscillating onlyfor region R1; ACTL property is satisfied, while the property is violated in region R2, hence thesystem is not oscillating in this region.

−1.6

y

2.0

−0.8

1

1.6

1.2

−0.4

−2.0

−2

0.4

0 2

−1.2

0.0

0.8

−1

x

−1.5

x

1.0

−0.4

0.0 1.5

0.6

0.8

−0.2

0.2

−1.0

−0.5

−0.6

−1.0

1.0

0.4

0.0

−0.8

0.5

y

(a). Darboux Invariants (b). Abstract State Space

Figure 8: Phase Portrait of Circuit in Figure 2

8 ConclusionIn this report, we proposed a qualitative verification approach of analog circuits. The approachis based on abstracting and verifying the qualitative behavior of the circuits using a combinationof techniques from predicate abstraction and constraint solving along with model checking. Theprinciple novelties in this report are:

25

1 2

3

202122 19

18171615

14 13 12 11

10987

6 5 4

Figure 9: ASTG of Region R1 for the Circuit in Figure 2

1. We adapted the concept of lazy abstraction for the verification of analog circuits. To thisaim, we identified a set of basic qualitative predicates (Darboux polynomials) as invariancepredicates which helps avoid the construction of an abstract model for the whole state space.

2. We propose a constraint solving approach for the verification of safety and reachability prop-erties. Such method does not require explicit representation of state space, but relies ongenerating functions that prove of disapprove the properties.

3. Our methodology overcomes the time bound limitations of exhaustive methods developed inrelated work.

Future work includes extending the predicate abstraction to support AMS systems and explor-ing more case studies.

References[1] G. Al Sammane, M. Zaki, and S. Tahar: A Symbolic Methodology for the Verification of

Analog and Mixed Signal Designs; Proc. IEEE/ACM DATE, Nice, France, April 2007.

26

[2] R. Alur, T. Dang, F. Ivancic. Reachability Analysis Via Predicate Abstraction. In Hybrid Sys-tems: Computation and Control, LNCS 2289, pp. 35-48. Springer, 2002.

[3] E.M. Clarke, et. al. Verification of Hybrid Systems based on Counterexample-guided Abstrac-tion Refinement. In TACAS, LNCS 2619, Springer, pp. 192–207, 2003.

[4] E. Clarke, O. Grumberg , D.A. Peled. Model Checking. MIT Press, 1999.

[5] T. Dang, A. Donze, O.Maler: Verification of analog and mixed-signal circuits using hybridsystem techniques. In FMCAD, LNCS 3312, pp. 14-17, Springer, 2004.

[6] M. Furi, M. Martelli. A Multidimensional Version of Rolle’s Theorem. The American Mathe-matical Monthly, 102(3), 1995, pp. 243-249.

[7] G. Frehse, B. H. Krogh, R. A. Rutenbar. Verifying Analog Oscillator Circuits Using For-ward/Backward Abstraction Refinement. In IEEE/ACM DATE, pp. 257-262, 2006.

[8] A. Goriely. Integrability and Nonintegrability of ordinary differential equations, AdvancedSeries on Nonlinear Dynamics, Vol 19 World Scientific 2001.

[9] S. Graf and H. Saidi. Construction of Abstract State Graphs with PVS. In Computer Aidedverification, LNCS 1254, pp. 72-83. Springer, 1997.

[10] M. R. Greenstreet, I. Mitchell: Reachability Analysis Using Polygonal Projections. In HybridSystem: Computation and Control, LNCS 1569, pp.103-116, Springer, 1999.

[11] S.Gupta, B.H. Krogh, R.A. Rutenbar: Towards formal verification of analog designs,IEEE/ACM ICCAD: pp. 210-217, 2004.

[12] W. Hartong, et. al. Formal Verification for Nonlinear Analog Systems: Approaches to Modeland Equivalence Checking, Advanced Formal Verification, Kluwer: pp. 205-245, 2004.

[13] A. Henzinger, R. Jhala, R. Majumdar, and G. Sutre. Lazy Abstraction. In Symp. on Principlesof Programming Languages, ACM, pp. 58–70, 2002.

[14] R.P. Kurshan and K.L. McMillan. Analysis of Digital Circuits Through Symbolic Reduction.IEEE Trans. on Computer-Aided Design 10:13501371, 1991.

[15] S. Little, et. al: Verification of Analog and Mixed-Signal Circuits Using Timed Hybrid PetriNets. In Proc. of ATVA, LNCS 3299, pp. 426-440, springer, 2004.

[16] R. E. Moore. Methods and Applications of Interval Analysis, Society for Industrial & AppliedMathematics, 1979.

27

[17] S. Prajna, A. Jadbabaie. Safety Verification of Hybrid Systems Using Barrier Certificates. InHybrid Systems: Computation and Control, Springer-Verlag, pp. 477-492. 2004.

[18] S. Ratschan, Z. She. Safety Verification of Hybrid Systems by Constraint Propagation BasedAbstraction Refinement. In Hybrid System: Computation and Control, LNCS 3414, pp. 573-589, Springer, 2005.

[19] S. Sankaranarayanan, H. Sipma, Z. Manna. Constructing Invariants for Hybrid Systems. InHybrid Systems: Computation and Control, LNCS 2993, pp 539-554, Springer, 2004.

[20] A. Tiwari and G. Khanna. Series of abstractions for hybrid automata. In Hybrid Systems:Computation and Control, LNCS 2289, pp. 465-478, Springer, 2002.

[21] A. Tiwari and G. Khanna. Nonlinear systems: Approximating reach sets. In Hybrid Systems:Computation and Control, LNCS 2993, pp. 600-614, Springer, 2004.

[22] J. Vlach, K. Singhal. Computer Methods for Circuit Analysis and Design. Kluver, 2003.

[23] S. Wolfram. Mathematica: A System for Doing Mathematics by Computer. Addison WesleyLongman Publishing, 1991.

28