Towards Formal Verification of Analog Designs
Smriti Gupta smritig@ece.cmu.edu
Bruce Krogh krogh@ece.cmu.edu
Rob A. Rutenbar rutenbar@ece.cmu.edu
Carnegie Mellon University
Pittsburgh, PA
• Research supported by the Semiconductor Research Corporation
Big Question: Can We Formally Verify Analog…?
[Figure: the two methodologies side by side. Digital: simulation, abstraction, formal verification. Analog: simulation, then abstraction and formal verification as the open question of this talk.]
Outline
Background
  Where does verification fit into the analog design flow?
Hybrid System Verification
  What is it? Why useful for analog?
  Our hybrid checker: CheckMate
  A small analog circuit example to illustrate ideas
A real circuit verification task: Delta Sigma Modulator
  Overview of the delta sigma modulator
  Bad behavior explained
  Formal verification and analysis
Verification in the Analog Design Flow
[Figure: design flow. Develop system reqs → system design & partition (idealized blocks/cells) → cell behavioral modeling → circuit-level design → block-level design (cell models) → sized schematics → cell layout → cell extract & backannotate (cell parasitics for cell/block design) → block & chip layout → estimate chip parasitics → interconnect parasitics → realistic cell models for integration → system model → system integration → fab & test. Redesign loops: if cells fail in system integration; if system integration fails.]
Initial verification problem: Can we check early if there are problems with the spec or with the idealized initial design?
System integration verification problem: Can we check late for problems caused when ideal blocks become real?
Verifying Analog Designs as Hybrid Systems
Hybrid systems: interacting discrete-continuous dynamics
Model checking for hybrid systems
  construct a finite-state abstraction of the continuous dynamics
  verify reachability or ACTL specifications on the abstraction
  if the verification is inconclusive, refine the abstraction
  (the abstraction over-approximates the continuous behavior, so a property proved on it holds for the circuit, while a violation found on it may be spurious and is what triggers refinement)
Application to analog circuits
  continuous dynamics: differential or difference equations
CheckMate: Hybrid System Verification Tool
Inputs: MATLAB/Simulink model; polyhedral sets of initial continuous states & parameters; specifications over discrete states (• Reachability • ACTL)
1. Constructs finite-state abstraction with transition relation based on polyhedral representations of continuous flows.
2. Applies model checking to resulting transition system.
3. Refines abstraction if necessary.
[Figure: abstract state (π,p,q) with successors (π'1,p',q') and (π'2,p',q'), π being a polyhedral set of continuous states and p, q the discrete components.]
www.ece.cmu.edu/~webk/
Computing Flowpipes for Continuous Dynamics
Given a set of initial states, the procedure is to generate a sequence of polyhedra that contains all state trajectories (flows) from that set.
E.g. a linear system ẋ = A x, with Xo the set of initial states. [Figure: sequence of polyhedra covering the flow from Xo.]
Features of the approach:
• each polyhedron contains the flows for the interval ∆tk = tk+1 − tk
• applies to nonlinear dynamics
• includes piecewise constant inputs
• approximation error can be made arbitrarily
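The flowpipe construction described above, as an added example (this is illustration code, not CheckMate's): it computes a flowpipe for a linear system using axis-aligned boxes in place of CheckMate's general polyhedra. The system matrix A (a damped oscillator), the initial box and the time step are assumptions chosen for the example, and the soundness argument (bounding box of two time slices, bloated by a curvature bound so that every trajectory between them is covered) is the elementary one spelled out in the comments, not CheckMate's optimization-based approximation.

```python
# Added example (not CheckMate code): flowpipe over-approximation for a linear
# continuous system, using boxes instead of general polyhedra.
# Assumptions: dynamics x' = A x with A = [[0, 1], [-1, -0.2]] (a damped
# oscillator chosen for illustration) and an axis-aligned initial box X0.
import math
from itertools import product

A = [[0.0, 1.0], [-1.0, -0.2]]   # assumed example system, not from the slides


def matmul(p, q):
    return [[sum(p[i][k] * q[k][j] for k in range(2)) for j in range(2)] for i in range(2)]


def matvec(p, v):
    return [sum(p[i][k] * v[k] for k in range(2)) for i in range(2)]


def inf_norm(m):
    return max(sum(abs(x) for x in row) for row in m)


def expm(m, t, terms=40):
    """e^{m t} by a truncated Taylor series; the truncation error is ignored
    here, whereas a rigorous tool bounds it as well."""
    mt = [[x * t for x in row] for row in m]
    result = [[1.0, 0.0], [0.0, 1.0]]
    term = [[1.0, 0.0], [0.0, 1.0]]
    for n in range(1, terms):
        term = [[x / n for x in row] for row in matmul(term, mt)]
        result = [[result[i][j] + term[i][j] for j in range(2)] for i in range(2)]
    return result


def flowpipe(x0_box, dt, steps):
    """Sequence of boxes, one per segment [t_k, t_{k+1}], each containing every
    trajectory from x0_box over that segment (delta t_k = dt for all k)."""
    corners = [list(c) for c in product(*x0_box)]   # the 4 vertices of X0
    a_norm, a2_norm = inf_norm(A), inf_norm(matmul(A, A))
    segments = []
    for k in range(steps):
        slice0 = [matvec(expm(A, k * dt), c) for c in corners]        # exact image at t_k
        slice1 = [matvec(expm(A, (k + 1) * dt), c) for c in corners]  # exact image at t_{k+1}
        # The image of a box under a linear map is the convex hull of the vertex
        # images, so the bounding box of slice0 + slice1 covers every chord from
        # a state at t_k to its successor at t_{k+1}.  A trajectory bulges away
        # from its chord by at most dt^2/8 * max ||x''||, with x'' = A^2 x and
        # ||x(t)||_inf <= e^{dt ||A||} * ||x(t_k)||_inf on the segment.
        m = math.exp(dt * a_norm) * max(max(abs(v) for v in p) for p in slice0)
        delta = dt * dt / 8 * a2_norm * m
        pts = slice0 + slice1
        segments.append([(min(p[i] for p in pts) - delta,
                          max(p[i] for p in pts) + delta) for i in range(2)])
    return segments


def contains(box, point):
    return all(lo <= v <= hi for (lo, hi), v in zip(box, point))


def reaches(segments, bad):
    """True if some flowpipe box meets the bad region described by bad(box)."""
    return any(bad(b) for b in segments)


if __name__ == "__main__":
    segs = flowpipe([(0.9, 1.1), (-0.1, 0.1)], dt=0.1, steps=20)
    print("x1 never drops below -1.2:", not reaches(segs, lambda b: b[0][0] <= -1.2))
```

Because the boxes over-approximate, a `reaches` answer of False is a proof for the whole initial box, whereas True only says the bad region might be reachable; shrinking `dt` or splitting the initial box tightens the boxes, which is the refinement step of the previous slide.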
Illustration Circuit: Tunnel Diode Oscillator
Verification question: For specified device parameters and ranges of initial states, will the circuit oscillate correctly?
[Figure: tunnel diode oscillator with inductor current I_L and capacitor voltage V_C as state variables; a trajectory in the (V_C, I_L) plane starts from the marked initial region.]
From: Walter Hartong, Lars Hedrich, and Erich Barke, “Model Checking Algorithms for Analog Verification.” Design Automation Conference, 2002, pp. 542-547.
Specification as a Finite-State Machine
Thresholds on the inductor current I_L (range 0-1e-3 A), with V_C in the range 0-0.5 V:
  p7 = current is 0.7e-3 A (Threshold 2)
  p3 = current is 0.3e-3 A (Threshold 1)
[Figure: finite-state machine whose states are the regions of the (V_C, I_L) plane cut by the two thresholds; correct oscillation is a cyclic sequence of these regions from the Start state.]
CheckMate Model
Circuit dynamics (current 0-1e-3 A, voltage 0-0.5 V) plus the thresholds p3 = current is 0.3e-3 A and p7 = current is 0.7e-3 A form the CheckMate model; the thresholds cut the state space into the locations of the finite-state machine.
[Figure: location1 below p3, location2 between p3 and p7, location3 above p7.]
Flowpipes and Finite-State Abstractions
[Figure: two panels, Oscillating Case and Non-Oscillating Case. Axes: Voltage (X1) 0-0.5 V, Current (X2) 0-10 ×10^-4 A; locations 1-3 separated by the thresholds; the flowpipe approximation starts from the initial set S and passes through the abstract states labelled 1-4.]
Flowpipe Detail
[Figure: Oscillating Case, zoomed: flowpipe approximation from S through abstract states 1-4 across location1-3; axes Voltage (X1) and Current (X2) ×10^-4 A.]
Important points
  CheckMate computes flowpipe approximations dynamically
  Flowpipes are conservative, i.e., guaranteed to bound the real dynamics
A Real Circuit: Delta Sigma A/D Converter
[Figure: analog input → anti-aliasing LPF → ∆Σ-modulator (sampling rate fs, digital encoding) → decimator (digital filter followed by downsampling, fs/2 → fd/2) → high-resolution digital output.]
Delta Sigma Modulator
[Figure: sampled signal → noise-shaping filter H(z) → one-bit quantizer → digital encoding, with a D/A (digital to analog converter) in the feedback path.]
  Samples the input signal at a rate much higher than the Nyquist rate, and converts it into a high-rate, low-resolution digital signal.
  Shapes the noise introduced by the quantizer such that the noise is attenuated in the signal band and amplified outside the signal band (at high frequencies).
Decimator
  Low pass filter removes the noise from the high
∆Σ-Modulation: Closer Look
[Figure: analog input → anti-aliasing LPF → ∆Σ-modulator (fs) → decimator (digital filter, downsampling, fd/2) → high-resolution digital output. Inside the modulator: integrator (z^-1) → quantizer, with quantization error e[n] and a D/A in the feedback path.]
The 1-bit quantizer compares the analog signal to a 0 V reference and outputs +1 or -1.
The modulator is a chain of integrating amplifiers; the number of amplifiers is the “order” of the system.
Analysis of Quantization: Noise is Shaped
[Figure: input spectrum (signal below the band edge fB) and output spectrum (signal plus quantization noise, with the noise pushed above fB).]
∆Σ-Modulator: Undesired Behavior Means What?
Instability: Quantizer overload can cause the discrete-time integrators to hit saturation (max voltage limits).
Quantizer Overload: If the signal at the quantizer exceeds a specific maximum level, the circuit no longer exhibits linear behavior.
[Figure: integrator (z^-1) → quantizer with error e[n], D/A in the feedback path.]
Real Example: 3rd-Order ∆Σ Modulator
[Figure: three integrators in series followed by the quantizer.]
Essential problem:
  A higher-order ∆Σ uses more amplifiers to better suppress noise
  But it is also more unstable, more prone to
How Do We “Test” For Undesired Behavior?
[Figure: 3rd order ∆Σ modulator; the input is subtracted from the LPF output to obtain the noise.]
Criterion 1: Monitor the noise level
• Low noise level in the signal band
Criterion 2: Monitor the quantizer input
• No overload: quantizer input should be between +/-2V
Criterion 1: Noise in Signal Band (LPF output)
[Figure: a DC input signal drives the third-order delta sigma modulator; the input is subtracted from the LPF output to obtain the noise. Plot of LPF output vs. time samples: desired behavior is the signal with high SNR; undesired behavior is noise with low SNR.]
Criterion 2: Quantizer Overload
[Figure: quantizer input vs. time samples; desired behavior stays within the +/-2 V band, undesired behavior leaves it.]
To Verify the ∆Σ Modulator
Select a reasonable set of initial (continuous) states
  Remember – this isn’t a digital circuit!
  Need to start verification from some “sensible” known region of state space
Build a complete CheckMate model
  Switched continuous dynamics for the continuous circuits
  FSM abstraction of the high-level behavior
Run the CheckMate model
  Check if undesired behaviors manifest as “bad” parts of the state space being reached
∆Σ Modulator: Selecting the Range of Initial States
[Figure: under random input, the set of states reached without overload is plotted against the state bounds; the selected set of initial states for verification is drawn inside it.]
∆Σ Modulator: Building CheckMate Model
[Figure: CheckMate model blocks: noise-shaping & LPF filters, quantizer FSM, low pass filter FSM.]
Hyperplanes defining the various regions for the quantizer input:
  “zero_threshold”: x > 0
  “overload”: -2 < x < 2
Hyperplane defining the desired region of the LPF
∆Σ Modulator: Modeling Quantizer as FSM
Quantizer states: current & previous quantizer output (inputs to noise-shaping & low-pass filters)
"Avoid" state defines quantizer overload (reachability specification)
[Figure: quantizer FSM alongside the hyperplane defining the desired region of the LPF.]
Result: CheckMate Reachability Computations
[Figure: two views of the reachable sets with the quantizer threshold marked; the first violations (quantizer overload) are highlighted.]
Breadth-first reachability (wrt discrete transitions)
~3 minutes to find first violation at depth
Results: Effect of Quantizer Switching
[Figure: reachable sets, projection onto the X1-X3 plane.]
Reachable sets "split" when crossing the quantizer threshold
Leads to multiple branches in (brute-force) depth-
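To make the procedure from the “To Verify the ∆Σ Modulator” slide and the splitting just described concrete, an added example (illustration code, not CheckMate): breadth-first reachability over the quantizer transitions, using boxes with exact rational arithmetic in place of CheckMate's polyhedra. The topology, feedback coefficients, input range and initial box are assumptions; the hyperplanes x > 0 and -2 < x < 2 are the ones named on the earlier slides. A box straddling the threshold is split into a y = +1 piece and a y = -1 piece, each piece is stepped with interval arithmetic, and a box that touches the avoid region is reported at its depth. The first-order run reaches a fixpoint without a violation, which proves overload impossible for the whole initial box; the second-order run shows box arithmetic losing the correlation between integrators until the avoid region is touched, a possible violation that may be spurious and is the case that calls for refining the abstraction.

```python
# Added example (not CheckMate): set-based reachability for the 1-bit delta-sigma
# modulator, with boxes in place of CheckMate's polyhedra and exact rational
# arithmetic so that the containment (fixpoint) checks are sound.
# Assumed topology (not given on the slides): chain of delaying integrators,
#   x_i[n+1] = x_i[n] + x_{i-1}[n] - a_i * y[n],  x_0 = u in [u_lo, u_hi],
#   y = +1 if x_k >= 0 else -1 on the last state x_k (the quantizer input).
# Hyperplanes as on the slides: "zero_threshold" x_k > 0, "overload" -2 < x_k < 2.
from collections import deque
from fractions import Fraction as F


def step_box(box, u_rng, y, coeffs):
    """Interval-arithmetic image of a box under one step with fixed quantizer
    output y: a sound over-approximation of the true (parallelotope) image."""
    prev_lo, prev_hi = u_rng
    new = []
    for (lo, hi), a in zip(box, coeffs):
        new.append((lo + prev_lo - a * y, hi + prev_hi - a * y))
        prev_lo, prev_hi = lo, hi      # old x_{i-1} feeds x_i (delaying integrator)
    return new


def split_at_threshold(box):
    """Cut the box at x_k = 0 so that each piece has one quantizer decision y.
    The y = -1 piece keeps the closed endpoint 0 (harmless over-approximation)."""
    lo, hi = box[-1]
    pieces = []
    if hi >= 0:
        pieces.append((box[:-1] + [(max(lo, F(0)), hi)], +1))
    if lo < 0:
        pieces.append((box[:-1] + [(lo, min(hi, F(0)))], -1))
    return pieces


def meets_avoid(box, limit):
    """Avoid region: quantizer input outside (-limit, limit)."""
    lo, hi = box[-1]
    return lo <= -limit or hi >= limit


def contained(box, other):
    return all(olo <= lo and hi <= ohi for (lo, hi), (olo, ohi) in zip(box, other))


def reach(init_box, u_rng, coeffs, limit=F(2), max_depth=50):
    """Breadth-first reachability over quantizer transitions.
    Returns (status, depth, visited): 'violation' = a reachable box meets the avoid
    region (depth of the first one; possibly spurious, since boxes over-approximate),
    'safe' = fixpoint reached with no violation, 'unknown' = depth bound hit first."""
    frontier = deque([(init_box, 0)])
    visited, exhausted, deepest = [], False, 0
    while frontier:
        box, depth = frontier.popleft()
        deepest = max(deepest, depth)
        if meets_avoid(box, limit):
            return "violation", depth, visited
        if any(contained(box, v) for v in visited):
            continue                       # already covered: no new behaviour
        visited.append(box)
        if depth >= max_depth:
            exhausted = True
            continue
        for piece, y in split_at_threshold(box):
            frontier.append((step_box(piece, u_rng, y, coeffs), depth + 1))
    return ("unknown" if exhausted else "safe"), deepest, visited


def hull(boxes):
    """Bounding box of the visited boxes: the proven envelope of reachable states."""
    return [(min(b[i][0] for b in boxes), max(b[i][1] for b in boxes))
            for i in range(len(boxes[0]))]


if __name__ == "__main__":
    x0 = [(F(-1, 2), F(1, 2))]                       # first order, initial box on x_1
    print(reach(x0, (F(1, 5), F(2, 5)), [1])[0])      # safe: fixpoint, |x_1| <= 7/5
    print(reach(x0, (F(9, 10), F(6, 5)), [1])[0])     # violation: input above full scale
    x0_2 = [(F(-1, 2), F(1, 2))] * 2                  # second order: boxes grow (wrapping)
    print(reach(x0_2, (F(1, 5), F(2, 5)), [1, 2], limit=F(4), max_depth=30)[0])
```

Two things carry over from the slides: every box created here is conservative, so "safe" is a proof for the whole initial region and not for one simulated trajectory; and each split doubles the frontier, which is the branching the projection above shows and the reason breadth-first search is used with a depth bound.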
Summary
Can we formulate a useful analog verification task as a hybrid systems model checking problem?
Yes
  The ∆Σ Modulator is, to the best of our knowledge, the largest nontrivial circuit to have any useful continuous property checked formally
…but still many practical limitations
  We check at the idealized block level, i.e., system-level analog, not transistors
  Model setup is still rather arduous
  Still limited to low-order systems with relatively few state variables
Next Steps
Formal specifications for analog designs
  Identify mixed-signal specifications amenable to time-domain characterization
  Create parameterized specification primitives for CheckMate implementation
CheckMate model checker for analog designs
  Develop modeling guidelines
  Implement abstraction methods (leverage CT CheckMate)
  Heuristics for polyhedral over-approximations to reduce computation time
  Refinement strategies
  Apply recent developments to increase efficiency