Towards Formal Verification of Analog Designs

Smriti Gupta smritig@ece.cmu.edu
Bruce Krogh krogh@ece.cmu.edu
Rob A. Rutenbar rutenbar@ece.cmu.edu

Carnegie Mellon University
Pittsburgh, PA

• Research supported by the Semiconductor Research Corporation

Big Question: Can We Formally Verify Analog…?

[Figure: DIGITAL vs. ANALOG]
Digital Methodology
• Simulation
• Abstraction
• Formal verification
Analog Methodology
• Simulation
• Abstraction
• Formal verification

Outline
• Background
  • Where does verification fit into analog design flow?
• Hybrid System Verification
  • What is it? Why useful for analog?
  • Our hybrid checker: CheckMate
  • A small analog circuit example to illustrate ideas
• A real circuit verification task: Delta Sigma Modulator
  • Overview of the delta sigma modulator
  • Bad behavior explained
  • Formal verification and analysis

Verification in the Analog Design Flow
[Figure: analog design flow chart. Stages shown: develop system reqs; system design & partition; idealized blocks/cells; cell behavioral modeling; circuit level design; block level design; cell simulate; block simulate; sized schematics; cell layout; cell extract & backannotate; cell parasitics for cell models; cell parasitics for cell/block design; block & chip layout; estimate chip parasitics; interconnect parasitics; realistic cell models; system model for integration; fab & test. Feedback paths: "Redesign if cells fail in system integration" and "Redesign if system integration fails".]
• Initial verification problem
  • Can we check early if there are problems with the spec or with the idealized initial design?
• System integration verif. problem
  • Can we check late for problems caused when ideal blocks become real?

Verifying Analog Designs as Hybrid Systems
• Hybrid systems: Interacting discrete-continuous dynamics
• Model checking for hybrid systems
  • construct a finite-state abstraction of the continuous dynamics
  • verify the abstraction reachability or ACTL specifications
  • if the verification is inconclusive, refine the abstraction
• Application to Analog Circuits
  • continuous dynamics: differential or difference equations

CheckMate: Hybrid System Verification Tool
• MATLAB/Simulink model
• Polyhedral sets of initial continuous states & parameters
• Specifications over discrete states
  • Reachability
  • ACTL

1. Constructs finite-state abstraction with transition relation based on polyhedral representations of continuous flows.
2. Applies model checking to resulting transition system.
3. Refines abstraction if necessary.

[Figure: abstract transitions from (π,p,q) to (π'1,p',q') and (π'2,p',q')]

www.ece.cmu.edu/~webk/

Computing Flowpipes for Continuous Dynamics
Given a set of initial states, the procedure is to generate a sequence of polyhedra that contains all state trajectories (flows) from that set.

E.g. $\dot{x} = \begin{bmatrix} 0 & 1 & 0 \\ 0 & 0 & 1 \\ 1 & 2 & 2 \end{bmatrix} x$

[Figure: flowpipe; Xo: set of initial states]

Features of the approach:
• each polyhedron contains flows for $\Delta t_k = t_{k+1} - t_k$
• applies to nonlinear dynamics
• includes piecewise constant inputs
• approximation error can be made arbitrarily

Illustration Circuit: Tunnel Diode Oscillator
Verification question: For specified device parameters and ranges of initial states, will the circuit oscillate correctly?

[Figure: tunnel diode oscillator circuit and IL vs. VC plot, with "Start here" marked]

From: Walter Hartong, Lars Hedrich, and Erich Barke, “Model Checking Algorithms for Analog Verification.” Design Automation Conference, 2002, pp. 542-547.

Specification as a Finite-State Machine
[Figure: sequence of IL vs. VC plots, each marked with Threshold 1 and Threshold 2, beginning at "Start". Axes: Current (0-1e-3 A), Voltage (0-0.5 V). p7 = current is .7e-3 (Threshold 2); p3 = current is .3e-3 (Threshold 1).]

CheckMate Model
[Figure: CheckMate model with circuit dynamics, thresholds and finite state machine. Axes: Current (0-1e-3 A), Voltage (0-0.5 V). p7 = current is .7e-3; p3 = current is .3e-3. The thresholds separate location1, location2 and location3.]

Flowpipes and Finite-State Abstractions
[Figure: two panels, "Oscillating Case" and "Non-Oscillating Case". Axes: Voltage (X1), 0 to 0.5; Current (X2), ×10^-4. Each panel shows the initial set IC, the flowpipe approximation, and location1, location2, location3.]

Flowpipe Detail
[Figure: Oscillating Case. Axes: Voltage (X1), 0 to 0.5; Current (X2), ×10^-4. Shows the initial set IC, the flowpipe approximation, and location1, location2, location3.]
• Important points
  • CheckMate computes flowpipe approximations dynamically
  • Flowpipes are conservative, i.e., guaranteed to bound real dynamics

A Real Circuit: Delta Sigma A/D Converter
[Figure: converter block diagram. Analog input, Anti-aliasing LPF, ∆Σ-Modulator (fs), Digital Encoding, Decimator (Digital Filter, Downsampling), High Resolution Digital Output; frequency labels fs, fs/2, fd/2. Modulator detail: Sampled Signal, Noise-Shaping Filter H(z), One-Bit Quantizer, Digital Encoding, D/A (Digital to Analog Converter).]
• Delta Sigma Modulator
  • Samples input signal at a rate much higher than the Nyquist rate, and converts it into a high-rate, low-resolution digital signal.
  • Shapes the noise introduced by the quantizer such that the noise is attenuated in the signal band and amplified outside the signal band (at high frequencies).
• Decimator
  • Low pass filter removes the noise from the high

∆Σ-Modulation: Closer Look
[Figure: converter block diagram as on the previous slide, with modulator detail: Integrator (Z-1), Quantizer with Error (e[n]), D/A in the feedback path]
• 1-bit quantizer compares analog signal to a 0V ref, outputs +1 or -1
• This is a chain of amplifiers
• #amplifiers = “order” of system

Analysis of Quantization: Noise is Shaped
[Figure: converter block diagram with two spectra plotted against freq., signal band edge fB marked. INPUT: Input signal spectrum. OUTPUT: Input signal and noise spectrum.]

∆Σ-Modulator: Undesired Behavior Means What?
• Instability
  • Quantizer overload can cause the discrete-time integrators to hit saturation (max voltage limits).
• Quantizer Overload
  • If signal at the quantizer exceeds a specific maximum level—circuit no longer exhibits linear behavior

[Figure: modulator loop with Integrator (Z-1), Quantizer with Error (e[n]), D/A]

Real Example: 3rd-Order ∆Σ Modulator
[Figure: 3rd-order modulator schematic with Integrator and Quantizer labeled]
• Essential problem:
  • A higher-order ∆Σ uses more amplifiers to better suppress noise
  • But it is also more unstable, more prone to

How Do We “Test” For Undesired Behavior?
[Figure: 3rd order ∆Σ Modulator; its output is subtracted from the input to give the noise, which is passed through an LPF]

Criterion 1: Monitor the noise level
• Low noise level in the signal band
Criterion 2: Monitor the quantizer input
• No overload: quantizer input should be between +/-2V

Criterion 1: Noise in Signal Band (LPF output)
[Figure: Input Signal into Third-Order Delta Sigma Modulator; noise through LPF. Plot for DC Input against Time Samples, annotated: Desired Signal, Noise, Low SNR, Undesired, High SNR.]

Criterion 2: Quantizer Overload
[Figure: Quantizer Input against Time Samples, showing Undesired Behavior and Desired Behavior]

To Verify the ∆Σ Modulator
• Select a reasonable set of initial (continuous) states
  • Remember – this isn’t a digital circuit!
  • Need to start verification from some “sensible” known region of state space
• Build a complete CheckMate model
  • Switched continuous dynamics for continuous circuits
  • FSM abstraction of high level behavior
• Run CheckMate model
  • Check if undesired behaviors manifest as “bad” parts of state space reached

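The recipe above, carried out on a first-order loop as an added example (not from the slides, and not CheckMate's algorithm): intervals stand in for polyhedra, and the search reports the depth at which the overload region is first reached. The loop equation x[n+1] = x[n] + u - v, the function names and all numeric inputs are assumptions; the ±2 V overload bound and the 0 V quantizer reference are the slides' values.

```python
# Added example: bounded breadth-first reachability for a first-order
# delta-sigma loop, with 1-D intervals standing in for polyhedra.
# Assumed model (not from the slides): x[n+1] = x[n] + u - v, where x is the
# quantizer input, u a bounded input and v = +1 if x > 0 else -1.

OVERLOAD = 2.0  # slides' criterion: quantizer input must stay within +/-2 V

def split_at_threshold(box):
    """Split an interval at the 0 V quantizer reference.

    Returns (quantizer_output, sub_interval) pairs; a set that straddles the
    threshold splits into two branches.
    """
    lo, hi = box
    parts = []
    if hi > 0:
        parts.append((+1, (max(lo, 0.0), hi)))  # closed at 0: conservative
    if lo <= 0:
        parts.append((-1, (lo, min(hi, 0.0))))
    return parts

def post(box, u, v):
    """Conservative image of `box` after one sample with feedback v."""
    return (box[0] + u[0] - v, box[1] + u[1] - v)

def merge(boxes):
    """Union overlapping intervals so the frontier stays small."""
    merged = []
    for lo, hi in sorted(boxes):
        if merged and lo <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged

def first_overload(init, u, max_depth):
    """Depth of the first reachable overload, or None within max_depth."""
    frontier = [init]
    for depth in range(max_depth + 1):
        if any(lo <= -OVERLOAD or hi >= OVERLOAD for lo, hi in frontier):
            return depth
        frontier = merge(post(part, u, v)
                         for box in frontier
                         for v, part in split_at_threshold(box))
    return None

if __name__ == "__main__":
    print(first_overload((-0.125, 0.125), (0.25, 0.5), 50))   # constructed, in-range input
    print(first_overload((0.125, 0.25), (1.125, 1.25), 50))   # constructed, input too large
```

Because every image is an over-approximation, a `None` result means no overload is reachable within the depth bound, while a reported depth may need a finer abstraction to confirm.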
∆Σ Modulator: Selecting the Range of Initial States
[Figure: states reached under random input (no overload), the state bounds, and the selected set of initial states for verification]

∆Σ Modulator: Building CheckMate Model
[Figure: CheckMate model with Noise-Shaping & LPF Filters, Quantizer FSM and Low Pass Filter FSM]
• Hyperplanes defining various regions for the quantizer input
  • “zero_threshold”: x>0
  • “overload”: -2<x<2
• Hyperplane defining the desired region of the LPF

∆Σ Modulator: Modeling Quantizer as FSM
[Figure: quantizer FSM; hyperplane defining the desired region of the LPF]
• Quantizer states: current & previous quantizer output (inputs to noise-shaping & low-pass filters)
• "Avoid" state defines quantizer overload (reachability specification)

Result: CheckMate Reachability Computations
[Figure: reachable sets, two views, showing the quantizer threshold and the quantizer overload (first violations)]
• Breadth-first reachability (wrt discrete transitions)
• ~3 minutes to find first violation at depth 27

Results: Effect of Quantizer Switching
[Figure: reachable sets, projection onto X1-X3 plane]
• Reachable sets "split" when crossing quantizer threshold
• Leads to multiple branches in (brute-force) depth-

Summary
• Can we formulate a useful analog verification task as a hybrid systems model checking problem?
  • Yes
  • ∆Σ Modulator is, to best of our knowledge, largest nontrivial circuit to have any useful continuous property checked formally
• …but still many practical limitations
  • We check at idealized block level, i.e., system-level analog, not transistors
  • Model setup is still rather arduous
  • Still limited to low-order systems with relatively few state variables

Next Steps
• Formal specifications for analog designs
  • Identify mixed-signal specifications amenable to time-domain characterization
  • Create parameterized specification primitives for CheckMate implementation
• CheckMate model checker for analog designs
  • Develop modeling guidelines
  • Implement abstraction methods (leverage CT CheckMate)
  • Heuristics for polyhedral over approximations to reduce computation time
  • Refinement strategies
  • Apply recent developments to increase efficiency
