
Model checking of AMS circuits exhaustively explores whether a model of the circuit satisfies a property. Models of the system can be discrete as well as continuous. In [63], Kurshan and McMillan presented the first approach to formally verify a digital circuit at the transistor level. They partitioned the state space into hypercubes and the continuous input signals into high and low logic levels, with the assumption that they change values instantly. Time is similarly discretized in equal steps. They developed a transition relation between discrete states, and verified the model using the COSPAN tool against properties defined in ω-language. A similar approach based on discretization of the state space has been adopted in [48]. The difference is that they used variable-step numerical integration and adopted an automatic refinement of the discrete partitions so as to make them uniform. This process of making the partitions uniform is based on the length and direction of the vector fields. Three types of transition relations between the partitions have been given. In the first, they used interval arithmetic to over-approximate the trajectories, whereas in the second, they ran simulations at various points to establish transition relations. In the third, they made use of Lipschitz constants for non-linear functions. They implemented their approach in the tool AMCHECK and verified the discrete transition system against CTL properties.
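The partition-based abstraction described above, as an added example that is not code from the surveyed papers or tools: the state space is cut into equal cells, interval arithmetic over-approximates the image of each cell under one equal time step, and a safety property is checked by a fixpoint over the resulting transition relation. The RC node, its parameters and all function names are assumptions constructed for illustration; the abstraction covers the time-discretized map only, and refinement is done by hand by choosing a smaller cell width.

```python
from fractions import Fraction as F
from math import ceil, floor

# Constructed system (an assumption): RC node driven by a logic-high input with
# tolerance, stepped in equal time steps: v' = v + ALPHA*(u - v), u in [U_LO, U_HI].
ALPHA = F(1, 4)                    # step size / RC time constant
U_LO, U_HI = F(9, 10), F(11, 10)   # "high" input level with +/-10% tolerance
V_MAX = F(2)                       # modelled state space is [0, V_MAX]
INIT = (F(0), F(1, 10))            # initial set of node voltages


def image(a, b):
    """Interval image of the cell [a, b] under one time step (exact rationals)."""
    return (1 - ALPHA) * a + ALPHA * U_LO, (1 - ALPHA) * b + ALPHA * U_HI


def cells_touching(lo, hi, width, n):
    """Indices of all cells [j*width, (j+1)*width] that intersect [lo, hi].
    Index n is a sentinel meaning 'left the modelled state space'."""
    first = max(0, ceil(lo / width) - 1)
    last = min(n, floor(hi / width))
    return range(first, last + 1)


def reachable(init, width):
    """Fixpoint of the abstract transition relation from the initial interval."""
    n = int(V_MAX / width)
    frontier = set(cells_touching(init[0], init[1], width, n))
    seen = set()
    while frontier:
        i = frontier.pop()
        seen.add(i)
        if i < n:  # the sentinel has no successors
            lo, hi = image(i * width, (i + 1) * width)
            frontier |= set(cells_touching(lo, hi, width, n)) - seen
    return seen, n


def reach_upper_bound(init, width):
    """Largest voltage contained in any reachable cell (V_MAX for the sentinel)."""
    seen, n = reachable(init, width)
    return V_MAX if n in seen else max((i + 1) * width for i in seen)


def check_safety(init, width, limit):
    """True if the abstraction proves that the voltage never exceeds `limit`."""
    seen, n = reachable(init, width)
    return n not in seen and all((i + 1) * width <= limit for i in seen)
```

With cells of width 1/10 the abstraction cannot prove a limit of 1.15, although the concrete system never exceeds 1.1; with cells of width 1/100 the same property is proved, which is the effect partition refinement is meant to achieve.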

Model checking techniques in the continuous domain are based on reach set computation (reachability). Starting in an initial set, reachability techniques compute the next set of points in each iteration. To find the complete tube of trajectories, the pre and post reachable sets are bloated up to get the convex hull of the set of points, comprising pre, post and the sets between them. This way the tube of trajectories is conservatively over-approximated. In [81], Mark Greenstreet and Ian Mitchell presented a technique showing reachable sets for a MOS circuit modelled as a system of ODEs. They showed correctness of analog circuits by reachability considering three cases. First they considered linear ODEs, and reachability computation was done based on the convex set representation. This was followed by computing reachable sets for linear ODEs with regions as non-convex sets, and for non-linear ODEs with non-convex sets representing state space regions. Safety properties of analog circuits were soundly verified by conservatively over-approximating all reachable sets.

Modelling non-linear circuits as a HDS has gained tremendous interest in the research community during the last decade. This is mainly due to the amount of research that has been going on in formal verification of HDSs [9], [2]. HDSs consist of both continuous and discrete domains, making their verification a difficult task. In [38], Goran et al. verified time domain properties of a tunnel diode oscillator using the tool PHAVER. They showed that variations in amplitude and jitter in the oscillator behaviour are bounded. Modelling the oscillator dynamics as a hybrid automaton having modes with affine dynamics of the form $\dot{x} = Ax + b$, PHAVER conservatively over-approximated this with a linear hybrid automaton (LHA), where the affine dynamics were replaced with the differential inclusion $a_l x \le \dot{x} \le a_u x$. They successfully showed that, starting in close proximity to a limit cycle of a tunnel diode oscillator (TDO), it oscillates with a specific fundamental period. A similar but improved approach involving forward/backward reachability has been adopted in [36].

Gupta et al. used the CHECKMATE tool for hybrid systems analysis, and verified time domain properties of the TDO [45]. CHECKMATE, a MATLAB-based tool, can handle hybrid automata having modes with continuous affine dynamics. It uses flow pipe approximation (a sequence of polyhedra) and constructs a sound abstraction of the continuous dynamics. Instead of discretizing the whole state space, it partitions the state space only along the trajectory of the system for a set of its initial conditions. Creating discrete transition systems from the polyhedral invariant hybrid automaton, CHECKMATE uses bisimulation-based model checking and verifies ACTL properties for the given hybrid system. The authors in [45] showed oscillation in the state space of the TDO for one set of parameters, and a counterexample for oscillation when a second set of parameters was considered.

In [94], Thao et al., using Mixed Integer Linear Programming (MILP) for discrete hybrid systems, showed worst case safety properties of a Δ-Σ modulator. Considering the fact that reachability algorithms suffer from time and space explosion, they adopted a bounded horizon reachability concept. Similar to Boolean satisfiability for bounded horizon reachability in digital systems, they used concepts of optimal control and looked for a worst input which induced bad behaviour. They proved safety by proving safety of the set of worst trajectories. In the same paper, they verified a low pass filter modelled by differential algebraic equations (DAEs). They transformed the DAEs into ODEs, and computed reachable sets for them on manifolds using the d/dt reachability tool. Steinhorst et al. in [87] showed oscillations in a tunnel diode and a ring oscillator using visualization techniques. Being only applicable to three dimensional space, circuits with higher dimension were projected to three dimensions. Particles were injected in the discrete state space and their tangent vectors were approximated with the nearest point of the discrete vector field. The particles represented independent simulations, and thus gave a picture of the complete state space.

Althoff et al. in [7] formally verified the lock time of a CP PLL. They used HDS theory for the behavioural model of the CP PLL with parameter uncertainties. Faced with the problem of a very large number of mode switches, they approximated the hybrid switched system with a continuous system, and used reachability computation to find all possible sets of the PLL transient analysis and computed its locking time. Using Labelled Hybrid Petri net (LHPN) analysis tools, Walter et al. in [100] verified switched capacitor integrator circuits. LHPN models were transformed into symbolic models, and these were then verified using BDD-based model checking. A similar procedure has been adopted in [101], but the verification engine used an SMT solver to verify the symbolic model.

For a given property, a model checking algorithm invokes a decision procedure to traverse the state transition system and verify whether or not the property is satisfied by that system. To deal with the state explosion problem, the model checking technique has been enhanced by bounded model checking (BMC), where the transition system is verified for a bounded length of state sequences [20]. BMC of hybrid systems involves predicate encoding of the sequential behaviour of the transition system and the target formulas, and a decision procedure, e.g. SAT, to find a satisfying instantiation of the target formula. Using BMC, Zaki et al. in [112] proved properties of a Δ-Σ modulator and oscillator circuits. Representing the continuous parts of AMS circuits by differential equations and the digital part by event-based models, they used an interval arithmetic based Taylor approximation of the continuous state space to avoid unsoundness.

Recently, Satisfiability Modulo Theory (SMT) based techniques have been used for AMS circuit verification. This is because of the recent advancement of SMT solvers to handle Boolean combinations of several thousand linear as well as non-linear arithmetic constraints. Tiwary et al. in [57] presented a SAT modulo theory based approach for AMS circuit verification. Based on device (diodes, transistors) voltage-current relationships, they tabulated these in the form of linear inequalities in their formulation. Given these and the KCL/KVL constraints on the currents and voltages of different nodes in the circuit, they verified DC, steady state, and transient properties of circuits. They used the Euler integration method to solve differential equations, which makes their technique less accurate due to soundness issues. In [110], Yin et al. proposed a methodology which is based on Nonlinear-SMT assisted by simulation. They used the Bayesian inference rule to trade off between the computational cost of simulation and the number of SMT enquiries. Modelling the PLL as a hybrid system, they verified its safety properties using reachability of unsafe states. Ishii et al. in [52] presented a SAT Modulo ODE technique for model checking of non-linear hybrid automata, and verified the oscillation property of the TDO. They tightly integrated a SAT solver with hybrid constraints using an interval solver, thus enabling it to deal directly with ODEs without approximating them. Chao et al. in [27] proposed SMT based reachability analysis using implicit integration methods to verify safety and liveness properties of arbiter circuits.
