Embedded systems include an increasing share of analog/mixed-signal components that are tightly interwoven with functionality of digital HW/SW systems. A challenge for verification is that even small deviations in analog components can lead to significant changes in system properties. In this paper we propose the combination of range-based, semisymbolic simulation with assertion checking. We show that this approach combines advantages, but as well some limitations, of multirun simulations with formal techniques. The efficiency of the proposed method is demonstrated by several examples.
1. Introduction
Analog/mixed-signal (AMS) systems are a crucial part of today’s embedded systems. Typical AMS components such as sensors, transceivers, and signal conditioning enable interaction of embedded HW/SW systems with its physical environment. In today’s embedded systems, the functionality of the analog components is tightly interwoven with the digital HW/SW system. A particular challenge of AMS systems is that parameters cannot be assumed to be fixed to a deterministic value like in a digital system.
Behavior of AMS systems cannot be assumed to be fixed for the following reasons: variations of parameters due to variations in the manufacturing process, but as well during operation (e.g., different temperatures, aging, and supply voltage) introduce deviations compared to an ideal reference. (Modeling) uncertainties are introduced by the fact that all models represent more or less accurate abstractions of physical reality. No model can be assumed to be absolutely accurate. Furthermore, computation with fixed-point arithmetic in the digital domain can contribute significantly to deviation from expected ideal behavior (rounding errors, quantization). In the following we refer to such deviations of a simulation run from possible real behavior in general as “deviations.”
A communication system with typical variations and deviations is shown in Figure 1 as an example. Variations of gain, offset, or due to temperature (Figure 1, left) are compensated in software. This is done at lower layers of the software by controlling variable gain amplifier (VGA), voltage controlled oscillator (VCO). Higher layers of the software stack introduce further error correction mechanisms in software. Dependability of the overall system is defined by complex interaction of AMS parts with the software stack. While known statistical methods (e.g., Monte Carlo simulation) allow us computing other statistic properties like Bit or Packet Error Rates (BER, PER), open issues are questions such as
how can we guarantee some system properties, for example, for safety relevant systems?
can we get information from the analysis that assists us in design and debug, such as counter examples?
System model including parameter deviations.
This paper proposes a new methodology that for the first time combines high verification coverage of formal verification on one hand with the general applicability of simulation-based approaches on the other hand. To achieve this goal, we combine assertion checking with symbolic simulation:
assertions specify required properties of a system;
in an overall system model, deviations and variations are represented by symbols that capture size and correlations of the deviations, variations, respectively;
for verification of “worst case” behavior, a range-based simulation using Affine Arithmetic shows that for given ranges of inputs and deviations the required properties are valid, and that no “forbidden state” is reached.
We mostly focus on level of block diagrams, but the methodology is as well applicable on circuit simulation. We implemented it based on SystemC and its AMS extensions. Section 2 gives a review of state of the art and related work. In Section 3 Affine Arithmetic is described, and some modeling examples are given. Section 4 describes semisymbolic simulation and the verification method proposed in this work. The applicability of the verification technology is demonstrated by examples given in Section 5. Section 6 concludes the paper and identifies future work.
2. State of Art and Related Work
When verifying AMS systems with parameter deviations, application of multirun simulation techniques (Monte-Carlo, worst-case analysis) can be considered as state-of-the art. Monte Carlo simulation [1] is a statistical technique. However, statistical techniques do not provide dependable “worst case” results. While the number of simulation runs can be reduced by importance sampling [2], the number of simulation runs required may still be prohibitive for analysis of complex systems. Corner case analysis [3] is a more appropriate means for finding worst case performances of AMS systems. Unfortunately, the number of simulation runs grows exponentially with the number of parameters considered. However, even if all corner cases are considered, the dependability of the result cannot be guaranteed since corner cases are not necessarily worst cases. Design of Experiments [4] allows reducing the number of simulation runs significantly and finding worst case performances more accurately.
Even with high number of simulation runs, there is no guarantee that worst case performances are found. A drawback of multi-run simulation methods is that the dependable operation of AMS systems cannot be guaranteed under all circumstances. For safety-critical systems, for example, in aviation or automotive systems this is a major drawback and motivation for further research.
In order to find counter examples, rapidly exploring random trees [5, 6] and robust test case generation have been proposed in [7–9]. Further, the simulation techniques proposed in [10, 11] guarantee that a system is “safe” if a set of trajectories lie within certain regions defined by previously found conditions. In contrast to these approaches the techniques proposed in [12, 13] compute an overapproximation of the set of states reached by all trajectories. While these methods support debugging and introduce coverage metrics, they are not able to deal with the increased complexity of systems that with deviations and variations. An approach that enables safety verification of hybrid systems with uncertain parameters is the use of barrier certificates proposed in [14]. Those methods can verify if a set of system trajectories crosses a barrier previously defined by a barrier certificate. Finding a proper barrier certificate is not easy and makes this approach difficult for system verification.
To cope with the drawbacks of simulation-based techniques, formal verification methods were proposed. The idea of formal methods is to use the formal checkers which automatically explore all possible states and transitions in the system model to check if the desired output behaviour is met or not. Hence, in contrast to simulation-based methods which can verify only one behaviour (for only one input stimuli) per operation, the formal methods deal with the set of behaviours at a time. Approaches for formal verification were firstly applied on digital systems [15–17], and due to their efficiency they found a good way in industrial applications. Approaches that also cover analog/mixed-signal or hybrid systems are rare and still in infancy.
In [18–20] hybrid systems with linear and nonlinear dynamics are approximated by timed automata in order to simplify their analysis. Reference [21] describes a model checking tool which requires discrete and (for continuous parts) linear system descriptions. For nonlinear continuous behavior, such approximations are too simple. Linear phase-portrait approximation [22] is a general technique, because its approximation does not depend on the order of the differential equation to be approximated. There is no standard method for partitioning the state space, and therefore it seems to be complicated to find proper discrete models for strongly nonlinear models. In [23–25] focus is on nonlinear analog behavior for which discretized models in the state space are used for verification. The efficiency of these approaches seems to be limited to smaller analog systems. With increasing complexity, the number of states in the discretized model grows which leads to the state explosion problem and high run time of verification algorithms applied on this model.
Due to limitation of formal methods for analog/continuous systems to small systems, simulation-based techniques are still the only way for verification of more complex analog/continuous and AMS systems. To formalize verification of AMS systems, assertions that describe typical properties of analog systems are the focus of recent research. In [26] mixed-signal assertions (MSA) were proposed to check properties of mixed-signal systems during simulation. These assertions were implemented in a separate SCAC (SystemC AMS Temporal Checker) library. This library is easily integrated in SystemC AMS simulation environment, due to its C++ based nature. In contrast to this approach, [27] features AMT, an offline tool for monitoring temporal properties of mixed-signal systems for verification. Both verification methodologies simulate and evaluate a nominal system model without taking into account any deviations caused by variations in design process.
A particular challenge in design of complex analog/mixed-signal systems is parameter variations. In any physical system, values are not implemented in an accurate way and change in a partially unpredictable way over time (e.g., due to temperature, aging, etc.). Such deviations form an ideal model change system behavior and can potentially cause malfunctions. For conventional simulation, multi-run methods as described in the first paragraph do not provide the result dependability and require a high number of simulation runs to explore the system behaviour while considering process variations. For formal approaches, such issues are still in infancy, because its applicability simply does not yet allow handling complex and heterogeneous systems such as AMS systems.
A first approach to cover deviation effects in AMS systems and compute the guaranteed worst case results at the same time was introduced in [28–31]. Deviations are modeled as ranges, superimposed on the nominal system model, and modified during system simulation to obtain the formally guaranteed range-based system quantities. For this purpose, Affine Arithmetic was applied. Using this approach the variations in parameter values are represented with deviated symbols which are traced to the system output. Hence, the contribution of all variations in the system is contained in the system response which simplifies analysis of the system robustness.
In [32] it is proposed that how Affine Arithmetic approach can be used to analyze worst case behavior of electrical circuits. Further, in [33] this methodology found its application in sizing of analog circuits. Using Affine Arithmetic the bounds on the worst case circuit behavior are calculated and the global minimum of sizing problem is determined due to inclusion isotonicity. Beside analog domain, Affine Arithmetic models can also be used in Digital Signal Processing (DSP) applications to represent errors introduced by calculations in floating-point arithmetic [34, 35].
Within this work, semisymbolic simulation based on Affine Arithmetic is combined with the assertion-based technology. Concretely, assertions based on Affine Arithmetic (AAF+A) are introduced to include range-based system quantities and allow specification and automatic verification of typical time and frequency-domain properties of systems considering variations in their parameter values.
Using the proposed verification method system verification is done during simulation.
The desired output behaviour is described with assertion which is embedded into simulation process.
The assertion is verified automatically. In the case where the design requirement is not met the simulation process is stopped reporting the user about the assertion violation.
Table 1 summarizes the advantages and disadvantages of previously described verification techniques.
Tradeoffs of verification methods for AMS systems with deviations.
Verification techniques
Disadvantages
Advantages
Multirun simulations
Low verification coverage, no “guarantee”
General applicability
Formal methods
State explosion problem, no complex, heterogeneous systems
High verification coverage “guarantee,” counter examples
Assertion-based techniques (MSA, AMT tool)
Only nominal behaviour verified, no “guarantee”
Well suited for complex systems, increased coverage
The verification method proposed in this work copes with the disadvantages of previous verification methods. Concretely, combining the assertion-based technology with semisymbolic simulation, which generates the dependable guaranteed result in which all output values for the considered parameter set are contained, 100% coverage can be obtained.
3. Affine Arithmetic and Its Use for Modeling Deviations3.1. Affine Arithmetic
Affine Arithmetic (AA) is a range arithmetic that overcomes the error explosion problem of Interval Arithmetic (IA) [36]. AA keeps track of correlations between quantities represented as ranges. This in particular enables application for simulation of control systems. A feedback loop, for instance, can be simulated keeping the correlation of identical ranges. A subtraction of related ranges therefore results in a reduced range avoiding the overapproximation inherent to Interval Arithmetic [29].
An affine expression x~ can be represented as
(1)x~=x0+∑i∈𝒩x~xiεi,εi∈[-1,1],
where a sum of deviation terms ∑i∈𝒩x~xiεi models the impact of independent deviations from the ideal system behavior described with the nominal value x0. The values of deviation symbols εi lie in the range [-1,1] which is scaled by the numerical value xi. Linear mathematical operations in Affine Arithmetic allow accurate symbolic computations and are defined as follows:
(2)x~±y~=(x0±y0)+∑i∈𝒩x~(xi±yi)εi,cx~=cx0+∑i∈𝒩x~cxiεi,
where 𝒩x~ defines a set of natural numbers identifying all deviation terms xiεi in symbol x~. In contrast to linear operations, nonlinear operations introduce an overapproximation of the exact solution, for example, multiplication as follows:
(3)x~·y~∶=(x0·y0)+∑i∈𝒩x~(x0yi+xiy0)εi+rad(x~)·rad(y~)ε𝒩x~+1,
where rad(x~) is equal to ∑i∈𝒩x~|xi| and represents the total deviation of x~. Although the multiplication operation results in an overapproximation, deviations in the result of this operation are traced to deviations contained in the quantities x~ and y~. The overapproximation is contained in residual term.
3.2. Modeling Examples with Affine Arithmetic
In the following we show how to model different deviations. We focus on block-diagram like representations with transfer functions as common in control theory, because this model of computation is generally applicable to a vast set of different domains, including communication systems and electronic circuits. We focus on giving some mathematical background that can be applied in C-language (as in the examples in later sections), but as well, for example, in Matlab/Simulink.
(a) Simple Example—Modeling Gain Variation. To model a gain variation of a block (e.g., a low noise amplifier (LNA)) we assume that the exact gain value is not known but lies in interval [Kmin,Kmax]. The range for K[Kmin,Kmax] can be modeled using Affine Arithmetic as follows:
(4)Knom+εKdev,ε∈[-1,1],
where Knom and Kdev correspond to the center value of the range and the maximum absolute deviation from the center value, respectively. To model the gain variation in the SystemC AMS (used as a simulation environment in this work) that extended with an abstract data type AAF and some constructors for typical deviations, it is only necessary to call the constructor of the amplifier module with Knom and Kdev as the second and the third argument. The first argument is always the name of the module. Therefore, the amplifier can be instantiated by the following line of code:
amp amp_(“amp_”, Knom, Kdev).
(b) Modeling (Parameter) Uncertainties. Modeling uncertainties are due to lack of capturing absolute accurate models of “real” behavior. In order to describe simple modeling uncertainties, a more general model is assumed in which the “real” behavior can be included by parameter variations. As simple example, the following transfer function of a system block will be supposed:
(5)P(s)=1s2+as+1.
Further, it will be supposed that the exact value of the parameter a is not known, but it is known that it lies in interval [amin,amax]. The range for parameter a can be modeled using Affine Arithmetic as
(6)anom+εadev,ε∈[-1,1],
where anom represents the midpoint of the range and adev the maximum absolute deviation from the midpoint. Now the transfer function P(s) can be expressed as
(7)P(s)=Pnom(s)1+εPdev(s)Pnom(s),ε∈[-1,1],
where Pnom(s) represents the nominal model with the parameter value anom as follows:
(8)Pnom(s)=1s2+anoms+1
and Pdev(s) is the deviation function modeled as Pdev(s)=adevs. The system block model with parameter deviation can be represented with the block diagram shown in Figure 2.
Block-diagram level representation of model transfer function with uncertain parameters.
(c) Variation of Time Delay, Jitter. Time delays are often varying, even in digital systems (“jitter”). A time delay can be modeled by the following transfer function:
(9)P(s)=e-τsPnom(s),
where Pnom(s) models an ideal behavior of a block (without time delay) and τ represents a time delay for which it is supposed that its exact value is not known, but it is known that it lies in interval [0,τmax]. The time delay causes deviation of the block from its ideal behavior Pnom(s). This deviation will be modeled using Affine Arithmetic. In order to do this the exponential function e-τs will be approximated using the first-order Taylor polynomial:
(10)e-τs:=e-τnoms+(e-sτ)′1!|τ=τnom*ετdev=e-τnoms+(-s)*e-τnoms*(ετdev),
where τnom represents time delay in ideal conditions whose value is zero. The symbol τdev represents the maximum absolute deviation of time delay from its nominal value, and ε is a real number whose value lies in interval [-1,1]. Substituting τnom=0 in the previous equation we get
(11)e-τs:=1+(-s)*ετdev,ε∈[-1,1].
Since the approximation of the exponential function e-τs with the first-order Taylor polynomial represents the linearization of e-τs around τnom, this polynomial is actually tangent line on the function at point τnom, as it can be seen in Figure 3. Replacing e-τs in (9) with this approximation the transfer function P(s) can be approximated with
(12)P(s):=Pnom(s)(1+(-s)*ετdev)=Pnom(s)(1+εPdev),ε∈[-1,1],
where Pnom(s) models the block ideal behavior and Pdev(s) models the deviation from the ideal behavior. The block diagram corresponding to this model is shown in Figure 4.
Linearization of exponential function e-τ.
Block-diagram representation of model of uncertain delay respectively jitter.
3.3. Abstraction of Accurate Model with Affine Arithmetic
For verification of accurate system models in the presence of parameter deviations, a high number of simulation runs is required to achieve a sufficient verification coverage. To deal with this drawback “semisymbolic” approach based on Affine Arithmetic is introduced. Using this method an abstract system model is created in which the accurate system behavior is included. Concretely, abstraction of system model gets an overapproximation of accurate models and therefore gives a guaranty that if the abstract model satisfies desired specifications, the accurate model will also meet them.
To create the abstract model it will be supposed that there is a small change of the input voltage signal vd around DC operating point (ID, VD) Δvd (see Figure 5(b)). This change will be modeled using Affine Arithmetic as follows:
(13)vd=VD+εΔvd,ε∈[-1,1].
The accurate model of a diode can be described with the following equation:
(14)id=Is(evd/ηVT-1).
To get the abstract model of a diode which is more simple for analysis, the accurate model will be approximated linearizing the nonlinear equation around DC operating point (ID, VD). This linearization will be performed using the first-order Taylor’s series as follows:
(15)id=ID+∂id∂vd(VD)(vd-VD)+lin_error=ID+IseVD/ηVT1ηVTεΔvd+lin_error,ε∈[-1,1],
where the symbol lin_error assigns linearization error which is added to enclose the accurate model in the abstracted one. The absolute value of this error represents the maximum absolute value of the Lagrange remainder:
(16)|lin_error|=max(12|∂2id∂vd2(ξ)|(vd-VD)2)=max(12|∂2id∂vd2(ξ)|)(Δvd2),
where ξ can take any value from ξ∈[VD-Δvd,VD+Δvd]. To include the accurate model, linearization error will be represented as
(17)lin_error=ε′|lin_error|,ε′∈[-1,1].
Forward diode characteristic.
Accurate diode model
Approximation of accurate model
Figure 5(b) shows approximation of nonlinear diode (from Figure 5(a)) at the operating point.
3.4. Time-Domain Properties Modeled with Affine Arithmetic
To analyze system behavior it is necessary to specify values of its properties. In the following there will be given a list of properties in time, but also in frequency domain whose specified values can be modeled using Affine Arithmetic approach.
3.4.1. Settling Time Property
This time is defined as the maximum time necessary for the output signal to settle within the error band, usually symmetrical around the value of the output signal asymptote, from the time at which an ideal step input is applied. The specified values for the settling time and the error band can be modeled with Affine Arithmetic as follows:
(18)spec(ts)=ts2+εts2,ε∈[-1,1],error_band=yasimp+εδ,ε∈[-1,1],
where δ represents an allowed tolerance from the asymptote yasimp.
(d) Operational Range Specification. This property defines allowed swinging in the output voltage, which does not cause a system make distortions on its output. This range will be represented with Affine Arithmetic as
(19)spec(swing)=SW+εβε∈[-1,1],
where SW represents the nominal value of range defining the swing property and β the allowed deviation from the nominal value.
3.5. Frequency-Domain Properties Modeled with Affine Arithmetic
The properties determining system behavior in frequency domain, whose specified values can be modeled with Affine Arithmetic, refer to low pass filter design specifications.
3.5.1. The Allowed Ripple in the Pass Band
This property defines maximum allowed deviation from the DC filter gain S(0). Using Affine Arithmetic this requirement can be represented as
(20)S(f)∈S(0)+εpδp,0≤f≤fp,
where εp∈[-1,1], S(0) is a DC gain in the pass band, δp is the maximum allowed deviation from the DC gain, and fp is the pass band edge frequency.
3.5.2. The Allowed Ripple in the Stop Band
This design specification defines the minimum allowed attenuation in the stop band and can be modeled in the similar way as
(21)S(f)∈δn2+εnδn2,f≥fn,
where εn∈[-1,1], δn represents the minimum attenuation, and fn represents the stop band edge frequency.
4. Semisymbolic Simulation and Assertion-Based Verification
In order to reduce high number of simulation runs required for simulation of systems with parameter variations, semisymbolic simulation is introduced. The idea of this approach is to model parameter deviations using Affine Arithmetic and simulate systems including these deviations. The simulation result is range-based system response which can be obtained in only one simulation run. Semisymbolic simulation can be performed on two levels: system level and circuit level.
4.1. Semisymbolic Simulation on System and Circuit Level
For semisymbolic simulations on system level SystemC AMS environment is used. Affine Arithmetic is implemented in a separate library which is due to SystemC AMS C++ based nature very easily integrated.
Beside system level analog circuits can also be simulated on lower level like transistor level. For this purpose, a semisymbolic circuit simulator has been developed [37]. Circuit simulation is performed in two steps.
A netlist of a simulated system is converted into the according system of differential algebraic equations (DAE) using the Modified-Node-Analysis (MNA):
(22)F(x_(t),x′_(t),p_(t),t)=0_,
where the vector x_(t) represents the vector of time dependable state variables and p_(t) represents the vector of time dependable circuit parameters.
The equation system is passed through a numerical equation solver which performs DC, AC, and Transient Analysis [37]. The solver uses numerical methods as forward, backward Euler or trapezoidal methods to solve the equations.
Since at transistor level analog circuits are usually described with nonlinear differential algebraic equations the numerical solving is followed by linearization of equation system in the operating point with respect to variables and parameters. To deal with affine terms the algorithm [37] with the following steps is applied in the simulator.
In the first step the nominal solution is computed using Newton-Raphson method. In the second step the equation system is linearized in the operating point. Result of linearization is the linear dependency of variables according to the parameter deviations. In the case of linear system with constant parameters and variable inputs the result of linearized equation system is exact affine solution and algorithm ends. As the equation system usually contains nonlinear expressions, the affine solution of the linearized system is usually an underestimation of the exact solution, and therefore it has to be extended to include the exact area. This is done in the third step of algorithm.
4.2. Assertion-Based Verification with Affine Arithmetic
The verification technology proposed in this work is based on assertions which use Affine Arithmetic to model specified values of system properties as ranges. As simulation and verification environment SystemC AMS is used. The assertions representing specifications are verified within simulation run. In the case where the specification is violated the specification violation is reported and simulation run is stopped. To describe specifications with AAF+A, the set of operators defining the syntax of these assertions is used. Table 2 summarizes available operators whose meaning will be briefly described in the following.
AAF+A operators.
AAF+A operators
Symbols
Operator meaning
Arithmetic operators
⊖∈{+,-,*,/,∧}
Symbols for the usual arithmetic operations
Relation operators
∙∈{<,>,≤,≥,==}
The usual relation operations
Logic operators
⊘∈{&&,∥,→}!
Logic and, or, implies not
Affine analog operator
IN
Compares two affine terms a and b
Affine analog frequency operator
AFO∈{FIN,GFIN}min, max
Compares two affine terms a and b within specified frequency interval, FIN assigns eventually; GIN assigns always Min finds frequency component with minimum amplitude value within specified frequency interval; max finds frequency component with maximum amplitude value within specified frequency interval
Slope operator
DV
Calculates slope of a signal
Temporal operators
□∈{G,F}
Always, eventually
Affine analog time interval
Time∈AAF, time=t0+εΔt,t0,Δt∈ℝ
Specified signal time interval of affine analog signal
Verification time interval
[t],t∈ℝ
Specified time within which the assertion is verified
The label AAF in the table assigns the set of affine terms. The set of assertions based on Affine Arithmetic (AAF+A) is comprised of two sets. The first set defines Boolean formulas checking validation of properties in time-domain TBF and the second one in frequency domain FBF. The operators from Table 2, comprising, respectively, the sets TBF and FBF, are given in Table 3.
Time and frequency domain formulas (TBF and FBF).
TBF
FBF
s∙d∈TBF
{GFIN,FIN}(f1,f2,FFT〈N〉(β),γ)∈FBF
s - affine signal, d∈ℝ
f1,f2∈ℝ, N ∈ℕ, β-affine signal, γ∈AAF
DV(s)∙d∈TBF
IN(ζ,ψ)∈FBF
s, affine signal, d∈ℝ
ζ∈FF,ψ∈AAF
IN{[time]}(φ,ϑ)∈TBF
c∙d∈FBF
φ∈{s, DV(s)},time∈AAF,ϑ∈AAF
c∈FF∧d∈ℝ
In order to simplify the description of the FBF set, the new set of frequency formulas FF is introduced. This set is determined with
(23){min,max}{[f1],[f1f2]}(FFT〈N〉(β))∈FF∧{min,max}(FFT〈N〉(β))∈FF,
where {f1,f2}∈ℝ, f1<f2, β is an affine signal, and N is an integer number representing the length of Fast Fourier Transform (FFT). Note that for the operators min, max the frequency interval [f1,f2] or the frequency f2 does not need to be specified. In that case default values for f1 and f2 are 0 Hz and fs/2 (fs represents a sampling frequency), respectively.
The sets TBF and FBF comprise the smallest set of AAF+A as follows:
TBF∪FBF⊂AAF+A,
(α∈AAF+A∧t∈ℝ)→□(α)∈AAF+A∧□[t](α)∈AAF+A,
(α,β∈AAF+A)→α⊘β∈AAF+A∧!(α)∈AAF+A.
The following table (Table 4) gives a brief description of operators given in Table 2. If α and β represent the ranges modeled with Affine Arithmetic, then the operator ≤ in Table 4 assigns that the first range α lies in the second range β (α⊂β). If β is a real value, then this operator assigns that the upper bound of α is lower or equal to the real variable β.
The meaning of operators in AAFA.
Operator
Explanation
IN(s,h)
Satisfied at time t′ in which (s(t′)≤h))
IN[time](s,h)
Satisfied at time t′((t′∈time) in which (s(t′)≤h))
FIN(f1,f2,FFT(s),β)
Satisfied if ∃f∈[f1,f2]⇒FFT(s)(f)≤α
GFIN(f1,f2,FFT(s),β)
Satisfied if ∀f∈[f1,f2]⇒FFT(s)(f)≤α
G{[t]}(h),F{[t]}(h), h∈AAFA+A
Satisfied if the formula h holds always or at least once during simulation, respectively
5. Demonstration Examples
Within this work the applicability of the proposed verification method will be shown through several examples. The examples are chosen to demonstrate ability to handle typical challenges for symbolic simulation like feedback, nonlinearities, and discontinuities. Note that complexity itself is not a challenge by itself. As the first example a closed loop control system composed of a PID controller and a plant is chosen. Its block diagram is shown in Figure 6. Further, as the second example also a feedback system, which needs to set a room temperature to a certain value considering variation in the external temperature, is chosen. The third example through which the performance of the method will be illustrated is a PLL (Phase-Locked Loop) circuit containing the loop and nonlinear elements like a phase detector or a voltage controlled oscillator.
Block diagram of a system with PID controller.
5.1. A Control System including a Parameter Uncertainty of a Plant
For the control system from Figure 6 a plant with the following transfer function will be considered:
(24)P(s)=1s2+as+1,
where for the parameter a it will be supposed that it lies in the interval [0.4,0.8]. This range is modeled using Affine Arithmetic as a=0.6+ε0.2 where ε∈[-1,1].
Substituting the affine form of the parameter a, P(s) can be rewritten as
(25)P(s)=Pnom(s)1+εPdev(s)Pnom(s)ε∈[-1,1],
where Pnom(s)=1/(s2+0.6s+1) and Pdev(s)=0.2s. For a PID controller model it is supposed that a noise filter for the derivative term is included, yielding to the following controller structure:
(26)C(s)=Kp(1+1Tis+Tds(Td/20)s+20),
where the proportional gain Kp is 1.8, the integral time Ti=0.38 s, and the derivative time Td=0.095 s. Between the integral and derivative times the ratio of 4 (Ti=4*Td) is chosen. In [38] it is shown that this ratio is appropriate for many industrial processes.
In order to behave appropriately whether in time or frequency domain, it is required for a control system to satisfy the certain number of specifications. One of the most important specifications on control systems is the stability of the closed loop system. The gain and phase margin of the closed loop system are typical stability criteria. The gain margin is the maximum amount of the gain which is allowed to increase in the loop before a closed loop system becomes unstable, and the phase margin tells how much the phase lag must increase to make the system unstable. Since it is necessary to specify both margins to ensure appropriate behavior of a system, they can be replaced by a single parameter named the stability margin Ms. This parameter is defined as the shortest distance between the Nyqvist curve of the loop transfer function and the critical point −1. This distance is actually the inverse of the maximum sensitivity. The loop transfer function is determined with L(s)=C(s)P(s) where C(s) and P(s) are the controller transfer function and the plant transfer function, respectively. Mathematically, the stability margin can be expressed as
(27)Ms=infω|-1-L(jω)|=infω|1+L(jω)|=[supω|11+L(jω)|]-1=[supω|S(jω)|]-1,
where S(jω)=1/(1+L(jω)) is the sensitivity function. In particular, the sensitivity function represents the disturbances amplification at the output of the plant by the closed loop system. Recommended values for the stability margin Ms lie in the range of [0.5,0.75] [38].
Within this paper it will be verified if the control system meets the stability margin specification. In order to satisfy the stability margin specification the system stability margin must lie in the recommended range. This range representing the specification for Ms will be modeled with Affine Arithmetic:
(28)spec(Ms)=Ms′+εδ,ε∈[-1,1],
where Ms′ represents the center value of the specified range and δ represents the maximum absolute distance from the center value. Concretely, since the specified range is [0.5, 0.75], spec(Ms) is equal to
(29)spec(Ms)=0.625+ε0.125,ε∈[-1,1].
Including the parameter uncertainty in the plant, the stability margin Ms can be rewritten as
(30)Ms=infω(infε|1+C(jω)P(jω)|)=infω(infε|1+C(jω)Pnom(jω)1+εPdev(jω)Pnom(jω)|).
This equation expresses that for every frequency it is necessary to determine the shortest distance of the loop transfer function from the critical point −1. It is very easy to be seen that the shortest distance will be obtained for ε=1, which corresponds to the lower bound of range 1+C(jω)P(jω).
A control system including uncertainties meets the stability margin specification if its stability margin Ms lies in the range [0.5,0.75]. Since Ms is crucial to verify the control system against the given specification, the proposed verification method will use the system given in Figure 7 to calculate the stability margin Ms.
Ms calculation block diagram for parameter uncertainty.
Using the proposed verification method the specification to be verified will be described with AAF+A assertion which will be verified during simulation run. In order to calculate the stability margin following Expression 4 the minimum value of |1+C(s)P(s)| with respect to frequency will be determined. This value can be found using AAF+A frequency operator min. One has
(31)Ms=min(|1+C(jω)P(jω)|)=min(|H(jω|))=min(FFT〈N〉(h(t))),
where h(t) represents the response of the system with transfer function 1+C(jω)P(jω) (Figure 7) on Dirac impulse. The operator FFT assigns the Fast Fourier Transform, and N is the number of points for which the Fourier is calculated. In this work N will be set to 2048.
It is important to note that the values calculated by FFT operator are range-based values, because the uncertainty of the plant model is modeled with Affine Arithmetic. The infimum with respect to frequency can be determined as the minimum of all FFT frequency components min(FFT). The stability margin corresponds to the lower bound of the range representing min(FFT) (ε=1) (Expression 4). As it is said, in order to meet design specification, it is required from the control system that its Ms lies in the specified range spec(Ms). Using the proposed method this requirement can be written as AAF+A assertion which will be verified during simulation as follows:
(32)G(IN(min(FFT〈2048〉(h(t))),0.625+ε0.125)).
This assertion expresses that infimum with respect to frequency determined with min(FFT〈2048〉(h(t)) must always (assigned with operator G) lie in the range modeling the stability margin specification (0.625+ε0.125) during simulation.
5.2. A Room Heating Control System
As the second demonstration example a system which controls a room temperature is chosen. The block diagram of the system is shown in Figure 8.
The block diagram of a room heating control system.
For room modeling the model including the thermal resistance of the wall between the room and the ambient Rra, and the thermal capacitance of the room Cr is used. One part of heat, brought into the room, leaves the room through the resistor with Rra and the other part is stored in the capacitor with thermal capacity Cr. This mathematical model can be described with the following equation:
(33)q=θr-θeRra+Cdθrdt.
Using Laplase transformation the equation can be transformed into
(34)q=θr-θeRra+Csθr,
where q is the heat bringing into the system, θr is the temperature of the room, and θe is the external temperature. To determine the value of the thermal capacitance Cr, the certain number of factors needs to be considered (the heat capacity of the stuff in the room, the air in the room…). Within this work the value Cr=107(J/K) is chosen (Appendix C in [39]). For the thermal resistance Rra the value of Rra=0.0846*10-6(°C/W).
The controller used for this system is a PID controller with the following coefficients:
(35)C(s)=c1+c2s+c3s=0.1*108+0.15*108s+0.15*108s.
According to (34) the room temperature θr can be calculated as
(36)θr=qRra1+sCrRra+θe1+sCrRra.
For the external temperature θe it will be supposed that its value varies and lies in the range [-2,1]. This range will be modeled using Affine Arithmetic as
(37)[-2,1]=-0.5+ε1.5,ε∈[-1,1].
Considering the variation in the external temperature it will be verified
if the room temperature θr within 5 seconds reaches the value varying within 3% of the final value,
if the final value is reached.
These two requirements will be described using Affine Arithmetic Assertions (AAF+A) and verified during simulation. The final value of the temperature is supposed to be 30°C. The assertion corresponding to the first requirement can be written as
(38)F(IN[ts2+ε1ts2](θr,θfinal+ε2δ)→G(IN(θr,θfinal+ε2δ))[ts2+ε1ts2]),
where ts is 5 s, θfinal is 30∘C, and δ=0.03*30=0.9∘C and ε1,ε2∈[-1,1]. The second requirement can be described with the following assertion:
(39)F(θr==30).
The simulation results are given in Table 5 in Section 5.4.
Simulation results.
Example
Time without AAFA (s)
Time with AAFA (s)
Overhead (s)
The control system with parameter uncertainty
17.6
19.5
1.9
The room heating control system
9.3
10.8
1.5
PLL circuit
7.3
Simulation run stopped
—
5.3. A PLL Circuit including Parameter Uncertainties
As the second demonstration example a phased-locked loop (PLL) circuit is chosen. Due to high number of applications phased-locked loops found their place in analog-mixed-signal (AMS) systems. Some of these applications are listed in the following:
in radio transmitters it is used to synthesize frequencies, which are a multiple of a reference frequency;
clock generators which multiply a low-frequency reference clock to higher operating frequencies of microprocessors;
in communication systems for coherent demodulation and demodulation of frequency and phase modulated signals.
In this paper a PLL circuit as a frequency synthesizer is considered. Its block diagram is shown in Figure 9. This PLL model models the behavior of the system in ideal conditions. In reality certain numbers of deviations influence the behavior of the PLL causing design specifications to violate from their values previously defined by design. Since the PLL is often the part of more complex AMS systems (e.g., in the role as a frequency synthesizer it is embedded into communication systems to generate carrier frequencies) it is of a great importance to verify if the desired output behaviour in the presence of parameter deviations is still met. Within this work a time delay of the filter from Figure 9 will be considered and added to the PLL model.
PLL circuit on block level.
As it can be seen from the figure the PLL model is comprised of a frequency detector, a filter, and a voltage controlled oscillator (VCO). The filter with the following transfer function is used:
(40)Hf(s)=Kf(bs+1)ase-τs,
where Kf is the filter gain, and within this work it will be supposed that its value is one. For parameters a and b the values 2e-3 and 680*0.5*10-6 are supposed, respectively. The parameter τ represents time delay of the filter, and for this example it will be supposed that its value lies in the range [0,100μs]. In Section 3.2 it is shown that time delay causes deviation from the nominal filter behavior approximating the filter transfer function Hf(s) with
(41)Hf(s):=Hf,nom(s)(1+(-s)*ετdev)=Hf,nom(s)(1+εHf,dev)ε∈[-1,1],
where Hf,nom represents the filter transfer function in ideal conditions (time delay τ is zero). Substituting the values for parameters Kf, a, and b, Hf,nom can be rewritten to
(42)Hf,nom(s)=(680*0.5*10-6s+1)2*10-3s.
The parameter τdev represents the maximum value of time delay which is for this example 100μs. The block diagram of the PLL model considering the filter time delay is shown in Figure 10.
PLL model with the filter time delay.
For this PLL model it will be verified if the lock time of the PLL to switch from one frequency to within 5 kHz of another frequency is not greater than 1 ms. The PLL parameters such as fstep, the minimum obtained value of the output frequency fo,min and the maximum obtained value of the output frequency fo,max, are supposed to be 100 KHz, 2 MHz, and 3 MHz, respectively. The detector gain Kd and the gain of the voltage controlled oscillator Kv are supposed to be
(43)Kd=0.111Vrad,Kv=11.2*106radVs.
The loop gain of the system from Figure 10 is equal to
(44)L(s)=Kds*Hf(s)*Kv*1N.
From this formula it can be seen that for the maximum ratio of a programmable counter the loop gain will have the minimum value causing maximum lock time. Thus, only this ratio value will be considered. For considered PLL circuit this value is equal to
(45)Nmax=fo,maxfstep=3MHz100kHz=30.
Using the verification method proposed in this work the specification to be verified will be described with AAF+A assertion. This assertion will be verified during simulation as follows:
(46)F(IN[ts2+ε1ts2](fo,fsteady+ε2δ)→G(IN(fo,fsteady+ε2δ))[ts2+ε1ts2]),
where the values of ε1 and ε2 lie in the range [-1,1]. The operator F in the assertion assigns that the output frequency fo must eventually within the settling time ts enter the error band around the value of the steady state fsteady+ε2δ and stay there (assigned with operator G).
We consider only the maximum ratio of the programmable counter, and therefore the frequency value in the steady state is fsteady=N*fstep=30*100KHz=3MHz. The other parameters are according to desired specification equal to
(47)ts=1ms,δ=5kHz.
Substituting these values in the previous assertion we have
(48)F(IN[0.5*10-3+ε10.5*10-3](fo,3*106+ε25*103)F→G(IN(fo,3*106+ε25*103))).
5.4. Experimental Results
The SystemC AMS is used as simulation and verification environment. The control system considering the filter parameter uncertainty was simulated and verified for 106 s with the sampling rate Ts=1 s. The specification (Assertion 6) passed and the stability margin calculated for the control system is shown in Figure 11. The symbol k in the figure assigns the k frequency component of Fast Fourier Transform which was used to determine the stability margin with respect to frequency.
Simulation results. The stability margin of the control system Ms and the room temperature θr.
Using the sampling period Ts=0.5s the heating control system was simulated for 2*105s. The system met desired requirements and both assertions (Assertions 8 and 9) passed. The signal representing the room temperature θr is shown in Figure 11.
The PLL circuit was simulated and verified for 20 s with the sampling period Ts=0.1ms. It was verified if the lock time of the PLL to switch from 2.9 MHz to within 5 kHz of 3 MHz is less than 1 ms. The Assertion 10 failed, and simulation run was stopped reporting the information about the specification violation. The fact that the PLL output frequency did not (within 1ms) set to the desired value within the specified tolerance does not imply that it will not do so after some time. To prove this the PLL simulation result is given in Figure 12.
The PLL output frequency.
Since the assertion failed and the simulation run was stopped, the PLL response from Figure 12 is the result of simulation in the case where the assertion is omitted. From the figure it can be concluded that the output frequency converges to its final value and deviated terms converge to zero. This fact is one of the main advantages of the Affine Arithmetic approach. Its ability to identify the correlation between system quantities reaches its maximum in the systems with feedback loops like the case with our demonstration examples.
Hence, even in the case where the loop contains the nonlinear elements the additional terms (which are the result of overapproximation introduced by nonlinear operations) will have negligible values, and the output will converge to its finite value. To free the memory of unnecessary variables, the authors in [28] propose the (cleanup) method. Concretely, all terms under some user specified value are replaced with only two symbols, the one representing the sum of all terms with a positive and the other with a negative sign. In this way the safe inclusion of the result is kept, and the number of terms is drastically decreased.
Table 5 summarizes the simulation times necessary for all designs in the case where AAF+A assertions were included into design simulation and when they were omitted. It can be noted that in the case where the assertions were satisfied, the proposed verification method generated additional simulation time, but the overhead was not high.
The simulation time of the PLL in the case where the assertion was embedded into simulation was omitted. The reason lies in the fact that the assertion failed stopping the simulation process, and hence the time required for simulation was much lower than for the case in which the assertion was not included.
6. Conclusion and Future Work
This work introduces a methodology that enables verification of analog/mixed-signal systems including deviations. The verification method is combined with symbolic simulation which generates the worst case dependable response adding deviations to a system model and modeling them as ranges. Since the generated output behaviour contains all possible traces for the considered parameter set the proposed assertion-based technology can provide formal verification result using simulation-based techniques. The assertions use Affine Arithmetic to model allowed or forbidden areas of typical system properties as ranges. The specified ranges are further combined with Boolean logic, frequency operators, and temporal logic which allows us to verify the system behaviour in time, but also in the frequency domain. The assertions are embedded into simulation, and as soon as the assertion violation is detected, the simulation run is stopped, and information about the assertion harm is reported.
Overapproximation is a challenge that can become a problem for strongly nonlinear systems. The first step to deal with this problem was proposed in [28] and found its applicability in the systems containing the loops. The further step towards the problem solution is to modify Affine Arithmetic in the way that we keep the second order terms in symbolic representation and in this way that we reduce overapproximation.
Furthermore, the AAF+A assertions (Table 2) will be extended from rather formal operators to libraries of application-specific properties that are close to requirement specifications found in various application domains. Also, the method up to now verifies the system against the specifications for which time and frequency requirements must be known in advanced. One interesting direction in the future would be to extend the method to extract the information about lower and upper bounds of time or frequency for which the system behaviour is still desirable under the considered set of deviated parameters.
Acknowledgment
This work has been funded by the Vienna Science and Technology Fund (WWTF) through Project ICT08_012.
RubinsteinR. Y.HocevarD. E.LightnerM. R.TrickT. N.Study of variance reduction techniques for estimating circuit yieldsAntreichK.GräbH.WieserC.Practical methods for worst-case and yield analysis of analog integrated circuitsRafailaM.GrimmC.DeckerC.PelzG.Sequential design of experiments for effective model-based validation of electronic control unitsBranickyM. S.CurtissM. M.LevineJ. A.MorganS. B.RRTs for nonlinear, discrete, and hybrid planning and controlProceedings of the 42nd IEEE Conference on Decision and ControlDecember 20036576632-s2.0-1542359087BhatiaA.FrazzoliE.Incremental search methods for reachability analysis of continuous and hybrid systems2993Proceedings of the International Workshop Hybrid Systems: Computation and Control (HSCC '04)2004Springer142156Lecture Notes in Computer ScienceJuliusA.FainekosG.AnandM.LeeI.PappasG.Robust test generation and coverage for hybrid systems4416Proceedings of the International Workshop Hybrid Systems: Computation and Control (HSCC '07)2007Springer329342Lecture Notes in Computer ScienceEspositoJ. M.Randomized test case generation for hybrid systems: metric selectionProceedings of the 36th Southeastern Symposium on System Theory2004236240ZhaoQ.KroghB. H.HubbardP.Generating test inputs for embedded control systemsKapinskiJ.KroghB. H.MalerO.StursbergO.On Systematic simulation of open continuous systems2623Proceedings of the International Workshop Hybrid Systems: Computation and Control (HSCC '03)2003Springer283297Lecture Notes in Computer ScienceGirardA.PappasG.Verification using simulation3927Proceedings of the International Workshop Hybrid Systems: Computation and Control (HSCC '06)2006Springer272286Lecture Notes in Computer ScienceChutinanA.KroghB. H.Computing polyhedral approximations to flow pipes for dynamic systemsProceedings of the 37th IEEE Conference on Decision and Control (CDC '98)December 1998208920942-s2.0-0032266345KurzhanskiA. B.VaraiyaP.Ellipsoidal techniques for reachibility analysis1790Proceedings of the International Workshop Hybrid Systems: Computation and Control (HSCC '00)2000Springer202214Lecture Notes in Computer SciencePrajnaS.JadbabaieA.Safety verification of hybrid systems using barrier certificates2993Proceedings of the International Workshop Hybrid Systems: Computation and Control (HSCC '04)2004Springer477492Lecture Notes in Computer ScienceClarkeE. M.GrumbergO.PeledD. A.BurchJ. R.ClarkeE. M.McMillanK. L.DillD. L.HwangL. J.Symbolic model checking: 1020 states and beyondClarkeE.GrumbergO.LongD.Verification tools for finite-state concurrent systems803Proceedings of the Decade of Concurrency, Reflections and Perspectives1994Springer124175Lecture Notes in Computer ScienceMalerO.BattG.Approximating continuous systems by timed automata5054Proceedings of the 1st international workshop on Formal Methods in Systems Biology (FMSB '08)2008SpringerLecture Notes in Computer ScienceStursbergO.KowalewskiS.EngellS.On the generation of timed discrete approximations for continuous systemsStursbergO.KowalewskiS.EngellS.Timed approximations of hybrid processes for controller verificationProceedings of the 1st IFAC Conference on Analysis and Design of Hybrid Systems2003289295AlurR.HenzingerT. A.LafferriereG.PappasG. J.Discrete abstractions of hybrid systemsHenzingerT.Wong-ToiH.Linear phase-portrait approximations for nonlinear hybrid systems1066Proceedings of the Hybrid Systems III: Verification and Control1996Springer377388Lecture Notes in Computer ScienceHartongW.HedrichL.BarkeE.Model checking algorithms for analog verificationProceedings of the 39th Annual Design Automation Conference (DAC '02)June 20025425472-s2.0-0036049096GrabowskiD.PlatteD.HedrichL.BarkeE.Time constrained verification of analog circuits using model-checking algorithmsHartongW.HedrichL.BarkeE.On discrete modelling and model checking of nonlinear analog systemsProceedings of the 14th International Conference on Computer Aided Verification (CAV ’02)2002401413LämmermannS.JesserA.RathgeberM.RufJ.HedrichL.KropfT.RosenstielW.Checking heterogeneous signal characteristics applying assertion-based verificationProceedings of the Frontiers in Analog Circuit Verification (FAC '09)2009Grenoble, FrancePnueliA.MalerO.Extending PSL for analog circuits2005PROSYD Deliverable D 1.3/1HeupkeW.GrimmC.WaldschmidtK.Semi-symbolic simulation of nonlinear systemsProceedings of the Forum on Specification and Design Languages (FDL '05)September 2005Lausanne, SwitzerlandECSIGrimmC.HeupkeW.WaldschmidtK.Refinement of mixed-signal systems with affine arithmeticProceedings of the Design, Automation and Test in Europe Conference and Exhibition (DATE '04)February 2004IEEE Press3723772-s2.0-304265860810.1109/DATE.2004.1268875GrimmC.HeupkeW.WaldschmidtK.Analysis of mixed-signal systems with affine arithmeticGrabowskiD.OlbrichM.GrimmC.BarkeE.Range arithmetics to speed up reachability analysis of analog systemsProceedings of the Forum on Specification, Verification and Design Languages (FDL '07)2007Barcelona, SpainFemiaN.SpagnuoloG.True worst-case circuit tolerance analysis using genetic algorithms and affine arithmeticLemkeA.HedrichL.BarkeE.Analog circuit sizing based on formal methods using affine arithmeticProceedings of the IEEE/ACM International Conference on Computer Aided Design (ICCAD '02)November 20024864892-s2.0-003691723610.1145/774572.774643FangC. F.RutenbarR. A.PüschelM.ChenT.Toward efficient static analysis of finite-precision effects in DSP applications via affine arithmetic modelingProceedings of the 40th Design Automation Conference (DAC '03)June 20034965012-s2.0-0042635701FangC. F.ChenT.RutenbarR. A.Floating-point error analysis based on affine arithmetic2Proceedings of IEEE International Conference on Accoustics, Speech, and Signal Processing (ICASSP ’03)April 20035615642-s2.0-0141607895MooreR. E.GrabowskiD.OlbrichM.BarkeE.Analog circuit simulation using range arithmeticsProceedings of the Asia and South Pacific Design Automation Conference (ASP-DAC '08)March 2008Seoul, KoreaIEEE Computer Society Press7627672-s2.0-4954910394010.1109/ASPDAC.2008.4484053ÅströmK. J.HägglundT.Ryder-CookD.Thermal modelling of buildings2009University of Cambridge