[PPT] - Formal Verification of Analog Designs using MetiTarski William PowerPoint Presentation

SLIDE 1

Formal Verification of Analog Designs using MetiTarski

William Denman, Behzad Akbarpour, Sofiène Tahar1 Mohamed H. Zaki2 Lawrence C. Paulson3

1Concordia University, Montreal, Canada 2University of British Columbia, Vancouver, Canada 3University of Cambridge, United Kingdom

FMCAD’09 November 17th, 2009

SLIDE 2

2 / 36 FMCAD’09 William Denman

Should we care about formal verification for analog circuits?

Yes! Not really… Verifiers / Researchers Designers Common motivation

SLIDE 3

3 / 36 FMCAD’09 William Denman

Some interesting statistics [IBS Corporation]

– Analog Circuitry 2% of the transistor count – 20% of the IC Area – 40% of the design Effort

Analog verification continues to be a

serious bottleneck

50% of the errors that require re-design are from analog circuitry

SLIDE 4

4 / 36 FMCAD’09 William Denman

Challenges

– Infinite/Continuous state space – Infinite time – PVT : Sensitivity to process variation, voltage, temperature – Non-linear behaviour

We propose

– A time unbounded verification – Using MetiTarski : An Automated Theorem Prover

Formal Verification for Analog Circuits?

SLIDE 5

5 / 36 FMCAD’09 William Denman

Motivation
Related Work
Proposed Methodology
Brief Introduction to MetiTarski
Illustrative Example
Conclusion
Future Plans

SLIDE 6

6 / 36 FMCAD’09 William Denman

Balivada [1995]

– Discretization of a circuit’s transfer function to the Z-domain – Apply digital based equivalence checking techniques

Hartong, Klausen and Hedrich [2004]

– From analog circuit transfer functions – Verify dynamic behaviour of the specification and implementation state spaces.

Model Checking/

Reachability Analysis Proof Based Equivalence Checking

Presence of tolerance margins

SLIDE 7

7 / 36 FMCAD’09 William Denman

Kurshan and McMillan [1991]

– State space subdivision of transistor behaviour – Predict possible transitions between states

Gupta [2004] , Dang [2006], Frehse [2006], Little

[2006], Greenstreet [2007]

– Reachability relations using projection techniques – Over-approximation, but verification still sound Possible Time Bounded Verification

Model Checking/

Reachability Analysis Proof Based Equivalence Checking

SLIDE 8

8 / 36 FMCAD’09 William Denman

Ghosh and Vemuri [1999]

– PVS used to prove functional equivalence between models – Specification built in VHDL-AMS – Approximated DC models

Hanna [2000]

– Predicates defining voltage and current behaviour – Theorem Proving used – Conservative approximation

Model Checking/

Reachability Analysis Proof Based Equivalence Checking

Manual/Heuristic steps

SLIDE 9

9 / 36 FMCAD’09 William Denman

Motivation
Related Work
Proposed Methodology
Brief Introduction to MetiTarski
Illustrative Example
Conclusion
Future Plans

SLIDE 10

10 / 36 FMCAD’09 William Denman

Analog

Circuit Closed Form Solution Specification Inequality MetiTarski Range Reduction

Property Verified True

Property of Interest Add Axioms Does not terminate Does not terminate Proof generated

SLIDE 11

11 / 36 FMCAD’09 William Denman

Analog circuit specification

– Circuit must oscillate – Gain for certain frequency range

Isolate the property

– Oscillation : Is it present? – Gain : 3dB Bandwidth

Inequality

– Voltage < Upper threshold – Gain > Minimum Required Value

Specification

Inequality Property of Interest

SLIDE 12

12 / 36 FMCAD’09 William Denman

Analog circuit

– Differential equations – Kirchoff law Equations

Closed Form Solution

– Bounded number of analytical functions – No differential operators – Not always easy to obtain

Analog

Circuit Closed Form Solution

SLIDE 13

13 / 36 FMCAD’09 William Denman

Automated Theorem Proving

– The axioms are specific mathematical facts – Bounding properties – Definition of functions

Range Reduction

– Functions are not defined over all ranges – Large bounds cause proof to never end – Apply basic trigonometric identities

Range

Reduction Add Axioms

) 2 sin( ) sin( ) 2 cos( ) cos( π π + = + = x x x x

SLIDE 14

14 / 36 FMCAD’09 William Denman

Motivation
Related Work
Proposed Methodology
Brief Introduction to MetiTarski
Illustrative Example
Conclusion
Future Plans

SLIDE 15

15 / 36 FMCAD’09 William Denman

Developed by Akbarpour and Paulson [‘07]

– Automated Theorem Prover – Transcendental functions (sine, cosine, ln, exp, etc.) – Square Root

Theory behind the tool

– Resolution prover combined with a decision procedure – Decidability of real closed fields (RCF) by Tarski – Function families of upper and lower bounds by Daumas and others

SLIDE 16

16 / 36 FMCAD’09 William Denman

Metis QEPCAD-B Resolution Theorem Prover Decision Procedure MetiTarski

SLIDE 17

17 / 36 FMCAD’09 William Denman

QEPCAD-B

– Advanced implementation of cylindrical algebraic decomposition – Best available decision procedure for RCF – Eliminates quantifiers from a formula reduces to

.

2

= + + ∃ c bx ax x

) ( ) ( ) 4 (

2

= = = ∨ ≠ ∧ = ∨ ≥ − ∧ ≠ c b a b a ac b a

SLIDE 18

18 / 36 FMCAD’09 William Denman

Assuming
We are given a function containing exp(x)

– Upper bound axiom is – Will usually need more than one axiom

120

60 12 ) 120 60 12 (

2 3 2 3

− + − + + + − x x x x x x

4 ≤ ≤ x

SLIDE 19

19 / 36 FMCAD’09 William Denman

Motivation
Related Work
Proposed Methodology
Brief Introduction to MetiTarski
Illustrative Example
Conclusion
Future Plans

SLIDE 20

20 / 36 FMCAD’09 William Denman

PWL: Simplest class of nonlinear circuits
Behaviour can be reasonably approximated

. 1 723 . 723 . 276 . 276 . < ≤ ≤ < ≤ ≤

C C C

V V V

SLIDE 21

21 / 36 FMCAD’09 William Denman

ODEs

Piecewise ODEs Transition Relations Initial Conditions MAPLE M1 MetiTarski M2 M3

Modes of operation

SLIDE 22

22 / 36 FMCAD’09 William Denman

Using a computer algebra system
Piecewise ODEs

– Separate behaviour of the component into modes

Transition relations

– Determined by the piecewise model

Initial Conditions

– Dependant on the system specification

Piecewise

ODEs Transition Relations Initial Conditions

SLIDE 23

23 / 36 FMCAD’09 William Denman

Closed form solution

for each mode

Procedure followed

until each mode visited

ODEs Mode N Initial Conditions Maple Invlaplace Closed Form Solution Maple Fsolve Switching Time Maple Eval Initial Conditions Mode N+1

SLIDE 24

24 / 36 FMCAD’09 William Denman

Starting with the ODEs of the system
ID(VC) is the current through the tunnel diode
Inverse Laplace transform taken to get closed

form solutions in each mode

SLIDE 25

25 / 36 FMCAD’09 William Denman

Using the produced solution

– Fsolve used to compute time when switches modes – Mode 1 -> Mode 2 : VD > 0.276

Initial conditions determined

– Take solution from Fsolve – Use Eval to evaluate function values

Continue until each mode visited

SLIDE 26

26 / 36 FMCAD’09 William Denman

Choose the property of interest

– Reason about oscillation – Reason about bounded behaviour

Turn into an inequality

– Non-oscillation : IL will never pass an upper bound – Bounded Behaviour : IL and VC will remain bounded

Input into MetiTarski

!"

SLIDE 27

27 / 36 FMCAD’09 William Denman

Transform inequality into the MetiTarski syntax
Remember: each mode must be checked
For All

Mode Switch Time Closed form solution Property inequality Time in a specific mode

SLIDE 28

28 / 36 FMCAD’09 William Denman

Property 1

– Non-Oscillation

In each mode upper threshold not passed

– IL : Current through the inductor

SLIDE 29

29 / 36 FMCAD’09 William Denman

Property 2 – Bounded Behaviour
In each mode

the current and voltage are bounded

Necessary to

add axioms in 2 cases.

SLIDE 30

30 / 36 FMCAD’09 William Denman

Recall the property

!

IL will never pass an upper bound

Non Oscillation

SLIDE 31

31 / 36 FMCAD’09 William Denman

Applied methodology to a basic OP-AMP
Required additional method to obtain a closed

form solution.

SLIDE 32

32 / 36 FMCAD’09 William Denman

Motivation
Related Work
Proposed Methodology
Brief Introduction to MetiTarski
Illustrative Example
Conclusion
Future Plans

SLIDE 33

33 / 36 FMCAD’09 William Denman

Developed a methodology for the automated

verification of analog designs

– Algebra system steps are semi-automated, but mechanical in nature – MetiTarski completely automated – Most proofs complete quickly

Applied to several analog circuits

– Interesting and complex behaviour – Two different methods for closed form solutions

#

SLIDE 34

34 / 36 FMCAD’09 William Denman

Computing Closed Form Solutions

– Investigate methods for solving nonlinear ODEs

Scale to Larger Problems

– Efficient methods for calculating piecewise linear functions – Apply methodology to more precise models

"

SLIDE 35

35 / 36 FMCAD’09 William Denman

Formal Verification of Analog Designs using MetiTarski

William Denman, Behzad Akbarpour, Sofiène Tahar1 Mohamed H. Zaki2 Lawrence C. Paulson3

FMCAD’09 November 17th, 2009

Yes! Not really… Verifiers / Researchers Designers Common motivation

– Analog Circuitry 2% of the transistor count – 20% of the IC Area – 40% of the design Effort

serious bottleneck

50% of the errors that require re-design are from analog circuitry

– Infinite/Continuous state space – Infinite time – PVT : Sensitivity to process variation, voltage, temperature – Non-linear behaviour

– A time unbounded verification – Using MetiTarski : An Automated Theorem Prover

– Discretization of a circuit’s transfer function to the Z-domain – Apply digital based equivalence checking techniques

– From analog circuit transfer functions – Verify dynamic behaviour of the specification and implementation state spaces.

Reachability Analysis Proof Based Equivalence Checking

Presence of tolerance margins

– State space subdivision of transistor behaviour – Predict possible transitions between states

[2006], Greenstreet [2007]

– Reachability relations using projection techniques – Over-approximation, but verification still sound Possible Time Bounded Verification

Reachability Analysis Proof Based Equivalence Checking

– PVS used to prove functional equivalence between models – Specification built in VHDL-AMS – Approximated DC models

– Predicates defining voltage and current behaviour – Theorem Proving used – Conservative approximation

Reachability Analysis Proof Based Equivalence Checking

Manual/Heuristic steps

Circuit Closed Form Solution Specification Inequality MetiTarski Range Reduction

Property of Interest Add Axioms Does not terminate Does not terminate Proof generated

– Circuit must oscillate – Gain for certain frequency range

– Oscillation : Is it present? – Gain : 3dB Bandwidth

– Voltage < Upper threshold – Gain > Minimum Required Value

Inequality Property of Interest

– Differential equations – Kirchoff law Equations

– Bounded number of analytical functions – No differential operators – Not always easy to obtain

Circuit Closed Form Solution

– The axioms are specific mathematical facts – Bounding properties – Definition of functions

– Functions are not defined over all ranges – Large bounds cause proof to never end – Apply basic trigonometric identities

Reduction Add Axioms

) 2 sin( ) sin( ) 2 cos( ) cos( π π + = + = x x x x

– Automated Theorem Prover – Transcendental functions (sine, cosine, ln, exp, etc.) – Square Root

– Resolution prover combined with a decision procedure – Decidability of real closed fields (RCF) by Tarski – Function families of upper and lower bounds by Daumas and others

Metis QEPCAD-B Resolution Theorem Prover Decision Procedure MetiTarski

– Advanced implementation of cylindrical algebraic decomposition – Best available decision procedure for RCF – Eliminates quantifiers from a formula reduces to

2

= + + ∃ c bx ax x

) ( ) ( ) 4 (

= = = ∨ ≠ ∧ = ∨ ≥ − ∧ ≠ c b a b a ac b a

– Upper bound axiom is – Will usually need more than one axiom

60 12 ) 120 60 12 (

− + − + + + − x x x x x x

4 ≤ ≤ x

. 1 723 . 723 . 276 . 276 . < ≤ ≤ < ≤ ≤

V V V

Piecewise ODEs Transition Relations Initial Conditions MAPLE M1 MetiTarski M2 M3

Modes of operation

– Separate behaviour of the component into modes

– Determined by the piecewise model

– Dependant on the system specification

ODEs Transition Relations Initial Conditions

for each mode

until each mode visited

ODEs Mode N Initial Conditions Maple Invlaplace Closed Form Solution Maple Fsolve Switching Time Maple Eval Initial Conditions Mode N+1

form solutions in each mode

– Fsolve used to compute time when switches modes – Mode 1 -> Mode 2 : VD > 0.276

– Take solution from Fsolve – Use Eval to evaluate function values

– Reason about oscillation – Reason about bounded behaviour

– Non-oscillation : IL will never pass an upper bound – Bounded Behaviour : IL and VC will remain bounded

!"

Mode Switch Time Closed form solution Property inequality Time in a specific mode

– Non-Oscillation

– IL : Current through the inductor

the current and voltage are bounded

add axioms in 2 cases.

!

IL will never pass an upper bound

Non Oscillation

form solution.

verification of analog designs

– Algebra system steps are semi-automated, but mechanical in nature – MetiTarski completely automated – Most proofs complete quickly

– Interesting and complex behaviour – Two different methods for closed form solutions

#

– Investigate methods for solving nonlinear ODEs

– Efficient methods for calculating piecewise linear functions – Apply methodology to more precise models

"

$%