Verification of Delta Form Realization in Fixed-Point Digital - - PowerPoint PPT Presentation

Verification of Delta Form Realization in Fixed-Point Digital Controllers Using Bounded Model Checking

Iury V. Bessa, Hussama I. Ibrahim, Lucas C. Cordeiro, and João E. C. Filho iurybessa@ufam.edu.br

Application of a Digital Controller to a Power DC-DC Converter

• Digital controllers have become pervasive in power eletronics

applications

• Despite several advantages, they present some limitations for these

applications

Motivation Controllers DCVerifier Evaluation Conclusions

The desired setpoint may not be a representable value due to the quantization effects

SBESC 2014 2

• Limit Cycle (LC) oscillations require high effort from engineers
• Round-off errors in products or overflows in sums may cause oscillations
• The output voltage might present an undesireble oscillation

Motivation Controllers DCVerifier Evaluation Conclusions

SBESC 2014 3

Limit cycle

• scillations

The desired setpoint may not be a representable value due to the quantization effects

Application of a Digital Controller to a Power DC-DC Converter

• More energy losses and short silicon lifespan
• LC’s are actually verified trough time-domain simulations

‒ This is an inefficient method since it is time-consuming and not conclusive

Motivation Controllers DCVerifier Evaluation Conclusions

SBESC 2014 4

Limit cycle

• scillations

The desired setpoint may not be a representable value due to the quantization effects

Application of a Digital Controller to a Power DC-DC Converter

Bounded Model Check (BMC)

• Basic Idea: given a transition system M, check negation of a given

property φ up to given depth k

• Translated into a VC ψ such that: ψ is satisfiable iff φ has

counterexample of max. depth k

• BMC has been applied successfully to verify (embedded) software since

early 2000’s, but it has not been used to verify digital controllers . . .

M0 M1 M2 Mk-1 ¬ϕ0 ¬ϕ1 ¬ϕ2 ¬ϕk-1 ¬ϕk ∨ ∨ ∨ ∨

Counterexample trace Transition System Property Bound

Mk

SBESC 2014 5

Motivation Controllers DCVerifier Evaluation Conclusions

Objectives of this work

• Investigate the FWL effects in fixed-point digital controllers

implementation via a BMC tool

• Propose a methodology for digital controllers implementation with

the aid of a BMC tool: the DCVerifier

• Verification engine: ESBMC (Efficient SMT-based Context-

Bounded Model Checker)

• Check the perfomance of the delta implementations
• Verify overflows, limit cycles, time constraints, stability, and mimimum

phase in digital controllers

Motivation Controllers DCVerifier Evaluation Conclusions

SBESC 2014 6

Perform BMC of digital controllers implemented in direct and delta forms

Digital Controllers Implementation Forms

• Digital controllers implementation forms:

‒ Direct form ‒ Companion form ‒ Jordan form ‒ Diagonal form ‒ Ladder form ‒ Delta form

• Direct Forms

‒ DFI ‒ DFII ‒ DTFII

SBESC 2014 7

Motivation Controllers DCVerifier Evaluation Conclusions

float controller() { float yn=0; for (int k=0; k<M; k++) { yn += *b++ * *x--; } for (int k=1; k<N; k++) { yn-= *a++ * *y--; } return yn; }

Some advantages of the delta form

• Delta forms:

‒ DDFI ‒ DDFII ‒ DDTFII

• Literature indicates that

there is a close connection between digital delta form and the continuous controller

• Better numericals

properties

• Reduced round-off errors

SBESC 2014 8

Motivation Controllers DCVerifier Evaluation Conclusions

Output Time

Digital Controllers Implementation Aspects

• Reduced dynamical range
• Quantization effects (FWL):

‒ Overflows: occurs when a sum or product exceeds the maximum representable value ‒ Limit Cycles: oscillations in output that keep a constant input due to round-offs and overflows ‒ Output errors: the response presents deviations from the expected value

• Time constraints
• Coefficients round-off:

‒ Poles and zeros sensitivity: dynamical behavior changes ‒ Stability issue

SBESC 2014 9

Motivation Controllers DCVerifier Evaluation Conclusions

Digital Controllers Verification Paradigm

• Common techniques to avoid problems:

‒ Scaling: may prevent overflows, but enhances the output error ‒ Resolution changes (number of bits): boosts the precision, reducing errors and preventing LC ‒ Linear and non-linear compesations: an aditional control loop may rectify the LCs ‒ Non-fragile Control: the deviations of FWL effects are considered in design as uncertains, and the designed controller should be robust to them

• Digital controllers implementation validation:

‒ Based on simulations and tests ‒ Consume a lot of effort and time ‒ Cannot cover all the possibilities

SBESC 2014 10

Motivation Controllers DCVerifier Evaluation Conclusions

DCVerifier: Digital Controllers Implementation with Bounded Model Checking

Controller Design Define Representation Define Realization Form Configure Verifications Verify Using a BMC tool Property Violation?

Motivation Controllers DCVerifier Evaluation Conclusions

Counterexample

NO YES

SBESC 2014 11

SUCCESS

Controller Design Define Representation Define Realization Form Configure Verifications Verify Using a BMC tool Property Violation? Counterexample

NO YES

Using prefered tools and methods

SBESC 2014 12

Motivation Controllers DCVerifier Evaluation Conclusions

DCVerifier: Digital Controllers Implementation with Bounded Model Checking

SUCCESS

Controller Design Define Representation Define Realization Form Configure Verifications Verify Using a BMC tool Property Violation? Counterexample

NO YES

Fixed-point format <k,l>, k bits for the integer part and l bits for the fractional part

SBESC 2014 13

Motivation Controllers DCVerifier Evaluation Conclusions

DCVerifier: Digital Controllers Implementation with Bounded Model Checking

SUCCESS

DCVerifier: Digital Controllers Implementation with Bounded Model Checking

Controller Design Define Representation Define Realization Form Configure Verifications Verify Using a BMC tool Property Violation? Counterexample

NO YES

DFI, DFII, DTFII, DDFI, DDFII, and DDTFII

SBESC 2014 14

Motivation Controllers DCVerifier Evaluation Conclusions

SUCCESS

Controller Design Define Representation Define Realization Form Configure Verifications Verify Using a BMC tool Property Violation? Counterexample

NO YES

Verification setups: maximum verification time, assertions, test case, and hardware specifications

SBESC 2014 15

Motivation Controllers DCVerifier Evaluation Conclusions

DCVerifier: Digital Controllers Implementation with Bounded Model Checking

SUCCESS

Controller Design Define Representation Define Realization Form Configure Verifications Verify Using a BMC tool Property Violation? Counterexample

NO YES

e.g., ESBMC

SBESC 2014 16

Motivation Controllers DCVerifier Evaluation Conclusions

DCVerifier: Digital Controllers Implementation with Bounded Model Checking

SUCCESS

Controller Design Define Representation Define Realization Form Configure Verifications Verify Using a BMC tool Property Violation? Counterexample

NO YES

SBESC 2014 17

Motivation Controllers DCVerifier Evaluation Conclusions

DCVerifier: Digital Controllers Implementation with Bounded Model Checking

SUCCESS

Controller Design Define Representation Define Realization Form Configure Verifications Verify Using a BMC tool Property Violation? Counterexample

NO YES

SBESC 2014 18

Motivation Controllers DCVerifier Evaluation Conclusions

DCVerifier: Digital Controllers Implementation with Bounded Model Checking

SUCCESS

Controller Design Define Representation Define Realization Form Configure Verifications Verify Using a BMC tool Property Violation? Counterexample

NO YES

Sequence of inputs and states that leads to a failure. May be reproduced in a simulation tool

SBESC 2014 19

Motivation Controllers DCVerifier Evaluation Conclusions

DCVerifier: Digital Controllers Implementation with Bounded Model Checking

SUCCESS

Controller Design Define Representation Define Realization Form Configure Verifications Verify Using a BMC tool Property Violation? Counterexample

NO YES

Re-choose the numeric format and/or realization form

SBESC 2014 20

Motivation Controllers DCVerifier Evaluation Conclusions

DCVerifier: Digital Controllers Implementation with Bounded Model Checking

SUCCESS

Controller Design Define Representation Define Realization Form Configure Verifications Verify Using a BMC tool Property Violation? SUCCESS Counterexample

NO YES

Re-design the controller, in the worst case

SBESC 2014 21

Motivation Controllers DCVerifier Evaluation Conclusions

DCVerifier: Digital Controllers Implementation with Bounded Model Checking

SBESC 2014 22

Motivation Controllers DCVerifier Evaluation Conclusions

DCVerifier usage example

Controller Design

• =

. .

Define Representa tion

• < 3,12 >:3 bits

for integer part and 15 bits for fractional part Define Realization Form

• DFII

Configure Verification

• Verify overflow
• Verification

time:3600

• MSP340 16

MHz Verify using a BMC Tool

• ESBMC

Result

• Verification

Failed

SBESC 2014 23

Motivation Controllers DCVerifier Evaluation Conclusions

DCVerifier usage example

Controller Design

• =

. .

Define Representa tion

• < 3,12 >:3 bits

for integer part and 15 bits for fractional part Define Realization Form

• DFII

Configure Verification

• Verify overflow
• Verification

time:3600

• MSP340 16

MHz Verify using a BMC Tool

• ESBMC

Result

• Verification

Failed

SBESC 2014 24

Motivation Controllers DCVerifier Evaluation Conclusions

DCVerifier usage example

Controller Design

• =

. .

Define Representa tion

• < 3,12 >:3 bits

for integer part and 12 bits for fractional part

• Dynamical

Range: [-1,1] Define Realization Form

• DFII

Configure Verification

• Verify overflow
• Verification

time:3600

• MSP340 16

MHz Verify using a BMC Tool

• ESBMC

Result

• Verification

Failed

Numeric format choosen based on impulse response sum and in the hardware limitations

SBESC 2014 25

Motivation Controllers DCVerifier Evaluation Conclusions

DCVerifier usage example

Controller Design

• =

. .

Define Representa tion

• < 3,12 >:3 bits

for integer part and 12 bits for fractional part

• Dynamical

Range: [-1,1] Define Realization Form

• DFII

Configure Verification

• Verify overflow
• Verification

time:3600

• MSP340 16

MHz Verify using a BMC Tool

• ESBMC

Result

• Verification

Failed

Random first trial

SBESC 2014 26

Motivation Controllers DCVerifier Evaluation Conclusions

DCVerifier usage example

Controller Design

• =

. .

Define Representa tion

• < 3,12 >:3 bits

for integer part and 12 bits for fractional part

• Dynamical

Range: [-1,1] Define Realization Form

• DFII

Configure Verification

• Verify overflow
• Verification

time:3600

• MSP430 16-bit

16 MHz Verify using a BMC Tool

• ESBMC

Result

• Verification

Failed

SBESC 2014 27

Motivation Controllers DCVerifier Evaluation Conclusions

DCVerifier usage example

Controller Design

• =

. .

Define Representa tion

• < 3,12 >:3 bits

for integer part and 12 bits for fractional part

• Dynamical

Range: [-1,1] Define Realization Form

• DFII

Configure Verification

• Verify overflow
• Verification

time:3600

• MSP430 16-bit

16 MHz Verify using a BMC Tool

• ESBMC
• Bound: 10

samples

Result

• Verification

Failed

SBESC 2014 28

Motivation Controllers DCVerifier Evaluation Conclusions

DCVerifier usage example

Controller Design

• =

. .

Define Representa tion

• < 3,12 >:3 bits

for integer part and 12 bits for fractional part

• Dynamical

Range: [-1,1] Define Realization Form

• DFII

Configure Verification

• Verify overflow
• Verification

time:3600

• MSP430 16-bit

16 MHz Verify using a BMC Tool

• ESBMC
• Bound: 10

samples

Result

• Verification

Failed Failure due to a sum overflow (sum result = 2.0879 > 1). Input sequence: {0.9995, -0.9995, 0.9995, 1, 1, 1, 0.9995, 0.9995, 0.9995, 0.9995, 1} Redefine the implementation!

SBESC 2014 29

Motivation Controllers DCVerifier Evaluation Conclusions

DCVerifier usage example

Controller Design

• =

. .

Define Representa tion

• < 3,12 >:3 bits

for integer part and 12 bits for fractional part

• Dynamical

Range: [-1,1] Define Realization Form

• DFII

Configure Verification

• Verify overflow
• Verification

time:3600

• MSP340 16

MHz Verify using a BMC Tool

• ESBMC

Result

• Verification

Failed

Maintain the Representation

SBESC 2014 30

Motivation Controllers DCVerifier Evaluation Conclusions

DCVerifier usage example

Controller Design

• =

. .

Define Representa tion

• < 3,12 >:3 bits

for integer part and 12 bits for fractional part

• Dynamical

Range: [-1,1] Define Realization Form

• TDFII

Configure Verification

• Verify overflow
• Verification

time:3600

• MSP340 16

MHz Verify using a BMC Tool

• ESBMC

Result

• Verification

Failed

Change the Realization Form TDFII presents less sums and products

SBESC 2014 31

Motivation Controllers DCVerifier Evaluation Conclusions

DCVerifier usage example

Controller Design

• =

. .

Define Representa tion

• < 3,12 >:3 bits

for integer part and 12 bits for fractional part

• Dynamical

Range: [-1,1] Define Realization Form

• TDFII

Configure Verification

• Verify overflow
• Verification

time:3600

• MSP430 16-bit

16 MHz Verify using a BMC Tool

• ESBMC

Result

• Verification

Failed

SBESC 2014 32

Motivation Controllers DCVerifier Evaluation Conclusions

DCVerifier usage example

Controller Design

• =

. .

Define Representa tion

• < 3,12 >:3 bits

for integer part and 12 bits for fractional part

• Dynamical

Range: [-1,1] Define Realization Form

• TDFII

Configure Verification

• Verify overflow
• Verification

time:3600

• MSP430 16-bit

16 MHz Verify using a BMC Tool

• ESBMC
• Bound: 10

samples

Result

• Verification

Failed

SBESC 2014 33

Motivation Controllers DCVerifier Evaluation Conclusions

DCVerifier usage example

Controller Design

• =

. .

Define Representa tion

• < 3,12 >:3 bits

for integer part and 12 bits for fractional part

• Dynamical

Range: [-1,1] Define Realization Form

• TDFII

Configure Verification

• Verify overflow
• Verification

time:3600

• MSP430 16-bit

16 MHz Verify using a BMC Tool

• ESBMC
• Bound: 10

samples

Result

• Verification

Failed

Repeat the test

SBESC 2014 34

Motivation Controllers DCVerifier Evaluation Conclusions

DCVerifier usage example

Controller Design

• =

. .

Define Representa tion

• < 3,12 >:3 bits

for integer part and 12 bits for fractional part

• Dynamical

Range: [-1,1] Define Realization Form

• TDFII

Configure Verification

• Verify overflow
• Verification

time:3600

• MSP430 16-bit

16 MHz Verify using a BMC Tool

• ESBMC
• Bound: 10

samples

Result

• SUCESS

The problem was solved

SBESC 2014 35

Motivation Controllers DCVerifier Evaluation Conclusions

DCVerifier usage example

Controller Design

• =

. .

Define Representa tion

• < 3,12 >:3 bits

for integer part and 12 bits for fractional part

• Dynamical

Range: [-1,1] Define Realization Form

• TDFII

Configure Verification

• Verify limit

cycle

• Verification

time:3600

• MSP430 16-bit

16 MHz Verify using a BMC Tool

• ESBMC
• Bound: 10

samples

Result

• SUCESS

But verifing limit cycles...

SBESC 2014 36

Motivation Controllers DCVerifier Evaluation Conclusions

DCVerifier usage example

Controller Design

• =

. .

Define Representa tion

• < 3,12 >:3 bits

for integer part and 15 bits for fractional part

• Dynamical

Range: [-1,1] Define Realization Form

• TDFII

Configure Verification

• Verify limit

cycle

• Verification

time:3600

• MSP430 16-bit

16 MHz Verify using a BMC Tool

• ESBMC
• Bound: 10

samples

Result

• Verification

Failed Appears an oscillation: {-0.002, -0.002, -0.0015, -0.0015, -0.002, -0.002, -0.0015, -0.0015, -0.002, -0.002}. Zero input sequence Redefine the implementation!

SBESC 2014 37

Motivation Controllers DCVerifier Evaluation Conclusions

DCVerifier usage example

Controller Design

• =

. .

Define Representa tion

• < 3,4 >:3 bits

for integer part and 4 bits for fractional part

• Dynamical

Range: [-1,1] Define Realization Form

• TDFII

Configure Verification

• Verify limit

cycle

• Verification

time:3600

• MSP430 16-bit

16 MHz Verify using a BMC Tool

• ESBMC
• Bound: 10

samples

Result

• SUCESS

Verifing with a different representation... There is a trade off: the oscillation is solved; however there is an accurate loss.

SBESC 2014 38

Motivation Controllers DCVerifier Evaluation Conclusions

DCVerifier usage example

Controller Design

• =

. .

Define Representa tion

• < 3,4 >:3 bits

for integer part and 4 bits for fractional part

• Dynamical

Range: [-1,1] Define Realization Form

• TDFII

Configure Verification

• Verify limit

cycle

• Verification

time:3600

• MSP430 16-bit

16 MHz Verify using a BMC Tool

• ESBMC
• Bound: 10

samples

Result

• SUCESS

SUCCESS

SBESC 2014 39

Motivation Controllers DCVerifier Evaluation Conclusions

DCVerifier usage example

Controller Design

• =

... ..

Define Representati

• n
• < 3,4 >:6 bits

for integer part and 7 bits for fractional part

• Dynamical

Range: [-5,5] Define Realization Form

• TDFII

Configure Verification

• Verify stability
• Verification

time:3600

• MSP430 16-bit

16 MHz Verify using a BMC Tool

• ESBMC
• Bound: 10

samples

Result

• Verification

Failed UNSTABLE

SBESC 2014 40

Motivation Controllers DCVerifier Evaluation Conclusions

DCVerifier usage example

Controller Design

• =

... ..

Define Representati

• n
• < 3,4 >:6 bits

for integer part and 7 bits for fractional part

• Dynamical

Range: [-5,5] Define Realization Form

• TDFII

Configure Verification

• Verify stability
• Verification

time:3600

• MSP430 16-bit

16 MHz Verify using a BMC Tool

• ESBMC
• Bound: 10

samples

Result

• Verification

Failed UNSTABLE

SBESC 2014 41

Motivation Controllers DCVerifier Evaluation Conclusions

DCVerifier usage example

Controller Design

• =

... ..

Define Representati

• n
• < 3,4 >:6 bits

for integer part and 7 bits for fractional part

• Dynamical

Range: [-5,5] Define Realization Form

• TDFII

Configure Verification

• Verify stability
• Verification

time:3600

• MSP430 16-bit

16 MHz Verify using a BMC Tool

• ESBMC
• Bound: 10

samples

Result

• Verification

Failed UNSTABLE

SBESC 2014 42

Motivation Controllers DCVerifier Evaluation Conclusions

DCVerifier usage example

Controller Design

• =

... ..

Define Representati

• n
• < 3,4 >:6 bits

for integer part and 7 bits for fractional part

• Dynamical

Range: [-5,5] Define Realization Form

• TDFII

Configure Verification

• Verify stability
• Verification

time:3600

• MSP430 16-bit

16 MHz Verify using a BMC Tool

• ESBMC
• Bound: 10

samples

Result

• Verification

Failed UNSTABLE

SBESC 2014 43

Motivation Controllers DCVerifier Evaluation Conclusions

DCVerifier usage example

Controller Design

• =

... ..

Define Representati

• n
• < 3,4 >:6 bits

for integer part and 7 bits for fractional part

• Dynamical

Range: [-5,5] Define Realization Form

• TDFII

Configure Verification

• Verify stability
• Verification

time:3600

• MSP430 16-bit

16 MHz Verify using a BMC Tool

• ESBMC
• Bound: 10

samples

Result

• Verification

Failed UNSTABLE

SBESC 2014 44

Motivation Controllers DCVerifier Evaluation Conclusions

DCVerifier usage example

Controller Design

• =

... ..

Define Representati

• n
• < 3,4 >:6 bits

for integer part and 7 bits for fractional part

• Dynamical

Range: [-5,5] Define Realization Form

• TDFII

Configure Verification

• Verify stability
• Verification

time:3600

• MSP430 16-bit

16 MHz Verify using a BMC Tool

• ESBMC
• Bound: 10

samples

Result

• Verification

Failed UNSTABLE

SBESC 2014 45

Motivation Controllers DCVerifier Evaluation Conclusions

DCVerifier usage example

Controller Design

• =

... ..

Define Representati

• n
• < 3,4 >:6 bits

for integer part and 7 bits for fractional part

• Dynamical

Range: [-5,5] Define Realization Form

• TDFII

Configure Verification

• Verify stability
• Verification

time:3600

• MSP430 16-bit

16 MHz Verify using a BMC Tool

• ESBMC
• Bound: 10

samples

Result

• Verification

Failed UNSTABLE

SBESC 2014 46

Motivation Controllers DCVerifier Evaluation Conclusions

DCVerifier usage example: Delta effect

Controller Design

• =

... ..

Define Representati

• n
• < 3,4 >:6 bits

for integer part and 7 bits for fractional part

• Dynamical

Range: [-5,5] Define Realization Form

• TDFII

Configure Verification

• Verify stability
• Verification

time:3600

• MSP430 16-bit

16 MHz Verify using a BMC Tool

• ESBMC
• Bound: 10

samples

Result

• SUCESS

STABLE

Experimental Objectives

• Use BMC tools to verify digital controllers
• Find potential bugs before the deployment
• Evaluate the proposed methodology, in particular the DCVerifier
• Verify overflows, limit cycles, time constraints, and stability
• Compare the delta operator and the direct-form performance from the

verification point of view

SBESC 2014 47

Motivation Controllers DCVerifier Evaluation Conclusions

Experiments Setup

• Verification Enviroment

‒ Intel Core i7-2600 3.40 GHz processor, 24 GB of RAM, and Ubuntu 11.10 64- bits ‒ ESBMC v1.23 with the SMT solver Z3 v4.0

• Hardware Considerations

‒ Verifications based on MSP340, 16 MHz clock ‒ Wordlength: 16 bits

SBESC 2014 48

Motivation Controllers DCVerifier Evaluation Conclusions

Experimental Results

SBESC 2014 49

Motivation Controllers DCVerifier Evaluation Conclusions

The verification results are conclusive in almost 95%

• f

the testcases

Experimental Results

SBESC 2014 50

Motivation Controllers DCVerifier Evaluation Conclusions

Direct realization presented 40%

• f

errors in

• properties. Delta

decreased it to 27.5%

Conclusions

• BMC is a promising alternative for digital controllers verification
• The verifications are conclusive in 94.5% of the benchmarks
• Neither false positives nor false negatives are reported
• The DCVerifier may reduce the design efforts

‒ Since it is automatic and reliable

• Delta form doesn’t remove all errors, but it decreases them substantially.
• Future work

‒ Include more properties and realization forms ‒ Include closed-loop properties verification ‒ Create an automatic design tool

Motivation Controllers DCVerifier Evaluation Conclusions

SBESC 2014 51

Thank you for your attention!

The tool and all benchmarks are avaliable at www.esbmc.org

SBESC 2014 52