ANALOG 2016 - Publikationsdatenbank der TU Wien · Adrián Romero1, Jesús González2, Ulrich Hilleringmann3, Peter Glösekötter1 1 FH Münster – University of Applied Sciences;

266

ITG

-Fac

hber

icht

ANALOG 2016

Beiträge der 15. ITG/GMM-Fachtagung 12. – 14. September 2016in Bremen

Informationstechnische Gesellschaft im VDE (ITG)

Bibliografische Information der Deutschen NationalbibliothekDie Deutsche Nationalbibliothek verzeichnet diese Publikation in der Deutschen Nationalbibliografie; detaillierte bibliografische Daten sind im Internet über http://dnb.dnb.de abrufbar.

ISSN 0932-6022

© 2016 VDE VERLAG GMBH · Berlin · Offenbach www.vde-verlag.deAlle Rechte vorbehalten

CD-Produktion: DMS – Disk Media Service, Berlin Produced in Germany

ISBN 978-3-8007-4265-3

Titelfoto: S. Mahlknecht; TU Wien: WUR Receiver

ITG-Fachbericht 266ANALOG 2016Beiträge der 15. ITG/GMM-Fachtagung 12. – 14. September 2016 in Bremen

Veranstalter: Informationstechnische Gesellschaft im VDE (ITG) VDE/VDI-Gesellschaft Mikroelektronik, Mikrosystem- undFeinwerktechnik (GMM)

Tagungsleitung: Christoph Grimm, Technische Universität Kaiserslautern

VDE VERLAG GMBH

Bibliografische Information der Deutschen NationalbibliothekDie Deutsche Nationalbibliothek verzeichnet diese Publikation in der Deutschen Nationalbibliografie; detaillierte bibliografische Daten sind im Internet über http://dnb.dnb.de abrufbar

ISBN 978-3-8007-4265-3ISSN 0932-6022

© 2016 VDE VERLAG GMBH ∙ Berlin ∙ Offenbach, Bismarckstraße 33, 10625 Berlin www.vde-verlag.de

Alle Rechte vorbehalten

Das Werk ist urheberrechtlich geschützt. Jede Verwertung außerhalb der engen Grenzen des Urheberrechtsgesetzes ist ohne Zu stimmung des Verlags unzulässig und strafbar. Die Wiedergabe von Gebrauchsnamen, Handelsnamen, Warenbeschreibungen etc. berechtigt auch ohne besondere Kennzeichnung nicht zu der Annahme, dass solche Namen im Sinne der Markenschutz-Gesetzgebung als frei zu betrachten wären und von jedermann benutzt werden dürfen. Aus der Veröffentlichung kann nicht geschlossen werden, dass die beschriebenen Lösungen frei von gewerblichen Schutzrechten (z. B. Patente, Gebrauchsmuster) sind. Eine Haftung des Verlags für die Richtigkeit und Brauchbarkeit der veröffentlichten Programme, Schaltungen und son-stigen Anordnungen oder Anleitungen sowie für die Richtigkeit des technischen Inhalts des Werks ist ausgeschlossen. Die gesetzlichen und behördlichen Vorschriften sowie die technischen Regeln (z. B. das VDE-Vorschriftenwerk) in ihren jeweils geltenden Fassungen sind unbedingt zu beachten.

Production: DMS – Dinsk Media Service, Berlin, GermanyProduced in Germany

5

ITG-Fachbericht 266: ANALOG 2016, 12.– 14.09.2016 in Bremen

Inhaltsverzeichnis

Keynotes

01 Keynote 1 – Experiment Planning for Simulation based Verification . . . . . . . . . . . . . . . . . . . . . . 7Monica Rafaila, Infineon Technologies München

02 Keynote 2 – Analog-Verifikation – Same procedure as last year? – Weit gefehlt! . . . . . . . . . . . . 8Walter Hartong, Cadence Design Systems, München

03 Keynote 3 – Monitoring analog and mixed-signal design emulated on FPGA . . . . . . . . . . . . . . . 9Dejan Nickovic, Austrian Institute of Technology, Wien

Verifikation von Robustheit

04 Optimized Disturbance Weighting for Robust System Design under Parameter Uncertainties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Leandro Gil, Martin Radetzki, Universität Stuttgart

Synthese und Layoutgenerierung

05 Power-Down Schematic Synthesis for Analog/Mixed-Signal Circuits . . . . . . . . . . . . . . . . . . . . . 16Maximilian Neuner, Michael Zwerger, Helmut Gräb, Technische Universität München

06 Explicit Feature and Edge Insertion for Improved Analog Layout Generators in Advanced Semiconductor Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22Benjamin Prautsch, Uwe Eichler, Torsten Reich, Jens Lienig, Fraunhofer IIS/EAS, Dresden

Analoge Schaltungen in intelligenden Sensorsystemen

07 Low-Power High-Gain Operational Amplifier for Analog Image Pre-Processing in Smart Sensor Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28Christopher Soell1, Timo Mai1, Lan Shi1, Juergen Roeber1, Thomas Ussmueller2, Robert Weigel1, Amelie Hagelauer1,1Friedrich-Alexander-Universität Erlangen-Nürnberg; 2Universität Innsbruck, Austria

08 Fast and precise on-chip IDDQ current sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33Dirk Michael Nuernbergk, Christian Lang, Melexis GmbH, Erfurt

09 A 4-GHz LC-Based Voltage Controlled Oscillator & Frequency Divider for use in Neutrino Experiments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39Nina Parkalian1, Markus Robens1, Christian Grewing1, Stefan van Waasen21Forschungszentrum Jülich GmbH; 2Universität Duisburg-Essen

Schaltungen und Technologie

10 Dynamic body bias for 22 nm FD-SOI CMOS Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44Stefan Nedelcu1, Matthias Voelker1, Leonhard Klein1, Claudia Schuhmann1, Norbert Schuhmann1, Johann Hauer1, Torsten Reich2, Sunil Rao21Fraunhofer IIS, Erlangen; 2Fraunhofer IIS/EAS, Dresden

6


11 Switch Bootstrapping in a 1.5 Bit Pipeline Stage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49Robert Loehr, Frank Ohnhaeuser, Juergen Roeber, Robert Weigel, Friedrich-Alexander-Universität Erlangen-Nürnberg

12 Capacitive Gate Drive Signal Transmission with Transient Immunity up to 300 V/ns . . . . . . . 53Jonathan Hackel, Achim Seidel, Jürgen Wittmann, Bernhard Wicht, Hochschule Reutlingen

Verifikation von Mixed-Signal Systemen

13 Instrumentation of the Control Flow of SystemC AMS – Models for Symbolic Simulation . . . 58Carna Radojicic, Christoph Grimm, Technische Universität Kaiserslautern

14 Metrics for Formal Property Checking Against Undesired Circuit Behavior in Embedded Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64Michael Rathmair, Florian Schupfer, Technische Universität Wien, Austria

Modellbasierte Entwicklung und Simulation von Systemen

15 Modeling of Linear Stimuli for Accelerated Mixed-Signal Simulations . . . . . . . . . . . . . . . . . . . 70Sara Divanbeigi, Lukas Lee, Enno Röhrig, Markus Olbrich, Erich Barke, Leibniz Universität Hannover

16 Fault Injection and Mixed-Level Simulation for Analog Circuits – A Case Study . . . . . . . . . . . 75Saed Abughannam, Liang Wu, Wolfgang Müller, Christoph Scheytt, Heinz Nixdorf Institut, Paderborn

17 Model Based Design at System-Level of Mixed-Signal SoC for Battery Management System . 81Xiao Pan, Christoph Grimm, Technische Universität Kaiserslautern

Poster

18 Online verification of AMS Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87Matthias Sauppe, Erik Markert, Ulrich Heinkel, Technische Universität Chemnitz

19 Capacitance to Digital Converter ASIC with Wireless Energy and Wireless Data Transmission for a Medical Implant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93Rajeev Ranjan, Bibin John, Dietmar Schroeder, Wolfgang Krautschneider, Technische Universität Hamburg

20 Organic Field-Effect and Nanoparticle Thin-Film Transistors: Static Model . . . . . . . . . . . . . . . 98Adrián Romero1, Jesús González2, Ulrich Hilleringmann3, Peter Glösekötter11FH Münster – University of Applied Sciences; 2Universidad de Granada; 3Universität Paderborn

21 Model-Based Reference Design Projects with MathWorks’ HDL Workflow Advisor for Custom-Specific Electronics with the Zedboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104Martin Versen, Stefan Kipfelsberger, Fatma Sökmen, University of Applied Sciences, Rosenheim

Metrics for Formal Property Checking Against Undesired CircuitBehavior in Embedded SystemsMichael Rathmair and Florian SchupferTU Wien, Institute of Computer Technology, 1040 Vienna, Gusshausstrasse 27-29/384, [email protected], [email protected]

Abstract

Modern embedded systems, including analog and digital circuits, strongly rely on the verification of the intended systemfunctionality. Property checking, as a formal verification methodology may prove the correct behavior of design subparts.Due to scalability issues, a dedicated selection of characteristics to be checked and constrictive model complexity isrequired for keeping the verification effort reasonable. In this work we propose checking for undesired functionalities,whether they are intentionally (debug artifact), unintentionally (hardware Trojan) or due to reuse of functional modulespresent in the design. We define measures (abstracted costs) which may be used for effective verification planning.Characteristics are rated on a common knowledge base, revisioned over past design projects in combination with statisticalruntime estimation. A resulting subset of cost efficient properties is finally handed over to an automatic checking tool.

1 Introduction

Today, the functional complexity of embedded systemsincreased to a level where segmentation of the full de-velopment task and reuse of design components becamea necessity. This opens new vulnerabilities for interfer-ence behavior in hardware designs. Unspecified systemfunctionalities may be caused by functional compositionof modules and integration of new customer specificimplementations [10]. Strictly speaking, sources forunwanted behavior may lead from undocumented lines ofcode in a behavioral description, over unused obfuscatedcircuit structures, debug and monitoring structures, tohardware Trojans which may enable attackers to com-promise system functionalities. Finally, after refinementand synthesis of the model the represented behavior isimplemented in silicon hardware structures. In this workpredefined formal properties, describing unintentionalcharacteristics as formulas are verified whether they aresatisfied on a model. One of the major advantages ofapplied property checking algorithms is that verificationrequires no generation of specific test stimuli [3, 4]. Asillustrated in Fig. 1 test based verification aims to checkwhether single functionalities satisfies their specificationunder strictly defined system states and input signals.Property checking, allows to describe abstract character-istics of objected behavior resulting in an area coveringcompositions of functionalities [11, 4].

Main investigation of this paper is not to increase the per-formance of analog formal verification itself, but to intro-duce a metric which proposes an approach to assess andestimate effort for verifying properties in a design (see Sec-tion 3). The proposed procedure may guide a verificationengineer to decide which property formulas are checkedon the model. Resulting counterexamples may act as startpoints for debugging and optimization and finally increase

Simulation and Test-based Verification

Formal Property Checking

Testcase1

Testcase2

Testcase3

Property1

Property2 Property3

Figure 1 Abstract illustration of a specific design space.Test and simulation based verification is aimed to checka specific behavior under defined input stimuli. Formalproperty checking can show that a specific characteristicis satisfied (not satisfied) on a subpart of the full design.

the confidence of the system. Section 4 gives a demon-stration example where results are summarized in order toillustrate a formal verification planning strategy.

2 Formal Property Checking ofAnalog Functionalities

Hardware property checking, is deduced from softwareverification purposes and adapted for verifying circuits.Therefore, the hardware behavior is represented in a for-malized, mathematically precise and unambiguous manner[1, 11]. Applied algorithms systematically explore feasiblestates of the system and guarantee (mathematical proof)that defined characteristics hold for all possible inputsignals. For digital circuits, Finite State Machine (FSM)representations are unwinded and property formulations(p) are evaluated if they are satisfied on the resultingflattened model M, (M |= p) [1]. For analog functionalitiesa key task is the discretization of the continuous statespace. Depending on the selected algorithm and resolutionthis causes an assessable discretization error [2]. An


ISBN 978-3-8007-4265-3 © 2016 VDE VERLAG GMBH ∙ Berlin ∙ Offenbach64

approach published in [3] is to represent the state spaceby a discrete graph structure. The reachable state spaceis partitioned into hypercubes of homogeneous behavior.Each hypercube is defined by derivations of systemvariables and represent vertices in the graph structure usedfor model checking [3].

Properties are defined in a formal language, which enablesthe description of logical and temporal characteristics.In this work, we make use of temporal logics such asLinear Temporal Logic or Linear-time Temporal Logic(LTL) and Computational Tree Logic (CTL) for propertyspecification. For analog model checking a more specificAnalog Specification Language (ASL) including enhancedformulations for offset, gain, slew rate, etc. characteristicsmay be used [3]. Model checking tools automaticallyprove the satisfaction of given formulas on the systemmodel independent of input stimulus [4, 11, 1].

For this paper we follow a top-down refinement systemdevelopment approach. Specified functional componentsare modeled using a highly abstracted behavioral descrip-tion as SystemC-AMS, System Verilog, VHDL-AMSetc. These models represent an executable specificationand allow verification, simulation and test processes in avery early design phase. This first coarse-grained modelis refined by architectural- and circuit-level synthesisprocesses and finally implemented as a piece of hardware[8, 9].

As illustrated in Fig. 2, the full set of verification prop-erties is divided into a limited set of desired propertiesPd covered by the specification and an unbound set ofundesired ones Pu.

Hence, an exhaustive verification of all feasible undesiredcharacteristics is not possible. In the following weintroduce an abstract cost level which indicates the effortinvested in formal design verification. These costs can beequally viewed as a confidence value for the absence ofunwanted characteristics during design phase and may actas measure for future designs.

Desired Properties

Spec

UndesiredProperties

Figure 2 The set of desired properties, defined by thespecification, is a limited area inside an infinitely expand-able property space. Undesired characteristics are illus-trated as a surrounding infinite cloud.

Single undesired properties pu1, pu2, pu3, . . . puK are storedin a knowledge base, revisioned over several designprojects. Each of the proposed property formulas describea possibly included unspecified behavior caused by func-

tional components itself or new composition of featuresfor a new product release (e.g. unspecified signal reset,utilization of unused bits in communication frames, debugand monitoring structures used for the development of acomponent, etc.) Stored characteristics are reused, slightlyadapted and applied on new designs.

3 Effort Estimation and VerificationPlanning

To estimate costs and efforts for formal property checking,we propose an abstract metric. Within this measure,developers and researchers may be able to specify a levelof hardware verification confidence which correlates witheffort spent on formal property checking. The proposedvalues will also rate the impact of undesired behavior forthe overall goal of a functional correct design. Hence,the discussed values can be seen as abstracted withoutany direct influence to the design process itself. Virtuallycalculated costs C may be directly mapped to real devel-opment costs and may guide engineers to estimate cost ofverification.

As a first step, complexity considerations advise partition-ing the full design into functional blocks. Formal checkingprocesses performed on a full design model results in vastchecking costs. Thus, property checking, as used in thiswork, is applied on subsystems of the full design. We cate-gorize a selected subsystem as a representative of a specificfield of function or application. Specified undesired prop-erties for these are collected into sets Pus1,2,3,... (see Fig. 3).Each specified undesired property is assigned to at leastone segment (puk ∈ Pu1)∨(puk ∈ Pus2)∨ . . .∨(puk ∈ PusM),∀k = 1 . . .N. Total abstract checking costs for a systemC are composed of subcosts for checking each segmentC = ∑

Mx=1 CPusx , where M is the number of defined seg-

ments.

Application 3Function 3Application 1

Function 1

Appl

icat

ion

2

Func

tion

2

Section

View

Figure 3 Segmented undesired property space of a de-sign. For each segment representing a specific function orapplication a total cost value may be calculated for cover-ing included undesired characteristics.

As a second step βpu is defined which is an occurrenceprobability of a specific property formulation. βpu ratesthe number of positive hits at previous verification runsto the number of totally applied checking runs. For theconstruction of a section view, as illustrated in Fig. 3, allproperties in set Pus1 are considered. For the computation



of a section view diagram, which reflects a segment costcharacteristic, occurrence probabilities βpu and checkingcosts Cpu of a property are plotted. Obtained functional-ities have a maximum cost level of γ which is an initialstatic offset value when defining the undesired propertycosts.

Besides the calculation of βpu, a further requirement forthe construction of a section view diagram is to assess theverification costs Cpu of each property. In this work we re-strict in checking CTL (computation tree logic) and LTL(linear temporal logic) property formulations. For CTLand LTL, complexity considerations are well described inliterature [5, 6]. The size of the formal model |S| has amain influence on checking time (number of states andtransitions). The length of the property formula length(ϕ),which is normally very small compared to the model size,has a minor impact on checking effort. Finally algorith-mic complexities θLT L and θCT L are defined using the Onotation [5, 6].

θCT L = O(|S| · length(ϕ))

θLT L = 2O(length(ϕ)) ·O(|S|)

This complexity value can be precalculated for each givenmodel/property combination without execution of thespecific verification tool.

For the estimation of checking duration at a dedicated cal-culated complexity value θ , an estimation function

fτ(θ) = a ·θ b

is introduced. Coefficients a and b are evaluated by read-ing verification time consumption τ and complexity θ val-ues from the described knowledge base. Quadratic resid-uals between prerecorded checking times and the estima-tion function values will be reduced under the constraintmin

(∑

Ki=1 |τi− fτ(θi)|2

).

Thus, with the help of fτ(θ) we get an average time esti-mation for checking a selected property, verified on a newsystem respecting the complexity θ .For the translation of this duration value into a cost quantitya conversion factor f c is introduced. f c is initially definedby engineering and computation costs for each single prop-erty. Due to model reuse, property order heuristics, etc.this factor is not constant and may be refined after each ver-ification run. Finally, average abstract checking costs for adedicated property may be estimated by Cpu = fτ(θ) · f c.As shown in Fig. 4, for each property included in segmentCPus1 , a point is plotted in the section view. For a cost char-acteristic measure of a segment, an exponential function

f s(Cpu) = e−k(Cpu−γ)

is constructed. Parameter k in this function representingthe section metric is evaluated under the constraints thatβpu must be less or equal than f s for all properties includedin the section, and f s has a static node at (γ,1):

{ f s(Cpu ≤ γ) = 1}∧{βpui ≤ f s(Cpui)},∀pui ∈ Pus j

cost

occ

urr

ence

pro

babili

ty 1

0.5

Figure 4 Section view as indicated in Fig. 3. Propertiesincluded in segment CPus1 are plotted in the diagram. Forrating the segment, function fs(Cpu) is constructed wherek represents a segment metric

As a result of defining occurrence probabilities, abstractcosts and segmentation effort measures the following qual-itative statements can be specified.

Refinement:The characteristic measure k is mainly influenced by upperrightmost points in the segment view (Fig. 5-a). In otherwords, unintended properties which were often satisfied inprevious projects cause a high checking costs characteristicfor the full segment. As illustrated in Fig. 5-a, the prop-erty pu5 is refined and hence replaced by pu6 and pu7. Thismay reduce occurrence probabilities but may increase totalcosts if checking of both refined properties is intended. Af-ter the refinement, pu2 determines the construction of theexponential characteristic function. Parameter k changes toa larger value k′ ≥ k. A faster decrease of the occurrenceprobability in respect to checking costs, rates the accord-ing segment as being cheaper. New refined properties haveno prerecorded history of their usage. Thus, occurrenceprobabilities may be estimated by enhanced static modelanalysis.

Selection of a maximum cost level:If a dedicated minimum occurrence probability βpuMin isrequired, the segment measure function f s returns a maxi-mum cost level CpuMax. This cost value is not exceeded byany single property where βpu ≥ βpuMin is fulfilled.

Verification planning procedure:More interesting for verification planning is the evaluationof total checking costs if a minimum occurrence probabil-ity βpuMin is required. Which properties are selected for achecking process if a limited verification budget is given?Summarized costs for checking properties of a segment arelimited to CPus , and costs for each single property must notexceed CpuMax.{

∑i(Cpui− γ)≤CPus

}∧{Cpui ≤CpuMax}

To guarantee a desired minimum historical occurrenceprobability βpuMin, all properties in shaded area 1 (Fig. 5-b)have to be checked. It may happen that the checking budgetfor the segment CPus is not fully consumed after consider-ing all properties of area 1. The rest of the effort is used toselect checking properties in shaded area 2, extending from



low to high costs. A selection rule in this case is given bycovering properties having lower cost first in order to in-crease the quantity.

cost

occurr

ence

pro

babilit

y 1

0.5

cost

occurr

ence

pro

babilit

y 1

0.5

a)

b)

1

2

Figure 5 a) Refinement of unspecified property pu5 to 2properties having a lower occurrence probability (refine-ment of the check). b) Planning procedure, for coveringundesired properties below a defined verification budget.

4 Demonstration Example

The demonstration example selected for this work is asystem generating pulse with modulated (PWM) signalsfor three phase motor control applications. As indicatedin Fig. 6 control signals driving the gate inputs of thepower amplifier stages are derived from continuous analogsignals levels (SigIn1. . . 3). These are compared with aperiodic sawtooth signal. To avoid short circuit switchingperiods between the upper and the lower side of the poweramplifier stages a signal delay circuit is inserted before thelower side transistor’s gate inputs (M4, M5, M6).

The created behavioral model for property checking ishighly abstracted and can be seen as an executable circuitspecification. Analog voltages are discretized with an 10bit resolution and represented by integer variables rangingfrom 0 to 1023. The sawtooth generator is represented byan up-counting value in combination with an appropriateoverflow logic. Lower side gate delay elements are de-scribed by additionally derived sawtooth signal comparevalues. A silicon circuit implementation may result aftervarious manual/automatic refinement and synthesis stepsbased on this high level description.As described in the previous sections our planningmethodology relies on a database where prior verificationtiming results are stored in. Thus, for this demonstrationexample we checked the same design properties also onthree other circuit models: A single sawtooth generator

Gen

Delay

Delay

Delay

+-

+-

+-

M1 M2 M3

M4 M5 M6

SigOut1SigOut2SigOut3

SigIn1

SigIn2

SigIn3

VCC

GNDStrobe

Figure 6 Demonstration example for this paper is a threephase motor control circuit. Signals driving the gate in-puts of the power transistors are derived form analog volt-ages SigIn1. . . 3.

just generates an upcounting value with reset as used inFig. 6. A timer unit as used in a microcontroller includingoverflow and capture and compare functionalities. ARGB LED dimmer circuit which generates three PWMsignal for continuous illumination and colour levels.These circuits are assumed as previous projects and willprovide verification data (time consumption values forfτ(θ)). Properties and corresponding verification timingresults are stored in a knowledge base, realized as anXML file. A structural overview of the XML file isshown in Fig. 7. Each property holds a set of check-ing runs including additional detailed information as thespecific property formula, runtime, system complexity, etc.

Figure 7 Structural illustration of the used XML repos-itory including the properties and results of previousmodel checking runs.

As a set of undesired properties Pu, nine for-mulas pu1 . . . pu9 distributed into two segmentsPus1 = {pu1, . . . , pu4} and Pus2 = {pu5, . . . , pu9}, are



Figure 8 Time consumption for checking pu1 . . . pu4 applied on previous system models. Lines represent estimationfunctions f s(Cpu), used for verification planning procedures. Data points highlighted by an asterisk mark real measuredchecking duration values for pu1 . . . pu4 on the new motor control design obtained from the used model checking tool.

expressed and handed over to the academic model check-ing tool NuSMV [7]. The checked properties representedas LTL and CTL formulas are stated in Fig. 8. They checkwhether unwanted functionalities of the strobe signalovStrobe, which is set at the maximum of the sawtoothsignal, is not satisfied on the model. The rest of thisexample concentrates on the proposed effort measures notdetailing in the content of the checked formulas. Alsoother licensed commercial tools (e.g. Cadence) can beused for verification of the defined properties. Differencesin verification software are covered within the resultsstored in the repository. The proposed methodology is in-dependent of tool performance or implemented algorithms.

Fig. 8 illustrates time consumption values for checkingproperties {pu1, . . . , pu4} included in segment 1 on thesystems assumed as previous projects (sawtooth signalgenerator, timer and LED dimmer applications). Forextended creation of verification data filling the repositoryfor past projects we additionally modified the resolutionof analog signal discretizations (10 to 16 bit). Thus, wegot a selection of 19 different system implementations.The verification tool is executed sequentially resultingin the verification execution time data τ at a specificsystem complexity θ for each property {pu1, . . . , pu4}.Approximated functions plotted in the diagram showtiming estimation functions fτ(θ). Coefficients a and bof fτ(θ) are evaluated under respect of the minimizationconstraint of residuals.

The automata model representing the discretized analogstate space and the behavior of the new motor control sys-tem implements 1027 transitions and 2.2033 · 1012 reach-able system states. To validate the timing estimation func-tions fτ(θ) we checked the given properties on the newsystem (motor controller). The asterisk in Fig. 8 mark realmeasured timing results obtained from the verification tool.This shows, that under given system complexities θ thecalculated timing approximation functions based on pre-vious projects result in good verification time estimations.Assuming a cost rating factor f c = 10 the following ab-stract costs for checking pu1 . . . pu4 are calculated:

Cpu1 = 136.793Cpu2 = 65.456

Cpu3 = 636.141Cpu4 = 42.618

Resulting in total checking cost for the segment Pus1

CPus1 = 881.008

Next, we calculate occurrence probabilities in order to cre-ate a section view for Pus1 and evaluate the section ef-fort function f s(Cpu). As described previously in total wechecked 19 systems assuming them as previous verifica-tion projects. Each design has been verified 100 times re-sulting in 1900 checking runs for each property formula-tion. Within this 1900 verification runs, we assume 3, 16,1 and 12 property violations for pu1 . . . pu4. By calculating



the dedicated occurrence probabilities βpu, the accordingPus1 section view can be constructed (see Fig. 9). Propertypoint pu3 in the diagram is defining an exponent value k of0.011869477 to fulfill the previously described constraintfor f s(Cpu).

f s(Cpu1) = e−0.011869477(Cpu−25)

Maximum checking costs for desired functionalities γ aredefined as 25. As a verification planning strategy, we eval-uate checking cost of segment Pus1 for a minimum occur-rence probability of βpuMin = 0.5% (checked level in Fig.9). Hence, property pu4 and pu2 has to be verified which re-sults to a summarized abstract cost value of 108.074. Thiscost value represents a measure for planning and manage-ment procedures for this particular design and may be di-rectly translated into real verification costs.

0 100 200 300 400 500 6000.0001

0.001

0.01

0.1

1

Figure 9 Section view for segment Pus1, indicating costsand occurrence probabilities for pu1 . . . pu4 (βpu axis inlogarithmic scale).

5 Conclusion and Future Work

In this paper we introduce effort and cost metrics forformal property verification. Methodologies are appliedduring the design phase and mainly objected to systemswhich behavior is given by a composition of previouslyimplemented functional blocks. Thus, for verificationplanning we propose not just checking intended function-alities of a system but also verifying if undesired (maybeharmful) properties are not fulfilled. This work is notabout improving the verification performance but ratherin a target orientated selection of verification properties tooptimize costs in projects. The selection of properties tobe checked is based on a common repository, revisionedover several design projects. Finally, checking time andeffort represented as an abstract cost value are evaluated bystatistical methods and monitored execution characteristicsof verification runs. Results, as effort metrics and planningstrategies may be used for future design processes, butscalability improvements are depend on enhancements inmodel checking techniques and will directly influence theindustrial applicability of the proposed methodology.

For future work, main investigation is to apply the pro-posed verification planning methodology at a small real in-dustrial design project. Long term studies may show if thecalculated metrics and proposed property selection meth-ods result in an additional benefit.

6 References

[1] Christel Baier and Katoen Joost-Pieter, “Principles ofModel Checking”, MIT Press, 2008.

[2] S. Steinhorst and L. Hedrich, “Trajectory-Directed dis-crete state space modeling for formal verification ofnonlinear analog circuits,” 2012 IEEE/ACM Interna-tional Conference on Computer-Aided Design (IC-CAD), San Jose, CA, 2012, pp. 202-209.

[3] E. Barke and D. Grabowski, et.al. , “Formal Ap-proaches to Analog Circuit Verification,” Design, Au-tomation & Test in Europe (DATE), , 2009, pp.724-729.

[4] William K. Lam, “Hardware Design Verification: Sim-ulation and Formal Method-Based Approaches” (Pren-tice Hall Modern Semiconductor Design Series), Pren-tice Hall PTR, 2005.

[5] E. M. Clarke and E. A. Emerson and A.P. Sistla, “Au-tomatic verification of finite-state concurrent systemsusing temporal logic specifications”, ACM TOPLASvol. 8(2), 1986.

[6] Ph. Schnoebelen, “The Complexity of Temporal LogicModel Checking”, Advances in Modal Logic, pp. 393-436, 2002.

[7] Roberto Cavada and Alessandro Cimatti and CharlesArthur Jochim and Gavin Keighren and EmanueleOlivetti and Marco Pistore and Marco Roveri and An-drei Tchaltsev, “NuSMV 2.5 User Manual”, FBK-irst,2010.

[8] S. A. Huss, “Analog circuit synthesis: a search for theHoly Grail?,” 2006 IEEE International Symposium onCircuits and Systems, Island of Kos, 2006, pp. 4 pp.-1466.

[9] F. Paugnat, K. Morin-Allory and L. Fesquet, "A re-finement process for top-down mixed-signal designsthanks to SystemC-AMS," New Circuits and SystemsConference (NEWCAS), 2011 IEEE 9th International,Bordeaux, 2011, pp. 378-381.

[10] V. Sklyarov and I. Skliarova, “Reuse Technique inHardware Design”, 2007 IEEE International Confer-ence on Information Reuse and Integration, Las Vegas,IL, 2007, pp. 36-41.

[11] Thomas Kropf, “Introduction to Formal HardwareVerification”, Springer-Verlag New York, Inc., 1999.



Documents

ANALOG 2016 - Publikationsdatenbank der TU Wien · Adrián Romero1, Jesús González2, Ulrich Hilleringmann3, Peter Glösekötter1 1 FH Münster – University of Applied Sciences;