# ATVA 2017 ForFET: A Formal Feature Evaluation Tool for Hybrid Systems

António A. Bruto da Costa, Dept. of Computer Sc & Engg

Pallab Dasgupta Professor, Dept. of Computer Sc & Engg



**Acknowledging** 



Assertions are commonplace in verification today. Standards include SVA and PSL.

AMS assertions have been studied. No standards yet.

A primary contribution of this research is in *formally* analyzing <u>AMS features</u> which look beyond assertions.

Features = Real valued functions computed over assertion matches.

### Features: Real valued functions computed over assertion matches

Overshoot (Mp) **Quantitative measurement** over a **behaviour** of a system. Vs Assertion **Boolean** (True/False) Undershoot (Mu) Vout **Rise Time** of a second order response **Rise Time (Trise)** of a signal is the time taken for a signal (Vout) to rise from 10% to 90% of its time Peak Time (tp) rated value (Vs). Settling Time (ts)

The Assertion: Rise Time should be less than 10ms

@+(M.Vout ≥ 0.1\*Vs) ⇒ ##[0:10e-3] @+(M.Vout ≥0.9\*Vs)

### Features: Real valued functions computed over assertion matches

Quantitative measurement over a **behaviour** of a system.

> Assertion == Boolean (True/False) Feature == Real Valued Quantity

**Rise Time** of a second order response of a signal is <u>the time taken for a signal</u> (Vout) to rise from 10% to 90% of its rated value (Vs).



feature RiseTime(Vs); begin var t1, t2; @+(M.Vout ≥ 0.1\*Vs),t1=\$time |-> RiseTime = t2 - t1; end The Assertion: Rise Time should be less than 10ms The Feature: What is the Rise Time of the circuit? @+(M.Vout ≥ 0.9\*Vs), t2=\$time MinRise <= RiseTime <= MaxRise

### **Feature Computation over Sequence Matches**

Restoration time for a battery charger: Time to restore charge in the maintenance mode.



feature restorationTime();

begin

var t1,t2; state==M && v==Vrestart, t1 = \$time ##[0:\$]state == CV && v==Vterm, t2 = \$time
|→ restorationTime = t2-t1;

end

### **Our Contributions**

- The study presented here discusses:
  - A Generalized Methodology for Constructing Feature Monitors
  - Using Feature Monitors for Analyzing Hybrid Automata
  - The ForFET Tool for Formal Feature Analysis
- Our past work in this area:
  - The Feature Indented Assertion (FIA) language for specifying features was introduced in, A. Ain, A. A. B. da Costa, and P. Dasgupta, "Feature Indented Assertions for Analog and Mixed-Signal Validation," IEEE TCAD, DOI:10.1109/TCAD.2016.2525798, 2016.
  - The notion of formally analyzing features over HA was introduced by us first in, A. A. B. da Costa and P. Dasgupta, "Formal interpretation of assertion based features on AMS designs," IEEE Design & Test, vol. 32 (1), pp. 9–17, 2015.

### Working of ForFET



### ForFET Methodology Step 1: The Feature

**Settle Time:** Time taken for the output voltage to settle to below Vr + E, where Vr is the rated voltage for the regulator, for two successive openings of the capacitor switch

```
feature settleTime(Vr,E);

begin

var st;

(x1>=Vr+E) ##[0:$]

@+(state==Open) && (x1<=Vr+E), st=$time ##[0

@+(state==Open) && (x1<=Vr+E)

|-> settleTime = st;

end
```



Hybrid Automaton of a Buck Regulator



#### INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR

### ForFET Methodology Step 2: The Feature Automaton



#### end

#### INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR



10









4

### **Case Studies and Results**

**Battery Charger Behavioural (Functional) Model:** •



for the Battery Charger

#### Some of the time domain features of a battery charger are:

- Pre-charge current
- Time constant of the charging current
- Constant charge current

- Restoration time
- Time constant of the voltage response

**Charging Modes** 

### **Features: Battery Charger**



#### **Restoration Time**

Time taken by battery to restore back to constant voltage (CV) mode from maintenance mode.

#### feature RestorationTime;

begin

```
var t1,t2;
(batt.state == Maintenance) && ( @<sup>-</sup>(batt.V,Vrestart), t1 = $time ) ##[0:$]
(batt.state==CV) && ( @<sup>+</sup>(batt.V ,Vterm),t2 = $time )
|-> RestorationTime = t2 - t1;
```

end

### **Case Studies and Results**

• Buck Regulator Behavioural (Functional) Model:



Output Voltage of a Typical DC/DC Buck Regulator in Different Charging Modes

State Transition Diagram of PFM Operation of a Typical DC/DC Buck Regulator

G9

**G**9

G10

Charge Mode

**D7** 

Discharge Mode D8

G11

FlowPipe (Current vs. Voltage) for the Buck Regulator

#### Some of the time domain features of a buck regulator are:

- Peak Overshoot Voltage
- Settle Time
- •Peak to Peak Output Voltage

#### INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR



### **Features: Buck Regulator**

| Settle Time<br>Time taken for the output<br>voltage to settle below E<br>of the rated voltage, Vr,<br>for two successive<br>openings of the capacitor<br>switch. | feature settleTime(Vr,E);<br>begin<br>var t;<br>(buck.v >= Vr+E) ##[0:\$]<br>@+(buck.state == Open) && (buck.v <=Vr+E), t = \$time ##[0:\$]<br>@+(buck.state == Open) && (buck.v <=Vr+E)<br> -> settleTime = t;<br>end |
|------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Restoration Time                                                                                                                                                 | feature overshoot(Vr);                                                                                                                                                                                                 |

The peak value of the voltage response curve measured from the desired response of the system.

```
teature oversnoot(vr);
```

begin

```
var v1;
  (buck.state == Discharge) && (buck.v >= Vr), v1 = v
     |-> overshoot = v1;
end
```

### The numbers that count

### **Results of Formal Feature Analysis**

| Feature                         | Size of Set |       | Step      | CPU-Time      | Feature Range |            |  |
|---------------------------------|-------------|-------|-----------|---------------|---------------|------------|--|
| Name                            | $Q_F$       | $X_F$ | Size      | (mins : secs) | Min           | Max        |  |
| Test Case: Buck Regulator       |             |       |           |               |               |            |  |
| Settle Time                     | 4           | 7     | $10^{-6}$ | 21m : 38s     | 125.166µs     | 225.166µs  |  |
|                                 |             |       | $10^{-3}$ | 0m : 40s      | 125.166µs     | 225.166 µs |  |
| Overshoot                       | 4           | 7     | $10^{-6}$ | 13m : 22s     | 5V            | 5.21V      |  |
|                                 |             |       | $10^{-3}$ | 0m : 7s       | 5V            | 5.21V      |  |
| Test Case: Battery Charger      |             |       |           |               |               |            |  |
| Charge                          | 7           | 7     | 1         | 0m : 30s      | 1hr 24min     | 4hr 34min  |  |
| Time                            |             |       | 0.1       | 0m : 50s      | 2hr 4min      | 4hr 27min  |  |
| Restoration                     | 7           | 7     | 1         | 1m : 26s      | 5min 51sec    | 12min 3sec |  |
| Time                            |             |       | 0.1       | 4m : 33s      | 7min 35sec    | 10min 2sec |  |
| Bandwidth                       | 7           | 7     | 1         | 0m :25s       | 16.8µHz       | 202.5µHz   |  |
|                                 |             |       | 0.1       | 0m : 56 s     | 32.87µHz      | 65.85µHz   |  |
| Test Case: Cruise Control Model |             |       |           |               |               |            |  |
| Speed Capture                   |             |       | 1         | 0m : 0.831 s  | 37sec         | 49sec      |  |
| Precise                         | 8           | 8     | 0.1       | 0m : 11.68s   | 41sec         | 44.8sec    |  |
| k=40                            |             |       | 0.01      | 3m : 51.13s   | 41.44sec      | 44.26sec   |  |
| Speed Capture                   |             |       | 1         | 0 m : 5.20s   | 33sec         | 49sec      |  |
| Range, k1=20,                   | 8           | 8     | 0.1       | 3m : 4.28s    | 35.3sec       | 45.9sec    |  |
| k2=40                           |             |       | 0.01      | 31m : 31s     | 35.45sec      | 45.41sec   |  |

#### Model Number of Analysis Name Locations Variables Accuracy **CPU-Time** $10^{-6}$ 1min 2sec **Buck Regulator** 2 4 5 Battery Charger 2.3 sec 3 0.1 Cruise Control 0.8 sec 6 4 0.1

#### A few key observations...

- The method of analysis scales well for various types of features.
- Computational accuracy beyond a point leads to insignificant improvements in the feature range computed.
- For quick analysis an appropriate *Step Size* may be decided upon.
- Unsatisfactory feature ranges require re-evaluation of models parameters, and fine-tuning of the design strategy.

### **Observations**

#### Accuracy Saturation marked as x

#### Precision α (Feature Width)<sup>-1</sup> α Execution Time



### **Observations Contd.**

#### Accuracy Saturation marked as x

### Precision α (Feature Width)<sup>-1</sup> α Execution Time



### The Road Forward...

- **>** Building a cool GUI for ForFET.
  - Hybrid Automaton model browser and editor
  - Browser, Editor and Syntax Highlighter for <u>features</u>
  - One click feature analysis
- > Feature Range [ $F_{min}$ ,  $F_{max}$ ] extreme value analysis
  - Can we tell which action choices and timings lead to F<sub>min</sub>, F<sub>max</sub>
  - Using SMT solvers dReach/dReal for δ-satisfiability to generate traces for F<sub>min</sub>, F<sub>max</sub>
- What about simulatable models? Can we learn features from simulation traces?
  - Learning AMS assertions from simulation traces.
- A specialized Feature Analysis Engine

## Thanks for listening! Any Questions?

INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR