Synchronizing AMS Assertions With AMS Simulation

Synchronizing AMS Assertions with AMS Simulation:
From Theory to Practice
SUBHANKAR MUKHERJEE, PALLAB DASGUPTA,

and SIDDHARTHA MUKHOPADHYAY, Indian Institute of Technology Kharagpur
SCOTT LITTLE, JOHN HAVLICEK, and SRIKANTH CHANDRASEKARAN,
Freescale Semiconductor
The verification community anticipates the adoption of assertions in the Analog and Mixed-Signal (AMS)
domain in the near future. Several questions need to be answered before AMS assertions are brought
into practice, such as: (a) How will the languages for AMS assertions be different from the ones in the
digital domain? (b) Does the analog simulator have to be assertion aware? (c) If so, then how and where
38
on the time line will the AMS assertion checker synchronize with the analog simulator? and (d) What
will be the performance penalty for monitoring AMS assertions accurately over analog simulation? This
article attempts to answer these questions through theoretical analysis and empirical results obtained from
industrial test cases. We study logics which extend Linear Temporal Logic (LTL) with predicates over real
variables, and show that further extensions allowing the binding of real-valued variables across time makes
the logic undecidable. We present a toolkit which can integrate with existing AMS simulators for checking
AMS assertions on practical designs. We study the problem of synchronizing the AMS simulator with the
AMS assertion checker and demonstrate the performance penalty of different synchronization options.
Categories and Subject Descriptors: B.7.2 [Integrated Circuits]: Design-Aids—Verification
General Terms: Verification
Additional Key Words and Phrases: Satisfiability, simulation, mixed-signal, temporal logic
ACM Reference Format:
Mukherjee, S., Dasgupta, P., Mukhopadhyay, S., Little, S., Havlicek, J., and Chandrasekaran, S. 2012.
Synchronizing AMS assertions with AMS simulation: From theory to practice. ACM Trans. Des. Autom.
Electron. Syst. 17, 4, Article 38 (October 2012), 25 pages.
DOI = 10.1145/2348839.2348842 http://doi.acm.org/10.1145/2348839.2348842
1. INTRODUCTION
The adoption of assertion checking capabilities in digital circuit simulators has been
rapid, primarily because the interpretation of assertion semantics in the digital do-
main is well-aligned with the simulation semantics of the circuit itself. Digital circuit
simulators typically evaluate the truth of signals at clock boundaries and the truth of
all assertions are also evaluated at the clock boundaries. Since the common denomi-
nator for sampling the signal values is the same for the simulator and the assertion
This work was partially supported by Freescale Semiconductor, through SRC/GRC research grant (Project
Code: 2008-TJ-1835).
Authors’ addresses: S. Mukherjee (corresponding author), P. Dasupta and S. Mukhopadhyay, Indian
Institute of Technology Kharagpur, India; email: subho.mukerji@gmail.com; S. Little, J. Havlicek, and
S. Chandrasekaran, Freescale Semiconductor.
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted
without fee provided that copies are not made or distributed for profit or commercial advantage and that
copies show this notice on the first page or initial screen of a display along with the full citation. Copyrights
for components of this work owned by others than ACM must be honored. Abstracting with credit is per-
mitted. To copy otherwise, to republish, to post on servers, to redistribute to lists, or to use any component
of this work in other works requires prior specific permission and/or a fee. Permission may be requested
from Publications Dept., ACM, Inc., 2 Penn Plaza, Suite 701, New York, NY 10121-0701, USA, fax +1 (212)
869-0481, or permissions@acm.org.
c 2012 ACM 1084-4309/2012/10-ART38 $15.00
DOI 10.1145/2348839.2348842 http://doi.acm.org/10.1145/2348839.2348842
ACM Transactions on Design Automation of Electronic Systems, Vol. 17, No. 4, Article 38, Publication date: October 2012.
38:2 S. Mukherjee et al.
checker, namely some well-defined clock, the synchronization between the assertion
checker and the simulator is natural [Dasgupta 2006].
On the other hand, in Analog and Mixed-Signal (AMS) simulation, the choice of
the sampling points depends on the sampling algorithm used by the simulator and
typically the sampling in nonuniform. The density of sampling points within a time
interval is typically related to the growth rate of the functions being sampled within
that interval. One of the main challenges in building an AMS assertion checker over a
AMS simulator is to determine whether the sampling points chosen by the simulator
are adequate to determine the truth of an assertion correctly. More specifically we
need to answer two questions.
(1) Can the truth of an assertion change between sampling points chosen by the sim-
ulator? If this happens then we may miss the violation of an assertion.
(2) If the answer to the first question is true, then we need to ask the question: Where
and how should the assertion checker insert additional sampling points in order to
guarantee that the truth of the assertions is evaluated correctly?
The answer to both questions is related to the expressive power of the assertion spec-
ification language. The answer to the second question has a significant impact on the
performance of the simulator. Insertion of too many additional simulation points can
significantly degrade the performance of an AMS simulator. For example, using a sam-
pling clock of fine granularity as advocated in some of the early works [Mukhopadhyay
et al. 2009] in this area is not a good option in practice and may degrade the perfor-
mance of the analog simulator, as demonstrated later in this article.
The first part of the article studies the fundamental requirements in extending
propositional Linear Temporal Logic (LTL) [Pnueli 1977] to a decidable logic capa-
ble of expressing AMS behaviors. In line with existing literature on AMS extensions
of LTL [Alur et al. 1991; Li and Tang 2003; Maler and Nickovic 2004; Maler et al.
2005, 2008], we consider the following two basic requirements for AMS assertion
specification.
(1) Discrete time to dense real time. LTL and assertion languages like SystemVerilog
Assertions (SVA) [IEEE Std 1800-2009 2010] and Property Specification Language
(PSL) [IEEE Std 1850-2010 2010], which are derived from LTL, have a well-defined
discrete-time semantics. In digital designs, events are checked at clock boundaries
and therefore, it suffices to measure the progress of time in terms of the num-
ber of clock cycles. On the other hand, analog events can occur anywhere, hence
we require dense real-time semantics. Logics like Metric Interval Temporal Logic
(MITL) [Alur et al. 1991] extend LTL to the dense real-time domain.
(2) Use of real-valued variables. In MITL, properties are defined over a set of Boolean
variables (atomic propositions). In the AMS domain we also require the ability to
specify properties involving real-valued variables. Existing extensions of MITL,
such as Signal Temporal Logic (STL) [Maler and Nickovic 2004], also allow Pred-
icates Over Real Variables (PORVs) which are simple constraints over real-valued
variables.
The primary objective of this article is to study the issues related to synchronizing a
checker for assertions expressed in AMS assertion languages like STL with the AMS
simulator. In the first part of this article, we explore simple extensions of STL and
study the effect of these extensions on the decidability of the logic. We observe that
extending STL with the notion of events (which yields AMS-LTL) does not alter the
decidability of the logic. We further show that a basic extension to the logic that allows
Synchronizing AMS Assertions with AMS Simulation: From Theory to Practice 38:3
simple bindings between the values of a real variable across time yields an undecidable
extension of AMS-LTL.
This extension has significant value in terms of expressing AMS behaviors. There-
fore (unlike previous researchers) we allow these extensions in our logic while being
conscious of the fact that the fundamental problems like satisfiability and validity are
undecidable for these extensions. Nevertheless, it is important to note that the task of
evaluating the truth of such assertions over simulation traces remains decidable.
In a recent work [Mukherjee et al. 2011] we extended AMS-LTL assertions with
formalisms like auxiliary state machines and auxiliary functions, which also buys ex-
pressibility at the cost of decidability of the validity problems. The focus of that paper
was on enhancing the framework in terms of expressibility of AMS behaviors, looking
beyond assertions. On the other hand, the focus of this article is on studying the un-
derlying issues related to synchronizing the checker with the AMS simulator. This is
an important requirement for developing tool suites for AMS assertion checking.
The second part of this article focuses on checking AMS assertions dynamically
over simulation runs. There are several basic challenges in checking AMS assertions
dynamically as opposed to the task of checking these assertions offline. These include
the following.
(1) We tune the granularity of sampling in the analog simulation adaptively based on
the state of the assertion checker.
(2) We maintain a window of history in order to avoid a state explosion in the checker
because of the dense real-time semantics.
In this article we discuss these challenges and present the algorithm used in our
tool for checking AMS assertions over simulation.
The third part of the work explores the overhead of synchronizing AMS assertion
checking with an underlying AMS simulator. In order to evaluate the truth of PORVs
in a AMS assertion accurately, our toolkit uses the notion of cross events, which are
defined in the Verilog-AMS [Verilog-AMS 2010] standard. However, cross events po-
tentially degrade the performance of an analog simulator. This article studies the
extent of this degradation with industrial test cases.
The work is organized as follows. Section 2 presents some related works in the do-
main of AMS assertions. In this section, we briefly discuss the syntax and semantics
of STL. In Section 3, we propose an extension of STL, called AMS-LTL, and present
its satisfiability problem. Section 4 further extends AMS-LTL with local variables to
derive AMS-LTL L , and studies decidability of the extended logic. Section 5 presents
a dynamic monitoring scheme for the extended formalisms over a simulation run. We
discuss the issue of synchronizing assertions with the AMS simulators. In Section 6,
we study accuracy of the proposed methodology. Results related to simulation over-
head of the assertion monitors in our prototype toolkit have been reported in Section 7
on a number of industrial test cases.
2. BACKGROUND AND RELATED WORK

This section presents the background of the proposed work, including formal def-
initions, summary of related work, and existing state-of-the-art in AMS assertion
checking.
Propositional temporal logics, like LTL, extend Boolean logic by allowing us to re-
late the truth of Boolean propositions in different time instances. There are several
extensions of LTL that have dense real-time semantics. These include Metric Tempo-
ral Logic (MTL) [Alur and Henzinger 1990], MITL [Alur et al. 1991], TPTL [Alur and
Henzinger 1994], and LTLC [Li and Tang 2003]. The validity problem of several logics
in this family with dense real-time semantics are undecidable [Alur and Henzinger
1990]. However, the problem of checking such properties over finite (or periodic) sim-
ulation traces is decidable in polynomial time, as elaborated in Markey and Raskin
[2006].
In addition to dense real-time semantics, AMS assertion languages should be
able to handle real-valued variables. Most of the existing AMS assertion languages
encapsulate real-valued variables in Predicates Over Real Variables (PORV), which
are linear constraints over the real variables. The authors of Jesser et al. [2007]
used predicates over real variables in a PSL framework. They presented a tool called
MLDesigner which uses continuous time discrete-event model of computation for
the analog part and discrete event for the digital part of the circuit. The authors of
Steinhorst and Hedrich [2008] proposed the Analog Specification Language (ASL) for
verifying complex static and dynamic circuit properties like oscillation and startup
time. In Dastidar and Chakrabarti [2008], the authors proposed an extension of
CTL to verify transient response of analog circuits. There the authors used temporal
predicates over the real-valued signals to express edges; however, the extended logic
had a discrete-time semantics.
The analysis presented in this article uses an extension of the language, STL. Sec-
tion 2.1 briefly outlines STL and an offline monitoring scheme of STL over continuous
signals as described in Maler and Nickovic [2004].
2.1. Signal Temporal Logic (STL): Brief Outline

STL extends the set of atomic propositions, AP, with a finite set of PORVs, AP A . The
formal definition of PORVs is given next.
Definition 2.1 (Predicate over Real Variables). If the set of continuous variables is
X = {x1 , x2 , ..., xn}, then a Predicate over Real Variables, pa, is constructed as, pa ::=
f (x1 , x2 , ..., xn) ∼ 0, where f is a mapping, f : Rn → R, and ∼ is a relational operator
such that ∼∈ {>, ≥}. Throughout this article, we consider f to be a linear map.
Other relational operators like <, ≤, and = are derived from ∼ and the propositional
connectives.
The syntax of STL uses the notion of time intervals, as defined next.
Definition 2.2 (Time Interval). Time is considered to be the set of all nonnegative
real numbers R≥0 . An interval I is a nonempty convex subset of R≥0 and is expressed
in the forms (a, b ), [a, b ], (a, b ], [a, b ), where a, b ∈ R≥0 and b > a. The left and right
end points of I are denoted by l(I) = a and r(I) = b , respectively.
Two intervals I1 and I2 are said to be adjacent iff I1 ∪ I2 is an interval, and I1 ∩ I2 = ∅.
For example, [0, 4] and (4, 5.1) are adjacent to each other, whereas [0, 4.1] and (4.5, 5.1)
are not. In this interval notation, for t, t
∈ R≥0 , (I + t) denotes the interval {t
+ t| t
∈ I}.
Similarly (I − t) denotes the interval {t
− t| t
∈ I and t
− t ≥ 0}.
It may be noted that the preceding definition of a time interval does not allow sin-
gular intervals (that is, b = a). This is an important consideration with respect to
the decidability of the logic. It has been shown that MITL and its extensions become
undecidable when singular intervals are allowed [Alur et al. 1991].
Definition 2.3 (Syntax of STL). An STL formula ϕ is defined by the following
grammar.
ϕ ::= | p|¬ϕ|ϕ ∧ ϕ|ϕU I ϕ
Here p ∈ AP ∪ APA and I is an interval.
The semantics of STL is defined over the observable signals at the interface of the
system. Each observable state is defined as the subset, s, of the propositions AP ∪ APA
that are true in that state. If none of the propositions in AP ∪ APA change in a
time interval, I, then the state remains unchanged over this interval, I. The seman-
tics of STL is interpreted over timed state secquences, which is formally defined as
follows.
Definition 2.4 (Timed State Sequence). A state sequence is an infinite sequence of
states, S = s0 s1 s2 ..... such that si ⊆ AP ∪ APA . An interval sequence I is an infinite
sequence of intervals I = I0 I1 I2 ....., where Ii is left closed and right open ∀ i ∈ N≥0 , and
I has the following three properties.
— Initiality: For I0 , l(I0 ) = 0.
— Progress: For every t > 0 there exists an interval Ii such that t ∈ Ii.
— Adjacency: For every i ≥ 0 Ii and Ii+1 are adjacent to each other.
A timed state sequence is a pair τ = (S, I) such that for each time, t ∈ Ii, the state is
si.
Informally, timed state sequences can be represented as infinite sequences of the
form
(s0 , I0 ) → (s1 , I1 ) → (s2 , I2 ) → ...
where at time t the observable state of the system is si, such that, t ∈ Ii.
Definition 2.5 (Suffix of Timed State Sequences). For a timed state sequence τ =
(S, I), the suffix of τ , τ t at time t is defined as the timed state sequence
(si, Ii − t) → (si+1 , Ii+1 − t) → (si+2 , Ii+2 − t) → ...
such that t ∈ Ii.
Definition 2.6 (Semantics of STL). For an STL formula, ϕ, and a timed state se-
quence, τ = (S, I), the satisfaction relation τ ϕ is defined inductively as follows:
— τt , for all t.
—τ p, iff s0 p, where p ∈ AP ∪ APA .
—τ ¬ϕ iff τ ϕ.
—τ ϕ1 ∧ ϕ2 iff τ ϕ1 and τ ϕ2 .
—τ ϕ1 U I ϕ2 iff for some t ∈ I, τ t ϕ2 , and for all t

∈ [0, t), τ t ϕ1 .
We use ⊥ to represent ¬. Other propositional operators like disjunction (∨), im-
plication (⇒), and other temporal operators like future (F), global (G), weak until (W),
and release (R) are derived in a similar way as in MITL. For example, ϕ1 R I ϕ2 (which
is used later in this article) is the same as ¬(¬ϕ1 U I ¬ϕ2 ).
The following example presents some properties developed with STL.
Example 2.7. If enable is low, vout will be less than 0.2V within 10μs. – This may
be expressed by the following safety property in STL.
¬enable ⇒ F[0,10e−6] (vout < 0.2)
If enable is held low for at least 2μs then vout will become less than 0.2V within next
10μs. – We encode this by the following safety property in STL.
G[0,2e−6] (¬enable) ⇒ F[2e−6,12e−6] (vout < 0.2)
2.2. Monitoring STL over Finite Simulation Traces

There has been considerable research in recent times on the task of checking real-time
logics over simulation runs. This includes offline approaches such as Maler and
Nickovic [2004], Maler et al. [2008], and Nickovic and Maler [2007] and online ap-
proaches such as Mukhopadhyay et al. [2009]. An incremental semionline monitoring
approach was presented in Nickovic [2008]. In this section, we briefly outline the
offline monitoring algorithm of STL as presented in Maler and Nickovic [2004]. This
algorithm has been extended for monitoring the proposed AMS-LTL logic dynamically
over simulation runs.
The input for the algorithm presented in Maler and Nickovic [2004] is a simulation
trace, formally defined as follows.
Definition 2.8 (Trace). If Vc = {x1 , x2 , ..., xn} is the set of continuous variables, and
Vb = {b 1 , b 2 , ..., b m} is the set of Boolean variables then a trace is a mapping, S, from
time domain to valuations of Vc and Vb , that is,
S : R≥0 → Rn × {, ⊥}m,
where R≥0 is the set of nonnegative real numbers representing the time domain.
Definition 2.9 (ϕ-Atom Set). The ϕ-atom set of an STL formula ϕ, denoted by A(ϕ),
is the set of atomic propositions in ϕ, formally defined as A(ϕ) = { p ∈ AP ∪ AP A | p is
contained in ϕ}.
Definition 2.10 (True Set). Given an STL formula ϕ and a trace S, the true set,
A(ϕ, t, S) of ϕ on S at time t, is the subset of A(ϕ) that are true on S at time t.
Every trace, S, can be partitioned into a sequence of adjacent time intervals, I =
I0 I1 I2 ..., such that the observable state of the system is the same within each interval,
and differs in adjacent intervals. Therefore, a given trace S can be converted into an
equivalent timed state sequence τ = (S, I), where I = I0 I1 I2 ... satisfies the following.
∀t, t
∈ Ii, A(ϕ, t, S) = A(ϕ, t
, S)
∀t ∈ Ii, ∀t
∈ Ii+1 , A(ϕ, t, S) = A(ϕ, t
, S)
The algorithm presented in Maler and Nickovic [2004] uses the length, L(ϕ), of the
given property ϕ, to determine a window of evaluation. It has been shown that it is
sufficient to know the truth of each proposition, p, in the interval [t − L(ϕ), t] in order
to evaluate the truth of ϕ at the time instance t. L(ϕ) is computed as follows.
Definition 2.11 (Length of ϕ). The length of an STL property ϕ is recursively de-
fined as:
— L( p) = 0, where p ∈ AP ∪ APA .
— L(ϕ1 ∧ ϕ2 ) = max{L(ϕ1 ), L(ϕ2 )}.
— L(¬ϕ) = L(ϕ).
— L(ϕ1 U I ϕ2 ) = r(I) + max{L(ϕ1 ), L(ϕ2 )}.
The offline monitoring scheme proposed in Maler and Nickovic [2004] works on a given
simulation trace in the following way.
Suppose Z + (ψ) denotes the set of true intervals of ψ, that is, the set of time intervals
where ψ is true. Similarly, Z − (ψ) denotes the set of time intervals where ψ is false.
For a given property, ϕ, the checker computes the true intervals of ϕ using the true
intervals of its subformulas. For example, the true intervals of ϕ1 ∧ ϕ2 can be computed
using the true intervals of ϕ1 and ϕ2 as follows.
Z + (ϕ1 ∧ ϕ2 ) = Z + (ϕ1 ) ∩ Z + (ϕ2 ) (1)
Fig. 1. Evaluation of truth for an STL formula.
Similarly, the true intervals of ϕ1 U I ϕ2 are computed as follows.

Z + (ϕ1 U I ϕ2 ) = {({Ii} ∩ {I j}) [l(I), r(I)]} ∩ {Ii} (2)
Ii ∈Z + (ϕ1 ), I j∈Z + (ϕ2 )
Here I is nonempty, and I [a, b ] is defined as

I [a, b ] = [ max(l(I) − b , 0), max(r(I) − a, 0) ).
It is to be noted that {Ii} and {I j} are singleton sets. Thus {Ii} ∩ {I j} is singleton or
empty, and so are {({Ii} ∩ {I j}) [l(I), r(I)]}, and {({Ii} ∩ {I j}) [l(I), r(I)]} ∩ {Ii}. The
operations on intervals such as union, intersection are standard [Weems 1989].
We demonstrate this algorithm with an example. Consider the trace shown at the
top of Figure 1 over the signals, vx and v y . Let ϕ = (v y > 0.1) U[1.5,2.5] (vx > 0.1) be
our property. The true intervals of the PORVs, (v y > 0.1), and (vx > 0.1), are derived
from the trace and are shown as waveforms, W2 and W3 respectively. Waveform W4,
which represents the property, ψ1 = (v y > 0.1) ∧ (vx > 0.1), is computed from W2 and
W3 using Eq. (1). Waveform W5, which represents the property, ψ2 = F[1.5,2.5] ψ1 , is
computed as follows. For each true interval, I, of ψ1 , we compute a true interval, I
, of
ψ2 as
I
= I [1.5, 2.5] = [max(l(I) − 2.5, 0), max(r(I) − 1.5, 0)).
Finally in W6 the true intervals of ϕ are computed from the waveforms W4 and W5
using Eq. (2).
We name this algorithm Offline(ϕ, S, h, t) that stores a history of length h > L(ϕ)
about the truth of each member of A(ϕ), and returns the truth of ϕ for the time interval
[t − h, t − L(ϕ)) at time t on trace S.
3. AMS-LTL: SYNTAX, SEMANTICS AND COMPLEXITY

The logic MITL extends LTL with dense real-time operators. It has been shown
that the validity problem of MITL is decidable if singular time intervals are not al-
lowed [Alur et al. 1991]. In Alur and Henzinger [1990] it has been shown that most ex-
tensions to the core model of real time are undecidable. In our analysis we focus on the
other aspect of AMS assertion languages, namely on the use of real-valued variables.
One of the extensions that we considered beyond the logic, STL, is by adding the no-
tion of local variables into the logic. Local variables have been popular in SystemVer-
ilog assertions because it allows the binding of uninterpreted variable values across
time domains. For example, consider the following SVA property.
property PIPE;
int x;
(posedge clk)
(In, x = DataIn) |-> ##[1,4] (Out && DataOut == x);
endproperty
This property says that the Out signal must be asserted between 1 and 4 cycles after
the In signal is asserted, and the value of the DataIn signal at the time when the In
signal is asserted is the same as the value of the DataOut signal when the Out signal
is asserted. In this property there is no specific value that is associated with the local
variable, x, that is, x is an uninterpreted variable. For evaluating this property during
simulation, the simulator must record the DataIn value at each clock cycle where In
is asserted, so that it can be matched with the DataOut value when Out is asserted.
In the digital domain this recording takes place at discrete points of time, typically
synchronized with the clock. In the AMS domain we need to define events at which the
recording will take place, otherwise we will be faced with recording such signals over
dense time intervals.
The notion of events also allows us to express properties that are not easily express-
ible otherwise. For example, consider the following properties.
— If enable goes high, within 10μs, vout goes above 2V (a property related to rise time).
— If reset goes high then within 10μs, vout starts falling.
These two properties require the modeling of events. Events like enable and reset
going high are typical in the digital domain, whereas behaviors like vout starts falling
are from the AMS domain. The second property requires local variables because a
comparison of values of the real variables across time is necessary. Properties of such
types cannot be expressed in STL in any obvious way.
The property specification language used in this article allows both events and local
variables. However, in order to elucidate our presentation, we first extend STL to the
logic AMS-LTL which allows the specification of events but not local variables. Later
we further extend AMS-LTL to AMS-LTL L which allows local variables.
Definition 3.1 (Syntax of AMS-LTL). The syntax of the AMS-LTL formula ϕ is de-
fined recursively by the following grammar rules.
ϕ ::= | p | E | ¬ ϕ | ϕ ∧ ϕ | ϕ U I ϕ
E is an event to express change of truth of propositions and is defined by the follow-
ing grammar rules
E ::= @+ (B) | @− (B) | @(B),
B ::= p | ¬ B | B ∧ B,
where p ∈ AP ∪ APA .
Definition 3.2 (Semantics of AMS-LTL). For an AMS-LTL formula ϕ and a timed

state sequence τ = (S, I), the satisfaction relation τ ϕ is identical to that of STL with
the following additional semantics of events.

— τ t @+ (b ), iff t > 0, and ∃Ii such that l(Ii) = t, ∀t

∈ Ii. τ
t b , and ∀t
∈ Ii−1 . τ
t b
— τ t @− (b ), iff t > 0, and ∃Ii such that l(Ii) = t, ∀t
∈ Ii. τ t b , and ∀t
∈ Ii−1 . τ t b
— τ t @(b ), iff τ t @+ (b ) or τ t @− (b ).
P ROPOSITION 3.3. AMS-LTL subsumes STL.
We demonstrate the expressibility of AMS-LTL with some examples.
Example 3.4. If enable goes high, within 10μs, vout goes above 2V (a property re-
lated to rise time). – We express this safety requirement as follows.
ϕ ≡ @+ (enable) ⇒ F[0,1e−5] (vout > 2)
Example 3.5. If va crosses 1.3V in the rising direction, within 0.5μs the system
should flag failure by asserting c. – This is a safety requirement which may be ex-
pressed in AMS-LTL as
ϕ ≡ @+ (va > 1.3) ⇒ F[0,5.0e−7] (c).
Example 3.6. If va crosses 1.2V in the rising direction, then it should remain above
1.2V for at least 20ns. – This is again a safety requirement which may be expressed in
AMS-LTL as follows.
ϕ ≡ @+ (va > 1.2) ⇒ G[0,2.0e−8] (va > 1.2)
Example 3.7. From 0.0ns, the time for the voltage of va to settle between 1.0V
and 1.2V for at least 500ns is 250.0ns with a 25.0ns tolerance. – If rising edge of
start denotes 0.0ns, then this requirement is encoded as an AMS-LTL formula in the
following way.
ϕ ≡ @+ (start) ⇒ F[2.25e−7,2.75e−7] (G[0,5e−7] ((va > 1.0) ∧ (va < 1.2)))
3.1. Decidability of AMS-LTL

In this subsection, we study the validity/satisfiability problem of AMS-LTL. We show
that adding PORVs and events to MITL (as in AMS-LTL) does not change the com-
plexity of the validity/satisfiability problem and it remains EXPSPACE-complete. In
order to establish this result we present an algorithm for deciding the satisfiability
of AMS-LTL formulas. The following example outlines the approach followed in our
algorithm.
Example 3.8. Consider the following property.
ϕ ≡ G[0,2.5] (a < 10) ∧ F[1,1.5] (a > 20)
We replace the PORVs (a < 10) and (a > 20) with Boolean variables x1 and x2 respec-
tively to obtain an MITL property.
ψ ≡ G[0,2.5] (x1 ) ∧ F[1,1.5] (x2 )
The MITL property ψ is satisfiable because we have lost the information that there
is a conflict between the predicates (a < 10) and (a > 20) and that no state can
satisfy both x1 and x2 . Therefore in order to reach the correct decision about the
satisfiability of ϕ, we must restrict the accepting traces in the tableau for ψ to those
that do not visit states labeled by both x1 and x2 . This is achieved by adding conflict
constraints.
In this example, it may be noted that x1 and x2 are not negations of each other
because they can be false together. The only conflicting case is that both x1 and x2
cannot be true together. We therefore add the conflict constraint.
ψ ≡ G(¬(x1 ∧ x2 ))
Thereafter we check the satisfiability of the following MITL property to determine the
satisfiability of ϕ.
φ ≡ G[0,2.5] (x1 ) ∧ F[1,1.5] (x2 ) ∧ G(¬x1 ∨ ¬x2 )
The preceeding AMS-LTL property is not satisfiable, which matches with the fact that
ϕ is not satisfiable.
Given a set of PORVs, C = {ci}, for i = 1, 2, ..n, a core is a conjunction of PORVs of the
form c j1 ∧ c j2 ∧ c j3 ... ∧ c jm , for n ≥ m ≥ 1, and c jk ∈ C or ¬c jk ∈ C. A minimal unsatisfiable
core is a minimal core which is unsatisfiable. The task of enumerating the minimal
unsatisfiable cores is a well-studied problem [de la Banda et al. 2003; Yan et al. 2006],
and known to be DP-complete [Yan et al. 2006]. The proposed methodology works as
described in Algorithm 1.
ALGORITHM 1: CheckSAT(ϕ)
1: Replace each PORV, ci, in ϕ with a new distinct Boolean variable xi. Let ψ be the modified
property, which is in MITL. Each xi represents a PORV ci.
2: Determine the set, CU , of minimal unsatisfiable cores over the set {ci}.
3: Check the satisfiability of the following MITL property.
⎛ ⎞

φ≡ψ G⎝ ¬Ck ⎠
Ck ∈CU
An event is a proposition over the valuations of the Boolean signals and the PORVs
at the current time interval and the same at the previous time interval. Hence, we
reduce the satisfiability problem of AMS-LTL to the satisfiability problem of MITL by
replacing the PORVs with Boolean variables and adding a set of conflict constraints
derived from the minimal unsatisfiable cores. The authors of de la Banda et al. [2003]
and Yan et al. [2006] describe an O(3n) algorithm to find out the set of minimal unsat-
isfiable cores from a set of constraints on real-valued variables. Algorithm 2 outlines
their approach.
Intuitively this algorithm makes use of the fact that supersets of unsatisfiable sets
of constraints are also unsatisfiable.
L EMMA 3.9. Given an AMS-LTL property ϕ, Algorithm 1 determines the satisfiabil-
ity of ϕ correctly.
P ROOF. Suppose ϕ is unsatisfiable. If the property ψ created in Step 1 of Algorithm 1
is also unsatisfiable, then we are done. Otherwise consider an accepting run for ψ and
replace each new variable, xi, with the PORV, ci, it represents. If there is no conflict
among the PORVs in each timestep of this trace, this trace represents a witness for ϕ,
which is a contradiction. Therefore each accepting run for ψ, must have a conflict of
the PORVs in some time interval. Consequently, Step 3 of Algorithm 1 will find the
property to be unsatisfiable.
The reverse is obvious, since whenever ϕ is satisfiable, then every accepting run for
ϕ will be an accepting run for the property checked in Step 3 of Algorithm 1.
ALGORITHM 2: FindMinUnsatCore(C)
1: S = {true}; U = ∅;
2: for each pi ∈ C do
3: for each s ∈ S do
4: w1 = s pi; w2 = s ¬ pi;
5: if w1 is UNSAT
then
6: U = U {w1 }; S = S {w2 };
7: else
8: S = S {w1 };
9: if w2 is UNSAT
then
10: U = U {w2 };
11: else
12: S = S {w2 };
13: end if
14: end if
15: end for
16: end for
T HEOREM 3.10. The satisfiability problem of AMS-LTL is EXPSPACE-complete.
P ROOF. Since AMS-LTL subsumes MITL and the satisfiability problem of MITL
is EXPSPACE-complete [Alur and Henzinger 1990], AMS-LTL satisfiability is EXP-
SPACE-hard. To prove that AMS-LTL satisfiability is in EXPSPACE, we use Algo-
rithm 1. The complexity of Step 1 of Algorithm 1 is linear in the size of ϕ. Step 2 is
a well-studied problem [de la Banda et al. 2003; Yan et al. 2006], and is known to be
DP-complete which is contained in EXPSPACE. Step 3 is EXPSPACE-complete. So,
Algorithm 1 can decide satisfiability of ϕ in EXPSPACE. Thus AMS-LTL satisfiability
is EXPSPACE-complete.
4. AMS-LTLL : AMS-LTL WITH LOCAL VARIABLES

It is important to note that AMS-LTL can relate the truths of predicates in different
time instances, but it cannot relate the values of the real variables in different time
instances. For example, suppose we wish to express that a Linear DropOut regulator
(LDO) has a dropout voltage of 3.2V, that is, if the input voltage, vin, falls below 3.2V,
then the output voltage vout will start falling within 0 to 1.5 seconds. In order to capture
the requirement that vout starts falling, we will have to compare the value of vout at
different time points, which is not possible in AMS-LTL.
AMS-LTL L is a simple extension of AMS-LTL where we allow uninterpreted real
variables to carry the values of real variables from one time instance to another. The
following property expresses our previous requirement using local variables.
(@+ ( vin < 3.2 ), y ← vout) ⇒ F[0,1.5] ( vout < y )
The local variable y records the value of vout when vin falls below 3.2V. The property
matches if vout falls below this value within 1.5 seconds. The notation, y ← vout,
represents the recording of vout in y.
The formal syntax and semantics of AMS-LTL L with local variables are given as
follows. Without loss of generality, we define the syntax for single local variable which
may be extended for arbitrary number of such variables.
Definition 4.1. (AMS-LTL L : Syntax). An AMS-LTL L subformula ϕl involving single

local variable is written using the following grammar rule.
ϕl ::= (E, xl ← z) ∧ ϕ(AP ∪ AP A ∪ AP L ) |
(E, xl ← z) ⇒ ϕ(AP ∪ AP A ∪ AP L )
Here E is an event on trace S, z ∈ X , AP is the set of Boolean variables, and AP A
is a set of PORVs over X , where X is the set of continuous variables. xl ← z denotes
assignment of the current value of z to the local variable xl . AP L is a set of PORVs
over X ∪ {xl }. ϕ is an AMS-LTL L formula over AP ∪ AP A ∪ AP L .
4.1. Decidability of AMS-LTLL

This subsection studies the validity/satisfiability problem of AMS-LTL L . We prove that
the satisfiability problem of AMS-LTL L is undecidable.
The satisfiability problem of SVA with local variables has been shown to be
EXP-SPACE-complete in Bustan and Havlicek [2006]. To prove the undecidability
result of AMS-LTL L , we use a variant of a 2-counter machine as described in Alur and
Henzinger [1994, 1990] and reduce it to an instance of AMS-LTL L satisfiability. A non-
deterministic 2-counter machine M has two counters, namely C and D, and a sequence
of n instructions. Each of these instructions may increment or decrement one of the
counters, or jump conditionally upon one of the counters being zero. After a nonjump
instruction gets executed, M can jump nondeterministically to one or many specified
instructions. The configuration of M is described by a triple l, c, d, where 1 ≤ l ≤ n,
c ≥ 0, and d ≥ 0 are current values of the location counter and the two counters C and
D, respectively. A computation of M is an infinite sequence of related configurations,
starting with the initial configuration 1, 0, 0. The computation is recurrent iff it
contains infinitely many configurations with the value of the location counter being 1.
T HEOREM 4.2. The satisfiability problem of AMS-LTL L is undecidable.
P ROOF. The problem of deciding whether a nondeterministic 2-counter machine has
a recurring computation is undecidable [Alur and Henzinger 1994]. Thus, to prove
undecidability of the satisfiability problem of AMS-LTL L formulas, it will suffice, for
a given 2-counter machine M, to construct an AMS-LTL L formula ϕ M such that ϕ M is
satisfiable iff M has a recurring computation.
The initial configuration l, c, d of M is encoded in AMS-LTL L by the formula
ϕ0 ≡ (l = 1) ∧ (c = 0) ∧ (d = 0).
Then, the proper configuration is ensured by adding a set of formulas ϕl for each lth
instruction, where 1 ≤ l ≤ n (n is the total number of instructions). For instance, sup-
pose the 1st instruction increments the counter C and proceeds nondeterministically
to instruction 3 or instruction 5. Since the steps of a counter machine are modeled
as integers, a next step may be modeled as F[1−ε,1+ε] in context of a real-time logic,
where 0 < ε < 1. This allows us to encode the stated instruction of the counter
machine as
ϕ1 ≡ G(@+ (l = 1), (x ← c), (y ← d) ⇒
F[1−ε,1+ε] (((l = 3) ∨ (l = 5)) ∧ (c = x + 1) ∧ (d = y))).
Here x and y are local variables, that have been used to carry over the values of the
counters C and D from the current time instance to the next time instance.
There will be n such formulas for the n instructions. The recurrence condition may
be encoded in AMS-LTL L in following way.
ϕn+1 ≡ G(F(l = 1))
Table I. Extended Logics and their Complexity

Satisfiability Model Checking
Logic Features
Problem Finite Prefixes
extends STL EXPSPACE-Complete
AMS-LTL
with events (same as MITL)
PTIME
extends AMS-LTL
AMS-LTL L Undecidable
with local variables
If ϕ M is constructed by taking conjunctions of all these n + 2 formulas, that is, ϕ M ≡

ϕ0 ∧ ϕ1 ∧ ... ∧ ϕn+1 , then ϕ M is satisfiable iff M has a recurrent computation. Thus,
we reduce the decidability problem of having recurrent computation in a 2-counter
machine into the satisfiability problem of an AMS-LTL L formula. Since the problem
of finding a recurrent computation of M is undecidable, the satisfiability problem of
AMS-LTL L is undecidable.
5. PROPERTY MONITORING OVER SIMULATION

For dynamic monitoring of AMS-LTL L during simulation, we extend Algorithm
Offline(ϕ, S, h, t) outlined in Section 2. This algorithm maintains history (a set of non-
singular time intervals) of length h, about the truth of A(ϕ), and uses a bottom-up
approach to return the truth of ϕ, for the time interval [t − h, t − L(ϕ)) at time t.
T HEOREM 5.1. Model checking AMS-LTL L on finite prefixes of timed state sequences
is in PTIME.
P ROOF. DThe proof is similar to that of Theorem 24 of Markey and Raskin [2006].
The proof works by counting the true intervals created while evaluating an AMS-LTL
property over a given finite prefix, π , of a timed state sequence. Let |π | denote the
number of intervals in π .
(1) For atomic propositions, including PORVs, the intervals are trivially computed by
reading the intervals of π .
(2) For Boolean combinations of subformulas, the true intervals are computed from
the true intervals of its subformulas by applying the corresponding operations.
For example, if there are m true intervals of ϕ1 and n true intervals of ϕ2 , then
there are O(m + n) true intervals for ϕ1 ∧ ϕ2 and ϕ1 ∨ ϕ2 .
(3) For subformulas of the form ϕ1 U I ϕ2 , the number of true intervals is O(m + n)
where m and n are respectively the number of true intervals of ϕ1 and ϕ2 . This is
by construction using Algorithm Offline(ϕ, S, h, t) outlined in Section 2.
Let us now consider the effect of events and local variables on the complexity.
(1) The number of occurrences of the events specified in an AMS-LTL property is
O(|π |).
(2) The recording of values of local variables are synchronized with events (as per
the syntax of AMS-LTL L ). Therefore the number of recording events is O(|π |).
Therefore a PORV involving a local variable has O(|π |) true intervals.
Therefore the complexity of evaluating AMS-LTL L properties on finite prefixes of
timed state sequences is polynomial in the size of the prefix and the size of the
property.
Table I summarizes different logics presented in this article with their expressibility
and computational costs.
5.1. Algorithm for Dynamic Monitoring

In this subsection, we consider the problem of monitoring AMS-LTL L properties over
simulation. The following definitions are useful for formalizing the problem.
Definition 5.2 (Sampling Function). A sampling function is a mapping T : N≥0 →
R≥0 , such that ∀n1 , n2 ∈ N≥0 , if n1 > n2 then T(n1 ) > T(n2 ). The ith sample T(i) is also
denoted by Ti, for i ∈ N≥0 .
Simulation evaluates the values of the signals at various sampling points. Given a
sampling function, the semantics of AMS-LTL (and AMS-LTL L ) may be interpreted
on the reconstructed trace obtained by applying zero-order hold [Sundararajan 2003]
on the sampled signals. We also refer to the reconstructed trace as sampled trace.
In order to evaluate the truth of the properties correctly, the time points at which the
truth of a PORV changes must be known precisely. The following definition captures
the notion of precise sampling.
Definition 5.3 (A(ϕ)-Accurate Sampling Function). A sampling function T is A(ϕ)-
accurate over a trace S iff, ∀t ∈ R≥0 if ∃t
∈ R≥0 , such that t
< t and ∀t
∈ [t
, t).A(ϕ, t, S) =
A(ϕ, t
, S), then ∃k such that T(k) = t.

Informally, if A(ϕ, t, S) changes at t = t0 then there exists a sampling point k such
that T(k) = t0 .
If T(k) is such that t − ε ≤ T(k) ≤ t + ε then T is said to be A(ϕ)-accurate with ε
tolerance.
Example 5.4. Consider the following property.
ϕ ≡ (vx > 1.0) U[0,4.0] ((v y > 1.2) U[1.0,3.0] ((a ∨ (vx > 1.2)) U[0,5.1] b ))
Here ϕ is an AMS-LTL formula over the signals {vx , v y , a, b }. A trace S is shown in
Figure 2 on which ϕ is to be monitored. For ϕ, the ϕ-atom set is A(ϕ) = {(vx > 1.0), (v y >
1.2), (vx > 1.2), a, b }, and the true set at t = 4.6 is A(ϕ, 4.6, S) = {(vx > 1.0), (v y >
1.2), (vx > 1.2)}. Similarly A(ϕ, 8.6, S) = {(vx > 1.0), (vx > 1.2), b }. The dots represent
the A(ϕ)-accurate sampling points.
We defined the semantics of the logic over timed state sequences. On the other
hand, when the property checker works with an AMS simulator, it is able to read
the values of the variables at discrete sampling points. An A(ϕ)-accurate sampling
function guarantees the existence of sampling points at those instances of time at
which the truth of the atomic propositions of ϕ changes. Therefore the true intervals of
these propositions are accurately computed by the property checker, and consequently
it is able to determine the truth of the property correctly.
T HEOREM 5.5. If we are given an A(ϕ)-accurate sampling function, T, then Algo-
rithm 3 guarantees to derive the truth of ϕ correctly for S.
P ROOF. The proof follows from: (a) the correctness of the property monitoring algo-
rithm on timed state sequences, and (b) the fact that an A(ϕ)-accurate sampling en-
sures that the true intervals for all atomic propositions in ϕ are computed correctly.
The correctness of property monitoring on timed state sequences follows from the
correctness of the algorithm presented in Maler and Nickovic [2004] for monitoring
STL.
Theorem 5.5 establishes that if the sampling function is A(ϕ)-accurate, then
Algorithm 3 evaluates the truth of ϕ correctly. We now discuss the problem when
Fig. 2. Signals with sampling function for Example 5.4.
the sampling function is not A(ϕ)-accurate. Let us consider the following AMS-LTL
property.
ϕ ≡ @+ (vin > 3) ⇒ F[2e−3,3e−3] (vout > 1.8)
The property says that, if the vin crosses 3V in rising direction, then within 2ms to
3ms vout will be above 1.8V. Figure 3 shows the events @+ (vin > 3), and @+ (vout > 1.8)
with black dots on the plot, whereas the dotted lines represent simulation points. As
ALGORITHM 3: Monitor-Trace(S, ϕ, T)
1: initialize: history = 0, {L k = ∅}, i = 0, where history is the length of stored history about the
truth of ground literals, in ϕ. {L k } is a set of lists, such that L k contains the set of time
intervals where kth ground literal of ϕ is true. Variable i denotes an index.
2: start simulation.
3: for ith sample such that i ≥ 0 do
4: progress simulation time, and set i = i + 1.
5: if L(ϕ) = 0 then
6: evaluate ϕ and flag failure if the evaluated truth is false.
7: terminate, if simulation ends.
8: continue.
9: end if
10: add history about the truth of the ground literals of ϕ for the time interval
[T(i − 1), T(i)) in {L k }.
11: set history = history + δi, where δi = T(i) − T(i − 1).
12: if history > L(ϕ) then
13: call Offline(ϕ, S, history, T(i)), and return truth of ϕ for the time interval
[T(i) − history, T(i) − L(ϕ)), based on {L k }.
14: free history in {L k } for time prior to t = T(i) − L(ϕ).
15: set history = L(ϕ).
16: end if
17: terminate, if simulation ends.
18: end for
Fig. 3. Requirement of accurate sampler for ϕ ≡ @+ (vin > 3) ⇒ F[2e−3,3e−3] (vout > 1.8).
shown in Figure 3, event @+ (vout > 1.8) occurs exactly 3.2ms after @+ (vin > 3), which
leads to a refutation for the property ϕ. But, due to imprecise sampling, the simulator
detects the event @+ (vout > 1.8), exactly 2.8ms after the event @+ (vin > 3). Thereby, the
checker fails to refute ϕ, which is not the desired outcome.
To avoid such cases we need a sampling function that can detect cross events like
@+ (vin > 3) with infinite precision, that is, the sampling function for a property ϕ needs
to be A(ϕ)-accurate. In practice it is not possible to force the simulator to be A(ϕ)-

accurate and hence we need to work with sampling functions that are A(ϕ)-accurate
with ε tolerance. We can choose a value of ε because most analog simulators use
successive approximation methods to detect cross events with the specified accuracy.
In the next section we present some theoretical analysis on AMS-LTL checking with
A(ϕ)-accurate sampling function with a ε tolerance.
6. ACCURACY OF VERIFICATION
This section presents some of the accuracy-related issues regarding property monitor-
ing with a ε tolerance in the A(ϕ)-accurate sampling function. A related problem about
robust sampling was addressed in Fainekos and Pappas [2009]. There the authors
show that if the dynamics of the signals fulfill certain conditions (Lipschitz continu-
ity), then it is possible to sample the signals at uniform discrete intervals such that if
the sampled trace satisfies an MITL specification then the original continuous trace
also satisfies that MITL specification.
We use the negation normal form of AMS-LTL (that allows negations only with the
atomic propositions and events, and uses the temporal operator release along with
until) for this purpose.
If I is a bounded interval with nonnegative real end points and ε ∈ R≥0 then I ⊕ ε
and I ε are defined as follows.
I ⊕ ε = t ∈ R≥0 |∃t
∈ I ∧ |t − t
| ≤ ε
I ε = t ∈ R≥0 |∀t
∈ R≥0 ∧ |t − t
| ≤ ε → t
∈ I
Definition 6.1. (ε-Stronger Property). If ϕ is an AMS-LTL property and ε ∈ R≥0 then
the ε-Stronger-ϕ, Rε (ϕ), is recursively defined as follows.
— Rε ( p) = p, and Rε (¬ p) = ¬ p.
— Rε (E) = E, and Rε (¬E) = ¬E.
— Rε (ϕ1 ∧ ϕ2 ) = Rε (ϕ1 ) ∧ Rε (ϕ2 ).
— Rε (ϕ1 ∨ ϕ2 ) = Rε (ϕ1 ) ∨ Rε (ϕ2 ).
— Rε (ϕ1 U I ϕ2 ) = Rε (ϕ1 )U Iε Rε (ϕ2 ).
— Rε (ϕ1 R I ϕ2 ) = Rε (ϕ1 )R I⊕ε Rε (ϕ2 ).
Here p is a proposition, and E is an event.
Definition 6.2. (ε-Weaker Property). If ϕ is an AMS-LTL property and ε ∈ R≥0 then
the ε-Weaker-ϕ, Wε (ϕ), is recursively defined as follows.
— Wε ( p) = p, and Wε (¬ p) = ¬ p.
— Wε (E) = E, and Wε (¬E) = ¬E.
— Wε (ϕ1 ∧ ϕ2 ) = Wε (ϕ1 ) ∧ Wε (ϕ2 ).
— Wε (ϕ1 ∨ ϕ2 ) = Wε (ϕ1 ) ∨ Wε (ϕ2 ).
— Wε (ϕ1 U I ϕ2 ) = Wε (ϕ1 )U I⊕ε Wε (ϕ2 ).
— Wε (ϕ1 R I ϕ2 ) = Wε (ϕ1 )R Iε Wε (ϕ2 ).
Here p is a proposition, and E is an event.
The real-time property preservation rules for weakened and strengthened MITL
properties have been discussed in Huang et al. [2003]. In this subsection we discuss
the accuracy of assertion monitoring under ε amount of tolerance in the A(ϕ)-accurate
sampling function. An ε amount of tolerance in a A(ϕ)-accurate sampling function, T,
implies T can detect truth change of each p ∈ A(ϕ) with a tolerance of ±ε.
T HEOREM 6.3. If T is a A(ϕ)-accurate sampling function with ε tolerance, and S

is
the sampled trace corresponding to S then satisfaction of Rε (ϕ) on S
implies satisfaction
of ϕ on S.
P ROOF. Proof is straightforward by using induction on the structure of ϕ.
T HEOREM 6.4. If T is a A(ϕ)-accurate sampling function with ε tolerance, and S
is the sampled trace corresponding to S then failure of Wε (ϕ) on S

implies failure of ϕ
over trace S.
P ROOF. Proof is straightforward by using induction on the structure of ϕ.
6.1. An Approximate A(ϕ)-Accurate Sampler

Suppose X is a set of continuous variables, and f (X ) ≥ 0 is a PORV with linear predi-
cate mapping f : Rn → R. Since f is linear, we take f (X ) = M.X + c, where M ∈ Rn,
and c ∈ R such that M = [m1 m2 ... mn], ∀i mi ∈ R. For simplicity, we restrict our
discussion to PORVs of the form f (X ) > 0. We assume the following constraint over X
so as to ensure continuity of the signal with a finite number of bounded discontinuities.
A SSUMPTION 1. If K 1 and K 2 are vectors of nonnegative real numbers such that

K 1 = [a1 a2 ... an]T , and K 2 = [b 1 b 2 ... b n]T , then
∀ t1 , t2 > 0, |X (t2 ) − X (t1 )| < K 1 + K 2 |t2 − t1 |,
where ∀i, ai, b i ≥ 0.
Assumption 1 is basically a relaxed form of Lipschitz continuity to allows signals

with piecewise Lipschitz continuity and a number of bounded discontinuities, along
with Lipschitz continuous signals. Constants like K 1 , K 2 may be modeled from prior
knowledge about the design under verification. However, such constants are not known
a priori for an arbitrary execution trace. It may be an interesting research direction to
learn, and make use of these constants on-the-fly from a simulation trace.
T HEOREM 6.5. Based on PORV f (X ) > 0, the next sampling point from t = t1 can be
scheduled at t = t2 = t1 + (| f (X (t1 ))| − ε − α)/β without missing any change of the truth
of f (X ) > 0, where α = |M|.K 1 , β = |M|.K 2 and ε is the tolerance at which the PORV,
f (X ) > 0 changes its truth.
P ROOF. At sampling time t1 , f (X ) has the value f (X (t1 )) and we want to calculate
the next sampling time t2 > t1 such that the analog predicate (f (X ) > 0) just changes
its value with a tolerance of ε. That is, we want to calculate t2 such that | f (X (t2 ))| < ε,
provided that | f (X (t1 ))| > ε. Now
| f (X (t2 )) − f (X (t1 ))| = |M.(X (t2 ) − X (t1 ))|

= |m1 .(x1 (t1 ) − x1 (t2 )) + m2 .(x2 (t1 ) − x2 (t2 )) +
.... + mn.(xn(t1 ) − xn(t2 ))|
≤ |m1 |.|x1 (t1 ) − x1 (t2 )| + |m2 |.|x2 (t1 ) − x2 (t2 )| +
.... + |mn|.|xn(t1 ) − xn(t2 )|
= |M|.|(X (t2 ) − X (t1 ))|
= |M|.K 1 + |M|.K 2 .|t2 − t1 |
= α + β|t2 − t1 |.
Fig. 4. Signal.
Thus, we get | f (X (t2 )) − f (X (t1 ))| ≤ α + β(t2 − t1 ), and we have || f (X (t2 ))| −
| f (X (t1 ))|| ≤ | f (X (t2 )) − f (X (t1 ))|. Combining, we get
|| f (X (t2 ))| − | f (X (t1 ))|| ≤ α + β(t2 − t1 )
−α − β(t2 − t1 ) ≤ | f (X (t2 ))| − | f (X (t1 ))| ≤ α + β(t2 − t1 ).
Simplifying, we get
t2 − t1 ≥ (| f (X (t1 ))| − | f (X (t2 ))| − α)/β.
Since at t2 we want | f (X (t2 ))| < ε, we get t2 > t1 + (| f (X (t1 ))| − ε − α)/β. After this
amount of time the function value can fall below the tolerance, thus the predicate can
toggle its value. Thus we do not need any sampling point before t2 and we can have a
sampling point at t2 . Thus we estimate the next sampling point, based on the PORVs
involving ϕ, to be t2 = t1 + (| f (X (t1 ))| − ε − α)/β.
To demonstrate this consider the following example.
Example 6.6. Suppose the signal is given as in Figure 4 and the equation of the 1st
rising portion is y(t) = (2t − 2)/7. We are at t1 = 2 for kth sample (say) and want to
estimate next sampling point based on the PORV y(t) > 1.2. Suppose tolerance ε = 0.
We see that f (X (t)) = (y(t)−1.2), K 1 = [0], K 2 = [2/7], and M = [1]. So α = 0 and β = 2/7.
Thus, we calculate the next sampling point at t2 = 2 + (|(2 × 2 − 2)/7 − 1.2|)/(2/7) = 5.2
and we see that the actual cross event @+ (y(t) > 1.2) occurs at t = 5.2.
7. TOOL FLOW AND EXPERIMENTAL RESULTS

In this section, we outline the tool flow developed for monitoring AMS-LTL L properties
during simulation. We also describe how Verilog-AMS language features are lever-
aged to establish the communication between our tool and standard AMS simulators.
We present experimental results to demonstrate the trade-off between the accuracy
of evaluating cross events and the overhead of the assertion checker on simulation
performance.
Figure 5 shows the overall tool flow. The PORVs within an assertion are extracted
by the tool and monitors for these are automatically synthesized in Verilog-AMS. The
outputs of these monitors are read by the assertion checker through a Verilog Proce-
dural Interface (VPI), which is a standard supported by AMS simulation tools.
Fig. 5. AMS assertion checking tool flow.
We now explain the construction of monitors for PORVs. For each PORV, say
(V(out) > 1.8), our tool automatically generates a Verilog-AMS monitor, such as
follows.
initial begin
PORV 1 = (V(out)>1.8) ? 1 : 0;
end
always@(cross(V(out)-1.8, 0, 1.0e-12, 1.0e-6)) begin
PORV 1 = (V(out)>1.8) ? 1 : 0;
end
The monitor defines a cross event, which is supported in Verilog-AMS. The second ar-
gument of the cross event defines the direction of cross, the third and fourth arguments
define the time tolerance and value tolerance, respectively. In order to make sure that
the property checker is invoked when a cross event takes place, we use the Verilog
Procedural Interface (VPI) as follows. In the testbench we add the following directive.
always (PORV 1) begin
$my checker( <list of arguments> );
end
This tells the simulator that the user-defined system call, my checker( <list of
arguments> ) must be made whenever the cross event PORV 1, occurs. When this
system call is made, we would like it to invoke our AMS-LTL L checker function, say
CheckerRoutineInC( <list of arguments> ), with the relevant arguments, including
the current simulation time. This is implemented through the following interface
definition.
$my checker call=CheckerRoutineInC
Table II. Descriptions of the Test Cases in Table III

Test No. of No. of No. of No. of
Cases Nodes Transistors Capacitors Resistors
I: LDO 1436 336 861 1270
II: Buck 1853 2455 350 501
III: PMU 7555 3799 3794 5581
IV: Clock Generation Unit 1579 32970 2516 52
The C function CheckerRoutineInC( <list of arguments> ) can access the values

of the signals through the VPI function vpi get value().
Therefore, in summary, the definition of cross events directs the simulator to eval-
uate the cross events with specified accuracy, ε, thereby ensuring that the sampling
function is accurate with ε tolerance. When a specified crossing takes place, the corre-
sponding system call (as defined by us) is made, resulting in the invocation of the prop-
erty checker routine (which is written in C). The checker routine reads the values of
the signals through VPI functions and applies the algorithm for property monitoring.
We now outline the way in which local variables are handled. The syntax of AMS-
LTL L ensures that local variables are assigned before their values are used in any
PORV. Therefore the initial values of each local variable, xl , in a monitor can be any-
thing. Properties with local variables are either of the form: (E, xl ← z) ∧ ϕ, or of the
form (E, xl ← z) ⇒ ϕ. In both forms, the properties are triggered with an event, E.
The event E may be a cross event, or a posedge/negedge of a Boolean. When the event
E takes place, our checker routine is invoked as described before, and when this hap-
pens, the checker routine uses VPI functions to read the value of signal z and records
it in a data structure for the local variable xl . As the value of an instance of the local
variable, xl , is recorded, and we update (through VPI) the monitors for those PORVs
in ϕ that involve xl . For overlapping matches of the property (with possibly different
valuations of xl ) we use separate PORV monitors. From an efficiency perspective, in
order to prevent arbitrary crossings before xl is recorded for the first time, we initialize
each xl to abnormally high values at the beginning of simulation.
In the approach described so far, we force the simulator to use a sampling function
which is A(ϕ)-accurate with ε tolerance by specifying the cross events in the monitors
for the PORVs of ϕ with a ε tolerance. In order to detect a cross event with a tolerance
of ε, the simulator may have to add additional sampling points through successive
approximations. This induces a nontrivial overhead on simulation performance. We
now present experimental results to demonstrate the trade-off between simulation
performance and accuracy of cross evaluation.
The results are distributed into two types. It is anticipated that AMS-LTL proper-
ties will be used during netlist simulation as well as during simulation of behavioral
models. Since the overhead in these two types can be quite different, we present re-
sults on behavioral models and netlists separately.
All the test cases used in our experiments are circuits and models from the industry.
Table II reports the size of the circuits used as test cases in our experimentation. Test
Case I and Test Case II are the same test cases described in Mukherjee et al. [2011],
whereas for Test Case III, namely the PMU, a broad architectural view and an asser-
tion suite having 31 properties (having more than 70 PORVs in total) can be found
in Mukherjee and Dasgupta [2011]. Test Case IV is a clock generation unit that con-
tains a voltage regulator, three oscillators, digital calibration logic, and analog testing
infrastructure. The three oscillators are intended for different applications. There is
a high-speed (several MHz), high-accuracy oscillator intended to operate in full power
modes. There is a low-speed (kHz), high-accuracy oscillator that can run in full- or
Table III. CPU Time for Simulating Designs with Checker for Circuit Netlists
Tolerance of Simulation Periodic CPU Time for
Cross Evaluation Time Checker Simulation (sec)
Time Value (sec) (YES/NO) without only Cross with
(sec) (V) Frequency Checker Events Checker
Test Case I: LDO
1e-9 1e-6 3e-3 NO 7.24 9.95 10.11
1e-6 1e-4 3e-3 NO ” 9.64 10.05
1e-4 1e-3 3e-3 NO ” 9.63 9.79
- - 3e-3 100MHz ” - 39.06
- - 3e-3 10MHz ” - 35.48
Test Case II: Buck
1e-9 1e-6 500e-6 NO 120.6e3 145.5e3 145.9e3
1e-6 1e-4 500e-6 NO ” 144.0e3 144.9e3
1e-4 1e-3 500e-6 NO ” 143.6e3 144.0e3
- - 500e-6 100MHz ” - 159.9e3
- - 500e-6 10MHz ” - 148.4e3
Test Case III: PMU
1e-9 1e-6 600e-6 NO 144.4e3 146.9e3 168.5e3
1e-6 1e-4 600e-6 NO ” 146.6e3 168.1e3
1e-4 1e-3 600e-6 NO ” 145.9e3 166.5e3
- - 600e-6 100MHz ” - 178.4e3
- - 600e-6 10MHz ” - 162.2e3
Test Case IV: Clock Generation Unit
1e-9 1e-6 50e-6 NO 16.52e3 16.84e3 16.65e3
1e-6 1e-4 50e-6 NO ” 16.69e3 16.72e3
1e-4 1e-3 50e-6 NO ” 16.69e3 16.93e3
- - 50e-6 100MHz ” - 17.56e3
- - 50e-6 10MHz ” - 16.80e3
low-power modes (low-power mode may result in decreased accuracy). Finally, there
is a medium-speed (MHz), low-accuracy oscillator intended to run in low-power mode.
All oscillators can be tuned to a range of different frequencies. The circuit voltage reg-
ulator is used to provide a highly accurate voltage source for the oscillators. There are
several test modes available for use in testing and calibration of the analog circuits.
Table III and Table IV present our experimental results. We vary the time and
value tolerances for the cross events and note the runtime of the simulator in three
different settings, namely: (a) when the simulator is run without PORV monitors as
well as the assertion checker, (b) when the simulator is run with the PORV monitors,
but without the assertion checker, and (c) when the simulator is run with the assertion
checker and PORV monitors. Column 5, 6, and 7 of Table III and Table IV report these
three scenarios respectively. For each test case, the first three rows report simulation
overhead results with different time and value tolerances, whereas the last two rows
report simulation times with periodic checkers, that is, the checkers are synchronized
at periodic clock boundaries of specified frequencies (similar to Mukhopadhyay et al.
[2009]). All simulations were carried out with Cadence AMS simulator on a 2.33 GHz
Intel-Xeon server with 32GB RAM with the exception of IV which was carried out on
a 2.2 GHz AMD Opteron with 2GB RAM.
Table IV. CPU Time for Simulating Designs with Checker for Behavioral Models
Tolerance of Simulation Periodic CPU Time for
Cross Evaluation Time Checker Simulation (sec)
Time Value (sec) (YES/NO) without only Cross with
(sec) (V) Frequency Checker Events Checker
Test Case V: LDO
1e-9 1e-6 3e-3 NO 1.61 4.17 4.36
1e-6 1e-4 3e-3 NO ” 4.04 4.19
1e-4 1e-3 3e-3 NO ” 4.03 4.16
- - 3e-3 100MHz ” - 230.54
- - 3e-3 10MHz ” - 26.634
Test Case VI: Buck
1e-9 1e-6 500e-6 NO 19.71 44.81 48.82
1e-6 1e-4 500e-6 NO ” 42.55 46.31
1e-4 1e-3 500e-6 NO ” 40.25 43.72
- - 500e-6 100MHz ” - 80.88
- - 500e-6 10MHz ” - 57.52
Test Case VII: PLL
1e-9 1e-6 2.5e-3 NO 77.27 88.71 134.34
1e-6 1e-4 2.5e-3 NO ” 88.23 134.18
1e-4 1e-3 2.5e-3 NO ” 88.11 134.14
- - 2.5e-3 100MHz ” - 232.56
- - 2.5e-3 10MHz ” - 183.15
Test Case VIII: Clock Generation Unit
1e-9 1e-6 105e-6 NO 1.09 1.60 1.60
1e-6 1e-4 105e-6 NO ” 1.58 1.60
1e-4 1e-3 105e-6 NO ” 1.56 1.57
- - 105e-6 100MHz ” - 8.68
- - 105e-6 10MHz ” - 2.48
It may be noticed that the overhead due to the additional cross events and property
checker is more pronounced in case of lightweight behavioral models as compared to
transistor-level circuit netlists. Simulation performance degrades with higher preci-
sions (lower tolerances) of the cross events, however, this degradation is marginal. We
further notice that in most cases the simulation overhead is primarily due to the cross
events, however, in some cases (for example Test Case VII) overhead of the assertion
checker is also significant primarily due to a longer trace, and more occurrences of
threshold crossings of the signals of interests, leading to larger size for the lists con-
taining the truth of the ground literals, hence resulting in longer time for evaluating
the truth of the assertions. In other words, a greater number of threshold crossings
increase-memory usage (as the number of intervals to be stored so as to describe the
truth of a proposition is proportional to the number of threshold crossings for that
proposition), and leads to longer computation time. Further, we notice that the results
corresponding to the periodic checkers indicate that synchronizing assertion evalua-
tion at periodic clock boundaries is even costlier in terms of performance degradation;
moreover this approach does not guarantee correctness either, as explained earlier.
8. CONCLUSIONS
This article attempts to answer some of the open questions on developing languages
for AMS assertions and checking them using a checker linked with AMS simulators. In
this article we have analyzed different variants of AMS assertion languages and have
presented complexity results to demonstrate the trade-off between expressibility and
complexity for these languages. We have shown that in the AMS domain, expressibility
comes with a significant price in terms of computational complexity.
We have presented an algorithm and a tool flow based on the algorithm that per-
forms dense real-time monitoring of AMS assertions over simulation. We have at-
tempted to answer an important question, namely, how much does AMS assertion
checking affect the underlying AMS simulation? We have shown that in order to eval-
uate the truth of AMS assertions with acceptable degree of confidence, the AMS as-
sertion checker must demand closer monitoring of certain events from the underlying
AMS simulator. It is possible for the assertion checker to identify such events a priori
and specify appropriate primitives for synchronization with the AMS simulator. How-
ever, our experiments also demonstrate that monitoring such events with the desired
level of accuracy adds a nontrivial overhead over AMS simulation in terms of simu-
lation time, though it is significantly more preferable than increasing the granularity
of simulation sampling uniformly without assistance from the assertion checker. We
believe that this study will be of considerable practical value to developers of future
CAD tools for AMS assertion checking.
REFERENCES
A LUR , R. AND H ENZINGER , T. A. 1990. Real-Time logics: Complexity and expressiveness. Inf. Comput. 104,
390–401.
A LUR , R. AND H ENZINGER , T. A. 1994. A really temporal logic. J. ACM 41, 1, 181–203.
A LUR , R., F EDER , T., AND H ENZINGER , T. A. 1991. The benefits of relaxing punctuality. J. ACM 43, 1,
116–146.
B USTAN, D. AND H AVLICEK , J. 2006. Some complexity results for systemverilog assertions. In Proceedings
of the Conference Computer Aided Verification. Springer. vol. 4144.
D ASGUPTA , P. 2006. A Roadmap for Formal Property Verification. Springer.
D ASTIDAR , T. R. AND C HAKRABARTI , P. P. 2008. A verification system for transient response of analog
circuits. ACM Trans. Des. Autom. Electron. Syst. 12, 31:1–31:39.
DE LA B ANDA , M. G., S TUCKEY, P. J., AND WAZNY, J. 2003. Finding all minimal unsatisfiable subsets. In
Proceedings of the 5th ACM SIGPLAN Conference on Principles and Practice of Declaritive Prog (PPDP).
32–43.
FAINEKOS, G. E. AND PAPPAS, G. J. 2009. Robustness of temporal logic specifications for continuous-time
signals. Theor. Comput. Sci. 410, 42, 4262–4291.
H UANG, J., V OETEN, J., AND G EILEN, M. 2003. Real-Time property preservation in approximations of
timed systems. In Proceedings of the 1st ACM and IEEE International Conference on Formal Methods
and Models for Co-Design. IEEE Computer Society, 163.
IEEE S TD 1800-2009. 2010. IEEE standard for system verilog: Unified hardware design, specifica-
tion and verification language. http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=5354441&url=
http%3A%2Fieeexplore.ieee.org%2Fxpls%2Fabs all.jsp%3Farnumber%3D5354441.
IEEE S TD 1850-2010. 2010. IEEE standard for property Specification language (PSL).
http://standards.ieee.org/findstds/standard/1850-2010.html.
J ESSER , A., L ÄMMERMANN, S., PACHOLIK , A., W EISS, R., R UF, J., F ENGLER , W., H EDRICH , L., K ROPF, T.,
AND R OSENSTIEL , W. 2007. Analog simulation meets digital verification - A formal assertion approach
for mixed-signal verification. In Proceedings of the 14th Workshop on Synthesis and System Integration
of Mixed Information Technologies. 507–514.
L I , G. AND T ANG, Z. 2003. Translating a continuous-time temporal logic into timed automata. In Proceed-
ings of the Asian Symposium on Programming Languages and Systems. 322–338.
M ALER , O. AND N ICKOVIC, D. 2004. Monitoring temporal properties of continuous signals. In Proceedings of
the International Conference on Formal Modelling and Analysis of Timed Systems (FORMATS). Lecture
Notes in Computer Science, vol. 3253. Springer, 152–166.
M ALER , O., N ICKOVIC, D., AND P NUELI , A. 2005. Real time temporal logic: Past, present, future. In
Proceedings of the International Conference on Formal Modelling and Analysis of Timed Systems
(FORMATS).
M ALER , O., N ICKOVIC, D., AND P NUELI , A. 2008. Checking temporal properties of discrete, timed and
continuous behaviors. In Pillars of Computer Science, 475–505.
M ARKEY, N. AND R ASKIN, J.-F. 2006. Model checking restricted sets of timed paths. Theor. Comput. Sci.
358, 2, 273–292.
M UKHERJEE , S. AND D ASGUPTA , P. 2011. AMS-LTL properties: Samples from industrial test cases.
http://www.facweb.iithgp.ernet.in/∼pallab/PMU.pdf.
M UKHERJEE , S., D ASGUPTA , P., AND M UKHOPADHYAY, S. 2011. Auxiliary specifications for context-
sensitive monitoring of ams assertions. IEEE Trans. Comput.-Aid. Des. Integr. Circ. Syst. 30, 10,
1446–1457.
M UKHOPADHYAY, R., PANDA , S. K., D ASGUPTA , P., AND G OUGH , J. 2009. Instrumenting ams assertion
verification on commercial platforms. ACM Trans. Des. Autom. Electron. Syst. 14.
N ICKOVIC, D. 2008. Checking timed and hybrid properties: Theory and applications. Ph.D. thesis, Univer-
sity Joseph Fourier Grenoble 1.
N ICKOVIC, D. AND M ALER , O. 2007. Amt: A property-based monitoring tool for analog systems. In Proceed-
ings of the International Conference on Formal Modeling and Analysis of Timed Systems (FORMATS).
304–319.
P NUELI , A. 1977. The temporal logic of programs. In Proceedings of the Symposium on Foundations of
Computer Science (FOCS). 46–57.
S TEINHORST, S. AND H EDRICH , L. 2008. Model checking of analog systems using an analog specification
language. In Proceedings of the Conference on Design, Automation and Test in Europe. ACM, New York,
324–329.
S UNDARARAJAN, D. 2003. Digital Signal Processing: Theory and Practice. World Scientific.
V ERILOG -AMS. 2010. Verilog-AMS language reference manual. www.eda.org/verilog-ams/.
W EEMS, B. P. 1989. Operations on sets of intervals - An exercise for data structures or algorithms. SIGCSE
Bull. 21, 1, 174–176.
YAN, J., Z HANG, J., AND X U, Z. 2006. Finding relations among linear constraints. In Proceedings of the 8th
International Conference on Artificial Intelligence and Symbolic Computation. 226–240.
Received December 2010; revised April 2012; accepted June 2012

Synchronizing AMS Assertions With AMS Simulation

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Synchronizing AMS Assertions With AMS Simulation

Uploaded by

Copyright:

Available Formats

Synchronizing AMS Assertions with AMS Simulation:

From Theory to Practice

SUBHANKAR MUKHERJEE, PALLAB DASGUPTA,

2. BACKGROUND AND RELATED WORK

2.1. Signal Temporal Logic (STL): Brief Outline

—τ ϕ1 U I ϕ2 iff for some t ∈ I, τ t ϕ2 , and for all t

2.2. Monitoring STL over Finite Simulation Traces

Fig. 1. Evaluation of truth for an STL formula.

Similarly, the true intervals of ϕ1 U I ϕ2 are computed as follows.

Here I is nonempty, and I  [a, b ] is defined as

3. AMS-LTL: SYNTAX, SEMANTICS AND COMPLEXITY

Definition 3.2 (Semantics of AMS-LTL). For an AMS-LTL formula ϕ and a timed

— τ t @+ (b ), iff t > 0, and ∃Ii such that l(Ii) = t, ∀t

3.1. Decidability of AMS-LTL

T HEOREM 3.10. The satisfiability problem of AMS-LTL is EXPSPACE-complete.

4. AMS-LTLL : AMS-LTL WITH LOCAL VARIABLES

(@+ ( vin < 3.2 ), y ← vout) ⇒ F[0,1.5] ( vout < y )

Definition 4.1. (AMS-LTL L : Syntax). An AMS-LTL L subformula ϕl involving single

4.1. Decidability of AMS-LTLL

Table I. Extended Logics and their Complexity

If ϕ M is constructed by taking conjunctions of all these n + 2 formulas, that is, ϕ M ≡

5. PROPERTY MONITORING OVER SIMULATION

5.1. Algorithm for Dynamic Monitoring

, S), then ∃k such that T(k) = t.

Fig. 2. Signals with sampling function for Example 5.4.

to be A(ϕ)-accurate. In practice it is not possible to force the simulator to be A(ϕ)-

T HEOREM 6.3. If T is a A(ϕ)-accurate sampling function with ε tolerance, and S

is the sampled trace corresponding to S then failure of Wε (ϕ) on S

6.1. An Approximate A(ϕ)-Accurate Sampler

A SSUMPTION 1. If K 1 and K 2 are vectors of nonnegative real numbers such that

Assumption 1 is basically a relaxed form of Lipschitz continuity to allows signals

| f (X (t2 )) − f (X (t1 ))| = |M.(X (t2 ) − X (t1 ))|

|| f (X (t2 ))| − | f (X (t1 ))|| ≤ α + β(t2 − t1 )

−α − β(t2 − t1 ) ≤ | f (X (t2 ))| − | f (X (t1 ))| ≤ α + β(t2 − t1 ).

t2 − t1 ≥ (| f (X (t1 ))| − | f (X (t2 ))| − α)/β.

7. TOOL FLOW AND EXPERIMENTAL RESULTS

Fig. 5. AMS assertion checking tool flow.

Table II. Descriptions of the Test Cases in Table III

The C function CheckerRoutineInC( <list of arguments> ) can access the values

Received December 2010; revised April 2012; accepted June 2012

You might also like

Here I is nonempty, and I [a, b ] is defined as