verifying global convergence for a digital phase …yanpeng/talks/fmcad2013.pdfverifying global...
TRANSCRIPT
Verifying Global Convergence for aDigital Phase-Locked Loop
Jijie Wei & Yan Peng & Mark Greenstreet & Grace Yu
University of British ColumbiaVancouver, Canada
October 22, 2013
Wei & Peng & Greenstreet & Yu (UBC) Verifying a Digital PLL FMCAD (Oct. 22, 2013) 1 / 18
Outline
Verifying global convergence of a state-of-the-art digital PLL.P Phase-Locked Loop (PLL) introduction
Verification as a hybrid automata reachability problemVerification as a SMT problemConclusion
Wei & Peng & Greenstreet & Yu (UBC) Verifying a Digital PLL FMCAD (Oct. 22, 2013) 2 / 18
PLL: Block Diagram
Phase Detector
Loop Filter
Voltage Controlled Oscillator
Divide by N Counter
Reference Clock
Output Clock
A PLL is a feedback control system that, given an input referenceclock, it outputs a clock at a frequency that’s N times of the inputclock frequency and aligned with the reference in phase.
PLLs are ubiquitous in analog and mixed-signal designs. E.g.frequency multiplication for clock-acquisition in high-speed links,modulators and demodulators for wireless communication.
Wei & Peng & Greenstreet & Yu (UBC) Verifying a Digital PLL FMCAD (Oct. 22, 2013) 3 / 18
PLL: Global Convergence
PLL
Dynamical System
Analog
Always Lock
Digital
Continuous Model
Global Convergence
Recurrence Model
The most essential function of a PLL is to lock at the right phaseand frequency. The more quickly a PLL locks the better.Showing convergence from a single initial state requires very longsimulation runs – this is intractable for many designs.Global convergence requires that the PLL locks from all initialstates. This needs a formal approach.
Wei & Peng & Greenstreet & Yu (UBC) Verifying a Digital PLL FMCAD (Oct. 22, 2013) 4 / 18
A State-of-the-Art Digital PLL (from CICC 2010)[CNA10]
∆Σ
0:7
DCO
4:7BBPFD
0:23
0:14
15:23LPF
DCO
+
− dnup
∆θ
cvPFD
Fref
Fref
Σ0:7
0:3
FDCO
Fref
Σ DAC −+
Cdecap
F
−(
Centercode
)
÷N
DCO has three control inputs:capacitance setting (digital), supply voltage (linear), phasecorrection (time-difference of digital transitions).Uses linear and bang-bang PFD.Integrators are digital.LPF and decap to improve power-supply rejection.It is impractical to verify global convergence using simulation.
Wei & Peng & Greenstreet & Yu (UBC) Verifying a Digital PLL FMCAD (Oct. 22, 2013) 5 / 18
Verification Outline
SMT
Digital PLL
Hybrid Automata
ReachabilitySpaceEx
Lyapunov Z3
GlobalConvergence
Z3->Out of time
SpaceEx->Over approximation
Non-linear Term
Simplification
Oscillation Avoidance
Model
Fixed parameterParameter interval
+ error term
+ errorterm
t
f(t) ��the digital accumulator � approximation by an integral
Wei & Peng & Greenstreet & Yu (UBC) Verifying a Digital PLL FMCAD (Oct. 22, 2013) 6 / 18
Outline
Verifying global convergence of a state-of-the-art digital PLL.◦ Phase-Locked Loop(PLL) introductionP Verification as a hybrid automata reachability problem
I Digital PLL overviewI Modelling as a product hybrid automatonI Verifying the digital PLL in three phasesI Modelling and Verifying the reset delay
Verification as a SMT problemConclusion
Wei & Peng & Greenstreet & Yu (UBC) Verifying a Digital PLL FMCAD (Oct. 22, 2013) 7 / 18
Hybrid Automata Approach
. . .
. . .
. . .
. . .
mode 2
mode 3
mode 1 mode mode
2
1 3
Corresponding Piecewise ModelA Hybrid Automaton
mode
x = f1(x)I1(x)
x = f3(x)I3(x)
x = f2(x)I2(x)
g1→2
g1→3
g2→···
g2→···
g3→···
g3→···
Each mode has its own continuous dynamics: x = fm(x).Each mode has an invariant, Im. The automaton must transitionto another mode before Im is violated.Transitions are guarded by conditions on the continuous state.
Wei & Peng & Greenstreet & Yu (UBC) Verifying a Digital PLL FMCAD (Oct. 22, 2013) 8 / 18
Hybrid Automata product
c sat low
f_dco < f_ref
f_dco > f_fref
c sat high
phase sat
c sat low
c sat high
c sat lowv sat low
c sat highv sat low
c sat lowv sat high
c sat highv sat high
Hybrid Automata product of BBPFD and PFD Hybrid Automata product of DCO
DCO is linearized and vctrl is divided into 7 overlapping intervals.vctrl has saturation modes, so 3 modes for each vctrl .Because of the BBPFD, C has 4 modes: up, down, saturated lowand saturated high.PFD: 1 mode, with self-loopProduct automaton has 84 modes.
Wei & Peng & Greenstreet & Yu (UBC) Verifying a Digital PLL FMCAD (Oct. 22, 2013) 9 / 18
Difficulty
C VS time Ph_diff VS time
BBPFD causes limit-cycle oscillations which create thousands oftransitions on path to convergence.SpaceEx[FLGD+11] uses a support function representation thatintroduces large over-approximations on mode changes⇒false-negatives.
Wei & Peng & Greenstreet & Yu (UBC) Verifying a Digital PLL FMCAD (Oct. 22, 2013) 10 / 18
Verification Strategy
v
c
v=
v min
v=
v max
c = cmax
c = cmin
Identify the phases the digital PLL goes through when locking.Phase 1: Large frequency difference – C heads to limit and saturates.Phase 2: Large frequency difference, C-saturated, the linear phase
path acquires frequency lock.Phase 3: ∆θ changes sign – C and vctrl converge to phase and
frequency lock.
Wei & Peng & Greenstreet & Yu (UBC) Verifying a Digital PLL FMCAD (Oct. 22, 2013) 11 / 18
Phase 3: avoiding mode transitions
C leaves its saturation modemake a change of variables, let
w = fdco − ffref
the convergence of w is strong enough thatSpaceEx shows convergence, even with itsover-approximations for mode transitions.SpaceEx shows that the reachable regionof w shrinksGiven the invariant that w will shrinkasymptotically, convergence of vctrl can beobtained
Wei & Peng & Greenstreet & Yu (UBC) Verifying a Digital PLL FMCAD (Oct. 22, 2013) 12 / 18
Outline
Verifying global convergence of a state-of-the-art digital PLL.◦ Phase-Locked Loop(PLL) introduction◦ Verification as a hybrid automata reachability problemP Verification as a SMT problem
I Verifying a simplified model with Lyapunov functionsI Improved model with quantization error and parameter
rangesConclusion
Wei & Peng & Greenstreet & Yu (UBC) Verifying a Digital PLL FMCAD (Oct. 22, 2013) 13 / 18
Lyapunov Function
vc
A Lyapunov function defines a potential for the system.I If this potential is always positive and decreasing outside of
the target region, then the system will eventually reach thetarget.
I A Lyapunov function is the continuous counterpart of aranking function for discrete progress arguments.
A simple function for linear ODEs: x = Ax :
Wei & Peng & Greenstreet & Yu (UBC) Verifying a Digital PLL FMCAD (Oct. 22, 2013) 14 / 18
Lyapunov Function
vc
A Lyapunov function is the continuous counterpart of a rankingfunction.A simple function for linear ODEs: x = Ax :I Let P be the solution of AT P + PA = −I. A possible Lyapunov
function becomes Ψ(x) = X T PX .I By construction, P is symmetric.I If P is positive definite, then the system x = Ax globally
converges to x = 0Wei & Peng & Greenstreet & Yu (UBC) Verifying a Digital PLL FMCAD (Oct. 22, 2013) 14 / 18
Verifying a Simplified Nonlinear Model using Z3[DMB08]
entire process.
Strong candidate for automation
using symbolic/programatic differentiation
This step guarantees soundness of the
Linearize
(manual)
Construct
Lyapunov Fn (Z3)
Verify LyapunovConditions
Point (Z3)
Find Equilibrium
Z3 easily proves global convergence.Fixed procedure: promising for automation.
Wei & Peng & Greenstreet & Yu (UBC) Verifying a Digital PLL FMCAD (Oct. 22, 2013) 15 / 18
Improving the Model
Z3 easily proves the simple system (just shown)We added details to the model to make it more realisticI Parameters with rangesI Quantization error: we approximate discrete sums in the real
digital PLL with integralsI Both ranges and quantization
In all of these, Z3 would run longer than we had patienceSolution: manually simplify terms in the proposed LyapunovfunctionThe approach remains sound because Z3 checks the Lyapunovconditions, it doesn’t matter how we came up with the Lyapunovfunction.
Wei & Peng & Greenstreet & Yu (UBC) Verifying a Digital PLL FMCAD (Oct. 22, 2013) 16 / 18
Adjust the Proof in Z3
Parameters with ranges:Inequality ranges for parameters α ∈ 1± 0.2, β ∈ 1± 0.2,v0 ∈ 1± 0.2 and c0 ∈ 1± 0.2.
Strategy: Check where the parameters are used, try simplifynon-linear part. e.g. we replace some of the parameters in theJacobian matrix with its nominal value.
Example:Simplifying an element of the Jacobian matrix:
g1αc0+βccode
→ g1c0+βccode
The approximation is based on the observation that α ∈ 1± 0.2.
Z3 happily proved the conditions, again.
Wei & Peng & Greenstreet & Yu (UBC) Verifying a Digital PLL FMCAD (Oct. 22, 2013) 17 / 18
Adjust the Proof in Z3
Adding quantization error:Need to show: ∀x ∈ QT −Q0 and ∀η ∈ Err , f (x + η)T Px < 0,where f is nonlinear. This creates nonlinear terms for thecomponents of η.
Strategy: Choose any y = x + η and any η ∈ Err . If y + η ∈ Q0 −QT ,then need to show f (y)T P(y + η) < 0
vc
Wei & Peng & Greenstreet & Yu (UBC) Verifying a Digital PLL FMCAD (Oct. 22, 2013) 17 / 18
Conclusion and Future Work
We verified global convergence for a state-of-the-art, digitalphase locked loop (PLL) using piecewise linear differentialinclusions with SpaceEx.Using a simplified model, we showed convergence wherespecifications for components are interval bounds using Z3.Future Work:I Provide bounds on lock time.I Complete models for low-pass filter and Delta-Sigma
modulator.I Examine other digital PLL architectures to assess the
reusability and automatability of this verification.I Component validation: formalize the connection between the
models used and those used in other phases of the analogand mixed-signal design process.
Wei & Peng & Greenstreet & Yu (UBC) Verifying a Digital PLL FMCAD (Oct. 22, 2013) 18 / 18
Conclusion and Future Work
We verified global convergence for a state-of-the-art, digitalphase locked loop (PLL) using piecewise linear differentialinclusions with SpaceEx.Using a simplified model, we showed convergence wherespecifications for components are interval bounds using Z3.Future Work:I Provide bounds on lock time.I Complete models for low-pass filter and Delta-Sigma
modulator.I Examine other digital PLL architectures to assess the
reusability and automatability of this verification.I Component validation: formalize the connection between the
models used and those used in other phases of the analogand mixed-signal design process.
Thank You!Wei & Peng & Greenstreet & Yu (UBC) Verifying a Digital PLL FMCAD (Oct. 22, 2013) 18 / 18
References
J. Crossley, E. Naviasky, and E. Alon, An energy-efficientring-oscillator digital pll, Custom Integrated Circuits Conference(CICC), 2010 IEEE, 2010, pp. 1–4.
Leonardo De Moura and Nikolaj Bjørner, Z3: an efficient smtsolver, Proceedings of the Theory and practice of software, 14thinternational conference on Tools and algorithms for theconstruction and analysis of systems (Berlin, Heidelberg),TACAS’08/ETAPS’08, Springer-Verlag, 2008, pp. 337–340.
Goran Frehse, Colas Le Guernic, Alexandre Donze, Scott Cotton,Rajarshi Ray, Olivier Lebeltel, Rodolfo Ripado, Antoine Girard,Thao Dang, and Oded Maler, Spaceex: scalable verification ofhybrid systems, Proceedings of the 23rd international conferenceon Computer aided verification (Berlin, Heidelberg), CAV’11,Springer-Verlag, 2011, pp. 379–395.
Wei & Peng & Greenstreet & Yu (UBC) Verifying a Digital PLL FMCAD (Oct. 22, 2013) 19 / 18
Appendix: the Simplified Continuous Nonlinear Model
The ODE model:
c = g1 · (fref − 1N
v0+αvc0+βc ) where c ∈ (cmin, cmax )
v = g2 · (c − ccode)
Note: c = 0 when c = cmin or c = cmax
Quantization error is included in later work.Linear phase path is simplified away for convenience.
Wei & Peng & Greenstreet & Yu (UBC) Verifying a Digital PLL FMCAD (Oct. 22, 2013) 20 / 18
Appendix: the Proposition
Formal definition of the proposition we introduced:
Proposition:Let Err denote quantization error and assume Err is symmetric around0: if η ∈ Err then −η ∈ Err as well. We can easily show:
∀x ∈ Q0 − QT .∀η ∈ Err .h(x + η)T Px < 0⇔
∀y ∈ (Q0 − QT )⊕ Err .∀η ∈ Err .(y + η ∈ Q0 − QT )⇒ (h(y)T P(y + η) < 0)
The Minkowski sum of two sets, A⊕ B, is the set of elements that can be obtained asthe sum of an element from A and an element from B:
A⊕ B = {z | ∃a ∈ A. ∃b ∈ B. z = a + b}
Wei & Peng & Greenstreet & Yu (UBC) Verifying a Digital PLL FMCAD (Oct. 22, 2013) 21 / 18
PLL: Verified digital PLL
DCO
BBPFD
0:23
0:14
15:23LPF
DCO
+
− dnup
∆θ
cvPFD
Fref
Fref
Σ0:7
0:3
4:7
∆Σ
FDCO
Fref
Σ DAC −+
Cdecap
F
−(
Centercode
)
÷N
We omitted the Delta-Sigma modulator, low-pass filter, and linearregulator for simplicity.We believe all of these could be included using the same methodsthat we’ve used for the rest of the digital PLL.
Wei & Peng & Greenstreet & Yu (UBC) Verifying a Digital PLL FMCAD (Oct. 22, 2013) 22 / 18
Modeling the DCO
2 4 6 8 100
0.5
1
1.5
2
2.5
3
3.5
load capacitance, c (pF)
DC
O f
req
ue
ncy,
f DC
O (
GH
z)
2 4 6 8 100
0.5
1
1.5
2
2.5
3
3.5
simulation datalinear fit for 1/f
DCO
0.4 0.5 0.6 0.7 0.8 0.9 1 1.1 1.20
0.5
1
1.5
2
2.5
3
3.5
operating voltage, v (volts)
DC
O f
req
ue
ncy,
f DC
O (
GH
z)
0.4 0.5 0.6 0.7 0.8 0.9 1 1.1 1.20
0.5
1
1.5
2
2.5
3
3.5
simulation data
linear fit
Simulation results (Spectre, 65nm, simple ring-oscillator) showDCO period is nearly linear in C.DCO frequency is linear in vctrl .Our model:
fDCO ∈ 1 + αvctrl
1 + βCf0 ⊕ errDCO
Wei & Peng & Greenstreet & Yu (UBC) Verifying a Digital PLL FMCAD (Oct. 22, 2013) 23 / 18
Reset Delay
R
Q D
R
D Q
UP DNΦref Φdco
Φref
Φdco
UP
DN
RESET
Because of reset delays, edges of Φref or Φdco maybe missed.I This can cause occasional flips in the sign of the
phase-detector output.Analytically, we derived a vctrl bound, [Vlo,Vhi ] that precludes suchsign flips.Our bound shows that such sign flips cannot occur for the designparameters of the CICC’10 PLL.
Wei & Peng & Greenstreet & Yu (UBC) Verifying a Digital PLL FMCAD (Oct. 22, 2013) 24 / 18
Reset Delay in Phase two
C
VV = V
min
V = V
max
C = Cmax
C = Cmin
In Phase two, the c signal could move from its saturation valuebecause of the spurious sign changes at the output of the PFD.We simulated the PFD in Spectre to measure the reset delay.SpaceEx verified that V will still make process even with thesespurious sign changes.
Wei & Peng & Greenstreet & Yu (UBC) Verifying a Digital PLL FMCAD (Oct. 22, 2013) 25 / 18
Appendix: Comparison
The hybrid-automatonapproach very closely followedthe structure of the digital PLL.I Seems likely to be more
intuitive for real-worlddesigners and verifiers.
I Verified the digital PLL fora specific choice of modelparameters.
I ”Feels” likemodel-checking.
I Manual decompositioninto lemmas required.
The SMT approach is moregeneral:I Handles some of the
non-linearities directly.I Verified the digital PLL
with model parameters ininterval ranges.
I ”Feels” like theoremproving.
Wei & Peng & Greenstreet & Yu (UBC) Verifying a Digital PLL FMCAD (Oct. 22, 2013) 26 / 18