IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS I, VOL. –, NO.

-, ——- 20– 1

Model Validation and Formal Verification of PWM

DC-DC Converters
Omar Ali Beg, Student Member, IEEE, Houssam Abbas, Member, IEEE, Taylor T. Johnson, Member, IEEE,
and Ali Davoudi, Senior Member, IEEE

Abstract—This paper presents hybrid automaton modeling, HSolver [16], d/dt [17], Flow* [18], and SpaceEx [19]–
comparative model validation, and formal verification of stability [21]. To effectively use such model checking tools, hybrid
through reachability analysis of PWM DC-DC converters. Con- automaton models of DC-DC converters are required [22].
formance degree provides a measure of closeness between the
proposed hybrid automaton models and experimental data. Non- Hybrid automaton modeling of DC-DC converters is presented
determinism due to variations in circuit parameters is modeled by the authors in [23]–[25], and others in [26]–[29]. However,
using interval matrices. In direct contrast to the unsound and [26]–[28] do not consider component losses/variations and the
computationally-intensive Monte Carlo simulation, reachability discontinuous conduction mode (DCM), and do not perform
analysis are introduced to overapproximate the set of reachable the reachability analysis. PHAVer in [30] computes the reach
states and ensure stable operation of PWM DC-DC converters.
Using a 200 W experimental prototype of a buck converter, sets for an open-loop boost converter, but does not include
hybrid automaton models of open-loop and hysteresis-controlled DCM or component losses. MATLAB/Ellipsoidal Toolbox is
converters are first validated against experimental data using used in [31] for the reachability analysis of DC-DC converters.
their conformance degrees. Next, converter stability is formally However, Ellipsoidal-based set computations suffer from the
verified through reachability analysis, and informally validated curse of dimensionality. SpaceEx (the successor of PHAVer)
using Monte Carlo simulations and experimental results.
scales quite efficiently, and is used as the reachability analysis
Index Terms—DC-DC converter, formal verification, hybrid tool in this paper. The main contributions of this paper are:
automaton, model validation, reachability analysis.

I. I NTRODUCTION • The hybrid automaton models for DC-DC convert-

ers are automatically generated, validated against
M ODELING and control of PWM DC-DC converters
require building an abstract model that reasonably
matches the experimental data obtained from a prototype, and
Simulink/Stateflow, PLECS simulations, and hardware
measurements, and verified using reachability analysis in
SpaceEx. These models include component nonidealities
ensuring converter’s proper operation despite parametric un-
and different operational modes.
certanity. Conventional analysis techniques involve simulation-
• The conformance degree of the hybrid automaton models
based Monte Carlo paradigms [1]–[5]. However, considering
validates these against the experimental data, by provid-
all possible parameter variations and initial conditions is com-
ing a proximity measure between executions/behaviors of
putationally prohibitive. The boundaries of state trajectories
these two in both time and space.
can be found from average-value models [6]–[9]. We use
• Non-determinism due to parametric variations is modeled
rigorous model validation paradigms [10] by employing the
using interval matrices, which results in a set-valued
conformance degree to quantify the closeness between the
additive input term in the system dynamics.
abstract model waveforms and experimental data [11]. Stable
• The reachability analysis achieves a fixed point where
converter operation is formally verified using the reachability
there are no other reach sets (i.e., the model output will
analysis. It overapproximates the set of all possible reachable
remain within reach sets as t → ∞). It is impossible to
states (i.e., the reach sets) from a given set of initial states and
get such success through Monte Carlo analysis.
parameter values. One can then confidently ascertain stable
converter operation if the reach sets remain within a desired
region of the state space for a given time span.
The remainder of this paper is organized as follows: hybrid
General reachability analysis tools include, but are not
automaton modeling is discussed in SECTION II. Application
limited to, HyTech [12], [13], PHAVer [14], UPPAAL [15],
of conformance degree for model validation is discussed
This work was supported in part by the National Science Foundation in SECTION III. SECTION IV uses interval analysis to
under the award number ECCS-1137354, in part by the U.S. Office of model the non-determinism caused by the parameter vari-
Naval Research under grant N00014-14-1-0718, in part by the Air Force ation. SpaceEx-based reachability analysis is discussed in
Research Laboratory under contract number FA 8750-13-2-0115, and in
part by the Air Force Office of Scientific Research’s Summer Faculty SECTION V. SECTION VI validates the developed models
Fellowship Program. Omar A. Beg, T. Johnson, and A. Davoudi are with against a 200 W buck converter prototype using the confor-
the University of Texas, Arlington, TX 76019, USA. H. Abbas is with Uni- mance degree, formally verifies the model properties using
versity of Pennsylvania, Philadelphia, USA. (e-mail: [email protected];
[email protected]; [email protected]; [email protected]). reachability analysis, and presents comparison with the Monte
Manuscript received Month –, 20–; revised Month –, —–. Carlo simulation. SECTION VII concludes the paper.
IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS I, VOL. –, NO. -, ——- 20– 2

Topology. 1 Topology. 2
Invariant Set
X’’’
Guard Set

- -

+
+

Continuous Flow
X’’

Voltage
Discrete Transition
Switch : ON Diode : OFF τ ≥ DTsw Switch : OFF Diode : ON Topology 2
τ′ := 0
X’
i (0) CCM
L x = A x + B u x = A x + B u
v (0) 1 1 2 2 X0
C
τ=0 τ ≤ DTsw τ ≥ (1-D)Tsw τ ≤ (1-D)Tsw
τ′ := 0
Topology 1

DCM Current 5

i ≤0
τ ≥ (1-D)Tsw L
Topology. 3
τ′ := 0 Fig. 2. Execution of the hybrid automaton model of DC-DC converters.

x = A x + B u
3 3
-
+

• G is a set of guard conditions for each element in E.

τ ≤ (1-D)Tsw • The flow function F : Q × X × U → X ⊆ n assigns a R
Lipschitz continuous vector space for the time derivative
Switch : OFF Diode : OFF of x defined by the solution of the differential inclusion
ẋi ∈ F (qi , xi , ui ) in the ith topology.
Fig. 1. Topologies, operational modes, and hybrid automaton modeling of a
DC-DC buck converter. • g : E → G is called the guard function that maps each
element in E to its corresponding guard in G. It ensures
transitions to an appropriate topology, once the guard
II. H YBRID AUTOMATON M ODELING condition is reached, as shown in Fig. 2.
A. Hybrid Automaton Model Syntax and Semantics • h : E × X → X resets the continuous state, i.e., if
the transition from one topology to another takes place
DC-DC converters exhibit both continuous and discrete be- as defined by the set E with a final state in the set X,
haviors due to the presence of passive elements and switching the continuous state has to be reset with a new value
components, respectively. Hybrid automaton modeling [32], x0 = h(e, x(t)) in X.
[33] integrates resulting differential equations and finite state
machines in a single formalism. The state of a hybrid automa- Definition 2.2: An execution of a hybrid automaton model H
ton model may change in two ways,i.e., through a continuous is an alternating sequence of continuous flow trajectories and
f low ρ
flow trajectory within a given topology, and through a discrete discrete transitions, denoted by X0 −−−−−−−−−−→ X 0 −−−−→
ẋ=f1 (q1 ,x1 ,u1 ) (q1 ,q2 )
transition between two given topologies. A topology is defined f low
as the circuit configuration in each switching sub-interval. X 00 −−−−−−−−−−→ X 000 . . ., as shown in Fig. 2.
ẋ=f2 (q2 ,x2 ,u2 )
Definition 2.1: A hybrid automaton model is defined by a Definition 2.3: The continuous flow trajectory for a hybrid
tuple H = hQ, X, init, U, inv, E, G, F, g, hi, where automaton model H is defined as: for a given (qi , xi ) ∈ init
• Q = {q1 , q2 , ...., qN } is a finite set of topologies. and ui ∈ U , there is a flow function ẋi = f (qi , xi , ui )
• X ⊆
n
R
represents continuous state variables, with x0i that results in a final continuous state x0i , whereas qi remains
being the value of the ith state at the end of a transition. unchanged, iff inv(xi ) is true and the guard gi ∈ G is not
f low
• init ⊂ Q0 × X0 is a set of initial conditions, such that violated, such that xi −−−−−−−−−−→ x0 .
ẋ=f1 (q1 ,x1 ,u1 )
Q0 ⊆ Q and X0 ⊆ X.
Continuous flow trajectories evolve as the real time τ
• U = {u1 , u2 , ...uN } forms the input for each topology.
X elapses. At each topology, converter dynamics can be mod-
• inv : Q → 2 is a mapping that assigns an invariant
eled by ordinary differential equations (ODE); e.g., system
inv (qi ) ⊆ X for each topology in Q. 2X denotes the
matrices Aq and Bq describe the continuous flow trajectories
power set, i.e., the set of all subsets of X. An invariant
in topology q ∈ {1, 2, 3} of Fig. 1.
inv (qi ) ⊆ X is a property of the hybrid automaton
Definition 2.4: The discrete transition for a hybrid automa-
model that must be satisfied by all reach sets for a given
ton model H is defined as: for a given (qi , xi ) ∈ init and
topology qi . Once an invariant is violated, the real time τ
ui ∈ U , there is a function ρ = h(eij , xi ) that resets the
is stopped, forcing the continuous state to stop evolving
continuous state to x0i , and the topology to qj , iff inv(xi ) and
within a topology. Here, invariants are defined in the form
the guard gi ∈ G are both true, and ∃ eij ∈ E, such that the
of bounds for a continuous state variable (Fig. 2). ρ
transition ρ is denoted by xi −−−−→ x0i .
• E ⊂ Q×Q is a set of feasible discrete transitions allowed (qi ,qj )
in the hybrid automaton model. It might not be possible The switching instance can be determined either externally
to visit the entire set of topologies from one particular (e.g., by a duty cycle command for the MOSFET) or internally
topology. (e.g., by meeting appropriate threshold conditions for the
IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS I, VOL. –, NO. -, ——- 20– 3

diode). The sequence of topologies, observed periodically in

Discrete transitions occuring within τ :
the steady state, defines an operational mode. Example of three c
25 Topology 1 to Topology 2 to Topology 3
topologies and two operational modes for a buck converter are
shown in Fig. 1. 20 T

vC, V
B. Model Instantiation for DC-DC Converters 15
We define D as the duty cycle, Tsw as the switching
period, Vin as the DC input voltage, and Vref as the reference 10 τc
voltage. We can represent the continuous dynamics for a given
topology as a standard set of state-space equations 5
Stateflow Simulation
dx Experiment Data
= Aq x + B q u (1) 0
dt 0 0.005 0.01 0.015 0.02
R
where, x ∈ n is a vector of continuous states, Q is a
Time, Sec
finite set of topologies, u ⊆ U such that U ⊆ m is a R
R R
Fig. 3. Output trajectories of capacitor voltage for the closed-loop controlled
set of input vectors, and Aq ∈ n×n and Bq ∈ n×m are buck converter - local mismatch for interval τc and corresponding ε.
system matrices. Such formation can be readily created for
the buck converter in Fig. 1, as given in the APPENDIX. The
be defined in terms of switching boundaries. The hysteresis
instantiation of the hybrid automation model for an open-loop
band is formed by defining an upper switching boundary,
DC-DC converter, as per Definition 2.1 and Definition 2.2, is:
Vref + δ, and a lower switching boundary, Vref − δ, where
• Three topologies are denoted by Q = {q1 , q2 , q3 }. Vref is the desired output voltage, and δ is the tolerance level.
0
• The continuous state vector is x = [iL vC τ ] . τ Thus, G = {(vC ≥ Vref + δ) , (vC ≤ Vref − δ) , (iL ≤ 0) ,
dτ
represents real time such that dt = 1. (vC ≤ Vref − δ)}.
0 0 0
• U = {[Vin , 0, 0] , [0, 0, 0] , [0, 0, 0] } forms the input It should be noted that time τ does not appear in the
vector set. guard expressions. Therefore, we have developed two hybrid
• E = {(q1 , q2 ) , (q2 , q1 ) , (q2 , q3 ) , (q3 , q1 )} defines the automaton models for the closed-loop buck DC-DC converter,
feasible discrete transitions, e.g., (q2 , q3 ) means a discrete i.e., one with variable τ (called the time-dependent hybrid
transition from topology 2 to 3 is allowed. automaton model), and another without variable τ (called
• The continuous flow trajectory is computed using (1), the time-independent hybrid automaton model). For the time-
with the corresponding state matrices for each topology. independent hybrid automaton model, we perform the reacha-
f low
For topology 1, this can be denoted by X0 −−−−−−−−−−→ bility analysis for an unbounded time, i.e., compute the reach
ẋ=f1 (q1 ,x1 ,u1 )
X 0 , as shown in Fig. 2. X0 is the initial and X 0 is the sets as t → ∞.
final set of states as the automaton continuously evolves
III. VALIDATION THROUGH C ONFORMANCE D EGREE
with the continuous flow dynamics f1 (q1 , x1 , u1 ).
• Guard conditions, for elements of E, are defined Model validation of DC-DC converters requires comparing
by G = {(τ ≥ DTsw ) , (τ ≥ (1 − D) Tsw ) , (iL ≤ 0) , output trajectories (or simulation traces) for a given model
(τ ≥ (1 − D) Tsw )}. referred to as M, and the measured data from an experimental
• The reset function h defines a new continuous state x00 for prototype referred to as I. The goal is to find an appropriate
the new topology. For example, if a transition is to take measure of distance for output trajectories of hybrid automata.
place from topology 1 to topology 2 with some final state Definition 3.1: The behavior BH of the hybrid automaton
x0 ∈ X 0 in topology 1, h assigns the new state x00 ∈ X 00 model H with initial state (q0 , x0 ) under the influence of the
in topology 2. For topology 1 to topology 2, a transition input u for the given time horizon T is defined by the output
ρ
ρ is denoted by X 0 −−−−→ X 00 , as shown in Fig. 2. trajectory yH ((q0 , x0 ), u, T ), where, q0 ∈ Q0 , x0 ∈ X0 , and
(q1 ,q2 ) u ∈ U.
The evolution of the hybrid automaton model starts with One can consider the output trajectories of the capacitor volt-
initial conditions from set init, e.g., (q1 , x0 ) ∈ init for a age (vC ) for a closed-loop buck converter shown in Fig. 3. The
given input u1 = [Vin , 0, 0]0 and, subsequently, the continuous experimental data obtained from a prototype and output trajec-
state evolves according to the flow function. The discrete tory of the hybrid automaton model in Simulink/Stateflow are
state (i.e., topology) remains constant; i.e., q (t) = q1 , as xi overlaid. Intuitively, the two output trajectories look similar,
evolves inside the invariant inv (q1 ). Once the continuous state however, the sup norm would give a very large value to the
trajectory reaches the guard G (q1 , q2 ) corresponding to the distance between them. This is, partly, because I and M
edge E (q1 , q2 ), the topology may transition from q1 to q2 , might transition among various topologies at slightly different
and the continuous state is reset with a new value x00 in the moments in time. Therefore, our distance measure should
new invariant set inv (q2 ) ⊂ X. allow some wiggle room in time; Rather than comparing
This hybrid automaton model can be extended to closed- only the states that are exactly time-aligned, it should allow
loop DC-DC converters, e.g., hysteresis-controlled converters. comparison of states that are within some τc > 0 time units
The tuple remains the same except that the guards shall of each other.
IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS I, VOL. –, NO. -, ——- 20– 4

Moreover, it is not appropriate to compare outputs when IV. M ODELING N ON -D ETERMINISM USING I NTERVAL
two systems are in different topologies. Thus, our distance A NALYSIS
measure must only compare states after an equal number of The system matrices in the hybrid automaton models of DC-
discrete transitions between topologies of the two systems. DC converters depend on component values. The variations
Note that within the time window τc in Fig. 3, both the due to manufacturing tolerance, aging, and temperature result
hardware prototype as well as the Stateflow model exhibit in non-determinism of component values. We use the interval
two discrete transitions between topologies. To this end, we arithmetic [34] to incorporate the parameter variations within
introduce the parameter j ∈ N, that counts the number of the reachability analysis framework. The range of component
discrete transitions each system makes. It is reasonable to values are represented in terms of intervals. A real interval v
require that the transition times of the two systems be close is a set of real numbers given by
to consider that the systems themselves are close: the value
τc will also bound the difference in transition times. The [v, v] = {v ∈ R : v ≤ v ≤ v}, (2)
distance measure will account for the distance between output
trajectories, captured by the value ε > 0. Thus, we have a where v is the infimum and v is the supremum. These inter-
2-value distance measure, with values τc and ε capturing the vals may also be defined by the midpoint-radius representation
time and space distance between the two output trajectories. 1
These are illustrated in Fig. 3. mid(v) = (v + v), (3)
2
The output trajectories of hybrid automaton models are 1
parameterized with t and j. t ∈ R+ is the time spent in a given rad(v) = (v − v). (4)
2
converter topology, and j ∈ N counts the number of discrete
transitions between different topologies. We write y1 (t; j) for The interval matrix for the system matrix is A = [A, A].
the output trajectory at the hybrid time (t; j) ∈ R+ × N, i.e., System stability can be deferred by examining matrix extrema,
at time t and after j transitions. Let domy1 ⊂ R+ × N denote i.e., A and A [35]. Therefore, it is sufficient to consider every
the domain of output trajectory y1 , i.e., the set of all (t; j), so combination of matrix extrema to overapproximate the reach
that (T, J, τc , ε)-closeness [11] can be formally defined. set. The overapproximation of an interval matrix A is given by
splitting it into two parts, i.e., a nominal part and a symmetric
Definition 3.2: Take an output trajectory duration T ∈ R+ , part [36]. For the ith state variable, one has
a maximum number of discrete transitions J ∈ N, and
parameters τc , ε > 0. Two output trajectories y1 and y2 are ẋi = ai1 x1 + ai2 x2 + ... + aij xj + ... + ain xn . (5)
(T, J, τc , ε)-close, shown as y1 ≈(τc ,ε) y2 , if (a) for all (t, j) ∈ To incorporate parameter variation, one can replace the
domy1 such that t ≤ T, j ≤ J, there exists (s, j) ∈ domy2 above coefficients with intervals
where |t − s| ≤ τc , and ky1 (t, j) − y2 (s, j)k ≤ ε, and (b) for
all (s, j) ∈ domy2 such that s ≤ T, j ≤ J, there exists (t, j) ∈ ẋi ∈ [mid(ai1 ) ± rad(ai1 )]x1 + ...[mid(aij ) ± rad(aij )]xj
domy1 where |t − s| ≤ τc , and ky2 (s, j) − y1 (t, j)k ≤ ε. + ... + [mid(ain ) ± rad(ain )]xn . (6)
(T, J, τc , ε)-closeness gives a proximity measure between the The mid-points are constant terms, which can be separated
two output trajectories in both time and space. It shows that
ẋi ∈ ai1 x1 + ri1 + ...aij xj + rij ... + ain xin + rin . (7)
for every point y1 (t, j), y2 has a point ε-close to it, which
may occur anywhere in the window [t − τc , t + τc ] (and The radii ri1 , ri2 , ..., rij , ..., rin are given by
vice versa). Allowing this wiggle room in time is important
when comparing the output trajectories, because the discrete rij ∈ [−rad(aij ), rad(aij )]xj , (8)
transitions could occur at different times. The two values T which are used to define the invariants for the hybrid
and J limit our testing horizon. (T, J, τc , ε)-closeness can be automaton model, i.e.,
lifted from output trajectories to systems. One can validate
the model through the conformance degree between its output − [−rad(aij ), rad(aij )]xj ≤ rij ≤ [−rad(aij ), rad(aij )]xj .
trajectory and measured data. (9)
These invariants are defined for each topology of the DC-
Definition 3.3: Let H1 and H2 be two hybrid automata. The DC converter. As seen in (9), the state variable xj is also
conformance degree of H1 to H2 , given τc , is defined as the included in the invariants.
smallest ε such that for every trajectory y1 of H1 , there exists
a trajectory y2 of H2 , where y1 ≈(τc ,ε) y2 . We denote this V. R EACHABILITY A NALYSIS FOR H YBRID AUTOMATA
conformance degree by CDτ (H1 , H2 ).
Reachability analysis can be used for the formal verification
We will use this definition intuitively for model validation of converter properties, e.g., stability in the sense of Lyapunov,
of DC-DC converters. We compute the conformance degree i.e., ẋ = f (x(t)) is stable if ∀ θ > 0 , ∃ β > 0 such that
CDτ (H1 , H2 ) for some τc > 0 in different case studies of if kx(0)k ≤ β ⇒ kx(t)k ≤ θ ∀ t ≥ 0. We may define
SECTION VI, and effectively say that some local mismatch a bounded region and verify that the output of the hybrid
is permissible within a window τc for the output trajectories automaton model eventually reaches, and always remains, in
of the models and the hardware prototype. this stable region, as seen in Fig. 4. We define the stability
IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS I, VOL. –, NO. -, ——- 20– 5

5), and implemented in various reachability analysis tools by

software research community as mentioned in SECTION I.
Simulation Trajectory The reach sets for continuous dynamics can be computed using
continuous post-operators so long as the continuous dynamics
of DC-DC converter are contained within the invariant set
Safe Operating Region
in Steady State defined for the corresponding topology or do not enter the
Voltage

Reach Sets guard set. Once the guard condition is satisfied within an
invariant, a transition takes place from topology 1 to topology
2 such that the next reach set is computed using discrete post-
operator. This process goes on until either the final time in a
Initial State X0
local time horizon, or a fixed point, is reached. A fixed point
signifies that the reachability algorithm cannot find any new
reach set during the current iteration other than those computed
Current in the previous iteration.
SpaceEx reachability tool computes the reach sets of a
Fig. 4. Reachability analysis using reach sets for formal verification of a hybrid dynamical system. It is a classical fixed point algorithm
hybrid automaton model.
based on computation of symbolic states [19], [20]. A symbolic
state is defined as a pair (l, Ω), where l is a topological
Invariant Set for Respective instance, and Ω is the corresponding convex continuous set.
Topological Instance Topology 2 The reach set R is obtained by computing the set of symbolic
Guard Set for Transition from One
Topology to Other states. This reach set is the fixed point of the sequence
Ro = postc (Init), and the successors are computed using
X’’
Discrete [


Transition Rk+1 := Rk postc postd Rk (11)
Voltage

Reach Sets
X’ where, postd is the discrete post-operator that defines the
reach sets by a discrete transition from R. This corresponds
X0 to the h function defined in Definition 2.1. postc is the
X’’’ continuous post-operator that defines the reach sets from R
after an arbitrary amount of time is elapsed. This corresponds
Topology 1 Next Transition to the flow function in Definition 2.1.
Current 6
Computation of the reachability post-operators for Ω is
challenging, so each Ω is represented by its corresponding
Fig. 5. Reach set in different topologies with transitions imposed by guards. support function to facilitate various set operations such as
linear mapping, Minkowski sum, and convex hull. A support
function is an exact representation of a given Ω. An approxi-
specification such that from the settling time ts , the output mated computation of Ωk is given in [20] for the k th time step.
voltage VC (t) should remain bounded within a tolerance γ Hence, a sequence of convex continuous sets Ω0 , Ω1 , ....ΩN −1
of the reference voltage Vref (t), i.e., for t ≥ ts ⇒ VC (t) = is computed to form a flowpipe that covers the reach sets
Vref (t) ± γ. up to a pre-defined time such that N represents the number
Definition 5.1: State x is reachable iff ∃ an execution α of time steps. This flowpipe is then used to compute the
such that x ∈ α. transition successors. Only those states can take the transition
The set of reachable states contains all the states that can be that satisfy the guard associated with the present topology and
reached from a given set of initial conditions for a given time. the invariant of the target topology. This process is continued
Consider an example of an autonomous system ẋ = Ax. The until a fixed point is reached, i.e., if all the reach sets that
set of states from initial time t0 to final time tf , reached from are computed in the present iteration, are contained in reach
a given initial set X0 , is the union of the reachable states sets computed in the previous iteration, i.e., Rk+1 ⊆ Rk .
t
[ This signifies that no new reach sets could be found and
Rtf0 (X0 ) = eAt X0 . (10)
the computation process may be terminated. Interested readers
t∈[t0 ,tf ]
may see [20] for further implementation detail.
However, (10) does not cater to the discrete transitions SpaceEx is a development platform with various verification
associated with the hybrid dynamical systems. Additionally, algorithms (called scenarios). Three scenarios are available in
the exact set of all reachable states is undecidable. In practice, SpaceEx v0.9.8d; i.e., PHAVer (Polyhedral Hybrid Automaton
overapproximations of the reachable states are computed using Verifyer), LGG (Le Guernic-Girard) algorithm wherein the
geometrical data structures (e.g, boxes, polytopes, ellipsoids, reach set is overapproximated by a set of polyhyedra, and STC
or zonotopes [37]), called the overapproximated reach sets algorithm (an enhancement of LGG with automatic clustering).
and denoted by R. For simplicity, we call these as the reach The version of LGG implemented in SpaceEx uses outer
sets in this paper. This framework can be extended to hybrid polyhedral approximations to compute the image of discrete
dynamical systems by including invariants and guard sets (Fig. transitions, making it scalable. STC algorithm produces fewer
IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS I, VOL. –, NO. -, ——- 20– 6

dSpace
TABLE I
Laptop installed C ONFORMANCE D EGREE A NALYSIS
DS1103
with dSpace and
System
MATLAB Software
dSpace
CP1103 Configuration Type of Output Trajectories τc Value ε Value
Connector
Panel Current (iL ) - PLECS vs Experiment 2× 10−3 1.9117
Current (iL ) - Stateflow vs Experiment 2 × 10−3 1.9125
Current (iL ) - Stateflow vs PLECS 2 × 10−3 0.1785
Open loop
Voltage (vC ) - PLECS vs Experiment 8 × 10−3 1.1231
Load Voltage (vC ) - Stateflow vs Experiment 8 × 10−3 1.1033
Voltage (vC ) - Stateflow vs PLECS 8 × 10−3 0.6666
Experimental Buck Current (iL ) - PLECS vs Experiment 5 × 10−5 3.0590
Converter
Current (iL ) - Stateflow vs Experiment 5 × 10−5 3.0590
Fig. 6. Buck converter prototype controlled with a dSPACE DS1103 system. Current (iL ) - Stateflow vs PLECS 5 × 10−5 0.0878
Closed loop
Voltage (vC ) - PLECS vs Experiment 8 × 10−4 1.3105
Voltage (vC ) - Stateflow vs Experiment 8 × 10−4 1.3105
convex continuous sets for a given accuracy, and computes
more precise images of discrete transitions. Based on the LGG Voltage (vC ) - Stateflow vs PLECS 8 × 10−4 0.0584
scenario, the flowpipes (i.e., the reach sets over time) are
bounded with piecewise linear approximations of the support
function over time. A comparison of both scenarios is given abstractions for MO , whereas MCP and MCS are reasonable
in [21]. abstractions for IC . Therefore, we have validated the hybrid
automaton models against both the open-loop and the closed-
VI. C ASE S TUDIES loop converter prototypes.
An experimental setup of a buck converter, controlled with a
dSpace DS1103 unit, has been prototyped, as shown in Fig. 6. B. Formal Verification of the Open-loop Buck Converter
The experimental results are used for benchmarking purposes We consider the voltage stability specification to perform
against MATLAB/PLECS [38], Simulink/Stateflow [39], and formal verification. For example, for ts = 0.025 sec, and
SpaceEx reachability analysis. Circuit parameters L = 2.65 Vref = 48 V, we define γ = 7 V. This results in an upper
mH, C = 2.2 mF, and R = 10 Ω are used throughout this voltage bound of 55 V, and lower voltage bound of 41 V, as
study. We have used the Hybrid Source Transformer (HyST) shown in Fig. 8(b) by dotted lines. The input parameters are
which is a source-to-source conversion tool for hybrid automa- Vin = 100 V, and fs = 60 kHz. The output trajectories and
ton models [40]. The hybrid automaton model is developed phase-plane responses are considered for the startup transients
using the java interface in MATLAB, and transformed into a of the open-loop buck converter. The converter models in
SpaceEx compatible model using HyST data structures. We PLECS, Simulink/Stateflow, and SpaceEx are verified, and
have used the STC support function of SpaceEx v0.9.8d using an acceptable match is reported in Fig. 7. The parameters’
an Intel Core i7 processor on a Windows 7 platform. We variations have been modeled using interval analysis, and
use the conformance degree to validate the hybrid automaton also included in the Monte Carlo simulation. The reachabil-
model against the experimental data. Then, the reachability ity analysis results, obtained using SpaceEx, are plotted in
analysis results are provided for an open-loop and a hysteresis- Fig. 8. It can be seen that the steady-state inductor current
controlled buck converter. and capacitor voltage waveforms lie within the reachability
analysis results, i.e., the simulations and measurement data
A. Model Validation Using Conformance Degree Testing are contained within the reach sets. Moreover, we verify that
vC (t) ∈ [41, 55] for t ≥ ts for Stateflow, PLECS, measure-
We use notations IO and IC for hardware prototypes
ment data, Monte Carlo analysis, and SpaceEx analysis results.
in open-loop and closed-loop configurations, respectively.
PLECS and Stateflow models are denoted by MOP , MCP
and MOS , MCS , respectively, where subscript O denotes C. Formal Verification of the Hysteresis-controlled Converter
an open-loop and C denotes a closed-loop configuration. The We define the voltage stability specification for the closed-
computed ε values against τc (as defined in SECTION III) are loop buck converter to perform formal verification. For ts =
tabulated in Table I for the corresponding output trajectories. 0.012 sec, and Vref = 12 V, we define γ = 3 V. This leads to
It is evident from Table I that the ε values of MOP and MOS upper and lower voltage bounds of 15 and 9 V, respectively, as
as well as MCP and MCS are close enough (also, as seen shown by dotted lines in Fig. 11(b). In this case study, the time-
in Figs. 7, 9, and 10). We have also computed conformance dependent and the time-independent models (as mentioned
degrees for the prototype buck converters, i.e., IO and IC , in SECTION II) are considered. First, SpaceEx reachability
in comparison with other models, i.e., MOP , MOS and analysis is performed using both LGG and STC for the time-
MCP , MCS . The values depicted in Table I provide enough dependent model. The new parameters are Vin = 24 V,
wiggle room to validate that MOP and MOS are reasonable Vref = 12 V, and fs = 50 kHz. The trajectories are shown for
IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS I, VOL. –, NO. -, ——- 20– 7

Stateflow
15 PLECS 40 40
Experiment
SpaceEx 30 30

vC, V

vC, V
10
iL, A

Stateflow
20 20 PLECS
Stateflow
5 PLECS Experiment
10 Experiment 10 SpaceEx
SpaceEx
0 0.01 0.02 0.03 0 0.01 0.02 0.03 5 10 15
(a) Time, Sec (b) Time, Sec (c) iL, A

Fig. 7. Startup transients for an open-loop buck converter including Stateflow, PLECS, experiment, and SpaceEx; (a) current vs. time, (b) voltage vs. time,
and (c) phase portrait.

Stateflow 50 50
PLECS
15 Experiment 40
40
Monte Carlo
SpaceEx ts
vC, V

vC, V
30
iL, A

10 30 Stateflow
Stateflow PLECS
20 PLECS 20
Experiment
5 Experiment
10 Monte Carlo
Monte Carlo 10
SpaceEx
SpaceEx
0
0 0.01 0.02 0.03 0 0.01 0.02 0.03 5 10 15
(a) Time, Sec (b) Time, Sec (c) i ,A
L

Fig. 8. Startup transients for an open-loop buck converter using interval matrices and the Monte Carlo simulation including Stateflow, PLECS, experiment,
and SpaceEx; (a) current vs. time, (b) voltage vs. time, and (c) phase portrait.

Stateflow
12 15 15
PLECS
10 Experiment
SpaceEx
8 10 10 Stateflow
vC, V

vC, V
iL, A

PLECS
6
Stateflow Experiment
4 5 PLECS 5 SpaceEx
2 Experiment
SpaceEx
0
0 0.005 0.01 0.015 0.02 0 0.005 0.01 0.015 0.02 0 5 10
(a) Time, Sec (b) Time, Sec (c) iL, A

Fig. 9. Time-dependent hysteresis-controlled buck converter: Stateflow, PLECS, experiment, and SpaceEx LGG results using deterministic models; (a) current
vs. time, (b) voltage vs. time, and (c) phase portrait.

Stateflow, PLECS, and experimental data along with reach sets τ . This would not be possible through Monte Carlo analysis
computed using SpaceEx LGG and STC scenarios in Fig. 9 as, even for a limited time span, one has to take into account
and Fig. 10, respectively. The Stateflow, PLECS, and SpaceEx infinite number of possible combinations. We have success-
results match right from the start until the steady state is fully achieved a fixed point using SpaceEx LGG scenario, with
reached. Experimental results match that of Stateflow, PLECS, unbounded time, and with all possible parameter variations.
and SpaceEx in the steady state. Next, the non-determinism The phase-plane plots are given for the start-up transients in
due to the parameter variations is modeled using the interval Fig. 12. As seen, all results remain within the computed reach
matrices. It can be observed in Fig. 11 that Stateflow, PLECS, sets as t → ∞, verifying vC (t) ∈ [9, 15] as t → ∞.
and measured results remain within the reach sets computed
using SpaceEx, vC (t) ∈ [9, 15] for t ≥ ts . A comparison of Monte Carlo analysis and SpaceEx reach-
ability analysis, in term of computation times, is shown
We can formally verify the time-independent SpaceEx in Table II. Both are run on a Windows 7 SP1 (64 bit)
model for an unbounded time, i.e., t → ∞, by excluding platform, with Intel (R) core i7-2600 CPU with 3.40 GHz,
IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS I, VOL. –, NO. -, ——- 20– 8

Stateflow
12 15 15
PLECS
10 Experiment
SpaceEx
8 10 10 Stateflow

vC, V

vC, V
iL, A

PLECS
6
Stateflow Experiment
4 5 5 SpaceEx
PLECS
2 Experiment
SpaceEx
0 0
0 0.005 0.01 0.015 0.02 0 0.005 0.01 0.015 0.02 0 5 10
(a) Time, Sec (b) Time, Sec (c) iL, A

Fig. 10. Time-dependent hysteresis-controlled buck converter: Stateflow, PLECS, experiment, and SpaceEx STC results using deterministic models; (a) current
vs. time, (b) voltage vs. time, and (c) phase portrait.

15 ts
Stateflow
PLECS 15 15
Experiment
10 Monte Carlo
SpaceEx
vC, V

vC, V
Stateflow
iL, A

10 10
Stateflow PLECS
5 PLECS Experiment
5 Experiment 5 Monte Carlo
Monte Carlo SpaceEx
SpaceEx
0
0.005 0.01 0.015 0.02 0 0.005 0.01 0.015 0.02 0 5 10 15
(a) Time (τ), Sec (b) Time (τ), Sec (c) i ,A
L

Fig. 11. Time-dependent hysteresis-controlled converter analysis using interval matrices including Stateflow, PLECS, experiment, Monte Carlo, and SpaceEx;
(a) current vs. time, (b) voltage vs. time, and (c) phase portrait.

VII. C ONCLUSION
20
A hybrid automaton modeling approach for PWM DC-
DC converters is developed. We have used the conformance
15
testing for model validation when compared with a hardware
prototype of DC-DC converters. The interval matrices analysis
vC, V

10 Stateflow accommodates the model non-determinism caused by varia-

PLECS tions in component values. Reachability analysis frameworks
Experiment are developed for formal verification of the resulting hybrid
5 Monte Carlo automaton models. It is shown that the proposed reachability
SpaceEx
analysis outperforms the brute force Monte Carlo analysis in
0 computation time and confidence level.
−5 0 5 10 15
iL, A

ACKNOWLEDGMENT
Fig. 12. Time-independent hysteresis-controlled converter analysis using
interval matrices including stateflow, PLECS, experiment, Monte Carlo, and The authors would like to thank Luan V. Nguyen and
SpaceEx. Vahidreza Nasirian for their help.

A PPENDIX
The state-space matrices for circuit topology 1, 2, and 3 are:
16.0 GB RAM processor, MATLAB version 8.5.0.197613
(R2015a), PLECS version 3.7.3, and SpaceEx version 0.9.8d. 
−(rL + rS ) −1

While infinite iterations are required to have full confidence 0  1
 L L
in model validation through Monte Carlo analysis, we have 
1 −1

 L
A1 =  0  , B1 =  0  , (12)
 
only used finite (i.e., 2000) iterations as would be done in  C RC 
practice. Even then, it is evident that the SpaceEx reachability  1 0
outperforms the Monte Carlo analysis in computation time, as 0 0
τ
seen in Table II.
IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS I, VOL. –, NO. -, ——- 20– 9

TABLE II
C OMPARISON OF M ONTE C ARLO AND S PACE E X A NALYSIS

System Configuration Monte Carlo Iterations Monte Carlo Time (sec) SpaceEx Time (sec) Times SpaceEx is Faster

Open Loop 2000 1.0151 × 104 1701.43 5.9662

Hysteresis control (time-dependent) 1000 315.43 137.65 2.2915
Hysteresis control (time-independent) 1000 315.43 230.57 1.3680
Hysteresis control, steady state (time-independent) 2000 1327 229.03 5.794

−rL −1
 
 L 0 [17] E. Asarin et al., “The d/dt tool for verification of hybrid systems,”
L 0
 
in Computer Aided Verification, E. Brinksma and K. G. Larsen, Eds.
 1 −1
 
Berlin Heidelberg: Springer, Sep. 2002, pp. 365–370.
A2 =  0  , B2 = 0 , (13)
 
 C RC  [18] X. Chen et al., “Flow*: An analyzer for non-linear hybrid systems,” in
 1 0 Computer Aided Verification, ser. Lecture Notes in Computer Science,
0 0 N. Sharygina and H. Veith, Eds. Springer Berlin Heidelberg, 2013,
τ vol. 8044, pp. 258–263.
and 0 [19] G. Frehse, “An introduction to SpaceEx v0.8,”
0 0 http://spaceex.imag.fr/documentation/user-documentation/introduction-
0
 
0 −1 spaceex-27, dec 2010.
0 [20] G. Frehse et al., “SpaceEx: Scalable verification of hybrid systems,”
A3 = 
 RC
 , B3 =  0 , (14)
1
 in Proc. 23rd Int. Conf. on Comput. Aided Verification, Snowbird, UT,
0 0 0 2011, pp. 379–395.
τ [21] G. Frehse, “A brief experimental comparison of the STC and LGG anal-
respectively. ysis algorithms in SpaceEx,” http://spaceex.imag.fr/documentation/user-
documentation/brief-experimental-comparison-stc-and-lgg-analysis-
R EFERENCES algorithms-spaces, Nov 2012.
[22] M. Miranda and A. Lima, “Formal verification and controller redesign of
[1] W. Huang et al., “System accuracy analysis of the multiphase voltage power electronic converters,” in Proc. IEEE Int. Symp. Indust. Electron.,
regulator module,” IEEE Trans. Power Electron., vol. 22, no. 3, pp. Ajaccio, France, 2004, pp. 907–912.
1019–1026, May 2007. [23] L. Nguyen and T. Johnson, “Benchmark: Dc-to-dc switched-mode
[2] M. Li et al., “Design verification and testing of power supply system by power converters (buck converters, boost converters, and buck-boost
using virtual prototype,” IEEE Trans. Power Electron., vol. 18, no. 3, converters),” in Applied Verification for Continuous and Hybrid Systems
pp. 733–739, May 2003. Workshop, Berlin, Germany, 2014, pp. 19–24.
[3] M. del Casale et al., “Selection of optimal closed-loop controllers for [24] T. Johnson et al., “Design verification methods for switching power
dc-dc voltage regulators based on nominal and tolerance design,” IEEE converters,” in Proc. 3rd Power and Energy Conf. at Illinois, Urbana,
Trans. Ind. Electron., vol. 51, no. 4, pp. 840–849, Aug 2004. IL, 2012, pp. 1–6.
[4] T. Neugebauer and D. Perreault, “Computer-aided optimization of dc/dc
[25] S. Hossain et al., “Reachability analysis of closed-loop switching power
converters for automotive applications,” IEEE Trans. Power Electron.,
converters,” in Proc. 4th Power and Energy Conf. at Illinois, Urbana,
vol. 18, no. 3, pp. 775–783, May 2003.
IL, 2013, pp. 130–134.
[5] D. Maksimovic et al., “Modeling and simulation of power electronic
converters,” Proc. IEEE, vol. 89, no. 6, pp. 898–912, Jun. 2001. [26] M. Hongbo and F. Quanyuan, “Hybrid modeling and control for buck-
[6] H. Behjati et al., “Alternative time-invariant multi-frequency modeling boost switching converters,” in Proc. Int. Conf. Commun., Circuits and
of pwm dc-dc converters,” IEEE Trans. Circuits Syst. I: Regular Papers, Syst., Milpitas, CA, 2009, pp. 678–682.
vol. 60, no. 11, pp. 3069–3079, Nov 2013. [27] M. Senesky et al., “Hybrid modelling and control of power electronics,”
[7] J. Kimball and P. Krein, “Singular perturbation theory for dc-dc con- in Proc. 6th Int. Workshop on Hybrid Systems: Computation and Control,
verters and application to pfc converters,” IEEE Trans. Power Electron., Prague, Czech Republic, 2003, pp. 450–465.
vol. 23, no. 6, pp. 2970–2981, Nov 2008. [28] C. Sreekumar and V. Agarwal, “A hybrid control algorithm for voltage
[8] Z. Mihajlovic et al., “Output ripple analysis of switching dc-dc convert- regulation in dcdc boost converter,” IEEE Trans. Ind. Electron., vol. 55,
ers,” IEEE Trans. Circuits and Syst. I: Regular Papers, vol. 51, no. 8, no. 6, pp. 2530 – 2538, Jun. 2008.
pp. 1596–1611, Aug 2004. [29] Y. Quan et al., “Simultaneous ccm and dcm operations of boost converter
[9] B. Lehman and R. M. Bass, “Extensions of averaging theory for power by a pwm hybrid control strategy,” in Proc. IEEE 39th Annual Conf.
electronic systems,” IEEE Trans. Power Electron., vol. 11, no. 4, pp. Ind. Electron. Society, Vienna,Austria, 2013, pp. 1260–1265.
542–553, Jul 1996. [30] U. Kuhne, “Analysis of a boost converter circuit using linear hybrid
[10] L. Ljung, System Identification: Theory for the User, 2nd ed. New automata,” ENS Cachan, Cedex, France, Tech. Rep., 2010.
Jersey, USA: Prentice-Hall, Inc., 1999. [31] E. Hope et al., “A reachability-based method for large-signal behavior
[11] H. Abbas et al., “Formal property verification in a conformance testing verification of dc-dc converters,” IEEE Trans. Circuits Syst. I, vol. 58,
framework,” in Proc. ACM-IEEE 12th Int. Conf. on Formal Methods no. 12, pp. 2944–2955, Dec. 2011.
and Models for Syst. Design, Lausanne, 2014, pp. 155–164.
[32] O. Stursberg and B. Krogh, “Efficient representation and computation
[12] R. Alur et al., “Automatic symbolic verification of embedded systems,”
of reachable sets for hybrid systems,” in Hybrid Systems: Computation
IEEE Trans. Software Eng., vol. 22, no. 3, pp. 181–201, Mar. 1996.
and Control, O. Maler and A. Pnueli, Eds. Springer Berlin Heidelberg,
[13] T. Henzinger et al., “HyTech: A model checker for hybrid systems,”
2003, vol. 2623, pp. 482–497.
in Computer Aided Verification, O. Grumberg, Ed. Berlin Heidelberg:
Springer, Mar. 1997, pp. 460–463. [33] T. Henzinger, “The theory of hybrid automata,” in Proc. IEEE Symp. on
[14] G. Frehse, “PHAVer: Algorithmic verification of hybrid systems past Logic in Comput. Science, New Brunswick, NJ, 1996, pp. 278–292.
HyTech,” vol. 10, no. 3, Jun. 2008, pp. 263–279. [34] R. Moore et al., Introduction To Interval Analysis. Cambridge Uni
[15] J. Bengtsson et al., “UPPAAL a tool suite for automatic verification of Press, 2009.
real-time systems,” in Hybrid Systems III. Berlin Heidelberg: Springer, [35] J. Rohn, “Stability of interval matrices: the real eigenvalue case,” IEEE
Jun. 2005, pp. 232–243. Trans. Autom. Control, vol. 37, no. 10, pp. 1604–1605, Oct. 1992.
[16] S. Ratschan and Z. She, “Safety verification of hybrid systems by [36] M. Althoff et al., “Analyzing reachability of linear dynamic systems
constraint propagation based abstraction refinement,” in Hybrid Systems: with parametric uncertainties,” in Modeling, Design, and Simulation
Computation and Control, M. Morari and L. Thiele, Eds. Berlin of Systems with Uncertainties, A. Rauh and E. Auer, Eds. Berlin
Heidelberg: Springer, Mar. 2005, pp. 573–589. Heidelberg: Springer, May 2011, pp. 69–94.
IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS I, VOL. –, NO. -, ——- 20– 10

[37] P. Hnsch et al., “Reachability analysis of linear systems with stepwise Taylor T Johnson is an Assistant Professor of Com-
constant inputs,” Electronic Notes in Theoretical Computer Science, vol. puter Science and Engineering at the University of
297, no. 0, pp. 61–74, Dec. 2013. Texas at Arlington. Dr. Johnson completed his PhD
[38] PLECS Manual Version 3.7, Plexim Inc., Cambridge, MA, USA, 2015. and MSc in Electrical and Computer Engineering
[39] MATLAB Stateflow User’s Guide, Mathworks, MA, USA, 2015. at the University of Illinois at Urbana-Champaign
[40] S. Bak et al., “HyST: A source transformation and translation tool for in 2013 and 2010, respectively. He was a visiting
hybrid automaton models,” in Proc. ACM 18th Int. Conf. on Hybrid graduate research assistant at the Air Force Research
Syst.: Computation and Control, Seattle, WA, 2015, pp. 128–133. Laboratory (AFRL)s Space Vehicles Directorate at
Kirtland Air Force Base in 2011, and was a vis-
iting faculty researcher at the AFRLs Information
Directorate in 2014. Dr. Johnson worked in industry
for Schlumberger at various times between 2005 and 2010 helping develop
new downhole embedded control systems. Dr. Johnsons research focus is
Omar Ali Beg (S‘14) received the B.E. and M.S. developing algorithmic techniques and software tools to improve the reliability
degrees in electrical engineering from National Uni- of cyber-physical systems. Dr. Johnson has published over twenty papers on
versity of Sciences and Technology, Pakistan. He is these methods and their applications in areas like power and energy systems,
presently working toward his PhD degree at Univer- aerospace, and robotics, two of which were recognized with best paper awards,
sity of Texas at Arlington, TX, USA. He is recipient from the IEEE and IFIP, respectively.
of the US Air Force Research Laboratory summer
research fellowship 2015. His research interests in-
clude the modeling, reachability analysis and formal
verification of software-controlled power electronics
devices. Ali Davoudi (S‘04-M‘11-SM‘15) received his Ph.D.
in Electrical and Computer Engineering from the
University of Illinois, Urbana-Champaign, IL, USA,
in 2010. He is currently an Assistant Professor
in the Electrical Engineering Department, Univer-
sity of Texas, Arlington, TX, USA. He was with
Houssam Abbas is a postdoctoral fellow in the Solar Bridge Technologies, Champaign, IL; Texas
Department of Electrical and Systems Engineering Instruments Inc., Rochester, MN; and Royal Philips
at the University of Pennsylvania with Professor Electronics Rosemont, IL. His research interests
Rahul Mangharam. Houssam holds a PhD in Electri- include various aspects of modeling and control of
cal Engineering from Arizona State University. His power electronics and finite-inertia power systems.
research interests are in the verification, control and Dr. Davoudi is an Associate Editor for IEEE Transactions on Transportation
conformance testing of Cyber-Physical Systems, in Electrification and IEEE Transactions on Energy Conversion. He has received
particular hybrid systems. Current research includes 2014 Ralph H. Lee Prize paper award from IEEE Transactions on Industry
the verification of medical devices, verification and Applications, best paper award from 2015 IEEE International Symposium
control of autonomous vehicles, and anytime com- on Resilient Control Systems, and 2014-2015 best paper award from IEEE
putation and control. Transactions on Energy Conversion.