Verifying nonlinear analog and mixed-signal circuits with inputs by Fan, Chuchu et al.
Verifying nonlinear analog and mixed-signal
circuits with inputs
Chuchu Fan ∗ Yu Meng ∗ Ju¨rgen Maier ∗∗ Ezio Bartocci ∗∗
Sayan Mitra ∗ Ulrich Schmid ∗∗
∗University of Illinois at Urbana-Champaign, (emails: {cfan10, yumeng5,
mitras}@illinois.edu )
∗∗ Technische Universita¨t Wien, (emails: {jmaier, s}@ecs.tuwien.ac.at,
ezio.bartocci@tuwien.ac.at)
Abstract: We present a new technique for verifying nonlinear and hybrid models with inputs.
We observe that once an input signal is fixed, the sensitivity analysis of the model can be
computed much more precisely. Based on this result, we propose a new simulation-driven
verification algorithm and apply it to a suite of nonlinear and hybrid models of CMOS
digital circuits under different input signals. The models are low-dimensional but with highly
nonlinear ODEs, with nearly hundreds of logarithmic and exponential terms. Some of our
experiments analyze the metastability of bistable circuits with very sensitive ODEs and
rigorously establish the connection between metastability recovery time and sensitivity.
1. INTRODUCTION
Analog and mixed-signal circuits have provided a well-
spring of hard problem instances for formal verification
of hybrid systems (HS). Tools like HyTech (Henzinger
et al., 1997), PHAVer (Frehse, 2008), SpaceEx (Frehse et al.,
2011), Checkmate (Gupta et al., 2004), d/dt (Dang et al.,
2004), and Coho (Yan and Greenstreet, 2008) have tar-
geted and successfully verified linear dynamical and hy-
brid models for tunnel-diode oscillators (Lata and Ja-
madagni, 2010), ∆Σ modulators (Gupta et al., 2004; Dang
et al., 2004), filtered oscillators (Frehse et al., 2011), and
digital arbiters (Yan and Greenstreet, 2008). Only re-
cently, verification tools such as Flow* (Chen et al., 2013),
NLTOOLBOX (Dang et al., 2009), iSAT (Fra¨nzle et al.,
2007), dReach (Kong et al., 2015), C2E2 (Fan et al., 2016)
and CORA (Althoff and Grebenyuk, 2016), have demon-
strated the feasibility of verifying nonlinear dynamic and
hybrid models. These tools are still limited in terms of the
complexity of the models and the type of external inputs
they can handle, and they require quite often manual
tuning of algorithmic parameters. The verification chal-
lenge for nonlinear circuits is further exacerbated by the
fact that these problems often require state exploration in
regions, where the model is very sensitive. For example,
bi-stable circuits like a storage element or a flip-flop can
be driven into a metastable state where the circuit may
output signals in the forbidden region between logical 0
and logical 1 or experience very high-frequency oscilla-
tions for an arbitrary time, before resolving to a proper
state (Marino, 1981).
In this paper, we present a novel technique for verifying
nonlinear dynamic and hybrid models with externally
controlled input functions. The approach builds up on
previous work that combines numerical simulation with
model-based sensitivity analysis for bounded invariant
verification (Fan et al., 2016). For (bounded) invariant ver-
ification, we need to check whether the set of reachable
states (up to a given time T ) intersects with the unsafe set.
In general, computing the exact bounded reachable set
for nonlinear dynamic systems is hard. The simulation-
driven approach circumvents this by over-approximating
the reachable states using numerical simulations from a
finite number of initial states and bloating these simu-
lations by a factor determined by the sensitivity of the
solutions to initial states. Previous work establishes that
the resulting algorithms are sound, complete for robust
invariant verification (Duggirala et al., 2013), and exten-
sible to nonlinear hybrid models (Fan et al., 2016). The
key ingredient for the effectiveness of this approach is the
precise symbolic approximation of sensitivity as formal-
ized by so called discrepancy functions. If the discrepancy
function is excessively conservative, then in practice, the
verification algorithm may trigger many refinements, and
never reach a decision.
One major shortcoming of existing approaches is their
inability to handle sensitivity analysis of models with
external inputs. For a typical digital circuit like a simple
inverter, the output trajectory Vout depends strongly on
the input trajectory Vin. The naı¨ve approach for handling
external inputs, namely, making the system closed by
considering input signals as additional state variables,
does not work as the resulting discrepancy functions be-
come too conservative to be effective, i.e., the overapprox-
imation error of the discrepancy function becomes too
large (see the discussion in Section 2.2).
In this paper we therefore propose a new method for
computing discrepancy functions for open models. We
show that for a given input signal and a numerical solu-
tion of the model, it is possible to compute precise upper-
bounds on solutions from neighboring initial states, ex-
periencing the same input (Theorem 6). Using this new
method for discrepancy computation, we have general-
ized the verification algorithm to handle nonlinear hy-
brid models with inputs. This approach was later inte-
ar
X
iv
:1
80
3.
02
97
5v
1 
 [c
s.S
Y]
  8
 M
ar 
20
18
Fig. 1. Input signal u(t) (left), corresponding trajectory of x1, x2 (cen-
ter), and reach sets from B0.1([0.5, 0.24]T )
grated in a new version of the tool C2E2 described in
detail in Fan et al. (2016). We show the feasibility of our
approach by evaluating several Complementary Metal-
Oxide Semiconductor (CMOS) digital circuit models, in-
cluding an inverter, a NOR-gate and an OR-gate 1 . Fur-
thermore, two very sensitive models of storage elements,
one consisting of two inverters in a feedback-loop and the
other of an OR-gate with its output fed back to one of its
inputs, are investigated. The latter allows to memorize a
rising transition on its second input, and is an ideal target
for demonstrating the capability of C2E2 to even predict
metastable behavior correctly. Our results demonstrate
that the new C2E2 can indeed be used to verify reach-
ability problems for open circuits with unprecedented
complexity (over one hundred logarithmic and exponen-
tial terms in differential equations). Experiments confirm
what is known about metastable behavior, and provide
detailed insights into the close connection between sensi-
tivity and metastability recovery (time). Comparisons to
leading verification tools, i.e., Flow*, CORA and dReach
show that C2E2 outperforms these approaches not only
in speed but also in the amount of provided features and
the maximal ODE complexity that still can be handled.
We thus conclude that our technique is a very powerful,
viable approach for simulating dynamic open models.
2. SIMULATION-DRIVEN VERIFICATION
Notations For a real vector x ∈ Rn, ‖x‖ denotes its
l2 norm. For a set S ⊂ Rn, the diameter dia(S) is the
supremum of the distance between any pair of points in
S. For δ ≥ 0, Bδ(x) is the closed δ-ball around x. Closed
δ-balls around sets are defined as Bδ(S) = ∪x∈SBδ(x).
S ⊕ S′ is the Minkowski sum of sets S and S′. For a
real matrix A ∈ Rn×n, (A)ij is the entry on the ith row
and the jth column; eig(A) is the largest eigenvalue of
A. For a pair of matrices A, A¯ with (A)ij ≤ (A¯)ij for all
1 ≤ i, j ≤ n, we define the interval matrix as the set of
matrices:
[A, A¯] , {A ∈ Rn×n|(A)ij ≤ (A)ij ≤ (A¯)ij , 1 ≤ i, j ≤ n}.
2.1 Dynamic systems with inputs
An n-dimensional dynamic system with m-dimensional
input is described by an ordinary differential equation:
x˙(t) = f(x(t), u(t)), (1)
where f : Rn × Rm → Rn is a continuously differentiable
function, and a compact set Θ ⊆ Rn of initial states. The
input is an integrable function u : [0,∞) → U , where
1 Files can be found at https://publish.illinois.edu/
c2e2-tool/gate/.
Fig. 2. Over-approximation of x1(t) without separate input from state
variables. Note the different scale compared to Figure 1.
U ⊂ Rm is a compact set. Given an input u, the solution
or the trajectory of the system is a function ξu : Rn ×
Rm × R≥0 → Rn, such that for any initial state x0 ∈ Θ
and at any time t ∈ R≥0, ξu(x0, t) satisfies (1). A state
x ∈ Rn is reachable if there exists x0 ∈ Θ and a time
t ≥ 0 such that ξu(x0, t) = x. The set of all reachable
states over an interval of time [0, t1] with input u is
denoted by Reachu(Θ, [0, t1]); Reachu(Θ, [t1, t1]) is written
as Reachu(Θ, t1) in brief.
Example 1. Consider a cardiac oscillator described by the
time-invariant ODEs x˙1 = −x1(x21 + 0.9x1 + 0.9) + 2x2u+
1; x˙2 = x1 − 2x2. For a smoothed sigmoidal input u, the
corresponding trajectories and (over-approximations of)
reach sets projected on x1(t), x2(t) are shown in Figure 1.
2.2 Safety verification problem
Given an n-dimensional dynamic system, an input signal
u(t), a compact initial set Θ ∈ Rn, an unsafe set unsafe ⊆
Rn, and a time bound T > 0, the safety verification
problem is to check whether Reachu(Θ, [0, T ])∩unsafe =
∅.
Safety verification of nonlinear ODEs and hybrid models
is difficult even in the absence of inputs. For closed mod-
els (without inputs), recently developed simulation-driven
verification algorithms decide the safety verification ques-
tion rigorously by combining numerical simulations with
sensitivity analysis of the trajectories with respect to their
initial states (Donze´, 2010; Duggirala et al., 2013; Fan
et al., 2016). These approaches are most effective when the
sensitivity of the solutions to initial states can be precisely
approximated.
These existing approaches do not support models with
inputs. The seemingly natural idea of explicitly model-
ing the input u as a state variable, i.e., its controlling
ODE, and then verifying the resulting closed model does
not work. This is because inputs often model unstable
signals—like the pulse u in Example 1—and in such cases
the trajectories of the resulting closed system will turn
out to be extremely sensitive with respect to the ini-
tial states and render simulation-driven verification in-
effective. In Example 1, if we treat u as a state variable,
the over-approximation reach set of x1(t) using C2E2 is
shown in Figure 2. The (prohibitive) blow-up in the over-
approximation is due to the unstable input u˙ = u(1.8 −
1.5u) + 0.0015 that models the rising transition of the
smoothed pulse.
3. SENSITIVITY ANALYSIS FOR OPEN SYSTEMS
We formalize sensitivity using discrepancy functions as in-
troduced in Duggirala et al. (2013). Given an input signal
u(t) for (1), a discrepancy function bounds the distance
between two neighboring trajectories, as a function of the
distance between their initial states and the time.
Definition 2. Given an input signal u(t), a continuous
function βu : R≥0 ×R≥0 → R≥0 is a discrepancy function
of (1) if
(1) for any pair of states x, x′ ∈ Rn, and any time t ≥ 0,
‖ξu(x, t)− ξu(x′, t)‖ ≤ βu(‖x− x′‖, t), and
(2) for any t, lim‖x−x′‖→0+ βu(‖x− x′‖, t) = 0.
Definition 2 generalizes the discrepancy functions de-
fined in Fan and Mitra (2015); Duggirala et al. (2013). Ob-
serve that at any time t, the ball with radius βu(δ, t) cen-
tered at ξu(x0, t) contains the reach set of (1) starting from
Bδ(x0). Therefore, by bloating the simulation trajectories
ξu(·) using the corresponding discrepancy function, we
can obtain reach set over-approximations. Several tech-
niques for computing discrepancy functions for closed
systems have been presented in the literature (see Fan and
Mitra (2015) and the references therein). The technique
discussed next works for open systems and exploits the
fact that the input signal is fixed for trajectories starting
from different initial states.
First, we introduce a basic result that follows from the
high-order mean value theorem (Lemma 3) to connect
the differential equation with its Jacobian matrices. Then
we show that the terms of the Jacobian matrix with re-
spect to the state variables are bounded over compact
sets (Lemma 4). Using these two results, we establish
that the distance between neighboring trajectories actu-
ally follows a differential equation related to the bound of
the Jacobian matrix (Lemma 5). Finally, we prove that the
upper bound on the largest eigenvalue of the symmetric
part of the Jacobian provides us with a suitable discrep-
ancy function (Theorem 6).
The Jacobian of f with respect to the state Jx and the input
Ju are matrix-valued functions of all the first-order partial
derivatives of f :
(Jx(x, u))ij =
∂fi(x, u)
∂xj
; (Ju(x, u))ij =
∂fi(x, u)
∂uj
.
The following lemma from Fan and Mitra (2015) relates f
with its Jacobian matrices based on the generalized mean
value theorem, see Fan and Mitra (2015) for the detailed
proof.
Lemma 3. For any continuously differentiable vector-valued
function f : Rn × Rm → Rn, x, r ∈ Rn and u,w ∈ Rm,
f(x+ r, u+ w)− f(x, u) =(∫ 1
0
Jx(x+ sr, u+ w)ds
)
· r +
(∫ 1
0
Ju(x, u+ τw)dτ
)
· w,
(2)
where the integral is component-wise.
If f is continuously differentiable, all terms in the Jaco-
bian matrix are continuous. Since the input signals are
bounded, i.e., ∀t > 0, u(t) ∈ U ⊂ Rm, the Jacobian matrix
Jx(x, u) over compact sets is also bounded:
Lemma 4. For any compact sets S, U there exists an inter-
val matrix [A, A¯] such that
∀x ∈ S, u ∈ U , Jx(x, u) ∈ [A, A¯].
The lemma follows from the fact that each term of Jx(x, u)
is a continuous function of x, u, and over the compact
domains S,U , the function has a maximum and minimum
value that defines the matrix pair [A, A¯]. The bounds of
such values can be computed for a broad class of nonlin-
ear functions using optimization and interval arithmetic
solvers.
Lemma 5. Fix an input signal u(t). Suppose there exists
a compact convex set S ⊆ Rn and a time interval [0, t1]
such that for any x ∈ Θ, ∀t ∈ [0, t1], ξu(x, t) ∈ S. Then
for any x, x′ ∈ Θ, for any fixed t ∈ [0, t1], the distance
yu(t) = ξu(x
′, t) − ξu(x, t) satisfies y˙u(t) = A(t)yu(t), for
some A(t) ∈ [A, A¯], where [A, A¯] is an interval matrix
satisfying Lemma 4.
Proof. Using Lemma 3 we have the following:
y˙u(t) = ξ˙u(x
′, t)− ξ˙u(x, t)
= f(ξu(x
′, t), u(t))− f(ξu(x, t), u(t))
=
(∫ 1
0
Jx(ξu(x, t) + syu(t), u(t))ds
)
· yu(t)
+
(∫ 1
0
Ju(ξu(x, t), u(t))ds
)
· (u(t)− u(t))
=
(∫ 1
0
Jx(ξu(x, t) + syu(t), u(t))ds
)
· yu(t) (3)
Given a compact convex set S and bounded set U , the
interval matrix [A, A¯] satisfies the conditions of Lemma 4.
For any fixed t,
∫ 1
0
Jx(ξu(x, t) + syu(t), u(t))ds is a con-
stant matrix. Because ξu(x, t), ξu(x′, t) are contained in the
convex set S, according to the convexity assumption of S,
∀s ∈ [0, 1], ξu(x, t) + syu(t) is also contained in S. Thus, at
t, Jx(ξu(x, t) + syu(t), u(t)) ∈ [A, A¯]. Since the integration
is from 0 to 1, it is straightforward to check that also∫ 1
0
Jx(ξu(x, t) + syu(t), u(t))ds ∈ [A, A¯].
We rewrite (3) as
y˙u(t) = A(t)yu(t), A(t) ∈ [A, A¯], (4)
which means that at any fixed time t ∈ [0, t1], we always
have y˙u(t) = A(t)yu(t), where A(t) is unknown but
A(t) ∈ [A, A¯]. 2
Using the differential equation in Lemma 5, we can get
a discrepancy function by bounding the eigenvalues of
[A, A¯]:
Theorem 6. Fix the input signal u(t) for system (1). Sup-
pose the assumptions in Lemma 5 hold, and ∃γ ∈ R such
that ∀A(t) ∈ [A, A¯],
eig(AT (t) +A(t))/2 ≤ γ; (5)
then for any x, x′ ∈ Θ and for any t ∈ [0, t1],
‖ξu(x, t)− ξu(x′, t)‖ ≤ ‖x− x′‖eγt.
Proof. Fixing the two initial states x, x′ ∈ Θ, from
Lemma 5, we know that y˙u(t) = A(t)yu(t), for some
A(t) ∈ [A, A¯], where yu(t) = ξu(x′, t) − ξu(x, t). By dif-
ferentiating ‖yu(t)‖2, we have that for any fixed t ∈ [0, t1],
d‖yu(t)‖2
dt
= y˙Tu (t)yu(t) + y
T
u (t)y˙u(t)
= yTu (t)
(
A(t)
T
+A(t)
)
yu(t).
(6)
If eig(AT (t) +A(t))/2 ≤ γ, then the eigenvalues of B =
AT (t) + A(t) − 2γI , where I is the identity matrix, are
all less or equal to zero, so B is negative semi-definit.
Therefore,
yTu (t)
(
A(t)
T
+A(t)− 2γI
)
yu(t) ≤ 0. Hence, (6) becomes
d‖yu(t)‖2
dt ≤ 2γ‖yu(t)‖2. After applying Gro¨nwall’s in-
equality, we have ‖yu(t)‖ ≤ ‖yu(0)‖eγt,∀t ∈ [0, t1]. 2
Theorem 6 obviously provides a discrepancy function
βu(‖x− x′‖, t) = ‖x− x′‖eγt.
However, computing one γ for the entire time horizon
is usually too conservative to be directly used. Algo-
rithm 2 in Fan and Mitra (2015) provides a method for
constructing a reachtube using one simulation trajectory
and initial partition size δ as input, and produces a se-
quence of coefficients that defines the piece-wise expo-
nential discrepancy function. The algorithm consists of
the following steps: a) First, using the Lipschitz constant,
a coarse over-approximation of the reachable set up to
a short time horizon Ts is constructed. Let this set be S.
b) Compute the interval matrix [A, A¯], which bounds the
possible values of the Jacobian matrix Jx(x, u). c) Com-
pute the largest eigenvalue eig
(
(A+ A¯) + (A+ A¯)T
)
/2.
From this value, an upper bound γ of the eigenvalue
of (A + AT )/2 for all A ∈ [A, A¯] is computed using a
theorem from matrix perturbation theory. d) The upper
bound γ (possibly negative) defines the discrepancy func-
tion βu(δ, t) = β′u(δ, t0)eγ(t−t0) over the simulation time
interval [t0, t0 + Ts], where β′u(·, ·) is the previous piece of
the discrepancy function. Using this piece-wise discrep-
ancy function, an over-approximation of the reachable set
is finally computed.
Example 7. For Example 1, restricting x1 to be within the
range [0.4, 0.6] and u to be within the range [0.1, 0.2]
provides Jx ∈ [A, A¯] for A =
[−3.06 0.2
1 −2
]
and A¯ =[−2.1 0.4
1 −2
]
. Using Algorithm 2 in Fan and Mitra (2015),
we get that γ = −1.05 satisfies Equation (5). Therefore,
βu(‖x− x′‖, t) = ‖x− x′‖e−1.05t is a discrepancy function
for this system with fixed input u(t).
4. VERIFYING SYSTEM WITH FIXED INPUTS
To implement our novel method for computing dis-
crepancy functions of open systems, the algorithm for
simulation-driven verification (see Algorithm 1) pub-
lished in Fan and Mitra (2015) can be used with minor
modifications. For sake of completeness, we briefly dis-
cuss the key features here; for more details the reader is
referred to (Fan and Mitra, 2015). Throughout this section,
we fix an input signal u(t) for the system (1).
Function Cover() returns a set of triples {〈x, δ, 〉}, where
x’s are sample states, the union of Bδ(x) covers Θ com-
pletely, and  is the precision of the simulation. Func-
tion Bloat() expands the simulation trace ψ by βu to get
the reachtube R = {(Oi, ti)}ki=1. That is, for each i =
Algorithm 1: Verification of systems with input
input: Θ, u(t), T, unsafe, 0, τ0
1 δ ← dia(Θ); ← 0; τ ← τ0;STB← ∅;
2 C ← Cover(Θ, δ, );
3 while C 6= ∅ do
4 for 〈x, δ, 〉 ∈ C do
5 ψ = {(Ri, ti)ki=0} ← Simulate(x, u, T, , τ);
6 R ← Bloat(ψ, δ, );
7 ifR∩ unsafe = ∅ then
8 C ← C\{〈x, δ, 〉} ;
9 STB← STB ∪R ;
10 else if ∃j, Rj ⊆ unsafe then
11 return (UNSAFE, ψ)
12 else
13 C ← C ∪ Cover(Bδ(x), δ2 , 2 ), τ ← τ2 ;
14 return (SAFE,STB);
1, . . . , k, Oi ← hull(Ri−1, Ri)⊕maxt∈[ti−1,ti] βu((δ+), t).
From Theorem 6, it follows that Bloat(ψ, δ, ) contains
Reachu(Bδ(x), [0, T ]). There are two important data struc-
tures used in Algorithm 1: C is a collection of the triples
returned by Cover(), which represents the subset of Θ
that has not yet been proved safe, and STB that stores the
bounded-time reachtube.
Initially, C contains a singleton 〈x0, δ0 = dia(Θ), 0〉,
where Θ ⊆ Bδ0(x0) and 0 is a small positive constant.
For each triple 〈x, δ, 〉 ∈ C, the while-loop from Line 3
checks the safety of the reachtube from Bδ(x), which is
computed in Line 5-6. ψ is a (, τ, T )-simulation from x
with input u(t), which is a sequence of time-stamped
rectangles {(Ri, ti)}ki=0 and is guaranteed to contain the
trajectory ξ(x, T ). Bloating the simulation result ψ by the
discrepancy function βu we getR, a (Bδ(x), T )-reachtube
with input u(t). If R is disjoint from unsafe, then the
reachtube fromBδ(x) is safe and the corresponding triple
can be safely removed from C. If for some j, Rj (one
rectangle of the simulation) is completely contained in
the unsafe set, then we can get a counterexample of a
trajectory that violates the safety property. Otherwise,
the safety of Reachu(Bδ(x), [0, T ]) is inconclusive and a
refinement of Bδ(x) is made with some smaller δ and
smaller , τ .
Recall that the safety verification problem requires us to
check whether Reachu(Θ, [0, T ])∩ unsafe = ∅. If there ex-
ists some  > 0 such thatB(Reachu(Θ, [0, T ]))∩unsafe =
∅, we say the system is robustly safe. If there exists some
 > 0, x ∈ Θ, such that B(Ri) ⊆ unsafe for some
Ri in the simulation from x, {(Ri, ti)}ki=0, we say the
system is robustly unsafe. The algorithm returns SAFE if
Reachu(Θ, [0, T ]) has no intersection with unsafe, along
with a robustly safe reachtube STB. It returns UNSAFE
upon finding a counter-example, i.e., the simulation ψ
with an interval fully contained in unsafe.
According to Theorem 6, if δ gets smaller, the value of
the discrepancy function βu becomes smaller (i.e., the
reachtube is arbitrary close to the simulation), which
guarantees that the algorithm always terminates.
Theorem 8. (Soundness & completeness). Given an unsafe
set unsafe, time bound T and fixed input u(t) for sys-
tem (1), if Algorithm 1 using the discrepancy of Theo-
rem 6 returns SAFE or UNSAFE, then (1) is safe or unsafe,
respectively. It terminates if (1) is robustly safe or unsafe.
When extending this verification algorithm to work for
open hybrid models, the main complication is that spu-
rious transitions may arise from the over-approximations
in the computed reach sets. Thus, we have to keep track
of possibly spurious mode changes from genuine ones.
This is what is implemented in the new version of C2E2
used in Section 6 for verifying hybrid circuit models.
5. MODELING OF CMOS CIRCUITS
To investigate the feasibility of our approach, we ana-
lyzed models of complementary metal-oxide-semiconductor
(CMOS) circuits, the most common technology nowa-
days. Its basic components are two types of transistors
(nMOS and pMOS), which can be used to build any de-
sired logic. Essentially, both deliver current based on the
voltages applied to their gate (G), drain (D) and source (S)
contact. Modern digital simulation tools like Modelsim or
NC-Verilog consider transistors as simple switches, how-
ever. Such tools allow fast functional and timing analysis
of complex circuits, but lack sufficient accuracy for critical
parts of a circuit design. The latter is provided by analog
simulations, using state-of-the-art tools like Spice. They
are capable of handling very detailed transistor models,
consisting of tens to hundreds of equations and config-
ured by hundreds of manufacturer-provided parameters.
However, analog simulations quickly reach their limits in
terms of simulation complexity for circuits consisting of
more than a few tens of transistors and/or signal traces
beyond milliseconds in real-time.
In order to decrease simulation times, simplified models
have been developed (e.g. Arora, 1993). They are smaller
than Spice models (at most six equations are required),
and thus amenable to general simulation tools like MAT-
LAB. Despite the reduced complexity, these models can
still capture subtle phenomena like channel length mod-
ulation and carrier velocity saturation.
1
2
Vin
Vout
CLVDD
Fig. 3. Internal structure
of CMOS inverter
Vm
CM
VDD
1
Va
Vb
23
a
Vout
4
Vb CL
Fig. 4. Internal structure of
NOR gate
Actually, NMOS and PMOS transistors differ substan-
tially in physical and, hence, electrical properties. In our
model (Maier, 2017), every transistor operate in one of
three different operation regions: the sub-threshold (ST)
region, where very little current is delivered, the ohmic
region (OHM), where the current scales linearly, and the
saturation region (SAT), where the current only changes
moderately. The actual behavior within every region is
described by a set of differential equations, which involve
several fitting parameters. These differ for NMOS and
PMOS transistors and are either inferred directly from
Spice model variables or fitted to Spice simulations.
5.1 Hybrid inverter model
The simplest CMOS gate is an inverter (see Figure 3),
which consists of two transistors stacked above each
other. Its output voltage Vout is the inverse of the input
voltage Vin, ideally Vout = VDD − Vin with VDD denoting
the supply voltage. In reality, Vout is determined by
V˙out =
1
CL
Iout (7)
where CL is the external load capacitance seen by the
output. The output current Iout is the difference between
the current delivered by 1 and the current consumed by
2 , which both depend upon Vin and Vout. Since each of
the two transistors can operate in three different regions,
our basic hybrid inverter model has nine modes. As two
of those modes are unreachable in reality, the hybrid
model (called InvHy shown in Figure 5 in the sequel) has
only 7 modes.
A
PMOS: (OHM)
NMOS: (ST)
B
PMOS: (OHM)
NMOS: (SAT)
C
PMOS: (SAT)
NMOS: (ST)
D
PMOS: (SAT)
NMOS: (SAT)
E
PMOS: (SAT)
NMOS: (OHM)
F
PMOS: (ST)
NMOS: (SAT)
G
PMOS: (ST)
NMOS: (OHM)
Fig. 5. Hybrid model automata of a CMOS inverter. The nodes repre-
sent the different modes, each involving specific transition guards
and invariants. The label shows the operation regions of the tran-
sistors, the arcs indicate the possible transitions.
5.2 Uniform model
Given that the number of modes increases exponentially
with the number of transistors in a circuit, it is natural
to consider ways of avoiding multiple modes already
in the transistor models: If the behavior of a transistor
could be described by a single, possibly more complex
equation that is valid for all operation regions, the need
for a hybrid model vanishes altogether.
Our uniform model InvUni (Maier, 2017) accomplishes this
by smoothening the boundaries between different re-
gions, using suitably chosen continuous functions. This
results in a single non-linear equation (involving expo-
nentials and logarithms), which describes the current
through the transistor over the whole operation range. In
conjunction with equation (7), this finally leads to a non-
linear ODE that describes the behavior of Vout depending
on Vin. Empirical validations using Spice simulations re-
vealed a surprisingly good modeling accuracy.
Apart from dramatically reduced model complexity, a
key feature of our uniform model is the straightforward
development of models for multi-transistor circuits like
the NOR gate shown in Figure 4. In a hybrid model, this
gate would blow up to a system of 34 = 81 states; here,
we end up with a system of two non-linear ODEs only:
V˙m =
1
CM
(I1 − I2); V˙out = 1CL (I2 − I3 − I4)
Herein, IX represents the current through transistor X .
The change of Vm is proportional to the current charging
CM (cp. eq. (7)) and is just the difference between the cur-
rents flowing through the transistors 1 and 2 . Note that
CM represents the capacitances of the transistor contacts
only, and is hence several orders of magnitude smaller
than CL. The derivative of Vout is finally determined by
the current passing through 2 minus the ones consumed
by the transistors 3 and 4 .
6. EXPERIMENTS AND RESULTS
We have implemented the discrepancy computation and
verification algorithm for open models in the new version
of C2E2 and used it to verify several challenging CMOS
circuits (see footnote 1). Due to lack of space, we restrict
our discussion here to a few examples that demonstrate
the principal feasibility, as well as particular strengths,
of our approach. Experimenting with larger and more
complex circuits, which is mandatory for validating scal-
ability, for example, will be part of our future work.
6.1 Input, simulation and verification
As external input signals, we use both ramp (Ramp) and
sigmoidal signals (Sig), which are generated using two
separate hybrid automata; a 4-state one for Ramp and 2-
state one for Sig. We successfully verified several prop-
erties of InvHy, InvUni, NOR-gate, and OR-gate models
using the tool. For all the models, we set the unsafe set
to be Vout > 1.32 V and the time horizon to be 6.4 s. The
first one uses the hybrid model presented in Section 5.1,
so we end up with 7×4 = 28 modes in the Ramp case and
7 × 2 = 14 in the Sig case. All other circuits are based on
the uniform model. The OR gate is easily derived from
the NOR shown in Figure 4 by appending an inverter.
All circuit models based on the uniform model have very
complex descriptions, i.e., hundreds of logarithmic and
exponential terms in their ODEs. Figure 6 shows some
simulation results for the NOR-gate.
Fig. 6. NOR gate output voltage over-approximation set for Vin =
Ramp (left) and Vin = Sig (right). Different colors indicate differ-
ent modes in the model.
In addition, we also investigated a two-inverter loop,
where the input of one inverter is connected to the output
of the other one, implementing a simple state-holding
device. In contrast to the other circuits used in our ex-
periments, however, it does not have an external input.
Consequently, we just set the output voltages to some
initial values and let the circuit run.
Generally, all the simulations behave as expected and
show smooth output transitions even when activated by
a ramp at its input. Verification shows that, despite ini-
tial state uncertainty, the unsafe set Vout > 1.32 V is not
reached and simultaneously provides the complete reach-
tube within the safe set. For example, Fig. 6 shows that
the reachtube converges quickly to a deterministic sig-
nal trace. Total verification time, split between simulation
(Sim.) and discrepancy computation (Discr.), is shown in
Table 1.
Table 1. Verification of InvHy, InvUni, NOR-gate and OR-gate with
Ramp (top) and Sig (bottom) input and InvLoop without input on a
standard laptop (16G RAM, Intel Core i7 CPU). All verification results
are safe.
Model
Verification parameters Timing split [s]
time [s]
Steps Initial Set Sim. Discr. I/O
InvHy 25.6k Vout ∈ [1.15, 1.2] 7 5 2 14
InvUni 12.8k Vout ∈ [1.15, 1.2] 7 12 2 21
NOR 320k Vout ∈ [1.15, 1.2] 223 708 108 1039
OR 320k Vnor ∈ [1.199, 1.201]
Vout ∈ [0, 0.002] 766 1406 122 2294
InvHy 25.6k Vout ∈ [1.15, 1.2] 7 1 1 9
InvUni 12.8k Vout ∈ [1.15, 1.2] 3 13 2 18
NOR 320k Vout ∈ [1.15, 1.2] 112 822 66 1000
OR 320k Vnor ∈ [1.199, 1.201]
Vout ∈ [0, 0.002] 384 1617 74 2075
InvLoop 64k V1 ∈ [1.0, 1.2]
V2 ∈ [0.5, 0.6] 18 119 2 139
6.2 Metastability analysis
Any bistable digital circuit can be driven into a metastable
state (Marino, 1981) in which it may output voltage val-
ues in the forbidden region between 0 and 1 or experience
very high-frequency oscillations for an arbitrary time, be-
fore it resolves to a proper digital state again. Verifying
whether a circuit may experience metastable behavior
is challenging because it arises in highly nonlinear and
sensitive parts of its state space.
In order to demonstrate the capability of C2E2 to predict
metastable behavior correctly, we use an OR-gate with
its output fed back to one of its inputs. This circuit im-
plements a storage loop, which is capable of memoriz-
ing a rising transition on its second input. It has been
shown in (Fu¨gger et al., 2015) that it can be driven into a
metastable state, namely, by an input pulse that is shorter
than the delay of the feedback loop.
Figure 7 shows input (top) and simulation traces (mid-
dle) of this circuit computed by C2E2 for different initial
values of Vout. The reachtube (bottom), corresponding to
the output trace sticking longest to a value around 0.6 V,
shows a blow up to several thousand Volts, which is
physically impossible but indicates the very high sensi-
tivity of the underlying system of ODEs in the metastable
region: Even the slightest disturbances of the initial state
results in very different trajectories, in particular, in very
different metastability resolution times, after which Vout
resolves to 0 or 1. Albeit this is in accordance with what is
Fig. 7. Metastability analysis of fed back OR gate
known about metastability, to the best of our knowledge,
this is the first reachability analysis of circuits demon-
strating metastable behavior.
6.3 Comparison with existing verification tools
We provide a comparison with several state-of-the-art
nonlinear 2 hybrid system verification tools, namely, Flow*
(Chen et al., 2013), dReach (Kong et al., 2015) and CORA (Al-
thoff and Grebenyuk, 2016). A comparison of C2E2 with
these tools on systems without inputs was previously
reported in Fan and Mitra (2015); Duggirala et al. (2013).
Flow* is a reachability-based verification tool for hybrid
systems. It over-estimates the reachable states for non-
linear systems directly on the vector field and computes
Taylor model flowpipes for the ODEs. While C2E2 per-
forms safety verification for a time horizon of 20 s with
a runtime of 0.1 s for the cardiac oscillator in Example 1,
Flow* finishes the flowpipe computation (compare Fig-
ure 8 (left)) with a runtime of 5.96 s.
We managed to transfer four models from C2E2 to Flow*,
however, none could be verified, for example, on the
same set of parameters. InvUni with ramp input runs for
more than 10 minutes for the initial mode with the initial
set Vout ∈ [1.18, 1.20] and a time step of 5× 10−5 s and
quits with the error message “divided by 0” at a simu-
lated time of 0.44 s. Any changes on these initial param-
eters (either larger initial set range or time step) resulted
in either a “divided by 0” or “segment fault” error. Sim-
ilar problems occurred with InvUni and sigmoidal input.
With InvHy, the flowpipe computation keeps oscillating
between the modes B and D and the process was man-
ually killed after 60 minutes. For the remaining models,
we were not able to avoid the “divided by 0” and the
“segment fault” errors by any choice of parameters. We
suspect that some of these problems are arising from the
large size and complexity of these models.
CORA is a MATLAB toolbox for reachability analysis of
nonlinear dynamical systems and polynomial differential
inclusions (Althoff, 2013). We modeled the cardiac oscilla-
tor from Example 1 in CORA as a hybrid system with two
modes, with nonlinear dynamics in each, representing
the system receiving an upward and a downward input
2 A comparison with tools like SpaceEx and Coho, which support only
linear systems, is omitted.
stimulus. Since the initial sets are represented as boxes or
zonotopes, we needed to also specify a small interval (we
chose the smallest possible) for the initial conditions of
the stimulus. As Figure 8 illustrates, the reach set com-
puted by CORA for this example is less precise in the first
mode compared to C2E2 (Figure 2). The implementation
of our models with CORA was a much harder task than
initially anticipated. Only with tremendous support from
the author of the tool, who had to adapt the original
CORA version, we were able to run at least the cardiac
oscillator and InvUni. However, the results for these sim-
ple examples already revealed a quite poor performance
compared to C2E2: For the InvUni, performing the reacha-
bility analysis for a time-horizon of 0.1 s and a time step of
0.01 s took 222 seconds, which caused us to refrain from
further experiments with CORA.
dReach is an SMT-based δ-reachability analysis tool for
hybrid systems. In contrast to C2E2, dReach picks a single
start state in the initial set and attempts to finds a counter-
example that reaches the unsafe set. If it succeeds, a
(spurious or real) counter-example has been found and
the tool finishes. Otherwise, it picks a suitable starting
state for the next trace to be processed. Before it can assure
that the goal condition is unsatisfiable, i.e., the system is
safe, the entire initial range has to be covered. In sharp
contrast to C2E2, however, dReach does not display any
information of the reachtubes in that case. To achieve a
similar output as provided by C2E2, one would have to
(1) check that no unsafe state is reachable, (2) determine
the reachtube for each start state to the complement of the
goal condition (i.e., the safe set), and (3) plot their union.
Since the basic operations of dReach and C2E2 are fun-
damentally different, a fair comparison is hard. We man-
aged to build models for the cardiac oscillator in Exam-
ple 1 (see Figure 8 (right)), InvUni and InvHy, whereas the
latter had to be split in up and down transition to work
properly. The simulation times, despite the fact that only
a single trace from initial is computed, is up to 4× slower
than C2E2.
On the other hand, operationally, dReach is well-suited
for metastability analysis, as bad traces, i.e., ones that end
up in the metastable region, are of interest here. With
dReach, this could be achieved by defining the metastable
region as the goal condition. Unfortunately, however, it
was not possible to implement any of the models—NOR,
OR or InvLoop—which are the required for metastability
analysis: The tool issued a “log(): domain error” after
short time, which indicates, according to the developers,
that the differential equations are too complex for effec-
tively controlling the errors.
7. CONCLUSIONS AND FUTURE WORK
In this paper we introduced a novel approach suitable for
verifying highly sensitive non-linear ODEs with arbitrary
external inputs. Its modeling power was shown by suc-
cessfully implementing several CMOS circuit models like
inverter, NOR gate and memory elements, based on both
a hybrid and a uniform non-linear transistor model with
highly sensitive ODEs and hundreds of nonlinear terms.
Moreover, we also succeeded to verify the metastable
 0
 0.2
 0.4
 0.6
 0.8
 1
 1.2
 0  2  4  6  8  10  12  14
x 1
t 0 5 10 15t
0.0
0.5
1.0
x
x1
x2
0 5 10 15t
0.0
0.5
1.0
x
x1
x2
Fig. 8. Reachability analysis results of cardiac oscillator model (see Example 1) in Flow* (left), CORA (middle) and dReach (right).
behavior of a memory element, which demonstrates the
ability of our approach to handle highly sensitive ODEs.
The results of this paper suggest several interesting di-
rections for future research. First, for addressing the rela-
tively large simulation time for complex models, it would
be worthwhile to investigate state-of-the-art robust ODE-
solvers for stiff ODEs. Another direction would be to
generalize the core verification algorithm in order to
handle infinite sets of input signals. Finally, we envi-
sion promising applications in the area of advanced
digital circuit analysis, where C2E2 could be used for
verifying metastable behavior of circuits like Schmitt-
Triggers (Steininger et al., 2016).
ACKNOWLEDGMENTS
We would like to thank the developers of CORA (espe-
cially Matthias Althoff), dReach and Flow* for their sup-
port while porting our models.
REFERENCES
Althoff, M. (2013). Reachability analysis of nonlinear sys-
tems using conservative polynomialization and non-
convex sets. In Proc. of HSCC ’13: the 16th International
Conference on Hybrid Systems: Computation and Control,
173–182. ACM. doi:10.1145/2461328.2461358.
Althoff, M. and Grebenyuk, D. (2016). Implementation of
interval arithmetic in CORA 2016. In ARCH Workshop,
91–105.
Arora, N. (1993). MOSFET models for VLSI circuit simula-
tion; theory and practice. Computational microelectron-
ics. Springer.
Chen, X., A´braha´m, E., and Sankaranarayanan, S. (2013).
Flow*: An analyzer for non-linear hybrid systems. In
CAV, 258–263.
Dang, T., Donze´, A., and Maler, O. (2004). Verifica-
tion of analog and mixed-signal circuits using hybrid
system techniques. In FMCAD, 21–36. doi:10.1007/
978-3-540-30494-4 3.
Dang, T., Le Guernic, C., and Maler, O. (2009). Computing
reachable states for nonlinear biological models. In
CMSB, volume 5688 of LNCS, 126–141. Springer. doi:
10.1007/978-3-642-03845-7 9.
Donze´, A. (2010). Breach, a toolbox for verification and
parameter synthesis of hybrid systems. In CAV, 167–
170.
Duggirala, P.S., Mitra, S., and Viswanathan, M. (2013).
Verification of annotated models from executions. In
EMSOFT, 1–10.
Fan, C. and Mitra, S. (2015). Bounded verification with
on-the-fly discrepancy computation. In ATVA, 446–463.
Fan, C., Qi, B., Mitra, S., Viswanathan, M., and Duggi-
rala, P.S. (2016). Automatic reachability analysis for
nonlinear hybrid models with C2E2. In CAV, 531–538.
Springer.
Fra¨nzle, M., Herde, C., Teige, T., Ratschan, S., and Schu-
bert, T. (2007). Efficient solving of large non-linear
arithmetic constraint systems with complex boolean
structure. JSAT, 1(3-4), 209–236.
Frehse, G. (2008). Phaver: algorithmic verification of
hybrid systems past hytech. International Journal on
Software Tools for Technology Transfer, 10(3), 263–279. doi:
10.1007/s10009-007-0062-x.
Frehse, G., Le Guernic, C., Donze´, A., Cotton, S., Ray, R.,
Lebeltel, O., Ripado, R., Girard, A., Dang, T., and Maler,
O. (2011). SpaceEx: Scalable verification of hybrid
systems. In CAV, 379–395.
Fu¨gger, M., Najvirt, R., Nowak, T., and Schmid, U. (2015).
Towards binary circuit models that faithfully capture
physical solvability. In DATE, 1455–1460.
Gupta, S., Krogh, B.H., and Rutenbar, R.A. (2004).
Towards formal verification of analog designs. In
ICCAD, 210–217. doi:10.1109/ICCAD.2004.1382573.
URL http://dx.doi.org/10.1109/ICCAD.
2004.1382573.
Henzinger, T.A., Ho, P.H., and Wong-Toi, H. (1997).
Hytech: A model checker for hybrid systems. In CAV,
460–463. Springer.
Kong, S., Gao, S., Chen, W., and Clarke, E. (2015). dReach:
δ-reachability analysis for hybrid systems. In TACAS,
200–205.
Lata, K. and Jamadagni, H.S. (2010). Formal verification
of tunnel diode oscillator with temperature variations.
In ASPDAC, 217–222. IEEE Press.
Maier, J. (2017). Modeling the CMOS inverter using
hybrid systems. Technical Report TUW-259633, E182-
TI; TU Wien. URL http://publik.tuwien.ac.
at/files/publik_259633.pdf.
Marino, L.R. (1981). General theory of metastable opera-
tion. IEEE ToC, 30(2), 107–115.
Steininger, A., Maier, J., and Najvirt, R. (2016). The
metastable behavior of a Schmitt-Trigger. In ASYNC,
57–64. doi:10.1109/ASYNC.2016.19.
Yan, C. and Greenstreet, M.R. (2008). Verifying an arbiter
circuit. In FMCAD, 7:1–7:9. IEEE Press, Piscataway, NJ,
USA. URL http://dl.acm.org/citation.cfm?
id=1517424.1517431.
