

Soutenance de thèse  
Université Claude Bernard Lyon 1

# Modèles formels des circuits intégrés pour la vérification électrique au niveau transistor

Oussama Oulkaid



21 novembre 2025

## Devant le jury composé de

|                     |                        |                                  |                         |                       |
|---------------------|------------------------|----------------------------------|-------------------------|-----------------------|
| Emmanuelle Encrenaz | Professeure            | Sorbonne Université              | LIP6                    | Rapporteure           |
| Katell Morin-Allory | Professeure            | Grenoble INP                     | TIMA                    | Rapporteure           |
| Arnaud Virazel      | Professeur             | Université de Montpellier        | LIRMM                   | Examinateur           |
| Lars Hedrich        | Professeur             | Goethe-Universität               | Institut für Informatik | Examinateur           |
| Xavier Urbain       | Professeur             | Université Claude Bernard Lyon 1 | LIRIS                   | Président du jury     |
| Matthieu Moy        | Maître de Conférences  | Université Claude Bernard Lyon 1 | LIP                     | Directeur de thèse    |
| Pascal Raymond      | Chargé de Recherche    | CNRS                             | Verimag                 | Co-encadrant de thèse |
| Bruno Ferres        | Maître de Conférences  | Université Grenoble Alpes        | Verimag                 | Co-encadrant de thèse |
| Mehdi Khosravian    | Ingénieur de Recherche | Aniah                            |                         | Co-encadrant de thèse |

# Errors in the Hardware



Credit: Andrew Huang (2007)

## Electrostatic discharge



Credit: Andrew Huang (2007)

## Electrostatic discharge



Credit: Andrew Huang (2007)

## Electrical overstress



Credit: Ed Hare (2020)

# Where do errors come from?

# Where do errors come from?



# Where do errors come from?



# Where do errors come from?



# Where do errors come from?



# Where do errors come from?



# Where do errors come from?



# Where do errors come from?



# Where do errors come from?



# Where do errors come from?



# Where do errors come from?



# Where do errors come from?



# Where do errors come from?



# Where do errors come from?



# Where do errors come from?



# Where do errors come from?



# Where do errors come from?



# Where do errors come from?



# Where do errors come from?



# Where do errors come from?



Part 1 of 5

# **Understanding Transistors and Electrical Errors**

# Transistor level, the basics

# Transistor level, the basics



# Transistor level, the basics



# Transistor level, the basics



# Transistor level, the basics



# Transistor level, the basics



# Transistor level, the basics



# Transistor level, the basics



# Transistor level, the basics



# Transistor level, the basics



# Transistor level, the basics



# The inverter circuit



# The inverter circuit



# The inverter circuit



inverter.cdl

```
.subckt inverter A Z supply ground  
M1 Z A supply supply PMOS ...  
M2 Z A ground ground NMOS ...  
.ends
```

# The inverter circuit



inverter.cdl

```
.subckt inverter A Z supply ground  
M1 Z A supply supply PMOS ...  
M2 Z A ground ground NMOS ...  
.ends
```

# The inverter circuit



inverter.cdl

```
.subckt inverter A Z supply ground  
M1 Z A supply supply PMOS ...  
M2 Z A ground ground NMOS ...  
.ends
```

Electrical simulation



# The inverter circuit



inverter.cdl

```
.subckt inverter A Z supply ground  
M1 Z A supply supply PMOS ...  
M2 Z A ground ground NMOS ...  
.ends
```



# Symbolic reasoning on the inverter

# Symbolic reasoning on the inverter



# Symbolic reasoning on the inverter



# Symbolic reasoning on the inverter



# Symbolic reasoning on the inverter



Can this happen on  
a real-life circuit?

## A buffer



# A buffer, a *buggy* one



# A buffer, a *buggy* one



# A buffer, a *buggy* one



# A buffer, a ~~buggy~~ one fixed



# A buffer, a ~~buggy~~ one fixed



How to detect such violation in the first place?

Part 2 of 5

# State of the Art in Electrical Rule Checking



**Modeling  
techniques  
for electrical  
rule checking**

# Modeling techniques for electrical rule checking

## ACM TODAES 2025

### A Survey on Transistor-Level Electrical Rule Checking of Integrated Circuits

Bruno FERBES, Univ Grenoble Alpes, CNRS, Grenoble INP<sup>2</sup>, VERIMAG, 38000 Grenoble, France  
OUSSAMA OULKAIID, Université Claude Bernard Lyon 1, CNRS, ENS de Lyon, Inria, LIP, UMR 5668, 69102, Lyon cedex 07, France; Univ Grenoble Alpes, CNRS, Grenoble INP<sup>2</sup>, VERIMAG, 38000 Grenoble, France; Anjali, Grenoble, France  
MATTHIEU MOY, GABRIEL RADANNE, and LUDOVIC HENRIO, CNRS, ENS de Lyon, Institut Universitaire Claude Bernard Lyon 1, LIP, UMR 5668, 69342, Lyon cedex 07, France  
PASCAL RAYMOND, Univ Grenoble Alpes, CNRS, Grenoble INP<sup>2</sup>, VERIMAG, 38000 Grenoble, France  
MEHDI KHOSEVATIAN GHADIRLAOUI, Anjali, Grenoble , France

Hardware verification is crucial to ensure the quality of integrated circuits, and prevent costly bugs down the manufacturing flow. Electrical Rule Checking (ERC) is a verification step used to assert that a circuit complies with specific rules. This survey aims at providing a comprehensive overview of ERC methods. We provide a global overview of existing ERC techniques at transistor-level, where voltage values are explicit. We propose a new classification method to compare the existing approaches based on their semantic modeling of circuits. This survey precisely describes transistor-level ERC research challenges and existing solutions. We believe it will help structure this research domain by positioning existing approaches with respect to each other. Otherwise, a survey could not facilitate technological transfer and this one should help CAD vendors choose the most relevant approaches to integrate in their tools. Finally, we highlight several promising directions to improve the existing solutions.

CCS Concepts: • General and reference → Surveys and overviews; • Verification; • Hardware → Electronic design automation; Design rule checking

Additional Key Words and Phrases: Electrical Rule Checking, Integrated Circuits, Electro-Static Discharge, Electrical Overstress, Static Verification

#### ACM Reference Format:

Bruno Ferbes, Oussama Oulkaid, Matthieu Moy, Gabriel Radanne, Ludovic Henrio, Pascal Raymond, and Mehdi Khosvatian Ghadirlouai, 2025, A Survey on Transistor-Level Electrical Rule Checking of Integrated Circuits, ACM Trans. Des. Autom. Electron. Syst. 1, Article 1 (January 2025), 39 pages. <https://doi.org/10.1145/318327>

Author's address: Bruno Ferbes, Univ Grenoble Alpes, CNRS, Grenoble INP<sup>2</sup>, VERIMAG, 38000 Grenoble, France; Unesco Grenoble Grenoble alps-E; Université Claude Bernard Lyon 1, CNRS, ENS de Lyon, Inria, LIP, UMR 5668, 69102, Lyon cedex 07, France; Univ Grenoble Alpes, CNRS, Grenoble INP<sup>2</sup>, VERIMAG, 38000 Grenoble, France; Anjali, Grenoble, France; oussama.oulkaid@inria.fr; matthieu.moy.mattmoy@ens-lyon.fr; gabriel.radanne@ens-lyon.fr; ludovic.henrio@ens-lyon.fr; pascal.raymond@ens-lyon.fr; mehdi.khosvatian@anjali.fr; mehdi.khosvatian.ghadirlouai@anjali.fr

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that the full copyright notice is preserved on all copies. For permission to make other use such as distribution to lists, reprinting, or redistribution of figures, or other reuse, please contact permissions@acm.org.  
2025 © Copyright Author(s). Publication rights licensed to ACM.  
ACM 0899-1506/25/1-ART1 \$15.00  
<https://doi.org/10.1145/318327>





































# Satisfiability (modulo theories)

## SAT

Let  $a, b, c \in \{\perp, \top\}$ , and  
a formula  $\phi = (a \vee b) \wedge \neg c$

*Is there an assignment of  $a$ ,  $b$ , and  $c$ ,  
such that  $\phi$  evaluates to  $\top$ ?*

# Satisfiability (modulo theories)

## SAT

Let  $a, b, c \in \{\perp, \top\}$ , and  
a formula  $\phi = (a \vee b) \wedge \neg c$

Is there an assignment of  $a$ ,  $b$ , and  $c$ ,  
such that  $\phi$  evaluates to  $\top$ ?



# Satisfiability (modulo theories)

## SAT

Let  $a, b, c \in \{\perp, \top\}$ , and  
a formula  $\phi = (a \vee b) \wedge \neg c$

Is there an assignment of  $a$ ,  $b$ , and  $c$ ,  
such that  $\phi$  evaluates to  $\top$ ?



# Satisfiability (modulo theories)

## SAT

Let  $a, b, c \in \{\perp, \top\}$ , and  
a formula  $\phi = (a \vee b) \wedge \neg c$

Is there an assignment of  $a$ ,  $b$ , and  $c$ ,  
such that  $\phi$  evaluates to  $\top$ ?



## SMT

Let  $a \in \{\perp, \top\}$ , and  $x, y \in \mathbb{Q}$ , and  
a formula  $\phi = (x + y \leq \frac{1}{2}) \wedge (x < y \vee a)$

Is there an assignment of  $a$ ,  $x$ , and  $y$ ,  
such that  $\phi$  evaluates to  $\top$ ?

# Satisfiability (modulo theories)

## SAT

Let  $a, b, c \in \{\perp, \top\}$ , and  
a formula  $\phi = (a \vee b) \wedge \neg c$

Is there an assignment of  $a$ ,  $b$ , and  $c$ ,  
such that  $\phi$  evaluates to  $\top$ ?



## SMT

Let  $a \in \{\perp, \top\}$ , and  $x, y \in \mathbb{Q}$ , and  
a formula  $\phi = (x + y \leq \frac{1}{2}) \wedge (x < y \vee a)$

Is there an assignment of  $a$ ,  $x$ , and  $y$ ,  
such that  $\phi$  evaluates to  $\top$ ?



# Satisfiability (modulo theories)

## SAT

Let  $a, b, c \in \{\perp, \top\}$ , and  
a formula  $\phi = (a \vee b) \wedge \neg c$

Is there an assignment of  $a$ ,  $b$ , and  $c$ ,  
such that  $\phi$  evaluates to  $\top$ ?



## SMT

Let  $a \in \{\perp, \top\}$ , and  $x, y \in \mathbb{Q}$ , and  
a formula  $\phi = (x + y \leq \frac{1}{2}) \wedge (x < y \vee a)$

Is there an assignment of  $a$ ,  $x$ , and  $y$ ,  
such that  $\phi$  evaluates to  $\top$ ?



# My circuit verification framework



# My circuit verification framework



## DATE 2023

### Electrical Rule Checking of Integrated Circuits using Satisfiability Modulo Theory

B. Ferre<sup>\*</sup>, O. Oukilaid<sup>†,‡</sup>, L. Henrion<sup>\*</sup>, M. Khosravian G<sup>‡</sup>, M. Moy<sup>\*</sup>, G. Radanne<sup>\*</sup>, P. Raymond<sup>§</sup>

<sup>\*</sup>Univ Lyon, Ens, UCB, CNRS, Inria, LIP, F-69342, LYON Cedex 07, France.

<sup>†</sup>Univ. Grenoble Alpes, CNRS, Grenoble INP, VERIMAG, 38000 Grenoble, France

<sup>‡</sup>Asilah, 38000 Grenoble, France

<sup>§</sup>[benoit.ferre, maitheu.moy, ludovic.henrion, gabriel.radanne]@ens-lyon.fr

pascal.raymond@univ-grenoble-alpes.fr, [m.khosravian, o.ukilaid]@minst.fr

**Abstract**—We consider the verification of electrical properties of circuits to identify potential violations of electrical design rules, also called Electrical Rule Checking (ERC). We present a general approach based on Satisfiability Modulo Theory (SMT) to verify that the circuit satisfies a set of constraints. The main advantage of our approach is that it is scalable and more precise than existing analyses, like voltage propagation. We applied these techniques to a specific type of errors: the so-called short-circuits. In this paper, we show that this technique is able to flag 31% of the warnings raised by the voltage propagation analysis as being false alarms.

**Index Terms**—Electrical rule checking, Integrated Circuits, SMT solving

#### I. ELECTRICAL RULE CHECKING

During hardware design processes, verification of the digital designs is a particularly important task since, unlike software, updates cannot be deployed after manufacturing, meaning that any bug left in the system can induce heavy additional costs. Simulation is a widely used method to verify a hardware design, but it can only prove the presence of bugs, not their absence, and highly depends on the test vectors that are defined by the designer. Formal methods like model-checking can, on the other hand, prove the correctness of a circuit or of any sub-circuit considered. While theoretically limited by algorithmic complexity or even undecidability, formal methods have successfully been applied in many contexts in practice<sup>1</sup>.

In a typical hardware design-flow, verification can happen at multiple stages. Algorithmic properties, such as temporal or logical behavior, can be checked at the highest level of abstraction, or even at C-level, before the start of the high-level synthesis. However, some properties can only be considered in the final steps of the design flow, where fewer abstractions are used to describe circuits. For example, when a circuit contains multiple power-domains operating at different voltages, design rules state that a specific circuit — a level-shifter — must be used at the interface between power-domains. Level-shifters are not described at RTL level, since power-supplies are not modeled at all at this level of abstraction. They are introduced later in the design-flow, typically using tools based on the Universal Power Format (UPF). It is a mostly automatic step, but uses user-provided configuration files and possibly user-provided sub-circuits. Therefore, this step may introduce bugs

in the design. It is important to check the presence of all required level-shifters after this step, hence after the synthesis stage of the flow. More generally, a complete and modern circuit usually contains hand-tuned parts, and it is crucial to check that these parts do comply with the design rules. Such verifications, which is usually referred to as Electrical Rule Checking (ERC) [5], typically operates on transistor netlists. These netlists are obtained by extracting the transistors from the layout of the circuit, and are required for another important verification step, called Layout Versus Schematic analysis. Consequently, ERC approaches generally operate on a transistor netlist, i.e. a description of the circuit using transistors (or other hardware components) connected by nets (i.e. wires).

To verify properties related to power supplies, a typical first step is called voltage propagation [3], [5], [6]. It computes, for each set of the circuit, which power-supply is potentially violated. This means that it checks if a source or drain of a transistor's behavior (i.e. considering that the source or the drain of a transistor are connected unconditionally). When the voltage propagation finds a transistor with a gate connected to a supply  $S_d$  and a source connected to a supply  $S_u$  with neither  $S_u$  nor  $S_d$  being the ground, and the voltage of  $S_d$  is lower than the one of  $S_u$ , that transistor is identified as being at the interface between power-domains, and must be protected with a level-shifter. The presence of a level-shifter can be checked by performing a simulation of the circuit. The presence of a sub-circuit known to behave as a level-shifter [5], or this transistor can be tagged as potentially problematic and included in some coverage criteria for simulation-based verification. Voltage propagation is relatively simple and identifies all potential problems for several properties, but it is also very imprecise and yields a lot of false alarms.

To perform a more precise analysis, one needs to take into account the fact that the source and drain of a transistor are not described at RTL level, since power-supplies are not modeled at all at this level of abstraction. Therefore, they are introduced later in the design-flow, typically using tools based on the Universal Power Format (UPF). It is a mostly automatic step, but uses user-provided configuration files and possibly user-provided sub-circuits. Therefore, this step may introduce bugs

<sup>1</sup>See e.g. the FM conference series: <https://fmconference.org/synopsis/>

Part 3 of 5

# **Switch-based Circuit Semantics**

# Switch-based circuit semantics



# Switch-based circuit semantics



Variables of the SMT formula

$\mathcal{V}: \text{Nets} \rightarrow \text{Voltages}$

$\mathcal{O}_n: \text{Transistors} \rightarrow \{\perp, \top\}$

# Switch-based circuit semantics



Variables of the SMT formula

$\mathcal{V}$ : Nets  $\rightarrow$  Voltages

$\mathcal{O}_n$ : Transistors  $\rightarrow \{\perp, \top\}$

# Switch-based circuit semantics



Variables of the SMT formula

$\mathcal{V}: \text{Nets} \longrightarrow \text{Voltages}$

$\mathcal{O}_n: \text{Transistors} \longrightarrow \{\perp, \top\}$

# Switch-based circuit semantics



Variables of the SMT formula

$\mathcal{V}: \text{Nets} \rightarrow \text{Voltages}$

$\mathcal{O}_n: \text{Transistors} \rightarrow \{\perp, \top\}$

# Switch-based circuit semantics



Variables of the SMT formula

$\mathcal{V}$ : Nets  $\longrightarrow$  Voltages

$\mathcal{O}_n$ : Transistors  $\longrightarrow \{\perp, \top\}$

Goal Define constraints on variables  $\mathcal{V}$  and  $\mathcal{O}_n$

# Switch-based circuit semantics



# Switch-based circuit semantics



Transistor states

for pMOS devices:

$$On(\text{device}) \stackrel{\text{def}}{=} \left( \begin{array}{l} \mathcal{V}(\text{gate}) < \mathcal{V}(\text{source}) - V_{th} \\ \vee \quad \mathcal{V}(\text{gate}) < \mathcal{V}(\text{drain}) - V_{th} \end{array} \right)$$

# Switch-based circuit semantics



Transistor states

for pMOS devices:

$$On(\text{device}) \stackrel{\text{def}}{=} \left( \begin{array}{l} \mathcal{V}(\text{gate}) < \mathcal{V}(\text{source}) - V_{th} \\ \vee \quad \mathcal{V}(\text{gate}) < \mathcal{V}(\text{drain}) - V_{th} \end{array} \right) (\mathcal{R}_{On}^{\text{pMOS}})$$

# Switch-based circuit semantics



Transistor states

for pMOS devices:

$$\mathcal{O}_n(M1) \stackrel{\text{def}}{=} \left( \begin{array}{l} \mathcal{V}(A) < \mathcal{V}(VDD) - V_{th} \\ \vee \quad \mathcal{V}(A) < \mathcal{V}(Z) - V_{th} \end{array} \right) \quad (\mathcal{R}_{\mathcal{O}_n}^{\text{pMOS}})$$

# Switch-based circuit semantics



Transistor states

for pMOS devices:

$$On(\text{device}) \stackrel{\text{def}}{=} \left( \begin{array}{l} \mathcal{V}(\text{gate}) < \mathcal{V}(\text{source}) - V_{th} \\ \vee \quad \mathcal{V}(\text{gate}) < \mathcal{V}(\text{drain}) - V_{th} \end{array} \right) (\mathcal{R}_{On}^{\text{pMOS}})$$

# Switch-based circuit semantics



Transistor states

for pMOS devices:

$$\mathcal{O}n(\text{device}) \stackrel{\text{def}}{=} \left( \begin{array}{l} \mathcal{V}(\text{gate}) < \mathcal{V}(\text{source}) - V_{th} \\ \vee \quad \mathcal{V}(\text{gate}) < \mathcal{V}(\text{drain}) - V_{th} \end{array} \right) (\mathcal{R}_{\mathcal{O}n}^{\text{pMOS}})$$

for nMOS devices:

$$\mathcal{O}n(\text{device}) \stackrel{\text{def}}{=} \left( \begin{array}{l} \mathcal{V}(\text{gate}) > \mathcal{V}(\text{source}) + V_{th} \\ \vee \quad \mathcal{V}(\text{gate}) > \mathcal{V}(\text{drain}) + V_{th} \end{array} \right) (\mathcal{R}_{\mathcal{O}n}^{\text{nMOS}})$$

# Switch-based circuit semantics



Transistor states

for pMOS devices:

$$\mathcal{O}n(\text{device}) \stackrel{\text{def}}{=} \left( \begin{array}{l} \mathcal{V}(\text{gate}) < \mathcal{V}(\text{source}) - V_{th} \\ \vee \quad \mathcal{V}(\text{gate}) < \mathcal{V}(\text{drain}) - V_{th} \end{array} \right) (\mathcal{R}_{\mathcal{O}n}^{\text{pMOS}})$$

for nMOS devices:

$$\mathcal{O}n(M2) \stackrel{\text{def}}{=} \left( \begin{array}{l} \mathcal{V}(A) > \mathcal{V}(\text{GND}) + V_{th} \\ \vee \quad \mathcal{V}(A) > \mathcal{V}(Z) + V_{th} \end{array} \right) (\mathcal{R}_{\mathcal{O}n}^{\text{nMOS}})$$

# Switch-based circuit semantics



Transistor states

for pMOS devices:

$$\mathcal{O}n(\text{device}) \stackrel{\text{def}}{=} \left( \begin{array}{l} \mathcal{V}(\text{gate}) < \mathcal{V}(\text{source}) - V_{th} \\ \vee \quad \mathcal{V}(\text{gate}) < \mathcal{V}(\text{drain}) - V_{th} \end{array} \right) (\mathcal{R}_{\mathcal{O}n}^{\text{pMOS}})$$

for nMOS devices:

$$\mathcal{O}n(\text{device}) \stackrel{\text{def}}{=} \left( \begin{array}{l} \mathcal{V}(\text{gate}) > \mathcal{V}(\text{source}) + V_{th} \\ \vee \quad \mathcal{V}(\text{gate}) > \mathcal{V}(\text{drain}) + V_{th} \end{array} \right) (\mathcal{R}_{\mathcal{O}n}^{\text{nMOS}})$$

# Switch-based circuit semantics



# Switch-based circuit semantics



Net neighbors

Net  $a$  reaches net  $b$  through some device  $M$ :

$$\text{NEIGHBORS}(a) = \{a \xrightarrow{M} b, \dots\}$$

# Switch-based circuit semantics



Net neighbors

Net  $a$  reaches net  $b$  through some device  $M$ :

$$\text{NEIGHBORS}(a) = \{a \xrightarrow{M} b, \dots\}$$

$$\text{NEIGHBORS}(A) = \emptyset$$

# Switch-based circuit semantics



Net neighbors

Net  $a$  reaches net  $b$  through some device  $M$ :

$$\text{NEIGHBORS}(a) = \{a \xrightarrow{M} b, \dots\}$$

$$\text{NEIGHBORS}(A) = \emptyset$$

$$\text{NEIGHBORS}(Z) = \{Z \xrightarrow{M1} \text{VDD}, Z \xrightarrow{M2} \text{GND}\}$$

# Switch-based circuit semantics



Net neighbors

Net  $a$  reaches net  $b$  through some device  $M$ :

$$\text{NEIGHBORS}(a) = \{a \xrightarrow{M} b, \dots\}$$

$$\text{NEIGHBORS}(A) = \emptyset$$

$$\text{NEIGHBORS}(Z) = \{Z \xrightarrow{M1} \text{VDD}, Z \xrightarrow{M2} \text{GND}\}$$

# Switch-based circuit semantics



# Switch-based circuit semantics



Local voltage constraints

for every net *self*:

**current enters *self***

$\Leftrightarrow$

**current leaves *self***

# Switch-based circuit semantics



Local voltage constraints

for every net *self*:

$\exists \text{ } \textcolor{red}{self} \xrightarrow{\textcolor{blue}{M}} n \in \text{NEIGHBORS}(\text{self}),$   
**current enters *self* via *n***

$\Leftrightarrow$

$\exists \text{ } \textcolor{red}{self} \xrightarrow{\textcolor{green}{M'}} n' \in \text{NEIGHBORS}(\text{self}),$   
**current leaves *self* via *n'***

# Switch-based circuit semantics



Local voltage constraints

for every net *self*:

$\exists \text{ } \textcolor{red}{self} \xrightarrow{\textcolor{blue}{M}} \textcolor{blue}{n} \in \text{NEIGHBORS}(\textcolor{red}{self}),$   
 $\text{On}(\textcolor{blue}{M}) \wedge (\mathcal{V}(\textcolor{red}{self}) < \mathcal{V}(\textcolor{blue}{n}))$

$\Leftrightarrow$

$\exists \text{ } \textcolor{red}{self} \xrightarrow{\textcolor{blue}{M}'} \textcolor{green}{n}' \in \text{NEIGHBORS}(\textcolor{red}{self}),$   
**current leaves *self* via *n'***

# Switch-based circuit semantics



Local voltage constraints

for every net  $\text{self}$ :

$$\exists \text{self} \xrightarrow{M} n \in \text{NEIGHBORS}(\text{self}), \\ \mathcal{O}n(M) \wedge (\mathcal{V}(\text{self}) < \mathcal{V}(n))$$

$\Leftrightarrow$

$$\exists \text{self} \xrightarrow{M'} n' \in \text{NEIGHBORS}(\text{self}), \\ \mathcal{O}n(M') \wedge (\mathcal{V}(n') < \mathcal{V}(\text{self}))$$

# Switch-based circuit semantics



Local voltage constraints

for every net *self*:

$$\begin{aligned} & \bigvee_{\substack{\text{self} \xrightarrow{M} n \\ \in \text{NEIGHBORS}(\text{self})}} \mathcal{O}_n(M) \wedge (\mathcal{V}(\text{self}) < \mathcal{V}(n)) \\ & \Leftrightarrow \end{aligned}$$

$$\exists \text{self} \xrightarrow{M'} n' \in \text{NEIGHBORS}(\text{self}), \mathcal{O}_n(M') \wedge (\mathcal{V}(n') < \mathcal{V}(\text{self}))$$

# Switch-based circuit semantics



Local voltage constraints

for every net *self*:

$$\begin{aligned} & \bigvee_{\substack{\text{self} \xrightarrow{M} n \\ \in \text{NEIGHBORS}(\text{self})}} \mathcal{O}_n(M) \wedge (\mathcal{V}(\text{self}) < \mathcal{V}(n)) \\ \Leftrightarrow & \bigvee_{\substack{\text{self} \xrightarrow{M'} n' \\ \in \text{NEIGHBORS}(\text{self})}} \mathcal{O}_n(M') \wedge (\mathcal{V}(n') < \mathcal{V}(\text{self})) \end{aligned}$$

# Switch-based circuit semantics



Local voltage constraints

for every net *self*:

$$\begin{aligned} & \bigvee_{\substack{\text{self} \xrightarrow{M} n \\ \in \text{NEIGHBORS}(\text{self})}} \mathcal{O}_n(M) \wedge (\mathcal{V}(\text{self}) < \mathcal{V}(n)) \\ \Leftrightarrow & \bigvee_{\substack{\text{self} \xrightarrow{M'} n' \\ \in \text{NEIGHBORS}(\text{self})}} \mathcal{O}_n(M') \wedge (\mathcal{V}(n') < \mathcal{V}(\text{self})) \end{aligned}$$

$(\mathcal{R}_{\text{local voltage}})$

# Switch-based circuit semantics



# Switch-based circuit semantics



for net  $Z$ ,  
 $\mathcal{R}_{\substack{\text{local} \\ \text{voltage}}}$  is satisfied with

$$\mathcal{O}n(M1) \wedge \neg\mathcal{O}n(M2) \wedge \mathcal{V}(Z) = \mathcal{V}(VDD)$$

$$\neg\mathcal{O}n(M1) \wedge \mathcal{O}n(M2) \wedge \mathcal{V}(Z) = \mathcal{V}(GND)$$

$$\mathcal{O}n(M1) \wedge \mathcal{O}n(M2) \wedge \mathcal{V}(GND) < \mathcal{V}(Z) < \mathcal{V}(VDD)$$

$$\mathcal{O}n(M1) \wedge \mathcal{O}n(M2) \wedge \mathcal{V}(VDD) < \mathcal{V}(Z) < \mathcal{V}(GND)$$

# Switch-based circuit semantics



for net **Z**,  
 $\mathcal{R}_{local\ voltage}$  is satisfied with

$$\mathcal{O}n(M1) \wedge \neg\mathcal{O}n(M2) \wedge \mathcal{V}(Z) = \mathcal{V}(VDD)$$

$$\neg\mathcal{O}n(M1) \wedge \mathcal{O}n(M2) \wedge \mathcal{V}(Z) = \mathcal{V}(GND)$$

$$\mathcal{O}n(M1) \wedge \mathcal{O}n(M2) \wedge \mathcal{V}(GND) < \mathcal{V}(Z) < \mathcal{V}(VDD)$$

$$\mathcal{O}n(M1) \wedge \mathcal{O}n(M2) \wedge \mathcal{V}(VDD) < \mathcal{V}(Z) < \mathcal{V}(GND)$$

T

# Switch-based circuit semantics



for net Z,  
 $\mathcal{R}_{\text{local voltage}}$  is satisfied with

- $\mathcal{O}n(M1) \wedge \neg\mathcal{O}n(M2) \wedge \mathcal{V}(Z) = \mathcal{V}(VDD)$
- $\neg\mathcal{O}n(M1) \wedge \mathcal{O}n(M2) \wedge \mathcal{V}(Z) = \mathcal{V}(GND)$
- $\mathcal{O}n(M1) \wedge \mathcal{O}n(M2) \wedge \mathcal{V}(GND) < \mathcal{V}(Z) < \mathcal{V}(VDD)$
- $\mathcal{O}n(M1) \wedge \mathcal{O}n(M2) \wedge \mathcal{V}(VDD) < \mathcal{V}(Z) < \mathcal{V}(GND)$

T

# Switch-based circuit semantics



for net  $Z$ ,  
 $\mathcal{R}_{local voltage}$  is satisfied with

$$\mathcal{O}n(M1) \wedge \neg\mathcal{O}n(M2) \wedge \mathcal{V}(Z) = \mathcal{V}(VDD)$$

$$\neg\mathcal{O}n(M1) \wedge \mathcal{O}n(M2) \wedge \mathcal{V}(Z) = \mathcal{V}(GND)$$

$$\mathcal{O}n(M1) \wedge \mathcal{O}n(M2) \wedge \mathcal{V}(GND) < \mathcal{V}(Z) < \mathcal{V}(VDD)$$

$$\mathcal{O}n(M1) \wedge \mathcal{O}n(M2) \wedge \mathcal{V}(VDD) < \mathcal{V}(Z) < \mathcal{V}(GND)$$

T

T

# Switch-based circuit semantics



for net Z,

$\mathcal{R}_{\substack{\text{local} \\ \text{voltage}}}$  is satisfied with

$$\mathcal{O}n(M1) \wedge \neg\mathcal{O}n(M2) \wedge \mathcal{V}(Z) = \mathcal{V}(VDD)$$

$$\neg\mathcal{O}n(M1) \wedge \mathcal{O}n(M2) \wedge \mathcal{V}(Z) = \mathcal{V}(GND)$$

$$\mathcal{O}n(M1) \wedge \mathcal{O}n(M2) \wedge \mathcal{V}(GND) < \mathcal{V}(Z) < \mathcal{V}(VDD)$$

$$\mathcal{O}n(M1) \wedge \mathcal{O}n(M2) \wedge \mathcal{V}(VDD) < \mathcal{V}(Z) < \mathcal{V}(GND)$$

T

T

# Switch-based circuit semantics



for net Z,  
 $\mathcal{R}_{local voltage}$  is satisfied with

- |                                                                                    |                                                               |
|------------------------------------------------------------------------------------|---------------------------------------------------------------|
| $On(M1) \wedge \neg On(M2) \wedge \mathcal{V}(Z) = \mathcal{V}(VDD)$               | <span style="border: 1px solid green; padding: 2px;">T</span> |
| $\neg On(M1) \wedge On(M2) \wedge \mathcal{V}(Z) = \mathcal{V}(GND)$               | <span style="border: 1px solid green; padding: 2px;">T</span> |
| $On(M1) \wedge On(M2) \wedge \mathcal{V}(GND) < \mathcal{V}(Z) < \mathcal{V}(VDD)$ | <span style="border: 1px solid green; padding: 2px;">T</span> |
| $On(M1) \wedge On(M2) \wedge \mathcal{V}(VDD) < \mathcal{V}(Z) < \mathcal{V}(GND)$ |                                                               |

# Switch-based circuit semantics



for net Z,  
 $\mathcal{R}_{\text{local voltage}}$  is satisfied with

- |                                                                                                        |                                                               |
|--------------------------------------------------------------------------------------------------------|---------------------------------------------------------------|
| $\mathcal{O}n(M1) \wedge \neg\mathcal{O}n(M2) \wedge \mathcal{V}(Z) = \mathcal{V}(VDD)$                | <span style="border: 1px solid green; padding: 2px;">T</span> |
| $\neg\mathcal{O}n(M1) \wedge \mathcal{O}n(M2) \wedge \mathcal{V}(Z) = \mathcal{V}(GND)$                | <span style="border: 1px solid green; padding: 2px;">T</span> |
| $\mathcal{O}n(M1) \wedge \mathcal{O}n(M2) \wedge \mathcal{V}(GND) < \mathcal{V}(Z) < \mathcal{V}(VDD)$ | <span style="border: 1px solid green; padding: 2px;">T</span> |
| $\mathcal{O}n(M1) \wedge \mathcal{O}n(M2) \wedge \mathcal{V}(VDD) < \mathcal{V}(Z) < \mathcal{V}(GND)$ | <span style="border: 1px solid green; padding: 2px;">T</span> |

# Switch-based circuit semantics



for net  $Z$ ,  
 $\mathcal{R}_{\text{local voltage}}$  is satisfied with

- |                                                                                                                                    |   |
|------------------------------------------------------------------------------------------------------------------------------------|---|
| $\mathcal{O}n(M1) \wedge \neg\mathcal{O}n(M2) \wedge \mathcal{V}(Z) = \mathcal{V}(VDD)$                                            | T |
| $\neg\mathcal{O}n(M1) \wedge \mathcal{O}n(M2) \wedge \mathcal{V}(Z) = \mathcal{V}(GND)$                                            | T |
| $\mathcal{O}n(M1) \wedge \mathcal{O}n(M2) \wedge \mathcal{V}(GND) < \mathcal{V}(Z) < \mathcal{V}(VDD)$                             | T |
| <del><math>\mathcal{O}n(M1) \wedge \mathcal{O}n(M2) \wedge \mathcal{V}(VDD) &lt; \mathcal{V}(Z) &lt; \mathcal{V}(GND)</math></del> | ⊥ |

# Switch-based circuit semantics

$$\begin{aligned}\mathcal{S}^t &\stackrel{\text{def}}{=} \mathcal{R}_{\mathcal{O}n}^{\text{pMOS}} \\ &\wedge \mathcal{R}_{\mathcal{O}n}^{\text{nMOS}} \\ &\wedge \mathcal{R}_{\substack{\text{local} \\ \text{voltage}}} \\ &\wedge \mathcal{R}_{\text{supplies}} \\ &\wedge \mathcal{R}_{\text{inputs}} \\ &\wedge \dots\end{aligned}$$

# Switch-based circuit semantics

$$\begin{aligned}\mathcal{S}^t &\stackrel{\text{def}}{=} \left( \begin{array}{l} \mathcal{R}_{On}^{\text{pMOS}} \\ \mathcal{R}_{On}^{\text{nMOS}} \end{array} \right) \text{devices} \\ &\wedge \mathcal{R}_{\substack{\text{local} \\ \text{voltage}}} \\ &\wedge \mathcal{R}_{\text{supplies}} \\ &\wedge \mathcal{R}_{\text{inputs}} \\ &\wedge \dots\end{aligned}$$

# Switch-based circuit semantics

$$\begin{aligned}\mathcal{S}^t &\stackrel{\text{def}}{=} \boxed{\mathcal{R}_{\mathcal{O}n}^{\text{pMOS}}} \text{ devices} \\ &\wedge \boxed{\mathcal{R}_{\mathcal{O}n}^{\text{nMOS}}} \\ &\wedge \boxed{\mathcal{R}_{\text{local voltage}}} \text{ nets} \\ &\wedge \mathcal{R}_{\text{supplies}} \\ &\wedge \mathcal{R}_{\text{inputs}} \\ &\wedge \dots\end{aligned}$$

# Switch-based circuit semantics

$$\begin{aligned}\mathcal{S}^t &\stackrel{\text{def}}{=} \boxed{\mathcal{R}_{\mathcal{O}n}^{\text{pMOS}}} \text{ devices} \\ &\wedge \boxed{\mathcal{R}_{\mathcal{O}n}^{\text{nMOS}}} \\ &\wedge \boxed{\mathcal{R}_{\text{local voltage}}} \text{ nets} \\ &\wedge \boxed{\mathcal{R}_{\text{supplies}}} \\ &\wedge \boxed{\mathcal{R}_{\text{inputs}}} \text{ environment} \\ &\wedge \dots\end{aligned}$$

# Switch-based circuit semantics

$$\mathcal{S}^t \stackrel{\text{def}}{=} \begin{array}{l} \wedge \boxed{\mathcal{R}_{On}^{\text{pMOS}}} \\ \wedge \boxed{\mathcal{R}_{On}^{\text{nMOS}}} \end{array} \text{devices}$$
$$\begin{array}{l} \wedge \boxed{\mathcal{R}_{\text{local voltage}}} \\ \wedge \boxed{\mathcal{R}_{\text{supplies}}} \\ \wedge \boxed{\mathcal{R}_{\text{inputs}}} \end{array} \text{nets}$$
$$\wedge \dots$$
$$\text{environment}$$



# Switch-based circuit semantics



# Switch-based circuit semantics



# Switch-based circuit semantics



**DATE 2024**

A Transistor Level Relational Semantics for  
Electrical Rule Checking by SMT Solving

Oussama Oulkaid<sup>1,2\*</sup>, Bruno Ferre<sup>3†</sup>, Matthieu Moy<sup>1</sup>, Pascal Raymond<sup>1</sup>, Mehdi Khosravian<sup>4</sup>,

Ludovic Henrion<sup>3</sup>, Gabriel Radanne<sup>5</sup>

<sup>1</sup>Univ. Lyon, EasiL, UCBL, CNRS, Inria, LIP, F-69342, LYON Cedex 07, France

<sup>2</sup>Univ. Grenoble Alpes, CNRS, Grenoble INP\*, VERIMAG, 38000 Grenoble, France

\*Anisah, 38000 Grenoble, France

## Case study: missing level-shifter (MLS)

# Case study: missing level-shifter (MLS)



# Case study: missing level-shifter (MLS)



# Case study: missing level-shifter (MLS)



$$\begin{aligned} \text{Error}_{\text{MLS}}(\mathcal{M}) &\stackrel{\text{def}}{=} \mathcal{O}_n(\mathcal{M}) \\ &\wedge \mathcal{V}(g) < \mathcal{V}(s) \\ &\wedge \mathcal{V}(g) \neq 0 \text{ V} \\ &\wedge \mathcal{V}(s) \neq \mathcal{V}(d) \end{aligned}$$

# Case study: missing level-shifter (MLS)



$$\begin{aligned} \text{Error}_{\text{MLS}}(\mathcal{M}) &\stackrel{\text{def}}{=} \mathcal{O}_n(\mathcal{M}) \\ &\wedge \mathcal{V}(g) < \mathcal{V}(s) \\ &\wedge \mathcal{V}(g) \neq 0 \text{ V} \\ &\wedge \mathcal{V}(s) \neq \mathcal{V}(d) \end{aligned}$$



ADC

Analog-to-digital converter  
197 unique subcircuits  
20 distinct power supplies  
22 598 suspect devices to analyze

# Case study: missing level-shifter (MLS)



$$\begin{aligned} \text{Error}_{\text{MLS}}(\mathcal{M}) &\stackrel{\text{def}}{=} \mathcal{O}_n(\mathcal{M}) \\ &\wedge \mathcal{V}(g) < \mathcal{V}(s) \\ &\wedge \mathcal{V}(g) \neq 0 \text{ V} \\ &\wedge \mathcal{V}(s) \neq \mathcal{V}(d) \end{aligned}$$



Analog-to-digital converter  
197 unique subcircuits  
20 distinct power supplies  
22 598 suspect devices to analyze

Task



analyze a set of suspect  
transistors against MLS

## Case study: missing level-shifter (MLS)

- ⚠ 10 277 suspects classified as erroneous
- ✓ 12 321 suspects classified as not erroneous

# Case study: missing level-shifter (MLS)

- ⚠ 10 277 suspects classified as erroneous
- ✓ 12 321 suspects classified as not erroneous



# Case study: missing level-shifter (MLS)

- ⚠ 10 277 suspects classified as erroneous
- ✓ 12 321 suspects classified as not erroneous



Very efficient for analyzing small-to-medium circuit cells

# Case study: missing level-shifter (MLS)

⚠ 10 277 suspects classified as erroneous

✓ 12 321 suspects classified as not erroneous

Part of Aniah  
ONECHECK



Very efficient for analyzing small-to-medium circuit cells

# Case study: electrical overstress (EOS)

# Case study: electrical overstress (EOS)



Credit: Ed Hare (2020)

# Case study: electrical overstress (EOS)



# Case study: electrical overstress (EOS)



$$\begin{aligned} \text{Error}_{\text{EOS}}(M) &\stackrel{\text{def}}{=} \mathcal{V}_{gs}(M) \notin \text{ALLOWEDINTERVAL}(M) \\ &\vee \mathcal{V}_{gd}(M) \notin \text{ALLOWEDINTERVAL}(M) \end{aligned}$$

# Case study: electrical overstress (EOS)



Is there a too  
low/high voltage  
applied on M?

$$\text{Error}_{\text{EOS}}(M) \stackrel{\text{def}}{=} \mathcal{V}_{gs}(M) \notin \text{ALLOWEDINTERVAL}(M) \vee \mathcal{V}_{gd}(M) \notin \text{ALLOWEDINTERVAL}(M)$$



RF

Radio frequency circuitry  
549 unique subcircuits  
11 distinct power supplies  
3144 transistors analyzed

# Case study: electrical overstress (EOS)



Is there a too  
low/high voltage  
applied on M?

$$\begin{aligned} \text{Error}_{\text{EOS}}(M) &\stackrel{\text{def}}{=} V_{gs}(M) \notin \text{ALLOWEDINTERVAL}(M) \\ &\vee V_{gd}(M) \notin \text{ALLOWEDINTERVAL}(M) \end{aligned}$$



Radio frequency circuitry  
549 unique subcircuits  
11 distinct power supplies  
3144 transistors analyzed

Task  
enumeration  
erroneous devices  
in each subcircuit

## Case study: electrical overstress (EOS)

⚠ 2956 errors found

✓ 188 devices classified as not erroneous

# Case study: electrical overstress (EOS)

⚠ 2956 errors found

✓ 188 devices classified as not erroneous



# Case study: electrical overstress (EOS)

⚠ 2956 errors found

✓ 188 devices classified as not erroneous



# Case study: electrical overstress (EOS)

⚠ 2956 errors found

✓ 188 devices classified as not erroneous



# A simpler switch-based semantics variant?

# A simpler switch-based semantics variant?

for each nMOS device M:

$$\begin{aligned}\mathcal{O}_n(M) \stackrel{\text{def}}{=} \mathcal{V}_g(M) &> \mathcal{V}_s(M) + V_{th} \\ \vee \mathcal{V}_g(M) &> \mathcal{V}_d(M) + V_{th}\end{aligned}$$

Semantics  $\mathcal{S}^t$

# A simpler switch-based semantics variant?

for each nMOS device M:

$$\begin{aligned}\mathcal{O}_n(M) \stackrel{\text{def}}{=} & \mathcal{V}_g(M) > \mathcal{V}_s(M) + V_{th} \\ & \vee \mathcal{V}_g(M) > \mathcal{V}_d(M) + V_{th}\end{aligned}$$

Semantics  $\mathcal{S}^t$

$$\xrightarrow{V_{th} = 0}$$

$$\begin{aligned}\mathcal{O}_n(M) \stackrel{\text{def}}{=} & \mathcal{V}_g(M) > \mathcal{V}_s(M) \\ & \vee \mathcal{V}_g(M) > \mathcal{V}_d(M)\end{aligned}$$

Semantics  $\mathcal{S}^s$

# A simpler switch-based semantics variant?

for each nMOS device M:

$$\begin{aligned}\mathcal{O}_n(M) \stackrel{\text{def}}{=} & \mathcal{V}_g(M) > \mathcal{V}_s(M) + V_{th} \\ \vee \mathcal{V}_g(M) > \mathcal{V}_d(M) + V_{th}\end{aligned}$$

Semantics  $\mathcal{S}^t$

$$V_{th} = 0$$

$$\begin{aligned}\mathcal{O}_n(M) \stackrel{\text{def}}{=} & \mathcal{V}_g(M) > \mathcal{V}_s(M) \\ \vee \mathcal{V}_g(M) > \mathcal{V}_d(M)\end{aligned}$$

Semantics  $\mathcal{S}^s$



# $\mathcal{S}^t$ versus $\mathcal{S}^s$ — empirical evaluation

## missing level-shifter

| $\mathcal{S}^s$ | $\mathcal{S}^t$ | count |
|-----------------|-----------------|-------|
| ⚠               | ⚠               | 9623  |
| ⚠               | ✓               | 70    |
| ✓               | ⚠               | 654   |
| ✓               | ✓               | 12251 |

# $\mathcal{S}^t$ versus $\mathcal{S}^s$ — empirical evaluation

## missing level-shifter

| $\mathcal{S}^s$ | $\mathcal{S}^t$ | count |
|-----------------|-----------------|-------|
| ⚠️              | ⚠️              | 9623  |
| ⚠️              | ✓               | 70    |
| ✓               | ⚠️              | 654   |
| ✓               | ✓               | 12251 |

70 false alarms raised by  $\mathcal{S}^s$

# $\mathcal{S}^t$ versus $\mathcal{S}^s$ — empirical evaluation

## missing level-shifter

| $\mathcal{S}^s$ | $\mathcal{S}^t$ | count |
|-----------------|-----------------|-------|
| ⚠️              | ⚠️              | 9623  |
| ⚠️              | ✓               | 70    |
| ✓               | ⚠️              | 654   |
| ✓               | ✓               | 12251 |

70 false alarms raised by  $\mathcal{S}^s$   
654 possibly errors missed by  $\mathcal{S}^s$

# $\mathcal{S}^t$ versus $\mathcal{S}^s$ — empirical evaluation

## missing level-shifter

| $\mathcal{S}^s$ | $\mathcal{S}^t$ | count |
|-----------------|-----------------|-------|
| ⚠               | ⚠               | 9623  |
| ⚠               | ✓               | 70    |
| ✓               | ⚠               | 654   |
| ✓               | ✓               | 12251 |

70 false alarms raised by  $\mathcal{S}^s$   
654 possibly errors missed by  $\mathcal{S}^s$



# $\mathcal{S}^t$ versus $\mathcal{S}^s$ — empirical evaluation

## missing level-shifter

| $\mathcal{S}^s$ | $\mathcal{S}^t$ | count                                         |
|-----------------|-----------------|-----------------------------------------------|
| ⚠️              | ⚠️              | 9623                                          |
| ⚠️              | ✓               | 70 false alarms raised by $\mathcal{S}^s$     |
| ✓               | ⚠️              | 654 possibly errors missed by $\mathcal{S}^s$ |
| ✓               | ✓               | 12251                                         |

## electrical overstress

| $\mathcal{S}^s$ | $\mathcal{S}^t$ | count |
|-----------------|-----------------|-------|
| ⚠️              | ⚠️              | 2956  |
| ⚠️              | ✓               | 0     |
| ✓               | ⚠️              | 0     |
| ✓               | ✓               | 188   |



# $\mathcal{S}^t$ versus $\mathcal{S}^s$ — empirical evaluation

## missing level-shifter

| $\mathcal{S}^s$ | $\mathcal{S}^t$ | count                                         |
|-----------------|-----------------|-----------------------------------------------|
| ⚠️              | ⚠️              | 9623                                          |
| ⚠️              | ✓               | 70 false alarms raised by $\mathcal{S}^s$     |
| ✓               | ⚠️              | 654 possibly errors missed by $\mathcal{S}^s$ |
| ✓               | ✓               | 12251                                         |



## electrical overstress

| $\mathcal{S}^s$ | $\mathcal{S}^t$ | count |
|-----------------|-----------------|-------|
| ⚠️              | ⚠️              | 2956  |
| ⚠️              | ✓               | 0     |
| ✓               | ⚠️              | 0     |
| ✓               | ✓               | 188   |



# $\mathcal{S}^t$ versus $\mathcal{S}^s$ — empirical evaluation

## missing level-shifter

| $\mathcal{S}^s$ | $\mathcal{S}^t$ | count                                         |
|-----------------|-----------------|-----------------------------------------------|
| ⚠️              | ⚠️              | 9623                                          |
| ⚠️              | ✓               | 70 false alarms raised by $\mathcal{S}^s$     |
| ✓               | ⚠️              | 654 possibly errors missed by $\mathcal{S}^s$ |
| ✓               | ✓               | 12251                                         |

## electrical overstress

| $\mathcal{S}^s$ | $\mathcal{S}^t$ | count |
|-----------------|-----------------|-------|
| ⚠️              | ⚠️              | 2956  |
| ⚠️              | ✓               | 0     |
| ✓               | ⚠️              | 0     |
| ✓               | ✓               | 188   |

In practice,  $\mathcal{S}^s$  is neither faster nor sound



# $\mathcal{S}^t$ versus $\mathcal{S}^s$ — empirical evaluation

## missing level-shifter

| $\mathcal{S}^s$ | $\mathcal{S}^t$ | count                                         |
|-----------------|-----------------|-----------------------------------------------|
| ⚠️              | ⚠️              | 9623                                          |
| ⚠️              | ✓               | 70 false alarms raised by $\mathcal{S}^s$     |
| ✓               | ⚠️              | 654 possibly errors missed by $\mathcal{S}^s$ |
| ✓               | ✓               | 12251                                         |

## electrical overstress

| $\mathcal{S}^s$ | $\mathcal{S}^t$ | count |
|-----------------|-----------------|-------|
| ⚠️              | ⚠️              | 2956  |
| ⚠️              | ✓               | 0     |
| ✓               | ⚠️              | 0     |
| ✓               | ✓               | 188   |

In practice,  $\mathcal{S}^s$  is neither faster nor sound



Can we have more precise semantics?

# $\mathcal{S}^t$ versus $\mathcal{S}^s$ — empirical evaluation

## missing level-shifter

| $\mathcal{S}^s$ | $\mathcal{S}^t$ | count                                         |
|-----------------|-----------------|-----------------------------------------------|
| ⚠️              | ⚠️              | 9623                                          |
| ⚠️              | ✓               | 70 false alarms raised by $\mathcal{S}^s$     |
| ✓               | ⚠️              | 654 possibly errors missed by $\mathcal{S}^s$ |
| ✓               | ✓               | 12251                                         |

## electrical overstress

| $\mathcal{S}^s$ | $\mathcal{S}^t$ | count |
|-----------------|-----------------|-------|
| ⚠️              | ⚠️              | 2956  |
| ⚠️              | ✓               | 0     |
| ✓               | ⚠️              | 0     |
| ✓               | ✓               | 188   |

In practice,  $\mathcal{S}^s$  is neither faster nor sound



Can we have more precise semantics?

Will it degrade performances? By how much?

Part 4 of 5

# **Quantitative Circuit Semantics**

## The problem with $\mathcal{S}^t$ and $\mathcal{S}^s$

# The problem with $\mathcal{S}^t$ and $\mathcal{S}^s$

nMOS



$\mathcal{R}_{local}$  allows  
an interval of  
voltage drop  
values

pMOS



# The problem with $\mathcal{S}^t$ and $\mathcal{S}^s$

nMOS



pMOS



$\mathcal{R}_{local}$  allows  
an interval of  
voltage drop  
values



# Transistor's regions of operation: I-V characteristics

nMOS



pMOS



# Transistor's regions of operation: I-V characteristics

nMOS



Cut-off

$$I_{sd}(M) = 0$$

pMOS



# Transistor's regions of operation: I-V characteristics

nMOS



Saturation

$$I_{sd}(M) = K_p \frac{W}{L} (1 + \lambda V_{ds}(M)) \times (V_{ds}(M) - V_{th})^2$$

pMOS



# Transistor's regions of operation: I-V characteristics

nMOS



Linear

pMOS



# Transistor's regions of operation: I-V characteristics

nMOS



pMOS



# Transistor's regions of operation: I-V characteristics

nMOS



approximation



pMOS



approximation



# Transistor's regions of operation: I-V characteristics

nMOS



approximation



pMOS



approximation



# Transistor's regions of operation: I-V characteristics

nMOS



approximation



pMOS



approximation



# Transistor's regions of operation: I-V characteristics

nMOS



approximation



pMOS



approximation



# Transistor's regions of operation: I-V characteristics

nMOS



approximation



pMOS



approximation



# Transistor's regions of operation: I-V characteristics

nMOS



approximation



pMOS



approximation



## Quantitative semantics rules

## Quantitative semantics rules

$$\bigwedge_{M \in \text{Transistors}} \left( \begin{array}{l} \text{Cut}_M(\mathcal{V}, \mathcal{I}) \\ \vee \quad \text{Sat}_M(\mathcal{V}, \mathcal{I}) \\ \vee \quad \text{Lin}_M(\mathcal{V}, \mathcal{I}) \end{array} \right) \quad (\mathcal{R}_{regions})$$

## Quantitative semantics rules

$$\bigwedge_{M \in \text{Transistors}} \left( \begin{array}{l} \vee \quad \text{Cut}_M(\mathcal{V}, \mathcal{I}) \\ \vee \quad \text{Sat}_M(\mathcal{V}, \mathcal{I}) \\ \vee \quad \text{Lin}_M(\mathcal{V}, \mathcal{I}) \end{array} \right) \quad (\mathcal{R}_{regions})$$

$$\bigwedge_{n \in \text{Nets}} \left( \sum_{\substack{n \xrightarrow{M} p \\ \in \text{NEIGHBORS}(n)}} \mathcal{I}(n \xrightarrow{M} p) = 0 \right) \quad (\mathcal{R}_{Kirchhoff})$$



## Quantitative semantics rules

$$\bigwedge_{M \in \text{Transistors}} \left( \begin{array}{l} \vee \quad \text{Cut}_M(\mathcal{V}, \mathcal{I}) \\ \vee \quad \text{Sat}_M(\mathcal{V}, \mathcal{I}) \\ \vee \quad \text{Lin}_M(\mathcal{V}, \mathcal{I}) \end{array} \right) \quad (\mathcal{R}_{regions})$$

$$\bigwedge_{n \in \text{Nets}} \left( \sum_{\substack{n \xrightarrow{M} p \\ \in \text{NEIGHBORS}(n)}} \mathcal{I}(n \xrightarrow{M} p) = 0 \right) \quad (\mathcal{R}_{Kirchhoff})$$



$$I_1 + I_2 + I_3 = 0$$

# Quantitative circuit semantics

# Quantitative circuit semantics

$$\begin{aligned}\mathcal{S}^q &\stackrel{\text{def}}{=} \mathcal{R}_{regions} \\ &\wedge \mathcal{R}_{Kirchhoff} \\ &\wedge \mathcal{R}_{supplies} \\ &\wedge \mathcal{R}_{inputs} \\ &\wedge \dots\end{aligned}$$

# Quantitative circuit semantics

$$\begin{aligned}\mathcal{S}^q &\stackrel{\text{def}}{=} \boxed{\mathcal{R}_{regions}} \text{ devices} \\ &\wedge \mathcal{R}_{Kirchhoff} \\ &\wedge \mathcal{R}_{supplies} \\ &\wedge \mathcal{R}_{inputs} \\ &\wedge \dots\end{aligned}$$

# Quantitative circuit semantics

$$\begin{aligned}\mathcal{S}^q &\stackrel{\text{def}}{=} \boxed{\mathcal{R}_{regions}} \text{ devices} \\ &\wedge \boxed{\mathcal{R}_{Kirchhoff}} \text{ nets} \\ &\wedge \mathcal{R}_{supplies} \\ &\wedge \mathcal{R}_{inputs} \\ &\wedge \dots\end{aligned}$$

# Quantitative circuit semantics

$$\begin{aligned}\mathcal{S}^q &\stackrel{\text{def}}{=} \boxed{\mathcal{R}_{regions}} \text{ devices} \\ &\wedge \boxed{\mathcal{R}_{Kirchhoff}} \text{ nets} \\ &\wedge \boxed{\mathcal{R}_{supplies}} \text{ environment} \\ &\wedge \boxed{\mathcal{R}_{inputs}} \\ &\wedge \dots\end{aligned}$$

# Quantitative circuit semantics

$$\begin{aligned}\mathcal{S}^q &\stackrel{\text{def}}{=} \boxed{\mathcal{R}_{\text{regions}}} \text{ devices} \\ &\wedge \boxed{\mathcal{R}_{\text{Kirchhoff}}} \text{ nets} \\ &\wedge \boxed{\mathcal{R}_{\text{supplies}}} \text{ environment} \\ &\wedge \boxed{\mathcal{R}_{\text{inputs}}} \\ &\wedge \dots\end{aligned}$$



# Quantitative circuit semantics



# Quantitative circuit semantics

$$\mathcal{S}^q \stackrel{\text{def}}{=} \begin{array}{l} \boxed{\mathcal{R}_{regions}} \text{ devices} \\ \wedge \quad \boxed{\mathcal{R}_{Kirchhoff}} \text{ nets} \\ \wedge \quad \boxed{\mathcal{R}_{supplies}} \\ \wedge \quad \boxed{\mathcal{R}_{inputs}} \\ \wedge \quad \dots \end{array}$$

IEEE TCAD 2025

Modeling Techniques for the Formal Verification  
of Integrated Circuits at Transistor-Level:  
Performance Versus Precision Tradeoffs

Oussama Oulkaid<sup>1,4</sup>, Bruno Ferre<sup>2</sup>, Mathieu Moy<sup>3</sup>, Pascal Raymond<sup>4</sup>, Mehdi Khosravian<sup>4</sup>

<sup>1</sup>Univ. Lyon, Inria, UCBL, CNRS, Inria, LIP, F-69342, LYON Cedex 07, France

<sup>2</sup>Univ. Grenoble Alpes, CNRS, Grenoble INP, VERIMAG, 38000 Grenoble, France

<sup>3</sup>Anaith, 38000 Grenoble, France



**Abstract**—The behavior of any electronic system can be traced back to how its constituting components physically interact with each other. Such low-level interactions explain how specific states of a given circuit are physically possible. Some circuit states can be erroneous, e.g., applying a voltage stress greater than what the device can withstand. Formal methods can help us know whether such errors can happen on a given circuit, so that required corrections can be made. Identifying errors requires executions can cover a representative subset. Formal methods, on the other hand, can explore an abstraction of the state-space more exhaustively. To ensure soundness, one therefore needs to consider conservative assumptions about the circuit behavior. However, the more coarse the modeling used in a verification tool is, the more the rate of false alarms the tool reports is likely to be high. False alarms can only be avoided by being

## Semantics comparison: case of the inverter

## Semantics comparison: case of the inverter



## Semantics comparison: case of the inverter



## Semantics comparison: case of the inverter



## Semantics comparison: case of the inverter



## Semantics comparison: case of the inverter



# Formal comparisons of semantics

# Formal comparisons of semantics



## Formal comparisons of semantics



$$\forall \mathcal{V}, \forall \mathcal{I}, (\mathcal{V}, \mathcal{I}) \models \mathcal{S}^q \Rightarrow \mathcal{V} \models \mathcal{S}^t$$

$$\exists \mathcal{V}, \forall \mathcal{I}, (\mathcal{V}, \mathcal{I}) \models (\mathcal{S}^t \wedge \neg \mathcal{S}^q)$$

$$\exists \mathcal{V}, \mathcal{V} \models (\mathcal{S}^s \wedge \neg \mathcal{S}^t)$$

$$\exists \mathcal{V}, \mathcal{V} \models (\mathcal{S}^t \wedge \neg \mathcal{S}^s)$$

$$\exists \mathcal{V}, \mathcal{V} \models (\mathcal{S}^s \wedge \neg \mathcal{S}^q)$$

$$\exists \mathcal{V}, \mathcal{V} \models (\mathcal{S}^q \wedge \neg \mathcal{S}^s)$$

# Formal comparisons of semantics



- ▶  $\forall \mathcal{V}, \forall \mathcal{I}, (\mathcal{V}, \mathcal{I}) \models \mathcal{S}^q \Rightarrow \mathcal{V} \models \mathcal{S}^t$
- $\exists \mathcal{V}, \forall \mathcal{I}, (\mathcal{V}, \mathcal{I}) \models (\mathcal{S}^t \wedge \neg \mathcal{S}^q)$
- $\exists \mathcal{V}, \mathcal{V} \models (\mathcal{S}^s \wedge \neg \mathcal{S}^t)$
- $\exists \mathcal{V}, \mathcal{V} \models (\mathcal{S}^t \wedge \neg \mathcal{S}^s)$
- $\exists \mathcal{V}, \mathcal{V} \models (\mathcal{S}^s \wedge \neg \mathcal{S}^q)$
- $\exists \mathcal{V}, \mathcal{V} \models (\mathcal{S}^q \wedge \neg \mathcal{S}^s)$

## Formal comparisons of semantics



$$\forall \mathcal{V}, \forall \mathcal{I}, (\mathcal{V}, \mathcal{I}) \models \mathcal{S}^q \Rightarrow \mathcal{V} \models \mathcal{S}^t$$

- $\exists \mathcal{V}, \forall \mathcal{I}, (\mathcal{V}, \mathcal{I}) \models (\mathcal{S}^t \wedge \neg \mathcal{S}^q)$
- $\exists \mathcal{V}, \mathcal{V} \models (\mathcal{S}^s \wedge \neg \mathcal{S}^t)$
- $\exists \mathcal{V}, \mathcal{V} \models (\mathcal{S}^t \wedge \neg \mathcal{S}^s)$
- $\exists \mathcal{V}, \mathcal{V} \models (\mathcal{S}^s \wedge \neg \mathcal{S}^q)$
- $\exists \mathcal{V}, \mathcal{V} \models (\mathcal{S}^q \wedge \neg \mathcal{S}^s)$

# Formal comparisons of semantics



$$\forall \mathcal{V}, \forall \mathcal{I}, (\mathcal{V}, \mathcal{I}) \models \mathcal{S}^q \Rightarrow \mathcal{V} \models \mathcal{S}^t$$

$$\exists \mathcal{V}, \forall \mathcal{I}, (\mathcal{V}, \mathcal{I}) \models (\mathcal{S}^t \wedge \neg \mathcal{S}^q)$$

$$\exists \mathcal{V}, \mathcal{V} \models (\mathcal{S}^s \wedge \neg \mathcal{S}^t)$$

$$\exists \mathcal{V}, \mathcal{V} \models (\mathcal{S}^t \wedge \neg \mathcal{S}^s)$$

$$\exists \mathcal{V}, \mathcal{V} \models (\mathcal{S}^s \wedge \neg \mathcal{S}^q)$$

$$\exists \mathcal{V}, \mathcal{V} \models (\mathcal{S}^q \wedge \neg \mathcal{S}^s)$$

## IEEE TCAD 2025

### Modeling Techniques for the Formal Verification of Integrated Circuits at Transistor-Level: Performance Versus Precision Tradeoffs

Oussama Oukaid<sup>1,4</sup> Bruno Ferre<sup>2</sup> Matthieu Moy<sup>3</sup> Pascal Raymond<sup>4</sup> Mehdi Khosravian<sup>4</sup>

<sup>1</sup>Univ. Lyon, Ens., UCB, CNRS, Inria, LIP, F-69342, LYON Cedex 07, France

<sup>2</sup>Univ. Grenoble Alpes, CNRS, Grenoble INP\*, VERIMAG, 38000 Grenoble, France

\*Aniah, 38000 Grenoble, France

**Abstract**—The behavior of any electronic system can be traced back to how its constituting components physically interact with each other. Such low-level interactions explain how specific states of a given circuit are physically possible. Some circuit states can be considered as erroneous, i.e., they do not represent what some device can tolerate. It is of particular importance to know whether such errors can happen on a given circuit, so that required corrections can be made. Identifying errors requires some circuit modeling that is able to explore the large state space of the circuit model (which may be finite or not, if all finite). In this work, we show the limitations of classical verification techniques, and propose a new approach based on formal methods to overcome them. We propose new circuit semantics for transistor-level simulations: (1) introducing more precise semantics than existing semantics, and (2) introducing novel alternate ones. We then demonstrate their usage in one verification framework—which makes use of a satisfiability modulo theories (SMT) solver—to tackle open-loop problems of circuit verification. We also address the problem of the search for circuit transistors that are subject to electrical overstress (EOS). We draw interesting conclusions by comparing the presented circuit semantics, both formally and via experimental benchmarks.

**Index Terms**—Electrical overstress (EOS), Electrical rule checking (ERC), Formal verification, Integrated circuits, Satisfiability modulo theories (SMT) solving

#### I. INTRODUCTION

VERIFICATION is an essential phase in the design flow of integrated circuits. It represents 50–60 % of the entire project time [1]. Albeit existing verification techniques are numerous, new Application Specific Integrated Circuit (ASIC) designs are still subject to logical and functional flaws, among which 60 % are caused by design errors [2]. The ideal verification flow is both sound (i.e., never misses an actual error) and scalable. However, in practice, it is very hard to achieve both properties, which leads to many design errors only being discovered after tape-out. Unsoundness in a verification tool is due, in practice, to either (1) wrong hypotheses about the circuit behavior, which lead to some circuit states not being captured in the abstract modeling of the circuit [3], or (2) not considering the full circuit's state-space (which can be very large, or even infinite if we consider continuous intervals of possible voltages). In practice, the concrete state-space of a non-trivial circuit cannot be covered enumeratively, but concrete

<sup>1</sup>Institute of Engineering Univ. Grenoble Alpes  
Accepted for publication at IEEE TCAD in September, 2025.

executions can cover a representative subset. Formal methods, on the other hand, can explore an abstraction of the state-space more exhaustively. To ensure soundness, one therefore needs to consider conservative assumptions about the circuit behavior. However, the more coarse the modeling used in a verification tool is, the more the rate of false alarms the tool reports is likely to be high. False alarms can only be avoided by being more precise. Yet, precise techniques (e.g., simulation) fail to scale to large designs. It is hence difficult to find a good performance/precision trade-off.

In this work, we focus on formally defining *rules* to generate abstract circuit modelings, with the intent of being sound. We propose two novel circuit semantics: (1) a more precise semantics, each, at a reasonable cost, capturing electrical properties of circuits to the specified level of granularity. We recall the switch-based modeling initially introduced in [4], and we propose enhancements to their semantics. We also propose new quantitative semantics to address limitations that were identified with switch-based semantics in some of the considered use-cases. Finally, we study the usability of each of the presented approaches, and conduct experiments on real-life circuits, namely, for the detection of electrical overstress (EOS) errors.

The paper is organized as follows: Section II presents some background on circuit behavior and the notation used throughout the paper. Section III shows the positioning of this work with respect to related work. Section IV then presents existing modeling techniques and introduces new ones. Section V compares all semantics formally and informally. A demonstration of the use of our semantic-based analyses in tackling the problem of verification of electrical overstress is presented in Section VI. The demonstration is backed by an experimental evaluation of the approach, conducted on an industrial circuits database. Finally, the paper is concluded with a summary and discussion of future work (Section VII).

#### II. CIRCUITS: NOTATION AND BEHAVIOR

##### A. Background and notation

A circuit description (or *netlist*—i.e., the set of devices the circuit is made of, and how they are interconnected) is structural information which alone does not say much about how the circuit behaves. It is only in the presence of some environment configuration (e.g., power supplies and

## $\mathcal{S}^q$ versus $\mathcal{S}^t$ : missing level-shifter

| $\mathcal{S}^t$ | $\mathcal{S}^q$ | count |
|-----------------|-----------------|-------|
| ⚠️              | ⚠️              | 7889  |
| ⚠️              | ✓               | 2388  |
| ✓               | ⚠️              | 0     |
| ✓               | ✓               | 12321 |

## $\mathcal{S}^q$ versus $\mathcal{S}^t$ : missing level-shifter

| $\mathcal{S}^t$ | $\mathcal{S}^q$ | count |
|-----------------|-----------------|-------|
| ⚠️              | ⚠️              | 7889  |
| ⚠️              | ✓               | 2388  |
| ✓               | ⚠️              | 0     |
| ✓               | ✓               | 12321 |

errors refuted by  $\mathcal{S}^q$

## $\mathcal{S}^q$ versus $\mathcal{S}^t$ : missing level-shifter

| $\mathcal{S}^t$ | $\mathcal{S}^q$ | count |
|-----------------|-----------------|-------|
| ⚠️              | ⚠️              | 7889  |
| ⚠️              | ✓               | 2388  |
| ✓               | ⚠️              | 0     |
| ✓               | ✓               | 12321 |

errors refuted by  $\mathcal{S}^q$   
expected, since  $\mathcal{S}^q \subseteq \mathcal{S}^t$



## $\mathcal{S}^q$ versus $\mathcal{S}^t$ : missing level-shifter

| $\mathcal{S}^t$ | $\mathcal{S}^q$ | count |
|-----------------|-----------------|-------|
| ⚠️              | ⚠️              | 7889  |
| ⚠️              | ✓               | 2388  |
| ✓               | ⚠️              | 0     |
| ✓               | ✓               | 12321 |

errors refuted by  $\mathcal{S}^q$   
expected, since  $\mathcal{S}^q \subseteq \mathcal{S}^t$



## $\mathcal{S}^q$ versus $\mathcal{S}^t$ : missing level-shifter

| $\mathcal{S}^t$ | $\mathcal{S}^q$ | count |
|-----------------|-----------------|-------|
| ⚠️              | ⚠️              | 7889  |
| ⚠️              | ✓               | 2388  |
| ✓               | ⚠️              | 0     |
| ✓               | ✓               | 12321 |

errors refuted by  $\mathcal{S}^q$   
expected, since  $\mathcal{S}^q \subseteq \mathcal{S}^t$



$\mathcal{S}^q$  globally slower



## $\mathcal{S}^q$ versus $\mathcal{S}^t$ : electrical overstress

| $\mathcal{S}^t$ | $\mathcal{S}^q$ | count |
|-----------------|-----------------|-------|
| ⚠️              | ⚠️              | 2804  |
| ⚠️              | ✓               | 152   |
| ✓               | ⚠️              | 0     |
| ✓               | ✓               | 188   |

## $\mathcal{S}^q$ versus $\mathcal{S}^t$ : electrical overstress

| $\mathcal{S}^t$ | $\mathcal{S}^q$ | count |
|-----------------|-----------------|-------|
| ⚠️              | ⚠️              | 2804  |
| ⚠️              | ✓               | 152   |
| ✓               | ⚠️              | 0     |
| ✓               | ✓               | 188   |

errors refuted by  $\mathcal{S}^q$   
expected, since  $\mathcal{S}^q \subseteq \mathcal{S}^t$



# $\mathcal{S}^q$ versus $\mathcal{S}^t$ : electrical overstress

| $\mathcal{S}^t$ | $\mathcal{S}^q$ | count |
|-----------------|-----------------|-------|
| ⚠️              | ⚠️              | 2804  |
| ⚠️              | ✓               | 152   |
| ✓               | ⚠️              | 0     |
| ✓               | ✓               | 188   |

errors refuted by  $\mathcal{S}^q$   
expected, since  $\mathcal{S}^q \subseteq \mathcal{S}^t$



## $\mathcal{S}^q$ versus $\mathcal{S}^t$ : electrical overstress

| $\mathcal{S}^t$ | $\mathcal{S}^q$ | count |
|-----------------|-----------------|-------|
| ⚠️              | ⚠️              | 2804  |
| ⚠️              | ✓               | 152   |
| ✓               | ⚠️              | 0     |
| ✓               | ✓               | 188   |

errors refuted by  $\mathcal{S}^q$   
expected, since  $\mathcal{S}^q \subseteq \mathcal{S}^t$



$\mathcal{S}^q$  promising to reduce false positives rate  
at the cost of performance



Semantics  $\mathcal{S}^s$ ,  $\mathcal{S}^t$  and  $\mathcal{S}^q$  are used to identify errors

Semantics  $\mathcal{S}^s$ ,  $\mathcal{S}^t$  and  $\mathcal{S}^q$  are used to identify errors

Designers fix the circuit . . .

That is not the end of the story

That is not the end of the story

Correct circuits are still faced with aging

Part 5 of 5

# Circuit Reliability Analysis

**Every circuit will eventually die**

Every circuit will eventually die

---

→ age

# Every circuit will eventually die



# Every circuit will eventually die



# Every circuit will eventually die



# Every circuit will eventually die



# Every circuit will eventually die



# Time-dependent dielectric breakdown (TDDB)

# Time-dependent dielectric breakdown (TDDB)



# Time-dependent dielectric breakdown (TDDB)



# Time-dependent dielectric breakdown (TDDB)



# Time-dependent dielectric breakdown (TDDB)



# Time-dependent dielectric breakdown (TDDB)



# Time-dependent dielectric breakdown (TDDB)



# Time-dependent dielectric breakdown (TDDB)



# Time-dependent dielectric breakdown (TDDB)



# Time-dependent dielectric breakdown (TDDB)



# Time-dependent dielectric breakdown (TDDB)



**What is the least reliable circuit state?**

# What is the least reliable circuit state?



# What is the least reliable circuit state?



Submitted  
IEEE TCAD 2026

Time-Dependent Dielectric Breakdown  
Worst-Steady-State Analysis of Integrated Circuits  
using Optimization Modulo Theories

Oussama Oualkaid<sup>†,‡</sup>, Matthieu Moy<sup>‡</sup>, Bruno Ferrier<sup>‡</sup>, Pascal Raymond<sup>‡</sup>, Mehdi Khosravian<sup>‡</sup>  
<sup>†</sup>Université Claude Bernard Lyon 1, CNRS, ENS de Lyon, Inria, LIP, UMR 5669, 69342, Lyon cedex 07, France  
<sup>‡</sup>Univ. Grenoble Alpes, CNRS, Grenoble INP\*, VERIMAG, 38000 Grenoble, France  
<sup>\*</sup>Ainah, 38000 Grenoble, France

**Abstract**—Integrated circuits are subject to aging, which eventually leads to the loss of their functionality. Their lifetime depends on both their conditions of operation, and devices' technological parameters. In this paper, we propose a novel method for the analysis of the lifetime of circuits, with respect to the Time-Dependent Dielectric Breakdown (TDDB) failure mechanism. Using reliability models, we reduce the circuit analysis into logical formulas, we leverage an Optimization Modulo Theories (OMT) solver to yield the circuit state which leads to the fastest aging. This makes it possible to identify the ‘worst state’ of a circuit, i.e., the state that will lead to the fastest aging if the circuit state did not evolve over time. This is a valuable information for engineers who want to increase the lifetime of their circuits and protect them against catastrophic events like TDDB. Such goal is formalized as an optimization problem (in terms of the variables of the logic encoding the circuit), which can be solved by the help of optimization features of monitors like Z3’s  $\nu$ -Z OMT engine. We demonstrate the usefulness of our approach on a database of industrial circuits, showing how it can be used to efficiently analyze small-to-mid size circuits (in the order of a hundred transistors).

**Index Terms**—Formal methods, Integrated circuits, Optimization Modulo Theories (OMT), Reliability, Time-Dependent Dielectric Breakdown (TDDB), Transistor-level analysis

each device as a function of circuit age. This function also depends on physical parameters that can directly be obtained from the foundry or may be derived from existing standard models like JEDEC [4] that describes the probability of failure as a Weibull distribution [5]. Moreover, some ways to use the optimization features of monitors allow the user to take into account the behavior of the circuit before breakdowns.

In the literature, the problem of the prediction of a circuit’s lifetime is mainly addressed considering execution traces (typically in simulation) and a physical model, to evaluate the aging of the circuit. These approaches typically reuse and extend Simulation Program with Integrated Circuit Emphasis (SPICE) [6], [7]. The main limitation of SPICE is that it cannot cover continuous intervals of input vectors.

In this work, we reuse a physical failure model (JEDEC), but use a formal, symbolic approach to reason about the behavior of the circuit. We compute the worst case of a circuit with respect to TDDB, i.e., the steady-state of the circuit that makes it age the fastest. Since TDDB depends on circuit state and not on switching activity, we restrict ourselves to the analysis of aging in a given steady-state. We use previously introduced approaches [8], [9] based on circuit semantics to symbolically model the behavior of the circuit.

## I. INTRODUCTION

When it comes to integrated circuits design, aging is a type of degradation which can negatively impact both lifetime and performances of a circuit [1], [2]. The exact impacts of aging depends on the nature of the failure mechanism in circuit. To cope with those failure mechanisms, designers must hence consider various failure mechanisms, to build circuits that are less prone to aging. In this work, we address the Time-Dependent Dielectric Breakdown (TDDB) failure mechanism — also called time-dependent oxide breakdown. The physics behind TDDB may be explained by the creation of defects in the transistor’s oxide film, as a result of long-time application of a high voltage. The accumulation of defects leads to a loss of dielectric properties, which causes permanent structural damage in the silicon oxide film [3].

Modeling the precise physics behind TDDB failures is a well studied problem, and can be summarized with models that compute the evolution of the probability of failure for

the main contribution of this paper is to formalize an objective function representing the circuit reliability, expressed in terms of variables of the circuit formula. We then use an Optimization Modulo Theories (OMT) [10] solver — i.e., Satisfaction Modulo Theories (SMT) [11] — with a support for optimization capabilities — to find the worst case circuit state showcasing a safe lower bound value of reliability, or to find the lifetime at which a specific reliability is achieved, based on the use-case.

## II. OVERVIEW OF THE APPROACH

Given a circuit description (i.e., transistor level netlist) and reliability model of devices, our approach first encodes the circuit into a logic formula  $\mathcal{S}$  that is built from circuit semantics extracted in previous sections. We introduce two kinds of circuit semantics: (1) switch-based semantics introduced in [8], and (2) quantitative semantics introduced in [9]. We recall these semantics, briefly, in Sections IV-A and IV-B. The

<sup>†</sup>Institute of Engineering Unit, Grenoble Alpes

Defining circuit reliability  $\mathcal{R}$ , to minimize

## Defining circuit reliability $\mathcal{R}$ , to minimize

$$\mathcal{R} = \prod_{M \in \text{Transistors}} \mathcal{R}_M$$

## Defining circuit reliability $\mathcal{R}$ , to minimize

$$\mathcal{R} = \prod_{M \in \text{Transistors}} \mathcal{R}_M$$

↓  
Weibull distribution

## Defining circuit reliability $\mathcal{R}$ , to minimize



# Defining circuit reliability $\mathcal{R}$ , to minimize



# Defining circuit reliability $\mathcal{R}$ , to minimize



# Defining circuit reliability $\mathcal{R}$ , to minimize



# Defining circuit reliability $\mathcal{R}$ , to minimize



$\mathcal{R}$  is hard to minimize (non-linear arithmetics)

# Defining circuit reliability $\mathcal{R}$ , to minimize



$\mathcal{R}$  is hard to minimize (non-linear arithmetics)

$$\text{minimize} \left( \prod_M \mathcal{R}_M \right)$$

# Defining circuit reliability $\mathcal{R}$ , to minimize



$\mathcal{R}$  is hard to minimize (non-linear arithmetics)

$$\text{minimize} \left( \prod_M \mathcal{R}_M \right) \rightsquigarrow \text{minimize} \left( \sum_M \ln(\mathcal{R}_M) \right)$$

# Defining circuit reliability $\mathcal{R}$ , to minimize



$\mathcal{R}$  is hard to minimize (non-linear arithmetic)

$$\text{minimize} \left( \prod_M \mathcal{R}_M \right) \rightsquigarrow \text{minimize} \left( \sum_M \ln(\mathcal{R}_M) \right)$$

still non-linear

## Defining circuit reliability $\mathcal{R}$ , to minimize



## Defining circuit reliability $\mathcal{R}$ , to minimize



# Defining circuit reliability $\mathcal{R}$ , to minimize



# Minimizing circuit reliability: empirical evaluation



ADC

# Minimizing circuit reliability: empirical evaluation



# Minimizing circuit reliability: empirical evaluation



ADC



# Minimizing circuit reliability: empirical evaluation



ADC



# Minimizing circuit reliability: empirical evaluation



ADC



# Minimizing circuit reliability: empirical evaluation



ADC



Very close results

$\mathcal{S}^s$  faster than  $\mathcal{S}^t$



$\mathcal{S}^t$  under-approximates reliability

$\mathcal{S}^q$  (surprisingly) faster than  $\mathcal{S}^t$ !



# Summary













Abstract: Electrical rule checking (ERC) is an important step in integrated circuit design. The focus of this paper is to propose a formal verification methodology for integrated circuits at the transistor level. The proposed methodology is based on the combination of two main pillars: (1) a time-dependent dielectric breakdown (TDB) model, which is able to predict the worst steady-state of a circuit's behavior over time, and (2) a time-dependent reliability analysis (TRA) model, which is able to predict the lifetime of a circuit's behavior over time. The proposed methodology is able to predict the worst steady-state of a circuit's behavior over time, and (2) a time-dependent reliability analysis (TRA) model, which is able to predict the lifetime of a circuit's behavior over time. The proposed methodology is able to predict the worst steady-state of a circuit's behavior over time, and (2) a time-dependent reliability analysis (TRA) model, which is able to predict the lifetime of a circuit's behavior over time.

Keywords: Electrical rule checking, integrated circuit design, time-dependent dielectric breakdown, time-dependent reliability analysis, optimization modulo theories.

Abstract: This paper is to propose a formal verification methodology for integrated circuits at the transistor level. The proposed methodology is based on the combination of two main pillars: (1) a time-dependent dielectric breakdown (TDB) model, which is able to predict the worst steady-state of a circuit's behavior over time, and (2) a time-dependent reliability analysis (TRA) model, which is able to predict the lifetime of a circuit's behavior over time.

Keywords: Electrical rule checking, integrated circuit design, time-dependent dielectric breakdown, time-dependent reliability analysis, optimization modulo theories.

Abstract: This paper is to propose a formal verification methodology for integrated circuits at the transistor level. The proposed methodology is based on the combination of two main pillars: (1) a time-dependent dielectric breakdown (TDB) model, which is able to predict the worst steady-state of a circuit's behavior over time, and (2) a time-dependent reliability analysis (TRA) model, which is able to predict the lifetime of a circuit's behavior over time.

Keywords: Electrical rule checking, integrated circuit design, time-dependent dielectric breakdown, time-dependent reliability analysis, optimization modulo theories.





### ACM TODAES 2025

### IEEE TCAD 2025

### Submitted IEEE TCAD 2026

This paper presents a new approach for the analysis of time-dependent dielectric breakdown (TDDB) in integrated circuits. The main idea is to model TDDB as a constraint satisfaction problem (CSP) and solve it using optimization modulo theories (OMT). The proposed method can handle TDDB in various circuit topologies, including 3D stacked structures. It also provides a way to analyze TDDB in real-world scenarios, such as during the manufacturing process or in the field. The results show that the proposed method is able to predict TDDB events with high accuracy and reliability. This work has the potential to revolutionize the design and reliability analysis of integrated circuits, making them more robust and reliable.

1. Introduction  
 When it comes to integrated circuit design, safety is a major concern. One of the most critical issues is the reliability of the circuit, which is often measured in terms of reliability of the circuit's lifetime. In this paper, we propose a new approach for the analysis of time-dependent dielectric breakdown (TDDB) in integrated circuits. The main idea is to model TDDB as a constraint satisfaction problem (CSP) and solve it using optimization modulo theories (OMT). The proposed method can handle TDDB in various circuit topologies, including 3D stacked structures. It also provides a way to analyze TDDB in real-world scenarios, such as during the manufacturing process or in the field. The results show that the proposed method is able to predict TDDB events with high accuracy and reliability. This work has the potential to revolutionize the design and reliability analysis of integrated circuits, making them more robust and reliable.

The main contribution of this paper is to introduce an efficient and reliable method for the analysis of TDDB in integrated circuits. We show that the proposed method is able to handle TDDB in various circuit topologies, including 3D stacked structures. The proposed method is also able to handle TDDB in real-world scenarios, such as during the manufacturing process or in the field. The results show that the proposed method is able to predict TDDB events with high accuracy and reliability. This work has the potential to revolutionize the design and reliability analysis of integrated circuits, making them more robust and reliable.

© 2026, Springer Nature Switzerland AG

Open Access This article is licensed under a Creative Commons Attribution License, which permits use, distribution, and reproduction in other forms, without prior permission or written permission from the copyright holders, provided the original author and source are credited.

The images or other third party material in this article are included in the article's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holders.

45/45

Thank you for listening!  
 Questions?

