Formal verification of safety properties in timed circuits by Peña Basurto, Marco Antonio et al.
Formal verification of safety properties in timed circuits 
Marco A. Peña†, Jordi Cortadella‡, Alex Kondratyev§ and Enric Pastor†
† Department of Computer Architecture, Technical University of Catalonia, 08034 Barcelona, Spain. {marcoa, enric}@ac.upc.es
‡ Department of Software, Technical University of Catalonia, 08034 Barcelona, Spain. jordic@lsi.upc.es
§ Theseus Logic Inc., 710 Lakeway Drive, Suite 230, Sunnyvale, CA 94086. alex.kondratyev@theseus.com
Abstract
The incorporation of timing makes circuit verification computationally expensive. This paper proposes a new approach for the verification of timed circuits. Rather than calculating the exact timed state space, a conservative overestimation that fulfills the property under verification is derived. Timing analysis with absolute delays is efficiently performed at the level of event structures and transformed into a set of relative timing constraints.
With this approach, conventional symbolic techniques for reachability analysis can be efficiently combined with timing analysis. Moreover, the set of timing constraints used to prove the correctness of the circuit can also be reported for backannotation purposes. Some preliminary results obtained by a naive implementation of the approach show that systems with more than $10^6$ untimed states can be verified.
1. Introduction
The correctness of speed-independent and delay-insensitive circuits can be proved by only considering the sequencing of events and abstracting time as nondeterministic delays. However, the correctness of timed circuits depends on the actual values of event delays. Typically, timing behavior is specified by a set of delays that determine the time duration between the initiation and the completion of an event. This is the valid model for the gates in a circuit, in which gate delays denote the time between the enabledness of the gate and the actual change at the output.
The calculation of the language generated by a timed system is proven to be PSPACE-complete [1], and demonstrated to be highly complex in several contexts such as real-time systems [1, 15] and asynchronous circuits [13, 9, 16, 18, 24, 27]. Difference bounds matrices [5] and decision diagrams [8] have been used to efficiently represent timed polyhedra. Even though these techniques have been combined with partially ordered sets [7], the size of the untimed state space is still the major bottleneck for the analysis of highly concurrent systems.
This paper proposes a novel approach that extends the applicability of the conventional methods based on symbolic reachability analysis to timed circuits. The approach is based on the following observation: the set of traces of a transition system can be covered by a set of marked graphs. Rather than calculating the exact timed state space, our approach performs an off-line timing analysis on a set of event structures that covers the traces leading to circuit failures. This timing analysis can be efficiently performed by using McMillan and Dill's algorithm [20]. If some of the failure traces cannot be proven to be timing inconsistent, then the system is incorrect.
(Footnote) This work has been partially funded by a grant from Intel Corporation, ACiD-WG (ESPRIT 21949), and the Ministry of Education of Spain under contracts CICYT's TIC 98-0410 and TIC 98-0949.
The idea of using event structures for timing analysis was already proposed in [17]. However, no algorithm was presented that can handle a general class of transition systems for verification. The approach presented in this paper not only verifies the circuit, but also provides a set of timing constraints required for its correctness. For speed-independent circuits, the method does not involve any additional overhead with regard to the conventional symbolic methods (e.g. [10]). In [21], an approach with similar goals, but limited to the comparison of circuit paths that start at the same point, was proposed.
With a very naive implementation of a preliminary prototype, circuits with more than $10^6$ untimed states have been verified in a few minutes of CPU time.
2. Overview
This work presents a formal approach to verify that a circuit with certain timing constraints satisfies a given safety property $P$. The circuit is modeled by means of a timed transition system (TTS), $A$, composed of an underlying transition system (TS), $A^-$, and two functions, $\delta_l$ and $\delta_u$, which associate minimal and maximal delays, respectively, to each event of the system. A given sequence of events of a TTS (a trace) is said to be timing consistent if it is possible to assign increasing time values to all the events such that their firing times are within the allowed bounds.
The verification problem is posed in terms of the following language inclusion question: $L(A) \subseteq L(P)$ [14]. The approach consists in building successive approximations of $L(A)$ starting from $L(A^-)$, by adding relative timing constraints [26] in an iterative manner. We start from the TS $A_0 = A^-$ and try to prove the inclusion $L(A_0) \subseteq L(P)$ by applying well-known symbolic model checking techniques [10, 12]. If this is true, then $L(A) \subseteq L(A_0) \subseteq L(P)$ and $A$ satisfies $P$ without any timing assumption. The verification succeeds.
If $P$ is not satisfied in some state, a trace $\sigma$ that leads to a failure is generated. If the trace is timing consistent, then the system is incorrect, i.e. it violates the required property. However, if the trace is not timing consistent, it can be used to refine the untimed state space and remove other inconsistent traces leading to failure states. To do this, a suffix $\sigma'$ of the trace $\sigma$ is taken and an event structure (acyclic marked graph) that covers $\sigma'$ is built. Timing analysis of the event structure is performed by using the algorithm in [20]. The state space of the event structure is composed with the untimed abstraction of the system, $A_0$, in such a way that at least the wrong trace is removed and no timing consistent trace is removed.
[Figure 1 not reproduced in this extraction; panel (d) lists the delay intervals [2.5,3], [1,2], [0.4,0.4] and [1,2], whose assignment to $a$, $b$, $c$ and $g$ is not recoverable from the extraction.]
Figure 1. Example 1. (a) Timed transition system with delay intervals specified in (d). (b,c) Event structures covering the traces starting from $s_0$. (e) Timed state space (shaded states are unreachable).
[Figure 2 not reproduced in this extraction.]
Figure 2. Example 1: first iteration. (a) A wrong trace and its corresponding event structure (b) annotated with timing arcs. (c) State space of the event structure (shaded states are unreachable). (d) TS obtained after composition.
A series of successive approximations $A_i$ of $A$ are constructed iteratively, with containment $L(A) \subseteq L(A_i)$ and monotonic convergence, $L(A_{i+1}) \subseteq L(A_i)$. At every step $L(A_i) \subseteq L(P)$ is checked. Verification stops successfully if the inclusion holds, or fails if a counterexample trace is found.
Iterative approaches for the verification of real-time systems have also been presented in [2, 6]. The major novelty of the approach in this paper is the use of event structures to perform efficient timing analysis, and to incorporate the resulting timing information in the form of relative timing constraints.
2.1. An example
This section illustrates the verification approach by means of a simple example. Figure 1 depicts the TTS modeling a system. Figure 1(a) shows its underlying TS, while Figure 1(d) shows the delay intervals of events $a$, $b$, $c$ and $g$. The delay interval for the rest of the events is $[0, \infty)$. Figure 1(e) depicts the state space of the system when the delays are taken into account. A crucial observation is that all traces that start and end at $s_0$ can be covered by the two event structures depicted in Figures 1(b) and (c). Black states are covered by the event structure (b). White states are covered by the event structure (c). Grey states are covered by both.
Assume that the property to be verified indicates that event $g$ must always precede event $d$ in any possible trace after having visited state $s_0$. It can be seen that the property holds in the timed state space. However, it does not hold in the untimed state space. By exploring the state space of Figure 1(a) we see that the property does not hold in state $s_{10}$ if $d$ fires before $g$. A failure trace from $s_0$ to $s_{10}$ followed by the firing of $d$ before $g$ can be generated (Figure 2(a)). From this trace, an event structure with the same causality relations can be derived (Figure 2(b)). Note that, in the event structure, $c$ is only triggered by $a$ but not triggered by $b$. This corresponds to the causal relations derived from the trace, i.e. $c$ is not enabled in $s_1$ and is enabled after having fired $a$ from $s_1$.
By timing analysis, we find that $b$ and $g$ always precede $c$. These timing relations are shown by dotted arcs. Such timing analysis is only valid for the causal relations expressed in the event structure, but it is not valid, for example, in the case when $b$ triggers $c$. Figure 2(c) depicts the state space of the event structure. Event $c$ is prevented from firing in some states, where its firing would be inconsistent with the timing analysis.
Finally, we incorporate all this information into the system (Figure 2(d)) by composing the original system and the event structure. An event structure derived from a particular trace gives only partial behaviors of the original system. When the behaviors of the system and the event structure mismatch, the special symbol $\bot$ is used. Some states in the composed system are split into two instances depending on whether they are reached by traces matching (enabling compatible) the event structure or not (see states $s_5$, $s_6$, $s_{11}$ and $s_{13}$). Figure 2(d) shows the resulting system. One can easily check that the set of traces is smaller than that of the original system, but larger than that of the actual state space in Figure 1(c), and that only timing inconsistent traces have been removed.
[Figure 3 not reproduced in this extraction.]
Figure 3. Example 1: second iteration. (a) A wrong trace and its corresponding event structure (b) annotated with timing arcs. (c) State space of the event structure (shaded states are unreachable). (d) TS obtained after composition.
This first step has removed some wrong traces but not all of them. Figure 3 depicts one more refinement. In the resulting system all the wrong traces have been removed, which proves that the system satisfies the property. Although it is not generally true, in this case the final state space contains exactly the same traces as the actual state space shown in Figure 1(c).
The following sections describe the theoretical aspects of the presented approach.
3. Transition systems
This section presents the main models used in the paper. Figure 4 shows the relationship among them.
Definition 3.1 (Transition System) [4]
A transition system (TS) is a quadruple $A = \langle S, \Sigma, T, s_{in} \rangle$, where $S$ is a non-empty set of states, $\Sigma$ is a non-empty alphabet of events, $T \subseteq S \times \Sigma \times S$ is a transition relation, and $s_{in}$ is the initial state. Transitions are denoted by $s \xrightarrow{e} s'$. An event $e$ is enabled at state $s$ if $\exists\, s \xrightarrow{e} s' \in T$. We will denote by $E(s)$ the set of events enabled at state $s$.
Definition 3.2 (Firing region)
Given a TS $A = \langle S, \Sigma, T, s_{in} \rangle$, the firing region of event $e$ is defined as $Fr(e) = \{ s \in S \mid e \in E(s) \}$.
In the sequel, we will only consider transition systems with the following properties:
- $S$ and $\Sigma$ are finite.
- $s \xrightarrow{e} s' \in T \;\wedge\; s \xrightarrow{e'} s' \in T \;\Rightarrow\; e = e'$ (no multiple arcs between any pair of states).
- $s \xrightarrow{e} s' \in T \;\Rightarrow\; e \notin E(s')$ (events are self-disabling).
[Figure 4 not reproduced in this extraction.]
Figure 4. Major notions of Section 3 and their relations.
Definition 3.3 (Run)
A run of a TS $A = \langle S, \Sigma, T, s_{in} \rangle$ is a sequence $\rho = s_1 \xrightarrow{e_1} s_2 \xrightarrow{e_2} \cdots$, such that $s_1 = s_{in}$ and $\forall i \geq 1 : s_i \xrightarrow{e_i} s_{i+1} \in T$. Event $e_i$ is said to fire at step $i$.
With an abuse of notation, the expressions $s_i \in \rho$, $s_i \xrightarrow{e_i} s_{i+1} \in \rho$, $s_i \xrightarrow{e_i} \in \rho$, $\xrightarrow{e_i} s_{i+1} \in \rho$, etc., will often be used to denote the fact that different fragments of a sequence belong to a run.
Definition 3.4 (Enabling interval)
Let $A = \langle S, \Sigma, T, s_{in} \rangle$ be a TS and let $\rho = s_1 \xrightarrow{e_1} s_2 \xrightarrow{e_2} \cdots$ be a run of $A$. Given an event $e$ and a state $s_i \in \rho$ such that $s_i \in Fr(e)$, $FirstEnabled(s_i, e)$ is defined as the state $s_j$, $j \leq i$, such that
- $j \leq k \leq i \;\Rightarrow\; s_k \in Fr(e)$ ($e$ is continuously enabled between $s_j$ and $s_i$)
- $j > 0 \;\Rightarrow\; s_{j-1} \notin Fr(e)$ ($e$ is not enabled before $s_j$)
The sequence $s_j \xrightarrow{e_j} \cdots \xrightarrow{e_{i-1}} s_i$ is called the enabling interval of $e$ with respect to $s_i$.
Time is incorporated into transition systems by assuming that transitions happen instantaneously, while minimal and maximal delay bounds restrict the times at which they may occur.
Definition 3.5 (Timed Transition System) [15]
A timed transition system (TTS) is a triple $A = \langle A^-, \delta_l, \delta_u \rangle$, where $A^- = \langle S, \Sigma, T, s_{in} \rangle$ is a TS called the underlying transition system, and $\delta_l : \Sigma \to \mathbb{R}^+$ and $\delta_u : \Sigma \to \mathbb{R}^+ \cup \{\infty\}$ respectively associate a minimal and a maximal delay bound to each event, such that $\forall e \in \Sigma : \delta_l(e) \leq \delta_u(e)$.
Definition 3.6 (Timing-consistent run)
Let $A = \langle A^-, \delta_l, \delta_u \rangle$ be a TTS and let $\rho = s_1 \xrightarrow{e_1} s_2 \xrightarrow{e_2} \cdots$ be a run of $A^-$. $\rho$ is timing consistent with $A$ if a sequence $t_1 t_2 \cdots$ of real-valued time stamps can be found such that:
- $t_1 \leq t_2 \leq \cdots$
- $\forall\, s_i \xrightarrow{e_i} s_{i+1} \in \rho$ such that $FirstEnabled(s_i, e_i) = s_j$: $\delta_l(e_i) \leq t_{i+1} - t_j \leq \delta_u(e_i)$
- $\forall\, s_i \in \rho$ such that $s_i \in Fr(e)$ and $FirstEnabled(s_i, e) = s_j$: $t_i - t_j \leq \delta_u(e)$
The previous definition characterizes those runs which are possible according to the delay bounds of the system. The time stamp $t_{i+1}$ is assigned to state $s_{i+1}$ and corresponds to the firing time of event $e_i$ along $\rho$. Similarly, $t_j$ corresponds to the enabling time. Thus, the firing time of an event only depends on its enabling time plus a certain delay amount within the bounds.
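As an added illustration (not part of the paper), the following Python encodes Definition 3.6 for a finite trace as a set of difference constraints and decides consistency with Bellman-Ford; the delay bounds and the two sample traces are constructed for this example and are not the values of Figure 1(d).

```python
"""Timing consistency of a finite trace (Definition 3.6) by difference constraints.

Every condition of Definition 3.6 has the form t_a - t_b <= c, so a trace is
timing consistent iff the constraint graph has no negative cycle (Bellman-Ford).
"""
INF = float("inf")


def first_enabled(enabled_sets, i, e):
    """Index j of FirstEnabled(s_i, e) (Definition 3.4): walk back while e stays enabled."""
    j = i
    while j > 0 and e in enabled_sets[j - 1]:
        j -= 1
    return j


def difference_constraints(trace, dl, du):
    """Translate Definition 3.6 into triples (a, b, c) meaning t_a - t_b <= c.

    trace: list of (enabled_set, fired_event); the last entry has fired_event None
           (the trace E_1 -e_1-> E_2 ... -e_n-> E_{n+1}, states indexed from 0).
    dl, du: minimal / maximal delay per event; unlisted events get [0, inf).
    """
    enabled_sets = [E for E, _ in trace]
    cons = []
    for i, (E_i, e_i) in enumerate(trace):
        if e_i is not None:
            j = first_enabled(enabled_sets, i, e_i)
            cons.append((i, i + 1, 0.0))                 # t_i <= t_{i+1}
            cons.append((i + 1, j, du.get(e_i, INF)))    # t_{i+1} - t_j <= du(e_i)
            cons.append((j, i + 1, -dl.get(e_i, 0.0)))   # t_{i+1} - t_j >= dl(e_i)
        for e in E_i:                                    # an enabled event has not timed out yet
            j = first_enabled(enabled_sets, i, e)
            cons.append((i, j, du.get(e, INF)))          # t_i - t_j <= du(e)
    return cons


def solve(cons, n):
    """Bellman-Ford over n time stamps; returns a solution shifted to start at 0, or None."""
    edges = [(b, a, c) for a, b, c in cons if c != INF]  # t_a <= t_b + c is the edge b -> a
    dist = [0.0] * n                                     # a virtual source bounds every t_i by 0
    for _ in range(n):
        changed = False
        for b, a, c in edges:
            if dist[b] + c < dist[a]:
                dist[a] = dist[b] + c
                changed = True
        if not changed:
            break
    if any(dist[b] + c < dist[a] for b, a, c in edges):
        return None                                      # negative cycle: the bounds contradict
    lo = min(dist)
    return [d - lo for d in dist]


def timing_consistent(trace, dl, du):
    """(True, time stamps) if the trace is timing consistent, else (False, None)."""
    ts = solve(difference_constraints(trace, dl, du), len(trace))
    return ts is not None, ts


def satisfies(trace, dl, du, ts):
    """Check time stamps against every constraint of Definition 3.6."""
    return all(ts[a] - ts[b] <= c + 1e-9 for a, b, c in difference_constraints(trace, dl, du))


# Constructed delay bounds (an assumption for this example, not the bounds of Figure 1(d)).
# Unlisted events such as y keep the unbounded interval [0, inf).
DL = {"b": 1.0, "d": 1.0, "g": 0.5}
DU = {"b": 2.0, "d": 2.0, "g": 0.5}
# Suffix {b,g} -b-> {d,g} -d-> {g} -g-> {y} of the failure trace of Section 7.2: d fires before g.
D_BEFORE_G = [({"b", "g"}, "b"), ({"d", "g"}, "d"), ({"g"}, "g"), ({"y"}, None)]
# The alternative ordering in which g fires first.
G_BEFORE_D = [({"b", "g"}, "g"), ({"b"}, "b"), ({"d"}, "d"), ({"y"}, None)]

if __name__ == "__main__":
    for name, tr in (("d before g", D_BEFORE_G), ("g before d", G_BEFORE_D)):
        ok, ts = timing_consistent(tr, DL, DU)
        print(name, "consistent" if ok else "timing inconsistent", ts)
```

With these bounds the suffix in which $d$ fires before $g$ is timing inconsistent, because $g$ must fire exactly 0.5 after the first state while $b$ needs at least 1; the ordering with $g$ first admits the time stamps 0, 0.5, 1, 2.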
Next, lazy transition systems [11] are introduced. The notion of laziness explicitly distinguishes between the enabling and the firing of an event, assuming a certain implicit delay between them.
Definition 3.7 (Lazy Transition System)
A lazy transition system (LzTS) is a five-tuple $A = \langle S, \Sigma, T, s_{in}, En \rangle$, where $\langle S, \Sigma, T, s_{in} \rangle$ is a TS, and the function $En : \Sigma \to 2^S$ defines the enabling region of each event, in such a way that $Fr(e) \subseteq En(e)$ for any $e \in \Sigma$. Thus, event $e$ is said to be enabled at state $s \in S$ if $s \in En(e)$. An event $e$ is said to be lazy if $Fr(e) \neq En(e)$.
Notice that a TS is just a particular case of LzTS in which both enabling and firing regions coincide for all the events. Figure 1(e) shows an example of a lazy transition system where event $c$ is lazy since it is enabled in states $s_2$, $s_3$, $s_4$, $s_5$ and $s_6$, but is allowed to fire only in $s_6$.
The notions of $FirstEnabled(s_i, e)$ and enabling interval of $e$ with respect to $s_i$ are naturally extended to lazy transition systems from Definition 3.4, by considering $En(e)$ instead of $Fr(e)$ for the enabledness of event $e$.
4. Traces and languages
A common semantics that unifies all the models above can be
defined in terms of traces. Based on traces, we will derive several
notions that formalize our refinement approach for verification.
This flow, depicted in Figure 5, covers the contents of Sections 4
and 5.
We extend the usual notion of trace [19] by associating the set
of enabled events to the firing of each event in a run. Thus, each
element of the trace keeps track of which events are enabled and
which event fires at each step.
[Figure 5 not reproduced in this extraction.]
Figure 5. From traces to language refinement.
Definition 4.1 (Trace)
Let $\Sigma$ be an alphabet of events. A trace $\sigma = E_1 \xrightarrow{e_1} E_2 \xrightarrow{e_2} \cdots$ is a sequence such that $\forall i \geq 1 : E_i \subseteq \Sigma$ and $e_i \in E_i$, where $E_i$ denotes the set of events enabled when $e_i$ fires.
Remark: Henceforth, and for the sake of simplicity, all events in
a trace will be assumed to be distinct. This assumption can always
be enforced by renaming different occurrences of the same event.
This renaming does not affect the validity of the theory presented
in this paper.
Definition 4.2 (Traces in LzTSs)
Each run $\rho = s_1 \xrightarrow{e_1} s_2 \xrightarrow{e_2} \cdots$ of a LzTS defines a trace $\sigma_\rho = E_1 \xrightarrow{e_1} E_2 \xrightarrow{e_2} \cdots$ where $E_i$ is the set of events enabled at $s_i$, i.e. $E_i = E(s_i)$.
Definition 4.3 (Languages)
The language $L(A)$ of a LzTS $A$ is the set of traces defined by all runs of $A$. The language $L(A)$ of a TTS $A = \langle A^-, \delta_l, \delta_u \rangle$ is the set of traces defined by all timing-consistent runs of $A^-$.
Lemma 4.4
Let $A = \langle A^-, \delta_l, \delta_u \rangle$ be a TTS. Then, $L(A) \subseteq L(A^-)$.
The proof directly follows from Definition 4.3.
The following definition is the cornerstone of the verification
strategy presented in this paper.
Definition 4.5 (Enabling-compatible trace mapping)
Let $\sigma = \cdots \to E_0 \xrightarrow{e_0} E_1 \xrightarrow{e_1} E_2 \xrightarrow{e_2} \cdots \xrightarrow{e_n} E_{n+1} \to \cdots$ be a trace over the alphabet of events $\Sigma$ and let $\sigma' = E'_1 \xrightarrow{e'_1} E'_2 \xrightarrow{e'_2} \cdots \xrightarrow{e'_m} E'_{m+1}$ be a trace over the alphabet $\Sigma' \subseteq \Sigma$. Let $\sigma_t = E_1 \xrightarrow{e_1} E_2 \xrightarrow{e_2} \cdots \xrightarrow{e_n} E_{n+1}$ be a fragment of $\sigma$. An enabling-compatible mapping of $\sigma_t$ onto $\sigma'$ is a function $map : \{E_1, \ldots, E_{n+1}\} \mapsto \{E'_1, \ldots, E'_{m+1}\}$ such that:
a) $map(E_1) = E'_1$ (initialization)
b) $\forall\, 1 \leq i \leq n : map(E_i) = E_i \cap \Sigma'$ (projection)
c) $\forall\, 1 \leq i \leq n : \big(map(E_i) = map(E_{i+1}) \wedge e_i \notin \Sigma'\big) \;\vee\; \big(map(E_i) = E'_j \wedge map(E_{i+1}) = E'_{j+1} \wedge e_i = e'_j\big)$ (firing)
The mapping of $\sigma$ onto $\sigma'$ is a function that preserves the enabledness of the events in $\sigma'$. Initially, the events enabled in $E'_1$ must also be enabled in $E_1$ (initialization condition). Next, the events of $\sigma'$ enabled along $\sigma$ and $\sigma'$ must be the same (projection condition). Moreover, $\sigma$ may fire events that are not relevant to $\sigma'$ (when $map(E_i) = map(E_{i+1})$ in the firing condition). Since the firing time of an event only depends on its enabling time and its delay (see Section 3), this notion will allow us to apply the timing analysis of $\sigma'$ to $\sigma$ in the fragment $\sigma_t$.
[Figure 6 not reproduced in this extraction; the left mapping uses $\Sigma' = \{a, c, d, g\}$ and the right one $\Sigma' = \{b, c, d\}$.]
Figure 6. Example of enabling-compatible and non-enabling-compatible mapping.
Figure 6 shows an example of trace mapping of the shadowed fragment. The mapping at the right, with $\Sigma' = \{b, c, d\}$, is not enabling-compatible since it violates the projection condition when taking $E_i = \{b, c, g\}$ and $map(E_i) = \{b\}$. Clearly, $a$ enables $c$ in $\sigma$, whereas $c$ is enabled by $b$ in $\sigma'$.
The notions of enabling interval and timing-consistent run with respect to a pair of functions $\delta_l$ and $\delta_u$ that assign min/max delays to the events (see Definitions 3.4 and 3.6 respectively) can be naturally extended to traces. From this extension it can be easily proved that a trace defined by a timing-consistent run is also a timing-consistent trace with $\delta_l$ and $\delta_u$.
The following is the main theoretical result of this work.
Theorem 4.6 (see proof in [23])
Let $\sigma$, $\sigma'$ and $\sigma_t$ be traces with the same conditions as in Definition 4.5. Let $map$ be an enabling-compatible mapping from $\sigma_t$ onto $\sigma'$. Let $\delta_l$ and $\delta_u$ be two functions that assign arbitrary min/max delays to the events in $\Sigma'$ and $0$ and $\infty$ delays to the events in $\Sigma \setminus \Sigma'$, respectively.
Then, $\sigma$ is timing consistent $\iff$ $\sigma'$ is timing consistent.
The previous theorem states that the timing analysis of a trace can be reduced to the timing analysis of those events that are causally related (events in $\Sigma'$). Therefore, the events that are concurrent with all the events of $\Sigma'$ can be abstracted out. Hence, the timing analysis for one trace can be applied to all those traces that have the same causality relations among the events in $\Sigma'$.
5. Event structures
This section presents the basic theory on causal event structures
and their traces. Event structures are the only object for which
we perform timing analysis, which is rather simple because event
structures are acyclic. Taking an event structure which partially
specifies the behavior of the original system, we map the timing
constraints back to the system behavior by means of composing
the system and the event structure.
Definition 5.1 (Causal event structure) [22]
A causal event structure (CES), $CS = \langle \Sigma, \prec \rangle$, is a finite set $\Sigma$ of events and a precedence relation $\prec \subseteq \Sigma \times \Sigma$ (irreflexive, antisymmetric and transitive) over $\Sigma$ called the causality relation. A causal event structure is usually depicted as a Hasse diagram (Figure 8(a)).
Definition 5.2 (Words and prefixes)
A topological order (or simply a word) of the events of $CS = \langle \Sigma, \prec \rangle$ is a sequence $e_1 \cdots e_n \in \Sigma^n$ ($n = |\Sigma|$), such that $\forall\, 1 \leq i, j \leq n : e_i \prec e_j \Rightarrow i < j$. Given a word $\omega = e_1 \cdots e_i e_{i+1} \cdots e_n$, the $i$-th prefix of $\omega$ is denoted by $\omega_i = e_1 \cdots e_i$. The empty prefix is denoted by $\omega_0$.
Definition 5.3 (Events enabled by a prefix)
Let $CS = \langle \Sigma, \prec \rangle$ be a CES and let $\omega$ be a word of $CS$. The set of events enabled by $\omega_i$ is defined as $E(\omega_i) = \{ e_k \notin \omega_i \mid \forall e_j \in \Sigma : e_j \prec e_k \Rightarrow e_j \in \omega_i \}$.
That is, an event $e_k$ is enabled by a prefix $\omega_i$ if all the predecessor events (according to $\prec$) are in $\omega_i$ but $e_k$ is not.
Definition 5.4 (Traces generated by words)
Let $CS = \langle \Sigma, \prec \rangle$ be a CES and let $\omega = e_1 e_2 \cdots e_n$ be a word of $CS$. The trace generated by $\omega$ is defined as: $\sigma_\omega = E(\omega_0) \xrightarrow{e_1} E(\omega_1) \xrightarrow{e_2} \cdots \xrightarrow{e_{n-1}} E(\omega_{n-1}) \xrightarrow{e_n} \emptyset$.
Definition 5.5 (CES generated by a trace)
Let $\sigma = E_1 \xrightarrow{e_1} E_2 \xrightarrow{e_2} \cdots \xrightarrow{e_{n-1}} E_n \xrightarrow{e_n} E_{n+1}$ be a finite trace. The causal event structure $CS_\sigma = \langle \Sigma, \prec \rangle$ generated from $\sigma$ is defined as follows: $\Sigma = \{e_1, \ldots, e_n\}$; $e_i \prec e_j \iff i < j \;\wedge\; \nexists\, E_k \in \sigma : \{e_i, e_j\} \subseteq E_k$.
Definition 5.5 is illustrated by Figure 7. Trace (b) is taken from TS (a). The resulting CES, (c), captures the causality relations of the events in the trace. Notice, for example, how event $c$ only depends on $a$ according to the trace, although $b$ enables $c$ along other traces.
5.1. Timing analysis on event structures
CESs with timing assumptions can be derived from traces with events annotated with minimum and maximum delay bounds (see Definition 5.5). These assumptions are captured by the notion of maximal separation time between the events of a CES. The maximum separation time of two events $e_1$ and $e_2$ is computed as the maximum difference between their firing times, provided any possible assignment of delays to the events in the graph: $Sep_{max}(e_1, e_2) = \max\{ ft(e_1) - ft(e_2) \mid \text{for any delay assignment} \}$, where $ft$ denotes the firing time of the event.
A simple and efficient algorithm for the calculation of the maximal separation between events of a CES can be found in [20]. We can use this information to analyze whether two events are ordered in the time domain, i.e. $e_1$ precedes $e_2$ if $Sep_{max}(e_1, e_2) < 0$.
It is important to point out that the minimum delay bound for all
the source events of a CES is conservatively set to 0, given that the
prehistory on the enabledness of the events is unknown. With this
strategy, timing analysis is still exact in case the CES has only one
source event, since the relative firing order of all other events does
not depend on the enabling time of their common predecessor.
[Figure 7 not reproduced in this extraction; panel (d) carries the delay intervals and a dashed lazy arc.]
Figure 7. (a) TS, (b) trace and (c) CES obtained from it. (d) Lazy CES induced by delay bounds.
Definition 5.6 (Lazy CES generated by a trace)
Let $\sigma = E_1 \xrightarrow{e_1} \cdots E_n \xrightarrow{e_n} E_{n+1}$ be a timing-consistent trace of a TTS $A = \langle A^-, \delta_l, \delta_u \rangle$, and let $CS_\sigma = \langle \Sigma, \prec \rangle$. The pair $LCS = \langle \Sigma, \prec' \rangle$ is called a lazy causal event structure (LzCES), where $\prec' = \prec \cup T$, and $T \subseteq \Sigma \times \Sigma$ is a set of lazy causal relations such that $T = \{ (e_i, e_j) \in \Sigma \times \Sigma \mid e_i \not\prec e_j \;\wedge\; e_j \not\prec e_i \;\wedge\; Sep_{max}(e_i, e_j) < 0 \}$.
A LzCES coming from certain delay bounds is shown in Figure 7(d) (the lazy arc is depicted by a dashed line).
6. Incorporation of relative timing constraints
This section describes how to refine the set of traces produced by a lazy TS by considering the timing constraints coming from event delay bounds. The timing constraints are derived by the analysis of a causal event structure corresponding to an eligible trace of a lazy TS in the untimed domain. The refinement is performed through the parallel composition of a LzTS and a LzCES. Defining the parallel composition requires both descriptions to be represented in a uniform way. To satisfy this requirement we first introduce a state-based representation for CESs.
6.1. State-based representation of a CES
From a causal event structure one can obtain an underlying transition system. This process relies on the notion of configuration, which plays the role of global state.
Definition 6.1 (Configuration)
Let $CS = \langle \Sigma, \prec \rangle$ be a CES. $C \subseteq \Sigma$ is a configuration iff $C$ is left-closed, i.e. $\forall a \in C$ all predecessors of $a$ by $\prec$ are in $C$.
Clearly, every prefix $\omega_i$ of a word $\omega$ in a CES is left-closed and hence defines a configuration which is reached by firing the events from $\omega_i$. Consideration of all possible words and their prefixes gives the set of reachable configurations, $\mathcal{C}$, where the initial configuration due to the empty prefix $\omega_0$ is denoted by $\top$. The set of reachable configurations together with the partial order $\subseteq$ defines a graph of reachable configurations.
Definition 6.2 (Graph of reachable configurations)
The graph of reachable configurations for CES $CS = \langle \Sigma, \prec \rangle$ is a Hasse diagram over the set of reachable configurations of $CS$ and the partial order $\subseteq$ interpreted in the set-theoretical sense.
For the general case of a LzCES, $LCS = \langle \Sigma, \prec \rangle$, the graph of reachable configurations can be modeled by a LzTS $G = \langle \mathcal{C}, \Sigma, T, \top, En \rangle$ where $C_1 \xrightarrow{e} C_2 \in T$ iff $C_2$ is reached by firing $e$ from $C_1$, and $En(e) = \{ C \in \mathcal{C} \mid e \in E(C) \}$. An example of a graph of reachable configurations is shown in Figure 8(c). In this graph every arc $(C_1, C_2)$ is attributed by an event which expands configuration $C_1$ into $C_2$ (the firing event).
The following statement shows that in a CES a configuration is uniquely defined by the set of enabled events.
Theorem 6.3 (Configurations and enablings) [23]
Any pair of configurations $C_1$ and $C_2$ ($C_1 \neq C_2$) of a CES $CS = \langle \Sigma, \prec \rangle$ has different sets $E(C_1)$ and $E(C_2)$ of enabled events, i.e. $C_1 \neq C_2 \Rightarrow E(C_1) \neq E(C_2)$.
In the sequel we will indistinctly use configurations or their enablings to characterize the states of a CES. Based on this one-to-one correspondence, instead of a graph of reachable configurations one could consider an isomorphic graph of reachable enablings (Figure 8(c)).
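As an added example, not taken from the paper, the following Python builds the CES of Definition 5.5 from the failure trace of Section 7.2, computes the enabled events of Definition 5.3, enumerates the graph of reachable configurations of Section 6.1 and checks the uniqueness of enablings stated by Theorem 6.3; the Hasse-diagram helper is a constructed addition for displaying the result.

```python
"""CES generated by a trace (Definition 5.5), enabled events (Definition 5.3),
graph of reachable configurations (Definitions 6.1, 6.2) and Theorem 6.3."""
from collections import deque


def ces_from_trace(trace):
    """Definition 5.5: the events of a finite trace and the relation
    e_i < e_j iff i < j and no enabling set E_k of the trace contains both."""
    enabled_sets = [E for E, _ in trace]
    events = [e for _, e in trace if e is not None]
    prec = set()
    for i, ei in enumerate(events):
        for ej in events[i + 1:]:
            if not any(ei in E and ej in E for E in enabled_sets):
                prec.add((ei, ej))
    return events, prec


def hasse(events, prec):
    """Transitive reduction of the causality relation: the arcs drawn in a Hasse diagram."""
    return {(p, q) for p, q in prec
            if not any((p, r) in prec and (r, q) in prec for r in events)}


def enabled_by(events, prec, config):
    """Definition 5.3 / Section 6.1: events outside the configuration whose
    predecessors (by <) all lie inside it."""
    return frozenset(e for e in events if e not in config
                     and all(p in config for p, q in prec if q == e))


def reachable_enablings(events, prec):
    """Graph of reachable configurations (Definition 6.2) as a dict
    configuration -> (E(configuration), {firing event: successor configuration}),
    explored breadth-first from the empty configuration (the initial one)."""
    graph = {}
    todo = deque([frozenset()])
    while todo:
        C = todo.popleft()
        if C in graph:
            continue
        E = enabled_by(events, prec, C)
        succ = {e: C | {e} for e in E}       # firing e expands C into C + {e}
        graph[C] = (E, succ)
        todo.extend(succ.values())
    return graph


def enablings_are_unique(graph):
    """Theorem 6.3: distinct configurations have distinct sets of enabled events,
    so the graph of reachable enablings is isomorphic to that of configurations."""
    enablings = [E for E, _ in graph.values()]
    return len(set(enablings)) == len(enablings)


# Failure trace of Section 7.2 for the TS of Figure 1(a):
# {x} -x-> {a,b} -a-> {b,c,g} -c-> {b,g} -b-> {d,g} -d-> {g} -g-> {y}
TRACE = [({"x"}, "x"), ({"a", "b"}, "a"), ({"b", "c", "g"}, "c"), ({"b", "g"}, "b"),
         ({"d", "g"}, "d"), ({"g"}, "g"), ({"y"}, None)]

if __name__ == "__main__":
    events, prec = ces_from_trace(TRACE)
    print("Hasse arcs:", sorted(hasse(events, prec)))
    graph = reachable_enablings(events, prec)
    for C, (E, _) in graph.items():
        print(sorted(C), "enables", sorted(E))
    print("enablings unique:", enablings_are_unique(graph))
```

On this trace $c$ depends only on $a$ (as noted after Definition 5.5) and the CES has 13 reachable configurations, each with a distinct enabling set.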
6.2. Refining the reachability space by timing constraints
At this moment we have two objects at hand: a lazy TS $A$, and another lazy TS $G$ obtained from an event structure $CS_\sigma$. $CS_\sigma$ is derived from a particular trace $\sigma$ of $A$ (actually from an appropriate suffix, see Figure 5), thus giving only a partial specification of the behavior of $A$. $CS_\sigma$ is refined through the exact timing analysis yielding the lazy TS $G$.
Refining the behavior of $A$ by the timing constraints incorporated in $G$ can be done by calculating the enabling-compatible product of $G$ and $A$, which is a particular case of transition system product under the restrictions of making synchronization by the same transitions and the same enabling conditions.
For the sake of simplicity, before introducing the product rules we will add the special configuration $\bot$ to $G$. $\bot$ denotes the fact that the product is not synchronizing with the state space of the CES and, therefore, no timing analysis is applied for the involved traces.
The enabling-compatible product of $A = \langle S, \Sigma_A, T_A, s_{in}, En_A \rangle$ and $G = \langle \mathcal{C} \cup \bot, \Sigma_G, T_G, \top, En_G \rangle$ with $\Sigma_G \subseteq \Sigma_A$ is a new LzTS $\langle S', \Sigma_A, T', s'_{in}, En' \rangle$ where:
- $S' \subseteq S \times (\mathcal{C} \cup \bot)$,
- $s'_{in} = (s_{in}, \top)$ if $E(\top) \subseteq E(s_{in})$, and $s'_{in} = (s_{in}, \bot)$ otherwise, and
- $\forall e \in \Sigma_A : En'(e) = \{ (s, C) \in S' \mid s \in En_A(e) \}$.
[Figure 8 not reproduced in this extraction.]
Figure 8. (a) Causal event structure. Graph of reachable configurations (b) and enablings (c).
The transition relation $T'$ is defined by the rules below. These are implied by the conditions of Definition 4.5 on enabling compatibility of traces. The fact that $(s, C) \in S'$ denotes that $s$ and $C$ have been reached by prefixes that are enabling compatible, and that $map(E(s)) = E(C)$. Given a state $(s, C)$ with $C \neq \bot$, we will say that the state is in the timed domain, indicating that the timing analysis performed on $CS_\sigma$ can be applied to $s$.
Transitions entering the timed domain
Transition: $(s, \bot) \xrightarrow{e} (s', \top)$
Condition (enter): $s \xrightarrow{e} s' \in T_A \;\wedge\; E(\top) \subseteq E(s') \cap \Sigma_G$
These transitions are fired when the events enabled in $\top$ are also enabled in $s'$. Thus, timing analysis can start being applied from $(s', \top)$.
Staying inside the timed domain
Transition: $(s, C) \xrightarrow{e} (s', C)$
Condition (inside1): $s \xrightarrow{e} s' \in T_A \;\wedge\; E(s) \cap \Sigma_G = E(s') \cap \Sigma_G$
Transition: $(s, C) \xrightarrow{e} (s', C')$
Condition (inside2): $s \xrightarrow{e} s' \in T_A \;\wedge\; C \xrightarrow{e} C' \in T_G \;\wedge\; E(s') \cap \Sigma_G = E(C')$
Inside1 corresponds to the condition in which $e$ does not synchronize with $G$. Here the enablings of state $C$ must be preserved, i.e. the firing of $e$ cannot disable or enable events in $\Sigma_G$.
For inside2, both $A$ and $G$ make a synchronized move which might affect the events from $\Sigma_G$ in exactly the same way: if $a \in \Sigma_G$ becomes enabled in $A$ due to this move, it should also become enabled in $G$, and vice versa.
Exiting or staying outside the timed domain
Transition: $(s, C) \xrightarrow{e} (s', \bot)$
Condition (exit): $s \xrightarrow{e} s' \in T_A \;\wedge\; \neg(\text{enter} \vee \text{inside1} \vee \text{inside2})$
It can be shown that, in the enabling-compatible product, only
the traces of the original TS which are enabling compatible with
the event structure are refined. This refinement excludes the traces
which are timing inconsistent with respect to timing constraints
coming from the event structure. All other traces are not changed,
thus guaranteeing the conservativeness of the approach.
7. Algorithm for timed verification
7.1. Timing refinement
The verification problem can be solved by checking the language inclusion $L(A) \subseteq L(P)$ of a timed system described by a TTS $A$ and a property described by $P$.
Figure 9 shows the timed verification procedure. The function untimed_verification checks whether a trace violating $P$ is present in $A'$. If such a trace exists, a finite prefix, $\sigma$, demonstrating the wrong behavior is returned. This prefix is checked for timing inconsistency by building and analyzing the corresponding event structure (procedure build_event_structure). If no event structure can disprove the feasibility of the trace $\sigma$, the verification returns $\sigma$ as an example of violation of $P$. Otherwise the system is refined through the composition with an event structure.
The timed verification procedure does not depend on any particular implementation of the untimed_verification function. We have implemented, however, an approach based on efficient symbolic model checking techniques [10]. Basically, we explore $A'$ looking for failure states where $P$ is violated. Then, a backward traversal is performed to generate a trace, leading from the initial state to the failure, reproducing the discrepancy with $P$.
7.2. Timing analysis of failures
Given the trace $\sigma$ generated by the function untimed_verification, we search for the shortest suffix $\sigma''$ ($\sigma = \sigma'\sigma''$) such that $\sigma''$ is timing inconsistent with the delay bounds $\delta_l$ and $\delta_u$. Let us illustrate the process by means of an example. Consider the trace
$\{x\} \xrightarrow{x} \{a,b\} \xrightarrow{a} \{b,c,g\} \xrightarrow{c} \{b,g\} \xrightarrow{b} \{d,g\} \xrightarrow{d} \{g\} \xrightarrow{g} \{y\}$
for the TS of Figure 1(a) and assume the delay bounds specified in Figure 1(d). Recall that in this example, the property being verified says that $g$ must always fire before $d$. The shortest possible suffix is given by the trace $\{b,g\} \xrightarrow{b} \{d,g\} \xrightarrow{d} \{g\} \xrightarrow{g} \{y\}$, from which the event structure of Figure 10(a) is derived, according to Definition 5.5.
function timed_verification(A = ⟨S_A, Σ_A, T_A, s_in_A, δ_l, δ_u⟩, P)
    A' := ⟨S_A, Σ_A, T_A, s_in_A⟩;
    repeat
        σ := untimed_verification(A', P);
        if (empty σ) return (SUCCESS);
        LCS := build_event_structure(A', σ, δ_l, δ_u);
        if (empty LCS) return (FAIL, σ);
        A'' := compose(A', LCS);
        A' := A'';
    end repeat
end function

function build_event_structure(A' = ⟨S, Σ, T, s_in⟩, σ, δ_l, δ_u)
    σ'' := shortest_suffix(σ);
    repeat
        σ'' := add_predecessor(σ'', σ);
        CS := build_event_structure(A', σ'');      (event structure of σ'', Definition 5.5)
        if (not timing_consistent(CS, δ_l, δ_u))
            L := compute_lazy_arcs(CS, δ_l, δ_u);
            LCS := add_lazy_arcs(CS, L);
            return (LCS);
        end if
    while (σ'' ≠ σ);
    return (empty CS);
end function

Figure 9. Algorithms described in Section 7.
The timing analysis can conclude nothing about the occurrence
order of events d and g , since both can fire concurrently. There-
fore the algorithm continues by moving one step backwards along
the trace and repeats the same process again. Figure 10 depicts
the three attempts needed to find the shortest sufficient suffix of
the original trace. According to it, timing analysis concludes that
b and g occur before c (and consequently before d ). This
is shown by the dashed arcs in the lazy event structure of Fig-
ure 10(c).
The function build_event_structure builds the shortest suffix $\sigma''$ of the trace returned by the untimed verification procedure such that the timing analysis shows a timing inconsistency with the delays imposed by $A$. An event structure CS is constructed by using the causal relations of the events in $\sigma''$.
Function timing consistent performs timing analysis over the
CS. It implements the algorithm described in [20] for timing anal-
ysis of an acyclic graph of events with min/max delay constraints.
If the trace is not timing consistent, function compute lazy arcs
also extracts a set of relative timing constraints from CS, i.e. a
set of additional orderings between the events of 00 imposed by
the delay bounds. These new constraints are added to the initial
CS as lazy arcs by function add lazy arcs. The resulting lazy
event structure LCS models only those orderings of the events
of 00 which are timing consistent with the delays imposed by A.
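The following is an added, runnable illustration of the suffix search and timing analysis described in this section; it is example code written for this page, not the authors' implementation. The event structure (PREDS), the delay bounds (DELAYS), the failure trace (TRACE) and the violated property (g before d) are constructed here in the shape of the paper's example, and the values are assumed, not taken from Figure 1. Instead of the exact separation algorithm of [20], timing_consistent is realised as a sound interval analysis: every event is bounded from below and above relative to each source of the suffix, and sources (events whose predecessors fired before the suffix started) are treated as firing at unknown, independent times, which is exactly why a suffix with several sources proves less than one with a single nodal source.

```python
from math import inf

# Constructed example (not the paper's Figure 1): an acyclic event structure in the
# shape of the trace {x}-x->{a,b}-a->{b,c,g}-c->{b,g}-b->{d,g}-d->{g}-g->{y}.
# PREDS[e] lists the events whose firing enables e (AND causality).
PREDS = {"x": [], "a": ["x"], "b": ["x"], "c": ["a"], "g": ["a"],
         "d": ["b", "c"], "y": ["d", "g"]}
# Assumed delay bounds [delta_l, delta_u] between the enabling and the firing of each event.
DELAYS = {"x": (0.0, inf), "a": (0.5, 0.5), "b": (0.0, 0.5), "c": (2.5, 3.0),
          "g": (0.0, 1.0), "d": (0.0, 4.0), "y": (0.0, inf)}
# Failure trace returned by the untimed check: d fires before g (property: g before d).
TRACE = ["x", "a", "c", "b", "d", "g"]


def suffix_structure(preds, suffix):
    """Causal relation restricted to the events of the suffix. Predecessors that fired
    before the suffix started are dropped: under the hypothesis that this very trace
    happened, they fired no later than the suffix began, so they cannot delay anything."""
    inside = set(suffix)
    return {e: [p for p in preds[e] if p in inside] for e in suffix}


def time_bounds(preds_s, delays, suffix):
    """Earliest (L) and latest (U) firing time of each suffix event as an offset from
    every source it causally depends on. Sources fire at unknown, independent times."""
    L, U = {}, {}
    for e in suffix:                       # a trace order is a topological order
        if not preds_s[e]:
            L[e], U[e] = {e: 0.0}, {e: 0.0}
            continue
        lo, hi = delays[e]
        L[e], U[e] = {}, {}
        for p in preds_s[e]:               # max over predecessors, plus this event's delay
            for s, v in L[p].items():
                L[e][s] = max(L[e].get(s, -inf), v + lo)
            for s, v in U[p].items():
                U[e][s] = max(U[e].get(s, -inf), v + hi)
    return L, U


def forced_before(L, U, x, y):
    """True iff x fires strictly before y for every choice of source times and of delays
    within the bounds: each source reaching x also reaches y, and along it the latest
    x is earlier than the earliest y. Sound, but not exact (bounds ignore correlation)."""
    return all(s in L[y] and U[x][s] < L[y][s] for s in U[x])


def causally_before(preds_s, x, y):
    """True iff x is an ancestor of y in the restricted causal relation."""
    todo, seen = list(preds_s[y]), set()
    while todo:
        p = todo.pop()
        if p == x:
            return True
        if p not in seen:
            seen.add(p)
            todo.extend(preds_s[p])
    return False


def analyse_suffix(preds, delays, suffix):
    """timing_consistent and compute_lazy_arcs for one suffix: returns (consistent?,
    lazy arcs), the lazy arcs being the forced orderings that are not already causal."""
    ps = suffix_structure(preds, suffix)
    L, U = time_bounds(ps, delays, suffix)
    pos = {e: i for i, e in enumerate(suffix)}
    forced = [(x, y) for x in suffix for y in suffix
              if x != y and forced_before(L, U, x, y)]
    consistent = all(pos[x] < pos[y] for x, y in forced)
    lazy = [(x, y) for x, y in forced if not causally_before(ps, x, y)]
    return consistent, lazy


def build_event_structure(preds, delays, trace, violation):
    """Grow the suffix backwards from the offending events until timing analysis refutes
    it (the loop of Figure 9). Returns (suffix, lazy arcs), or (None, []) when even the
    whole trace is timing consistent, i.e. the failure is real."""
    start = min(trace.index(e) for e in violation)
    while start >= 0:
        suffix = trace[start:]
        consistent, lazy = analyse_suffix(preds, delays, suffix)
        if not consistent:
            return suffix, lazy
        start -= 1
    return None, []


if __name__ == "__main__":
    suffix, lazy = build_event_structure(PREDS, DELAYS, TRACE, ("d", "g"))
    print("refuting suffix:", suffix)   # ['a', 'c', 'b', 'd', 'g']
    print("lazy arcs:", lazy)           # [('g', 'c'), ('g', 'd')]
```

With the assumed bounds, the suffixes starting at d, at b and at c have only free sources and prove nothing; the suffix starting at a has the single source a, from which g is forced before c (and hence before d), refuting the trace and yielding the lazy arcs g→c and g→d. Loosening g and b (for instance g in [0,10], b in [0,5]) makes every suffix consistent and the same call returns (None, []), which is the case where the failure is reported as real.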
7.3. Incorporation of constraints
Finally, we develop the composition algorithm that implements the enabling-compatible product between $A'$ and a lazy CES, LCS, which derives $A''$ by removing from $A'$ all traces contradicting the timing orderings of events in LCS. Thus $L(A'') \subseteq L(A')$. The resulting $A''$ is a new lazy TS where:
[Figure 10 (a), (b), (c): the trace $\{x\} \to \{a,b\} \to \{b,c,g\} \to \{b,g\} \to \{d,g\} \to \{g\} \to \{y\}$ with the event structures of the three successive suffixes; the delay intervals shown in the figure are $[0,\infty)$, $[0,0.5]$, $[0,4]$, $[2.5,3]$ and $[0.5,0.5]$; the dashed arcs in (c) are the lazy arcs.]
Figure 10. Example 1: generation of the shortest suffix of the trace depicted in Figure 1(a), and corresponding event structures. Three steps are needed.

- The state space may be split in two parts: one following the enabling orders of the events in LCS, and the other one where the enablings are not followed. The former corresponds to the state subspace where the constraints imposed by LCS apply (the timed subspace). In the latter, LCS does not apply (the untimed subspace).
- In the timed subspace, some events are prevented from firing when they are enabled. More precisely, the composition with LCS allows only those firing orderings which are consistent with the timing analysis.
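As an added illustration of the composition step (the enter, inside1, inside2 and exit rules of Section 6.2 applied in Section 7.3), the following example code, written for this page and not the authors' tool, builds the untimed TS of a small constructed system as sets of fired events, composes it with a lazy event structure, and compares the traces before and after. SIGMA_G, CAUSAL_G and LAZY_G are assumed inputs (the lazy arcs g→c and g→d a previous timing analysis would have produced). One point the page states only in prose is made explicit as an assumption in the code: an event of $\Sigma_G$ that is enabled in $A$ but whose lazy predecessors have not fired is enabled but not fireable in the product, which is how the timed subspace drops the orderings the timing analysis excluded.

```python
# Constructed example (not the paper's): the untimed TS A' is generated from this
# causal DAG; a state is the set of events fired so far.
PREDS = {"x": [], "a": ["x"], "b": ["x"], "c": ["a"], "g": ["a"],
         "d": ["b", "c"], "y": ["d", "g"]}

# Assumed lazy event structure LCS over Sigma_G = {a, b, c, d, g}: the causal arcs of
# the refuting suffix plus the lazy arcs g->c and g->d from the timing analysis.
SIGMA_G = frozenset("abcdg")
CAUSAL_G = {"a": [], "b": [], "c": ["a"], "g": ["a"], "d": ["b", "c"]}
LAZY_G = {"c": ["g"], "d": ["g"]}

BOTTOM = None        # the symbol ⊥: outside the timed domain
TOP = frozenset()    # the symbol ⊤: initial CES state, nothing fired yet


def enabled(preds, fired, events):
    """Events not yet fired whose predecessors have all fired."""
    return frozenset(e for e in events if e not in fired and set(preds[e]) <= fired)


def ts_from_dag(preds):
    """Untimed TS: (initial state, {state: {event: successor}})."""
    init, trans, todo = frozenset(), {}, [frozenset()]
    while todo:
        s = todo.pop()
        if s in trans:
            continue
        trans[s] = {e: s | {e} for e in enabled(preds, s, preds)}
        todo.extend(trans[s].values())
    return init, trans


def compose(init, trans, sigma_g, causal_g, lazy_g):
    """Enabling-compatible product A'' of the TS with the LCS. Product states are
    pairs (s, C): C is ⊥ or the set of LCS events fired since entering the domain."""
    def E_A(s):
        return frozenset(trans[s])
    def E_G(C):                       # enabled in the CES (causal arcs only)
        return enabled(causal_g, C, sigma_g)
    def F_G(C):                       # fireable: enabled and lazy predecessors fired
        return frozenset(e for e in E_G(C) if set(lazy_g.get(e, ())) <= C)

    start, prod, todo = (init, BOTTOM), {}, [(init, BOTTOM)]
    while todo:
        s, C = todo.pop()
        if (s, C) in prod:
            continue
        prod[(s, C)] = {}
        for e, s2 in trans[s].items():
            if C is BOTTOM:           # enter if E(⊤) ⊆ E(s') ∩ Σ_G, else stay outside
                C2 = TOP if E_G(TOP) <= (E_A(s2) & sigma_g) else BOTTOM
            elif e in sigma_g:
                if e not in F_G(C):   # assumed lazy-TS reading: enabled, not fireable
                    continue
                C2 = C | {e}          # inside2: synchronized move of A and G ...
                if (E_A(s2) & sigma_g) != E_G(C2):
                    C2 = BOTTOM       # ... unless the enablings diverge: exit
            else:                     # inside1 if Σ_G enablings are untouched, else exit
                C2 = C if (E_A(s) & sigma_g) == (E_A(s2) & sigma_g) else BOTTOM
            prod[(s, C)][e] = (s2, C2)
            todo.append((s2, C2))
    return start, prod


def traces(start, trans):
    """All maximal firing sequences of a finite acyclic TS (plain or product)."""
    out, todo = [], [(start, [])]
    while todo:
        s, path = todo.pop()
        if not trans[s]:
            out.append(path)
        for e, t in trans[s].items():
            todo.append((t, path + [e]))
    return out


def violates(trace):
    """The property of the example: g must fire before d."""
    return trace.index("d") < trace.index("g")


if __name__ == "__main__":
    A = ts_from_dag(PREDS)
    A2 = compose(*A, SIGMA_G, CAUSAL_G, LAZY_G)
    print(len(traces(*A)), "untimed traces,", sum(map(violates, traces(*A))), "violating")
    print(len(traces(*A2)), "after composition,", sum(map(violates, traces(*A2))), "violating")
```

The untimed TS has eleven maximal traces, three of which fire d before g; the product keeps only the four traces in which g precedes c and d, every one of them a trace of the original TS, as $L(A'') \subseteq L(A')$ requires. In this small system the product never leaves the timed domain after entering it; with an event outside $\Sigma_G$ that enables or disables a $\Sigma_G$ event the exit rule would send the product back to ⊥ and the constraints would no longer apply until the next enter.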
7.4. Correctness
The correctness of the timed verification algorithm is guaranteed by the following facts:
(i) The language of the TTS being verified is a subset of the language of the initial untimed abstraction (its underlying TS). This condition is proved by Lemma 4.4.
(ii) Conservativeness: the compose function does not remove any trace which is timing consistent with the delays $\delta_l$ and $\delta_u$ of the verified TTS. This is guaranteed by the composition rules of the enabling-compatible product (see Section 6.2).
(iii) Convergence: for a particular class of systems the verification requires only a few refinements to converge (more details in the next section). For the general class of systems a pre-defined upper bound on the number of refinements can be imposed. This could produce false negatives during verification; however, this is in line with the conservative nature of the suggested approach.
7.5. Convergence
Each composition step of the original LzTS $A'$ with the lazy event structure LCS implicitly performs an unfolding of $A'$, separating the traces that are enabling compatible with LCS from those which are not.
The convergence of the refinement procedure for the class of Marked Graphs is guaranteed by the known results on termination of separation time analysis in a finite number of unfolding iterations [16]. Nevertheless, the upper bound on the number of iterations can be quite high (it depends on the ratio of critical and sub-critical cycles). This is an inherent limitation of exact separation analysis and, for practical applications, it is better to work with pre-established separation bounds and not to unfold beyond those bounds. Though this gives only conservative verification, accepting pre-defined upper bounds seems a reasonable option, because the largest class of systems for which the separation time analysis can be performed exactly is that of free and unique choice systems [16] (beyond them the calculation of separation times is inherently conservative).
However, there is an important practical class of systems for which the refinement procedure is especially simple and is exact after a few unfolding iterations. The characterization of this class is done in terms of the so-called nodal states.
Definition 7.1 (Nodal state)
A state $s$ of a TS is called nodal if for all $s'$ such that $s' \xrightarrow{e} s$, $|E(s')| = 1$.
Definition 7.1 states that all direct predecessors of a nodal state are synchronized in that state, i.e. by the moment the system arrives at a nodal state all concurrent activities have finished.
Nodal states are natural points from which the timing analysis
is convenient to start. Any event enabled somewhere in a path to a
nodal state must fire before reaching this state and, hence, timing
analysis from a nodal state does not depend on the prehistory of the
process behavior. We will call a TS in which every trace passes
through at least one nodal state as strongly synchronized. Note
that the requirement of breaking traces by a set of nodal states is
essential here because it is easy to construct an example of TS
with choices, in which different branches of a choice would have
different nodal states and none of them could serve as a “global
synchronizer” for the whole TS. For strongly synchronized TSs,
timing analysis can always be performed on event structures with
only one source node. Thus, timing analysis can be exact in those
cases (see section 5.1).
In the TS of Figure 1, states $s_0$, $s_1$ and $s_{13}$ are nodal; this TS has no conflicting events (no choice) and therefore each nodal state is a "global synchronizer" because it breaks all the cycles of the TS.
In a strongly synchronized TS, given a faulty trace $\sigma$ with an "improper" ordering of the pair of events $a$ and $c$, checking the timing consistency of $a$ and $c$ can be reduced to the analysis of the suffix $\sigma_t$ starting from the nodal state closest to $a$ and $c$. From $\sigma_t$ one can construct the corresponding CES to check whether $a$ and $c$ can occur in the order they have in $\sigma$. However, in case of cyclic behavior, $\sigma$ might continue in such a way that the first $n$ occurrences of events $a$ and $c$ satisfy the checked property while their $(n+1)$-th occurrences have an "improper" ordering. The nice feature of strongly synchronized TSs is that the timing analysis made for trace $\sigma$ applies equally to "later" occurrences of $a$ and $c$, because the analysis, started at a nodal state, does not depend on prehistory. Therefore timing inconsistency of $\sigma$ implies timing inconsistency of any cyclic unfolding of $\sigma$, from which the exactness and convergence of the suggested verification procedure immediately follow.
The practical significance of the class of strongly synchronized
TS could be shown by analyzing the known set of asynchronous
benchmarks: more than 80% of the specifications are strongly syn-
chronized.
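As an added illustration of Definition 7.1 and of the strongly synchronized class, the following example code (written for this page, not the authors' tool) computes the nodal states of a transition system given as state → {event: successor} and checks the cycle-breaking reading of "strongly synchronized" stated above: every cycle of the TS passes through a nodal state, i.e. the TS with its nodal states removed is acyclic. Both transition systems, RING (a ring with a choice that re-converges) and PIPE (two independent cyclic processes, the pipelined shape the text mentions as inherently not strongly synchronized), are constructed here and are not the paper's Figure 1.

```python
# Constructed cyclic transition systems (not the paper's Figure 1), written as
# state -> {event: successor}; E(s) is the key set of TS[s].

# A ring with a choice between a and b that re-converges in s4: every cycle
# passes through the nodal states s0, s1, s4 and s5.
RING = {
    "s0": {"x": "s1"},
    "s1": {"a": "s2", "b": "s3"},
    "s2": {"b": "s4"},
    "s3": {"a": "s4"},
    "s4": {"c": "s5"},
    "s5": {"y": "s0"},
}

# Two independent cyclic processes p/p' and q/q' (a pipelined shape): two events
# are enabled in every state, so no state has all its predecessors with |E| = 1.
PIPE = {
    (0, 0): {"p": (1, 0), "q": (0, 1)},
    (1, 0): {"p'": (0, 0), "q": (1, 1)},
    (0, 1): {"p": (1, 1), "q'": (0, 0)},
    (1, 1): {"p'": (0, 1), "q'": (1, 0)},
}


def nodal_states(ts):
    """Definition 7.1: s is nodal iff every predecessor s' (s' -e-> s) has |E(s')| = 1.
    A state without predecessors is nodal vacuously."""
    preds = {s: [] for s in ts}
    for s, out in ts.items():
        for t in out.values():
            preds[t].append(s)
    return {s for s in ts if all(len(ts[p]) == 1 for p in preds[s])}


def is_strongly_synchronized(ts):
    """Every cycle passes through a nodal state: the TS restricted to its non-nodal
    states is acyclic (checked by a three-colour depth-first search)."""
    nodal, colour = nodal_states(ts), {}

    def has_cycle(s):
        colour[s] = "grey"
        for t in ts[s].values():
            if t in nodal:            # edges into nodal states cannot close a cycle here
                continue
            if colour.get(t) == "grey" or (t not in colour and has_cycle(t)):
                return True
        colour[s] = "black"
        return False

    for s in ts:
        if s not in nodal and s not in colour and has_cycle(s):
            return False
    return True


if __name__ == "__main__":
    print(sorted(nodal_states(RING)), is_strongly_synchronized(RING))  # ['s0', 's1', 's4', 's5'] True
    print(sorted(nodal_states(PIPE)), is_strongly_synchronized(PIPE))  # [] False
```

For RING the only non-nodal states are the two branches of the choice, and both lead straight into the nodal merge state s4, so timing analysis of any suffix can start at a single source. For PIPE no state is nodal, the cycle (0,0) → (1,0) → (0,0) survives the removal, and the refinement would have to rely on a pre-defined unfolding bound instead.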
Beyond the class of strongly synchronized TSs our verification procedure would be conservative in general. Still, in many cases it might require just a few iterations in unfolding the TS to reach the exact separation analysis. For example, [3] shows the fast convergence of separation time analysis for pipelined specifications, which are inherently not strongly synchronized.

name          Σ       S    G   S_u      S_f      TC  C  cpu
sbf-rd-ctl    8(5)    19   10  74       16       4   Y  2
rcv-setup     5(2)    14   6   78       34       2   N  1
alloc-outbnd  9(5)    21   11  82       20       4   Y  3
ebergen       5(3)    18   9   83       22       1   N  1
mp-fwd-pkt    8(5)    22   8   186      70       8   Y  5
dff           3(1)    14   6   255      164      6   N  3
half          4(2)    14   7   227      133      1   N  1
chu133        7(4)    24   9   288      204      2   N  1
converta      5(3)    18   12  408      244      10  N  12
nowick        6(3)    20   10  510      292      4   Y  3
chu150        6(3)    26   8   520      339      3   N  1
sbuf-snd-ctl  8(5)    27   13  1592     1081     18  N  54
vme           6(3)    24   12  1736     1460     21  Y  30
rpdtf         5(1)    22   8   2612     1841     2   N  2
tsend-bm      9(4)    40   12  3880     2999     3   N  46
sbf-snd-pkt2  9(5)    28   13  4544     4044     19  Y  103
sbf-ram-wrt   12(7)   64   15  14016    12362    34  N  415
ram-rd-sbuf   11(6)   39   16  19328    17488    36  Y  550
mr1           9(5)    190  16  21076    11574    29  Y  317
mr0           11(6)   302  20  727304   642291   2   N  48
trimos-send   9(6)    336  24  2.1e6    1.8e6    1   N  127
mmu           8(4)    174  22  5.6e6    5.2e6    3   N  480

Table 1. Experimental results for the verification of absence of hazards in asynchronous circuits. Σ: signals (outputs in parentheses); S: states of the specification; G: gates; S_u: untimed states of the circuit; S_f: untimed failure states; TC: event structures (timing constraints) generated; C: circuit correct (Y/N); cpu: seconds.
8. Experimental results
A naive prototype of the proposed method has been imple-
mented by using state-of-the-art symbolic BDD-based techniques
for reachability analysis.
The following experiments have been performed on a set
of specifications given as Signal Transition Graphs. A speed-
independent complex-gate implementation (i.e. one complex gate
per output) of each specification has been obtained by using pet-
rify. The complex gates have been decomposed and mapped
into a library with only 2-input gates (NAND2, NOR2 and in-
verter). Conventional decomposition for synchronous circuits has
been used for technology mapping (map command in SIS). None
of the examples were hazard-free under the unbounded delay
model after decomposition.
Next, the following interval delays were assigned to the
events of the system: [0:9; 1:1] for inverters, [1:35; 1:65] for
NAND2/NOR2 gates and [9; 11] for the events produced by the
environment. The property verified for each circuit was absence of
hazards with the given delays. Formally, the property was modeled
as semi-modularity for each event. The composition of the envi-
ronment with the circuit defines the transition system that must be
verified.
Although most specifications were marked graphs (choice-free Petri nets), the transition system obtained after the composition with the circuit manifested a great variety of causality relations among the events (OR, AND and complex combinations of both) produced by the functionality of the gates.
Table 1 reports the obtained results. Columns $\Sigma$ and $S$ contain the total number of signals (outputs are shown in parentheses) and states of the specification. Columns $G$ and $S_u$ indicate the number of gates and the number of untimed states of the circuit. Column $S_f$ indicates the number of untimed failure states (only failure states reachable from non-failure states are generated). The column TC indicates the number of event structures (timing constraints) generated for timing analysis. This corresponds to the number of iterations of the algorithm. The column C indicates whether the circuit is correct or not. Finally, CPU times are given in seconds.
The results show that, even with a naive implementation, systems with more than $10^6$ untimed states could be verified. The computational cost of the algorithm depends strongly on the number of timing constraints required to refine the untimed state space. Heuristics to improve the strategies for selecting adequate event structures will be explored in the future.
The three largest examples were proved to be hazardous. Only a few iterations were required to find an erroneous trace. On the other hand, some circuits required many timing constraints to prove their correctness (e.g. ram-rd-sbuf and mr1). We believe that many of these constraints are redundant and can be simplified when the complete set of constraints is considered as a whole.
In the future we intend to implement clever strategies for state
encoding, variable ordering, state traversal, etc, that should pro-
duce tangible improvements on the size of the systems that will be
handled by the tool. We also want to explore strategies to simplify
the set of constraints required for correctness.
9. Conclusions
We believe that the conventional symbolic methods for reach-
ability analysis can be efficiently extended for timed systems. In
this paper we have presented the basic theory and some prelimi-
nary experiments for the verification of timed circuits.
Even though timed systems have an inherent delay for each
event, it is evident that, in practice, many of the timing constraints
imposed by these delays are not required for the correctness of a
system. The proposed approach is not only useful to verify cor-
rectness, but also to backannotate the set of timing constraints that
have been used to prove it. These constraints correspond to the
timing arcs derived from the analysis of event structures. This
information is crucial in frameworks in which synthesis and ver-
ification are iteratively invoked to design systems that must meet
functional and non-functional constraints.
The fact that timing analysis is performed by event structures,
while verification can be performed in systems with any type of
causality relation, opens the door to symbolic analysis. This can
be achieved by using techniques similar to those proposed in [3]
and based on quantifier-free Presburger arithmetic [25].
References
[1] R. Alur and D. Dill. A Theory of Timed Automata. Theoretical
Computer Science, 126:183–235, 1994.
[2] R. Alur, A. Itai, R.P. Kurshan, and M. Yannakakis. Timing Verifi-
cation by Successive Approximation. Information and Computation,
118(1):142–157, 1995.
[3] T. Amon and H. Hulgaard. Symbolic time separation of events.
In Proc. International Symposium on Advanced Research in Asyn-
chronous Circuits and Systems, pages 83–93, April 1999.
[4] A. Arnold. Finite Transition Systems. Prentice-Hall, 1994.
[5] E. Asarin, M. Bozga, A. Kerbrat, O. Maler, A. Pnueli, and A. Rasse.
Data structures for the verification of timed automata. In O. Maler,
editor, Proc. HART’97, volume 1201 of LNCS, pages 346–360.
Springer-Verlag, 1997.
[6] F. Balarin and A.L. Sangiovanni-Vincentelli. An iterative approach to
verification of real-time systems. Formal Methods in System Design,
6:67–95, January 1995.
[7] W. Belluomini and C.J. Myers. Verification of timed systems using
POSETs. In Proc. International Conference on Computer Aided Ver-
ification, pages 403–415, 1998.
[8] M. Bozga, O. Maler, A. Pnueli, and S. Yovine. Some progress in
the symbolic verification of timed automata. In O. Grumberg, editor,
Computer-Aided Verification’97, volume 1254 of LNCS, pages 179–
190. Springer-Verlag, 1997.
[9] J. R. Burch. Delay models for verifying speed-dependent asyn-
chronous circuits. In International Workshop on Timing Issues in
the Specification and Synthesis of Digital Systems, March 1992.
[10] J. R. Burch, E. M. Clarke, K. L. McMillan, D. L. Dill, and L. J. Hwang. Symbolic model checking: $10^{20}$ states and beyond. In Proc. of the Fifth Annual Symposium on Logic in Computer Science, June 1990.
[11] J. Cortadella, M. Kishinevsky, A. Kondratyev, L. Lavagno, and
A. Yakovlev. Lazy transition systems: application to timing opti-
mization of asynchronous circuits. In Proc. ICCAD, November 1998.
[12] O. Coudert, J. C. Madre, and C. Berthet. Verifying temporal prop-
erties of sequential machines without building their state diagrams.
Computer-Aided Verification’90, pages 75–84, 1990.
[13] S. Devadas, K. Keutzer, S. Malik, and A. Wang. Verification of asyn-
chronous interface circuits with bounded wire delays. In Proc. IC-
CAD, pages 188–195, November 1992.
[14] A. Gupta. Formal Hardware Verification Methods: A Survey. Formal
Methods in System Design, 1:151–238, 1992.
[15] T. Henzinger, Z. Manna, and A. Pnueli. Temporal proof methodolo-
gies for real-time systems. In Proc. of the 18th ACM Symposium on
Principles of Programming Languages, pages 353–366, 1991.
[16] H. Hulgaard and S. M. Burns. Bounded delay timing analysis of a
class of CSP programs with choice. In Proc. International Sympo-
sium on Advanced Research in Asynchronous Circuits and Systems,
pages 2–11, November 1994.
[17] H. Kim and P.A. Beerel. Relative timing based verification of timed
circuits and systems. In International Workshop on Logic Synthesis,
June 1999.
[18] O. Maler and A. Pnueli. Timing analysis of asynchronous circuits
using timed automata. In P.E. Camurati and H. Eveking, editors,
Proc. CHARME’95, volume 987 of LNCS, pages 189–205. Springer-
Verlag, 1995.
[19] A. Mazurkiewicz. Basic notions of trace theory. In J. W. Baker, W. P.
de Roever, and G. Rozenberg, editors, Linear Time, Branching Time,
and Partial Order in Logics and Models for Concurrency, volume
354 of LNCS, pages 285–363. Springer-Verlag, 1988.
[20] K. L. McMillan and D. L. Dill. Algorithms for interface verifica-
tion. In Proc. of the International Conference on Computer Design,
October 1992.
[21] R. Negulescu and A. Peeters. Verification of speed-dependences in
single-rail handshake circuits. In Proc. International Symposium on
Advanced Research in Asynchronous Circuits and Systems, March
1998.
[22] M. Nielsen, G. Plotkin, and G. Winskel. Petri Nets, Event Structures
and Domains. Theoretical Computer Science, 13:85–108, 1981.
[23] M.A. Peña, J. Cortadella, A. Kondratyev, and E. Pastor. Formal verification of safety properties in timed circuits. Technical Report RR-99/49, http://www.ac.upc.es/homes/marcoa/TechReports.html, UPC/DAC, October 1999.
[24] A. Semenov and A. Yakovlev. Verification of asynchronous circuits
using time Petri-net unfolding. In Proc. Design Automation Confer-
ence, 1996.
[25] R.E. Shostak. A practical decision procedure for arithmetic with function symbols. Journal of the ACM, 26(2):351–360, April 1979.
[26] K. Stevens, R. Ginosar, and S. Rotem. Relative timing. In Proc. In-
ternational Symposium on Advanced Research in Asynchronous Cir-
cuits and Systems, pages 208–218, April 1999.
[27] E. Verlind, G. de Jong, and B. Lin. Efficient partial enumeration for timing analysis of asynchronous systems. In Proc. Design Automation Conference, 1996.
