Downloaded from orbit.dtu.dk on: Dec 17, 2017

Characterizing speed-independence of high-level designs
Kishinevsky, Michael; Staunstrup, Jørgen
Published in:
Proceedings of the International Symposium on Advanced Research in Asynchronous Circuits and Systems

Citation (APA):
Kishinevsky, M., & Staunstrup, J. (1994). Characterizing speed-independence of high-level designs. In
Proceedings of the International Symposium on Advanced Research in Asynchronous Circuits and Systems (pp.
44-53). IEEE. DOI: 10.1109/ASYNC.1994.656285
Characterizing Speed-independence of High-Level Designs *
Michael Kishinevsky   Jørgen Staunstrup
Department of Computer Science
Technical University of Denmark
DK-2800 Lyngby, Denmark
email: {mik,jst}@id.dtu.dk
Abstract
This paper characterizes the speed-independence of high-level designs. The characterization is a condition on the design description ensuring that the behavior of the design is independent of the speeds of its components. The behavior of a circuit is modeled as a transition system that allows data types, and internal as well as external non-determinism. This makes it possible to verify the speed-independence of a design without providing an explicit realization of the environment. The verification can be done mechanically. A number of experimental designs have been verified, including a speed-independent RAM, a complex switch of a data path, various Muller C-elements, FIFO registers, and counters.
1 Introduction 
A circuit is speed-independent if its behavior does 
not depend on speeds of its components (gates). These 
circuits are very robust to  parameter variations, such 
as supply voltage or temperature, and this may have 
significant practical advantages [8], for example, a po- 
tential reduction of power dissipation [13]. It is impor- 
tant to find a characterization of speed-independence 
that allows the designer to  discover speed dependen- 
cies as early as possible in the design process. Such a 
characterization is presented in this paper as a suffi- 
cient condition on a high-level description of the cir- 
cuit. The condition is formulated in such a way that 
the transition system can be checked in a modular way, 
i.e., by checking the design module by module. 
Most characterizations of speed-independence as- 
sume that the circuit is autonomous which means that 
it is a self-contained circuit without external input. 
*This work has been supported by The Danish Technical Research Council and ACiD-WG (Esprit Basic Research Working Group 7225).
0-8186-6210-7/94 © 1994 IEEE
To check a component with external input (and output) an explicit environment is constructed and the combination of component and environment is then checked. Our characterization allows us to check a component in isolation; however, it is possible (and often necessary) to state assumptions about the environment. In the paper [7] it has been shown how the proposed check can be mechanized; in the present paper the emphasis is on the characterization itself. Circuit efficiency sometimes makes it necessary to compromise the speed-independence of a well-defined part of a circuit. Our characterization of speed-independence makes it possible to state some speed assumptions about well-defined parts while still making it possible to check the rest of the design.
This paper is organized as follows. First, we present a short review of previously published characterizations of speed-independence. Section 3 describes the design language used in this paper for modeling circuits. Section 4 presents the characterization of speed-independence as a condition called persistency. Section 5 gives two examples of experimental designs where the proposed technique has been used to verify speed-independence. Finally, in Section 6 it is argued that the persistency condition is a sufficient condition for speed-independence.
2 Previous work 
This section gives a brief overview of the character- 
izations of speed-independence that have been pub- 
lished previously. 
2.1 Muller's model
In David Muller's theory [10] a logic gate is modeled by a logic function followed by an unbounded inertial delay element. Formally, a circuit consists of a set of boolean variables, {x1, x2, ..., xn} (n ≥ 1),
Authorized licensed use limited to: Danmarks Tekniske Informationscenter. Downloaded on July 07,2010 at 13:53:50 UTC from IEEE Xplore.  Restrictions apply. 
each of which has an associated boolean function f_i(x1, x2, ..., xn), 1 ≤ i ≤ n, and an initial state. A variable is either stable, if its value is equal to the new value computed by the corresponding boolean function, x_i' = x_i, or excited if x_i' ≠ x_i. For example, an OR-gate with both inputs 0 and output 1 is excited. An excited variable is indicated by following its value with an "*". An excited variable can either perform the enabled transition or be disabled because the gate inputs change (e.g., if at least one input goes to 1 before the output has been changed).
A circuit traverses states by changing values of excited variables either one at a time or in parallel. In other words, given an initial state or a set of initial states a circuit defines a state graph (a Transition Diagram [10]), that captures all states reachable from
Figure 1: Speed-independent (by Muller) but not semimodular circuit (the oscillator: one OR-gate and two inverters)
Figure 1 shows a simple autonomous circuit with one 
OR-gate and two inverters. 
A state <x1, x2, ..., xn> is a conflict state [5] if changing one excited variable disables another variable. Conflict states indicate that the local behavior of the components depends on their relative speed. A circuit with no reachable conflict states is called semimodular. Since there are two conflict states reachable from the initial state 0*0*0 in the state graph in Fig. 1, this circuit is not semimodular.
In Muller's original work a circuit is defined to be speed-independent if it has exactly one final class of behaviors that are reachable from the initial state. The final class is a closed set of reachable states inside which each excited variable must change its value. This definition allows for disabling of excited variables as exemplified in Fig. 1. Here all states form only one final class, since all states are reachable from any other state. Therefore, this is an example of a circuit meeting Muller's definition of speed-independence which is not semimodular.
In later work, the notion of semimodularity is often used as a characterization of speed-independence, because:
• semimodularity is easier to analyze than Muller's definition of speed-independence,
• semimodularity is robust with respect to the delay model used for gates [1].
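The Muller-model notions above (excited variables, conflict states, semimodularity and final classes) can be computed mechanically for a small circuit by enumerating its state graph. The following Python script is an added example, not code from the paper or its authors. It models the oscillator of Fig. 1 (one OR-gate and two inverters) as one boolean gate function per variable, and for comparison a second constructed circuit, a three-inverter ring, which is semimodular from the chosen initial state. The variable names a, b, c, the initial states and all function names are the example's own choices, not the paper's notation.

```python
"""Muller-model analysis of small autonomous circuits: state graph,
excited variables, conflict states (semimodularity) and final classes.
Added example; the circuits below are constructed for illustration."""
from itertools import combinations

# Fig. 1 oscillator: each variable is a gate output, given as a function of the state.
OSCILLATOR = {
    "a": lambda s: not s["c"],
    "b": lambda s: not s["c"],
    "c": lambda s: s["a"] or s["b"],
}
# Constructed comparison circuit: a ring of three inverters.
RING = {
    "a": lambda s: not s["c"],
    "b": lambda s: not s["a"],
    "c": lambda s: not s["b"],
}
ORDER = ("a", "b", "c")            # fixed variable order for state tuples


def excited(gates, s):
    """Variables whose gate function disagrees with their current value."""
    return {x for x, f in gates.items() if f(s) != s[x]}


def successors(gates, s):
    """Muller transition: any non-empty subset of the excited variables
    may switch, one at a time or in parallel."""
    ex = sorted(excited(gates, s))
    out = []
    for k in range(1, len(ex) + 1):
        for subset in combinations(ex, k):
            t = dict(s)
            for x in subset:
                t[x] = not t[x]
            out.append(t)
    return out


def key(s):
    return tuple(s[x] for x in ORDER)


def state_graph(gates, init):
    """All states reachable from init (the Transition Diagram), as
    state-tuple -> list of successor state-tuples."""
    graph, todo = {}, [dict(init)]
    while todo:
        s = todo.pop()
        if key(s) in graph:
            continue
        succ = successors(gates, s)
        graph[key(s)] = [key(t) for t in succ]
        todo.extend(succ)
    return graph


def conflict_states(gates, graph):
    """States where switching one excited variable disables another one."""
    found = set()
    for k in graph:
        s = dict(zip(ORDER, k))
        ex = excited(gates, s)
        for x in ex:
            t = dict(s)
            t[x] = not t[x]
            if (ex - {x}) - excited(gates, t):    # some other excited var got disabled
                found.add(k)
    return found


def is_semimodular(gates, graph):
    return not conflict_states(gates, graph)


def final_classes(graph):
    """Final classes: strongly connected sets of reachable states that no
    transition leaves (closed)."""
    reach = {}
    for k in graph:
        seen, todo = set(), [k]
        while todo:
            u = todo.pop()
            if u not in seen:
                seen.add(u)
                todo.extend(graph[u])
        reach[k] = seen
    classes = set()
    for k in graph:
        scc = frozenset(u for u in reach[k] if k in reach[u])
        if all(v in scc for u in scc for v in graph[u]):
            classes.add(scc)
    return classes


def muller_speed_independent(graph):
    """Muller: exactly one final class reachable from the initial state."""
    return len(final_classes(graph)) == 1


def pretty(gates, k):
    """Render a state in the paper's notation, e.g. 10*0*."""
    s = dict(zip(ORDER, k))
    ex = excited(gates, s)
    return "".join(f"{int(s[x])}{'*' if x in ex else ''}" for x in ORDER)


if __name__ == "__main__":
    for name, gates, init in (("oscillator", OSCILLATOR, dict(a=False, b=False, c=False)),
                              ("ring", RING, dict(a=False, b=True, c=False))):
        g = state_graph(gates, init)
        print(name, "states:", [pretty(gates, k) for k in g])
        print("  conflict states:", [pretty(gates, k) for k in conflict_states(gates, g)])
        print("  semimodular:", is_semimodular(gates, g),
              " Muller speed-independent:", muller_speed_independent(g))
```

For the oscillator the script reproduces the text: all eight states are reachable, the two conflict states are 10*0* and 0*10*, so the circuit is not semimodular, yet the whole graph is one closed strongly connected set, i.e. one final class, so it is speed-independent in Muller's sense. The inverter ring from 0,1,0 has one excited variable in every reachable state and is therefore both semimodular and Muller speed-independent.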
2.2 Speed-independence in trace theory 
Trace theory is based on characterizing properties 
of traces obtained by computations of the circuit [2,
3, 4, 14]. The designer is assumed to describe a design
with trace commands [3]. Figure 2.a shows the circuit 
from Fig. 1. The circuit consists of two components: 
an initiated fork (implemented by a wire fork and two 
inverters) and an OR-gate. 
Figure 2: Design with computation interference (a),
and state graphs for initiated fork (b), OR (c), and
OR || Fork (d).
Regular trace structures can only represent regular 
sets. Therefore, an automaton can be constructed for 
each of the components, which will accept the same 
regular set. A state graph for the initiated fork is 
given in Fig. 2.b and for the OR-gate in Fig. 2.c. In
circuits that have components with symmetric opera- 
tions for rising and falling signals, one abstract state 
might correspond to several binary signal values. This 
is, for example, the case for the initiated fork. The be- 
havior of the OR-gate is not symmetric. Therefore, a 
state graph for the OR-gate (Fig. 2.c) has eight states, 
q0 - q7, which correspond to the eight possible bi- 
nary states of a two input OR-gate. The trace com- 
mand specification of the OR-gate requires internal 
state variables and is similar to the structure of the 
state graph from Fig. 2.c. This indicates a drawback 
of trace commands as a specification language for cir- 
cuits: the size of the specification grows exponentially 
even for simple gates such as OR, AND, NOR, NAND. 
A circuit cannot control the transitions on its in- 
puts, since these are made by the environment. There- 
fore, any input transition can occur in any state of the 
state graph (receptiveness) [2]. However, some of the 
traces, called failure traces, may induce hazards. Af-
ter an input transition on a has occurred in the state
q0 the OR-gate goes to state q1, and it is ready to
produce an output on c and go to state q6. This cor-
responds to the state 10*0* (in Fig. 1). However, if
the same input a changes in state q1, this causes a
transition to the failure state. This corresponds to
disabling of the OR-gate by changing the input a back
to 0. Such a failure trace is called computation inter-
ference [14] or choking [2].
To analyze the behavior of the complete circuit the 
state graphs of the components are composed. In the 
example states in the composed state graph (Fig. 2.d)
are labeled by pairs of states of the OR-gate and the
initiated fork, e.g., the initial state of the composed
graph is <q0, q1'>. A transition between states la-
beled with a common symbol of several components
may occur only if all circuit components that have
this symbol in their alphabet can perform this tran-
sition. In the state graph for the complete circuit
(Fig. 2.d), the failure state is reachable from the states
<q1, q2'> and <q2, q3'> that correspond to the
conflict states 10*0* and 0*10* in Fig. 1. This indicates
that computation interference in a trace structure cor- 
responds to  violation of semimodularity in the Muller 
model. 
2.3 Tools for speed-independence 
There are several model-checking tools for checking 
speed-independence based both on the Muller model 
of circuits and the trace model [1, 2, 4, 5]. A compari-
son of these tools is given in [5]. The rest of this paper 
is devoted to  a characterization of speed-independence 
making it possible to  check high-level design descrip- 
tions. This characterization gives some new possibili- 
ties compared with the techniques mentioned above: 
• non-autonomous designs are handled without giving an explicit environment. This makes it possible to check large designs piece by piece in a modular fashion,
• higher level designs with non-binary data types can be handled,
• verification of other (safety) properties of a design can be done using exactly the same approach and the same tools. Hence, speed-independence does not require separate and specialized tools,
• no distinction is made between control and data dominated designs; both can be handled with the same approach.
3 High-level design descriptions
This section describes how to model circuits as for- 
mal transition systems using the design language SYN- 
CHRONIZED TRANSITIONS [12]. Such transition sys- 
tems consist of a set of transitions and a set of state 
variables (both are fixed and do not change during a 
computation). 
3.1 Design descriptions
A transition, t, describes a component of a circuit and has the form << Ct -> zt := Et >>, where Ct is a predicate called the precondition, zt is a state variable, and Et is an expression that has a unique value in any state. As an example, consider a C-element; it is described as follows: << a = b -> c := a >>. In this example, a, b, and c are boolean state variables, and whenever a = b, it is possible to assign the value of a to c. If a ≠ b, then c keeps its current value.
A circuit with many components (operating in parallel) is described by composing a number of such transitions (one for each component). The oscillator from Figure 1 is described as follows:
<< a := ¬c >> || << b := ¬c >> ||
<< c := a ∨ b >>
When a precondition is the constant TRUE, it can be omitted as illustrated by the three transitions of this design. State variables are introduced by a variable declaration that defines a type of the variable and this type determines the set of values that the state variable can take. By using other types than boolean, e.g., integers or arrays, it is possible to model computations on composite values. An integer multiplication is, for example, described as follows: << z := s * t >> where s, t, and z are state variables of type integer. Further details on SYNCHRONIZED TRANSITIONS are given in the book [12].
3.2 Terminology
This section defines a number of concepts that are used to characterize speed-independence.
The transition t is enabled in a state s if Ct is satisfied in s, and t is active if it is enabled and zt ≠ Et in s. The predicate active_t is: active_t ≡ Ct ∧ (zt ≠ Et).
When this predicate is explicitly applied in a particular state, s, it is written as: active_t(s).
A transition defines a set of ordered pairs of states; for each such pair the first element is called the pre-state and the second the post-state. For every transition, t, there is a corresponding predicate t(pre, post) defined on the pairs of states. This predicate is true if and only if the transition t can change the state from pre to post. zt.post denotes the value of zt in the post-state, and similarly E.pre is the value of an expression E in the pre-state, so zt.post = Et.pre.
The write set, Wt, of a transition, t, is the set of state variables appearing on the left-hand side of assignments. Similarly, the read set, Rt, of a transition is the set of state variables that appear in the precondition and on the right-hand side of the assignment.
SYNCHRONIZED TRANSITIONS has syntactic constructs for encapsulating parts of a design into cells which may have internal state variables that are invisible outside the cell. In this paper, the following simplified distinction is made between state variables. If the variable z does not belong to any of the write sets, i.e., no transition can change its value, then it is called an external variable. Otherwise z is called an internal variable. External variables correspond to the input signals of a design. Some of the internal variables serve as outputs.
The following definitions describe a restricted set 
of design descriptions, called well-behaved designs, for 
which it is possible to ensure a one-to-one correspon- 
dence between the design description and a circuit re- 
alization. 
Definition 1 The transitions t1, t2, ..., tn meet the exclusive write condition if and only if:
∀ i, j ∈ [1..n], i ≠ j : W_ti ∩ W_tj ≠ ∅ ⇒ ¬(C_ti ∧ C_tj)
This condition ensures that there are no states where different enabled transitions can assign to the same state variable.
Definition 2 The transitions t1, t2, ..., tn meet the unique write condition if and only if for each state variable z and for each value v in the domain of state variable z there is a unique transition that can assign value v to the state variable z.
This condition ensures that for each value that a state variable may get, it is possible to identify a unique transition assigning that value.
Definition 3 A design is called well-behaved if it obeys the exclusive write and unique write conditions.
It can be shown that it is possible to describe any 
asynchronous circuit as a well-behaved design. 
3.3 Operational model 
The computation of a design can be modeled as repeated non-deterministic selection and execution of an enabled transition. Transitions are executed one at a time, i.e., as an indivisible operation; repeatedly, i.e., each time one has been executed, it is immediately ready to be selected again; and independently of the order in which they appear in the design description. There is no upper bound on when a transition is selected.
A design defines a set of computations that are se- 
quences of states, called trajectories. The formal def- 
inition of trajectories is given in Section 6.2. 
3.4 Invariants and protocols
Invariants and protocols describe properties of a design that can be verified formally.
Invariants: are predicates over the state variables, defining restrictions (subsets) on the state space.
Protocols: are predicates on pairs of states, pre, post, defining restrictions on the allowable transitions between states.
For example, the following invariant states that x and y cannot be true simultaneously (mutual exclusion).
¬(x ∧ y)
The following is an example of a protocol stating that whenever x changes, it gets the value of y.
x.pre ≠ x.post ⇒ x.post = y.pre
3.5 Environments 
In general, the computation of a design depends on the behavior of its environment. Protocols and invariants are used as implicit specifications of environments expressing constraints on the state space and possible transitions changing external state variables.
Example: a pipeline latch. Consider a pipeline latch; it is described as a design with four state variables: two booleans, ai, ao, to model the binary acknowledgment signals and two duals, Di, Do, to model a one bit data path. The domain for the duals contains three possible values {E, T, F} ("empty", "true", and "false"). The value E is used to reset the latch before it can adopt the next valid data value, T or F. The
variables ao (the output acknowledgment) and Di (in- 
put data) are external. Figure 3.a shows the structure 
of the latch; figure 3.b shows one possible gate-level 
realization based on two C-elements and one NOR- 
gate. 
Figure 3: Structure of the latch (a) and its gate-level implementation (b)
Let empty be a predicate which returns TRUE when the value of the dual parameter is equal to E. Then the latch is described as follows:
<< ai := empty(Do) >> ||
<< ao ≠ empty(Di) -> Do := Di >>
The duals Di and Do alternate between the value E and T or F, and they must only change after the previous change has been acknowledged. These assumptions are expressed with the following protocol on Di and ao:
PE ≡ (Di.pre ≠ Di.post ⇒
        (ai.post ≠ empty(Di.post)) ∧
        (ai.post = empty(Di.pre))) ∧
      (ao.pre ≠ ao.post ⇒ (ao.post = empty(Do.post)))
The protocol constrains any change of Di to start in a pre-state where ai.post = empty(Di.pre) (only Di changes in such a step, so ai.post = ai.pre). This prevents Di from changing directly from one non-empty value to another. Note that a latch for a wider data path is specified by substituting another type instead of dual.
End of example
3.6 Internal non-determinism
Protocols and invariants are also used to specify components with internal non-determinism, for example an arbiter. As an example, consider a simple arbiter serving two clients. Each client indicates a request by making the state variable Req_i true; the arbiter gives an acknowledgment by making Ack_i true. The behavior of the two-input arbiter is defined implicitly by the invariant ¬(Ack1 ∧ Ack2) and the protocol:
(Ack1.pre ≠ Ack1.post ⇒
   ¬Ack2.pre ∧ ¬Ack2.post ∧ Ack1.post = Req1.pre) ∧
(Ack2.pre ≠ Ack2.post ⇒
   ¬Ack1.pre ∧ ¬Ack1.post ∧ Ack2.post = Req2.pre)
The internal behavior of the arbiter is not a subject of verification (it cannot be verified by logic means anyway), but the cooperative behavior of the arbiter with other components is verified. This allows us to check the speed-independence of designs with internal non-determinism.
3.7 Design
A design, D, is a five-tuple <Z, T, PE, U, I>, where Z is a finite set of state variables; T is a finite set of transitions; PE is an external protocol, restricting possible transitions of external state variables; U is a set of initial states; and I is an invariant.
Formally, the protocol and invariant of a design 
constrains both the internal and external state vari- 
ables. However, in practice it can be useful to distin- 
guish the external constraints from the internal. The 
external serves as an implicit characterization of the 
environment and this is usually needed to  carry out 
the verification. On the other hand, the internal con- 
straints can often be derived automatically. In [7] 
it is described how model-checking is used for auto- 
matically deriving an invariant defining the reachable 
states. 
Example: the pipeline latch (continued). The invariant for the pipeline latch with the external protocol PE is characterized by the following expression:
I ≡ (Di = Do) ∨ (ai ∧ empty(Do)) ∨ (¬ai ∧ empty(Di))
End of example
For simple designs, it is possible to derive the invariant manually, but for more challenging designs this is often too laborious and automatic derivation is therefore useful.
4 The persistency condition 
This section presents a characterization of the speed-independent designs. It is formulated as a condition on a design; when it is met, the design allows for a speed-independent circuit realization. In Section 6 it is argued that the condition is sound, i.e., that it ensures that a computation is independent of the speed of its components. The condition is used for checking designs and this has influenced the formulation of the condition. It is expressed as a protocol which makes it possible to use existing verification techniques and tools to check the condition.
The protocol Persistent_t(pre, post) defines the constraint that transition t stays active, providing the same post value for the write variable, while other transitions occur. It is defined as follows:
Persistent_t(pre, post) ≡
   Active_t(pre) ⇒ (Active_t(post) ∧ Et.pre = Et.post)
The persistency protocol generalizes the notion of a conflict state from the Muller model (see Section 2.1) for high-level designs with variables of any finite type and with internal and external non-determinism.
Example: The pipeline latch (continued). The persistency protocol for the last transition of the latch from Fig. 3 is:
(ao.pre ≠ empty(Di.pre)) ∧ (Do.pre ≠ Di.pre) ⇒
   (ao.post ≠ empty(Di.post)) ∧ (Do.post ≠ Di.post)
   ∧ (Di.pre = Di.post)
End of example
A design is persistent if the persistency protocol is met for all transitions of the design, i.e., if any state change by an internal transition or in the environment meets the persistency protocols of all transitions.
Definition 4 Let D be a design <Z, T, PE, U, I>. Then D satisfies the persistency condition if the following can be shown:
(1) for all pairs of transitions t1, t2 in T, t1 ≠ t2:
   t1(pre, post) ∧ I(pre) ⇒ Persistent_t2(pre, post)
(2) for any transition t in T:
   PE(pre, post) ∧ I(pre) ⇒ Persistent_t(pre, post).
When a design meets the persistency condition, it is ensured that no active variable is disabled by the state changes of other transitions or by the state changes of the external variables.
Example: an oscillator (continued). To illustrate a non-persistent design consider the oscillator of Fig. 1 and its description in Section 3. In the state a, b, c = FALSE, FALSE, FALSE both the first and the second transitions are active. If the first transition changes a to TRUE, the third transition becomes active; if it then changes c to TRUE before the second transition has fired, the second is no longer active (b already equals ¬c). Therefore, the implication in the persistency protocol does not hold for the second transition, and hence the design is not persistent.
4.1 Mechanizing the check
The paper [7] describes tools for mechanically checking the persistency condition. They consist of:
• a translator for transforming design descriptions into a list of proof obligations corresponding to the persistency condition;
• a tool for generating reachability invariants;
• a theorem prover (the LARCH PROVER) that is used to verify the proof obligations.
Note that the persistency condition yields a separate implication for each transition. Hence, the verification is broken into a number of independent steps.
Example: the pipeline latch (continued). The invariant, called I in Section 3.7, can be used to verify that the pipeline latch meets the persistency condition. The external protocol, PE, for the latch was defined in Section 3.5.
For each (of the two) transitions of the design, it must be shown that it satisfies the persistency protocol of the other transitions (in this case there is only one), and the external protocol PE:
I(pre) ∧ t_i(pre, post) ⇒ Persistent_tj(pre, post)
I(pre) ∧ PE(pre, post) ⇒ Persistent_ti(pre, post)
where i, j ∈ {1, 2} ∧ i ≠ j. Given the design description, the tools mentioned above generate similar implications and verify them, which shows that this is a speed-independent design.
5 Applications 
This section describes two particular designs: (1) a switch used in the data-path of a multiplier; this illustrates the use of high-level designs with variables of non-boolean type, and (2) a self-timed RAM design; this illustrates how to do a partial check of a design with a delay assumption about a well defined part.
5.1 A switch of a data-path
The asymmetric switch shown in Figure 4 is used in a speed-independent vector multiplier design [11]. This switch either lets both data signals pass through, or it crosses one of them over and ignores the other. All signals in this design follow a four-phase protocol. The data lines, InA, InB, OutA, and OutB, are part of dual-rail encoded data paths (of arbitrary width) and one single-rail acknowledgement signal to (for InA, InB) or from (for OutA, OutB) the environment. The control input, Ctl, also follows a four-phase protocol, and it is a dual-rail input signal. Finally, there is a boolean acknowledgement signal to the environment.
Figure 4: Asymmetric data-path switch
Details of this design are given in [11]. Here, only a part of the design description is shown; it specifies the behavior of the data paths for transferring one dual-rail encoded word (word width n). Each of the dual-word variables is implemented by 2n wires and can take 2^n + 1 different values: one empty value, E, and 2^n valid combinations. Note that we do not need to explicitly enumerate states corresponding to all valid code combinations. Instead, a predicate ¬empty(InA) is used to characterize all valid values of the variable InA.
<< (Ctl = T) ≠ empty(InB) -> a1 := InB >> ||
<< (Ctl = F) ≠ empty(InA) -> a0 := InA >> ||
<< (Ctl = F) ≠ empty(InB) -> OutB := InB >> ||
<< OutA := IF a0 = E THEN a1 ELSE a0 >>
The switch is apparently very simple, but it was quite 
difficult to  find a correct speed-independent design. 
The formal verification revealed several mistakes in 
designs that were believed to be correct and where 
careful simulations had not uncovered any errors. 
5.2 A RAM cell
This section describes the design of a RAM cell, and it is shown how to do a partial check of speed-independence. It turns out that a small well-defined part of the RAM cell is not speed-independent. However, this part can be excluded from the check, and the rest of the design can be verified.
The major difficulty in designing a speed-independent RAM is in the implementation of the write operation. It is non-trivial to organize a completion detection after a new value has been written into the memory cell. Figure 5.a shows a design (for the write operation only) of a self-timed memory that has been made by Lars Nielsen, DTU, in 1993.
Figure 5: Self-timed RAM (write operation), including the write completion detector
Each static memory cell contains 10 transistors, and each column of the memory array includes one write completion detector. The memory cell is described as follows:
t_x'   : << x' := ¬((Dit ∧ W) ∨ x) >> ||
t_x    : << x := ¬((Dif ∧ W) ∨ x') >> ||
t1_Dof : << x' ∧ W -> Dof := TRUE >> ||
t2_Dof : << ¬W -> Dof := FALSE >> ||
t1_Dot : << x ∧ W -> Dot := TRUE >> ||
t2_Dot : << ¬W -> Dot := FALSE >>
The completion detector is specified as follows:
t1_Wack : << (Dit ∧ Dot) ∨ (Dif ∧ Dof) -> Wack := TRUE >> ||
t2_Wack : << ¬(Dit ∨ Dot ∨ Dif ∨ Dof) -> Wack := FALSE >>
A check of the design shows that the transitions t1_Dof and t1_Dot do not meet persistency, and hence, this design is not speed-independent. Moreover, the mutual exclusion condition for variables Dot and Dof is not met, and therefore two '1' values can appear at the output data lines. If the RAM-cell stores a '0' value, i.e., x = 0 and x' = 1, and the input data value is '1' (Dit = 1 and Dif = 0), then immediately after arrival of the write control signal W two transitions start: writing a '1' value into the cell, and driving the output data line Dof to become 1. Depending on the relative speeds of these processes either a short voltage spike appears at the line Dof (non-persistency) or this line will hold a '1' value until the next cycle (where Dot may take a '1' value, which implies that mutual exclusion is violated).
However, the RAM cell operates correctly if it is assumed that the write control signal W always goes high with a delay of at least τ after Dit, Dif get a valid value (0,1 or 1,0), where τ is bigger than the delay of the memory cell. Such an assumption is typical for some asynchronous and self-timed design styles, e.g., micro-pipelines and systems with a bundled data protocol. For such designs, it is possible to do a partial check for speed-independence. For example, in the RAM cell design, we can exclude the two transitions, t1_Dot and t1_Dof, from the persistency check and verify that the rest of the design is speed-independent.
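The persistency condition of Definition 4, including the partial check just described, can be carried out for small designs by explicit state enumeration: the reachable states (derived from the initial state, the transitions and the external protocol PE) play the role of the invariant I, and every step out of a reachable state is checked against the persistency protocol of every other transition. The following Python checker is an added example, not the tools of [7] or any code from the paper; it encodes the pipeline latch of Sections 3.5 and 3.7 and the RAM cell of this section. The transition names (t_ai, t_Do, and t_xb standing for t_x'), the initial states, and in particular the RAM cell's external protocol for Dit, Dif and W (a four-phase write handshake that the paper does not spell out) are assumptions of the example.

```python
"""Persistency check (Definition 4) by explicit state enumeration.
Added example: the reachable-state set is used in place of the invariant I."""
from collections import namedtuple

Transition = namedtuple("Transition", "name guard target expr")
Violation = namedtuple("Violation", "by victim pre post")
E, T, F = "E", "T", "F"                      # the dual type {E, T, F}
BOOL, DUAL = (False, True), (E, T, F)


def empty(d):
    return d == E


class Design:
    """<Z, T, PE, U>: Z is given as one domain per variable, I is derived."""
    def __init__(self, domains, external, transitions, pe, initial):
        self.domains, self.external = domains, list(external)
        self.transitions, self.pe, self.initial = transitions, pe, initial

    def active(self, t, s):                  # Active_t(s) = C_t(s) and z_t != E_t(s)
        return t.guard(s) and s[t.target] != t.expr(s)

    def steps(self, s):
        """Successors of s: one active transition fires, or one external
        variable changes to a value the external protocol PE allows."""
        out = [(t.name, {**s, t.target: t.expr(s)})
               for t in self.transitions if self.active(t, s)]
        for x in self.external:
            for v in self.domains[x]:
                post = {**s, x: v}
                if v != s[x] and self.pe(s, post):
                    out.append(("env:" + x, post))
        return out

    def reachable(self):
        seen, todo = {}, [dict(s) for s in self.initial]
        while todo:
            s = todo.pop()
            k = tuple(sorted(s.items()))
            if k not in seen:
                seen[k] = s
                todo.extend(post for _, post in self.steps(s))
        return list(seen.values())

    def persistency_violations(self, exclude=()):
        """Each step (pre, post) must keep every other transition that was
        active in pre active in post, with an unchanged right-hand side.
        Transitions named in `exclude` are exempt (the partial check)."""
        out = []
        for pre in self.reachable():
            for by, post in self.steps(pre):
                for t in self.transitions:
                    if by == t.name or t.name in exclude or not self.active(t, pre):
                        continue
                    if not (self.active(t, post) and t.expr(pre) == t.expr(post)):
                        out.append(Violation(by, t.name, pre, post))
        return out


def pipeline_latch():
    """Sections 3.5/3.7: << ai := empty(Do) >> || << ao != empty(Di) -> Do := Di >>."""
    trans = [Transition("t_ai", lambda s: True, "ai", lambda s: empty(s["Do"])),
             Transition("t_Do", lambda s: s["ao"] != empty(s["Di"]), "Do", lambda s: s["Di"])]

    def pe(pre, post):                       # the protocol PE of Section 3.5
        if pre["Di"] != post["Di"] and not (post["ai"] != empty(post["Di"])
                                            and post["ai"] == empty(pre["Di"])):
            return False
        return pre["ao"] == post["ao"] or post["ao"] == empty(post["Do"])
    return Design({"ai": BOOL, "ao": BOOL, "Di": DUAL, "Do": DUAL}, ["ao", "Di"],
                  trans, pe, [{"ai": True, "ao": True, "Di": E, "Do": E}])


def latch_invariant(s):                      # I of Section 3.7, for cross-checking
    return s["Di"] == s["Do"] or (s["ai"] and empty(s["Do"])) or (not s["ai"] and empty(s["Di"]))


def ram_cell():
    """Section 5.2: memory cell (xb stands for x'), output drivers, completion detector."""
    trans = [
        Transition("t_xb", lambda s: True, "xb", lambda s: not ((s["Dit"] and s["W"]) or s["x"])),
        Transition("t_x", lambda s: True, "x", lambda s: not ((s["Dif"] and s["W"]) or s["xb"])),
        Transition("t1_Dof", lambda s: s["xb"] and s["W"], "Dof", lambda s: True),
        Transition("t2_Dof", lambda s: not s["W"], "Dof", lambda s: False),
        Transition("t1_Dot", lambda s: s["x"] and s["W"], "Dot", lambda s: True),
        Transition("t2_Dot", lambda s: not s["W"], "Dot", lambda s: False),
        Transition("t1_Wack", lambda s: (s["Dit"] and s["Dot"]) or (s["Dif"] and s["Dof"]),
                   "Wack", lambda s: True),
        Transition("t2_Wack", lambda s: not (s["Dit"] or s["Dot"] or s["Dif"] or s["Dof"]),
                   "Wack", lambda s: False),
    ]

    def pe(pre, post):
        """ASSUMED four-phase write protocol (the paper states none): a data line
        changes only while W is low, rises only when idle and the other line is
        low, falls only after Wack; W rises with exactly one valid data line and
        Wack low, and falls only after Wack."""
        for d, other in (("Dit", "Dif"), ("Dif", "Dit")):
            if pre[d] != post[d]:
                if pre["W"] or (post[d] and (pre["Wack"] or pre[other])):
                    return False
                if not post[d] and not pre["Wack"]:
                    return False
        if pre["W"] != post["W"]:
            if post["W"]:
                return not pre["Wack"] and pre["Dit"] != pre["Dif"]
            return pre["Wack"]
        return True
    names = ["x", "xb", "Dit", "Dif", "W", "Dof", "Dot", "Wack"]
    init = {n: False for n in names}
    init["xb"] = True                        # the cell initially stores '0'
    return Design({n: BOOL for n in names}, ["Dit", "Dif", "W"], trans, pe, [init])
```

With the full check the latch reports no violation and every reachable state satisfies the invariant I of Section 3.7, while the RAM cell reports exactly the two pairs the text describes: t_x' (t_xb) disabling t1_Dof, and symmetrically t_x disabling t1_Dot, and the enumeration also reaches a state with Dot and Dof both true, the mutual-exclusion failure. Calling persistency_violations(exclude={"t1_Dof", "t1_Dot"}) is the partial check of this section: under the assumed protocol the rest of the RAM design passes.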
6 Soundness of the characterization 
This section shows how to formulate the intuitive 
notion of speed-independence and relates the class of 
persistent designs to this definition. 
6.1 Delayed (designs 
The intuitive notion of gate delays is modeled by 
the notion of a delayed design. 
Definition 5 Let D be a design with transitions T and external protocol PE and let z be an arbitrary state variable of the design. A design with a delayed variable z is constructed in three steps:
(1) One transition is added to the design: <<zd := z>> where zd is a new variable.
(2) In all transitions ti ∈ T where z ∈ Rti all occurrences of the state variable z are replaced by zd.
(3) Occurrences of z.pre in the external predicate PE(pre, post) are replaced by zd.pre.
Applying this definition iteratively, one gets a version of the design with multiple delays, including multiple delays of a single state variable z.
In the underlying circuit, the delay of z corresponds to inserting a delay element before the fork of a wire delivering the value of z to other components and to the environment. If z is an internal variable, then the delay is inserted before any forks of the internal wire. If z is an external variable, then the delay is inserted before the fork of the input wire.
6.2 Equivalence of designs 
A design defines a set of computations that are trajectories of states, S0, S1, ..., where S0 ∈ U is an initial state, each state Si satisfies the invariant I(Si) and for each pair of states, Si, Si+1, one of the following conditions is met:
• Si+1 differs from Si by the value of an internal variable, z, and there is a transition, t, such that z ∈ Rt and t(Si, Si+1), i.e., Si is a pre-state of t, and Si+1 is a post-state of t, or
• Si+1 differs from Si by the value of an external variable and PE(Si, Si+1) is satisfied.
The set of all trajectories of a design D is denoted Tr(D). If Si+1 differs from Si by the value of a variable z, and if z has the value v in the state Si+1, then we will say that variable z can perform an assignment z := v in the state Si and denote it Si →(z:=v) Si+1.
A projection operator on trajectories is defined as follows:
Definition 6 Let Tr(D) be the trajectories of design D and Z' ⊆ Z be a subset of the variables.
(1) a projection of a state S onto Z', S ↓ Z', is a state S' derived from S by deleting all components corresponding to the variables z ∈ Z − Z';
(2) a projection of a trajectory is constructed in two steps: first, all states of the trajectory are projected and then equal adjacent state projections are collapsed;
(3) a projection of the trajectories on Z', Tr(D) ↓ Z', is the set of all trajectory projections {s ↓ Z' | s ∈ Tr(D)}.
The projection is used to define the equivalence of a design and its delayed version.
Definition 7 Design D with a set of state variables Z and its delayed version DZ', where Z' ⊆ Z is the set of delayed variables, are observation equivalent if Tr(D) = Tr(DZ') ↓ Z.
6.3 Persistency of the environment 
The persistency condition encourages an approach where a component and its environment are checked independently. If the component and the environment are both specified as transition systems then the persistency condition can be used on both. However, if the environment is specified by other means, it should still behave persistently. This section defines a restriction called external persistency. If the external persistency is met by a design, then the design is speed-independent for any environment satisfying the external protocol of the design. It must be stressed that transition systems satisfying the persistency condition automatically satisfy the restriction; it is only relevant for environments specified by other means.
[Figure 6 omitted: block diagrams of ENVIRONMENT and DESIGN with delay elements on the connecting wires]
Figure 6: A speed-independent (a), and delay-insensitive (b) composition of a design and its environment.
The Foam Rubber Wrapper property [9] is often used for delay-insensitive circuits. It states that if arbitrary delays are attached to the input and output lines of the implemented system, the new interface created must have the same behavior as the originally specified one (Fig. 6.b).
A corresponding property for a speed-independent environment would be to attach arbitrary delays to the input and output lines before wire forks such that the environment (in case of input lines) or the design (in case of output lines) observes delayed signals (Fig. 6.a). This requirement on a speed-independent environment can be captured by the external persistency condition. The external persistency is weaker than persistency, since it allows non-deterministic behavior of the environment.
Similar to the persistency condition, the external persistency condition consists of two requirements. These constrain the behavior of external variables. Intuitively, the first requirement states that if two external variables are concurrently active in a state of the design then they can change their values in any order. The second requirement states that transitions of internal variables cannot disable external variables.
Definition 8 The design D meets the external persistency condition if two requirements hold:
1. If two external variables, z and x, can perform the assignments z := v and x := w according to the external protocol PE in a reachable state S1 such that S1 →(z:=v) S2, S1 →(x:=w) S3 and furthermore S2 →(x:=w) S4, i.e., the assignment x := w is still possible in S2 after z has changed its value, then z can perform the same assignment z := v in state S3: S3 →(z:=v) S4.
2. If some external variable z can perform an assignment z := v according to the external protocol PE in a reachable state S1 and an arbitrary transition ti is active in S1 such that ti(S1, S2), then z can perform the same assignment z := v in the state S2.
It is important to notice that verification of the com- 
plete design does not  require a check for the external 
persistency condition in those cases where all modules 
of the design are expressed as transition systems. 
6.4 Soundness of persistency 
This section defines the notion of a speed-indepen- 
dent design and states a theorem relating the persis- 
tency condition to  speed-independence. 
Definition 9 A design D is speed-independent if any delayed version of design D is observation equivalent to D.
Although this definition requires all possible delayed versions to be observation equivalent to the original design, it is not necessary to compare all multiply delayed versions. It can be shown that only singly delayed versions need to be considered. Furthermore, instead of checking an observation equivalence one can simply check the persistency condition.
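The persistency check of the RAM cell in Section 5, the delayed designs of Definition 5, the projections and observation equivalence of Definitions 6 and 7, and the remark above that the persistency condition can be checked instead of observation equivalence can all be exercised on a small closed design. The following Python program is an added example, not code from the paper or its authors. It assumes Boolean state variables, folds the environment into the design as ordinary transitions (so only internal persistency is checked and the external predicate of Definition 5, step (3), is not modelled), and compares trajectories only up to a bounded number of steps. The names Design, persistency_violations, delayed, project and observation_equivalent, and the two constructed designs (a three-inverter ring and a wire fork), are the example's own.

```python
# Added example (not from the paper): a bounded checker for the definitions of
# Section 6 on small closed Boolean designs.  A transition is (name, target,
# reads, fn): fn gets the values of `reads` in order and returns the new value
# of `target`, or None when its guard is false.  It is active in a state when
# the returned value differs from the current value of `target`.
from collections import deque
from itertools import combinations


class Design:
    def __init__(self, variables, init, transitions):
        self.variables = tuple(variables)           # ordered state variables Z
        self.init = tuple(init[v] for v in self.variables)
        self.transitions = list(transitions)

    def active(self, state):
        """All (transition, new_value) pairs active in `state`."""
        env = dict(zip(self.variables, state))
        out = []
        for tr in self.transitions:
            val = tr[3](*(env[r] for r in tr[2]))
            if val is not None and val != env[tr[1]]:
                out.append((tr, val))
        return out

    def fire(self, state, tr, val):
        env = dict(zip(self.variables, state))
        env[tr[1]] = val
        return tuple(env[v] for v in self.variables)

    def reachable(self):
        seen, todo = {self.init}, deque([self.init])
        while todo:
            s = todo.popleft()
            for tr, val in self.active(s):
                n = self.fire(s, tr, val)
                if n not in seen:
                    seen.add(n)
                    todo.append(n)
        return seen

    def trajectories(self, steps):
        """All finite trajectories S0, S1, ... of at most `steps` steps."""
        result, frontier = set(), {(self.init,)}
        for _ in range(steps + 1):
            result |= frontier
            frontier = {p + (self.fire(p[-1], tr, val),)
                        for p in frontier for tr, val in self.active(p[-1])}
        return result


def persistency_violations(design):
    """First requirement of the persistency condition on every reachable state:
    firing one active transition must leave every other active transition
    active with the same value.  Returns (state, fired, disabled) triples."""
    bad = []
    for s in design.reachable():
        for pair in combinations(design.active(s), 2):
            for (a, va), (b, vb) in (pair, pair[::-1]):
                if a[1] == b[1]:      # same target: a mutual-exclusion matter
                    continue
                n = design.fire(s, a, va)
                if [v for tr, v in design.active(n) if tr is b] != [vb]:
                    bad.append((s, a[0], b[0]))
    return bad


def delayed(design, z):
    """Definition 5, steps (1) and (2): add zd := z and make every reader of z
    read zd instead (the delay sits before the fork of the wire carrying z)."""
    zd = z + "d"
    init = dict(zip(design.variables, design.init))
    init[zd] = init[z]
    trans = [(n, tgt, tuple(zd if r == z else r for r in reads), fn)
             for n, tgt, reads, fn in design.transitions]
    trans.append(("t_" + zd, zd, (z,), lambda v: v))
    return Design(design.variables + (zd,), init, trans)


def project(path, k):
    """Definition 6: keep the first k components (Z), collapse equal neighbours."""
    out = []
    for s in path:
        if not out or out[-1] != s[:k]:
            out.append(s[:k])
    return tuple(out)


def observation_equivalent(design, delayed_design, steps):
    """Definition 7 restricted to trajectories of at most `steps` steps.  A zd
    step can only follow a change of z, so delayed trajectories of at most
    2*steps steps yield every projection with at most steps+1 states."""
    k = len(design.variables)
    proj = {project(p, k) for p in delayed_design.trajectories(2 * steps)}
    return design.trajectories(steps) == {p for p in proj if len(p) <= steps + 1}


NOT = lambda v: not v
# Constructed designs: a three-inverter ring (the classic non-persistent
# circuit) and a wire fork x -> y, x -> z (persistent).
ring = Design("abc", dict(a=False, b=False, c=False),
              [("t_a", "a", ("c",), NOT), ("t_b", "b", ("a",), NOT),
               ("t_c", "c", ("b",), NOT)])
fork = Design("xyz", dict(x=False, y=False, z=False),
              [("t_x", "x", (), lambda: True), ("t_y", "y", ("x",), lambda v: v),
               ("t_z", "z", ("x",), lambda v: v)])


def check(design, z, steps=6):
    """(persistent?, observation equivalent to the version with z delayed?)"""
    return (not persistency_violations(design),
            observation_equivalent(design, delayed(design, z), steps))


if __name__ == "__main__":
    print("ring:", check(ring, "a"))   # (False, False)
    print("fork:", check(fork, "x"))   # (True, True)
```

In the all-zero state of the ring all three inverters are active and firing any one of them disables its neighbour, so the persistency check fails; delaying a then exposes a projected trajectory (a changes, then b changes) that the undelayed ring cannot produce, which is the failure mode Theorem 1 rules out for persistent designs. The fork stays observation equivalent when the delay is placed before the wire fork, as the discussion after Definition 5 describes.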
Theorem 1 If a well-behaved design satisfies the per- 
sistency condition and i t s  environment satisfies the ex- 
ternal persistency condition, then  the design i s  speed- 
independent. 
The proof of this theorem is given in [6]. 
A sketch of the proof. The theorem is first proved (by contradiction) for the case when one variable is delayed. Let D' be a delayed version that is not observation equivalent to D, although both the persistency and the external persistency hold. Let s be the shortest possible trajectory in the delayed design D' that has no equivalent projection in the original design D. It can always be represented in the form s = r, S0 →(z) q, S1 →(y) S2, where r, q are trajectories (both r and q might be empty), S0, S1 and S2 are states of the delayed design, z is a delayed variable, y is another variable of the design, and S0 →(z) q is the last assignment to z in s.
Assume that q is not empty. No transitions in q can read z in the delayed design. Hence, instead of the trajectory s one can always consider another trajectory of the same length, which is obtained from s by swapping the last assignment to z and all the other assignments to the variables that occur along the trajectory q. Therefore, we can restrict consideration to trajectories where q is empty: s = r, S0 →(z) S1 →(y) S2.
Four cases are possible: (1) z, y are internal variables, (2) z is external and y is internal, (3) both z and y are external, and (4) z is internal and y is external.
Let us consider the first case. Since by assumption z and y are internal variables, there is a unique transition t1 : <<z := Et1>> that is active in S0 and there is a unique transition t2 : <<y := Et2>> that is active in S1. By construction of a delayed design the values of Rt2 in the state S1 for design D' are exactly the same as the values of Rt2 in the state S0 ↓ Z for design D. Therefore, for design D, t2 is active in the state S0 ↓ Z but it is either not active in S1 ↓ Z or Et2.(S1 ↓ Z) ≠ Et2.(S0 ↓ Z). By definition the first requirement of the persistency condition for t2 is not satisfied. We have reached a contradiction.
Similarly, for the second case the contradiction is reached with the second requirement of the persistency condition for the transition t2; for the third and fourth cases a contradiction is found with the first and the second requirements of the external persistency condition.
The case with more than one variable delayed is reduced to the case with one variable delayed. □
In [6] it is also shown that the persistency and ex- 
ternal persistency conditions are necessary for a well- 
behaved design to  be speed-independent for all envi- 
ronments satisfying the external protocol. 
7 Conclusion 
This paper has presented a sufficient condition for the speed-independence of a high-level design. The description of such high-level designs allows variables of any finite type and hierarchical structure with both external (input choice) and internal (arbiters) non-determinism. The formulation of the condition was related to other characterizations of speed-independence. The major difference of the condition presented here is the emphasis on independent verification of separate components/modules of a design.
Acknowledgements
We are grateful to  Alex Kondratyev and Alexander 
Taubin for numerous discussions on speed-indepen- 
dence, to  Michael Mendler for discussions of this pa- 
per, and to Niels Maretti for his work on automatic 
generation of reachability invariants. 
References 
[1] P.A. Beerel and T.H.-Y. Meng. Semi-modularity and testability of speed-independent circuits. Integration, the VLSI Journal, 13(3):301-322, September 1992.
[2] D.L. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits. The MIT Press, Cambridge, Mass., 1988.
[3] Jo C. Ebergen. A formal approach to designing delay-insensitive circuits. Distributed Computing, 5(3):107-119, 1991.
[4] Jo C. Ebergen and S. Gingras. A verifier for network decompositions of command-based specifications. In Proc. Hawaii International Conf. System Sciences, pages 310-318. IEEE Computer Society Press, 1993.
[5] M. Kishinevsky, A. Kondratyev, A. Taubin, and V. Varshavsky. Analysis and identification of speed-independent circuits on an event model. Formal Methods in System Design, 4(1):33-75, 1994.
[6] M. Kishinevsky and J. Staunstrup. Checking speed-independence of high-level designs (full version). Internal Technical Report, Department of Computer Science, Technical University of Denmark, May 1994.
[7] M. Kishinevsky and J. Staunstrup. Mechanized verification of speed-independence. In Proceedings of the 2nd Workshop on Theorem Provers in Circuit Design, Germany, September 1994.
[8] A. Martin, S. Burns, T. Lee, D. Borkovic, and P. Hazewindus. The first asynchronous microprocessor: the test results. Computer Architecture News, 17(4):95-110, June 1989.
[9] C.E. Molnar, T.P. Fang, and F.U. Rosenberger. Synthesis of delay-insensitive modules. In H. Fuchs, editor, Proceedings of the 1985 Chapel Hill Conference on VLSI. Computer Science Press, 1985.
[10] D. E. Muller and W. C. Bartky. A theory of asynchronous circuits. In Annals of Computing Laboratory of Harvard University, pages 204-243, 1959.
[11] J. Sparsø and J. Staunstrup. Delay-insensitive multi-ring structures. INTEGRATION, the VLSI Journal, 15(3), 1993.
[12] J. Staunstrup. A Formal Approach to Hardware Design. Kluwer Academic Publishers, 1994.
[13] K. van Berkel, R. Burgess, J. Kessels, A. Peeters, M. Roncken, and F. Schalij. A Fully-Asynchronous Low-Power Error Corrector for the DCC Player. In ISSCC 1994 Digest of Technical Papers, volume 37, pages 88-89, San Francisco, 1994.
[14] J. L. A. van de Snepscheut. Trace Theory and VLSI Design, volume 200 of Lecture Notes in Computer Science. Springer Verlag, Berlin, 1985.