Interval temporal logic QDDC is a highly succinct and visual notation for specifying patterns of behaviours [Pan00]. In this paper, we propose a practically useful notation called SeCeNL which enhances the negation-free fragment of QDDC with features of nominals and limited liveness. We show that timing diagrams can be naturally (compositionally) and succinctly formalized in SeCeNL as compared with PSL-Sugar and MTL. We give a linear time translation from timing diagrams to SeCeNL. As our second main result, we propose a linear time translation of SeCeNL into QDDC. This allows QDDC tools such as DCVALID [Pan00,Pan01] and DCSynth to be used for checking the consistency of timing diagram requirements as well as for the automatic synthesis of property monitors and controllers. We give examples of a minepump controller and a bus arbiter to illustrate our tools. Through a theoretical analysis, we show that for the proposed SeCeNL, satisfiability and model checking have elementary complexity as compared to the non-elementary complexity of the full logic QDDC.
Introduction
A timing diagram is a collection of binary signals and a set of timing constraints on them. It is a widely used visual formalism in the realm of digital hardware design, communication protocol specification and embedded controller specification. The advantages of timing diagrams in hardware design are twofold: first, since designers can visualize the waveforms of signals, they are easy to comprehend; second, they are very convenient for specifying ordering and timing constraints between events (see Fig. 1 and Fig. 2 below).
There have been numerous attempts at formalizing timing diagram constraints in the framework of temporal logics, such as the timing diagram logic [Fis99], with LTL formulas [CF05], and as synchronous regular timing diagrams [AEKN00]. Moreover, there are industry standard property specification languages such as PSL/Sugar and OVA for associating temporal assertions with hardware designs [EF16]. The main motivation for these attempts was to exploit the automatic verification techniques that these formalisms support for validation and automatic circuit synthesis. However, commenting on their success, Fisler et al. state that the less than satisfactory adoption of formal methods in the timing diagram domain can be partly attributed to the gulf that exists between graphical timing diagrams and textual temporal logic: expressing the various timing dependencies among signals that can be illustrated so naturally in timing diagrams is rather tedious in temporal logics [CF05]. As a result, hardware designers use timing diagrams informally without any well defined semantics, which makes them unamenable to automatic design verification techniques.
In this paper, we take a fresh look at formalizing timing diagram requirements with emphasis on the following three features of the formalism that we propose here.
Firstly, we propose the use of the interval temporal logic QDDC to specify patterns of behaviours. QDDC is a highly succinct and visual notation for specifying regular patterns of behaviours [Pan00, Pan01, KP05]. We identify a quantifier- and negation-free subset SeCe of QDDC which is sufficient for formalizing timing diagram patterns. It includes a generalized regular-expression-like syntax with counting constructs. Constraints imposed by timing diagrams are straightforwardly and compactly stated in this logic. For example, the timing diagram in Fig. 1, stating that P transits from 0 to 1 somewhere in the interval u to u + 3 cycles, is captured by the SeCe formula
[¬P]^<u>^(slen=3 ∧ [¬P]^[[P]])^[[P]].
The main advantage of SeCe is that it has elementary satisfiability as compared to the non-elementary satisfiability of general QDDC. Secondly, it is very typical for timing diagrams to have partial ordering and synchronization constraints between distinct events. Emphasizing this aspect, formalisms such as two dimensional regular expressions [Fis07] have been proposed for timing diagrams. We find that synchronization in timing diagrams may even extend across different patterns of limited liveness properties. In order to handle such synchronization, we extend our logic SeCe with nominals from hybrid temporal logics [FdRS03]. Nominals are temporal variables which "freeze" the positions of occurrences of events. They naturally allow synchronization across formulae.
Thirdly, we enhance the timing diagram specifications (as well as the logic SeCe) with limited liveness operators. While timing diagrams visually specify patterns of occurrence of signals, they do not make precise the modalities of occurrence of such patterns. We explicitly introduce modalities such as a) initially, a specified pattern must occur, b) every occurrence of pattern1 is necessarily and immediately followed by an occurrence of pattern2, or c) the occurrence of a specified pattern is forbidden anywhere within a behaviour. In this, we are inspired by Allen's Interval Algebra relations [All83] as well as the LSC operators of Harel for message sequence charts [DH01]. We confine ourselves to limited liveness properties where good things are achieved within specified bounds. For example, in specifying a modulo 6 counter, we can say that the counter will stabilize before the completion of the first 15 cycles. Astute readers will notice that, technically, our limited liveness operators only give rise to "safety" properties (in the sense of Alpern and Schneider [AS87]). However, from a designer's perspective they do achieve the practical goal of forcing good things to happen.
Putting all these together, we define a logic SeCeNL which includes negation-free QDDC together with limited liveness operators as well as nominals. The formal syntax and semantics of SeCeNL formulas are given in §2.3. We claim that SeCeNL provides a natural and convenient formalism for encoding timing diagram requirements. Substantiating this, we formulate a translation of timing diagrams into SeCeNL formulae in §3. The translation is succinct; in fact, it is linear time computable in the size of the timing diagram. (We use a textual syntax for timing diagrams, inspired by the tool WaveDrom [CP16], which is also used for the graphical rendering of our timing diagram specifications.) Moreover, the translation is compositional, i.e. it translates each element of the timing diagram as one small formula and the overall specification is just the conjunction of such constraints. Hence, the translation preserves the structure of the diagram.
For several example timing diagrams, we compare their SeCeNL formulae with formulae in logics such as PSL-Sugar and MTL. Logic PSL-Sugar is amongst the most expressive notations for requirements; it is syntactically a superset of MTL and LTL. It extends LTL with SEREs (regular expressions with intersection) which are similar to our SeCe. In spite of this, we show natural examples where the SeCeNL formula is at least one exponent more succinct than the PSL-Sugar one.
As the second main contribution of this paper, we consider formal verification and controller synthesis from SeCeNL specifications. In §3.1, we formulate a reduction from a SeCeNL formula to an equivalent QDDC formula. This allows QDDC tools to be used for SeCeNL. It may be noted that, though expressively no more powerful than QDDC, logic SeCeNL is considerably more efficient for satisfiability and model checking. We show that these problems have elementary complexity as compared with full QDDC, which exhibits non-elementary complexity. Also, the presence of limited liveness and nominals makes it more convenient than QDDC for practical use.
By implementing the above reductions, we have constructed a Python based translator which converts a requirement consisting of a boolean combination of timing diagram specifications (augmented with limited liveness) and SeCeNL formulae into an equivalent QDDC formula. We can analyze the resulting formula using the QDDC tools DCVALID [Pan00, Pan01] as well as DCSynthG for model checking and controller synthesis, respectively (see Fig. 11 for the tool chain). We illustrate the use of our tools by the case studies of a synchronous bus arbiter and a minepump controller in §4. Readers may note that we specify rather rich quantitative requirements not commonly considered, and our tools are able to automatically synthesize monitors and controllers for such specifications.
Logic QDDC
Let Σ be a finite non-empty set of propositional variables. A word σ over Σ is a finite sequence of the form $P_0 \cdots P_n$ where $P_i \subseteq \Sigma$ for each $i \in \{0, \ldots, n\}$. Let len(σ) = n + 1, dom(σ) = {0, . . . , n} and ∀i ∈ dom(σ) :
The syntax of a propositional formula over Σ is given by:
and operators such as ⇒ and ⇔ are defined as usual. Let $\Omega_\Sigma$ be the set of all propositional formulas over Σ. Let $\sigma = P_0 \cdots P_n$ be a word and $\varphi \in \Omega_\Sigma$. Then, for $i \in dom(\sigma)$, the satisfaction relation σ, i |= ϕ is defined inductively as expected: σ, i |= 1; σ, i |= p iff p ∈ σ(i); σ, i |= ¬p iff σ, i ⊭ p; and the satisfaction relation for the remaining boolean combinations is defined in the natural way.
The syntax of a QDDC formula over Σ is given by:
where $\varphi \in \Omega_\Sigma$, p ∈ Σ, c ∈ ℕ and the comparison operator ranges over {<, ≤, =, ≥, >}.
We call a word σ' a p-variant, p ∈ Σ, of a word σ if ∀i ∈ dom(σ), ∀q ≠ p :
Example 1. Let Σ = {p, q} and let $\sigma = P_0 \cdots P_7$ be such that $\forall 0 \le i < 7 : P_i = \{p\}$ and
Example 2. Let Σ = {p, q, r} and let $\sigma = P_0 \cdots P_{10}$ be such that $\forall 0 \le i < 4 : P_i = \{p\}$, $\forall 4 \le i < 8 : P_i = \{p, q, r\}$ and $\forall 8 \le i \le 10 :$
because for i ∈ {8, 9, 10} the condition $\exists 0 \le i \le 10 :$
Entities slen, scount, and sdur are called terms in QDDC. The term slen gives the length of the interval in which it is measured; scount ϕ, where $\varphi \in \Omega_\Sigma$, counts the number of positions, including the last point of the interval under consideration, where ϕ holds; and sdur ϕ gives the number of positions, excluding the last point of the interval, where ϕ holds. Formally, for
and
In addition we also use the fol-
A formula automaton for a QDDC formula D is a deterministic finite state automaton which accepts precisely the language L = {σ | σ |= D}.
Proof. We observe that for any chop expression D we can construct a language-equivalent NFA which is at most exponential in the size of D, including the constants appearing in it (for a detailed proof see [BP12], where a similar result has been proved). But this implies there exists a DFA of size 2
Corollary 1. For any SeCe D of size n we can effectively construct a language-equivalent DFA A of size Ω(2
Proof. The proof follows from the definition of SeCe, Lemma 1 and the fact that the size of the product of DFAs can be at most exponential in the size of the individual DFAs.
DCVALID and DCSynthG
The reduction from a QDDC formula to its formula automaton has been implemented in the tool DCVALID [Pan00,Pan01]. The formula automaton it generates is the total, deterministic and minimal automaton for the formula. DCVALID can also translate the formula automaton into a Lustre/SCADE, Esterel, SMV or Verilog observer module. By connecting this observer module to run synchronously with a system, we can reduce model checking of a QDDC property to reachability checking in the observer-augmented system. See [Pan00,Pan01] for details. A further use of formula automata can be seen in the tool DCSynthG, which synthesizes a synchronous dataflow controller in SCADE/NuSMV/Verilog from a QDDC specification.
Logic SeCeNL: Syntax and Semantics
We can now introduce our logic SeCeNL which builds upon SeCe by augmenting it with nominals and limited liveness operators.
Syntax: The syntax of SeCeNL atomic formulae is as follows. Let $D, D_1, D_2$ and $D_3$ range over SeCe formulae and let $\Theta, \Theta_1, \Theta_2$ and $\Theta_3$ range over subsets of the propositional variables occurring in the SeCe formulae. The notation D : Θ, called a nominated formula, denotes that Θ is the set of variables used as nominals in the formula D.
A SeCeNL formula is a boolean combination of atomic SeCeNL formulae of the form above. As a convention, D : {} is abbreviated as D when the set of nominals Θ is empty.
Limited Liveness Operators: Given a word σ and a position i ∈ dom(σ),
Thus, the interpretation is that the past of position i in the execution satisfies D. We say $\sigma' \le_{prefix} \sigma$ if σ' is a prefix of σ, and $\sigma' <_{prefix} \sigma$ if σ' is a proper prefix of σ.
We first explain the semantics of the limited liveness operators assuming that no nominals are used in the specification, i.e. $\Theta, \Theta_1, \Theta_2$ and $\Theta_3$ are all empty. A set $S \subseteq \Sigma^*$ is prefix closed if σ ∈ S implies $\forall \sigma' : \sigma' \le_{prefix} \sigma \Rightarrow \sigma' \in S$. We observe that each atomic liveness formula denotes a prefix closed subset of $(2^\Sigma)^+$.
Operator init($D_1/D_2$) basically states that if j is the first position which satisfies $D_2$ in the execution then there exists an i ≤ j such that i satisfies $D_1$. Thus, initially $D_1$ holds before $D_2$, unless the execution (is too short and hence) does not satisfy $D_2$ anywhere.
is no observation subinterval of the execution which satisfies D.
$D_2$) states that all observation intervals which satisfy
Based on this semantics, we can translate an atomic SeCeNL formula ζ without nominals into equivalent SeCe formula ℵ(ζ) as follows.
The proof follows from examination of the semantics of ζ and the definition of ℵ(ζ). We omit the details.
Nominals: Consider a nominated formula D : Θ where D is a SeCe formula over the propositional variables Σ ∪ Θ. As we shall see later, the propositional variables in Θ are treated as "place holders", variables which are meant to be true at exactly one point, and we call them nominals following [FdRS03].
Given an interval [b, e] ∈ Intv(N) we define a nominal valuation over [b, e] to be a map ν : Θ → {i | b ≤ i ≤ e}. It assigns a unique position within [b, e] to each nominal variable. We can then straightforwardly define σ,
We say that $\nu_1$ over $\Theta_1$ and $\nu_2$ over $\Theta_2$ are consistent if $\nu_1(u) = \nu_2(u)$ for all $u \in \Theta_1 \cap \Theta_2$. We denote this by $\nu_1 \parallel \nu_2$. We now give the semantics of SeCeNL.
Semantics of SeCeNL
Based on the above semantics, we now formulate a QDDC formula equivalent to a SeCeNL formula. We define the following useful notations ∀
From SeCeNL to QDDC : We now define the translation ℵ from SeCeNL to QDDC.
Theorem 2. For any word σ over Σ and any ζ ∈ SeCeNL we have that σ ∈ L(ζ) iff σ ∈ L(ℵ(ζ)). Moreover, the translation ℵ(ζ) can be computed in time linear in the size of ζ.
The proof follows from the semantics of ζ and the definition of ℵ(ζ).
Proof. The formula ζ can be written in terms of a negation and two existential quantifiers. Note that each application of an existential quantifier results in an NFA, and each time we determinize we get a DFA which is at most exponential in the size of the NFA. Since both $A(D_1)$ and $A(D_2)$ are DFAs to start with, this implies we can construct a DFA A(ζ) of size at most $2^{2^{m_1 m_2}}$ for ζ.
In a similar way we can show that the sizes of the formula automata for the other SeCeNL atomic formulae are also elementary.
Lemma 4. For any ζ ∈ SeCeNL the size of the automaton A(ζ) for ζ is elementary.
In this section we give a formal semantics to timing diagrams and formula translation from timing diagrams to SeCeNL. We begin by giving a textual syntax for timing diagrams which is derived from the timing diagram format of WaveDrom [CP16, Wav16] .
The symbols in a waveform come from Λ = {0, 1, 2, x, 0|, 1|, 2|, x|} and Θ, an atomic set of nominals. Let Γ = Θ ∪ Λ. The syntax of a waveform over Γ is given by the grammar:
where u ∈ Θ and π ∈ Λ. We call the elements in Θ the nominals. As we shall see later, when we convert a waveform to a SeCeNL formula the nominals that appear in the formula are exactly the nominals in the waveform and hence the name. Let Wf be the set of all waveforms over Γ . An example of a waveform is 01a:2x011xb:x2|220c:00 with Θ = {a,b,c}. Intuitively, in a waveform 0 denotes low, 1 high, 2 and x don't cares (there is a subtle difference between 2 and x though) and "|" the stuttering operator.
Let Σ be a set of propositional variables. A timing diagram over Σ is a tuple ⟨W, Σ, C, Θ⟩ where $W = \{W_p \in Wf \mid p \in \Sigma\}$ and $C \subset \Theta \times \Theta \times Intv(\mathbb{N})$ is a set of timing constraints. As in the case of SeCeNL formulas, nominals act as place holders in timing diagrams which can be shared among multiple waveforms. For example, in Fig. 3 $W_p$ and $W_q$ share the nominals a and c. As a result a timing constraint on one waveform can implicitly induce a timing constraint on the other. For instance, even though there is no direct timing constraint between a and c in $W_p$, the constraints between a and d, and between d and c, together impose one on them. (Shared nominals have to be renamed for WaveDrom, as commented in §2.3; in this case a and c in $W_q$ have been renamed g and h respectively.)
Fig. 3 (textual form):
waveform Wp: 01a:2x011xb:x2|220c:00
waveform Wq: 00a:0|d:11|e:xxx|f:01c:11
timing constraints: d-a ∈
and $\nu_1 \parallel \nu$ and $\nu_2 \parallel \nu$.
$\models_\nu W_p$ and ν |= C.
Waveform to SeCeNL translation
We translate a waveform $W_p$ to SeCeNL as follows: every 0 occurring in $W_p$ is translated to {{¬P}}, 1 to {{P}}, 2 and x to slen=1, 0| to pt∨[¬P], 1| to pt∨[P], 2| to true, and x| to pt∨[P]∨[¬P]. A nominal u appearing in $W_p$ is translated to <u>. For instance, the waveform $W_p$ = 01a:2x011xb:x2|220c:00 in T of Fig. 3 is translated to the SeCeNL formula below.
({{¬P}}^{{P}}^<a>^(slen=1)^(slen=1)^{{¬P}}^{{P}}^{{P}}^(slen=1)^<b>^(slen=1)^true^(slen=1)^(slen=1)^{{¬P}}^<c>^{{¬P}}^{{¬P}}).
We denote the translated SeCeNL formula by ξ(T, $W_p$). Similarly we can translate $W_q$ to get the formula ξ(T, $W_q$). The timing constraints in C are roughly translated to the SeCeNL formula ξ(T, C) as follows. We define
Proof. The proof is not difficult and is by induction on the length of the waveform.
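The waveform-to-SeCeNL translation described above, written out in Python as an added example (this is not the paper's translator; the function names, the tokenizer's treatment of nominal names and the sample timing constraint are this example's own assumptions):

```python
"""Waveform-to-SeCeNL translation (added example, not the paper's own tool).

Each symbol of Lambda = {0, 1, 2, x, 0|, 1|, 2|, x|} becomes one chop
component, a nominal written `u:` becomes `<u>`, and the components are
joined by the chop operator `^` (the rules of the "Waveform to SeCeNL
translation" section).
"""

LAMBDA_BASE = "012x"  # a trailing `|` marks the stuttering variant


def symbol_formula(sym: str, p: str) -> str:
    """SeCe formula for one waveform symbol of signal p (the paper's table)."""
    neg = "¬" + p
    table = {
        "0": "{{" + neg + "}}",                  # exactly one low cycle
        "1": "{{" + p + "}}",                    # exactly one high cycle
        "2": "(slen=1)",                         # one don't-care cycle
        "x": "(slen=1)",                         # one don't-care cycle (drawn differently)
        "0|": "(pt∨[" + neg + "])",              # zero or more low cycles
        "1|": "(pt∨[" + p + "])",                # zero or more high cycles
        "2|": "true",                            # any number of arbitrary cycles
        "x|": "(pt∨[" + p + "]∨[" + neg + "])",  # stays high or stays low
    }
    return table[sym]


def tokenize(waveform: str, nominals) -> list:
    """Split a waveform into ("nominal", u) and ("symbol", s) tokens.

    Names from Theta are tried first at every position, so `xb:` is read as
    the don't-care `x` followed by the nominal `b`, not as a nominal `xb`.
    """
    names = sorted(nominals, key=len, reverse=True)  # longest name first
    tokens, i = [], 0
    while i < len(waveform):
        for u in names:
            if waveform.startswith(u + ":", i):
                tokens.append(("nominal", u))
                i += len(u) + 1
                break
        else:
            sym = waveform[i]
            if sym not in LAMBDA_BASE:
                raise ValueError(f"unexpected character {sym!r} at position {i}")
            i += 1
            if i < len(waveform) and waveform[i] == "|":
                sym += "|"
                i += 1
            tokens.append(("symbol", sym))
    return tokens


def waveform_to_secenl(p: str, waveform: str, nominals):
    """Return (xi(T, W_p), nominals used) for the waveform W_p of signal p.

    A nominal is true at exactly one position, so a repeat inside one
    waveform is rejected here instead of yielding an unsatisfiable formula.
    """
    parts, used = [], []
    for kind, value in tokenize(waveform, nominals):
        if kind == "nominal":
            if value in used:
                raise ValueError(f"nominal {value} occurs twice in W_{p}")
            used.append(value)
            parts.append("<" + value + ">")
        else:
            parts.append(symbol_formula(value, p))
    return "(" + "^".join(parts) + ")", used


def diagram_to_secenl(waves: dict, nominals, constraints) -> str:
    """Conjunction of xi(T, W_p) over the waveforms of a timing diagram.

    `constraints` are (u, v, (lo, hi)) triples from C; each constraint nominal
    must occur in some waveform, otherwise no waveform freezes its position.
    The constraint formula xi(T, C) itself is not reproduced here.
    """
    formulas, seen = [], set()
    for p, w in waves.items():
        formula, used = waveform_to_secenl(p, w, nominals)
        formulas.append(formula)
        seen.update(used)
    for u, v, _interval in constraints:
        for x in (u, v):
            if x not in seen:
                raise ValueError(f"constraint nominal {x} occurs in no waveform")
    return " ∧ ".join(formulas)


if __name__ == "__main__":
    # Waveforms of Fig. 3 from the paper.  The timing constraint interval is
    # constructed: the paper's listing of C is cut off in the text.
    theta = {"a", "b", "c", "d", "e", "f"}
    waves = {"P": "01a:2x011xb:x2|220c:00", "Q": "00a:0|d:11|e:xxx|f:01c:11"}
    print(diagram_to_secenl(waves, theta, [("a", "d", (1, 3))]))
```

Running the script prints ξ(T, W_p) ∧ ξ(T, W_q) for Fig. 3; the first conjunct is the formula displayed above.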
Due to the above theorem we can now use timing diagrams in place of nominated formulas with liveness operators. We call such timing diagrams live timing diagrams. For an example of a live timing diagram see Fig. 2.
Comparison with other temporal logics
In the previous section, Lemma 3 showed that timing diagrams can be translated to equivalent SeCeNL formulas with only a linear blowup in size. In this section we compare our logic SeCeNL with other relevant logics in the literature, viz. LTL, discrete time MTL, and PSL-Sugar. Of these, PSL-Sugar is the most expressive, and discrete time MTL and LTL are its syntactic subsets. We show by examples that SeCeNL formulae are more succinct (smaller in size) than PSL-Sugar, and we believe that they capture the diagrams more directly. Appendix A gives several more examples which could not be included due to lack of space.
Example (Ordered Stack) Let us now consider the timing diagram in Fig. 4, adapted from [CF05]. The rise and fall of successive signals follow a stack discipline. The language described by it is given by the SeCeNL formula:
Fig. 4. Example 1.
Note that the first five conjuncts exactly correspond to the five waveforms. The last constraint enforces the ordering constraints between the waveforms. In general, if n signals are stacked, its SeCeNL specification has size O(n).
An equivalent MTL (or LTL) formula is given by:
where a UU b is the derived modality a ∧ X(a U b). For a stack of n signals, the size of the MTL formula is O(n²). The above formula is also a PSL-Sugar formula. We attempt to specify the pattern as a PSL-Sugar regular expression as follows:
For a stack of n signals, the size of the PSL-Sugar SERE expression is O(n²). We believe that there is no formula of size O(n) in PSL-Sugar which can express the above property. Compare this with the size O(n) formula of SeCeNL.
Example (Unordered Stack)
In the ordered stack, signal a turns on first and turns off last, followed by signals b, c, d, e in that order. We consider a variation of the ordered stack example above where signals turn on and off in first-on-last-off order but there is no restriction on which signal becomes high first. This can be compactly specified in SeCeNL as follows. (ua, ub, uc, ud, ue, va, vb, vc, vd, ve, u1, u2, u3, u4, u5, v1, v2, v3, v4, v5), where the formula Bijection below states that there is a one to one correspondence between the positions marked by ua, ub, uc, ud, ue, va, vb, vc, vd, ve and the positions marked by u1, u2, u3, u4, u5, v1, v2, v3, v4, v5. Moreover, it states that if ua maps to, say, u3 then va must map to v3, and so on.
Note that, in general, if n signals are stacked, then the above SeCeNL specification has size O(n²). We now discuss the encoding of the unordered stack in PSL-Sugar. In the absence of nominals, it is difficult to state the above behaviour succinctly in PSL-Sugar even using its SERE regular expressions. Each order of occurrence of signals has to be enumerated as a disjunction, where each disjunct is as in the ordered stack example (where the order was a, b, c, d, e). As there are n! possible orders between n signals, the size of the PSL-Sugar formula is also O(n!). We believe that there is no polynomially sized formula in PSL-Sugar encoding this property. This shows that SeCeNL is exponentially more succinct as compared to PSL-Sugar.
In general, the presence of nominals distinguishes SeCeNL from logics like PSL-Sugar. In formalizing the behaviour of hardware circuits it has been proposed that regular expressions are not enough, and operators such as pipelining have been introduced [CF05]. These are a form of synchronization and they can be easily expressed using nominals too.
Case study: Minepump Specification
We first specify some useful generic timing diagram properties which will be used for requirement specification in this (and many other) case studies.
- lags(P, Q, n): defined by Fig. 5. It specifies that in any observation interval, if P holds continuously for n + 1 cycles and persists, then Q holds from the (n+1)th cycle onwards and persists as long as P persists.
- tracks(P, Q, n): defined by Fig. 6. In any observation interval, if P becomes true then Q sustains as long as P sustains or up to n cycles, whichever is shorter.
- sep(P, n): defined by Fig. 7. For any interval which begins with a falling edge of P and ends with a rising edge of P, the length of the interval should be at least n cycles.
- ubound(P, n): defined by Fig. 8. In any observation interval, P can be continuously true for at most n cycles.
Note that we have presented these formulae diagrammatically. The textual version of these live timing diagrams can be found in Appendix C. We now state the minepump problem. Imagine a minepump which keeps the water level in a mine under control for the safety of the miners. The pump is driven by a controller which can switch it on and off. Mines are prone to leakage of methane trapped underground, which is highly flammable. So, as a safety measure, if a methane leakage is detected the controller is not allowed to switch on the pump under any circumstances.
The controller has two input sensors: HH2O, which becomes 1 when the water level is high, and HCH4, which is 1 when there is a methane leakage; and it can generate two output signals: ALARM, which is set to 1 to sound/persist the alarm, and PUMPON, which is set to 1 to switch on the pump. The objective of the controller is to safely operate the pump and the alarm in such a way that the water level is never dangerous, indicated by the indicator variable DH2O, whenever certain assumptions hold. We have the following assumptions on the mine and the pump.
Fig. 5. lags(P, Q, n). Fig. 6. tracks(P, Q, n). Fig. 7. sep(P, n). Fig. 8. ubound(P, n).
- Sensor reliability assumption:
). If HH2O is false then so is DH2O.
- Water seepage assumption: tracks(HH2O, DH2O, $\kappa_1$). The minimum number of cycles for the water level to become dangerous once it becomes high is $\kappa_1$.
- Pump capacity assumption: lags(PUMPON, ¬HH2O, $\kappa_2$). If the pump is switched on for at least $\kappa_2 + 1$ cycles then the water level will not be high after $\kappa_2$ cycles.
- Methane release assumptions: sep(HCH4, $\kappa_3$) and ubound(HCH4, $\kappa_4$). The minimum separation between two leaks of methane is $\kappa_3$ cycles and a methane leak cannot persist for more than $\kappa_4$ cycles.
- Initial condition assumption: init(<¬HH2O> ∧ <¬HCH4>, slen = 0). Initially neither is the water level high nor is there a methane leakage.
Let the conjunction of these SeCeNL formulas be denoted by MINEASSUME. The commitments are:
- Alarm control: lags(HH2O, ALARM, $\kappa_5$), lags(HCH4, ALARM, $\kappa_6$) and lags(¬HH2O ∧ ¬HCH4, ¬ALARM, $\kappa_7$). If the water level is dangerous then the alarm will be high after $\kappa_5$ cycles, and if there is a methane leakage then the alarm will be high after $\kappa_6$ cycles. If neither the water level is dangerous nor is there a methane leakage then the alarm should be off after $\kappa_7$ cycles.
). The water level should never become dangerous and whenever there is a methane leakage the pump should be off.
Let the conjunction of these commitments be denoted by MINECOMMIT. Then the requirement on the minepump controller is given by the formula
A textual version of this full minepump specification, which can be input to our tools, is given in Appendix C. Note that the requirement consists of a mixture of timing diagram constraints (such as the pump capacity assumption above) and SeCeNL formulas (such as the safety condition above).
We can automatically synthesize a controller for the values, say, $\kappa_1 = 10$, $\kappa_2 = 2$, $\kappa_3 = 14$, $\kappa_4 = 2$, and $\kappa_5 = \kappa_6 = \kappa_7 = 1$. The tool outputs a SCADE/SMV controller meeting the specification. A snapshot of the SCADE code for the minepump controller synthesized by DCSynthG can be found in Appendix D. If the specification is not realizable we output an explanation.
A second case study, of a synchronous bus arbiter specification, can be found in Appendix E. We can automatically synthesize a property monitor for such a requirement and use it to model check a given arbiter design; or we can directly synthesize a controller meeting the requirement. The appendix gives the results of both these experiments.
A Examples of Comparison with other logics
Example 1 (Ordering with timing) Consider the timing diagram in Fig. 9, which says that a holds invariantly in the interval [0, i] where i ≥ 1, b holds invariantly in the interval [i, j], j ≥ i + 1, and c holds at j with j ≤ n.
Fig. 9. Example 1.
- The language described by the above timing diagram is given by the SeCeNL
It is assumed that all timing constants such as n are encoded in binary and hence they contribute size log(n).
, whose size is O(n²).
- The equivalent PSL-Sugar formula is (a∧¬b[+]; b∧¬a∧¬c[+]; c)∧((a|b)[< n]; c), with size O(log(n)).
We also give examples of complex dependency constraints. Consider the timing diagram in Fig. 10. In this diagram, ua occurs before ub and uc, and uc occurs before ud and ue. The point vc occurs after vd and ve, and va occurs after vb and vc. The behaviour is described straightforwardly by the SeCeNL formula:
This formula is linear in the size of the timing diagram. Unfortunately, specifying these dependencies in PSL-Sugar is complex and the formula size blows up at least quadratically.
B Implementation
We propose a textual framework with a well defined syntax and semantics for requirement specification (of the form assumptions ⇒ commitments). Our framework is heterogeneous in the sense that it supports both SeCeNL formulas and timing diagrams with nominals for system specification. It can also handle all of our limited liveness operators (see Appendix C for the minepump code in our framework).
We have also developed a Python based translator which takes requirements in our textual format as input and produces property monitors as well as controllers as output. Fig. 11 gives a broad picture of the current status of our tool chain. 
C Minepump Code
The example code for the minepump is written using the textual syntax for QDDC, which can be found in [Pan00, Pan01].

#lhrs "minepump"
interface {
  input HH2O, HCH4;
  output ALARM monitor x, PUMPON monitor x;
  constant delta = 1, w = 10, epsilon=2, zeta=14, kappa=2;
  auxvar DH2O;
  softreq (!YHCH4)||(!PUMPON);
}
#implies lag(P, Q, n) {
  td lagspeclet1(P, n) { P:<u>1|<v>1|; @sync:(u, v, n); }
  td lagspeclet2(Q) { Q: 2|<v>1|; }
}
#implies tracks(P, Q, n) {
  td tracksspeclet1(P, n) { P: 0<u>1|<v>1|; @sync: (u,v,[n,)); }
  td tracksspeclet2(Q) { Q: 2<u>1|<v>0|; }
}
#implies tracks2(P, Q, n) {
  td tracks2speclet1(P, n) { P: 0<u>1|<v>0|; @sync: (u,v,[,n]); }
  td tracks2speclet2(Q) { Q:2<u>0|<v>2|; }
}
#implies sep(P, n) {
  td sepspeclet1(P) { P: 1<u>0|<v>1; }
  td sepspeclet2(n) { @null: 2<u>2|<v>2;

In this section we illustrate another application of our specification format and associated tools. For this we use the standard McMillan arbiter circuit given in the NuSMV examples and model check it against the specification below.
A synchronous 3-cell bus arbiter has 3 request lines req1, req2 and req3, and corresponding acknowledgement lines ack1, ack2 and ack3. At any time instance a subset of the request lines can be high, and the arbiter decides which request should be granted permission to access the bus by making the corresponding acknowledgement line high. The requirements for such a bus arbiter are formulated below.
] ∧ slen = n, true^<ack>^true ). One of the most important properties of an arbiter is that any request should be granted within n cycles, i.e. if a request is continuously true for some time then it should be heard.
- Deadtime: to specify this property we first specify a lost cycle as follows:
This specifies the maximum number of consecutive cycles that can be lost by the arbiter is n.
The requirement ARBREQ is the conjunction of the above formulas. We ran the requirement through our tool chain to generate a NuSMV module for the requirement monitor. This module was then instantiated synchronously with the McMillan arbiter implementation in NuSMV, and the NuSMV model checker was called to check the property G(assumptions ⇒ commitments).
Model checking: Experimental results show that the deadtime for the 3-cell McMillan arbiter is 3. If we specify the deadtime as 2 cycles then a counter example is generated by NuSMV, as depicted in Fig. 12. This counter example shows that even though a request line is high in the 4th, 5th and 6th cycles, no acknowledgment is given by the arbiter. Similarly, the response time for the 1st request is 3 cycles whereas for the 2nd and 3rd cells it is 6 cycles. If we specify response times of 2 and 5 cycles for the 1st and 2nd cells then NuSMV generates the counter examples in Fig. 13 and Fig. 14 respectively. Fig. 14 shows that the request line for cell 2 (i.e. req2) is high continuously for 5 cycles starting from the 3rd without an acknowledgement from the arbiter.
Controller synthesis: We have also synthesized a controller for the arbiter specification using our tool DCSynthG. We tightened the requirements by specifying the response time as 3 cycles uniformly for all three cells and the deadtime as 0 cycles, i.e. there is no lost cycle. The tool could synthesize a controller in 0.03 seconds with 17 states.
