Specifying Hardware Timing with ET-LOTOS (extended version) by He, Ji & Turner, Kenneth J
Ji He and Kenneth J. Turner. Specifying Hardware Timing with ET-LOTOS
(extended version of article published by and copyright Springer-Verlag).
In Tiziana Margaria and Thomas F. Melham, editors, Proc. 11th Conference
on Correct Hardware Design and Verification Methods (CHARME 2001), Lecture




Ji He and KennethJ. Turner
ComputingScienceandMathematics,Universityof Stirling, Stirling FK9 4PU,Scotland
h.ji@reading.ac.uk, kjt@cs.stir.ac.uk
Abstract. It is explainedhow DILL (Digital Logic in LOTOS) canbe usedto
specifyandanalysehardwaretiming characteristicsusingET-LOTOS(Enhanced
Timed LOTOS), a timedextensionof the ISO standardformal languageLOTOS
(Languageof TemporalOrderingSpecification).Hardwarecomponentfunction-
ality and timing characteristicsare rigorouslyspecifiedand then validated.As
will beseen,subtletiming problemscanbefoundby usingthis approach.
Keywords: DILL (Digital Logic in LOTOS), ET-LOTOS (EnhancedTimed LO-
TOS), formal method,LOTOS (Languageof TemporalOrderingSpecification),
timing characteristic
1 Intr oduction
DILL (Digital Logic in LOTOS [2–8,13]) is anapproachfor specifyingdigital circuits
usingLOTOS (LanguageOf TemporalOrderingSpecification[1]). DILL hasbeende-
velopedover six yearsto allow formal specificationof hardwaredesigns,represented
using LOTOS at variouslevels of abstraction.DILL addressesfunctional and timing
aspects,synchronousandasynchronousdesign.Thereis supportfrom alibrary of com-
moncomponentsandcircuit designs.AnalysisusesstandardLOTOS tools.
LOTOS is a formal languagestandardisedfor usewith communicationssystems.
DILL, which is realisedthroughtranslationto LOTOS, is asubstantiallydifferentappli-
cationareafor this language.Thenovelty of thepaperis thusin theuseof a language
from thecommunicationsfield in hardwaredesign.LOTOS canbeusedto supportrigor-
ousspecificationandanalysisof hardware.LOTOS is neutralwith respecto whethera
specificationis to berealisedin hardwareor software,allowing hardware-softwareco-
design.LOTOS inheritsa well-developedverificationtheoryfrom the field of process
algebra,andhasa theoryfor testingandtestgeneration.
ThepaperusesET-LOTOS (EnhancedTimedLOTOS [9]). Sincethereadersof this
paperareunlikely to befamiliar with (ET-)LOTOS, a summaryof thenotationusedin
the paperis given in figure 1. BecauseET-LOTOS tools arecurrentlyunderdevelop-
ment,theauthorshave alsousedTE-LOTOS (Time ExtendedLOTOS [12]) for valida-
tion.
Thespecificationandanalysisof communications ystemswith LOTOS is well un-
derstood.The work reportedhereon hardwaretiming is new. To explain the method
clearlywithout thecomplicationof a largeproblem,only a simplecasestudyis given.
However themethodis generallyapplicableto all sizesandlevelsof hardwaredesign.
LOTOS Meaning
processP [gates](parameters): noexit : non-terminatingprocessdefinition
B1 where ... endproc with subsidiarydefinition
P [gates](parameters) instanceof process
let var : sort= valuein local variabledefinition
i internalevent
gate? var : sort! value observableeventatgatewith inputandoutput
event[condition] conditiononevent
event{min, max} rangeof timesfor event
event@var recordtime of eventin variable
event; B eventthenbehaviour
delta(time) delay
[guard] > B conditionalbehaviour
B1 B2 choiceof behaviours
B1 >> B2 behavioursin sequence
B1 ||| B2 parallelbehavioursinterleaved
B1 |[gates]| B2 parallelbehaviourssynchronisedon eventgates
exit successfultermination
stop deadlock
Fig.1. Summaryof (ET-)LOTOS Syntax
In particular, it is suitablefor giving very high level timing characteristics(say, at the
level of asystemblockdiagram)andrelatingtheseto timing characteristicsat interme-
diatelevelsof design.
It will beseenhow TimedDILL canbeusedto specifyandanalysedigital designs
that are time-sensitive. Tools supportingET-LOTOS wereunderdevelopmentduring
thework reportedhere.Theauthorsthereforemadeuseof TE-LOLA (Time Extended
LOTOS Laboratory[11]), whichsupportsTE-LOTOS (TimeExtendedLOTOS [12]).
It hasbeenpossibleto useTE-LOLA to analysethe specificationsgeneratedby
TimedDILL. AlthoughET-LOTOS andTE-LOTOSadoptdifferentsemanticmodels,the
equivalencebetweenthemhasbeenestablished[10]. It is thereforepossibleto trans-
late the generatedET-LOTOS specificationsinto TE-LOTOS syntax.Becauseof their
similarity, the translationis alwayspossiblealthoughsomesubtledifferencesneedat-




ET-LOTOS is a timedLOTOS thatallows themodellingof time-sensitive behaviour. It
supportsboth discreteanddensetime domains.Threenew operatorsrelevant to time
are introducedin ET-LOTOS: delay, life reducerand time measurement.The formal
semanticsof ET-LOTOS is givenby a labelledtransitionsystem.Therearetwo kinds
2
of transitions:discreteandtimed.A discretetransitioncorrespondsto theexecutionof
anactionandtimedtransitionscorrespondto thepassageof time.
Thedelayoperatordelta(time)meansthatthesubsequentbehaviourwill bedelayed
by time. In ET-LOTOS a time valueis relative to the instantwhenthepreviousaction
occurs.The behaviour e; delta (d); B will delay for d after event e occursand then




andobservableevents(e). i {d} meansthat i mustoccurnon-deterministicallywithin
thenext d timeunits.Necessityandnon-determinismapplybecauseinternalactionsare
not controlledby the environment;in particular, the time of occurrenceis decidedby
thesystem.In thecaseof observablebehaviour e {d}; B, theeventmayhappenwithin
d time units. If so the behaviour evolvesto B, otherwisethe processdeadlocks.The
default life reducerfor internaleventsis 0, while for observableeventsit is themaximal
valueof thetimedomain.
ET-LOTOS adoptsmaximal progressfor hidden actions,with important conse-
quencesfor Timed DILL. Maximal progressmeansthat if a hiddenactioncanoccur,
it must happenat once(unlessan alternative action occurs).In other words,hidden
actionsareurgentin ET-LOTOS. In DILL, eachdigital componentis modelledasapro-
cesswhich is usuallyconnectedto others.Inputor outputportsaremodelledby LOTOS
eventgates.Portswithin a designarehidden,so their eventsbecomeurgentunderthe
assumptionof maximalprogress.
2.2 Modelling Timed Hardware
Beforedevelopinganabstractmodelto specifytimeddigital components,therequired
timing characteristicsmustbeconsidered.Thesedefinetiming relationshipsamongin-
puts,outputs,andinputs/outputs.The timing relationshipfrom input to outputis nor-
mally calleddelay. It is the time interval betweena signalchangeon an input andthe
resultingsignalchangeonanoutput.A timing relationshipamonginputsis calleda tim-
ing constraint, meaningthatthedigital circuit canwork correctlyonly if theconstraints
aremet.Thereis no needto specifythetiming relationshipsamongoutputsdirectly, as
they aredeterminedby delaysandtiming constraints.
Thereareseveralpossibleapproachesto specifyingatimeddigital component,clas-
sified as integratedmethodsor combinedmethods. In an integratedmethod,a digital
componentis specifiedin oneprocessthat dealswith both functionality and timing.
Althoughtheintegratedmethodmayresultin compactspecifications,it is not a ‘struc-
tural’ methodandis hardto apply. Theapproachis not compositionalin thesensethat
functionalandtemporalcharacteristicsof a componentarenot merelycombined.It is
alsoimportantto haveuntimedbehaviour asasimplecaseof timedbehaviour, i.e. to be
ableto isolatepurefunctionality. Attentionhasthereforebeenfocusedon developing
combinedmethods.Theideais to separatethefunctionalityandthetiming characteris-
tics into differentprocesses,andthento combinethemin anappropriateway.
Themodeladoptedfor TimedDILL wasarrivedat afterconsiderableexperimenta-





















Fig.2. TheSpecificationModel for a TimedComponent
shown in figure2, thefunctionality is assumedto bespecifiedwith zerodelay. Timing
constraints(TC) areplacedin parallelwith thefunctionalspecificationto checkif input
requirementsaremet.Delaysareplacedin serieswith thefunctionalityto providedelay
for eachoutput.Thesectionsthatfollow explaineachaspectin moredetail.
Notethat theErr eventgatesin thefigureareonly for analysisof errors;they have
no counterpartin a real physicalcomponent.If an Err action is offered, it indicates
thata timing constrainthasnot beenmet.However, thebehaviour of thecomponentis
not influencedby errorssincethe functionality part alwaysassumesthat inputsmeet
theconstraints.Theoutputsof thecomponentarethusalways‘correct’ in termsof the
component’sfunction.
This modellingdecisionwasmadeaftercarefulconsideration.The ideais that in-
steadof trying to specifybehaviour underall kinds of input conditions,behaviour is
specifiedonly for correctinputs.Behaviour undererrorconditionsis ‘wrong’ andthus
not very meaningful.Violation of timing constraintsmeansthatthereis a designerror.
Realhardwarewill do somethingundertheseconditions,but theresultis not really in-
terestingor relevant.It is moreimportantto detectandcorrectdesignerrors,notmodel
thebehaviour of componentsundererroneousconditions.Theaimof analysisis to find
outwhetherthedesignis correct,particularlyin thepresenceof timing conditions.Dur-
ing asimulation,theoccurrenceof anErr offer is immediatelyobvious.Forverification,
theabsenceof Err offerscanbecheckedbeforeverifying otherproperties.
Finally, notethat if thetiming constraintsarevoid andthedelaysarebetweenzero
andarbitrarily largethenthe timedmodelis equivalentto the untimedmodel.An un-
timedspecificationis thusjusta specialcase.
3 ComponentFunctionality
As shown in figure 2, the block dealingwith componentfunctionality is supposedto
have zerodelay. This block canbe easilyobtainedfrom its untimedcounterpart.To
changeanuntimedspecificationto onewith zerodelay, a life reducer{0} is appended
to eachoutputeventoffer. Thefollowing illustratesa two-inputandgate:
4
processAnd2 [Ip1, Ip2, Op] (DataIp1,DataIp2,DataOp: Bit) : noexit :
Ip1 ? NewDataIp1: Bit; (* input 1 change*)
And2 [Ip1, Ip2, Op] (NewDataIp1,DataIp2,DataOp) (* continue*)
(* or ... *)
Ip2 ? NewDataIp2: Bit; (* input 2 change*)
And2 [Ip1, Ip2, Op] (DataIp1,NewDataIp2,DataOp) (* continue*)
(* or ... *)
(
let NewDataOp: Bit = DataIp1andDataIp2in (* setnew output*)
Op ! NewDataOp[NewDataOpneDataOp]{0}; (* outputatonce*)
And2 [Ip1, Ip2, Op] (DataIp1,DataIp2,NewDataOp) (* continue*)
)
endproc (* And2 *)
4 Delays
4.1 BasicDelayTypes
Becausethephysicalstructuresof digital componentsdiffer, their delaysareof differ-
ent typesandvalues.Thereare two basicdelay types:pure delayand inertial delay.
Supposethe delayof a digital componentis D. If a componenthaspuredelay, all in-
put changeswill have aneffect on output.In otherwords,outputsfollows inputsafter
delayD. If thecomponenthasinertial delay, outputwill respondonly to input changes
which have persistedfor time D. In otherwords,input pulseswhosewidth is lessthan
D will be absorbedby the component.This reflectsthe fact that shortpulsescontain
insufficientenergy to triggera statechangein a realcomponent.
Sometimes,the delayof a componenthasa moregeneralform. Theremay exist
a thresholdT < D suchthat the componentabsorbsinput pulseswhosewidth is less
thanT. Howeveroutputfollows input if thepulsewidth is morethanT. In DILL this is
termedgeneral delay. In fact,it couldbeconsideredasinertialdelayT cascadedwith a
puredelayD − T. Figure3 shows how inputsarerelatedto outputsfor differentdelay
types.Thescaleof thefiguretakesT as2 andD as4 timeunits.
4.2 DelayElementsin DI L L
TheDILL library includethefollowingdelayelementsthatactlikepseudo-components.
Unlike fixeddelays,all delayshave a non-deterministicrangefrom MinDel (themin-
imum delay) to MaxDel (the maximumdelay). For generaldelay, MinWidth corre-
spondsto the thresholdT in the lastsection.It is obvious that theassumptionof non-
deterministicdelaysis morerealisticandflexible thanthatof fixeddelays.Besidesthe









2 5 81 3 4 6 7
Fig.3. BasicDelayTypes
Inertial Delay A naive attemptat specifyinginertial delaywould usethe ET-LOTOS
generalisedlife reducer. If the interval betweentwo input transitionsis lessthan the
delay, outputmustnotoccur. Theexactdelaywouldbedeterminedby theenvironment
becausethe delay rangeis associatedwith an observable action.But in DILL what
shouldreally be specifiedis that the delay is decidedby the componentitself. If the
delayis connectedto othercomponentsin a larger design,an outputport might well
be hidden.This would meanthat the delaytime is exactly MinDel insteadof beinga
non-deterministicvaluesinceET-LOTOS adoptsmaximalprogressfor hiddenevents.
A betterspecificationof inertial delayis givenby:
processDelayInertial[Ip, Op] (MinDel, MaxDel: Time) : noexit :
DelayInertialAux[Ip, Op] (MinDel, MaxDel,0 of Bit, 0 of Bit)
where
processDelayInertialAux[Ip, Op] (* auxiliary definition*)
(MinDel, MaxDel : Time,DataIp,DataOp: Bit) : noexit :
Ip ?NewDataIp: Bit; (* input change*)
DelayInertialAux[Ip, Op] (MinDel, MaxDel,NewDataIp,DataOp)
(* or ... *)
[DataIpneDataOp] > (* outputmustchange?*)
i {MinDel, MaxDel}; (* allow delayto pass*)
Op ! DataIp{0}; (* outputchangesatonce*)
DelayInertialAux[Ip, Op] (MinDel, MaxDel,DataIp,DataIp)
endproc (* DelayInertialAux*)
endproc (* DelayInertial*)
The specificationtakes advantageof internal events.The internal event i introduces
non-deterministicdelay, which meanstheoutputport canchangeits valueat any time
betweenMinDel andMaxDel. Theexactdelayvalueis determinedby the component
itself andnotby theenvironment.Moreoverevenif thecomponentis connectedto other
components,thedelayis still non-deterministicsinceonly hiddeneventsareurgent.
PureDelay A puredelaymaybespecifiedwith:
6
processDelayPure[Ip,Op] (MinDel, MaxDel : Time) : noexit :
DelayPureAux[Ip, Op] (MinDel, MaxDel,0 of Bit, 0 of Bit)
where
processDelayPureAux[Ip, Op] (* auxiliary definition*)
(MinDel, MaxDel : Time,DataIp,DataOp: Bit) : noexit :
Ip ?NewDataIp: Bit; (* input change*)
(
[NewDataIpeqDataOp] > (* no outputchange?*)
DelayPureAux[Ip, Op] (MinDel, MaxDel,NewDataIp,DataOp)
(* or ... *)
[NewDataIpneDataOp] > (* outputmustchange?*)
(
i {MinDel, MaxDel}; (* allow delayto pass*)
Op ! NewDataIp{0}; (* outputchangesatonce*)
stop (* delaybehaviour now done*)
||| (* interleavedwith ... *)






may output‘strange’sequenceslike Op ! 0; Op ! 0; Op ! 1; . . . In this sequence,the
secondOp ! 0 overtakesOp ! 1 andresultsin the two consecutive Op ! 0 events.The
phenomenonof catch-uparisesif a later input changetakeslesstime to reachtheout-
put thanan earlier input change.Figure4 illustratesthe reasonfor the phenomenon,
assumingthat thedelayis between3 and9 time units. If botheventsOp ! 0 andOp !
1 happenwithin theoverlappedregion thencatchup canhappen.Supposethewidth of




3 time7 8 11 12 15 17 22
Op!1 region Op!0 region
Fig.4. Catch-UpPhenomenonwith PureDelay
7
Catch-upmay exhibit variousforms in real hardwareif delaysvary significantly.
However, digital componentsgenerallyoperatein astableenvironmentsothevariation
in delaysis in anarrow range.Thusthecatch-upconditionis rarelymetin practice.The
phenomenonexistsin any delaymodelthatisbasedonpuredelay(e.g.thegeneraldelay
componento bediscussedsoon).But it doesnotappearin theinertialdelaymodelsince
aninputchangewill preventany pendingoutput;it is thereforenotpossibleto catchup
a pendingoutput.
General Delay As mentionedbefore,generaldelayhasa thresholdMinWidth. Input
pulseswhosewidth is lessthanMinWidth will be absorbedby the component.They
will appearat theoutputif theirwidth is greaterthanor equalto MinWidth. Thegeneral
delayelementin DILL is specifiedsuchthat it canmodelnot only a generaldelaybut
alsoinertial or puredelay. This is achievedby choosingappropriatetiming parameters.
The specificationof the generaldelaywill not be given in detail becauseit is just the
combinationof inertialandpuredelay. Thefollowing givestherulesof usingthetiming
parameters.HereInf is themaximalvalueof thetimedomain(takenasarbitrarily large):
0 < MinWidth < MinDel≤ MaxDel< Inf This describesgeneraldelay. The general
delaymodelmeaningfulonly whenMinWidth is a positive numberlessthanMin-
Del.
MinWidth = 0, MinDel≤ MaxDel< Inf This is puredelay. The differencebetweena
pureanda generaldelayis thatfor puredelay, MinWidth is zerosothecomponent
doesnot absorba narrow pulse.
0≤ MinDel≤ MaxDel< Inf, MinWidth > MinDel This is inertial delay. It appliesif
the thresholdMinWidth is greaterthan MinDel. MinWidth is often set to Inf for
inertial delay.
MinDel = 0, MaxDel= Inf, MinWidth > 0 Thisis equivalentto anuntimeddelaycom-
ponent.UsuallyMinWidth is giventhevalueInf.
5 Timing Constraint Components
Timing constraintsin DILL areusedto checkif theinputsof acomponentsatisfysome
conditions.Commontiming constraint‘components’have beenaddedto the DILL li-
brary, includingthosefor setup,hold,pulsewidth andperiod.
Setupandhold timesarealwaysassociatedwith flip-flops. For a D flip-flop, setup
timeis thetimeinterval betweenachangein inputD andthetriggerthatstoresthisdata
(e.g.apositive-goingtransitionof theclockCk). Thedatasignalmustthenremainstable
for aminimumtime interval if correctoperationof theflip-flop is to beguaranteed.For
aflip-flop, theholdtimeis theinterval in whichinputdatamustremainunchangedafter
triggeringby theclock. Again, this minimummustbe respectedfor correctoperation.
A timing diagramshowing setuptime andhold time is givenin figure5.
The setuptime constraintis specifiedas follows, assumingthat the active clock
transitionis positive-going.A similarapproachis usedto specifyaholdtimeconstraint,





Fig.5. SetupandHold Timesfor D Flip-Flop
processSetupDel[D, Ck, Err] (SetupTime: Time) : noexit :
D ? NewDataIp:Bit; (* new datainput *)
AfterD [D, Ck, Err] (SetupTime,SetupTime) (* checksetuptime *)
(* or ... *)
Ck ? NewClock : Bit; (* new clock input *)
SetupDel[D, Ck, Err] (SetupTime) (* no setuptime to check*)
endproc (* SetupDel*)
processAfterD [D, Ck, Err] (SetupTime,SetupRem: Time) : noexit :
delta(SetupRem)i; (* enforcemin. setuptime *)
SetupDel[D, Ck, Err] (SetupTime) (* restartsetupcheck*)
(* or ... *)
Ck ? NewClock : Bit @ t; (* new clock input *)
(
[NewClockeq0] > (* negative-goingclock?*)
AfterD [D, Ck] (SetupTime,SetupTime- t) (* checksetuptime left *)
(* or ... *)
[NewClockeq1] > (* positive-goingclock *)
Err ! SetupError; (* min. setuptime violated*)
SetupDel[D, Ck, Err] (SetupTime) (* restartsetupcheck*)
)
(* or ... *)
D ? NewDataIp:Bit; (* new datainput *)
AfterD [D, Ck, Err] (SetupTime,SetupTime) (* restartsetupcheck*)
endproc (* AfterD *)
6 Timed DI L L Example: 2-to-1Multiplexer
As an example,a 2-to-1 multiplexer will be specifiedandanalysed.This component
hastwo datainputsA andB, a selectioninputSandanoutputC. A selectioninputof 0
or 1 choosesinput A or B, which appearsat C aftersomedelay. Thedelaysusedin the
exampleareinertial,mainly becausethey areeasyto handlebut aregeneralenoughto
representdelayin mostdigital circuits.
9
The multiplexer is specifiedat two levels.The higher level specifiesthe required
behaviour andtiming performance.The lower level specifiesthestructureof thecom-
ponentby connectingbasiclogic gates.The lower level implementsthe higher level.
Thetimedspecificationswereanalysedthroughsimulationandtesting.
6.1 Behavioural Specification
Thebehaviouralspecificationof the2-to-1multiplexer in DILL is asfollows:
define(MinDel, 10) # min. delayvalue
define(MaxDel,15) # max.delayvalue
include(dill.m4) # includeDILL library
circuit( # circuit description
Multiplexer2to1 BB [A, B, S,C], # circuit nameandports
hide InC in # internalgateto delay
Multiplexer2to1 BB 0 [A, B, S, InC] # multiplexer instance
|[InC]| # syncwith delay
Delay[InC, C] (Inf, MinDel, MaxDel) # delayinstance
where
Multiplexer2to1 BB 0 Decl # multiplexer from library
)
DILL providesa veneeron top of LOTOS – mainly a library of componentsthat
can be combinedusing LOTOS operators.The circuit declarationnamesthe overall
specificationand its parameters.It thengivesa LOTOS behaviour expressionfor the
whole circuit. Library componentsaredeclaredandautomaticallyincludedby giving
their names(ComponentDecl). In theabove,Multiplexer2to1 BB 0 is a 2-to-1multi-
plexer in behaviouralstyle(BB= blackbox) thatexhibitszerodelay(0). It wasderived
from the correspondingcomponentusingthe approachin section3. The behavioural
specificationdefinesaninertialdelaybetweenMinDel (10)andMaxDel(15).
ThebehaviouralspecificationwasvalidatedusingtheTE-LOLA step-by-stepsimu-
lator. Basically, thebehaviourof themultiplexeris simulatedfor eachinputcombination
to seeif it is asexpected.Theresultsof simulationareregardedasthecriteriaagainst
which simulationof thelower-level specificationshouldbejudged.
Becausetestresultsfrom TE-LOLA becomeinconclusive if testshave actionswith
intervalssuchasi {5,7}, it is possibleto useonly singledelayvaluesin theteststhem-
selves.For a higher-level specificationlike the behavioural one,suchan assumption
would beunrealistic.Thereareseveralpathsfrom the inputsto a output,so thedelay
associatedwith theoutputhasa rangeof values.
6.2 Structural Specification
Thestructureof the2-to-1multiplexer is shown in figure6. Thelogic gatesin thedia-
gramaretimedgates.Eachof themconsistsof zero-delaylogic andadelaycomponent.
Theinsetin thefigureshows thestructureof theandgateG2; 0 D in thefiguremeans



















Fig.6. Structureof 2-to-1Multiplexer asTimedLogic Gates
canbe found in a standardtextbook. However, aswill be seenlater this designcon-
tainshazards.Assumingthedelayof eachgateis 5 timeunits,thecorrespondingDILL
specificationis:
define(DelayData,Inf, 5, 5) # MinWidth, MinDel, MaxDel
include(dill.m4) # includeDILL library
circuit( # circuit description
timed, # declaretimeddesign
Multiplexer2to1[A, B, S,C], # circuit nameandports
hide AIn, BIn, SIn in # internalgates
Inverter[S, SIn] # inverterinstance
|[S,SIn]| # syncwith selectionsignals
(
And2 [SIn, A, AIn] # two-inputand instance
|||
And2 [S, B, BIn] # two-inputand instance
)
|[AIn, BIn]| # syncwith inputs
Or2 [AIn, BIn, C] # two-inputor instance
where
Inverter Decl # inverterfrom library
And2 Decl # two-inputandfrom library
Or2 Decl # two-inputor from library
)
This specificationfirst definesthedelayof thebasiclogic gates.Herethedelayis
fixed at 5 and is inertial becauseMinWidth is Inf. The first parameterof the circuit
declarationis optional.In this exampleit is timed, indicatingthatbasiclogic gatesuse
the delaydatadefinedby the specifier. The logic family name(e.g.CMOS) mayalso
begiven,asdelaysfor suchfamiliesarepre-definedin TimedDILL. Thedefault value
11
for acircuit is untimed, whichappendsInf, 0, Inf to every instantiationof abasiclogic
gate.For ahigher-levelspecificationliketheonein section6.1thereis noneedto define
the delayparametersbecausebasiclogic gatesarenot used.But this doesnot means
thatthecomponentis untimed.
Timedbehaviour wasinvestigatedusingtheTestExpandfunctionof TE-LOLA that
automaticallyexploresa testin parallelwith a specification.Testingwasdoneby com-
posingtestprocessesin parallelwith the specification.If the testprocesscanbe fol-
lowed for all executionsof the composedspecification,the result of testingis must
pass. If the testprocesscanbe followed only for someexecutions,the result is may
pass. Otherwisethetestis consideredto berejected.
Firstly, thefunctionalityof themultiplexerwastested.Testprocessesweredefined
to checkif theoutputcorrectlycorrespondsto eachpossibleinputcombination.For ex-
ample,for A=1, B=1, S=0 theoutputshouldbeC=1 after10or 15 timeunits(because
the input-outputpathscontain2 or 3 levelsof basicgate).Thusthecorrespondingtest
processis asfollows.Thetestsuccessfullypassedasexpected.Theotherinput combi-
nationsweretestedin a similarway.
processTest1101 [A, B, S,C, OK] : noexit : (* inputs110,output1 *)
A ! 1 {0}; B ! 1 {0}; S ! 0 {0}; (* acceptinputs*)
(
C ! 1 @ t [t = 10]; OK; stop (* outputat time10 *)
(* or ... *)
C ! 1 @ t [t = 15]; OK; stop (* outputat time15 *)
)
endproc (* Test110 1 *)
Secondly, therewere teststo seeif the designhada timing hazard.Hazardsare
unwantedtransitionsthat appearon the outputsof digital circuits in responseto the
changeson inputs.For example,supposethat theoutputshouldstaythesame(e.g.1)
after the input statechangesfrom I1 to I2. However, in an actualimplementationthe
outputmaychangefrom 1 to 0 andbackagainafteraninput transition.Theconsecutive
unwantedtransitions1 to 0 and0 to 1 arehazards.Figure7 illustrateskindsof common
hazardsin circuitsandtheir correspondingLOTOS specifications.Cases(a)and(b) are
calledstatichazards,while (c) and(d) arecalleddynamichazards.The1-0-1example
correspondsto (b) in thefigure.
(a) (b) (c) (d)
Op ! 0






Fig.7. Hazardsandtheir LOTOS Specifications
12
Transition Type of Hazard ChangedInputs
000to 101 static0 2
010to 101 static0 3
011to 100 static1 3
011to 110 static1 2
111to 100 static1 2
111to 110 static1 1
Fig.8. Hazardsin the2-to-1Multiplexer
The multiplexer has3 input ports and thus 8 input states.Each input statemay
changeto oneof theother7 input states,sothereare56 possibleinput transitions(8×
7) in total. Thesetransitionswerechecked with teststhat deliberatelyrisked hazards.
If thedesignof themultiplexer is hazard-free,thenthehazardtestsshouldberejected.
Unfortunately6 of the 56 transitionspassthe tests,i.e. they exhibit hazards.Figure8
lists thesetransitionsandthecorrespondinghazards.Thetestresultsindicatethatwhen
thedelaysof eachgatesarefixed,thecircuit exhibitsstatichazards.Oneof thehazards
happenswhenthereis asingleinputchange;theothersoccurwhenmorethanoneinput
changessimultaneously.
Thetestcorrespondingto thetransitionfrom ABS111to 110lookslike:
processTest111110Hazard[A, B, S,C, OK] : noexit : (* inputs110to 110*)
(
A ! 1 {0}; B ! 1 {0}; S ! 1 {0}; (* acceptinputs*)
(
C ! 1 @ t [t = 10]; exit (* outputat time10 *)
(* or ... *)
C ! 1 @ t [t = 15]; exit (* outputat time15 *)
)
) (* now state111*)
>> (* continuewith ... *)
(
S ! 0 @ t [t = 2]; (* input change,state110*)
(
C ! 0 @ t [t = 10]; (* hazard*)
C ! 1 @ t [t = 5]; OK; stop
(* or ... *)
C ! 0 @ t [t = 15]; (* hazard*)
C ! 1 @ t [t = 5]; OK; stop
)
)
endproc (* Test111 110Hazard*)
The output transitionsC ! 0 and C ! 1 in the processindicatea hazardbecausethe
output shouldremainat 1 for the transition111 to 110. By simulatinga passedtest
13
sequence,the reasonfor the hazardsis discovered:the inputsfollow differentlengths
of pathto reachtheoutput.Figure9 is a convenientsolution,althoughperhapsnot the
bestone.Threeredundantrepeatersareusedto guaranteethat eachinput-outputpath
hasexactly threegatedelays.It is obvious that the delayof eachrepeatershouldalso










DILL allows formal specificationandanalysisof digital hardware.It hasextendedthe
experiencewith LOTOS in the communicationsfield. Timed DILL offersa numberof
importantbenefits.It cancheckwhethertiming requirementsarerespectedby adesign,
makinguseof timing constraintcomponents.Potentialtiming errorslike hazardscan
bediscovered,asin themultiplexerexample.TimedDILL canalsobeusedto analyse
performancesuchasminimum/maximumdelaysandtiming oncritical paths.Although
the paperhasdeliberatelybeenillustratedwith only a small example,the approach
is applicableto much larger problems.A future goal is supportof Timed DILL with
verificationbasedon KRONOS, HYTECH or timedautomata.
References
1. ISO/IEC. Information ProcessingSystems– OpenSystemsInterconnection– LOTOS – A
FormalDescriptionTechniquebasedontheTemporal Orderingof ObservationalBehaviour.
ISO/IEC8807.InternationalOrganizationfor Standardization,Geneva,Switzerland,1989.
2. Ji He. FormalSpecificationandAnalysisof Digital HardwareCircuitsin LOTOS. PhDthesis,
Departmentof ComputingScienceandMathematics,Universityof Stirling, UK, April 2000.
3. Ji He. Formalspecificationandanalysisof digital hardwarecircuitsin LOTOS. TechnicalRe-
port CSM-158,Departmentof ComputingScienceandMathematics,Universityof Stirling,
UK, August2000.
4. Ji He andKennethJ. Turner. ExtendedDILL: Digital logic with LOTOS. TechnicalReport
CSM-142,Departmentof ComputingScienceandMathematics,Universityof Stirling, UK,
November1997.
14
5. Ji He andKennethJ. Turner. Timed DILL: Digital logic with LOTOS. TechnicalReport
CSM-145,Departmentof ComputingScienceandMathematics,Universityof Stirling, UK,
April 1998.
6. Ji He andKennethJ. Turner. Modelling andverifying synchronouscircuits in DILL. Tech-
nical ReportCSM-152,Departmentof ComputingScienceandMathematics,Universityof
Stirling, UK, April 1999.
7. Ji He andKennethJ.Turner. Protocol-inspiredhardwaretesting.In GyulaCsopaki,Sarolta
Dibuz, andKatalin Tarnay, editors,Proc. TestingCommunicatingSystemsXII, pages131–
147,London,UK, September1999.Kluwer AcademicPublishers.
8. Ji He andKennethJ. Turner. Specificationandverificationof synchronoushardware us-
ing LOTOS. In JianpingWu, SamuelT. Chanson,andQuiangGao,editors,Proc. Formal
Methodsfor ProtocolEngineeringandDistributedSystems(FORTEXII/PSTVXIX), pages
295–312,London,UK, October1999.Kluwer AcademicPublishers.
9. Luc LéonardandGuy Leduc. An enhancedversionof timedLOTOS andits applicationto a
casestudy. In RichardL. Tenney, Paul D. Amer, andM. Ümit Uyar, editors,Proc. Formal
DescriptionTechniquesVI, pages483–500.North-Holland,Amsterdam,Netherlands,1994.
10. Luis LlanaandGualbertoRabayFilho. Definingequivalencesbetweentime/actiongraphs
andtimedactiongraphs.Technicalreport,Departmentof TelematicSystemsEngineering,
PolytechnicUniversityof Madrid,Spain,December1995.
11. SantiagoPavón Gomez,David Larrabeiti,andGualbertoRabayFilho. LOLA usermanual
(version3R6).Technicalreport,Departmentof TelematicSystemsEngineering,Polytechnic
Universityof Madrid,Spain,February1995.
12. GualbertoRabayFilho andJuanQuemada.TE-LOLA: A timedLOLA prototype.In Zmago
BrezocnikandTatjanaKapus,editors,Proc.COST247InternationalWorkshopon Applied
FormalMethods, pages85–95,Slovenia,June1996.Universityof Maribor.
13. KennethJ. TurnerandRichardO. Sinnott. DILL: Specifyingdigital logic in LOTOS. In
RichardL. Tenney, Paul D. Amer, and M. Ümit Uyar, editors,Proc. Formal Description
TechniquesVI, pages71–86,Amsterdam,Netherlands,1994.North-Holland.
15
