Timed logic conformance and its application by Stevens, Kenneth & Young, Frank C. D.
TIMED LOGIC CONFORMANCE AND ITS APPLICATION
Frank C. D. Young (1), Kenneth S. Stevens (2), Robert P. Graham Jr. (3)
1 Air Force Research Laboratory, Wright-Patterson AFB, OH 45433, USA
2 SCL, Intel Corporation, Hillsboro OR, 97124, USA
3 Air Force Institute of Technology, Wright-Patterson AFB, OH 45433, USA
ABSTRACT
Timed Logic Conformance (TLC) is a bisimulation-style partial order relationship defined over the statespace of Timed Safety Automata (TSA) with real-valued clocks. In contrast to timed simulation, Calculus of Timed Refinement (CTR), and Time-Abstracted bisimulation, TLC defines when one system is an acceptable implementation of another by asymmetric bisimulation-style requirements for specification inputs and implementation outputs. While TLC does not necessarily preserve timed properties, it intuitively and pragmatically supports writing abstract specifications and verifying them against implementations. TLC scales up by substituting verified specifications for implementations and hierarchically verifying larger systems. TLC verification is an alternative to the assumes-guarantees reasoning process. TLC verification depends on explicitly capturing environmental timing properties in the specification and ensuring they are satisfied in the TLC relation. The region-automata-based TLC System (TLCS) implements TSA parallel composition and a TLC decision procedure, which is used to hierarchically verify the STARI queue.
1. INTRODUCTION
In contrast to timed simulation [TAKB96], Calculus of Timed Refinement (CTR) [C95], and Time-Abstracted bisimulation [LY93], Timed Logic Conformance (TLC) defines when one system is an acceptable implementation of another by associating asymmetric simulation requirements with matching specification (spec) inputs and implementation (imp) outputs. In general, the imp must match all spec inputs and outputs, and the spec must allow all reachable outputs that the imp produces. Extra imp input derivatives do not matter, and reachable imp outputs must be a timed subset of spec outputs (i.e. no imp output may occur outside the temporal bounds of the same output in the spec). Until it must output, the imp must accept all inputs that the spec accepts, so spec inputs must be a timed subset of imp inputs. TLC does not necessarily preserve timed properties because it accepts imps that may accept more inputs than the spec. TLC is weaker than traditional weak timed bisimulation but not directly comparable to most other timed equivalence relations because of TLC's asymmetry. TLC and parallel composition hierarchically break verification down into independent TLC relations between subcomponent specs and imps at lower levels of abstraction.
2. TIMED SAFETY AUTOMATA
In this research, we use a flavor of TSA with both location and transition predicates and action-labeled transitions. For a formal exposition of TSA expressiveness and computational complexity see [AD94]. Our TSA definition is based on Sokolsky's [SS95], and supports a dense-time model of time with the non-negative real numbers $\mathbb{R} = [0, \infty)$, and time constants from the non-negative integers $\mathbb{Z} = \{0, 1, 2, \ldots\}$.
2.1. Basic TSA Definitions
Let $\mathcal{T}$ denote the set of all TSA automata. Given: Clock: an $\mathbb{R}$-valued variable; let $\mathcal{C}$ be the set of all clock variables. Clock constraint: $C$ is an expression of the form $x\,R\,c$ where $x \in \mathcal{C}$, $c \in \mathbb{Z}$ and $R \in \{<, \le, >, \ge\}$. Clock assignment: $\vec\pi = (x_1, \ldots, x_n)$, an n-dimensional point in $\mathbb{R}^n$, where each real number $x_i$ is the $\mathbb{R}$-value mapped from clock $c_i$ in the n-sized set of clocks used to constrain the TSA. Idling: $\vec\pi + d = (x_1 + d, \ldots, x_n + d)$, $d \in \mathbb{R}$. Clock reset: $\vec\pi[\eta := 0]$, $\eta \subseteq \mathcal{C}$, where $\forall x_i \in \vec\pi\,[c_i \in \eta \Rightarrow x_i = 0]$; otherwise $x_i$ is the same before and after the reset. Region: $\rho \subseteq \mathbb{R}^n$ formed by a conjunction of clock constraints. Let $\Sigma$ be the set of all regions. Input action (name): $a \in A$. Output action (coname): $\bar a \in \bar A$. Labels: $\mathcal{L} = A \cup \bar A$. Invisible internal action: $\tau \notin \mathcal{L}$. Location: $(l, \rho_l)$, where $l$ is a unique location name, and $\rho_l$ is a past-closed region called a location invariant. A region $\rho$ is past-closed when it includes time 0, i.e.
$$\forall \vec p \in \rho\,[\,\forall \vec d \in \mathbb{R}^n\,[\,\vec 0 \le \vec d \le \vec p \Rightarrow \vec d \in \rho\,]\,]$$
A TSA $T$ is a 5-tuple $(\Lambda, Act, \xi, (l_0, \rho_0), \longmapsto)$: 1. $\Lambda$, a finite set of locations. 2. $Act = \mathcal{L} \cup \{\tau\}$, a set of actions ranged over by $\alpha$. 3. $\xi \subseteq \mathcal{C}$, a size-n set of $\mathbb{R}$-valued clocks. 4. $(l_0, \rho_0) \in \Lambda$, the start location, where initially $\vec\pi \in \rho_0 = \vec 0$. 5. $\longmapsto \subseteq \Lambda \times Act \times \Sigma \times \mathcal{P}(\xi) \times \Lambda$, the transition relation, where each transition is labeled by an action, a region (called a guard), and a set of clocks which are reset to 0 when the transition occurs.
Guards are interpreted as necessary conditions for the transition to occur, and invariants are interpreted as sufficient conditions for a transition to occur [HNSY94]; i.e. time passing forces a change of location to avoid $\vec\pi \notin \rho_l$. Invariants are also necessary conditions for the TSA to be in the associated location. Unspecified guards and invariants are defined to be always satisfied. Informally, TSA take instantaneous transitions from location to location. When no transitions occur, TSA idle in a location $(l, \rho_l)$ passing time by incrementing all clocks $x_i \in \vec\pi$ by $d \in \mathbb{R}$ such that $l$'s location invariant is satisfied, i.e. $\vec\pi + d \in \rho_l$. Without loss of generality, we consider only non-Zeno TSA. Non-Zenoness is a liveness condition that asserts time can always progress [HNSY94].
Figure 1 is an inverter TSA with delay bounds from MinD to MaxD, clock k, input a, output b_ (underscores denote output labels), and four locations labeled with the values of the input and output signals. Unstable locations (1) 00 and 11 have invariant k<MaxD, outputs from those locations have guard k>=MinD, the inverter initializes in stable locations 01 or 10, and stable-location a input transitions reset clock k.
Figure 1. Simple Inverter Logic Symbol and TSA
Specifying the behavior of complex imps as single flat TSA is too tedious. Precise mathematical definitions for hierarchical parallel composition based on DLTS semantics, and EBNF productions defining the syntax of TLCS parallel TSA, are included in [Youss].
2.2. TSA Semantics
We define the TSA semantics via Dense Labeled Transition System (DLTS) automata with uncountable state sets. Let $\mathcal{D}$ denote the set of all DLTS automata. Every TSA $T = (\Lambda, Act, \xi, (l_0, \rho_0), \longmapsto)$ induces a DLTS automaton $D = (S, Act, \longrightarrow, (l_0, \vec 0))$ such that:
1. $S$ is a set of timed states defined by the following rule:
$$\forall (l, \rho_l) \in \Lambda\,[\,\vec\pi \in \rho_l \Rightarrow (l, \vec\pi) \in S\,] \tag{1}$$
We sometimes use $S_I$ and $S_S$ to distinguish between the imp and spec DLTS state-spaces. 2. $Act = \mathcal{L} \cup \{\tau\}$, a set of actions ranged over by $\alpha$. 3. $(l_0, \vec 0)$, the start state, assigning 0 to every clock. 4. $\longrightarrow \subseteq S \times (Act \cup \mathbb{R}) \times S$ is a transition relation defined by the following two rules for every $(l, \rho_l) \in \Lambda$:
$$(l, \rho_l) \xmapsto{\alpha, \rho, \eta} (l', \rho_{l'}) \wedge \vec\pi \in \rho \wedge \vec\pi \in \rho_l \wedge \vec\pi[\eta := 0] \in \rho_{l'} \Rightarrow (l, \vec\pi) \xrightarrow{\alpha} (l', \vec\pi[\eta := 0]) \tag{2}$$
$$\delta \in \mathbb{R} \wedge \vec\pi, \vec\pi + \delta \in \rho_l \Rightarrow (l, \vec\pi) \xrightarrow{\delta} (l, \vec\pi + \delta) \tag{3}$$
In Rule 2, $D$ transitions from location $l$ to $l'$ via action $\alpha$. No time passes, but all clocks in $\eta \subseteq \xi$ are reset to 0. Clock assignment $\vec\pi$ must satisfy (be an element of) regions $\rho_l$ and $\rho$, and clock reset $\vec\pi[\eta := 0]$ must satisfy $\rho_{l'}$. Under Rule 2, we call timed state $(l', \vec\pi[\eta := 0])$ a transition successor of timed state $(l, \vec\pi)$.
In Rule 3, $D$ stays in location $l$ with time delay $\delta$ if both $\vec\pi$ and $\vec\pi + \delta$ satisfy $\rho_l$. Under Rule 3, we call timed state $(l, \vec\pi + \delta)$ a time successor of timed state $(l, \vec\pi)$.
(1) An unstable location is a location with an output or internal transition. Consequently, a stable location is a location with no output or internal transitions.
Possible Function ($\Psi$): The overloaded function $\Psi$ computes sets of possible actions from TSA locations and DLTS timed states as follows (underscores in tuples are don't-cares): 1. Let $\Psi : \Lambda \to \mathcal{P}(Act)$ return the set of actions possible from a TSA location: $\Psi(l) = \{\sigma \mid (l, \sigma, \_, \_, \_) \in \longmapsto\}$. 2. Let $\Psi : S \to \mathcal{P}(Act \cup \mathbb{R})$ return the set of actions possible from a DLTS timed state such that $\Psi(s) = \{\sigma \mid (s, \sigma, \_) \in \longrightarrow\}$.
2.3. Region Automata
Since the DLTS statespace is uncountable, we adopt a finite representation of the DLTS called region automata from Alur and Dill [AD94]. The uncountable number of time-vectors representing the different possible combinations of DLTS real-valued clock assignments are represented finitely by a collection of open and closed intervals in the region automata, one interval for each clock, and a relation on clocks that orders them according to the magnitude of the fractional part of the clock value. Hence, the "state" of a region automaton consists of a label representing the TSA location, a collection of time intervals, and the fractional-part relation. The intervals and the fractional-part relation together define equivalence classes for the time vectors. Starting from the initial states, TLCS decides if the mutually reachable set of states satisfies the TLC relation, and it produces counterexamples when TLC does not hold.
3. TIMED LOGIC CONFORMANCE
Based on the bisimulation-style Logic Conformance relation $\sqsubseteq_l$ of Stevens [Ste94], we define a timed relation called Timed Logic Conformance $\sqsubseteq_t$ for Timed Safety Automata (TSA) based on DLTS semantics. $\sqsubseteq_t$ enforces a time-interval-based relationship between imp actions and spec actions. It also maintains $\sqsubseteq_l$'s partial order relationship between specs and imps. $\sqsubseteq_t$ loosens the standard bisimulation-style strict timed-equivalence requirement formalized by Cerans [C92], Alur, Courcoubetis, Henzinger [ACH94], and others [LY93]. Instead of strict timed-equivalence we define a weaker relation over the statespaces of two systems based on the time intervals when actions are enabled. The relation requires that imp inputs are enabled over a timed superset of spec inputs (2), and that imp outputs are enabled over a timed subset of spec outputs. $\sqsubseteq_t$ induces a partial order relation (written $\sqsubseteq_t$ for both DLTS and their inducing TSA) over $\mathcal{D} \times \mathcal{D}$. For example, $\sqsubseteq_t$ relates TSA Imp ($I$) and Spec ($S$) such that $I \sqsubseteq_t S$ when $I \sqsubseteq_l S$ and all outputs of $I$ occur within the time intervals observed for $S$'s outputs and all inputs of $S$ occur within the time intervals observed for $I$'s inputs. $\sqsubseteq_t$ is different from other loose timed-refinement relations [Dan92, C95]. In particular, $\sqsubseteq_t$ turns around the standard definition that typically requires imp inputs to be a timed subset of spec inputs. This change is motivated by the need to determine when an imp can be used to replace a spec, and it agrees with common sense, which argues one cannot safely substitute an imp that does not accept all of the inputs accepted by the spec.
(2) Exceptions to the spec-input half of the $\sqsubseteq_t$ relationship are allowed under certain circumstances; see the output-bound (ob) definition.
Like $\sqsubseteq_l$, we abstract internal behavior into $\tau$-transitions and ignore internal state changes that are matched by staying in an equivalent state. Recall $\tau$ is a distinguished element of $Act$; hatted actions formalize when $\tau$ actions may be matched by staying in the same state and passing zero time, as follows. Tau-abstraction ($\hat{\alpha}$):
$$\hat\tau = 0, \quad \hat 0 = \tau, \quad \forall \alpha \in (Act \cup \mathbb{R}) \setminus \{\tau, 0\}\,[\,\hat\alpha = \alpha\,]$$
To further loosen action-matching requirements, we extend the transition relations of the systems by transitively closing them over certain action sequences.
$\tau$-closure ($P \Rightarrow_\tau Q$): A DLTS transition relation $R \subseteq (S \times (Act \cup \mathbb{R}) \times S)$ is $\tau$-transitive if whenever
$$P\,(\xrightarrow{\tau})^*\xrightarrow{\sigma}(\xrightarrow{\tau})^*\,Q \;\wedge\; \sigma \in Act \cup \mathbb{R} \quad\vee\quad P \xrightarrow{\delta_1}(\xrightarrow{\tau})^*\xrightarrow{\delta_2} Q \;\wedge\; \sigma = \delta_1 + \delta_2$$
exists in $R$ then $P \xrightarrow{\sigma} Q$ also exists in $R$.
The $\tau$-closure of a DLTS transition relation $R \subseteq (S \times (Act \cup \mathbb{R}) \times S)$ is the relation $R'$ such that
1. $R'$ is $\tau$-transitive.
2. $R' \supseteq R$.
3. For any $\tau$-transitive relation $R''$, $R'' \supseteq R \Rightarrow R'' \supseteq R'$.
The predicate $P \Rightarrow_\tau^{\sigma}$ is true when there is at least one $\sigma$-transition from state $P$. No actions are time abstracted in $\tau$-closure, but it extends transition relations and ignores internal actions that do not matter.
Input-$\delta$-$\tau$-closure ($P \Rightarrow_i Q$): In addition to those transitions added to $R$ by $\tau$-closure, input-$\delta$-$\tau$-closure adds a $P \Rightarrow_i^{a} Q$ transition to $R$ whenever there is a transition sequence $P \xrightarrow{\delta_1}\xrightarrow{a}\xrightarrow{\delta_2} Q$ and $a \in A$, $\delta_1, \delta_2 \in \mathbb{R}$. The predicate $P \Rightarrow_i^{a}$ is true when there is at least one $a$-transition from state $P$. Input-$\delta$-$\tau$-closure time-abstracts inputs, and extends spec transition relations to match imp inputs.
Output-$\delta$-$\tau$-closure ($P \Rightarrow_o Q$): In addition to those transitions added to $R$ by $\tau$-closure, output-$\delta$-$\tau$-closure adds a $P \Rightarrow_o^{\bar a} Q$ transition to $R$ whenever there is a transition sequence $P \xrightarrow{\delta_1}\xrightarrow{\bar a}\xrightarrow{\delta_2} Q$ and $\bar a \in \bar A$, $\delta_1, \delta_2 \in \mathbb{R}$. The predicate $P \Rightarrow_o^{\bar a}$ is true when there is at least one $\bar a$-transition from state $P$. Output-$\delta$-$\tau$-closure time-abstracts outputs and extends imp transition relations to match spec outputs.
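The three closures above are plain fixpoint computations once a DLTS is finite. The block below is an added example (not code from the paper or from the TLCS tool) that computes the $\tau$-closure, the input-$\delta$-$\tau$-closure and the output-$\delta$-$\tau$-closure over a constructed DLTS fragment of six states. State names, the string encoding of labels (inputs are plain names, outputs end in an underscore as in the paper's b_ convention, delays are floats) and the sample transitions are all assumptions of the example; the sample is finite and has no delay cycles, so the closure terminates.

```python
"""Tau-closure and input/output delta-tau-closure over a constructed DLTS sample.

Added example, not code from the paper or the TLCS tool. States are strings;
a transition is (source, label, target). Labels follow the paper's conventions:
input names are plain strings ("a"), output conames end in "_" ("b_"),
TAU is the invisible action, and a delay is a float. The sample is finite and
has no delay cycles, so the closure fixpoint below terminates.
"""
TAU = "tau"


def is_delay(label):
    return isinstance(label, float)


def is_input(label):
    return isinstance(label, str) and label != TAU and not label.endswith("_")


def is_output(label):
    return isinstance(label, str) and label.endswith("_")


def with_zero_delays(trans):
    """Rule 3 with delta = 0: every timed state is its own time successor."""
    states = {p for p, _, _ in trans} | {q for _, _, q in trans}
    return set(trans) | {(s, 0.0, s) for s in states}


def tau_closure(trans):
    """Least tau-transitive relation containing trans:
       P tau* s tau* Q  gives  P s Q        (s any action or delay)
       P d1 tau* d2 Q   gives  P (d1+d2) Q  (delays add up across taus)"""
    R = with_zero_delays(trans)
    changed = True
    while changed:
        changed = False
        new = set()
        for (p, s, q) in R:
            for (p2, s2, q2) in R:
                if s2 == TAU and q2 == p:          # tau step before s
                    new.add((p2, s, q))
                if s2 == TAU and p2 == q:          # tau step after s
                    new.add((p, s, q2))
                if is_delay(s) and is_delay(s2) and p2 == q:
                    new.add((p, s + s2, q2))       # consecutive delays
        if not new <= R:
            R |= new
            changed = True
    return R


def time_abstract(R, keep):
    """Add P =a=> Q for every P d1 a d2 Q with keep(a) true (d1, d2 may be 0).
    keep=is_input gives the input-delta-tau-closure, keep=is_output the
    output-delta-tau-closure; both start from the tau-closure R."""
    by_src = {}
    for t in R:
        by_src.setdefault(t[0], []).append(t)
    added = set()
    for (p, d1, m) in R:
        if not is_delay(d1):
            continue
        for (_, a, n) in by_src.get(m, []):
            if keep(a):
                for (_, d2, q) in by_src.get(n, []):
                    if is_delay(d2):
                        added.add((p, a, q))
    return set(R) | added


def possible(R, state):
    """The Psi function: the set of labels possible from a DLTS state."""
    return {s for (p, s, _) in R if p == state}


# Constructed sample: idle 1.0, internal step, idle 0.5, input a, idle 0.25, output b_
SAMPLE = {
    ("P0", 1.0, "P1"), ("P1", TAU, "P2"), ("P2", 0.5, "P3"),
    ("P3", "a", "P4"), ("P4", 0.25, "P5"), ("P5", "b_", "P6"),
}
TAU_CLOSED = tau_closure(SAMPLE)
INPUT_CLOSED = time_abstract(TAU_CLOSED, is_input)
OUTPUT_CLOSED = time_abstract(TAU_CLOSED, is_output)
```

Note what each closure does and does not add on this sample: the $\tau$-closure sums the delays across the internal step, so P0 reaches P3 by a single delay of 1.5; the input closure lets P0 offer the input a directly (time-abstracting the delays around it), while the output closure lets P4 offer b_ but never lets P3 do so, because the intervening a is neither a delay nor a $\tau$.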
In addition to the closures, we define the following two projections, which are subsets of the DLTS transition relation $\longrightarrow$. They define the sets of spec and imp time-passing actions that must be subsets of each other's time actions.
Input projection ($\circ\!\!\rightarrow_i \subseteq S \times \mathbb{R} \times S$):
$$\{\,\langle (l, \vec\pi_i), \delta, (l, \vec\pi_j) \rangle \mid \exists \langle (l, \vec\pi_k), \alpha, \_ \rangle \in \longrightarrow\,[\,\vec\pi_i \le \vec\pi_k \wedge \vec\pi_j \le \vec\pi_k \wedge \alpha \in A \cup \{\tau\}\,]\,\}$$
Output projection ($\circ\!\!\rightarrow_o \subseteq S \times \mathbb{R} \times S$):
$$\{\,\langle (l, \vec\pi_i), \delta, (l, \vec\pi_j) \rangle \mid \exists \langle (l, \vec\pi_k), \beta, \_ \rangle \in \longrightarrow\,[\,\vec\pi_i \le \vec\pi_k \wedge \vec\pi_j \le \vec\pi_k \wedge \beta \in \bar A \cup \{\tau\}\,]\,\}$$
Next, we define a predicate that relaxes the superset relationship between imp and spec inputs when simultaneous inputs and outputs are possible from a spec location.
Output-bound (ob): $ob : S_I \times \mathbb{R} \times S_S \times \mathcal{P}(S_I \times S_S) \to \{t, f\}$,
$$ob(I, \delta, S, \mathcal{H}) =$$
$$I \not\xrightarrow{\delta} \;\wedge \tag{4}$$
$$\exists \delta_1 \in \mathbb{R},\, I' \in S_I,\, \beta \in \bar A \cup \{\tau\}\,[\, I \Rightarrow_o^{\delta_1} I' \wedge \beta \in \Psi(I') \;\wedge \tag{5}$$
$$\forall \delta_2 \ge \delta_1,\, S' \in S_S\,[\, S \Rightarrow_i^{\delta_2} S' \Rightarrow (\, I' \,\mathcal{H}\, S' \;\wedge \tag{6}$$
$$\forall I'' \in S_I\,[\, I \Rightarrow_o^{\delta_1} I'' \Rightarrow I'' \,\mathcal{H}\, S' \,]\,)\,]\,] \tag{7}$$
Conjunct 4 requires that the imp cannot do $\delta$. Conjunct 5 requires the imp system to be constrained by an invariant to produce an output or $\tau$. Conjunct 6 ensures that future spec actions are matched by the imp when it produces the output, and conjunct 7 specifies that there are no other future imp locations that do not also match the spec's behavior (bisimulation).
The notion output-bound formalizes is that as long as an imp's output occurs within the bounds of the same output in the spec, it can occur in accordance with a stronger location invariant even though the spec could remain in its location longer and subsequently accept future inputs. Without this exception, we generally cannot accept imps with less output variation in locations where otherwise unconstrained inputs are also possible. Modeling locations with both inputs and outputs possible is important for accurate modeling of real systems as well as for abstracting behavior into simpler machines with fewer locations.
A Timed Logic Conformation ($\sqsubseteq_t \subseteq S_I \times S_S$) is a binary relation over DLTS automata states between an imp DLTS $(S_I, Act_I, \longrightarrow_I, (l_0, \vec\pi_0)_I)$, $I, I' \in S_I$, and a spec DLTS $(S_S, Act_S, \longrightarrow_S, (l_0, \vec\pi_0)_S)$, $S, S' \in S_S$, iff
$$\forall I \sqsubseteq_t S,\; a \in A,\; \beta \in \bar A \cup \{\tau\},\; \delta \in \mathbb{R}\,[$$
$$S \xrightarrow{a} S' \Rightarrow I \Rightarrow_o^{a} I' \wedge I' \sqsubseteq_t S' \;\wedge \tag{8}$$
$$S \xrightarrow{\beta} S' \Rightarrow I \Rightarrow_o^{\hat\beta} I' \wedge I' \sqsubseteq_t S' \;\wedge \tag{9}$$
$$(I \xrightarrow{a} I' \wedge S \Rightarrow_i^{a}) \Rightarrow S \Rightarrow_i^{a} S' \wedge I' \sqsubseteq_t S' \;\wedge \tag{10}$$
$$I \xrightarrow{\beta} I' \Rightarrow S \Rightarrow_i^{\hat\beta} S' \wedge I' \sqsubseteq_t S' \;\wedge \tag{11}$$
$$S \circ\!\!\rightarrow_i^{\delta} S' \Rightarrow ((I \Rightarrow_o^{\delta} I' \wedge I' \sqsubseteq_t S') \vee ob(I, \delta, S, \sqsubseteq_t)) \;\wedge \tag{12}$$
$$I \circ\!\!\rightarrow_o^{\delta} I' \Rightarrow S \Rightarrow_i^{\delta} S' \wedge I' \sqsubseteq_t S' \,] \tag{13}$$
Formulas 8 and 9 require that the imp simulates the observable behaviors of the spec. Formulas 10 and 11 require that the spec simulate the observable behaviors of the imp. Formula 10 weakens standard weak bisimulation by allowing imps to have irrelevant inputs, i.e. inputs the spec does not accept in state $S$ or its $\tau$-derivatives. This can save considerable time when computing TLC. Formula 11 requires the spec to simulate all imp outputs and $\tau$s. Formula 12 ensures that the imp simulates all spec-input time derivatives, with output-bound exceptions allowed, and Formula 13 ensures that the spec simulates all imp-output time derivatives.
We introduce the following TSA modeling constraints to ensure that TLC is transitive over the statespace of DLTSs induced from constraint-satisfying TSA:
1. A location $l$ has an invariant $\rho_l$ iff it is a from-location for one or more output or tau transitions.
2. No upper bounded guards exist in output or tau transition guards. Inputs may have such guards.
3. No to-location of a transition has a stronger invariant than the from-location unless the strengthened-invariant-clause clock is reset.
These are reasonable modeling constraints, especially for the hardware domain where devices do control the occurrence of their outputs but not their inputs. The constraints strengthen the causal relationship of the models and their outputs and they increase the fidelity between the models and the physical devices they represent. Under these modeling constraints, the TLC relation is a partial order with respect to weak timed bisimulation equivalence between DLTSs [Youss].
We must narrow down the definition of $\sqsubseteq_t$ so that it uniquely defines one of the many possible relations between DLTS states (e.g. $\emptyset$ is a useless $\sqsubseteq_t$). The $\sqsubseteq_t$ relation we desire is the union of all subsets of $S_I \times S_S$ that are timed logic conformations, or $\sqsubseteq_t$'s maximum fixpoint, denoted $\sqsubseteq_T$. We can safely substitute an imp DLTS $I$ for a spec DLTS $S$ when their initial states are in $\sqsubseteq_T$.
An imp TSA $I$ is timed logic conformant to spec TSA $S$ (written $I \sqsubseteq_{tlc} S$) whenever the DLTSs induced from $I$ ($I' = (S_I, Act_I, \longrightarrow_I, (l_0, \vec 0)_I)$) and $S$ ($S' = (S_S, Act_S, \longrightarrow_S, (l_0, \vec 0)_S)$) are timed logic conformant (written $I' \sqsubseteq_{tlc} S'$). A pair of DLTS automata are timed logic conformant to each other when their initial states are in the maximum fixpoint TLC state relation over their statespaces; i.e.:
$$I' \sqsubseteq_{tlc} S' \;\equiv\; ((l_0, \vec 0)_I, (l_0, \vec 0)_S) \in \sqsubseteq_T$$
4. HIERARCHICAL VERIFICATION
Top-down hierarchical TLC-verification starts at the most abstract level with a spec that incorporates the environmental timing issues (e.g. input frequency, stimulus-response constraints) into its behavior. The spec is our contract with the environment; as such it defines the behavior required for the inputs it accepts. Only imps that satisfy the TLC relation with the spec fulfill the contract; TLC failures are design errors. A parallel composition with an output offered in a non-accepting state is a design error called computation interference (CI). A composition is CI-free when all receivers accept every output offered by transmitters in the composition's reachable statespace. All non-parallel TSA are CI-free by definition. A top-level parallelly-composed spec must be CI-free.
A hierarchical system can be top-down verified by defining (usually by parallel composition) a set of sub-specs that are TLC-verified against the spec. Sub-specs must also be CI-free, but only in the subset of their statespace explored by the TLC relation with the spec's reachable statespace. We continue down the hierarchy TLC-verifying each sub-spec against its sub-sub-spec until TLC holds with imps composed entirely of design primitives. The reverse method can be used from the bottom up to create systems (as done in the STARI example [Youss]). We believe the CI-free property preserves the TLC relation across parallel composition and frees us from having to specify behaviors for all possible inputs in all possible states for all possible times. This greatly simplifies the modeling and verification task, and directly supports abstractly verifying components across levels of hierarchy.
5. APPLICATION
The flexible time and behavior modeling capabilities of Timed Safety Automata (TSA) express the relationship between time passing and behavior at many different levels of abstraction. We introduce two canonical forms for modeling logic gates; the first is called monotonic. A monotonic model reflects every possible output change that can occur from all unstable locations. The simple inverter shown earlier in Figure 1 is monotonic. In contrast, an inertial model accepts stabilizing inputs in unstable states and will not reflect an output change when a stabilizing input occurs. An inertial inverter is identical to the TSA in Figure 1, except that it includes two additional a-transitions, 00 to 10 and 11 to 01, guarded by k<MinD. A spike on the a input to the inertial inverter may occur and not generate a b_ output action; this inverter has inertial-delay semantics during the interval [0,MinD). In practice, it might be the case that an even smaller inertial time period, and not the whole time interval [0,MinD), would be better for high fidelity modeling, and such a model can be accommodated by adding another timing parameter to the TSA, but for simplicity, and in agreement with the general bi-bounded delay model [BS91, Bur92], we will not describe more detailed models in this paper.
5.1. Simple Nand-Inverter And-gate Example
Figure 2 depicts the logic symbol and the TSA defining the behavior of an inertial two-input and-gate. In this model, locations are labeled with three-digit binary codes indicating the values of the and-gate's two inputs and output in that location. For example, the location 101 is an unstable location, where input a is asserted, input b is de-asserted, and output c_ is asserted. Every TSA input from a stable to an unstable location resets k, and every unstable location has the invariant k < MaxD for some integral delay MaxD. The and-gate can start from any stable location.
Figure 2. Two-Input And-Gate
A nand-gate is very similar to an and-gate, except that the and-gate stable/unstable locations are nand-gate unstable/stable locations. Hence, the location invariants are swapped from the unstable and-locations to the unstable nand-locations, and transitions are reversed.
One and-gate imp is a coupled nand-gate and inverter as shown at the top of Figure 3. Depending on the timing of the gates, this parallel and-gate is an acceptable imp of the and-gate "spec" in Figure 2.
Figure 3. And-gates in Parallel
It is interesting to compare the timing relationships TLC accepts. Generally, given the and-gate's minimum and maximum delays AndMin and AndMax, one expects that the timing relationship is satisfied whenever NandMin + InvMin >= AndMin and NandMax + InvMax <= AndMax. That is the case when monotonic gates are used, but that is not the case with inertial gates! The parallel-and imp can output a c_ earlier than the and-gate spec allows when NandMin + InvMin = AndMin with inertial gate models! For example, assume that the nand-gate and inverter minimum and maximum delays are 1 and 2 time units, and that the and-gate spec minimum and maximum delays are 2 and 4 time units respectively. Imagine the imp and spec inputs wired in parallel together as diagrammed in Figure 3, and refer to the timing diagram in Figure 4.
Let T be our point of reference for time passing, and let T = 0 just when the last input is asserted from 0 to 1. It is possible then that at T = 1.5 the TSA can be in locations Imp:[nand111, inv10] and Spec:and110, where both the Imp and Spec are in unstable locations. Then mid_ de-asserts, moving to locations Imp:[nand110, inv00] and Spec:and110, where only the nand-gate TSA is in a stable location. If another a input occurs at T = 1.75, before the and-gate can assert its output, then the and-gate spec stabilizes in state and010, and the nand-gate destabilizes to nand010. Eventually, if no more inputs occur before T = 3.75, the nand-gate will assert mid_ and stabilize in state nand011. But until it does, the inverter is still unstable in state inv00, and it can generate a c_ output for T in [2.5, 3.5]. The spec cannot generate this c_ output. This difference between the spec and imp outputs is highlighted by the shaded area in Figure 4.
Figure 4. And-gate Imp-Spec Timing Diagram (time axis T from 0 to 4)
If however we change timing parameters such that the spec delay is [1,4] (or some superset of [1,4]), and the nand and inverter delays are [1,2], TLC is satisfied because the imp cannot then produce any outputs outside the time bounds allowed by the spec. Discovering problems at delay boundaries like this is the key to building reliable circuits.
In general, for inertial gates with non-zero gate delays, given that PMin = NandMin + InvMin and PMax = NandMax + InvMax, TLC holds whenever PMin >= AndMin and PMax <= AndMax and AndMin <= NandMin.
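The reason the inertial models differ from the monotonic ones is that an unstable inertial location accepts a stabilizing input only while k < MinD, so whether the spec takes the a input at T = 1.75 depends on AndMin alone. The block below is an added example, not code from the paper or from TLCS: it encodes an inertial bi-bounded-delay gate as a TSA in the sense of Section 2 (locations labeled by input and output values, one clock, Rule 2 and Rule 3 semantics, the Figure 1 and Figure 2 guard and invariant conventions) and replays the Figure 4 trace for both spec parameterizations. The class and function names, the encoding of actions as ('in', i) and 'out', and the exact event times 1.5 and 1.75 are assumptions taken from the narrative above.

```python
"""Inertial bi-bounded-delay gate TSA and the and-gate timing trace of Section 5.1.

Added example; not code from the paper or from TLCS. A gate location is
(inputs, output) as in Figures 1 and 2, with one clock k (a float) reset on
every input into an unstable location. Unstable means output != fn(inputs)
(footnote 1). Rule 2 and Rule 3 are applied as: an action is enabled only
when its guard holds, and idling must keep the invariant k < MaxD.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Gate:
    name: str
    fn: object      # boolean function of the input tuple
    min_d: float    # MinD: outputs are guarded by k >= MinD
    max_d: float    # MaxD: unstable locations carry invariant k < MaxD

    def stable(self, loc):
        inputs, out = loc
        return self.fn(inputs) == out

    def can_idle(self, loc, k, d):
        """Rule 3: idle d time units in loc; stable locations have no invariant."""
        return self.stable(loc) or k + d < self.max_d

    def enabled(self, loc, k):
        """Psi for timed state (loc, k): inputs as ('in', i), the output change as 'out'.
        Inertial model: an unstable location accepts a stabilizing input only while
        k < MinD; a monotonic model would accept no input there at all."""
        inputs, out = loc
        acts = set()
        for i in range(len(inputs)):
            flipped = inputs[:i] + (not inputs[i],) + inputs[i + 1:]
            if self.stable(loc) or (k < self.min_d and self.fn(flipped) == out):
                acts.add(("in", i))
        if not self.stable(loc) and self.min_d <= k < self.max_d:
            acts.add("out")
        return acts

    def step(self, loc, k, act):
        """Rule 2: transition successor; k is reset on entering an unstable location."""
        inputs, out = loc
        if act == "out":
            return (inputs, not out), k
        i = act[1]
        new_loc = (inputs[:i] + (not inputs[i],) + inputs[i + 1:], out)
        return new_loc, (k if self.stable(new_loc) else 0.0)


def inertial_condition(and_min, and_max, nand, inv):
    """The paper's condition for TLC with inertial gates: PMin >= AndMin,
    PMax <= AndMax and AndMin <= NandMin. Delays are (MinD, MaxD) pairs."""
    return nand[0] + inv[0] >= and_min and nand[1] + inv[1] <= and_max and and_min <= nand[0]


def and_gate_scenario(and_min, and_max, nand=(1.0, 2.0), inv=(1.0, 2.0)):
    """Replay the Figure 4 trace in absolute time T: the last input rises at
    T = 0, mid_ falls at T = 1.5 and a falls at T = 1.75."""
    nand_g = Gate("nand", lambda x: not (x[0] and x[1]), *nand)
    inv_g = Gate("inv", lambda x: not x[0], *inv)
    and_g = Gate("and", lambda x: x[0] and x[1], and_min, and_max)
    # T = 0: imp in [nand111, inv10], spec in and110; all clocks 0
    nand_loc, nand_k = ((True, True), True), 0.0
    inv_loc, inv_k = ((True,), False), 0.0
    spec_loc, spec_k = ((True, True), False), 0.0
    # T = 1.5: the nand may output (k >= NandMin); the inverter takes mid_ as its input
    nand_k, inv_k, spec_k = nand_k + 1.5, inv_k + 1.5, spec_k + 1.5
    mid_falls = "out" in nand_g.enabled(nand_loc, nand_k)
    nand_loc, nand_k = nand_g.step(nand_loc, nand_k, "out")              # -> nand110, stable
    inv_loc, inv_k = inv_g.step(inv_loc, inv_k, ("in", 0))              # -> inv00, k reset
    inv_entered = 1.5
    # T = 1.75: a falls. The stable nand accepts it; the unstable spec only inside its
    # inertial window k < AndMin (otherwise the imp's a is irrelevant under Formula 10).
    nand_loc, nand_k = nand_g.step(nand_loc, nand_k + 0.25, ("in", 0))  # -> nand010, unstable
    spec_k += 0.25
    spec_accepts_a = ("in", 0) in and_g.enabled(spec_loc, spec_k)
    if spec_accepts_a:
        spec_loc, spec_k = and_g.step(spec_loc, spec_k, ("in", 0))       # -> and010, stable
    # The nand re-asserts mid_ no earlier than 1.75 + NandMin; the inverter's inertial
    # window closed at inv_entered + InvMin, so it cannot be stabilized and must output c_.
    imp_c_window = (inv_entered + inv_g.min_d, inv_entered + inv_g.max_d)
    imp_c_unavoidable = 1.75 + nand_g.min_d >= inv_entered + inv_g.min_d
    spec_c_window = None if and_g.stable(spec_loc) else (and_g.min_d, and_g.max_d)
    within = (spec_c_window is not None and spec_c_window[0] <= imp_c_window[0]
              and imp_c_window[1] <= spec_c_window[1])
    return {"mid_falls": mid_falls, "spec_accepts_a": spec_accepts_a,
            "imp_c_window": imp_c_window, "imp_c_unavoidable": imp_c_unavoidable,
            "spec_c_window": spec_c_window, "imp_output_in_spec_bounds": within}
```

With the spec at [2,4] the call `and_gate_scenario(2.0, 4.0)` reports that the spec accepts a at T = 1.75 and stabilizes in and010 with no c_ window, while the imp's inverter must still produce c_ in [2.5, 3.5]; with the spec at [1,4] the spec's inertial window has already closed at T = 1.75, so the a input is not one the spec accepts and the imp's c_ window lies inside the spec's [1,4]. Both outcomes agree with `inertial_condition`, which is the closed form stated above.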
Verification results are very dependent on the models chosen, as illustrated in this example. In particular, TLC verification results are different for the monotonic and inertial gate models. Some of the most difficult errors to track down in hardware devices are those associated with unstable states and their upper and lower delay bounds; since we are interested in creating designs that do not suffer from obscure defects like this, we recommend verifying with inertial gate models. Discovering when there are dependencies in real designs that keep these kinds of problems from occurring is the key to building hierarchical systems that are efficient. Both are supported by TLC verification with appropriately detailed models.
5.2. STARI Queue and Perfect Buffer
STARI (Self Timed at Receiver's Input) is an asynchronous queue designed and fabricated by Greenstreet [Gre93]. STARI connects two systems that operate at the same clock rate but with some clock skew. The general problem is to size the queue such that it buffers the data between the clock-skewed systems, allowing the transmitter to output and the receiver to input a new data value every clock cycle without waiting for the queue. We hierarchically model and verify STARI operation against a perfect buffer spec in [Youss]. Generally, we model systems in more detail than the other STARI queue verifications we are aware of [Gre93, BM98, TB97], and we are able to compute comparable results. Using the asynchronous STARI verification problem as a benchmark, we confirm the Berkeley researchers' results [TB97]; we extend the verification to include data values passing correctly through the queue, and we do not use assumes-guarantees reasoning to accomplish the verification. Comparing our work with that of researchers from VERIMAG [BM98], we generally confirm their results but point out an important counterexample when set-up and hold time requirements of the receiver are taken into account. Our model is much more detailed than the original proof of STARI correctness [Gre93], proving properties about the actual data transferred as well as showing a counterexample to the formula derived for allowable skew between sender and receiver clocks.
6. CONCLUSION
TSA are well suited for modeling systems at various levels of abstraction, and the TLC relationship is useful for verifying when one TSA is an acceptable implementation of another. TLC verification is an alternative to assumes-guarantees-based verification. TSA allow one to naturally incorporate the environmental constraints into specs, and the TLC decision procedure insures those environmental constraints are satisfied by acceptable implementations. The environmental constraints restrict the number of states that must be examined, and they make a fair tradeoff possible between model fidelity and computational complexity. Once imp/spec pairs satisfy TLC, the spec can be safely and efficiently substituted for the imp in higher-level verifications without reaccomplishing assumes-guarantees proof obligations. TLC helps efficiently build high-performance hierarchical systems by discovering timing dependencies in real designs that keep real hazards safely under control.
Our contributions are:
• A formal definition of a practical relationship that designers can use to decide when an imp satisfies a spec.
• A verification process that supports using more detailed models and discovers more problems because the TLC relation naturally restricts the verification to state-pairs that matter.
• A simple verification process where the environment constraints are modeled in the spec rather than in separate models of the environment. This avoids assumes-guarantees proof-obligations that aren't part of the equivalence checking process itself and that must be reaccomplished when the environment model changes or a connected part of the design changes.
• Canonical inertial and monotonic modeling techniques.
• A formal definition for TSA parallel composition and a procedure implementing it.
• An automated decision procedure for computing the TLC relation and generating counterexamples.
• STARI verification using more detailed models to expose potential problems not revealed by others.
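The asymmetric, bisimulation-style idea summarized above (the imp must accept every input the spec allows the environment to offer, and may only produce outputs the spec allows) can be made concrete on untimed models. The following Python check is an added illustration, not the paper's TLCS code and not the TLC definition itself: it assumes plain labelled transition systems with no clocks or region automata, a constructed label convention in which a trailing `?` marks an input and a trailing `!` marks an output, and constructed "perfect buffer" and queue models. It also shows the point made in the contributions list that restricting attention to reachable state pairs leaves the unreachable ones unexamined.

```python
"""Untimed illustration of an asymmetric, bisimulation-style conformance check.

Added example, not the paper's TLCS code.  Assumptions (not from the paper):
  * no clocks: plain labelled transition systems (LTS), state -> [(label, next)]
  * a label ending in '?' is an input, one ending in '!' is an output
  * the "perfect buffer" spec and the queue implementations below are constructed
Rule checked for every related pair (imp state i, spec state s):
  1. every input the spec accepts at s must be accepted by the imp at i, with
     related successors (the imp may not refuse environment input);
  2. every output the imp can produce at i must be allowed by the spec at s, with
     related successors (the imp may not surprise the environment).
Extra inputs of the imp are ignored: the spec encodes what the environment offers.
"""
from typing import Dict, List, Optional, Set, Tuple

LTS = Dict[str, List[Tuple[str, str]]]   # state -> [(label, target state)]
Pair = Tuple[str, str]                    # (imp state, spec state)


def successors(lts: LTS, state: str, label: str) -> List[str]:
    """Target states reachable from `state` by a transition labelled `label`."""
    return [t for (l, t) in lts.get(state, []) if l == label]


def violation(imp: LTS, i: str, spec: LTS, s: str, rel: Set[Pair]) -> Optional[str]:
    """Reason why (i, s) cannot stay in the relation `rel`, or None if it can."""
    for label, s2 in spec.get(s, []):
        if label.endswith("?") and not any((i2, s2) in rel for i2 in successors(imp, i, label)):
            return f"imp state {i} does not accept spec input {label}"
    for label, i2 in imp.get(i, []):
        if label.endswith("!") and not any((i2, s2) in rel for s2 in successors(spec, s, label)):
            return f"imp state {i} produces output {label} not allowed at spec state {s}"
    return None


def conformance(imp: LTS, imp_init: str, spec: LTS, spec_init: str):
    """Greatest relation satisfying the two rules, restricted to reachable pairs.

    Returns (conforms, relation, reason); `reason` explains why the initial pair
    was dropped when `conforms` is False.
    """
    # Phase 1: collect the state pairs that matter, i.e. those reachable from the
    # initial pair by spec inputs matched in the imp and imp outputs matched in the spec.
    rel: Set[Pair] = set()
    work: List[Pair] = [(imp_init, spec_init)]
    while work:
        i, s = work.pop()
        if (i, s) in rel:
            continue
        rel.add((i, s))
        for label, s2 in spec.get(s, []):
            if label.endswith("?"):
                work.extend((i2, s2) for i2 in successors(imp, i, label))
        for label, i2 in imp.get(i, []):
            if label.endswith("!"):
                work.extend((i2, s2) for s2 in successors(spec, s, label))
    # Phase 2: drop pairs that violate a rule until nothing changes (greatest fixpoint).
    reasons: Dict[Pair, str] = {}
    changed = True
    while changed:
        changed = False
        for pair in sorted(rel):
            why = violation(imp, pair[0], spec, pair[1], rel)
            if why is not None:
                rel.discard(pair)
                reasons[pair] = why
                changed = True
    init = (imp_init, spec_init)
    return init in rel, rel, reasons.get(init)


# Constructed models.  Spec: a one-place "perfect buffer"; the environment never
# offers a second put? before taking the item with get!.
SPEC_BUFFER: LTS = {"E": [("put?", "F")], "F": [("get!", "E")]}
# Imp 1: a two-place queue.  Extra capacity is harmless; state "2" is never examined.
IMP_QUEUE2: LTS = {"0": [("put?", "1")], "1": [("put?", "2"), ("get!", "0")], "2": [("get!", "1")]}
# Imp 2: emits get! while empty, an output the spec does not allow.
IMP_SPURIOUS: LTS = {"E": [("put?", "F"), ("get!", "E")], "F": [("get!", "E")]}
# Imp 3: refuses put? while empty, an input the spec requires it to accept.
IMP_DEAF: LTS = {"E": [], "F": [("get!", "E")]}


if __name__ == "__main__":
    for name, imp, init in [("queue2", IMP_QUEUE2, "0"), ("spurious", IMP_SPURIOUS, "E"), ("deaf", IMP_DEAF, "E")]:
        ok, rel, why = conformance(imp, init, SPEC_BUFFER, "E")
        print(f"{name:8s} conforms={ok} pairs={sorted(rel)} {why or ''}")
```

Running the block shows the two-place queue conforming to the one-place spec with only the pairs (0,E) and (1,F) examined, while the spurious-output and input-refusing implementations are rejected with the dropped initial pair explained. Because the check is a safety-style relation, an implementation that accepts inputs and never produces any output still conforms; this mirrors the abstract's remark that the relation does not necessarily preserve all properties.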
REFERENCES
[ACH94] R. Alur, C. Courcoubetis, and T. Henzinger. The observational power of clocks. In Proceedings of CONCUR '94. LNCS 836, 1994.
[AD94] Rajeev Alur and David L. Dill. A theory of timed automata. Theoretical Computer Science, 126(2):183-235, 1994.
[BM98] Marius Bozga and Oded Maler. Modeling and verification of the STARI chip using timed automata. In Proceedings of CAV '98, 1998.
[BS91] J.A. Brzozowski and C-J. H. Seger. Advances in asynchronous circuit theory part II: Bounded inertial delay model, MOS circuits, design techniques. In EATCS Bulletin 43, pages 199-263, 1991.
[Bur92] Jerry Burch. Delay models for verifying speed-independent asynchronous circuits. In Proceedings of the International Conference of Computer Design (ICCD), pages 270-274. IEEE Computer Society Press, October 1992.
[Dan92] Mats Daniels. Modelling real-time behavior with an interval time calculus. In Formal Techniques in Real-Time and Fault-Tolerant Systems. Second International Symposium Proceedings, 1992.
[Gre93] Michael R. Greenstreet. STARI: A Technique for High-Bandwidth Communication. PhD thesis, Princeton, January 1993.
[HNSY94] Thomas A. Henzinger, Xavier Nicollin, Joseph Sifakis, and Sergio Yovine. Symbolic model checking for real-time systems. Information and Computation, 111:193-244, 1994.
[LY93] Kim G. Larsen and Wang Yi. Time-abstracted bisimulation: Implicit specifications and decidability. In Proceedings of Mathematical Foundations of Programming Semantics (MFPS) '93, pages 160-176, 1993.
[SS95] Oleg V. Sokolsky and Scott A. Smolka. Local model checking for real-time systems. In Proceedings of CAV '95, 1995.
[Ste94] Kenneth S. Stevens. Practical Verification and Synthesis of Low Latency Asynchronous Systems. PhD thesis, The University of Calgary, Calgary, Alberta, Canada, September 1994.
[TAKB96] Serdar Tasiran, Rajeev Alur, Robert P. Kurshan, and Robert K. Brayton. Verifying abstractions of timed systems. In Proceedings of the 7th International Conference on Concurrency Theory, pages 546-562. Springer-Verlag, 1996.
[TB97] Serdar Tasiran and Robert K. Brayton. STARI: A case study in compositional and hierarchical timing verification. In Proceedings of the Computer Aided Verification Conference, 1997.
[C92] K. Cerans. Decidability of bisimulation equivalences for parallel timer processes. In Proceedings of CAV '92. LNCS 663, 1992.
[C95] Karlis Cerans. CTR: A calculus of timed refinement. In I. Lee and S. Smolka, editors, Proceedings of CONCUR '95, pages 516-630, 1995.
[Youss] Frank C. D. Young. Timed Safety Automata and Logic Conformance. PhD thesis, Air Force Institute of Technology, Wright-Patterson AFB, OH 45433, 1999 (In Progress).
