Framework of timed trace theoretic verification revisited by Myers, Chris J. & Zhou, Bin
Framework of Timed Trace Theoretic Verification Revisited 
Bin Zhou 
Cadence Design Systems, Japan 
binzhou@cadence.com 
Tomohiro Yoneda* 
Tokyo Institute of Technology 
yoneda@cs.titech.ac.jp 
Chris Myers†
University of Utah 
myers@ee.utah.edu 
Abstract 
This paper develops a framework to support trace theoretic verification of timed circuits and systems. A theoretical foundation for classifying timed traces as either successes or failures is developed. The concept of the semimirror is introduced to allow conformance checking, thus supporting hierarchical verification of timed circuits and systems. Finally, we relate our framework to those previously proposed for timing verification.
1 Introduction 
For the formal verification of asynchronous circuits, a method called trace theoretic verification was proposed in [1]. In this method, both specification and implementation are given by automata, Petri nets, or similar formal models. The advantages of this method are (1) its decision procedure is simple and efficient, (2) the performance improvement obtained by partial order reduction can be quite large [2, 3], and (3) verification can be done hierarchically.
Recently, designers often use timed circuits in order to implement fast and compact circuits [4, and others]. Thus, for the formal verification of such timed asynchronous circuits, it is desirable to extend the verification methods so that they can handle timed circuits. Since it is not easy to apply symbolic methods based on BDDs to timing verification, partial order reduction is one of the most promising solutions to the state explosion problem. Thus, methods to which partial order reduction is well suited are preferred. One direction is model checking based on real-time logics and timed transition systems [5, 6, and others]. Partial order reduction is applied to timed LTL model checking in [7, 8], but it seems that the cost of handling LTL can be quite high. The second direction is language containment checking based on timed automata [9]. In order to use this method for circuit verification, input generators are often required on the circuit side, which makes hierarchical verification difficult. Furthermore, to our knowledge, partial order reduction has not yet been applied to it in the timed domain. As the third direction, we have proposed a framework of timed trace theoretic verification based on time Petri nets [10, 11, 12]. The works most closely related to ours are [13, 14] and [15]. However, in the former work, the models are restricted such that a single transition has only one behavioral place, and in the latter work, the notion of mirrors is not discussed.

* This research is supported by a JSPS award.
† This research is supported by NSF CAREER award MIP-9625014, NSF Japan Program award INT-0087281, and SRC grant 99-TJ-694.
1081-7735/01 $10.00 © 2001 IEEE
In [12, 16], safety failures and timing failures are defined, and the notion of pseudo failures is introduced. The decision procedure based on pseudo failures is then shown. Although this approach is certainly one extension of trace theoretic verification, it differs from the original trace theoretic method in the following two points.
1. Failures are defined between modules, i.e., a module is defined without a failure trace set of its own.
2. In timed trace theory, a mirror module obtained by swapping the inputs and the outputs of the original module is not equivalent to the maximal environment of the original module. Hence, the decision procedure based on mirroring cannot be used for conformance checking.
In this paper, we reformalize the framework of timed trace theoretic verification in accordance with the original untimed trace theory, and introduce the concepts of the semimodule and the semimirror to allow conformance checking.
2 Trace theoretic verification 
We briefly recall the idea of trace theoretic verification from [1] for the discussion in the next section.
A Petri net $N$ is a four-tuple $N = (P, T, F, \mu_0)$, where $P$ is a finite nonempty set of places, $T$ is a finite set of transitions ($P \cap T = \emptyset$), $F \subseteq (P \times T) \cup (T \times P)$ is the flow relation, and $\mu_0 \subseteq P$ is the initial marking of the net. For any transition $t$, $\bullet t = \{p \in P \mid (p, t) \in F\}$ and $t \bullet = \{p \in P \mid (t, p) \in F\}$ denote the source places and the destination places of $t$, respectively. For a place $p$, $\bullet p$ and $p \bullet$ are defined similarly.
A marking $\mu$ of $N$ is any subset of $P$. A transition $t$ is enabled in a marking $\mu$ if $\bullet t \subseteq \mu$ (all its source places have tokens in $\mu$); otherwise, it is disabled. Let $enabled(\mu)$ be the set of transitions enabled in $\mu$. In marking $\mu$, a transition $t_f \in enabled(\mu)$ can fire, and a new marking $\mu' = (\mu - \bullet t_f) \cup t_f \bullet$ is obtained.
A run $\rho = \mu_0 \xrightarrow{t_1} \mu_1 \xrightarrow{t_2} \mu_2 \xrightarrow{t_3} \cdots$ of $N$ is a finite or infinite sequence of markings and transitions such that $\mu_0$ is the initial marking, and $\mu_{i+1}$ is obtained from $\mu_i$ by firing transition $t_{i+1}$. We assume that every prefix of a run is also a run. A Petri net is one-safe if, in any marking $\mu_i$ of any run $\rho = \mu_0 \xrightarrow{t_1} \mu_1 \xrightarrow{t_2} \mu_2 \cdots$, $(\mu_i - \bullet t_{i+1}) \cap t_{i+1} \bullet = \emptyset$. In the sequel, a net is always a one-safe Petri net.
A trace is a finite or infinite sequence of transitions. A run $\rho = \mu_0 \xrightarrow{t_1} \mu_1 \xrightarrow{t_2} \cdots$ generates the trace $t_1 t_2 \cdots$. Let $trace(N)$ be the set of all traces generated by a Petri net $N$. Note that the set $trace(N)$ is prefix-closed and always includes the empty trace.
A module is a tuple $(I, O, N)$, where $I$ is a set of input wires, $O$ is a set of output wires, and $N = (P, T, F, \mu_0)$ is a net, satisfying $I \cup O = T$. Note that we may call a transition a wire, since the firing of a transition $t$ represents the change of value on a wire. We use a module as a formal model for a circuit element (e.g., a gate) or a specification. In the rest of this section, we use $A$ (or $A_2, \ldots$) to represent $I \cup O$ (or $I_2 \cup O_2, \ldots$). A (canonical) trace structure of a module $M = (I, O, N)$, denoted by $T(M)$, is a tuple $(I, O, S, F)$, where $S$ is the set of success traces and $F$ is the set of failure traces, satisfying
1. $S = trace(N)$, and
2. $F = \{x\eta \mid x \in (\{yi \mid y \in S, i \in I\} - S),\ \eta \in A^*\}$.
The above definition of failure traces can be interpreted as follows: if a trace obtained by appending an input to a success trace is not a success, then the trace is considered to be a failure. That is, an input which cannot be accepted always causes a failure. Thus, for $y \in S$, $i \in I$, $o \in O$, and $P = S \cup F$,
$$yi \notin S \Rightarrow yi \in F, \quad (1)$$
$$yo \notin S \Rightarrow yo \notin P \quad (2)$$
hold. A trace in $P$ is called possible. Furthermore, a trace extended from a failure is also a failure, and a trace extended from an impossible trace is also impossible. Hence, for $a \in A$, we have
$$y \in F \Rightarrow ya \in F, \quad (3)$$
$$y \notin P \Rightarrow ya \notin P. \quad (4)$$
A trace structure is called failure-free if its failure set is empty.
We use the following definitions in this paper. For a trace $x = e_1 e_2 e_3 \cdots$ and a set $D$ of wires,
$$del(D, x) = \begin{cases} y & \text{if } e_1 \in D, \\ e_1 y & \text{otherwise,} \end{cases}$$
where $y = del(D, e_2 e_3 \cdots)$. For a set $X$ of traces, $del^{-1}(D, X)$ is the set $\{x \mid del(D, x) \in X\}$. For $X$ whose elements do not contain any wires in $D$, $del^{-1}(D, X)$ is the set of all traces that can be generated by inserting members of $D^*$ between any consecutive wires in traces of $X$. This is extended to a trace structure $T = (I, O, S, F)$ such that $del^{-1}(D, T) = (I \cup D, O, del^{-1}(D, S), del^{-1}(D, F))$. Note that the inserted wires are always considered to be inputs. The intersection of two trace structures $T_1 = (I_1, O_1, S_1, F_1)$ and $T_2 = (I_2, O_2, S_2, F_2)$ such that $A_1 = A_2$ and $O_1 \cap O_2 = \emptyset$ is a trace structure defined as in [1].
The composition $T_1 \| T_2$ of $T_1$ and $T_2$ such that $O_1 \cap O_2 = \emptyset$ is a trace structure defined as in [1].
Now, we show the core notions of trace theoretic verification. For two modules $M_1 = (I_1, O_1, N_1)$ and $M_2 = (I_2, O_2, N_2)$, we say $M_1$ conforms to $M_2$ if $I_1 \subseteq I_2$, $O_1 \supseteq O_2$, and for any (composable) trace structure $E = (I_E, O_E, S_E, F_E)$ such that $I_2 \subseteq O_E$ and $O_2 \supseteq I_E$, if $E \| T(M_2)$ is failure-free, so is $E \| T(M_1)$. This is the correctness criterion of trace theoretic verification. That is, we consider that a circuit $M_C$ is correct with respect to a specification $M_S$ if $M_C$ conforms to $M_S$. For a trace structure $T = (I, O, S, F)$, its maximal environment is called the mirror of $T$, denoted by $T^m$, which is also a trace structure $(I', O', S', F')$ satisfying $I' = O$, $O' = I$, $S' = S$, and $F' = A^* - P$. The following lemma holds.
Lemma 1 Suppose that $M_1 = (I_1, O_1, N_1)$ and $M_2 = (I_2, O_2, N_2)$ are modules such that $I_1 \subseteq I_2$ and $O_1 \supseteq O_2$. $M_1$ conforms to $M_2$ iff $T(M_1) \| T(M_2)^m$ is failure-free.
Lemma 1 is very important, because it lets us check conformance without considering all possible environments $E$. But it is useful only when the mirror of a trace structure is easily obtained. This is guaranteed by the following lemma.
Lemma 2 For a module $M = (I, O, N)$, $T(M)^m$ is $T(M')$, where $M' = (O, I, N)$.
We say that the module $(O, I, N)$ is the mirror of the module $M = (I, O, N)$, denoted by $M^m$. Note that $M^m$ is simply obtained by swapping the inputs and outputs of $M$. These two lemmas straightforwardly derive the following theorem, which actually allows us to implement the decision procedure for conformance checking.
Theorem 1 Suppose that $M_1 = (I_1, O_1, N_1)$ and $M_2 = (I_2, O_2, N_2)$ are modules such that $I_1 \subseteq I_2$ and $O_1 \supseteq O_2$. $M_1$ conforms to $M_2$ iff $T(M_1) \| T(M_2^m)$ is failure-free.
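As an added example (this is not code from the paper, nor from the authors' tool VINAS-P), the following Python sketch realizes the notions of this section for one-safe nets: the classification of a finite trace as success, failure or impossible from properties (1)-(4), $del(D, x)$, the mirror of Lemma 2, and the conformance check of Theorem 1 carried out as a reachability search over $T(M_1) \| T(M_2^m)$. It assumes that a wire shared by two modules fires in both at once (the synchronization the paper also uses in Section 3.2), that both modules have the same wire alphabet so that $del^{-1}$ is not needed, and that the composition fails exactly when one module may fire an output that the other cannot accept as an input. The handshake nets SPEC, GOOD and BAD are constructed for the example.

```python
# Added example, not from the paper: untimed modules, trace classification and
# the mirror-based conformance check of Theorem 1 for one-safe Petri nets.
# Assumed composition semantics: a shared wire fires in both modules at once;
# an output one module can fire that the other cannot accept is a failure.
# Both modules are assumed to have the same alphabet (no del^-1 needed).
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Net:
    transitions: dict   # name -> (preset, postset); places are implicit
    m0: frozenset


@dataclass(frozen=True)
class Module:
    inputs: frozenset
    outputs: frozenset
    net: Net


def enabled(net, marking):
    return {t for t, (pre, _) in net.transitions.items() if pre <= marking}


def fire(net, marking, t):
    pre, post = net.transitions[t]
    assert pre <= marking, f"{t} is not enabled"
    assert not ((marking - pre) & post), "net is not one-safe"
    return (marking - pre) | post


def delete(D, x):
    """del(D, x): drop every wire in D from trace x."""
    return tuple(e for e in x if e not in D)


def classify(module, trace):
    """Finite trace -> 'success' (S), 'failure' (F) or 'impossible' (A* - P)."""
    marking = module.net.m0
    for w in trace:
        if w in enabled(module.net, marking):
            marking = fire(module.net, marking, w)
        elif w in module.inputs:
            return "failure"      # property (1); (3) keeps the rest a failure
        else:
            return "impossible"   # property (2); (4) keeps the rest impossible
    return "success"


def mirror(m):
    """M^m of Lemma 2: swap inputs and outputs, keep the net."""
    return Module(m.outputs, m.inputs, m.net)


def composition_failure(m1, m2):
    """BFS over T(m1)||T(m2); returns a shortest failure trace, or None."""
    start = (m1.net.m0, m2.net.m0)
    seen, queue = {start}, deque([(start, ())])
    while queue:
        (mk1, mk2), trace = queue.popleft()
        en1, en2 = enabled(m1.net, mk1), enabled(m2.net, mk2)
        for o in sorted(en1 & m1.outputs):
            if o not in en2:
                return trace + (o,)   # m1 may emit o, m2 cannot accept it
        for o in sorted(en2 & m2.outputs):
            if o not in en1:
                return trace + (o,)
        for w in sorted(en1 & en2):   # shared wires fire synchronously
            nxt = (fire(m1.net, mk1, w), fire(m2.net, mk2, w))
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + (w,)))
    return None


def conforms(impl, spec):
    """Theorem 1: impl conforms to spec iff T(impl)||T(spec^m) is failure-free."""
    assert impl.inputs == spec.inputs and impl.outputs == spec.outputs
    return composition_failure(impl, mirror(spec)) is None


# Constructed example: a handshake specification (req, then ack, repeatedly).
SPEC = Module(frozenset({"req"}), frozenset({"ack"}), Net(
    {"req": (frozenset({"idle"}), frozenset({"busy"})),
     "ack": (frozenset({"busy"}), frozenset({"idle"}))}, frozenset({"idle"})))
# A correct implementation: the same protocol over different internal places.
GOOD = Module(SPEC.inputs, SPEC.outputs, Net(
    {"req": (frozenset({"q0"}), frozenset({"q1"})),
     "ack": (frozenset({"q1"}), frozenset({"q0"}))}, frozenset({"q0"})))
# A wrong implementation: it can acknowledge before any request arrives.
BAD = Module(SPEC.inputs, SPEC.outputs, Net(
    {"req": (frozenset({"q0"}), frozenset({"q0"})),
     "ack": (frozenset({"q0"}), frozenset({"q0"}))}, frozenset({"q0"})))

if __name__ == "__main__":
    print(classify(SPEC, ("req", "ack", "req")))   # success
    print(classify(SPEC, ("req", "req")))          # failure: second req not accepted
    print(classify(SPEC, ("ack",)))                # impossible: spec never emits ack first
    print(conforms(GOOD, SPEC), conforms(BAD, SPEC), composition_failure(BAD, mirror(SPEC)))
```

The search visits only markings of the closed system, so the check also reports a shortest witness trace when it fails; for BAD that witness is the single event ack, which the mirrored specification cannot accept as an input.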
3 Timed trace theoretic verification 
3.1 Definitions 
Let $Q^+$ be the domain of nonnegative rational numbers used for time points. For a transition $t$ and $\tau \in Q^+$, $(t, \tau)$ is called a timed event. $\tau$ represents the time when the transition $t$ fires, or the corresponding wire changes. A timed trace $x$ is a finite or infinite sequence of timed events $x = e_0 e_1 \cdots$ where $e_i = (t_i, \tau_i)$, such that monotonicity (i.e., $\tau_i \le \tau_{i+1}$ for all $i \ge 0$) and progress (i.e., if $x$ is infinite, then for any $\tau \in Q^+$ there exists an $i$ such that $\tau_i > \tau$) are satisfied.
A time Petri net $N$ is a six-tuple $N = (P, T, F, Eft, Lft, \mu_0)$, where $P$, $T$, $F$, and $\mu_0$ are the same as in a Petri net, and $Eft : T \to Q^+$, $Lft : T \to Q^+ \cup \{\infty\}$ are functions giving the earliest and latest firing times of transitions, satisfying $Eft(t) \le Lft(t)$ for all $t \in T$.
A state $\sigma$ of a time Petri net is a pair $(\mu, clock)$, where $\mu$ is a marking and $clock$ is a function $T \to Q^+$. The initial state $\sigma_0$ is $(\mu_0, clock_0)$, where $clock_0(t) = 0$ for all $t \in T$. The state of a time Petri net changes if time passes or if a transition fires. In state $\sigma = (\mu, clock)$, time $\tau \in Q^+$ can pass if, for all $t \in enabled(\mu)$, $clock(t) + \tau \le Lft(t)$. In this case, state $\sigma' = (\mu', clock')$ is obtained from $\sigma$ by passing $\tau$ if $\mu' = \mu$ and, for all $t \in T$, $clock'(t) = clock(t) + \tau$. In state $\sigma = (\mu, clock)$, transition $t_f \in T$ can fire if $t_f \in enabled(\mu)$ and $clock(t_f) \ge Eft(t_f)$. In this case, state $\sigma' = (\mu', clock')$ is obtained from $\sigma$ by firing $t_f$ if $\mu' = (\mu - \bullet t_f) \cup t_f \bullet$ and, for all $t \in T$, $clock'(t) = 0$ for newly enabled transitions $t$ and $clock'(t) = clock(t)$ for the others.
A run $\rho = \sigma_0 \xrightarrow{t_1} \sigma_1 \xrightarrow{t_2} \sigma_2 \xrightarrow{t_3} \cdots$ of $N$ is a finite or infinite sequence of states and transitions such that $\sigma_0$ is the initial state, and $\sigma_{i+1}$ is obtained from $\sigma_i$ by passing some time and then firing transition $t_{i+1}$. $time_i(\rho)$ is the sum of all times passed between $\sigma_0(\rho)$ and $\sigma_i(\rho)$; that is, $time_0(\rho) = 0$ and $time_{i+1}(\rho) = time_i(\rho) + clock_{i+1}(t) - clock_i(t)$ for some $t$ which is not newly enabled in $\mu_{i+1}$.¹ Thus, a run $\rho$ generates the timed trace $(t_1, time_1(\rho))(t_2, time_2(\rho)) \cdots$. Let $trace(N)$ be the set of all timed traces generated by a time Petri net $N$. In order to satisfy the progress condition, we assume that time certainly passes in any loop structure that $N$ contains. In the sequel, a time net is always a one-safe time Petri net satisfying the above restriction.
Suppose that a timed trace $y$ is an element of $trace(N)$. Let $enabled(y, N)$ denote the set of transitions (of $N$) which are enabled in the state obtained by $y$. For a transition $t \in enabled(y, N)$, $EN\_time(t, y, N)$ is the time when $t$ most recently became newly enabled in $y$. $TL(y, N) = \min\{EN\_time(t, y, N) + Lft(t) \mid t \in enabled(y, N)\}$ is the latest time until which the firings of all enabled transitions can be postponed. If $enabled(y, N)$ is empty, we assume that $TL(y, N)$ is $\infty$. $limit(y, N) = \{t \mid t \in enabled(y, N),\ EN\_time(t, y, N) + Lft(t) = TL(y, N)\}$ is the set of enabled transitions which determine $TL(y, N)$. We say that a timed trace $y(w, \tau)$ is overstepped if it satisfies $\tau > TL(y, N)$.
¹ In order to define $time_i(\rho)$ precisely, we may consider an auxiliary transition $t_{aux}$ which never becomes enabled.
3.2 Timed trace structures 
A module is defined similarly except that $N$ is a time net. A timed trace structure for a module $(I, O, N)$ is also a tuple $(I, O, S, F)$, but $S$ and $F$ are now sets of timed traces. We classify non-overstepped timed traces into $S$, $F$, or neither of them in the same way as in the untimed case. That is, $S$ always includes the empty timed trace, and for a timed trace $y(w, \tau)$ such that $y \in trace(N)$ and $\tau \le TL(y, N)$,
• if $y(w, \tau) \in trace(N)$, then $y(w, \tau) \in S$,
• else if $w \in I$, then $y(w, \tau) \in F$ (from property (1)),
• else (i.e., $w \in O$), $y(w, \tau) \notin P$ (from property (2)).
On the other hand, it has never been considered which set an overstepped timed trace belongs to. Actually, $S$ and $F$ cannot be determined as simply as in the untimed case, because some timed events cannot occur after a certain time point due to the timing constraints on the transitions. Thus, before classifying overstepped timed traces, we discuss intuitively when failures should and should not occur.
We basically consider that modules interacting with each other have some kind of failure if either an output produced by a module cannot be accepted by some other module or an input expected by a module is not given in time by any other module. In the example shown in Figure 1, the output of $M_1$ is safely accepted by $M_2$, and the input of $M_1$ is given in time. Note that input transitions fire in synchronization with the corresponding output transitions. In the example shown in Figure 2, the output $w$ of $M_2$ can be accepted by $M_1$ if it occurs before $u$, and otherwise the firing of $w$ is disabled by that of $u$. Since these properties hold for the other transitions, it is natural to consider that there exist no failures in these examples. On the other hand, in the modules shown in Figure 3(a),(b), the input expected by $M_1$ is never given by $M_2$, because the corresponding output is disabled. Neither is the input $u$ of $M_2$ in Figure 3(a). This is a situation called deadlock, and so there must exist some kind of failure between them. In Figure 4, $(w, 8)$, for example, can be produced by $M_2$, but it cannot be accepted by $M_1$ due to its latest firing time. Thus, a failure exists also in this case.
The key criterion to classify overstepped timed traces is whether $limit(y, N)$ includes an output or not. If an output is included in $limit(y, N)$, then $N$ itself does not allow time to pass after $TL(y, N)$ without firing any transition. It is under the control of $N$. Thus, we should consider that the overstepped timed traces are not in $P$. On the other hand, if every wire in $limit(y, N)$ is an input, $N$ can only wait for the other modules to produce the expected outputs. In other words, if no outputs are produced, the only action that $N$ can take is to fail. Thus, it is natural to consider that those overstepped timed traces are in $F$.
Figure 1. Example 1. (Net drawings not reproduced.)
Figure 2. Example 2. $M_1$: $I = \{w\}$, $O = \{u\}$; $M_2$: $I = \{u\}$, $O = \{w\}$; firing intervals [1,5] in $M_1$ and [1,10] in $M_2$. (Net drawings not reproduced.)
Consider the modules $M_1$ and $M_2$ shown in Figure 1. We have $TL(\varepsilon, N_1) = 5$ and $TL(\varepsilon, N_2) = 10$, and $limit(\varepsilon, N_1)$ has an output $w$ and $limit(\varepsilon, N_2)$ has an output $u$. Thus, for $\tau > 5$, neither $(w, \tau)$ nor $(u, \tau)$ is in $P_1$, and for $\tau > 10$, neither $(w, \tau)$ nor $(u, \tau)$ is in $P_2$. From this, the overstepped timed traces of $M_1$ and $M_2$ cannot be in the failure set of $T(M_1) \| T(M_2)$. The non-overstepped timed traces cannot be, either. Hence, we can conclude that $T(M_1) \| T(M_2)$ is failure-free. Thus, the above criterion is consistent with our intuition. A similar discussion holds for the example in Figure 2. Note that $y(w, \tau)$ is not in $P$ independent of the attribute (i.e., input or output) of $w$, if it is overstepped and $limit(y, N) \cap O \ne \emptyset$.
In the modules shown in Figure 3(a), on the other hand, $limit(\varepsilon, N_1)$ contains only an input $w$. According to the above criterion, we consider that $(w, \tau) \in F_1$ for $\tau > 5$. However, if $(w, \tau) \notin P_2$ holds, we cannot put this timed trace into the failure set of $T(M_1) \| T(M_2)$. Thus, we propose to consider that $(w, \tau) \in F_2$, even if $w$ is disabled in $M_2$. Note that this is consistent with the above criterion, because $limit(\varepsilon, N_2)$ contains only an input, and $(w, \tau)$ is overstepped in $M_2$. Then, we have $T(M_1) \| T(M_2)$ whose failure set contains $(w, \tau)$ for $\tau > 5$. The same discussion holds for $(u, \tau)$. Unfortunately, we still have a problem in the example shown in Figure 3(b), where some failure must exist too. Since there are no enabled transitions in $M_2$, which implies $TL(y, N_2) = \infty$, it is impossible to put any timed trace except $\varepsilon$ into $P_2$, and so it is difficult to force $T(M_1) \| T(M_2)$ to have a failure. In order to overcome this problem, we further propose to assume that every module has a virtual output which is always disabled, and that every other module has the corresponding virtual input which is also always disabled. In the example of Figure 3(b), we assume that $M_1$ has a disabled virtual output $v_1$ and $M_2$ has a disabled virtual input $v_1$, as shown in Figure 5. Similarly, $v_2$ is the disabled virtual output of $M_2$ and the disabled virtual input of $M_1$. Then, according to the above criteria, we have $(v_1, \tau) \in F_1$ with $\tau > 5$ because this is overstepped, and we have $(v_1, \tau) \in F_2$ because this is neither overstepped nor in $trace(N_2)$.
Figure 3. Example 3. (a) $M_1$: $I = \{w\}$, $O = \{u\}$; $M_2$: $I = \{u\}$, $O = \{w\}$. (b) $M_1$: $I = \{w\}$, $O = \emptyset$; $M_2$: $I = \emptyset$, $O = \{w\}$. (Net drawings not reproduced.)
Figure 4. Example 4. $M_1$: $I = \{w\}$, $O = \emptyset$; $M_2$: $I = \emptyset$, $O = \{w\}$; $w$ has firing interval [0,5] in $M_1$ and [4,10] in $M_2$. (Net drawings not reproduced.)
In Figure 4, $limit(\varepsilon, N_1)$ includes only an input, while $limit(\varepsilon, N_2)$ has an output. Thus, we have $(w, \tau) \in F_1$ for $\tau > 5$ and $(w, \tau') \notin P_2$ for $\tau' > 10$. Our intuition is satisfied also in this case, because $(w, \tau'')$ for $5 < \tau'' \le 10$ is included in $F_1$ and $S_2$, and is in the failure set of $T(M_1) \| T(M_2)$.
Finally, the criteria C1 below can be used for both non-overstepped and overstepped timed traces. 2(a) covers the non-overstepped case; 2(b) and 2(c) are for the overstepped timed traces. 2(b) is for the case that the limit set consists only of inputs, and handles the failures explained for Figure 3 and Figure 4. 3 and 4 come from properties (3) and (4) of Section 2.
C1:
1. $S = trace(N)$
2. for $y \in S$ and $y(w, \tau) \notin S$,
   (a) if $\tau \le TL(y, N)$, then
       i. if $w \in I$, then $y(w, \tau) \in F$
       ii. else $y(w, \tau) \notin P$
   (b) else if $limit(y, N) \subseteq I$, then $y(w, \tau) \in F$
   (c) else $y(w, \tau) \notin P$
3. for $y \in F$, $y(w, \tau) \in F$
4. for $y \notin P$, $y(w, \tau) \notin P$
where $w \in I \cup O$ and $\tau \in Q^+$.
3.3 Mirroring 
For untimed systems, Theorem 1 allows us to decide the conformance between a circuit and a specification very easily by using a mirror module. Here, we present a similar approach for timed systems.
Figure 5. Virtual transitions for Example 3(b). $M_1$: $I = \{w, v_2\}$, $O = \{v_1\}$; $M_2$: $I = \{v_1\}$, $O = \{w, v_2\}$; the virtual transitions $v_1$ and $v_2$ are never enabled. (Net drawings not reproduced.)
Also for a timed trace structure $(I, O, S, F)$, its mirror is defined as the timed trace structure $(O, I, S, A^* - P)$, where $P = S \cup F$, $A = \{(w, \tau) \mid w \in I \cup O,\ \tau \in Q^+\}$, and $A^*$ is the set of all timed traces over $A$. Thus, Lemma 1 holds also in the timed case. However, Lemma 2 does not hold in general. Suppose that $M_1 = (\{w\}, \{u\}, N_1)$ is the module shown in Figure 2, and $T(M_1) = (\{w\}, \{u\}, S_1, F_1)$ with $P_1 = S_1 \cup F_1$. According to C1 above, we have, for example, $(w, 6) \notin P_1$. If we consider $M_1' = (\{u\}, \{w\}, N_1)$ and $T(M_1') = (\{u\}, \{w\}, S_1', F_1')$ with $P_1' = S_1' \cup F_1'$, we have $(w, 6) \notin P_1'$ again from C1. This derives $(w, 6) \notin F_1'$, and so $F_1' \ne A_1^* - P_1$, and $T(M_1')$ is not a mirror of $T(M_1)$. Hence, Lemma 2 does not hold in this case. Actually, there does not exist a module whose timed trace structure is exactly the same as the mirror of this $T(M_1)$.
However, we can still construct an algorithm to decide the conformance of timed systems as follows. We first define a semimodule $(I, O, N)$, which is the same as a module except that its timed trace structure is defined differently from that of a module. The timed trace structure $(I, O, S, F)$ of a semimodule $M = (I, O, N)$, denoted by $T_s(M)$, is defined as follows.
C2:
1. $S = trace(N)$
2. for $y \in S$ and $y(w, \tau) \notin S$,
   (a) if $\tau \le TL(y, N)$, then
       i. if $w \in I$, then $y(w, \tau) \in F$
       ii. else $y(w, \tau) \notin P$
   (b) else if $limit(y, N) \subseteq O$, then $y(w, \tau) \notin P$
   (c) else $y(w, \tau) \in F$
3. for $y \in F$, $y(w, \tau) \in F$
4. for $y \notin P$, $y(w, \tau) \notin P$
where $w \in I \cup O$ and $\tau \in Q^+$.
Note that only 2(b) and 2(c) differ from C1. If we consider the semimodule $(\{u\}, \{w\}, N_1)$ in the previous example, its timed trace structure is exactly the mirror of $T(M_1)$. Actually, we have the following lemma.
Lemma 3 For a module $M = (I, O, N)$ and a semimodule $M' = (O, I, N)$, $T(M)^m = T_s(M')$ holds.
Proof: Let $T(M) = (I, O, S, F)$ and $T_s(M') = (I', O', S', F')$, where $I' = O$ and $O' = I$. Then, $T(M)^m = (O, I, S, A^* - P)$. From $S = trace(N)$ and $S' = trace(N)$, we have $S' = S$. Thus, we only have to show $F' = A^* - P$, that is, both $x \in F' \Rightarrow x \in A^* - P$ and $x \notin F' \Rightarrow x \notin A^* - P$. If $x$ is non-overstepped, the proof is similar to that of Lemma 2. Thus, we only consider the case that $x$ is overstepped. This can be proven by induction on the length of $\eta$, denoted by $|\eta|$, where $x = y\eta$ and $y$ is the longest prefix of $x$ such that $y \in S'$. First, suppose $x \in F'$. We show that $x \in A^* - P$ holds. If $|\eta| = 1$, then from 2(b) and 2(c) of C2, $limit(y, N) \not\subseteq O' = I$ must hold in $T_s(M')$. Thus, in $T(M)$, from 2(c) of C1, $x \notin P$ holds, and it implies that $x \in A^* - P$ holds. If $|\eta| > 1$, let $x = y\eta = y'a$ with $a \in A$. From 4 of C2 and $y\eta \in F'$, we have $y' \in F'$. From the induction hypothesis, we can assume that $y' \in A^* - P$. This implies that $y' \notin P$. Thus, from 4 of C1, $y'a \notin P$, which derives $y'a \in A^* - P$. Hence, we have shown $x \in F' \Rightarrow x \in A^* - P$. Similarly, we suppose $x \notin F'$ and show that $x \notin A^* - P$ holds. If $|\eta| = 1$, then from 2(b) and 2(c) of C2, $limit(y, N) \subseteq O' = I$ must hold in $T_s(M')$. Thus, in $T(M)$, from 2(b) of C1, $x \in F$ holds, and it implies that $x \notin A^* - P$ holds. If $|\eta| > 1$, let $x = y\eta = y'a$ with $a \in A$. From 3 of C2 and $y\eta \notin F'$, we have $y' \notin F'$. From the induction hypothesis, we can assume that $y' \notin A^* - P$. This implies that $y' \in P$, and since $y' \notin S$ (as $y$ is the longest prefix of $x$ in $S' = S$), $y' \in F$. Thus, from 3 of C1, $y'a \in F$, which derives $y'a \notin A^* - P$. Hence, we have shown $x \notin F' \Rightarrow x \notin A^* - P$. Q.E.D.
We say that the semimodule $(O, I, N)$ is the semimirror of the module $M = (I, O, N)$, denoted by $M^{sm}$. From Lemma 3 and the timed version of Lemma 1, we have the following theorem.
Theorem 2 Suppose that $M_1 = (I_1, O_1, N_1)$ and $M_2 = (I_2, O_2, N_2)$ are modules such that $I_1 \subseteq I_2$ and $O_1 \supseteq O_2$. $M_1$ conforms to $M_2$ iff $T(M_1) \| T_s(M_2^{sm})$ is failure-free.
From this theorem, the decision procedure for conformance between timed systems can actually be implemented, provided that the failure trace sets of modules and semimodules are constructed differently, as in C1 and C2.
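As an added example (not code from the paper or from VINAS-P), the following Python sketch serves the definitions of Section 3.1 ($EN\_time$, $TL$, $limit$, overstepped traces), the criteria C1 of Section 3.2 and C2 of this section: it replays a finite timed trace through a time Petri net, classifies it as $S$, $F$ or not in $P$ under either criterion, and checks Lemma 3 on the Figure 2 module, where swapping inputs and outputs alone leaves $(w, 6)$ outside $P$ but the semimirror read with C2 puts it into $F$. It assumes that, after a firing, a transition is newly enabled when it is enabled in the new marking but not in the intermediate marking $\mu - \bullet t_f$; the nets N1, FIG2_M1, FIG4_M1 and FIG4_M2 are constructed here following the paper's descriptions of Figures 2 and 4, and the interval [1,5] for both transitions of Figure 2 is an assumption.

```python
# Added example, not from the paper: criteria C1 (module) and C2 (semimodule)
# applied to finite timed traces of a time Petri net, plus a check of Lemma 3
# on the Figure 2 module.  Assumption: after a firing, a transition is "newly
# enabled" if it is enabled in the new marking but not in the intermediate
# marking mu - *t_f, so a transition that re-enables itself restarts its clock.
from dataclasses import dataclass
from math import inf


@dataclass(frozen=True)
class TimeNet:
    transitions: dict   # name -> (preset, postset, Eft, Lft); places are implicit
    m0: frozenset


@dataclass(frozen=True)
class TimedModule:
    inputs: frozenset
    outputs: frozenset
    net: TimeNet


def enabled(net, marking):
    return {t for t, (pre, _, _, _) in net.transitions.items() if pre <= marking}


def run(net, y):
    """Replay timed trace y. Returns (marking, en_time) with en_time[t] =
    EN_time(t, y, N) for every enabled t, or None if y is not in trace(N)."""
    marking = net.m0
    en_time = {t: 0 for t in enabled(net, marking)}
    now = 0
    for t, tau in y:
        if tau < now or t not in en_time:      # monotonicity violated / t disabled
            return None
        pre, post, eft, lft = net.transitions[t]
        # time may pass to tau only if no enabled transition overshoots its Lft
        if any(tau > en_time[u] + net.transitions[u][3] for u in en_time):
            return None
        if tau - en_time[t] < eft:              # t would fire before its Eft
            return None
        intermediate = marking - pre
        marking = intermediate | post
        kept = enabled(net, intermediate)       # not newly enabled: clocks keep running
        en_time = {u: (en_time[u] if u in kept else tau) for u in enabled(net, marking)}
        now = tau
    return marking, en_time


def TL(net, en_time):
    return min((en_time[t] + net.transitions[t][3] for t in en_time), default=inf)


def limit(net, en_time):
    tl = TL(net, en_time)
    return {t for t in en_time if en_time[t] + net.transitions[t][3] == tl}


def classify(module, x, criteria="C1"):
    """Return 'S', 'F' or 'notP' for a finite timed trace x under C1 or C2."""
    net = module.net
    for k, (w, tau) in enumerate(x):
        if run(net, x[:k + 1]) is not None:
            continue                            # still inside S = trace(N)
        _, en_time = run(net, x[:k])            # the prefix y is in S
        if tau <= TL(net, en_time):             # 2(a): non-overstepped
            return "F" if w in module.inputs else "notP"
        lim = limit(net, en_time)               # overstepped: 2(b) / 2(c)
        if criteria == "C1":
            return "F" if lim <= module.inputs else "notP"
        return "notP" if lim <= module.outputs else "F"
    return "S"   # rules 3 and 4: the first non-success verdict is final


def semimirror(module):
    """M^sm: swap inputs and outputs; its trace structure is read with C2."""
    return TimedModule(module.outputs, module.inputs, module.net)


def lemma3_holds(module, x):
    """x in the failure set A* - P of T(M)^m  iff  x in F of T_s(M^sm)."""
    return (classify(module, x, "C1") == "notP") == \
           (classify(semimirror(module), x, "C2") == "F")


# Constructed nets following the paper's descriptions of Figure 2 and Figure 4.
N1 = TimeNet({"w": (frozenset({"p"}), frozenset(), 1, 5),
              "u": (frozenset({"p"}), frozenset(), 1, 5)}, frozenset({"p"}))
FIG2_M1 = TimedModule(frozenset({"w"}), frozenset({"u"}), N1)
FIG4_M1 = TimedModule(frozenset({"w"}), frozenset(),
                      TimeNet({"w": (frozenset({"p"}), frozenset(), 0, 5)}, frozenset({"p"})))
FIG4_M2 = TimedModule(frozenset(), frozenset({"w"}),
                      TimeNet({"w": (frozenset({"q"}), frozenset(), 4, 10)}, frozenset({"q"})))

if __name__ == "__main__":
    print(classify(FIG2_M1, (("w", 6),)))                      # notP
    print(classify(semimirror(FIG2_M1), (("w", 6),), "C1"))    # notP: swapping alone is no mirror
    print(classify(semimirror(FIG2_M1), (("w", 6),), "C2"))    # F: the semimirror is
    print(classify(FIG4_M1, (("w", 8),)), classify(FIG4_M2, (("w", 8),)))   # F S
```

This only decides membership for individual finite traces; the full check of Theorem 2 additionally needs an exploration of the timed state space of $T(M_1) \| T_s(M_2^{sm})$, which is where the state explosion mentioned in the conclusion arises.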
4 Comparison with the previous framework 
In this section, we compare the above framework with the one we proposed in [11]. Related work is presented in [12, 16]. In [11], when a set of modules is given, the safety failures and timing failures are defined among those modules. Then, conformance is defined similarly. Let $failure(M_1, M_2)$ denote all safety and timing failures between $M_1$ and $M_2$. In order to distinguish the conformance defined in this paper from the one defined in [11], we call the latter p-conformance. That is, for two modules $M_1 = (I_1, O_1, N_1)$ and $M_2 = (I_2, O_2, N_2)$, we say that $M_1$ p-conforms to $M_2$ if $I_1 \subseteq I_2$, $O_1 \supseteq O_2$, and for any (composable) module $E = (I_E, O_E, N_E)$ such that $I_2 \subseteq O_E$ and $O_2 \supseteq I_E$, if $failure(E, M_2)$ is empty, so is $failure(E, M_1)$.
According to [11], if an input $u$ with $Lft(u) = \infty$ is enabled in $M_1$, and $M_2$ has no enabled transitions, then $failure(M_1, M_2)$ has a timing failure. On the other hand, $T(M_1) \| T(M_2)$ is failure-free under C1. Whether a failure should exist in this case or not depends on the purpose of verification. Since we want to compare both frameworks independently of this situation, we assume below that every transition has a finite latest firing time. This does not mean that these frameworks are insufficient to handle transitions with infinite latest firing times.
Under this restriction, $failure(M_1, M_2)$ is still not equal to the failure trace set of $T(M_1) \| T(M_2)$. However, we can prove the following lemma.
Lemma 4 Let $T_1 = (I_1, O_1, S_1, F_1)$ and $T_2 = (I_2, O_2, S_2, F_2)$ be the timed trace structures of $M_1 = (I_1, O_1, N_1)$ and $M_2 = (I_2, O_2, N_2)$ such that $I_1 \subseteq O_2$ and $I_2 \subseteq O_1$. $T_1 \| T_2$ is failure-free iff $failure(M_1, M_2) = \emptyset$.
The proof of this lemma can be found in [17]. This lemma directly derives the following theorem, which shows the equivalence between the two frameworks.
Theorem 3 $M_1$ conforms to $M_2$ iff $M_1$ p-conforms to $M_2$.
5 Conclusion 
In this paper, we have proposed a framework to support trace theoretic verification of timed circuits. First, we have developed criteria to classify timed traces of time Petri nets as successes, failures, or impossible, and then introduced the notions of semimodules and semimirrors, which allow us to implement conformance checking procedures. This framework is simpler and more comprehensible than what we proposed previously, and the theorem shown in this paper shows that the two frameworks are equivalent in their final decisions.
The direct implementation of the conformance checking procedure shown in this paper is not difficult, but we know that it easily runs into the state explosion problem. In order to overcome this problem, we are now developing a partial order reduction algorithm for conformance checking using this framework, and we will implement it in our tool VINAS-P [18] in the future.
References 
[1] D. L. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits. MIT Press, 1988.
[2] T. Yoneda and T. Yoshikawa. Using partial orders for trace theoretic verification of asynchronous circuits. Proc. of Second International Symposium on Advanced Research in Asynchronous Circuits and Systems, pages 152-163, 1996.
[3] T. Yoneda and H. Ryu. Timed trace theoretic verification using partial order reduction. Proc. of Fifth International Symposium on Advanced Research in Asynchronous Circuits and Systems, pages 108-121, 1999.
[4] K. Stevens, S. Rotem, R. Ginosar, P. Beerel, C. Myers, K. Yun, R. Kol, C. Dike, and M. Roncken. An asynchronous instruction length decoder. IEEE Journal of Solid-State Circuits, 35(2):217-228, February 2001.
[5] R. Alur, C. Courcoubetis, and D. Dill. Model-checking for real-time systems. Proc. of 5th IEEE LICS, 1990.
[6] R. Alur and T. A. Henzinger. A really temporal logic. Proc. of 30th IEEE FOCS, 1989.
[7] T. Yoneda and H. Schlingloff. Efficient verification of parallel real-time systems. Formal Methods in System Design, pages 187-215, 1997.
[8] M. Minea. Partial order reduction for verification of timed systems. PhD thesis, Carnegie Mellon University, 1999.
[9] R. Alur and D. Dill. The theory of timed automata. LNCS 443 (17th ICALP), pages 322-335, 1990.
[10] T. Yoneda, B. Zhou, and H. Schlingloff. Verification of bounded delay asynchronous circuits with timed traces. LNCS 1548 AMAST'98, pages 59-73, 1999.
[11] B. Zhou and T. Yoneda. Verification of asynchronous circuits with bounded delay model. IEICE Trans. (in Japanese), Vol. J82-D-I, No. 7, pages 819-833, 1999.
[12] B. Zhou, T. Yoneda, and H. Schlingloff. Conformance and mirroring for timed asynchronous circuits. Proc. of ASP-DAC'01, pages 341-346, 2001.
[13] T. Rokicki. Representing and modeling circuits. PhD thesis, Stanford University, 1993.
[14] T. Rokicki and C. Myers. Automatic verification of timed circuits. LNCS 818 Computer Aided Verification, pages 468-480, 1994.
[15] J. R. Burch. Trace Algebra for Automatic Verification of Real-Time Concurrent Systems. PhD thesis, Carnegie Mellon University, 1992.
[16] B. Zhou, T. Yoneda, and H. Schlingloff. Conformance and mirroring for timed asynchronous circuits. TIT CS Technical Report, TR01-0001, 2001.
[17] B. Zhou, T. Yoneda, and C. Myers. Framework of timed trace theoretic verification revisited. TIT CS Technical Report, TR01-0015, 2001.
[18] T. Yoneda. VINAS-P: A tool for trace theoretic verification of timed asynchronous circuits. LNCS 1855 Computer Aided Verification, pages 572-575, 2000.
