Abstract. In this paper we present a method for modeling asynchronous digital circuits by timed automata. The constructed timed automata serve as "mechanical" and verifiable objects for asynchronous sequential machines in the same sense that (untimed) automata do for synchronous machines. These results, combined with recent results concerning the analysis and synthesis of timed automata, provide for the systematic treatment of a large class of problems that could be treated by conventional simulation methods only in an ad-hoc fashion. The problems that can be solved due to the results presented in this paper include: the reachability analysis of a circuit with uncertainties in gate delays and input arrival times, inferring the necessary timing constraints on input signals that guarantee a proper functioning of a circuit, and calculating the delay characteristics of the components required in order to meet some given behavioral specifications. Notwithstanding the existence of negative theoretical results concerning the worst-case complexity of timed automata analysis algorithms, initial experimentation with the Kronos tool for timing analysis suggests that timed automata derived from circuits might not be so hard to analyze in practice.
Introduction
Digital circuits can be viewed at various levels of abstraction. This paper is concerned with the level situated between the transistor differential model and the purely-discrete model of synchronous sequential machines. At this intermediate level, the underlying continuous dynamics of the gates is not completely ignored, but rather encapsulated into real-time constraints that serve as an approximation of this dynamics. Unlike the synchronous modeling style, where time is abstracted away into a sequence of points with nothing between them, time is viewed here as a continuous entity whose progress interferes with discrete state transitions.
At this intermediate level of timed Boolean functions (footnote 3) the primary objects are Boolean signals defined over the real time axis, unlike Boolean sequences defined over the integers. In this model the output of a gate is a combinatorial function of the inputs, shifted in time. These delays could have been inferred from the differential dynamics of the components, but we will not be concerned with these low-level details (unlike [KM91]) in this paper and consider them as given.
We will present a fairly general model of asynchronous digital circuits consisting of Boolean gates and delay elements and show how this model translates naturally into the timed automata formalism of [AD94]. After this translation, timed automata techniques can be applied to the analysis of the circuits (this was, in fact, the primary motivation for the introduction of timed automata in [D89]).
The main advantage of this formalism is that it allows automatic analysis of all the possible behaviors of the circuit. The novel feature of these analysis methods, compared to the more conventional simulation techniques currently employed in timing analysis, is that they can capture uncertainties in the input arrival times, in the initial conditions or in the delay parameters of the gates without any problem. This is because the "simulation" is global: instead of simulating one possible execution of the circuit, we simulate in one "step" an infinite (and even uncountable) number of executions (see also [BM83], [L89], [D89], [BD91], [AD94] for the origins of this "geometric" simulation method for timed systems, and [ACH+95], [AMP95-a] for the application of this approach in the more general setting of hybrid systems).
The core of this paper is a careful translation of circuits, defined via a system of delay equations, into a network of interacting timed automata whose set of possible behaviors is exactly the set of signals satisfying the equations. The translation is done using two types of basic components and it reflects the structural properties of the circuit, including the functional and temporal dependencies between the state variables. As such it can serve as a basis for further optimizations and algorithmic fine-tuning.
The rest of the paper is organized as follows: in section 2 we present signals, delay equations and circuits. Section 3 consists of a presentation of a modified version of timed automata communicating via shared variables, which we find to be the most suitable for circuit modeling. In section 4 we show how to translate between the two models and conclude in section 5 with the potential applications of these results.
Signals and Circuits
Let T denote the set of non-negative reals and let Q be any set.

Footnote 3. We adopt the term, but not the techniques, which are essentially deterministic, from [LB94]. In fact, our formalism could be called timed Boolean relations.
Definition 1 (Piecewise-continuous Signals). A Q-valued piecewise-continuous signal is a function $x : T \to Q$ (the signal's name did not survive extraction; it is written $x$ here and below) admitting a (possibly finite) countable increasing sequence $L(x) = t_0, t_1, \ldots$ such that $t_0 = 0$, $x$ is continuous at $T - L(x)$ and discontinuous at $L(x)$.
We use $x_t$ to denote $x(t)$ and let $I(x) = I_0, I_1, \ldots = [t_0, t_1), [t_1, t_2), \ldots$ be the sequence of left-closed, right-open intervals induced by the signal. We call $L(x)$ the boundary points of $x$. Continuous signals are obtained as a special case when $L(x) = \{0\}$ and $I(x) = \{[0, \infty)\}$.
Let $\mathbb{B} = \{0, 1\}$. A Boolean signal is a $\mathbb{B}^k$-valued signal for some $k$. In this case the above properties of signals specialize into:
- $t_1, t_2 \in I_i \Rightarrow x_{t_1} = x_{t_2}$,
- $t_1 \in I_i \wedge t_2 \in I_{i+1} \Rightarrow x_{t_1} \neq x_{t_2}$.
One can see that the conditions above prevent a non-countable number of discrete variations in the value of the signal, as well as the so-called Zeno phenomenon, in which infinitely many discrete transitions happen within a bounded real-time interval. We denote the set of all such Boolean signals by $S_k$.
A Boolean function is a function $f : \mathbb{B}^k \to \mathbb{B}$ for some $k \ge 0$. We will use the same notation for the temporal extension $f : S^k \to S$ of $f$, defined by $y = f(x)$ iff for every $t \in T$, $y_t = f(x_t)$. We call this an instantaneous signal function.

Definition 2 (Ideal Deterministic Delay). Let .

This is because the output always has to "remember" all the possible variations in the value of the input that could have occurred in the last temporal window of length $d$. It is common to assume that every change in the input has to persist for a minimal interval of time (latency) in order to be "noticed" by the delay element. In order to simplify the presentation we unify these two constants and assume that the latency associated with $d$ is equal to $d$. More generally it could be any number not greater than $d$ (otherwise the function becomes non-causal, as the value of the output at time $t$ might depend on the value of the input at a time greater than $t$).
Definition 3 (Deterministic Latency Delay). Let the latest boundary point (which could as well be the point $t = 0$ if no change in the input persisted long enough since the beginning).

Every non-ideal delay can be decomposed into a "$d$-filter" (an element that ignores variations that persist less than $d$) and an ideal delay; see signals $s_1$, $s_2$ and $s_4$ in figure 1.
Remark: In certain physical settings the effect on the output of high-frequency variations in the input is not predictable. Consequently the value of the output at the corresponding instants can be any value, and the delay operator is non-deterministic. We have chosen a "lazy" version of the latency delay, such that no state transition takes place unless it must. The suitability of this modeling decision is application-dependent, and our theory could be developed under different assumptions.
Delay characteristics of real components cannot be known precisely. The most one can expect from a specification of such components is a delay interval $[l, u]$ expressing lower and upper bounds on the time it takes for a change in the input to propagate to the output. This motivates the following definition:
Definition 4 (Non-Deterministic Delay). Let $l$ and $u$ be two non-negative numbers such that $l \le u$. The non-deterministic delay associated with $[l, u]$ is a function $D_{[l,u]} : \mathbb{B} \times S \to 2^S$ (the operator's symbol did not survive extraction; $D$ is used here) defined as: $y \in D_{[l,u]}(b, x)$ iff
1. $y_t = b$ for every $t \in [0, l)$;
2. for every $t \ge l$, $t \in L(y) \Rightarrow \exists t' \in L(x) \cap [t-u, t-l]$ such that $x_{t'} = y_t$ and $(t', t'+l) \cap L(x) = \emptyset$ (every change in $y$ must be preceded by an $l$-persistent change in $x$);
3. every $u$-persistent change in $x$ must be reflected in $y$.

All these notions are depicted in figure 1. Non-deterministic delays pose problems to traditional simulation methods, as the next "event" in the simulation can take place anywhere within an interval.

A circuit appears in figure 2. Such a decomposition of gates into a combinatorial part and a delay part is common (e.g., [LB94]). The correspondence between a circuit and the system of equations (1) is straightforward, and we will refer to (1) as the description of the circuit. In practice gates have a limited fan-in and each $f_i$ refers only to a small subset of the wires; for proving our results, however, it is simpler to assume that all functions are $k$-ary. The syntactic structure of $F$ reflects the topology of the circuit and it will certainly play a role in any efficient implementation of analysis algorithms. In the sequel, in order not to drag too much notation along, we will omit the reference to the initial value from the delay equations and their corresponding automata, and use equations of the form
$$x_i \in D_{[l_i, u_i]}(f_i(x_1, x_2, \ldots, x_k)).$$
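The signal model of Definition 1, the instantaneous extension of a Boolean function, the delay relation of Definition 4 and the delay-equation form $x_i \in D_{[l_i,u_i]}(f_i(x_1, \ldots, x_k))$ as executable code. This is an added example, not code from the paper: it decides whether a given set of waveforms is a solution of a circuit's delay equations. Conditions 1 and 2 are transcribed from Definition 4; the formula for condition 3 is this example's own reading of "every $u$-persistent change in $x$ must be reflected in $y$", and the waveforms, the hazard circuit ($b = \neg a$, $z = a \wedge b$), its delay bounds and all function names are the example's assumptions.

```python
"""Boolean signals over real time and the [l, u] non-deterministic delay.

Added example (not code from the paper).  A signal is a list of
(boundary time, value) pairs; the delay relation follows Definition 4,
with condition 3 being this example's reading of the parenthetical
"every u-persistent change in x must be reflected in y" (an assumption).
"""


def normalize(pairs):
    """Canonical piecewise-constant signal: [(t0, v0), (t1, v1), ...] with
    t0 = 0, strictly increasing times and no two equal consecutive values,
    so the listed times are exactly the boundary points L(x) of Definition 1."""
    pairs = sorted(pairs)
    if not pairs or pairs[0][0] != 0:
        raise ValueError("a signal must be defined from t = 0")
    out = [pairs[0]]
    for t, v in pairs[1:]:
        if v != out[-1][1]:
            out.append((t, v))
    return out


def value_at(sig, t):
    """x_t: the value on the left-closed, right-open interval containing t."""
    value = sig[0][1]
    for tb, vb in sig:
        if tb > t:
            break
        value = vb
    return value


def persists(sig, t, d):
    """True iff the value taken at boundary t is held on (t, t + d),
    i.e. the open interval (t, t + d) contains no boundary point of sig."""
    return not any(t < tb < t + d for tb, _ in sig)


def apply_pointwise(f, signals):
    """Temporal extension of a Boolean function: (f(x_1..x_k))_t = f(x_1t, ..., x_kt)."""
    times = sorted({t for s in signals for t, _ in s})
    return normalize([(t, f(*[value_at(s, t) for s in signals])) for t in times])


def in_delay(y, x, b, l, u):
    """Decide y in D[l, u](b, x)."""
    # 1. y holds its initial value b on [0, l)
    if any(v != b for t, v in y if t < l):
        return False
    # 2. every change of y at t >= l is explained by an l-persistent change
    #    of x to the same value at some t' in [t - u, t - l]
    for t, v in y:
        if t >= l and not any(t - u <= tx <= t - l and vx == v and persists(x, tx, l)
                              for tx, vx in x):
            return False
    # 3. (assumed reading) every change of x that persists u must show up in y
    #    at some t' in [t + l, t + u]; checking the left end of the window and
    #    the boundaries of y inside it suffices because y is piecewise constant
    for tx, vx in x:
        if not persists(x, tx, u):
            continue
        candidates = [tx + l] + [t for t, _ in y if tx + l < t <= tx + u]
        if not any(value_at(y, t) == vx for t in candidates):
            return False
    return True


def is_solution(signals, equations):
    """signals[i] is the waveform of wire i; equations[i] is None for a free
    input wire or (f_i, argument wires, initial value, l_i, u_i)."""
    for i, eq in enumerate(equations):
        if eq is None:
            continue
        f, args, b, l, u = eq
        driven = apply_pointwise(f, [signals[j] for j in args])
        if not in_delay(signals[i], driven, b, l, u):
            return False
    return True


# Constructed example: wire 0 is an input a, wire 1 is b = NOT a with delay
# [1, 2], wire 2 is z = a AND b with delay [1, 2] (the classic static hazard).
HAZARD = [
    None,
    (lambda a: 1 - a, [0], 1, 1, 2),
    (lambda a, b: a & b, [0, 1], 0, 1, 2),
]
A_RISES_AT_4 = normalize([(0, 0), (4, 1)])
B_FALLS_AT_5 = normalize([(0, 1), (5, 0)])
# Between t = 4 and t = 5 the AND gate is driven to 1 for exactly l = 1 time
# unit, so the lazy delay may either propagate that pulse or ignore it:
Z_GLITCH = normalize([(0, 0), (5, 1), (6, 0)])
Z_QUIET = normalize([(0, 0)])
Z_TOO_EARLY = normalize([(0, 0), (4.5, 1), (6, 0)])  # rises before l has elapsed
```

Both `Z_GLITCH` and `Z_QUIET` are solutions of the same equations, which is the non-uniqueness the next paragraph points out; `Z_TOO_EARLY` is rejected by condition 2 because no $l$-persistent change of the driving signal lies in $[4.5-2, 4.5-1]$.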
Definition 5 (Circuit).
Needless to say, the system of equations (1) need not have a unique solution. For the readers who wonder where the input signals have disappeared to in our model, the answer is that in a non-deterministic framework inputs can be treated like any other signal, having the property of being independent of the other signals.

We will use $S = Q \times H$, where $Q = \mathbb{B}^{|V|}$ and $H = T^{|\mathcal{C}|}$, to denote the set of all global states, i.e. all $(V, \mathcal{C})$-states. All the signals we will use henceforth are $S$-valued. Such a signal $x : T \to S$ induces for every $v \in V$ (resp. $C \in \mathcal{C}$) an interpreted signal

For every $k$-wire circuit described by a system of equations (1)

[Table 3: the automaton $A$ obtained by composing $A_1$ and $A_2$. Only fragments of the table survived extraction: its rows are global states written as bit vectors (1010, 0100, 0110), each transition is guarded by a conjunction of clock conditions of the forms $C_1 < u_1$, $C_1 \ge l_1$, $C_2 < u_2$, $C_2 \ge l_2$, and is labelled with the set of clocks it resets ($\{C_1\}$, $\{C_2\}$ or $\{C_1, C_2\}$).]

synthesis (footnote 9) ([HWT92], [MPS95], [AMP95-b]). We will briefly present these results and discuss their usefulness.
Analysis
Given a timed automaton $A$, one can decide whether a state $q'$ is reachable from a state $q$. This is done by an algorithm that calculates, using simple linear-algebra techniques, the set of successors of a given configuration. More generally, the satisfaction of properties expressed in various real-time temporal logics can be verified as well. Such properties go beyond simple reachability and allow one to express, for example, a fact like "every visit of the system to state $q$ is followed within $d$ time units by a visit to state $q'$". All these features are already implemented in the tool Kronos ([HNSY94], [DOY94]) developed at Verimag. As an initial experiment we have used it to verify that a MOS circuit with 8 elements (footnote 10) and 4 input signals never reaches a certain "short-cut" state. This property has been verified against a non-deterministic specification of the relative rising and falling times of the input signals.

Footnote 9. The word "synthesis" is used in the hardware community for a kind of "compilation" from an abstract representation into a more concrete one. In the software verification community the meaning is as in control theory, namely, constructing a system from its specifications. This is the sense in which we use the word.
Synthesis
The synthesis problem for timed automata can be roughly phrased as follows:
Given an automaton $A = (V_A, C_A, R, O)$, find a systematic way to restrict its behavior such that some property is satisfied. By "restricting the behavior" we mean to modify $A$ into $A' = (V_A, C_A, R', O)$ such that for every state $q \in Q_A$, $R'(q) \Rightarrow R(q)$. A typical example of a restriction is to replace an inequality of the form $l \le C \le u$ in $R$ by $l' \le C \le u'$ such that $l \le l' \le u' \le u$. Clearly, by restricting $R$ the set of signals generated by the automaton decreases and

Footnote 10. In this paper we have presented the model using Boolean gates, but any other basis consisting of functions over finite domains can be treated as well.
The algorithm presented in [MPS95], [AMP95-b], which is based on the same geometric ideas as the analysis algorithms for timed automata, can extract a restricted automaton all of whose behaviors satisfy a given property. If no such automaton exists, the algorithm can point out a configuration (state + clocks) from which the transition to the bad state cannot be avoided. We will demonstrate how this result can be used for solving two concrete problems in circuit analysis.
Consider a circuit with given delay characteristics. We want to know what constraints must be imposed on the input signals in order that some state $q$ will never be reached. We build the equations for the internal signals and let the input signals be unconstrained (or specified by $x_i \in D_{[d, \infty]}(\neg x_i)$ for some minimal propagation constant $d$). Then, after translating the system into an automaton $A$, our algorithm will search backwards from $q$, trying to eliminate bad transitions by putting further restrictions on the formulae. The restrictions can be made only on those parts of a formula which originate from the equations that correspond to the inputs. In the ideal case we will get as a solution an automaton $A'$ admitting a reverse translation into a similar system of delay equations, where possibly smaller delay intervals are associated with the input signals. This would mean that it is sufficient to restrict the variability of every input signal individually. In more complicated cases we will have restrictions that relate several input signals. For example, the condition in $A'$ corresponding to a transition that changes the value of some input $x_i$ may refer to a clock $C_j$ for some $j \neq i$.
In this case the set of input signals should satisfy more complicated constraints, such as: input signal $x_i$ will never change unless some time has elapsed since the last change in input $x_j$.
In more complicated cases, a formula that corresponds to an input $x_i$ in the solution $A'$ may refer to clocks of internal signals. This will indicate that the input cannot be constrained in a feed-forward manner, but that we need feedback from the internal components in order to select admissible inputs; this will generally indicate a bad design. It should be noted, however, that if the gate delays are deterministic, the problem of calculating the maximal set of input signals against which the circuit operates properly can be solved without reference to the clocks associated with the gates, as their values can be inferred from the other variables.

In a similar manner we can solve the opposite problem: given a circuit and a class of input signals, find the delay characteristics of the gates that will satisfy some reachability property. Here we will start with the most general delay parameters of the non-input signals and use our algorithm to restrict them and obtain a good automaton. As in the previous problem, ideal solutions could be translated back into delay equations (gate parameters are independent), while in more complicated cases the relation between gate delays will be of a more intricate and dynamic nature.
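The two questions of this section on one concrete circuit: whether a bad state is reachable for any delays within the given intervals (the Analysis subsection), and which gate delays keep it unreachable (the opposite problem just described). This is an added illustration, not the paper's zone-based algorithm and not the Kronos tool: in place of the backward search over clock constraints it performs a brute-force breadth-first exploration of every behaviour of the static-hazard circuit $b = \neg a$, $z = a \wedge b$ under the lazy latency semantics of section 2. The circuit, the delay values, the function names and the restriction to positive integer delay bounds with time advancing in unit steps (which makes the state space finite) are all assumptions of this example.

```python
"""Exhaustive integer-time exploration of a circuit with interval delays.

Added example (not the paper's algorithm and not Kronos): a breadth-first
search over every behaviour of a small circuit whose gates have delay
intervals [l, u] with lazy latency semantics.  Assumptions: delay bounds
are positive integers and time advances in unit steps, so a state (wire
values, gate clocks) is one of finitely many and the search terminates.
"""
from collections import deque
from itertools import combinations


def advance(state):
    """Let one unit of time pass: every running clock increases by 1."""
    values, clocks = state
    return values, tuple(None if c is None else c + 1 for c in clocks)


def explore(gates, init_values):
    """gates[i] = (f_i, l_i, u_i), where f_i maps the value vector to the value
    gate i is driven towards.  A state is (values, clocks); clocks[i] is None
    while gate i is stable and otherwise the integer time elapsed since
    f_i(values) != values[i].  Returns the set of reachable states."""
    n = len(gates)

    def excitation(values, old_clocks, fired):
        clocks = []
        for i, (f, _l, _u) in enumerate(gates):
            if f(values) == values[i]:
                clocks.append(None)            # stable, or a pending change withdrawn
            elif old_clocks[i] is None or i in fired:
                clocks.append(0)               # newly excited: its clock starts now
            else:
                clocks.append(old_clocks[i])   # still pending: clock keeps running
        return tuple(clocks)

    values = tuple(init_values)
    start = (values, excitation(values, (None,) * n, frozenset()))
    seen = {start}
    todo = deque([start])
    while todo:
        values, clocks = todo.popleft()
        # a gate may fire once excited for l_i and must fire when its clock reaches u_i
        firable = [i for i in range(n)
                   if clocks[i] is not None and clocks[i] >= gates[i][1]]
        forced = {i for i in firable if clocks[i] == gates[i][2]}
        for k in range(len(firable) + 1):
            for subset in combinations(firable, k):
                fired = frozenset(subset)
                if not forced <= fired:
                    continue                    # a gate at its deadline cannot wait
                new_values = tuple(1 - v if i in fired else v
                                   for i, v in enumerate(values))
                after_fire = (new_values, excitation(new_values, clocks, fired))
                # keep both the instant right after firing (other gates may still
                # fire at the same instant) and the state one time unit later
                for state in (after_fire, advance(after_fire)):
                    if state not in seen:
                        seen.add(state)
                        todo.append(state)
    return seen


def reachable_values(gates, init_values):
    """Every Boolean state the circuit can be in, for any delays within the intervals."""
    return {values for values, _clocks in explore(gates, init_values)}


def hazard_circuit(l_not, u_not, l_and, u_and):
    """Wires: 0 = input a (held constant), 1 = b = NOT a, 2 = z = a AND b."""
    return [
        (lambda v: v[0], 1, 1),                       # input wire: never excited
        (lambda v: 1 - v[0], l_not, u_not),
        (lambda v: v[0] & v[1], l_and, u_and),
    ]


def glitch_possible(l_not, u_not, l_and, u_and):
    """Can z ever rise after a single 0 -> 1 step on a?  The initial state is
    the instant just after that step: a = 1, b still 1, z still 0, so both
    gates are excited with their clocks at 0."""
    reach = reachable_values(hazard_circuit(l_not, u_not, l_and, u_and), (1, 1, 0))
    return any(z == 1 for _a, _b, z in reach)


def smallest_safe_and_latency(l_not, u_not, width=2, limit=20):
    """Smallest lower bound l_and (with u_and = l_and + width) for which the
    AND gate's latency filters the hazard for every NOT delay in [l_not, u_not]:
    a brute-force stand-in for the parameter problem of this section."""
    for l_and in range(1, limit):
        if not glitch_possible(l_not, u_not, l_and, l_and + width):
            return l_and
    return None


if __name__ == "__main__":
    print(sorted(reachable_values(hazard_circuit(1, 3, 2, 4), (1, 1, 0))))
    print(glitch_possible(1, 3, 2, 4), glitch_possible(1, 3, 4, 6))
    print(smallest_safe_and_latency(1, 3))
```

With the NOT gate in $[1, 3]$ the sweep stops at $l_{and} = 4$: the AND gate is driven to 1 for at most $u_{not}$ time units, so that excitation is $l_{and}$-persistent, and the glitch reachable, exactly when $u_{not} \ge l_{and}$, which is the kind of relation between gate parameters the synthesis algorithm is meant to produce.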
The classification of these problems and solutions, as well as the implementation of efficient data structures and algorithms for timed reachability analysis, is the subject of ongoing research. We believe that, as in the case of synchronous circuits and ordinary untimed automata, the translation into automata clarifies the issues, allows a uniform treatment of a class of problems that might look different at first glance, and helps to focus on practical solutions of the algorithmic issues.
