Relative timing based verification of timed circuits and systems by Stevens, Kenneth & Kim, Hoshik
Relative Timing Based Verification of Timed Circuits and Systems

Hoshik Kim* and Peter A. Beerel
Asynchronous CAD Group, University of Southern California, Los Angeles, CA, USA
{hoshik, pabeerel}@usc.edu

Ken Stevens
Strategic CAD Labs, Intel Corporation, Hillsboro, OR, USA
kstevens@ichips.intel.com
Abstract
Aggressive timed circuits, including synchronous and asynchronous self-resetting circuits, are particularly challenging to design and verify due to complicated timing constraints that must hold to ensure correct operation. Identifying a small, sufficient, and easily verifiable set of relative timing constraints simplifies both design and verification. However, the manual identification of these constraints is a complex and error-prone process. This paper presents the first systematic algorithm to generate and optimize relative-timing constraints sufficient to guarantee correctness. The algorithm has been implemented in our RTCG tool and has been applied to several real-life circuits. In all cases, the tool successfully generates a sufficient set of easily verifiable relative timing constraints. Moreover, the generated constraint sets are the same size or smaller than that of the hand-optimized constraints.
1. Introduction
Aggressive timed synchronous and asynchronous circuit families, including self-resetting domino circuits and GasP circuits, have demonstrated impressive performance gains [16, 21, 17, 18, 13] at the cost of requiring complicated two-sided timing constraints. These timing constraints must be considered during fanout optimization, transistor sizing, floorplanning, and routing. They must also be carefully verified pre- and post-layout. For these circuits to be widely adopted, comprehensive CAD support is required.

One approach is to constrain the design of these circuits to simplify the problem. In particular, Sutherland et al. [22] suggested constraining the transistor sizing of GasP circuits to yield unit delays, thereby generating correct-by-construction transistor-level circuits and simplifying the pre-layout verification. This is an effective approach but overly constrains the circuits, reducing their potential benefit.

* This work was partly done during his internship at Strategic CAD Labs, Intel Corporation.
Other research has focused on the pre- and post-layout verification of these circuits. In particular, given a timed circuit with bounded delays on all components, advanced verification tools can determine whether they will work correctly [3, 2]. These tools are limited to relatively small circuits because of the double exponential complexity of the exact timed state space based verification problem (state space + timing) [1]. Because timing margins must be characterized as min-max delays over all devices and environment delays that should be valid for all delay variations seen in today's deep-submicron processes [9], designers must be relatively conservative on how they set these delays. Moreover, even minor changes in transistor sizing, floorplanning, and/or routing that affect any of the delay bounds currently require complete re-verification.
To overcome the above double exponential complexity problem of explicit timing, Pena et al. [14] proposed an approach performing an off-line timing analysis on a set of timed event structures that cover the failure traces rather than calculating the exact timed state space. In fact, as a side benefit of their verification approach the set of timing constraints used to prove the correctness of circuits can be reported for back-annotation. These constraints, however, are derived with given min-max delays on all gates. Consequently, this approach still suffers from overly conservative delay bounds and does not support incremental verification.
Recently, a relative timing based verification methodology was proposed to address these limitations. This methodology is based on the observation that the key property needed for correctness is often the relative ordering of signal transitions [11, 19, 16]. The idea is to decompose the timing verification problem into two parts. First, identify relative timing (RT) constraints sufficient to guarantee the correctness of a circuit using no min-max delays. Second, analyze the post-layout circuits to validate these timing constraints using a standard simulation technique or a known polynomial-time bounded delay analysis technique given extracted min-max delays. Designers can also rely on the simpler simulation and/or analysis techniques to verify incremental changes to transistor sizing, floorplanning, and routing. Moreover, because the constraints are symbolic and thus not tied to min-max delays, it may also be feasible for the designers to verify the constraints using a technique that can take into account correlations among delays (e.g., random simulation), allowing them to design the circuits more aggressively.

Proceedings of the Eighth International Symposium on Asynchronous Circuits and Systems (ASYNC'02)
1522-8681/02 $17.00 © 2002 IEEE
The basic problem that this paper addresses is the generation of relative timing constraints. Currently the generation of relative timing constraints has been done manually, relying on designers' intuition. While these manually generated constraints can be checked for sufficiency using an untimed verification tool [10, 20], the process is time-consuming and error-prone. This paper presents the first systematic algorithm to generate and optimize easily verifiable relative timing constraints sufficient to guarantee correctness. Both the generation and optimization of the constraints are based on an untimed analysis of the state space which uses state-of-the-art symbolic techniques to reduce run-time. The algorithm has been implemented in our RTCG tool and has been applied to several real-life circuits. In all cases, the tool successfully generates a sufficient set of easily verifiable timing constraints. Moreover, the generated constraint sets are the same size or smaller than that of the hand-optimized counterparts.
The organization of the rest of this paper is as follows. Section 2 describes the basic notions and formalism used throughout this paper. Sections 3 and 4 describe the theory and algorithms for our relative timing constraint generator, called RTCG, in detail. Sections 5 and 6 describe experimental results and conclusions.
2. Basic notions
This section introduces our formalism for modeling the behavior of circuits and their environment. We will also describe how we define the failure transitions that our relative timing constraints must avoid and several useful notions of reachability analysis.
We will use the GasP FIFO control circuit [21], illustrated in Figure 1, as a running example. Each PATH circuit controls the flow of data between pipeline stages implemented with single-rail logic. In particular, it latches single-rail data from its predecessor place to its successor place when its predecessor PLACE is FULL (encoded LO) and its successor PLACE is EMPTY (encoded HI). The latch signal is a pulse that must be wide enough to pass through data but not be too wide to allow the passing of two consecutive data tokens.

To analyze the behavior of the circuit, the behavior of the left and right environments must also be precisely defined. To do this, we have used signal transition graphs (STG) [5], as illustrated in Figure 2. To simplify the circuit, we have not modeled the keeper inverters on each PLACE because they do not affect the analysis of the circuit.

Figure 3. Label splitting
2.1. Transition systems
A transition system (TS) [12, 6] is a quadruple $TS = (S, E, T, s_{in})$, where $S$ is a non-empty set of states, $E$ is a non-empty set of events, $T \subseteq S \times E \times S$ is a transition relation, and $s_{in}$ is an initial state. We will denote the set of events corresponding to input and gate signals by $E_I$ and $E_G$ respectively. Therefore, $E = E_I \cup E_G$. A state transition $(s, e, s') \in T$ may be denoted by $s \xrightarrow{e} s'$.
A transition system provides a natural formal framework to describe the behavior of sequential circuits as well as behaviors that the circuit should not exhibit. Note that a state graph is simply a binary interpreted transition system where its transitions are labeled with an event in TS.
The transition system can be generated from the composition of the circuit and environment using standard untimed reachability analysis techniques [4, 7, 15, 24]. To avoid generating a TS with OR causality, we use the well-known technique of label splitting to distinguish between different causes of the same event, that is, any event with multiple causes is separated into multiple events, each having a unique cause. For example, the event c in the TS shown in Figure 3 has two causes: a and b. By splitting this event into c1 and c2, each has its own unique cause. This splitting can easily be implemented during the generation of the TS and will simplify our subsequent analysis steps. Splitting, however, does make the interpretation of derived timing constraints on split events somewhat more challenging.
A simplified TS of the GasP FIFO control circuit and its environment is shown in Figure 4. In particular, the TS is a projection of the entire TS onto a subset of the original signals (hiding signals a, b and r) to simplify the illustration. Interestingly, there was no OR causality in this circuit and thus label splitting was not necessary.

Figure 1. A GasP FIFO

Figure 2. A GasP FIFO control circuit with the left and right environments modeled as STGs
2.2. Failure transitions
In our technique, failure transitions are assumed to be either explicitly or implicitly specified by designers. They are state transitions which designers do not want their circuits to execute. In the most common scenario, these transitions are implicitly specified to be state transitions leading to failure states, in which a circuit enables a signal transition that is not acceptable by the environment [15]. They are also often implied to be transitions which cause short-circuit currents in the circuit or transitions which violate the semi-modularity [23] of a signal in the circuit, indicating the possibility of a runt pulse. In general, however, this set can be any subset of the transition relation $T$ of a TS, and it is denoted by $T_{fail}$. In practice, these failure transitions will be identified via untimed reachability analysis of the circuit using existing mature formal verification techniques (e.g., [4, 7, 15, 24]).

As an example, consider the GasP control circuit in Figure 2. After the first PATH modeled in the left environment uses the N-type transistor to drive the state conductor node le LO, the second PATH will take at least three gate delays to drive le HI again using the P-type transistor. By the time the second PATH turns on the P-type transistor by triggering signal out LO to drive le HI, the first PATH will have turned off the N-type transistor. Otherwise, the circuit will be assumed to have a failure due to a short-circuit current on both transistors. In other words, if a signal transition out- fires earlier than x-, the circuit will have a failure. In the TS illustrated in Figure 4, this failure is modeled with two failure transitions labeled out- enabled at states s21 and s22 that lead to the symbol "⊥".

Figure 4. A simplified TS for the GasP control circuit and its environment.
2.3. Reachability

To describe our methods we must introduce the following notations related to reachability analysis. A state $s'$ is said to be reachable from a state $s$, denoted $s \rightsquigarrow s'$, if there is a (possibly empty) sequence of non-failure transitions starting in $s$ and ending in $s'$. In addition, a state $s'$ is said to be reachable from a state $s$ within a set of states $r \subseteq S$, denoted $s \rightsquigarrow_r s'$, if there is a (possibly empty) sequence of non-failure transitions from $s$ to $s'$ that remains within the given set of states $r$.

The forward reachability set of a set of states $S' \subseteq S$, denoted $F(S')$, is the set of states reachable from $S'$. That is, $F(S') = \{s \in S \mid \exists s' \in S' : s' \rightsquigarrow s\}$. Similarly, the backward reachability set $B(S')$ of a set of states $S' \subseteq S$ is the set of states that can reach $S'$. That is, $B(S') = \{s \in S \mid \exists s' \in S' : s \rightsquigarrow s'\}$. In addition, the forward reachability set $F_r(S')$ of a set of states $S' \subseteq S$ constrained to a set of states $r$ is the set of states reachable from $S'$ within $r$. That is, $F_r(S') = \{s \in S \mid \exists s' \in S' : s' \rightsquigarrow_r s\}$. Similarly, a constrained backward reachability set $B_r(S')$ is defined as $B_r(S') = \{s \in S \mid \exists s' \in S' : s \rightsquigarrow_r s'\}$.

It will also be useful to define the predicate $s \rightsquigarrow_{\neg e} s'$ to hold if $s$ can reach $s'$ without firing a transition labeled $e$. Correspondingly, we will let $B_{\neg e}(S')$ denote the set of states that can reach $S'$ without firing $e$, for a set of states $S'$ and event $e$. That is, $B_{\neg e}(S') = \{s \in S \mid \exists s' \in S' : s \rightsquigarrow_{\neg e} s'\}$. Similarly, we define $B_{r,\neg e} = B_r \cap B_{\neg e}$.

Lastly, it will be useful to define the one-step image computations. The forward image set $Img_e(S')$ of a set of states $S' \subseteq S$ for a given event $e \in E$ is the set of next states of $S'$ by non-failure transitions labeled $e$. That is, $Img_e(S') = \{s \in S \mid \exists s' \in S' : (s', e, s) \in T - T_{fail}\}$. Similarly, the backward image set $Img_e^{-1}(S')$ of a set of states $S' \subseteq S$ for a given event $e \in E$ can be defined. That is, $Img_e^{-1}(S') = \{s \in S \mid \exists s' \in S' : (s, e, s') \in T - T_{fail}\}$.

3. Automatic generation of RT constraints

We divide the generation of relative timing (RT) constraints into two steps. In the first step, initial relative timing constraints are derived that guarantee no failure transition is reachable. These constraints effectively reduce only the necessary concurrency in the circuit to remove failure transitions. In the second step, the set of RT constraints is optimized through transformations that move and merge the constraints into a smaller or more easily verifiable set of RT constraints. This section describes the theory and algorithm for initial constraint generation. The subsequent section is devoted to constraint optimization.

The section starts with some definitions and formalism used in the following sections.
3.1. Qsets
A Qset of an event $e$, denoted $Qset(e)$, is a set of states where a set of failure transitions labeled $e$ are enabled to fire. A Qset is a set of dangerous states from which a failure transition may occur. Therefore, once the circuit enters the region of $Qset(e)$ in a TS, the circuit must avoid such failure transitions. Note that there can be different Qsets for one event.
We will define some notions and predicates here which are necessary to the formal definition of Qsets.

Definition 3.1 (Excitation region [8]) A set of states $S$ is called an excitation region of event $e$, denoted by $ER(e)$, if it is a maximal (possibly disconnected) set of states in which for all $s \in S$ there is a transition $s \xrightarrow{e}$.

For example, in the TS illustrated in Figure 4, $ER(x+) = \{s1, s2, s3, s4, s5, s6, s7, s8, s32, s33, s34, s35\}$.

Definition 3.2 Let $TS = (S, E, T, s_{in})$ be a TS. Let $S' \subseteq S$ be a set of states and $e \in E$ be an event. Let $T' = T - T_{fail}$ be a non-failure transition relation. The following predicates are defined for $e$ and $S'$:

$\mathrm{in}(e, S') = \exists (s, e, s') \in T' : s, s' \in S'$

$\mathrm{enter}(e, S') = \exists (s, e, s') \in T' : s \notin S' \wedge s' \in S'$

$\mathrm{exit}(e, S') = \exists (s, e, s') \in T' : s \in S' \wedge s' \notin S'$

$\mathrm{false\_exit}(e, S') = (\mathrm{in}(e, S') \vee \mathrm{enter}(e, S')) \wedge \mathrm{exit}(e, S')$

Definition 3.3 (Qsets) A set of states $q \subseteq F(s_{in})$ in $TS = (S, E, T, s_{in})$ is called a Qset for event $e \in E$ and denoted by $Qset(e)$ if $q \subset ER(e) \wedge \forall e' \in E : \neg\mathrm{false\_exit}(e', q)$ holds. The event $e$ is called the target event of the Qset.
We restrict our $Qset(e)$ to be only a proper subset of $ER(e)$ because we want to have at least one transition labeled $e$ that is potentially fireable in some reachable state. We restrict $Qset(e)$ to have no false exit events to ensure that any exit event always exits the Qset. The motivation for this will become clearer when we discuss our specification of RT constraints in terms of event triples in Section 3.3.
Now let us consider the GasP circuit in Figure 2. The circuit will have a failure if the left environment tries to pull down the state conductor le by firing x+ before signal out has been reset, that is, out+. This failure is represented in the TS depicted in Figure 4 as the transitions labeled x+ from states s32, s33, s34 and s35. This set of states satisfies the definition of a Qset for event x+, denoted by $Qset(x+)$, because it is a subset of $ER(x+)$ and the only exit event, out+, is not a false exit.
3.2. Making a Qset

A key function in our algorithm involves finding the smallest Qset for a target event $t$ that includes a given subset $r$ of $ER(t)$. The make-Qset function shown in Figure 5 performs this function by recursively adding to $r$ only essential states that must be included in any Qset that includes $r$. In particular, as shown in Proposition 3.1, the forward image set $Img_{e'}(r)$ of $r$ for a false exit event $e'$ consists of essential states. The basic intuition behind this result is that the only way to remove the false exit events in a Qset that must include $r$ is to add to $r$ the sink states of any corresponding exit transition.
Proposition 3.1 (Essential states) Let $TS = (S, E, T, s_{in})$ be a TS with a set of failure transitions $T_{fail} \subseteq T$. Let $r \subseteq ER(e)$ for an event $e \in E$ and $r' \subseteq S$ be a $Qset(e)$ such that $r \subseteq r'$. Let $e' \in E$ be an event such that $e' \neq e$. The following predicate holds:

$\mathrm{false\_exit}(e', r) \Rightarrow Img_{e'}(r) \subseteq r'$

Proof Consider a state $s \in Img_{e'}(r)$ such that $(s', e', s) \in T - T_{fail}$ where $s' \in r$. $(\mathrm{in}(e', r) \vee \mathrm{enter}(e', r)) \wedge \mathrm{exit}(e', r)$ holds from $\mathrm{false\_exit}(e', r)$. We have $\mathrm{in}(e', r') \vee \mathrm{enter}(e', r')$ from $\mathrm{in}(e', r) \vee \mathrm{enter}(e', r)$ because of $r \subseteq r'$ and the definitions of in and enter. Then, $\neg\mathrm{exit}(e', r')$ because of Definition 3.3 of Qsets. $s' \in r'$ because of $s' \in r$ and $r \subseteq r'$. Therefore, $s \in r'$ because of $\neg\mathrm{exit}(e', r')$. ∎

function make-Qset(e, r)
  /* e is the target event of a potential Qset */
  if (r ⊂ ER(e))
    if (∃e' ∈ E : false_exit(e', r))
      /* Recur, adding essential states to r */
      return make-Qset(e, r ∪ Img_{e'}(r));
    else
      /* r is a Qset */
      return r;
    end if
  else
    /* No Qset can be found */
    return ∅;
  end if
end function

Figure 5. Algorithm for making a Qset from a given set of states
3.3. Event triples

To formalize the definition of event triples, we first define a decomposition of a set of states into two parts, before and after the occurrence of some transition $e$: $S_{\prec e} = B_{S,\neg e}(ER(e))$ and $S_{\succ e} = S - S_{\prec e}$. We then apply this to constrain the ordering of events by letting $S$ be the excitation region of some event. That is, when we wish to constrain $e$ to occur before $t$ we must avoid firing any transition of $t$ from the set of states $ER(t)_{\prec e}$. Notice that this set of states does not include states in $ER(t)$ that occur before $e$. That is, the notion of before is reset by the presence of $e$.

An event triple is an ordered triple $(L, t, U)$ associated with a Qset $q$ for a target event $t$ that causes a failure from some state in $q$. It consists of a set of enter events, the target failure event, and a set of escape events. An enter event $l \in L$ is an event associated with a non-failure transition entering $q$. An escape event $u \in U$ is an event that must satisfy two conditions: 1) $u$ must be associated with a non-failure transition that exits $q$ and 2) $q_{\prec u}$ equals $q$. Intuitively, an escape event $u$ is an event for which, if constrained to occur before $t$, all failure transitions of $t$ from $q$ are avoided. This is formalized below.
Definition 3.4 (Event triple) Let $TS = (S, E, T, s_{in})$ be a TS with a set of failure transitions $T_{fail} \subseteq T$. Let $L, U \subseteq E$ and $t \in E$. Let $q \subseteq F(s_{in})$ be a Qset for event $t$, denoted $Qset(t)$. The triple $(L, t, U)$ is an event triple for $q$ if all $l \in L$ and $u \in U$ satisfy:

• $\mathrm{enter}(l, q)$

• $\mathrm{exit}(u, q) \wedge q_{\prec u} = q$

• If $t \in E_I$ then $u \in E_G$
The intuition of an event triple is that a failure will occur if $t$ fires after any $l \in L$ and before all $u \in U$. As long as this condition is not satisfied, the failure associated with this Qset is avoided. In particular, we observe that the subset of states of $ER(t)$ that occur after any $l \in L$ is $\bigcup_{l \in L} ER(t)_{\succ l}$ and the subset of states of $ER(t)$ that occur before all escape events is $\bigcap_{u \in U} ER(t)_{\prec u}$. Our intuition implies that it is sufficient to remove only those transitions of $t$ from states in the intersection of these two sets. However, this is not true if all $l \in L$ also occur after $q$ in such a way that states in $q$ from which we need to remove transitions of $t$ are considered to occur before $l$. Consequently, for this case, we propose to expand the set of states from which we remove transitions of $t$ to those that occur before all $u \in U$ and, in particular, do not check their relationship with $l \in L$.
The fact that a Qset must not have any false exit events ensures that the transition of an escape event leaves the Qset as desired. In addition, for Qsets with target events that are inputs, we find a non-input escape event. Otherwise, the event triple would imply a constraint that restricts the ordering of input signals and thus alters the circuit specification.
To prove failure-freedom, let $T_{L \prec t \prec U}$ denote the set of transitions we will associate with the event triple $(L, t, U)$. Our goal is to define this set such that we can prove that if this set of transitions is avoided, the failure associated with the Qset is circumvented. Let $T^c$ be the constrained transition relation derived from $T$ by removing the transitions in $T_{L \prec t \prec U}$ associated with each event triple. Let $F^c(s_{in})$ be the set of reachable states from $s_{in}$ through the constrained transition relation $T^c$. Similarly, let $ER^c(t)$ represent the constrained excitation region of $t$ derived from $ER(t)$ by removing states from which transitions of $t$ have been removed from $T$. We then have the following theorem.
Theorem 3.1 Let $TS = (S, E, T, s_{in})$ be a TS with a set of failure transitions $T_{fail} \subseteq T$. Given a Qset $q \subseteq F(s_{in})$ with an event triple $(L, t, U)$, let $T_{L \prec t \prec U}$ be defined as follows:

1. If $\exists l \in L$ such that $ER(t)_{\prec l} \cap q = \emptyset$, then $T_{L \prec t \prec U} = \{(s, t, s') \mid s \in \bigcup_{l \in L} ER(t)_{\succ l} \cap \bigcap_{u \in U} ER(t)_{\prec u}\}$.

2. Otherwise, $T_{L \prec t \prec U} = \{(s, t, s') \mid s \in \bigcap_{u \in U} ER(t)_{\prec u}\}$.

Then $F^c(s_{in}) \cap ER^c(t) \cap q = \emptyset$, i.e., failures associated with $q$ are circumvented.

Proof (By contraposition): Consider $s \in q \cap F^c(s_{in})$. We know that $s \in q \Rightarrow s \in q_{\prec u}$ for any $u \in U$ because the definition of $u$ implies that $q_{\prec u} = q$. This means that $s \in ER(t)_{\prec u}$ because $q \subseteq ER(t)$. Consequently, $s \in \bigcap_{u \in U} ER(t)_{\prec u}$.

Now consider the case for which $\exists l \in L$ such that $ER(t)_{\prec l} \cap q = \emptyset$. This implies that $s \notin ER(t)_{\prec l}$ because $s \in q$. It then follows that $s \in ER(t) - ER(t)_{\prec l}$ because $s \in q$ and $q \subseteq ER(t) \Rightarrow s \in ER(t)$. This means that $s \in ER(t)_{\succ l}$, which implies that $s \in \bigcup_{l \in L} ER(t)_{\succ l}$.

Consequently, we can conclude that the transition of $t$ from $s$ is in $T_{L \prec t \prec U}$ and thus $s \notin ER^c(t)$. ∎
Consider the $Qset(x+)$ $q$ for a target event x+ we discussed earlier for the GasP circuit in Figure 4. le+ is an enter event because there are three non-failure transitions labeled le+ which enter the Qset through s32, s33 and s35 respectively. out+ is an escape event because 1) there is a non-failure transition out+ which exits the Qset from s35 and 2) $q_{\prec out+}$ is {s32, s33, s34, s35}, which equals $q$. Thus, (le+, x+, out+)¹ is an event triple for $Qset(x+)$.

Let us now evaluate $T_{L \prec t \prec U}$. Note that $ER(x+)_{\prec le+} = B_{ER(x+),\neg le+}(ER(le+)) = B_{ER(x+),\neg le+}(\{s30, s31\}) = \emptyset$, where $ER(x+) = \{s1, s2, s3, s4, s5, s6, s7, s8, s32, s33, s34, s35\}$. Thus, $ER(x+)_{\succ le+} = ER(x+) - ER(x+)_{\prec le+} = ER(x+)$. Similarly, it can be shown that $ER(x+)_{\prec out+} = \{s32, s33, s34, s35\}$. Consequently, $T_{L \prec t \prec U} = \{(s, t, s') \mid s \in ER(x+)_{\succ le+} \cap ER(x+)_{\prec out+}\}$, whose source states are {s32, s33, s34, s35}, and all failure transitions of x+ from $Qset(x+)$ will be removed. That is, the timing constraint represented by this event triple effectively prunes these failure transitions from the reachable state space. Consequently, if the Qset is entered, out+ must always be taken before the target event x+.

Note that the transition out+ enabled at state s34 in the $Qset(x+)$ is another failure transition. This failure transition will be effectively pruned by the event triple of the $Qset(out+)$ that consists of state s34.
One potential issue with the semantics of an event triple is that while the constrained ordering of events is necessary to avoid a failure only in the Qset for which it is defined, the constraint applies to the entire state space. Consequently, the constraint may unnecessarily make some states unreachable, reducing concurrency, in many other parts of the state space. In practice, however, we have not found this unnecessary reduction in concurrency to be a significant problem.
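The reachability and image operators of Section 2.3, the predicates of Definition 3.2, make-Qset (Figure 5) and the constrained transition set $T_{L \prec t \prec U}$ of Theorem 3.1, implemented in Python as an added example; this is not code from the paper or the RTCG tool. The transition system below, its states s0..s6 and its events a, c, x, u, t are constructed for the illustration and are not the paper's GasP TS, and $B_{r,\neg e}$ is computed as a single backward search that stays within $r$ and never fires $e$.

```python
FAIL = "⊥"  # sink of every failure transition (the paper's "⊥" symbol)

class TS:
    """TS = (S, E, T, s_in) with failure transitions T_fail ⊆ T and input events E_I."""
    def __init__(self, s_in, good, fail, inputs=()):
        self.s_in, self.T_fail, self.E_I = s_in, set(fail), set(inputs)
        self.T = set(good) | self.T_fail
        self.ok = self.T - self.T_fail                  # T' = T - T_fail
        self.S = {s for s, _, _ in self.T} | {d for _, _, d in self.ok}
        self.E = {e for _, e, _ in self.T}

    def ER(self, e):                                    # excitation region ER(e)
        return {s for s, ev, _ in self.T if ev == e}

    def img(self, e, S1):                               # forward image Img_e(S')
        return {d for s, ev, d in self.ok if ev == e and s in S1}

    def backward(self, S1, within=None, avoid=None):
        """B_{r,¬e}(S'): reach S' staying inside `within`, never firing `avoid` (empty path counts)."""
        within = self.S if within is None else within
        found = frontier = set(S1) & within
        while frontier:
            new = {s for s, ev, d in self.ok
                   if d in frontier and s in within and ev != avoid} - found
            found, frontier = found | new, new
        return found

    def forward(self, S1, trans):                       # F(S') over trans - T_fail
        good = trans - self.T_fail
        found = frontier = set(S1)
        while frontier:
            new = {d for s, _, d in good if s in frontier} - found
            found, frontier = found | new, new
        return found

def in_(ts, e, S1):                                     # in(e, S') of Definition 3.2
    return any(ev == e and s in S1 and d in S1 for s, ev, d in ts.ok)

def enter(ts, e, S1):                                   # enter(e, S')
    return any(ev == e and s not in S1 and d in S1 for s, ev, d in ts.ok)

def exit_(ts, e, S1):                                   # exit(e, S')
    return any(ev == e and s in S1 and d not in S1 for s, ev, d in ts.ok)

def false_exit(ts, e, S1):
    return (in_(ts, e, S1) or enter(ts, e, S1)) and exit_(ts, e, S1)

def make_qset(ts, e, r):
    """Figure 5: smallest Qset(e) containing r, or the empty set if none exists."""
    r = set(r)
    while r < ts.ER(e):                                 # a Qset is a proper subset of ER(e)
        bad = [e2 for e2 in ts.E if false_exit(ts, e2, r)]
        if not bad:
            return r                                    # no false exit left: r is a Qset
        r |= ts.img(bad[0], r)                          # add essential states (Prop. 3.1)
    return set()

def before(ts, S1, e):                                  # S'_{≺e} = B_{S',¬e}(ER(e))
    return ts.backward(ts.ER(e), within=S1, avoid=e)

def is_event_triple(ts, q, L, t, U):
    """Definition 3.4: each l enters q, each u exits q with q_{≺u} = q, input t gets no input u."""
    return (all(enter(ts, l, q) for l in L)
            and all(exit_(ts, u, q) and before(ts, q, u) == q for u in U)
            and (t not in ts.E_I or not (set(U) & ts.E_I)))

def constrained_transitions(ts, q, L, t, U):
    """T_{L≺t≺U} of Theorem 3.1: the transitions of t removed by the RT constraint."""
    er = ts.ER(t)
    before_all_u = set(er)
    for u in U:
        before_all_u &= before(ts, er, u)
    if any(not (before(ts, er, l) & q) for l in L):     # case 1: some l precedes all of q
        after_any_l = set()
        for l in L:
            after_any_l |= er - before(ts, er, l)
        src = after_any_l & before_all_u
    else:                                               # case 2: ignore the enter events
        src = before_all_u
    return {tr for tr in ts.T if tr[1] == t and tr[0] in src}

def reachable_failures(ts, removed):
    """Failure transitions whose source lies in F^c(s_in) once `removed` is cut from T."""
    tc = ts.T - removed
    reach = ts.forward({ts.s_in}, tc)
    return {tr for tr in tc & ts.T_fail if tr[0] in reach}

# Constructed TS (not the paper's GasP TS): c and x are concurrent after a, u is the
# escape event, and t is a failure from s2, s3 and s4 but safe from s5 (after u).
EXAMPLE = TS("s0",
             good=[("s0", "a", "s1"), ("s1", "c", "s2"), ("s1", "x", "s3"),
                   ("s2", "x", "s4"), ("s3", "c", "s4"), ("s4", "u", "s5"),
                   ("s5", "t", "s6")],
             fail=[("s2", "t", FAIL), ("s3", "t", FAIL), ("s4", "t", FAIL)])

if __name__ == "__main__":
    q = make_qset(EXAMPLE, "t", {"s2", "s3"})           # grows to {s2, s3, s4}
    removed = constrained_transitions(EXAMPLE, q, {"c", "x"}, "t", {"u"})
    print(sorted(q), sorted(removed), reachable_failures(EXAMPLE, removed))
```

Starting from the two failure sources {s2, s3}, make_qset adds s4 because c and x are false exits of that set; the triple ({c, x}, t, u) then falls under case 2 of the theorem and removes every failing t, leaving the constrained TS failure-free.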
3.4. Finding Initial Qsets and Event Triples
Our algorithm for finding the initial Qsets and corresponding event triples is as follows. First, for each property of interest we identify the events involved in the corresponding failure transitions. For each such event, we use the make-Qset function to create a Qset that includes the source state of the corresponding failure transitions. Note that multiple Qsets of the same event may be created if that event violates multiple properties. The decomposition of Qsets based on property violations, however, increases the chance of finding reasonable escape events. Note that if make-Qset fails to find a Qset, the algorithm aborts, indicating that no relative timing constraints can be found that are sufficient for correctness.

¹For simplicity, we omit the set notation for singleton L's and U's.
For any Qset $q$ with no escape event, we create a new Qset for each enter event $e$ of $q$. In particular, we use make-Qset to create a Qset for $e$ that includes the sources of all the entering state transitions. The basic idea is that the constraints associated with the event triples of the new Qsets will implicitly ensure that the failure transitions from $q$ cannot occur. We say the new Qsets cover $q$. We repeat this procedure until all Qsets have either at least one escape event or no enter events. If, however, during this procedure a Qset with no escape event is encountered that contains $s_{in}$, the algorithm aborts, indicating that no relative timing constraints could be found.
We further examine Qsets obtained that have no enter event. There are three cases to consider. The first case is where we have a Qset with no enter event that does not include the initial state. The only possibility for this Qset is that the transitions that enter this set are newly defined failure transitions. In this case, this Qset can only be reached by failure transitions, which implies that it is covered by other Qsets and can be discarded from consideration. The second case is where the Qset has the initial state $s_{in}$ and has an escape event. In this case, the Qset is assigned a special reset enter event that represents the initial power up of the circuit. The last case is where the Qset contains $s_{in}$ but has no escape event. In this case, upon reset, there is no constraint that can avoid the failure, and the procedure aborts, indicating that no relative timing constraints could be found.
If the above procedure is successful, each remaining Qset has one target event and possibly many escape and enter events. Consequently, it follows from Theorem 3.1 that the set of relative timing constraints implied by the identified event triples guarantees the circuit avoids all failures. When the specification is mirrored, forming a closed system, this also implies that the circuit conforms [7, 15] to the specification. The number of initial constraints, however, may be very large, motivating the constraint optimizations discussed in the next section.
4. Optimization of relative timing constraints

The relative timing paradigm [19] allows the existence of many possible sets of timing constraints that are sufficient to guarantee the correctness of circuits. Each relative timing constraint effectively reduces the concurrency allowed by the circuit by constraining the relative ordering of otherwise concurrent signal transitions. The initial constraint generation method described above finds a set of relative timing constraints whose goal is to minimally reduce concurrency while still ensuring correctness. The result, however, is a set of constraints which may be very large and difficult to validate. This section discusses methods to optimize the set of initial constraints into a smaller set of typically stronger constraints which is more easily verifiable. These methods can be used to trade off additional reduction in concurrency for reduced complexity of constraints.
In particular, we present two basic procedures for strengthening an RT constraint by manipulating Qsets. The first involves creating new failure transitions and a new Qset that covers an existing Qset in a procedure we call move-Qset. The second involves merging existing Qsets for the same target event, yielding a typically smaller set of event triples for the merged Qset, in a procedure we call merge-Qsets.
4.1. Moving a Qset
Consider a constraint implied by an event triple (x+, le-, s+) (implying that le- should not fire before s+ and after x+) for the $Qset(le-)$ $q$ = {s11, s12} in Figure 4. This timing constraint can be strengthened by constraining the preceding transition s+ enabled at s1, s2, s3 or s4 to occur before x+. In general, the process of strengthening a constraint for a target event $t_2$ involves creating a Qset that contains the sources of all state transitions of some event $t_1$ that precede transitions of $t_2$ and avoiding $t_2$ by creating constraints that avoid $t_1$. Note that timing constraints associated with input target events should not be strengthened since this may result in improperly altering the circuit specification.
Function move-Qset, shown in Figure 6, implements this strengthening process. Let us consider the Qset(le−) q = {s11, s12} again and try to move q to a new Qset for a target event x+. The function first verifies that q's target event le− is not an input event. It then determines that q is unreachable from the initial state s16 without firing a transition x+ because the backward reachability set of q without firing x+, B_{¬x+}(q) = {s11, s12}, does not include s16. Thus, it calls make-Qset to try to make a new Qset q' for the target event x+ from the initial set of states Img^{-1}_{x+}(B_{¬x+}(q)) = {s1, s2, s3, s4}. Because Img^{-1}_{x+}(B_{¬x+}(q)) already satisfies the Qset condition in Definition 3.3, make-Qset returns q' = {s1, s2, s3, s4}. Since there is an escape event s+ from q', move-Qset returns the Qset(x+) q' as a new Qset which covers q. The constraint implied by the event triple
(out+, x+, s+) from the new Qset q' means that x+ should not fire before s+ and after out+. As expected, this constraint avoids the failure transitions.
Proceedings of the Eighth International Symposium on Asynchronous Circuits and Systems (ASYNC'02)
1522-8681/02 $17.00 © 2002 IEEE

function move-Qset(e, q)
  t := the target event of q;
  /* Do not move a Qset for an input target event */
  if (t ∉ E_I)
    if (s_init ∉ B_{¬e}(q))
      q' := make-Qset(e, Img^{-1}_e(B_{¬e}(q)));
      if there is an escape event from q'
        return q';

Figure 6. Algorithm for moving a Qset to a new target event
4.2. Merging a Qset
Consider a constraint implied by an event triple (out+, x+, s+) for the Qset(x+) {s1, s2, s3, s4}, relabeled q1 for convenience, that is newly created by moving q in the previous section, and a constraint implied by an event triple (le+, x+, out+) for the Qset(x+) q2 = {s32, s33, s34, s35} in Figure 4. These two constraints can be satisfied if a transition s+ enabled at states in q1 is constrained to occur before x+ enabled at states in q1 ∪ q2 after firing le+. This effectively merges the two constraints implied by the neighboring event triples (out+, x+, s+) and (le+, x+, out+).
Function merge-Qsets, shown in Figure 7, implements this merging process. Observe the Qsets q1 = {s1, s2, s3, s4} and q2 = {s32, s33, s34, s35} again in Figure 4. Because they have the same target event x+, it calls make-Qset to try to create a new Qset q' for event x+ from q1 ∪ q2. Because q1 ∪ q2 already satisfies the Qset condition in Definition 3.3, make-Qset successfully returns q' = {s1, s2, s3, s4, s32, s33, s34, s35}. Since there is an escape event s+ from q', merge-Qsets returns Qset(x+) q' as a new Qset which covers both q1 and q2. Now the event triple for q', (le+, x+, s+), implies a new RT constraint. The failure is avoided if x+ does not fire before s+ and after le+. However, because le+ is the causal predecessor of x+, le+ will always fire before x+. Thus, the constraint effectively only imposes the ordering that s+ should fire before x+. As expected, this constraint makes the constraints associated with q1 and q2 redundant. Note that strengthening a constraint may also be able to make other unrelated constraints redundant.
function merge-Qsets(q1, q2)
  e1 := the target event of q1;
  e2 := the target event of q2;
  if (e1 = e2)
    q' := make-Qset(e1, q1 ∪ q2);
    if there is an escape event from q'
      return q';

Figure 7. Algorithm for merging Qsets for the same target event
4.3. Top level algorithm
The optimization procedures move-Qset and merge-Qsets are used both to reduce the overall number of constraints and to support hierarchical verification by moving Qsets to primary input target events. For example, a constraint that refers to an internal signal, which may be difficult to observe and control, can be converted to one that refers to primary inputs to simplify the validation of the constraints and support hierarchical timing analysis. In particular, such constraints may make it possible to constrain only the environment of the circuit and not require the circuit to be re-designed. In the future, the moving of Qsets can be guided by rough timing analysis (e.g., using timed event structures such as in [14]) that could identify which constraints can be strengthened without unduly constraining the relative delays of circuit components. Currently, our application of these optimizations is rather straightforward. We try to move all Qsets to primary inputs and then merge Qsets with the same target events, removing any constraint that becomes redundant.
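The following is an added example, not code from the paper or from the RTCG tool, that runs the move-Qset (Figure 6) and merge-Qsets (Figure 7) procedures of Sections 4.1 to 4.3 on a small explicit transition system. The transition system, its state names, the set of input events, and the simplified Qset condition and escape-event test are constructed assumptions (the paper's Figure 4 and Definition 3.3 are not reproduced here); the helper names backward_reach_avoiding, inverse_image, make_qset, escape_events and event_triples are likewise this example's own.

```python
"""Qset manipulation from Section 4 (move-Qset, merge-Qsets) on a toy transition system.

Added example; not the RTCG tool's own code.  The transition system, the state
names, the input-event set and the simplified Qset/escape-event conditions are
constructed assumptions for illustration (the paper's Figure 4 and
Definition 3.3 are not reproduced here).
"""

# Constructed transition system: (state, event) -> next state.
# Events are signal transitions; ASCII "-" stands for a falling transition.
TS = {
    ("A", "out+"): "P",    # out+ leads into P
    ("A", "y+"): "D",
    ("D", "le+"): "P2",    # le+ leads into P2
    ("P", "x+"): "Q",      # x+ from P enters the failure Qset q = {Q}
    ("P", "s+"): "R",      # s+ escapes from P
    ("P2", "x+"): "Q3",
    ("P2", "s+"): "R2",
    ("R", "x+"): "Q2",
    ("Q", "le-"): "F",     # le- fired here is the failure guarded by q
    ("Q", "s+"): "Q2",
}
INIT = "A"
INPUT_EVENTS = frozenset({"y+", "le+"})   # assumed environment-driven events


def enabled(ts, state):
    """Events enabled at `state`."""
    return {e for (s, e) in ts if s == state}


def backward_reach_avoiding(ts, q, avoid):
    """B_{not avoid}(q): states from which q is reachable without firing `avoid`."""
    reach, frontier = set(q), set(q)
    while frontier:
        frontier = {s for (s, e), t in ts.items()
                    if t in frontier and e != avoid and s not in reach}
        reach |= frontier
    return reach


def inverse_image(ts, event, states):
    """Img^{-1}_event(states): states that enter `states` by firing `event`."""
    return {s for (s, e), t in ts.items() if e == event and t in states}


def make_qset(ts, target, states):
    """Simplified Qset condition (an assumption standing in for Definition 3.3):
    non-empty, and `target` is enabled in every state.  Returns None otherwise."""
    if states and all(target in enabled(ts, s) for s in states):
        return frozenset(states)
    return None


def escape_events(ts, qset, target):
    """Assumed reading of 'escape event': an event other than `target` enabled in
    every state of the Qset whose firing always leaves the Qset."""
    common = set.intersection(*(enabled(ts, s) for s in qset)) - {target}
    return {e for e in common if all(ts[(s, e)] not in qset for s in qset)}


def event_triples(ts, qset, target):
    """(entry, target, escape) triples for a Qset: entry events lead into the
    Qset from outside; the RT constraint reads 'target must not fire after
    entry and before escape'."""
    entries = {e for (s, e), t in ts.items() if t in qset and s not in qset}
    escapes = escape_events(ts, qset, target)
    return {(en, target, esc) for en in entries for esc in escapes}


def move_qset(ts, init, inputs, event, q, q_target):
    """Figure 6: move Qset q (target q_target) to a new Qset for `event`."""
    if q_target in inputs:
        return None                       # do not strengthen input targets
    b = backward_reach_avoiding(ts, q, event)
    if init in b:
        return None                       # q reachable without firing event
    new = make_qset(ts, event, inverse_image(ts, event, b))
    if new is not None and escape_events(ts, new, event):
        return new
    return None


def merge_qsets(ts, q1, t1, q2, t2):
    """Figure 7: merge two Qsets that share a target event."""
    if t1 != t2:
        return None
    new = make_qset(ts, t1, set(q1) | set(q2))
    if new is not None and escape_events(ts, new, t1):
        return new
    return None


if __name__ == "__main__":
    moved = move_qset(TS, INIT, INPUT_EVENTS, "x+", {"Q"}, "le-")
    print("moved Qset(x+):", sorted(moved), event_triples(TS, moved, "x+"))
    merged = merge_qsets(TS, moved, "x+", {"P2"}, "x+")
    print("merged Qset(x+):", sorted(merged), event_triples(TS, merged, "x+"))
```

Running the module moves the failure Qset {Q} (target le−) to the Qset {P} for target x+ with the single triple (out+, x+, s+), and then merges it with the constructed Qset {P2} into {P, P2}, whose triples are (out+, x+, s+) and (le+, x+, s+). The two refusal paths of Figure 6 are also exercised: a Qset whose target is an input event is left alone, and a move is abandoned when the initial state can reach the Qset without firing the new target event.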
5. Experimental results
We have implemented the algorithms described in the previous sections into our tool RTCG using symbolic BDD-based techniques for reachability analysis. All experiments have been performed on a 450 MHz, 1 GB Ultra SPARC60 machine. The properties verified for each circuit consist of semi-modularity, conformance to its specification, and the absence of prolonged short-circuit current. In all cases, we have formally verified that the derived relative timing constraints guarantee failure-freedom by performing reachability analysis on the constrained transition system.
We applied our algorithm to the asynchronous benchmark circuits generated using standard synchronous technology mapping of speed-independent complex-gate circuits [14]. Consequently, these examples are not hazard-free under the unbounded delay model. We also tested several real-life industrial circuit blocks [16, 21, 17] for which our generated RT constraints have been further verified using Analyze [20]. Moreover, the generated constraint sets for these circuits are the same size or smaller than that of the hand-optimized constraints. For all circuits tested, the tool successfully generated a sufficient set of relative timing constraints.
Table 1 shows the obtained results. The second and third columns list the number of signals and gates in the circuit. The fourth column reports the number of untimed reachable states. The fifth and sixth columns report the numbers of initial and optimized Qsets. Finally, the last column, labeled cpu, shows run times given in seconds.
5.1. A GasP FIFO control circuit
This section discusses the RTCG generated RT constraints for the GasP FIFO control circuit in Figure 2. Note that although our running example used a simplified TS, the tool generated these results from the complete TS. The results are given in Table 2, which shows a list of Qsets and corresponding event triples generated for this circuit. The second column indicates the size of the Qset in terms of number of states and the last column lists the associated event triples.
Consider the constraint implied by the event triple (x+, x−, le−) for Qset q1. It captures the timing assumption we need to have for the left environment, stating that once x turns on the N-type transistor to drive le LO, x should not go LO before le goes LO. In addition, consider the event triple (re−, y−, b−) for Qset q2. This constraint avoids the short-circuit current on the state conductor re, stating that once re goes LO, by the time the right environment turns on the P-type transistor by firing y−, the N-type transistor driving re should have been turned off by firing b−.
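The event triples of Table 2 are ordering rules on signal transitions, and the paper's point is that such rules are easy to check. The following added example, not code from the paper or from RTCG, checks event triples of the form (entry, target, escape) against a simulation trace: once an entry event has fired, the target must not fire before the escape event. The q1 and q2 triples are transcribed from Table 2 and Section 5.1; the traces are constructed, and ASCII "-" stands for the falling transitions the paper prints with a minus sign. A triple whose first component is a set of events, as for q3 in Table 2, is supported by passing a frozenset.

```python
"""Check relative-timing event triples against a trace of signal transitions.

Added example, not RTCG's code.  An event triple (entry, target, escape)
reads: once `entry` has fired, `target` must not fire before `escape`
(Section 5.1).  `entry` may be one event or a frozenset of events, as for
q3 in Table 2.  Traces below are constructed; ASCII '-' stands for a
falling transition.
"""


def check_triple(trace, triple):
    """Return the trace indices at which `target` fires while the constraint
    is armed, i.e. after an entry event and before the escape event.
    An empty list means the trace satisfies the triple."""
    entry, target, escape = triple
    entries = entry if isinstance(entry, (set, frozenset)) else frozenset({entry})
    armed = False
    violations = []
    for i, ev in enumerate(trace):
        if ev in entries:
            armed = True             # constraint window opens
        elif ev == escape:
            armed = False            # escape fired first: window closes safely
        elif ev == target and armed:
            violations.append(i)     # target fired inside the window
    return violations


def check_trace(trace, triples):
    """Map each violated triple to its violation indices; {} means the
    trace satisfies every triple."""
    result = {}
    for triple in triples:
        found = check_triple(trace, triple)
        if found:
            result[triple] = found
    return result


# Constraints transcribed from Table 2 (q1, q2, q3); first component of q3 is a set.
Q1 = ("x+", "x-", "le-")                        # after x+, x- must not precede le-
Q2 = ("re-", "y-", "b-")                        # after re-, y- must not precede b-
Q3 = (frozenset({"le+", "out-"}), "x+", "out+")  # after le+ or out-, x+ must not precede out+

# Constructed traces: the first respects q1 and q2, the second violates both.
GOOD_TRACE = ["x+", "le-", "x-", "re-", "b-", "y-"]
BAD_TRACE = ["x+", "x-", "le-", "re-", "y-", "b-"]


if __name__ == "__main__":
    print("good:", check_trace(GOOD_TRACE, [Q1, Q2]))
    print("bad: ", check_trace(BAD_TRACE, [Q1, Q2]))
```

The checker is a two-state automaton per triple, which is what makes these constraints cheap to validate on long simulation traces: each trace event costs one comparison per constraint and no state beyond the armed flag.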
6. Conclusions
This paper presented a novel relative-timing technique to facilitate the design and verification of emerging high performance circuit design methodologies that rely on complex two-sided timing constraints. In particular, this paper presents the first automatic procedure for generating and optimizing a set of RT constraints sufficient to ensure correctness from the untimed specification of the circuit. The procedure has been implemented in our tool RTCG and has been applied to several real-life circuits. For all circuits tested, the tool successfully generates a sufficient set of
relative timing constraints. Moreover, the generated constraint sets for these circuits are the same size or smaller than that of the hand-optimized constraints. Our future work includes the characterization of the class of circuits for which the relative timing constraints are appropriate and the exploration of techniques to guide practical design choices that satisfy these constraints.

Qset   size   event triple
q1      29    (x+, x−, le−)
q2      33    (re−, y−, b−)
q3      21    ({le+, out−}, x+, out+)
q4      24    (y−, y+, re+)
q5       8    ({a+, y−}, re+, b+)
q6       5    ({a+, re+, x+}, out−, x−)
q7       3    (b−, out+, re−)
q8       8    (r+, s−, a−)
q9      12    ({le−, re+}, a−, s+)
q10      7    (out−, b+, y+)
Table 2. RT constraints for the GasP circuit
Acknowledgement
The authors would like to thank Jordi Cortadella for providing his asynchronous benchmarks and for invaluable comments on this work. We also thank the anonymous reviewers of earlier versions of this work who have motivated numerous theoretical and practical improvements. This research has been partly supported by NSF grants CCR-9812164 and 53-4503-0640 and gifts from TRW and Fulcrum Microsystems.
References
[1] R. Alur and D. L. Dill. A theory of timed automata. Theoretical Computer Science, 126(2):183-235, 1994.
[2] W. Belluomini. Algorithms for Synthesis and Verification of Timed Circuits and Systems. PhD thesis, Department of Computer Science, University of Utah, Sept. 1999.
[3] W. Belluomini, C. J. Myers, and H. P. Hofstee. Verification of delayed-reset domino circuits using ATACS. In Proc. International Symposium on Advanced Research in Asynchronous Circuits and Systems, pages 3-12, Apr. 1999.
[4] J. R. Burch, E. M. Clarke, D. E. Long, K. L. McMillan, and D. L. Dill. Symbolic model checking for sequential circuit verification. IEEE Transactions on Computer-Aided Design, 13(4):401-424, April 1994.
[5] T.-A. Chu. Synthesis of Self-Timed VLSI Circuits from Graph-Theoretic Specifications. PhD thesis, MIT Laboratory for Computer Science, June 1987.
[6] J. Cortadella, M. Kishinevsky, L. Lavagno, and A. Yakovlev. Synthesizing Petri nets from state-based models. Technical report, Universitat Politecnica de Catalunya, 1995.
name                 # signals   # gates   # untimed states   # init. Qsets   # opt. Qsets      cpu
GasP-control                 9         7                148              17             10     2.74
global-STP-Natomic           6         5                 77              14             10     1.42
global-STP-Nglobal           5         3                380              11              7     1.23
RAPPID-ByteCtl               7         4                155              16             14     3.25
clk-gen                     10         9                128               8              3     0.84
rcv-setup                   11         8                105              12              8     4.17
sbuf-read-ctl               18        15                131               9              4     6.76
alloc-outbound              20        16                139               9              3    13.08
mp-forward-pkt              13        10                125               3              3     0.89
chu133                      12         9                198              15              3     4.33
dff                          8         6                173              32             28    27.17
sbuf-send-ctl               16        13                633              22             16    41.39
sbuf-send-pkt2              17        13                481              25             16    69.97
converta                    14        12                559              25             24   113.12
ram-read-sbuf               23        18               2428              25             13   127.98
Table 1. Experimental results
[7] D. L. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits. ACM Distinguished Dissertations. MIT Press, 1989.
[8] M. Kishinevsky, A. Kondratyev, A. Taubin, and V. Varshavsky. Concurrent Hardware: The Theory and Practice of Self-Timed Design. Series in Parallel Computing. John Wiley & Sons, 1994.
[9] C. J. Myers, T. G. Rokicki, and T. H.-Y. Meng. Automatic synthesis and verification of gate-level timed circuits. Technical Report CSL-TR-94-652, Stanford University, Jan. 1995.
[10] R. Negulescu. Process Spaces and Formal Verification of Asynchronous Circuits. PhD thesis, Department of Computer Science, University of Waterloo, Waterloo, Ontario, Canada, Aug. 1998.
[11] R. Negulescu and A. Peeters. Verification of speed-dependences in single-rail handshake circuits. In Proc. International Symposium on Advanced Research in Asynchronous Circuits and Systems, pages 159-170, 1998.
[12] M. Nielsen, G. Rozenberg, and P. S. Thiagarajan. Elementary transition systems. Theoretical Computer Science, 96:3-33, 1992.
[13] K. J. Nowka and T. Galambos. Circuit design techniques for a gigahertz integer microprocessor. In Proc. International Conf. Computer Design (ICCD), pages 11-16, Oct. 1998.
[14] M. A. Pena, J. Cortadella, A. Kondratyev, and E. Pastor. Formal verification of safety properties in timed circuits. In Proc. International Symposium on Advanced Research in Asynchronous Circuits and Systems, pages 2-11. IEEE Computer Society Press, Apr. 2000.
[15] O. Roig. Formal Verification and Testing of Asynchronous Circuits. PhD thesis, Universitat Politecnica de Catalunya, May 1997.
[16] S. Rotem, K. Stevens, R. Ginosar, P. Beerel, C. Myers, K. Yun, R. Kol, C. Dike, M. Roncken, and B. Agapiev. RAPPID: An asynchronous instruction length decoder. In Proc. International Symposium on Advanced Research in Asynchronous Circuits and Systems, pages 60-70, Apr. 1999.
[17] D. Sager, G. Hinton, M. Upton, T. Chappel, T. D. Fletcher, S. Samaan, and R. Murray. A 0.18um CMOS IA32 microprocessor with a 4GHz integer execution unit. In International Solid State Circuits Conference, pages 324-325, Feb. 2001.
[18] S. Schuster, W. Reohr, P. Cook, D. Heidel, M. Immediato, and K. Jenkins. Asynchronous Interlocked Pipelined CMOS circuits operating at 3.3-4.5GHz. In International Solid State Circuits Conference, pages 292-293, Feb. 2000.
[19] K. Stevens, R. Ginosar, and S. Rotem. Relative timing. In Proc. International Symposium on Advanced Research in Asynchronous Circuits and Systems, pages 208-218, Apr. 1999.
[20] K. S. Stevens. Practical Verification and Synthesis of Low Latency Asynchronous Systems. PhD thesis, Dept. of Computer Science, University of Calgary, Canada, Sept. 1994.
[21] I. Sutherland and S. Fairbanks. GasP: A minimal FIFO control. In Proc. International Symposium on Advanced Research in Asynchronous Circuits and Systems, pages 46-53. IEEE Computer Society Press, Mar. 2001.
[22] I. Sutherland and J. Lexau. Designing fast asynchronous circuits. In Proc. International Symposium on Advanced Research in Asynchronous Circuits and Systems, pages 184-193. IEEE Computer Society Press, Mar. 2001.
[23] A. Yakovlev, L. Lavagno, and A. Sangiovanni-Vincentelli. A unified signal transition graph model for asynchronous control circuit synthesis. In Proc. International Conf. Computer-Aided Design (ICCAD), pages 104-111. IEEE Computer Society Press, Nov. 1992.
[24] T. Yoneda and T. Yoshikawa. Using partial orders for trace theoretic verification of asynchronous circuits. In Proc. International Symposium on Advanced Research in Asynchronous Circuits and Systems. IEEE Computer Society Press, Mar. 1996.