DILL: Specifying digital logic in LOTOS by Turner, Kenneth J & Sinnott, Richard
Kenneth J. Turner and Richard O. Sinnott. DILL:  Specifying digital logic
in LOTOS. In Richard L. Tenney, Paul D. Amer, and M. Umit Uyar, editors,
Proc. Formal Description Techniques VI, pages 71-86.  North-Holland,
Amsterdam, Netherlands, 1994.
DILL: SpecifyingDigital Logic in LOTOS
K. J.Turnera, R. O. Sinnotta
a Departmentof ComputingScience,Universityof Stirling, Stirling FK9 4LA, Scotland
As a relatively new applicationareafor LOTOS (LanguageOf Temporal OrderingSpecifica-
tion), thespecificationof digital logic is investigated.A specificationapproachis evolvedand
justified,illustratedwith basiclogic gatesandthelargerexampleof a keyboardcontroller. The
constructionandvalidationof thedigital componentlibrary arediscussed,alongwith aretrieval
tool thatallowsaccessto thelibrary.
Keyword Codes: B.2.1;B.6.1;F.4.3




1.1 Applications of LOTOS
Thispaperaddressesthespecificationandvalidationof digital logic componentsandcircuits
usingLOTOS(LanguageOf Temporal OrderingSpecification, [14]). LOTOShasbeenwidely and
successfullyusedto specifycommunicationsystemssuchasstandardsfor OSI (OpenSystems
Interconnection). This is hardly surprisingsinceLOTOS wasdevelopedfor just this purpose.
LOTOS hasalsobeenusedto specifystandardsin the areaof distributedsystemssuchas the
Traderof ODP(OpenDistributedProcessing, [15]) andTP (TransactionProcessing, [26]).
However, LOTOS might claim to be a general-purposelanguagefor applicationsthat are
sequentialor concurrent,closely-coupledor distributed,communicationsor otherwise. The
originsof LOTOS meanthat it hasso far seenlittle applicationoutsideOSI. Someforayshave
beenmadeinto relatedareassuchasmobilecommunications[8], spacecommunications[22],
telephony [6] andCIM (ComputerIntegratedManufacturing, [17]). However, completelynew
applicationareasareonly now beingsought. [10], for example,exploresthe valueof LOTOS
in the specificationof artificial neuralnetworks. This paperinvestigateshow LOTOS canbe
usedfor thespecificationandanalysisof digital logic designs.Othersimilar work onhardware
descriptionin LOTOS is reportedin [7].
1.2 Digital Logic Specificationin LOTOS
Digital logic designis well-understood;many textbooks(e.g.[16]) explain theoperationof
logic gatesandhow to combinetheminto larger circuits. Digital logic designis in practice
constrainedby the availability of specifichardwarecomponentsthat might be found in any
manufacturer’scatalogue.Thisallowsstandardcomponentsandcircuitsto beused.
Hardwaredescriptionhasbeenextensively studied. LanguagessuchasCIRCAL, ELLA,
HOL, LCF/LSM, RTL, temporallogic, VHDL andmany othershave beenusedto specifyand
analysehardware.Theliteratureon thissubjectis vast;a few selectedreferencesare[3, 9, 11–
13, 19, 20]. An interestingfoil to the work reportedin this paperis [24], which usesoccam
to specifyandsimulatelogic circuits. In commonwith all suchapproaches,the goal of the
work reportedin thispaperis to allow digital logic designsto bespecifiedandanalysedbefore
actuallybuilding hardware.So why try to tackletackledigital logic usingLOTOS whenthere
arealreadywell establishedandsuccessfulapproaches?Thereareseveralgoodreasons.
As a fully formal language,LOTOS supportsrigorousspecificationand analysisin a way
that semi-formallanguages(e.g.VHDL) do not. The formal basisof LOTOS alsoallows full
verificationof designs.LOTOS inheritsa well-developedtheoryof equivalencesandrelations
from thefield of processalgebras.Hardwaredescriptionlanguageswith a similar origin (e.g.
CIRCAL) have a similar advantage.However, becauseof its origin in datacommunications,
LOTOS alsohasa well-developedtheoryof testingandtestderivation(e.g.[2, 25]). Thisoffers
interestingalternativesto conventionalhardwaretestingandsimulation.
Somehardwaredescriptionlanguages(e.g.ARCHI, MIDL) areintendedfor specificationat
themicro-architecturelevel only. Others(e.g.CDL, DDL, ISPS,RTL) areusedat theregister
transferlevel only. LOTOS canbe usedin a wide-spectrummannerat a numberof levels of
abstraction.This allows a consistentformalismto be usedduring hardwaredesign,from the
high-level architecturedown to thegateor componentlevel. Refinementsbetweenlevels can
becheckedusingstandardLOTOS validationandverificationapproaches.
It is valuableto investigatethe applicability of a languageoutsideits original field (com-
municationsfor LOTOS). New applicationscanhelp to discover the strengthsandlimitations
of a language. LOTOS may be able to offer new insightsandbenefitscomparedto existing
approaches.LOTOS is supportedwith tools that allow differentanalysesfrom thosepossible
with otherhardwaredescriptionmethods.SincetheLOTOS philosophyis to write constructive
specifications(thoughthis is notenforced),simulationandrapidprototypingthroughtoolsoffer
attractivepossibilitiesfor hardwarevalidation.
[23] showshow a‘component-based’stylein LOTOScanbesuccessfullyusedtospecifydigital
logic designs.In particular, thisapproachfaithfully reflectstheview ahardwaredesignerwould
take,allowing a clearcorrespondencebetweencircuit designsandtheir LOTOS specifications.
As notedby [7], a key ingredientin thesuccessfuluseof LOTOS for hardwaredescriptionis its
supportof multi-waysynchronisation.ExtensionstoLOTOShavebeenproposedfor specification
of metric time andprobability (e.g. [1, 18]). Theseextensionswould allow timing (e.g.race
conditions)andperformance(e.g.reliability) to bespecifiedandanalysedformally in hardware
designusingLOTOS.
1.3 Overall Approach
Designis partly decompositional(top-down) andpartly compositional(bottom-up). Engi-
neeringexploits this by aiming to usecommoncomponentsin differentdesigns.Components
aredesignedandmanufacturedto definedinterfacesandstandards,enablingthemto beassem-
bledwith confidenceinto moreelaboratestructures.Anotherimportantaspectof engineeringis
thatready-madedesignsareoftenavailable.Thesecombineknown componentsin known ways
to achieve predictableresults.
Componentre-usehasbeenamajorthemein softwareengineeringfor many years.However,
in formal methodstherehasbeenlittle identificationof usefulspecificationcomponentsand
specificationstructuresusingthese.Thisis unfortunatesinceamajorpromiseof formalmethods
is verificationof thesystembeingspecified.Verificationis veryhardfor any but trivial systems,
soverificationof largeor complex systemsis usuallyinfeasiblein practice.A component-based
styleallowscomponentsto beverifiedindividually. Largercombinations(‘designs’)of trusted
componentscanthenbeverifiedmoreeasily. A component-basedstyleallows thespecifierto
takea higher-level, architecturalview of thespecification.This approachis elaboratedin [23],
wherea component-basedstylefor specifyingdigital logic is discussed.[21] givesa catalogue
of logic componentsanddesignsin LOTOS. Theearlierwork of [7] takesasimilar approach.
Thepurposeof thispaperis to presenttheessentialideasof DILL (Digital Logic in LOTOS),
asacomplemento thework reportedin [21,23]. TheDILL approachis explainedin section2,
alongwith the logic componentlibrary that is currentlysupported.Section3 discusses ome
fundamentalissuesfor useof LOTOS to specifydigital logic. As section4 shows, evensimple
logic gatescanbe modelledin a numberof differentways. A larger applicationof DILL in
section5 describeshow a keyboardcontroller can be specified. Validation andverification
issuesareconsideredin section6.
2 The DILL Approach
Thissectionexplainsthephilosophyandelementsof theDILL approach.
2.1 Philosophy
Thebasicphilosophyof DILL is thatit shouldbeeasyfor thehardwareengineerto translate
a circuit schematicinto a LOTOS specification,andthento analyseandverify thepropertiesof
this specification.Oncethe specificationis consideredto be correct,it shouldbe practicable
to realiseit usingthechosenhardwaretechnology. This approachhasseveral implicationsfor
DILL.
Thereis a needfor a componentlibrary – a collectionof LOTOS specificationfragmentsthat
describecommonlyavailablecomponents.To easethedesigner’s task,thecomponentlibrary
shouldmatchthehardwaretechnologythatwill beused.Forexample,theCMOSchipssupplied
by aparticularmanufacturermight bethetarget. Thelibrary shouldcontaingenericdefinitions
of componentsthat can be instantiatedin a specification. Sincecomponentsare specified
in LOTOS, the designermustbe familiar with how to combineLOTOS behaviour expressions;
fortunatelytherulesarereasonablystraightforwardanddo not requirean in-depthknowledge
of LOTOS.
It shouldbeeasyto referencethespecificationsof componentsin the library. This requires
documentationof the library, anda tool to extract the requiredspecificationfragments. The
designershouldnot needto know the internal constructionof the library. In particular, if a
componentis built from simplerones,thentheir definitionsshouldbe includedautomatically.
Thelibrary tool shouldalsoavoid multiple copiesof a componentspecification,asmight arise
if asimplercomponentis usedin severallargercomponentsthatareneeded.
It shouldbepossibletodescribelogicdesignsatdifferentlevelsof abstraction,andtorefineone
level into a moredetaileddesign.DILL doesnot provide guidelinesfor this, sincerefinements
will bemotivatedby normalhardwaredesignprocedures.However, DILL – throughLOTOS –
supportswide-spectrumspecificationat a varietyof levels,andhasa well-developedtheoryof
equivalencesandrelationsbetweenspecifications.
It shouldbepossibleto analyseandverify thespecificationgeneratedfrom adesign.Happily,
thereis a wealth of LOTOS tools to help here,so this aspectdoesnot requirespecificDILL
support.ExistingLOTOS toolssupporta varietyof analyses.Simulationcanbeusedto check
behaviour of acircuit manually. Unfoldingbehaviour to acertaindepthmightbeusedto detect
deadlocks.Checkingequivalencesandrelationsbetweenspecificationscouldverify correctness
of a lower-level designwith respectto a high-level one. Specificationsmight beanalysedfor
behavioural propertiessuchassafetyor liveness.
It shouldbepossibleto realisea specificationgeneratedby DILL fairly directly in hardware.
Thisisstraightforwardin thesensethatDILL mirrorsaconventionalhardwaredesign.However,
anexciting possibility thathasnot (yet) beenexploredwould beto designa ‘silicon compiler’
for LOTOS. VariousLOTOS compilersalreadytranslatelow-level LOTOS (with annotations)into
a programminglanguagesuchasC or Ada. In principle, a compilercould alsobe designed
that would turn LOTOS into, say, a maskto be etchedonto silicon or links to be setin a PLA
(ProgrammableLogicArray).
Thekey elementsin DILL arethusthecomponentlibrary andtheassociatedretrieval tool. A
theoryof refinementandgeneralLOTOS toolsalreadyexist. Only a silicon compilermight be
neededasaspecialdevelopment.
2.2 Library Components
A preliminary componentlibrary hasbeenproducedfor DILL. This is constructedin a
bottom-upfashion,from basicgatesto morecomplex components.The internalstructureof
compositecomponentsis hidden,sotheirbehaviour is observationallyequivalentto thedesired
behaviour and their constructionis hiddenfrom the user. The componentlibrary shouldbe
orientedtowardsparticularchip sets,but hasnot yet been. Insteadthe emphasishasbeenon
definingcommonlyavailablecomponents.Validationof thelibrary is discussedin section6.
The current library is summarisedin figure 1; the structureshown is for conveniencein
presentationonly. Thenamesof componentsarederivedfrom hardwaredesignpractice.The
library hassomefundamentalcomponents(e.g.agenericone-inputlogic gate)thatareunlikely
to be useful to a designerandso arenot shown. Componentswith a repeatedstructurehave
beensuppliedonly for limited cases(e.g.a two-inputdecoder, atwo-stageshift register).There
wouldbenodifficulty in generalisingthesecomponentsfor somesizen (e.g.a2n-inputdecoder,
ann-stageshift register).
2.3 Accessingthe Library
Theuseof a componentfrom theDILL library is declaredby giving its nameandthesuffix
‘Decl’. Thedocumentationeededtousethelibrary is little morethananelaborationof figure1.
Most componentshave unparameterisedeclarations(e.g.Inverter Decl for inverters).A few
have parametersdescribingtheir function(e.g.Gate Decl(nand,3)for three-inputnandgates).
All componentsarespecifiedasLOTOS processabstractions,thoughtherearesomesupporting
datatype definitions. An instanceof a componentis thusa LOTOS processinstantiation. A
completespecificationis generatedwith appropriate‘rubric’ usingthedeclaration:
circuit(specificationparameters,specification behaviour)
In fact, DILL is a ratherthin veneeron top of LOTOS, so the specificationparametersand
behaviour aregiven directly in LOTOS. Componentspecificationsare includedautomatically
by declaringthemafter thebehaviour, but it is up to thedesignerto sayhow thecomponents
arewired up. This is doneby combiningthe componentsin a LOTOS behaviour expression,
ComponentType Name Purpose
BasicLogic One Sourceof logic 1
Sink Sinkof logic signal
Zero Sourceof logic 0








3-InputGate And3,... Ternaryand, ...
4-InputGate And4,... Quaternaryand, ...
Coder Decoder2 Decode2 bits asoneof 4 outputs
Encoder2 Codeoneof 4 inputsas2 bits
Plexer Demultiplexer2 Selectoneoutputusing2-bit code
Multiplexer2 Selectoneinput using2-bit code
Adder HalfAdder Sumandcarryof 2 bits
FullAdder Sumandcarryof 2 bitsandpreviouscarry
ParallelAdder2 Parallelsumof 2 bit pairs




















A largerapplicationof DILL is givenin section5. As a simpleillustrationfor now, consider









A DILL descriptionis runthroughapre-processorto extracttherequiredcomponentdeclara-
tionsandproduceaLOTOSspecification.Thepre-processorrequirescommasin argumentsto be
quoted,whichexplainsthesyntaxabove. For theabove description,thegeneratedspecification
wouldhave thefollowing form; thespecificationwrappingandthecomponentdeclarationsare
generatedautomatically. Theauxiliary processesLogic1andLogic2arediscussedin section4.











DILL is supportedby a library of macroswritten in m4– a widely availablemacroprocessor
thatrunsonUnix andothersystems.Themacrosaremerelya convenientmeansof parameter-
ising andgeneratingLOTOS text for eachkind of logic gateor component.Thelibrary contains
about70 macrosin 900linesof m4to specifythecomponentsmentionedin this paper.
3 Digital Logic SpecificationStyle
Whenspecificationshave to bewritten in a new applicationarea,it is commonto find thata
significantamountof experimentationis neededto discover thebestapproach.For specifying
digital logic, the authorsevaluatedseveral approachesbeforefinding a satisfactorystyle. In
particular, it turnedout that the way in which even simple gateswere modelledwascritical
to combiningtheminto largercircuits. This is especiallytrue of circuitswith feedback(such
asflip-flops). It is easyto introduceinadvertentdeadlock1 if thespecifiedcomponentsdo not
quitefit togetherproperly, eventhoughthey seemto behave correctlyin isolation.See[21] for
examplesof thekindsof problemsthatarisewith anincorrectapproach.
1Realhardwaredeadlocksif it entersa statein which subsequentinputshave no effect. Livelock occurswhen
hardwareindefinitelyprocessesinternalsignalswithout reactingto externalones.
3.1 Modelling Digital Signals
In reality, digital signalstake on a rangeof analoguevalues(e.g. from 0 to 5 volts) but
thresholdsaresetso that they may be treatedaslogic 0 or 1. As a signalchangesfrom one
valueto another, it may passthroughan indeterminatestatethat is neitherlogic 0 nor 1. It
might thereforeseemthat tri-statelogic shouldbe used,allowing for an ‘undefined’stateof
signals. This, however, would makespecificationsmuchmorecomplex. An undefinedsignal
level shouldalwaysbe transientandthereforeshouldbe ignoredif possible. As a workable
abstraction,signalsareregardedashaving only two states.
Logic designproceedson thebasisof binarysignals.However, asanimplementationmatter,
thereis achoiceof how logic 0 and1 correspondto electricalsignals.Normally0/1corresponds
to low/high, called positive logic. However, negative logic may also be usedin which 0/1
correspondsto high/low. This is an implementationdecisionthatdependson thecomponents
available. Eitherapproachcanbeusedwith thesamelogic design.Sincethis is essentiallyan
implementationmatterit is ignoredin a functionalspecification,but is consideredin a lower
level specification.
Thereis alsoa choiceof whethera signal(a level) or a changein signal(anedge)shouldbe
modelledasa LOTOS event. Choosingto modelsignallevelsmeansthata gatemustrepeatedly
offer its currentoutputvalue in eventssincea signal level is continuous. LOTOS eventsare
discrete,soa level canberepresentedonly asasuccessionof arbitrarilycloseeventsgiving the
signalvalue. Specifyingthis would confusethebehaviour with identicalrepeatedevents. It is
thereforemoresatisfactoryto modelsignalchangesasLOTOS events.
Giventhatsignalchangesshouldbemodelled,thereis still a choicein LOTOS. Eventscould
simply indicateachangewithoutsayingwhetherthiswasfrom 0 to 1 or viceversa.Thiswould
not be a good reflectionof reality, wherethe direction of a changeis explicit. The overall
conclusionis thatLOTOS eventsshouldindicatethedirectionof a changeby giving thenewly
establishedlevel (e.g.g ! 1 for a transitionfrom 0 to 1).
Opencircuitshaveto beallowedfor. For example,aninputmaybeleft floating,acomponent
input maynot beused,or anunusedoutputmaynot beattachedto anything. A floatinginput
correspondsto somedefaultvalue. Signalson anunusedinput aresimply absorbed.Floating
outputsproducesignals,but they gonowhere;in LOTOS terms,thesearehiddeninternalevents.
3.2 Modelling Logic Gates
3.2.1 ReflectingRealGates
Logic functions(logic gates2) are the basiccomponentsof digital logic. Logic functions
couldperhapsbemodelledasADT (Abstract DataType) operationson inputvalues.However,
the time-dependentbehaviour of logic circuits is often important,so it is betterto useLOTOS
behaviour expressions.Moreimportantly, aspecificationusingADTs wouldnotreadilysupport
‘wiring up’ acircuit. Eachlogic gateis thereforespecifiedasaLOTOSprocess,instantiatedwith
appropriateparameters.
A real logic gateexhibits a propagationdelay from a changein input to the subsequent
output.Thisappearsnaturallyin a LOTOS specificationsinceoutputeventsfollow input events.
However, the actual time delay betweensuchevents is not modelledin LOTOS. For many
purposestheexactdelayis unimportant,sinceadesignthatassumedspecificpropagationdelays
in eachreal gatemight be proneto raceconditions. Many logic designsaresynchronousto
2Since‘gate’ hasbotha hardwaremeaninganda LOTOSmeaning,thetermis qualifiedwherenecessary.
avoid suchproblems,andthis removestheneedto modeldelaysexplicitly. If it werenecessary
to quantifythepropagationdelays,oneof severaltimedvariantsof LOTOS suchas[1, 18] could
beused. Suchanapproachmight be justified for asynchronouslogic or for investigatingrace
conditions.
Real gatesare connectedby wires from outputsto inputs. The wires (should)accurately
transmitsignals,but they canintroduceapropagationdelaythatis critical in high-speedcircuits.
Thewirescouldbeconsideredascomponentsaswell, but to do sowould makespecifications
very unwieldy. In virtually all logic designsthe wires canbe ignored,but wheretheir effect
is significantthen they canbe specifiedas delays. Ignoring the wires makesconnectionof
componentsvery easyin LOTOS: eventsat connectedoutputandinput gatesaresynchronised
by giving themthesameLOTOS gatename.In effect,agatenameis givento awire. Multi-way
synchronisationin LOTOS alsoallowsoneoutputto besentto severalinputs3.
Realgateshave a fan-out(themaximumnumberof othergatesthat canbeconnectedto an
output). This is an implementationrestrictionthat is bestignoredin a specification(thougha
staticanalysiscouldperhapsdeterminewhetherfan-outlimits have beencompliedwith). Real
gatesalsohavea fan-in (thenumberof inputs)thatis intrinsic andshouldbespecified.
In real life, andin a specification,switchingon a circuit leadsto a certainamountof settling
down. Fasterhardwaregateswill producetheiroutputsearlier, andthismaydeterminethestable
state(especiallyif the circuit hasfeedback).However, the circuit shouldentera stablestate
aftera shorttime. Thespecificationof sucha circuit will behave similarly, with internalevents
initially until the behaviour settlesdown. Sinceexact propagationdelaysarenot specifiedin
standardLOTOS, theremaybenon-determinismin which stablestateis reached– aswith real
hardware.
Switchingoff acircuit is likely toresultin complex behaviourassignalsandpowerdecay;such
behaviour isunlikely tobeinteresting.Theeffectof acleanswitch-off couldbemodelledsimply
asdisruptionin LOTOSterms.If atidy hardwarepower-downwererequired,thecircuitry would
bespecificallydesignedfor it; theLOTOS specificationwould thereforebewritten to match.
3.2.2 GateInputsandOutputs
Thedecisionto modelsignalchangesasLOTOSeventsmeansthatlogic gatesmustremember
thepreviousstateof inputs. This is realisticsincea hardwaregatewill be in somestate,with
currentflowingor not. Thepreviouslevelsoneachinputarethereforeparametersof theprocess
that modelsa logic gate. Default valuesmust be suppliedwhen the processis instantiated,
correspondingto thestateof a hardwaregatewhenswitchedon. Typically, inputswill initially
actasif 0, but this maybegate-dependent.Sincethedefaultsmaydependon thespecificgate,
they aregivenin its definitionratherthanasparametersof theprocessthatis instantiated.
Thereis a little subtletyin specifyingwhenoutputshouldoccur. In practice,a logic gate
reactsto a changein just oneof its inputs. The specificationof a logic gateshouldtherefore
reflectthis andshouldnot, for example,requireall input eventsto occurbeforeproducingan
output. Thespecificationof a logic gatemustalsonot forcetheoutputof a new valueafteran
input changes.In circuits involving feedback(e.g.a flip-flop), requiringoutputbeforefurther
input couldleadto deadlock.In practice,theremaybea shortinput pulse(say, from 0 to 1 to
0) to which a gatecannotreactquickly enough.Sincerealgateshave a propagationdelay, an
3Of course,no attemptshouldbe madeto synchronisetwo outputs,any morethanthe outputof two real gates
shouldbeconnected.
inputpulseof shortdurationmaynotproduceanoutput.Allowing a furtherinputbeforeoutput
is thereforebothrealisticandnecessary.
An importantcorollaryof modellingonly signalchangesmeansthata new input to a logic
gatemaynotproduceanew output,thoughinitially a logic gatemayproduceoutput.Consider,
for example,anandgatewith 0 and0 asinitial inputs;it mayat first produceanoutputevent
with value0. If one input subsequentlychangesto 1, the outputwill remainat 0 and there
will beno outputevent. A shortinput pulsemaynot resultin outputasdescribedabove. All
theseconsiderationsmeanthata logic gatemustknow its previousoutputaswell asits previous
inputs.
3.2.3 ParameterisingGates
LOTOS offers morepossibilitiesfor dealingwith inputsandoutputsthanare found in real
hardware. An obvious approachis to makeeachinput and output correspondto a LOTOS
gate.This might betermed‘physicalmultiplexing’, becauseeachLOTOS gatecorrespondsto a
physicalconnection(e.g.eventsg3 ! 0 andg4 ! 1). LOTOS alsoallowswhatmightbedescribed
as‘logical multiplexing’, in whichaLOTOS gateis qualifiedby aconnectionnumberparameter
in events(e.g.eventsg ! 3 ! 0andg ! 4 ! 1). Theadvantageof thesecondapproachis thataLOTOS
gatemaythencorrespondto anarbitrarynumberof inputsor outputs.This doesnot faithfully
reflectreal logic gates,however, which arebuilt with a fixed numberof connections.Also it
considerablycomplicateshow thewiring upof componentsis specified.With onegateperinput
or output,wiring upmerelyrequiresinputsandoutputsto besynchronised.With gatesqualified
by connectionnumbers,a ‘masterconfigurationprocess’wouldbeneededto synchroniseonall
eventsandallow only connectedoutputsandinputsto communicate.Physicalmultiplexing is
thereforepreferablein theinterestsof simplicity andrealism.
Althoughgateswith any numberof inputsabovetwoarepossible,preferrednumbersof inputs
(e.g.3, 4, 8) tendto beusual;unusedinputscanbewired to logic 0 or 1 asappropriateto make
themineffective. LOTOScouldallow alogic gateprocesshaveaparameterisednumberof inputs
by makinguseof logicalmultiplexing, but asarguedabove this is undesirable.A fixednumber
of inputsandoutputsis thereforespecified,eachbeinga LOTOS gate.
Hardwaregatesare designedto implementa fixed function4. Although eachkind of gate
couldbeseparatelyspecifiedin full, thiswouldleadto alot of duplicationsincethebehaviour of
agateis largelyseparatefrom its actuallogic function. LOTOS canbemoreflexible by allowing
genericlogic gatedefinitions,parameterisedwith their function. Suchanapproachappearsto
breakfrom a strict representationof realgates.However, the instantiationof a processis akin
to the fabricationof a real gate. Justas fabricationfixesthe function of a real gate,so does
instantiationof a logic gateprocess.
BecauseLOTOSdoesnotallow operationsto begivenasparametersto processes,theirnames
ratherthantheoperationsthemselvesaresupplied.An Applyoperationis usedto calculatethe
resultof a logic functionfrom its nameandoperands.For example,Apply(nor, 1, 0) yields0.
Thespecificationof ADTs for logic functionsis straightforwardandis notconsideredfurtherin
thispaper.
4A ULA (UncommittedLogic Array), PLA (ProgrammableLogic Array) or CLA (Configurable Logic Array)
mightbeconsideredasanexception.
4 BasicLogic Gates
Thissectiondiscusseshow basiclogic signalsandlogic gatesarespecified.
4.1 Logic Sourcesand Sinks
Sometimesit is necessaryto specifya sourceof logic 0 or 1, sayto tie aninput to a specific
level. This is anullary logic function,specifiedby theprocessSourcethatoutputsits parameter
once (since the signal never changes). ProcessesZero and One provide logic 0 and 1 by
instantiatingSource:
processSource[Op] (BOp : Bit) : noexit :
Op ! BOp; stop
endproc (* Source*)
It mayalsobenecessaryto absorbaninput signalwithoutusingit:
processSink [Ip] : noexit :
Ip ? b : Bit; Sink [Ip]
endproc (* Sink *)
4.2 One-Input Gate
A one-inputgatecanplay oneof two differentroles: asa repeater(amplifier, delay)or as
an inverter. The correspondinglogic functionsaresameandnot. The approachdiscussedin
section3 leadsto a surprisinglycomplex specificationof agenericone-inputgate:
processLogic1 [Ip, Op] (BOp: BitOp) : noexit :
Logic1A [Ip, Op] (BOp,0 of Bit)
where
processLogic1A [Ip, Op] (BOp: BitOp, BIn : Bit) : noexit :
Ip ? BInNew : Bit; Logic1A [Ip, Op] (BOp,BInNew)
( let BOutNew : Bit = Apply (BOp,BIn) in
Op ! BOutNew; Logic1B[Ip, Op] (BOp,BIn, BOutNew) )
endproc (* Logic1A *)
processLogic1B [Ip, Op] (BOp : BitOp, BIn, BOut : Bit) : noexit :
Ip ? BInNew : Bit; Logic1B [Ip, Op] (BOp,BInNew, BOut)
( let BOutNew : Bit = Apply (BOp,BIn) in
Op ! BOutNew [BOutNew neBOut]; Logic1B[Ip, Op] (BOp,BIn, BOutNew) )
endproc (* Logic1B*)
endproc (* Logic1 *)
This logic gateprocessis parameterisedby aunarylogic functionandhasadefaultinputvalue
of 0. Initially it mayinput valuesandoutputtheresultinglogic value. But onceit hasoutputa
value,it mayoutputonly if thevaluechanges.Althoughthis specificationis complex for good
reasons,the specifiercantreat it asa black box andnot be concernedwith its details. As a
concreteexampleof aone-inputlogic gate,aninverterhasthespecification:
processInverter[Ip, Op] : noexit :
Logic1 [Ip, Op] (not)
endproc (* Inverter*)
4.3 Two-Input Gate
A two-inputgatecanperformoneof 16 differentlogic functions. Only someof theseare
usuallygivennamessuchasand, or (inclusive or), xor (exclusive or). Certainlogic functions
areconvenientto implementin hardware,sonandandnor arealsocommon.Namescouldbe
given to the otherbinary logic functions,but would rarely be neededandwould be unlikely
to correspondto real gates. A generictwo-input gateis specifiedmuchasa one-inputgate,
andis parameterisedwith thenameof a binary logic function. Becauseof its similarity to the
one-inputgate,only anoutlinespecificationis given:
processLogic2 [Ip1, Ip2, Op] (BOp : BitOp) : noexit :
Logic2A [Ip1, Ip2, Op] (BOp,0 of Bit, 0 of Bit)
where
processLogic2A [Ip1, Ip2, Op] (BOp : BitOp, BIn1, BIn2 : Bit) : noexit : ...
processLogic2B[Ip1, Ip2, Op] (BOp: BitOp, BIn1, BIn2, BOut : Bit) : noexit : ...
endproc (* Logic2 *)
For this logic gate, thereare two inputs with default value 0. As a concreteexampleof a
two-inputgate,a nor gatehasthespecification:
processNor2 [Ip1, Ip2, Op] : noexit :
Logic2 [Ip1, Ip2, Op] (nor)
endproc (* Nor2*)
4.4 Higher-Level Components
Somelogic gatescanbebuilt in otherways.For example,anandgatecouldbebuilt from an
andgatefeedingintoaninverter. Thegatemightactuallybebuilt thisway, but theavailability of
nandgatesin practicemeansthatit is realistictospecifythemdirectly. However, theandnotgate
describedin section2.3 is not a normalhardwarecomponent,andsois specifiedcompositely.
Logic gateswith morethantwo inputs(e.g.a four-inputandgate)canbespecifiedlike simpler
gates,but usingn-aryBooleanoperations.Three-inputandfour-inputgateshavebeenspecified
in thecourseof thiswork.
More complex componentscanbe built progressively out of basiclogic gates. [23] gives
somerepresentativeexamples,while [21] presentsa catalogueof thecomponentspecifications
correspondingto figure1. Thenext sectionshowssomeof thesecomponentsatwork in alarger
example.
5 Designinga KeyboardController
Thissectionpresentsa largerapplicationof DILL for specifyinga keyboardcontroller.
5.1 Controller Design
A computerkeyboardis usuallya matrixof switchesthatareoperatedby pressingkeys. The
keyboardis associatedwith a keyboardcontroller that dealswith low-level hardwareaspects
andpresentsa simpleinterfaceto theCPU.For this example,theCPUtreatsthekeyboardasa
device thatcanbeperiodicallypolled to find out which key (if any) is currentlypressed.(In a
moresophisticated esignthekeyboardcontrollercouldinterrupttheprocessoronakey press.)
A computerengineeringreferencebookmight suggesthekeyboarddesignshown in figure2.
Thekeyboardcontrollerdoesnot includethekeyboardmatrix – a rectangularmatrix whose

















(say, a numerickeypad). In mostcasesthereareparallelconnectionsbetweenthe controller
components,carryinganumberof bits. Theconnectionnamesaregivenin figure2: C –column,
Ck – clock, H – horizontal,K – key, R – row, V – vertical. The componentsin the keyboard
controllerareasfollows.
Clock producesalternate0 and1 signalsat a ratewhich is unimportantin this example;in
practice,theratewould have to bemuchfasterthantheexpectedrateof key presses.Counter
cyclesthrougha sequenceof binaryvalues:00 to 11 in this examplesincethematrix hasfour
rows. Decoderproducesa 1 signal on the output that is uniquely determinedby its binary
input; a four-from-two decoderis needed. As an example, input of 10 to Decoderwould
resultin a 1 signalon R2. Encoderreversestheactionof Decoder, producingthebinarycode
correspondingto the input that is setto 1; a two-from-fourencoderis neededsincethematrix
hasfour columns5. As anexample,a1 signalonC1 to Encoderwouldresultin anoutputof 01.
Memoryis a four-bit memorythatstorestherow andcolumnnumbersof thecurrentlypressed
key. Valuesareperiodicallyclockedin, andmaybereadout independentlyby theCPU.The
sixteenkeysareidentifiedby a four-bit number, two bits giving therow andtwo bits giving the
column.
5.2 DILL Representation
Thetargetchipsetis likely to includecomponentscorrespondingdirectly to Clock, Counter,
Decoderand Encoder; in DILL terms theseare Clock, Divider4, Decoder2and Encoder2
components.Thespecificationof Memorycanbeput to onesidefor themoment,allowing the
currentdesignto bedeclaredin DILL as:
circuit(
‘K eyCon[C0, C1,C2,C3,K0, K1, K2, K3, R0,R1,R2,R3]’,‘
5To guardagainstkeys in differentcolumnsbeingpressedsimultaneouslyor no keys beingpressedat all, this
shouldbea priority encoder;however, thesimpleencoderin theDILL library hasbeenusedfor thisexample.














|[Ck, H0, H1, V0, V1]|






processMemory[Ck, H0, H1, V0, V1, K0, K1, K2, K3] : noexit : ...
’)
Memoryis likely to bebuilt from four instancesof DFlipFlop (a standardone-bitmemory
element),all sharingacommonclock input. Thenegatedoutputof eachflip-flop is not required
andcanbehidden.TheDILL declarationfor thewholedesigncanthereforebecompletedwith
thefollowing specificationof Memory:
hide NotK0, NotK1, NotK2, NotK3 in
DFlipFlop [H0, Ck, K0, NotK0] |[Ck]| DFlipFlop [H1, Ck, K1, NotK1]
|[Ck]|
DFlipFlop [V0, Ck, K2, NotK2] |[Ck]| DFlipFlop [V1, Ck, K3, NotK3]
The specificationfor thekeyboardcontrolleris generatedby runningtheDILL description
throughthepre-processor. TheresultingLOTOS text is about290 lines (includingblank lines)
and is not given herefor spacereasons.Ideally, the designerwill not needto even readthe
specification,andshouldbeableto simulateor analyseit directly. However, asthenext section
showstherearepracticaldifficultiesin handlingevenexamplesof this size.
6 Validation and Verification
Thespecificationof every DILL library componenthasbeencheckedin considerabledetail
by simulationwith theSMILE tool [5]. This requiredeachcomponento besynchronisedwith
a testharnessto drive it. Althoughthespecificationsusefull LOTOS, theeventsareof rathera
simpleform: agatewith parameter0or1. It mightthereforehavebeenpossibletodeterminethe
canonicaltesterautomaticallyusingresultsfrom LOTOS testingtheory[25]. Validationconsists
of steppingthespecificationof thecomponentandtestharnessthroughevery significantpath.
For largercomponents,this is a manageablebut tediousoperation.
The LOTOS simulatorsavailable to the authors(SMILE andhippo) causeddifficultieswith
internalevents,especiallywhensimulatinglargerspecifications.For example,aJK flip-flop at
switch-onpresents12 internaleventsthat shouldbe allowed to occurbeforethefirst external
input event. This is a reflectionof what actuallyhappenswith the hardware,but it placesa
heavy overheadon thesimulation.Theinternaleventsrepresentspontaneousestablishmentof
internalsignallevels. Componentswith feedback(suchasflip-flops) ‘race’ to establishoneof
thepossiblestablestates.Otherflurriesof internaleventsoccurafteraninput signal.
Whenthewholespecificationof thekeyboardcontrollerin section5 is simulated,theinitial
eventmenupresents81 eventsof which 69 areinternal! The internaleventsmustbe allowed
to happenfirst so that the circuit cansettledown. After initial settlingdown, the observable
eventsthatarepossibleare:strobingakeyboardmatrix row; readingoutasignalonakeyboard
matrix column;andreadingthecurrentstateof thekey memory. After eachobservableevent,
theremay be further internal eventsas new signal levels are communicatedand new stable
statesarereachedvia transientunstableones. The numberof internaleventsafter the initial
settlingis muchless,but it still placesa burdenon theuserof thesimulator. It requiresnearly
100 simulatorevent selectionsto go throughthe following behaviour: initial settling of the
keyboardcontroller; strobingthe keyboardmatrix once; registeringthe key pressed;reading
out the numberof the currentkey; andadvancingthe clock, readyfor the next strobe. Each
subsequentclock tick needsroughly10simulatoreventselections.
What is clearly requiredis a meansto control the simulatoras far as internal eventsare
occurred.Most internaleventsareuninteresting,andshouldbeallowedto happenin any order
until only observableeventshave to beselectedfor simulation.In fact,only oneinternalevent
in thekeyboardcontrollerspecificationis of any interestfor simulationpurposes:the internal
clock tick. In real life – and in an ideal simulation– the other internaleventswill occur in
a spontaneousand irrelevant fashionafter eachobservableevent. Anotherproblemwith the
simulatorsis that internaleventsin replicatedcomponentsarepresentedwith the samename
in theeventmenu,makingpreciseselectiondifficult. Simulatorlimitationsarea difficulty for
theDILL approach,thoughthetoolsratherthanDILL areat fault. Simulatordevelopershave
alreadyrecognisedtheproblemof eventcontrol. For example,a futureversionof SMILE [4]
will incorporateaToolControlLanguage;amongotherthingsthiswill allow automaticselection
of internaleventsuntil a new stablestateis reached.
The ultimate objective of this work is to have a fully verified library of componentsthat
can be usedin the designof arbitrarily complex logic systems. Verificationof components
by exhaustive testingis possiblein principle, thoughit is very time-consumingwith complex
circuits. Otherapproachesuchasmodel-checkingmay be attractive alternatives. As larger
circuits are considered,it becomesharderto seewhen two designsare equivalent; the same
behaviour may be obtainedfrom two designsthat at first sight are ratherdifferent. This is
an obvious role for equivalencesin LOTOS, particularlyobservationalcongruenceandtesting
congruence.AlthoughtoolsthatcheckLOTOSequivalencesgenerallyworkonlyonbasicLOTOS,
thesimpleeventstructureoffershopeof eitherenhancingthetoolsor translatingthefull LOTOS
specificationsinto basicLOTOS.
Hardwareengineersoftenusetechniquesfor minimisationof logic designsin orderto reduce
the numberof componentsneeded.Equivalencecheckingwould be useful to verify that the
simplifieddesignconformsto theoriginaldesign.Certainkindsof simplificationin LOTOS(e.g.
parameterisedexpansion)might berelevantto carryingoutminimisationdirectly.
7 Conclusions
A style for specifyingdigital logic in LOTOS hasbeenintroducedand justified. This has
beenusedto specifya variety of logic gatesand larger components.A particularlypleasing
outcomeis that componentscan be specifiedand analysedin isolation, and can be easily
built into larger combinations.However, sucha component-basedstyle dependscritically on
specifyingcomponentsthatfit togetherproperly. Theweakestaspectof thework at presentis
thedifficulty of checkingcomponentsby simulation,thoughplannedsimulatorimprovements
will helpgreatly.
Futurework requiredon digital logic specificationin LOTOS includesinvestigationof test
derivation, equivalencechecking,model checking,andLOTOS timing andprobability exten-
sionsfor analysisof performanceissues.DILL currently lacksa facility to declarearraysof
components,thoughthis wouldnotbedifficult to achieve.
If LOTOSwereto becomeaseriouscompetitorto establishedhardwaredescriptionlanguages,
muchmorework would be necessary. A wider rangeof casestudiesincluding ratherlarger
exampleswould be needed. A more comprehensive library would be essential. Efficient
simulationandtheorem-proving capabilitieswouldhave to bedeveloped.Nonetheless,it is felt
thatthepresentlevel of thiswork showspromisein thefield of hardwaredescription.
Acknowledgements
R.O.Sinnottwassupportedby theUK ScienceandEngineeringResearchCouncilduringthe
work describedin thispaper. TheauthorsthankDr. R. G. Clark for comments,andthereferees
for their valuablesuggestions.
References
1. Bolognesi,T. andLucidi, F.: ‘L OTOS-Like ProcessAlgebraswith Urgentor TimedInterac-
tions’, Proc.Formal DescriptionTechniquesIV, pp.249–264,North-Holland,Amsterdam,
NL, 1991.
2. Brinksma,E.: ‘A Theoryfor theDerivationof Tests’,Proc.ProtocolSpecification,Testing,
andVerificationVIII, pp.63–74,North-Holland,Amsterdam,NL, 1989.
3. Cohn,A.: ‘The Notion of Proof in HardwareVerification’, J. of AutomatedReasoning, 5
(2), pp.127–139,1989.
4. Eertink,H.: Privatecommunicationregardingfuturedevelopmentsin SMILE, University
of Twente,NL, 1993.
5. Eertink, H. andWolz, D.: ‘Symbolic Executionof LOTOS Specifications’,Proc.Formal
DescriptionTechniquesV, North-Holland,Amsterdam,NL, 1992.
6. Faci, M., Logrippo, L. and St́epien, B.: ‘Formal Specificationof TelephoneSystems
in LOTOS’, Proc.Protocol Specification,Testing,and Verification IX, pp. 25–34,North-
Holland,Amsterdam,NL, 1989.
7. Faci,M. andLogrippo,L.: ‘SpecifyingHardwarein LOTOS’, Proc.ComputerHardwareDe-
scriptionLanguagesandtheir ApplicationsXI, pp.305–312,North-Holland,Amsterdam,
NL, 1993.
8. Ferńandez,A. et al.: ‘PRODAT – The Derivation of an Implementationfrom its LOTOS
Formal Specification’,Proc.Protocol Specification,Testing,andVerification VIII, North-
Holland,Amsterdam,NL, 1988.
9. Filkorn,T.: ‘A Methodfor SymbolicVerificationof SynchronousCircuits’,Proc.Computer
Hardware DescriptionLanguagesandtheir ApplicationsIX, pp.229–239,North-Holland,
Amsterdam,NL, 1991.
10. Gibson, J. P.: ‘A LOTOS-BasedApproachto Neural Network Specification’,Technical
Report112,Departmentof ComputingScience,Universityof Stirling, UK, 1993.
11. Gordon,M. J. C.: HOL: A Proof Generating Systemfor Higher-Order Logic, Technical
Report103,Universityof Cambridge,UK, 1987.
12. Hunt, W. A.: TheMechanical Verification of a MicroprocessorDesign, TechnicalReport
CLI-6, ComputationalLogic Inc.,Austin,USA, 1987.
13. IEEE:VLSIHardwareDesignLanguage, Project1076,Instituteof ElectricalandElectronic
Engineers,New York, USA, 1987.
14. ISO: InformationProcessingSystems– OpenSystemsInterconnection– LOTOS– A Formal
DescriptionTechniquebasedon theTemporal Orderingof ObservationalBehaviour, ISO
8807,InternationalOrganisationfor Standardisation,Geneva,CH, 1989.
15. ISO: InformationProcessingSystems– OpenDistributed Processing– Formal Descrip-
tion of the Trader, ISO JTC1/SC21/WG7/N743Annex G, InternationalOrganisationfor
Standardisation,Geneva,CH, 1992.
16. Kline, R. M.: StructuredDigital Design, Prentice-Hall,USA, 1983.
17. McClenaghan,A.: ‘Experienceof usingLOTOSwithin theCIM-OSAProject’,Proc.Formal
DescriptionTechniquesIV, pp.109–116,North-Holland,Amsterdam,NL, 1991.
18. McClenaghan,A.: ‘DistributedSystems:Architecture-DrivenSpecificationusingExtended
LOTOS’, Ph.D.Thesis,Universityof Stirling, 1993.
19. Milne, G. J.: ‘The FormalDescriptionandVerificationof HardwareTiming’, IEEE Trans.
on Computers,40 (7), pp.811-826,1991.
20. Moskowski, B.: ‘A TemporalLogic for Multi-Level ReasoningaboutHardware’,Proc.
ComputerHardware DescriptionLanguagesand their ApplicationsVI, North-Holland,
Amsterdam,NL, 1983.
21. Sinnott,R. O.: TheFormallySpecifyingin LOTOSof ElectronicComponents, M.Sc.Thesis,
Universityof Stirling, UK, 1993.
22. Taylor, C. R. andGamble,M: ‘The CCSDSProtocolValidationProgrammeInter-Agency
TestingusingLOTOS’, Proc.FormalDescriptionTechniquesIII, North-Holland,Amsterdam,
NL, 1990.
23. Turner, K. J.: ‘An EngineeringApproachto FormalMethods’,Proc.ProtocolSpecification,
Testing,andVerificationXIII, North-Holland,Amsterdam,NL, 1993(in press).
24. Welch,P. H.: ‘EmulatingDigital Logic usingTransputerNetworks’,Parallel Architectures
andLanguagesEurope, LNCS 258,pp.357–373,Springer-Verlag,Berlin, D, 1987.
25. Wezeman,C. D.: ‘The CO-OPMethod for CompositionalDerivation of Conformance
Testers’,Proc.ProtocolSpecification,Testing,andVerificationIX, North-Holland,Amster-
dam,NL, 1989.
26. Widya,I., vanderHeijden,G.-J.andJuillot,F.: ‘SpecificationandImplementationof theTP
Protocol’, Lo/WP3/T3.1/N0077/V04,ESPRIT Project2304,Commissionof the European
Communities,Brussels,1992.
