Modular Synthesis of Timed Circuits using Partial Orders on LPNs  by Mercer, Eric G. et al.
Electronic Notes in Theoretical Computer Science 65 No. 6 (2002)
URL: http://www.elsevier.nl/locate/entcs/volume65.html 22 pages
Modular Synthesis of Timed Circuits using Partial Orders on LPNs
Eric G. Mercer and Chris J. Myers (1, 2, 3)
Department of Electrical and Computer Engineering, University of Utah, Salt Lake City, USA
Tomohiro Yoneda (4)
Department of Computer Science, Tokyo Institute of Technology, Tokyo, Japan
Hao Zheng (5)
IBM Microelectronics, Essex Junction, USA
Abstract
This paper develops a modular synthesis algorithm for timed circuits that is dramatically accelerated by partial order reduction. Each timed circuit module is specified using a level-ruled Petri net (LPN), a new type of Petri net that allows timing constraints and Boolean level expressions to be annotated between each place and transition. The algorithm synthesizes each module in a hierarchical design individually. It utilizes partial order reduction to reduce the state space explored for the other modules by considering a single order on independent enabled transitions. This approach better manages the state explosion problem, resulting in more than an order of magnitude reduction in synthesis time. The improved synthesis time enables the synthesis of a larger class of timed circuits than previously possible.
(1) This research is supported by NSF CAREER award MIP-9625014, NSF Japan Program award INT-0087281, SRC contract 97-DJ-487 and 99-TJ-694, a grant from Intel Corporation, and JSPS Joint Research Projects.
(2) Email: eemercer@ece.utah.edu
(3) Email: myers@ece.utah.edu
(4) Email: yoneda@cs.titech.ac.jp
(5) Email: haoz@us.ibm.com
©2002 Published by Elsevier Science B. V.
Open access under CC BY-NC-ND license.
1 Introduction
In order to achieve high performance, designers are experimenting with aggressive timed circuits [26,27,24,12]. Designing these circuits, however, in a fully manual style is very difficult; thus, CAD tools are essential for synthesis and verification. An important issue in developing such CAD tools is the avoidance of state explosion. This paper presents two approaches to managing state explosion: first, a syntactic abstraction in the timed circuit specification; and second, an exact modular synthesis approach using partial order reduction.
Prior work has utilized a timed automaton to provide a low level model for a circuit. It is a state based specification language where transitions between states are governed not only by Boolean functions defined over inputs, but clock valuations too. Its expressiveness lends itself to verification [1,6,11,7,16,4,19]. The expressiveness, however, is not always required for synthesis; thus, it needlessly complicates the analysis problem. A Petri net based representation is an alternative circuit model to a timed automaton. It is a transition based specification language where transitions are governed by time and the marked state of the net. Although it is less expressive than timed automata, it is sufficient for not only synthesis but also verification [5,13,25,29,30,23]. Its structure, however, becomes very complicated when modeling even simple logic functions [30]. This increases the size of the reachable state space and makes specification difficult [2].
This paper uses level-ruled Petri nets (LPNs) which are a hybrid of Petri nets and timed automata. They are transition based but employ Boolean functions. Unlike timed automata, the functions are only defined over inputs, not inputs and clock valuations. Boolean functions are a syntactic abstraction in the model structure. Connectivity is no longer explicit in the edges, but implied through the Boolean state of the inputs. This reduces the reachable state space and simplifies specification. LPNs are a refinement of TEL structures described in [2,3]. LPNs restrict conflict to the Petri net formalism and facilitate a partial order reduction on the reachable state space.
Partial order reduction is an important tool in mitigating state explosion in verification [9,28,15,17,4,19]. Partial order reduction is applied to synthesis in [25,31]. The approach in [25] is an unfolding technique that is applied to untimed specifications. Not only is it not clear if the technique can be efficiently applied to a timed model, the technique ignores hierarchy in the specification; thus, it is limited in the size of systems it can be applied to. The approach in [31] exploits hierarchy in the specification by applying a partial order reduction to signals not on the interface of the target subcircuit. It modifies the partial order reduction method in [28,30] to always include all allowed orders of signals on the interface and in the target subcircuit. It then uses the state space based synthesis approach in [21] to produce an exact circuit. The work demonstrates a significant reduction in running time for state space exploration in the synthesis problem and greatly increases the size of systems that can be analyzed. The approach, however, is tied to the time Petri net. This negatively impacts the size of the reduced state space due to the structural complexity of the model.
The work in this paper extends the modular synthesis approach in [31] to LPNs to further reduce the size of the reachable state space through syntactic abstraction. It first presents a new timing analysis algorithm for LPNs that can be applied to systems that are beyond the capacity of existing algorithms. The new algorithm is required because existing algorithms in [22,3] only support a partial order in timing information and not a partial order in the state space exploration. The partial order in the timing information in [22,3] is similar to that found in [4,19], and like the approach in [19] does not require extra reference clocks for synchronization. The basis for the new algorithm is actually presented in [19] and is based solely on the time separation of transitions, but an initial implementation on timed Petri nets in [18] shows it to be incorrect for Boolean expressions and incomplete for partial order reduction; thus, this work corrects the algorithm and completely derives the conditions necessary to preserve correctness in the reduction. The partial order reduction is restricted to safe nets and works for any type of choice structure. The partial order reduction uses untimed methods from [28] and timed methods [30,4,19] to determine independence between transitions. It augments these definitions to incorporate the notion of independence in the presence of Boolean functions. The definitions are not only tied to the structure of the net, but also consider the timing of transitions. This paper proves the modular synthesis approach on LPNs to produce exact circuits when the net is free of time dependent choice. The approach results in an order of magnitude reduction in the time cost of synthesis and enables the synthesis of a larger class of timed circuits than previously possible.
Interface abstraction is a common approach to reduce the cost of state based synthesis by exploiting hierarchy in the specification. As performing the abstraction by hand is error prone, work in [32] automates the abstraction process. It alters the actual system model by removing from it transitions that are not on the interface of the target subcircuit. Although the simplified model structure reduces the reachable state space, the approach is limited in the transitions it can remove, is not efficient on specifications with Boolean functions, and can produce nonexact circuits due to conservative timing behavior from the abstraction [32]. The work described in this paper does not alter the specification. It reduces the state space by exploring a single firing order on independent transitions not in the target subcircuit.
This paper is organized as follows. Section 2 introduces LPNs. Section 3 presents the new timed state space exploration algorithm. Section 4 formalizes modular synthesis. Section 5 describes a partial order reduction for synthesis, and proves that it is exact. The performance of the proposed method is evaluated in Section 6 using several examples including an experimental pipeline from IBM.
2 Level-Ruled Petri Nets
Each timed circuit module is specified using a level-ruled Petri net (LPN). An LPN is a pair M = (N, E) where N is an ordinary Petri net and E is the level-ruled extension. A Petri net is a four-tuple N = (T, P, F, µ0). T is a set of transitions. P is a set of places. F ⊆ (T × P) ∪ (P × T) is the flow relation. A marking is any subset of places. The initial marking of N is specified by µ0. For any transition t, •t = {p ∈ P | (p, t) ∈ F} and t• = {p ∈ P | (t, p) ∈ F} denote the source places and the destination places of t respectively. Source transitions and destination transitions are defined similarly.
A level-ruled extension is a seven-tuple E = (I, O, ν0, wire, Eft, Lft, Lsat). I and O are finite sets of input and output wires, respectively. ν0 is the initial Boolean state of the wires in O. Note that the initial value of a wire in I must be defined by some other module that produces transitions on that wire. The function wire : T → (O × {+, −}) ∪ T is a mapping from transitions in N to transitions on wires in O. A transition on a wire u ∈ O can be rising (u+) or falling (u−) to change its Boolean state. If a transition is not a rising or falling transition on a wire, then the function returns the transition itself. Although such a transition does not affect the state of the output wires, it does affect the state of the net. Again, wires in I are not mapped to transitions as input behavior must be defined by some other module. At times, the function wirename(t) may be used instead, which returns the name of the wire associated with the event t or it returns the transition itself (i.e., if wire(t) = u+, then wirename(t) = u; and if wire(t) = t, then wirename(t) = t). R = F ∩ (P × T) is a set of rules. For any rule r = (p, t) ∈ R, •r = p and r• = t are the source place and destination transition of r respectively. Let Q+ be the set of nonnegative rational numbers. Eft : R → Q+ and Lft : R → Q+ ∪ {∞} are functions that return the earliest and latest firing times of rules such that Eft(r) ≤ Lft(r) for all r ∈ R. Lsat : R → ({0, 1}^|I ∪ O| → {true, false}) assigns a Boolean function to each rule. This paper restricts the Boolean functions to be simple conjunctions or disjunctions of signal values.
Fig. 1(a) shows an LPN that describes the behavior of an OR gate with inputs a and b and output c. This LPN includes two transitions on the output signal c, namely tc+ and tc−. In the initial state, the signal c is low. There are two rules in this LPN. The rule from pc− to tc+ is annotated with an earliest firing time of 6, a latest firing time of 9, and a level expression of a ∨ b. The rule from pc+ to tc−, similarly, is annotated with an earliest firing time of 6 and a latest firing time of 9, and an expression ¬a ∧ ¬b. Figs. 1(b) and (c) show LPNs that describe the behavior of the two inverting gates that take c as an input and produce outputs a and b.
[Figure 1: the LPNs of (a) the OR gate (rules pc− → tc+ with [6, 9] and a ∨ b, pc+ → tc− with [6, 9] and ¬a ∧ ¬b), (b) the inverter producing a (rules pa− → ta+ with [4, 6] and ¬c, pa+ → ta− with [4, 6] and c), (c) the inverter producing b (rules pb− → tb+ with [4, 6] and ¬c, pb+ → tb− with [4, 6] and c), and (d) the synthesized gate-level circuit.]
Fig. 1. (a) An OR gate with inputs a and b and output c. (b) An inverter with input c and output a. (c) An inverter with input c and output b. (d) The circuit synthesized from (a), (b), and (c).

A timed circuit specification is defined by a collection of modules M = {M1, M2, ..., Mn} where each module Mk is defined by an LPN, (Nk, Ek). A collection of modules, M, must be disjoint, which means that for any i and j such that i ≠ j, Ti ∩ Tj = ∅, Pi ∩ Pj = ∅, and Oi ∩ Oj = ∅. A disjoint collection of modules can be represented using a single LPN of the following form: (⋃_{i=1}^{n} Ni, E′) where each element of E′ is simply the union over all the modules except I′, which equals ⋃_{i=1}^{n} Ii − ⋃_{i=1}^{n} Oi. In other words, a signal is no longer considered an input if it is an output in a constituent module. A collection of modules is closed when I′ = ∅. The behavior of every wire is defined by some LPN in a closed set of modules. The remainder of this paper assumes that all circuits of interest are defined by a disjoint and closed collection of modules. This is a requirement of the analysis procedures in this paper. The implication of a closed system is that the output to input causality is known for each signal in the module. The modules shown in Figs. 1(a), (b), and (c) form a disjoint and closed collection of LPNs. The synthesized circuit from this collection of modules is shown in Fig. 1(d).
A timed state σ of an LPN is a three-tuple (µ, ν, clock) where µ is a marking, ν is a Boolean state, and clock : R → Q+ is a function that records the time a rule has been enabled. The initial state σ0 is (µ0, ν0, clock0) where µ0 is the initial marking, ν0 is the initial Boolean state, and clock0(r) = 0 for all r ∈ R. A rule r ∈ R is said to be level-satisfied in the state ν, defined over O, if Lsat(r)(ν) = true. A rule r is said to be enabled if its source place is in the marking (•r ∈ µ), and it is level-satisfied in the Boolean state (Lsat(r)(ν) = true). Let Ren(µ, ν) return the set of enabled rules given µ and ν, and R(t) = {r ∈ R | r• = t} return the set of rules for transition t. A transition is said to be enabled in the marking µ at the Boolean state ν if all of its rules are enabled (R(t) ⊆ Ren(µ, ν)). Let enabled(µ, ν) be an ordered set of enabled transitions given µ and ν. For the initial state shown in Fig. 1, with a and b initially high and c low, the only enabled transition is tc+. Transitions tb− and ta− are not enabled because c is low.

The state of an LPN can change if time passes or a transition fires. Time τ ∈ Q+ can pass in σ = (µ, ν, clock) if for all t ∈ enabled(µ, ν) there exists a rule r ∈ R(t) such that clock(r) + τ ≤ Lft(r). Note that a rule is said to expire if it exceeds its latest firing time. This formalism allows rules for enabled transitions to expire as long as a single rule exists for each transition that can accept τ without expiring. The new timed state is derived from σ as σ′ = (µ, ν, clock′) where µ and ν are the marking and Boolean state from σ, and clock′(r) = clock(r) + τ for all r ∈ Ren(µ, ν). In the initial timed state for the example, time can be allowed to advance up to 9 time units. After 9 time units, the rule enabling tc+ expires; thus, tc+ is forced to fire.
The transition tf ∈ T can fire in σ = (µ, ν, clock) if two conditions hold: first, tf ∈ enabled(µ, ν); and second, every r ∈ R(tf) is satisfied (i.e., clock(r) ≥ Eft(r)). The new state is derived from σ as σ′ = (µ′, ν′, clock′) where µ′ = (µ − •tf) ∪ tf•; for all u ∈ O,

$$\nu'(u) = \mathit{update}(t_f, \nu)(u) = \begin{cases} 1 & \text{if } \mathit{wire}(t_f) = u+ \\ 0 & \text{if } \mathit{wire}(t_f) = u- \\ \nu(u) & \text{otherwise;} \end{cases}$$

and for all r ∈ R,

$$\mathit{clock}'(r) = \begin{cases} \mathit{clock}(r) & \text{if } r \in (R_{en}(\mu, \nu) \cap R_{en}(\mu', \nu')) \\ 0 & \text{otherwise.} \end{cases}$$

In this formalism, the firing of a transition consumes no time. It only updates the marking, the Boolean state, and the clock function. In the case of firing tf from σ above, µ is updated to remove the source places and add the destination places of tf to get µ′; ν′ is the new Boolean state of the system after firing tf, which is unchanged if wire(tf) = tf; and rules that are still enabled in the new state keep their same clock values while all other rules are reset. A Petri net is safe if for each reachable marking from the initial state and for each transition t enabled in each reachable marking the following condition holds: (µ − •t) ∩ t• = ∅. A safe net does not have a marking in its reachable marking set that enables a transition whose firing adds to the new marking a place that already exists in the current marking. In practice, this restriction has not impacted the type of systems that can be analyzed using this approach. Firing tc+ from the initial marking shown in Fig. 1 creates the new timed state where the marking is {pc+, pa+, pb+}, the Boolean state is (1, 1, 1), and the clock function remains unchanged except that clock((pc−, tc+)) = 0.
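The timed-state semantics just defined, coded as an added example (not the paper's own implementation) on the Fig. 1 collection: the dict-based Boolean state, the helper names and the use of Python numbers for Q+ are this example's assumptions, the rule data come from Fig. 1.

```python
"""LPN timed-state semantics (section 2) on Fig. 1; added example, not the paper's code."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Set, Tuple

Bool = Dict[str, int]            # Boolean state nu: wire name -> 0 / 1
INF = float("inf")               # Lft(r) = infinity

@dataclass(frozen=True)
class Rule:                      # r = (p, t) with [Eft(r), Lft(r)] and Lsat(r)
    place: str
    trans: str
    eft: float
    lft: float
    lsat: Callable[[Bool], bool]

@dataclass
class LPN:
    rules: Tuple[Rule, ...]
    post: Dict[str, FrozenSet[str]]     # t-bullet: destination places of t
    wire: Dict[str, Tuple[str, int]]    # wire(t): u+ -> (u, 1), u- -> (u, 0)

    def rules_of(self, t: str):         # R(t)
        return [r for r in self.rules if r.trans == t]

@dataclass
class TimedState:                       # sigma = (mu, nu, clock)
    marking: FrozenSet[str]
    nu: Bool
    clock: Dict[Rule, float]

def enabled_rules(lpn: LPN, mu: FrozenSet[str], nu: Bool) -> Set[Rule]:
    """Ren(mu, nu): source place marked and level expression satisfied."""
    return {r for r in lpn.rules if r.place in mu and r.lsat(nu)}

def enabled(lpn: LPN, mu: FrozenSet[str], nu: Bool) -> Set[str]:
    """enabled(mu, nu): transitions all of whose rules are enabled."""
    ren = enabled_rules(lpn, mu, nu)
    return {r.trans for r in lpn.rules if set(lpn.rules_of(r.trans)) <= ren}

def max_delay(lpn: LPN, s: TimedState) -> float:
    """Largest tau that may pass: every enabled transition keeps one unexpired rule."""
    slack = [max(r.lft - s.clock[r] for r in lpn.rules_of(t))
             for t in enabled(lpn, s.marking, s.nu)]
    return min(slack) if slack else INF

def advance(lpn: LPN, s: TimedState, tau: float) -> TimedState:
    """Let tau time units pass; only the enabled rules accumulate clock time."""
    if tau > max_delay(lpn, s):
        raise ValueError("an enabled transition would have all of its rules expire")
    ren = enabled_rules(lpn, s.marking, s.nu)
    return TimedState(s.marking, dict(s.nu),
                      {r: c + tau if r in ren else c for r, c in s.clock.items()})

def can_fire(lpn: LPN, s: TimedState, t: str) -> bool:
    """t is enabled and each r in R(t) is satisfied: clock(r) >= Eft(r)."""
    return (t in enabled(lpn, s.marking, s.nu)
            and all(s.clock[r] >= r.eft for r in lpn.rules_of(t)))

def fire(lpn: LPN, s: TimedState, t: str) -> TimedState:
    """Fire t: new marking, Boolean state and clocks; the firing itself takes no time."""
    if not can_fire(lpn, s, t):
        raise ValueError(f"{t} cannot fire")
    pre = frozenset(r.place for r in lpn.rules_of(t))      # bullet-t
    if (s.marking - pre) & lpn.post[t]:
        raise ValueError("net is not safe: (mu - pre) and post overlap")
    mu2 = (s.marking - pre) | lpn.post[t]
    nu2 = dict(s.nu)
    if t in lpn.wire:                   # wire(t) = u+ or u-; otherwise nu is unchanged
        u, value = lpn.wire[t]
        nu2[u] = value
    keep = enabled_rules(lpn, s.marking, s.nu) & enabled_rules(lpn, mu2, nu2)
    return TimedState(mu2, nu2, {r: s.clock[r] if r in keep else 0 for r in lpn.rules})

def fig1_lpn() -> LPN:
    """The disjoint, closed collection of Fig. 1 as one LPN (rule data from the figure)."""
    fs = frozenset
    rules = (
        Rule("pc-", "tc+", 6, 9, lambda nu: bool(nu["a"] or nu["b"])),      # a or b
        Rule("pc+", "tc-", 6, 9, lambda nu: not nu["a"] and not nu["b"]),   # not a and not b
        Rule("pa-", "ta+", 4, 6, lambda nu: not nu["c"]),
        Rule("pa+", "ta-", 4, 6, lambda nu: bool(nu["c"])),
        Rule("pb-", "tb+", 4, 6, lambda nu: not nu["c"]),
        Rule("pb+", "tb-", 4, 6, lambda nu: bool(nu["c"])),
    )
    post = {"tc+": fs({"pc+"}), "tc-": fs({"pc-"}), "ta+": fs({"pa+"}),
            "ta-": fs({"pa-"}), "tb+": fs({"pb+"}), "tb-": fs({"pb-"})}
    wire = {"tc+": ("c", 1), "tc-": ("c", 0), "ta+": ("a", 1),
            "ta-": ("a", 0), "tb+": ("b", 1), "tb-": ("b", 0)}
    return LPN(rules, post, wire)

def run_fig1():
    """The text's scenario: only tc+ is enabled, up to 9 units may pass, then tc+ fires."""
    lpn = fig1_lpn()
    s0 = TimedState(frozenset({"pa+", "pb+", "pc-"}),          # sigma_0: a, b high, c low
                    {"a": 1, "b": 1, "c": 0}, {r: 0 for r in lpn.rules})
    s1 = advance(lpn, s0, 6)            # earliest instant at which the rule of tc+ is satisfied
    s2 = fire(lpn, s1, "tc+")
    return lpn, s0, s1, s2
```

After the firing, the clocks of (pa+, ta−) and (pb+, tb−) start at zero because those rules were not enabled before c rose, which is exactly the reset case of the clock′ definition.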
3 Timed State Class Construction
A timed state class (TSC) is a finite representation of an infinite number of timed states. It is used to capture the infinite behaviors of an LPN. A TSC for an LPN M = (N, E) is a three-tuple s = (µ, ν, Z) where µ is the marking, ν is the current Boolean state of the wires, and Z is a set of relations called a zone that represents a set of clock functions [8]. A relation in Z has the form ta − tb ≤ c where ta and tb are transitions from N, and c is a rational number. The relation is understood to mean that the time at which ta fired minus the time at which tb fired is less than or equal to c; thus, it represents the time separation between ta and tb. A timed state class transition is the three-tuple (s, t, s′), denoted as s −t→ s′, and it means that from the TSC s, transition t fires to move the system to the TSC s′. The TSCs are constructed such that for a timed state σ of M, if a transition t can fire from σ after passing some time τ to obtain a new state σ′, then there exists a TSC transition s −t→ s′ such that σ ∈ s and σ′ ∈ s′. A timed state class sequence (TSCS) is a connected set of TSC transitions starting from the initial TSC of the system. This is written as ρ = s0 −t1→ s1 −t2→ ··· si−1 −ti→ si ··· −tn→ sn. The notation si−1 −ti→ si ∈ ρ means that the timed state transition si−1 −ti→ si is found in the TSCS ρ as shown above. This notation is also used for a set of TSCSs.
Let T(M) denote the set of all TSCSs allowed by M = (N, E), a closed, disjoint LPN. This set is constructed starting from the initial TSC of M. Recall that N = (T, P, F, µ0) and E = (I, O, ν0, wire, Eft, Lft, Lsat). The initial TSC of M is s0 = (µ0, ν0, Z0). µ0 and ν0 are taken directly from M. The initial zone Z0 is a set of inequalities relating all the transitions that must have fired to create the initial marking. Let T(µ0) be the set of these transitions such that t ∈ T(µ0) if there exists p ∈ µ0 such that t ∈ •p. If this set contains multiple transitions, then one is randomly chosen to create the initial zone. The transitions in T(µ0) are assumed to have fired at the same time to create the initial marking; thus, Z0 contains a relation ta − tb ≤ 0 for all pairs of ta and tb where ta ∈ T(µ0) and tb ∈ T(µ0).
The function find(M, s, T) in Algorithm 1 creates T(M) using bourne again POSET (BAP) timing analysis. BAP implements a partial order reduction in the zones of each TSC. This reduces the number of TSCs needed to capture all the behaviors of the LPN [4,19,22,3]. The BAP algorithm, however, only supports simple conjunctive or disjunctive expressions. This means that any level expression can be a single conjunctive expression of any size, or it can be a disjunctive expression with a single wire in each conjunctive member. If an LPN contains a disjunctive expression with multiple wires in a conjunctive member of that expression, then the BAP analysis below is not exact. It can miss reachable TSCs. This paper is restricted to LPNs with this property.
The find(M, s, T) function is called with an LPN M, s = s0, and T = ∅ to start at the initial TSC, and it returns the set of all possible state transitions from which it is possible to construct T(M). The function find(M, s, T) and its various support functions are best understood by example. Consider again the system in Fig. 1. Assume that the function find(M, s, T) is started from the initial TSC of the system in Fig. 1; thus, s0 = (µ0, ν0, Z0) with µ0 = {pa+, pb+, pc−}, ν0 = (1, 1, 0) where the order is (a, b, c); Z0 = {0 ≤ ta+ − tb+ ≤ 0, 0 ≤ tc− − ta+ ≤ 0, 0 ≤ tc− − tb+ ≤ 0}; (6) and T = ∅.

(6) The two inequalities ta − tb ≤ c1 and tb − ta ≤ c2 can be expressed as −c1 ≤ tb − ta ≤ c2 where c1 and c2 are rational numbers. This transformation is used for all zones.

Algorithm 1 find(M, s, T)
    for all tf ∈ fireable(M, s) do
        for all s′ ∈ successor(M, tf, s) do
            s′ = remove_non_causal(M, s′)
            if ((s −tf→ s′) ∉ T) then
                T = T ∪ {(s −tf→ s′)}
                T = find(M, s′, T)
            end if
        end for
    end for
    return T

Algorithm 2 fireable(M, s)
    Ten = enabled(µ(s), ν(s))
    if (|Ten| = 1) then
        return Ten
    end if
    Tf = ∅
    for all Cg ∈ causal_groupings(Ten) do
        for all Ca ∈ causal_assignments(Cg, Z(s)) do
            Z = set_order(Cg, causal_groupings(Ten), Z(s))
            Z = set_min_separations(Cg, Ten, Z)
            Z = set_max_separations(Ca, Ten, Z)
            if (valid(Z) = true) then
                Tf = Tf ∪ can_fire_first(Ten, Z)
                if (Tf = Ten) then
                    return Tf
                end if
            end if
        end for
    end for
    return Tf

The function find(M, s, T) first calls the function fireable(M, s) shown in Algorithm 2. This function returns the set of transitions that can fire concurrently from s. This means that every transition tf ∈ fireable(M, s) can fire before all other transitions in fireable(M, s). The function begins by deriving the set of enabled transitions in s. The helper functions µ(s) and ν(s) return the marking and Boolean state respectively from the TSC s = (µ, ν, Z) that is passed in on the parameter list. (7) As fireable(M, s) is called with s = s0 in this example, Ten = {tc+}. At this point the function returns the enabled set Ten to find(M, s, T) as it contains a single enabled transition tc+.
(7) This notation is a type for how members are referenced in a tuple when only a symbol is presented and is used throughout the rest of this presentation.

Algorithm 3 successor(M, tf, s)
    S = ∅
    µ = (µ(s) − •tf) ∪ tf•
    ν = update(tf, ν(s))
    for all cg ∈ causal_groupings(tf) do
        for all tc ∈ causal_assignments(cg, Z(s)) do
            Z = set_order(cg, causal_groupings(tf), Z(s))
            Z = set_min_separations(cg, tf, Z)
            Z = set_max_separations(tc, tf, Z)
            if (valid(Z) = true) then
                S = S ∪ {(µ, ν, Z)}
            end if
        end for
    end for
    return S

The function find(M, s, T) then computes all successor TSCs that result from firing tc+ by calling the function successor(M, tc+, s) shown in Algorithm 3. The function begins by creating an empty set S to hold the successor TSCs of s and by updating the marking and Boolean state to reflect the firing of tc+. The function then begins to consider successor TSCs from s by looking at the causal assignments to tc+ in each of its causal groupings. Each of the causal assignments in each of the causal groupings can potentially create a unique successor TSC to s.
A causal grouping for a transition t is a set of transitions that must have fired for t to be enabled. For a transition tc to be in a causal grouping for t, it must be either place or level causal to t. A transition tc is said to be place-causal to t if tc is directly connected to t, which means that there exists a place p ∈ •t such that tc ∈ •p. A transition tc is said to be level-causal to t, a transition that is enabled in the TSC s, if tc is a transition that causes a rule for t to be level-satisfied, which means that there exists a rule r ∈ R(t) and a transition t′ ∈ T such that wirename(t′) = wirename(tc), wire(t′) ≠ wire(tc), Lsat(r)(ν(s)) = true, and Lsat(r)(ν′) = false where ν′ = update(t′, ν(s)). Let causal_groupings(t) be the set of all causal groupings for transition t. A transition can have multiple causal groupings if it is connected to any place that has two source transitions or if it has a disjunctive level expression on any of its rules. The function causal_groupings(tc+) in this example returns two causal groupings for tc+: {tc−, ta+} and {tc−, tb+}. The disjunctive level expression a ∨ b on its rule creates the two groupings. The causal groupings imply that either tc− and ta+ or tc− and tb+ are required to fire tc+.
A causal assignment to a causal grouping for a transition t is the selection of a transition in the causal grouping that is used to determine the separation between t and the other transitions in the causal grouping. In the LPN semantics, an enabled transition t can fire as soon as each of its rules is satisfied, which means that each of the rules r ∈ R(t) has been enabled at least Eft(r) time units. When this condition is met, then the latest time that transition t can fire is at the latest firing time of one of its rules because it must fire before all of them expire. This means that for any rule r ∈ R(t), transition t could fire up to Lft(r) time units from becoming enabled; thus, a causal assignment tc to t implies:
(i) the firing of tc caused a rule r ∈ R(t) to become enabled either through a level or a place; and
(ii) the firing of t happens up to Lft(r) time units after tc.
Let causal_assignments(cg, Z) be the set of transitions from cg such that each transition exists in a relation in the zone Z. If a transition for a potential causal assignment is not found in any relation in Z, then it is assumed to not be causal in Z; thus, it is not considered. Given that the initial zone Z contains relations for all transitions, there are two causal assignments for each grouping {tc−, ta+} and {tc−, tb+} in the example. All of these causal assignments must be considered since each valid one can create a unique successor state from s.
A causal grouping and assignment determine the orders and separations amongst transitions in the zone, as well as the transitions being added to the zone. Let cg be a causal grouping for an enabled transition t, and let Z be a zone. The set_order(cg, causal_groupings(tf), Z) function changes relations in Z to order the level-causal transitions of cg to occur before the level-causal transitions in the other causal groupings of tf. This ordering ensures that each grouping is actually causal in Z. This ordering is not required for place-causal transitions because of the one-safe property of the LPNs. If there exists a place in an LPN that has multiple source transitions creating multiple causal groupings, then only one of those source transitions exists in the zone for the LPN to be one-safe.
For the example of tc+ firing from the initial state, let the causal grouping cg be {tc−, ta+}. In this case, the set_order function does not need to change any relations in Z to order the level-causal transitions ta+ and tb+ because all transitions fire at the same time to create the initial zone; thus, both groupings enable tc+ at the same time. If the zone Z, however, were given as {−2 ≤ tb+ − ta+ ≤ 2}, then the call to set_order would change the zone Z to {0 ≤ tb+ − ta+ ≤ 2}, which means that tb+ always fires between zero and two time units after ta+; thus, the {tc−, ta+} grouping always causes tc+ to become enabled from this zone. The set_order function only changes relations in the zone. It does not add any new relations. If a transition does not exist in any relation in the zone, then it is not ordered in the zone by set_order.
The earliest that a transition can fire from a zone is when all of its rules are satisfied. In the example, the earliest that tc+ can fire is six time units after tc− has fired and its expression a ∨ b evaluates to true; thus, there is at least a six time unit separation between the firing of tc+ and tc−, ta+, and tb+. If there had been another rule feeding into the tc+ transition, then any transition associated with that rule would also set a minimal separation on tc+. In the LPN semantics, a transition cannot fire unless its rules are all either satisfied or expired. Let cg be a causal grouping for an enabled transition t, and let Z be a zone. The function set_min_separations(cg, t, Z) adds the necessary relations to Z to force the firing of t to be delayed until each of its rules is satisfied. Consider again the example of firing tc+ from the initial zone Z = {0 ≤ ta+ − tb+ ≤ 0, 0 ≤ tc− − ta+ ≤ 0, 0 ≤ tc− − tb+ ≤ 0}. Let the causal grouping cg be {tc−, ta+}. The set_min_separations(cg, tc+, Z) function adds two relations to Z: 6 ≤ tc+ − tc− and 6 ≤ tc+ − ta+. These relations set the separation between tc+ and the two transitions tc− and ta+ to be at least six time units according to the rule for tc+; thus, regardless of the causal assignment to tc+ in the causal grouping, the zone contains relations to satisfy its rule. If the zone Z, however, is given as {−2 ≤ tb+ − ta+ ≤ 2}, then set_min_separations(cg, tc+, Z) will only add the 6 ≤ tc+ − ta+ relation to Z because the tc− transition is not in Z. When a transition from a causal grouping is missing in the zone, then no relations are added for that transition.
The latest time that a transition can fire from a zone is before all of its rules expire. This means that a transition can potentially fire at the latest firing time of any of its rules. Let tc be the causal assignment for an enabled transition t, and let Z be a zone. The set_max_separations(tc, t, Z) function adds a relation to Z to set the latest firing of t relative to tc according to the latest firing time on the rule associated with t and tc. Consider the example of firing tc+ from the initial zone Z = {0 ≤ ta+ − tb+ ≤ 0, 0 ≤ tc− − ta+ ≤ 0, 0 ≤ tc− − tb+ ≤ 0} in the successor(M, tc+, s) function. Let the causal grouping cg be {tc−, ta+} and the causal assignment be ta+. The set_max_separations(ta+, tc+, Z) function adds the relation tc+ − ta+ ≤ 9 to Z. The final state of Z in successor(M, tc+, s) for the given causal group and assignment after set_order, set_min_separations, and set_max_separations is
{0 ≤ ta+ − tb+ ≤ 0, 0 ≤ tc− − ta+ ≤ 0, 0 ≤ tc− − tb+ ≤ 0, 6 ≤ tc+ − tc− ≤ ∞, 6 ≤ tc+ − ta+ ≤ 9}.
If the function successor(M, tc+, s), however, is called from the initial marking and Boolean state, but with the zone Z = {−2 ≤ tb+ − ta+ ≤ 2}, then the final state of Z after set_order, set_min_separations, and set_max_separations for the same causal group and assignment is {0 ≤ tb+ − ta+ ≤ 2, 6 ≤ tc+ − ta+ ≤ 9}.
The set_max_separations(tc, tf, Z) function is conservative under time dependent choice semantics. Time dependent choice (TDC) semantics resolve conflict through time. Consider the LPN shown in Fig. 2(a) where t1 conflicts with t3. The event t3 never fires in this LPN. The state reached after t2 is fired cannot time transition more than 9 time units without being forced to fire t1; thus, the LPN semantics implement TDC resolution by default. Consider now the choice construct in Fig. 2(b). In this construct, both t1 and t3 are again enabled, only this time the firing of t3 can never happen at the latest firing time of its rule. This is because t1 is forced to fire before its rule expires, and Lft(t1) ≤ Lft(t3). In this case, set_max_separations(t2, t3, Z) will allow t3 to fire at its latest firing time; thus, it is conservative.

[Figure 2: t2 marks a place p shared by the conflicting transitions t1 and t3; in (a) the rules carry [6, 9] for t1 and [10, 15] for t3, in (b) [6, 9] for t1 and [9, 15] for t3.]
Fig. 2. A timing that allows (a) only t1 to fire and (b) both t1 and t3 to fire.
Invalid causal assignments are identified when the zone resulting from the added ordering relations and separations for that causal grouping and assignment is put into its canonical form. The canonical form for a zone is obtained by applying a shortest-path algorithm to the graph structure implied by its set of relations, where each transition appearing in any relation of Z is a node of the graph, and the nodes are connected by their defined separations as weighted directed edges. If two nodes in the zone are not related by an inequality, then their separation is infinite. A zone is said to be valid if no negative weight cycles exist in the graph structure implied by its set of relations. Let the function valid(Z) put the zone Z in its canonical form and return true if its canonical form is valid, otherwise it returns false. If a causal assignment to t prevents a rule r ∈ R(t) from being enabled for at least Eft(r) time units, then valid(Z) will return false because a negative weight cycle will exist. The successor(M, tf, s) function adds to the set S all valid states from all causal groupings and assignments for tf.
The function successor(M, tc+, s) called from the initial state returns a single successor state from firing tc+. This state is given as s′ = (µ′, ν′, Z′) where µ′ is {pa+, pb+, pc+}, ν′ is (1, 1, 1), and Z′ is
{0 ≤ ta+ − tb+ ≤ 0, 0 ≤ tc− − ta+ ≤ 0, 0 ≤ tc− − tb+ ≤ 0, 6 ≤ tc+ − tc− ≤ 9, 6 ≤ tc+ − ta+ ≤ 9, 6 ≤ tc+ − tb+ ≤ 9}.
All causal groupings and assignments lead to this state because ta+, tb+, and tc− fired at the same time in the initial state. The zone in this new state, however, contains relations that are not important to successor states derived from firing transitions in this new state. As an example, any relation on the firing time of tc− is no longer useful as it is not used by any transition enabled in the new state. The number of TSCs required to capture all behaviors of an LPN can be reduced if unnecessary relations are removed from the zone in each successor state. The function remove_non_causal(M, s′) in find(M, s, T) deletes relations from the zone in s′ that are no longer required to derive new future states from s′.
Consider the new state s′ = (µ, ν, Z) generated from firing tc+ from the initial state of the LPN in Fig. 1. The function remove non causal(M, s′) in this example removes from Z(s′) the relations for the transitions tc−, ta+, and tb+. The new zone Z′ in s′ is {0 ≤ tc+ − tc+ ≤ 0}. The relations involving tc−
are removed because tc− is not needed in a causal grouping for any enabled
event. The relations involving ta+ and tb+ are removed because the relations
in Z ′ indicate that ta+ and tb+ can never be causal to ta− and tb− respectively.
This is because tc+ always ﬁres at least six time units after ta+ and tb+; thus,
the rules for ta− and tb− can never become enabled due to the ﬁring of ta+ or
tb+ respectively.
The new TSC from ﬁring tc+ is added to T in find and the recursive call
is made to compute the set of ﬁreable events from this new TSC. The Ten set
in this case is {ta−, tb−}; thus, the function must explore the causal groupings
and assignments for these transitions to ﬁnd those that can ﬁre concurrently
from s. The functions from Algorithm 3 are extended to sets to derive this
set of transitions. For an ordered set of transitions, Ten = (t1, t2, · · · , tn),
let causal groupings(Ten) be the set of all possible combinations of causal
groupings for transitions in Ten, which means that causal groupings(Ten) =
Πt∈Ten(causal groupings(t)) where Π is the Cartesian product; therefore, if
Ten = (t, u) and causal groupings(t) = {{a1, a2}, {b1}} and causal groupings(u)
= {{c1, c2}, {d1}}, then
causal groupings(Ten)= {({a1, a2}, {c1, c2}), ({a1, a2}, {d1}),
({b1}, {c1, c2}), ({b1}, {d1})};
thus, every combination of causal groupings is considered. For Ten = (ta−, tb−)
in this example, causal groupings(Ten) is {({ta+, tc−}, {tb+, tc−})} because there
is a single causal grouping for ta− and tb−. The Cg set is one combination in
causal groupings(Ten). The function causal assignments(Cg, Z(s)) returns all
combinations of causal assignments to the combination of causal groupings in
Cg. For Ten = (t, u), Cg = ({a1, a2}, {c1, c2}), and Z containing relations for all
of the transitions in Cg, causal assignments(Cg, Z) = { (a1, c1), (a1, c2), (a2, c1),
(a2, c2) }. For Ten = (ta−, tb−), its single causal grouping, and the zone con-
taining only tc+, causal assignments(Cg, Z(s)) = (tc+, tc+) because ta+ and tb+
are not found in Z. The set order, set min separations, and set max separations
functions are extended in a similar manner, only these functions do not con-
sider all combinations. Rather, they can be deﬁned to consider each member
of the Ten set separately; thus, the set order function orders the level-causal
signals in its causal grouping in Cg to occur before the level-causal signals in all
of its other causal groupings. The set min separations and set max separations
functions follow similarly. The resulting valid zone in its canonical form
for this example after set order, set min separations, and set max separations
is {4 ≤ ta− − tc+ ≤ 6, 4 ≤ tb− − tc+ ≤ 6,−2 ≤ ta− − tb− ≤ 2}.
The function can fire first(Ten, Z) in Algorithm 2 returns the set of transitions from Ten that can fire concurrently from Z. This set is derived from the relations in Z. For each transition tf ∈ Ten, the can fire first function examines all relations t − tf ≤ c in Z where t ∈ Ten. If c ≥ 0 in each of these relations, then tf can fire before all other enabled transitions; thus, tf is added to the return set. For this example, can fire first(Ten, Z) returns {ta−, tb−} because the relation −2 ≤ ta− − tb− ≤ 2 denotes that ta− and tb− can happen in either order within two time units of each other. The fireable(M, s) function adds this set to the set of concurrently fireable events and returns to find(M, s, T).

[Figure 3: three untimed state graphs. (a) The eight TSCs {pa+, pb+, pc−} 110, {pa+, pb+, pc+} 111, {pa−, pb+, pc+} 011, {pa+, pb−, pc+} 101, {pa−, pb−, pc+} 001, {pa−, pb−, pc−} 000, {pa+, pb−, pc−} 100 and {pa−, pb+, pc−} 010, connected by TSC transitions labelled c+, a−, b−, c−, a+ and b+. (b) The four states {pa+} 10, {pa+} 11, {pa−} 01 and {pa−} 00, connected by a+, c+, a− and c−. (c) Seven of the states of (a); {pa−, pb+, pc+} 011 is absent because a− and b− are fired in a single order after c+.]
Fig. 3. (a) The set of TSCs found by regular synthesis. (b) The reduced set of TSCs for Fig. 1(b). (c) The set of TSCs found by modular synthesis.
Although this example contains a single combination for its causal grouping
and assignment, other examples have many combinations; thus, if Tf = Ten
the algorithm returns Tf to stop the exploration process as shown above.
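The can fire first test, as an added example that is not the paper's or ATACS's code. It takes a zone already in canonical form, written as the text's relations lo ≤ x − y ≤ hi, converts each relation into the two one-sided bounds it implies, and admits tf only when every bound t − tf ≤ c over the other transitions in Ten has c ≥ 0. PAPER_ZONE is the zone computed for Ten = (ta−, tb−) above; SERIAL_ZONE is a constructed variation in which tb− is forced to fire between 1 and 3 time units after ta−, so only ta− can fire first.

```python
# Added example (not ATACS code): can_fire_first over a zone that is already
# in canonical form, written as the text's relations  lo <= x - y <= hi.
INF = float("inf")


def upper_bounds(relations):
    """(lo, x, y, hi) relations -> map (x, y) -> c meaning x - y <= c."""
    ub = {}
    for lo, x, y, hi in relations:
        ub[(x, y)] = min(ub.get((x, y), INF), hi)
        ub[(y, x)] = min(ub.get((y, x), INF), -lo)
    return ub


def can_fire_first(t_en, relations):
    """Transitions of t_en that can fire before every other transition of t_en.

    tf qualifies iff every relation t - tf <= c with t in t_en has c >= 0; a
    pair with no relation in the zone is unrelated (c = infinity).  The
    relations must already be canonical, or an implied bound can be missed."""
    ub = upper_bounds(relations)
    return {tf for tf in t_en
            if all(ub.get((t, tf), INF) >= 0 for t in t_en if t != tf)}


# The zone from the text after set_order / set_min_separations / set_max_separations.
PAPER_ZONE = [(4, "ta-", "tc+", 6), (4, "tb-", "tc+", 6), (-2, "ta-", "tb-", 2)]

# Constructed variation: tb- is forced to fire 1..3 time units after ta-.
SERIAL_ZONE = [(4, "ta-", "tc+", 6), (5, "tb-", "tc+", 9), (1, "tb-", "ta-", 3)]

if __name__ == "__main__":
    print(sorted(can_fire_first({"ta-", "tb-"}, PAPER_ZONE)))   # ['ta-', 'tb-']
    print(sorted(can_fire_first({"ta-", "tb-"}, SERIAL_ZONE)))  # ['ta-']
```

In SERIAL_ZONE the relation 1 ≤ tb− − ta− ≤ 3 yields the bound ta− − tb− ≤ −1, which is negative, so tb− is dropped from the result while ta− survives because tb− − ta− ≤ 3 is non-negative.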
Applying find(M, s, T ) to the collection of modules shown in Fig. 1 ﬁnds
eight TSCs with ten TSC transitions. The reachable states are shown in
Fig. 3(a) with the timing information omitted.
4 Synthesis of Timed Circuits
Consider a set M = {E, S1, · · · , Si, · · · , Sn} of modules which is closed, where
E is the environment of the whole circuit and Si is a speciﬁcation of the i-th
subcircuit. Let Si = (Ni, Ei). The goal of modular synthesis is to synthesize a
subcircuit speciﬁed by Si. Note that this method expects that the synthesized
subcircuit works correctly with respect to Si in M . It may, however, work
incorrectly with respect to Si in a diﬀerent module set; thus, the synthesis
procedure depends on the behavior of the other modules E, S1, · · ·, Sn.
For a set T of TSCSs and a module Si, a reduced state graph is defined as follows:
rsg(T, Si) = {(proj(s, Si), t, proj(s′, Si)) | (t ∈ Ti ∨ wirename(t) ∈ Ii) ∧ s →t s′ ∈ T}
where proj(s, Si) results in an untimed state that includes a marking with only places from transitions in Si and a state vector composed of only the values of input and output wires in Si (i.e., proj(s, Si) = (µ ∩ Pi, ν|Ii∪Oi) for s = (µ, ν, Z)). This represents the set of untimed state transitions projected to Si that occur in T and change the values of wires in Si; thus, rsg(T, Si) specifies a state graph of Si that does not include any timing information. If Si is selected to be the module shown in Fig. 1(b), then applying rsg(T, Si) to the state graph in Fig. 3(a) results in the state graph in Fig. 3(b).
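The proj and rsg functions, as an added example that is not the paper's or ATACS's code. The TSC set FIG3A is reconstructed from Fig. 3(a) with the zones omitted (eight states, ten TSC transitions), and the module of Fig. 1(b) is assumed, from the markings and state vectors shown in Fig. 3(b), to own the transitions ta+ and ta−, the output wire a, the input wire c, and the places pa+ and pa−. FIG3A_ONE_ORDER is a constructed reduced set in which a− and b− are fired in only one order after c+; its reduced state graph is the same as that of the full set, which is the property modular synthesis relies on.

```python
# Added example (not ATACS code): proj and rsg run over the TSC graph of
# Fig. 3(a), reconstructed here with timing omitted, for the module of Fig. 1(b).
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    trans: frozenset    # T_i, the transitions of S_i
    inputs: frozenset   # I_i
    outputs: frozenset  # O_i
    places: frozenset   # P_i


def wirename(t):
    """Signal a transition switches: 'ta+' -> 'a'."""
    return t[1:-1]


def state(a, b, c):
    """Untimed TSC (marking, vector) of the three-signal example; the zone is omitted."""
    marking = frozenset({"pa+" if a else "pa-", "pb+" if b else "pb-", "pc+" if c else "pc-"})
    return (marking, {"a": a, "b": b, "c": c})


def proj(s, mod):
    """proj(s, S_i) = (mu ∩ P_i, nu restricted to I_i ∪ O_i)."""
    marking, vector = s
    wires = mod.inputs | mod.outputs
    return (marking & mod.places,
            tuple(sorted((w, v) for w, v in vector.items() if w in wires)))


def rsg(tscs, mod):
    """Keep s -t-> s' when t is in T_i or switches an input wire of S_i, then project."""
    return {(proj(s, mod), t, proj(s2, mod))
            for s, t, s2 in tscs if t in mod.trans or wirename(t) in mod.inputs}


def rsg_states(edges):
    return {s for s, _, _ in edges} | {s2 for _, _, s2 in edges}


# Fig. 3(a) as (s, t, s'): 8 TSCs, 10 TSC transitions (reconstructed from the figure).
FIG3A = [
    (state(1, 1, 0), "tc+", state(1, 1, 1)),
    (state(1, 1, 1), "ta-", state(0, 1, 1)),
    (state(1, 1, 1), "tb-", state(1, 0, 1)),
    (state(0, 1, 1), "tb-", state(0, 0, 1)),
    (state(1, 0, 1), "ta-", state(0, 0, 1)),
    (state(0, 0, 1), "tc-", state(0, 0, 0)),
    (state(0, 0, 0), "ta+", state(1, 0, 0)),
    (state(0, 0, 0), "tb+", state(0, 1, 0)),
    (state(1, 0, 0), "tb+", state(1, 1, 0)),
    (state(0, 1, 0), "ta+", state(1, 1, 0)),
]

# Constructed reduced set: after c+, a- and b- are fired in one order only (b- first).
FIG3A_ONE_ORDER = [e for i, e in enumerate(FIG3A) if i not in (1, 3)]

# Assumed from Fig. 3(b): the module of Fig. 1(b) owns signal a and takes c as input.
MODULE_B = Module(trans=frozenset({"ta+", "ta-"}), inputs=frozenset({"c"}),
                  outputs=frozenset({"a"}), places=frozenset({"pa+", "pa-"}))

if __name__ == "__main__":
    full = rsg(FIG3A, MODULE_B)
    print(len(rsg_states(full)), "states,", len(full), "edges")  # 4 states, 4 edges
    print(rsg(FIG3A_ONE_ORDER, MODULE_B) == full)                   # True
```

The two a− transitions of Fig. 3(a) (from 111 and from 101) project onto the same edge ({pa+}, a=1, c=1) →a− ({pa−}, a=0, c=1), and the b± transitions are dropped entirely, which is how the ten TSC transitions collapse to the four edges of Fig. 3(b).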
Let T (M) denote the set of TSCSs of M such that every TSCS starts
from the initial TSC s0 of M . A modular synthesis with respect to Si in M is
done by applying a synthesis algorithm for timed circuits in [21], denoted by
synthesis, to rsg(T (M), Si). Hence, Ci = synthesis(rsg(T (M), Si)) is our goal.
If we consider {S1, · · · , Sn} to be one module and assume that there are
no internal signals in the environment, it is equivalent to the non-modular
synthesis method. In modular synthesis, the state graphs (i.e., rsg(T (M), Si))
are much smaller than those for non-modular synthesis, because many vari-
ables are projected out in rsg(T (M), Si). In order to obtain T (M), however,
this method has to generate the full state space of the system, even if one
subcircuit Si is being considered at a time; thus, as long as this method uses
T (M), there is no advantage to modular synthesis. This paper proposes an-
other approach to generate a reduced state space TSi(M) by means of a partial
order reduction. The advantages of the partial order approach are two-fold:
ﬁrst, concurrent orders of invisible behavior are not considered; and second,
an optimal circuit is always synthesized. The disadvantage of the partial order
approach is that a portion of the invisible behavior still needs to be considered.
Note that it is possible to apply the abstraction technique and then to apply
the partial order reduction.
5 Partial Order Reduction
This section extends the partial order reduction algorithm shown in [4,19,28,31]
so that it can handle LPNs for synthesis of timed circuits.
T (M) is obtained by ﬁring every possible output transition from every
reachable timed state class. This total order exploration algorithm often suﬀers
from the state explosion problem. A partial order exploration algorithm
generates a set of reduced TSCSs with respect to Si that still has suﬃcient
information to synthesize a correct circuit for Si.
In order to explain the proposed idea more formally, this section defines project. For a TSCS s →t s′ →t′ ··· with s = (µ, ν, Z) and a specification Si,
project(s →t s′ →t′ ···, Si) = proj(s, Si) →t Y   if t ∈ Ti ∨ wirename(t) ∈ Ii,
                                Y                  otherwise,
where Y = project(s′ →t′ ···, Si). This definition can also be extended for a set of TSCSs. The project function removes from T(M) any transition not related to Si. It is subtly different from the rsg(T(M), Si) function in that it preserves timing information, whereas the other removes timing information to get the untimed subset of T(M).

[Figure 4: three LPN fragments, with timing annotations as read from the figure. (a) t1 [1, 5] and t2 [1, 7] with disjoint source places. (b) t1 [1, 5] and t2 [1, 8] sharing a source place. (c) t1 [1, 7] with a level expression on signal a, and the transition ta− [1, 5].]
Fig. 4. An LPN fragment where t1 and t2 are (a) independent, (b) in place-conflict, and (c) in level-conflict.
Now, for a given set M of modules and a module Si for the speciﬁcation
of the target subcircuit, modular synthesis constructs a set TSi(M) of reduced
TSCSs such that the following proposition holds.
Proposition 5.1 project(T (M), Si) = project(TSi(M), Si).
If this proposition holds, then the following theorem can be proven, showing that the proposed method gives the same solution as the method in Section 3.
Theorem 5.2 rsg(T(M), Si) = rsg(TSi(M), Si).
Proof. Suppose (proj(s, Si), t, proj(s′, Si)) ∈ rsg(T(M), Si); thus, there exists a TSCS ρ = s0 →t1 ··· s →t s′ ··· in T(M) such that either t ∈ Ti or wirename(t) ∈ Ii. From Proposition 5.1, there also exists a TSCS ρ′ in TSi(M) such that project(ρ, Si) = project(ρ′, Si); thus, (proj(s, Si), t, proj(s′, Si)) ∈ rsg(TSi(M), Si). The other direction can be proven similarly. ✷
Next, this section shows how to construct TSi(M) such that Proposition 5.1 holds. The idea of partial order reduction is to prune some successor timed state classes during state space exploration. This means that some firing orders between transitions are omitted. If some firing orders between transitions in Ti are missed, however, then Proposition 5.1 does not hold; thus, modular
synthesis has to guarantee that every possible ﬁring order between transitions
on signals in Si is generated. Let function visible(Si) return the set of these
transitions.
visible(Si) = {t | t ∈ Ti ∨ wirename(t) ∈ Ii}
Consider the simple example net shown in Fig. 4(a). If t1 and t2 are both
visible transitions, then both orderings are important and ignoring one of
them would result in an incorrect circuit.
Suppose that t1 and t2, which are outside Si, are in conflict (i.e., only t1
or t2 can occur). If ﬁring t1 is missed in TSi(M), then the behavior of Si that
is caused by the descendant of t1 may be missed too. This results in a wrong subcircuit. The function conflictp(t) returns the place-conflicts for t.
conflictp(t) = {t′ | •t ∩ •t′ ≠ ∅, t′ ≠ t}
An example of a place conflict is shown in Fig. 4(b). The firings of t1 and t2 must be interleaved or behaviors of Si may be missed. This can result in an incorrect circuit. For the LPN in Fig. 4(b), conflictp(t1) = {t2} and conflictp(t2) = {t1}.
A level expression may also create conﬂict. If the ﬁring of a transition t1
could disable a level expression on another transition t2, then the algorithm
must consider ordering the ﬁrings of t1 and t2. If the ﬁring of a transition t1
can be disabled by another transition t2, then they must also be interleaved.
The function conflictl(t) returns the set of level-conflicts for transition t.
conflictl(t) = {t′ | ∃r . (t′ ∈ r• ∧ disable(Lsat(r), t)) ∨ (t ∈ r• ∧ disable(Lsat(r), t′)) ∨ disjunctive(Lsat(r), t, t′)}
where disable(Lsat(r), t) returns true if ﬁring transition t can potentially disable
the Boolean function Lsat(r), and disjunctive returns true if t and t′ appear in
diﬀerent product terms of a disjunctive expression. This is necessary in order
to consider all possible transitions that determine the latest ﬁring time of t.
An example of a level conﬂict is shown in Fig. 4(c). The ﬁrings of ta− and t1
must be interleaved to produce the correct circuit; thus, conflictl(t1) = {ta−}
and conflictl(ta−) = {t1}.
Thus, for a TSCS ρ in T (M), we have to guarantee that TSi(M) includes
ρ′ such that the same set of transitions eventually ﬁre in both ρ and ρ′. This
is guaranteed by the combination of these three requirements summarized in
the deﬁnition of the following set conflict(t) as the set of transitions that are
visible or in place or level-conﬂict with t.
conflict(t) = visible(Si) ∪ conflictp(t) ∪ conflictl(t)
The partial order algorithm for modular synthesis generates only one ﬁring
order for transitions not in the conﬂict set, and every possible ﬁring order
for transitions in the conﬂict set. Unfortunately, it is not quite this simple.
Consider the net in Fig. 5(a). In this case, t3 is not enabled; thus, only t1 can
ﬁre and not t3. The ﬁring sequence starting from t2, however, can enable t3 to
ﬁre if the ﬁring of t1 is postponed; thus, if t1 is ﬁred alone, then the possibility
of the ﬁring of t3 is missed. Modular synthesis must therefore interleave t1
and t2 to ﬁnd all behaviors of Si. This case must also be considered for level-
conﬂict too. Consider the LPN in Fig. 5(b). In this case, t1 and ta− are in
level-conﬂict, but ta− is not enabled. To enable ta−, t3 must ﬁrst ﬁre, but t3
is not enabled because c is low in the current state. The transition tc+ must
therefore ﬁre to enable t3. To enable tc+, however, the algorithm must ﬁrst
ﬁre t2; thus t1 must be interleaved with t2 to see if it is possible that it can
start a chain reaction resulting in the ﬁring of ta− before t1.
In order to handle these cases in general, if the method wants to fire a transition t at a timed state class s, it must compute dependent(s, t). It is a set of enabled transitions such that the interleavings of the firings of those transitions should be generated for the correct results. For example, dependent(s, t1) = {t1, t2} for Figs. 5(a) and (b).

[Figure 5: two LPN fragments. (a) Transitions t1, t2, t3 and t4 carrying the rules [1, 5], [0, 3], [2, 5], [1, 8] and [2, 5]; t1 and t3 share a source place, and t3 only becomes enabled through the firing sequence started by t2. (b) t1 [1, 7] with a level expression on signal a; t2, tc+, t3 and ta− each with rule [1, 5]; t3 has a level expression on signal c, which tc+ sets, and ta− waits on t3.]
Fig. 5. (a) An LPN fragment where t1 and t3 are in place-conflict. (b) An LPN fragment where ta− and t1 are in level-conflict.
A transition t is called firable in a timed state class s, if for some timed
state class s′, s t→ s′ ∈ T (M). For a ﬁrable transition t and a timed state
class s, dependent(s, t) must include t and satisfy the following:
    if t′ ∈ dependent(s, t), then for every u ∈ conflict(t′), active(s, u, t′) ⊆ dependent(s, t),
where active(s, u, t) is the set of transitions whose firings possibly lead the LPN to a timed state class where u is enabled in time in the sense that u can fire earlier than t. If u cannot become enabled in time, then modular synthesis does not have to interleave the firings of t and u. More formally,
    active(s, u, t) = {x | (x, d) ∈ necessary(s, u, {t}), x can fire d time units earlier than t},
where necessary(s, u, TD) is a set of enabled transitions with some timing in-
formation such that in order to ﬁre u, the ﬁring of at least one transition in
this set is necessary. Intuitively, the computation of necessary(s, u, TD) is im-
plemented such that empty source places of transitions are searched upwards
from u until some enabled transition is found. For example, when modular
synthesis computes necessary(s, t3, TD) in Fig. 5(a), it searches upward in the
net until t2 is found. During the search, if a transition is reached in which its
source places are marked, but a level expression on one of its incoming rules is
not satisﬁed, the upward search must locate a transition that would contribute
toward making the expression satisﬁed. The upward search is then restarted
from this transition. For example, while calculating necessary(s, ta−, TD) in Fig. 5(b), the search encounters t3 that has its necessary token but is not
level-satisﬁed. In this case, the search determines that tc+ is needed to cause
the rule for t3 to be level-satisﬁed. It then locates a transition for c+ and con-
tinues the upward search from there until it ﬁnds t2 that is ﬁreable. If the level
expression is c ∧ d instead, nothing would change except that the algorithm
would have the option of searching for td+. This is because both transitions
must ﬁre to satisfy the expression; thus, the transition with the best necessary
set is used. If, however, the level expression is c ∨ d, then the algorithm must
calculate the necessary set for both the tc+ and td+ transitions and form the
union of the results. This is because only one of the two transitions is required
to satisfy the expression for t3. As it is not known which one will occur, both
must be considered together.
In the calculation of necessary(s, u, TD), TD is used to terminate loops.
necessary(s, t, TD) is actually the set of pairs (x, d) where x is a transition
found in the above search process, and d is the sum of the earliest ﬁring
times in the shortest path from x to u. The value of d denotes that it takes
at least d time units for u to become enabled after the ﬁring of x. If the
maximum time separation δ between x and t is less than d time units, it means
that u can never ﬁre before t. In other words, our method does not have to
consider the interleavings between t and u in this case; hence, active(s, u, t)
only contains those x which can ﬁre d time units earlier than t. For example,
necessary(s, ta−, {t1}) = {(t2, 3)} in Fig. 5(b), and so t2 is in the active set. If
the latest ﬁring time of t1 is 3 instead (i.e., δ = 2), there is no possibility for
ta− to ﬁre before t1, so t2 would not be included in the active set in this case.
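The necessary and active computations of this section, as an added example that is neither the paper's nor ATACS's code. The net model is a simplification: each transition carries a single [Eft, Lft] rule, a level expression in disjunctive normal form, and the literals it makes true when it fires. The upward search follows the text: an empty source place is traced to its producers (union over alternatives), an unsatisfied level expression is traced to the transitions that set its literals, choosing one literal per conjunctive term and taking the union over disjunctive terms, and d accumulates the Eft of every transition on the path from x up to, but not including, u. Two things are assumptions labelled in the code: "best" necessary set means the one with the fewest transitions, and the largest separation between x and t, when both are enabled with their timers just started in s, is Lft(t) − Eft(x). The fig5b net is constructed to mirror Fig. 5(b) and reproduces necessary(s, ta−, {t1}) = {(t2, 3)}, with t2 active when Lft(t1) = 7 and inactive when Lft(t1) = 3.

```python
# Added example (not ATACS code): a small model of the necessary/active
# computation from this section, run on a net built to mirror Fig. 5(b).
from dataclasses import dataclass


@dataclass(frozen=True)
class Tr:
    name: str
    eft: int
    lft: int
    pre: frozenset      # source places
    post: frozenset     # sink places
    guard: tuple = ()   # DNF: tuple of terms, each a tuple of (signal, value) literals
    sets: tuple = ()    # literals made true when this transition fires


def guard_sat(guard, values):
    return not guard or any(all(values.get(s) == v for s, v in term) for term in guard)


def enabled(t, marking, values):
    return t.pre <= marking and guard_sat(t.guard, values)


def merge(a, b):
    """Union of two necessary sets, keeping the shortest d per transition."""
    out = dict(a)
    for x, d in b.items():
        out[x] = min(out.get(x, d), d)
    return out


def best(options):
    """When every requirement must be met, one necessary set suffices.
    Assumption: take the smallest set, preferring larger d on ties."""
    options = [o for o in options if o]
    return min(options, key=lambda o: (len(o), -min(o.values()))) if options else {}


def via(net, producers, marking, values, visited):
    """Union over alternative producers; each step up adds the producer's Eft to d."""
    acc = {}
    for x in producers:
        up = necessary(net, x, marking, values, visited)
        acc = merge(acc, {y: d + x.eft for y, d in up.items()})
    return acc


def necessary(net, u, marking, values, visited=frozenset()):
    """x -> d for enabled x whose firing is necessary to enable u; d is the sum
    of Eft along the shortest upward path from x to (not including) u."""
    if u.name in visited:                 # TD in the text: terminate loops
        return {}
    if enabled(u, marking, values):
        return {u.name: 0}
    visited = visited | {u.name}
    reqs = []
    for p in u.pre - marking:             # empty source place: a producer must fire
        reqs.append(via(net, [t for t in net.values() if p in t.post],
                        marking, values, visited))
    if not guard_sat(u.guard, values):    # conjunction -> best literal, disjunction -> union
        by_term = {}
        for term in u.guard:
            lits = [l for l in term if values.get(l[0]) != l[1]]
            by_term = merge(by_term, best([
                via(net, [t for t in net.values() if l in t.sets], marking, values, visited)
                for l in lits]))
        reqs.append(by_term)
    return best(reqs)


def active(net, u, t, marking, values):
    """necessary(s, u, {t}) filtered to the x that can fire d time units before t.
    Assumption: x and t start their timers together in s, so the maximum
    separation delta between their firings is Lft(t) - Eft(x)."""
    nec = necessary(net, u, marking, values, frozenset({t.name}))
    return {x for x, d in nec.items() if t.lft - net[x].eft >= d}


def fig5b(t1_lft=7):
    """Constructed net mirroring Fig. 5(b): t1 and t2 are enabled, t3 holds its
    token but c is low, tc+ raises c once t2 has fired, and ta- waits on t3."""
    ts = [
        Tr("t1", 1, t1_lft, frozenset({"p1"}), frozenset({"q1"}), guard=((("a", True),),)),
        Tr("t2", 1, 5, frozenset({"p2"}), frozenset({"pc"})),
        Tr("tc+", 1, 5, frozenset({"pc"}), frozenset({"qc"}), sets=(("c", True),)),
        Tr("t3", 1, 5, frozenset({"p3"}), frozenset({"pa"}), guard=((("c", True),),)),
        Tr("ta-", 1, 5, frozenset({"pa"}), frozenset({"qa"}), sets=(("a", False),)),
    ]
    return {t.name: t for t in ts}, {"p1", "p2", "p3"}, {"a": True, "c": False}


if __name__ == "__main__":
    net, m, v = fig5b()
    print(necessary(net, net["ta-"], m, v, frozenset({"t1"})))  # {'t2': 3}
    print(active(net, net["ta-"], net["t1"], m, v))              # {'t2'}
    net3, m3, v3 = fig5b(t1_lft=3)
    print(active(net3, net3["ta-"], net3["t1"], m3, v3))         # set()
```

With Lft(t1) = 7 the separation is 7 − 1 = 6 ≥ 3, so t2 must be interleaved with t1; with Lft(t1) = 3 it is 2 < 3, t1 is guaranteed to fire before ta− can be enabled, and the interleaving is skipped.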
Finally, our method constructs TSi(M) by ﬁring only transitions in ready(s)
in each s, where ready(s) is dependent(s, t) for some transition t returned by
fireable(M, s), such that all transitions in the set are ﬁrable.
Consider again the example shown in Fig. 1 where the module to synthesize
is shown in Fig. 1(b). In the initial TSC, there is only one ﬁreable transition,
tc+, so the algorithm certainly must ﬁre that one. After ﬁring tc+, there are
two ﬁreable transitions ta− and tb−. First, consider ﬁring ta−: conflict(ta−)
includes ta+, ta−, tc+. The transition tc− is not included in the dependent set
since ta− is needed to enable tc− resulting in a circular dependency. Circular
dependencies are found for all other transitions as well, so dependent(s, ta−) =
{ta−}. conflict(tb−) is obtained similarly, and they are all again eliminated due
to circular dependencies. This means that ready(s) can be set equal to either
ta− or tb−, and these signals do not need to be interleaved. One possible state
space found using this partial order approach is shown in Fig. 3(c). Note that
applying rsg(T , Si) to the state graph shown in Fig. 3(c) again results in the
state graph shown in Fig. 3(b) meaning that the synthesized circuit is the
same for the total order and this partial order method.
The above algorithm generates TSi(M) such that TSi(M) ⊆ T(M); thus, project(TSi(M), Si) ⊆ project(T(M), Si) holds. The other direction, meaning that for any ρ ∈ T(M) there exists ρ′ in TSi(M) such that project(ρ, Si) = project(ρ′, Si), can be proven by extending the approach used in the proof of Lemma 1 in [31] so that it considers level-rules. Hence, we can prove that Proposition 5.1 holds under the proposed algorithm.

Table 1
A comparison between flat and modular synthesis.

                   Flat                                Modular
Example            States            BAP       Synth   States           BAP      Synth
fifoN4             39317 (130130)    1182.94   7.47    95               0.10     0.00
fifoN39                                                251              0.48     0.00
stari12            41792 (159248)    542.50    5.48    139 (206)        0.30     0.00
stari18                                                349 (1902)       9.15     0.00
isp 3              38113 (38142)     82.25     19.78   14423 (14664)    17.32    0.44
isp branch v2                                          62601 (62632)    136.06   18.56
isp join           31622 (32082)     54.89     9.20    8678 (8688)      14.29    0.83
isp fork           38589 (38590)     67.25     6.70    12306 (12307)    18.55    1.02
isp priority       107481 (107589)   181.21    22.59   17902 (17904)    29.84    1.39
6 Results and Conclusion
The BAP algorithm and modular synthesis approach are implemented by the
CAD tool ATACS. The performance of modular synthesis is best illustrated on
examples that can be dynamically changed to produce larger sets of TSCSs.
Although this type of example is not representative of all designs, for a pre-
liminary study, it does serve to establish the limits of a ﬂattened synthesis
approach and to demonstrate the beneﬁts of this modular synthesis approach.
A control circuit for a pipeline is an example of a design that can be easily
modiﬁed to create larger sets of TSCSs. Results from three such examples
are shown in Table 1. The ﬁfoN example is a ﬁfo from SUN [20]. The stari
example is another ﬁfo described in [10]. Finally, the isp examples are inter-
locked synchronous pipelines from IBM [14]. Table 1 compares ﬂat synthesis
and modular synthesis times. The States column is the number of unique
Boolean states found by the BAP algorithm followed by the number of TSCs
in parentheses. The BAP column is the running time spent ﬁnding the TSCs.
The Synth column is the amount of running time spent in synthesizing a single
component. The running time is in seconds reported on a Pentium III 930 MHz with 256 MB of memory. The blank entries in the table indicate that the flat synthesis did not complete in a reasonable amount of time. These results show
that the idea of applying partial order reduction to the modular synthesis of
timed circuits can provide substantial improvements in synthesis time. This
includes several examples that could not previously be synthesized using a flat synthesis approach.
References
[1] Alur, R., and D. L. Dill, A theory of timed automata, Theoretical Computer Science
126 (1994), 183–235.
[2] Belluomini, W., “Algorithms for synthesis and veriﬁcation of timed circuits and
systems,” Ph.D. thesis, University of Utah, Utah, 1999.
[3] Belluomini, W., C. J. Myers, and H. P. Hofstee, Timed circuit veriﬁcation using TEL
structures, IEEE Transactions on Computer-Aided Design of Integrated Circuits 20
(2001), 129–146.
[4] Bengtsson, J., B. Jonsson, J. Lilius, and W. Yi, Partial order reductions for timed
systems, Proc. International Conf. on Concurrency Theory (1998), 485–500.
[5] Berthomieu, B., and M. Diaz, Modeling and Verification of Time Dependent Systems
Using Time Petri Nets, IEEE Transactions on Software Engineering 17 (1991).
[6] Bozga, M., O. Maler, A. Pnueli, and S. Yovine, Some Progress in the Symbolic
Veriﬁcation of Timed Automata, International Conf. on Computer Aided Veriﬁcation
(1997).
[7] Daws, C., A. Olivero, S. Tripakis, and S. Yovine, The tool KRONOS, Lecture Notes in
Computer Science 1066 (1995).
[8] Dill, D. L., Timing assumptions and veriﬁcation of ﬁnite-state concurrent systems, Proc.
of the Workshop on Automatic Veriﬁcation Methods for Finite-State Systems (1989).
[9] Godefroid, P., Using partial orders to improve automatic veriﬁcation methods, Proc. of
Computer Aided Veriﬁcation Workshop (1990).
[10] Greenstreet, M. R., Implementing a STARI chip, Proc. International Conf. Computer
Design (1995), 38–43.
[11] Henzinger, T., X. Nicollin, J. Sifakis, S. Yovine, Symbolic model-checking for real-time
systems, Proc. of the 7th Symposium Logics in Computers Science (1992).
[12] Hofstee, H. P., S. H. Dhong, D. Meltzer, K. J. Nowka, J. A. Silberman, J. I. Burns,
S. D. Posluszny, and O. Takahashi, Designing for a gigahertz, IEEE MICRO 3 (1998),
66–74.
[13] Hulgaard, H., and S. M. Burns, Eﬃcient timing analysis of a class of Petri nets, Proc.
International Conf. on Computer Aided Veriﬁcation (1995).
[14] Jacobson, H., P. Kudva, P. Bose, P. Cook, S. Schuster, and E. G. Mercer, Synchronous
Interlocked Pipelined CMOS, Proc. of International Symposium on Advanced Research in
Asynchronous Circuits and Systems (2002).
[15] Katz, S., and D. Peled, Deﬁning conditional independence using collapses, Semantics
for concurrency BCS-FACS Workshop (1990).
[16] Maler, O., and A. Pnueli, Timing Analysis of Asynchronous Circuits using Timed
Automata, Proceedings of CHARME’95 (1995).
[17] McMillan, K. L., “Symbolic model checking : An approach to the state explosion
problem,” Ph.D. thesis, Carnegie Mellon University, Pittsburgh, 1992.
[18] Mercer, E. G., C. J. Myers, and T. Yoneda, Improved POSET timing analysis in timed
Petri nets, Proc. of Synthesis and System Integration of Mixed Technologies (2001),
127–134.
[19] Minea, M., “Partial order reduction for veriﬁcation of timed systems,” Ph.D. thesis,
Carnegie Mellon University, Pittsburgh, 1999.
[20] Molnar, C. E., I. W. Jones, B. Coates, and J. Lexau, A FIFO Ring Oscillator
Performance Experiment, Proc. of International Symposium on Advanced Research in
Asynchronous Circuits and Systems (1997), 279–289.
[21] Myers, C. J., “Computer-Aided Synthesis and Veriﬁcation of Gate-Level Timed
Circuits,” Ph.D. thesis, Stanford University, California, 1995.
[22] Myers, C. J., T. G. Rokicki, and T. H. Y. Meng, POSET timing and its application
to the synthesis and veriﬁcation of gate-level timed circuits, IEEE Transactions on
Computer-Aided Design 18 (1999), 769–786.
[23] Peña, M. A., J. Cortadella, A. Kondratyev, and E. Pastor, Formal verification
of safety properties in timed circuits, Proc. International Symposium on Advanced
Research in Asynchronous Circuits and Systems (2000), 2–11.
[24] Schuster, S., W. Reohr, P. Cook, D. Heidel, M. Immediato, and K. Jenkins,
Asynchronous interlocked pipelined CMOS circuits operating at 3.3-4.5 GHz, Proc.
International Solid State Circuits Conf. (2000).
[25] Semenov, A., A. Yakovlev, E. Pastor, M. Peña, J. Cortadella, and L. Lavagno, Partial
order based approach to synthesis of speed-independent circuits, Proc. International
Symposium on Advanced Research in Asynchronous Circuits and Systems (1997), 254–
265.
[26] Stevens, K. S., S. Rotem, R. Ginosar, P. Beerel, C. J. Myers, K. Y. Yun, R. Koi,
C. Dike, and M. Roncken, An asynchronous instruction length decoder, IEEE Journal
of Solid-State Circuits 36 (2001), 217–228.
[27] Sutherland, I., and S. Fairbanks, GasP: A minimal FIFO control, Proc. of International
Symposium on Advanced Research in Asynchronous Circuits and Systems (2001),
46–53.
[28] Valmari, A., A stubborn attack on state explosion, Proc. of Workshop on Computer
Aided Veriﬁcation (1990).
[29] Yoneda, T., and H. Schlingloff, Efficient verification of parallel real-time systems,
Formal Methods in System Design (1997), 187–215.
[30] Yoneda, T., and H. Ryu, Timed trace theoretic veriﬁcation using partial order reduction,
Proc. of Fifth International Symposium on Advanced Research in Asynchronous Circuits
and Systems (1999), 108–121.
[31] Yoneda, T., E. G. Mercer, and C. J. Myers, Modular synthesis of timed circuits using
partial order reduction, Proc. of Synthesis and System Integration of Mixed Technologies
(2001), 151–158.
[32] Zheng, H., E. Mercer, and C. Myers, Automatic abstraction for veriﬁcation of timed
circuits and systems, International Conf. on Computer Aided Veriﬁcation (2001).