Level oriented formal model for asynchronous circuit verification and its efficient analysis method by Myers, Chris J. & Kitai, Tomoya
Level Oriented Formal Model for Asynchronous Circuit Verification and its Efficient Analysis Method *
Tomoya Kitai, Yusuke Oguro
Tokyo Institute of Technology
{kitai, yoguro}@yt.cs.titech.ac.jp
Eric Mercer
Brigham Young University
egm@cs.byu.edu
Tomohiro Yoneda
National Institute of Informatics
yoneda@nii.ac.jp
Chris Myers
University of Utah
myers@vlsigroup.ece.utah.edu
Abstract
Using a level-oriented model for verification of asynchronous circuits helps users to easily construct formal models with high readability or to naturally model data-path circuits. On the other hand, in order to use such a model on large circuits, techniques to avoid the state explosion problem must be developed. This paper first introduces a level-oriented formal model based on time Petri nets, and then proposes its partial order reduction algorithm that prunes unnecessary state generation while guaranteeing the correctness of the verification.
Key words: Level-oriented model, timed asynchronous circuits, formal verification, time Petri nets.
1 Introduction
Many formal verification algorithms for asynchronous circuits that are based on the exploration of reachable states use transition-oriented models such as Petri nets and CSP in order to model circuits and specifications [1, 2, 3, 4, 5]. In this approach, the behavior of an asynchronous circuit is represented using transitions of signals. This representation has the potential ability to model the real nature of asynchronous control circuits. It is, however, not easy for nonexpert users to construct good and comprehensive representations on this model. Furthermore, in asynchronous circuit design, control signals are sometimes embedded in data-path circuits. An example of this is a dual-rail encoding, which requires some (abstracted) data-path circuits to be formally modeled for verification. In this type of application, a transition-oriented model is not suitable.
This paper tries to represent the behavior of asynchronous circuits also using values of signals like those used in the synchronous circuit design process. For this purpose, a level-oriented model is first introduced. Our model, which we call LTN (Level Time Petri Net), is obtained by extending time Petri nets such that firing an LTN transition can assign values to a set of Boolean variables and that the validity of an expression over the Boolean variables is also used as an enabling condition of an LTN transition in addition to the marking. Thus, an LTN can easily model the behavior based on both changes of signals and values of signals.
* This research is supported by NSF Japan Program award INT-0087281, SRC contract 99-TJ-694, a grant from Intel Corporation, and JSPS Joint Research Projects.
On the other hand, an approach to analyzing this new 
model in a traditional total order manner is not acceptable 
for large circuits due to state explosion. In other words, 
a new model is useless without an efficient analysis algo­
rithm. For transition-oriented models, two major methods 
are proposed for this purpose, implicit state space enumer­
ation based on BDDs [3] and partial order reduction [4, 5]. 
Since our current interest is in verifying timed circuits with 
bounded delays and the implicit state representation method 
often fails to efficiently represent timed states (in particular, 
sets of inequalities), this work chooses the partial order re­
duction approach.
Timed automata [6] can also be used as a level-oriented model, and partial order reduction has been applied to their analysis [7, 8]. Our experience, however, has found that the generality of timed automata comes at an increase in analysis complexity, and this increased generality does not appear to be necessary for verifying asynchronous circuits.
Several alternative level-oriented Petri net models have been proposed such as TEL structures [9], level-ruled Petri nets (LPNs) [10], and an extension of time Petri nets [11]. An LTN is obtained by refining the one proposed in [11]. An LTN is somewhat less expressive than TEL structures and LPNs. In particular, timing annotations and Boolean conditions are placed on the transition in an LTN while they are placed on the edge between the place and transition in TEL structures and LPNs. This increased expressiveness, however, comes at a cost in the analysis algorithm's complexity. As a result, the algorithms for analysis of these nets have tended to be conservative rather than exact [9, 10]. To the best of our knowledge, the work in [10, 12] is the only one that proposes a partial order reduction for a level-oriented Petri net model, namely the LPN model, though the algorithm is conservative. The goal of this work is to obtain exact verification results using the LTN model.
Proceedings of the 2002 Pacific Rim International Symposium on Dependable Computing (PRDC'02)
0-7695-1852-4/02 $17.00 © 2002 IEEE
This paper is organized as follows. The next section 
introduces the LTN model. Section 3 briefly reviews the 
verification method used in this paper. Section 4 proposes 
the partial order reduction algorithm for an LTN. Section 5 
shows the experimental results obtained by verifying sev­
eral examples with the proposed algorithm. Finally, we 
summarize our results in Section 6.
2 Level Oriented Model
A traditional time Petri net consists of transitions (thick bars), places (circles), and arcs between transitions and places. A token (large dot) can occupy a place, and when every source place of a transition is occupied, the transition becomes enabled. Each transition has two times, the earliest firing time and the latest firing time. An enabled transition becomes ready to fire (i.e., firable) when it has been continuously enabled for its earliest firing time, and cannot be continuously enabled for more than the latest firing time, i.e., it must fire unless it is disabled. The firing of a transition occurs instantly. It consumes tokens in its source places and produces tokens into its destination places.
In an LTN, two additional functions, assign and condition, can be associated with a transition. The assign function relates a transition to assignments on Boolean variables, and the condition function relates a transition to an expression over Boolean variables. The enabling condition of an LTN is extended, and a transition is enabled if both the expression given by condition is true and every source place is occupied. For example, in the LTN shown in Figure 1(a), $t_c$ is enabled only if $b_1 \wedge b_2$ is true. The firing rule of an LTN is also extended in that when a transition fires, the assignments specified by the assign function are done while consuming and producing tokens. For example, in the LTN shown in Figure 1(b), when $t_a$ fires, $a_1$ and $a_2$ are set to 1 and 0, respectively. Using assign and condition, a level-
[Figure 1. An example of an LTN: (a) $t_c$ with condition $b_1 \wedge b_2$; (b) $t_a$ with assign $\{a_1 = 1, a_2 = 0\}$]
2.1 Formal Definitions of LTN
An LTN $N$ is a ten-tuple, $N = (P, T, F, \mathrm{Eft}, \mathrm{Lft}, V, \mathrm{assign}, \mathrm{condition}, \mu_0, val_0)$. The members $P$, $T$, $F$, $\mathrm{Eft}$, $\mathrm{Lft}$, and $\mu_0$ are the same as those of the time Petri net, while the members $V$, assign, condition, and $val_0$ are newly added for an LTN and defined as follows:
• $V$ is a finite set of Boolean variables.
• $\mathrm{assign} : T \to 2^A$, where $A = \{v = b \mid v \in V,\ b \in \{0, 1\}\}$.
• $\mathrm{condition} : T \to C$, where $C = \{f_1 \vee f_2 \mid f_1, f_2 \in C \cup \mathcal{F}\}$ and $\mathcal{F} = \{g_1 \wedge g_2 \mid g_1, g_2 \in \mathcal{F} \cup V \cup \bar{V}\}$. $\bar{V}$ denotes $\{\bar{v}_0, \bar{v}_1, \bar{v}_2, \ldots\}$ if $V = \{v_0, v_1, v_2, \ldots\}$.
• $val_0 : V \to \{0, 1\}$ gives the initial values of the Boolean variables.
The assign function relates a transition to assignments on Boolean variables performed on the firing of the transition. For example, $\mathrm{assign}(t) = \{a = 1, b = 0\}$. The condition function specifies a Boolean expression that should be true for the transition to be enabled. This expression is represented as a sum of products such as
$\mathrm{condition}(t) = abc \vee de$,
where $a, b, c, d, e$ are Boolean variables (the $\wedge$ operators are omitted here).
A state of an LTN is a tuple $(\mu, I, val)$, where $\mu$ is a marking, $I$ is a set of inequalities, and $val$ is an assignment of a value to each Boolean variable. For a transition $t$, two kinds of timing variables, a past variable and a future variable, are used. A past variable represents its most recent firing time, and a future variable represents its next firing time. This paper uses $t$ also for the past variable, and $\hat{t}$ for the future variable. Inequalities in $I$ are over these variables. For a Boolean expression $f$ and an assignment $val$, $\mathrm{eval}(f, val)$ denotes the value of $f$ under $val$. Thus, the set of enabled transitions in a state $s = (\mu, I, val)$ can be expressed as
$\mathrm{enabled}(\mu, val) = \{t \mid {}^\bullet t \subseteq \mu,\ \mathrm{eval}(\mathrm{condition}(t), val) = 1\}$,
where ${}^\bullet t$ denotes the set of source places of $t$. A transition is firable if it is enabled and possible to fire earlier than any other enabled transition. That is,
$\mathrm{firable}(s) = \{t \mid (I \cup \{\hat{t} \le \hat{t}' \mid t' \in \mathrm{enabled}(\mu, val)\})\ \text{is consistent}\}$.
In this work, only 1-safe LTNs are considered, i.e., in any reachable state $s = (\mu, I, val)$, no transition $t$ such that $(\mu - {}^\bullet t) \cap t^\bullet \neq \emptyset$ is firable. Similarly, it is assumed that no transition has a vacuous assignment, i.e., for any variable $v$ and any reachable state $s = (\mu, I, val)$ with $val(v) = b$, no transition $t$ such that "$v = b$" $\in \mathrm{assign}(t)$ is firable. These assumptions are just for simplification of our algorithm, and with an increase in complexity they can be removed.
Figure 2(a) shows a NOR gate model with a hazard detection mechanism represented by a time Petri net. The marking shown in this figure represents the state with input $a = 0$, $b = 0$ and output $c = 1$. If $a$ or $b$ goes high, $c-$ is enabled. However, after $a$ goes high, $a-$ is not enabled until $c$ goes low. Therefore, a hazard caused by $a+$ and $a-$ before $c-$ is detected as a failure (as described in the next section). Figure 2(b) shows the corresponding NOR gate model by an LTN. In this model, the enabling conditions are straightforwardly represented by condition functions. When a hazard occurs, a dummy transition $err+$ is enabled, and it immediately fires resulting in a failure, because the corresponding input transition is always disabled. It can be seen that an LTN represents a model more concisely than a time Petri net.
[Figure 2. NOR gate models expressed by a time Petri net and an LTN; the LTN in (b) uses the conditions $(\bar{a} \wedge \bar{b})$ and $(a \vee b)$.]
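The NOR-gate module above, the module/failure rule of Section 3 and the verify() skeleton of Section 4 can be exercised in a few dozen lines. The following Python program is an added example, not code from the paper or from the authors' implementation: it interprets an LTN (marking, condition and assign, Eft/Lft on output transitions), composes modules by synchronising same-named input transitions with the output transition that fires, reports a failure when an output fires while a receiver's input transition is disabled, and explores every interleaving in total order, i.e. with ready(s) = firable(s). Timing is simplified to integer delay bounds and unit time steps rather than the paper's inequality sets $I$; the NOR gate, the environment that drives it, and all delays are constructed for this example. The gate's input transition $a-$ is accepted only after $c$ has responded, so an environment that may lower $a$ within $[1, 2]$ time units after raising it exhibits the hazard discussed for Figure 2, while one that holds $a$ for 3 units does not.

```python
"""Added example (not code from the paper): an interpreter for the LTN model of Section 2 with the
module/failure rule of Section 3 and the verify() skeleton of Section 4, run on a NOR gate and an
environment constructed here. Timing is simplified to integer delay bounds and unit time steps."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

Val = Dict[str, int]          # assignment of the Boolean variables (val)
Marking = FrozenSet[str]      # marked places (mu); the nets are 1-safe
NO_PLACES: Marking = frozenset()

@dataclass(frozen=True)
class Trans:
    name: str                            # wire event, e.g. "c-" (c falls)
    pre: Marking                         # source places
    post: Marking                        # destination places
    cond: Callable[[Val], bool]          # condition(t); lambda v: True when unconditional
    assign: Tuple[Tuple[str, int], ...]  # assign(t) as (variable, value) pairs
    eft: int = 0                         # earliest firing time (outputs only)
    lft: int = 0                         # latest firing time (outputs only)

# A module is (output transitions by event, input transitions by event, initial marking).
Module = Tuple[Dict[str, Trans], Dict[str, Trans], Marking]

def enabled(t: Trans, mu: Marking, val: Val) -> bool:
    return t.pre <= mu and bool(t.cond(val))      # LTN enabling rule: places and condition(t)

def fire(t: Trans, mu: Marking, val: Val) -> Tuple[Marking, Val]:
    return (mu - t.pre) | t.post, {**val, **dict(t.assign)}   # LTN firing rule: tokens, then assign(t)

def freeze(mus, val, clocks):
    return tuple(mus), tuple(sorted(val.items())), tuple(sorted(clocks.items()))

class Circuit:
    def __init__(self, modules: List[Module], val0: Val):
        self.mods, self.val0 = modules, val0

    def enabled_outputs(self, mus, val):
        return [(i, t) for i, (outs, _, _) in enumerate(self.mods)
                for t in outs.values() if enabled(t, mus[i], val)]

    def successors(self, state):
        """Fire one firable output (None = failure: a receiver's input is disabled) or let a time unit pass."""
        mus, val, clocks = list(state[0]), dict(state[1]), dict(state[2])
        en = self.enabled_outputs(mus, val)
        succ = []
        for i, t in en:
            if clocks[t.name] < t.eft:
                continue                                  # enabled, not yet firable
            new_mus, new_val = list(mus), val
            new_mus[i], new_val = fire(t, mus[i], new_val)
            for j, (_, ins, _) in enumerate(self.mods):   # synchronise same-named inputs
                if j != i and t.name in ins:
                    if not enabled(ins[t.name], mus[j], val):
                        succ.append((t.name, None))       # Section 3 failure
                        break
                    new_mus[j], new_val = fire(ins[t.name], new_mus[j], new_val)
            else:
                # transitions that stay enabled keep their clocks; newly enabled ones start at 0
                new_clocks = {u.name: clocks[u.name] if u.name in clocks and u.name != t.name else 0
                              for _, u in self.enabled_outputs(new_mus, new_val)}
                succ.append((t.name, freeze(new_mus, new_val, new_clocks)))
        if all(clocks[t.name] < t.lft for _, t in en):     # nobody has reached its latest firing time
            succ.append(("tick", freeze(mus, val, {k: v + 1 for k, v in clocks.items()})))
        return succ

    def verify(self) -> Optional[List[str]]:
        """Total-order DFS (Section 4's verify() with ready(s) = firable(s)): a failing trace or None."""
        mus = [mu0 for _, _, mu0 in self.mods]
        start = freeze(mus, self.val0, {t.name: 0 for _, t in self.enabled_outputs(mus, self.val0)})
        visited, stack = {start}, [(start, [])]
        while stack:
            s, trace = stack.pop()
            for label, nxt in self.successors(s):
                if nxt is None:
                    return trace + [label]
                if nxt not in visited:
                    visited.add(nxt)
                    stack.append((nxt, trace + [label]))
        return None

def nor_gate() -> Module:
    """Constructed NOR gate (inputs a, b; output c) after Figure 2(b): output conditions include the
    current c so that no assignment is vacuous, and a- is accepted only once c has responded."""
    return ({"c-": Trans("c-", NO_PLACES, NO_PLACES, lambda v: (v["a"] or v["b"]) and v["c"], (("c", 0),), 1, 2),
             "c+": Trans("c+", NO_PLACES, NO_PLACES, lambda v: not (v["a"] or v["b"] or v["c"]), (("c", 1),), 1, 2)},
            {"a+": Trans("a+", NO_PLACES, NO_PLACES, lambda v: not v["a"], (("a", 1),)),
             "a-": Trans("a-", NO_PLACES, NO_PLACES, lambda v: v["a"] and not v["c"], (("a", 0),))},
            NO_PLACES)

def environment(hold_lo: int, hold_hi: int) -> Module:
    """Constructed environment: raises a once, lowers it hold_lo..hold_hi units later, keeps b at 0."""
    return ({"a+": Trans("a+", frozenset({"p0"}), frozenset({"p1"}), lambda v: True, (("a", 1),), 1, 1),
             "a-": Trans("a-", frozenset({"p1"}), frozenset({"p2"}), lambda v: True, (("a", 0),), hold_lo, hold_hi)},
            {"c-": Trans("c-", NO_PLACES, NO_PLACES, lambda v: v["c"], (("c", 0),)),
             "c+": Trans("c+", NO_PLACES, NO_PLACES, lambda v: not v["c"], (("c", 1),))},
            frozenset({"p0"}))

def check_nor(hold_lo: int, hold_hi: int) -> Optional[List[str]]:
    return Circuit([nor_gate(), environment(hold_lo, hold_hi)], {"a": 0, "b": 0, "c": 1}).verify()
```

check_nor(3, 3) returns None: the gate's $c-$ (bounds $[1, 2]$) always precedes the environment's $a-$, so the gate's input $a-$ is enabled when it is needed. check_nor(1, 2) returns a trace of events and time ticks ending in "a-", the environment output fired while the gate could not accept it, which is exactly the hazard the time Petri net of Figure 2(a) encodes with its extra places. Every interleaving is explored here; the dependent sets of Section 4.1 exist to avoid that.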
3 Verification Method
This paper uses the timed trace theoretic verification method [13]. A module is a tuple $(I, O, N)$, where $I$ and $O$ are sets of input and output wires respectively, and $N$ is an LTN. We use a module as a formal model for a circuit element (e.g., a gate) and a specification. Some transitions in $N$ correspond to wires, and the firing of those transitions changes the values of the wires. A transition related to an input wire of the module is called an input transition. An output transition is defined similarly. Moreover, the Boolean variables of an LTN correspond to input or output wires. A circuit consists of a set of modules. In a set of modules, input transitions fire only in synchronization with the corresponding output transition with the same wire name in some different module. When an output transition fires, if in some module none of the corresponding input transitions is enabled, a failure occurs. This represents that a module tries to send an output but some other module cannot receive it as a corresponding input. Thus, it is the case that some bad output can be produced. In this sense, our verification method checks safety properties. Note that Boolean variables can be changed at any time without failures.
We define the following, where $s = (\mu, I, val)$:
• $\mathrm{out\_trans}(t)$ is the output transition that corresponds to $t$. If $t$ is an output transition, then $\mathrm{out\_trans}(t)$ is $t$ itself.
• $\mathrm{in\_trans}(t)$ is the set of input transitions that correspond to $\mathrm{out\_trans}(t)$.
• $\mathrm{sync\_trans}(s, t) = \{\mathrm{out\_trans}(t)\} \cup (\mathrm{in\_trans}(t) \cap \mathrm{enabled}(\mu, val))$.
4 Verification Algorithm
The following shows a skeleton of the verification algorithm based on the partial order reduction.
verify(s)
begin
  if (s is already visited) then return(true);
  if (s is a failure state) then return(false);
  Mark s as visited;
  forall ($t_f \in \mathrm{ready}(s)$)
    forall ($s' \in \mathrm{successor}(s, t_f)$)
Although this algorithm is quite similar to the usual depth-first search algorithm, there are some major differences that characterize the partial order reduction. One is that $\mathrm{ready}(s)$ is a subset of the firable transitions, and the other is that multiple states are generated at the firing of $t_f$ by $\mathrm{successor}(s, t_f)$. We show how to construct $\mathrm{ready}(s)$ and $\mathrm{successor}(s, t_f)$ for an LTN in the next subsections.
4.1 ready(s)
$\mathrm{ready}(s)$ is the set of output transitions firable and necessary to fire in $s$ in order to determine if a circuit is correct. For a firable output transition $t$ and a state $s$, if $\mathrm{dependent}(s, t)$ denotes the set of output transitions (including $t$) such that the interleaving of the firings of those transitions should be considered, $\mathrm{ready}(s)$ is defined as
$\mathrm{ready}(s) = \mathrm{minset}(\pi_1, \ldots, \pi_m)$ if $m > 0$, and $\mathrm{ready}(s) = \mathrm{firable}(s)$ otherwise,
where
$\{\pi_1, \ldots, \pi_m\} = \{\mathrm{dependent}(s, t) \mid t \in \mathrm{firable}(s),\ \mathrm{dependent}(s, t) \subseteq \mathrm{firable}(s)\}$.
$\mathrm{minset}(\pi_1, \pi_2, \ldots)$ chooses the set with the smallest cardinality from $\pi_1, \pi_2, \ldots$. Since $\mathrm{dependent}(s, t)$ may include transitions which are not firable, those dependent sets are not chosen.
$\mathrm{dependent}(s, t_f)$ is the smallest set which satisfies the following:
1. $t_f \in \mathrm{dependent}(s, t_f)$.
2. If $t \in \mathrm{dependent}(s, t_f)$, then
(a) $\forall t_x \in \bigcup_{t' \in \mathrm{sync\_trans}(s, t)} \mathrm{conflict}(t').\,[\mathrm{active}(s, t, \mathrm{necessary}(s, t_x, \{t\})) \subseteq \mathrm{dependent}(s, t_f)]$.
(b) $\forall t_x \in \bigcup_{t' \in \mathrm{sync\_trans}(s, t)} \mathrm{hide\_fail}(t').\,[\mathrm{active}(s, t, \mathrm{necessary}(s, t_x, \{t\})) \subseteq \mathrm{dependent}(s, t_f)]$.
(c) $\forall t_x \in \bigcup_{t' \in \mathrm{sync\_trans}(s, t)} \mathrm{ac\_conf}(s, t').\,[\mathrm{active}(s, t, \mathrm{necessary}(s, t_x, \{t\})) \subseteq \mathrm{dependent}(s, t_f)]$.
(d) $\forall t_x \in \{t' \mid t' \in \mathrm{sync\_trans}(s, t),\ \mathrm{condition}(t') \neq \emptyset\}.\,[\mathrm{active}(s, t, \mathrm{ac\_necessary}(s, \mathrm{condition}(t_x), 0, \{t\})) \subseteq \mathrm{dependent}(s, t_f)]$.
(e) $\forall t_x \in \bigcup_{t' \in \mathrm{sync\_trans}(s, t)} \mathrm{affected}(t').\,[\mathrm{active}(s, t, \mathrm{ac\_dependent}(s, \mathrm{condition}(t_x), t)) \subseteq \mathrm{dependent}(s, t_f)]$.
As mentioned later, necessary, ac_necessary and ac_dependent contain sets of pairs $(u, \tau)$, where $u$ is a transition and $\tau$ is the minimal time necessary to fire $u$. Thus, if $\tau$ is large enough, the algorithm does not have to consider the firing order of $t_f$ and $u$ because $u$ is enabled too late. Those transitions which fire too late are omitted from the sets by active. In other words, $\mathrm{active}(s, t, TT)$ represents the set of transitions $u$ such that $(u, \tau) \in TT$ and $u$ can fire $\tau$ time units earlier than $t$. Therefore, $\mathrm{dependent}(s, t_f)$ includes only those active transitions.
Now, we explain each of the above conditions using examples. Conditions 2.(a) and 2.(b) are the same as those for the transition-oriented model, so we omit them here. The details can be found in [14]. Condition 2.(c) states that the firing order of $t$ and $t_x$ should be considered if $t$ is in the dependent set and $t$ makes the condition of $t_x$ false. In this condition,
$\mathrm{ac\_conf}(s, t) = \{t_c \mid \mathrm{eval}(\mathrm{condition}(t_c), val) = 1,\ \mathrm{eval}(\mathrm{condition}(t_c), \mathrm{newval}(s, t)) = 0\}$,
where $\mathrm{newval}(s, t)$ represents the assignment of variables after $t$ fires. Consider the case shown in Figure 3(a). If $t$ and $t_1$ are fired only in this order and the initial value of $a$ is 0, the firing of $t_2$ is missed. However, $t_2$ can actually fire if $t_1$ and $t_x$ fire earlier than $t$. If the firing of $t_2$ causes a failure, omitting Condition 2.(c) implies that the algorithm misses a failure that may actually occur. Thus, if $t$ is in the dependent set, the algorithm must obtain $t_1$ by using $\mathrm{necessary}(s, t_x, \{t\})$ so that the chance that $t_x$ fires earlier than $t$ is covered.
$\mathrm{necessary}(s, t, T_D)$ contains the set of pairs $(u, \tau)$, where $u$ is an output transition enabled in $s$ which must fire in order to fire $t$ under the condition that transitions in $T_D$ are not fired, and $\tau$ is the minimal time difference between the firings of $u$ and $t$. $\mathrm{necessary}(s, t, T_D)$ is defined as follows. Note that $t_{out} = \mathrm{out\_trans}(t)$, because if $t$ is an input transition, its corresponding output transition should be considered.
1. If $t_{out} \in T_D$, then $\mathrm{necessary}(s, t, T_D) = \emptyset$.
2. If $t_{out} \in \mathrm{enabled}(\mu, val)$, then $\mathrm{necessary}(s, t, T_D) = \{(t_{out}, 0)\}$.
3. Otherwise,
$\mathrm{necessary}(s, t, T_D) = \{(t_1, \mathrm{Eft}(t_{out}) + \tau_1), \ldots, (t_l, \mathrm{Eft}(t_{out}) + \tau_l)\}$,
where
• $\{(t_1, \tau_1), \ldots, (t_l, \tau_l)\} = \mathrm{minset}(\pi_1, \ldots, \pi_i)$.
• $\{\pi_1, \ldots, \pi_i\} = \{\bigcup_{t' \in {}^\bullet p} \mathrm{necessary}(s, t', T_D \cup \{t_{out}\}) \mid p \in {}^\bullet t_{out} - \mu\} \cup \{\pi' \mid \pi' = \mathrm{ac\_necessary}(s, \mathrm{condition}(t_{out}), 1, T_D \cup \{t_{out}\}),\ \pi' \neq \emptyset\}$.
$\mathrm{ac\_necessary}(s, f, b, T_D)$ also contains a set of pairs $(u, \tau)$. The difference from necessary is that $u$ is a transition enabled in $s = (\mu, I, val)$ whose firing is necessary to let the expression $f$ take the value $b$. $\mathrm{ac\_necessary}(s, f, b, T_D)$ is defined as follows, where $\mathrm{assign\_trans}(v, b) = \{t \mid \text{“}v = b\text{”} \in \mathrm{assign}(t)\}$:
1. If $b = \mathrm{eval}(f, val)$, then $\mathrm{ac\_necessary}(s, f, b, T_D) = \emptyset$.
2. If $f$ is the positive form of variable $v$, then $\mathrm{ac\_necessary}(s, f, b, T_D) = \bigcup_{t' \in \mathrm{assign\_trans}(v, b)} \mathrm{necessary}(s, t', T_D)$.
3. If $f$ is the negative form of variable $v$, then $\mathrm{ac\_necessary}(s, f, b, T_D) = \bigcup_{t' \in \mathrm{assign\_trans}(v, \bar{b})} \mathrm{necessary}(s, t', T_D)$.
4. If $f$ is $f_1 \wedge f_2 \wedge \cdots \wedge f_n$ with $b = 1$, or $f_1 \vee f_2 \vee \cdots \vee f_n$ with $b = 0$, then $\mathrm{ac\_necessary}(s, f, b, T_D) = \mathrm{minset}(\pi_1, \ldots, \pi_m)$, where $\{\pi_1, \ldots, \pi_m\} = \{\pi'_i \mid 1 \le i \le n,\ \pi'_i = \mathrm{ac\_necessary}(s, f_i, b, T_D),\ \pi'_i \neq \emptyset\}$.
5. If $f$ is $f_1 \wedge f_2 \wedge \cdots \wedge f_n$ with $b = 0$, or $f_1 \vee f_2 \vee \cdots \vee f_n$ with $b = 1$, then $\mathrm{ac\_necessary}(s, f, b, T_D) = \bigcup_{i=1..n} \mathrm{ac\_necessary}(s, f_i, b, T_D)$.
On the other hand, for a transition $t$ in the dependent set, Condition 2.(d) of $\mathrm{dependent}(s, t_f)$ checks the fireability of transitions that make the condition of $t$ false. For example, in Figure 3(b), if the output transition $t_{(out)}$ fires, the corresponding input transition $t_{(in)}$ also fires synchronously, and no failure occurs. However, if $t_1$ fires earlier than $t_{(in)}$, then $t_{(in)}$ is disabled, and a failure occurs when $t_{(out)}$ fires. If $t_{(out)}$ is always fired earlier than $t_1$, this failure is missed. Thus, we need Condition 2.(d) in order to fire transitions which make conditions of other transitions false. This is done by $\mathrm{ac\_necessary}$.
[Figure 3. Examples of 2.(c) and (d)]
[Figure 4. Examples for handling true parents: (b) $t\,[0,0]\,(abc)$ with $t_a\,[1,1]\,\{a = 1\}$, $t_b\,[1,1]\,\{b = 1\}$, $t_c\,[1,1]\,\{c = 1\}$; (c) $t_a\,[1,2]\,\{a = 1\}$, $t_b\,[1,2]\,\{b = 1\}$, $t_c\,[0,0]\,(a \vee b)$]
Condition 2.(e) is for making it easier to decide true parents of newly enabled transitions. A true parent of an enabled transition $t$ is a transition that actually makes $t$ enabled and hence decides its firing time. For example, since $t$ has multiple source places in Figure 4(a), the transition that produces the final token to the source places of $t$ can be a true parent. Moreover, if $\mathrm{condition}(t)$ is a simple product as shown in Figure 4(b), the transition that assigned true to a Boolean variable last can be a true parent. Note that even if $t_3$ fires last in a firing sequence that enables $t$ in Figure 4(a), it does not mean that only $t_3$ is a true parent of $t$ in that firing sequence. This is because the partial order reduction algorithm does not usually give the ordering relation among concurrent transitions such as $t_1$, $t_2$, and $t_3$. Thus, when $t$ becomes enabled, the possibility that each of $t_1$, $t_2$ and $t_3$ is a true parent of $t$ is checked, and a new state is generated by giving timing constraints for such a transition to be a true parent. However, if $\mathrm{condition}(t)$ contains logical OR operators, true parents should be decided in a different way. For example, in Figure 4(c), whichever of $t_a$ and $t_b$ fires earlier than the other can be a true parent of $t_c$, and the firing of such a transition immediately makes $t_c$ enabled. Therefore, the decision of true parents cannot be postponed until all candidates of true parents fire. Hence, in the case where $\mathrm{condition}(t_c)$ is a sum of product terms, when one of the product terms becomes true by firing $t$, we check whether other product terms of $\mathrm{condition}(t_c)$ can be true by firing transitions $t'$, and give the ordering relation between $t$ and $t'$. This implies that all of the possible true parent candidates of $t_c$ are explicitly ordered, and it allows us
$\mathrm{affected}(t) = \{t_c \mid \mathrm{var}(\mathrm{assign}(t)) \cap \mathrm{var}(\mathrm{condition}(t_c)) \neq \emptyset\}$
and
$\mathrm{var}(f) = \{v \mid v \text{ is a variable included in } f\}$.
By using $\mathrm{ac\_dependent}(s, f, t)$, which is defined below, Condition 2.(e) checks the fireability of the transitions that make the other products true.
1. If $f = f_1 \vee f_2 \vee \cdots \vee f_n$ and $\mathrm{eval}(f, val) = 0$ and $\mathrm{eval}(f, \mathrm{newval}(s, t)) = 1$, then
$\mathrm{ac\_dependent}(s, f, t) = \bigcup_{i=1..n} \mathrm{ac\_necessary}(s, f_i, 1, \{t\})$.
2. Otherwise, $\mathrm{ac\_dependent}(s, f, t) = \emptyset$.
4.2 successor(s, t_f)
When we fire $t_f$ such that $t_f \in \mathrm{ready}(s)$ in $s = (\mu, I, val)$, the following processes are needed.
• For each $u \in \mathrm{ready}(s)$, the constraint $t_f \le \hat{u}$ is added to $I$, where $\hat{u}$ is the future variable of $u$.
• For a transition $t_n$ newly enabled by the firing of $t_f$, its true parent is decided, and the appropriate constraints for it are added to $I$.
We can consider two types of true parents for $t_n$: the transitions that produce tokens in source places of $t_n$, and the transitions that satisfy $\mathrm{condition}(t_n)$. The former are called place-related true parents, and the latter are called condition-related true parents. In order to decide true parents of $t_n$, $\mathrm{true\_parent}(s, t_n)$, which is actually defined in 4.2.1, denotes a set of pairs $(t_p, I_p)$, where $t_p$ is a true parent of $t_n$, and $I_p$ is a set of inequalities that are necessary for $t_p$ to be a true parent. Note that if adding $I_p$ to $I$ of the current state makes $I$ inconsistent, such $(t_p, I_p)$ is discarded during the state generation process.
When a true parent $t_p$ of a newly enabled transition $t_n$ is decided, the following constraint
$\mathrm{Eft}(t_n) \le \hat{t}_n - t_p \le \mathrm{Lft}(t_n)$
is added to $I$. In this case, if $t_p$ does not become a true parent of any other transition, $t_p$ can be removed from $I$ by $\mathrm{delete}(I, D)$. $\mathrm{delete}(I, D)$ removes from $I$ the inequalities including variables in the set $D$ without affecting the solution set projected to the remaining variables. Since the behavior of the transition $t_n$ can be represented by a future variable $\hat{t}_n$, failures are not missed by removing $t_p$. Furthermore, if $t_p$ is not removed, the state enumeration process may not terminate.
On the other hand, for a transition $t$ which is not enabled in $s$, it is possible that $I$ contains the past variables of transitions that can be true parents of $t$ when it becomes enabled, e.g., the transitions which produce tokens in the source places of $t$. Such past variables must not be removed in general. $\mathrm{need\_to\_keep}(s, t)$, shown in 4.2.3, denotes the set of such transitions. Using this, the set of variables that can be removed is defined as $T - \{t \mid \exists t' \in T - \mathrm{enabled}(\mu, val).\,[t \in \mathrm{need\_to\_keep}(s, t')]\}$, where $T$ is the set of all output transitions.
From these definitions, $\mathrm{successor}(s, t_f)$ consists of states $s' = (\mu', I', val')$ that satisfy the following conditions.
1. $\mu'' = \mu - {}^\bullet t_f$.
2. $\mu' = \mu'' \cup t_f^\bullet$.
3. $val' = \mathrm{newval}(s, t_f)$.
4. Obtain $I_0$ from $I$ by replacing the future variable $\hat{t}_f$ with the past variable $t_f$.
5. $I_1 = I_0 \cup \{t_f \le \hat{u} \mid u \in \mathrm{ready}(s)\}$.
6. $I_2 = \mathrm{delete}(I_1, \{\hat{t} \mid t \in \mathrm{enabled}(\mu, val) - \mathrm{enabled}(\mu'', val')\})$.
7. For the set of transitions newly enabled by firing $t_f$, $E = \mathrm{enabled}(\mu', val') - \mathrm{enabled}(\mu'', val) = \{t_{n_1}, \ldots, t_{n_l}\}$, the true parent assignment $\{t_{p_1}, \ldots, t_{p_l}\}$ such that $(t_{p_k}, I_{p_k}) \in \mathrm{true\_parent}(s, t_{n_k})$ for $1 \le k \le l$ is valid if $I_2 \cup \bigcup_{k=1..l} I_{p_k}$ is consistent, and in this case obtain $I_3$ as follows.
$I_3 = I_2 \cup \bigcup_{k=1..l} [\,I_{p_k} \cup \{\mathrm{Eft}(t_{n_k}) \le \hat{t}_{n_k} - t_{p_k} \le \mathrm{Lft}(t_{n_k})\}\,]$
8. For $s'' = (\mu', I_3, val')$ and $D = T - \{t \mid \exists t' \in T - \mathrm{enabled}(\mu', val').\,[t \in \mathrm{need\_to\_keep}(s'', t')]\}$, let $I' = \mathrm{delete}(I_3, D)$.
In 7., since more than one true parent assignment $\{t_{p_1}, \ldots, t_{p_l}\}$ can exist, $\mathrm{successor}(s, t_f)$ can contain more than one state. We define $\mathrm{true\_parent}(s, t_n)$ and $\mathrm{need\_to\_keep}(s, t)$ in the following subsections.
4.2.1 true_parent(s, t_n)
Let $\mathrm{ruler}(t_n, I) = {}^{\bullet\bullet} t_n \cap \mathrm{var}(I)$ denote the set of candidates of place-related true parents for $t_n$, i.e., the transitions producing tokens into the source places of $t_n$ whose past variables still occur in $I$. The set of pairs of place-related true parents and their necessary constraints is denoted by
$\mathrm{true\_parent\_place}(s, t_n) = \bigcup_{t_p \in \mathrm{ruler}(t_n, I)} \{(t_p, I_p) \mid I_p = \{t' \le t_p \mid t' \in \mathrm{ruler}(t_n, I)\}\}$.
Furthermore, for condition-related true parents, $\mathrm{true\_parent\_cond}(s, f)$ denotes a set of pairs $(t_p, I_p)$ similarly. The definition of $\mathrm{true\_parent\_cond}(s, f)$ is given in the next subsection.
From these, for cases where a place-related true parent becomes the actual true parent, $t'_p \le t_p$ is necessary for each $(t_p, I_p) \in \mathrm{true\_parent\_place}(s, t_n)$ and $(t'_p, I'_p) \in \mathrm{true\_parent\_cond}(s, \mathrm{condition}(t_n))$, and
$TP_1 = \{(t_p, \{t'_p \le t_p\} \cup I_p \cup I'_p) \mid (t_p, I_p) \in \mathrm{true\_parent\_place}(s, t_n),\ (t'_p, I'_p) \in \mathrm{true\_parent\_cond}(s, \mathrm{condition}(t_n))\}$
is obtained. Similarly, for cases where a condition-related true parent becomes the actual true parent, $t_p \le t'_p$ is necessary, and
$TP_2 = \{(t'_p, \{t_p \le t'_p\} \cup I_p \cup I'_p) \mid (t_p, I_p) \in \mathrm{true\_parent\_place}(s, t_n),\ (t'_p, I'_p) \in \mathrm{true\_parent\_cond}(s, \mathrm{condition}(t_n))\}$
is obtained. Therefore, $\mathrm{true\_parent}(s, t_n)$ can be defined as follows:
1. If $\mathrm{condition}(t_n) = \emptyset$, only place-related true parents exist, and hence $\mathrm{true\_parent}(s, t_n) = \mathrm{true\_parent\_place}(s, t_n)$ holds.
2. Otherwise, by considering both cases, $\mathrm{true\_parent}(s, t_n) = TP_1 \cup TP_2$ holds.
[Figure 5. Example of true_parent_cond(s, f): transitions $t_a$ $\{a = 1\}$, $t_b$ $\{b = 1\}$, $t_c$ $\{c = 1\}$ and $t_1$ $[1, 2]$ with condition $a \vee bc$]
4.2.2 true_parent_cond(s, f)
The candidates of true parent for the condition of the form "$v = b$" are denoted by $\mathrm{vruler}(v, b, I) = \mathrm{assign\_trans}(v, b) \cap \mathrm{var}(I)$. A set of pairs of the condition-related true parents for $f$ and their necessary constraints is obtained as follows:
1. If $f$ is the positive form of variable $v$, then $\mathrm{true\_parent\_cond}(s, f) = \{(t_p, \emptyset) \mid t_p \in \mathrm{vruler}(v, 1, I)\}$.
2. If $f$ is the negative form of variable $v$, then $\mathrm{true\_parent\_cond}(s, f) = \{(t_p, \emptyset) \mid t_p \in \mathrm{vruler}(v, 0, I)\}$.
3. If $f$ is $f_1 \wedge f_2$, then
$\mathrm{true\_parent\_cond}(s, f) = \{(t_p, \{t'_p \le t_p\} \cup I_p \cup I'_p) \mid (t_p, I_p) \in TT_1,\ (t'_p, I'_p) \in TT_2\} \cup \{(t'_p, \{t_p \le t'_p\} \cup I_p \cup I'_p) \mid (t_p, I_p) \in TT_1,\ (t'_p, I'_p) \in TT_2\}$,
where $TT_1 = \mathrm{true\_parent\_cond}(s, f_1)$ and $TT_2 = \mathrm{true\_parent\_cond}(s, f_2)$.
4. If $f$ is $f_1 \vee f_2$, then
• if $\mathrm{eval}(f_1, val) = 1$ and $\mathrm{eval}(f_2, val) = 0$, then $\mathrm{true\_parent\_cond}(s, f) = TT_1$;
• if $\mathrm{eval}(f_1, val) = 0$ and $\mathrm{eval}(f_2, val) = 1$, then $\mathrm{true\_parent\_cond}(s, f) = TT_2$;
• if $\mathrm{eval}(f_1, val) = 1$ and $\mathrm{eval}(f_2, val) = 1$, then
$\mathrm{true\_parent\_cond}(s, f) = \{(t_p, I_p \cup \{t_p \le t\}) \mid (t_p, I_p) \in TT_1,\ t \in T_2\} \cup \{(t'_p, I'_p \cup \{t'_p \le t\}) \mid (t'_p, I'_p) \in TT_2,\ t \in T_1\}$,
where $TT_1 = \mathrm{true\_parent\_cond}(s, f_1)$, $TT_2 = \mathrm{true\_parent\_cond}(s, f_2)$, $T_1 = \{t_p \mid (t_p, I_p) \in TT_1\}$, and $T_2 = \{t'_p \mid (t'_p, I'_p) \in TT_2\}$.
Note that if $f$ consists of more than two terms in (3) or (4), $\mathrm{true\_parent\_cond}(s, f)$ is applied recursively.
Consider the example shown in Figure 5. Suppose that the state $s_1$ is obtained by the firing sequence $t_a, t_b, t_c, t_1$. In this case, for $f = a \vee bc$, we have $TT_1 = \{(t_a, \emptyset)\}$ and $TT_2 = \{(t_b, \{t_b \ge t_c\}), (t_c, \{t_c \ge t_b\})\}$. Thus,
$\mathrm{true\_parent\_cond}(s_1, a \vee bc) = \{(t_a, \{t_a \le t_b\}),\ (t_a, \{t_a \le t_c\}),\ (t_b, \{t_b \ge t_c,\ t_b \le t_a\}),\ (t_c, \{t_c \ge t_b,\ t_c \le t_a\})\}$
holds.
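The recursion above can be run mechanically. The following Python function is an added example, not the authors' code: it implements cases 1 to 4 of true_parent_cond(s, f) over a small tuple encoding of formulas and reproduces the Figure 5 result for $f = a \vee bc$ in the state $s_1$. The formula encoding, the representation of $I$ by the set of past variables it still contains ($\mathrm{var}(I)$) together with pairs $(t, t')$ standing for $t \le t'$, and the assign_trans lookup table are assumptions of this example; the consistency check against $I$ that discards candidates happens later, in successor(s, t_f), and is not part of this function.

```python
"""Added example (not code from the paper): true_parent_cond(s, f) of Section 4.2.2 over a small
formula tree, checked against the Figure 5 example. A formula is ("var", v), ("not", v),
("and", f1, f2, ...) or ("or", f1, f2, ...); an inequality t <= t' between past variables is the
pair (t, t'). The encoding, the helper names and the state in figure5_example() are assumptions."""
from functools import reduce
from typing import Dict, FrozenSet, Set, Tuple

Ineq = Tuple[str, str]                          # (t, t') stands for t <= t'
Pair = Tuple[str, FrozenSet[Ineq]]              # (t_p, I_p): a candidate and its constraints
AssignTrans = Dict[Tuple[str, int], Set[str]]   # assign_trans(v, b) as a lookup table

def vruler(assign_trans: AssignTrans, var_I: Set[str], v: str, b: int) -> Set[str]:
    """vruler(v, b, I) = assign_trans(v, b) ∩ var(I): transitions setting v to b that still occur in I."""
    return assign_trans.get((v, b), set()) & var_I

def evaluate(f, val: Dict[str, int]) -> int:
    """eval(f, val) for the tuple-encoded formulas."""
    if f[0] == "var":
        return val[f[1]]
    if f[0] == "not":
        return 1 - val[f[1]]
    if f[0] == "and":
        return int(all(evaluate(g, val) for g in f[1:]))
    return int(any(evaluate(g, val) for g in f[1:]))

def and_case(tt1: Set[Pair], tt2: Set[Pair]) -> Set[Pair]:
    """Case 3: for f1 ∧ f2 the later of the two satisfying transitions is the true parent."""
    return ({(tp, frozenset({(tp2, tp)}) | ip | ip2) for tp, ip in tt1 for tp2, ip2 in tt2} |
            {(tp2, frozenset({(tp, tp2)}) | ip | ip2) for tp, ip in tt1 for tp2, ip2 in tt2})

def or_case(f1, tt1: Set[Pair], f2, tt2: Set[Pair], val) -> Set[Pair]:
    """Case 4: for f1 ∨ f2 only the true term(s) matter; if both are true, a candidate of one
    term must have fired no later than every candidate of the other term."""
    e1, e2 = evaluate(f1, val), evaluate(f2, val)
    if e1 and not e2:
        return tt1
    if e2 and not e1:
        return tt2
    if e1 and e2:
        t1, t2 = {tp for tp, _ in tt1}, {tp for tp, _ in tt2}
        return ({(tp, ip | frozenset({(tp, t)})) for tp, ip in tt1 for t in t2} |
                {(tp, ip | frozenset({(tp, t)})) for tp, ip in tt2 for t in t1})
    return set()   # f is false in s: the paper only applies true_parent_cond to enabled transitions

def true_parent_cond(f, val, assign_trans: AssignTrans, var_I: Set[str]) -> Set[Pair]:
    """Condition-related true parent candidates (t_p, I_p) for a transition whose condition is f."""
    if f[0] == "var":
        return {(tp, frozenset()) for tp in vruler(assign_trans, var_I, f[1], 1)}
    if f[0] == "not":
        return {(tp, frozenset()) for tp in vruler(assign_trans, var_I, f[1], 0)}
    sub = [true_parent_cond(g, val, assign_trans, var_I) for g in f[1:]]
    if f[0] == "and":
        return reduce(and_case, sub)          # n-ary terms are folded two at a time (recursively)
    acc_f, acc_tt = f[1], sub[0]
    for g, tt in zip(f[2:], sub[1:]):
        acc_tt = or_case(acc_f, acc_tt, g, tt, val)
        acc_f = ("or", acc_f, g)
    return acc_tt

def figure5_example() -> Set[Pair]:
    """Constructed state s_1 of Figure 5: t_a, t_b, t_c have fired (a = b = c = 1); condition a ∨ bc."""
    assign_trans = {("a", 1): {"t_a"}, ("b", 1): {"t_b"}, ("c", 1): {"t_c"}}
    var_I = {"t_a", "t_b", "t_c"}             # past variables still present in I
    val = {"a": 1, "b": 1, "c": 1}
    f = ("or", ("var", "a"), ("and", ("var", "b"), ("var", "c")))
    return true_parent_cond(f, val, assign_trans, var_I)
```

figure5_example() returns the four pairs listed for $s_1$ above: $t_a$ with $t_a \le t_b$, $t_a$ with $t_a \le t_c$, $t_b$ with $\{t_c \le t_b, t_b \le t_a\}$ and $t_c$ with $\{t_b \le t_c, t_c \le t_a\}$. The AND case orders the two candidates by "later fires", the OR case by "earlier fires", which is the asymmetry the paper's Condition 2.(e) is built around.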
4.2.3 need_to_keep(s, t)
For a disabled transition $t$, $\mathrm{need\_to\_keep}(s, t)$ is a set of transitions that can be true parents of $t$. First, let
$\mathrm{last}(T_P, I) = \{t \mid t \in T_P,\ (\{t \ge t' \mid t' \in T_P\} \cup I) \text{ is consistent}\}$
denote the set of transitions which can fire later than any other transition in $T_P$.
There are two cases to consider: first, a place-related true parent becomes the actual true parent; and second, a condition-related true parent becomes the actual true parent. The set of place-related true parents is $TP_1 = \mathrm{last}(\mathrm{ruler}(t, I), I)$, and the set of condition-related true parents is $TP_2 = \mathrm{need\_cond}(s, \mathrm{condition}(t))$, where $\mathrm{need\_cond}(s, f)$ is obtained as follows:
1. If $f$ is the positive form of variable $v$, and
• if $\mathrm{eval}(v, val) = 1$, then $\mathrm{need\_cond}(s, f) = \mathrm{vruler}(v, 1, I)$;
• otherwise, $\mathrm{need\_cond}(s, f) = \emptyset$.
2. If $f$ is the negative form of variable $v$, and
• if $\mathrm{eval}(\bar{v}, val) = 1$, then $\mathrm{need\_cond}(s, f) = \mathrm{vruler}(v, 0, I)$;
• otherwise, $\mathrm{need\_cond}(s, f) = \emptyset$.
3. If $f$ is of the form $f_1 \wedge f_2 \wedge \cdots \wedge f_n$, then $\mathrm{need\_cond}(s, f) = \mathrm{last}(\bigcup_{i=1..n} \mathrm{need\_cond}(s, f_i), I)$.
4. If $f$ is of the form $f_1 \vee f_2 \vee \cdots \vee f_n$, then $\mathrm{need\_cond}(s, f) = \bigcup_{i=1..n} \mathrm{need\_cond}(s, f_i)$.
The set of true parents can be obtained by applying last to the union of these two sets, that is, $\mathrm{last}(TP_1 \cup TP_2, I)$. However, in order to make $t$ enabled, the firings of other transitions $t'$ are necessary, and if $t_p \in \mathrm{last}(TP_1 \cup TP_2, I)$ cannot fire later than those transitions, $t_p$ cannot be the actual true parent. $\mathrm{can\_fire\_last}(s, t, t_p, T_D)$ checks this possibility.
Therefore, $\mathrm{need\_to\_keep}(s, t)$ can be defined as follows:
$\mathrm{need\_to\_keep}(s, t) = \{t_p \mid t_p \in \mathrm{last}(TP_1 \cup TP_2, I),\ \mathrm{can\_fire\_last}(s, t, t_p, T_D)\}$.
$\mathrm{can\_fire\_last}(s, t, t_p, T_D)$ checks all enabled transitions $t''$, and returns true if it is possible that $t_p$ can fire later than any other descendant transitions of $t''$ that make $t$ enabled. $\mathrm{can\_fire\_last}(s, t, t_p, T_D)$ is similar to necessary, but $\mathrm{can\_fire\_last}(s, t, t_p, T_D)$ considers all $t''$, while necessary checks some selected paths using minset.
Table 1. Experimental results (1).
                          Total                            Partial
No. of stages           6      7      8      9         6      7      8      9
No. of states        9096  16376  24784  37728       270    324    334    402
CPU times (sec)      13.8   26.7   48.3   84.0      0.05   0.08   0.04   0.09
Memory usage (MB)    17.2   37.4   68.5    116      0.28   0.32   0.33   0.38
Table 2. Experimental results (2).
                         Proposed                          VINAS-P
No. of stages          15     16     17     18        15     16     17     18
No. of states        1205   3598  13765  19861      3348  19146  22382  27742
CPU times (sec)      0.29   0.85   3.71   6.00      1.52   12.8   13.9   19.0
Memory usage (MB)    1.24   3.27   12.0   18.8      1.82   10.9   12.8   16.9
5 Experimental Results
We have naively implemented the proposed method in the C language. Here, we demonstrate the verification of the STARI example [15, 16, 14] by using LTN models. In these experiments, the time Petri net models used in [14] are simply replaced with LTN models, e.g., a NOR gate is modeled as shown in Figure 2(b) instead of Figure 2(a). The remaining verification settings are not changed.
In Table 1, the column labeled "Partial" shows the number of generated states, CPU times (Pentium III, 866MHz, 360MB, on VMware), and memory amount required for the verification of various sizes of STARI circuits. For comparison, the results of the total order algorithm, where the set of all firable transitions is used as the ready set, are also shown in the column labeled "Total". The results show a significant performance improvement of the partial order reduction algorithm over the total order algorithm.
Table 2 shows the performance comparison between the level-oriented method and the transition-oriented method. For this experiment, VINAS-P [17], which works on time Petri net models, is used as the transition-oriented method. Both methods use a partial order reduction algorithm. Since the LTN models are much simpler than the time Petri net models, as shown in Figure 2, our naive implementation outperforms VINAS-P.
6 Conclusion
This paper proposes a level-oriented model, LTN, for formal verification that naturally models the behavior of asynchronous circuits. This new model allows for the specification of causality through both transitions and signal values. This paper also develops a partial order verification algorithm for this new model. In particular, the ready set construction is enhanced to be aware that disablings can now occur not only as a result of conflict in the net but also through the change of signal values in the level. The calculation of true parents in disjunctive conditions must also be considered in the calculation of the ready set. Finally, the necessary set construction used in the ready set calculation must be updated to allow the recursion to proceed from a condition to the transition that assigns to the variables used in the condition. The zone construction used by the timing analysis algorithm must also be enhanced. In particular, true parents may now be found in conditions, and more care must be taken in deciding when transitions can be safely pruned from the zone. This updated algorithm has been implemented and applied to the timed circuit benchmark STARI, and it has been found to outperform a verifier based on the time Petri net model.
References
[1] D. L. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits. MIT Press, 1988.
[2] J. Ebergen and R. Berks. VERDECT: A verifier for Asynchronous Circuits. IEEE TCCA Newsletter, 1995.
[3] Oriol Roig, Jordi Cortadella, and Enric Pastor. Verification of asynchronous circuits by BDD-based model checking of Petri nets. LNCS 935 Application and Theory of Petri Nets 1995, pages 374-391, 1995.
[4] K. L. McMillan. Trace theoretic verification of asynchronous circuits using unfoldings. LNCS 939 Computer Aided Verification, pages 180-195, 1995.
[5] T. Yoneda and T. Yoshikawa. Using partial orders for trace theoretic verification of asynchronous circuits. Proc. of Second International Symposium on Advanced Research in Asynchronous Circuits and Systems, pages 152-163, 1996.
[6] R. Alur and D. Dill. The Theory of Timed Automata. LNCS 443 (17th ICALP), pages 322-335, 1990.
[7] Johan Bengtsson, Bengt Jonsson, Johan Lilius, and Wang Yi. Partial order reductions for timed systems. Proc. of CONCUR98, pages 485-500, 1998.
[8] Marius Minea. Partial order reduction for verification of timed systems. PhD thesis, Carnegie Mellon University, 1999.
[9] W. Belluomini, C. J. Myers, and H. P. Hofstee. Timed Circuit Verification Using TEL Structures. IEEE Transactions on Computer-Aided Design of Integrated Circuits, 20(1):129-146, January 2001.
[10] Eric G. Mercer, Chris J. Myers, Tomohiro Yoneda, and Hao Zheng. Modular Synthesis of Timed Circuits using Partial Orders on LPNs. Proc. of TPTS2002, 2002.
[11] Y. Oguro, O. Okano, and T. Yoneda. Verification of asynchronous circuits including data-paths. IEICE Technical Report (in Japanese) FTS2000(9), pages 65-72, 2000.
[12] Eric G. Mercer. Correctness and Reduction in Timed Circuit Analysis. PhD thesis, University of Utah, 2002.
[13] B. Zhou, T. Yoneda, and C. Myers. Framework of Timed Trace Theoretic Verification Revisited. Proc. of 10th Asian Test Symposium, pages 437-442, 2001.
[14] Tomohiro Yoneda and Hiroshi Ryu. Timed trace theoretic verification using partial order reduction. Proc. of Fifth International Symposium on Advanced Research in Asynchronous Circuits and Systems, pages 108-121, 1999.
[15] S. Tasiran and R. Brayton. STARI: A case study in compositional and hierarchical timing verification. LNCS 1254 Computer Aided Verification, pages 191-201, 1997.
[16] W. Belluomini and C. Myers. Verification of timed systems using POSETs. LNCS 1427 Computer Aided Verification, pages 403-415, 1998.
[17] http://yoneda-www.cs.titech.ac.jp/~yoneda/pub.html.