We present the XDI Model for specifying delayinsensitive circuits, that is, reactive 
Introduction
We assume the reader is familiar with the basic ideas behind delay-insensitive (DI) circuits, a special class of asynchronous circuits (see e.g. [3] ). DI circuits can be viewed as reactive systems that correctly exchange signals with their environment in spite of unknown delays incurred by the wire interface (see Fig. 1 ).
Interface Delaying

Wire
Circuit Environment
Figure 1: Circuit-environment interface
The Extended DI Model-XDI Model for short-was first introduced in [20] . It extends (with progress concerns) the models introduced by Udding [17, 18] , Ebergen [5] , and Dill [4, Ch. 3] for specifying DI circuits. The DI Algebra by Josephs and Udding [10] and its trace-theoretic semantic model [7, 12] allow the expression of progress requirements for the circuit, but the XDI Model also allows the expression of such requirements for the environment. This symmetry makes it possible to definite reflection and factorization for XDI specifications. Dill's model based on complete traces [4, Ch. 7 ] also treats progress symmetrically, but it uses infinite traces, whereas the XDI model uses only finite traces. The XDI Model is applied in [14] and [21] .
We present the XDI Model in Section 2. The basic definitions appear in Section 2.1. In Section 2.2 we define XDI specifications and related concepts. We have chosen to present the XDI Model in some detail, because most technical points are not accessible outside [20] . We give mathematical definitions and mention important properties, but do not give proofs here. The presentation differs from [20] , though the essence is the same. In Section 2.3 we show how XDI specifications can be rendered as labeled state graphs. At the end of that section we explain our drawing conventions for such graphs. In Section 2.4, various examples are given to illustrate the features of the XDI Model. Section 3 deals with the analysis of XDI specifications. Finally, Section 4 concludes the paper with some ideas for further work.
The XDI Model for Specifying DI Circuits
We start off with some basic definitions and then introduce the XDI model by defining the space X D I of XDI specifications. Some useful operators on X D I are introduced as well. Next we explain how an XDI specification can be visualized by a labeled state graph. Finally, we give some examples of XDI specifications, highlighting the strong points of the XDI Model.
The naming and interpretation of the labels is as follows:
Label Name Interpretation top (safety) error due to circuit ∇ transient progress obligation for circuit indifferent no progress obligations demanding progress obligation for environment ⊥ bottom (safety) error due to environment Safety errors are also known as (computation) interference [16] . Operationally speaking, a top state is unreachable. The reflection of state label λ is denoted by vλ, and defined by (1) :
Reflection interchanges the role of circuit and environment. It is its own inverse. The refinement order on , denoted by , is defined by (2) :
which can be read as 'top' refines 'transient', and 'transient' refines 'indifferent', etc. This order is motivated by the testing paradigm for comparing specifications. Under this paradigm, a circuit is executed in a (test) environment with its own specification; λ is considered a refinement of µ when λ passes at least the tests that µ passes (and possibly more). For details, the reader is referred to [20] . Refinement is a total order, reversed by reflection:
Function application will be denoted by a dot and it binds weaker than trace catenation. Thus, f.tu means f.(tu).
XDI Specifications
An XDI specification X is a triple I, O, f , where
• I is a finite set of input terminal identifiers, inputs for short,
• O is a finite set of output terminal identifiers, outputs for short, and
• f is a trace function from (I ∪ O) * to , classifying all traces, satisfying nine conditions, for all symbols a, b ∈ I ∪ O and traces t, u ∈ (I ∪ O) * :
1. I ∩ O = ?: inputs and outputs are disjoint 2. f.t = ⇒ f.tu = : circuit errors are unrecoverable 3. f.t = ⊥ ⇒ f.tu = ⊥: environment errors are unrecoverable
circuit errors are caused only by outputs; this is equivalent to:
environment errors are caused only by inputs; this is equivalent to:
f.ta ∈ safe ): the circuit can make error-free progress when required 7. f.t = ⇒ (∃ a ∈ I : f.ta ∈ safe ): environment can make error-free progress when required 8. f.taa ∈ safe : two successive signals on the same terminal can cause transmission interference [16] 9. a ∈ O ∨ b ∈ I ⇒ f.tabu f.tbau: captures limitations of the wire interface between circuit and environment; the situation where the circuit has done tabu and the environment tbau with a ∈ I ∧ b ∈ O is impossible Conditions 1-5, 8 and 9 cast into the XDI Model the rules characterizing delay-insensitive communication as first introduced by Udding in [17] and later slightly rephrased in [18] . In fact, condition 8 corresponds to R 0 , and 9 generalizes R 1 , R 2 , and R 3 of [18] . Condition 6, concerning progress obligations for the circuit, is implicit in Josephs's model [7] , whereas condition 7, concerning progress obligations for the environment, is new. We come back to the more complicated condition 9, also called the Neighbor-Swap Rule, when discussing state graphs in Section 2.3.
The fundamental property of XDI specifications is that if circuit and environment adhere to their mutual specification X, then no errors and no deadlock will occur, even when they communicate over an interface of wires that incur unknown communication delays. Deadlock can arise when one party is demanding and the other is safe but not transient. The safety part of the fundamental property was proven for specifications without progress concerns (i.e., f.t ∈ { , , ⊥ }) in [17] . The generalization with progress is covered in [20] .
Given specification X = I, O, f we define its alphabet aX and its trace set tX by
The trace set consists of all traces where operation is errorfree. It is prefix-closed (cf. conditions 2, 3). The direction of symbols in I is called input, and of symbols in O output. Input and output are called opposite directions.
The set of all XDI specifications is denoted by X D I . 
and to X D I by
These lifted versions inherit many properties of their original, e.g., the lifted reflections are also their own inverse, and they also reverse the (lifted) refinement order. is the least specification in X D I (I, O) with respect to refinement: it is refined by everything, hence its name (if you ask for chaos, anything will do).
XDI State Graphs
In this subsection, we consider a fixed XDI specification X = I, O, f . Furthermore, let A = aX = I ∪ O. All traces are in A * unless stated otherwise.
In order to define an abstract notion of state for X, we use the 'after' operator on the trace function. For trace t, trace function f /t: A * → , pronounced as ' f after t', is defined by
The 'after' operator generalizes the derivative of a trace set with respect to a trace defined in [2] and the 'after' operator on CSP processes in [6] . Note that f /ε = f and f /t/u = f /tu. Two traces t, u are considered equivalent under X when f /t = f /u, that is, when f.tv = f.uv for all traces v (t, u have exactly the same 'future'). The equivalence class containing trace t is completely characterized by its common trace function f/t. Each trace function, characterizing an equivalence class, is considered an (abstract) state of X. Note that, in general, the number of states need not be finite.
The state graph of X is a directed, rooted graph with -labeled nodes and A-labeled arrows, defined as follows. The nodes (also called states) of the graph are the abstract states of X: { f /t | t ∈ A * }. The label of node f /t is ( f /t).ε = f.t (note that this is independent of the choice of representative t from the equivalence class). The labeled arrows (also called transitions) of the graph are given by { f /t
there is a transition from state f /t to state f /ta with label a. The root (also called initial state) of the graph is state f/ε = f .
Before showing example state graphs, it is good to note some properties (which will simplify the drawing considerably). First, on account of condition 2, there is at most one state labeled (any trace t with f.t = has a future completely consisting of : ( f.t)u = ). Similarly, condition 3 implies that there is at most one state labeled ⊥. Therefore, we may unambiguously speak of the -state and the ⊥-state, meaning the state with that label. Spec- 
Condition 6 for XDI specifications can be rephrased in terms of the reduced state graph as: each ∇-labeled state has an outgoing output transition; and condition 7 as: each -labeled state has an outgoing input transition. The reduced state graph of an XDI specification, other than I,O or ⊥ I,O , has the following seven properties:
1. All node labels are in safe .
2. For each node, the outgoing arrows have distinct labels; hence, given node p, each trace t defines at most one node q in the graph by spelling out the symbols of t as the arrow labels (if that succeeds, we write p t −→ q; note that p ε −→ p holds for all nodes p).
3. Each node is reachable from the root via the arrows.
4. It is minimal, that is, all nodes are distinguishable, in the sense that for each pair of distinct nodes p, p there exists a trace t such that the labels of nodes q, q in the complete graph with p t −→ q and p t −→ q differ.
5. Each ∇-labeled node has at least one outgoing output arrow, and each -labeled node has at least one outgoing input arrow.
6. There are no self-loops and no 'successive' arrows with the same label.
7. It adheres to rules X, Y, and Z defined below; these capture the Neighbor-Swap Rule.
Given a directed, rooted graph with -labeled nodes and A-labeled transitions satisfying the seven properties above, there exists exactly one XDI specification whose reduced state graph it is. The Neighbor-Swap Rule (condition 9 for XDI specifications) can be expressed in terms of the reduced state graph. For symbols a, b having the same direction, it implies f.tabu = f.tbau (apply the rule twice, once with a, b interchanged, and use antisymmetry of ), that is, f /tab = f /tba. Hence, the reduced state graph satisfies We adhere to the following drawing conventions for XDI state graphs. We draw the reduced state graph. The label of the initial state is drawn bold-filled. Input transitions are drawn dashed, and output transitions solid. For ease of reference, all states are numbered with a natural number, 0 for the initial state. We attempt to draw transitions with the same label in parallel. To avoid a cluttered picture, we may draw a transition not to its actual target but only show the identifying number of its target state at the arrow head. Again to avoid clutter, we may leave out some transition labels when they can be inferred from the remainder on account of the XDI conditions, in particular, the Neighbor-Swap Rule.
Examples of XDI Specifications
We consider circuits with inputs I = { b, b0, b1 } and outputs O = { c, c0, c1 } as depicted in Fig. 3 .
Figure 3: Circuit interface diagram
The first XDI specification E is given by the (reduced) state graph at the top in Fig. 4 . It describes a handshake circuit (see [1] ) with one passive handshake port { b, c } and two active handshake ports { c0, b0 } and { c1, b1 }. Specification E can be interpreted as follows. The environment may (but need not, since the initial state is labeled indifferent) initiate a handshake on the passive port via (request) input b. The circuit must then send a request signal on at least one of the active ports via outputs c0 or c1. It must do so because state 1 is labeled ∇. The circuit need not send both request signals, because states 2 and 3 are not labeled ∇. It may, however, send both requests, because state 2 has an outgoing c1-arrow and state 3 an outgoing c0-arrow. Because states 2, 3, 5, 7, and 8 are labeled , the environment has the obligation to complete each requested handshake by acknowledging on b0 and b1 (which it is allowed to do, because of the appropriate outgoing arrows in those states). In fact, the environment may acknowledge each request output any time after its arrival. The circuit must issue the second request after the first was acknowledged, because states 4 and 6 are labeled ∇. The environment must postpone a new request on b until it has received acknowledge signal c from the circuit. The circuit must produce acknowledge c once it has received both acknowledges b0 and b1, because state 9 is labeled ∇. After that the initial state is reached again.
XDI specification E (at the bottom in Fig. 4 ) is obtained from E by making the five demanding states indifferent. This relieves the environment from its obligation to complete the active handshakes, but does not change the circuit's obligations. We have E E , that is, E refines E : every implementation of E also implements E . The reverse does not hold. Demanding states are to some extent irrelevant for circuit design; however, they play a crucial role in [20] relating refinement and parallel composition through reflection. Furthermore, they may help in verifying composite systems containing the circuit, similar to the role of preconditions in programming. Finally, recording that a state is demanding may encourage the designer to investigate the appropriateness of a dynamic rather than a static VLSI implementation.
Next we consider three related XDI specifications P, S 0 , and S 1 with the same inputs and outputs as E and E (see Fig. 3 ). The state graphs are given in Fig. 5 . P differs from E only in states 2 and 3, which are transient in P. After receiving the initial request, P must respond with requests on both active ports. P specifies the handshake PAR-element defined in [1] .
Similarly, specifications S 0 and S 1 describe SEQelements of [1] , which sequence the active handshakes within the passive handshake. The difference between S 0 and S 1 is the order of the passive handshakes. S 0 does { c0, b0 } before { c1, b1 }, whereas S 1 does the reverse order.
We have P E, S 0 E, and S 1 E. Thus, E can be implemented by either of P, S 0 , or S 1 . Note that P, S 0 , and S 1 are mutually incomparable under . Specifications E , E, P, S 0 , and S 1 all satisfy the stronger Rules Y and Z .
Note that E does not suffice to specify a PAR-element, because E may deadlock in an environment that insists on receiving both requests before acknowledging either of them, whereas a PAR-element should not do so. For all one knows, E could have been implemented by an SEQelement. Consider, for instance, an environment with communication between the components attached to the active ports, such as a C-element with inputs { c0, c1 } and forked outputs { b0, b1 }. Specification E is, however, useful to postpone a design decision as illustrated by a decomposition for the Decision-Wait given in [19] . E only specifies that every passive handshake surrounds handshakes on each of the active ports, without imposing any order restrictions.
The following two specifications have yet again the same interface (see Fig. 3 ), but they use it differently. The state graphs of these specifications are given in Fig. 6 . On the left is specification M NR for the Non-Receptive Mixer of [1] , having two passive ports { b0, c0 } and { b1, c1 }, and one active port { c, b }. The environment chooses to request a handshake on one of the passive ports (after a request on either b0 or b1, states 1 and 2 allow no further input). The circuit then must start a handshake on the active port, by outputting on c, and, after receiving acknowledge b, complete the passive handshake (states 1, 2, 7, and 8 are labeled ∇). Specification M NR satisfies the stronger Rule Y but not Z (inputs b0 and b1 disable each other in the initial state).
Specification M (Fig. 6, right) describes the (Receptive) Mixer of [1] , with the same port structure as M NR . In this case, the environment may initiate handshakes on both passive ports (states 1 and 2 now allow further input, leading to the 'new' state 3, where both requests are pending). For each handshake on a passive port, the circuit must initiate a handshake on the active port. In case of contention, the circuit must order (by arbitration) the active handshakes and the completions of the passive handshakes. Specification M satisfies the stronger Rule Y but not Z (outputs c0 and c1 disable each other in states 9 and 10). Note that M refines M NR . The state graph of M is harder to grasp than the others. We will get back to it in Section 3.4.
Our final example illustrates the relevance of Rule Y. 
Analyzing XDI Specifications
Two reasons to analyze specifications are validation and design guidance (see Fig. 8 ). When developing a new circuit, it is good practice to establish its specification first. For complicated circuits, it is not immediately obvious that a tentative specification is indeed as desired. When designing a circuit implementation from a specification, it may again be helpful to know the key properties of the specification, because they may provide guidance in making appropriate design decisions.
As an additional example, we consider the Nacking Arbiter, whose interface is given in Fig. 9 . The idea is that there are two parties, one using { r0, a0, n0 } and the other { r1, a1, n1 }, where each party either cycles through r i , a i , r i , a i (for 'request', 'grant', 'release', 'acknowlr0 r1 a0 n0 a1 n1 Figure 9 : Interface for Nacking Arbiter edge') or r i , n i (for 'request', 'negative ack'), such that the (resource) grants are mutually exclusive. The negative ack should be given to a request when the resource has already been granted. It is surprisingly hard to give an XDI specification Narb that captures all requirements. When drawing a state graph of more than a few states, one already feels the need for some help to make sure that it properly captures all intended restrictions.
In this section, we look at four important classes of properties of XDI specifications that can be used for validation and design guidance. A tool has been built to extract these properties from finite XDI state graphs. It is explained and applied in [19] .
Automorphisms
An automorphism of XDI specification X = I, O, f consists of an alphabet permutation ϕ and a state permutation ψ preserving symbol direction (i.e., ϕ.I = I and ϕ.O = O) and state labeling (i.e., (ψ. p).ε = p.ε; recall that a state is a trace function p and that its label is p.ε). In terms of the (reduced) state graph of X, an automorphism is a graph isomorphism between the state graph and itself, preserving symbol direction and state labeling. Note that an automorphism need not map the initial state to itself.
State permutation ψ is completely determined by ϕ and ψ. f , the image of the initial state, because ψ.( f/t) = (ψ. f )/(ϕ.t), where ϕ.t is obtained from t by applying ϕ to each of the symbols in t.
The set of all automorphisms of X forms a (mathematical) group under permutation composition. It is called the automorphism group, and captures the symmetries in the specification. Example specifications E , E, P, M NR , and M of Section 2.4, all have the same automorphism group consisting of two elements, viz. the identity automorphism (with ϕ.a = a and ψ. p = p) and the automorphism that exchanges the roles of b0, c0 with b1, c1 and leaves the states unchanged. These automorphisms can be tabulated as follows:
Each row lists the image of the initial state and the images of all symbols. The identity automorphism is always present and listed in the first row as reference. Specifications S 0 and S 1 have an automorphism group of three elements. For S 0 it is: 0 b c b0 c0 b1 c1 2 b0 c0 b1 c1 b c 7 b1 c1 b c b0 c0
This reveals a three-fold symmetry that may guide the design process. Specifications Y and Y (Fig. 7) have only one automorphism: the identity. Certain desirable symmetries of a specification are often known beforehand. One way of validating a specification is to corroborate these symmetries. For example, the specification Narb for the Nacking Arbiter is expected to be symmetric in the two parties. It should therefore have two automorphisms: the identity, and the exchange of 0 and 1.
Independent Environment Partitions
Some circuits need to operate in an environment split into independent parts. This is, for instance, the case for handshake circuits, whose handshake ports are connected independently. Each part of the environment communicates with the circuit without directly seeing the communications of the other parts. To guarantee error-free operation, in spite of the more limited information that each part of the split environment has, the specification must be set up properly. Partitions into two independent parts were introduced in [17] .
Given XDI specification X = I, O, f and partition P of aX, the following properties are necessary, though not sufficient, for independence of P: These properties are easy to verify. In fact, a union-find algorithm can construct the finest partition satisfying the two properties above, called the finest semi-independent partition (FSP). XDI specifications E , E, P, S 0 , S 1 , and M of Section 2.4 all have FSP { { b, c }, { b0, c0 }, { b1, c1 } }, as is to be expected for a handshake circuit. Note that specification M NR (Fig. 6 ) has FSP { { b, c }, { b0, c0, b1, c1 } }: since inputs b0 and b1 disable each other initially, the environment cannot operate the two passive handshake ports of M NR completely independently. The two properties above are not sufficient to guarantee complete independence of the parts, as is shown by the following counterexample. XDI specification F (see Fig. 10 ) has FSP { { a0, a1, b }, { c, d0, d1 } }, but in order to send input d0 or d1 without causing interference, the environment must observe output a0 or a1, and output c.
Determining the FSP can provide insight into a specification, as in the case of the Nacking Arbiter. In [9] , a DI Algebra specification is given:
It happens to differ from the XDI specification given in EDIS [19] (also see Fig. 11 ), which has 28 states. The DI Algebra specification NA, when converted into XDI by 'DIGG' [13] , has 30 states. It turns out that NA has FSP { { r0, a0, n0, r1, a1, n1 } } whereas Narb has { { r0, a0, n0 }, { r1, a1, n1 } }. That is, in the DI Algebra version, the handshake ports are not independent. Indeed, Handshake Algebra [11, 8] was developed specifically to avoid these kinds of over-constrained specifications that arise in DI Algebra.
Autocomparison Matrix
It is relatively straightforward to decide the refinement relation between two specifications given by state graphs. For specifications X = I, O, f and X = I, O, f , we are interested in determining X X , that is f f . It is convenient to generalize the comparison problem to determining
for all states f /t and f /t , because of the recurrence relation The answer to the original comparison problem is found by taking t = t = ε in (14) . The result of (14) can be tabulated in a (comparison) matrix, with rows indexed by the states f /t of X and columns indexed by the states f /t of X . When this is done for X = X one obtains, what we call, the autocomparison matrix of X, containing the value of f/t f /t for all state pairs. The diagonal is not interesting as it is always true. The rest, however, is useful to verify minimality: Rule Y is not satisfied. This situation also arises in the Nacking Arbiter, but this is not easy to verify manually.
Choice, Order Dependence, and Nondeterminism
We classify the various kinds of choice, order dependence, and nondeterminism that can be present in XDI specifications and mention some relevant theorems. For XDI specification X = I, O, f , we define several predicates. X is maximally transient ([20] ), if, whenever it may do output, it must do so; that is, when for all traces t and symbols a we have
A specification that is not maximally transient leaves a choice between doing output or waiting (for input). All example specifications-except E , E (Fig. 4, states 2, 3) , and Y (Fig. 7, state 4) -are maximally transient (see Table 1) . X has no disabling ( [17] ) between symbols in A ⊆ aX when for all traces t and distinct symbols a, b ∈ A we have ta ∈ tX ∧ tb ∈ tX ⇒ tab ∈ tX (18) If X has no disabling outputs, we say it satisfies Rule Z out . Dually, Rule Z inp excludes disabling inputs. Disabling inputs require a choice from the environment. A circuit must somehow implement a choice between disabling outputs.
Rule Z inp is violated only by example specification M NR (Fig. 6 , state 0), and Z out only by M (Fig. 6 , states 9, 10), F (Fig. 10 , state 0), and Narb (Fig. 11 , e.g. state 5). We have
X is called (output) deterministic ( [20] ) when it is maximally transient and has no disabling outputs. In that case, the output obligations leave no choice (other than order). Only example specifications P, S 0 , S 1 (Fig. 5) , M NR (Fig. 6 ), and Y (Fig. 7) are output deterministic.
The following rules classify input-output order dependence ( [20] ). X satisfies Rule Y out when for all traces t, u and symbols a ∈ I , b, c ∈ O we have tabuc ∈ tX ∧ tbau ∈ tX ⇒ tbauc ∈ tX (20) (Fig. 7 , output c is enabled in state 4 but not in 5) and Narb (Fig. 11, states 3 and 11 ). Every output deterministic specification satisfies Y out (theorem in [20] ).
In fact, an even stronger statement holds. Define operator on specifications by trace functions by
where
that is, f .t yields ∇ whenever that does not violate condition 6 and otherwise f.t. We have
Example Y (Fig. 7) indeed satisfies the right-hand side of (25). X has static (output) nondeterminism ([20] ). when it is not deterministic but has an output deterministic refinement; the latter means a deterministic specification X exists with X X. X has dynamic (output) nondeterminism ( [20] ), when it has no deterministic refinement. Since refinement is reflexive, this also implies that X is not deterministic. Nondeterministic example specifications E , E, Y , and F have static nondeterminism, since they have deterministic refinements.
In CSP [6] , every specification has at least one deterministic refinement. This is not the case in X D I . Example specification M (Fig. 6 ) has dynamic nondeterminism, which can be verified as follows. A nondeterministic specification can be refined into something more deterministic in only a few ways:
1. In a non-transient state allowing output, one may either (a) omit some outputs, or (b) guarantee output by making the state transient.
2. In a transient state with disabling outputs, one may omit all but one of the mutually exclusive outputs.
When making such changes one must also see to it that the resulting state graph is valid. M fails to be deterministic because of disabling outputs c0 and c1 in states 9 and 10. If we omit output c0 in state 9, then it must also be omitted from state 7 (cf. Rule Z), which then must be relabeled or less (cf. condition 6), which contradicts the original specification. Therefore, M has no deterministic refinement. The same reasoning holds for Narb, which has dynamic nondeterminism as well.
Static output nondeterminism can be eliminated by the designer. The nondeterminism is then resolved at designtime. Dynamic output nondeterminism can only be resolved at run-time. It is intertwined with the behavior of the environment, hence the name. Whether or not such nondeterminism is actually encountered during operation depends on the interaction between the circuit and its environment. For instance, the operation of M is deterministic as long as no more than one request on b0, b1 is made at a time. Nondeterminism only plays a role when two requests are made "simultaneously". It cannot be resolved at design-time precisely because simultaneity is not a welldefinable concept under DI operation. Dynamic nondeterminism in a specification indicates that some form of arbitration plays a role. A relation to 'confusion' in Petri nets [15] is suspected.
Giving a simple efficient algorithm for recognizing dynamic nondeterminism is still an open problem. We do have the following theorem ( [20] ): A specification satisfying Rules Y out and Z out has a deterministic refinement and, consequently, no dynamic nondeterminism.
Concluding Remarks
We have presented the XDI Model for specifying delayinsensitive circuits. The major improvement over Udding's model is that it allows the expression of progress requirements, both for the circuit and for its environment. A set of conditions has been formulated that an XDI specification must satisfy in order to be acceptable. XDI specifications can be visualized as labeled state graphs. The state labels distinguish between: no progress obligation (indifferent: ), a progress obligation for the environment (demanding: ), and a progress obligation for the circuit (transient: ∇). Since the model uses finite traces, it is not suitable for specifying fairness concerns.
Furthermore, we presented several classes of specification properties that can be interesting for the purpose of validation (when inventing a specification) or design (when implementing a specification). These properties can be automatically extracted from finite state graphs.
A tool has been developed to validate, analyze, and compare XDI state graphs expressed in AND/IF (Andover Interchange Format for the description of finite automata; see [19] .) This tool is being applied in the development of the Encyclopedia of Delay-Insensitive Systems [19] . It is available through an e-mail interface described in [19] . All specifications and refinements in this paper have been verified by the tool.
Interesting topics for further work are the partitioning of environments into independent (not just semiindependent) parts and the distinction between static and dynamic nondeterminism. Concerning the latter, it is particularly interesting to study the relations with 'confusion' in Petri nets and to find an efficient algorithm to recognize dynamic nondeterminism in specifications.
