Automatic abstraction for synthesis and verification of deterministic timed systems by Myers, Chris J. & Zheng, Hao
Automatic Abstraction for Synthesis and Verification of Deterministic Timed Systems
Hao Zheng and Chris Myers
Electrical Engineering Dept., University of Utah
hao@vlsigroup.elen.utah.edu, myers@vlsigroup.elen.utah.edu
ABSTRACT
This paper presents a new approach for synthesis and verification of asynchronous circuits by using abstraction. It attacks the state explosion problem by avoiding the generation of a flat state space for the whole design. Instead, it breaks the design into sub-blocks and conducts synthesis and verification on each of them. Using this approach, the speed of synthesis and verification improves dramatically. This paper introduces how abstraction is applied to timed Petri-nets to speed up synthesis and verification.
1. INTRODUCTION
In order to continue to produce circuits of increasing speed, designers are considering aggressive circuit design styles such as self-resetting or delayed-reset domino circuits. These design styles can achieve a significant improvement in circuit speed as demonstrated by their use in a gigahertz research microprocessor (guTS) at IBM [?]. Designers are also considering asynchronous circuits due to their potential for higher performance and lower power as demonstrated by the RAPPID instruction length decoder designed at Intel [22]. This design was 3 times faster while using only half the power of the synchronous design. The correctness of these new timed circuit styles is highly dependent upon their timing. Extensive verification is also necessary during the design process. Unfortunately, these new circuit styles cannot be efficiently and accurately synthesized, analyzed, and verified using traditional static timing analysis methods. This lack of efficient analysis tools is one of the reasons for the lack of mainstream acceptance of these design styles.
The synthesis and verification of timed circuits and especially timed asynchronous circuits often requires state space exploration which can explode even for modest size examples. In [13], a direct synthesis method is proposed which synthesizes timed circuits directly from signal transition graphs without state exploration, but a similar approach cannot easily be applied to verification. To reduce the complexity incurred by state exploration, abstraction is necessary. In [1, 2, 21], safe approximations of internal signal behavior are presented to reduce the state space under consideration, but these methods suffer exponential complexity in the number of memory elements. In VIS [7], non-determinism is used to abstract the behavior of some circuit signals. It is often too conservative, and can introduce unreachable states which may exhibit hazards. In [20], a model checker is proposed based on hierarchical reactive machines. By taking advantage of the hierarchy information, it only tracks active variables so that the state space is reduced and verification time is improved. This approach, however, is best suited for software which has a more sequential nature. In [9], an abstraction technique is proposed for validation coverage analysis and automatic test generation. It removes all datapath elements which do not affect the control flow and groups the equivalent transitions together, thus resulting in a dramatic reduction in the state space. It is difficult, however, to distinguish the control from the datapath without help from the designers. In [14], an abstraction approach for the design of speed-independent asynchronous circuits from change diagrams is described. In this approach, each subcircuit is designed individually, and they are then recombined to produce the final circuit. This approach, however, does not address timing issues. [11] presents a divide-and-conquer method for synthesis of asynchronous circuits. This method breaks the state graph for a given problem into a number of simpler modular subgraphs for each output. Each modular subgraph is solved individually. The results of these small subgraphs are then integrated together, contributing to the solution of the given problem. Although this makes synthesis and verification easier, the quality of the final solution may depend on the order in which the outputs are processed. Also, this method generates a complete state graph before it breaks the state graph, which is highly undesirable for large complex designs. In [5], Belluomini described the verification of domino circuits using ATACS. She found that verifying flat circuits even of a moderate size is too difficult to be done by ATACS, but with some hand abstraction, the verification is completed quickly. Although doing abstraction by hand is possible, it requires an expert user and methods must be developed to check that the abstractions are a reliable model of the underlying behavior. This is the major motivation of this work.

* This research is supported by NSF CAREER award MIP-9625014, SRC contract 99-TJ-694, and a grant from Intel Corporation.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
TAU'00, December 4-5, 2000, Austin, Texas.
Copyright 2000 ACM 1-58113-306-5/00/0012 ..$5.00
Our approach begins with a high-level language, such as VHDL, which models a system hierarchically, and our method utilizes the hierarchy information to compile each individual component into a graphical representation for synthesis and verification. This paper proposes an abstraction technique applied to timed Petri-nets. This approach partitions the design into blocks of manageable size. Then, a block is chosen as a target of synthesis or verification, and the rest of the blocks and the environment are merged for the target. By taking advantage of the hierarchical information, the environment for the block is simplified, and the state space of the target block is reduced, resulting in a substantial savings in synthesis and verification time.
2. TIMED PETRI-NETS
This section briefly introduces timed Petri-nets (TPN), the graphical model to which our high-level specification language is compiled [19]. A one-safe TPN is modeled by the tuple $(P, T, F, M_0, \Delta)$ where $P$ is the set of places, $T$ is the set of transitions, $F \subseteq (P \times T) \cup (T \times P)$ is the flow relation, $M_0 \subseteq P$ is the initial marking, and $\Delta$ is an assignment of timing constraints to places. There are three kinds of transitions: $s+$ changes signal $s$ from 0 to 1, $s-$ changes $s$ from 1 to 0, and $\$$ is a sequencing transition. A marking is a subset of places. For a place $p \in P$, the preset of $p$ (denoted $\bullet p$) is the set of transitions connected to $p$ (i.e., $\bullet p = \{t \in T \mid (t, p) \in F\}$), and the postset of $p$ (denoted $p\bullet$) is the set of transitions to which $p$ is connected (i.e., $p\bullet = \{t \in T \mid (p, t) \in F\}$). Presets and postsets for transitions are similarly defined. A timing constraint consisting of a lower and upper bound is associated with each place in the TPN (i.e., $\Delta(p_i) = (l_i, u_i)$). The lower bound is a nonnegative integer while the upper bound is an integer greater than or equal to the lower bound or $\infty$. A marked graph is a TPN in which every place has at most one transition in its preset and postset. A choice place is one in which there are multiple transitions in its postset (i.e., $|p\bullet| > 1$).
A transition $t$ is enabled in a marking $M$ if all of the places in $t$'s preset are in the marking (i.e., $\bullet t \subseteq M$). A clock $c_i$ is associated with each place $p_i$ in a marking. The clock is initialized to zero when the place is put into the marking. All clocks in a marking increase uniformly. A clock is satisfied when it reaches the lower bound on the corresponding place (i.e., $c_i \geq l_i$). A clock is expired when it reaches the upper bound on the corresponding place (i.e., $c_i \geq u_i$). A transition cannot occur until it is enabled and all clocks on places in its preset are satisfied. A transition must occur when all clocks on places in its preset are expired. The result of a transition firing is that all places in its preset are removed from the marking and the corresponding clocks are discarded. Next, all places in its postset are added to the marking and the corresponding clocks are introduced and initialized to zero (i.e., $M' = (M - \bullet t) \cup t\bullet$).
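As an added illustration of the firing semantics just defined (this code is not from the paper or from the ATACS tool), the following Python class models a one-safe TPN with a clock on every marked place: a transition is firable once it is enabled and all of its preset clocks are satisfied, time may only advance until some enabled transition has all of its preset clocks expired (the "must occur" rule), and firing replaces the preset by the postset with fresh clocks at zero. The two-place ring net and its bounds are constructed for the example.

```python
import math
from dataclasses import dataclass, field

INF = math.inf


@dataclass
class TPN:
    """One-safe timed Petri-net (P, T, F, M0, Delta) with clocks on marked places."""
    places: dict      # Delta: place -> (lower, upper) timing bounds
    pre: dict         # transition -> set of places in its preset
    post: dict        # transition -> set of places in its postset
    marking: set      # current marking M (initially M0)
    clocks: dict = field(default_factory=dict)   # place -> clock c_i

    def __post_init__(self):
        # a place entering the marking gets a clock initialised to zero
        for p in self.marking:
            self.clocks.setdefault(p, 0.0)

    def enabled(self, t):
        return self.pre[t] <= self.marking          # preset(t) subset of M

    def satisfied(self, p):
        return self.clocks[p] >= self.places[p][0]   # c_i >= l_i

    def expired(self, p):
        return self.clocks[p] >= self.places[p][1]   # c_i >= u_i

    def can_fire(self, t):
        return self.enabled(t) and all(self.satisfied(p) for p in self.pre[t])

    def must_fire(self, t):
        return self.enabled(t) and all(self.expired(p) for p in self.pre[t])

    def max_advance(self):
        """Time that may elapse before some enabled transition is forced to fire:
        for each enabled t, its last preset clock expires after max(u_i - c_i)."""
        limits = [max(self.places[p][1] - self.clocks[p] for p in self.pre[t])
                  for t in self.pre if self.enabled(t)]
        return min(limits, default=INF)

    def advance(self, dt):
        if dt < 0 or dt > self.max_advance():
            raise ValueError("a transition must fire before %g time units elapse" % dt)
        for p in self.marking:
            self.clocks[p] += dt

    def fire(self, t):
        if not self.can_fire(t):
            raise ValueError("%s is not firable: not enabled or a clock is unsatisfied" % t)
        for p in self.pre[t]:            # M - preset(t), clocks discarded
            self.marking.discard(p)
            del self.clocks[p]
        for p in self.post[t]:           # ... + postset(t), clocks reset to zero
            self.marking.add(p)
            self.clocks[p] = 0.0


def ring_net():
    # Constructed example: a+ waits [2,5] on p1, a- waits [1,3] on p2, and the
    # single token circulates, so the net alternates a+ and a- forever.
    return TPN(places={"p1": (2, 5), "p2": (1, 3)},
               pre={"a+": {"p1"}, "a-": {"p2"}},
               post={"a+": {"p2"}, "a-": {"p1"}},
               marking={"p1"})


def demo():
    """Walk one a+ firing through its enabled / satisfied / expired phases."""
    net = ring_net()
    steps = [net.can_fire("a+")]          # False: c1 = 0 < l1 = 2
    net.advance(2)
    steps.append(net.can_fire("a+"))      # True: clock satisfied
    steps.append(net.must_fire("a+"))     # False: not yet expired
    net.advance(net.max_advance())        # jump to c1 = u1 = 5
    steps.append(net.must_fire("a+"))     # True: a+ is forced
    net.fire("a+")
    steps.append(net.marking == {"p2"} and net.clocks["p2"] == 0.0)
    return steps


def time_cannot_pass_forced_firing():
    """At c1 = u1 the 'must occur' rule blocks any further advance of time."""
    net = ring_net()
    net.advance(5)
    try:
        net.advance(0.5)
    except ValueError:
        return True
    return False
```

The "must occur" rule is enforced in advance() rather than in fire(): once every preset clock of an enabled transition has expired, max_advance() drops to zero and the only legal move is to fire that transition, which is exactly how a state space explorer for this model has to treat upper bounds.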
3. FUNDAMENTALS OF TRACE THEORY
This section provides a brief overview of trace theory. Trace theory was first applied to the verification of speed-independent circuits by Dill [10]. Later, timing was added so that trace theory can be applied to the verification of timed circuits [8, 26]. We show some useful properties and lemmas which are used in the later proofs in this paper.
A timed trace, $x$, for a circuit is a finite or infinite sequence of events (i.e., $x = e_0 e_1 \ldots$). Each timed event is of the form $e_i = (w_i, t_i)$ where $w_i$ is a wire name in the circuit, which represents a logic value change on that wire, and $t_i$ is a rational number indicating when that change happens. A timed trace must also satisfy the following two properties:
• Monotonicity: $t_i \leq t_{i+1}$ for all $i \geq 0$, and
• Progress: if $x$ is infinite then for any time $t$ there exists an $i$ such that $t_i > t$.
Given a trace $x = e_1 e_2 \ldots$ and a set of signals $D$, the function $\mathrm{del}(D)(x)$ is defined as follows:
$\mathrm{del}(D)(x) = e_1 y$ if $w_1 \notin D$ (1)
$\mathrm{del}(D)(x) = y$ if $w_1 \in D$ (2)
where $y = \mathrm{del}(D)(e_2 e_3 \ldots)$ and $e_1 = (w_1, t_1)$. This function deletes all events of a trace whose wire names are in $D$. It is extended naturally to sets of traces. Given a set of traces $X$, the function inverse delete $\mathrm{del}^{-1}(D)(X)$ is the set $\{x' \mid \mathrm{del}(D)(x') \in X\}$. This function returns the set of traces which would be in $X$ if all events with wire names in $D$ are deleted. Intuitively, if $x$ is a trace not containing symbols from $D$, $\mathrm{del}^{-1}(D)(x)$ is the set of all traces that can be generated by inserting events in $D$ at any time into $x$. Some useful properties of these two functions are below:
$\mathrm{del}(D)(X) = \emptyset \iff X = \emptyset$ (3)
$\mathrm{del}(D)(\mathrm{del}^{-1}(D')(X)) = \mathrm{del}^{-1}(D')(\mathrm{del}(D)(X))$ when $D \cap D' = \emptyset$ (4)
$\mathrm{del}(D)(\mathrm{del}^{-1}(D)(X)) = X$ (5)
$\mathrm{del}(D)(X \cap X') \subseteq \mathrm{del}(D)(X) \cap \mathrm{del}(D)(X')$ (6)
A prefix-closed trace structure $T$ is a four-tuple $(I, O, S, F)$. $I$ is a set of input wires, and $O$ is a set of output wires where $I \cap O = \emptyset$. $A = I \cup O$ is the alphabet of the structure. $S$ is the success set which contains all successful traces of a system. $F$ is the failure set which contains all failure traces of a system. $P = S \cup F$ is the set of all possible traces of a system. A trace structure must be receptive, meaning that $PI \subseteq P$. Intuitively, this means a circuit cannot prevent the environment from sending an input.
Composition ($\|$) combines two circuits into a single circuit. Composition of two trace structures $T = (I, O, S, F)$ and $T' = (I', O', S', F')$ is defined when $O \cap O' = \emptyset$. To compose two trace structures, the alphabets of both trace structures must first be made the same by adding new inputs as necessary to each structure. Inverse delete is extended to structures for this step as follows:
$\mathrm{del}^{-1}(D)(T) = (I \cup D, O, \mathrm{del}^{-1}(D)(S), \mathrm{del}^{-1}(D)(F))$ (7)
This is defined only when $D \cap A = \emptyset$.
After the two alphabets of the two structures are made to match, we need to find the traces that are consistent with the two structures. The intersection of these two trace structures is defined as follows:
$T \cap T' = (I \cap I', O \cup O', S \cap S', (F \cap P') \cup (P \cap F'))$ (8)
This is defined only when $A = A'$ and $O \cap O' = \emptyset$. From this definition, a success trace in the composite must be a success trace in both components. A failure trace in the composite is a possible trace that is a failure trace in either component. The possible traces for the composite is $P \cap P'$. Composition can now be defined as follows:
$T \| T' = \mathrm{del}^{-1}(A' - A)(T) \cap \mathrm{del}^{-1}(A - A')(T')$ (9)
Another useful operation is hide which is used to make some wires internal to the circuit. Given a trace structure $T$, $\mathrm{hide}(D)(T)$ is defined as follows:
$\mathrm{hide}(D)(T) = (I, O - D, \mathrm{del}(D)(S), \mathrm{del}(D)(F))$ (10)
where $D$ is the set of wires to be hidden.
A trace structure is failure-free if its failure set is empty. Given two trace structures, $T$ and $T'$, we say $T$ conforms to $T'$ (denoted $T \preceq T'$) if $I = I'$, $O = O'$, and for all environments $E$, if $E \| T'$ is failure-free, so is $E \| T$. Intuitively, if a system using $T'$ cannot fail, neither can a system using $T$.
The following lemma gives a simple sufficient condition to determine conformance between two trace structures.
LEMMA 1. $T \preceq T'$ if $I = I'$, $O = O'$, $F \subseteq F'$, and $P \subseteq P'$.
The condition $F \subseteq F'$ assures that if the environment does not cause a failure in $T'$, it does not cause a failure in $T$. The condition $P \subseteq P'$ assures that if $T'$ does not cause a failure in the environment, $T$ does not cause one.
The next lemma shows that if $T$ conforms to $T'$, this conformance is maintained in any environment.
LEMMA 2. If $T \preceq T'$ and $T''$ is any trace structure, then $T \| T'' \preceq T' \| T''$.
Proofs of these lemmas can be found in [10].
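To make the operators concrete, here is an added Python sketch (not from the paper or from [10]) of del, membership in del^{-1}, hide, and the Lemma 1 conformance test on finite, explicitly enumerated trace structures. Traces are tuples of (wire, time) events, and the req/ack structures are constructed for the example. Since del^{-1}(D)(X) is an infinite set, it is implemented as a membership test rather than enumerated; the example also shows why property (6) is an inclusion and not an equality.

```python
from collections import namedtuple

# Trace structure (I, O, S, F): input wires, output wires, success set, failure set.
TraceStructure = namedtuple("TraceStructure", "I O S F")


def delete(D, x):
    """del(D)(x): drop every event whose wire name lies in D (equations 1-2)."""
    return tuple(e for e in x if e[0] not in D)


def delete_set(D, X):
    """del extended to a set of traces."""
    return {delete(D, x) for x in X}


def in_inverse_delete(D, X, x):
    """x is in del^-1(D)(X) iff deleting the D events from x yields a member of X."""
    return delete(D, x) in X


def possible(T):
    return T.S | T.F                      # P = S u F


def hide(D, T):
    """hide(D)(T) = (I, O - D, del(D)(S), del(D)(F)), equation (10)."""
    return TraceStructure(T.I, T.O - D, delete_set(D, T.S), delete_set(D, T.F))


def conforms(T, T2):
    """Sufficient condition of Lemma 1 for T conforming to T2."""
    return (T.I == T2.I and T.O == T2.O
            and T.F <= T2.F and possible(T) <= possible(T2))


def property_6_is_strict():
    """Two traces that differ only in events on D have an empty intersection,
    yet their deletions coincide, so (6) can be a proper inclusion."""
    D = {"d"}
    X1 = {(("a", 1), ("d", 2))}
    X2 = {(("a", 1), ("d", 3))}
    lhs = delete_set(D, X1 & X2)                    # del(D)(empty) = empty
    rhs = delete_set(D, X1) & delete_set(D, X2)     # {(("a", 1),)}
    return lhs, rhs, lhs < rhs


def inverse_delete_example():
    D = {"d"}
    X = {(("a", 1), ("b", 4))}
    # inserting d events anywhere keeps membership; moving the b event loses it
    return (in_inverse_delete(D, X, (("a", 1), ("d", 2), ("b", 4), ("d", 9))),
            in_inverse_delete(D, X, (("a", 1), ("b", 5))))


def conformance_example():
    """A specification that accepts an ack at time 3 or 5 versus an implementation
    that only ever answers at 3 (both structures constructed for the example)."""
    spec = TraceStructure(frozenset({"req"}), frozenset({"ack"}),
                          S={(), (("req", 0),), (("req", 0), ("ack", 3)),
                             (("req", 0), ("ack", 5))},
                          F={(("req", 0), ("req", 1))})
    impl = TraceStructure(frozenset({"req"}), frozenset({"ack"}),
                          S={(), (("req", 0),), (("req", 0), ("ack", 3))},
                          F={(("req", 0), ("req", 1))})
    hidden = hide(frozenset({"ack"}), impl)       # ack becomes internal
    return conforms(impl, spec), conforms(spec, impl), sorted(hidden.S)
```

conforms() only checks the sufficient condition of Lemma 1, so a False result does not prove non-conformance; for the constructed pair it is False in the spec-to-impl direction because the specification has a possible trace (the ack at time 5) that the implementation never produces.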
4. AUTOMATIC ABSTRACTION
Synthesis and verification of timed systems are based on complete state space exploration. The state space can be derived by exhaustively firing all possible transition sequences in the system. The number of states grows exponentially as the complexity of the design grows. Therefore, synthesis and verification of large and complex systems is difficult or even impossible because of state explosion. In general, a large and complex design consists of multiple subsystems (blocks) which are connected by signals. To synthesize or verify a timed system, an environment describing the input behavior of the system needs to be provided. This environment is referred to as the system environment. Each block connects to other blocks, the system environment, or both. Since the size and complexity of each block is often much less than that of the whole system, we would like to synthesize or verify each block individually to reduce the total time taken to finish the process for all blocks. After the results for all blocks are available, they are integrated together to form the solution of the whole system. If a block is chosen as the target of synthesis or verification, the rest of the blocks and the system environment together form the environment for the target block, which is referred to as the block environment. Although the state space of the block is reduced, the state space of the block environment is increased, and the total state space remains unchanged. Before synthesis or verification starts, the block environment needs to be simplified. This is where abstraction comes into play.
In general, the block environment for a block contains two groups of signals: interface signals connecting the block environment to the block; and internal signals which may include interface signals or internal signals of the system. To synthesize or verify a block, however, only the behavior of the interface signals is of concern. If the information of the internal signals of the block environment can be canceled while the interface behavior is kept in a conservative way, the block environment can be simplified and the total state space can be reduced. Therefore, the basic idea behind abstraction is to choose a block with manageable size and complexity, group the rest of the blocks and the system environment as the block environment for the target block, identify all internal signals of the block environment by using the specified structural information, and remove all information related to them in such a way that the essential behavior of the interface signals is maintained.
We have incorporated the above idea into the synthesis and verification tool ATACS. This tool reads a high-level specification in a language such as VHDL and translates it to a TEL structure [4, 27]. To simplify the description in this paper, we describe the approach taken on a more common data structure, TPNs. To apply abstraction to TPNs, first all transitions on internal signals of the block environment are abstracted to sequencing transitions; then a safe transformation procedure is called to remove sequencing transitions and the related places from the TPN, when possible.
The following figures show how abstraction works. Figure 1 is the block diagram of a 2-stage FIFO. Figure 2 is the TPN of the 2-stage FIFO before abstraction. In order to simplify the diagram, we have removed the places between the transitions. The bullets on arcs between two transitions indicate that the place between these transitions is initially marked. If we want to consider fifo0 only, the left and right environments and fifo1 form the block environment for fifo0, and signals req(2) and ack(2) are now internal signals of the block environment. Abstraction changes all transitions on those signals into sequencing transitions. Figure 3 shows the TPN for fifo0 after abstraction.
Figure 1: Block Diagram of a 2-stage FIFO.
5. SAFE TRANSFORMATIONS
The last section describes how the internal signals of the environment are identified. This section describes the procedures to remove those internal signals. Some techniques have been presented to simplify untimed Petri nets. Suzuki and Murata [23, 24] present a method of stepwise refinement of transitions and places into subnets. They show a sufficient condition that such subnets must satisfy, which is dependent on the structure and initial marking of the net. The resulting net has the same liveness and safety properties as the original net. However, this refinement process has to be repeated every time the initial marking is changed. This makes automating the refinement difficult. Berthelot [6] presented several transformations that depend only on the structure of the net. In [18, 12, 17], several transformations for marked graphs are presented. These transformations cut places and transitions in the graph while preserving liveness and safety. These transformations, however, are only applied to untimed Petri nets.






Figure 2: TPN of 2-stage FIFO before abstraction.
Figure 3: TPN of 2-stage FIFO after abstraction.
Internal signals of the environment can be removed during synthesis and verification as long as the interface behavior of the environment with the internal signals is preserved. Abstraction converts internal signals of the environment into sequencing transitions. Safe transformations remove sequencing transitions from TPNs under certain conditions. First, removal of a sequencing transition should never change the untimed semantics of the environment. The environment accepts signal transitions from the circuit and responds sometime later with transitions on its signal wires. The environment's signals either depend on the circuit's signals directly, or depend on some internal signals which then depend on circuit signals. After transformations, it is required that the environment still generates the same signal transitions in response to the signal transitions from the circuit. After transformations, all environment signal transitions depend directly on the circuit signals. Second, the timing information of the signal transitions produced by the environment must be preserved in a conservative fashion. When the environment sees transitions on the circuit's signals, it fires transitions on its signals after some delay. The firing sequence depends on the relative timing bounds of the environment and circuit signals. If these relative timing bounds are preserved conservatively after transformations, the environment generates all the same traces as before transformations. It may, however, also produce some new traces since timing is only preserved conservatively. We call the environment after the abstraction and safe transformations the abstracted environment. The circuit synthesized from the block with the abstracted environment accepts a superset of inputs of the unabstracted environment. The synthesized circuit may be redundant compared with the one synthesized with the unabstracted environment, but the circuit behaves in the same way as specified. For verification, the result might be a false negative, but never a false positive.
Figure 4: Safe transformation 1. (a) The original net; (b) the net after the transformation, where the single new place has bounds $[l_1 + l_2, u_1 + u_2]$.
Figure 5: Safe transformation 2. (a) The original net; (b) the net after the transformation, where the new places have bounds $[l_1 + l_2, u_1 + u_2]$ and $[l_1 + l_3, u_1 + u_3]$.
The correctness of safe transformations can also be described by using trace theory. Suppose $N_E$ is the TPN describing the behavior of the environment, and $T_E$ is the corresponding trace structure to $N_E$. The interface behavior of $T_E$ is described by $\mathrm{del}(D)(P_E)$, where $D$ is the set of signals internal to the environment, and $P_E$ is the set of possible traces. Now, if the internal signals in $D$ are removed from $N_E$, we define the trace structure for the abstracted environment as $T_A = \mathrm{abs}(D)(N_E)$. This function first removes signals in $D$ from $N_E$, then it creates the corresponding trace structure. The interface behavior of the abstracted environment is defined as $P_A$. Therefore, a safe transformation must satisfy $\mathrm{del}(D)(P_E) \subseteq P_A$, where $D$ contains the internal signals of the environment to be removed.
Transformation 1 is used when there is a single place in the preset, $p_1$, and postset, $p_2$, of a sequencing transition. This transformation requires the preset and postset of $p_1$ and $p_2$ to contain exactly one transition. This transformation removes the sequencing transition and these two places. We introduce a new place, $p_3$, with $l_3 = l_1 + l_2$ and $u_3 = u_1 + u_2$. We also introduce $(\bullet p_1, p_3)$ and $(p_3, p_2\bullet)$ to the flow relation. This transformation is illustrated in Figure 4.
LEMMA 3. Transformation 1 is a safe transformation.
Proof: Let $N_E$ be the TPN of the environment, $T_E$ be the trace structure of the environment before the transformation, and $T_A = \mathrm{abs}(D)(N_E)$ be the trace structure after the transformation where $D = \{\$\}$. It is obvious that $\mathrm{del}(D)(P_E) = P_A$. Therefore, transformation 1 is safe. □
Transformation 2 is depicted in Figure 5. In this case, the sequencing transition has a single place in its preset, $p_1$, and two places in its postset, $p_2$ and $p_3$. Again, all places must have only a single transition in their preset and postset.
Figure 6: Safe transformation 3. (a) The original net, with a place of bounds $[l_3, u_3]$ after the sequencing transition; (b) the net after the transformation, where the new places have bounds $[l_1 + l_3, u_1 + u_3]$ and $[l_2 + l_3, u_2 + u_3]$.
LEMMA 4. Transformation 2 is a safe transformation.
Proof: There are two possible untimed traces in the original net: $a\$bc$ and $a\$cb$. These map to the traces $abc$ and $acb$ in the abstracted net, so the first condition is satisfied. Next, we must show that the timed traces produced by the abstracted net contain all the timed traces produced by the original net with the sequencing transition deleted. Consider a timed trace $x = e_1 e_2 \ldots$ in which $e_i = (a, t_a)$, $e_j = (\$, t_\$)$, $e_k = (b, t_b)$, and $e_l = (c, t_c)$ with $i < j$, $j < k$, and $j < l$. The value of $t_b$ falls in the following range:
$t_a + l_1 + l_2 \leq t_b \leq t_a + u_1 + u_2$. (11)
The value of $t_c$ comes from the range:
$t_b + l_3 - u_2 \leq t_c \leq t_b + u_3 - l_2$. (12)
After abstraction, the value of $t_b$ can still be drawn from Equation 11, but the value of $t_c$ comes from the range:
$t_b + (l_1 + l_3) - (u_1 + u_2) \leq t_c \leq t_b + (u_1 + u_3) - (l_1 + l_2)$.
This can be rewritten as follows:
$t_b + (l_3 - u_2) + (l_1 - u_1) \leq t_c \leq t_b + (u_3 - l_2) + (u_1 - l_1)$.
Since $l_1 - u_1 \leq 0$ and $u_1 - l_1 \geq 0$, the range of values after abstraction is a superset of those before abstraction. This means that the abstracted net produces a superset of traces of the unabstracted net, so it is a safe transformation. □
It needs to be pointed out that this transformation creates extra interleavings between $b$ and $c$ not seen before the transformation. For example, after the transformation, the system could generate a trace $(a, t_a)(b, t_a + l_1 + l_2)(c, t_a + u_1 + u_3)$, where $t_a$ is when $a$ fires. This trace is impossible in the system before the transformation.
Figure 6 shows transformation 3 which removes a sequencing transition with two places in the preset and a single place in the postset.
LEMMA 5. Transformation 3 is a safe transformation.
Proof: There are two possible untimed traces in the original net: $ab\$c$ and $ba\$c$. These map to the traces $abc$ and $bac$ in the abstracted net, so the first condition is satisfied. Next, we must show that the set of timed traces produced by the abstracted net contains all the timed traces produced by the original net with the sequencing transition deleted. Consider a timed trace $x = e_1 e_2 \ldots$ in which $e_i = (a, t_a)$, $e_j = (b, t_b)$, $e_k = (\$, t_\$)$, and $e_l = (c, t_c)$ with $i < k$, $j < k$, and $k < l$. The value of $t_\$$ falls in the following range:
$\max\{t_a + l_1, t_b + l_2\} \leq t_\$ \leq \max\{t_a + u_1, t_b + u_2\}$ (13)
The value of $t_c$ comes from the range:
$t_\$ + l_3 \leq t_c \leq t_\$ + u_3$. (14)
Substituting Equation 13 into Equation 14 yields:
$\max\{t_a + l_1, t_b + l_2\} + l_3 \leq t_c \leq \max\{t_a + u_1, t_b + u_2\} + u_3$. (15)
After abstraction, the value of $t_c$ comes from the range:
$\max\{t_a + l_1 + l_3, t_b + l_2 + l_3\} \leq t_c \leq \max\{t_a + u_1 + u_3, t_b + u_2 + u_3\}$. (16)
This is equivalent to Equation 15, so the ranges of values for $t_c$ before and after abstraction are equal. This means that the abstracted net produces the same timed traces as the unabstracted net, so it is a safe transformation. □
Figure 7: Safe transformation 4. (a) The original net; (b) the net after the transformation, where each preset place $i$ and postset place $j$ yield a new place with bounds $[l_i + l_j, u_i + u_j]$.
Figure 8: Safe transformation 5. (a) A sequencing transition with a self loop; (b) the net after the self loop is removed; (c) the result of applying transformation 1.
Transformations 2 and 3 can be naturally extended to more than two places in the postset and preset of the sequencing transition. Transformation 4 shown in Figure 7 is the combination of transformations 2 and 3. It removes a sequencing transition with two places in both its preset and postset. From the above conclusions, we can prove the following lemma easily.
LEMMA 6. Transformation 4 is a safe transformation.
A more complicated case is when a self loop appears on a sequencing transition, as shown in Figure 8(a). Self loops must be removed before the other safe transformations can be used. This transformation changes the upper bound of the delay on each of the places in the preset of the sequencing transition to the maximum of the original upper bound and the upper bound of the place in the self loop. The lower bounds remain the same. This ensures that no matter when the last instance of the sequencing transition occurred, the self loop token would be expired when the other places in the preset become expired. This makes the self loop redundant. The new TPN is shown in Figure 8(b). After removal of the self loop, the new TPN can be transformed as described above, and the result is shown in Figure 8(c). This is transformation 5.
LEMMA 7. Transformation 5 is a safe transformation.
Figure 9: Unroll the self loop rule. (a) The net of Figure 8(a) redrawn with the previous sequencing transition $\$'$ shown explicitly; the places leading into $\$$ have bounds $[l_1, u_1]$ (from $a$) and $[l_2, u_2]$ (from $\$'$).
Proof: These nets clearly have the same untimed traces. Next, we must show that the timed traces produced by the abstracted net contain all the timed traces produced by the original net with the self loop deleted. Consider a timed trace $x = e_1 e_2 \ldots$ in which $e_i = (\$, t_{\$'})$, $e_j = (a, t_a)$, $e_k = (\$, t_\$)$, and $e_l = (b, t_b)$, with $i < j < k < l$. The value of $t_\$$ falls in the following range:
$\max\{t_a + l_1, t_{\$'} + l_2\} \leq t_\$ \leq \max\{t_a + u_1, t_{\$'} + u_2\}$ (17)
where $t_{\$'}$ represents the time of the previous $\$$ transition. Figure 8(a) is redrawn in Figure 9 to show this relationship where $\$'$ is the last $\$$ transition. After abstraction, the value of $t_\$$ falls in the following range:
$t_a + l_1 \leq t_\$ \leq t_a + \max\{u_1, u_2\}$ (18)
Since $x \leq \max\{x, y\}$ for any values of $x$ and $y$, this means that $t_a + l_1 \leq \max\{t_a + l_1, t_{\$'} + l_2\}$. Since $t_a \geq t_{\$'}$, this means that $t_a + \max\{u_1, u_2\} \geq \max\{t_a + u_1, t_{\$'} + u_2\}$. Therefore, the range of values for $t_\$$ after abstraction is a superset of those before abstraction. This means that the abstracted net produces a superset of traces of the unabstracted net, so removing the self loop in this way is a safe transformation. After removing the self loop, the TPN in Figure 8(b) can be processed using transformation 1, which is safe. Therefore, transformation 5 is safe. □
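The abstraction step of Section 4 and transformations 1 to 5 can be carried out mechanically on a marked-graph TPN. The following Python code is an added example (not the ATACS implementation); it represents the net as a dictionary of places, each with its source transition, sink transition and timing bounds, a representation constructed for this example. Transformations 1 to 4 are generalized into one pairwise rule (every preset place combined with every postset place yields a new place with bounds $[l_{in} + l_{out}, u_{in} + u_{out}]$), the self-loop rule of transformation 5 is applied first, and the last function evaluates the two ranges from the proof of Lemma 4 so that the superset relation can be checked on concrete numbers.

```python
import math
from copy import deepcopy

INF = math.inf

# Constructed representation: a TPN in marked-graph form,
# {place: (source transition, sink transition, lower bound, upper bound)}.
# Signal transitions are "s+" / "s-"; sequencing transitions are "$1", "$2", ...


def signal_of(t):
    return t[:-1] if t[-1] in "+-" else None


def abstract_internal_signals(net, internal):
    """Section 4: every transition on an internal signal of the block environment
    becomes a sequencing transition.  Returns the new net and the renaming map."""
    rename = {}
    for src, dst, _, _ in net.values():
        for t in (src, dst):
            if signal_of(t) in internal and t not in rename:
                rename[t] = "$%d" % (len(rename) + 1)
    abstracted = {p: (rename.get(src, src), rename.get(dst, dst), l, u)
                  for p, (src, dst, l, u) in net.items()}
    return abstracted, rename


def remove_sequencing_transition(net, seq):
    """Remove one sequencing transition.  Self loops go first (transformation 5:
    raise the upper bound of every other preset place to max(u, u_loop), keep the
    lower bounds); then each (preset, postset) place pair becomes a new place with
    bounds [l_in + l_out, u_in + u_out], which is transformation 1 for a 1x1 pair,
    2 for 1xN, 3 for Nx1 and 4 for NxM."""
    net = deepcopy(net)
    loops = [p for p, (src, dst, _, _) in net.items() if src == dst == seq]
    for p in loops:
        _, _, _, u_loop = net.pop(p)
        for q, (src, dst, l, u) in list(net.items()):
            if dst == seq:
                net[q] = (src, dst, l, max(u, u_loop))
    preset = {p: v for p, v in net.items() if v[1] == seq}
    postset = {p: v for p, v in net.items() if v[0] == seq}
    for p in list(preset) + list(postset):
        del net[p]
    for p_in, (src, _, l_in, u_in) in preset.items():
        for p_out, (_, dst, l_out, u_out) in postset.items():
            net[p_in + "+" + p_out] = (src, dst, l_in + l_out, u_in + u_out)
    return net


def remove_all_sequencing(net):
    """Apply the safe transformations until no sequencing transition remains."""
    while True:
        seqs = {t for src, dst, _, _ in net.values()
                for t in (src, dst) if t.startswith("$")}
        if not seqs:
            return net
        net = remove_sequencing_transition(net, min(seqs))


def tc_ranges_transformation_2(t_b, l1, u1, l2, u2, l3, u3):
    """Range of t_c relative to t_b in the proof of Lemma 4: equation (12) before
    the transformation and the widened range after it."""
    before = (t_b + l3 - u2, t_b + u3 - l2)
    after = (t_b + (l1 + l3) - (u1 + u2), t_b + (u1 + u3) - (l1 + l2))
    return before, after


def is_superset(outer, inner):
    return outer[0] <= inner[0] and inner[1] <= outer[1]


# Constructed block environment: a+ -> x+ -> {b+, c+}, with x an internal signal.
ENV = {"p1": ("a+", "x+", 1, 2),
       "p2": ("x+", "b+", 3, 5),
       "p3": ("x+", "c+", 2, 4)}

# Constructed net in the shape of Figure 8(a): a sequencing transition with a self loop.
LOOP_NET = {"p1": ("a+", "$1", 1, 4),
            "ps": ("$1", "$1", 2, 6),
            "p2": ("$1", "b+", 1, 3)}


def demo():
    abstracted, rename = abstract_internal_signals(ENV, {"x"})
    fork = remove_all_sequencing(abstracted)          # transformation 2
    loop = remove_all_sequencing(LOOP_NET)            # transformation 5
    before, after = tc_ranges_transformation_2(10, 1, 2, 3, 5, 2, 4)
    return rename, fork, loop, before, after, is_superset(after, before)
```

On ENV the fork case yields places a+ to b+ with bounds [4, 7] and a+ to c+ with [3, 6], which is Figure 5(b) with the example's numbers; on LOOP_NET the preset upper bound is first raised from 4 to 6 and the remaining chain collapses to a single place with bounds [2, 9]. The Lemma 4 check with the same numbers gives $t_c - t_b \in [-3, 1]$ before and $[-4, 2]$ after, so the abstracted range strictly contains the original one, which is the conservative widening the proof describes.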
Our verification procedure uses the function $\mathrm{fail}(\mathcal{P})(P)$ to check correctness of a circuit. $\mathcal{P}$ is a predicate which takes a trace and returns whether or not the trace results in a failure. This predicate can be defined to check for properties such as hazard-freedom, minimum or maximum time separations between transitions, deadlock freedom, etc. $P$ is a set of traces. The function $\mathrm{fail}(\mathcal{P})(P)$ checks each property using $\mathcal{P}$ for each trace in $P$, and returns a set including all traces in $P$ that fail to satisfy $\mathcal{P}$. For hierarchical verification to succeed, the definition of $\mathcal{P}$ must preserve the following property:
$\mathrm{fail}(\mathcal{P})(X) \subseteq \mathrm{fail}(\mathcal{P})(X')$ if $X \subseteq X'$ (19)
This property states that for two sets of traces, correctness checking using the same predicate does not affect the relation of the two sets.
After safe transformations, $\mathrm{del}(D)(P_E) \subseteq P_A$ where $T_A = \mathrm{abs}(D)(N_E)$ and $D$ contains the internal signals to be removed. This indicates that the interface behavior of the environment after transformations is a superset of that before transformations. From Equation 19, we get the following:
$\mathrm{fail}(\mathcal{P})(\mathrm{del}(D)(P_E)) \subseteq \mathrm{fail}(\mathcal{P})(P_A)$ (20)
This means that the failure set of the abstracted environment is a superset of the failure set of the unabstracted environment with internal signals hidden. Now we show an important lemma.
LEMMA 8. A system is described by a TPN, $N_E$, its corresponding trace structure is $T_E$, and $D$ contains internal signals of the system. If the function $\mathrm{abs}(D)(N_E)$ uses only safe transformations, then $\mathrm{hide}(D)(T_E) \preceq \mathrm{abs}(D)(N_E)$.
Proof: Lemma 1. □
6. HIERARCHICAL VERIFICATION
As mentioned above, hierarchical verification picks a block in a system as the target for verification and treats the rest of the blocks as the environment of the target block. Next, the abstraction technique is used to reduce the complexity of the environment. If each block is verified individually to be failure-free with its abstracted environment, then we can prove that the entire system is failure-free. This idea is formalized in the following theorems.
Given two modules Mi — (I i ,O i,P i)  and M 2 =  { I 2, O2, 
P2 ), we would like to verify their composition, Mi || M 2, 
is failure-free. In the following theorem, X i  and X 2 are the 
internal signal sets of Mi and M 2 , respectively (i.e., Xi = 
Oi -  h ,  x 2 = C h -  h ,  and Xi n X2 =  0).
T h e o r e m  1. Let Xi and X 2 be the internal signal sets 
of M i and M 2 , respectively. I f  M i || hide(X 2)(M2) is 
failure-free, and h i d e ( X i ) ( M i )  || M 2 is failure-free, then 
M  =  M i || M 2 is failure-free.
Proof: First, the failure set of $M_1 \,\|\, M_2$ is

$(\mathrm{del}^{-1}(X_2)(\mathrm{fail}(F)(P_1)) \cap \mathrm{del}^{-1}(X_1)(P_2)) \cup (\mathrm{del}^{-1}(X_1)(\mathrm{fail}(F)(P_2)) \cap \mathrm{del}^{-1}(X_2)(P_1))$ (21)

Suppose $M_1 \,\|\, \mathrm{hide}(X_2)(M_2)$ is failure-free. This means its failure set is empty:

$(\mathrm{fail}(F)(P_1) \cap \mathrm{del}^{-1}(X_1)(\mathrm{del}(X_2)(P_2))) \cup (P_1 \cap \mathrm{del}^{-1}(X_1)(\mathrm{fail}(F)(\mathrm{del}(X_2)(P_2)))) = \emptyset$ (22)

Therefore,

$\mathrm{fail}(F)(P_1) \cap \mathrm{del}^{-1}(X_1)(\mathrm{del}(X_2)(P_2)) = \emptyset$ (23)

$P_1 \cap \mathrm{del}^{-1}(X_1)(\mathrm{fail}(F)(\mathrm{del}(X_2)(P_2))) = \emptyset$ (24)

Using Equation 5, Equation 23 can be transformed to:

$\mathrm{del}(X_2)(\mathrm{del}^{-1}(X_2)(\mathrm{fail}(F)(P_1))) \cap \mathrm{del}^{-1}(X_1)(\mathrm{del}(X_2)(P_2)) = \emptyset$ (25)

Using Equation 4, Equation 25 becomes:

$\mathrm{del}(X_2)(\mathrm{del}^{-1}(X_2)(\mathrm{fail}(F)(P_1))) \cap \mathrm{del}(X_2)(\mathrm{del}^{-1}(X_1)(P_2)) = \emptyset$ (26)

From Equation 6, Equation 26 can be transformed to:

$\mathrm{del}(X_2)(\mathrm{del}^{-1}(X_2)(\mathrm{fail}(F)(P_1)) \cap \mathrm{del}^{-1}(X_1)(P_2)) = \emptyset$ (27)

Finally, from Equation 3, we get the following result:

$\mathrm{del}^{-1}(X_2)(\mathrm{fail}(F)(P_1)) \cap \mathrm{del}^{-1}(X_1)(P_2) = \emptyset$ (28)

Similarly, suppose $M_2 \,\|\, \mathrm{hide}(X_1)(M_1)$ is failure-free. Thus, its failure set is also empty:

$(\mathrm{fail}(F)(P_2) \cap \mathrm{del}^{-1}(X_2)(\mathrm{del}(X_1)(P_1))) \cup (P_2 \cap \mathrm{del}^{-1}(X_2)(\mathrm{fail}(F)(\mathrm{del}(X_1)(P_1)))) = \emptyset$ (29)

$\mathrm{fail}(F)(P_2) \cap \mathrm{del}^{-1}(X_2)(\mathrm{del}(X_1)(P_1)) = \emptyset$ (30)

$P_2 \cap \mathrm{del}^{-1}(X_2)(\mathrm{fail}(F)(\mathrm{del}(X_1)(P_1))) = \emptyset$ (31)

By applying the same steps to Equation 30, we derive:

$\mathrm{del}^{-1}(X_1)(\mathrm{fail}(F)(P_2)) \cap \mathrm{del}^{-1}(X_2)(P_1) = \emptyset$ (32)

The union of Equations 28 and 32 is the failure set of $M_1 \,\|\, M_2$. Since both Equations 28 and 32 are empty, the failure set of $M_1 \,\|\, M_2$ is empty. □
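As an added worked example (not code from the paper or from the ATACS tool), the failure-set calculation of Equation 21 and the two hypothesis checks of Theorem 1 can be run on finite, length-bounded trace sets. The block assumes a simplified, untimed trace model: a module is $(I, O, P, F)$ with $F$ an explicit failure-trace set (so $\mathrm{fail}(F)(P)$ is just $F$), modules are written as small deterministic automata in which an input arriving when it is not enabled is a failure, and $\mathrm{del}^{-1}$ is enumerated only up to a trace-length bound. The two-module handshake, its signal names, and the faulty variant are all constructed for the example; the comparison is the hide-based check of Theorem 1, not the TPN-level abs of Theorem 2.

```python
from collections import namedtuple
from itertools import product

# Constructed trace model for the example: a module is (I, O, P, F) where P is the
# set of possible traces and F the set of failure traces (so fail(F)(P) is just F).
Module = namedtuple("Module", "inputs outputs possible failures")


def words(alphabet, max_len):
    """All strings over `alphabet` with length <= max_len (the enumeration bound)."""
    out = {""}
    for n in range(1, max_len + 1):
        out.update("".join(p) for p in product(sorted(alphabet), repeat=n))
    return out


def project(X, trace):
    """del(X) on a single trace: drop every occurrence of a signal in X."""
    return "".join(s for s in trace if s not in X)


def delete(X, traces):
    """del(X)(T): hide the signals in X from every trace of T."""
    return {project(X, t) for t in traces}


def delete_inv(X, traces, alphabet, max_len):
    """del^{-1}(X)(T): every (length-bounded) trace over `alphabet` whose
    projection with X removed lies in T."""
    return {w for w in words(alphabet, max_len) if project(X, w) in traces}


def from_automaton(inputs, outputs, delta, init, max_len):
    """Unroll a deterministic automaton (delta: state -> {signal: next_state})
    into trace sets of length <= max_len.  Outputs occur only when enabled; an
    input that arrives in a state where it is not enabled is a failure, and every
    extension of a failure trace is again a failure (trace-theory convention)."""
    alphabet = set(inputs) | set(outputs)
    success, failures = {""}, set()
    stack = [(init, "")]
    while stack:
        state, t = stack.pop()
        if len(t) == max_len:
            continue
        enabled = delta.get(state, {})
        for sig in sorted(alphabet):
            if sig in enabled:
                success.add(t + sig)
                stack.append((enabled[sig], t + sig))
            elif sig in inputs:
                failures.update(t + sig + w for w in words(alphabet, max_len - len(t) - 1))
    return Module(frozenset(inputs), frozenset(outputs), success | failures, failures)


def hide(X, m):
    """hide(X)(M): remove the internal signals X from the interface and the traces."""
    return Module(m.inputs, m.outputs - X, delete(X, m.possible), delete(X, m.failures))


def compose_failures(m1, m2, max_len):
    """Failure set of M1 || M2 following Equation 21, with X1 = O1 - I2, X2 = O2 - I1."""
    X1, X2 = m1.outputs - m2.inputs, m2.outputs - m1.inputs
    alphabet = m1.inputs | m1.outputs | m2.inputs | m2.outputs

    def inv(X, traces):
        return delete_inv(X, traces, alphabet, max_len)

    return ((inv(X2, m1.failures) & inv(X1, m2.possible))
            | (inv(X1, m2.failures) & inv(X2, m1.possible)))


def hierarchical_check(m1, m2, max_len):
    """The two hypotheses of Theorem 1: failure sets of M1 || hide(X2)(M2) and of
    hide(X1)(M1) || M2.  Both empty implies M1 || M2 is failure-free."""
    X1, X2 = m1.outputs - m2.inputs, m2.outputs - m1.inputs
    return (compose_failures(m1, hide(X2, m2), max_len),
            compose_failures(hide(X1, m1), m2, max_len))


# Constructed handshake: M1 fires internal x then b; M2 answers b with internal y
# then c; M1 accepts c only after it has sent b.  Signal names are hypothetical.
L = 5  # trace-length bound for the enumeration
M1 = from_automaton({"c"}, {"x", "b"}, {0: {"x": 1}, 1: {"b": 2}, 2: {"c": 0}}, 0, L)
M2_ok = from_automaton({"b"}, {"y", "c"}, {0: {"b": 1}, 1: {"y": 2}, 2: {"c": 0}}, 0, L)
# Faulty variant: M2 produces c twice per handshake, so M1 receives an unexpected c.
M2_bad = from_automaton({"b"}, {"y", "c"},
                        {0: {"b": 1}, 1: {"y": 2}, 2: {"c": 3}, 3: {"c": 0}}, 0, L)

if __name__ == "__main__":
    for name, m2 in (("ok", M2_ok), ("bad", M2_bad)):
        flat = compose_failures(M1, m2, L)
        f1, f2 = hierarchical_check(M1, m2, L)
        print(name, "flat:", sorted(flat)[:3], "| M1||hide(X2)(M2):", sorted(f1)[:3],
              "| hide(X1)(M1)||M2:", sorted(f2)[:3])
```

For the correct handshake both hypothesis checks come back empty, and so does the flat failure set of Equation 21; for the faulty variant the flat set contains the trace `xbycc`, and the two hierarchical checks expose the same defect on the shorter traces `xbcc` and `bycc`, where the other module's internal signal has already been hidden. The length bound is the price of enumerating $\mathrm{del}^{-1}$ explicitly: a failure that needs a longer trace than the bound is not found by either method, so the bound has to cover at least one full cycle of the protocol being checked.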
Calculation of $P$ is an exponential problem. From Lemma 8, we know that $\mathrm{hide}(D)(T_E) \preceq \mathrm{abs}(D)(N_E)$. Therefore, combined with Lemma 2, we know $M_1 \,\|\, \mathrm{hide}(X_2)(M_2) \preceq M_1 \,\|\, \mathrm{abs}(X_2)(M_2)$ and $\mathrm{hide}(X_1)(M_1) \,\|\, M_2 \preceq \mathrm{abs}(X_1)(M_1) \,\|\, M_2$. Using the above conclusions, we show another very important theorem.

THEOREM 2. Let $X_1$ and $X_2$ be the internal signal sets of $M_1$ and $M_2$, respectively. If $M_1 \,\|\, \mathrm{abs}(X_2)(M_2)$ is failure-free, and $\mathrm{abs}(X_1)(M_1) \,\|\, M_2$ is failure-free, then $M = M_1 \,\|\, M_2$ is failure-free.

Proof: Lemma 2 and Lemma 8. □
7. PRELIMINARY RESULTS

We have implemented the abstraction technique introduced above and incorporated it into our VHDL and HSE compiler [27] frontend to the ATACS tool. We have applied our abstraction method to several examples. These examples contain multiple duplicates of simple elements, and they are easy to expand. The following charts show the comparisons between the times for flat synthesis and synthesis using abstraction (similar results have been obtained for verification). All the examples share the same feature: when the number of stages grows, the state space and the synthesis time grow exponentially, and very quickly the synthesis process exits because of memory exhaustion.
The first example is a dataless version of the precharge half buffer (PCHB) from [15] (the TPN for a 2-stage version is shown in Figure 2). For this example, ATACS finishes successfully on 7 stages on the flat design; but with abstraction turned on, it easily synthesizes 100 stages in about 6.5 minutes. Comparative runtimes for the synthesis of 1 through 9 stages are shown in Figure 10.

The second example is a multiple stage controller for a self-timed FIFO. In [16], a highly optimized hand-designed timed circuit implementation is presented. Its correctness is highly dependent on timing parameters. By using ATACS, the same efficient circuit is derived [25]. We first synthesized it using our POSET timing technique [3] without abstraction, and we can only synthesize the FIFO up to 4 stages. For the 5-stage FIFO, we had to kill the process after it ran for over a day. With abstraction, however, we can easily proceed to 100 stages, which takes approximately 23 minutes. Comparative results up to 6 stages are shown in Figure 11.
From both charts you may notice that the synthesis time with abstraction for the first few stages is a little larger than that obtained by using POSETs alone. This is because abstraction contributes part of the runtime. As the designs become more and more complex, the time for abstraction dominates the total synthesis time. However, since abstraction runtime grows polynomially in the size of the specification, the total synthesis time with abstraction grows in an approximately polynomial manner. This is substantially better than the exponential growth in the analysis of flat designs. We have also found that synthesis with abstraction is not only several orders of magnitude faster than flat synthesis, but also successful on several orders of magnitude more complex designs than flat synthesis.

Figure 10: Synthesis time for PCHB example.

Figure 11: Synthesis time for FIFO example.
8. CONCLUSIONS

State space explosion is the bottleneck of current synthesis and verification methods. This paper presents a new approach to avoid it by partitioning the designs into manageable blocks and considering the blocks one by one. By using the hierarchy information provided in the specification, the environment is simplified, and the state space for each block is reduced by orders of magnitude. Experimental results show that synthesis and verification with abstraction is not only several orders of magnitude faster but also capable of analyzing systems several orders of magnitude more complex than flat analysis. Currently, our technique is unable to abstract transitions involved in choices, so we plan in the future to extend our technique to general TPNs.
9. REFERENCES

[1] P. A. Beerel, J. R. Burch, and T. H.-Y. Meng. Checking combinational equivalence of speed-independent circuits. Formal Methods in System Design, Mar. 1998.
[2] P. A. Beerel, T. H.-Y. Meng, and J. Burch. Efficient verification of determinate speed-independent circuits. In Proc. International Conf. Computer-Aided Design (ICCAD), pages 261-267. IEEE Computer Society Press, Nov. 1993.
[3] W. Belluomini and C. Myers. Verification of timed systems using POSETs. In International Conference on Computer Aided Verification. Springer-Verlag, 1998.
[4] W. Belluomini and C. J. Myers. Timed event-level structures. In Proc. International Workshop on Timing Issues in the Specification and Synthesis of Digital Systems (TAU), Austin, Texas, USA, Dec. 1997.
[5] W. Belluomini, C. J. Myers, and H. P. Hofstee. Verification of delayed-reset domino circuits using ATACS. In Proc. International Symposium on Advanced Research in Asynchronous Circuits and Systems, pages 3-12, Apr. 1999.
[6] G. Berthelot. Checking properties of nets using transformations. In Lecture Notes in Computer Science, 222, pages 19-40, 1986.
[7] R. K. Brayton. VIS: A system for verification and synthesis. In Proc. International Conf. Computer-Aided Design (ICCAD), pages 428-432, 1996.
[8] J. R. Burch. Trace Algebra for Automatic Verification of Real-Time Concurrent Systems. PhD thesis, Carnegie Mellon University, 1992.
[9] Y. H. D. Moundanos, J. Abraham. Abstraction techniques for validation coverage analysis and test generation. IEEE Transactions on Computers, 47(1):2-14, 1998.
[10] D. L. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits. ACM Distinguished Dissertations. MIT Press, 1989.
[11] J. Gu and R. Puri. Asynchronous circuit synthesis with Boolean satisfiability. IEEE Trans. CAD, 14(8):961-973, 1995.
[12] R. Johnsonbaugh and T. Murata. Additional methods for reduction and expansion of marked graphs. IEEE Trans. Circuits and Systems, CAS-28(1):1009-1014, 1981.
[13] S. T. Jung and C. J. Myers. Direct synthesis of timed asynchronous circuits. In Proc. International Conf. Computer-Aided Design (ICCAD), pages 332-337, Nov. 1999.
[14] M. Kishinevsky, A. Kondratyev, A. Taubin, and V. Varshavsky. Concurrent Hardware: The Theory and Practice of Self-Timed Design. Series in Parallel Computing. John Wiley & Sons, 1994.
[15] A. J. Martin, A. Lines, R. Manohar, and M. Nystrom. The design of an asynchronous MIPS R3000 microprocessor. In R. B. Brown and A. T. Ishii, editors, 1997 Michigan Conference on Very Large Scale Integration, pages 164-181, 1997.
[16] C. E. Molnar, I. W. Jones, B. Coates, and J. Lexau. A FIFO ring oscillator performance experiment. In Proc. International Symposium on Advanced Research in Asynchronous Circuits and Systems, pages 279-289. IEEE Computer Society Press, Apr. 1997.
[17] T. Murata. Petri nets: Properties, analysis, and applications. Proceedings of the IEEE, 77(4):541-580, 1989.
[18] T. Murata and J. Y. Koh. Reduction and expansion of live and safe marked graphs. IEEE Trans. Circuits and Systems, CAS-27(10):68-70, 1980.
[19] C. Ramchandani. Analysis of asynchronous concurrent systems by timed Petri nets. Technical Report Project MAC Tech. Rep. 120, Massachusetts Inst. of Tech., Feb. 1974.
[20] R. Alur, R. Grosu, and M. McDougall. Efficient reachability analysis of hierarchical reactive machines, 1999. Submitted.
[21] O. Roig. Formal Verification and Testing of Asynchronous Circuits. PhD thesis, Universitat Politècnica de Catalunya, May 1997.
[22] S. Rotem, K. Stevens, R. Ginosar, P. Beerel, C. Myers, K. Yun, R. Kol, C. Dike, M. Roncken, and B. Agapiev. RAPPID: An asynchronous instruction length decoder. In Proc. International Symposium on Advanced Research in Asynchronous Circuits and Systems, pages 60-70, Apr. 1999.
[23] I. Suzuki and T. Murata. Stepwise refinements for transitions and places. New York: Springer-Verlag, 1982.
[24] I. Suzuki and T. Murata. A method for stepwise refinements and abstractions of Petri nets. Journal of Computer and System Sciences, 27(1):51-76, 1983.
[25] R. A. Thacker, W. Belluomini, and C. J. Myers. Timed circuit synthesis using implicit methods. In Proc. International Conference on VLSI Design, pages 181-188, 1999.
[26] T. Yoneda and H. Ryu. Timed trace theoretic verification using partial order reduction. In Proc. International Symposium on Advanced Research in Asynchronous Circuits and Systems, pages 108-121, Apr. 1999.
[27] H. Zheng. Specification and compilation of timed systems. Master's thesis, University of Utah, 1998.
