Designing asynchronous circuits from behavioural specifications with internal conflicts by Cortadella, Jordi et al.
Designing Asynchronous Circuits from 
Behavioural Specifications with Internal Conflicts * 
J.  Cortadella L. Lavagno P. Vanbekbergen A. Yakovlev 
Dept. of Computer Architecture Dipartimento di Elettronica Synopsys Inc. Dept. of Computing Science 
Univ. Politkcnica de Catalunya 
08071 Barcelona, Spain 
Politecnico di Torino 
10129 Torino, Italy 
Abstract 
The paper presents a systematic method for synthe- 
sizing asynchronous circuits from event-based speciji- 
cations with conflicts on output signals. It describes a 
set of semantic-preserving transformations performed 
at the Petri net level, which introduce auxiliary signal 
transitions implemented b y  internally analogue compo- 
nents, Mutual Exclusion (ME) elements. The logic for 
primary outputs can therefore be realized free from haz- 
ards and external meta-stability. The technique draws 
upon the use of standard logic components and two- 
input MEs, available in a typical design library. 
1 Introduction 
Self-timed circuit design has been mainly aimed at 
the modelling and implementation of behaviour that 
is either speed-independent or delay-insensitive. To- 
day, there is more interest in mixed systems, where 
modules may have local clocks and interact asyn- 
chronously: hence the demand for corresponding mod- 
els and synthesis methods. Designers often want to 
represent the desired behaviour as a combination of 
causality and ordering (timing) constraints. Such a 
behaviour may not satisfy some of the initial require- 
ments imposed by the existing synthesis methods and 
tools. For instance, the asynchronous synthesis sub- 
system of SIS [9] requires that a Signal Transition 
Graph (STG), used to define the behaviour of a circuit, 
be output-persistent (only input signal transitions can 
be disabled). Moreover, the Forcage synthesis tool, 
described in [3], puts even stronger requirements on 
*For J. Cortadella this work was supported by ACiD-WG 
(Esprit 7225) and CICYT TIC 91-1036. The research of L. 
Lavagno was partially supportedby MURST under 40% project 
“VLSI Architectures”. For A.Yakovlev this work was partly 
done during his visit to Torino in March-Aprill994, sponsored 
by the British Council and CNR (Italy). 
Mountain View 
CA 94043-4033, USA 
Univ. of Newcastle upon Tyne 
NE1 7RU, UK 
the specification. It must be totally free from choice, 
allowing only concurrency and two types of causality 
(AND and OR). 
A simple example, the behaviour of a transparent 
latch considered in the next section, shows that both 
such restrictions are a serious limiting factor for the 
practical use of asynchronous design techniques. 
Our aim is to be able to derive such and similar 
designs mechanically (ultimately, using a CAD tool) 
from their formal behavioural specifications. This 
should ideally be done within the already existing 
framework of synthesis methods developed for STGs, 
without requiring any custom design. It is well-known 
that synchronization of causaly unrelated events and 
signal disabling unavoidably leads to hazards in com- 
binational logic and meta-stability in sequential logic. 
Hence the implementation of output disabling must 
use some circuitry (partly analogue) to resolve con- 
flicts at the logical level. Such circuits should prefer- 
ably be built using some standard library components, 
e.g., a two-input mutual exclusion (further called mu- 
tex or ME) element with an internal meta-stability de- 
tector [8]. Due to design methodology requirements, 
it is highly unlikely to expect designers to build their 
own special transistor interconnections, which would 
require putting effort extensive into analogue mod- 
elling and simulation. 
Thus, our goal is to be able to start from a specifica- 
tion of a most general class of behaviours describable 
by Petri nets and STGs (obviously bounded, to be im- 
plementable with finite memory), and then perform 
the following procedure: 
1. determine a set of output signal transitions that 
are not persistent (can be disabled by input or 
output signal transitions); 
2. insert an appropriate set of mutex elements (with 
internal analogue meta-stability detector), mak- 
ing semantic-preserving transformations at the 
specification level (i.e. S T G  or its State Graph); 
106 
0-8186-6210-7/94 $4.00 0 1994 IEEE 
3. factor them out of the model, making their out- 
puts to be additional inputs to the circuit, which 
should now be output-persistent; 
4. synthesise the “logical part” of the circuit by the 
present day STG-based methods and tools; 
5. combine the “mutex part” with the “logical part” 
by interconnecting the MEs and the gate net- 
work through the set of request-acknowledgement 
handshakes (if the standard n-input n-output 
M Es are used). 
In this paper, we make our first attempt on this 
challenging path. We present some techniques for: 
0 modelling the behaviour with conflicts and output 
non-persistency ; 
transforming the initial specification into one 
with mutex element actions; 
implementing the specification using standard 
MEs and logic synthesis techniques. 
I .  . I  :* >mold .~ , .  . .  , .  , .  , .  I .  
>Thold 
. .  . .  . .  
. I  . .  I .  
I .  
I .  
ID 
Ck 1 : .  /-\ 
@) 
Q 
Osetup,Thold 
Ck ..,+q------/ , 
( 4  
Q 
Nondeterministic behaviour 
Figure 1: Timing diagrams for transparent latch 
The timing diagrams shown in Figure 1 describe 
the three different situations that may occur when 
the latch is initially set at Q = 0 and subject 
to signal transitions at its inputs. The inputs 
are initially both at logical 0, so that Q is sta- 
ble. The first case, shown in ~i~~~~~ corre- 
sponds to the following sequence of signal transi- 
tions: c k + ,  D+, Q+, c k - ,  ck+, D-, Q - ,  . . ., where 
+ (.-) denotes the positive (negative) edge of 
signal 2. Here we assume that both D+ and 
The modelling and transformation are both shown 
at the STG level, because it is more suitable for de- 
scriptive purposes. An algorithmic implementation, 
though, may also be done at the SG level, which has 
the advantage of being canonical, albeit often expo- 
nentially larger than a corresponding STG. 
2 A Simple Example: the Transparent 
Latch 
Specification. We first provide an intuitive descrip- 
tion for a transparent latch (henceforth, simply re- 
ferred to as a “latch” unless it creates confusion) us- 
ing timing diagrams and plain English. The latch is 
a device with two inputs D and Ck, and one output 
Q. We assume throughout this discussion that D is 
temporally unrelated to Ck, but otherwise hazard-free 
and locked in handshake with Q. This means that 
D cannot change value twice without waiting for Q 
to change in between. This is a reasonable assump- 
tion, e.g., for the synchronizer for an interrupt input 
to a microprocessor. If D could change multiple times 
without Q changing in between, then we would need 
a more complex STG and timing assumptions, that 
would unnecessarily complicate the example. We will 
later need some further timing constraints, e.g., relat- 
ing the clock frequency to the meta-stability resolution 
time. 
- 
D- occur well ahead of the falling edge of Ck. 
The second case, shown in Figure l(b), corre- 
sponds to the following sequence of signal transitions: 
The assumption here is that transitions D+ and D- 
occur well af ter  the falling edge of Ck. The third case, 
shown in Figure l(c), in which D changes very close 
to Ck-, is nondeterministic. We cannot precisely say 
which state Q will assume. If we specified that Q had 
always to change to logical 1, it would be an unrealis- 
tic requirement. It is known from theory and practice 
of building synchronisers (e.g., [6]) that it is impossi- 
ble to construct such a device that would behave in 
determinate way when the asynchronous input edge is 
close to the edge of the strobe signal. 
The most difficult case to deal with, both in terms 
of its formal modelling and circuit implementation, is 
certainly the third one. Although the designer may 
clearly understand the impossibility of building a de- 
terminate implementation, and allow for two poten- 
tial alternatives in the subsequent action of the device 
and its environment, there is an additional issue to be 
looked at: meta-stability. 
Ck+, Ck-, D+, Ck+, Q+, Ck-, D-, Ck+, Q-, . . .. 
107 
Figure 2: S T G  description of the transparent latch (a) 
and its state graph (b) 
Incorrect implementation of the latch. We can 
be very naive and try to implement the above speci- 
fication using for example a formal method based on 
STGs (see Section 3 for a more precise definition of 
the S T G  syntax and semantics). The S T G  which com- 
pletely satisfies the informal specification given above 
in terms of timing diagrams is shown in Figure 2(a). 
It contains a transition vertex for each signal transi- 
tion and its arcs stand for causal relationship between 
transitions. Compared to the standard Petri net no- 
tation, we have replaced most place vertices, together 
with their incoming and outgoing arcs, with a single 
arc (from the cause to the effect). The only explicit 
place, denoted by p ,  is needed because we have sev- 
eral transitions incident to it. The placement of tokens 
on the arcs as shown in the figure corresponds to the 
initial state of the latch, D = Q = Ck = 0. 
If we now consider the behaviour of this STG, which 
can be represented by the corresponding State Graph 
(SG), we will see that all the cases of Figure 1 occur in 
it. The SG is shown in Figure 2(b). In this SG, vertices 
stand for the markings of the Petri net underlying our 
STG. Furthermore, these markings are labelled with 
binary codes, which correspond to vectors of values of 
the modelled circuit signals. 
It is easy to traverse the SG to find the specified 
cases. The first two cases are simply the feasible firing 
sequences in the STG. In analysing them we should 
bear in mind that the firing of either transition Q+ or 
transition Q- does not disable transition Ck- since 
we have two-way arcs connecting those two transitions 
to place p .  At the same time the arcs connecting the 
transitions of D with those of Q depict the assumed 
causality (when the switching of D causes the transi- 
tions of Q )  and ordering (when input D cannot change 
lations. As for the third case, consider the situation 
when, after firing Ck+, the S T G  reaches the marking 
in which the place p contains a token. This marking 
obviously enables transitions Ck+ and D+. Now, as- 
sume that D+ fires very close to Ck-, but before i t .  
In this case, the net reaches the marking (state 110) 
under which both Ck- and Q+ are enabled. Since 
before the corresponding change of Q has arrived) re- 
Q is an output signal, transition Q+ cannot fire in- 
stantaneously. The associated delay is at least the 
delay of a gate whose output produces Q. Thus we 
assume that the S T G  transitions labelled with signal 
Q have a non-zero enabling time. This time may how- 
ever be longer than the time difference between D+ 
and Ck-. Hence, there is a non-zero probability that 
transition Q+ may not manage to fire and thus can be 
disabled by Ck-.  A similar situation happens when 
D- arrives close enough before Ck-.  The SG of the 
S T G  thus correctly represent the nondeterminism in 
the behavioural specification. 
In order to build a circuit implementing this model, 
let us apply the same procedure for logical implemen- 
tation of an SG as described, e.g., in [2]. For each state 
label (the order of signals is D,Ck  and Q )  we write 
down the implied (next-state) value of the output sig- 
nal Q: 000 +. 0, 100 ---f 0, 010 +. 0, 110 +. 1, 001 --+ 
1, 101 +. 1, 011 ---i 0, 111 - 1. This produces the 
standard logic function for Q: 
It is well-known that this implementation works 
only assuming that transitions of D occur far enough 
from the falling edge of Ck (setup and hold times). In 
the asynchronous case, though, this is not satisfactory, 
because we cannot safely make such an assumption. 
The danger here is that the latch may reach a meta- 
stable state, lasting an unbounded amount of time, in 
which its output has a value which is neither logical 
0 nor logical 1. This intermediate value is even more 
dangerous because it can be interpreted differently by 
different logical gates driven by the latch. 
In order to ensure safe and correct operation while 
complying with the initial S T G  model, we have to alter 
our synthesis procedure so as to avoid non-persistency 
of output signal transitions. The approach that we 
pursue in the rest of the paper is based on the explicit 
use of ME elements, to protect the transitions of out- 
puts which are non-persistent in the initial specifica- 
tion. In this approach we assume that a ME is imple- 
mented safely and generates no hazards at its outputs 
if the input changes satisfy the basic handshake proto- 
cols on the request/acknowledgement terminals of the 
ME element. 
We are not eliminating meta-stability (this cannot 
be done), but we are limiting it to some specific cir- 
cuit component, the ME, which has a well-defined be- 
haviour and produces valid logic outputs even in the 
met a-stable state. 
108 
3 Signal Transition Graphs 
Signal Transition Graphs and Petri nets The 
Signal Transition Graph (STG) was independently in- 
troduced by [2] and [7] as a specification formalism for 
asynchronous sequential circuits. An S T G  is an inter- 
preted Petri net, and as such it is capable to explicitly 
capture causality, concurrency and choice. 
A Petri net is a triple N =< P I T ,  F >, where P 
is a set of places, T is a set of transitions and F C 
( P  x T)U(T x P )  is the flow relation. A place p E P is 
a predecessor of a transition t E TI and t is a successor 
of p ,  if (p , t )  E F .  Conversely, a transition t E T is a 
predecessor of a place p E PI and p is a successor o f t ,  
if ( t , p )  E F .  
An S T G  is an interpreted Petri net: transitions 
of the net are interpreted as value changes on in- 
put/output signals of the specified circuit. Positive 
transitions (labeled with a "+") represent 0 -+ 1 
changes, negative transitions (labeled with a "-") rep- 
resent 1 --+ 0 changes. Input transitions are those that 
occur on input signals of the circuit, output transitions 
are those that occur on its output signals. 
The conventional graphical representation of an 
S T G  (slightly different from the Petri net convention) 
is a directed graph, where transitions are simply iden- 
tified by their name, places are denoted by circles, and 
directed edges represent elements of the flow relation. 
Places with only one predecessor and one successor 
are usually omitted. Directed edges whose successor 
is a transition represent sequencing constraints, either 
on the circuit to be synthesized (if their successor is 
an output transition), or on the environment (if their 
successor is an input transition). They specify what 
set of transitions causes each transition. 
A token marking of a Petri net is a non-negative 
integer labeling of its places. A transition is enabled 
(i.e. the corresponding event can happen in the cir- 
cuit) whenever all its predecessor places are marked 
with at least one token. 
An enabled transition may fire. This means that 
the corresponding signal changes value in the circuit. 
When it fires, a token is removed from every prede- 
cessor place, and a token is added to every successor 
place. 
If a place marked with only one token has more 
than one enabled successor transition, then only one of 
them may non-deterministically fire. The other tran- 
sitions are disabled by its firing. 
A marking M" is reachable from another marking 
M' if there exists a sequence of enabled transition fir- 
ings that produces M" starting from MI. 
A marking M' is live if for all markings M" reach- 
able from MI,  every transition can be enabled through 
some sequence of firings from MI'. A marked net is 
live if its initial marking is live. 
A marking MI is bounded if the number of tokens 
that any place can be holding after any sequence of fir- 
ings from M' is bounded. A marking M' is safe (some- 
times referred to as 1-bounded) if it is 1-bounded. A 
marked net is bounded (resp. safe) if its initial mark- 
ing is bounded (resp. safe). 
A transition t is called persistent if there exist no 
such reachable marking M under which t can be dis- 
abled by the firing of some other transition t'. The 
Petri net and its corresponding S T G  is called persis- 
tent if all its transitions are persistent. An S T G  is 
called output-persistent if all of its transitions labeled 
with output signals are persistent. 
Note that our definition of output-persistency is 
rather conservative (cf., [12]). We do not allow to 
exploit the interleaving semantics of concurrency be- 
tween labeled actions at the S T G  level. For example, 
let t l  be a transition labeled with an output change 
t* and disabled by t z  under a reachable marking M .  
Let also exist another transition t 3  which is labelled 
with the same label and enabled after the firing of 
t z .  Thus, t3 "takes over" the signal transition t* and 
thus preserves its enabling. We classify this case as 
non-output-persistent . 
This restriction is important for our approach to 
model transformation, as will be described in the next 
section. This approach is entirely net-based. LFrom 
practical reasons this limitation is not crucial since the 
descriptive power of Petri nets allows keeping a one-to- 
one relationship between signal transition events and 
Petri net transitions. Furthermore, it disciplines the 
designer in an optimal utilisation of net transitions. 
State Graphs The reachability graph of a Petri net 
is a directed graph where each node corresponds to a 
marking and an edge joins a pair of markings MI,  M" 
if there exists a transition t* that firing from MI pro- 
duces M" (the transition labels the edge). 
The State Graph (SG) ([2]) of an S T G  is the reach- 
ability graph of the underlying net where each node 
(henceforth called state) is labeled with a vector v of 
signal values. This node labeling must be consistent 
with the SG edge labeling, in other words for each edge 
s' -+ s", for each signal t :  
1. if the edge is labeled t+ then signal t must be 0 
in v' and 1 in v" 
2. if the edge is labeled t -  then signal t must be 1 
109 
in v’ and 0 in v” 
3. otherwise signal t must have the same value in 
both v‘ and VI’. 
Another important property of the SG is its semi- 
modularity with respect to output signals. An SG is 
called semimodular if for each output signal t and any 
reachable state s in which t is enabled (there is an edge 
labelled with t* leading from s to some s’) t remains 
enabled in any other state reachable from s through 
the firing of some other signal transition enabled in s. 
The S T G  specification, generating the consistent 
and semimodular SG, can be implemented as a logic 
circuit as described in [2, 71. One combinational logic 
implements the next-state function of each output sig- 
nal, mapping each SG label into the corresponding im- 
plied value for each output signal. The implied value 
of an output signal t in an SG state s is defined as: 
e the value o f t  in the label of s if no transition of 
t is enabled in s. 
e the complement of that value otherwise 
Chu showed ([a]) that the next-state function is 
well-defined (i.e. it  has only one value for each point 
in the domain) if and only if for each pair (SI, s”) of 
SG states that have the same label, the same set of 
output signal transitions zs enabled in both markings 
corresponding to s’ and s”. If the SG has this charac- 
teristic, then we say that the S T G  from which the SG 
was derived has the Complete State Coding property 
It is clear that the SG produced by an STG can be 
non-semimodular for some output t only if the S T G  is 
not persistent with respect to some transition labelled 
with t .  One cannot derive the next-state function to 
produce a hazard-free logic for t ,  as was shown in Sec- 
tion 2. In the following section, we show how this 
problem can be resolved at the S T G  level, be means of 
adding special-purpose transitions, called semaphore 
actions. These transitions are aimed at  isolating all 
the output non-persistency from the logic part of the 
implementation. They can be implemented by stan- 
dard ME elements. 
(CSC). 
4 Conflict places and Petri net trans- 
formations 
Similarly to many situations in concurrent pro- 
gramming, the problem of guaranteeing a persistent 
behaviour in a Petri net can be solved by forcing a 
mutually exclusive access to conflicting places. Thus, 
a place becomes a critical section of the system, which 
has several processes (producers) adding tokens to the 
place and several processes (consumers) taking tokens 
from the place [l]. 
The problem of non-persistency arises when more 
than m consumers (transitions) are simultaneously en- 
abled by a place, while the place has only n (n  < m) 
tokens. Let us assume these m transitions signify 
changes in output signals. Since signal changes are 
not instantaneous in digital circuits, all m transitions 
may start their process of changing a signal. However 
only n of them (the fastest to complete) will be able 
to fire and, therefore, the other m - n transitions will 
have to be cancelled. This cancellation may produce 
undesirable effects on the circuit behaviour: hazards, 
manifested by glitches generated by the cancellation of 
the slowest signals, and meta-stability, perceived when 
the circuit is not able to decide the completion order 
of transitions. 
These circuit malfunctions will be avoided if at 
most n transitions are allowed to be enabled when 
the conflicting place has n tokens. 
4.1 The producer-consumer problem 
The problem to be solved in our domain of Petri 
nets is a simplified version of the consumer-producer 
problem in which 
messages (tokens) have no explicit meaning, i.e. 
they are not used for communication but only for 
synchronization, and 
the buffer (place) used to store messages is large 
enough to handle the maximum number of mes- 
sages that can be produced (this number must be 
bounded for the specification to be implementable 
as a logic circuit). 
Since producers will never find the buffer full, there 
is no need for them to have a mutually exclusive ac- 
cess with the other processes of the system. Only con- 
sumers, competing for tokens in the conflicting place, 
must be controlled. 
A classical solution to control the concurrent access 
to a critical section is the use of semaphores. The 
simplest implementation of a semaphore consists of a 
1-bit variable (sem), and two atomic operations: 
e wait (sem) , that halts the process until the value 
of sem is 1. After its execution the value of sem 
becomes 0. This operation grants the access to 
the critical section. 
110 
Figure 3: Behavioural description of a 2-input mutex 
0 signal (sem), that writes a 1 in sem, allowing 
other processes to access the critical section. 
Thus, a process willing to access a critical section 
c, protected by the semaphore sem must execute the 
following sequence of operations: 
. . . wait(sem); access(c); signal(sem); . . . 
An ME is the hardware implementation of a 
semaphore. Figure 3 depicts the behaviour of a 2- 
input ME in which place me plays the role of the 1-bit 
variable of the semaphore. The operation wait (sem) 
is implemented by the handshaking pair R+ --f A+, 
whereas signal (sem) is implemented by R- --+ A-.  
In general the behaviour of a semaphore controlling 
n concurrent processes can be implemented by an n- 
input ME, which can either be a primitive gate in a 
library, or be constructed from cascaded 2-input M Es. 
4.2 S T G- level transformations 
The next step in our methodology to solve the prob- 
lem of output non-persistence is to re-describe the be- 
haviour of the circuit by means of semantic-preserving 
transformations from the original description. This 
basically involves interleaving conflicting transitions 
with the primitives that guarantee mutual exclusion. 
The resulting Petri net has the property that no more 
ihan one of the original conflicting transitions can be 
enabled simultaneously. The problem of output non- 
persistence is thus moved out to the outputs of the 
ME (which are now inputs of the circuit being syn- 
thesized) and converted into a situation of input non- 
persistence. 
Figure 4 shows how the primitives wait and signal 
can be described at the STG level. Each primitive has 
two parameters: the number of the ME channel to 
which requests are done (i) and the ME used for that 
particular critical section (in general, several critical 
/ \  Ai+- / \  
Figure 4: 
primitives 
STG-level description of the semaphore 
... CL 0 i' 
S. 
0 
6 1  
Figure 5: (a) Original Petri net with a conflict place. 
(b) Transformed Petri net 
sections can be used in the same description). In or- 
der for each channel i to force a 4-phase handshake 
between signals Ri and Ai, a 1-safe place p;  is in- 
serted in such a way that a token in pi indicates that 
the handshake has completed and a new handshake 
can be initiated. 
Let us assume that we have a conflict place p such 
as the one depicted in Figure 5.(a), with n producer 
transitions (tl , . . . , tn) and m consumer transitions 
(e1 , . . . , em). In the transformed description (Figure 
5.(b)) no changes must be included for the producers, 
but mutually exclusive access must be guaranteed for 
the consumers1. 
A distinction between input and non-input transi- 
tions must be done when inserting primitives for mu- 
tual exclusion. Specifically the circuit must not put 
additional constraints on the behaviour of the environ- 
ment. This is illustrated by the different transforma- 
tions applied to c1 and e, (assumed to be non-input 
'Notice that a consumer can also be a producer at the same 
time (self-loop transition) 
111 
and input transitions respectively). 
More precisely, the enabling conditions of output 
signal transitions, that are under direct control, can 
be conditioned to follow the wait handshake. On the 
other hand, the enabling conditions of input signal 
transitions cannot be changed, because the environ- 
ment cannot be constrained in general. This means 
that the wait handshake corresponding to an input 
transition can be initiated only after the correspond- 
ing transition has fired. In consequence, the disabling 
of the output transitions can occur only after this 
wait. In Figure 5.(b) this is represented by an un- 
labeled, internal transition E that removes the token 
from p ,  and hence prevents c1 from potentially firing, 
only when we know for sure that c1 has lost the arbi- 
tration, and it is not currently enabled. In practice, 
this internal transition can be the AA transition of the 
corresponding wait 
Another interesting point to note is that in general 
we cannot control the marking of successor places of 
input transitions (e.g., sm). This means that, in prin- 
ciple, we cannot ensure that the resulting STG is safe, 
or even bounded. Moreover signals do not have a suc- 
cessor transition, implying a potentially non-strongly- 
connected STG. The first problem is the most serious, 
because it forces the introduction of timing constraints 
to ensure resolution of arbitration (and potentially of 
meta-stability) before places p and p ,  can be safely 
marked again. Otherwise, the resulting circuit could 
not be built in a hazard-free manner. 
The second problem can also be solved with tim- 
ing constraints, or, in the case of 1-safe conflict places, 
with simple transformations at the STG-level (see Fig- 
ure 6). Once the token of the conflict place has been 
consumed, no other “consuming” transition will be en- 
abled until a “producing” transition is fired. For this 
reason, there is no need to free the critical section af- 
ter consuming the token and, thus, signal operations 
can be delayed until after having put the token into 
the place. The appropriate sequencing between oper- 
ations of the same ME channel must be guaranteed by 
the net (denoted by dashed arcs in the figure). 
4.3 ME channel assignment 
Two transitions, t l  and t z ,  are called in conflict 
with respect to place p (denoted by t lC , t z ) ,  if t l ,  t z  E 
p* and there is a marking under which they are both 
enabled and the firing of one of them disables the other 
one. Note that this conflict may be asymmetric, i.e. 
one transition disables the other while not vice versa. 
Since t1,L2 E p’ ,  it is clear that such disabling can 
only take place when the marking of p changes. This 
signal (1,me) signal (m,me) 
4 \ ‘i ‘z ... 
E 
Figure 6: Transformed Petri net for a 1-safe conflict 
place 
P 
t6 
Figure 7: (a) Conflict place. (b) Conflict graph for 
M E channel assignment. 
implies that p is a critical resource that must protected 
by a semaphore mechanism. 
C, can be used to derive a conflict graph in which 
each node represents a transition ti E p’. There is an 
arc between ti  and ti iff tiCptj. Figure 7.(a) depicts a 
conflict place with all its successor transitions. Arcs 
denoted by ti crf t j  indicate that ti and t j  are never si- 
multaneously enabled. Figure 7.(b) shows the conflict 
graph for such a set of transitions. 
Given a conflict graph, the problem of assigning 
transitions to ME channels can be reduced to the prob- 
lem of colouring the conflict graph2. Therefore, to 
guarantee mutual exclusion between transitions, an 
n-input ME will be inserted, n being the number of 
colours required for the graph. 
In the example of Figure 7, a possible channel as- 
signment for a 3-input ME could be the following: 
a = {tl,t6}, = { t z ,  t4},  c = ( t 3 ) .  
2A dual approach would consist in deriving a c o m p a t i b i l i t y  
g r a p h  and reduce the problem to clique p a r t i t i o n i n g  
112 
--n I A b  
Figure 8: STG of Figure 2 after wait and signal in- 
sertion (w(a) stands for wait(a,me)). 
5 The Latch Example Revisited 
We can now revisit the latch example, and apply to 
The first step, illustrated in Figure 8.(a), consists 
it the transformations sketched in Section 4. 
of 
1. Analyzing which transitions are in conflict, build- 
ing a conflict graph and assigning ME channels to 
conflicting transitions. 
2. Protecting those transitions with a waitlsignal 
pair. 
Obviously Q* and Q- can never be enabled simul- 
taneously, so they can share channel a, while channel 
b is assigned to Ck-.  Note that: 
A place is required for each ME channel, between 
signals and waits, to ensure their proper order- 
ing. 
0 We have applied the 1-safe optimization outlined 
above, in order to obtain a reasonable implemen- 
tation. 
We must then add edges E + Ck* and s(b) + 
Ck- to obtain a strongly connected STG, as shown 
in Figure 8.(b). These edges are timing constraints 
that must be satisfied if the latch in order to properly 
operate the latch. Basically they state that the clock 
must wait long enough for the ME to resolve meta- 
stability. Otherwise, the ME would be operated in a 
manner that is different than its “legal” 1/0 protocol, 
represented in Figure 3. In this case, the Rb input 
may fall before the Ab output rises, and the Rb input 
may rise before the Ab output has fallen. This may 
or may not be a problem, depending on the circuit 
design used to implement the ME.  With the solution 
shown in Figure 9 neither case is problematic, because 
Figure 9: A possible CMOS implementation of an ME 
f ’  /-- s+ 
Figure 10: STG of Figure 8 after state encoding (a) 
and handshake expansion. (b). 
the former helps the ME leaving a meta-stable state, 
while the latter may drive it again into meta-stability 
while the previous meta-stability has not been resolved 
yet, which only adds to the length of a potentially 
unbounded process3 
This first STG does not have CSC, so state sig- 
nal transitions must be added to it to make it im- 
plementable [ l l ,  51. One possible solution, with one 
state signal s, is shown in Figure 10.(a). Redundant 
places (i.e., places whose removal does not affect the 
enabling/firing conditions of the net) have been re- 
moved, for the sake of clarity. 
We can now expand the symbolic actions wait and 
signal to full handshakes, thus obtaining the final 
STG shown in Figure 10.(b). This STG can be im- 
plemented, as shown in Figure l l . (a)  (where L ele- 
ments are “standard” transparent latches). This im- 
plementation is interesting, because it corresponds to 
an edge-triggered self-clocked f l ip - f lop ,  where the “in- 
ternal” clock is activated whenever there is a change 
We conjecture that this observation is generally applicable 
to the proposed design methodology? hiit we have not yet fidly 
investigated the issue. 
113 
Da 
Figure 11: Circuit implemented from the S T G  of Fig- 
ure lO(a) and an RGD arbiter built on its basis (b). 
in the input datum, but only when the external clock 
C k  is high. Otherwise, C k  locks the ME. This imple- 
mentation makes use of the fact that D must wait for 
Q to change before it can change again, in the original 
specification. 
Furthermore, we are not violating any physical 
principle, because this latch cannot be used to im- 
plement an ideal synchronizer, that is known to be 
impossible, even if it never produces a meta-stable 
output. The problem is that we don’t know when 
Q will change relative to the falling edge of C k ,  while 
if a latch is used respecting setup and hold times, we 
know that its output will be stable after a known set- 
tling time has elapsed since the falling edge of Ck. So 
if we use Q for driving combinational logic, we cannot 
reliably latch its output. 
We have two potential advantages from the use of 
this latch, and of the proposed methodology, though: 
1. No output will ever have an invalid logic value, 
except for the “standard’’ rising and falling tran- 
sients. 
2. If the clock can be stopped, then the Ab output of 
the ME can be used to do so and provide reliable, 
synchronous operation. 
Another useful byproduct of this design can be the 
implementation of a Request-Grant-Done (RGD) ar- 
biter (see, e.g., [lo]) shown in Figure l l (b) .  It makes 
the (0, Q, s ,  Ra, Aa) channel in the latch symmetric. 
6 Arbiter with reject 
The arbiter with reject is another interesting exam- 
ple of a circuit prone to suffer from meta-stability. Its 
behaviour is described by the STG of Figure 12. Ba- 
sically, this arbiter must respond to a request either 
Figure 12: STG for the arbiter with reject. 
/----) R 1 +  R~+I------, 
Figure 13: Transformed STG for the arbiter with reject 
with an A c k ,  if the resource is free, or with a Nack,  if 
the resource is busy, thus allowing the requester to do 
something else. 
In this case there are two conflict places, free and 
busy, with three possible situations of output non- 
semi-modularity: A l +  t free --+ A2+, Al- t busy * 
N2+ and A2- t busy * N1+ 
By applying the transformations presented in Sec- 
tion 4, a circuit with two MEs (one for each conflict 
place) would be obtained. Instead of this approach, we 
have chosen to use only one ME by considering both 
places as one critical section. Thus, all the aforemen- 
tioned transitions must be guaranteed an exclusive ac- 
cess to the places free and busy. 
By assuming the reader to be somewhat familiar 
with the STG-level transformations, we briefly sketch 
the resulting STGs in Figure 13. Although six differ- 
114 
NI 
A1 RI 
A2 Iu 
Nt 
Figure 14: Speed-independent realization of the ar- 
biter with reject 
ent transitions have access to the critical section, only 
two M E  channels are required after analysing the con- 
flict relation among them. In the final solution two 
state signals, s1 and s2, have been inserted to obtain 
an STG with the CSC property. After synthesis, a 
speed-independent realization such as the one shown 
in Figure 14 is obtained. 
An alternative implementation of the arbiter with 
reject was initially presented by Nowick and Dill in [4]. 
Both solutions have a similar structure, although the 
one presented in this paper is slightly simpler by the 
fact that the two toggle elements are substituted by 
two OR gates. The other significant difference is the 
use of two latches at the inputs instead of two C ele- 
ments (both gates roughly have the same complexity). 
7 Conclusions 
This paper tackles the problem of synthesizing cir- 
cuits from behavioural specifications with internal 
conflicts. Nowadays, conflicts are resolved by ad-hoc 
transistor-level circuitry usually developed by design- 
ers with high expertise in analogue methods. Other- 
wise, circuits obtained by direct synthesis from logic 
functions may suffer from hazardous or meta-stable 
behaviour. 
We have provided a methodology that allows to me- 
chanically solve this problem by using standard com- 
ponents devised and tested to avoid meta-stability (i.e. 
mutual exclusion elements). The original description 
is transformed into another one in which MEs can 
be directly inserted to resolve conflicts while existing 
CAD tools can be used to derive the logical part. 
It is worth to emphasize that the presented method- 
ology can be incorporated into automatic synthesis 
tools, thus helping even an inexperienced designer to 
correctly tackle synchronization problems. 
References 
[l] M. Ben Ari. Principles of Concurrent and Dis- 
tributed Programming. Prentice Hall Interna- 
tional, London, 1990. 
[2] T.-A. Chu. On the models for designing VLSI 
asynchronous digit a1 systems. Znt egrat ion: the 
VLSZ journal, 4:99-113, 1986. 
[3] M. A. Kishinevsky, A. Y. Kondratyev, A. R. 
Taubin, and V. I. Varshavsky. Concurrent Hard- 
ware. The Theory and Practice of Self-Timed De- 
sign. John Wiley and Sons Ltd., 1994. 
[4] S. M. Nowick and D. L. Dill. Practicality of 
state-machine verification of speed-independent 
circuits. In Proc. of the Znt. Conf. on Computer- 
Aided Design, Nov. 1989. 
[5] E. Pastor and J .  Cortadella. Polynomial algo- 
rithms for the synthesis of hazard-free circuits 
from signal transition graphs. In Proc. of the Int. 
Conf. on Computer-Aided Design, Nov. 1993. 
[6] F. U. Rosenberger, C. E. Molnar, T. J .  Chaney, 
and T.-P. Fang. &-modules: Internally clocked 
delay-insensitive modules. IEEE Transactions on 
Computers, 37:1005-1018,1988. 
[71 L. Y. Rosenblum and A. V. Yakovlev. Signal 
graphs: from self-timed to timed ones. In Znt. 
Workshop on Timed Petri Nets, 1985. 
[8] C. L. Seitz. Ideas about arbiters. Lambda, l(1, 
First Quarter) : 10-14, 1980. 
[9] E. M. Sentovich, K. J .  Singh, L. Lavagno, 
C. Moon, R. Murgai, A. Saldanha, H. Savoj, P. R. 
Stephan, R. K. Brayton, and A. Sangiovanni- 
Vincentelli. SIS: A system for sequential circuit 
synthesis. Technical Report UCB/ERL M92/41, 
U.C. Berkeley, May 1992. 
[lo] I.  E. Sutherland. Micropipelines. Comm. of the 
[ l l ]  P. Vanbekbergen, B. Lin, G. Goossens, and H. D. 
Man. A generalized state assignment theory for 
transformations on Signal Transition Graphs. In 
Proc. of the Int. Conf. on Computer-Aided De- 
sign, pages 112-117, Nov. 1992. 
ACM, June 1989. Turing Award Lecture. 
[12] A. V. Yakovlev, L. Lavagno, and A. Sangiovanni- 
Vincentelli. A unified signal transition graph 
model for asynchronous control circuit synthesis. 
In Proc. of the Znt. Conf. on Computer-Aided De- 
sign, Nov. 1992. 
115 
