Concurrent Specification and Timing Analysis of Digital Hardware using SDL (extended version) by Turner, Kenneth J et al.
Kenneth J. Turner, F. Javier Argul Marin and Stephen D. Laing. Concurrent Specification
and Timing Analysis of Digital Hardware using SDL (extended version of article published
by and copyright Springer-Verlag). In Jose Rolim et al., editors, Proc.  International
Parallel and Distributed Processing Symposium, Cancun, Mexico, LNCS 1800, pages
1001-1008, Spring Verlag, Berlin, Germany, May 2000.
Concurrent SpecificationAnd Timing Analysis
of Digital Hardware usingSDL




Digital hardware is treatedas a collection of interactingparallel components.This
permitsthe useof a standardformal techniquefor specificationand analysisof circuit
designs. The ANISEED method(Analysis In SDL EnhancingElectronicDesign)is pre-
sentedfor specifyingandanalysingtiming characteristicsof hardwaredesignsusingSDL
(SpecificationandDescriptionLanguage).A signalcarriesabinaryvalueandanoptional
time-stamp.Componentsandcircuit designsareinstancesof block typesin library pack-
ages. The library containsspecificationsof typical componentsin single/multi-bit and
untimed/timedforms. Timing may be specifiedat an abstract,behavioural or structural
level. Timing propertiesareinvestigatedusinganSDL simulatoror validator. Consistency
of temporalandfunctionalaspectsmaybeassessedbetweendesignsat differentlevelsof
detail. Timing characteristicsof a designmay alsobe inferredfrom validator traces. A







synchronisedvia exchangeof electricalsignals.AlthoughSDL (SpecificationandDescription
Language[15]) wasdevelopedfor specifyingcommunicationsystems,it is ageneral-purpose
languageof wide applicability. It is the contentionof this paperthat SDL is appropriate
andusefulfor specifyingandanalysingdigital hardwareascollectionsof interactingparallel
components.The approachparticularlyfocuseson timing aspects,which areoften tricky in
hardwaredesign.
HDLs (HardwareDescriptionLanguages)wereinitially developedonlyasdescriptivetools,
but they weresoonassociatedwith formal methods.Muchof theliteratureon formal methods
for hardwaredesignappearsin the proceedingsof CHDL (ComputerHardwareDescription
Languagesandtheir Applications,e.g.[8]).
SDLisof interesttohardwarespecifiersbecauseit offersrigorousspecification,goodsystem
structuringfeatures,high-level communication,andthe possibility of hardware-softwareco-
design. In theserespectsit complementsindustrial hardware descriptionlanguagessuchas
1
VHDL (VHSIC (Very High SpeedIntegratedCircuit) HardwareDescriptionLanguage[13])
andVERILOG [14].
Most usesof SDL for hardware descriptionhave aimedat synthesisusing standarden-
gineeringtools. As reportedin [2, 7, 9, 19, 20, 21], SDL hardware descriptionsare often
translatedinto VHDL. ThisallowsSDL to beusedfor high-levelhardwaredescription,coupled
with commontoolsfor hardwaresynthesisandfurtheranalysis.Hardware-softwareco-design
usingSDL hasalsobeeninvestigated[10, 17, 18]. Hardwareelementsareusuallygenerated
via VHDL, while softwareelementsaregeneratedvia C or similar. SDL toolsetsthatsupport
co-designincludeCOSMOS[6] andODE [11].
1.2 Goals
The authorsare engagedin the project ANISEED (Analysis In SDL EnhancingElectronic
Design[1, 5]). Its goalsarecomplementaryto thoseof otherswhohaveusedSDL for hardware
description.Specifically, translationto VHDL and/orC is assumedto be dealtwith by other
tools. Instead,theauthorshave concentratedon timing aspectsof hardwarespecificationand
analysis.Thegoalis to allow timing constraintsoncircuitsandcomponentsto bespecifiedand
analysedat variouslevels: abstract (overall sequencingconstraints),behavioural (black-box
viewpoint),andstructural (internaldesign).As well asbeingtheprojectname,ANISEED also
refersto thehardwaredescriptionmethodandthespecial-purposetools.




definition andspecification.The aim of ANISEED is thereforeto modela systembeforeit is
realisedasevenahardwareprototype.Thishigher-level,software-inspiredapproachallowsthe
feasibilityandcharacteristicsof acircuit to beevaluatedatanearlystage.
Section2 describesthe overall approachto specifying/analysingcircuits andtheir timing
characteristicsusing SDL. The use of validation and verification for SDL is discussedin
section3 Section4 explainshow SDL canbe usedto specifyabstracttiming constraintsof
variousstandardforms. Thepaperthenpresentsa gradedseriesof examplesto illustratethe
approach.Of necessityasthe level of complexity in theexamplesrises,theamountof detail
thatcanbegivenin thepaperfalls. More informationis availablein a separatereport[1]. As
asmallbut instructiveexample,section2.4showshow functionalityandtiming of anandgate
canbespecified.A morecomplex componentappearsin section5,whichdescribesaD (Delay)
flip-flop. Section6 showsasimplecircuit, theSinglePulserdrawn from acatalogueof standard
hardwareverificationbenchmarks[23]. Section7 showsamuchmorecomplex circuit, theBus
Arbiter thatis anotherstandardhardwareverificationbenchmark.
2 Approach
Thebehaviour of hardwarecomponentscanbemodellednaturallyusingSDL processes,since
theserun in parallelandcommunicatevia signals.Thecommunicationmodelof SDL requires
processesto receive inputs from a queueand is thus asynchronous,unlike real hardware.
It is still, however, possibleto useSDL for both synchronous(clocked) and asynchronous
2
(unclocked) logic. SDL is appropriatefor specifyinghardwaretiming sinceit supportsmetric
time. Thisisnotnecessarilyrealtimesincethepassageof timeisunderthecontrolof ascheduler.
For timing analysis,ANISEED canusea standardSDL simulatoror validator. However, the
authorshave also implementeda discreteevent simulationby automaticallymodifying the
schedulingstrategy of a standardSDL simulator. This givesmoreflexibility in the way that
timing analysisis performed.
2.1 SignalSpecification
A hardwaresignalis modelledasanSDL signalwith time-stamp(optional)andvalueparame-
ters:
Time-stampoptionallyrecordsthetimeatwhichasignalis consideredto havebeengenerated.
This is necessarypartly becausean outputsignalmay not be consumedimmediately;
it still, however, carriesthe time of its generation. If SDL timers causeoutput only
whenrequiredby thetiming parameters,a standardsimulatorcanbeused.However, as
discussedin section3.2a time-stampis usefulwhena signalis generatedin advanceof
its propertime.
Value is mandatoryandmay simply be a bit. However, in generalit may be multi-bit (i.e.
a list of bits). This is appropriateat a high level of specificationwherea bus or group
of wires is to be specifiedasa whole. For example,a 32-bit register is conventionally
regardedas having a 32-bit inputs and outputsrather than 32 individual wires. In a
very abstractspecificationit might even be desirableto carry arbitraryvaluessuchas
datastructures. ANISEED supportsuni-bit and multi-bit signals,suchthat a multi-bit
higher-level specificationmayberelatedto auni-bit lower-level specification.Although
binarysignalshave thevalueof 0 or 1, a bit variableis alsopermittedto have thevalue
X (meaningunknown). This is necessarywhendefiningthe initial stateof a circuit on
startup.Thebit operatorshave to dealwith X values(e.g.1 or X is 1, 1 andX is X).
ANISEEDallowsuni-bit/multi-bit anduntimed/timedspecifications.Librarycomponentsare
availablein all four bit/time combinations,with variantsbeingautomaticallygenerated.The
specifiercanthuschooselow-level(uni-bit)orhigh-level(multi-bit) modelsfor interconnection,
andcanchooseto omit or includetiming characteristics.Untimedspecificationsaresimply a
specialcaseof timedones:only therelativeorderingof eventsis specified,soa time-stampis
omittedfrom signals. It is usefulto write an untimedspecificationfirst in orderto checkthe
functionalcorrectnessof adesign.Timing constraintscanthenbeadded(by achangeof library
componentnames),allowing timing issuessuchasraceconditionsandhazardsto bestudied.
2.2 ComponentSpecification
The electronicsdesignercan choosefrom a wide rangeof componentsin variousfamilies.
Theserangefrom simple elementssuchas logic gates(and, or, etc.), throughintermediate
componentslikemultiplexersandflip-flops, to complex componentslike registersandparallel
adders.ANISEED is thereforesupportedby a library of commoncomponentsandcircuits(i.e.
designsconsistingof a numberof components.)Thesearestoredin SDL packages,forming a
3
modularandeasilyextendedlibrary. Someof thepackagesdependon others(for example,all
packagesusebits).
A typeof componentis modelledasablocktypein SDL. A blocktypeis a(parameterised)
blockdefinitionthatcanbestaticallyinstantiatedto yieldaparticularblock;anexampleappears
in section2.4. The motivation for choosingblock typesratherthanprocesstypesis mainly
thattheinternalconstructionof acomponentshouldbeinvisible. Thespecifiershouldnotneed
to know if the componentcontainsoneprocessor many interconnectedprocesses.This also
meansthat circuit designsaswell asblack-boxcomponentscanbe storedin the library. A
furtherconsiderationis that library block typesareinstantiatedstatically, bettermatchingthe
notionof usingaspecificcomponent.A blocktypeis parameterisedby its signalnamesandits
gates(in theSDL sense).Timedcomponentsarealsoparameterisedby characteristicsuchas
their propagationdelayor setuptime.
Some‘components’in the ANISEED library may not quite correspondto real hardware
elements.For example,asourceof logic 0 or 1 is apseudo-componentin thelibrary; in practice
it wouldbeaconnectionto thecircuit groundor supplylevel. For high-level timing constraints,
pseudo-componentsareavailableto definevariousinterrelationshipsamongsignals.Theseare
usedonly in theinitial stagesof design,andarelaterreplacedby specificcomponents.
Componentsareinterconnectedby no-delaychannels.Likerealwirestheseareconsidered
to convey signalsinstantaneously. If it is necessaryto modelthepropagationdelayof a wire,
asin high-speedcircuits,adelaycomponentcanbeused.A limitation of SDL is thatanoutput
cannotbe broadcastto arbitrary processes.To solve this problem,ANISEED usesjunction
‘components’thatmodelwherewiresconnect.Althoughtheseappearin a circuit diagramas
smallblobs,thespecifiermustinstantiatea junctionblock typeto link thecomponents.
Wheremulti-bit componentsareinterconnectedwith uni-bit components(e.g.a4-bit adder
feedinginto four inverters),asplit ‘component’is usedto separatethebits. Correspondinglya
merge‘component’is usedto combineuni-bit signalsinto amulti-bit signal.
2.3 ANISEED Library
It would have beenpossibleto specifyall the library componentsindividually. However this
would have beenvery tedious. For example, a two-input nand gatehas largely the same
specificationasonewith three,four or eight inputs. The gatesfor and, or, nor (not-or), xor
(exclusive-or)andxnor (exclusive-not-or)differ from nandonly in their logic function. Since
eachkind of logic gatehasuni-bit/multi-bit anduntimed/timedversions,a total of 4×6×2×2
(input×function×bit×timing) or 96variantswouldhave to bespecifiedexplicitly.
Asamorepragmaticsolution,all variantsaregeneratedautomaticallyfromanSDLtemplate
that is parameterisedby the logic function, thenumberof inputs,whethertimedandwhether
multi-bit. Thetemplateis anoutlinePR(SDL PhrasalRepresentation)specificationthatis pre-
processedto yield therequiredvariants.Althoughthemacrofacility of SDL wasinvestigated
for this, it is not sufficiently flexible. Insteadthe m4 macroprocessor[22] is used. The m4
library modulesare automaticallypre-processedto generatethe PR library packages.The
approachusingtemplatesmakesthem4 library muchsmaller(10%–15%in sizecomparedto
thegeneratedPR).Theapproachmakesthelibrary moremaintainable,sincea singletemplate
needsto be changedif the modelof a componentis changed. This is also importantsince
differentmodelsmay be usedfor differentpurposes(e.g.validationasopposedto synthesis,






coder decoders(binaryinput to outputs),encoders(inputsto binaryoutput)
flipflop flip-flops (simplememoryelements)
gate logic gates,logic sinks,logic sources
junction connectionsof wires
latch latches(simplestorageelementsthatdo notdecoupleoutputfrom input)
merge multipleuni-bit inputsto singlemulti-bit output
mux demultiplexers(oneinput,many outputs),multiplexers(many inputs,oneoutput)
seq abstractsequencingconstraints
split singlemulti-bit input to multipleuni-bit outputs
tristate tri-statedevices(outputdisconnectedwhendisabled,e.g.for connectionto abus)
Figure1: ANISEEDLibrary Packages
selectanappropriatemodelandalsotiming characteristicsfor aparticularfamily of logic gates.
The currentANISEED library is summarisedin figure 1. It containsover 400 standard
components uchasmight befoundin a typical logic family. Theaveragesizeof eachlibrary
componentspecificationis about80 SDL PR lines, varying from 9 to 300 lines. The library
componentshave all beenverified, with an averageof about300 statesper component. A
numberof otherlibrary packagesarecurrentlyunderdevelopment.
Explanatorycommentsareautomaticallygeneratedfrom them4 templateswhenSDL PR
is produced.The library packagesarethusquitehuman-readable.SinceGR (SDL Graphical
Representation)isoftenpreferredbySDLspecifiers,thelibrarytemplatescanalsoautomatically
generatecommentsin the style of CIF (CommonInterchangeFormat [16]). This allows an
SDL tool to produceanacceptablegraphicalrepresentationof thelibrary PRcomponents.(The
default graphicalrepresentationproducedby SDL toolswhenconvertingPRis oftennot very
readablesincegraphicallayout is a tricky task.) Most specificationsin this paperaregivenas
PR.Thisis partlybecausethelibrary is textualanyway, andpartlybecauseit is moreconvenient
to presenthespecificationswith comments.
2.4 A SimpleComponent: A NandGate
As a trivial exampleto illustrate the modellingapproach,a two-input timed nand (not-and)
gatehas input signalsSIp1/SIp0and output signal SOp. Thesecarry time and bit values.
Hardwarecomponentstypically have differentoutputdelaysTDel1andTDel0 for outputting
a 1 or a 0. Timing parametersdependon the family of hardwarebeingmodelled,e.g.CMOS
(ComplementaryMetalOxideSemiconductor)or ECL (Emitter-CoupledLogic). Accordingto
thespecifier’s choice,a particularsetof delayvaluesis imported. Hypotheticalvaluesmight
be:
synonymCMOSDel1= 5; /* 1 outputdelay*/
synonymCMOSDel0= 4; /* 0 outputdelay*/
5
TheANISEEDlibrary specificationof thenandgateis givenbelow. Delayandsignalnames
aregivenascontext parameters.Signallists for gatesandsignalroutesareimplicit. Thenand
gateacceptsinputsat any time andstoresthem. OperatorApply1calculatestheoutputfrom a
namedlogical operationandits parameters.(The‘1’ suffix indicatesthatit actson singlebits;
therearealsomulti-bit ‘M’ operators.)OperatorNewOut1decidesif theoutputmustchange
asa resultof new input. (If the inputschangefrom 0,0 to 0,1 a nandgatedoesnot needto
outputsincethepreviousvalueof 1 is still valid.) A timer is usedto delaytheoutputaccording
to its value. Any further input in themeantimecausestheoutputcalculationto startagain. In
hardwaredescriptionterminologythis is calledpuredelay:whenaninputdictatesanew output
value,this will appearafter thedelay. ANISEED alsoallows specificationof inertial delay: the
componentdoesnot respondto input changesthataretooshort(i.e. brief pulses).
The main complicationis what happenswhen the nandgatefirst powersup. With real
hardware,power-up resultsin an arbitraryoutputuntil this canbe properlydeterminedfrom
the inputs. If thenandhasreceivedno input or just oneinput thenits outputmayberandom.
For exampleif a nandgatehasreceived a 1 on just one input, the stateof its output is not
yet determined. OperatorAnyOut1decideswhetherany output is permitted,i.e. whethera
1 or 0 shouldbe chosennon-deterministically. The reasonfor outputtingsomethingin these
circumstancesariseswhenacomponentis usedin sequentiallogic. Suchdesignshavefeedback
so thatoutputsfeedinto earlier inputs. If a componentdid not outputuntil all its inputshad
beenreceived,therewouldbedeadlock.
block type Nand2T< /* timed2-inputnand*/
synonymTDel1,TDel0 Duration; /* context parametersfor timing ... */
signalSIp1(Time,Bit1), SIp0(Time,Bit1), SOp(Time,Bit1);> /* andsignals*/
gateIp1 in; gate Ip0 in; gateOpout; /* input/outputgates*/
processNand2T(1, 1); /* oneprocessinstance*/
signalsetSIp1,SIp0; /* inputsignals*/
dcl BIp1, BIp0, BOp,BNextOp Bit1 := X; /* input/outputvaluesstartunknown */
dcl TIp, Top Time; /* lastinput/next outputtime */
dcl TDel Duration; /* requireddelay*/
timer T; /* delaytimer */
start; /* componentpower-up*/
nextstateReady; /* now readyfor input */
stateReady; /* readyfor input */
input SIp1(TIp, BIp1), SIp0(TIp, BIp0); /* geteitherinput */
nextstate–; /* readyfor moreinput */
provided NewOut1(NandB,BIp1, BIp0, BOp); /* outputto change?*/
task BNextOp := Apply1 (NandB,BIp1, BIp0); /* setnext output*/
decisionBNextOp; /* decidedelay*/
(1): task TDel := TDel1; /* 1 outputdelay*/
(0): task TDel := TDel0; /* 0 outputdelay*/
enddecision; /* delaynow set*/
task TOp := TIp + TDel; /* setoutputtime */
set(now + TDel, T); nextstateWaiting; /* wait for delay*/
provided AnyOut1(NandB,BIp1, BIp0, BOp); /* any outputOK? */
decisionany; /* random1 or 0 */
(): task BOp := 1; /* choose1 */
(): task BOp := 0; /* choose0 */
enddecision; /* randomoutputnow set*/
output SOp(0, BOp);nextstate–; /* outputat time0, readyfor moreinput */
stateWaiting; /* wait for delay*/
6
input SIp1(TIp, BIp1), SIp0(TIp, BIp0); /* getanew input */
reset(T); nextstateReady; /* canceldelay, readyfor moreinput */
input T; /* delayexpired*/
task BOp := BNextOp; output SOp(TOp,BOp); /* outputresultat requiredtime */





its suitability for ANISEED. The axiomsof datatypes(the bit typesin the ANISEED library)
areignoredby theSDT simulatorandvalidator. This is understandablesinceit is difficult to
compileaxiomsinto efficient code. Instead,SDT allows datatypeoperatorsto bedefinedas
procedure-like SDL operatorsor directly in C. UnfortunatelySDT doesnot permit theformer
to be usedin continuoussignals(which ANISEED requires).The m4 library modulesfor bits
thereforegeneratetwo PRvariants:onehasaxioms,andtheotherhasC codefor operators.
A moresevereproblemis thatcommercialSDL tools(SDT, ObjectGeode)donotcurrently
supportcontext parametersfully. Theseareessentialfor block typessincethe actualtiming
parametersandsignalnamesarenotknown until ablocktypeis instantiatedin aparticularcon-
text. ANISEEDallowsuseof SDL context parametersasnormal.To overcometool limitations,
ANISEEDautomaticallyinstantiatestypesin thePRgeneratedfrom agraphicaldescription.For
example,aninstanceof thetimednandgatediscussedin section2.4:
block SomeNand: Nand2T<CMOSDel1,CMOSDel0, Ip1, Ip0, Op>;
is translatedinto ablockdefinitionwith context parametersubstituted:
block SomeNand;
processNand2T(1, 1);
... input Ip1 (TIp, BIp1), Ip0 (TIp, BIp0) ...
... task TDel := CMOSDel1 ... task TDel := CMOSDel0 ...
... output Op(TOp,BOp) ...
endprocessSomeNand;
endblockSomeNand;
3 Validation and Verification
3.1 CheckingSDL
SDL tendsto beusedin pragmaticways,sovalidationis usuallythemethodof choice.What
would normallybetermedverification(proof,model-checking)is comparatively rarefor SDL
[3, 12].
The SDL communityusesthe term validation to meanautomatedcheckingof an SDL
specification.Validationis usedto checkfor undesirableconditionssuchasunreachablestates,
unspecifiedreceptions,deadlocksandprocessinputqueuesgrowingwithoutbounds(asymptom
of livelock). A specificationmaybevalidatedin isolation;sucha checkis usefulbut doesnot
confirmfunctionalcorrectness.Alternatively a specificationmaybevalidatedagainstanMSC
(MessageSequenceChart[4]). The MSC maybe written by the specifier, in which casethe
7
validationamountsto testing. The MSC may alsobe derived from an earliervalidationrun.
Thiscanbeusedfor regressiontesting,i.e. to checkwhetherarevisedspecificationrespectsthe
samebehaviour aspreviously. More usefully, theMSC maybederivedautomaticallyfrom a
higher-level specification.TheMSC thencontainsall thebehaviour foundat thehigherlevel,
andcanthusbe usedto confirm that a lower-level specificationis a correctrefinement.The
confidencelevel in thiskindof validationdependsonthecompletenessof thehigher-levelMSC.
A typical SDL validatorlike SDT offersa numberof validationstrategies. In thecaseof
exhaustivevalidation,all statesandpathsof thespecificationarefollowed.Successfulvalidation
of this kind leadsto a completeMSC that canbe usedto verify correctnessof a refinement.
TheSDT validatorcancarryout exhaustiveanalysisof a typical library componentin abouta
minute,requiringsomehundredsof states.For full circuitdesigns,exhaustiveanalysisbecomes
computationallyinfeasible.
Instead,theSDT random-walk validationis employedfor realisticcircuits. This proceeds
multipletimesfrom agivenstartingpoint to agivendepth,makingrandomchoiceswherethere
is a branchin the statespace.Although this doesnot guaranteecompleteexplorationof the
statespace,it is very effective. By runningthevalidatorseveraltimes,hundredsof thousands
of statescanbecheckedin a matterof minutes.Thevalidatorhassettings(notablythesearch
depth)thatcanbeadjustedto achieve100%symbolcoverageafteranumberor runs.Thisgives




to checktiming behaviour accordingto thetester’sexpectations.Simulationis time-consuming
sinceit is drivenmanually. Instead,automatedvalidationis preferred.TheSDT validatorcan
carryoutexhaustiveanalysisof atypicallibrary componentin aboutaminute,but random-walk
validationis thenormfor typical circuit specifications.
MSCsarea convenientgraphicalmeansof showing how hardwarecomponentsinteract.
However, theMSCsresultingfrom validatingrealisticcircuits tendto be lengthyandhardto
follow. This is partlybecauseof thelargenumberof internalsignals,andpartlybecauseof the
largenumberof interactions.Theauthorsthereforedevelopeda tool thatconvertsMSCsinto
the moreconventionaltiming diagramsusedby electronicsengineers.An exampleappears
laterin figure5.
For hierarchicaltiming specifications,the validator is useful in checkingconsistency be-
tweendifferentdesignlevels. This is an importantpoint in real-world hardwaredesign,since
complex circuitsarecommonlydesignedin atop-down fashion.High-level functionalunitsare
progressively brokendown to thelevel of availablecomponents.Thereis a risk of introducing
anerrorduringrefinementof acomplex design.With theANISEEDapproach,errorsshow upas
inconsistenciesin timing or functionalitybetweenthedifferentdesignlevels. In suchacase,an
MSCtraceat thehigherlevel will notbeacceptedwhenvalidatingthelower level. Dueto state
spaceexplosion,it is usuallynot practicableto comparetwo specificationsat widely differing





TheMSCtracesproducedby thevalidatorarealsousefulin deriving timing characteristics.
Manufacturingtolerancesandenvironmentaldifferencesmeanthattwo ‘identical’ components
rarelyhave thesametiming characteristics.ANISEED canthereforebeusedto give a rangeof
valuesfor eachtiming parameter. Whenmany componentsareinterconnected,the resulting
validator tracescan be usedto determinethe rangeof high-level timing properties. As an
example,the1 and0 outputdelaysmaybeslightly differentfor eachlogic gate.In a complex
circuit it may not be obvious how thesevariationswill interact to produceoverall timing
characteristics.The validatoroutputfor a variety of tracescanbe analysedto determinethe
statisticalboundsonthesevalues.In effectthevalidatorcanbeusedfor Monte-Carlosimulation
andanalysis.That is, many (automated)validatorrunsgeneratestatisticaltiming information
from whichboundson timing characteristicscanbederived.
A standardSDLsimulationdealswith signalsin theorderthatthey aregenerated.For timing
simulationthis maybeincorrect,sincea signalshouldbeconsideredonly at thetimegivenby
its time-stamp.This situationcanarisein two circumstances:whensimulationinputsarenot
in thedesiredtimeorder, andduringautomatedvalidation.It is convenientfor someonetesting
a circuit to definea testscenarioin a human-orientedway (e.g.a truth tablefor combinational
logic or a transitiontablefor sequentialogic). In sucha case,testinputsmaynot beprovided
in correcttimeorder. Theotherpossibilityfor misorderingarisesduringautomatedvalidation.
TheSDT validatordoesnot advancetime duringvalidation,so the time-sequencingnormally
guaranteedby SDL timersis not applicable.In sucha case,eventsmustbeconsumedin order
of their timestamps.
Thesignalwith theearliesttime-stampmustbeconsumedfirst, evenif othersignalshave
beenplacedbeforeit in the input queueof a process.The normalprocedurefor interpreting
SDL maythereforeneedto bemodified. Whena signalis addedto an input queue,ANISEED
can be configuredto storeit accordingto the time-stampsof the signals. The usualFIFO
schedulingalgorithmthenselectssignalsin the correctorder. The SDT MasterLibrary was
modifiedto achieve this effect. Fortunatelythe MasterLibrary provides‘hooks’ that permit
there-schedulingof signals.AlthoughtheMasterLibrary is reasonablywell documented,the
changeprovedto beanintricatetaskrequiringanalysisof thecodegeneratedby SDT. ANISEED
can supply its own schedulingfunctionsfor discreteevent simulation. An SDL systemis
simulatedor validatedby linking thenew library with thecodeproducedfor thesystem.The
systemcanthenbesimulatedor validatedasnormal,whetherfrom thecommandline or via the
GraphicalUserInterfaceof SDT.
Discreteevent simulation introducesa numberof complications. Inputs with the same
time-stamp(evenfor differentprocesses)have to bescheduledat thesametime, thusavoiding
oneprocessstarvingothersof input. Carefulinvestigationwasalsorequiredto avoid execution
loopsdueto the queuere-orderingstrategy. SDT holdstimer signalsin a separatequeueso
they canbegivenpriority overnormalsignals.ANISEEDthereforeneedsto schedulethisqueue
aswell as the normal input queues.SDT treatscontinuoussignalsasspecialsignalsin the
input queue. As usual,thesearegiven lower priority over normalinput signalsfor the same




Constraintsatthehighestlevel maybegivenwithoutregardto functionality. Thisdefinesgross
sequencingrelationshipsamongthe inputsandoutputsof a component.Theconstraintsmay
be given in untimedform, but are most usefulwhenusedto expresstiming restrictions. It
is valuableto checkfor timing inconsistenciesbeforeany moredetailedfunctionaldesignis
undertaken. Forexample,acomponentmaynotbeableto produceits outputin timefor another
one.Abstracttiming constraintsareparticularlyhelpfulin asynchronousdesign,sincetheclock
pulsesof a synchronousdesignarenot availableto coordinateactions. Abstractsequencing
constraintsappearin thelibrary as‘components’of variousforms. Oncehigh-level sequencing
propertieshave beenvalidated,these‘components’arereplacedby realones. The following
examplesof sequencingconstraintsaredrawn from theANISEED library; theconstraintsexist
in untimedandtimedforms. For brevity thecorrespondingSDL is notgivenhere.
An N-Of constraintrequiresan input event to occurN timesbeforeoutputoccurs. As an
examplewithoutatiming constraint,adivide-by-4counterproducesoneoutputpulsefor every
four input pulses.A periodduringwhichcountingoccursmayoptionallybegiven.
A One-Ofconstraintacceptsjust oneinput beforeproducingoutput. For example,a bus
arbitermustservicejust oneclient requestduringa buscycle of someperiod. A secondinput
within thisperiodis retaineduntil thenext cycle. A variantof thisconstraintdiscardsadditional
inputsbeforetheperiodhaselapsed.
An All-Of constraintrequiresall inputs of a componentto be received beforeoutput is
produced. For example, the inputs to an addermust be received before its output can be
calculated.Theorderin which inputsarrive is unimportant,but all inputsmayberequiredin
someperiod.Unlessall theinputsarrive in time, thewholeconstraintis re-enforced.
Using the sameprinciplesas the sequencingconstraintsin the library, the specifiermay
alsodefinearbitraryconstraintsfor complex componentssuchassequencers,bus controllers
andinterfaceadaptors.Sequencingconstraintsdealonly with high-level aspects,andso are
considerablysimplerthanthefull functionalityof acomponent.
5 A Mor eComplexComponent: A DelayFlip-Flop
5.1 Intr oduction
As anexampleof hierarchicalspecification,a DFF (Delayor D Flip-Flop) is thebasicstorage
elementin many hardwaredesigns.For brevity, thedetailedSDL specificationsarenot shown
herebut appearin [1]. TheANISEEDlibrary includesotherkindsof flip-flops(andtheirsimpler
relatives,latches).Theconventionalsymbolfor a delayflip-flop is shown in figure2 (a). The
flip-flop storesonebit from thedatainput D undercontrolof a clock signalC. Thevariantto
bedescribedhereis positiveedge-triggered,whichmeansthatthedatainput is storedwhenthe
clockgoesfrom 0 to 1. After thedatahasbeenclockedin, it appearsat theoutputQ aftersome
propagationdelaythatdependsonthehardwarefamily. Thelogicalcomplementof theoutput,
QBar (Q), is alsoavailable. The outputvalueis preserved even if the D input subsequently
changes(i.e. theflip-flop storesits input). A new datavalueis readonly onthenext risingedge
of theclocksignal.
Apart from the obvious propagationdelay TProp, a D flip-flop also imposestwo other
timing constraints.It is requiredthatthedatainput besteadyfor a periodTSetupbeforeit can
10
(a) Symbol (b) Timing Diagram (c) Circuit Design


















beclockedin. Immediatelyafteraclock trigger, thedatainputmustremainsteadyfor aperiod
THold. Theseconditionsensurethat the flip-flop canreliably readin data. In particular, the
flip-flop cannotbeexpectedto dealwith veryshortpulsesof inputdata.Thetiming constraints
areshown graphicallyin figure2 (b).
5.2 Abstract Specification
Thetimingrulesof figure2canbereadilytranscribedintoSDL.Oncetheflip-flop hascommitted
to output (i.e. after setupandhold periods),a separateprocessinstancemust be createdto
produceoutput after the propagationdelay. During this period, it is necessaryto allow for
furtherinputsin parallelwith theoutputdelay. Theflip-flop thereforeconsistsof asingleinput
processinstanceplusoutputprocessinstancesasrequired.
5.3 Behavioural Specification
In hardwaredescriptionterminology, abehaviouralspecificationtreatsthecircuit or component
asa black box. Only the externally visible behaviour is specified. Sincethe D flip-flop has
very little functionality, timing considerationsdominateits specification. The behavioural
specificationof theflip-flop thusdifferslittle from theabstractone. In generalthis is not true:
a processoris anexamplewhosefunctionalspecificationis very muchmorecomplex thanits
sequencingconstraints.Apart from small changesto introducevariablesfor input andoutput
values,themainadditionfor theflip-flop behavioural specificationis how to calculatethenew
outputvalue. This is generatedon a rising clock edgeif the input datavaluediffers from the




may form a hierarchyof designsat progressive levels of detail. Designstopsat the level of
11
N1 : Nand2T < CMOSDel1, CMOSDel0, I4  ̀I2 ,̀ I1>
N2 : Nand2T < CMOSDel1, CMOSDel0, I1, C ,̀ I2>
N3 : Nand3T < CMOSDel1, CMOSDel0, I2 ,̀ C ,̀ I4 ,̀ I3>
N4 : Nand2T < CMOSDel1, CMOSDel0, I3 ,̀ D, I4>
N5 : Nand2T < CMOSDel1, CMOSDel0, I2 ,̀ I6 ,̀ I5>
N6 : Nand2T < CMOSDel1, CMOSDel0, I5 ,̀ I3 ,̀ I6>
J1 : Junction2T <C, C ,̀ C>̀
J2 : Junction3T <I2, I2 ,̀ I2 ,̀ I2 >̀
J3 : Junction2T <I3, I3 ,̀I3 >̀
J4:  Junction2T <I4, I4 ,̀ I4 >̀
J5 : Junction2T <I5, I5 ,̀ Q>









Figure3: SDL Specificationof D Flip-Flop Design
off-the-shelfcomponents.Dependingonthelogic family, theoff-the-shelfcomponentsmaybe
high-level suchasmemoriesandbuscontrollersor low-levelsuchaslogic gates.ANISEEDdoes
notattemptto modeldesigndown to thetransistorlevel. At eachlevel of thedesignhierarchy,
ANISEEDmaybeusedto specifybothtiming andfunctionality.
As an example,a typical designfor a D flip-flop is shown in figure 2 (c). The internal
signalsI1 to I4 areshown. This circuit usesa numberof nandgates(theD-shapedsymbols);
otherflip-flop designsarepossible.Thenandgatesareavailablefrom theANISEED library as
describedin section2.4.
Eachcomponentfrom thelibrary is instantiatedmuchasin section2.5. It is convenientto
useGRwhenspecifyingcircuitssincethestructureof theelectronicdesignandthestructureof
theSDL specificationareveryclose.Basicallyeachcircuit symbolcorrespondsto aninstance
of ablocktype. Thewiresarerepresentedasno-delaychannelsjoining theblocksjustasin the
circuit diagram.TheSDL equivalentof theflip-flop designis shown in figure3; comparethis
with thecircuit diagramin figure2 (c). SinceSDL allows channeldetailsto beinferredfrom
block inputsandoutputs,thesedo not strictly needto bedrawn andhenceareshown asgray
in figure3. For conveniencethe instantiationsof eachblock type arelisted separatelyin the
figure. Recallfrom section2.4 that thecontext parametersof a nandgateare: delays, inputs,
output. For a junctiontheparametersare: input, outputs. Primedsignalsreferto theoutputsof
a junction(e.g.outputI‘ wouldcorrespondto input I ).
5.5 Timing Analysis
Likeeachof theANISEEDlibrary components,theD flip-flop wassimulatedandvalidatedusing
theSDTtoolset.Usingthevalidatorit wasshown thatthedifferentlevelsof abstractionfor the
D flip-flop areequivalentin thesensethat they respectthesametraces.Exhaustivevalidation
of thegate-level specificationtakesaboutoneminuteand412states.Random-walk validation
of the gate-level specificationtakesabouttwo minutesto explore over 211,000states.More
12
statesarecoveredduringrandom-walk validationbecausethestatespaceis repeatedlyexplored
to afixeddepthfrom thestartingpoint. Howeverrandomwalksarenotguaranteedto coverthe
entirestatespace,unlikeexhaustivevalidation.Bothtiming andfunctionalityatdifferentlevels
of abstractionwereshown to beconsistentfor theD flip-flop. Of coursethis is not surprising
sincefigure2 (c) showsawell-known designfor aD flip-flop.
6 A SimpleCir cuit: The SinglePulser
The SinglePulseris a standardhardwareverificationbenchmarkcircuit [23]. It is a clocked
device with a one-bit input anda one-bitoutput. Thepurposeof thecircuit is to debouncea
push-button. The circuit mustsensethe depressionof the button andassertan outputsignal
for oneclock pulse.Thesystemshouldnot allow additionalassertionsof theoutputuntil after
theoperatorhasreleasedthebutton. Figure4 shows thecircuit designgivenin thebenchmark
document. It is simple andcan be modelleddirectly using the ANISEED library. The SDL











Thecircuit designwasinteractively simulatedandautomaticallychecked. An exampleof
thecircuit behaviour appearsin figure5; this timing diagramwasgeneratedautomaticallyfrom
a validator trace(MSC). The time basecorrespondsto a clock rateof 10 MHz (i.e. 100 ns
per clock cycle). Although the functionality is correct, it was found that thereis a flaw in
thesupposedlyprovenbenchmarkcircuit! Thefirst outputpulseafterpower-up is longerthan
expected(110ns,from 67 nsto 177ns)insteadof lastingoneclock cycle. Thereasonfor this
is thaton thefirst pulse,thesecondflip-flop doesnot needto completeits setuptime (10 nsin
this example). This causesthefirst outputpulseto appear10 nsearly. On subsequentpulses
thesecondflip-flop hasto allow its setupdelayto pass,sotheoutputpulselengthis correctat
100ns(e.g.from 277nsto 377ns).
Time




Figure5: Timing Behaviour of SinglePulser
13
7 A Mor eComplexCir cuit: A BusArbiter
TheBusArbiter is anotherstandardhardwareverificationbenchmarkcircuit [23]. It is a good
exampleof a control-dominantcircuit. The arbiteralsopresentsa scalabledesign,which is
a usefulway of evaluatingverificationtools. The numberof the arbitercells canbe chosen
accordingto the ability of the verificationtools. The purposeof the Bus Arbiter is to grant
accessoneachclockcycle to asingleclientamonganumberof clientsrequestinguseof abus.
Theinputsto thearbiterarea setof requestsignalsfrom eachclient. Theoutputsarea setof
acknowledgesignals,indicatingwhichclient is grantedaccessduringaclock cycle.
As shown in thestructuralspecificationof figure6, eachcell of thearbiter is moderately
complex. The whole circuit consistsof a numberof suchcells connectedcyclically, e.g. the
threeshown in figure7.
DFF




























Figure7: Interconnectionof Multiple BusArbiter Cells
Thedesignof thecircuit will beexplainedonly briefly here.Theti (tokenin) andto (token
out) signalsarefor circulationof the token. The to outputof the lastcell is connectedto the
ti input of the first cell to form a token ring. The gi (grantin) andgo (grantout) signalsare
relatedto priority. The grantof cell i is passedto cell i+1 , indicatingthatno client of index
lessthanor equalto i is requesting.Henceacell mayassertits acknowledgeoutputif its grant
14
Signal Cycle1 Cycle2 Cycle3 Cycle4
Req0 1 1 1 0
Req1 0 0 0 1
Req2 0 0 0 0
Ack0 1 1 1
Ack1 0 0 0 1 (behavioural)
0 (structural)
Ack2 0 0 0
Figure8: Exampleof Inconsistency betweenBusArbiter Specifications
input is asserted.The oi (overridein) andoo (overrideout) signalsareusedto overridethe
priority. Whenthe token is in a persistentlyrequestingcell, its correspondingclient will get
accessto thebus; theoo signalof thecell is setto 1. This signalpropagatesdown to thefirst
cell (numbered0) andresetsits grantsignalthroughaninverter. As aconsequencethegi signal
of every cell is reset,in otherwordsthepriority hasno effect during this clock cycle. Within
eachcell, registerT stores1 whenthetokenis present,andregisterW (waiting) is setto 1 when
thereis a persistentrequest.Initially thetokenis assumedto bein thefirst cell.
Thiscircuit is relatively challenging.In thedetaileddesign,theSDL specificationcontains
56components(over60concurrentprocesses)and93signals.Nonetheless,thestructureof the
SDL specificationcloselyresemblesthecircuit diagram,so translationto SDL is straightfor-
ward. All thecomponentsaredrawn from theANISEED library.
A behavioural specificationof theintendedbehaviour wasalsowritten, sothat it might be
comparedto thestructuralspecification.Thebehavioural specificationreflectsthearbitration
algorithmof the circuit. Validationof the supposedlyprovenbenchmarkcircuit uncovereda
problem. As an example,figure 8 shows client 0 requestingthe bus in the first threeclock
cycles. In thefourth cycle,client 0 cancelsits requestbut client 1 beginsto requestaccess.At
this point thetwo levelsof specificationsaredifferent: thestructuralspecificationoffers0 for
Ack1, whereasthebehavioural specificationoffers1 for Ack1.
After interactivesimulationof thiscase,it wasdiscoveredthatthecircuitof figure6provided
in thebenchmarkdoesnotproperlyresettheoo (overrideout)signalin thefollowing situation.
In the previousclock cycle, the W (waiting) registerof a cell is set. But in thecurrentclock
cycle,its clientcancelstherequestandthetokenhappensto moveinto thecell. In thissituation,
becausetheclient hasalreadycancelledits requestit shouldbepossiblefor anotherclient to
get thebus. However, thedesignstill setstheoo signalto overridethepriority asif this client
werestill requesting.This meansthatno otherclient hastheopportunityto accessthebus in
this clock cycle. Fixing the problemwasmucheasierthanfinding it. The correctionwasto
connecttheReqsignalto theAndgatethatfollows theW register. Theoutputof theAndgate
guaranteesthat theoo signalis alwayscorrectlysetor resetaccordingto therequestsignalin
thecurrentclockcycle.
A furtherproblemwasthendiscoveredduringautomatedvalidationusingtherandom-walk
approach. This achieves only 99.2%coveragedespiteincreasingthe searchdepthand the
numberof searchrepetitions.Analysiswith the interactive timing simulatorshowedthat this
is dueto thearbitermisbehaving whenthreeclientssimultaneouslyrequestaccess.In sucha
casethearbiterdesigngrantsrequeststo two of theclientsconcurrently!However thecircuit
15
behavescorrectlywith zero,oneor two simultaneousclient requests.Theproblemarisesfrom
a timing fault in thegivendesign(not respectingflip-flop setuptimes).
8 Conclusions
It hasbeenseenhow ANISEEDcansuccessfullymodeldigital hardwareasacollectionof inter-
actingparallelcomponents.Theemphasisin ANISEED is on timing specificationandanalysis.
This complementsthework of otherson hardwaredescriptionandsynthesisusingSDL. The
paperhasexplainedthe approachto modelling signals,wires, componentsand circuits. A
library of typicalcomponentsis automaticallygeneratedby them4macroprocessorfrom spec-
ificationtemplates.It wasexplainedhow abstract,behaviouralandstructuralspecificationscan
begiven– particularlyfor timing constraints.
The approachhasbeenillustratedwith a variety of samplecomponentsandcircuits. It
is goodthatANISEED cancopewith standardhardwareverificationbenchmarks.Theauthors
weregratifiedto find thattheapproachdiscoveredgenuineproblemswith theSinglePulserand
theBus Arbiter – standardcircuits thatmight have beensupposedto bewell verified. When
theauthorsreportedtheseproblems,thebenchmarkcircuit maintainersconsideredthemto be
timing ratherthanverification issues. This might explain why otherswho have verified the
benchmarkshave not reportedtheseproblems.Sinceany specificationmakesdecisionsabout
modellingandlevelof abstraction,it is alsopossiblethatothersdid notdiscovertheseproblems
dueto their differentapproaches.(Equally, theapproachof theauthorsmight fail to identify
deficienciesfoundby othermethods.)
Work is continuingon the ANISEED library and tools. A GUI editor will be written to
produceSDL hardwaredescriptionsmoredirectlyfrom circuit diagrams(thoughthetranslation
is relatively easy). Further casestudiesare being undertaken from hardware verification
benchmarks.Thesewill allow theANISEEDapproachto becomparedfully with thoseof other
hardwaredescriptionlanguages.Most SDL usersconcentrateon validation. Work at Stirling
is alsodevelopingSDL verificationtechniquesfor timing characteristicsof hardware.
Acknowledgements
Financialsupportfrom NATO undergrantHTECH.CRG974581is gratefully acknowledged.
This haspermittedcollaborationwith Dr. G. Adamis, Dr. Gy. Csopaki(who contributed to
section4 of this paper)andMr. T. Kaszaof theTechnicalUniversityof Budapest.F. J.Argul-
Marin thanksthe Faculty of Management,University of Stirling, for supportinghis work.
Mrs. Ji He, University of Stirling, discoveredand analysedthe first arbiter designproblem
mentionedin section7.
References
[1] F. J. Argul Marin andK. J. Turner. Extendinghardwaredescriptionin SDL. TechnicalReport
CSM-155,Departmentof ComputingScienceandMathematics,Universityof Stirling, UK, Feb.
2000.
[2] I. S. BonattiandR. J. O. Figueiredo.An algorithmfor thetranslationof SDL into synthesizable
VHDL. CurrentIssuesIn Electronic Modeling, 3, Aug. 1995.
16
[3] E. Bounimova,V. Levin, O. Başbuǧoǧlu, andK. İnan.A verificationenginefor SDL specification
of communicationprotocols. In S. Bilgen, M. U. Çaǧlayan,and C. Ersoy, editors,Proc. 1st.
Symposiumon ComputerNetworks, pages16–25,Istanbul, Turkey, 1996.
[4] CCITT. MessageSequenceChart (MSC). ITU-T Z.120.InternationalTelecommunicationsUnion,
Geneva,Switzerland,1996.
[5] G. CsopakiandK. J. Turner. Modelling digital logic in SDL. In T. Mizuno, N. Shiratori,T. Hi-
gashino,andA. Togashi,editors,Proc. Formal DescriptionTechniquesX/ProtocolSpecification,
TestingandVerificationXVII, pages367–382.Chapman-Hall,London,UK, Nov. 1997.
[6] J.-M. Daveau,G. F. Marchioro, T. Ben Ismail, and A. A. Jerraya. COSMOS:An SDL based
hardware/softwarecodesignenvironment.CurrentIssuesIn Electronic Modeling, 8:59–88,1997.
[7] J.-M.Daveau,G. F. Marchioro,C. A. Valderrama,andA. A. Jerraya.VHDL generationfrom SDL
specifications.In C. Delgado-KloosandE. Cerny, editors,Proc.ComputerHardwareDescription
Languagesandtheir ApplicationsXIII , pages20–25.Chapman-Hall,London,UK, Apr. 1997.
[8] C. Delgado-KloosandE. Cerny, editors. Proc. ComputerHardware DescriptionLanguagesand
their ApplicationsXIII . Kluwer AcademicPublishers,London,UK, Apr. 1997.
[9] W. Glunz, T. Kruse, T. Rössel,and D. Monjau. Integrating SDL and VHDL for system-level
hardwaredesign.In Proc.ComputerHardwareDescriptionLanguagesXI, pages187–204.North-
Holland,Amsterdam,Netherlands,Apr. 1993.
[10] W. Glunz, T. Rössel,and T. Kruse. Hardware/software co-designusing SDL. In Proc. 2nd.
InternationalWorkshopon Hardware/Software Codesign, pages5–21, Innsbruck,Austria, May
1993.
[11] T.HadlichandT.Szczepanski.TheODEsystem–An SDLbasedapproachtohardware-softwareco-
design.In C. Müller-Schl̈or, F. Geerinckx,B. Stanford-Smith,andR. vanRiet,editors,Embedded
MicroprocessorSystems, pages269–281.IOSPress,Amsterdam,Netherlands,1996.
[12] G. J.Holzmann.Practicalmethodsfor theformal validationof SDL. ComputerCommunications,
15(2):129–134,1992.
[13] IEEE. VHSICHardware DesignLanguage. IEEE 1076.Institution of ElectricalandElectronic
EngineersPress,New York, USA, 1993.
[14] IEEE. IEEE Standard Hardware DesignLanguage basedon the Verilog Hardware Description
Language. IEEE 1364.Institutionof ElectricalandElectronicEngineersPress,New York, USA,
1995.
[15] ITU. Specificationand DescriptionLanguage. ITU-T Z.100.InternationalTelecommunications
Union,Geneva,Switzerland,1996.
[16] ITU. Specificationand DescriptionLanguage – CommonInterchange Format. ITU-T Z.106.
InternationalTelecommunicationsUnion,Geneva,Switzerland,1996.
[17] A. A. Jerraya,M. Romdhani,C.A. Valderrama,P. Le Marrec,F. Hessel,G.F. Marchioro,andJ.-M.
Daveau.Languagesfor system-level specificationanddesign.In W. Wolf andJ. Staunstrup,edi-
tors,Hardware/Software Co-Design:PrinciplesandPractice, pages235–262.Kluwer Academic
Publishers,London,UK, 1997.
[18] V. Levin, E. Bounimova, O. Başbuǧoǧlu, andK. İnan. A verifiablesoftware/hardwareco-design
usingSDL andCOSPAN. In Z. BrezocnikandT. Kapus,editors,Proc. COST247 International
Workshopon AppliedFormal Methods, pages6–16,Slovenia,June1996.Universityof Maribor.
[19] B. Lutter, W. Glunz, andF. J. Rammig. Using VHDL for the simulationof SDL specifications.
In Proc. EuropeanDesignAutomationConference92, pages630–635,New York, USA, 1992.
Institutionof ElectricalandElectronicEngineersPress.
[20] O. Pulkkinen.SDL-VHDL integration. In K. Kronlöf, editor, MethodIntegration: Conceptsand
CaseStudies, pages271–307.JohnWiley andSons,Chichester, UK, 1993.
[21] M. Romdhani, A. Jefroy, P. De Chazelles, and A. A. Jerraya. Composing Activity-




[22] R. Seindal.GNU m4(version1.4). Technicalreport,FreeSoftwareFoundation,1997.
[23] J. Staunstrupand T. Kropf. IFIP WG10.5 benchmarkcircuits. http://goethe.ira.uka.de/hvg/
benchmarks.html,July 1996.
[24] Telelogic.TAU 3.5Manuals. Telelogic,Malmø,Sweden,June1999.
18
