Air Force Institute of Technology

AFIT Scholar
Theses and Dissertations

Student Graduate Works

6-1999

Timed Safety Automata and Logic Conformance
Frank C. D. Young


Recommended Citation
Young, Frank C. D., "Timed Safety Automata and Logic Conformance" (1999). Theses and Dissertations.
5129.
https://scholar.afit.edu/etd/5129


DEPARTMENT OF THE AIR FORCE
AIR UNIVERSITY

AIR FORCE INSTITUTE OF TECHNOLOGY
Wright-Patterson Air Force Base, Ohio

AFIT/DS/ENG/99-02

TIMED SAFETY AUTOMATA
AND
LOGIC CONFORMANCE
DISSERTATION
Frank Charles Duane Young
Major, USAF
AFIT/DS/ENG/99-02

Approved for public release; distribution unlimited


TIMED SAFETY AUTOMATA AND LOGIC CONFORMANCE

DISSERTATION

Presented to the Faculty of the Graduate School of Engineering
of the Air Force Institute of Technology
Air University
In Partial Fulfillment of the
Requirements for the Degree of
Doctor of Philosophy

Frank Charles Duane Young, B.S., M.S.C.E.
Major, USAF

June, 1999


Approved:

Thomas C. Hartrum, Chairman
Kenneth S. Stevens
Robert P. Graham Jr.
Mark E. Oxley
Larry W. Burggraf, Dean's Representative

Robert A. Calico, Jr.
Dean, Graduate School of Engineering

Acknowledgements
I dedicate this dissertation to my wife Sharon and our children Lonnie, Andrew, Jonathan, Rachel,
and Michael. Without their loving support and encouragement, I would have given up long ago.
I deeply appreciate the wise counsel and guidance of the three committee chairmen, Lt. Col Paul
Bailor, Dr. Ken Stevens, and Dr. Thomas Hartrum who have patiently guided me through the rough
waters of my Ph.D. research at different times during the last six years. I sincerely appreciate
committee members Dr. Mark Oxley and Major Robert Graham Jr. for their support over the
long haul. I especially thank Dr. Graham for his rigorous and patient reflection during our many
proof-sessions; without him, I would never have been able to see the forest for the sake of the trees.
Thanks also to Mr. Jimmy Williamson and Mr. Darrell Barker, my Air Force Research Laboratory
supervisors who steadfastly supported continuing my research. Finally, thanks be to God, with
whom all things are possible—even AFIT doctorates.

Frank Charles Duane Young


Table of Contents

Acknowledgements
List of Figures
List of Tables
List of Definitions
Abstract
I. Introduction
    1.1 Background
    1.2 Problem Statement
    1.3 Organization
II. Existing Models and Relationships
    2.1 Untimed Models and Relationships
        2.1.1 CCS
        2.1.2 CCS Bisimulations
        2.1.3 Logic Conformance
    2.2 Timed Models and Relationships
        2.2.1 TCCS
        2.2.2 Calculus of Timed Refinement (CTR)
        2.2.3 Timed Simulation and Assumes-Guarantees Reasoning
    2.3 Summary
III. Timed Safety Automata
    3.1 Basic TSA Definitions
    3.2 TSA Semantics
    3.3 TSA Modifications
    3.4 Parallel TSA Composition
    3.5 Summary
IV. Timed Logic Conformance
    4.1 Abstracting Internal Differences
    4.2 Weak Timed Bisimulation
    4.3 Abstracting Temporal Differences
    4.4 Defining Timed Logic Conformance
    4.5 Timed Logic Conformance Example
    4.6 Comparing TLC to Other Relations
    4.7 Properties of Timed Logic Conformance
    4.8 Timed Logic Conformance as a Maximum Fixpoint
    4.9 TLC, Parallel Composition, and Hierarchical Verification
    4.10 Summary
V. Timed Logic Conformance System
    5.1 Background
    5.2 Region Automata
    5.3 TLC Decision Procedure
        5.3.1 Behaviorally Checking TLC
        5.3.2 Checking TLC Formulae
        5.3.3 Temporally Checking TLC
    5.4 TLCS User Interface
        5.4.1 TLCS TSA
        5.4.2 TLCS Parallel Composition
        5.4.3 TLC Query
    5.5 Summary
VI. Application
    6.1 Gate-level Models
        6.1.1 Canonical Gate-Level Models
        6.1.2 Inverters, Ands, and Nands
        6.1.3 Gate-Level Model Summary
    6.2 Asynchronous Hardware Components
        6.2.1 Hazards
        6.2.2 C-Elements
        6.2.3 STARI Queue Stage
        6.2.4 STARI Queue and Perfect Buffer
        6.2.5 Comparing Verification Methodologies
    6.3 Summary
VII. Conclusions
    7.1 Summary
    7.2 Contributions
        7.2.1 Model of Computation
        7.2.2 Formal Relationship Between Models
        7.2.3 Verification Methodology
    7.3 Future Work
        7.3.1 TLCS Enhancements
        7.3.2 TSA/TLC Theory Extensions
        7.3.3 Promising TLC Applications
    7.4 Concluding Remarks
Bibliography
Vita

List of Figures

1. Simple State Machines
2. Inertial Buffer Timed Process
3. Assumes-Guarantees Example
4. C-element Schematic
5. Parallel C-element Example
6. Simple Y 0^i X TSA
7. I o^i S & I\X o^i S\X
8. Parallel Specification Hierarchy
9. Region Automata Time Regions
10. Fine-Grained TSA/DLTS
11. Inconsistent Region Automata with Skewed δ-Transitions
12. TLC Formulae Queries
13. TLCS Spec-Beta Procedure
14. TLCS Spec-Beta-Aux Procedure
15. TLCS Inertial Inverter
16. Monotonic Inverter Logic Symbol and TSA
17. Inertial Inverter TSA
18. Two-Input And Logic Symbol and TSA
19. Two-Input Nand Logic Symbol and TSA
20. Nand/Inverter And Implementation Circuit Diagram
21. Parallel Nand and Inverter And Implementation
22. And Implementation and Specification in Parallel
23. And Implementation-Specification Timing Diagram
24. Two-Input C-Element Logic Symbol and TSA Specification
25. Wobbly Two-Input C-Specification TSA
26. STARI FIFO Queue Stage
27. Abstract STARI FIFO Queue Stage Timed Process
28. STARI FIFO Queue Stage TSA
29. STARI Environment
30. Perfect Buffer TSA

List of Tables

1. CCS Syntax for Agent P
2. CCS Operational Semantic Rules
3. CTR Operational Semantic Rules
4. Delta Predicate Truth Table
5. TLCS Time Region Representation
6. C-element Function
7. C-element Verification Results
8. Dual Rail Encoding Scheme
9. Perfect Buffer Input and Output
10. STARI o^i PB Results: Varying Skew & MT
11. STARI o^i PB Results: Varying Imp Delays & # Stages

List of Definitions

1. CCS strong bisimulation
2. Strongly bisimilar CCS agents: P ~ Q
3. CCS τ-closure: P ⇒ P'
4. CCS τ-abstraction: P ⇒̂ P'
5. CCS weak bisimulation
6. Weakly bisimilar CCS agents: P ≈ Q
7. Logic Conformance
8. Logically Conformant CCS agents: I y JS
9. CTR Refinement Relation
10. CTR Refinement: I < S
11. Timed Process
12. Timed Process Parallel Composition
13. Assumes-Guarantees Rule
14. TSA
15. TSA Semantics
16. TSA Modification Rules
17. Parallel TSA
18. Parallel TSA Composition Rules
19. τ-abstraction: a
20. τ-closure: P ⇒ Q
21. Weak Timed Bisimulation: W
22. Weak Timed Bisimulation Maximum Fixpoint: VV
23. Weak Timed Bisimilar DLTS: w
24. Input-δ-τ-Closure: P ⇒_I Q
25. Output-δ-τ-Closure: P ⇒_O Q
26. Input Projection: →_I
27. Output Projection: →_O
28. Output-Bound: ob
29. O*
30. TSA Modeling Constraints
31. CI-free Parallel Composition
32. Timed Logic Conformance Maximum Fixpoint: CC*
33. Timed Logic Conformant DLTS: I 0-±ii S
34. Timed Logic Conformant TSA: I 0dti S
35. TLCS TSA Query Syntax
36. TLCS Parallel Composition Query
37. Hazard Assumptions
38. Hazard Models
39. General Hazards
40. Sequential Hazards


Abstract
Timed Logic Conformance (TLC) is used to verify the behavioral and timing properties of
detailed digital circuits against abstract circuit specifications when both are modeled as Timed
Safety Automata (TSA) with real-valued clocks. TLC is a bisimulation-style partial order relationship defined over TSA state space. In contrast to timed simulation, Calculus of Timed Refinement,
and time-abstracted bisimulation, TLC defines when one system is an acceptable implementation
of another by asymmetric action-matching requirements for specification inputs and implementation outputs. TLC intuitively and pragmatically supports writing abstract specifications and
verifying them against implementations. TLC scales up by substituting verified specifications for
implementations and hierarchically verifying larger systems. The TLC verification process is more
efficient than the circularly dependent assumes-guarantees verification methodology. Instead of
building models of the system's environment and using them in the verification process, the TLC
verification methodology explicitly captures environmental timing properties in the system specification and automatically ensures they are satisfied in the TLC relation. The region-automata-based
Timed Logic Conformance System (TLCS) implements TSA parallel composition and a TLC decision procedure. TLCS is used to hierarchically verify the STARI (Self-Timed at Receiver's Input)
asynchronous circuit for communicating safely between clock-skewed systems.


I. Introduction
"Counting time is not nearly as important as making time count" —Anonymous

1.1 Background

As the practice of specifying, designing, and building computer-based systems evolves, ad-hoc
design methodologies are less and less practical. Integrated electronic circuit complexity is growing
exponentially. Today, designs with over a million transistors on a single silicon chip are being
fabricated, and the technology is doubling the number of transistors possible every 18 months. At
the same time more and more functions are being automated and our dependence on electronic
technology is increasing exponentially. For example, automotive engineers are working on computer
systems that will electronically steer, accelerate, brake—i.e., totally control the vehicle—without a
mechanical connection to the driver. Unfortunately, the ability to verify such complex systems has
not kept pace with the ability to fabricate them. The risk to life and safety imposed by error-prone
computerized systems in military, transportation, industrial, and household control applications
is unacceptable. Building custom systems from the ground up is also very expensive and time
consuming. Consequently, computer scientists and computer engineers incorporate math-based
engineering discipline into the process of specifying, designing, building, and verifying these systems
hierarchically by using and reusing mathematical models. This math-based computer engineering
discipline is generally called "Formal Methods" (LM91, HJ95, CW96).
Formal methods practitioners write formal specifications and prove that the models of the
systems they create satisfy those specifications. Then, they use the model to build the physical
system—usually by a combination of automatic (i.e., computerized) and manual transformations.
Hopefully, the physical system has the same properties that were proven about the model it was
derived from. In order to improve the correspondence between the model and the physical system,
more accurate models and more automated transformation processes are always in order. Formal
methods have been used successfully to verify the function (i.e., the logical or mathematical relationship between a system's inputs and outputs) of some relatively complex systems (Rus95, CW96).
In addition to verifying the system's function, one of the most demanding areas in formal
methods is specifying the system's timing requirements, modeling the timing of the behavior, and
deciding whether the system satisfies the timing requirements (CW96). For example, if the terrain
following control system of an aircraft cannot recognize a mountain looming in the foreground
and turn the aircraft or increase its altitude in time to avoid hitting the mountain, then it does
not matter that the control system is functionally correct. For over 15 years, the timing problem
has occupied the interests of theoretical computer scientists but with relatively little pragmatic
application to real-world size problems, especially with regard to a continuous rather than discrete
model of time.
Prior to 1991, this work was primarily concerned with temporal logic relationships between
system events (All83, All84, Das85, JM86, Lad86, HP87, Tsa87, GF88, BGS89, Jah89, GF90, LA90,
MC90). Standard temporal logic does not quantitatively relate events to each other; rather it qualitatively describes the relationship between two events; e.g., given events a and b, a precedes b
or b precedes a are two possibilities. Temporal logic also extends the relationships with quantifiers; e.g., event a sometimes (or always) precedes event b. From 1991 to 1993, work proceeded
to specify quantitative timing relationships between events, but it was limited to computing integral timing relationships; e.g., b occurs between one and three time units after a might express
either a continuous or discrete time relationship (AR91, Dan92, GI91, RR92, Mol91, Cer92, CH92,
GI92, ACD93, CHLM93, Dav93, Jen93, LBGG94). Generally only discrete timing relationships
could be computed and verified. From 1993 to the present, representing and reasoning about real-valued timing relationships between events has been possible when integers are used to specify
time bounds (ACH94, CLK94, HNSY94, HB94, MRM94, Kan95, Hen95, MP95, SY96, TAKB96,
ABK+97, LLPY97, EAP98). Most of the work has focused on checking whether or not certain
quantitative temporal logic properties hold in a given model, but little work has been done to
formally define and compute the timing relationship between two system models.
The aim of this research is to advance the practical specification of and reasoning about the
timing properties of the models computer scientists and electrical engineers use to build systems.
In particular, this research is targeted at specifying the behavior and timing of a desired electronic
circuit and comparing it to timed models of circuit implementations to see if the behavioral and
timing properties of the circuit implementation are consistent with the desired circuit. Typically,
the desired circuit and implementation circuit models are at different levels of abstraction; i.e., the
desired circuit model is much less detailed than the implementation circuit model. This research
uses models with binary functional domains (i.e., voltage levels are either true or false) and a
continuous time domain (i.e., time is modeled and measured by real-valued clocks).
One of the most widely used models of behavior with formal semantics is the Finite State
Machine (FSM). FSMs are fundamental building blocks for defining and proving properties of
languages, protocols, computational complexity, etc. A basic FSM is a set of states and a set of
transitions between those states. For the purpose of modeling and building computer systems,
engineers typically associate a meaning with the FSM by labeling its transitions and/or states with
names that represent some action or process. The Basic FSM on the left of Figure 1 is an example
representing a process or agent that inputs a and outputs b_. Changes in input or output value
from true to false or vice versa are called events. In this document, events are distinguished by
labeling transitions with alpha-numerical input and output names; output names have overbars or
terminating underscores to distinguish them from inputs. Various flavors of FSM exist, and logics
called process algebras have been created to use intuitive and concisely-defined FSMs to model
and reason about behavior (Hoa85, Mil80, Mil89). The process algebra Calculus of Communicating
Systems (CCS) FSM in Figure 1 represents the same behavior as the Basic FSM with concise CCS
syntax.

Figure 1. Simple State Machines. (Four panels, recovered from the figure text: Basic FSM with
states S1 and S2 and transitions a and b_; CCS FSM, S ::= a.b_.S; CTR FSM, S ::= a.[1,3].b_.S;
TSA with clock k, where a is guarded by k>=2 and resets k:=0, b_ is guarded by k>=1, and the
location awaiting b_ carries the invariant k<=3.)

Since today's systems are composed of many different concurrently functioning subcomponents, often without a common reference to time, designers must be able to model and reason
about subcomponent interactions in a timed calculus. Naturally, this led to timed variants of process algebras (MT92, Kri92, CH92, Dav93, LBGG94, Cer95). The Calculus of Timed Refinement
(CTR) (Cer95) FSM in Figure 1 represents almost the same behavior as the Basic and CCS FSMs,
except that it constrains output b_ to occur between 1 and 3 time units after input a.
Untimed process algebras and FSM models have been widely used to build complex real-world
systems, but timed process algebras have not been effectively used to define and build real-world
systems because of the computational complexity of accurately representing and reasoning about
the relationship between time and behavior. Discrete models of time reduce the complexity enough
to computationally reason about timed FSMs, but since time passes continuously and not in discrete
steps, discrete models sacrifice fidelity. Discrete models only allow events to occur at discrete time
intervals with regard to each other—i.e., they are synchronized even when they share no causal
dependency. Discrete timing models ignore the temporal independence of events. The CTR FSM
in Figure 1 can be considered either a discrete or continuous semantic model. Discrete semantics
has a b_ transition either 1, 2, or 3 time units after a; continuous semantics has an infinite number
of b_ transitions between 1 and 3 time units after a. In the latter case the CTR FSM is not really
a finite state machine at all. If integers are used to specify delay bounds, time equivalence classes
can finitely represent indistinguishable infinite behaviors, so the term "FSM" will continue to be
used to generically refer to the different models of computation in this document.
There are basically two ways to reason about the behavior of FSMs: model checking and
equivalence checking. Model checking is the process of checking the state space of a single FSM
to verify that it satisfies or possesses a given property. Model checking properties are expressed in
a modal logic or modal μ-calculus (SS94, ANB95). Modal logic is related to modal μ-calculus in
the way that propositional logic is related to predicate logic, except the distinguished modal carrier
elements are no-states and all-states and the distinguished propositional logic carriers are false and
true. If a FSM satisfies a given modal logic or modal μ-calculus property, the FSM "models" the
property. An example modal logic expression specifying a property of the FSMs depicted in Figure 1
is [a]⟨b_⟩T, i.e., after every a, there exists a b_ action leading to some state. Properties like deadlock,
livelock, and virtually any temporal relationship between actions of FSM can be specified by μ-calculus or temporal-μ-calculus expressions and model checked against FSM. Relatively efficient
continuous-time model checking algorithms have been developed and implemented to support timed
model checking (FP93, CGL+94, SS95, CL96b, CL96a, LLPY97).
Equivalence checking is the process of comparing two FSMs to each other, and determining if the two machines are similar in some sense. There are various ways to unambiguously define
equivalence relationships between FSMs. Some equivalence relationships preserve behavioral properties, and some do not. R. J. van Glabbeek's work is a comprehensive discussion about the relative
strength of different equivalence relations between FSMs and the properties they preserve (van90).
Some equivalence relationships are simply too strong to be of practical use; others are too weak
to preserve some important properties. Typically the equivalence relations strong enough to preserve
all properties do not give designers enough freedom of implementation to design efficient
systems. Since designers cannot feasibly write down all the formulas necessary to specify all of the
important relationships between input and output, typical formal specifications consist of both
properties and an abstract model of the desired behavior. Developing an implementation that satisfies the specified properties, and which is "equivalent to" or "implements" the function described
by the abstract model is the designer's problem. Therefore, theoretically sound formal methods
tools for both model and equivalence checking are important (Pnu98).
Perhaps the first reason timed process algebras have not been effectively used to define and
build real-world systems is that timed process algebras add considerable complexity to the untimed
logics they are derived from; this makes it hard for humans to intuitively understand the properties
and the models. Perhaps the second reason is that timed process algebras are not expressive
enough to specify the kinds of timing requirements and properties inherent in today's concurrent
systems—especially asynchronous¹ concurrent systems. The fundamental limitation has been the
fact that timed process algebras typically only allow one to express integral time passing and
then only between two successive events. To be truly useful, one must be able to specify the timing
relationship between any two events in a system, and model behavior that occurs over a continuum,
not just in discrete integral time steps.
For these reasons, since the early 90's, there has been a lot of work to formalize real-time
behavior using continuous models of time and behavior like Timed Safety Automata (AD94) and
implement decision procedures for timed model- and equivalence-checking. A Timed Safety Automaton (TSA) is a FSM that is augmented with real-valued clocks, location invariant clock
predicates, and transition guard clock predicates. The clocks and predicates support intuitive
specification of the time and behavior relationship. TSA are more expressive than timed process algebras because they express time relationships between any two events and also between
events and states in the model. This expressiveness makes them syntactically more complex than
the concise notation of a process algebra. For example, the TSA in Figure 1 expresses the same
stimulus-response relationship between input a and output b_ as the CTR FSM, but it also relates
occurrences of a to each other via a stimulus-stimulus relationship; i.e., a actions are at least 2 time
units apart. TSA can specify any relationship between actions of a system because clocks (like k
in this example) can be reset and referenced arbitrarily.

¹ Asynchronous system components do not have a common clock.
Underlying the intuition of TSA is a semantically precise uncountable-state state machine. In
order to reason about the behavior of such a machine in a computer, behavior-distinguishing subintervals of multiple real-valued TSA clock times are symbolically represented in another FSM called
a Region Automaton (RA). For systems with multiple clocks, the different possible combinations
of subintervals are called regions. For an n-clock TSA, regions are subsets of ℝⁿ. Unfortunately,
RA suffer from state explosion for systems with more than a few clocks. The requirement that
all clocks advance at the same rate and the data structures necessary to correctly maintain the
relationships between the clocks causes this state explosion.
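As an added illustration (my code, not the dissertation's and not part of TLCS), the following Python reads the Figure 1 TSA as a one-clock timed safety automaton, checks timed words against it under dense-time semantics (real-valued delays, guards, a reset, and the location invariant), and computes the region key a region automaton would assign to a clock valuation, including the fractional-part ordering that makes multi-clock regions multiply. The location names S1/S2, the assumption that clocks start at 0, and the exact reading of the figure's guards are mine.

```python
import math
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed example: Figure 1's TSA panel as data, plus dense-time acceptance
# and Alur-Dill style region keys.  Not code from the dissertation or TLCS.
Valuation = Dict[str, float]
Pred = Callable[[Valuation], bool]


@dataclass(frozen=True)
class Edge:
    src: str
    action: str
    guard: Pred            # clock predicate that must hold when the edge fires
    resets: Tuple[str, ...]
    dst: str


@dataclass
class TSA:
    clocks: Tuple[str, ...]
    initial: str
    invariants: Dict[str, Pred]   # location -> invariant; absent means "true"
    edges: List[Edge]

    def _inv(self, loc: str, v: Valuation) -> bool:
        return self.invariants.get(loc, lambda _: True)(v)

    def accepts(self, timed_word: Iterable[Tuple[float, str]]) -> bool:
        """Dense-time semantics: each step is (delay, action) with a real delay.
        Invariants here are upper bounds (k <= c), hence downward closed in time,
        so checking them after the delay and after each reset is sufficient."""
        loc = self.initial
        v = {c: 0.0 for c in self.clocks}        # assumption: all clocks start at 0
        for delay, action in timed_word:
            if delay < 0:
                raise ValueError("delays must be non-negative")
            v = {c: t + delay for c, t in v.items()}   # all clocks advance together
            if not self._inv(loc, v):                   # waited too long in loc
                return False
            for e in self.edges:
                if e.src == loc and e.action == action and e.guard(v):
                    v = {c: (0.0 if c in e.resets else t) for c, t in v.items()}
                    loc = e.dst
                    break
            else:
                return False                            # no edge enabled for action
            if not self._inv(loc, v):
                return False
        return True


def figure1_tsa() -> TSA:
    """Constructed reading of Figure 1's TSA: S1 --a (k>=2, k:=0)--> S2 and
    S2 --b_ (k>=1)--> S1, with S2 carrying the invariant k<=3, so b_ occurs 1..3
    units after a and successive a's are at least 2 units apart."""
    return TSA(
        clocks=("k",),
        initial="S1",
        invariants={"S2": lambda v: v["k"] <= 3},
        edges=[
            Edge("S1", "a", lambda v: v["k"] >= 2, ("k",), "S2"),
            Edge("S2", "b_", lambda v: v["k"] >= 1, (), "S1"),
        ],
    )


def region_key(v: Valuation, max_const: Dict[str, int]):
    """Region of a clock valuation: per clock its integer part and whether the
    fractional part is zero (or just 'beyond' its largest constant), plus the
    ordering of the non-zero fractional parts across clocks.  Valuations with
    equal keys satisfy exactly the same guards and invariants over those constants."""
    parts = {}
    fracs = []
    for c, x in v.items():
        if x > max_const[c]:
            parts[c] = "beyond"
        else:
            i = math.floor(x)
            f = x - i
            parts[c] = (i, f == 0)
            if f > 0:
                fracs.append((f, c))
    fracs.sort()
    order: List[List[str]] = []   # groups of clocks with equal fractional part, ascending
    last = None
    for f, c in fracs:
        if last is not None and f == last:
            order[-1].append(c)
        else:
            order.append([c])
            last = f
    return tuple(sorted(parts.items())), tuple(tuple(g) for g in order)
```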
Limiting the state-explosion problem in RA-based model-checking and equivalence-checking
algorithms has been of considerable interest in the past few years. The primary means of controlling
the state-explosion problem for model checking has been to limit the state space explored to only
that necessary to verify the property. But, since equivalence checking generally involves comparing
all of the reachable states of the models, it has been limited to those problems involving a handful of
clocks and very simple models, or to quite loose definitions of equivalence and extra proof obligations
(e.g., the assumes-guarantees proof requirements of Berkeley's COSPAN system (TB97)) defining
when users can rely on the loose equivalence relations.

1.2 Problem Statement

In the big picture, the most abstract problem statement is, "Incorporate timeliness into system
requirements and models and then design reliable constraint satisfying systems." This certainly
includes this research, but it more accurately describes the research efforts of hundreds of computer
scientists and electrical engineers over the past 15 years. The following research objectives narrow
the scope:

1. Adopt or create a simple modeling formalism rich enough to express discrete-valued behavioral
properties and timeliness requirements of digital circuits while modeling continuous time.
2. Canonically define how to model digital circuit components and specify required behaviors
and timing using the modeling formalism.
3. Formally define a practical relationship that expresses when one model satisfies the timing and
behavioral requirements of another. Prove that the relation has the necessary mathematical
properties for meaningful verification.
4. Write a tractable computational procedure that calculates when the relation holds between
two models.
5. Demonstrate the utility of the relation on benchmark digital circuit design problems.
6. Define a verification methodology for using the relation to efficiently and hierarchically verify
larger systems.

1.3 Organization

The remainder of this document discusses how the research objectives are met. Chapter II
reviews more formally how state machines are used by others to model and reason about behavior. It describes the foundation for this work and sets the stage for seeing and understanding the
contribution of this research. It does so by defining and critiquing the syntax, semantics, and
relationships for several example formalisms. Chapter II discusses the process algebra CCS in considerable detail and defines both strong and weak notions of "equivalence" between CCS automata.
It introduces and explains Ken Stevens' more practical untimed Logic Conformance relation, and
the timed formalism Timed CCS. Finally, it defines and explains the assumes-guarantees-based
verification methodology for timed processes as implemented in the COSPAN tools from U.C. at
Berkeley.
Chapter III defines the syntax and semantics of the modeling formalism used in this research.
The Timed Safety Automata (TSA) modeling formalism is successfully used by others for efficient
model checking, and it is extended to support this research. Chapter III defines an induced dense-time semantic model for reasoning about TSA behavior called Dense Labeled Transition System
(DLTS). It defines how to generate one TSA from another one by restricting, hiding, or renaming
its actions. Finally, Chapter III defines how to compose TSA in parallel to make larger and more
complex circuit models.
Chapter IV defines the weak "equivalence" relationship called Timed Logic Conformance
(TLC). TLC is a timed version of Ken Stevens' Logic Conformance relation. TLC is actually
a partial order over the state space of DLTS. This definition introduces abstractions that allow
temporal, structural, and behavioral differences between the compared systems in a practical way.
Chapter IV establishes that TLC has the necessary mathematical properties to be a useful relationship
for efficiently proving when one model is "equivalent to" or "implements" another.
Chapter V describes a finite representation of DLTS that the Timed Logic Conformance
System (TLCS) uses to decide whether or not two TSA satisfy the TLC "equivalence" relationship.
It describes the TLCS rules and procedures that efficiently implement the TLC decision procedure,
and concludes with a description of the TLCS TSA input format, TLCS TSA parallel composition,
and TLCS user interface.

Once the TSA and TLC definitions and proofs have been completed in Chapters III and IV,
and the TLCS system is described in Chapter V, Chapter VI demonstrates how TLCS can be
used to compare models of electronic circuits in a practical way. It demonstrates TLCS's utility
on several examples, and it defines canonical modeling practices that increase the fidelity of the
circuit models. Chapter VI compares TLCS verification results with others in the literature and it
concludes with a summary of the benefits of the TLC methodology and tools.
Finally, Chapter VII summarizes this research, enumerates its contributions, and outlines
future work.


II. Existing Models and Relationships
This chapter prepares the reader to appreciate and understand the novel approach to the problem
of modeling the behavior and timing of a desired electronic circuit and verifying its consistency
with circuit implementation models in the subsequent chapters. This chapter reviews and explains
several example formalisms for modeling and reasoning about the "equivalent" behavior of concurrent systems. For each formalism, it defines the syntax of the model, model semantics, and
relationships between models.
Starting with untimed process algebraic models and mathematical relationships between these
models, Section 2.1 shows that these models are not expressive enough to capture the relationship
between time passing and action. It explains how equivalence relations between processes are
not structurally and behaviorally loose enough to give designers the freedom they need to design
efficiently. It gives an example partial order relation that provides a significantly more practical
notion of "equivalence" between untimed processes because it safely gives the designer structural
and behavioral looseness.
Section 2.2 describes and defines three representative timed modeling formalisms and
several strong and loose "equivalence" relationships between timed models. It reveals some expressiveness problems with these formalisms, and it critiques the verification methodologies that they
support.

2.1 Untimed Models and Relationships

A process algebra is a mathematical behavior-modeling language with operational semantics; i.e., semantics defined by rules used to evaluate the meaning of sentences in the language.
Process algebras are used to describe and reason about the behavior of concurrent systems. Hoare's
Communicating Sequential Processes (CSP) (Hoa85) and Milner's Calculus of Communicating Systems (CCS) (Mil80, Mil89) are process algebras. CSP and CCS were both originally conceived in
the early 1980's, and they are still widely used because of their firm theoretical foundation and
their simplicity.
Generally CSP is a more complex language than CCS and it uses traces (sequences of actions) to compare processes while generally ignoring the effects internal actions can have on trace
generation. If two CSP processes can generate the same set of traces, refusals, or failures, they are
considered weakly equivalent. CCS and CSP have the same theoretical expressive power; both are
Turing complete (Mil89). CCS models are called "agents". Instead of comparing agents by the
traces they can generate, CCS agents are distinguished from one another by notions of bisimulation
(i.e., comparing the agents on a state-by-state, action-by-action basis to see if they can always simulate one another or not). Since CCS's notion of equivalence is easier to compute and somewhat
more general, and the CCS language is simpler, the next section focuses on CCS.

2.1.1 CCS.

The set of CCS agents is denoted $\mathcal{P}$. The complete syntax for defining a basic CCS agent $P$ is summarized in Table 1.

Table 1. CCS Syntax for Agent P.

    Symbol                        Name
    $Nil$                         empty process
    $Q$                           constant
    $\alpha.P$                    prefix
    $P_1 + P_2 + \cdots + P_n$    summation (choice)
    $P_1 \mid P_2 \mid \cdots \mid P_n$    composition
    $P \backslash L$              restriction
    $P[f]$                        relabeling

The special CCS agent $Nil$ is "deadlocked" and performs no action; $0$ and $Nil$ are used synonymously. The set of actions an agent can perform is its sort. $Nil$'s sort is $\emptyset$ (the null set). The semantics of CCS agents (e.g., $P, Q \in \mathcal{P}$) are defined by states and action-labeled transitions that move between states. Such transitions are written like $P \xrightarrow{\alpha} Q$ to mean action $\alpha$ occurs on the transition between states $P$ and $Q$. The predicate $P \xrightarrow{\alpha}$ is true when there exists some $Q$ such that $P \xrightarrow{\alpha} Q$. Let $A$ be the set of input labels, and let $\bar{A}$ be the set of output labels. Overbarred labels like $\bar{a} \in \bar{A}$ are outputs¹. Input and output actions are complementary; i.e., $\bar{\bar{a}} = a$. The language of agents $\mathcal{L} = A \cup \bar{A}$ includes both inputs and outputs². The special label $\tau \notin \mathcal{L}$ represents internal action such that $\bar{\tau} = \tau$, and the action set $Act \equiv \mathcal{L} \cup \{\tau\}$. Greek letters are used to denote actions; e.g., $\alpha \in Act$.

Given these definitions, the nine named rules in Table 2 define the operational semantics for CCS over the labeled transition system $(S, Act, \rightarrow)$, where $S$ is a set of states, $Act$ is the set of transition labels, and the transition relation $\rightarrow \subseteq S \times Act \times S$. The rules are stated as inference rules of the form

$$\frac{\text{hypothesis}}{\text{conclusion}} \;(\text{condition})$$

Table 2. CCS Operational Semantic Rules.

    Act:   $\dfrac{}{\alpha.E \xrightarrow{\alpha} E}$

    Con:   $\dfrac{P \xrightarrow{\alpha} P'}{A \xrightarrow{\alpha} P'}\;(A \equiv P)$

    Sum1:  $\dfrac{E \xrightarrow{\alpha} E'}{E + F \xrightarrow{\alpha} E'}$

    Sum2:  $\dfrac{F \xrightarrow{\alpha} F'}{E + F \xrightarrow{\alpha} F'}$

    Com1:  $\dfrac{E \xrightarrow{\alpha} E'}{E \mid F \xrightarrow{\alpha} E' \mid F}$

    Com2:  $\dfrac{F \xrightarrow{\alpha} F'}{E \mid F \xrightarrow{\alpha} E \mid F'}$

    Com3:  $\dfrac{E \xrightarrow{l} E' \;\wedge\; F \xrightarrow{\bar{l}} F'}{E \mid F \xrightarrow{\tau} E' \mid F'}$

    Res:   $\dfrac{E \xrightarrow{\alpha} E'}{E \backslash L \xrightarrow{\alpha} E' \backslash L}\;(\alpha, \bar{\alpha} \notin L)$

    Rel:   $\dfrac{E \xrightarrow{\alpha} E'}{E[f] \xrightarrow{f(\alpha)} E'[f]}$

The CCS expression $X \equiv a.b.X$ defines the CCS agent $X$ that, according to rule Act, performs the repeating action sequence $a.b.X \xrightarrow{a} b.X \xrightarrow{b} a.b.X$. Each period, ".", in $X$'s definition corresponds to an unnamed state where $X$ waits for the environment to supply the next action label. The constant rule Con supports referring to processes by symbols like $A$, even recursively, to define non-terminating agents. The summation rules Sum* define nondeterministic choice, allowing a process to execute one of several alternatives as defined by the summands. The communication rules Com* define the behavior of processes operating in parallel. Parallel composition is denoted by the "|" operator. According to rules Com1 and Com2, agents in parallel continue to perform their individual actions without affecting each other. Rule Com3 formalizes how two agents, one outputting and one inputting, cooperate to perform an internal action. Other agents cannot participate in the cooperation because the result is a $\tau$-action. Since agents may both continue to perform their individual actions and also cooperate two-at-a-time, CCS's parallel composition is not synchronous. A synchronous calculus requires that all agents able to cooperate in an action do so, and it does not allow any agent to perform common or cooperative actions individually. The restriction rule Res deletes the actions in the set $L \subseteq \mathcal{L}$. When used in conjunction with Com3, Res eliminates the individual actions of the composed agents, but not their cooperative $\tau$-action. For example, the two agents $P \equiv a.P'$ and $Q \equiv \bar{a}.Q'$ composed in parallel with $a$ restricted, $(P \mid Q)\backslash\{a\}$, yield the transition $(P \mid Q)\backslash\{a\} \xrightarrow{\tau} (P' \mid Q')\backslash\{a\}$, but no $\xrightarrow{a}$ or $\xrightarrow{\bar{a}}$ transitions exist for the restricted composition. Finally, rule Rel relabels process actions. The relabeling function $f$ is defined by supplying tuples (new/old) specifying the old label and the new label. For example, the process $X \equiv a.b.X[(tic/a), (toc/b)]$ performs the repeating action sequence $a.b.X[(tic/a), (toc/b)] \xrightarrow{tic} b.X[(tic/a), (toc/b)] \xrightarrow{toc} a.b.X[(tic/a), (toc/b)] \ldots$

¹ In some contexts, trailing underscores (e.g., $a\_$) also represent outputs.
² The symbol $\equiv$ means "is defined as."
The behavior of asynchronous hardware systems is defined and reasoned about by associating the voltage changes on wires with instantaneous binary events. A voltage change from the false voltage value to the true voltage value is represented by an instantaneous transition from 0 to 1, and vice-versa for true-to-false voltage level changes. Transitions between states are labeled with the name of the wire on which the voltage change occurs to define the events. For example, the CCS agent $Inv \equiv a.\bar{b}.Inv$ defines the behavior of a logical inverter with input $a$ and output $b$. It also defines the behavior of a buffer, since outputs can be either 0 or 1 in any state. Every $b$ transition toggles the output from 1 to 0 or from 0 to 1. Input and output values can be associated with states by naming the states of the inverter with input and output values; e.g., the CCS agents $Inv01 \equiv a.\bar{b}.Inv10$ and $Inv10 \equiv a.\bar{b}.Inv01$ associate state names with values. The next section reveals that the states $Inv01$ and $Inv10$ are both equivalent to state $Inv$ and are more efficiently represented and reasoned about in CCS as the single state $Inv$.

2.1.2 CCS Bisimulations.

Milner formalizes two basic notions of equivalence between CCS agents. He calls these equivalences strong bisimulation and weak bisimulation. Bisimulation can be understood as requiring bi-directional simulation between agents; i.e., whatever actions one agent can do, the other can do, and vice-versa. Strong bisimulation demands that even the internal actions ($\tau$-actions) of each agent be matched exactly; weak bisimulation relaxes this requirement.

Definition 1. CCS strong bisimulation. A binary relation $\mathcal{R} \subseteq \mathcal{P} \times \mathcal{P}$ is a strong bisimulation iff $(P, Q) \in \mathcal{R}$ implies for all $\alpha \in Act$,

1. $\forall P'[P \xrightarrow{\alpha} P' \Rightarrow \exists Q'[Q \xrightarrow{\alpha} Q' \wedge (P', Q') \in \mathcal{R}]]$
2. $\forall Q'[Q \xrightarrow{\alpha} Q' \Rightarrow \exists P'[P \xrightarrow{\alpha} P' \wedge (P', Q') \in \mathcal{R}]]$

Definition 2. Strongly bisimilar CCS agents: $P \sim Q$. CCS agents $P$ and $Q$ are strongly bisimilar iff there exists a strong bisimulation $\mathcal{R}$ such that $(P, Q) \in \mathcal{R}$. Writing $P \sim Q$ denotes that $P$ is strongly bisimilar to $Q$.
The largest strong bisimulation is

$$\sim \;\equiv\; \bigcup_{\mathcal{R} \subseteq \mathcal{P} \times \mathcal{P}} \{\mathcal{R} \mid \mathcal{R} \text{ is a strong bisimulation}\}$$

It contains all smaller strong bisimulations and specifies exactly which strong bisimulation must contain $(P, Q)$. Milner proves that $\sim$ is an equivalence relation (Mil89:91).
The state relation $\{(Inv10, Inv01), (Inv01, Inv10), (\bar{b}.Inv01, \bar{b}.Inv10), (\bar{b}.Inv10, \bar{b}.Inv01)\}$ is a strong bisimulation between the states of the CCS inverter defined above. Given agent $Inv \equiv a.\bar{b}.Inv$, the relation $\{(Inv, Inv01), (Inv, Inv10), (\bar{b}.Inv, \bar{b}.Inv01), (\bar{b}.Inv, \bar{b}.Inv10)\}$ is also a strong bisimulation, so the $Inv$ definition can be substituted for both the $Inv10$ and $Inv01$ definitions.
To define weak bisimulation, two abstractions must first be defined. The first abstraction is the reflexive transitive $\tau$-closure: $P(\xrightarrow{\tau})^*P'$ means zero or more $\tau$-actions occur between $P$ and $P'$. When there are no $\tau$-actions, $P = P'$. The reflexive transitive $\tau$-closure leads to a $\tau$-closure over specified actions, which is a superset of the $\rightarrow$ transition relation. The closure relation is denoted by the double-barred arrow, $\Rightarrow$.

Definition 3. CCS $\tau$-closure: $P \xRightarrow{\alpha} P'$.

$$\forall \alpha \in Act:\quad P \xRightarrow{\alpha} P' \;\equiv\; P(\xrightarrow{\tau})^* \xrightarrow{\alpha} (\xrightarrow{\tau})^* P'$$

Writing $P \xRightarrow{\alpha} P'$ denotes that there is a transition from $P$ to $P'$ by action $\alpha$ in the $\tau$-closure. Note that $P \xRightarrow{\tau} P'$ means at least one $\tau$ occurs between $P$ and $P'$. Writing $P \xRightarrow{\alpha}$ means there exists some $P'$ such that $P \xRightarrow{\alpha} P'$.
The second abstraction provides a way to match $\tau$-actions with zero or more $\tau$-actions, and visible actions by $\tau$-closure. The abstraction is called $\tau$-abstraction. Hatted action symbols (e.g., $\hat{\alpha}$) denote $\tau$-abstraction; $\tau$-abstraction is used in conjunction with $\tau$-closure to allow structural differences between CCS agents.

Definition 4. CCS $\tau$-abstraction: $P \xRightarrow{\hat{\alpha}} P'$.

$$\forall \alpha \in Act:\quad P \xRightarrow{\hat{\alpha}} P' \;\equiv\; \begin{cases} P(\xrightarrow{\tau})^* P' & (\alpha = \tau) \\ P \xRightarrow{\alpha} P' & (\alpha \neq \tau) \end{cases}$$

CCS $\tau$-abstraction is used on the consequent side of bisimulation-style relation formulas to specify that $\tau$-actions in the antecedent can be matched by zero or more $\tau$-actions in the consequent. In the case that they are matched by zero $\tau$-actions, the agent on the consequent side does not perform any action and stays in the same state. This abstraction allows systems being compared to have zero or more structural differences between them and still be considered "equivalent."
Both Milner and Stevens define $\tau$-closure and $\tau$-abstraction over elements from the set of all sequences of actions from $Act$ (this set is denoted $Act^*$), but for this chapter, the above definitions suffice. Stevens uses sequences from $Act^*$ to formally define trace equivalence and trace conformance; his work is a practical discussion of the differences between labeled transition systems distinguished by the different relations (Ste94:pp.111-136).
The $\tau$-closure and $\tau$-abstraction definitions are the basis for defining the weak bisimulation relation for CCS agents. Weak bisimulation allows agents to have different structure but still be considered equivalent based on the actions that they can perform.
Definition 5. CCS weak bisimulation. A binary relation $\mathcal{R} \subseteq \mathcal{P} \times \mathcal{P}$ is a weak bisimulation iff $(P, Q) \in \mathcal{R}$ implies for all $\alpha \in Act$,

1. $\forall P'[P \xrightarrow{\alpha} P' \Rightarrow \exists Q'[Q \xRightarrow{\hat{\alpha}} Q' \wedge (P', Q') \in \mathcal{R}]]$
2. $\forall Q'[Q \xrightarrow{\alpha} Q' \Rightarrow \exists P'[P \xRightarrow{\hat{\alpha}} P' \wedge (P', Q') \in \mathcal{R}]]$

Definition 6. Weakly bisimilar CCS agents: $P \approx Q$. CCS agents $P$ and $Q$ are weakly bisimilar iff there exists a weak bisimulation $\mathcal{R}$ such that $(P, Q) \in \mathcal{R}$. Writing $P \approx Q$ denotes that $P$ is weakly bisimilar to $Q$.
The largest weak bisimulation is

$$\approx \;\equiv\; \bigcup_{\mathcal{R} \subseteq \mathcal{P} \times \mathcal{P}} \{\mathcal{R} \mid \mathcal{R} \text{ is a weak bisimulation}\}$$

It contains all smaller weak bisimulations and specifies exactly which weak bisimulation must contain $(P, Q)$. Milner shows that $\approx$ is an equivalence relation (Mil89:110).
CCS strong bisimulation is a congruence relation; i.e., it is preserved in all algebraic contexts. Milner proves this (Mil89:98) by showing

$$P_1 \sim P_2 \;\Rightarrow\; \begin{cases} (1)\;\; \alpha.P_1 \sim \alpha.P_2 \\ (2)\;\; P_1 + Q \sim P_2 + Q \\ (3)\;\; P_1 \mid Q \sim P_2 \mid Q \\ (4)\;\; P_1 \backslash L \sim P_2 \backslash L \\ (5)\;\; P_1[f] \sim P_2[f] \end{cases}$$

Weak bisimulation is not a congruence because summation does not preserve the weak bisimulation relation; e.g., $b.0 \approx \tau.b.0$ but $a.0 + b.0 \not\approx a.0 + \tau.b.0$. However, for the set of CCS agents with guarded actions, i.e., those where every $\tau$ action is preceded by a visible action, weak bisimulation is also a congruence.

2.1.3 Logic Conformance.

In an effort to further loosen the relationship between CCS agents and safely give designers more freedom, Stevens defines a bisimulation-style partial-order relationship called logic conformance (Ste94). Unlike Milner's strong and weak bisimulation, logic conformance is not symmetric, so the implementation agent ($I$) must be distinguished from the specification agent ($S$). Usually implementations are less abstract models than specifications. Ultimately, at the lowest level of abstraction, implementations are models of the design primitives from which systems are constructed. In the case of electronic circuits, design primitives are models of logic gates that abstract the voltage levels of the underlying transistor circuits to either true (1) or false (0), and the changes in value from true to false or false to true occur instantaneously.

Definition 7. Logic Conformance. A binary relation $\mathcal{R} \subseteq \mathcal{P} \times \mathcal{P}$ is a logic conformance iff $(I, S) \in \mathcal{R}$ implies for all $\alpha \in Act$, $\beta \in \bar{A} \cup \{\tau\}$, $\gamma \in A$,

1. $\forall S'[S \xrightarrow{\alpha} S' \Rightarrow \exists I'[I \xRightarrow{\hat{\alpha}} I' \wedge (I', S') \in \mathcal{R}]]$
2. $\forall I'[I \xrightarrow{\beta} I' \Rightarrow \exists S'[S \xRightarrow{\hat{\beta}} S' \wedge (I', S') \in \mathcal{R}]]$
3. $\forall I'[(I \xrightarrow{\gamma} I' \wedge S \xrightarrow{\gamma}) \Rightarrow \exists S'[S \xRightarrow{\gamma} S' \wedge (I', S') \in \mathcal{R}]]$

Definition 8. Logically conformant CCS agents: $I \sqsubseteq_l S$. CCS agents $I$ and $S$ are logically conformant iff there exists a logic conformance $\mathcal{R}$ such that $(I, S) \in \mathcal{R}$. Writing $P \sqsubseteq_l Q$ denotes that $P$ is logically conformant to $Q$.
The largest logic conformance is

$$\sqsubseteq_l \;\equiv\; \bigcup_{\mathcal{R} \subseteq \mathcal{P} \times \mathcal{P}} \{\mathcal{R} \mid \mathcal{R} \text{ is a logic conformance}\}$$

It contains all smaller logic conformances and specifies exactly which logic conformance must contain $(I, S)$. Stevens proves that $\sqsubseteq_l$ is a partial order (Ste94:143). Weak bisimulation is the equivalence relation that exists whenever logic conformance holds in both directions; i.e., $I \sqsubseteq_l S \wedge S \sqsubseteq_l I \Rightarrow I \approx S$.
The difference between weak bisimulation and logic conformance is the extra conjunct in the implication antecedent of Definition 7 property 3. When $S \xrightarrow{\gamma}$ is false, it does not matter that $I$ has a to-state $I'$ reachable by $\gamma$ (such to-states are called $\gamma$-derivatives). This means that $I$ may accept inputs that $S$ does not. If these unmatched inputs are in the specification's language, then the implementation accepts them more often than the specification does. In case they are not in the specification's language, then they are truly irrelevant and cannot be required of any implementation that replaces $S$. In either case, the specification defines the inputs that must be accepted and the behavior that follows them. Therefore, in all contexts where the specification accurately represents the desired behavior, logic conformant implementations behave "the same as" the specification. This freedom allows detailed implementations that accurately model the behaviors of design primitives to be considered satisfactory implementations of much less complex specifications even though there are vast differences in their state spaces. Logic conformance provides more freedom of implementation because implementation behavior in states unreachable under the specification's input constraints is completely unrestricted (Ste94:p.120).
Logic conformance does give designers more freedom of implementation, but it does not necessarily preserve all modal logic or modal $\mu$-calculus properties as bisimulation and weak bisimulation do. For example, given $I \equiv a.\bar{b}.I + c.\bar{d}.0$ and $S \equiv a.\bar{b}.S$, $I \sqsubseteq_l S$ and $I \models \langle c \rangle \langle \bar{d} \rangle T$, but $S$ does not. The symbol "$\models$" is read "models" and means "satisfies property." Conversely, $S \models \langle a \rangle T \wedge [-a]F$ ($S$ can do an $a$ action and no other) but $I \not\models \langle a \rangle T \wedge [-a]F$. In fact, $I$ has a deadlock ($I \xrightarrow{c} \xrightarrow{\bar{d}} 0$), and $S$ does not deadlock. Giving the designer this much freedom of implementation theoretically requires that specification properties expressed by modal logic or modal $\mu$-calculus formulae be model checked in addition to checking the logic conformance relation. From a practical point of view, if $S$ completely defines $I$'s input environment, then conditions like $I$'s deadlock or $\bar{d}$ output can never be reached and model checking is not required.
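The relations of Definitions 1 through 8 are all greatest fixed points, so on small agents they can be checked by starting from every pair of states and discarding pairs that violate the defining clauses until nothing changes. The Python below is an added example written for this chapter, not code from Milner, Stevens or any tool the text cites. It encodes agents as labelled transition systems (inputs as plain names, outputs with a trailing "!", the internal action as `tau`; these encoding conventions and the state names are this example's own assumptions) and computes strong bisimulation, weak bisimulation and logic conformance for the inverter of Section 2.1.1, the summation counterexample of Section 2.1.2, and the $I$/$S$ pair discussed just above.

```python
"""Strong bisimulation, weak bisimulation and logic conformance as greatest fixed points.

Agents are labelled transition systems: state -> set of (action, successor).
Inputs are plain names ("a"), outputs carry a trailing "!" ("b!"), TAU is internal.
"""

TAU = "tau"


def is_input(action):
    return action != TAU and not action.endswith("!")


def reachable(lts, start):
    seen, todo = {start}, [start]
    while todo:
        for _, nxt in lts.get(todo.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen


def strong_succ(lts, p, action):
    """P --action--> P'."""
    return {q for a, q in lts.get(p, ()) if a == action}


def tau_closure(lts, p):
    """P (--tau-->)* P'  (reflexive transitive tau-closure)."""
    seen, todo = {p}, [p]
    while todo:
        for a, q in lts.get(todo.pop(), ()):
            if a == TAU and q not in seen:
                seen.add(q)
                todo.append(q)
    return seen


def weak_succ(lts, p, action):
    """Definition 4: P ==hat(action)==> P' (tau* if action is tau, else tau* action tau*)."""
    before = tau_closure(lts, p)
    if action == TAU:
        return before
    return {r for q in before for m in strong_succ(lts, q, action) for r in tau_closure(lts, m)}


def matched(lts, rel, p, q, succ):
    """Every strong move of p is answered by a succ-move of q that lands in a pair of rel."""
    return all(any((p2, q2) in rel for q2 in succ(q, a)) for a, p2 in lts.get(p, ()))


def largest(lts, left, right, keep):
    """Greatest fixed point: start with reachable(left) x reachable(right), drop violating pairs."""
    rel = {(p, q) for p in reachable(lts, left) for q in reachable(lts, right)}
    while True:
        bad = {pair for pair in rel if not keep(rel, *pair)}
        if not bad:
            return rel
        rel -= bad


def _bisimilar(lts, p, q, succ):
    def keep(rel, x, y):
        return matched(lts, rel, x, y, succ) and matched(lts, {(b, a) for a, b in rel}, y, x, succ)
    return (p, q) in largest(lts, p, q, keep)


def strongly_bisimilar(lts, p, q):
    """Definitions 1 and 2."""
    return _bisimilar(lts, p, q, lambda s, a: strong_succ(lts, s, a))


def weakly_bisimilar(lts, p, q):
    """Definitions 5 and 6."""
    return _bisimilar(lts, p, q, lambda s, a: weak_succ(lts, s, a))


def logically_conformant(lts, impl, spec):
    """Definitions 7 and 8: (1) every spec move is matched weakly by impl; (2) impl outputs and
    taus are matched weakly by spec; (3) impl inputs are matched only when spec can take them."""
    def keep(rel, i, s):
        if not matched(lts, {(y, x) for x, y in rel}, s, i, lambda st, a: weak_succ(lts, st, a)):
            return False                                           # clause (1)
        for a, i2 in lts.get(i, ()):
            if is_input(a) and not strong_succ(lts, s, a):
                continue                                           # clause (3): S -/gamma->, unconstrained
            if not any((i2, s2) in rel for s2 in weak_succ(lts, s, a)):
                return False                                       # clauses (2) and (3)
        return True
    return (impl, spec) in largest(lts, impl, spec, keep)


def deadlocks(lts, start):
    """Reachable states with no outgoing transition, i.e. occurrences of the agent 0."""
    return {s for s in reachable(lts, start) if not lts.get(s)}


# Constructed agents from the text (state names are this example's own).
INVERTER = {  # Inv = a.b!.Inv, Inv01 = a.b!.Inv10, Inv10 = a.b!.Inv01
    "Inv": {("a", "b!.Inv")}, "b!.Inv": {("b!", "Inv")},
    "Inv01": {("a", "b!.Inv10")}, "b!.Inv10": {("b!", "Inv10")},
    "Inv10": {("a", "b!.Inv01")}, "b!.Inv01": {("b!", "Inv01")},
}
CHOICE = {  # b.0 ~~ tau.b.0, but a.0 + b.0 is not weakly bisimilar to a.0 + tau.b.0
    "b.0": {("b", "0")}, "tau.b.0": {(TAU, "b.0")},
    "a.0+b.0": {("a", "0"), ("b", "0")}, "a.0+tau.b.0": {("a", "0"), (TAU, "b.0")},
}
CONFORM = {  # I = a.b!.I + c.d!.0 conforms to S = a.b!.S although I deadlocks after c
    "I": {("a", "b!.I"), ("c", "d!.0")}, "b!.I": {("b!", "I")}, "d!.0": {("d!", "0")},
    "S": {("a", "b!.S")}, "b!.S": {("b!", "S")},
}

if __name__ == "__main__":
    print(strongly_bisimilar(INVERTER, "Inv", "Inv01"), weakly_bisimilar(CHOICE, "b.0", "tau.b.0"),
          weakly_bisimilar(CHOICE, "a.0+b.0", "a.0+tau.b.0"))
    print(logically_conformant(CONFORM, "I", "S"), weakly_bisimilar(CONFORM, "I", "S"), deadlocks(CONFORM, "I"))
```

The conformance check passes for $(I, S)$ while the weak-bisimulation check fails, and `deadlocks` finds the agent $0$ reachable from $I$ through the input $c$ that $S$ never offers. That is the gap the text describes: conformance leaves behaviour outside the specification's input language unconstrained, so a safety property of $S$ has to be model checked against $I$ separately whenever the deployed environment is not confined to $S$'s inputs.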

2.2 Timed Models and Relationships

Untimed process algebras do not provide any power to specify and reason about the timing of different events. That leads us to examine how the timing of actions might be specified and reasoned about like CCS agents. There are many different formalisms, each with different syntax, and some more expressive than others (ACD90, CH92, CL96b, Cer92, CGL93, Cer95, CLK94, Dan92, FH92, GF90, GV95, GSSAL94, Hal92, HJ95, HB94, JM86, JU93, Kan95, Koy92, Kri92, Lad86, LY93, LLPY97, LBGG94, MM91, MRM94, Mol91, Wan90). For each formalism slightly different formal relationships have been defined. Three representative formalisms are examined: first, a simple timed-process-algebra extension of CCS called Timed CCS; second, a more expressive timed-process-algebra-based formalism for the Calculus of Timed Refinement (CTR) relation; third, a very expressive Moore-machine formalism called a timed process.

2.2.1 TCCS.

Wang's Timed CCS (TCCS) extends Milner's CCS with arbitrary integral or real-valued delays (Wan90). Wang writes $P \xrightarrow{\epsilon(t)} Q$ to mean that after $t$ units of time, $P$ becomes $Q$, where $\epsilon$ stands for idling. Note that $P \xrightarrow{\epsilon(t)} P$ is possible: an agent may idle in place. TCCS actions other than idling are instantaneous; i.e., no time passes as an action occurs unless the action is an idling action ($\epsilon$-action). TCCS enjoys the same simple syntax as CCS, but it does not readily support specifying temporal relationships between actions that are separated by other observable actions. Wang defines notions of strong and weak timed bisimulation equivalence between TCCS agents. Definitions for Wang's relations are not included here because they are the same as Milner's with the extension of $\alpha$ ranging over both $Act$ and $\epsilon$-actions. Both strongly and weakly bisimilar TCCS agents satisfy all timed modal logic formulas that are true of each other (HLY91, LY93). Of course, this means that no temporal differences between observable events can be distinguished between strongly or weakly bisimilar TCCS agents as long as time passes continuously around $\tau$'s (i.e., $P \xrightarrow{\epsilon(t)} (\xrightarrow{\tau})^* \xrightarrow{\epsilon(t')} Q \Rightarrow P \xRightarrow{\epsilon(t + t')} Q$) in the weak case.
There are four special properties of TCCS agents. First, by definition, $\tau$-actions occur as soon as they are enabled, resulting in a maximal progress assumption; i.e., no TCCS agent $P$ will wait unnecessarily to $\tau$:

$$\exists Q \in \mathcal{P}\,[P \xrightarrow{\tau} Q] \;\Rightarrow\; \nexists\, t > 0\,[P \xrightarrow{\epsilon(t)}]$$

Maximal progress further distinguishes observable actions $\alpha.P$ from internal actions $\tau.P$ because $\tau.P$ has only one $\tau$-transition, whereas $\alpha.P$ has a chain of $\epsilon(t)$-transitions because $\alpha.P$ is willing to wait any $t$ units of time for the environment to offer an $\alpha$. The maximal progress assumption turns all cooperative $a$ and $\bar{a}$ action pairs into instantaneous $\tau$-actions even though the $a$- and $\bar{a}$-capable agents may individually be able to wait for arbitrary amounts of time before acting outside of the parallel composition combining them.

Second, TCCS agents are determinant; i.e., idling leads to syntactically identical states:

$$P \xrightarrow{\epsilon(t)} P_1 \wedge P \xrightarrow{\epsilon(t)} P_2 \;\Rightarrow\; P_1 = P_2$$

Third, TCCS agents are continuous; i.e., TCCS agents must pass through all intermediate time values:

$$P \xrightarrow{\epsilon(t + t')} P_2 \;\Rightarrow\; \exists P_1\,[P \xrightarrow{\epsilon(t)} P_1 \wedge P_1 \xrightarrow{\epsilon(t')} P_2]$$

Fourth, TCCS agents are persistent; i.e., no agent loses its ability to perform an action it was able to perform originally:

$$P \xrightarrow{\epsilon(t)} P_1 \wedge P \xrightarrow{\alpha} P_2 \;\Rightarrow\; \exists P_1'\,[P_1 \xrightarrow{\alpha} P_1']$$

Persistence makes it impossible to specify an upper timing bound in TCCS without introducing a $\tau$-transition that forces the agent into another state in accordance with maximal progress. For example, the agent $S0 \equiv \epsilon(2).a + \epsilon(3).b.S0 + \epsilon(30).\tau.Nil$ can, after $t \in [2, 30)$ time units, do $a$, and after $t \in [3, 30)$ time units do $b$, and repeat forever. However, if $t = 30$ time units pass without $a$ or $b$, then $S0$ is deadlocked.
The semantics of TCCS depend greatly on treating $\tau$ and visible actions significantly differently, but there is little intuition behind the semantic leap from $P \xrightarrow{a} P' \wedge Q \xrightarrow{\bar{a}} Q'$ to $P \mid Q \xrightarrow{\tau} P' \mid Q'$. Individually, $P$ and $Q$ can wait forever to perform $a$ and $\bar{a}$, but $P \mid Q$ must immediately perform $\tau$ in accordance with maximal progress (Wan90).
Recall that specifying time relationships between two actions that have a third action between them is not directly possible without resorting to describing the relationships via multiple parallel agents. For example, assume $\alpha$ and $\gamma$ never occur closer than 3 time units to each other, but that $\beta$ can occur at any time. Some possibilities for specifying this situation are $P.\alpha.\epsilon(3).\gamma.\beta.Q + P.\alpha.\epsilon(3).\beta.\gamma.Q + P.\beta.\alpha.\epsilon(3).\gamma.Q$, and even $P.\alpha.\epsilon(1.75).\beta.\epsilon(1.25).\gamma.Q$, but no one can finitely specify all the possible ways to split up the real-valued 3 in this fashion.
TCCS does preserve timed modal logic and $\mu$-calculus properties, but the semantic gap between visible and $\tau$-transitions, its limited provision for specifying upper time bounds, and its constraints on specifying timing relationships between non-sequential actions tend to stifle its practical application and lead us in search of a higher-fidelity and more expressive formalism, like the one discussed in the next section.

2.2.2 Calculus of Timed Refinement (CTR).

TCCS relaxes the equivalence relation such that the internal structure of the systems may be quite different for weak-timed-bisimilar agents, but it does not allow the timing of the visible actions of those systems to vary. Timed-bisimulation equivalence is too strong a relation for deciding whether or not one agent can be substituted for another, and most agree that even weak timed bisimulation overly restricts the freedom of designers.
This notable attempt to give designers more expressiveness and freedom of implementation focuses on the implementation half of the bisimulation relation. Cerāns' Calculus of Timed Refinement (CTR) relaxes the timing relationship between CCS-like agents such that the implementation's timing is more precise than the specification's (i.e., the timing of implementation actions may be a subset of those allowed for specification actions) (Cer95), and CTR provides a way to express minimum and maximum time passing using time intervals.

2.2.2.1 CTR Agents.

The set of all CTR agents is denoted $\mathcal{E}$. For CTR agents $E, F, G \in \mathcal{E}$ and $\alpha \in Act$, the syntax used to define agent $E$ is defined by the grammar:

$$E ::= nil \mid F \mid [c, e].F \mid \alpha.F \mid F + G \mid F \,\|\, G \mid F \backslash L \mid F[f]$$

The expression $[c, e].F$ adds a timing delay before $F$ for $c \in \mathbb{R}^+ = [0, \infty)$, $e \in \mathbb{R}^+ \cup \{\infty\}$, $c \le e$. The expression $\epsilon(d).E$ is another notation for $[d, d].E$. Time progresses by $\epsilon(d)$ units when $[c, e].E \xrightarrow{\epsilon(d)} [b, e - d].E$, $e \ge d$, and $b = \max\{0, c - d\}$. CTR introduces another special internal action $\iota \notin Act$, where $Act^+ = Act \cup \{\iota\}$ and $\alpha^+ \in Act^+$ ranges over $Act^+$. The special internal action $\iota$ denotes when an agent exits the delay prefix sometime after the lower timing bound has been reached but before the upper timing bound expires; i.e., $[0, e].E \xrightarrow{\iota} E$. Once the upper bound of the delay prefix expires, the delay prefix can be exited without $\iota$ occurring; i.e., $[0, 0].E \xrightarrow{\alpha} E'$ whenever $E \xrightarrow{\alpha} E'$.
Unfortunately, CTR's operational rules defining the semantics of the expressions are considerably more complex than those of CCS and TCCS, requiring 21 different rules. Table 3 shows the 12 rules CTR adds to CCS's 9 rules already defined in Table 2. CCS's Con, Com1, Com2, Res, and Rel rules are extended over $\alpha^+ \in Act^+$, and $\alpha \in Act$ applies to the rules in Table 3 for agents $E, F \in \mathcal{E}$.
Table 3. CTR Operational Semantic Rules.

    $\dfrac{}{nil \xrightarrow{\epsilon(d)} nil}$

    $\dfrac{}{\alpha.E \xrightarrow{\epsilon(d)} \alpha.E}$

    $\dfrac{E \xrightarrow{\iota} E'}{E + F \xrightarrow{\iota} E' + F}$

    $\dfrac{F \xrightarrow{\iota} F'}{E + F \xrightarrow{\iota} E + F'}$

    $\dfrac{E \xrightarrow{\epsilon(d)} E' \;\wedge\; F \xrightarrow{\epsilon(d)} F'}{E + F \xrightarrow{\epsilon(d)} E' + F'}$

    $\dfrac{E \xrightarrow{\epsilon(d)} E' \;\wedge\; F \xrightarrow{\epsilon(d)} F'}{E \,\|\, F \xrightarrow{\epsilon(d)} E' \,\|\, F'}$ (maximal progress: no $\tau$ is enabled in $E \,\|\, F$ while the $d$ units elapse)

    $\dfrac{E \xrightarrow{\epsilon(d)} E'}{E \backslash L \xrightarrow{\epsilon(d)} E' \backslash L}$

    $\dfrac{E \xrightarrow{\epsilon(d)} E'}{E[f] \xrightarrow{\epsilon(d)} E'[f]}$

    $\dfrac{}{[0, e].E \xrightarrow{\iota} E}$

    $\dfrac{}{[c, e].E \xrightarrow{\epsilon(d)} [b, e - d].E}\;(e \ge d \wedge b = \max\{0, c - d\})$

    $\dfrac{E \xrightarrow{\alpha} E'}{[0, 0].E \xrightarrow{\alpha} E'}$

    (twelfth rule: premise $E \rightarrow E'$, conclusion $[c, e].E \rightarrow \ldots$; its labels and side condition are not legible in the source)

CTR incorporates Wang's notion of maximal progress, so no further delay is possible when a $\tau$-transition is enabled (Cer95:p.519). CTR abstracts structural ($\tau$) and time-passing ($\iota$) differences between transition relations by letting $\Rightarrow_\tau \;\equiv\; (\xrightarrow{\tau})^*$ and $E \xRightarrow{\alpha}_\tau E'$ denote $E \Rightarrow_\tau \xrightarrow{\alpha} \Rightarrow_\tau E'$, and also letting $\Rightarrow_{\iota,\tau} \;\equiv\; (\xrightarrow{\iota} \cup \xrightarrow{\tau})^*$ and $E \xRightarrow{\alpha}_{\iota,\tau} E'$ denote $E \Rightarrow_{\iota,\tau} \xrightarrow{\alpha} \Rightarrow_{\iota,\tau} E'$. The hatted forms $\xRightarrow{\hat{\alpha}}_\tau$ and $\xRightarrow{\hat{\alpha}^+}_{\iota,\tau}$ abstract $\tau$ (respectively $\tau$ and $\iota$) exactly as in Definition 4: an internal action is matched by zero or more internal actions.

CTR defines matching delay transitions from delay prefixes ($d \in \mathbb{R}^+$) to a CTR agent $E \in \mathcal{E}$ by functions $f_-, f_+ : [0, d] \rightarrow \mathcal{E}$ such that:
• $f_-(0) = E$
• $\forall d' \in [0, d]\,[f_-(d') \Rightarrow_{\iota,\tau} f_+(d')]$
• $\exists d_0, d_1, \ldots, d_k \in [0, d]\,[d_0 = 0 \wedge d_k = d \wedge \forall 0 \le i < k\,[d_{i+1} > d_i]]$ such that
  – $\forall d' \in [0, d] \setminus \{d_0, d_1, \ldots, d_k\}\,[f_-(d') = f_+(d')]$
  – $\forall 0 \le j < k,\; d' \in (d_j, d_{j+1}]\,[f_+(d_j) \xrightarrow{\epsilon(d' - d_j)} f_-(d')]$
Under these conditions the pair of functions $f = (f_-, f_+)$ is an $(E, d)$-trace. The set of $(E, d)$-traces is denoted by $E \xrightarrow{\epsilon(d)}_{\iota,\tau}$, and $E \xrightarrow{\epsilon(d)} \subseteq E \xrightarrow{\epsilon(d)}_\tau \subseteq E \xrightarrow{\epsilon(d)}_{\iota,\tau}$ are the sets of $(E, d)$-traces not involving any internal transitions and not involving $\xrightarrow{\iota}$, respectively.
For two CTR agents $I$ and $S$, $f \in I \xrightarrow{\epsilon(d)}_{\iota,\tau}$ and $g \in S \xrightarrow{\epsilon(d)}_{\iota,\tau}$, and a relation $\mathcal{R} \subseteq \mathcal{E} \times \mathcal{E}$, the predicate $(f, g) \in \mathcal{R}^*$ is true if

$$\forall d' \in [0, d]\,[(f_+(d'), g_+(d')) \in \mathcal{R} \wedge (f_-(d'), g_-(d')) \in \mathcal{R}]$$

The predicate $(f, g) \in \mathcal{R}^*$ is used to require that $S$ be able to match $I$'s observable behavior continuously while $I$ passes time $d$.
The predicate $E \xrightarrow{\iota^\infty}$ denotes an infinite chain of $\xrightarrow{\iota}$ transitions starting at $E$: $E \xrightarrow{\iota} E_1 \xrightarrow{\iota} E_2 \xrightarrow{\iota} \cdots$.
2.2.2.2 CTR Relations.

Definition 9. CTR Refinement Relation. A relation $\mathcal{R} \subseteq \mathcal{E} \times \mathcal{E}$ is a CTR refinement relation iff

$$\forall (I, S) \in \mathcal{R}\,[$$
$$\quad (1)\;\; I \xrightarrow{\alpha^+} I' \;\Rightarrow\; \exists S'\,[S \xRightarrow{\hat{\alpha}^+}_{\iota,\tau} S' \wedge (I', S') \in \mathcal{R}] \;\wedge$$
$$\quad (2)\;\; S \xrightarrow{\alpha} S' \;\Rightarrow\; \exists I'\,[I \xRightarrow{\hat{\alpha}}_{\tau} I' \wedge (I', S') \in \mathcal{R}] \;\wedge$$
$$\quad (3)\;\; f \in I \xrightarrow{\epsilon(d)}_{\iota,\tau} \;\Rightarrow\; \exists g \in S \xrightarrow{\epsilon(d)}_{\iota,\tau}\,[(f, g) \in \mathcal{R}^*] \;\wedge$$
$$\quad (4)\;\; I \xrightarrow{\iota^\infty} \;\Rightarrow\; S \xrightarrow{\iota^\infty} \;]$$

Note that CTR asymmetrically specifies the requirements for action matching between specification $S$ and implementation $I$. Formula 1 requires that all $I \xrightarrow{\iota}$ internal actions exiting delay prefixes be matched by the specification $S$, but not conversely in Formula 2. In the same formulas, the specification is given more flexibility for matching the implementation, closing its relation over $\iota$ as well as $\tau$. Further, only implementation delay actions $\epsilon(d)$ need be matched, according to Formula 3. There is nothing requiring the implementation to match specification delay actions. Formula 4 ensures that internal divergence by the implementation is also possible for the specification.

Definition 10. CTR Refinement: $I \le S$. CTR agent $I$ refines CTR agent $S$ iff there exists a CTR refinement relation $\mathcal{R}$ such that $(I, S) \in \mathcal{R}$. Writing $I \le S$ denotes that $I$ refines $S$.
2.2.2.3 CTR Summary.

CTR preserves timed modal-logic and $\mu$-calculus properties. In fact, it implies TCCS weak timed bisimulation when limited to the subset of timing relationships expressed by TCCS agents (Cer95:p.525).
Ultimately, for all its complexity, CTR's only real benefit over TCCS is the fact that CTR relaxes the time relationship between actions of the two systems. In CTR, the agent $I ::= a.[1, 3].\bar{b}.I$ refines $S ::= a.[0, 4].\bar{b}.S$, but they are not TCCS weakly bisimilar because $S$ can do $\bar{b}$ immediately after $a$, but $I$ cannot.
CTR's delay prefixes are a clean way to specify upper time bounds that cannot easily be specified with TCCS agents. CTR is still limited to specifying timing relationships between sequential actions (e.g., separating occurrences of $a$ in the TSA from Figure 1 by two or more time units is not possible in CTR). Also, since CTR maintains TCCS's maximal progress property, CTR does not close the semantic gap between visible and $\tau$-transitions. CTR refines the timing of both input and output actions such that they are both "more precise" in the implementation than in the specification. A refinement relation that allows an implementation not to accept every input that the specification does is not very useful. For these reasons, and because of the computational complexity of algorithms to implement it, CTR is not used extensively to specify, design, and reason about real designs.

2.2.3 Timed Simulation and Assume-Guarantee Reasoning.

The second notable attempt to give designers more freedom of implementation also focuses on the implementation half of the bisimulation relation (TAKB96). These Bell Labs and Berkeley researchers have implemented a system (timed COSPAN) for checking timed simulation relations and for doing hierarchical and compositional verification with assume-guarantee style proof rules. The primary difference between their modeling formalism and CTR is the computational model.

2.2.3.1 Timed Processes.

The computational model of the COSPAN formalism is a Moore machine called a timed process, not a CCS, TCCS, or CTR agent. Timed processes are more complicated than TCCS or CTR agents, but they provide the capability to temporally relate actions that do not occur sequentially by declaring and resetting clock variables on transitions and using those clock variables in predicates that determine when actions may occur. The timed process definition follows.
Let $X$ be a finite set of real-valued clock variables. An $X$-valuation $\Phi$ assigns a nonnegative real value $\Phi(x)$ to each variable $x \in X$. Let $\Phi$ be an $X$-valuation, and for each real-valued $\delta \ge 0$, $\Phi + \delta$ denotes the $X$-valuation assigning $\Phi(x) + \delta$ to each variable $x$, and $\mathbf{0}$ denotes the $X$-valuation assigning 0 to every $x \in X$. For $Y \subseteq X$, $\Phi[Y := 0]$ denotes the $X$-valuation assigning 0 to every $y \in Y$ and $\Phi(x)$ to $x \notin Y$ (a projection). An $X$-predicate $\varphi$ is a positive Boolean combination of constraints of the form $x \circ k$ for $k$ a nonnegative integer constant, $x \in X$ a variable, and $\circ \in \{<, >, =\}$. Writing $\Phi \models \varphi$ denotes that $\Phi$ satisfies the $X$-predicate $\varphi$.

For $P$ a finite set of variables, each ranging over a finite domain, a $P$-valuation $f$ is an assignment of values to variables in $P$. For $f$ and $Q \subseteq P$, $f(Q)$ denotes the $Q$-valuation restricting $f$ to the variables in $Q$. A $P$-event is a pair $(f, f')$ denoting the old ($f$) and new ($f'$) values of variables in $P$. A $P$-predicate $\chi$ is a subset of $P$-events. For example, the $P$-predicate $p' \neq p$ is the set of all $P$-events $(f, f')$ such that $\forall p \in P\,[f'(p) \neq f(p)]$. To ensure all variable assignments stay the same, the predicate $Stutter(P)$ is defined as:

$$Stutter(P) \;\equiv\; \bigwedge_{p \in P} p' = p$$

Definition 11. Timed Process. Let $\mathcal{TP}$ be the set of all timed processes. A timed process $A \in \mathcal{TP}$ is an eight-tuple $(S, S_0, X, O, I, \alpha, \mu, E)$ such that
• $S$ is a finite non-empty set of locations.
• $S_0 \subseteq S$ is the non-empty set of initial locations.
• $X$ is the finite set of real-valued clock variables.
• $O$ and $I$ are finite sets of output and input variables, each ranging over a finite type, $I \cap O = \emptyset$.
• $\alpha$ is the invariant function assigning the $X$-predicate $\alpha(s)$ to each location $s \in S$.
• $\mu$ is the output function assigning the $O$-valuation $\mu(s)$ to each location $s \in S$.
• $E$ is the finite set of edges. Each edge $e \in E$ is a 5-tuple $(s, t, \varphi, \chi, Y)$ with source and destination locations $s$ and $t$, clock predicate $\varphi$, input predicate $\chi$, and the set of clocks $Y \subseteq X$ to be reset. Two modeling constraints are:
  1. $\forall s \in S\,[(s, s, true, Stutter(I), \emptyset) \in E]$
  2. For every pair of locations there is at most one edge between them.
A state $\sigma$ of $A$ is a pair $(s, \Phi)$ containing the location $s$ and an $X$-valuation $\Phi \models \alpha(s)$, and the set of states is $\Sigma_A$. A state $(s, \Phi)$ is initial if $s \in S_0$ and $\forall x \in X\,[\Phi(x) = 0]$.

Given state $\sigma = (s, \Phi)$ of $A$ and positive time increment $\delta$, $A$ can wait for $\delta$ in state $\sigma$, written $wait(\sigma, \delta)$, iff $\forall 0 \le \delta' \le \delta\,[(\Phi + \delta') \models \alpha(s)]$. A timed event $\gamma$ of $A$ is a tuple $(\delta, f, f')$ consisting of a positive real-valued increment $\delta$ and the observation event $(f, f')$. Such an event means that $A$ can wait for $\delta$ time and then update its output from $f(O)$ to $f'(O)$ while the environment is updating the input variables from $f(I)$ to $f'(I)$. The set of all $A$ timed events is denoted $\Gamma_A$.
The timed process $A$ gives a labeled transition system over the state space $\Sigma_A$ with the labels $\Gamma_A$. For states $\sigma = (s, \Phi)$ and $\tau = (t, \Theta)$ in $\Sigma_A$, and a timed event $\gamma = (\delta, f, f')$ in $\Gamma_A$, the transition $\sigma \xrightarrow{\gamma} \tau$ is defined iff $f(O) = \mu(s)$, $f'(O) = \mu(t)$, $wait(\sigma, \delta)$, and there exists an edge $(s, t, \varphi, \chi, Y)$ such that $(\Phi + \delta) \models \varphi$, $(f, f') \models \chi$, and $\Theta = (\Phi + \delta)[Y := 0]$. Writing $\sigma \xrightarrow{\gamma}$ denotes that $\sigma \xrightarrow{\gamma} \tau$ for some $\tau$.
Timed processes are closed under stuttering; i.e., let $\gamma = (\delta, f, f')$, then:

$$\sigma \xrightarrow{\gamma} \tau \;\Rightarrow\; \forall 0 < \delta' < \delta\,[\exists \sigma', \gamma', \gamma''\,[\sigma \xrightarrow{\gamma'} \sigma' \xrightarrow{\gamma''} \tau \wedge \gamma' = (\delta', f, f) \wedge \gamma'' = (\delta - \delta', f, f')]]$$

Figure 2 is an example timed process defining the behavior of an inertial buffer with input $i$, output $o$, and delay in $[MinD, MaxD]$. The stutter-closing self loops are omitted in the figure. Every process spends non-zero time in each location, and all transitions are instantaneous. Initial locations are denoted by ►.

[Figure 2. Inertial Buffer Timed Process. The drawing is not reproduced here. Its locations are labeled by output value ($o = 0$ and $o = 1$) with invariants $true$ and $k \le MaxD$; its edges carry the input predicates $i = 0, i' = 1$ and $i = 1, i' = 0$, the clock guard $MinD \le k \le MaxD$, and the reset $k := 0$.]

The following definition specifies how to model more complex systems by parallel composing simpler timed process models together. Here, "$\setminus$" denotes set subtraction.

Definition 12. Timed Process Parallel Composition. Two timed processes

$$A = (S_A, S_0^A, X_A, O_A, I_A, \alpha_A, \mu_A, E_A)$$
$$B = (S_B, S_0^B, X_B, O_B, I_B, \alpha_B, \mu_B, E_B)$$

can be parallel composed iff $O_A \cap O_B = \emptyset$ (they share no common output). The parallel composition $P = A \,\|\, B$ is a timed process $P = (S_P, S_0^P, X_P, O_P, I_P, \alpha_P, \mu_P, E_P)$ such that

$$S_P = S_A \times S_B$$
$$S_0^P = S_0^A \times S_0^B$$
$$X_P = X_A \cup X_B$$
$$O_P = O_A \cup O_B$$
$$I_P = (I_A \cup I_B) \setminus O_P$$
$$\forall s \in S_A, t \in S_B\,[\alpha_P((s, t)) = \alpha_A(s) \wedge \alpha_B(t)]$$
$$\forall s \in S_A, t \in S_B\,[\mu_P((s, t)) = \mu_A(s) \cup \mu_B(t)]$$
$$E_P = \{((a, b), (a', b'), \varphi \wedge \varphi', \chi'', Y \cup Y') \mid (a, a', \varphi, \chi, Y) \in E_A \wedge (b, b', \varphi', \chi', Y') \in E_B \;\wedge$$
$$\qquad ((f, f') \in \chi'' \Leftrightarrow ((f \cup \mu_B(b), f' \cup \mu_B(b')) \models \chi \wedge (f \cup \mu_A(a), f' \cup \mu_A(a')) \models \chi'))\}$$

The set of edges in the parallel composition consists of those edges where the outputs of each individual process ($\mu_A$, $\mu_B$) satisfy the input predicates of the other process ($\chi'$, $\chi$). Timed process parallel composition is commutative and associative.


2.2.3.2 Timed Process Relations.

Simulation relations between timed processes are defined over timed event sequences. A timed event sequence $\gamma = [\gamma_0, \gamma_1, \ldots, \gamma_{k-1}]$ is a finite sequence of events $\gamma_i = (\delta_i, f_i, f'_i)$ such that $\forall\, 0 \le i < k-1\,[f_{i+1} = f'_i]$. For such a timed event sequence, define $\Delta_0 = 0$, and $\Delta_i = \sum_{j<i} \delta_j$ for $1 \le i \le k$. Each such $\gamma$ uniquely defines a function $F_\gamma$ from the closed interval $[0, \Delta_k]$ to the observations given by $F_\gamma(t) = f_i$ for $t \in [\Delta_i, \Delta_{i+1})$ and $F_\gamma(\Delta_k) = f'_{k-1}$.

A run of $A$ on a timed event sequence $\gamma$ is a sequence of states $[\sigma_0, \sigma_1, \sigma_2, \ldots, \sigma_k]$, $\sigma_i \in \Sigma_A$, such that $\sigma_0 \xrightarrow{\gamma_0} \sigma_1 \xrightarrow{\gamma_1} \sigma_2 \xrightarrow{\gamma_2} \cdots \xrightarrow{\gamma_{k-1}} \sigma_k$. The timed event sequence $\gamma$ is called a trace of $A$ if there exists a run in $A$ on $\gamma$ starting from an initial state and terminating in a state $\sigma_k \in \Sigma_A$. The timed language of process $A$, denoted $\mathcal{L}(A)$, is the set of traces of $A$.

Consider two timed processes:

$$A = (S_A, S^0_A, X_A, O_A, I_A, \alpha_A, \mu_A, E_A)$$
$$B = (S_B, S^0_B, X_B, O_B, I_B, \alpha_B, \mu_B, E_B)$$

$A$ is comparable to $B$ iff $O_B \subseteq O_A \wedge I_B \subseteq I_A$; i.e., $B$'s outputs and inputs are subsets of $A$'s. If $A$ is comparable to $B$, then a timed simulation relation from $A$ to $B$ is a binary relation $\Omega \subseteq \Sigma_A \times \Sigma_B$ among the states of $A$ and $B$ such that

$$\forall\, (\sigma, \tau) \in \Omega,\ \gamma \in \Gamma_A\,[\sigma \xrightarrow{\gamma} \sigma' \Rightarrow \exists\, \tau' \in \Sigma_B\,[\tau \xrightarrow{\gamma} \tau' \wedge (\sigma', \tau') \in \Omega]]$$

The timed simulation relation $\Omega$ is initialized iff $\forall\, \sigma \in S^0_A\,[\exists\, \tau \in S^0_B\,[(\sigma, \tau) \in \Omega]]$. If $A$ is comparable to $B$ and an initialized timed simulation relation from $A$ to $B$ exists, then $A$ timed-simulates $B$, written $A \preceq_S B$.

Let $A$ be comparable to $B$; then $A$ is said to timed-implement $B$ iff

$$\forall\, \gamma_A \in \mathcal{L}(A)\,[\exists\, \gamma_B \in \mathcal{L}(B)\,[F_{\gamma_A}|_{(I_B \cup O_B)} = F_{\gamma_B}]]$$

i.e., the traces of the two machines assign the same values to $B$'s input and output variables at all times. Timed implementation is denoted $A \preceq_L B$, and is also referred to as the language inclusion relation. The relations $\preceq_S$ and $\preceq_L$ are reflexive and transitive. When $A \preceq_S B$ and $B \preceq_S A$, then $A$ and $B$ are timed simulation equivalent, written $A \equiv_S B$; $\equiv_S$ is an equivalence relation. Similarly, $\equiv_L$ is the equivalence relation induced by $\preceq_L$.

Timed simulation is a stronger requirement than timed implementation; i.e., $A \preceq_S B \Rightarrow A \preceq_L B$. The timed simulation relation can be decided by an exponential algorithm when the timing of the two processes is represented by finite equivalence classes, so timed simulation is the relation checked by the COSPAN system to decide when system $A$ can be substituted for system $B$. If $A \preceq_L B$ then $A$ refines $B$.

Timed process parallel composition preserves both $\preceq_S$ and $\preceq_L$; i.e., $\forall X\,[A \preceq_S B \Rightarrow A\|X \preceq_S B\|X]$ and $\forall X\,[A \preceq_L B \Rightarrow A\|X \preceq_L B\|X]$. So $A\|B \preceq_S P\|Q$ if $A \preceq_S P \wedge B \preceq_S Q$; this allows decomposing large verifications into smaller pieces.
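The timed event sequence, $F_\gamma$ and timed-implementation definitions above, as an added Python example that is not part of the dissertation: it builds $F_\gamma$ for constructed traces of a specification $B$ over variables i, o and of an implementation $A$ with an extra internal variable x, and checks $A \preceq_L B$ by comparing the restricted observation functions. Representing observations as dictionaries and delays as fractions is the example's own assumption.

```python
# Added example: timed event sequences, F_gamma, and the timed-implementation
# check A <=_L B of Section 2.2.3.2.  Not the dissertation's own code; the
# traces below are constructed and the dict-based observations are an
# assumption of this example.
from fractions import Fraction
from typing import Dict, Iterable, List, Tuple

Obs = Dict[str, int]                  # observation f: variable -> value
Event = Tuple[Fraction, Obs, Obs]     # gamma_i = (delta_i, f_i, f'_i)


def is_timed_event_sequence(gamma: List[Event]) -> bool:
    """Consecutive events must chain: f_{i+1} = f'_i for 0 <= i < k-1."""
    return all(gamma[i + 1][1] == gamma[i][2] for i in range(len(gamma) - 1))


def breakpoints(gamma: List[Event]) -> List[Fraction]:
    """Delta_0 = 0 and Delta_i = sum_{j<i} delta_j for 1 <= i <= k."""
    deltas = [Fraction(0)]
    for delta, _, _ in gamma:
        deltas.append(deltas[-1] + delta)
    return deltas


def f_gamma(gamma: List[Event], t: Fraction) -> Obs:
    """F_gamma(t) = f_i for t in [Delta_i, Delta_{i+1}); F_gamma(Delta_k) = f'_{k-1}."""
    deltas = breakpoints(gamma)
    if not 0 <= t <= deltas[-1]:
        raise ValueError("t lies outside [0, Delta_k]")
    if t == deltas[-1]:
        return gamma[-1][2]
    for i, (_, f_i, _) in enumerate(gamma):
        if deltas[i] <= t < deltas[i + 1]:
            return f_i
    raise AssertionError("unreachable: t is inside [0, Delta_k)")


def restricted(gamma: List[Event], variables: Iterable[str]):
    """Normal form of F_gamma restricted to `variables`: merged (start, value)
    pieces, the value at Delta_k, and Delta_k itself.  Two restricted
    observation functions are equal iff their normal forms are equal."""
    keep = sorted(variables)
    deltas = breakpoints(gamma)
    pieces: List[Tuple[Fraction, tuple]] = []
    for i, (delta, f_i, _) in enumerate(gamma):
        if delta == 0:
            continue                     # [Delta_i, Delta_{i+1}) is empty
        value = tuple(f_i[v] for v in keep)
        if pieces and pieces[-1][1] == value:
            continue                     # same value as the piece before: merge
        pieces.append((deltas[i], value))
    return pieces, tuple(gamma[-1][2][v] for v in keep), deltas[-1]


def timed_implements(traces_a: List[List[Event]], traces_b: List[List[Event]],
                     inputs_b: Iterable[str], outputs_b: Iterable[str]) -> bool:
    """A <=_L B: every trace of A, restricted to I_B u O_B, is a trace of B."""
    vars_b = set(inputs_b) | set(outputs_b)
    return all(any(restricted(ga, vars_b) == restricted(gb, vars_b)
                   for gb in traces_b)
               for ga in traces_a)


def obs(**values: int) -> Obs:
    return dict(values)


# Constructed traces.  B: input i rises at time 2, output o follows at time 5.
GAMMA_B: List[Event] = [
    (Fraction(2), obs(i=0, o=0), obs(i=1, o=0)),
    (Fraction(3), obs(i=1, o=0), obs(i=1, o=1)),
    (Fraction(1), obs(i=1, o=1), obs(i=1, o=1)),
]
# A: same i/o behaviour plus an internal variable x that B does not observe.
GAMMA_A_OK: List[Event] = [
    (Fraction(1), obs(i=0, o=0, x=0), obs(i=0, o=0, x=1)),
    (Fraction(1), obs(i=0, o=0, x=1), obs(i=1, o=0, x=1)),
    (Fraction(3), obs(i=1, o=0, x=1), obs(i=1, o=1, x=0)),
    (Fraction(1), obs(i=1, o=1, x=0), obs(i=1, o=1, x=0)),
]
# A: output o rises at time 3, which no trace of B does.
GAMMA_A_BAD: List[Event] = [
    (Fraction(2), obs(i=0, o=0, x=0), obs(i=1, o=0, x=0)),
    (Fraction(1), obs(i=1, o=0, x=0), obs(i=1, o=1, x=0)),
    (Fraction(3), obs(i=1, o=1, x=0), obs(i=1, o=1, x=0)),
]


def demo() -> Tuple[bool, bool]:
    assert all(map(is_timed_event_sequence, (GAMMA_B, GAMMA_A_OK, GAMMA_A_BAD)))
    ok = timed_implements([GAMMA_A_OK], [GAMMA_B], inputs_b=["i"], outputs_b=["o"])
    bad = timed_implements([GAMMA_A_OK, GAMMA_A_BAD], [GAMMA_B], ["i"], ["o"])
    return ok, bad       # (True, False)
```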

2.2.3.3 Assumes-Guarantees Verification.

Timed simulation verification involves generating timed process models of the environment and composing them with timed process models
of the desired system and reasoning about their behavior together. Consequently, the behavior of
the system depends on the behavior of the environment which depends on the behavior of the
system in a circular fashion. To break this circular chain of dependency an assumes-guarantees
proof methodology is adopted. The methodology depends on the fact that a composed process is an
implementation of each of its components (i.e., $A\|B \preceq_S A$). This fact is used to make assumptions
about the rest of the system's behavior when trying to determine if a component (the one being


designed) satisfies a more abstract specification of its own behavior. Composed timed processes
must be nonblocking for a consistent assumes-guarantees proof methodology.
A timed process $A = (S, S^0, X, O, I, \alpha, \mu, E)$ is nonblocking iff

$$\forall\, \sigma \in \Sigma_A,\ (\delta, f, f') \in \Gamma_A\,[\sigma \xrightarrow{(\delta,f,f')} \Rightarrow \forall\, (\delta, g, g') \in \Gamma_A\,[g(O) = f(O) \wedge g'(O) = f'(O) \Rightarrow \sigma \xrightarrow{(\delta,g,g')}]]$$

Intuitively, this means that nonblocking processes should be able to generate a trace regardless of the sequence of input events. In this case, if after $\delta$ time passes $A$ updates its output from $f(O)$ to $f'(O)$ and at the same time the environment updates the inputs from $g(I)$ to $g'(I)$, there must be an edge in $E$ from $\sigma$ to a state for $(\delta, g, g')$'s input condition with consistent output. Hence the updating of $O$ is independent from $I$, and there must be an edge to a state allowing them to be independent. Generally, nonblocking requires defining edges for all possible input conditions from all possible states (GSSAL94).

Definition 13. Assumes-Guarantees Rule. Given nonblocking timed processes $A, B, C, D \in \mathcal{TP}$:

$$((A\|D \preceq_L C) \wedge (C\|B \preceq_L D)) \Rightarrow A\|B \preceq_L C\|D$$

The assumes-guarantees rule says that proving $A$ is a refinement of $C$ assuming that the environment behaves like $D$ and proving that $B$ is a refinement of $D$ assuming that the environment behaves like $C$ establishes that $A\|B \preceq_L C\|D$. The assumes-guarantees rule does not hold for blocking processes, and it does not hold if $\preceq_S$ replaces $\preceq_L$. The rule also fails if time predicates defining open sets are used; i.e., strict inequalities like $k < 5$ or $k > 5$ cannot be used in state invariants $\alpha(\sigma)$ or edge clock predicates $\varphi$.

Timed simulation verification methodology using the assumes-guarantees rule is expensive in practice, requiring one or more processes to model the environment and at least $2n$ verifications and $3n$ timed process models for $n$-process compositions ($n > 2$). For example, given the structure of the 3-process system (including the environment processes) shown in Figure 3, where there are two timed process models for each of the three components, one concrete (e.g., $X_c$) and one abstract (e.g., $X_a$), the problem is to decide whether or not the composition of the concrete models refines the abstract composition. Three full-size verifications must be done.
[Figure 3. Assumes-Guarantees Example: components X, Y and Z related by $\preceq_S$ and $\preceq_L$.]

In this case, to conclude $X_c\|Y_c\|Z_c \preceq_L X_a\|Y_a\|Z_a$, the verifications $X_c\|Y_a\|Z_a \preceq_L X_a\|Y_a\|Z_a$, $X_a\|Y_c\|Z_a \preceq_L X_a\|Y_a\|Z_a$, and $X_a\|Y_a\|Z_c \preceq_L X_a\|Y_a\|Z_a$ must all be successful. In practice, the combined state space of both the concrete and abstract compositions is too large and the verification takes too long, so a single abstract process is developed to represent the behavior of all of the other systems in the composition (i.e., the environment from the perspective of any one of the abstract processes in the composition), and it is used to reduce the state space of the verification problem. For example, process models $XY$, $YZ$, and $XZ$ modeling the environments $X_a\|Y_a$, $Y_a\|Z_a$, and $X_a\|Z_a$ are needed, and the verifications $X_c\|YZ \preceq_L X_a\|YZ$, $Y_c\|XZ \preceq_L Y_a\|XZ$, and $Z_c\|XY \preceq_L Z_a\|XY$ are required. These verifications are valid only if the environmental abstractions are correct, so $X_a\|Y_a \preceq_L XY$, $Y_a\|Z_a \preceq_L YZ$, and $X_a\|Z_a \preceq_L XZ$ must also be verified. This requires a total of 6 verifications and 9 different timed process models to verify a 3-element composition.
When any model changes, every verification involving it must be redone. If an abstract
model changes then at least n verifications must be redone, but if a concrete model changes,
only 1 verification need be redone. Unfortunately, the most difficult models to construct are the
abstraction models, and the assumes-guarantees methodology requires more abstract models than
concrete models. Clearly, when models are subject to change frequently, as they are in most design
and verification projects, assumes-guarantees verification is a significant effort.

Additionally, the timed COSPAN tool does not calculate the simulation relation; rather, the
user must input a map from location to location and COSPAN checks to see if the mapping is a
simulation relation. Commenting on this, the COSPAN users desire a capability for automatically
generating the simulation relation or checking if there is an initialized one without generating
it (TAKB96). They also describe the process of generating accurate abstract models as an iterative
process; hence the $2n$ verifications were redone many times, and each time they had to supply the
appropriate simulation relation.

2.2.3.4 Timed Simulation and Assumes-Guarantees Summary.

The timed process formalism is more powerful than TCCS agents and CTR processes because it resolves the problem of
expressing timing relationships between any two actions by resetting clocks and referencing them in
clock predicates. Timed process definitions are quite complicated because they use state functions
to define outputs and invariants, and they use sequences of events to define process semantics.
The nonblocking property required for the assumes-guarantees rule also makes it difficult to
create simple timed process models. In order to be consistent in all verification contexts, the model
must define behavior for all inputs for all states for all times to ensure that the nonblocking property
holds. In contrast to CTR refinement, this means that input behaviors are not refined at all; they
must be continuously specified. This is like trying to formally define and derive programs and
subprograms using preconditions, postconditions, and Dijkstra calculus, but the only precondition
allowed is the weakest of all—i.e., true (Dro89).
Clearly, to simplify the modeling burden, and to distribute the burden of verification rationally, something besides weakening the input constraints in implementations (as in CTR refinement)
or specifying all inputs in all states for all time (as in the assumes-guarantees methodology) must be
done. A way to factor the timing properties of the environment into the verification process without
having to build many different models of the environment from each component's perspective must
be found.


2.3 Summary

This chapter introduced and defined several example formalisms for modeling and reasoning about the "equivalent" behavior of concurrent systems. Some formalisms cannot express the relationship between time and behavior at all, while others that can are very complicated and hard to
define. Some equivalence relationships between models in those formalisms are strong and preserve
properties, but they do not give the designers enough freedom to design efficiently. Other weaker
relationships give designers structural and behavioral freedom to design and specify more efficient
implementations, but they do not necessarily preserve all possible properties.
Untimed CCS agents are not expressive enough to capture the relationship between time passing and action, and the equivalence relations bisimulation and weak-bisimulation between agents
are not loose enough to give designers the freedom they need to design efficiently.
The untimed partial order relation Logic Conformance provides a significantly more practical
notion of "equivalence" between untimed CCS agents but it does not generally preserve modal-logic
or $\mu$-calculus properties.
The three representative timed modeling formalisms Timed Calculus of Communicating Systems (TCCS), Calculus of Timed Refinement (CTR), and timed processes have some expressiveness
problems:

• Upper and lower time bounds (bi-bounded delays) are difficult to define in TCCS.
• The maximal-progress semantic leap from two processes waiting individually to perform their
actions to cooperating processes that cannot wait to perform their cooperative actions is a
fidelity problem for both TCCS and CTR.
• General temporal relationships between actions that do not sequentially follow each other are
impossible to express in TCCS and CTR.


• Timed processes support expressing general temporal relationships between actions, but they
are quite complicated because they use state functions to define outputs and invariants, and
sequences of events to define process semantics.
This chapter referenced the timed "equivalence" relationships timed bisimulation and weak
timed bisimulation for TCCS agents. It defined the timed "equivalence" relationships: CTR refinement for CTR agents; and timed-simulation and timed implementation between timed processes.
It also described, defined, and critiqued the assumes-guarantees verification methodology used
with the most expressive formalism—timed processes. At-best the most expressive and practical
modeling and verification task is formidable because of the circular dependencies between the environment and the system inherent in the assumes-guarantees verification methodology. The iterative
nature of generating accurate abstractions and using them to simplify verification computations
forces one to always consider the entire system in the verification or reaccomplish many "equivalence" checks to verify the verification. And, the most advanced tool, COSPAN, requires the user
to supply an untimed simulation relation between the states of the systems being compared instead
of directly computing it.
Designers need a "simple" modeling formalism that powerfully expresses the relationship
between behavior and time. There must be a way to factor the timing properties of the environment
into the verification process without building many different models of the environment and using
them to "verify the verification." Designers need a formal mathematical relationship that accurately
defines an acceptable implementation relation between models in a practical way that can be
computed efficiently without a lot of user input required.


III. Timed Safety Automata
The first step towards addressing the shortcomings revealed in Chapter II is choosing a simple and
expressive formalism as a timed model for concurrent systems. This chapter formally defines the
Timed Safety Automata (TSA) formalism used in this research to specify and model timed system
behavior. This TSA model is simpler than COSPAN timed processes, but at the same time it
suffers none of the expressiveness problems associated with untimed process algebras, TCCS and
CTR. The TSA formalism has been extensively studied and has been widely used. For a formal
exposition of TSA expressiveness and computational complexity see (AD94). In this research, a
flavor of TSA with both location and transition predicates and action-labeled transitions is used
to model digital circuits.
The chapter includes basic TSA definitions, TSA semantics, TSA modification rules, and
TSA parallel composition rules. The following TSA definition is based on Sokolsky's (SS95). It
supports a dense-time model of time with the non-negative real numbers $\mathbb{R} = [0, \infty)$, and time constants from the non-negative integers $\mathbb{Z} = \{0, 1, 2, \ldots\}$.

3.1 Basic TSA Definitions

Definition 14. TSA. Let $\mathcal{T}$ denote the set of TSA. Given

- clock: A clock $\xi$ is an $\mathbb{R}$-valued variable. Let $C$ be the set of clock variables.
- clock constraint: A clock constraint is an expression of the form $\xi\ R\ c$ where $\xi \in C$, $R \in \{<, \le, >, \ge\}$, and $c \in \mathbb{Z}$.
- clock assignment: Given the ordered set $\Xi = (\xi_1, \xi_2, \ldots, \xi_n) \subseteq C$, a clock assignment $\pi = (x_1, \ldots, x_n) \in \mathbb{R}^n$ is an instantiation of $\Xi$.
- idling: $\pi + d = (x_1 + d, \ldots, x_n + d)$, $d \in \mathbb{R}$.
- clock reset: Given $\eta \subseteq \Xi$, a clock reset $\pi[\eta := 0]$ projects a clock assignment $\pi$ to a new clock assignment where
  $$\pi[\eta := 0](\xi_i) = \begin{cases} 0 & (\xi_i \in \eta) \\ x_i & (\xi_i \notin \eta) \end{cases}$$
- region: A region $\rho$ is a connected subset of $\mathbb{R}^n$ formed by a conjunction of clock constraints. Let $\mathfrak{R}$ be the set of regions in $\mathbb{R}^n$.
- input action—name: $a \in A$.
- output action—coname: $\bar{a} \in \bar{A}$, $\bar{\bar{a}} = a$ (also, $\bar{a} = a.$ in this work).
- Labels: $\mathbf{L} = A \cup \bar{A}$.
- $\tau \notin \mathbf{L}$ the invisible internal action.
- location: $(l, \rho_l)$, where $l$ is a unique location name, and $\rho_l$ is a past-closed region called a location invariant. A region $\rho$ is past-closed when it includes time 0; i.e., given that $p \le q \Leftrightarrow \forall\, i \in [1..n]\,[p_i \le q_i]$ then
  $$\forall\, p \in \rho\,[\forall\, d \in \mathbb{R}^n\,[0 \le d \le p \Rightarrow d \in \rho]]$$
  Note that only clock constraints with $R \in \{<, \le\}$ result in past-closed regions.

A TSA $T \in \mathcal{T}$ is a 5-tuple $T = (\mathcal{L}, Act, \Xi, (l_0, \rho_0), \mapsto)$, where

- $\mathcal{L}$ is a finite set of locations.
- $Act = \mathbf{L} \cup \{\tau\}$ is a set of actions ranged over by $\alpha$.
- $\Xi \subseteq C$ is a set of $n$ $\mathbb{R}$-valued clocks.
- $(l_0, \rho_0) \in \mathcal{L}$ is the start location, where initially $\pi = \vec{0} \in \rho_0$.
- $\mapsto \subseteq \mathcal{L} \times Act \times \mathfrak{R} \times \mathcal{P}(\Xi) \times \mathcal{L}$ is a transition relation, where each transition is labeled by an action, a region (called a guard), and a set of clocks that are reset to 0 when the transition occurs (note $\mathcal{P}(\Xi)$ denotes the powerset of $\Xi$).
Transition guards are derived from clock constraints, and they are interpreted as necessary conditions for the transition to occur. Location invariants are also derived from clock constraints, and they restrict the amount of time the automata can stay in the associated location. Location invariants are therefore interpreted as sufficient conditions to cause a transition to occur (HNSY94:209). They cause transitions to occur when time passing forces a change of location to avoid $\pi \notin \rho_l$. Location invariants are also necessary conditions for the TSA to be in the associated location. Unspecified (empty) guards and invariants are defined to be the region $\mathbb{R}^n$ (always satisfied). Informally, TSA operate by taking instantaneous transitions from location to location. When no transitions occur, TSA idle in a location $(l, \rho_l)$ passing time by incrementing all clocks $x_i \in \pi$ by $d \in \mathbb{R}$ such that $l$'s location invariant is satisfied—i.e., $\pi + d \in \rho_l$. Without loss of generality, only
non-Zeno TSA are considered. Non-Zenoness is a liveness condition that asserts time can always
progress (HNSY94:203). No generality is lost by excluding Zeno automata because any well-formed
Zeno TSA can be transformed to a non-Zeno one by strengthening invariants. Non-Zeno automata
consistently model the fact that time relentlessly progresses.

3.2 TSA Semantics

The semantics of TSA are defined via Dense Labeled Transition System (DLTS) automata with uncountable state sets.

Definition 15. TSA Semantics. Let $\mathcal{D}$ denote the set of DLTS automata. Every TSA $T = (\mathcal{L}, Act, \Xi, (l_0, \rho_0), \mapsto)$ induces a DLTS automaton $D = (S, Act, \rightarrow, (l_0, \vec{0}))$ such that:

- $S$ is a set of timed states defined by the following rule:
  $$\forall\, (l, \rho_l) \in \mathcal{L}\,[\pi \in \rho_l \Rightarrow (l, \pi) \in S] \qquad (5)$$
  $S_I \subseteq S$ and $S_S \subseteq S$ are sometimes used to distinguish between the implementation and specification DLTS state spaces.
- $Act = \mathbf{L} \cup \{\tau\}$ a set of actions ranged over by $\alpha$.
- $(l_0, \vec{0})$ the start state assigning 0 to every clock.
- $\rightarrow \subseteq S \times (Act \cup \mathbb{R}) \times S$ is a transition relation defined by the following two rules:
  $$(l, \rho_l) \overset{\alpha,\rho,\eta}{\mapsto} (l', \rho_{l'}) \wedge \pi \in \rho \wedge \pi \in \rho_l \wedge \pi[\eta := 0] \in \rho_{l'} \;\Rightarrow\; (l, \pi) \xrightarrow{\alpha} (l', \pi[\eta := 0]) \qquad (6)$$
  $$(l, \rho_l) \in \mathcal{L} \wedge \delta \in \mathbb{R} \wedge \pi, \pi + \delta \in \rho_l \;\Rightarrow\; (l, \pi) \xrightarrow{\delta} (l, \pi + \delta) \qquad (7)$$

In Rule 6, DLTS $D$ transitions from location $l$ to $l'$ via action $\alpha$. No time passes, but all clocks in $\eta \subseteq \Xi$ are reset to 0. Clock assignment $\pi$ must satisfy both $\rho_l$ and $\rho$, and clock reset $\pi[\eta := 0]$ must satisfy $\rho_{l'}$. Under rule 6, timed state $(l', \pi[\eta := 0])$ is a transition successor of timed state $(l, \pi)$. In Rule 7, DLTS $D$ stays in location $l$ with time delay $\delta$ if both $\pi$ and $\pi + \delta$ satisfy $\rho_l$. Under rule 7, timed state $(l, \pi + \delta)$ is a time successor of timed state $(l, \pi)$.
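The TSA tuple of Definition 14 and the DLTS rules (6) and (7) of Definition 15, as an added Python example that is not part of the dissertation. It models a bi-bounded delay element (input a, output spelled a! as this example's coname convention, delay in [MIN_D, MAX_D] with constructed bounds 2 and 5) and probes when the output transition is enabled and when the location invariant forbids further idling; these names and values are the example's own assumptions.

```python
# Added example: the TSA of Definition 14 and DLTS rules (6)/(7) of
# Definition 15 in Python.  Not the dissertation's code; the delay element
# below, its bounds, and the "a!" coname spelling are this example's own.
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, FrozenSet, List, Optional, Tuple

Constraint = Tuple[str, str, int]        # clock constraint (clock, R, c)
Region = Tuple[Constraint, ...]          # conjunction of constraints; () is R^n
Assignment = Dict[str, Fraction]         # clock assignment pi
State = Tuple[str, Assignment]           # timed state (l, pi)

_REL = {"<": lambda x, c: x < c, "<=": lambda x, c: x <= c,
        ">": lambda x, c: x > c, ">=": lambda x, c: x >= c}


def satisfies(pi: Assignment, rho: Region) -> bool:
    """pi in rho: every conjunct xi R c holds under pi."""
    return all(_REL[rel](pi[clock], c) for clock, rel, c in rho)


def past_closed(rho: Region) -> bool:
    """Only constraints with R in {<, <=} give past-closed regions (Def. 14)."""
    return all(rel in ("<", "<=") for _, rel, _ in rho)


def idle(pi: Assignment, d: Fraction) -> Assignment:
    """pi + d: every clock advances by d."""
    return {clock: x + d for clock, x in pi.items()}


def reset(pi: Assignment, eta: FrozenSet[str]) -> Assignment:
    """pi[eta := 0]: clocks in eta become 0, the others keep their value."""
    return {clock: (Fraction(0) if clock in eta else x) for clock, x in pi.items()}


@dataclass(frozen=True)
class Transition:
    src: str
    action: str                          # "a" input, "a!" output, "tau" internal
    guard: Region
    resets: FrozenSet[str]
    dst: str


@dataclass
class TSA:
    clocks: Tuple[str, ...]
    invariants: Dict[str, Region]        # location l -> rho_l
    start: str
    transitions: List[Transition]

    def __post_init__(self) -> None:
        bad = [loc for loc, rho in self.invariants.items() if not past_closed(rho)]
        if bad:
            raise ValueError(f"location invariants are not past-closed: {bad}")

    def initial_state(self) -> State:
        return self.start, {c: Fraction(0) for c in self.clocks}

    def delay(self, state: State, delta: Fraction) -> Optional[State]:
        """Rule (7): (l, pi) --delta--> (l, pi + delta) iff pi, pi + delta in rho_l."""
        loc, pi = state
        later = idle(pi, delta)
        if satisfies(pi, self.invariants[loc]) and satisfies(later, self.invariants[loc]):
            return loc, later
        return None                      # the invariant forbids waiting that long

    def step(self, state: State, action: str) -> List[State]:
        """Rule (6): all (l', pi[eta := 0]) reachable from (l, pi) by `action`."""
        loc, pi = state
        successors = []
        for t in self.transitions:
            if t.src != loc or t.action != action:
                continue
            after = reset(pi, t.resets)
            if (satisfies(pi, t.guard) and satisfies(pi, self.invariants[loc])
                    and satisfies(after, self.invariants[t.dst])):
                successors.append((t.dst, after))
        return successors


MIN_D, MAX_D = 2, 5                      # constructed delay bounds

# Bi-bounded delay element: input a starts clock k; output a! may happen once
# k >= MIN_D and, because of the invariant k <= MAX_D, must happen by MAX_D.
DELAY = TSA(
    clocks=("k",),
    invariants={"idle": (), "pending": (("k", "<=", MAX_D),)},
    start="idle",
    transitions=[
        Transition("idle", "a", (), frozenset({"k"}), "pending"),
        Transition("pending", "a!", (("k", ">=", MIN_D), ("k", "<=", MAX_D)),
                   frozenset(), "idle"),
    ],
)


def scenario():
    """Input a at time 1; probe when a! is enabled and when idling is blocked."""
    s0 = DELAY.initial_state()
    s1 = DELAY.delay(s0, Fraction(1))
    (s2,) = DELAY.step(s1, "a")                                  # k := 0
    too_early = DELAY.step(DELAY.delay(s2, Fraction(1)), "a!")   # k = 1 < MIN_D
    in_window = DELAY.step(DELAY.delay(s2, Fraction(3)), "a!")   # MIN_D <= 3 <= MAX_D
    blocked = DELAY.delay(s2, Fraction(6))                       # k = 6 > MAX_D
    return s2, too_early, in_window, blocked
```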

3.3 TSA Modifications

As in process algebras, TSA transition relations can be modified to generate new TSA. The named process-algebra-style rules for generating new TSA are defined as follows:

Definition 16. TSA Modification Rules. Let $A \in \mathcal{T}$ and $L \subseteq \mathbf{L}$ (a set of labels), then $\forall\, \alpha \in Act$, $l \in \bar{A}$:

$$\text{Res:}\quad \frac{A \overset{\alpha,\rho,\eta}{\mapsto} A'}{A \setminus L \overset{\alpha,\rho,\eta}{\mapsto} A' \setminus L}\ (\alpha \notin L)$$

$$\text{Hid:}\quad \frac{A \overset{l,\rho,\eta}{\mapsto} A'}{A / L \overset{\tau,\rho,\eta}{\mapsto} A' / L}\ (l \in L \cup \bar{L})$$

$$\text{Rel:}\quad \frac{A \overset{\alpha,\rho,\eta}{\mapsto} A'}{A[f] \overset{f(\alpha),\rho,\eta}{\mapsto} A'[f]}$$

Rule Res deletes transitions by restricting the transition relation by a set of actions $L \subseteq \mathbf{L}$ (recall that $\mathbf{L}$ is the set of visible actions, not including $\tau$ or $\delta \in \mathbb{R}$). Only actions not in $L$ remain in $(A \setminus L)$'s transition relation.

Rule Hid turns output actions into hidden actions ($\tau$'s). This rule makes it impossible for other TSA to interface with $A/L$ using $l$. Hid does not delete any transitions from $A$; it just relabels outputs whose name or coname are members of $L$. Hid is particularly important for internalizing the cooperative actions of parallel composed TSA as discussed in Section 3.4.

Rule Rel relabels transitions. The change is specified by a function $f : \mathbf{L} \to \mathbf{L}$, where the convention is to specify $f$ by a list of label pairs (new, old) relating old labels of $A$ with the new labels of $A[f]$. Relabeling does not change inputs into outputs or vice-versa; i.e., for $n, o \in \mathbf{L}$ and $(n, o)$ a relabeling specification pair, $f(\bar{o}) = \bar{n}$ and $f(o) = n$.

3.4 Parallel TSA Composition
Specifying the behavior of complex implementations as single flat TSA is too tedious. Generally, in hardware and software design processes, systems are built and understood hierarchically;
i.e., the entire system is composed of subsystems, which are composed of sub-subsystems, which
are composed of sub-sub-subsystems, ..., until at the lowest level of abstraction simple well defined
design primitives are used. Modern structured analysis leads to hierarchical software systems, and
the design primitives are typically programming language statements or library functions and procedures. The process is similar for hardware systems, except that the primitives are logic gates,


transistors, or standard cells. Logically, designers usually think of the components functioning in
parallel, generally independent of each other except for the specific dependencies implied by their
connections with each other. However, if the system is a software system on a uniprocessor, the
actual processes may run serially or in a time-sharing environment.
Figures 4 and 5 show the schematic for a C-element implementation and a corresponding
Timed Logic Conformance System (TLCS) parallel TSA specification.

[Figure 4. C-element Schematic.]

% C-element: three 2-input Ands feeding one 3-input Or; [new,old] pairs rename
% each gate's default signal names, and [ab,ac,bc] are the hidden internal wires.
tsa([c_elt000,AndMin,AndMax,OrMin,OrMax],CE) :-
    parallel([[[and000,AndMin,AndMax],[[ab,c]]],
              [[and000,AndMin,AndMax],[[c,b],[ac,c]]],
              [[and000,AndMin,AndMax],[[b,a],[c,b],[bc,c]]],
              [[or0000,OrMin,OrMax],[[ab,a],[ac,b],[bc,c],[c,d]]]],
             [ab,ac,bc],
             CE).

Figure 5. Parallel C-element Example.

The C-element is composed of three 2-input Ands, and a single 3-input Or. The timing of
the And and Or TSA are specified with the variables AndMin, AndMax and OrMin, OrMax. The
list of pairs following each component instantiation (e.g., [new, old]) rename the default input and
output names to the new names in the circuit. The list of names following the list of components
(i.e., [ab, ac, bc]) are the hidden internal connections of the C-element; they are not available
for connection to the world outside of the C-element, and they become the internal $\tau$ actions of the
C-element component.


Formally, the relationship between the parallel TSA definition and the definitions of its components is as follows:

Definition 17. Parallel TSA. Let $T_P = (\mathcal{L}_P, Act_P, \Xi_P, (l_0, \rho_0)_P, \mapsto_P)$ be the parallel TSA constructed of $n$ TSA, each distinctly denoted by $T_i = (\mathcal{L}_i, Act_i, \Xi_i, (l_0, \rho_0)_i, \mapsto_i)$; then,

$$\mathcal{L}_P \subseteq \mathcal{L}_1 \times \mathcal{L}_2 \times \ldots \times \mathcal{L}_n \qquad (8)$$
$$Act_P \subseteq \bigcup_{i \in \{1 \ldots n\}} Act_i \qquad (9)$$
$$\Xi_P \subseteq \bigcup_{i \in \{1 \ldots n\}} \Xi_i \qquad (10)$$
$$(l_0, \rho_0)_P = ((l_0, \rho_0)_1, (l_0, \rho_0)_2, \ldots, (l_0, \rho_0)_n) \qquad (11)$$
$$\mapsto_P \subseteq \mathcal{L}_P \times Act_P \times \mathfrak{R} \times \mathcal{P}(\Xi_P) \times \mathcal{L}_P \qquad (12)$$

The locations of the parallel TSA (elements of the set $\mathcal{L}_P$) are denoted by a sequence of locations of its subcomponents called a location vector. The initial location vector of the parallel TSA $(l_0, \rho_0)_P$ consists of the initial locations of every component. Except for the initial location vector, $T_P$'s definition is not complete; the exact subsets are defined inductively based on the initial location, subcomponent definitions, and the Definition 18 named rules governing communication between $T_P$'s subcomponents. Parallel TSA location vector invariants are logically the intersection of time regions formed by conjuncting the clock constraints of the sub-component location invariants. The transition relation $\mapsto_P$ is derived from the transition relations of the subcomponents using the rules starting from the initial location vector $(l_0, \rho_0)_P$. The set of actions of the parallel composition $Act_P$ is also derived from $\bigcup Act_i$ as defined by induction over the rules. Reached location vectors are added to set $\mathcal{L}_P$, and new actions possible from added locations are added to set $Act_P$. Clocks referenced in added locations and new transitions are all included in set $\Xi_P$.


Definition 18. Parallel TSA Composition Rules. Let $i, j \in [1..n]$, $i \ne j$, $A \in \mathcal{L}_i$, $B \in \mathcal{L}_j$ be locations of two subcomponents in the parallel TSA $T_P$, with $\mathbf{L}_A$ and $\mathbf{L}_B$ the label sets (names and conames) of their TSA; then the sets of locations $\mathcal{L}_P$, actions $Act_P$, and transitions $\mapsto_P$ are defined inductively by the following rules, for all $\alpha \in Act$ and all input names $a$ with conames $\bar{a}$:

$$\text{Single1:}\quad \frac{A \overset{\alpha,\rho,\eta}{\mapsto} A'}{A\|B \overset{\alpha,\rho,\eta}{\mapsto}_P A'\|B}\ (\alpha, \bar{\alpha} \notin \mathbf{L}_B)$$

$$\text{Single2:}\quad \frac{B \overset{\alpha,\rho,\eta}{\mapsto} B'}{A\|B \overset{\alpha,\rho,\eta}{\mapsto}_P A\|B'}\ (\alpha, \bar{\alpha} \notin \mathbf{L}_A)$$

$$\text{Com1:}\quad \frac{A \overset{a,\rho_a,\eta_a}{\mapsto} A' \wedge B \overset{a,\rho_b,\eta_b}{\mapsto} B'}{A\|B \overset{a,\ \rho_a \cap \rho_b,\ \eta_a \cup \eta_b}{\mapsto}_P A'\|B'}$$

$$\text{Com2:}\quad \frac{A \overset{\bar{a},\rho_a,\eta_a}{\mapsto} A' \wedge B \overset{a,\rho_b,\eta_b}{\mapsto} B'}{A\|B \overset{\bar{a},\ \rho_a \cap \rho_b,\ \eta_a \cup \eta_b}{\mapsto}_P A'\|B'}$$

$$\text{Com3:}\quad \frac{A \overset{a,\rho_a,\eta_a}{\mapsto} A' \wedge B \overset{\bar{a},\rho_b,\eta_b}{\mapsto} B'}{A\|B \overset{\bar{a},\ \rho_a \cap \rho_b,\ \eta_a \cup \eta_b}{\mapsto}_P A'\|B'}$$

Output alphabets of the component TSA must be disjoint; i.e.,

$$\forall\, i, j \in [1..n]\,[i \ne j \Rightarrow (\bar{A}_i \cap \bar{A}_j) = \emptyset]$$

More than one component outputting the same action is considered an error and the composition
is not defined.
Although the parallel composition rules are specified for only two TSA locations at a time, they are commutative and associative¹ and extend by composing two TSA locations at a time to produce a new parallel TSA location which is again composed with the adjacent TSA locations until the composition is complete.

¹ The Boolean and set operations are all commutative and associative, and the rules are specified in symmetric pairs where necessary.


TSA locations $A$ and $B$ composed by rules Single1 and Single2 continue to perform internal actions and visible actions not in each other's language by name or coname. None of the actions for the gate-level TSA composed together in Figure 4 are independent of each other, so rules Single1 and Single2 do not induce any C-element transitions in this example.

Rule Com1 allows multiple TSA to input together. Whenever the parallel TSA is in a from-location where the locations of all components sharing a common input action $a$ can perform an $a$ action, there is a parallel TSA $a$ action to a to-location vector where all components sharing the $a$ action are updated to the to-locations of their $a$ transitions, and the non-$a$-capable component locations are equal in the from and to-location vectors. Receiver transition guards are conjuncted (i.e., their regions $\rho_a$ and $\rho_b$ are intersected), and reset sets are unioned together in the parallel action. This case is illustrated by the $a$-input shared by the top two Ands in Figure 4. Whenever both Ands (all receivers) are in a location that can perform an $a$, there is a parallel TSA $a$ action to the new location vector where both Ands (all $a$ receivers) move to their $a$-transition destination locations. If one or more receivers cannot perform the shared input action, no parallel transition is defined.

Rules Com2 and Com3 generate output actions when two or more TSA cooperate on an output and its complementary input action. Used with the Hid TSA modification rule, Com2 and Com3 internalize cooperative actions, turning them into $\tau$'s. When the parallel output action is not hidden, it remains an output of the composition. The unhidden case is illustrated by the Or's $\bar{c}$ output and the $c$-input shared by the bottom two Ands in Figure 4. Whenever all three gates are in a location where they can perform the $c$-$\bar{c}$ action, there is a parallel TSA $\bar{c}$ action where all three gates move to their $c$-$\bar{c}$-destination locations in the location vector. By convention, Com2 and Com3 keep the coname label; this supports building parallel TSA that can export an output that communicates to TSA in the parallel composition as well as those external to the composition. The hidden action case is illustrated by the top And $\overline{ab}$ output and the Or $ab$-input in Figure 4. Whenever the top And is in a location where it can perform the $\overline{ab}$ and the Or can perform the $ab$ action, there is a parallel TSA $\tau(ab)$ action where both gates move to their $ab$-$\overline{ab}$-destination locations in the location vector.

This formalization of parallel composition is synchronous since it does not allow the individual $\alpha$-actions of one component to occur independently of other components when they can also perform $\alpha$ or $\bar{\alpha}$. This means that they strongly influence each other's behavior, but it faithfully models the reality of hardware components connected by wires strongly influencing each other.
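The Definition 18 rules Single1/Single2, Com1 and Com2/Com3 applied one pair of locations at a time and folded over three components, followed by the Hid rule of Definition 16, as an added Python example that is not part of the dissertation. The gate fragment (two Ands sharing input a, the first And's ab output feeding the Or, the Or's c output feeding the second And), its guards, clocks and location names are constructed, and conames are spelled a! by this example's convention.

```python
# Added example: Definition 18's Single1/Single2, Com1, Com2/Com3 rules for one
# pair of locations, folded over n components, then Hid (Definition 16).
# Not the dissertation's code; the gate fragment below is constructed and the
# "a!" spelling of conames is this example's convention.
from typing import FrozenSet, List, NamedTuple, Set, Tuple

Constraint = Tuple[str, str, int]    # clock constraint (clock, R, c)
Region = Tuple[Constraint, ...]      # conjunction of constraints; () is R^n
TAU = "tau"


class Trans(NamedTuple):
    src: Tuple[str, ...]             # location vector, one entry per component
    action: str                      # input "a", output (coname) "a!", or TAU
    guard: Region
    resets: FrozenSet[str]
    dst: Tuple[str, ...]


class Comp(NamedTuple):
    loc: Tuple[str, ...]             # current location (vector)
    trans: List[Trans]               # transitions leaving loc
    labels: Set[str]                 # the component's names and conames


def is_output(action: str) -> bool:
    return action.endswith("!")


def coname(action: str) -> str:
    """a <-> a!; tau has no coname."""
    if action == TAU:
        return TAU
    return action[:-1] if is_output(action) else action + "!"


def independent(action: str, other_labels: Set[str]) -> bool:
    """Side condition of Single1/Single2: neither alpha nor bar(alpha) in L_other."""
    return action == TAU or {action, coname(action)}.isdisjoint(other_labels)


def compose(a: Comp, b: Comp) -> Comp:
    """Transitions of A||B at the location pair (a.loc, b.loc)."""
    loc = a.loc + b.loc
    out: List[Trans] = []
    for x in a.trans:                                        # Single1
        if independent(x.action, b.labels):
            out.append(Trans(loc, x.action, x.guard, x.resets, x.dst + b.loc))
    for y in b.trans:                                        # Single2
        if independent(y.action, a.labels):
            out.append(Trans(loc, y.action, y.guard, y.resets, a.loc + y.dst))
    for x in a.trans:
        for y in b.trans:
            if TAU in (x.action, y.action):
                continue
            com1 = x.action == y.action and not is_output(x.action)     # both input a
            com2 = is_output(x.action) and coname(x.action) == y.action  # A outputs
            com3 = is_output(y.action) and coname(y.action) == x.action  # B outputs
            if com1 or com2 or com3:
                label = y.action if com3 else x.action      # Com2/Com3 keep coname
                out.append(Trans(loc, label,
                                 x.guard + y.guard,         # guards conjoined
                                 x.resets | y.resets,       # reset sets unioned
                                 x.dst + y.dst))
    return Comp(loc, out, a.labels | b.labels)


def parallel(comps: List[Comp], hidden: Set[str]) -> Comp:
    """Fold the pairwise rules over all components, then hide `hidden` names."""
    seen = {}
    for i, c in enumerate(comps):                            # outputs must be disjoint
        for lab in filter(is_output, c.labels):
            if lab in seen:
                raise ValueError(f"components {seen[lab]} and {i} both output {lab}")
            seen[lab] = i
    p = comps[0]
    for c in comps[1:]:
        p = compose(p, c)
    hid = [t._replace(action=TAU)
           if t.action != TAU and (t.action in hidden or coname(t.action) in hidden)
           else t
           for t in p.trans]
    return Comp(p.loc, hid, p.labels)


def build_fragment() -> Comp:
    """Constructed: And1(a,b -> ab!), And2(a,c -> ac!), Or(ab,ac -> c!); hide ab."""
    k1, k2, k3 = frozenset({"k1"}), frozenset({"k2"}), frozenset({"k3"})
    and1 = Comp(("s1",), [
        Trans(("s1",), "a", (), k1, ("s1a",)),
        Trans(("s1",), "ab!", (("k1", ">=", 1), ("k1", "<=", 3)), frozenset(), ("s1o",)),
    ], {"a", "b", "ab!"})
    and2 = Comp(("s2",), [
        Trans(("s2",), "a", (), k2, ("s2a",)),
        Trans(("s2",), "c", (), k2, ("s2c",)),
    ], {"a", "c", "ac!"})
    or3 = Comp(("s3",), [
        Trans(("s3",), "ab", (), k3, ("s3ab",)),
        Trans(("s3",), "c!", (("k3", ">=", 1),), frozenset(), ("s3o",)),
    ], {"ab", "ac", "c!"})
    return parallel([and1, and2, or3], hidden={"ab"})
```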

3.5 Summary
This chapter formally defines a "simple" and expressive Timed Safety Automata (TSA) model
of computation. It includes basic TSA definitions, TSA semantics, rules for modifying TSA, and
rules and examples defining parallel TSA composition. TSA are well suited to modeling hardware
components because they do not suffer the deficiencies recognized in Chapter II.
This Mealy machine TSA model is simpler than the Moore machine COSPAN timed process
model because it does not define output by associating functions with locations, and it requires
about half of the rules CTR requires (10 vs. 21) to define model semantics and composition.
TSA suffer none of the expressiveness problems associated with untimed process algebras,
TCCS and CTR. Upper and lower time bounds (bi-bounded delays) are easily defined using TSA
location invariants and transition guards. The maximal-progress semantic leap (from two processes
waiting individually to perform their actions to cooperating processes that can not wait to perform
their cooperative actions) does not exist in the Definition 18 TSA parallel composition rules. And
general temporal relationships between actions that do not sequentially follow each other are easy
to express in TSA by resetting a clock and freely using clock predicates to define the relationship.


IV. Timed Logic Conformance
Following Ken Stevens' bisimulation-based Logic Conformance relation $\succeq$ (Ste94), this chapter defines a timed relation called Timed Logic Conformance (TLC, also written as $\sqsupseteq_t$) for Timed Safety Automata (TSA) based on DLTS semantics. TLC enforces a time-interval-based relationship between times when implementation actions can occur relative to specification actions. It also maintains $\succeq$'s partial order relationship between specification and implementation actions. TLC loosens the standard bisimulation-based strict timed-equivalence requirement formalized by Wang (Wan90), Čerāns (Cer92), Alur, Courcoubetis, Henzinger (ACH94), and others (LY93). Instead of strict timed-equivalence, a partial order relating the states of two systems over the time intervals when actions are enabled is defined. The partial order requires that implementation inputs are a timed superset of specification inputs¹, and that implementation outputs are a timed subset of specification outputs. For example, $\sqsupseteq_t$ will relate TSA implementation ($I$) and specification ($S$) such that $I \sqsupseteq_t S$ iff $I \succeq_t S$ and all output actions of $I$ occur within the time intervals observed for $S$'s output actions and all input actions of $S$ occur within the time intervals observed for $I$'s input actions.

TLC is different from other loose timed-refinement relations (ACD90, Dan92, CGL93, Cer95). In particular, $\sqsupseteq_t$ turns around the standard definition that typically requires implementation input actions to be a timed subset of specification input actions. This change is motivated by common sense that argues one cannot safely substitute an implementation that does not accept all of the inputs accepted by the specification. TLC does not require designers to specify behaviors for all possible inputs in all locations at all times and it allows implementations that accept more inputs than the specification. In contrast to the assumes-guarantees verification methodology, TLC supports declaring the input constraints of the specification and implementations and using them to decompose the problem into independent pieces in a simple and powerful way. It does not

¹ Exceptions to the $I \succeq_t S$ half of the TLC relationship are allowed under certain circumstances; see Def. 28.


require many different abstract models of each component's environment or iterating over extra
verifications to "verify the verification."
Before defining the TLC relation itself, the next section leads up to it by defining how to
abstract internal structural differences between TSA. Section 4.2 defines a weak timed bisimulation
equivalence relation that will be used later to show that TLC is a partial order. After that, Section 4.3 defines how to abstract temporal differences between TSA. Then Section 4.4 defines TLC,
and Section 4.5 explains an example. Section 4.6 compares TLC to other relations. Sections 4.7
and 4.8 define and prove the necessary properties of the TLC relation. Finally, Section 4.9 discusses
the TLC verification methodology.

4.1 Abstracting Internal Differences

As for $\approx$, internal behavior is abstracted into $\tau$-transitions, and internal state changes that are matched by a TSA staying in an equivalent state are ignored. Recall $\tau \in Act$ is a distinguished element of $Act$, and let hatted Greek letters like $\hat{\beta}$ formalize when $\tau$ actions may sometimes be matched by staying in the same state and passing zero time as follows:

Definition 19. $\tau$-abstraction: $\hat{a}$.
\[
\forall a \in Act \cup \mathbb{R} \quad \hat{a} = \begin{cases} 0, & \text{if } a = \tau \\ a, & \text{if } a \neq \tau \end{cases}
\]

To further loosen implementation and specification action-matching requirements, the transition relations of the systems are extended by transitively closing them over certain action sequences.

Definition 20. $\tau$-closure: $P \xRightarrow{a} Q$. A DLTS transition relation $R \subseteq (S \times (Act \cup \mathbb{R}) \times S)$ is $\tau$-transitive if whenever
\[
P (\xrightarrow{\tau})^* \xrightarrow{a} (\xrightarrow{\tau})^* Q \;\wedge\; a \in Act \cup \mathbb{R} \quad\vee\quad
P \xrightarrow{\delta_1} (\xrightarrow{\tau})^* \xrightarrow{\delta_2} Q \;\wedge\; a = \delta_1 + \delta_2
\]
exists in $R$ then $P \xrightarrow{a} Q$ also exists in $R$.
The $\tau$-closure of a DLTS transition relation $R \subseteq (S \times (Act \cup \mathbb{R}) \times S)$ is the relation $R'$ such that
1. $R'$ is $\tau$-transitive.
2. $R' \supseteq R$.
3. For any $\tau$-transitive relation $R''$, $R'' \supseteq R \Rightarrow R'' \supseteq R'$.
Transitions from state $P$ to state $Q$ by action $a$ in $\tau$-closure are denoted by $P \xRightarrow{a} Q$. The predicate $P \xRightarrow{a}$ is true when there is at least one transition from state $P$ via action $a \in Act \cup \mathbb{R}$. No actions are time abstracted in $\tau$-closure, but the $\tau$-closure relation models tau-abstracted actions. The $\tau$-closure is used to extend transition relations and ignore internal actions resulting from structural differences that do not matter.

4.2 Weak Timed Bisimulation

Weak Timed Bisimulation is an equivalence relation for DLTS automata that will shortly be used to show that Timed Logic Conformance is a partial order.

Definition 21. Weak Timed Bisimulation: $\mathcal{W}$.
A binary relation $\mathcal{W} \subseteq S_I \times S_S$ over DLTS automata states is a weak timed bisimulation between two DLTS's $(S_I, Act_I, \rightarrow_I, (l_0,\pi_0)_I)$ and $(S_S, Act_S, \rightarrow_S, (l_0,\pi_0)_S)$, iff
\[
\forall (I,S) \in \mathcal{W}, \gamma \in Act \cup \mathbb{R}\,[
\]
\[
\forall S'\,[S \xrightarrow{\gamma} S' \Rightarrow \exists I'\,[I \xRightarrow{\hat\gamma} I' \wedge (I',S') \in \mathcal{W}]] \;\wedge \quad (13)
\]
\[
\forall I'\,[I \xrightarrow{\gamma} I' \Rightarrow \exists S'\,[S \xRightarrow{\hat\gamma} S' \wedge (I',S') \in \mathcal{W}]]\,] \quad (14)
\]

Some properties of weak timed bisimulation are preserved by various operations on relations over DLTS state spaces. Let the identity $Id$, converse $\mathcal{R}^{-1}$ of a binary relation $\mathcal{R}$, and the composition $\mathcal{R}_1\mathcal{R}_2$ of binary relations be defined as follows:
\[
Id = \{(x,x) \mid x \in S\} \quad (15)
\]
\[
\mathcal{R}^{-1} = \{(x,y) \mid (y,x) \in \mathcal{R}\} \quad (16)
\]
\[
\mathcal{R}_1\mathcal{R}_2 = \{(p,r) \mid (p,q) \in \mathcal{R}_1 \wedge (q,r) \in \mathcal{R}_2\} \quad (17)
\]

Lemma 1 Assume that each $\mathcal{W}_i$ ($i = 1, 2, \ldots$) is a weak timed bisimulation; then the following relations are all weak timed bisimulations.

(1) $Id$ \quad (2) $\mathcal{W}_i^{-1}$ \quad (3) $\mathcal{W}_1\mathcal{W}_2$ \quad (4) $\bigcup_i \mathcal{W}_i$

Proof

1. $Id$: $\forall P \in S, \gamma \in Act \cup \mathbb{R}$, each transition $P \xrightarrow{\gamma} P'$ can be matched by itself in the superset transition relation $P \xRightarrow{\gamma} P'$, and $P \xrightarrow{\tau} P' \Rightarrow (P \xrightarrow{0} P \xrightarrow{\tau} P' \xrightarrow{0} P') \Rightarrow (P \xRightarrow{0} P \xRightarrow{\tau} P' \xRightarrow{0} P') \Rightarrow (P \xRightarrow{0} P') \Rightarrow P \xRightarrow{\hat\tau} P'$; therefore, $((P,P) \in Id \wedge P \xrightarrow{\gamma} P') \Rightarrow P \xRightarrow{\hat\gamma} P' \wedge (P',P') \in Id$, and therefore $Id$ is a weak timed bisimulation.
2. $\mathcal{W}_i^{-1}$: Given any weak timed bisimulation $\mathcal{W}_i$, $\forall (S,I) \in \mathcal{W}_i^{-1}, \gamma \in Act \cup \mathbb{R}$ all transitions $S \xrightarrow{\gamma} S'$ and $I \xrightarrow{\gamma} I'$ are matched by transitions $I \xRightarrow{\hat\gamma} I'$ and $S \xRightarrow{\hat\gamma} S'$ and $(S',I') \in \mathcal{W}_i^{-1}$; therefore $\mathcal{W}_i^{-1}$ is a weak timed bisimulation.
3. $\mathcal{W}_1\mathcal{W}_2$: Given two weak timed bisimulations $\mathcal{W}_1$ and $\mathcal{W}_2$, and the composition of those bisimulations $\mathcal{W}_1\mathcal{W}_2$, the proof proceeds by assuming $(P,Q) \in \mathcal{W}_1 \wedge (Q,R) \in \mathcal{W}_2 \wedge (P,R) \in \mathcal{W}_1\mathcal{W}_2$ and showing that for all possible actions that must be matched in Formulas 13 and 14 in Def. 21, the actions are matched across the composition and $(P',R') \in \mathcal{W}_1\mathcal{W}_2$.
(a) Formula 14: Since $\mathcal{W}_1$ is a weak timed bisimulation all transitions $P \xrightarrow{\gamma} P'$ are matched by transitions $Q \xRightarrow{\hat\gamma} Q'$.
i. $Q (\xrightarrow{\tau})^* Q^m \xrightarrow{\hat\gamma} Q^n (\xrightarrow{\tau})^* Q'$ (Def. 20, first disjunct): Since $\mathcal{W}_2$ is a weak timed bisimulation, according to Formula 14, every $Q^1$, $Q \xrightarrow{\tau} Q^1$ is matched by some $R^1$ such that $R \xRightarrow{\hat\tau} R^1 \wedge (Q^1,R^1) \in \mathcal{W}_2$. This is true inductively for more $\tau \in \tau^*$ and $Q^1 \cdots Q^m$ and $R^1 \cdots R^m$ according to Formula 14. According to Formula 14, whether $\hat\gamma = 0$ or $\hat\gamma = \gamma$, $Q^m \xrightarrow{\hat\gamma} Q^n$ is matched by some $R^n$ such that $R^m \xRightarrow{\hat\gamma} R^n \wedge (Q^n,R^n) \in \mathcal{W}_2$. Finally, by Formula 14 any sequence of $\tau$'s in $Q^n \xrightarrow{\tau} Q'$ is matched by $R^n \xRightarrow{\hat\tau} R' \wedge (Q',R') \in \mathcal{W}_2$. And, by Def. 20, $(R \xRightarrow{\hat\tau} R^m \xRightarrow{\hat\gamma} R^n \xRightarrow{\hat\tau} R') \Rightarrow R \xRightarrow{\hat\gamma} R'$.
ii. $Q \xrightarrow{\delta_1} Q^m (\xrightarrow{\tau})^* Q^n \xrightarrow{\delta_2} Q' \wedge \hat\gamma = \delta_1 + \delta_2$ (Def. 20, second disjunct): Since $\mathcal{W}_2$ is a weak timed bisimulation, according to Formula 14, $Q^m$, $Q \xrightarrow{\delta_1} Q^m$ is matched by some $R^m$ such that $R \xRightarrow{\delta_1} R^m \wedge (Q^m,R^m) \in \mathcal{W}_2$. Likewise, by Formula 14 any sequence of $\tau$'s in $Q^m \xrightarrow{\tau} Q^n$ is matched by $R^m \xRightarrow{\hat\tau} R^n \wedge (Q^n,R^n) \in \mathcal{W}_2$. Finally, Formula 14 ensures that all $Q'$, $Q^n \xrightarrow{\delta_2} Q'$ are matched by some $R'$ such that $R^n \xRightarrow{\delta_2} R' \wedge (Q',R') \in \mathcal{W}_2$. And, by Def. 20, $(R \xRightarrow{\delta_1} R^m \xRightarrow{\hat\tau} R^n \xRightarrow{\delta_2} R') \Rightarrow R \xRightarrow{\delta_1 + \delta_2} R'$.
Therefore, $R \xRightarrow{\hat\gamma} R' \wedge (P',R') \in \mathcal{W}_1\mathcal{W}_2$ by the definition of composition (Formula 17).
(b) Formula 13: By reasoning from right to left in the same way, all transitions $R \xrightarrow{\gamma} R'$ are matched by transitions $Q \xRightarrow{\hat\gamma} Q'$ and $P \xRightarrow{\hat\gamma} P' \wedge (P',R') \in \mathcal{W}_1\mathcal{W}_2$, so $\mathcal{W}_1\mathcal{W}_2$ is a weak timed bisimulation.
4. $\bigcup_i \mathcal{W}_i$: $\forall (I,S) \in \bigcup_i \mathcal{W}_i, \gamma \in Act \cup \mathbb{R}$ all transitions $S \xrightarrow{\gamma} S'$ and $I \xrightarrow{\gamma} I'$ are matched by transitions $I \xRightarrow{\hat\gamma} I'$ and $S \xRightarrow{\hat\gamma} S'$ from some $\mathcal{W}_j$ in the union and $(I',S') \in \mathcal{W}_j \Rightarrow (I',S') \in \bigcup_i \mathcal{W}_i$; therefore $\bigcup_i \mathcal{W}_i$ is a weak timed bisimulation. $\square$


Def. 21 does not uniquely identify a particular relation (e.g., $\emptyset$ is a weak timed bisimulation). The definition is strengthened here by referring to the largest weak timed bisimulation (i.e., maximal fixpoint) or union of weak timed bisimulations.

Definition 22. Weak Timed Bisimulation Maximum Fixpoint: $\mathcal{W}$.
Given two DLTS's $(S_I, Act_I, \rightarrow_I, (l_0,\pi_0)_I)$ and $(S_S, Act_S, \rightarrow_S, (l_0,\pi_0)_S)$,
\[
\mathcal{W} = \bigcup \{\mathcal{R} \in \mathcal{P}(S_I \times S_S) \mid \mathcal{R} \text{ is a weak timed bisimulation}\}
\]

Theorem 1 Given Def. 22, $\mathcal{W}$ is the largest weak timed bisimulation.
Proof
By Lemma 1(4), $\mathcal{W}$ is a weak timed bisimulation and by definition it includes any other such. $\square$
Now DLTS automata are related to one another using maximum weak timed bisimulations.

Definition 23. Weak Timed Bisimilar DLTS: $\approx$.
Two DLTS's $I = (S_I, Act_I, \rightarrow_I, (l_0,\pi_0)_I)$ and $S = (S_S, Act_S, \rightarrow_S, (l_0,\pi_0)_S)$ are weak timed bisimilar (written $I \approx S$) iff
\[
((l_0,\pi_0)_I, (l_0,\pi_0)_S) \in \mathcal{W}
\]

Theorem 2 Given Def. 22, $\approx$ is an equivalence relation.
Proof

1. Reflexivity: For any DLTS $P$, $P \approx P$ by Lemma 1(1) since $((l_0,\pi_0)_P, (l_0,\pi_0)_P) \in \mathcal{W}$.
2. Symmetry: For two DLTS $P$ and $Q$, $P \approx Q \Rightarrow Q \approx P$ since $((l_0,\pi_0)_P, (l_0,\pi_0)_Q) \in \mathcal{W} \Rightarrow ((l_0,\pi_0)_Q, (l_0,\pi_0)_P) \in \mathcal{W}^{-1}$ per Lemma 1(2).
3. Transitivity: For three DLTS $P$, $Q$, and $R$, $P \approx Q \wedge Q \approx R \Rightarrow P \approx R$ by Lemma 1(3) since $((l_0,\pi_0)_P, (l_0,\pi_0)_Q) \in \mathcal{W}_1 \wedge ((l_0,\pi_0)_Q, (l_0,\pi_0)_R) \in \mathcal{W}_2 \Rightarrow ((l_0,\pi_0)_P, (l_0,\pi_0)_R) \in \mathcal{W}_1\mathcal{W}_2$. $\square$
Now, the equivalence relation $\approx$ between DLTS is established. It relates two DLTS that are observationally equivalent with respect to their external actions despite the fact that they may have significantly different internal action sequences. Weak timed bisimulation does not yet allow the timing of two DLTS to vary.

4.3 Abstracting Temporal Differences

In order to allow the inputs of the implementation to be a timed superset of specification inputs, and the outputs of the specification to be a timed superset of implementation outputs, further abstraction operations are defined by closing transition relations over time-passing actions under certain conditions.

Definition 24. Input-$\delta$-$\tau$-Closure: $P \xRightarrow{a}_i Q$. A DLTS transition relation $R \subseteq (S \times (Act \cup \mathbb{R}) \times S)$ is input-$\delta$-$\tau$-transitive if whenever
\[
P (\xrightarrow{\tau})^* \xrightarrow{a} (\xrightarrow{\tau})^* Q \;\wedge\; a \in Act \cup \mathbb{R} \quad\vee
\]
\[
P \xrightarrow{\delta_1} (\xrightarrow{\tau})^* \xrightarrow{\delta_2} Q \;\wedge\; a = \delta_1 + \delta_2 \quad\vee
\]
\[
P \xrightarrow{\delta_1} \xrightarrow{a} \xrightarrow{\delta_2} Q \;\wedge\; a \in A,\ \delta_1, \delta_2 \in \mathbb{R}
\]
exists in $R$ then $P \xrightarrow{a} Q$ also exists in $R$.
The input-$\delta$-$\tau$-closure of a DLTS transition relation $R \subseteq (S \times (Act \cup \mathbb{R}) \times S)$ is the relation $R'$ such that
1. $R'$ is input-$\delta$-$\tau$-transitive.
2. $R' \supseteq R$.
3. For any input-$\delta$-$\tau$-transitive relation $R''$, $R'' \supseteq R \Rightarrow R'' \supseteq R'$.

Transitions from state $P$ to state $Q$ by action $a$ in input-$\delta$-$\tau$-closure are denoted by $P \xRightarrow{a}_i Q$. The predicate $P \xRightarrow{a}_i$ is true when there is at least one transition from state $P$ via action $a \in Act \cup \mathbb{R}$. Input-$\delta$-$\tau$-closure models time-and-tau-abstracted input actions. Outputs, $\tau$, and $\delta$ actions themselves are not time abstracted. Input-$\delta$-$\tau$-closure extends specification transition relations to match implementation behaviors, but it does not allow the timing of outputs, $\delta$'s, or $\tau$'s to vary.

Definition 25. Output-$\delta$-$\tau$-Closure: $P \xRightarrow{a}_o Q$. A DLTS transition relation $R \subseteq (S \times (Act \cup \mathbb{R}) \times S)$ is output-$\delta$-$\tau$-transitive if whenever
\[
P (\xrightarrow{\tau})^* \xrightarrow{a} (\xrightarrow{\tau})^* Q \;\wedge\; a \in Act \cup \mathbb{R} \quad\vee
\]
\[
P \xrightarrow{\delta_1} (\xrightarrow{\tau})^* \xrightarrow{\delta_2} Q \;\wedge\; a = \delta_1 + \delta_2 \quad\vee
\]
\[
P \xrightarrow{\delta_1} \xrightarrow{a} \xrightarrow{\delta_2} Q \;\wedge\; a \in \bar{A},\ \delta_1, \delta_2 \in \mathbb{R}
\]
exists in $R$ then $P \xrightarrow{a} Q$ also exists in $R$.
The output-$\delta$-$\tau$-closure of a DLTS transition relation $R \subseteq (S \times (Act \cup \mathbb{R}) \times S)$ is the relation $R'$ such that
1. $R'$ is output-$\delta$-$\tau$-transitive.
2. $R' \supseteq R$.
3. For any output-$\delta$-$\tau$-transitive relation $R''$, $R'' \supseteq R \Rightarrow R'' \supseteq R'$.
Transitions from state $P$ to state $Q$ by action $a$ in output-$\delta$-$\tau$-closure are denoted by $P \xRightarrow{a}_o Q$. The predicate $P \xRightarrow{a}_o$ is true when there is at least one transition from state $P$ via action $a \in Act \cup \mathbb{R}$. Output-$\delta$-$\tau$-closure models time-and-tau-abstracted output actions; i.e., the closure relation has additional output transitions when they occur in conjunction with time-passing or internal actions. Input, $\tau$, and $\delta$ actions are not time-abstracted, only tau-abstracted. Output-$\delta$-$\tau$-closure extends implementation transition relations to match the specification output behaviors, but it does not allow the timing of inputs, $\delta$'s, or $\tau$'s to vary.
In addition to the closures, the following two projections are defined. They are subsets of the DLTS transition relation $\rightarrow$. They define the sets of specification and implementation time-passing actions that must be subsets of each other's time actions, i.e., the $\rightarrow$ transitions leading to $\tau$'s and inputs or $\tau$'s and outputs respectively.

Definition 26. Input Projection: $\rightarrow_i$.
\[
\rightarrow_i \subseteq S \times \mathbb{R} \times S = \{((l,\pi_i), \delta, (l,\pi_j)) \mid ((l,\pi_i), \delta, (l,\pi_j)) \in \rightarrow \;\wedge\; \exists ((l,\pi_k), a, \_) \in \rightarrow\,[\pi_i \leq \pi_k \wedge \pi_j \leq \pi_k \wedge a \in A \cup \{\tau\}]\}
\]

Definition 27. Output Projection: $\rightarrow_o$.
\[
\rightarrow_o \subseteq S \times \mathbb{R} \times S = \{((l,\pi_i), \delta, (l,\pi_j)) \mid ((l,\pi_i), \delta, (l,\pi_j)) \in \rightarrow \;\wedge\; \exists ((l,\pi_k), \beta, \_) \in \rightarrow\,[\pi_i \leq \pi_k \wedge \pi_j \leq \pi_k \wedge \beta \in \bar{A} \cup \{\tau\}]\}
\]

The following example illustrates projections. If $X \xrightarrow{\delta} X' \xrightarrow{a} X''$, and only input $a$ is possible from $X'$, then $X \rightarrow_i X'$, but $X \nrightarrow_o X'$. However, if $X \xrightarrow{\delta} X' \xrightarrow{\bar a} X''$, then $X \nrightarrow_i X'$ and $X \rightarrow_o X'$.
Next, a predicate that allows implementation outputs to have tighter upper-bounds than
specification outputs is defined. It also relaxes the superset relationship between implementation
and specification inputs when simultaneous inputs and outputs are possible from the same location,
i.e., output timing constraints take precedence over input timing constraints when they conflict.
This is reasonable, because when the implementation must perform an output, it causes it to
happen. After that, whether or not the implementation's input behaviors satisfy the specification's
is determined by the TLC relation of the post-output to-locations.

Definition 28. Output-Bound: $ob$. $ob : S_I \times \mathbb{R} \times S_S \times \mathcal{P}(S_I \times S_S) \rightarrow \{t, f\}$ =
\[
ob(I, \delta, S, \mathcal{R}) \Leftrightarrow
\]
\[
I \overset{\delta}{\nRightarrow} \;\wedge \quad (18)
\]
\[
\exists \delta_1 \in \mathbb{R}, I' \in S_I, \beta \in \bar{A} \cup \{\tau\}\,[I \xRightarrow{\delta_1}_o I' \wedge I' \xrightarrow{\beta} \wedge \quad (19)
\]
\[
\forall \delta_2 > \delta_1, S' \in S_S, I'' \in S_I\,[S \xrightarrow{\delta_2} S' \Rightarrow ((I',S') \in \mathcal{R} \wedge \quad (20)
\]
\[
(I' \xRightarrow{\tau} I'' \Rightarrow (I'',S') \in \mathcal{R}))]] \quad (21)
\]

Conjunct 18 requires that the implementation cannot do $\delta$. Conjunct 19 requires the implementation system to be constrained by a location invariant to produce an output or $\tau$. Conjunct 20 ensures that future specification actions are matched by the implementation at the time it produces the output, and conjunct 21 specifies that there are no other future implementation locations that do not also match the specification's behavior (bisimulation).
Output-bound allows faster implementation outputs in TSA locations where both inputs and
outputs are possible. For example, output-bound allows us to accept an And with output delays
in [2,4] as an implementation of an And specification with delays [1,6]. Without output-bound,
only the lower bound of a delay could change, and in this example, only an And implementation
with an upper bound of 6 would satisfy TLC. Output-bound formalizes the notion that as long
as an implementation's output occurs within the bounds of the same output in the specification,
it can occur in accordance with a tighter location invariant even though the specification could
remain in its location longer and subsequently accept future inputs. Without this exception, TLC
generally cannot accept implementations with less output variation in locations where otherwise
unconstrained inputs are also possible. Modeling locations with both inputs and outputs possible
is important for accurate modeling of real systems as well as abstracting behavior into simpler
machines with fewer locations.


4.4 Defining Timed Logic Conformance
Based on the preceding definitions, the partial order that temporally and behaviorally relaxes weak timed bisimulation is defined as follows.
Definition 29. $\mathcal{LC}^t$. A binary relation $\mathcal{LC}^t \subseteq S_I \times S_S$ over DLTS automata states is a timed logic conformation between an implementation DLTS $(S_I, Act_I, \rightarrow_I, (l_0,\pi_0)_I)$ and specification DLTS $(S_S, Act_S, \rightarrow_S, (l_0,\pi_0)_S)$, iff
\[
\forall (I,S) \in \mathcal{LC}^t, a \in A, \beta \in \bar{A} \cup \{\tau\}, \delta \in \mathbb{R}\,[
\]
\[
\forall S'\,[S \xrightarrow{a} S' \Rightarrow \exists I'\,[I \xRightarrow{a}_o I' \wedge (I',S') \in \mathcal{LC}^t]] \;\wedge \quad (22)
\]
\[
\forall S'\,[S \xrightarrow{\beta} S' \Rightarrow \exists I'\,[I \xRightarrow{\hat\beta}_o I' \wedge (I',S') \in \mathcal{LC}^t]] \;\wedge \quad (23)
\]
\[
\forall I'\,[I \xrightarrow{a} I' \wedge S \xRightarrow{a} \Rightarrow \exists S'\,[S \xRightarrow{a}_i S' \wedge (I',S') \in \mathcal{LC}^t]] \;\wedge \quad (24)
\]
\[
\forall I'\,[I \xrightarrow{\beta} I' \Rightarrow \exists S'\,[S \xRightarrow{\hat\beta}_i S' \wedge (I',S') \in \mathcal{LC}^t]] \;\wedge \quad (25)
\]
\[
\forall S'\,[S \xrightarrow{\delta}_i S' \Rightarrow (\exists I'\,[I \xRightarrow{\delta}_o I' \wedge (I',S') \in \mathcal{LC}^t] \vee ob(I,\delta,S,\mathcal{LC}^t))] \;\wedge \quad (26)
\]
\[
\forall I'\,[I \xrightarrow{\delta}_o I' \Rightarrow \exists S'\,[S \xRightarrow{\delta}_i S' \wedge (I',S') \in \mathcal{LC}^t]]\,] \quad (27)
\]

Formulas 22 and 23 require the implementation to simulate the observable behaviors of the specification. The implementation has considerable freedom for matching the specification via the output-$\delta$-$\tau$-closure; it can match inputs ($a$) or internal specification actions ($\beta = \tau$) while doing its own internal actions; and it can pass time and/or execute internal actions of its own to match specification outputs ($\beta \neq \tau$). Formulas 24 and 25 require the specification to simulate observable behaviors of the implementation. Formula 24 weakens standard weak bisimulation by allowing implementations with irrelevant inputs (i.e., inputs that are not possible from specification state $S$) as long as there is a mapping from the relevant subset of the implementation's state space to the specification's state space, just as Stevens formalized without timing (Ste94). Formula 25 requires the specification to simulate all outputs and $\tau$'s of the implementation. Formula 26 ensures that all

specification time derivatives leading to specification inputs or $\tau$'s (i.e., those deltas where $S \rightarrow_i$) are simulated by the implementation with output-bound exceptions allowed, and Formula 27 ensures that all implementation time derivatives leading to implementation outputs or $\tau$'s (i.e., those deltas where $I \rightarrow_o$) are simulated by the specification.
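As an added illustration (not code from the dissertation or any tool it describes), the following Python script makes the closure and fixpoint definitions of Sections 4.1 to 4.4 concrete on finite, discrete-time DLTS: the $\tau$-closure of Def. 20 and the input/output-$\delta$-$\tau$-closures of Defs. 24 and 25 as one parameterised least fixpoint, the projections of Defs. 26 and 27, the maximal weak timed bisimulation of Def. 22 (Section 4.2) and the maximal timed logic conformation of Def. 29, both computed as greatest fixpoints by eliminating state pairs that violate their formulas. It assumes integer clocks truncated at CLOCK_MAX, one clock per TSA, and a constructed specification X (accept a?, then emit b! within [1,4]) with implementation variants built by make_imp; the output-bound predicate $ob$ of Def. 28 is treated as false, so the check is stricter than Def. 29 in locations where both inputs and outputs are possible.

```python
"""Toy discrete-time DLTS checker for Defs. 19-22, 24-27 and 29 (ob of Def. 28 treated as false).
Added illustration, not the dissertation's tooling; assumes one integer clock per TSA, truncated
at CLOCK_MAX, and the constructed automata X and make_imp below."""
from itertools import product
TAU, CLOCK_MAX = "tau", 6

class DLTS:  # states are (location, clock) pairs; a label is a str action or an int delay
    def __init__(self, inputs, outputs, trans):
        self.inputs, self.outputs = set(inputs), set(outputs)
        self.states = {p for (p, _, _) in trans} | {q for (_, _, q) in trans}
        self.trans = set(trans) | {(s, 0, s) for s in self.states}  # zero delay always exists
    def out(self, p):
        return {(a, q) for (p2, a, q) in self.trans if p2 == p}

def from_tsa(inputs, outputs, locs, edges):
    """DLTS of a one-clock TSA. locs: {loc: invariant bound or None}; edges: (loc, lo, hi, label, reset, loc')."""
    trans = set()
    for loc, inv in locs.items():
        top = CLOCK_MAX if inv is None else min(inv, CLOCK_MAX)
        for x in range(top + 1):
            trans |= {((loc, x), d, (loc, x + d)) for d in range(1, top - x + 1)}  # delays within invariant
            trans |= {((loc, x), a, (dst, 0 if reset else x))                      # enabled guarded edges
                      for (src, lo, hi, a, reset, dst) in edges if src == loc and lo <= x <= hi}
    return DLTS(inputs, outputs, trans)

def closure(ts, abstracted=()):
    """Least superset of ts.trans closed under Def. 20 and, for labels in `abstracted`, Defs. 24/25.
    Returned as an index {(p, a): {q}} of the closed relation."""
    R = set(ts.trans)
    while True:
        succ = {}
        for (p, a, q) in R:
            succ.setdefault(p, set()).add((a, q))
        new = set()
        for (p, a, q) in R:
            for (b, r) in succ.get(q, ()):
                if b == TAU: new.add((p, a, r))                                   # a (tau)* -> a
                if a == TAU: new.add((p, b, r))                                   # (tau)* b -> b
                if isinstance(a, int) and isinstance(b, int): new.add((p, a + b, r))  # delta1 delta2
                if isinstance(a, int) and b in abstracted:                        # delta1 b delta2 -> b
                    new |= {(p, b, s) for (c, s) in succ.get(r, ()) if isinstance(c, int)}
        if new <= R:
            idx = {}
            for (p, a, q) in R:
                idx.setdefault((p, a), set()).add(q)
            return idx
        R |= new

def projection(ts, kinds):
    """Defs. 26/27: delays inside a location leading towards a clock value where a `kinds` action is enabled."""
    enabled = {p for (p, a, _) in ts.trans if a in kinds}
    return {(p, d, q) for (p, d, q) in ts.trans if isinstance(d, int) and p[0] == q[0]
            and any(k[0] == p[0] and k[1] >= max(p[1], q[1]) for k in enabled)}

def matched(R, p, g, other, rel, imp_side):
    """Some p =g^=> p2 in closure R with (p2, other) (imp_side) or (other, p2) in rel? g^ as in Def. 19."""
    g = 0 if g == TAU else g
    return any(((p2, other) if imp_side else (other, p2)) in rel for p2 in R.get((p, g), ()))

def gfp(imp, spec, holds):  # largest relation over imp.states x spec.states on which `holds` is true
    rel = set(product(imp.states, spec.states))
    while True:
        bad = {pr for pr in rel if not holds(pr[0], pr[1], rel)}
        if not bad: return rel
        rel -= bad

def weak_timed_bisimulation(imp, spec):
    """Maximal W of Def. 22 (Formulas 13 and 14 of Def. 21)."""
    Ic, Sc = closure(imp), closure(spec)
    def holds(I, S, rel):
        return (all(matched(Ic, I, g, S2, rel, True) for (g, S2) in spec.out(S))
                and all(matched(Sc, S, g, I2, rel, False) for (g, I2) in imp.out(I)))
    return gfp(imp, spec, holds)

def timed_logic_conformation(imp, spec):
    """Maximal LC^t of Def. 29 with ob == false (hence a subset of the dissertation's relation)."""
    Io, Si, Sc = closure(imp, imp.outputs), closure(spec, spec.inputs), closure(spec)
    spec_i, imp_o = projection(spec, spec.inputs | {TAU}), projection(imp, imp.outputs | {TAU})
    def holds(I, S, rel):
        return (all(matched(Io, I, g, S2, rel, True)                              # (22), (23)
                    for (g, S2) in spec.out(S) if isinstance(g, str))
                and all(matched(Si, S, g, I2, rel, False)                         # (24), (25)
                        for (g, I2) in imp.out(I)
                        if isinstance(g, str) and (g not in imp.inputs or (S, g) in Sc))
                and all(matched(Io, I, d, S2, rel, True) for (p, d, S2) in spec_i if p == S)   # (26)
                and all(matched(Si, S, d, I2, rel, False) for (p, d, I2) in imp_o if p == I))  # (27)
    return gfp(imp, spec, holds)

X = from_tsa({"a?"}, {"b!"}, {0: None, 1: 4},  # constructed spec: accept a?, emit b! within [1, 4]
             [(0, 0, CLOCK_MAX, "a?", True, 1), (1, 1, 4, "b!", True, 0)])

def make_imp(out_lo, out_hi, extra_input):
    """Constructed implementation: a? enters internal location m, tau steps to 1, b! in [out_lo, out_hi]."""
    edges = [(0, 0, CLOCK_MAX, "a?", True, "m"), ("m", 0, 0, TAU, False, 1),
             (1, out_lo, out_hi, "b!", True, 0)]
    if extra_input:  # an input the specification never offers (irrelevant under Formula 24)
        edges.append((0, 0, CLOCK_MAX, "c?", False, 0))
    return from_tsa({e[3] for e in edges if e[3].endswith("?")}, {"b!"},
                    {0: None, "m": 0, 1: out_hi}, edges)
INIT = ((0, 0), (0, 0))  # (implementation start state, specification start state)
```

Checking `INIT in timed_logic_conformation(make_imp(1, 4, True), X)` yields true although `INIT in weak_timed_bisimulation(make_imp(1, 4, True), X)` is false: the extra input c? and the internal τ step are exactly what Formula 24 and the closures forgive. `make_imp(2, 3, False)` also conforms without needing $ob$, because location 1 has no inputs, so its tighter output bound only shows up in Formula 27, which the specification's looser invariant satisfies; it is not weak timed bisimilar, since the specification can delay longer. `make_imp(0, 4, False)` fails Formula 25: an output b! at time 0 has no match in the input-$\delta$-$\tau$-closure of the specification, which does not time-abstract outputs.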

4.5 Timed Logic Conformance Example

TSA $X$ and $Y$ in Figure 6 serve to illustrate the $\mathcal{LC}^t$ relation. $X$ and $Y$ are annotated with intervals to help visualize their induced DLTS's.

[Figure 6 (image not reproduced): implementation TSA $Y$ (Imp) and specification TSA $X$ (Spec); the only transition label recoverable from the figure is $a / x > 2,\ x := 0$.]

Figure 6. Simple $Y \sqsubseteq_{lc} X$ TSA.

The DLTS automata for $X$ and $Y$ have uncountable states, but the intervals annotated in the states of Figure 6 represent the value of the clocks $x$ and $y$ in $X$ and $Y$ states respectively. The following formulas prove that
\[
\begin{aligned}
\mathcal{LC}^t = {} & \{(Y_y, X_x) \mid x, y \in \mathbb{R}\} \;\cup \\
& \{(Y1_y, X1_x) \mid y \in [0,3) \wedge ((x \in [0,1] \wedge x \geq y) \vee (x \in (1,4) \wedge x < y+1))\} \;\cup \\
& \{(Y1_y, X2_x) \mid y \in [0,3) \wedge x \in [0,4) \wedge x < y+1\} \;\cup \\
& \{(Y2_y, X1_x) \mid y \in (0,5] \wedge x \in (1,4) \wedge x < y+1\} \;\cup \\
& \{(Y2_y, X2_x) \mid y \in [0,5] \wedge x \in [0,6] \wedge x < y+1\}
\end{aligned}
\]
is a Timed Logic Conformation and that $(Y_0, X_0) \in \mathcal{LC}^t$. Note that state-name subscripts represent the timed state via the value of the clock, and that the following formulas are numbered according to the corresponding formula number in Definition 29. Also note that formulas not shown are vacuously true (e.g., specification states without inputs vacuously satisfy Formula 22).
Relating states $(Y_y, X_x)\ \forall x, y \in \mathbb{R}$:

(22) $[X_x \xrightarrow{a} X1_0 \Rightarrow Y_y \xRightarrow{a}_o Y1_0 \wedge (Y1_0, X1_0) \in \mathcal{LC}^t]$

(24) $[Y_y \xrightarrow{a} Y1_0 \wedge X_x \xRightarrow{a} \Rightarrow X_x \xRightarrow{a}_i X1_0 \wedge (Y1_0, X1_0) \in \mathcal{LC}^t]$

(26) $[X_x \xrightarrow{\delta}_i X_{x+\delta} \Rightarrow Y_y \xRightarrow{\delta}_o Y_{y+\delta} \wedge (Y_{y+\delta}, X_{x+\delta}) \in \mathcal{LC}^t]$

Observe that $Y$'s location 0 need not be associated with any corresponding location in $X$, since $X \overset{c}{\nRightarrow}$ satisfies Formula 24's implication antecedent vacuously. If location 0 had derivatives, it would not matter that location 0 is not related to derivative locations of $X$; they are unreachable since the specification declares that $c$ shall not occur. Note also that for $x \in [0,2)$, $X_x \overset{a}{\nRightarrow}$ satisfies Formula 24 vacuously, allowing $(Y_y, X_x)$ to remain in $\mathcal{LC}^t$.
Note however, $\mathcal{LC}^t$ would be reduced to $\emptyset$ if $Y \xrightarrow{\bar c} 0$ instead of $Y \xrightarrow{c} 0$ because $Y_y \xrightarrow{\bar c} 0$ falsifies Formula 25, removing $\{(Y_y, X_x) \mid x, y \in \mathbb{R}\}$ from $\mathcal{LC}^t$. Without $\{(Y_y, X_x) \mid x, y \in \mathbb{R}\} \subseteq \mathcal{LC}^t$, $(Y2_y, X2_x)$, $(Y1_y, X2_x)$, $(Y2_y, X1_x)$, $(Y1_y, X1_x)$ cannot be in $\mathcal{LC}^t$ either, because the formulas require the to-locations to be in the relation, so $\mathcal{LC}^t = \emptyset$.
Relating states (Yl, X1)V y € [0,3) A ((x e [0,1] A x > y) V (x G (1,4) A x < y + 1))

(23) Vx6[ol4)lBe[o,3) \x < V + 1 A Xlx -^ X2X =» Ylv =^0 Y2y A (Y2y, X2X) G £C4]

60

(25) Vye[0)3)^e(il4) [x < y + 1A Y\v -^ Y2y => XI, A X2X A (F2„, X2X) G £C<]
(25) V„e[0l3),,e[o,i][*>VArisA]
(26)

Vxe[0)4),ye[o,3),Ä6R [(x > y V x < y + 1) A XI, -♦< Xlx+(5 =*■

(nv =40 Yly+i A (ri„+(5, Xlx+(5) e £C4) V ob(Ylv, S, Xlx, CC*)]
(27) Vsg[o,3),,e[o,i],*GR [as > y A Yly A F1,+, =» XI, =4; Xlx+(5 A (Yly+S, Xlx+S) G CC1}
(27) Vv6[oi3),xe[o,4),«eR [(a; > y V x < y + 1) A rij, —»0 Fl^ =*■
Xlx =4{ Xlx+l5 A (Yly+s,Xlx+s) G £C*]

If y 1 -^'s guard were y > 1 then Formula 25 would be false at time x = y = 1 for implementation
transitions Yli -A F2i because (F2i,Xli) £ £Ce and there is no Xlx =4j X2X transition in
X. This would mean that Formula 27 is also false for Yly -^ Yl2,y G [0,1],6 = 1 - y because (Fl!,Xli) gCCK This removes (yi„,Xlx) from CC1. Consequently (Yy,Xx), (Y2V,X2X),
(Yly,X2x), (y2!/,XlI), and the remaining (Fl^Xl,), cannot be in CC1 either, so £C* = 0.
Relating states $(Y1_y, X2_x)\ \forall y \in [0,3) \wedge x \in [0,4) \wedge x < y+1$:

(23) $[X2_x \xrightarrow{\beta} X_x \Rightarrow Y1_y \xRightarrow{\hat\beta}_o Y_y \wedge (Y_y, X_x) \in \mathcal{LC}^t]$

(25) $[Y1_y \xrightarrow{\bar b} Y2_y \Rightarrow X2_x \xRightarrow{\bar b}_i X2_x \wedge (Y2_y, X2_x) \in \mathcal{LC}^t]$

(27) $\forall \delta \in \mathbb{R}\,[Y1_y \xrightarrow{\delta}_o Y1_{y+\delta} \Rightarrow X2_x \xRightarrow{\delta}_i X2_{x+\delta} \wedge (Y1_{y+\delta}, X2_{x+\delta}) \in \mathcal{LC}^t]$

Relating states $(Y2_y, X1_x)\ \forall y \in (0,5] \wedge x \in (1,4) \wedge x < y+1$:

(23) $[X1_x \xrightarrow{\bar b} X2_x \Rightarrow Y2_y \xRightarrow{\bar b}_o Y2_y \wedge (Y2_y, X2_x) \in \mathcal{LC}^t]$

(25) $[Y2_y \xrightarrow{\beta} Y_y \Rightarrow X1_x \xRightarrow{\hat\beta}_i X_x \wedge (Y_y, X_x) \in \mathcal{LC}^t]$

(27) $[Y2_y \xrightarrow{\delta}_o Y2_{y+\delta} \Rightarrow X1_x \xRightarrow{\delta}_i X1_{x+\delta} \wedge (Y2_{y+\delta}, X1_{x+\delta}) \in \mathcal{LC}^t]$

Relating states $(Y2_y, X2_x)\ \forall y \in [0,5] \wedge x \in [0,6] \wedge x < y+1$:

(23) $[X2_x \xrightarrow{\beta} X_x \Rightarrow Y2_y \xRightarrow{\hat\beta}_o Y_y \wedge (Y_y, X_x) \in \mathcal{LC}^t]$

(25) $[Y2_y \xrightarrow{\beta} Y_y \Rightarrow X2_x \xRightarrow{\hat\beta}_i X_x \wedge (Y_y, X_x) \in \mathcal{LC}^t]$

(27) $\forall \delta \in \mathbb{R}\,[Y2_y \xrightarrow{\delta}_o Y2_{y+\delta} \Rightarrow X2_x \xRightarrow{\delta}_i X2_{x+\delta} \wedge (Y2_{y+\delta}, X2_{x+\delta}) \in \mathcal{LC}^t]$

4.6 Comparing TLC to Other Relations
Theoretically, TLC's relationship with other formal equivalence, partial order, and refinement relations like TCCS's weak timed bisimulation, CTR, and timed simulation is important to understand. Since TLC is asymmetrically defined over a different formalism, comparing them is not generally rigorously possible. One can see that TLC is weaker than TCCS weak timed bisimulation because TLC ignores temporal differences between actions. TLC is not comparable in a formal sense to CTR's refinement relation because they formalize the relationship between implementation and specification inputs in opposite directions; i.e., for CTR agents $X = a.[1,5].\bar b.X$ and $Y = a.[2,4].\bar b.Y$, $Y \leq X$ and $X \not\leq Y$, but the opposite is true for TLC: $X \not\sqsubseteq_{lc} Y$ and $Y \sqsubseteq_{lc} X$. Comparing timed simulation to TLC raises similar issues. The fact that TLC allows constrained inputs that violate timed simulation's nonblocking requirement makes TLC weaker than timed simulation in that situation. However, when used on models that define all inputs in all states for all times, TLC is stronger in the sense that it requires the set of output variables of the two processes to be the same, while timed simulation does not. Other than saying "TLC is weaker than weak timed bisimulation," about all that can be said is "TLC is different from the rest."

4.7 Properties of Timed Logic Conformance
In the interest of applying TLC to a hierarchical design process, it must be shown that $\mathcal{LC}^t$ induces a partially ordered binary relation (reflexive, antisymmetric, and transitive) over the set of DLTS automata induced from the set of TSA. Reflexivity is an important property for design purposes, because it must always be possible to substitute a component for itself. Antisymmetry is likewise important because models that can be substituted for each other are "equivalent" or the same. Transitivity is the property that guarantees hierarchical verification of the $\mathcal{LC}^t$ relation. Unfortunately, without restricting TSA modeling, TLC is not transitive over the induced DLTS. The following TSA modeling constraints are required to preserve transitivity:

Definition 30. TSA Modeling Constraints.

1. A location has a location invariant iff it has one or more output or $\tau$ transitions from it. This is similar to TCCS's persistence property, but only for outputs and $\tau$'s.
2. No initial location has an invariant (all initial locations are stable). Hence, all TSA must receive at least one input before generating an output.
3. No output or $\tau$ transition is guarded by an upper-bound stronger than the from-location invariant.
4. No to-location of a transition has a stronger location invariant than the from-location unless the clocks involved in the strengthened invariants are reset.
These are reasonable modeling constraints—especially for the hardware domain where devices control the timing of their outputs but not their inputs. The constraints strengthen the causal relationship of the models and their outputs and they increase the fidelity between the models and the
physical devices they represent. The first modeling constraint increases fidelity because devices that
are not broken cannot take an indefinite amount of time to produce an output. It also prohibits
the situation where a receiving device "forces" an input to occur by an expiring location invariant.
Note that a model can still place an upper-bound on an input, but the upper-bound constraint
for inputs may only be expressed by a guard, not a location invariant. Hence an upper-bounded
input guard can disable the input, but it cannot cause the input to occur. The second modeling


constraint increases fidelity by modeling the situation where all circuits must have logic that initializes them to a known state to be able to rely on the correct function of the device. Devices like
clocks are modeled by an initial state with a reset input transition before repeatedly toggling the
clock output. The third and fourth modeling constraints avoid locations that prohibit the passing
of time (i.e., locations that make the TSA Zeno). Constraints 3 and 4 prohibit Zeno locations with
no enabled transition as the location invariant expires.
Since parallel composition rules Com2 and Com3 relate inputs and outputs together, tighter
inputting component constraints can adversely constrain outputting component timing and violate
the fourth modeling constraint. To ensure that compositions continue to satisfy the modeling
constraints and that TLC is transitive for compositions, a condition on compositions that specifies
the necessary timing relationship between inputting and outputting components must be imposed.
A parallel composition with an output offered in a non-accepting location is a design error
called computation interference (CI). The following property excludes CI from compositions.

Definition 31. CI-free Parallel Composition.
1. All non-parallel TSA and their induced DLTS are CI-free.
2. The $n$-parallel TSA $T_p = (L_p, Act_p, E_p, ((l_{01},\rho_{01}), (l_{02},\rho_{02}), \ldots, (l_{0n},\rho_{0n})), \rightarrow_p)$, and its induced DLTS automaton $\mathcal{D} = (S_p, Act_p, \rightarrow_p, ((l_{01},\sigma_1), (l_{02},\sigma_2), \ldots, (l_{0n},\sigma_n)))$, are CI-free over location:state space $L{:}S$, $L \subseteq L_p$, $S \subseteq S_p$ when:
\[
\forall ((l_1,\rho_{l1}), (l_2,\rho_{l2}), \ldots, (l_n,\rho_{ln})) : ((l_1,\sigma_1), (l_2,\sigma_2), \ldots, (l_n,\sigma_n)) \in L{:}S\,[
\]
\[
\forall (l_i,\rho_{li}) \xrightarrow{\bar a}_i (l'_i,\rho'_{li})\,[(\pi_i \in \rho_i \wedge \pi_i \in \rho_{li} \wedge \pi_i[r_i := 0] \in \rho'_{li}) \Rightarrow \quad (28)
\]
\[
\forall 1 \leq j \leq n\,[(j \neq i \wedge a \in A_j) \Rightarrow \exists (l_j,\rho_{lj}) \xrightarrow{a}_j (l'_j,\rho'_{lj})\,[\pi_j \in \rho_j \wedge \pi_j \in \rho_{lj} \wedge \pi_j[r_j := 0] \in \rho'_{lj}]]] \;\wedge
\]
\[
\forall (l_i,\pi_i) \rightarrow_{oi} (l'_i,\pi'_i),\ 1 \leq j \leq n \wedge j \neq i \Rightarrow \exists (l_j,\pi_j) \xRightarrow{\delta}_j (l'_j,\pi'_j)\,] \quad (29)
\]

In words, a composition is CI-free when all composition receivers accept every output offered by transmitters in the composition's reachable state space (Formula 28) and no agent in the composition prohibits the passing of time until an output occurs (Formula 29). All non-parallel TSA are CI-free by definition. A top-level parallel-composed specification must be CI-free over its own reachable state space.
With the modeling constraints and the CI-free property, the TLC partial-order properties can be established. For the purposes of the following proofs and definitions, assume that each subscripted $\mathcal{LC}^t$ relation $\mathcal{LC}^t_i \subseteq S_I \times S_S$ is a timed logic conformation according to Def. 29.

Lemma 2 The relation
\[
Id = \{(x,x) \mid x \in S\} \quad (30)
\]
is a timed logic conformation.
Proof
Given any DLTS Automaton $(S, Act, \rightarrow, s_0)$, $P \in S$, $\gamma \in Act \cup \mathbb{R}$, every transition $P \xrightarrow{\gamma} P' \in \rightarrow$ can be matched by itself in the superset transition relations $P \xRightarrow{\gamma}_i P'$ and $P \xRightarrow{\gamma}_o P'$; and for $P \xrightarrow{\tau} P' \in \rightarrow$, since $P \xrightarrow{\tau} P' \Rightarrow (P \xrightarrow{0} P \xrightarrow{\tau} P' \xrightarrow{0} P') \Rightarrow (P \xRightarrow{0} P \xRightarrow{\tau} P' \xRightarrow{0} P') \Rightarrow P \xRightarrow{0} P' \Rightarrow P \xRightarrow{\hat\tau} P'$, $\tau$-closure ensures $P \xRightarrow{\hat\tau}_i P'$ and $P \xRightarrow{\hat\tau}_o P'$; therefore, $(P,P) \in Id \Rightarrow (P \xRightarrow{\hat\gamma}_i P' \wedge P \xRightarrow{\hat\gamma}_o P' \wedge (P',P') \in Id)$, therefore Formulas 22 through 27 are satisfied and $Id$ is a timed logic conformation. $\square$
Lemma 3 The composition relation
\[
\mathcal{LC}^t_1\mathcal{LC}^t_2 \triangleq \{(p,r) \mid (p,q) \in \mathcal{LC}^t_1 \wedge (q,r) \in \mathcal{LC}^t_2\} \quad (31)
\]
is a timed logic conformation.
Proof

The proof proceeds by assuming that $(P,R) \in \mathcal{LC}^t_1\mathcal{LC}^t_2$ and showing that for all possible actions that must be matched in each of the Formulas 22 through 27 in Def. 29, the actions are matched across the composition and $(P',R') \in \mathcal{LC}^t_1\mathcal{LC}^t_2$.

1. Formulas 22 and 23: Since $\mathcal{LC}^t_2$ is a logic conformation, according to Formulas 22 and 23, every $a \in Act$, $R' \in S_R$, $R \xrightarrow{a} R'$ is matched by some $Q'$ such that $Q \xRightarrow{\hat a}_o Q' \wedge (Q',R') \in \mathcal{LC}^t_2$. Since $Q \xRightarrow{\hat a}_o Q'$ is not $Q \xrightarrow{a} Q'$, a Lemma of the following form is needed:
\[
\forall a \in Act\,[((P,Q) \in \mathcal{LC}^t_1 \wedge Q \xRightarrow{\hat a}_o Q') \Rightarrow (P \xRightarrow{\hat a}_o P' \wedge (P',Q') \in \mathcal{LC}^t_1)]
\]
The proof of this is deferred to Lemma 4. Applying Lemma 4, $Q \xRightarrow{\hat a}_o Q' \Rightarrow P \xRightarrow{\hat a}_o P' \wedge (P',Q') \in \mathcal{LC}^t_1$ and by the definition of the composition relation $(P',R') \in \mathcal{LC}^t_1\mathcal{LC}^t_2$.
2. Formula 24: Since $\mathcal{LC}^t_1$ is a logic conformation, according to Formula 24, $\forall a \in A, P' \in S_P\,[P \xrightarrow{a} P' \wedge Q \xRightarrow{a}$ is matched by some $Q'$ such that $Q \xRightarrow{a}_i Q' \wedge (P',Q') \in \mathcal{LC}^t_1]$. Since $Q \xRightarrow{a}_i Q'$ is not $Q \xrightarrow{a} Q'$, a Lemma of the following form is needed:
\[
\forall a \in A\,[((Q,R) \in \mathcal{LC}^t_2 \wedge R \xRightarrow{a} \wedge Q \xRightarrow{a}_i Q') \Rightarrow (R \xRightarrow{a}_i R' \wedge (Q',R') \in \mathcal{LC}^t_2)]
\]
The proof of this is deferred to Lemma 5.
(a) $R \xRightarrow{a}$: Applying Lemma 5 implies $R \xRightarrow{a}_i R' \wedge (Q',R') \in \mathcal{LC}^t_2$, and by the definition of the composition relation $(P',R') \in \mathcal{LC}^t_1\mathcal{LC}^t_2$.
(b) $R \overset{a}{\nRightarrow}$: $R$ need not match $Q$'s $a$ and $(P',R')$ is not required in $\mathcal{LC}^t_1\mathcal{LC}^t_2$.
3. Formula 25: Since $\mathcal{LC}^t_1$ is a logic conformation, according to Formula 25, $\forall \beta \in \bar A \cup \{\tau\}, P' \in S_P\,[P \xrightarrow{\beta} P'$ is matched by some $Q'$ such that $Q \xRightarrow{\hat\beta}_i Q' \wedge (P',Q') \in \mathcal{LC}^t_1]$. Since $Q \xRightarrow{\hat\beta}_i Q'$ is not $Q \xrightarrow{\beta} Q'$, a Lemma of the following form is needed:
\[
\forall \beta \in \bar A \cup \{\tau\}\,[((Q,R) \in \mathcal{LC}^t_2 \wedge Q \xRightarrow{\hat\beta}_i Q') \Rightarrow (R \xRightarrow{\hat\beta}_i R' \wedge (Q',R') \in \mathcal{LC}^t_2)]
\]
The proof of this is deferred to Lemma 6. Applying Lemma 6 implies $R \xRightarrow{\hat\beta}_i R' \wedge (Q',R') \in \mathcal{LC}^t_2$, and by the definition of the composition relation $(P',R') \in \mathcal{LC}^t_1\mathcal{LC}^t_2$.
4. Formula 26: Since $\mathcal{LC}^t_2$ is a logic conformation, according to Formula 26, every $\delta \in \mathbb{R}$, $R' \in S_R$, $R \xrightarrow{\delta}_i R'$ is matched by some $Q'$ such that $Q \xRightarrow{\delta}_o Q' \wedge (Q',R') \in \mathcal{LC}^t_2$ or the predicate $ob(Q,\delta,R,\mathcal{LC}^t_2)$ is true.
(a) $Q \xRightarrow{\delta}_o Q' \wedge (Q',R') \in \mathcal{LC}^t_2$: Since $Q \xRightarrow{\delta}_o Q'$ is not $Q \xrightarrow{\delta}_i Q'$, a Lemma of the following form is needed:
\[
\forall \delta \in \mathbb{R}\,[(Q \xRightarrow{\delta}_o Q' \wedge \exists a \in A\,[Q' \xRightarrow{a}_i]) \Rightarrow (P \xRightarrow{\delta}_o P' \wedge (P',Q') \in \mathcal{LC}^t_1 \vee ob(P,\delta,Q,\mathcal{LC}^t_1))]
\]
The proof of this is deferred to Lemma 7. Applying Lemma 7, $\exists a \in A\,[Q' \xRightarrow{a}_i]$, because Def. 26 requires that $R' \xRightarrow{a}$, and $Q'$ must match $R$'s future inputs, so $(Q \xRightarrow{\delta}_o Q') \Rightarrow ((P \xRightarrow{\delta}_o P' \wedge (P',Q') \in \mathcal{LC}^t_1) \vee ob(P,\delta,Q,\mathcal{LC}^t_1))$.
i. $P \xRightarrow{\delta}_o P' \wedge (P',Q') \in \mathcal{LC}^t_1$: By the definition of the composition, $(P',R') \in \mathcal{LC}^t_1\mathcal{LC}^t_2$.
ii. $ob(P,\delta,Q,\mathcal{LC}^t_1)$: Then $ob(P,\delta,R,\mathcal{LC}^t_1\mathcal{LC}^t_2)$ from Def. 28 and the definition of the composition.
(b) $ob(Q,\delta,R,\mathcal{LC}^t_2)$: From Def. 28, for some $\delta_1 < \delta$, $Q \xRightarrow{\delta_1}_o Q'$, and Formula 26 implies $(P \xRightarrow{\delta_1}_o P' \wedge (P',Q') \in \mathcal{LC}^t_1) \vee ob(P,\delta_1,Q,\mathcal{LC}^t_1)$.
i. $P \xRightarrow{\delta_1}_o P' \wedge (P',Q') \in \mathcal{LC}^t_1$: Since $\delta_1 < \delta$ and $P$ conforms to every $Q'$ reached by every $\delta > \delta_1$ and those $Q'$ logically conform to every $R'$ reached by those same $\delta$, $ob(P,\delta,R,\mathcal{LC}^t_1\mathcal{LC}^t_2)$ holds by Def. 28 and the definition of the composition.
ii. $ob(P,\delta_1,Q,\mathcal{LC}^t_1)$: Since $\delta > \delta_1$, it is true that $ob(P,\delta,R,\mathcal{LC}^t_1\mathcal{LC}^t_2)$ from Def. 28 and the definition of the composition.
5. Formula 27: Since $\mathcal{LC}^t_1$ is a logic conformation, according to Formula 27, $\forall \delta \in \mathbb{R}, P' \in S_P\,[P \xrightarrow{\delta}_o P'$ is matched by some $Q'$ such that $Q \xRightarrow{\delta}_i Q' \wedge (P',Q') \in \mathcal{LC}^t_1]$. Since $Q \xRightarrow{\delta}_i Q'$ is not $Q \xrightarrow{\delta}_o Q'$, a Lemma of the following form is needed:
\[
\forall \delta \in \mathbb{R}\,[((Q,R) \in \mathcal{LC}^t_2 \wedge Q \xRightarrow{\delta}_i Q' \wedge \exists \beta \in \bar A \cup \{\tau\}\,[Q' \xRightarrow{\beta}_i]) \Rightarrow (R \xRightarrow{\delta}_i R' \wedge (Q',R') \in \mathcal{LC}^t_2)]
\]
The proof of this is deferred to Lemma 8. Since $Q$ is required to match the outputs of $P$, it is true that $\exists \beta \in \bar A \cup \{\tau\}\,[Q' \xRightarrow{\beta}_i]$, and applying Lemma 8 implies $R \xRightarrow{\delta}_i R' \wedge (Q',R') \in \mathcal{LC}^t_2$, and by the definition of the composition relation $(P',R') \in \mathcal{LC}^t_1\mathcal{LC}^t_2$. $\square$
Lemma 4 Given that $\mathcal{LC}^t$ is a timed logic conformance:
\[
\forall a \in Act\,[((I,S) \in \mathcal{LC}^t \wedge S \xRightarrow{\hat a}_o S') \Rightarrow (I \xRightarrow{\hat a}_o I' \wedge (I',S') \in \mathcal{LC}^t)]
\]

Proof
1. Case $S (\xrightarrow{\tau})^* S^m \xrightarrow{\hat a} S^n (\xrightarrow{\tau})^* S'$ (Def. 25, first disjunct):
Since $\mathcal{LC}^t$ is a timed logic conformation, according to Formula 23, every $S^1$, $S \xrightarrow{\tau} S^1$ is matched by some $I^1$ such that $I \xRightarrow{\hat\tau}_o I^1 \wedge (I^1,S^1) \in \mathcal{LC}^t$. This is true inductively for more $\tau \in \tau^*$ and $S^1 \cdots S^m$ and $I^1 \cdots I^m$ according to Formula 23.
According to Formulas 22 and 23, $S^m \xrightarrow{\hat a} S^n$ is matched by some $I^n$ such that $I^m \xRightarrow{\hat a}_o I^n \wedge (I^n,S^n) \in \mathcal{LC}^t$. When $S^m \xrightarrow{\hat a} S^n$ is $S^m \xrightarrow{\delta} S^n$, Formula 26 applies, and since every DLTS state has a $\delta = 0$ transition by definition, $I^m \xRightarrow{\delta}_o I^n \wedge (I^n,S^n) \in \mathcal{LC}^t$.
Finally, by Formula 23 any sequence of $\tau$'s in $S^n \xrightarrow{\tau} S'$ is matched by $I^n \xRightarrow{\hat\tau}_o I' \wedge (I',S') \in \mathcal{LC}^t$. And, by Def. 25, $(I \xRightarrow{\hat\tau}_o I^m \xRightarrow{\hat a}_o I^n \xRightarrow{\hat\tau}_o I') \Rightarrow I \xRightarrow{\hat a}_o I'$.

2. Case $S \xrightarrow{\delta_1} S^m \xrightarrow{a} S^n \xrightarrow{\delta_2} S' \wedge a \in \bar A, \delta_1, \delta_2 \in \mathbb{R}$ (Def. 25, third disjunct):

(a) $I \xRightarrow{\delta_1}_o$:
i. $S \xrightarrow{\delta_1}_i S^m$: Since $\mathcal{LC}^t$ is a timed logic conformation, according to Formula 26, $S \xrightarrow{\delta_1}_i S^m$ is matched by some $I^m$ such that $I \xRightarrow{\delta_1}_o I^m \wedge (I^m,S^m) \in \mathcal{LC}^t$. Since $(I^m,S^m) \in \mathcal{LC}^t \wedge S^m \xrightarrow{a} S^n$, Formulas 22 and 23 require some $I^n$ such that $I^m \xRightarrow{\hat a}_o I^n \wedge (I^n,S^n) \in \mathcal{LC}^t$.
A. $I^n \xRightarrow{\delta_2}_o$:
Case $S^n \xrightarrow{\delta_2}_i S'$: Since $\mathcal{LC}^t$ is a timed logic conformation, according to Formula 26, $S^n \xrightarrow{\delta_2}_i S'$ is matched by some $I'$ such that $I^n \xRightarrow{\delta_2}_o I' \wedge (I',S') \in \mathcal{LC}^t$. And $(I \xRightarrow{\delta_1}_o I^m \xRightarrow{\hat a}_o I^n \xRightarrow{\delta_2}_o I') \Rightarrow I \xRightarrow{\hat a}_o I'$ by Def. 25.
Case $S^n \overset{\delta_2}{\nrightarrow}_i S'$: $I^n$ need not match $S^n$'s $\delta_2$ and $(I',S')$ is not required in $\mathcal{LC}^t$.
B. $I^n \overset{\delta_2}{\nRightarrow}_o$ ($ob(I^n,\delta_2,S^n,\mathcal{LC}^t)$ holds): Since $\mathcal{LC}^t$ is a timed logic conformation, according to Formula 26 and Def. 28, $\exists I' \in S_I, \delta'_2 \in \mathbb{R}\,[I^n \xRightarrow{\delta'_2}_o I' \wedge S^n \xrightarrow{\delta_2} S' \Rightarrow (I',S') \in \mathcal{LC}^t]$. And $(I \xRightarrow{\delta_1}_o I^m \xRightarrow{\hat a}_o I^n \xRightarrow{\delta'_2}_o I') \Rightarrow I \xRightarrow{\hat a}_o I'$ by Def. 25.
ii. $S \overset{\delta_1}{\nrightarrow}_i S^m$: then $I$ need not match $S$'s $\delta_1$ and $(I^m,S^m)$ is not required in $\mathcal{LC}^t$.
(b) $I \overset{\delta_1}{\nRightarrow}_o$ ($ob(I,\delta_1,S,\mathcal{LC}^t)$ holds): Since $\mathcal{LC}^t$ is a timed logic conformation, according to Formula 26 and Def. 28, $\exists I^m \in S_I, \delta'_1 \in \mathbb{R}\,[I \xRightarrow{\delta'_1}_o I^m \wedge S \xrightarrow{\delta_1} S^m \Rightarrow (I^m,S^m) \in \mathcal{LC}^t]$. Since $(I^m,S^m) \in \mathcal{LC}^t \wedge S^m \xrightarrow{a} S^n$, Formulas 22 and 23 require some $I^n$ such that $I^m \xRightarrow{\hat a}_o I^n \wedge (I^n,S^n) \in \mathcal{LC}^t$.
i. $I^n \xRightarrow{\delta_2}_o$:
A. $S^n \xrightarrow{\delta_2}_i S'$: Since $\mathcal{LC}^t$ is a timed logic conformation, according to Formula 26, $S^n \xrightarrow{\delta_2}_i S'$ is matched by some $I'$ such that $I^n \xRightarrow{\delta_2}_o I' \wedge (I',S') \in \mathcal{LC}^t$. And $(I \xRightarrow{\delta'_1}_o I^m \xRightarrow{\hat a}_o I^n \xRightarrow{\delta_2}_o I') \Rightarrow I \xRightarrow{\hat a}_o I'$ by Def. 25.
B. $S^n \overset{\delta_2}{\nrightarrow}_i S'$: $I^n$ need not match $S^n$'s $\delta_2$ and $(I',S')$ is not required in $\mathcal{LC}^t$.
ii. $I^n \overset{\delta_2}{\nRightarrow}_o$ ($ob(I^n,\delta_2,S^n,\mathcal{LC}^t)$ holds): Since $\mathcal{LC}^t$ is a timed logic conformation, according to Formula 26 and Def. 28, $\exists I' \in S_I, \delta'_2 \in \mathbb{R}\,[I^n \xRightarrow{\delta'_2}_o I' \wedge S^n \xrightarrow{\delta_2} S' \Rightarrow (I',S') \in \mathcal{LC}^t]$. And $(I \xRightarrow{\delta'_1}_o I^m \xRightarrow{\hat a}_o I^n \xRightarrow{\delta'_2}_o I') \Rightarrow I \xRightarrow{\hat a}_o I'$ by Def. 25. $\square$
Lemma 5 Given that $\mathcal{LC}^t$ is a timed logic conformance:
\[
\forall a \in A, I' \in S_I\,[((I,S) \in \mathcal{LC}^t \wedge S \xRightarrow{a} \wedge I \xRightarrow{a}_i I') \Rightarrow \exists S' \in S_S\,[S \xRightarrow{a}_i S' \wedge (I',S') \in \mathcal{LC}^t]]
\]

Proof
1. $I (\xrightarrow{\tau})^* I^m \xrightarrow{a} I^n (\xrightarrow{\tau})^* I'$ (from Def. 24, first disjunct): Since $\mathcal{LC}^t$ is a timed logic conformation, according to Formula 25, every $I^1$, $I \xrightarrow{\tau} I^1$ is matched by some $S^1$ such that $S \xRightarrow{\hat\tau}_i S^1 \wedge (I^1,S^1) \in \mathcal{LC}^t$. This is true inductively for more $\tau \in \tau^*$ and $I^1 \cdots I^m$ and $S^1 \cdots S^m$ according to Formula 25. According to Formula 24, $I^m \xrightarrow{a} I^n$ is matched by some $S^n$ such that $S^m \xRightarrow{a}_i S^n \wedge (I^n,S^n) \in \mathcal{LC}^t$. And finally, by Formula 25 any sequence of $\tau$'s in $I^n \xrightarrow{\tau} I'$ is matched by $S^n \xRightarrow{\hat\tau}_i S' \wedge (I',S') \in \mathcal{LC}^t$. And, by Def. 24, $(S \xRightarrow{\hat\tau}_i S^m \xRightarrow{a}_i S^n \xRightarrow{\hat\tau}_i S') \Rightarrow S \xRightarrow{a}_i S'$.
2. $I \xrightarrow{\delta_1} I^m \xrightarrow{a} I^n \xrightarrow{\delta_2} I' \wedge a \in A, \delta_1, \delta_2 \in \mathbb{R}$ (Def. 24, third disjunct):
(a) $I \xrightarrow{\delta_1}_o I^m$: According to Formula 27, $I \xrightarrow{\delta_1}_o I^m$ is matched by some $S^m$ such that $S \xRightarrow{\delta_1}_i S^m \wedge (I^m,S^m) \in \mathcal{LC}^t$. Since $(I^m,S^m) \in \mathcal{LC}^t \wedge I^m \xrightarrow{a} I^n$, Formula 24 requires some $S^n$ such that $S^m \xRightarrow{a}_i S^n \wedge (I^n,S^n) \in \mathcal{LC}^t$.
i. $I^n \xrightarrow{\delta_2}_o I'$: According to Formula 27, $I^n \xrightarrow{\delta_2}_o I'$ is matched by some $S'$ such that $S^n \xRightarrow{\delta_2}_i S' \wedge (I',S') \in \mathcal{LC}^t$. Finally, by Def. 24, $(S \xRightarrow{\delta_1}_i S^m \xRightarrow{a}_i S^n \xRightarrow{\delta_2}_i S') \Rightarrow S \xRightarrow{a}_i S'$.
ii. $I^n \overset{\delta_2}{\nrightarrow}_o I'$: $S^n$ is not required to match $\delta_2$ and $(I',S')$ is not required in $\mathcal{LC}^t$.
(b) $I \overset{\delta_1}{\nrightarrow}_o I^m$: $S$ is not required to match $\delta_1$ and $(I^m,S^m)$ is not required in $\mathcal{LC}^t$. $\square$

Lemma 6 Given that $\mathcal{LC}^t$ is a timed logic conformance:

$\forall \beta \in \bar{A} \cup \{\tau\}[((I, S) \in \mathcal{LC}^t \wedge I \xRightarrow{\beta}_i I') \Rightarrow (S \xRightarrow{\beta}_i S' \wedge (I', S') \in \mathcal{LC}^t)]$

Proof
From Def. 24, first disjunct: $I (\xrightarrow{\tau})^* I^m \xrightarrow{\beta} I^n (\xrightarrow{\tau})^* I'$. Since $\mathcal{LC}^t$ is a timed logic conformation, according to Formula 25, every $I^1$, $I \xrightarrow{\tau} I^1$ is matched by some $S^1$ such that $S \xRightarrow{\tau}_i S^1 \wedge (I^1, S^1) \in \mathcal{LC}^t$. This is true inductively for more $\tau \in \tau^*$ and $I^1 \cdots I^m$ and $S^1 \cdots S^m$ according to Formula 25. According to Formula 25, $I^m \xrightarrow{\beta} I^n$ is matched by some $S^n$ such that $S^m \xRightarrow{\beta}_i S^n \wedge (I^n, S^n) \in \mathcal{LC}^t$. When $\beta = \tau$, $\delta = 0$, $I^m \xrightarrow{\tau} I^n$, $m = n$, so $S^m \xRightarrow{\tau}_i S^n \wedge (I^n, S^n) \in \mathcal{LC}^t$. And finally, by Formula 25 any sequence of $\tau$'s in $I^n \xrightarrow{\tau} I'$ is matched by $S^n \xRightarrow{\tau}_i S' \wedge (I', S') \in \mathcal{LC}^t$. And, by Def. 24, $(S \xRightarrow{\tau}_i S^m \xRightarrow{\beta}_i S^n \xRightarrow{\tau}_i S') \Rightarrow S \xRightarrow{\beta}_i S'$. $\square$

Lemma 7 Given that $\mathcal{LC}^t$ is a timed logic conformance:

$\forall \delta \in \mathbb{R}[((I, S) \in \mathcal{LC}^t \wedge S \xRightarrow{\delta}_o S' \wedge \exists \alpha \in A[S' \xRightarrow{\alpha}]) \Rightarrow (I \xRightarrow{\delta}_o I' \wedge (I', S') \in \mathcal{LC}^t \vee ob(I, \delta, S, \mathcal{LC}^t))]$

Proof
1. Case $S (\xrightarrow{\tau})^* S^m \xrightarrow{\delta} S^n (\xrightarrow{\tau})^* S'$ (Def. 25, first disjunct):
Since $\mathcal{LC}^t$ is a timed logic conformation, according to Formula 23, every $S^1$, $S \xrightarrow{\tau} S^1$ is matched by some $I^1$ such that $I \xRightarrow{\tau}_o I^1 \wedge (I^1, S^1) \in \mathcal{LC}^t$. This is true inductively for more $\tau \in \tau^*$ and $S^1 \cdots S^m$ and $I^1 \cdots I^m$ according to Formula 23, so $I \xRightarrow{\tau}_o I^m \wedge (I^m, S^m) \in \mathcal{LC}^t$. Since $\exists \alpha \in A[S' \xRightarrow{\alpha}]$, $S^m \xrightarrow{\delta} S^n \Rightarrow S^m \overset{\delta}{\dashrightarrow}_i S^n$ by Def. 26, and $\exists I^n \in S_I$ such that $I^m \xRightarrow{\delta}_o I^n \wedge (I^n, S^n) \in \mathcal{LC}^t \vee ob(I^m, \delta, S^m, \mathcal{LC}^t)$ according to Formula 26.
(a) $I^m \xRightarrow{\delta}_o$: Then $I^m \xRightarrow{\delta}_o I^n \wedge (I^n, S^n) \in \mathcal{LC}^t$ by Formula 26, and by Formula 23 any sequence of $\tau$'s in $S^n \xrightarrow{\tau} S'$ is matched by $I^n \xRightarrow{\tau}_o I' \wedge (I', S') \in \mathcal{LC}^t$. And, by Def. 25, $(I \xRightarrow{\tau}_o I^m \xRightarrow{\delta}_o I^n \xRightarrow{\tau}_o I') \Rightarrow I \xRightarrow{\delta}_o I'$.
(b) $I^m \not\xRightarrow{\delta}_o$:
i. $\exists i \in \{0 \ldots m\}[I^i \xRightarrow{\delta}_o I']$: Then $I^i$ is another $I^m$ and case $I^m \xRightarrow{\delta}_o$ (above) applies.
ii. $\forall i \in \{0 \ldots m\}[I^i \not\xRightarrow{\delta}_o]$: Then $\forall i \in \{0 \ldots m\}[ob(I^i, \delta, S^i, \mathcal{LC}^t)]$, and in particular, according to Def. 28, $ob(I, \delta, S, \mathcal{LC}^t)$.
2. Case $S \xrightarrow{\delta_1} S^m (\xrightarrow{\tau})^* S^n \xrightarrow{\delta_2} S' \wedge \delta_1, \delta_2 \in \mathbb{R} \wedge \delta = \delta_1 + \delta_2$ (Def. 25, second disjunct):
(a) $I \xRightarrow{\delta_1}_o$: Since $\exists \alpha \in A[S' \xRightarrow{\alpha}]$, $S \xrightarrow{\delta_1} S^m \Rightarrow S \overset{\delta_1}{\dashrightarrow}_i S^m$ by Def. 26. Since $\mathcal{LC}^t$ is a timed logic conformation, according to Formula 26, $S \overset{\delta_1}{\dashrightarrow}_i S^m$ is matched by some $I^m$ such that $I \xRightarrow{\delta_1}_o I^m \wedge (I^m, S^m) \in \mathcal{LC}^t$. Since $(I^m, S^m) \in \mathcal{LC}^t$, by Formula 23, any sequence of $\tau$'s in $S^m \xrightarrow{\tau} S^n$ is matched by $I^m \xRightarrow{\tau}_o I^n \wedge (I^n, S^n) \in \mathcal{LC}^t$.
i. $I^n \xRightarrow{\delta_2}_o$: Since $\exists \alpha \in A[S' \xRightarrow{\alpha}]$, $S^n \xrightarrow{\delta_2} S' \Rightarrow S^n \overset{\delta_2}{\dashrightarrow}_i S'$ by Def. 26. Since $\mathcal{LC}^t$ is a timed logic conformation and $(I^n, S^n) \in \mathcal{LC}^t$, according to Formula 26, $S^n \overset{\delta_2}{\dashrightarrow}_i S'$ is matched by some $I'$ such that $I^n \xRightarrow{\delta_2}_o I' \wedge (I', S') \in \mathcal{LC}^t$. And $I \xRightarrow{\delta_1}_o I^m \xRightarrow{\tau}_o I^n \xRightarrow{\delta_2}_o I' \Rightarrow I \xRightarrow{\delta}_o I'$ by Def. 25.
ii. $I^n \not\xRightarrow{\delta_2}_o$ ($ob(I^n, \delta_2, S^n, \mathcal{LC}^t)$ holds): Since $\mathcal{LC}^t$ is a timed logic conformation, according to Formula 26 and Def. 28, $\exists I' \in S_I, \delta_2' \in \mathbb{R}[I^n \xRightarrow{\delta_2'}_o I' \wedge S^n \xrightarrow{\delta_2'} S' \Rightarrow (I', S') \in \mathcal{LC}^t]$.
A. $\exists i \in \{m \ldots n\}[I^i \xRightarrow{\delta_2}_o I']$: Then $I^i$ is another $I^n$ and case $I^n \xRightarrow{\delta_2}_o$ (above) applies.
B. $\forall i \in \{m \ldots n\}[I^i \not\xRightarrow{\delta_2}_o]$: Then $\forall i \in \{m \ldots n\}[ob(I^i, \delta_2, S^i, \mathcal{LC}^t)]$, and in particular, according to Def. 28, $ob(I^m, \delta_2, S^m, \mathcal{LC}^t)$. The modeling constraints imposed in Definition 30 on page 63 ensure that all $I \xrightarrow{\delta}$ transitions are derived from a location with a monotonically stronger invariant than $I^m$, so since $I^m \not\xRightarrow{\delta_2}_o$ there can be no $I \xRightarrow{\delta}_o$ such that $\delta = \delta_1 + \delta_2$. Therefore $I \not\xRightarrow{\delta}_o$ for $\delta = \delta_1 + \delta_2$, and $ob(I, \delta, S, \mathcal{LC}^t)$ holds.
(b) $I \not\xRightarrow{\delta_1}_o$ ($ob(I, \delta_1, S, \mathcal{LC}^t)$ holds): By Def. 28, $\delta > \delta_1 \Rightarrow ob(I, \delta, S, \mathcal{LC}^t)$. $\square$

Lemma 8 Given that $\mathcal{LC}^t$ is a timed logic conformance:

$\forall \delta \in \mathbb{R}[((I, S) \in \mathcal{LC}^t \wedge I \xRightarrow{\delta}_i I' \wedge \exists \beta \in \bar{A} \cup \{\tau\}[I' \xRightarrow{\beta}]) \Rightarrow (S \xRightarrow{\delta}_i S' \wedge (I', S') \in \mathcal{LC}^t)]$

Proof
1. Case $I (\xrightarrow{\tau})^* I^m \xrightarrow{\delta} I^n (\xrightarrow{\tau})^* I'$ (Def. 24, first disjunct):
Since $\mathcal{LC}^t$ is a timed logic conformation, according to Formula 25, every $I^1$, $I \xrightarrow{\tau} I^1$ is matched by some $S^1$ such that $S \xRightarrow{\tau}_i S^1 \wedge (I^1, S^1) \in \mathcal{LC}^t$. This is true inductively for more $\tau \in \tau^*$ and $I^1 \cdots I^m$ and $S^1 \cdots S^m$ according to Formula 25. Since $\exists \beta \in \bar{A} \cup \{\tau\}[I' \xRightarrow{\beta}]$, it is true that $I^m \overset{\delta}{\dashrightarrow}_o I^n$ by Def. 27. According to Formula 27, $I^m \overset{\delta}{\dashrightarrow}_o I^n$ is matched by some $S^n$ such that $S^m \xRightarrow{\delta}_i S^n \wedge (I^n, S^n) \in \mathcal{LC}^t$. And finally, by Formula 25 any sequence of $\tau$'s in $I^n \xrightarrow{\tau} I'$ is matched by $S^n \xRightarrow{\tau}_i S' \wedge (I', S') \in \mathcal{LC}^t$. And, by Def. 24, $(S \xRightarrow{\tau}_i S^m \xRightarrow{\delta}_i S^n \xRightarrow{\tau}_i S') \Rightarrow S \xRightarrow{\delta}_i S'$.
2. Case $I \xrightarrow{\delta_1} I^0 (\xrightarrow{\tau})^* I^n \xrightarrow{\delta_2} I' \wedge \delta_1, \delta_2 \in \mathbb{R} \wedge \delta = \delta_1 + \delta_2$ (Def. 24, second disjunct):
Since $\exists \beta \in \bar{A} \cup \{\tau\}[I' \xRightarrow{\beta}]$, it is true that $I \overset{\delta_1}{\dashrightarrow}_o I^0$ by Def. 27. Since $\mathcal{LC}^t$ is a timed logic conformation, according to Formula 27, every $I^0$, $I \overset{\delta_1}{\dashrightarrow}_o I^0$ is matched by some $S^0$ such that $S \xRightarrow{\delta_1}_i S^0 \wedge (I^0, S^0) \in \mathcal{LC}^t$. According to Formula 25, every $I^1$, $I^0 \xrightarrow{\tau} I^1$ is matched by some $S^1$ such that $S^0 \xRightarrow{\tau}_i S^1 \wedge (I^1, S^1) \in \mathcal{LC}^t$. This is true inductively for more $\tau \in \tau^*$ and $I^1 \cdots I^n$ and $S^1 \cdots S^n$ according to Formula 25. Since $\exists \beta \in \bar{A} \cup \{\tau\}[I' \xRightarrow{\beta}]$, it is true that $I^n \overset{\delta_2}{\dashrightarrow}_o I'$ by Def. 27. According to Formula 27, $I^n \overset{\delta_2}{\dashrightarrow}_o I'$ is matched by some $S'$ such that $S^n \xRightarrow{\delta_2}_i S' \wedge (I', S') \in \mathcal{LC}^t$. And, by Def. 24, $(S \xRightarrow{\delta_1}_i S^0 \xRightarrow{\tau}_i S^n \xRightarrow{\delta_2}_i S') \Rightarrow S \xRightarrow{\delta}_i S'$. $\square$


Lemma 8 finally establishes that the composition of two timed logic conformances $\mathcal{LC}^t_1 \mathcal{LC}^t_2$ is a timed logic conformance.

Lemma 9 Given a timed logic conformation $\mathcal{LC}^t$, if its inverse $\mathcal{LC}^{t^{-1}}$ is also a timed logic conformation, then $\mathcal{LC}^t$ is a weak timed bisimulation.

Proof
The proof is structured over the formulas defining $\mathcal{LC}^t$, deriving the formulas defining a weak timed bisimulation when the $\mathcal{LC}^t$ formulas hold in both directions.

1. Formula 22: Conjuncting Formulas 22 and 24 together and reversing the roles of $S$ and $I$ in the transition predicates of Formula 24 yields

$\forall S'[S \xrightarrow{\alpha} S' \Rightarrow \exists I'[I \xRightarrow{\alpha}_o I' \wedge (I', S') \in \mathcal{LC}^t]] \wedge$
$\forall S'[(S \xrightarrow{\alpha} S' \wedge I \xRightarrow{\alpha}) \Rightarrow \exists I'[I \xRightarrow{\alpha}_i I' \wedge (I', S') \in \mathcal{LC}^t]]$

Since $I \xRightarrow{\alpha}_o I'$, and $\alpha \in A$, the third disjunct of Def. 25 does not apply, so $I \xRightarrow{\alpha}_o I' \Rightarrow I \xRightarrow{\alpha}$, resulting in

$\forall S'[S \xrightarrow{\alpha} S' \Rightarrow \exists I'[I \xRightarrow{\alpha}_o I' \wedge (I', S') \in \mathcal{LC}^t]] \wedge$
$\forall S'[S \xrightarrow{\alpha} S' \Rightarrow \exists I'[I \xRightarrow{\alpha}_i I' \wedge (I', S') \in \mathcal{LC}^t]]$

Combining implications results in

$\forall S'[S \xrightarrow{\alpha} S' \Rightarrow \exists I'[I \xRightarrow{\alpha}_o I' \wedge I \xRightarrow{\alpha}_i I' \wedge (I', S') \in \mathcal{LC}^t]]$

And since $\nexists\, \alpha \in Act[\alpha \in A \wedge \alpha \in \bar{A}]$, only the first two disjuncts of both Definitions 24 and 25 are consistent with each other, and they equal the definition of $\tau$-closure (Def. 20),

$\forall S'[S \xrightarrow{\alpha} S' \Rightarrow \exists I'[I \xRightarrow{\alpha} I' \wedge (I', S') \in \mathcal{LC}^t]]$

2. Formula 23: Conjuncting Formulas 23 and 25 and reversing the roles of $S$ and $I$ in Formula 25's transition predicates yields

$\forall S'[S \xrightarrow{\beta} S' \Rightarrow \exists I'[I \xRightarrow{\beta}_o I' \wedge (I', S') \in \mathcal{LC}^t]] \wedge$
$\forall S'[S \xrightarrow{\beta} S' \Rightarrow \exists I'[I \xRightarrow{\beta}_i I' \wedge (I', S') \in \mathcal{LC}^t]]$

which by a subset of the $\alpha$-case reasoning simplifies to

$\forall S'[S \xrightarrow{\beta} S' \Rightarrow \exists I'[I \xRightarrow{\beta} I' \wedge (I', S') \in \mathcal{LC}^t]]$

3. Formula 26: Conjuncting Formulas 26 and 27 and reversing the roles of $S$ and $I$ in Formula 27 yields

$\forall S'[S \overset{\delta}{\dashrightarrow}_i S' \Rightarrow (\exists I'[I \xRightarrow{\delta}_o I' \wedge (I', S') \in \mathcal{LC}^t] \vee ob(I, \delta, S, \mathcal{LC}^t))] \wedge$
$\forall S'[S \overset{\delta}{\dashrightarrow}_o S' \Rightarrow \exists I'[I \xRightarrow{\delta}_i I' \wedge (I', S') \in \mathcal{LC}^t]]$

Since $\delta \in \mathbb{R}$ transitions are added to all three extended transition relations in the same way (for a delay, $\xRightarrow{\delta}$, $\xRightarrow{\delta}_i$, and $\xRightarrow{\delta}_o$ coincide), the consequents of the implications can be changed as follows:

$\forall S'[S \overset{\delta}{\dashrightarrow}_i S' \Rightarrow (\exists I'[I \xRightarrow{\delta} I' \wedge (I', S') \in \mathcal{LC}^t] \vee ob(I, \delta, S, \mathcal{LC}^t))] \wedge$
$\forall S'[S \overset{\delta}{\dashrightarrow}_o S' \Rightarrow \exists I'[I \xRightarrow{\delta} I' \wedge (I', S') \in \mathcal{LC}^t]]$

In order to unite the antecedents, Table 4 reports all possible combinations of truth values for the three clauses under the assumptions that $\mathcal{LC}^t$ and $\mathcal{LC}^{t^{-1}}$ are both logic conformations and that $(I, S) \in \mathcal{LC}^t \wedge S \xrightarrow{\delta} S'$.

Table 4. Delta Predicate Truth Table.

$S \overset{\delta}{\dashrightarrow}_o S'$ | $S \overset{\delta}{\dashrightarrow}_i S'$ | $ob(I, \delta, S, \mathcal{LC}^t)$ | Conclusion
0 | 0 | 0 | See case 000.
0 | 0 | 1 | *See case 0X1.
0 | 1 | 0 | $I \xRightarrow{\delta} I' \wedge (I', S') \in \mathcal{LC}^t$
0 | 1 | 1 | *See case 0X1.
1 | 0 | 0 | $I \xRightarrow{\delta} I' \wedge (I', S') \in \mathcal{LC}^t$
1 | 0 | 1 | *See case 1X1.
1 | 1 | 0 | $I \xRightarrow{\delta} I' \wedge (I', S') \in \mathcal{LC}^t$
1 | 1 | 1 | *See case 1X1.
* Contradiction, impossible case.

(a) 000: Since $S \not\overset{\delta}{\dashrightarrow}_o S'$ and $S \not\overset{\delta}{\dashrightarrow}_i S'$, there are no inputs, outputs, or $\tau$'s possible from $S'$ or its derivatives. Therefore there is no upper bound on $S$ or $S'$ $\delta$-transitions, because the modeling constraints restrict upper bounds to output- or $\tau$-capable locations. Since only non-Zeno automata are allowed, time must continue to progress forever. Further, future $I'$ states must exhibit the same behavior, for if there were any future non-delta actions possible from some $I'$ they would have to be possible from the corresponding $S'$. This includes inputs, because Formula 22 has to hold over $\mathcal{LC}^{t^{-1}}$, and it also includes $\tau$'s, because the modeling constraints would upper-bound time progression from $I$ and $ob(I, \delta, S, \mathcal{LC}^t)$ would have to be true, and $ob(I, \delta, S, \mathcal{LC}^t)$ is not true. Therefore $S \xrightarrow{\delta} S' \Rightarrow I \xRightarrow{\delta} I' \wedge (I', S') \in \mathcal{LC}^t$.
(b) 0X1: $ob(I, \delta, S, \mathcal{LC}^t) \Rightarrow I \xRightarrow{\delta'} I' \xrightarrow{\beta} I'' \wedge (I', S') \in \mathcal{LC}^t$. Since $S'$ must conform to $I'$, $S' \xRightarrow{\beta}$, and $S \xrightarrow{\delta'} S' \xRightarrow{\beta} \Rightarrow S \overset{\delta'}{\dashrightarrow}_o S'$, a contradiction, so case 0X1 is impossible.
(c) 1X1: $S \overset{\delta}{\dashrightarrow}_o S' \Rightarrow I \xRightarrow{\delta}_i I' \Rightarrow \neg ob(I, \delta, S, \mathcal{LC}^t)$, a contradiction, so case 1X1 is impossible.

Since all of the possible cases conclude $I \xRightarrow{\delta} I' \wedge (I', S') \in \mathcal{LC}^t$, the two implications can be united and the antecedent can be generalized to all $\delta$-transitions, resulting in

$\forall S'[S \xrightarrow{\delta} S' \Rightarrow \exists I'[I \xRightarrow{\delta} I' \wedge (I', S') \in \mathcal{LC}^t]]$

Since $\alpha \in A$, $\beta \in \bar{A} \cup \{\tau\}$, and $\delta \in \mathbb{R}$ cover the domain of $\gamma$ in Def. 21, and $\forall \alpha \in A[\bar{\bar{\alpha}} = \alpha]$ and $\forall \delta \in \mathbb{R}[\bar{\delta} = \delta]$, the three results from above can be combined into the single formula:

$\forall S'[S \xrightarrow{\gamma} S' \Rightarrow \exists I'[I \xRightarrow{\gamma} I' \wedge (I', S') \in \mathcal{LC}^t]]$

Further, since the same pairs of formulas hold for all $\alpha$-, $\beta$-, and $\delta$-transitions that $I$ can do,

$\forall I'[I \xrightarrow{\gamma} I' \Rightarrow \exists S'[S \xRightarrow{\gamma} S' \wedge (I', S') \in \mathcal{LC}^t]]$

therefore $\mathcal{LC}^t$ is a weak timed bisimulation:

$\forall (I, S) \in \mathcal{LC}^t, \gamma \in Act \cup \mathbb{R}[$
$\quad \forall S'[S \xrightarrow{\gamma} S' \Rightarrow \exists I'[I \xRightarrow{\gamma} I' \wedge (I', S') \in \mathcal{LC}^t]] \wedge$
$\quad \forall I'[I \xrightarrow{\gamma} I' \Rightarrow \exists S'[S \xRightarrow{\gamma} S' \wedge (I', S') \in \mathcal{LC}^t]]]$ $\square$

The final property that must be established about timed logic conformations is that the union of a set of timed logic conformations is a timed logic conformation.

Lemma 10

$\bigcup_i \mathcal{LC}^t_i$ is a timed logic conformation. (32)

Proof
For every pair of states $(P, R) \in \bigcup_i \mathcal{LC}^t_i$ and for every possible action, Formulas 22 through 27 hold for some $\mathcal{LC}^t_i$; so, by Def. 29 and the definition of union, they hold for $\bigcup_i \mathcal{LC}^t_i$; therefore $\bigcup_i \mathcal{LC}^t_i$ is a timed logic conformation. $\square$

4.8 Timed Logic Conformance as a Maximum Fixpoint

The definition of $\mathcal{LC}^t$ must be narrowed down so that it uniquely defines one of the many possible relations between DLTS automata states. There are many possible solutions to the relation $\mathcal{LC}^t$ as defined, including $\mathcal{LC}^t = \emptyset$. The one $\mathcal{LC}^t$ relation of particular interest is the largest relation, known as the maximum fixpoint of $\mathcal{LC}^t$. $\mathcal{LC}^t$'s maximum fixpoint is useful because implementation DLTS $I$ can be safely substituted for a specification DLTS $S$ when the initial states of $I$ and $S$ are in the maximum fixpoint $\mathcal{LC}^t$ relation. The following definitions and claims are made for DLTS induced from TSA conforming to the modeling constraints enumerated in Definition 30.

Definition 32. Timed Logic Conformation Maximum Fixpoint: $\mathcal{LC}^t$.

$\mathcal{LC}^t = \bigcup \{\mathcal{R} \mid \mathcal{R} \text{ is a timed logic conformation}\}$

Theorem 3 Given Def. 32, $\mathcal{LC}^t$ is the largest timed logic conformation.
Proof
By Lemma 10, $\mathcal{LC}^t$ is a timed logic conformation, and by definition it includes any other such. $\square$

Definition 33. Timed Logic Conformant DLTS: $I \sqsubseteq_{tlc} S$. Two DLTS's $I = (S_I, Act_I, \longrightarrow_I, (l_0, \pi_0)_I)$ and $S = (S_S, Act_S, \longrightarrow_S, (l_0, \pi_0)_S)$, induced from TSA conforming to the Definition 30 modeling constraints, are timed logic conformant (written $I \sqsubseteq_{tlc} S$) iff

$((l_0, \pi_0)_I, (l_0, \pi_0)_S) \in \mathcal{LC}^t$ (33)

Theorem 4 Given Def. 32, $\sqsubseteq_{tlc}$ is a partial order.
Proof
1. Reflexive: For any DLTS $P$, $P \sqsubseteq_{tlc} P$ by Lemma 2, since $((l_0, \pi_0)_P, (l_0, \pi_0)_P) \in \mathcal{LC}^t$.
2. Transitive: For three DLTS $P$, $Q$, and $R$, $P \sqsubseteq_{tlc} Q \wedge Q \sqsubseteq_{tlc} R \Rightarrow P \sqsubseteq_{tlc} R$ by Lemma 3, since $((l_0, \pi_0)_P, (l_0, \pi_0)_Q) \in \mathcal{LC}^t_1 \wedge ((l_0, \pi_0)_Q, (l_0, \pi_0)_R) \in \mathcal{LC}^t_2 \Rightarrow ((l_0, \pi_0)_P, (l_0, \pi_0)_R) \in \mathcal{LC}^t_1 \mathcal{LC}^t_2$.
3. Antisymmetric: For two DLTS $P$ and $Q$, $P \sqsubseteq_{tlc} Q \wedge Q \sqsubseteq_{tlc} P \Rightarrow P \approx Q$ per Lemma 9, since $((l_0, \pi_0)_P, (l_0, \pi_0)_Q) \in \mathcal{LC}^t \wedge ((l_0, \pi_0)_Q, (l_0, \pi_0)_P) \in \mathcal{LC}^{t^{-1}} \Rightarrow ((l_0, \pi_0)_Q, (l_0, \pi_0)_P) \in \mathcal{W}$. $\square$

Finally, $\sqsubseteq_{tlc}$ is overloaded to relate TSA conforming to the modeling constraints enumerated in Definition 30.

Definition 34. Timed Logic Conformant TSA: $I \sqsubseteq_{tlc} S$. An implementation TSA $I$ is timed logic conformant to specification TSA $S$ (written $I \sqsubseteq_{tlc} S$) iff both $I$ and $S$ conform to the Definition 30 modeling constraints and the DLTS induced from $I$, $I' = (S_I, Act_I, \longrightarrow_I, (l_0, 0)_I)$, and the DLTS induced from $S$, $S' = (S_S, Act_S, \longrightarrow_S, (l_0, 0)_S)$, are timed logic conformant (i.e., $I' \sqsubseteq_{tlc} S'$).

4.9 TLC, Parallel Composition, and Hierarchical Verification
Historically, one of the most theoretically important properties of equivalence and partial order relations between models of concurrent systems is whether or not they are preserved by parallel composition operations. If a relation is preserved by the composition process, and the input assumptions of each of the components in the composition are independently specified, then the verification task can be broken down into independent pieces without resorting to assumes-guarantees-style proof obligations.
If parallel composition does not preserve the relation then designers must verify every composition against a higher level of abstraction, and they should eventually have a top-level specification
that is not parallel composed. Often this is not practical for real-world designs because of the complexity of generating a monolithic top-level specification, and in that case one should carefully
simulate the top-level composition to ensure it behaves as expected. One should also employ model
checkers to prove it has the important properties they expect and that the composed specification
is free from deadlock and livelock.
When the input assumptions of each of the components are not independently specified, then
designers must do the extra assumes-guarantees-style verifications to determine whether or not
the implicit input assumptions of the components operating together and in an environment are
satisfied together.
Since the TSA formalism supports specifying the input assumptions of each component, and
the CI-free property of compositions ensures that the input assumptions of cooperating components do not interfere with outputs, an efficient top-down verification methodology can be realized.
Top-down hierarchical TLC verification starts at the most abstract level with a specification that
incorporates the environmental timing issues (e.g., input frequency, stimulus-response constraints)
into its behavior. The specification is the contract with the environment; as such it defines the
behavior required for the inputs it accepts. Only implementations that satisfy the TLC relation
with the specification fulfill the contract; TLC failures are design errors.
Then, a hierarchical system is top-down verified by defining (by parallel composition) a set of sub-specifications that are TLC-verified against the specification. Sub-specifications must also be CI-free, but only in the reachable subset of their state space explored by the TLC relation with the specification's reachable state space. Designers continue down the hierarchy, TLC-verifying each sub-specification against its sub-sub-specification until TLC holds with implementations composed entirely of design primitives. The reverse method can be used from the bottom up to create systems (as done in the STARI example, Section 6.2.3).
Unfortunately, as currently defined, TLC is not preserved by parallel composition. Figure 7 illustrates the problem. $I$ and $S$ are nearly identical; the only difference is the guard $k_i \geq 1$ on $I1 \xrightarrow{a\_} I2$. Formula 23 forgives this difference when verifying $I \sqsubseteq_{tlc} S$, since $\forall k_s \in [0, 1)[S1_{k_s} \xrightarrow{a\_} S2_{k_s} \Rightarrow I1_{k_s} \xrightarrow{\delta} I1_1 \xrightarrow{a\_} I2_1 \Rightarrow I1_{k_s} \xRightarrow{a\_}_o I2_1 \wedge (I2_1, S2_{k_s}) \in \mathcal{LC}^t]$. The difference is forgiven because $I1$'s $a\_$ outputs are allowed to be a timed subset of $S1$'s $a\_$ outputs. Allowing the implementation to match the specification using $\xRightarrow{}_o$ keeps $(I1_k, S1_k)$ in $\mathcal{LC}^t$ for $k \in [0, 1)$.
Figure 7. $I \sqsubseteq_{tlc} S$ but $I \| X \not\sqsubseteq_{tlc} S \| X$. (Figure not reproduced. $I$: locations $I1$ (invariant $k_i \leq 3$) and $I2$, entered by $start, k_i := 0$, with output $a\_$ guarded by $k_i \geq 1$. $S$: locations $S1$ (invariant $k_s \leq 3$) and $S2$, entered by $start, k_s := 0$, with unguarded output $a\_$. $X$: location $X1$ (invariant $k_x \leq 3$), entered by $start, k_x := 0$, with output $c\_$ guarded by $k_x \geq 1$.)

However, in composition with $X1$, the states $\{((I2 \| X1)_1, (S2 \| X1)_k) \mid k \in [0, 1)\}$ cannot be in $\mathcal{LC}^t$, because Formula 25 (checking that the specification can match implementation outputs) fails when $(I2 \| X1)_1 \xrightarrow{c\_}$ and $(S2 \| X1)_k \not\xrightarrow{c\_}$. State $(S2 \| X1)_{k_x}$ cannot do $X1$'s $c\_$ for $k_x \in [0, 1)$ because the guard $k_x \geq 1$ is false. This means that the state pairs $((I1 \| X1)_k, (S1 \| X1)_k)$ for $k \in [0, 1)$ cannot be in $\mathcal{LC}^t$, and neither can the states $((I \| X)_k, (S \| X)_k)$. Therefore $I \| X \sqsubseteq_{tlc} S \| X$ does not hold.
In this example, allowing time to progress in $I1$ to match $S1$'s $a\_$ output, together with the unmatched change in $X1$'s behavior, causes the problem. $X1$ behaves differently when $k_x \geq 1$ than it does when $k_x < 1$. The TLC relation cannot allow this difference in the composition even though it accepted the difference between $I1$ and $S1$ via $I1 \xRightarrow{}_o$ while computing $I \sqsubseteq_{tlc} S$.
This example illustrates the conflict between parallel composition and relaxing the timing relationship between implementation and specification outputs. The TSA time successor Rule 7 on page 41 defines that time progresses equally for all DLTS's induced from parallel TSA, but neither the TLC relation, nor the modeling constraints, nor the CI-free property prohibit transition guards from becoming enabled (like $X1 \xrightarrow{c\_}$) while time progresses.
This is not a problem for CTR verification because $\alpha$ in Formula 2's antecedent $S \xRightarrow{\alpha} S'$ does not range over $\{\delta\}$ for the time prefix $[0, 3]$. This means that $[0, 3].(S1 \| X1) \not\xrightarrow{c\_}$, so $(S1 \| X1) \xrightarrow{c\_}$ is not enabled. Only when $I$'s delay prefix becomes $[0, 2].(I1 \| X1) \xrightarrow{c\_}$ does Formula 1 on page 25 require them to match, and then they do, because $[0, 2].X1 \xrightarrow{c\_}$ is enabled for both compositions at that point. If Formula 23 were changed to match CTR's semantics from

$\forall S'[S \xrightarrow{\beta} S' \Rightarrow \exists I'[I \xRightarrow{\beta}_o I' \wedge (I', S') \in \mathcal{LC}^t]]$

to

$S \xrightarrow{\beta} \Rightarrow \exists \delta, I', I'', S', S''[I \xRightarrow{\delta}_o I' \xRightarrow{\beta} I'' \wedge S \xRightarrow{\delta}_o S' \xrightarrow{\beta} S'' \wedge \{(I', S'), (I'', S'')\} \subseteq \mathcal{LC}^t]$

this formulation would not require the original state $S^*$ reached via $S \xrightarrow{\beta} S^*$ to be matched. It relaxes TLC such that the example in Figure 7 would be preserved by composition. Unfortunately, if there were also an input transition from $X1$ back to $X1$, TLC would hold, despite the fact that $(S \| X)$ leads to an input that $(I \| X)$ cannot match. Such an error is not consistent with the notion of an acceptable implementation; so TLC cannot be weakened like CTR.
In contrast, if the TLC relation is strengthened such that the implementation must match output timing exactly (i.e., replace $\xRightarrow{}_o$ by $\xRightarrow{}$ in all of Formulas 22 through 27), then composition preserves TLC, but it makes the relation impractical. When implementations are required to match specification output timing exactly, TLC generally rejects useful abstractions, because typical implementations do not always exhibit both the best-case and worst-case delays from all states. Hence the TLC relation cannot generally be preserved in a practical way by strengthening output timing matching.
The fact that TLC is not preserved by parallel composition is a practical problem only when some composition is left unverified. All compositions are verified except when a monolithic top-level specification cannot be constructed to verify the most abstract composition. In this case, one should simulate and model-check the most abstract composition as described in Section 4.9, and TLC-verify it against the composition of the entire next level of abstraction TSA. For example, referring to the TSA modeling hierarchy in Figure 8, in order to verify the top-level composition $A \| B \| C$, verification of

$A1 \| A2 \| A3 \| B1 \| B2 \| B3 \| C1 \| C2 \| C3 \sqsubseteq_{tlc} A \| B \| C$

is required instead of relying on

$(A1 \| A2 \| A3 \sqsubseteq_{tlc} A) \wedge (B1 \| B2 \| B3 \sqsubseteq_{tlc} B) \wedge (C1 \| C2 \| C3 \sqsubseteq_{tlc} C)$

to separately satisfy the intended behavior of $A \| B \| C$. Any TLC failures in the large verification should be carefully scrutinized to ensure the specification is requiring the appropriate behavior. If not, then modify $A$, $B$, or $C$; if so, correct the offending $A_i$, $B_i$, or $C_i$.

Figure 8. Parallel Specification Hierarchy. (Figure not reproduced: the top-level composition $A \| B \| C$ over the next level $A1 \| A2 \| A3$, $B1 \| B2 \| B3$, $C1 \| C2 \| C3$.)

Although this may seem just as expensive as the assumes-guarantees reasoning process, note that all of the models in this example are models of the system being built, not of the environment. In Figure 3, the problem depicted is the verification of a system being built, perhaps $Y$, where $X$ and $Z$ are models of the environment interacting with $Y$. Here, the environmental constraints are captured in the TSA $A \| B \| C$, which is at the same level of abstraction as $Y$. The verifications depicted in Figure 8 represent two levels of abstraction below $Y$, and reason about the system itself, not the environment. If $Y$ must be concretized to be implemented, then there are even more assumes-guarantees verifications necessary for all the $Y_i$ timed processes in their environments.

4.10 Summary
This chapter formally defined the timed equivalence relation weak timed bisimulation that
relates DLTSs with different internal action sequences but the same observable action sequences
and timing. To relate systems that do not have the exact same timing, it defined how to abstract
away the temporal differences between TSA, and how to use those abstractions to weaken weak
timed bisimulation via the partial order Timed Logic Conformance.
With a few well-defined exceptions, Timed Logic Conformance requires that implementation
inputs are a timed superset of specification inputs and that implementation outputs are a timed
subset of specification outputs. Timed Logic Conformance formalizes these notions and specifies
when an implementation can safely replace a specification, and it has the necessary mathematical
properties to support hierarchical verification of large systems with the exception that one must be
careful when the most abstract specification is parallel composed.
The TLC verification process supports a powerful and efficient top-down verification methodology that also works bottom-up. The TLC verification methodology is better than assumes-guarantees reasoning because it simplifies and reduces the burden of building models, and it breaks the verification down into less complex independent pieces.
TLC verification simplifies model building because fewer models have to be built: no models of the environment itself need to be constructed, and no models of the rest of the system and the environment (the environment from a particular component's point of view) need to be constructed.
Further, the system models that are constructed are simpler because not all inputs in all states for
all times have to be defined. Only the inputs necessary to satisfy the CI-free property have to be
added.
The TLC verification methodology is simpler because it can be independently decomposed without the assumes-guarantees circular-dependency verifications. This reduces the magnitude of the verification task tremendously, because iteratively changing models and specifications only affects the verifications up and down the hierarchy, not across the breadth of it for every iteration.


V. Timed Logic Conformance System
This chapter describes the Prolog Timed Logic Conformance System (TLCS). After presenting some
background information, it describes the finite automata induced from Timed Safety Automata
(TSA) called region automata. Region automata are useful for reasoning about TSA behavior
using computers, and in particular for this research using TLCS. After describing the TLCS region
automata time representation, the chapter describes the TLCS rules and procedures that efficiently
implement the TLC decision procedure. Finally, it concludes with a description of the TLCS TSA
input format, TLCS TSA parallel composition, and TLCS user interface.

5.1 Background
TLCS is actually a second-generation Prolog program. The first-generation program computes the TLC maximum fixpoint over a discrete projection of the induced DLTS. It directly computes the $\xRightarrow{}_i$, $\xRightarrow{}_o$, $\dashrightarrow_i$, and $\dashrightarrow_o$ transition relations, takes the cross product of the discrete subsets of implementation and specification DLTS states, and whittles the cross product down to the maximum fixpoint $\mathcal{LC}^t$. It uses predicates implementing the TLC definition (Formulas 22 through 27) to reject state pairs that do not satisfy the relation. The first-generation program is quite useful for understanding the subtleties of the TLC definitions, but it is only practical for TSA with handfuls of locations.
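As an added illustration of the first-generation approach just described, the following Python is not code from TLCS or from the dissertation. It applies the same cross-product-and-whittle computation of the greatest fixpoint (the union of all relations closed under the checking formulas, as in Def. 32), but to keep it short the per-pair check is untimed weak bisimulation (τ-closure matching in both directions, no delays and no $ob$ predicate) rather than the six TLC formulas. The transition tables, state names, action names, and function names are this example's own assumptions.

```python
"""Greatest fixpoint by whittling down the state cross product.

Added example, not code from TLCS or the dissertation. The per-pair check is
untimed weak bisimulation (tau-closure matching in both directions) instead of
the six TLC formulas. Transition tables below are constructed; all state,
action and function names are this example's own assumptions.
"""
TAU = 'tau'


def tau_closure(lts, state):
    """States reachable from `state` by zero or more tau steps."""
    seen, stack = {state}, [state]
    while stack:
        s = stack.pop()
        for act, t in lts.get(s, ()):
            if act == TAU and t not in seen:
                seen.add(t)
                stack.append(t)
    return seen


def weak_succ(lts, state, act):
    """All t with state ==act==> t, i.e. tau* act tau* (just tau* when act is tau)."""
    before = tau_closure(lts, state)
    if act == TAU:
        return before
    mid = {t for s in before for a, t in lts.get(s, ()) if a == act}
    return {u for t in mid for u in tau_closure(lts, t)}


def greatest_weak_bisimulation(impl, spec):
    """Start from every (p, q) pair and drop pairs that violate the matching
    conditions with respect to the CURRENT relation; iterate to a fixpoint.
    Because only violating pairs are ever removed, the result is the largest
    relation closed under the conditions, the analogue of Def. 32 here."""
    rel = {(p, q) for p in impl for q in spec}
    changed = True
    while changed:
        changed = False
        for p, q in list(rel):
            # every impl step must be matched by a weak spec step into rel ...
            ok = all(any((p2, q2) in rel for q2 in weak_succ(spec, q, a))
                     for a, p2 in impl[p])
            # ... and every spec step by a weak impl step into rel
            ok = ok and all(any((p2, q2) in rel for p2 in weak_succ(impl, p, a))
                            for a, q2 in spec[q])
            if not ok:
                rel.discard((p, q))
                changed = True
    return rel


# Constructed transition tables: state -> [(action, successor), ...].
# Every state must appear as a key so the cross product covers it.
SPEC = {'s0': [('a', 's1')], 's1': [('b', 's2')], 's2': []}
IMPL_OK = {'i0': [(TAU, 'i1')], 'i1': [('a', 'i2')], 'i2': [('b', 'i3')], 'i3': []}
IMPL_BAD = {'j0': [('a', 'j1')], 'j1': [('c', 'j2')], 'j2': []}   # emits c, not b


def initial_states_related(impl, spec, i0, s0):
    """The substitutability question: are the two initial states in the fixpoint?"""
    return (i0, s0) in greatest_weak_bisimulation(impl, spec)


if __name__ == '__main__':
    print(sorted(greatest_weak_bisimulation(IMPL_OK, SPEC)))
    print(initial_states_related(IMPL_OK, SPEC, 'i0', 's0'))    # True
    print(initial_states_related(IMPL_BAD, SPEC, 'j0', 's0'))   # False
```

The loop re-examines every surviving pair against the relation as it currently stands, which is what makes the result the greatest fixpoint rather than just some closed relation; the cost, as the text notes for the first-generation program, is the full cross product of the state spaces, which is why it only scales to a handful of locations.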
The second-generation program (TLCS) verifies whether or not the dense-time behavior of two TSA satisfies the TLC relation properties. Instead of verifying the cross product of the state spaces, TLCS examines only the subset of the TLC maximum fixpoint relation that is reachable between the two TSA being compared when they start in their initial locations, time progresses the same for both of them, and they receive the same inputs. TLCS explicitly enumerates the reachable states of the two region automata being compared using a common frame of reference for time passing. TLCS renames the clocks of the two systems to ensure they are unique and unions the renamed clock sets into a single clock set used as a common time reference. TLCS does not directly compute the $\xRightarrow{}_i$, $\xRightarrow{}_o$, $\dashrightarrow_i$, and $\dashrightarrow_o$ transition relations. Rather, it follows $\tau$ and time-passing transitions ($\delta$'s) when necessary and allowed by the TLC definition (Def. 29) formulae to determine if TLC holds. For example, if $S \xrightarrow{a} S'$ but $I \not\xrightarrow{a}$, TLCS follows $\xrightarrow{\tau}$ or $\xrightarrow{\delta}$ transitions in accordance with the $\xRightarrow{}_o$ relation definition (Def. 25) to determine if $I \xRightarrow{a}_o I'$ and if $I'$ and $S'$ satisfy the TLC relation properties.
TLCS depth-first explores the mutually reachable state space of the two automata by taking transitions and advancing time from their initial states to determine if any TLC formula is violated in any reachable state pair. If no TLC formula is violated and all of the reachable state space is explored, TLCS succeeds and TLC holds. If a TLC formula is violated before examining all of the reachable states, TLC fails, and TLCS can be queried to report a trace (sequence of actions) or simulation (sequence of locations, times, and actions) leading to the failure. TLCS examines all reachable states for all possible actions starting from the initial state pair, so it will detect any failure that disqualifies the initial state pair $(I_0, S_0)$ from being in $\mathcal{LC}^t$. This is true because $(I_0, S_0) \notin \mathcal{LC}^t$ implies that for some action $a \in Act \cup \mathbb{R}$ either $I_0 \xrightarrow{a} I$ and $S_0 \xrightarrow{a} S$ and $(I, S) \notin \mathcal{LC}^t$, or one of the systems could do $a$ and the other could not match $a$ according to the TLC formulae. Both cases are detected by TLCS.
The following sections explain the TLCS implementation. First the region automata time representation is explained, then the TLCS data structures and the Prolog rules and procedures reveal the TLCS algorithm that decides if TLC holds between a pair of implementation and specification TSA.

5.2 Region Automata
Since the state space of a DLTS is uncountable, the DLTS semantic model cannot be used to represent TSA and compute relationships between them on finite computer systems. Therefore a finite representation of the DLTS, called region automata, from Alur and Dill (ACD90) and fully developed in (AD94), is adapted for TSA semantics and computing TLC.
The main difference between DLTS and region automata is that the uncountable number of clock assignments representing the different possible combinations of clock values in the DLTS are represented finitely in the region automata by a collection of open and closed intervals, one interval for each clock, and a relation on clocks that orders them according to the magnitude of the fractional part of the clock value. Hence, the "state" of a region automaton consists of a label representing the TSA location, a collection of time intervals, and the fractional-part relation. The intervals and the fractional-part relation together define equivalence classes for the clock assignments. Figure 9 serves as an example. In this example there are two clocks, $x$ and $y$. The largest integers used to constrain clocks $x$ and $y$ are 2 and 1 respectively. While there are an uncountable number of real values these two clocks can take on with respect to one another, only 28 different equivalence classes are required to finitely represent the clock assignments, as depicted in the figure. Hence, instead of an uncountable number of $(l, \pi)$ timed states, and transitions between them, a finite number of $(l, EC(\pi))$ tuples and transitions represent TSA behavior in the computer (where $EC(\pi)$ stands for the equivalence class of the clock assignment $\pi$).
Figure 9. Region Automata Time Regions. (Figure not reproduced: the $(x, y)$ plane with $x$ constrained up to 2 and $y$ up to 1, partitioned into 6 closed points, e.g. $[1, 1]$; 14 open segments, e.g. $0 < x = y < 1$; and 8 open regions, e.g. $0 < x < y < 1$.)

Since only integers are used to constrain TSA, as time progresses the truth of guards and invariants can only change when a clock value changes from an integral to a non-integral real value or vice versa. Consequently, when no clocks are integral, the algorithm need only keep track of which two integers each clock is between and which clock(s) will reach their next integral value first (i.e., which clock(s) have the largest fractional part). When one or more clocks are integral, for time to progress, their values will change next, and after the time changes, those clocks have the smallest fractional part, and no clocks are integral. Note that once a clock value exceeds the largest integer used to constrain it, the truth or falsity of guards and invariants referencing it no longer changes, so there is no longer any need to reference the fractional parts of such clocks. Since time progresses at the same rate on all TSA clocks, it can only progress along trajectories parallel to the line $x = y$ in the 2-clock example in Figure 9; e.g., time progresses transitively from the point $[x = y = 0]$ to the line segment $[0 < x = y < 1]$ to the point $[x = y = 1]$ to the open region $[1 < x < 2, 1 < y < 2]$ to the line segment $[x = 2, y > 1]$ to the open region $[x > 2, y > 1]$.
TLCS time equivalence classes are called time regions. A time region is a tuple [CV,CC], where CV (Clock Values) is a sorted sequence of tuples [[CName,L,R],...]. CName is the clock name, L is the lower integer bound on clock CName's value, and R is either the upper integer bound on clock CName's value or the atom 'i' representing infinity when CName's value is unbounded. Only two kinds of intervals, closed and open, are necessary; there is no representation for half-open intervals. An interval is closed and represents a single point when L = R. An interval is open when L ≠ R. CC (Clock Classes) is a sequence of tuples containing alphabetically sorted lists of clock names, representing a partition of the bounded clocks sorted in descending order of fractional value (e.g., [[c1,c3],[c2]] where c1 and c3 have equal fractional parts, and c2 has a smaller fractional part than c1 and c3). Every CName in CV except those whose value is unbounded will be in one and only one element of CC. If no clocks are bounded (i.e., all clock values exceed the maximum values constraining them), CC == []. TLCS time regions for the time progression example in the previous paragraph are shown in Table 5.
Table 5. TLCS Time Region Representation.

    Region                     Representation
    [x = y = 0]                [[[x,0,0],[y,0,0]],[[x,y]]]
    [0 < x = y < 1]            [[[x,0,1],[y,0,1]],[[x,y]]]
    [x = y = 1]                [[[x,1,1],[y,1,1]],[[x,y]]]
    [1 < x < 2, 1 < y < 2]     [[[x,1,2],[y,1,i]],[[x]]]
    [x = 2, y > 1]             [[[x,2,2],[y,1,i]],[[x]]]
    [x > 2, y > 1]             [[[x,2,i],[y,1,i]],[]]

Since neither x nor y is reset and time progresses equally on both clocks from (x, y) = (0,0) in
the Table 5 example, the table does not include an example representation for a time region where
frac(x) ≠ frac(y). TLCS uses [[[x,1,2],[y,0,1]],[[x],[y]]] to represent the time region
[1 < x < 2, 0 < y < 1] where frac(x) > frac(y). This region is the triangle interior defined by the
points {(1,0), (2,0), (2,1)}.

In order to ensure that clocks progress at the same rate, equivalence classes for clock values
that have not yet exceeded their maximum constraint are no coarser than open intervals between
two adjacent integral numbers. For example, the clock value x = 1.25 is represented by the open
interval [x,1,2] in its equivalence class. Since, in general, clocks may be independently reset and
therefore will not always be in the same equivalence class, all combinations of equivalence classes
up to and including the class representing when their value exceeds the maximum integer used to
constrain them are possible. This means that the number of regions grows exponentially with the
largest clock constraint value. Given that C is the clock set and c_x is the largest integer constraining
clock x ∈ C, the number of clock regions is bounded by |C|! · 2^|C| · Π_{x∈C}(2c_x + 2) (AD94:p203).
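The following is an added Python example, not TLCS code: it builds the [CV,CC] region of a concrete clock valuation and steps it through time successors, reproducing the Table 5 trajectory and the frac(x) > frac(y) region above. Passing the maximum constraints in as a dict is an assumption of this example.

```python
from fractions import Fraction
import math

INF = 'i'   # TLCS atom for an unbounded upper bound


def region_of(values, cmax):
    """Map concrete clock values to the TLCS time region [CV, CC].

    values: {clock: value} (int, float or Fraction); cmax: {clock: largest
    integer constraining that clock} (an assumption of this example: TLCS
    keeps these bounds elsewhere).  A clock above its cmax is unbounded: it
    gets [name, cmax, 'i'] in CV and is left out of CC.
    """
    cv, frac = [], {}
    for name in sorted(values):                 # CV is sorted by clock name
        v, m = Fraction(values[name]), cmax[name]
        if v > m:
            cv.append([name, m, INF])
            continue
        lo = math.floor(v)
        cv.append([name, lo, lo] if v == lo else [name, lo, lo + 1])
        frac[name] = v - lo
    # CC: bounded clocks partitioned by fractional part, largest fraction first,
    # each class sorted alphabetically.
    by_frac = {}
    for name, f in frac.items():
        by_frac.setdefault(f, []).append(name)
    cc = [sorted(by_frac[f]) for f in sorted(by_frac, reverse=True)]
    return [cv, cc]


def next_time(region, cmax):
    """Time successor of a region (the delta step the text calls next_time/2)."""
    cv = [list(e) for e in region[0]]
    cc = [list(cls) for cls in region[1]]
    if not cc:                                  # all clocks unbounded: T == T_
        return [cv, cc]
    entry = {e[0]: e for e in cv}
    last = cc[-1]                               # smallest fractional part
    if entry[last[0]][1] == entry[last[0]][2]:
        # Integral clocks (fraction 0, hence the last class) move into the next
        # open unit interval, or become unbounded once they sit at their cmax.
        keep = []
        for name in last:
            e = entry[name]
            if e[1] == cmax[name]:
                e[2] = INF
            else:
                e[2] = e[1] + 1
                keep.append(name)
        if keep:
            cc[-1] = keep
        else:
            cc.pop()
    else:
        # No integral clock: the class with the largest fraction reaches its
        # upper integer and, now having fraction 0, becomes the last class.
        first = cc.pop(0)
        for name in first:
            entry[name][1] = entry[name][2]
        cc.append(first)
    return [cv, cc]


def time_trajectory(region, cmax):
    """All regions reached from `region` by delta steps, up to the fixpoint T == T_."""
    out = [region]
    while True:
        nxt = next_time(out[-1], cmax)
        if nxt == out[-1]:
            return out
        out.append(nxt)
```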
Unfortunately, this fine equivalence class granularity is generally necessary to model time
progressing uniformly on all clocks and to eliminate region automata behaviors that would not be
possible in the corresponding DLTS. The following example illustrates why we need such a fine
granularity of equivalence classes. If instead of limiting the largest equivalence class to be less than
one time unit wide, the granularity of the region automata equivalence classes is increased to the
open intervals between the integers used to constrain the TSA, then some region automata models
exist that exhibit behaviors inconsistent with the induced DLTS semantics.


These inconsistencies arise when time is not constrained to pass at the same rate on all system
clocks. This is illustrated by the following example. In the Figure 10 TSA/DLTS, no c_ output
can occur before b_ is observed. This is the case because the guard on the c_ transition requires
cb - ca > 1, and ca and cb cannot ever be more than 1 time unit apart unless the a transition from
X1 to X2 is taken. In the portion of the region automata state space and the example transitions
illustrated in Figure 11, the region where c_ can occur can be reached by following the a transition
from X1 to X2 and returning to X1 from X2 via the b_ transition. Unfortunately, the c_-capable
region can also be reached by following δ from (0,0) to (1,1), a from (1,1) to (0,1), and δ from (0,1)
to region [0 < ca < 1, 1 < cb < 2], where another δ that does not necessarily keep time progressing
on both clocks equally can take the automata to region [0 < ca < 1, 2 < cb < ∞] where a c_ output
can occur even though X2 was never entered. This example illustrates why clock value equivalence
classes for clocks that have not yet exceeded their maximum constraint are no coarser than open
intervals between two adjacent integral numbers.
[Figure 10 diagram not reproduced; recoverable content: locations X1 and X2, clocks ca and cb, and a transition label reading a, cb > 1, ca := 0.]
Figure 10. Fine-Grained TSA/DLTS.

[Figure 11 diagram not reproduced; recoverable content: region automata plotted on ca and cb axes for locations X1 and X2, with b_, a and δ transitions.]
Figure 11. Inconsistent Region Automata with Skewed δ-Transitions.


The time region is a fundamental data structure of the TLCS system. It is an important part
of understanding how the TLCS system finitely computes the TLC relationship for dense time.
The next important concept is the TLC decision procedure itself.

5.3 TLC Decision Procedure

This section describes and illustrates TLCS's novel and efficient region-automata-based TLC
decision procedure implementation. Starting from some basic definitions, the section uses important
TLCS code fragments to explain the decision procedure implementation. After the basic definitions,
the discussion is broken down into three subsections. The first subsection describes the TLC Prolog
query that checks the behavioral part of TLC; the second describes checking a particular formula
from the TLC definition, and the third describes how the TLC prolog query verifies time-derivatives.
TLCS inputs are Prolog atoms other than t that do not end in an underscore. Outputs are
Prolog atoms that end with an underscore (_). Taus are the Prolog atom t or Prolog terms t(X)
where X is a variable representing any Prolog atom. The TLCS queries input(X), output(X),
and tau(X) are true when X is an input, output, or tau action respectively.
In TLCS, a timed state of the implementation, specification, and their combined time
representation is an [I,S,T] tuple where I is a Prolog term representing the implementation
location, S is a Prolog term representing the specification location, and T is the time region. The
initial timed state is then the initial location of the implementation, the initial location of the
specification, and the zero time region of the combined clock set. Since the initial locations of
the two TSA being compared must be in the TLC relation between their induced DLTS's and
their corresponding region automata at time zero, TLCS starts checking whether or not the two
automata satisfy the TLC relation properties from the initial timed state.
TLCS keeps track of all the timed states it has or is currently checking, and once a timed
state is checked, it is not checked again. This avoids recomputing tlc/6 for timed states that have
already satisfied TLC and for those which are currently being examined in the depth-first trail. In
most cases TSA used in this research have recursive behavior patterns, so maintaining and checking
the list of visited timed states prevents nonterminating computation.

5.3.1 Behaviorally Checking TLC.

The tlc(I,S,Tn,Matched,UnMatched,Parent) Prolog query (abbreviated by the functor tlc/6)[1]
investigates whether implementation location I and
specification S satisfy the TLC relation formulae at time Tn; i.e., given timed state [I,S,Tn], where
Tn(I) and Tn(S) are corresponding DLTS time points represented by equivalence class time region
Tn, tlc/6 computes whether or not ((I,Tn(I)),(S,Tn(S))) is in the TLC relation. If so, the query
succeeds and TLC holds; if not, the query fails and TLC does not hold. The input parameter Matched
is a list of [Sigma,S_] tuples representing specification output actions Sigma and specification
to-states S_ that are matched earlier from implementation location I at some time Tm preceding
time Tn. The to-states S_ are recorded and checked to ensure that behaviorally distinct to-states are
not overlooked. The input parameter UnMatched is a list of [Sigma,S_] tuples representing
specification output actions Sigma and specification to-states S_ that have not yet been matched by
the implementation from location I for any time Tm preceding time Tn. Lists Matched and UnMatched
allow specification outputs to occur earlier or later than implementation outputs. If the
implementation cannot match a specification output Sigma, TLCS adds the specification output Sigma
and reached location S_ to UnMatched, increments time to the next time value Tn_ and checks to
see if tlc(I,S,Tn_,Matched,[[Sigma,S_]|UnMatched],Parent) holds[2]. When the implementation
matches [Sigma,S_], then [Sigma,S_] is removed from UnMatched and added to Matched.
When time passes all clock bounds (i.e., Tn=Tn_) or the implementation location invariant expires,
UnMatched must be empty, or else tlc/6 fails (i.e., the implementation never matched some
specification output). The input parameter Parent is a timed state number (integer) that TLCS assigns
to uniquely identify the timed state ['I,'S,'Tn] that led to [I,S,Tn] by some action or time
progression. TLCS uses timed state numbers to generate error traces and simulations.

[1] The name of a Prolog query is the Prolog atom preceding the left parenthesis. A Prolog functor is the query
name and number of query arguments separated by a forward slash.
[2] The symbol | stands for list construction; e.g., [a|L] prepends the atom a on list L and [[a,b,c]|L] prepends
the triple [a,b,c] on list L.
Figure 12 displays the queries from the tlc/6 procedure that implement the TLC definition
(Def. 29) formulae. The query names are derived from the system whose actions are being matched
and the type of action that is being matched. Alphas are inputs, betas are outputs, and taus are τ's.
For example, spec_alpha/9 implements checking that specification inputs are matched according
to Formula 22. The parameters IActs and SActs are lists of [Sigma,Resets,ToState] triples
denoting locations reached from the implementation and specification states I and S respectively
at time T by action Sigma ∈ Act; Resets denote the set of I or S clocks reset when the transition
is taken to ToState. N is the unique number TLCS assigns to timed state [I,S,T].
spec_alpha(I,S,T,SActs,IActs,Matched,UnMatched,Parent,N),
spec_beta(I,S,T,SActs,IActs,Matched,UnMatched,Parent,N),
spec_tau(I,S,T,SActs,IActs,Matched,UnMatched,Parent,N),
imp_beta(I,S,T,IActs,SActs,Matched,UnMatched,Parent,N),
imp_alpha(I,S,T,IActs,SActs,Parent,N),
imp_tau(I,S,T,IActs,SActs,Matched,UnMatched,Parent,N),
Figure 12. TLC Formulae Queries.

5.3.2 Checking TLC Formulae.

The spec_beta/9 procedure requires allowing both structural
and temporal differences and provides the most thorough example. Figure 13 is the TLCS
Spec-Beta Procedure implementing TLC Def. 29 Formula 23. Identifiers that are capitalized are
Prolog variables, [] denotes the empty list, and underscores without prepended atoms are "don't
care" variables.
The five different Prolog rules separated by periods in Figure 13 define the spec_beta/9
procedure. The first four spec_beta/9 rules can satisfy Formula 23. At runtime, Prolog checks
the rules in the order they are defined from the top to the bottom. The fifth spec_beta/9 rule
never succeeds (fail cannot succeed); it asserts a deficient fact (d/6) to assist in debugging TLC
failures and then fails. The exclamation points are "cuts" that stop Prolog from trying to satisfy
spec_beta/9 with more than one rule. Once queries in a rule body are satisfied to the "!", the
remaining queries in the rule body must succeed or spec_beta/9 fails regardless of the remaining
rules.

spec_beta(_,_,_,[],_,_,_,_,_) :- !.
spec_beta(I,S,T,[[Beta,_,_]|SActs],IActs,Matched,UnMatched,P,N) :-
    not output(Beta),
    !,
    spec_beta(I,S,T,SActs,IActs,Matched,UnMatched,P,N).
spec_beta(I,S,T,[[Beta,SResets,S_]|SActs],IActs,Matched,UnMatched,P,N) :-
    member([Beta,IResets,I_],IActs),
    reset_time(IResets,SResets,T,T_),
    tlc(I_,S_,T_,[],[],N),
    !,
    spec_beta(I,S,T,SActs,IActs,Matched,UnMatched,P,N).
spec_beta(I,S,T,[[Beta,_,S_]|SActs],IActs,Matched,UnMatched,P,N) :-
    % Must do output before another visible action occurs, via tau or delta.
    merge_set([[Beta,S_]],UnMatched,UM),
    spec_beta_aux(I,S,T,IActs,Matched,UM,N),
    !,
    spec_beta(I,S,T,SActs,IActs,Matched,UnMatched,P,N).
spec_beta(I,S,T,[[Beta,_,S_]|_],_,_,_,P,N) :-
    retractall(c(I,S,T)),
    assert(d(I,S,T,sb(Beta),P,N)),
    fail.
Figure 13. TLCS Spec-Beta Procedure.
The first rule satisfies the query when there are no [Beta,S_] action and to-state pairs possible
from S. This is the case when S cannot do any actions, or when all of S's outputs have been checked.
The second rule satisfies the query when the action Beta is not an output. This is the case
when the list of actions SActs has a [Beta,SResets,S_] triple and Beta is not an output action.
The third rule satisfies the query when the implementation matches the specification's Beta
and the to-locations of the two systems also satisfy tlc/6.
The fourth rule satisfies the spec_beta query if it finds a matching output by following an
implementation tau or by allowing time to pass. In either case, it adds the unmatched [Beta,S_]
pair to the UnMatched list and calls spec_beta_aux/6, which is defined in Figure 14.

spec_beta_aux(_,S,T,IActs,Matched,UM,N) :-
    % Via tau?
    member([A,IResets,I_],IActs),
    tau(A),
    reset_time(IResets,[],T,T_),
    tlc(I_,S,T_,Matched,UM,N),
    !.
spec_beta_aux(I,S,T,_,Matched,UM,N) :-
    % Via delta?
    next_time(T,T_),
    tlc(I,S,T_,Matched,UM,N).
Figure 14. TLCS Spec-Beta-Aux Procedure.

Functor spec_beta_aux/6 is defined by two rules. The first rule is satisfied when the implementation
can do a tau action that leads to a TLC-satisfying state. It compares the current
specification state S against the tau derivative state I_ by resetting the clocks associated with I's
tau action and calling tlc(I_,S,T_,Matched,UM,N). The second rule advances the time region to
the next possible time equivalence class and calls tlc(I,S,T_,Matched,UM,N) to see if I matches
S's output in the future. This completes the explanation of TLCS's spec_beta/9 formula.
The TLCS implementations of the remaining TLC formulae are all simpler than spec_beta/9.
The only novelty is the implementation of the extra conjunct in Formula 24's antecedent, which is
implemented by the Prolog rule:
imp_alpha(I,S,T,[[Alpha,_,_]|IActs],SActs,P,N) :-
    not member([Alpha,_,_],SActs),
    !,
    imp_alpha(I,S,T,IActs,SActs,P,N).
The above rule simply satisfies the imp_alpha/7 query when Alpha is not in the set of actions
possible by the specification.

5.3.3 Temporally Checking TLC.

After checking that all TLC formulae hold for all of the
actions and to-locations in IActs and SActs, tlc/6 does four things:

1. Creates the list AllMatched by adding specification outputs matched in the current timed
state to Matched.
2. Creates the list StillUnMatched by removing specification outputs matched in the current
timed state from UnMatched.
3. Calls next_time(T,T_) to increment the time region T to the next possible time equivalence
class T_.
4. Checks to see if [I,S,T_] satisfies TLC.
When T=T_ all clocks have exceeded their maximum time bound and time progresses infinitely.
Since [I,S,T]=[I,S,T_], all future behavior from locations I and S is already verified. If there
are no unmatched specification outputs, TLCS asserts h(I,S,T,AllMatched) to log the fact that
TLC holds.
When T≠T_, T_ is a new time region, and TLC must be verified to hold in the future states.
There are four possibilities.

1. Neither I nor S can move forward to time T_. This is the case when both location invariants
are violated by time T_. In this case, as long as there are no unmatched specification outputs,
TLC holds in timed state [I,S,T] and TLCS asserts h(I,S,T,EM) to log this fact.
2. T_ is valid for I but not for S. This means that S's invariant is violated by time T_. In this
case, TLCS uses the code fragment:
(no_future_imp_outputs(I,T_)
 ;
 (member([Tau,SResets,S_],SActs),
  tau(Tau),
  reset_time([],SResets,T,T2),
  tlc(I,S_,T2,AllMatched,StillUnMatched,N))
 ;
 (retractall(c(I,S,T)),assert(d(I,S,T,[delta,s],Parent,N)),fail))
to execute one of three things (the ";" operator is Prolog disjunction):
(a) TLC succeeds if the implementation has no future outputs (no_future_imp_outputs/2
succeeds).
(b) TLC succeeds if I does have future outputs and they are matched by S after it performs
a tau action; i.e., tlc(I,S_,T2,AllMatched,StillUnMatched,N) succeeds.
(c) TLCS retracts c(I,S,T) (the considering fact), asserts a debugging fact (d/6), and fails.
3. T_ is not valid for I but is valid for S. This means that I's invariant is violated by time T_.
In this case, TLCS uses the code fragment:
((StillUnMatched == [],
  no_new_future_spec_actions(S,SActs,AllMatched,T_),
  (IActs == []
   ;(member([Beta,_,_],IActs),
     output(Beta))))
 ;
 (member([Tau,IResets,I_],IActs),
  tau(Tau),
  reset_time(IResets,[],T,T2),
  tlc(I_,S,T2,AllMatched,StillUnMatched,N))
 ;
 (retractall(c(I,S,T)),assert(d(I,S,T,[delta,i],Parent,N)),fail))
to execute one of three things:
(a) TLC is satisfied when output-bound (Def. 28) holds. Output bound is implemented here
by checking three things:
i. StillUnMatched == [] verifies there are no unmatched specification outputs,
ii. no_new_future_spec_actions(S,SActs,AllMatched,T_) verifies S has no new outputs or inputs in the future,
iii. Either a previous implementation state already matched all specification actions
(IActs == []) or this location is the one that matches the specification and does
the output (member([Beta,_,_],IActs) and output(Beta)).
(b) If the specification does have future actions, they are matched by the implementation after
it performs a tau action; i.e., tlc(I_,S,T2,AllMatched,StillUnMatched,N) succeeds.
(c) TLCS retracts the considering fact c(I,S,T), asserts a debugging fact (d/6), and fails.


4. T_ is valid for both I and S. Whether or not TLC is satisfied in the future is determined by the
query tlc(I,S,T_,NewMatches,StillUnMatched,N). If not, TLCS retracts the considering
fact c(I,S,T), asserts a debugging fact d(I,S,T,delta,Parent,N) and fails.
When all of the tlc/6 queries from new state pairs or new time derivatives have been satisfied,
tlc/6 succeeds. Otherwise tlc/6 fails. TLCS users do not input tlc/6 queries, rather, they interface
with the TLC decision procedure using a tlc/2 query that accepts two TSA names or definitions and
reports whether or not TLC holds between them. The tlc/2 query and other TLCS user interface
queries are explained in the next section.

5.4 TLCS User Interface

This section describes the user-level data structures, Prolog queries, and outputs from the
TLCS system. After describing how to define TSA for TLCS, the tlc/2 query and debugging
interfaces are described.

5.4.1 TLCS TSA.

Extended Backus-Naur Form (EBNF) productions in Def. 35 define
the syntax of Timed Logic Conformance System (TLCS) TSA queries. The symbols "{" and "}" in
the productions group optional constructs (a trailing * means zero or more repetitions). Parentheses
"(", ")", "[" and "]" in these productions are literal. Non-terminals start with uppercase letters,
and terminals start with lowercase letters. The terminal identifier is an alphanumeric Prolog atom.
Definition 35. TLCS TSA Query Syntax.
Tsa ::= tsa(TSAName,[Locations,StartName,Relation])
Action ::= Tau | VisibleAction
CCL ::= [] | [ClockConstraint {, ClockConstraint}*]
ClockConstraint ::= [ClockName,RelationalOperator,integer]
ClockName ::= identifier
FromLocation ::= StateName
Input ::= identifier
Locations ::= [State-CCL-Pair {, State-CCL-Pair}*]
Output ::= identifier_
RelationalOperator ::= l | leq | geq | g
Relation ::= [] | [Transition {, Transition}*]
Resets ::= [] | [ClockName {, ClockName}*]
StartName ::= StateName
State-CCL-Pair ::= [StateName,CCL]
StateName ::= identifier
TSAName ::= StateName | [StateName {, TimeParameter}*]
Tau ::= t | t(VisibleAction)
TimeParameter ::= integer
ToLocation ::= StateName
Transition ::= [FromLocation,Action,CCL,Resets,ToLocation]
VisibleAction ::= Input | Output
A TLCS TSA is a 3-tuple [Locations,StartName,Relation] where:

• Locations: a list of [LocationName,CCL] pairs where CCL is a sorted past-closed Clock
Constraint List; e.g., a < 6 and b ≤ 4 is encoded by CCL = [[a,l,6],[b,leq,4]].
• StartName: Name of the starting location, either an atom or string corresponding to one of
the LocationName's in Locations.
• Relation: the transition relation 5-tuple list: [[F,Sigma,CCL,Resets,T],...] where:
- F,T : location names (atoms or strings from Locations tuples).
- Sigma : action (e.g., a,b = inputs, a_,b_ = outputs, t = tau).
- CCL : sorted Clock Constraint List.
- Resets : a sorted list (set) of clock names to reset.
TSA clock constraints are specified using non-negative integers, but TSA clocks are real-valued and
TSA model system behavior over the positive real-valued n-dimensional continuum (for an n-clock TSA).
The tsa/2 predicate shown in Figure 15 defines a 4-location inverter TSA with minimum
(MinD) and maximum (MaxD) time delays on its response to input events. The inverter clock name
is k. Inverter locations are inv00, inv01, inv10, and inv11, specifying the values of the input
and output in each of the 4 locations. Possible initial locations are inv01 and inv10 (the inverter's
stable locations). A stable location is a location from which no output or internal action transition
is defined. The inverter input label is a, and its output is labeled b_.

tsa([Inv,MinD,MaxD],
    [[[inv00,[[k,leq,MaxD]]],[inv01,[]],[inv10,[]],[inv11,[[k,leq,MaxD]]]],
     Inv,
     [[inv00,a,[[k,l,MinD]],[],inv10],
      [inv00,b_,[[k,geq,MinD]],[],inv01],
      [inv01,a,[],[k],inv11],
      [inv10,a,[],[k],inv00],
      [inv11,a,[[k,l,MinD]],[],inv01],
      [inv11,b_,[[k,geq,MinD]],[],inv10]]]) :-
    member(Inv,[inv01,inv10]).
Figure 15. TLCS Inertial Inverter.

Given the inverter definition in Figure 15, the Prolog query tsa([inv01,2,3],X). returns
the three-tuple TSA:
X = [[[inv00,[[c,leq,3]]],[inv01,[]],[inv10,[]],[inv11,[[c,leq,3]]]],
     inv01,
     [[inv00,a,[[c,l,2]],[],inv10], [inv00,b_,[[c,geq,2]],[],inv01],
      [inv01,a,[],[c],inv11], [inv10,a,[],[c],inv00],
      [inv11,a,[[c,l,2]],[],inv01], [inv11,b_,[[c,geq,2]],[],inv10]]]
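As an added Python example (not TLCS code), the Figure 15 inverter written as the Def. 35 three-tuple, a checker for the well-formedness rules the definition and the bullet list above state, and the stable-location test from the paragraph above. The is_input/is_output/is_tau helpers follow the Section 5.3 naming convention (outputs end in an underscore, taus are t or t(...)); the error messages are this example's own.

```python
OPERATORS = ('l', 'leq', 'geq', 'g')        # RelationalOperator of Def. 35


def is_output(a):
    return isinstance(a, str) and a.endswith('_')


def is_tau(a):
    return a == 't' or (isinstance(a, str) and a.startswith('t(') and a.endswith(')'))


def is_input(a):
    return isinstance(a, str) and not is_output(a) and not is_tau(a)


def inverter_tsa(inv, mind, maxd):
    """The Figure 15 inertial inverter as a [Locations, StartName, Relation] tuple.
    Like the tsa/2 rule, it only accepts a stable start location."""
    if inv not in ('inv01', 'inv10'):
        raise ValueError('start location must be inv01 or inv10')
    return [
        [['inv00', [['k', 'leq', maxd]]], ['inv01', []],
         ['inv10', []], ['inv11', [['k', 'leq', maxd]]]],
        inv,
        [['inv00', 'a', [['k', 'l', mind]], [], 'inv10'],
         ['inv00', 'b_', [['k', 'geq', mind]], [], 'inv01'],
         ['inv01', 'a', [], ['k'], 'inv11'],
         ['inv10', 'a', [], ['k'], 'inv00'],
         ['inv11', 'a', [['k', 'l', mind]], [], 'inv01'],
         ['inv11', 'b_', [['k', 'geq', mind]], [], 'inv10']],
    ]


def check_tsa(tsa):
    """Return the Def. 35 / Section 5.4.1 well-formedness violations found
    (an empty list means the TSA is well formed)."""
    errs = []
    if not (isinstance(tsa, list) and len(tsa) == 3):
        return ['TSA must be a 3-tuple [Locations,StartName,Relation]']
    locations, start, relation = tsa
    names = [loc[0] for loc in locations]

    def check_ccl(ccl, where):
        # Constraints are [ClockName,RelationalOperator,integer], sorted by clock name.
        for c, op, n in ccl:
            if op not in OPERATORS:
                errs.append(f'{where}: bad operator {op!r}')
            if not isinstance(n, int) or n < 0:
                errs.append(f'{where}: bound {n!r} is not a non-negative integer')
        clocks = [c for c, _, _ in ccl]
        if clocks != sorted(clocks):
            errs.append(f'{where}: CCL is not sorted')

    for name, ccl in locations:
        check_ccl(ccl, f'invariant of {name}')
    if start not in names:
        errs.append(f'start location {start!r} is not in Locations')
    for f, sigma, ccl, resets, t in relation:
        where = f'transition {f} -{sigma}-> {t}'
        if f not in names or t not in names:
            errs.append(f'{where}: unknown location')
        if not (is_input(sigma) or is_output(sigma) or is_tau(sigma)):
            errs.append(f'{where}: {sigma!r} is not an input, output or tau')
        check_ccl(ccl, where)
        if resets != sorted(resets):
            errs.append(f'{where}: Resets is not a sorted list')
    return errs


def stable_locations(tsa):
    """Locations from which no output or internal (tau) transition is defined."""
    unstable = {f for f, sigma, _, _, _ in tsa[2] if is_output(sigma) or is_tau(sigma)}
    return [name for name, _ in tsa[0] if name not in unstable]
```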

5.4.2 TLCS Parallel Composition.

TLCS also parallel composes TSA to generate models
of more complex systems. EBNF productions in Def. 36 define the syntax of TLCS parallel
composition queries. These productions rely on those productions already specified in Def. 35.
Definition 36. TLCS Parallel Composition Query.
Parallel-TSA-Composition ::= parallel(TSAList,Hidden,PTSA)
ActionPair ::= [NewAction,OldAction]
Hidden ::= [] | [VisibleAction {, VisibleAction}*]
NewAction ::= VisibleAction
OldAction ::= VisibleAction
PTSA ::= [Locations,StartName,Relation]
Renames ::= [] | [ActionPair {, ActionPair}*]
TSAId ::= TSAName | Tsa
TSAList ::= [[TSAId,Renames] {, [TSAId,Renames]}*]
The query parallel(TSAList,Hidden,PTSA) parallel composes together the TSA in TSAList
where:

• TSAList is the input list of TSA names or definitions and renaming tuples. For example, the
list [[tsa1,[[newsig1,oldsig1],...]],...] renames tsa1's labels oldsig_i to newsig_i.
• Hidden is the input list of uncomplemented (no trailing underscores) actions; parallel/3 generates
taus according to the actions in the list Hidden. The generated taus hide internal
actions of the parallel TSA so that they are not available for interaction with TSA outside
of the parallel composition (i.e., hidden actions make the parallel TSA a black box that can
only be accessed using its unhidden actions).
• PTSA is the returned three-tuple TSA; the location names are vectors of location names from
the component location names unless the query "state_vectors." is executed to toggle
TLCS to use abbreviated location names.
For example, the query:
parallel([[[and000,1,2],[[ab,c]]],
          [[inv01,1,2],[[ab,a],[c,b]]]],
         [ab],
         Nand).
returns 3-tuple TSA Nand, which is the parallel composition of TSA and000 with minimum and
maximum delay 1 and 2 and TSA inv01 also with minimum and maximum delay 1 and 2. Renaming
and000's c output to ab and inv01's a input to ab connects them and names Nand's internal signal
ab. Since ab is restricted, it will appear in TLCS traces as t(ab). Nand's output is c_, accomplished
by renaming the inverter's b output to c.
Parallel/3 generates the reachable location space by starting from the initial location of each
subcomponent and generating transitions and new to-locations according to the TSA parallel composition rules defined in Def. 18 on page 45. Parallel/3 stops generating transitions and to-locations
when no new transitions are possible. Parallel/3 generates the reachable location space with regard
to the cooperating actions of the TSA being composed, but it does not eliminate location combinations that might actually be unreachable because of impossible clock combinations. Even though
parallel/3 generates temporally impossible location combinations, only timed states reachable under
the given clock conditions are examined by tlc/6.

5.4.3 TLC Query.

Given the Section 5.4.1 inverter TSA, the TLCS command-line entry
"tsa([inv01,2,3],X),tsa([inv10,2,3],Y),tlc(X,Y)." returns yes because even though the
TSA X and Y do not have the same initial location names, their behavior is identical. This means
that X is an acceptable implementation of Y. Since they are identical, Y is also an acceptable
implementation of X, and the query "tsa([inv01,2,3],X),tsa([inv10,2,3],Y),tlc(Y,X)." also
returns yes. However, the query "tsa([inv01,2,4],X),tsa([inv01,2,3],Y),tlc(X,Y)." fails,
returning the diagnostic information:
The first deficiency discovered was:
I:inv00
S:inv00
T:[[[k0, 3, 3], [k1, 3, 3]], [[k0, k1]]]
Prob:[delta, s] P#:26 M#:27
Where possible Imp Actions are: [b_]
and possible Spec Actions are: [b_]
and future Imp outputs are not matched by the Spec.
In this case, both the implementation and specification are in location inv00; the time region is
T=[[[k0, 3, 3], [k1, 3, 3]], [[k0, k1]]] where both clocks k0 and k1 are at time 3 (i.e.,
CV=[[k0, 3, 3], [k1, 3, 3]]), and their fractional parts are equal (k0 and k1 are in the same
partition element CC=[[k0, k1]]); the problem (Prob) is with time progressing (delta) in the
specification (s); the parent timed state is #26 and this timed state is #27. The problem is that
time cannot progress any more in the specification location inv00, but implementation location
inv00 can continue producing future b_ outputs. Hence, implementation b_ outputs are not a timed
subset of the specification b_ outputs, and TLC fails to hold.
The subsequent query "trace_to." returns the trace
=a=4=b_=a=6==>
After inputting an a, passing through 4 time regions, outputting a b_, inputting another a, and
passing through 6 more time regions, TLCS arrives at the divergent timed states. The query
"compare_states(inv00,inv00)." returns:
IInv:[[k0, leq, 4]]
A:a G:[[k0, l, 2]] R:[] I_:inv10
A:b_ G:[[k0, geq, 2]] R:[] I_:inv01
SInv:[[k1, leq, 3]]
A:a G:[[k1, l, 2]] R:[] S_:inv10
A:b_ G:[[k1, geq, 2]] R:[] S_:inv01
This information includes the implementation location invariant and possible implementation
transitions and the specification location invariant and possible specification transitions. In this
case the implementation invariant IInv:[[k0,leq,4]] is looser than the specification invariant
SInv:[[k1,leq,3]], leading to the non-TLC-satisfying behavior.
The TLCS distribution includes files that define the basic monotonic and inertial gate-level primitives.
There are also files defining procedures that simulate TSA (simulate(TSA)), pretty-print
TSA (pp_tsa(TSA)), and print CCS agents from TSA (ccs_agent(StateNamePrefix,TSA)). TLCS
is available via email to f.c.young@ieee.org. TLCS runs on the public domain SWI-Prolog, available
via anonymous FTP from Jan Wielemaker at ftp.swi.psy.uva.nl/pub/SWI-Prolog.

5.5 Summary

This chapter describes the Prolog Timed Logic Conformance System (TLCS). After presenting
some background information, it describes the finite automata induced from Timed Safety
Automata (TSA) called region automata. After describing the TLCS region automata time representation, the chapter describes the TLCS Prolog rules and procedures that efficiently implement
the TLC decision procedure. Finally, it concludes with a description of the TLCS TSA input format, TLCS TSA parallel composition, and the TLCS user interface. The final section includes TSA
syntax for TSA definitions and parallel composition, and it explains example debugging information
available when TLC properties are not satisfied between two systems.


VI. Application
This chapter is devoted to showing the utility of the Timed Logic Conformance (TLC) relationship
for systems engineering and verification. It describes system models and explains the results of
TLC verifications at several different levels of abstraction.
The flexible time and behavior modeling capabilities of Timed Safety Automata (TSA) make
it possible to express the relationship between time passing and behavior at many different levels
of abstraction. Virtually any other discrete state-based modeling formalism can be mapped into
TSA, including all untimed finite state machine models, timed event graphs (HB94), and timed
CCS. Such a flexible modeling formalism makes it easy to model different kinds of behavior, but
designers should constrain themselves to specific canonical forms for modeling behavior so that the
semantics of the models can be uniformly understood and results can be applied in meaningful
ways. The next few sections discuss using TSA and the Timed Logic Conformance System (TLCS) to
canonically model and verify hardware systems at three different levels of abstraction.

6.1 Gate-level Models

Logic gates are the primitives in a gate-level hardware model. Typically a logic gate discretely
models the behavior of several interconnected transistors by abstracting real-valued voltage levels
into the binary values zero and one. In practice designers use tools like SPICE to analyze component
models below the gate-level (e.g., individual transistors) because of their bi-directional current flows
and continuous electro-magnetic properties.

6.1.1 Canonical Gate-Level Models.

This section focuses on two canonical forms for
modeling gates that conform to the Definition 30 modeling constraints. The first form is called
monotonic; a monotonic gate model reflects every possible output change that can occur from all
unstable locations. An unstable location is a location where a TSA may generate an output
or internal event. Consequently, a stable location is a location where no output or internal events


are possible. In contrast to the monotonic gate model, an inertial gate model might not reflect an
output change from an unstable location. An inertial gate model output event is "canceled" when
the time separation between two input events is small enough (i.e., two events occur on the same
input with less than a minimum delay between them) and the model returns to a stable location
before generating the output event. Monotonic semantics are the standard for untimed gate models.
In timed systems, inertial models support higher fidelity modeling, as shown in Section 6.1.2.
Inertial-delay semantics are commonly used in hardware simulations, and they are the default
signal assignment semantics of the Very High Speed Integrated Circuit (VHSIC) Hardware Description Language (VHDL). Although inertial delay models can make simulations more efficient, they
can also hide defects in systems if not used correctly. In TLCS, as shown in the following examples,
inertial gate models model unstable-location dependencies that are important to investigate for
proper implementation behavior. Since the inertial delay gates model hardware characteristics in
more detail than monotonic gates, inertial gates are used in most of the following hardware examples. Inertial delays are modeled with minimum and maximum bounds, not just a single delay
value, further enriching the model's fidelity in accordance with accepted practice (BS91, Bur92).
The next section examines some simple TSA models of hardware primitives that can be used
to build larger systems by parallel composition. It also examines a simple abstract specification
and the results of comparing implementations against specifications.

6.1.2 Inverters, Ands, and Nands.

The simplest hardware device modeled in this research
is an Inverter. Figure 16 displays the logic symbol and the TSA defining the behavior of a monotonic
Inverter. The Inverter clock name is k. In the figure, black triangles (►) touch stable TSA locations,
and unstable locations have no triangles. Note that the Inverter can be configured to start in either
stable location. Inverter locations are labeled with the two-digit binary codes indicating the values
of the Inverter input and output in that location. The Inverter is monotonic because after entering
an unstable location (i.e., locations 00 or 11), inputs that would return the device to a stable
location (called stabilizing inputs) are not allowed, and an output event will occur. Only those
actions explicitly specified as TSA transitions are possible. In parallel compositions attempted
inputs to the inverter while in locations 11 and 00 violate the CI-free property.
[Figure 16 diagram not reproduced; recoverable content: stable locations 01 and 10 (marked ►) and unstable locations 00 and 11 with invariant k <= MaxD; input transitions labelled a, k := 0 and output transitions labelled b_, k >= MinD.]
Figure 16. Monotonic Inverter Logic Symbol and TSA.

Figure 17 is another TSA defining the behavior of an inertial Inverter. Figure 17 is identical to the TSA in Figure 16, except that it includes two additional transitions from the unstable locations that model input changes occurring before the output actions. Hence, a spike on the a input to the inertial Inverter may occur and not generate a b_ output action; this Inverter has inertial-delay semantics during the interval [0,MinD). In practice, an even smaller inertial period than the whole interval [0,MinD) might be better for high-fidelity modeling, because it would model the inertial and unreliable states of a circuit explicitly. Such a model can be accommodated by adding another timing parameter to the TSA. For simplicity, and in agreement with the general bi-bounded delay model (BS91, Bur92) used in all of the related work, more detailed models are not described here.
[Figure 17. Inertial Inverter TSA. As Figure 16, plus stabilizing input transitions a, k < MinD from the unstable locations 00 and 11 back to the stable locations.]


The next simple hardware primitive is a two-input And. Figure 18 depicts the logic symbol and the TSA defining the behavior of an inertial two-input And. In unstable locations, until the minimum delay has passed, stabilizing inputs can occur, so the gate has inertial-delay semantics during the interval [0,MinD). In this model, locations are labeled with three-digit binary codes indicating the values of the And's two inputs and output in that location. For example, the location 101 is an unstable location, where input a is asserted, input b is de-asserted, and output c_ is asserted. Note that all eight possible combinations of three boolean variables are represented, so the model is at a detailed level of abstraction. Also note that every TSA input action from a stable to an unstable location resets k and that every unstable location has the invariant k <= MaxD for some integral delay MaxD. The And can start from any stable location.
[Figure 18. Two-Input And Logic Symbol and TSA. Stable locations (►) 000, 010, 100, 111; unstable locations 001, 011, 101, 110 with invariants k <= MaxD; input transitions a, k := 0 and b, k := 0; stabilizing input transitions a, k < MinD and b, k < MinD; output transitions c_, k >= MinD.]

Figure 19 depicts the logic symbol and Timed Safety Automata (TSA) defining the behavior of an inertial two-input Nand. A Nand is very similar to an And, except that the And stable/unstable locations are swapped to Nand unstable/stable locations. Hence, the location invariants are swapped from the unstable and-locations to the unstable nand-locations, and the transitions are reversed.

[Figure 19. Two-Input Nand Logic Symbol and TSA. Stable locations (►) 001, 011, 101, 110; unstable locations 000, 010, 100, 111 with invariants k <= MaxD; input transitions a, k := 0 and b, k := 0; stabilizing input transitions a, k < MinD and b, k < MinD; output transitions c_, k >= MinD.]

One of the simplest And implementations is to couple a Nand and an Inverter together as shown in Figure 20. Figure 21 is the TLCS definition of a Nand and Inverter composed in parallel. The nand001 c_ output is renamed to mid_, the Inverter a input is renamed to mid, and the Inverter output b_ is renamed to c_ to match the action labels of the 2-input And in Figure 18; the resulting mid_ action is hidden, changing it to a τ(mid_).
[Figure 20. Nand/Inverter And Implementation Circuit Diagram: inputs a and b enter the Nand, whose output mid_ drives the Inverter producing c_.]

    parallel([[[nand001,NandMin,NandMax],[[mid,c]]],
              [[inv10,InvMin,InvMax],[[mid,a],[c,b]]]],
             [mid],
             PAnd)

Figure 21. Parallel Nand and Inverter And Implementation.

Depending on the timing of the gates, this parallel And is an acceptable implementation of the And "specification" in Figure 18. Comparing the timing relationships TLC accepts is interesting. Generally, given the And's minimum and maximum delays AndMin and AndMax, one expects that the timing relationship is satisfied whenever NandMin + InvMin > AndMin and NandMax + InvMax < AndMax. That is the case when monotonic gates are used, but it is not the case with inertial gates! With inertial gate models, the parallel And implementation can output a c_ earlier than the And specification allows when NandMin + InvMin = AndMin.
For example, assume that the Nand and Inverter minimum and maximum delays are 1 and 2 time units, and that the And specification minimum and maximum delays are 2 and 4 time units respectively. Imagine the implementation and specification inputs wired together in parallel as diagrammed in Figure 22, and refer to the timing diagram in Figure 23 during the following discussion.
[Figure 22. And Implementation and Specification in Parallel: inputs a and b drive both the Nand [1,2] / Inverter [1,2] implementation (internal signal mid, output Imp c_) and the And [2,4] specification (output Spec c_).]

[Figure 23. And Implementation-Specification Timing Diagram: waveforms a, b, mid, Imp c_, and Spec c_, with the implementation-only c_ output shaded.]

Let T be the point of reference for time passing, and let T = 0 just when the last input is asserted from 0 to 1. Then at T = 1.5 the TSA can be in locations implementation: [nand111, inv10] and specification: and110, where both the implementation and specification are in unstable locations. Then τ(mid_) de-asserts (changes from 1 to 0) and moves the TSA to locations implementation: [nand110, inv00] and specification: and110, where only the Nand TSA is in a stable location. If another a input occurs at T = 1.75, before the And can assert its output, then the And specification stabilizes in state and010, and the Nand destabilizes to nand010. Eventually, if no more inputs occur before T = 3.75, the Nand will assert τ(mid_) and stabilize in state nand011. Until the Nand stabilizes, the Inverter is still unstable in state inv00, and it can generate a c_ output for T ∈ [2.5,3.5]. The specification cannot generate this c_ output. This difference between the specification and implementation outputs is highlighted by the shaded area in Figure 23. If, however, the timing parameters are changed such that the specification's minimum delay (AndMin) is 1 time unit or less and its maximum delay is 4 or more, while the Nand and Inverter delays remain bounded by 1 and 2 time units, TLC is satisfied because the implementation can then produce no outputs outside the time bounds allowed by the specification.
In general, for inertial gates with non-zero gate delays, given that PMin = NandMin + InvMin and PMax = NandMax + InvMax, TLC holds whenever PMin > AndMin ∧ PMax < AndMax ∧ AndMin < NandMin. Note for example that a Nand with delays in [2,3] and an Inverter with delays in [1,2] satisfies an And specification with delays in [2,6], but switching the delays (i.e., Nand: [1,2] and Inverter: [2,3]) fails TLC against the And delays [2,4] because the unstable Inverter can still assert c_ earlier than the specification allows, as shown above.
Verification results are very dependent on the models chosen, as this example illustrates. In particular, TLC verification results differ for the monotonic and inertial gate models. Some of the most difficult errors to track down in hardware devices are those associated with unstable states; since it is important to create designs that do not suffer from obscure defects like this, inertial gate models are used for this research.
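The scenario just traced can be checked numerically. The following Python is an added example, not the dissertation's TLCS code: it computes the interval in which the inertial Nand/Inverter implementation can still assert c_ after the extra a input and compares it with what the inertial And specification allows. The Delay type, the function names, and the choice of T = 1.5 for the τ(mid_) event are assumptions of the example, taken from the discussion above.

```python
# Added example, not the dissertation's code: interval timing analysis of the
# inertial Nand/Inverter implementation of an And (Section 6.1.2).  Scenario:
# inputs a and b both rose at T = 0, so the And output c_ is pending; a falls
# again at time a_fall before c_ has been produced.  The Delay type, the
# function names and the sample delays are the example's own.
from dataclasses import dataclass
from typing import Optional, Tuple

# Interval [earliest, latest] in which an output may occur, or None if it cannot.
Window = Optional[Tuple[float, float]]


@dataclass(frozen=True)
class Delay:
    """Bi-bounded inertial gate delay [MinD, MaxD]."""
    lo: float
    hi: float


def spec_c_window(and_delay: Delay, a_fall: float) -> Window:
    """Inertial And specification (Figure 18 semantics).

    The And entered its unstable location at T = 0.  A stabilizing input in the
    inertial interval [0, AndMin) cancels the pending c_; after AndMin the TSA
    accepts no stabilizing input (it would violate CI-freedom), so c_ occurs in
    [AndMin, AndMax].
    """
    if a_fall < and_delay.lo:
        return None
    return (and_delay.lo, and_delay.hi)


def impl_c_window(nand: Delay, inv: Delay, mid_fall: float, a_fall: float) -> Window:
    """Nand/Inverter implementation (Figures 17 and 19 composed in parallel).

    mid_fall is the time at which the Nand actually de-asserted mid_ (the
    internal action tau(mid_)); the Inverter becomes unstable at that moment.
    Returns the interval in which the Inverter may still assert c_, or None if
    every possible execution cancels it.
    """
    if a_fall < nand.lo:
        # a fell inside the Nand's own inertial interval: mid_ never falls,
        # the Inverter never destabilizes, and no c_ is possible.
        return None
    if not nand.lo <= mid_fall <= min(nand.hi, a_fall):
        raise ValueError("mid_fall must lie in [NandMin, NandMax] and precede a_fall")
    c_window = (mid_fall + inv.lo, mid_fall + inv.hi)
    # After a falls the Nand is unstable again and re-asserts mid_ somewhere in
    # [a_fall + NandMin, a_fall + NandMax].  That rising mid_ is a stabilizing
    # input for the Inverter and cancels c_ only when it arrives inside the
    # Inverter's inertial interval, i.e. before mid_fall + InvMin.
    latest_mid_rise = a_fall + nand.hi
    if latest_mid_rise < c_window[0]:
        return None      # cancelled in every execution
    return c_window      # some execution lets the Inverter assert c_


def conforms(impl: Window, spec: Window) -> bool:
    """Timed-subset check for this scenario: every c_ the implementation can
    produce must occur at a time at which the specification allows a c_."""
    if impl is None:
        return True
    if spec is None:
        return False
    return spec[0] <= impl[0] and impl[1] <= spec[1]


def analyse(nand: Delay, inv: Delay, and_spec: Delay, mid_fall: float, a_fall: float) -> str:
    """One-line verdict for a chosen execution of the scenario."""
    impl = impl_c_window(nand, inv, mid_fall, a_fall)
    spec = spec_c_window(and_spec, a_fall)
    if conforms(impl, spec):
        return "conforms"
    if spec is None:
        # c_ should have stayed at 0 but pulses: a static-zero hazard.
        return "static-zero hazard: implementation may assert c_ in [%g, %g]" % impl
    return "timing violation: c_ in [%g, %g] not within [%g, %g]" % (impl + spec)


if __name__ == "__main__":
    # The three cases discussed in the text, with tau(mid_) at T = 1.5 and a
    # falling at T = 1.75 (for the [2,3] Nand, a falls before mid_ can).
    print(analyse(Delay(1, 2), Delay(1, 2), Delay(2, 4), 1.5, 1.75))
    print(analyse(Delay(2, 3), Delay(1, 2), Delay(2, 6), 2.0, 1.75))
    print(analyse(Delay(1, 2), Delay(2, 3), Delay(2, 4), 1.5, 1.75))
```

For the text's delays the first call reports c_ possible in [2.5, 3.5] while the specification allows none, which is exactly the shaded region of Figure 23; the swapped Nand [2,3] conforms because a falls inside the Nand's own inertial interval and mid_ never moves.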

6.1.3 Gate-Level Model Summary. The previous section described two different types of gate-level models: monotonic and inertial. In unstable states, monotonic gates do not allow any stabilizing inputs and always reflect the pending output or internal action. In contrast, inertial gates allow stabilizing inputs in the interval [0,MinD) after the gate entered the unstable state. These stabilizing inputs cancel the pending internal and output actions from those unstable states and more accurately model the behavior of real gates. The more detailed inertial models are better suited for discovering and correcting obscure timing defects. Although even more detailed models are possible, the inertial gates are accurate enough to find real problems and simple enough to support efficient computation of the TLC relation.

6.2 Asynchronous Hardware Components

Many hardware designers may believe that "faster implementations are always better," but, for many low-power and asynchronous designs, specification minimum delays must be verified as well. In the case of the Nand-Inverter And implementation example from Section 6.1.2, the device to which the And output is connected will likely be sensitive to the Nand-Inverter's unexpected output, so designers must ensure that the implementation's outputs are a timed subset of the specification, as checked by TLCS. Unstable-location outputs like those from location [nand010,inv00] are very difficult to anticipate and test for in actual circuits; hence the utility of the TLC relation and decision process for rooting out inconsistencies between specifications and implementations. The ability to richly model timing dependencies like this is especially important for hardware engineers working with high-performance synchronous and asynchronous designs. However, since protocol-dependent asynchronous design allows more variations and poses a more difficult verification challenge, the next section focuses on commonly used asynchronous components composed of several gates.
A short discussion about hazards precedes the first asynchronous hardware component example. A hazard is a problem associated with hardware circuits.

6.2.1 Hazards. Asynchronous hardware engineers have used different hazard models to analyze problems with sequential and combinational circuits. Stevens formalized the following assumptions, hazard models, and hazards (Ste94):

Definition 37. Hazard Assumptions.

- Fundamental Mode Assumption The environment is constrained to hold the inputs stable
long enough to allow the changes to propagate through the logic, produce the desired results,
and stabilize internally before changing the inputs again.
- Isochronous Fork Assumption The difference between delays on the different sections (called forks) of connected wires is insignificant, hence the change in value of a wire is propagated to, and reaches, all devices connected to that wire simultaneously.
Unlike untimed FSM-based logics, TSA models do not constrain designers to adopt either of the
above assumptions. Assumptions are specified in the TSA models by their construction. For
example, a non-fundamental mode TSA can be constructed by explicitly modeling all transitions
from every location, for all possible times, for every possible input. Sometimes designers might
desire to do this and include error states for disallowed input sequences or combinations. Typically
however, this is too tedious, so designers may abstract the behavior by leaving out disallowed
inputs, and relying on TLC to tell them when fundamental mode assumptions are violated.
The timed nature of the TSA implicitly specifies when fundamental mode assumptions are
being made by explicitly declaring the times when inputs are possible. TLCS ensures that the
fundamental mode assumptions made by a specification are not violated by TLC satisfying implementations, because as soon as a specification TSA is ready for input, the implementation TSA
must also be ready to accept the same input. TSA are also powerful enough to model isochronous
and non-isochronous systems; a non-isochronous situation can be modeled by modeling each wire
segment of the system as a buffer-like TSA with its own clock.


Generally, the TSA used for this research are isochronous and multiple-input-change (MIC) capable, and they explicitly specify the fundamental mode assumptions made. Unfortunately, the rapid linear increase in the number of clocks, whether the clocks come from the number of devices or from modeling wires as TSA, exponentially explodes the number of possible timing relationships and can make it impractical to reason about even small circuits with today's computers. Consequently, although TSA provide the capability to model systems in as much detail as required, one must always choose between model fidelity and practicality.
Given Definition 37, four hazard models can be defined. A hazard model is a set of conditions that describes the level of detail a designer uses to analyze a design.

Definition 38. Hazard Models.

- Delay Insensitive (DI) Model Both device and wire delays are considered, no isochronous
fork assumptions are made. This is the most detailed and accurate model because no timing
assumptions apply.
- Quasi Delay Insensitive (QDI) Model Some of the forked interconnections must be
isochronous for circuits to be hazard-free. This model makes timing assumptions about some
of the wire forks in the design.
- Speed Independent (SI) Model All of the forked interconnects are isochronous, and interconnect delays are lumped into device delays. This model makes timing assumptions about
all wires in the design.
- Burst Mode Model Inputs and outputs are mutually exclusive and the device must stabilize before subsequent inputs arrive. Hence, a burst mode compliant device will only generate an output after all inputs in a given input sequence have arrived, and it will not subsequently change its output unless more input changes occur. No new inputs are allowed until the circuit has stabilized. Burst mode is the most abstract of the four hazard models, and it can be used with either DI, QDI, or SI wire models, but the burst mode model is typically used with the SI wire model.
Depending on the level of detail included in the TSA themselves, all four of the hazard models can be supported by TSA. Modeling some (in the QDI case) or all (in the DI case) wires as buffer-like TSA supports the more detailed QDI and Delay Insensitive hazard models. Therefore, TLCS supports verifying that DI, QDI, and SI implementations and specifications are consistent. The SI model is used in this research along with upper and lower bounded device delays to accommodate some wire length, resistance, and capacitance variations.
Given the above hazard models, five general and three sequential-circuit hazards occur often
enough to have special names and definitions.

Definition 39. General Hazards.

- Static Zero Hazard A device output should be stable at zero, but it momentarily outputs one
before returning to zero. This is the hazard that disqualifies the Nand/lnverter implementation
of the And in the example discussed in Section 6.1.2.
- Static One Hazard A device output should be stable at one, but it momentarily outputs zero
before returning to one.
- Dynamic Hazard A device output is changing to a new value, but it changes to that value
more than once before stabilizing.
- Function Hazard A particular dynamic hazard that exists in a MIC circuit if and only if an
output changes more than once along a minimum length path of an input transition. Function
hazards cannot be removed by changing the circuit design (Ste94:56).
- Delay Hazard A hazard that is associated with devices having more than one implicant enabling a function output in any location. Because of different delays on the implicant paths, after the faster implicant asserts, and before the slower one asserts, subsequent inputs destabilize and de-assert the faster implicant before the slower implicant finally asserts the output.
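The following Python is an added example rather than anything from the dissertation or TLCS. It turns the general hazards above into checks on simulated data: a classifier for static and dynamic hazards over an output trace, and a test for function hazards that walks every minimum-length path of a multiple-input change, as Definition 39 describes. The Boolean functions and sample traces are constructed for the example.

```python
# Added example, not the dissertation's code: classifying simulated output
# behaviour against the general hazards of Definition 39.  A trace is the
# sequence of values an output takes (in order, repeats allowed) after an
# input change; the Boolean functions and traces used here are constructed.
from itertools import permutations
from typing import Callable, Sequence


def transitions(trace: Sequence[int]) -> int:
    """Number of value changes along a trace."""
    return sum(1 for prev, cur in zip(trace, trace[1:]) if prev != cur)


def classify_output(trace: Sequence[int], expected: int) -> str:
    """Static and dynamic hazards are properties of a single output trace."""
    if not trace or trace[-1] != expected:
        return "not stabilized at expected value"
    changes = transitions(trace)
    if trace[0] == expected:
        # The output should have stayed put; any excursion is a static hazard.
        if changes == 0:
            return "stable"
        return "static-zero hazard" if expected == 0 else "static-one hazard"
    # The output is moving to a new value: one change is clean, more is dynamic.
    return "clean transition" if changes == 1 else "dynamic hazard"


def has_function_hazard(f: Callable[[Sequence[int]], int],
                        start: Sequence[int], end: Sequence[int]) -> bool:
    """Function hazard (Definition 39): the output changes more than once along
    some minimum-length path of the input transition start -> end, i.e. each
    changing input flips exactly once, in some order.  The property depends
    only on f, which is why no circuit redesign removes it."""
    changing = [i for i, (s, e) in enumerate(zip(start, end)) if s != e]
    for order in permutations(changing):
        cur = list(start)
        trace = [f(cur)]
        for i in order:
            cur[i] ^= 1
            trace.append(f(cur))
        if transitions(trace) > 1:
            return True
    return False


def xor2(x: Sequence[int]) -> int:
    """Constructed sample function with a function hazard on 00 -> 11."""
    return x[0] ^ x[1]


def and2(x: Sequence[int]) -> int:
    """Constructed sample function without one."""
    return x[0] & x[1]


if __name__ == "__main__":
    # The Nand/Inverter And of Section 6.1.2: c_ should stay 0 but pulses.
    print(classify_output([0, 1, 0], 0))
    print(has_function_hazard(xor2, [0, 0], [1, 1]), has_function_hazard(and2, [0, 0], [1, 1]))
```

Run on the c_ trace of the Nand/Inverter example (0, then 1, then back to 0) the classifier reports the static-zero hazard named above; the two-input XOR shows a function hazard on the 00 to 11 input change because every order of flipping the inputs passes through an output of 1, while the And does not.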
General hazards may occur in any circuit, either combinational or sequential, but there are
three hazards explicitly defined for sequential circuits only.
Definition 40. Sequential Hazards.
- Essential hazard A hazard where the device stabilizes in a different state after a single event
than after three consecutive events on the same input.
- Transient Hazard A hazard that occurs from a stable state when two events on a single
input return the device to the stable state, and there is a static hazard on any output. This is
caused by the output logic, and not the state-holding logic of the circuit.
- D-Trio Hazard A hazard that occurs when from a stable state, three input events on a single
input return the device to the state entered after the first input, and there are different outputs
in any of the entered states.
Given that a specification disallows any of the above hazard conditions and they exist in an implementation, the TLC relation identifies those differences and TLCS reports the first one it encounters, because they all represent implementation outputs that are not allowed by the specification, and TLC detects those errors via Formula 23.
Several different hazards have been defined and related to the Nand example already presented. The next section returns to more models and the application of TLC to more complex designs.

6.2.2 C-Elements. One commonly used asynchronous circuit component is a C-element. The C-element specification is a level of abstraction above a gate-level model. Table 6 describes the output of a C-element based on its input values.

Table 6. C-element Function.

    Inputs   Output
    00       0
    01       No Change
    10       No Change
    11       1

Figure 24 is the C-element logic symbol and a specification TSA. The TSA definition allows
specifying minimum feedback delay (FB) in the environment from a C-element output to its next a
or b input, and a minimum and maximum bound on the C-element's output response from the time
of the last input. Positive FB explicitly increases the amount of time allowed for the implementation
to conform to the fundamental mode assumption of the C-element. Positive FB adds to the time
that passes in locations XY/X, YX/X, and YY/X before the C-element specification returns to
location XX/X where it can once again accept either an a or b input.
[Figure 24. Two-Input C-Element Logic Symbol and TSA Specification. Locations XX/X, XY/X, YX/X, and YY/X (invariant k <= CMax); input transitions a, k := 0 and b, k := 0; transitions b, k >= FB and a, k >= FB into YY/X; output transition c_, k >= CMin, k := 0 back to XX/X.]

The C-element specification TSA in Figure 24 is not complete because it omits the behavior of
the C-element when one of its inputs changes value twice before the other input changes. Since that
behavior is important in the application focused on in the next section, the missing behavior must
be added to the C-Specification TSA. Figure 25 is the "wobbly" C-Specification TSA required.

[Figure 25. Wobbly Two-Input C-Specification TSA. As Figure 24, with additional a and b transitions (guard k >= FB, reset k := 0) returning from XY/X and YX/X to XX/X when an input changes back before the other input changes.]

Earlier Figures 4 and 5 on pages 43 and 43 depict a standard (but not completely hazard-free) way to implement C-elements, and the corresponding TLCS clause defining the parallel C-element implementation.
Note that verifying this implementation of a C-element in untimed calculi, including Logic Conformance, fails except under the burst-mode hazard model (Ste94:p64). Here, using the TLCS and TSA capability to implicitly and explicitly specify the fundamental and burst mode assumptions made in the specification, and the timing of both the specification and implementation components, a rigorous timing analysis can be accomplished. Which implementations will actually satisfy the more detailed timed specification without generally adopting the burst mode model can be determined. TLCS can verify when the implicit burst-mode timing assumptions hold. In particular, for non-zero gate delays, and given that PMin = AndMin + OrMin and PMax = AndMax + OrMax, Table 7 shows the delay value relationships and whether or not TLC holds for the different gate models. As with the And example, in unstable locations hazards can occur when inputs change faster than the minimum delay of the receiving component. Monotonic gates succeed only with explicit non-zero feedback allowances extending the amount of time between C-element outputs and the new input. Once again, there is a strong dependency on the relationship between the minimum specification delay and the minimum delay of the input receiving component in the implementation.

Table 7. C-element Verification Results.

    Delay Relationship              FB                 Gate Model   TLC
    PMin <= CMin ∨ PMax > CMax      FB = 0             monotonic    Fails(1)
    PMin > CMin ∧ PMax < CMax       FB = 0             monotonic    Fails(2)
    PMin >= CMin ∧ PMax < CMax      0 < AndMax < FB    monotonic    Holds
    PMin <= CMin ∨ PMax > CMax      FB = 0             inertial     Fails(1)
    AndMin > CMin ∧ PMax < CMax     FB = 0             inertial     Holds

    (1) Fails: specification time bounds too tight.
    (2) Fails: Imp cannot match specification input/output.

Note that monotonic gates succeed only with explicit non-zero feedback allowances extending
the amount of time between C-element outputs and the new input. However, even with FB = 0,
inertial gates satisfy TLC when AndMin > CMin; once again, there is a strong dependency on
the relationship between the minimum specification delay and the minimum delay of the input
receiving component in the implementation.
Having described specifying and verifying C-elements, the next section discusses the next
level of abstraction, a component built out of C-elements.
6.2.3 STARI Queue Stage. C-elements can be used in tandem to dual-rail encode information in the stages of asynchronous queues. FIFO queue stages are made from C-elements connected together as shown in Figure 26 (TB97). A Nor produces the acknowledgment signal ack_m_. Connecting k of these queue stages together produces a k-length queue. The k-length queue is called STARI (Self-Timed At Receiver's Input). Table 8 defines the dual-rail encoding scheme used in (TB97); the t_n_ and f_n_ values of the individual C-elements determine the value stored in the nth queue stage; empty distinguishes between a single data item stored for a long time and two consecutive data items of the same value.
Since STARI stages are asynchronous, STARI supports connecting systems together that have some skew between the phases of the sender and receiver clocks. Generally, when queues are longer more skew can be tolerated. Given that the clock-rate of the receiver is greater than or

[Figure 26. STARI FIFO Queue Stage: two C-elements carrying t_n and f_n, and a Nor producing ack_m_.]

Table 8. Dual Rail Encoding Scheme.

    t_n_   f_n_   Encoded Value
    0      0      empty
    0      1      false
    1      0      true
    1      1      illegal

equal to the clock-rate of the transmitter, STARI could be used to connect systems with different clock rates, but the receiver would have to wait for the slower transmitter by watching for t_k_ and f_k_ changes. According to (TB97), correct queue operation depends on proving the following two properties:
1. "Each data value output by the transmitter must be inserted into the FIFO before the next one is output." (i.e., the transmitter must not change input values to the queue until the first FIFO stage acknowledges receiving the input by generating an ack_0_ event.)
2. "A new value must be output by the FIFO before acknowledgment from the receiver." (i.e., the receiver must not generate an ack_k_ event to the FIFO until it has received the data from the last FIFO stage.)
In (TB97), the authors describe using the COSPAN verification system to verify STARI operation as defined in Section 2.2.3. Figure 27 is the timed process that the Berkeley researchers use as a valid abstraction of the STARI FIFO Queue Stage shown earlier in Figure 26; the ► markers indicate two potential starting locations corresponding to an empty and a full queue stage. The edges necessary to satisfy the nonblocking and stutter closure requirements are not in the diagram. This abstraction does not explicitly constrain the queue stage to legal inputs and legal output sequences; the TLCS model includes these important behavioral constraints.
The corresponding 17-location TSA is shown in Figure 28. This TSA constrains the queue stage to separate each occurrence of true and false inputs with an empty input, and it disallows the illegal dual-rail code as described in the natural language specification. Note that the inputs and outputs of the queue stage are symbolized by the state labels. The letters T, F, and E represent true, false, and empty, and depict both the value of the input and output data signals; hence, the label TE depicts the situation where the stage inputs encode true, but its outputs encode empty, and the queue stage is waiting on an ack_n before changing its output from empty to true. The binary labels encode the Boolean input and output values (t_m, f_m, ack_n / t_n_, f_n_, ack_m_). The queue stage timing parameters are [CMin, CMax, NorMin, NorMax], representing the minimum and maximum bounds on the C-elements and Nors used to build the queue stage.
TLCS confirms that gate-level and C-Specification-level FIFO stage models satisfy the TLC relation with the STARI FIFO Queue Stage specification when consistent timing parameters are used. The gate-level FIFO stage model has 9 clocks; TLCS parallel composes six 2-input Ands, two 3-input Ors, and a single 2-input Nor to create it. The C-Specification-level FIFO stage model has 3 clocks; TLCS composes two wobbly C-Specification models (Figure 25) and a single 2-input Nor generating ack_m_ as shown in Figure 26. Even though gate delays [1,2] fail when comparing C-element implementations to C-Specifications with any delays in the previous section, gate-level FIFO stage verification succeeds with gate delay [1,2] and C-element delays [2,4]. This is the case because the FIFO queue stage specification so constrains the C-element inputs that it does not enter the unstable states that cause the problem during the C-element/C-Specification verifications.

[Figure 27. Abstract STARI FIFO Queue Stage Timed Process: two starting locations (empty and full stage), output transition ack_m_, x >= NorMin, and invariant x <= NorMax.]

[Figure 28. STARI FIFO Queue Stage TSA: 17 locations labeled by input/output values (e.g., EE with binary code 000/000).]
Recognizing where worst-case instability problems are avoided (like C-elements with gate delay [1,2] in STARI), and leveraging their absence to improve performance, is a key advantage of using the TLC relation and TLCS. Of course this is done while maintaining confidence that the system is going to work correctly under all possible conditions allowed by the specification.
Notice that designers do not need to model the environment and augment TLC verification with an assumes-guarantees style reasoning process to factor in the constraints imposed on the environment for the design to work. Instead, those constraints are built into the specifications, and TLC ensures that those properties that depend upon the input capabilities of the specification hold in the implementation. This enables designers to rely on TLC verifications without separate models for the environment. TLC also allows implementations the freedom to accept inputs that the specification does not allow. This allows more design reuse and requires less effort during the verification and design process.
With the accurate STARI queue stage specification verified against the implementation models at two levels of abstraction, the next section discusses TLC verification at the next level of abstraction: the entire queue.
6.2.4 STARI Queue and Perfect Buffer. In the other STARI queue verifications (Gre93, BM98, TB97), researchers include models of a sender and receiver environment for the verification. They usually focus on verifying that STARI could be used to communicate between two synchronous systems operating with some clock skew between them. Figure 29 depicts the STARI queue in its environment. Note that the acknowledgment output of the queue is not connected to the transmitter. Including the environment requires assumes-guarantees style reasoning and complicates the verification process. In this configuration, researchers were obliged to prove that the environment in conjunction with the queue behaves correctly by observing the actions connecting the sender to the queue and the queue to the receiver, with two different queue models but the same sender and receiver models. TLC verification generalizes somewhat by eliminating the sender and receiver models and focusing on comparing the queue directly to a specification of its behavior: a Perfect Buffer (PB).

[Figure 29. STARI Environment: the Transmitter feeds data-in to the STARI Queue, which produces data-out for the Receiver and takes ack-in from it; the queue's ack-out is unconnected; a Global Clock reaches both ends through a varying delay.]

The general problem is to size the queue such that it buffers the data between the clock-skewed systems, allowing the transmitter to output and the receiver to input a new data value every clock cycle without waiting for the queue during "steady-state" operation (i.e., when the queue is about half full (Gre93:p35)). Note that empty is considered a data value, and that the queue is not required to output the same data it currently inputs, i.e., the queue is in fact buffering some data internally. How fast the global clock operates, how much skew is possible, and the speed of the queue components are of course the parameters that determine how many queue stages are necessary. Focusing on the queue itself avoids assumes-guarantees style verification complexity.
Figure 30 is an abstract view of the PB TSA used to formalize queue requirements. It does not explicitly show all of the states that result from the different value sequences the queue can hold. It abstracts these sequences by their length (footnote 1). For example, the 4-element string etef represents a PB holding the sequence of four values [empty, true, empty, false], where false will be dequeued next, and empty was the last data item enqueued.
Footnote 1: during the verification, queue behavior is verified for all possible PB sequences from length n - 1 to n + 1.
[Figure 30. Perfect Buffer TSA. Locations pb,n-1; pb,n; pbu,n; pb,n+1; pbu,n+1 (start: pb,n); parameters OMin, OMax, MT, Skew; data-input transitions t0/f0 with guards cd >= MT, ca <= Skew and reset cd := 0; acknowledgment transitions an with guards ca >= MT, cd <= Skew and reset ca := 0; output transitions tn_/fn_ with guard ca >= OMin, under invariant ca <= OMax.]

PB maintains an n-size queue of information. It actually can hold either n, n + 1, or n - 1 (for n > 1) values. For n = 2, the three possible (n - 1)-length values are f, t, and e; the n-length values are ef, et, fe, and te; the (n + 1)-length values are efe, ete, fef, fet, tef, and tet. With two n-length locations for each n-length value, one (n - 1)-location for each (n - 1)-value, and two (n + 1)-locations for each (n + 1)-value, there are (2 * 4) + 3 + (2 * 6) = 23 locations in the n = 2 PB TSA. Following (BM98, Gre93), it is sufficient to focus on the steady-state behavior and verify a [k/2]-size PB against queues with k stages. Data inputs (t0, f0) and the acknowledgment input (an) are constrained to happen at least MT time units after the previous data and acknowledgment respectively. Hence, MT is the parameter that specifies the time separation between inputs, or the inverse of the maximum frequency of the clock. The times of the last data and acknowledgment events are independently tracked by separate clocks cd and ca. After receiving an, PB will output tn_/fn_ in the time interval [OMin,OMax] after an. OMin and OMax specify the time delay allowed for the queue to update its output after receiving an acknowledgment. Generally, OMin < CMin and OMax < MT - X, where X is the sum of the Receiver's setup, hold, and acknowledgment generation delays, satisfy the PB specification.
Table 9 defines PB data input and output. Possible data input actions are determined by the leftmost (q(1)) value in the queue, in accordance with the requirement to separate true and false values by empty. Data output actions are determined by the nth (q(n)) and (n - 1)st (q(n - 1)) queue values, where q(n - 1) = "_" is a don't care. When PB holds n values, it can either input or output a value. When it holds n - 1 values, it cannot output data, but it can input. When it holds n + 1 values, it cannot input data, but it will output. The last (rightmost) value in the queue symbolizes the value that the queue is currently outputting. Input actions t0/f0 and an are constrained to happen within Skew time units of each other.
Table 9. Perfect Buffer Input and Output.

    q(1)   Input          q(n-1)   q(n)   Output
    t      t0↓ (e)        _        t      tn_↓ (e)
    f      f0↓ (e)        _        f      fn_↓ (e)
    e      t0↑ (t)        t        e      tn_↑ (t)
    e      f0↑ (f)        f        e      fn_↑ (f)

PB specifies that no outputs will occur when Skew input timing constraints are not met.
In location [pb,n − 1], when late inputs occur (data arrives more than Skew time units after the
acknowledgment), time continues to progress but no actions are possible. All legal inputs when
Skew < OMin are verified following the t0/f0 transition from location [pbu,n]. When OMin <
Skew < OMax, data inputs from [pb,n − 1] are disallowed for ca > Skew; these are also late inputs.
Finally, when Skew > OMax, all inputs in location [pb,n − 1] are allowed; therefore, TLCS verifies
that the queue is consistent with PB for all valid time-constraint-satisfying inputs.
Since the STARI queue acknowledgment output is not connected to the transmitter, the
ack_0_ of the first STARI queue stage is hidden (i.e., it becomes an internal τ(ack_0_)) to compare
queue implementations to PB.
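The PB rules described above (the Table 9 input and output rules and the MT, Skew and [OMin, OMax] timing constraints) as an added executable example, not TLCS code and not the TLC decision procedure: a Python trace monitor that replays a visible sequence written in the same delay/action notation that TLCS prints and reports the first action PB does not allow. The class PerfectBuffer, check_trace and demo are this example's own names. Pairing each data input with exactly one an for the Skew check, the size-1 PB initialized holding t for a two-stage queue, and OMin = 2 are assumptions; an output occurring more than OMax after its an is treated as the late-output case.

```python
from collections import deque

# Added example (not TLCS code): an executable reading of the Perfect Buffer
# specification.  Replays a visible sequence in the page's
# "delay,action,delay,action,..." notation and rejects the first action the
# PB rules do not allow.  Pairing each data input with one an for the Skew
# check is an assumption about how that constraint is meant.


class PBViolation(Exception):
    """A timed action the PB specification does not allow."""


class PerfectBuffer:
    """PB of size n holding n-1, n or n+1 dual-rail values (t, f, e).

    q[0] is q(1), the input side; q[-1] is the right-most value, i.e. the
    value the queue is currently outputting.
    """

    def __init__(self, n, initial, MT, Skew, OMin, OMax):
        self.n = n
        self.q = deque(initial)
        self.MT, self.Skew, self.OMin, self.OMax = MT, Skew, OMin, OMax
        self.cd = None           # time of the last data input (clock cd)
        self.ca = None           # time of the last acknowledgment (clock ca)
        self.pending_ack = None  # an whose [OMin, OMax] output is still owed
        self.n_data = 0          # counters pair each data input with one an
        self.n_ack = 0

    def step(self, action, t):
        # An output owed to an earlier an must have happened within OMax.
        if self.pending_ack is not None and t - self.pending_ack > self.OMax:
            raise PBViolation(f"t={t}: output due within OMax={self.OMax} "
                              f"of an at t={self.pending_ack} is late")
        if action == "an":
            self._ack(t)
        elif action in ("t0", "f0"):
            self._data_input(action, t)
        elif action in ("tn_", "fn_"):
            self._output(action, t)
        else:
            raise PBViolation(f"t={t}: unknown action {action}")

    def _ack(self, t):
        if self.ca is not None and t - self.ca < self.MT:
            raise PBViolation(f"t={t}: an less than MT={self.MT} after previous an")
        if self.pending_ack is not None:
            raise PBViolation(f"t={t}: an before the output owed to the previous an")
        # If this an's data input already arrived, the two must be within Skew.
        if self.n_data > self.n_ack and t - self.cd > self.Skew:
            raise PBViolation(f"t={t}: an more than Skew={self.Skew} after data input")
        self.ca, self.pending_ack, self.n_ack = t, t, self.n_ack + 1

    def _data_input(self, wire, t):
        if len(self.q) == self.n + 1:
            raise PBViolation(f"t={t}: PB holds n+1 values, cannot input")
        if self.cd is not None and t - self.cd < self.MT:
            raise PBViolation(f"t={t}: {wire} less than MT={self.MT} after previous input")
        if self.n_ack > self.n_data and t - self.ca > self.Skew:
            raise PBViolation(f"t={t}: {wire} more than Skew={self.Skew} after an")
        head = self.q[0]                                  # q(1), Table 9 rules
        if head == "e":                                   # t0 / f0 rising inserts t / f
            value = "t" if wire == "t0" else "f"
        elif (head, wire) in (("t", "t0"), ("f", "f0")):  # t0 / f0 falling inserts e
            value = "e"
        else:
            raise PBViolation(f"t={t}: {wire} not allowed when q(1) = {head}")
        self.q.appendleft(value)
        self.cd, self.n_data = t, self.n_data + 1

    def _output(self, wire, t):
        if self.pending_ack is None:
            raise PBViolation(f"t={t}: {wire} without a preceding an")
        if t - self.pending_ack < self.OMin:
            raise PBViolation(f"t={t}: {wire} earlier than OMin={self.OMin} after an")
        if len(self.q) <= self.n - 1:
            raise PBViolation(f"t={t}: PB holds n-1 values, cannot output")
        cur = self.q[-1]                                   # q(n), value being output
        nxt = self.q[-2] if len(self.q) > 1 else None      # q(n-1)
        if cur in ("t", "f"):                              # tn_ / fn_ falling: back to e
            expected = "tn_" if cur == "t" else "fn_"
        elif nxt in ("t", "f"):                            # tn_ / fn_ rising: next value
            expected = "tn_" if nxt == "t" else "fn_"
        else:
            raise PBViolation(f"t={t}: no new value to output")
        if wire != expected:
            raise PBViolation(f"t={t}: {wire} not allowed, PB would output {expected}")
        self.q.pop()
        self.pending_ack = None


def check_trace(pb, trace):
    """Replay a visible sequence; returns (accepted, detail)."""
    t = 0.0
    for tok in trace.split(","):
        tok = tok.strip()
        if tok.replace(".", "", 1).isdigit():   # a delay: let time pass
            t += float(tok)
            continue
        try:
            pb.step(tok, t)
        except PBViolation as err:
            return False, str(err)
    return True, f"accepted; PB now holds {list(pb.q)}"


def demo(trace, n=1, initial=("t",), MT=12, Skew=2, OMin=2, OMax=9):
    # Constructed parameters: MT=12, Skew=2, OMax=9 as in Table 11, column
    # three, with a size-1 PB (two-stage queue) initialized holding t (assumed).
    return check_trace(PerfectBuffer(n, initial, MT, Skew, OMin, OMax), trace)
```

demo("12,an,t0,4,tn_,8,an,f0,4,fn_") is accepted: the t0 after q(1) = t is the falling edge that inserts e, and the rising f0 that follows inserts f. Delaying the second output to ten time units after its an ("...,an,f0,10,fn_") is rejected as late, which is the class of violation the column-three counterexample later in this section exhibits; an f0 while q(1) = t, a data input three units after its an, or two data inputs closer than MT are each rejected with the rule that was broken.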

Table 10 summarizes the STARI versus PB verification results for different numbers of stages
while varying Skew and maximum/minimum time (MT) separation. It shows the MT required
for both the Abstract fifo-spec-based queue model (MT-A) and the Intermediate C-element-based
and Nor-based queue model (MT-I) for TLCS verifications to fail/succeed with two to four queue
stages and Skews ranging from two to six time units. OMin and OMax are tightly constrained
to the same bounds as the C-element (i.e., data output must occur one to two time units after
the acknowledgment input). In row 7 the "?" indicates that TLCS aborts because it ran out
of global stack while computing TLC on a four-stage queue intermediate-level model for MT=8;
hence there is no data for this or subsequent intermediate-level TLC verifications. Verification
of a gate-level queue against PB is not shown because parallel composition of a two-stage gate-level
queue (eighteen gates) in TLCS aborts because of stack limitations of the current parallel
composition implementation. Single-stage gate-level queue verifications succeed consistently with
intermediate-level and abstract-level verifications.
Table 10. STARI vs. PB Results: Varying Skew & MT.
CMin=NorMin=OMin=1, CMax=NorMax=OMax=2

  Row   Q Stages   Skew   MT-A      MT-I
  1     2          2      12/none   N/A
  2     3          2      8/9       6/7
  3     3          3      8/9       6/7
  4     3          4      8/9       7/8
  5     3          5      8/9       8/9
  6     3          6      9/10      9/10
  7     4          2      7/8       7/?
  8     4          3      8/9       ?
  9     4          4      9/10      ?
  10    4          5      10/11     ?
  11    4          6      11/12     ?
  ?: SWI-Prolog out of memory

Note that for all verifications, the more abstract model is never optimistic about the results.
In these verifications, the more abstract queue implementation (MT-A column) requires the same,
or longer MT than the less abstract queue implementation (MT-I column) requires to model the
same perfect-buffer specification. Generally, increasing the Skew while holding the number of queue
stages static forces lowering the input frequency (MT increases). With Skews of four, five, and six
the performance of the three-stage queue is better than the four-stage queue! This result runs
counter to the intuition that longer queues will always allow more skew—it depends on how tight
the timing constraints are. Note that adding an extra queue stage improves the frequency for one
Skew, i.e., three abstract queue stages with Skew two requires MT=9 to model PB (row 2), and
with four abstract queue stages, MT=8 models PB (rows 3 and 7), but for the rest (e.g., Skew
three requires MT=9 to model PB for both three-stage and four-stage queues) more queue stages
do not help. This is because as queue length increases, there is a longer delay for a newly inserted
datum to move through the queue, and under certain conditions, the new datum does not reach
the last queue element in time to satisfy PB output constraints because OMax is too tight. This is
precisely why with Skews of four, five, and six the performance of the three-stage queue is better
than the four-stage queue under the tight OMax constraint.
Table 11 shows fifo-spec-level STARI verification results while holding MT=12 time units
and Skew at two time units while varying OMax for two different sets of bi-bounded delays. This
reports which implementations satisfy a static period and clock skew. A "Y" in columns two to
four means that TLC is satisfied between the STARI queue and PB, a "N" means that TLC is
not satisfied, and a "?" means that the current TLCS implementation exceeded memory limits
before completing the computation. Column two reports some TLCS UltraSparc One performance
statistics for the Min/Max = 1/2 verifications. These results are comparable to those in (TB97)
and (BM98).
In Table 11, column two, a STARI queue implementation in steady state with gate-delays
and C-element-delays in [1,2] will always accept inputs and produce outputs without delaying the
transmitter or receiver as long as the inputs and outputs occur twelve or more time units after the
previous input and output and within two time units of each other as is shown in (TB97). Tasiran
Table 11. STARI vs. PB Results: Varying Imp Delays & # Stages.

  C & Nor Min/Max:   1/2 (with Performance)             2/4         2/4
                                                        OMax=9      OMax=10
  Q Stages
  1                  Y  (3K states, 12 sec, 1MB)        Y           Y
  2                  Y  (9K states, 66 sec, 4MB)        N           Y
  3                  Y  (37K states, 7 min, 16MB)       Y           Y
  4                  Y  (114K states, 44 min, 58MB)     ?           ?
  5                  Y  (452K states, 4.6 hrs, 254MB)   ?           ?
  6                  Y  (1.1M states, 21 hrs, 690MB)    ?           ?
  ?: SWI-Prolog out of memory

and Brayton were able to verify the behavior of an eight-stage queue with their less detailed data
model, while the current TLCS implementation is limited to six stages. The TLCS verification
includes checking that the sequence of correctly encoded values input to the queue are output
correctly, and the TLC verification methodology needs no extra assumes-guarantees proofs.
The results in Table 11, columns three and four, are generally consistent with those in (BM98).
They use a less detailed discretized intermediate-level queue model with timing delays CMin =
NorMin = 2, CMax = NorMax = 4, and they claim that their STARI queue simulates the behavior
of their ideal buffer for a clock period of twelve time units, and a Skew of two time units with from
one to eighteen stages, and they have successfully verified up to five stages in a discretization fine
enough to be equivalent to a dense model—like TLCS. Unfortunately, the TLCS results cannot be
directly compared to Bozga and Maler's because the exponential state space required to handle
the larger number of clocks and higher integer bounds exceeds the memory allocation limits of
SWI-Prolog with more than three stages. This constrains verification to less than four stages using
the more detailed dense models in TLCS. However, depending on how much set-up and hold (S&H)
time is required for the receiver via timing parameter OMax, TLC fails or holds. Apparently, S&H
were not factored into the STARI verifications in (BM98). If the receiver requires S&H < 2, then
TLCS agrees with their results. This is illustrated by the differences between columns three and
four for two queue stages in Table 11. The amount of time allowed for S&H is MT − OMax. In
column three, three time units are allowed for S&H, and in column four only two time units are
allowed. TLC does not hold in column three when OMax = 9 (S&H = 3), and Min/Max = 2/4.
The visible sequence
=12,an,t0,4,tn_,8,an,f0,4,fn_,8,an,f0,8,fn_,4,an,t0,8,tn_,4,an,0.001,t0,
4,tn_,7.999,an,0.001,f0,4,fn_,7.999,an,0.001,f0,7.999,fn_,4.001,f0,0.001,
an,3.999,fn_,8,f0,0.001,an,3.999,fn_,8,t0,0.001,an,3.999,tn_,8,t0,0.001,
an,7.999,tn_,4.001,an,0.001,t0,4,tn_,8,t0,1,an,3,tn_,8,f0,1,an,3,fn_,8,
f0,1,an,7,fn_,4,t0,1,an,3,tn_,8,t0,1.001,an,2.999,tn_,8,f0,1.001,an,
2.999,fn_,8,f0,1.001,an,6.999,fn_,4,t0,2,an,2,tn_,8,t0,2,an,2,tn_,8,f0,2,
an,2,fn_,10,an,1,f0,4,fn_,7,an,1,f0,4,fn_,7,an,1.001,f0,4,fn_,6.999,an,
1.001,f0,7.999==>
leads to the states and combined time vector:
I:[fifo_specFF,fifo_specFEU]
S:[pbu,fe]
T:[[[k0,3,4],[k1,3,4],[k2,9,9],[k3,7,8]],[[k0,k1],[k3],[k2]]]
Where possible Imp Actions are: [f0,fn_]
and possible specification Actions are: [fn_]
and future Imp outputs are not matched by the Spec.
IInv:[[k1,leq,4]]
A:f0 G:[] R:[] I_:[fifo_specEF,fifo_specFEU]
A:fn_ G:[[k1,geq,2]] R:[k1] I_:[fifo_specFF,fifo_specFFU]
SInv:[[k2,leq,9]]
A:fn_ G:[[k2,geq,2]] R:[] S_:[pb,f]
where the implementation's fn_ output can occur later than the specification's fn_ output because
the specification cannot stay in location [pbu,fe] after clock k2 = 9. This late output violates the
TLC relation because it infringes on the S&H requirements of the receiver, but TLC holds in column
four when OMax = 10 (i.e., receiver S&H is tightened from three to two time units). In this case,
if S&H requirements of the receiver are less than or equal to two time units, then TLC holds and
TLCS confirms Bozga and Maler's results. Unfortunately, the current TLCS stack limitations keep
us from checking their results for more than a three-stage queue when using queue-stage models
with bi-bounded delays [2,4].
The original proof of correctness for STARI is found in Greenstreet's dissertation. Comparing
his model and its limitations to the TLCS verification is enlightening. First, focus on the similarities.
The most important similarity is that TLCS and Greenstreet both model STARI with discrete
functional events rather than analog voltage levels (Gre93:p146). Second, neither TLCS nor
Greenstreet prove properties about the initialization of the queue. Both "proofs" start by assuming
an initialized queue that is half full. Greenstreet argues convincingly that initialized conditions are
easy to establish in the implementation so it is not an issue for either "proof."
In Greenstreet's original STARI proof of correctness, he focused on verifying that the signaling
protocol of the queue was observed by formulating and proving invariant properties about the
queue's timing expressed as synchronized transitions, but he did not prove some other correctness
criteria are satisfied (Gre93:p144), and here is where there are some significant differences between
the "proofs." For example, he did not prove that the sequence of values output by the FIFO are the
same as those input because he did not model the actual data values themselves. In contrast, the
TLCS STARI verification does model the data values explicitly, and since the perfect-buffer outputs
the sequence of values it receives, TLCS verifies that the queue does as well. Greenstreet's detailed
proof also models the transmitter and receiver repeatedly synchronizing exactly at specified time
intervals; since the TLCS verification explicitly allows up to Skew time units between the data
and acknowledgment inputs, the TLCS verification is more general in that sense. Perhaps the
most significant limitation of his analysis is that his FIFO stage models abstract the data and
acknowledgment outputs into a single atomic action (Gre93:p145). Since these are actually three
separate signals produced by three components with their own distinct delays in his implementation,
the TLCS model is more realistic and therefore closer to verifying the actual circuit behavior.
Unfortunately, his abstractions prevent thorough quantitative comparison of his results directly
with TLCS's, but a single counterexample suffices to show the need to model and "prove" the
circuit's behavior with higher fidelity models. Greenstreet derives Formula 34 (Gre93:p33) for the
skew tolerance (Δ) of an n-length queue with period π and C-element delay δ.

$$\Delta = (n + 1)(\pi - 2\delta) \qquad (34)$$

According to Table 11, column 3, where n = 2 = Q Stages, π = 12 = MT, and δ = 4 = CMax,
Greenstreet says Δ = 12, but TLCS produces the late-output counterexample with only a skew
of two as discussed above. Even if π = 9 = OMax, Δ = 3 > 2; this remains a late-output
counterexample. Fundamentally, Greenstreet's results differ from the TLCS results because the
delay of the Nor used to compute the acknowledgment signals in the implementation is ignored by
his analysis when he assumes that each C-element computes its data output and acknowledgment
simultaneously.

6.2.5 Comparing Verification Methodologies.
Generally, from gate-level to Perfect Buffer, the TLC verification methodology requires three
verifications to hierarchically verify the abstract Perfect Buffer against a gate-level implementation.
At the top-most level, a monolithic [n/2]-size PB is the specification (Figure 30), and the
implementation is an n-stage STARI FIFO Queue composed from n Queue Stage TSA (Figure 28);
i.e., the verification proves that QS1 || QS2 || ... || QSn conforms (TLC) to PB([n/2]). The second
verification specification is a single STARI FIFO Queue Stage specification, and the implementation
is a three-component parallel-composed C-element-Nor intermediate-level queue stage (Figure 26);
i.e., the verification proves that C1 || C2 || Nor conforms (TLC) to QS. The final verification
specification is the Wobbly-C-element specification (Figure 25) against its four-component And-Or
gate-level implementation (Figure 4); i.e., the verification proves that And1 || And2 || And3 || Or
conforms (TLC) to C. In the preceding discussion, results from several other verifications are
presented to show that composing components and verifying across more than one level of
abstraction are easy using TLCS.
In contrast, applying the assumes-guarantees verification methodology to STARI (TAKB96,
TB97) is more expensive and is not as detailed. It requires more verifications and the construction
of extra abstract models, and it does not verify a gate-level implementation of the C-element.
Most of the extra verifications are required to show that the abstract FIFO stage model
depicted earlier in Figure 27 is a correct abstraction of the Figure 26 intermediate level queue stage
in its environment. Let F and A denote the intermediate level queue stage and abstract FIFO stage

timed processes respectively, and Tx and Rx denote the transmitter and receiver timed processes
modeling the queue environment. Proving the abstraction is valid requires proving for an n-length
queue that

$$Tx \| F_1 \| F_2 \| \dots \| F_n \| Rx \leq_L Tx \| A_1 \| A_2 \| \dots \| A_n \| Rx$$

Since the environment for each pair of models (e.g., F2, A2) is different, n separate
assumes-guarantees proofs are normally required. They were able to construct models $E_{left}$ and
$E_{right}$ generalizing the environment to the left and right of the ith component and reduce the
number of verifications required. This reduces the main verification required to

$$E_{left} \| F_i \| E_{right} \leq_L E_{left} \| A_i \| E_{right}$$

at the expense of showing that $E_{left}$ and $E_{right}$ are correct abstractions for the left and
right-hand sides of each module i; i.e.,

$$\forall i \in [1..n]\; \bigl( Tx \| A_1 \| \dots \| A_{i-1} \leq_L E_{left} \;\wedge\; A_{i+1} \| A_{i+2} \| \dots \| A_n \| Rx \leq_L E_{right} \bigr)$$

This can be shown by induction on i by
1. showing $Tx \leq_L E_{left}$.
2. assuming $Tx \| A_1 \| A_2 \| \dots \| A_{i-1} \leq_L E_{left}$ and showing $Tx \| A_1 \| A_2 \| \dots \| A_i \leq_L E_{left}$.
3. concluding $E_{left} \| A_i \leq_L E_{left}$.
So, the assumes-guarantees methodology requires six verifications:

1. $Tx \leq_L E_{left}$
This requires disallowing the transmitter to change its data output if the first stage has not
copied the transmitter's previous output value (caring about ack_0_) and later proving that
the transmitter never wants to modify its data output while the first stage is not ready.

2. $E_{left} \| A_i \leq_L E_{left}$
3. $Rx \leq_L E_{right}$
4. $A_i \| E_{right} \leq_L E_{right}$
5. $E_{left} \| F_i \| E_{right} \leq_L E_{left} \| A_i \| E_{right}$
6. $Tx \| A_1 \| A_2 \| \dots \| A_n \| Rx$ satisfies the two timing properties enumerated earlier:
(a) "Each data value output by the transmitter must be inserted into the FIFO before the
next one is output." (i.e., the transmitter must not change input values to the queue
until the first FIFO stage acknowledges receiving the input by generating an ack_0_
event.)
(b) "A new value must be output by the FIFO before acknowledgment from the receiver."
(i.e., the receiver must not generate an ack_n_ event to the FIFO until it has received
the data from the last FIFO stage.)
and four abstract models (Tx, Rx, $E_{left}$, $E_{right}$) that the TLC methodology does not require.
For each of the first five verifications, COSPAN requires inputting untimed mappings between
the state spaces of the models being compared. TLCS' single C-element/Nor versus Queue-Stage
specification verification is equivalent to these five verifications and does not require the higher-order
inductive logic step.
The sixth verification is required to prove properties that are verified directly by the TLC
verification between PB and the Queue. In the first case, PB's input of a value must always be
matched by Formula 22; in the second case, all outputs produced by the Queue must be allowed by
PB according to Formula 25. The authors did not explain the property verification (number 6), but
it must be a model checking proof; interestingly, it required over 37 times the amount of time and
14 times the memory of the other proofs. In fact, they were unable to complete this verification

for a 3-stage F-model FIFO using 1GB of memory (TB97). As shown in Table 10, TLCS completes
verification on similar complexity 3-stage models (the MT-I column, rows 2-6).
Although the models used in Bozga and Maler's STARI verification are described in detail,
the verification methodology is not described in detail (BM98). The implementation models they
use are at an intermediate level of complexity and do not go all the way down to a gate-level
C-element implementation. Their "ideal buffer" specification model of the queue in its environment
is similar to perfect buffer, except that it consists of four timed automata: clock, transmitter,
receiver, and queue. They use a Binary Decision Diagram (BDD) extension of the Kronos tool
(ABK+97) to compute that n-length intermediate-level queues simulate ideal buffers of size n when
both are initialized with n/2 data values for n ∈ [1..18]. They use a discrete model of time with
integral time steps. They claim that the discrete semantics coincide when they use 1/k time steps
for k-clock systems, and with that fine a discretization, they are only able to verify (n = 5) stage
models compared to the (n = 3) stage TLCS verification.
Since the Kronos verification methodology is based on the simulation relation with models of
the environment, the methodology is also bound by the assumes-guarantees rule. The discretization
simplification allows them to perform the whole verification at once, saving the effort required to
verify the decomposition of the verification. They do not need to do the 5 extra verifications
required with the COSPAN methodology or build the models $E_{left}$ and $E_{right}$ when their tool
handles the state space explosion of the entire verification. Whenever the entire verification cannot
be done at once, they too must construct extra abstract models and do the associated verifications
to check their validity. In any case, they build three models: clock, transmitter, and receiver, to
support their verification methodology. These models are not required for the TLC verification.

6.3 Summary
This chapter demonstrated the utility of Timed Safety Automata models and the Timed Logic
Conformance (TLC) relationship for systems engineering and verification. It described canonical
system models for monotonic and inertial hardware primitives, explained the results of TLC
verifications at several different levels of abstraction, and compared the TLCS results and
verification methodology with other published work.
Generally, despite modeling systems in more detail than others, TLCS is able to compute
comparable results even though it explicitly enumerates the states and is written in Prolog.
Using the asynchronous STARI verification problem as a benchmark, TLCS confirms the Berkeley
researchers' results (TB97); the TLCS models extend the verification to include data values passing
correctly through the queue, and no assumes-guarantees reasoning is required to accomplish the
verification. Comparing the TLCS results with those of the French researchers from VERIMAG
(BM98), TLCS generally confirmed their results but pointed out an important counterexample
when the set-up and hold time requirements of the receiver are taken into account. The TLCS
model is much more detailed than the original proof of STARI correctness (Gre93), proving
properties about the actual data transferred as well as showing a counterexample to the formula
derived for allowable skew between sender and receiver clocks when the more realistic model is used.
TSA are well suited for modeling systems at various levels of abstraction, and the TLC relationship is useful for verifying when one TSA is an acceptable implementation of another. TSA
modeling and TLC verification support incorporating the environmental constraints into specifications in a natural way. This reduces the modeling problem by eliminating environmental models,
and the incorporated environmental constraints minimize the number of states that must be examined, making a fair tradeoff possible between model fidelity and computational complexity.

The TLC verification methodology is simpler than the assumes-guarantees methodology because no assumes-guarantees proof obligations or extra abstract models are required to support
decomposing the verification task.
This chapter's contributions are:
• Definition and application of canonical inertial and monotonic hardware modeling techniques.
• Demonstration of a simple and relatively efficient verification methodology that supports
using more detailed models and discovers subtle problems not exposed by others.
• A comparison and critique of TLCS verification results against other published work.
• A comparison and critique of the TLC verification methodology against other published work.

VII. Conclusions
This chapter summarizes the problem and lists the research objectives. Then, it enumerates and explains the research contributions. After proposing some future research opportunities, it concludes
with final remarks.

7.1 Summary
Chapter II defined and described several example formalisms for modeling and reasoning

about the "equivalent" behavior of concurrent systems. There are some significant expressiveness
problems with these formalisms. Upper and lower time bounds (bi-bounded delays) are difficult
to define in the simplest models. Some of the simpler models, and even the more complicated
ones, have nonintuitive semantics such as the maximal-progress semantic leap from two processes
waiting individually to perform their actions to cooperating processes that cannot wait to perform
their cooperative actions. None of the process-algebra-style models support expressing general
temporal relationships between actions that do not sequentially follow each other. Timed processes
support expressing general temporal relationships between actions, but they are quite complicated
because they use state functions to define outputs and invariants, and sequences of events to define
process semantics. Furthermore, in order for timed processes to be reasoned about consistently,
they must be nonblocking. This dramatically increases the complexity of both the model building
and verification task.
Chapter II also discussed the timed "equivalence" relationships Timed Bisimulation and Weak
Timed Bisimulation for TCCS agents, CTR Refinement for CTR agents, and Timed Simulation and
Timed Implementation between timed processes. The bisimulation relationships generally restrict
designer freedom too much and do not allow efficient implementations. The CTR refinement
relationship is looser, but CTR allows implementations that do not accept all the inputs accepted
by the specification, so CTR is formalized "backwards." Timed Simulation is better than the
bisimulation straitjacket, but its assumes-guarantees methodology requires many iterations of
expensive verifications just to "verify the verification" because of circular dependencies between
environment and system models. Chapter II revealed that the existing tools for the most powerful
methodology require a lot of user input that is not straightforward to supply.
In summary, Chapter II demonstrated the need for a simpler and yet powerful modeling
formalism to accurately express the relationship between behavior and time. Designers also need
a more practical mathematical relationship between models that supports an automated verification methodology that factors in environmental timing properties without building many different
models of the environment and using them to "verify the verification."
These were the specific research objectives:

1. Adopt or create a simple modeling formalism rich enough to express discrete-valued behavioral
properties and timeliness requirements of digital circuits while modeling continuous time.
2. Canonically define how to model digital circuit components and specify required behaviors
and timing using the modeling formalism.
3. Formally define a practical relationship that expresses when one model satisfies the timing and
behavioral requirements of another. Prove that the relation has the necessary mathematical
properties for meaningful verification.
4. Write a tractable computational procedure that calculates when the relation holds between
two models.
5. Demonstrate the utility of the relation on benchmark digital circuit design problems.
6. Define a verification methodology for using the relation to efficiently hierarchically verify
larger systems.
These objectives have been accomplished.

7.2 Contributions
After enumerating contributions organized by topic, the following sections summarize and
explain them.

• TSA Model of Computation
1. Simpler than timed processes.
2. More expressive than most other "simple" models. Theoretically unlimited power to
express the timing relationships between actions.
3. A formal definition of synchronous parallel composition, and a useful implementation of
the composition procedure in TLCS.
4. Simple rules and canonical forms for modeling hardware components as TSA.
• TLC Formal Relationship Between Models
1. Safely weakens "equivalence" and gives designers the structural, temporal, and behavioral freedom they need to design and reuse efficiently.
2. Relaxes timing requirements "the right way."
3. Relatively efficient—avoids checking irrelevant state space.
4. "Completes" the model checking verification process.
5. An "efficient" implementation of the TLC decision procedure and demonstration of its
utility on benchmark problems.
• Verification Methodology
1. A more powerful and efficient hierarchical verification methodology.
2. Breaks the verification task down into independent sub-verifications.

3. Avoids always considering changes in the environment and other modules at every level
of design.
4. Fewer abstract models required.
5. Requires no user-supplied state relation.

7.2.1 Model of Computation.
The "simple" and expressive Timed Safety Automata (TSA) model of computation as adapted for
this research does not suffer the deficiencies revealed in
Chapter II. TSA support high-fidelity modeling of electronic circuits when constrained as required
by the unique Def. 30 modeling constraints and bi-bounded inertial delay modeling techniques. The
formal synchronous TSA parallel composition rules and TLCS implementation of them support
modeling and equivalence checking large and complex circuits.
TSA suffer none of the expressiveness problems associated with untimed process algebras.
Upper and lower time bounds (bi-bounded delays) are easily defined using TSA location invariants
and transition guards. The maximal-progress semantic leap (from two processes waiting individually
to perform their actions to cooperating processes that cannot wait to perform their cooperative
actions) does not exist in the TSA parallel composition rules. General temporal relationships
between actions that do not sequentially follow each other are easy to express in TSA by resetting a
clock and freely using clock predicates to define the relationship.
The Mealy machine TSA model is simpler than the Moore machine COSPAN timed process
model. TSA do not define output by associating functions with locations. The TSA model is easier
to use. Users need not specify behaviors for all inputs in all states for all possible times at every
level of the hierarchy. Only those inputs necessary to satisfy the TLC relation with the specification
and satisfy the CI-free property in compositions must be defined. In another sense, the TSA model
is more expressive than both timed processes and process algebras because TSA allow users to use
{<, ≤, >, ≥} instead of just {<, >, =} to define timed behavior using clock constraints. The TSA
model is also simpler than the most expressive process-algebraic model because it requires only
about half of the rules to define model semantics and parallel composition.
The TSA model works well for describing behavior at many different levels of abstraction.
Chapters IV and VI specified novel rational modeling constraints and defined canonical ways to
monotonically and inertially model implementation-level primitive hardware circuits. Chapter VI
demonstrated using those models in example verifications from handfuls of gates to a dual-railencoded queue for interfacing systems with clock skew between them.

7.2.2 Formal Relationship Between Models.
Chapter IV formally defined the timed equivalence relation, Weak Timed Bisimulation, that
relates Dense Labeled Transition Systems (DLTS's)
with different internal action sequences but the same observable action sequences and timing. To
relate systems that do not have the exact same timing, Chapter IV also defined how to abstract
away the temporal differences between TSA, and how to use those abstractions to weaken Weak
Timed Bisimulation via the partial order Timed Logic Conformance (TLC) relation.
With a few well-defined exceptions, TLC requires that implementation inputs are a timed
superset of specification inputs and that implementation outputs are a timed subset of specification
outputs. TLC formalizes these notions and specifies when an implementation can safely replace a
specification, and it has the necessary mathematical properties to support hierarchical verification
of larger systems with the exception that one must be careful when the most abstract specification
is parallel composed.
In summary, TLC:

• Pragmatically and intuitively weakens "equivalence" and gives designers the freedom they
need to design and reuse designs efficiently. TLC provides greater structural, temporal, and
behavioral freedom of implementation while maintaining a meaningful and accurate implementation "implements" specification relationship.

• Relaxes timing requirements "the right way." Instead of accepting implementations that can
refuse specification inputs, TLC rejects them; at the same time it rejects implementations
that output when the specification does not allow outputs.
• Avoids checking irrelevant implementation state space by ignoring extra input derivatives
that the specification does not have.
• Is a "completing" companion to model checking. Since TLC gives designers substantial freedom
of design, it does not generally preserve arbitrary timed modal logic or μ-calculus properties,
yet all pragmatic properties are preserved when the specification completely defines the
inputting environment for the implementation.
Further, Chapter V described the reasonably efficient region-automata-based decision procedure
implemented in TLCS. TLCS computes whether or not the TLC relation holds with a minimum
of user input required. TLCS computed whether or not TLC holds for several examples including
the STARI (Self-Timed at Receiver's Input) asynchronous circuit for communicating safely between
two clock-skewed systems. The results, summarized in Chapter VI, are comparable to those
published elsewhere (Gre93, BM98, TB97).

7.2.3 Verification Methodology.
The powerful and relatively efficient top-down TLC hierarchical verification methodology also
works bottom-up. The TLC verification methodology is
better than assumes-guarantees reasoning because it simplifies and reduces the burden of building
models, and it breaks the verification down into less complex and independent pieces.
The TLC verification methodology is simpler because it can be independently decomposed
without the assumes-guarantee circular dependency verifications. This reduces the magnitude of the
verification task tremendously because iteratively changing models and specifications only affects
the verifications up and down the hierarchy, not across the breadth of it for every iteration.
In summary, TLC verification:

• Breaks the verification task down into independent sub-verifications that are smaller and
more tractable.
• Avoids having to always consider changes in the environment and other modules at every
level of design.
• Requires no environmental model: naturally captures environmental timing requirements in
the top-level specification.
• Provides an efficient alternative to assumes-guarantees proof obligations.
• Requires no user-supplied state relation.

7.3 Future Work
There is always more work to be done. The plans and ideas are organized into three areas: TLCS enhancements, TSA/TLC theory extensions, and promising TLC applications.
7.3.1 TLCS Enhancements.

SWI-Prolog indexes information on the heap by the first term of the asserted fact by default, but facts can be indexed by more non-list terms to improve efficiency. It would greatly speed up the TLC process if the list of visited state pairs and their time vectors could be directly indexed according to all three terms, i.e., I's location, S's location, and the time vector. Unfortunately, the time vector data structure is a list and cannot be used as a hash key. Generating a nearly unique atomic hash key for each time vector and using it to index visited states and to represent time vectors on the stack seems feasible and would vastly improve the performance of the SWI-Prolog TLCS.
The current parallel composition algorithm stores the transition relations of the composed systems on the stack and recursively calls itself until no new states are reached. For small compositions, this approach works fine, but for large compositions (e.g., the two-queue-stage STARI queue with 18 subcomponents) TLCS overflows SWI-Prolog's stack limitation (64MB). Updating the parallel composition algorithm to use the heap (up to 1.9GB) instead of the stack to store component transition sequences would improve reasoning about larger systems.
There have been advances that reduce the exponential space complexity of the region automata time representation (HKWT95, LLPY97). These techniques should be studied to see if
TLCS space complexity can be significantly improved. Many techniques are applicable for model
checking because they depend on the formulas being checked and the applicable state space to
minimize the complexity. Some techniques have been applied to equivalence checking; e.g., clock
minimization algorithms, clock-planes, and geometric clock regions (RM94). Generally the efficiency gains depend on the particular relationships between the clock resets and clock predicates in
the specific TSA. Whether these techniques can be directly applied to greatly improve the TLCS
efficiency or if they would require extensions or modifications to the theory or algorithm itself is
not yet clear. Of particular interest is University of Utah's Timed Event Level (TEL) structure
research (BM97, BMH99). TEL structures are efficient ways of expressing timed Petri-net style
behavior and signal level information together. University of Utah's ATACS system uses geometric
representations of clock regions to efficiently reason about TEL structure timed state spaces representing the environment and the system. Conflicts between the environment and system state
spaces are timing failures and design errors.

7.3.2 TSA/TLC Theory Extensions.

One promising extension of TLC theory is to define a "confluent" Timed Logic Conformance, i.e., weaken TLC such that implementations can satisfy confluent specification output bursts with any of the allowed sequences of outputs. Frequently, specifications allow outputs to be generated in any sequence, but the output sequences converge to a single state. Currently, the TLC relation requires the implementation to generate all of the specification's output sequences. Since considerably more efficient implementations can typically be made that produce only a subset of those sequences, and the receiver of that sequence typically does not care which order they arrive, a confluent TLC relation would safely give designers more behavioral freedom.
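The asymmetric action-matching rules summarised in the TLC bullet list of Section 7.2.2 (specification inputs must be accepted, implementation outputs must be allowed, extra implementation inputs are ignored) together with the "all specification output sequences" obligation that a confluent TLC would relax, stripped of all timing as an added illustration; this is not the dissertation's TLCS code, and the '?'/'!' action convention, the function names and the sample handshake and output-burst machines are all constructed here.

```python
"""Untimed skeleton of the action matching that TLC requires between an
implementation and a specification.  Added example, not TLCS: clocks, time
vectors and region automata are dropped, so only the input/output matching
rules remain.  Actions are strings ending in '?' (input) or '!' (output);
every machine below is a constructed sample.
"""
from typing import Dict, List, Set, Tuple

# state -> list of (action, next_state); a constructed finite state machine
FSM = Dict[str, List[Tuple[str, str]]]
Pair = Tuple[str, str]


def states(m: FSM) -> Set[str]:
    """All states named in a machine, as sources or as targets."""
    found = set(m)
    for trans in m.values():
        found.update(nxt for _, nxt in trans)
    return found


def succ(m: FSM, state: str, action: str) -> Set[str]:
    """States reachable from `state` by one `action` step (may be empty)."""
    return {nxt for act, nxt in m.get(state, []) if act == action}


def violates(impl: FSM, spec: FSM, i: str, s: str, rel: Set[Pair]) -> bool:
    """True if the pair (i, s) breaks a local obligation against `rel`."""
    # Specification side: every spec input must be accepted by the
    # implementation (refusing spec inputs is rejected) and every spec
    # output must be produced by it.  The output half is the obligation a
    # "confluent" TLC would weaken to "some allowed output sequence".
    for act, s_next in spec.get(s, []):
        if not any((i_next, s_next) in rel for i_next in succ(impl, i, act)):
            return True
    # Implementation side: outputs must be allowed by the spec at s; inputs
    # the spec does not offer at s are extra input derivatives and are
    # ignored rather than explored.
    for act, i_next in impl.get(i, []):
        if act.endswith("?") and not succ(spec, s, act):
            continue
        if not any((i_next, s_next) in rel for s_next in succ(spec, s, act)):
            return True
    return False


def tlc_untimed(impl: FSM, spec: FSM, i0: str, s0: str) -> bool:
    """Greatest fixpoint: start from all state pairs and discard violating
    pairs until stable; conformance holds iff the initial pair survives."""
    rel: Set[Pair] = {(i, s) for i in states(impl) for s in states(spec)}
    changed = True
    while changed:
        changed = False
        for pair in sorted(rel):
            if violates(impl, spec, pair[0], pair[1], rel):
                rel.discard(pair)
                changed = True
    return (i0, s0) in rel


# Constructed request/acknowledge handshake specification.
SPEC_HANDSHAKE: FSM = {"s0": [("req?", "s1")], "s1": [("ack!", "s0")]}
# Conforming implementation.
IMPL_OK: FSM = {"i0": [("req?", "i1")], "i1": [("ack!", "i0")]}
# Refuses the second req?: rejected.
IMPL_REFUSES: FSM = {"i0": [("req?", "i1")], "i1": [("ack!", "i2")], "i2": []}
# Emits err!, an output the spec never allows: rejected.
IMPL_EXTRA_OUT: FSM = {"i0": [("req?", "i1")],
                       "i1": [("ack!", "i0"), ("err!", "i0")]}
# Accepts reset?, an input the spec lacks: ignored, so it still conforms.
IMPL_EXTRA_IN: FSM = {"i0": [("req?", "i1"), ("reset?", "i0")],
                      "i1": [("ack!", "i0")]}
# Confluent output burst: a! and b! in either order, converging on s0.
SPEC_BURST: FSM = {"s0": [("go?", "s1")],
                   "s1": [("a!", "s2"), ("b!", "s3")],
                   "s2": [("b!", "s0")], "s3": [("a!", "s0")]}
# Produces only the a!-then-b! order: rejected by TLC as defined, although
# a confluent TLC would accept it.
IMPL_ONE_ORDER: FSM = {"i0": [("go?", "i1")], "i1": [("a!", "i2")],
                       "i2": [("b!", "i0")]}


if __name__ == "__main__":
    for name, impl, spec in [("ok", IMPL_OK, SPEC_HANDSHAKE),
                             ("refuses", IMPL_REFUSES, SPEC_HANDSHAKE),
                             ("extra_out", IMPL_EXTRA_OUT, SPEC_HANDSHAKE),
                             ("extra_in", IMPL_EXTRA_IN, SPEC_HANDSHAKE),
                             ("one_order", IMPL_ONE_ORDER, SPEC_BURST)]:
        print(name, tlc_untimed(impl, spec, "i0", "s0"))
```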
A second extension is to develop a methodology for safely abstracting actions/events from
binary values changing to events on groups of binary signals, events on numbers, strings, and
records. While not theoretically a problem, the rapid growth of region-automata timed state space
severely limits reasoning about the behavior of multi-bit hardware architectures with TLCS. Current
plans are to scale down the complexity by reducing bit-width, but more abstraction options are
needed—especially if TLCS is used for system-level hardware and software architectures.
7.3.3 Promising TLC Applications.

Integrating a TLC decision procedure and existing tools already available for different applications should be investigated. A main problem with the
application of formal methods to real design is that there are many different models of computation
and tools to support them but no Rosetta stone or transformation process for most of the models.
Instead of trying to promote the use of TLCS with this flavor of TSA formalism for equivalence
checking only, defining the TLC relation for an expressive timed FSM formalism already used for
model checking or other formal methods application makes sense. One model checking environment
without an efficient equivalence checker is the Concurrency Factory (CGL+94). Integrating TLC
into the Concurrency Factory would package the TLC theory in a useful way and expose more
people to the more efficient TLC verification methodology.
Using TLC to define semantics of system architecture refinement in a category-theory-based
specification-refinement tool like SpecWare (SJ94) should be investigated. Mark Gerken laid the
foundation for using untimed process algebras to formally define different software architectures
and reason about them (Ger95). Since the timing of hardware and software systems working
together is so critical to their function, extending his theory over a timed FSM formalism like
TSA and using the TLC relation to define an appropriate implementation relation between system
architectures makes sense.

Another potentially fruitful research area is defining mappings from the Unified Modeling
Language (UML) (Dou98) into TSA for the purpose of defining and proving temporal claims about
UML specifications, architectures, and implementations. UML is a popular language for specifying
system architectures, but UML does not have a solid theoretical foundation for all of its semantics.
Previous AFIT research successfully defined formal semantics for informal graphically-based object-oriented specification and modeling languages similar to UML (DeL96), but the formal semantics have not been extended to the specification and reasoning about system timing and the relationship of time and behavior. Since one of the most widely used views of a UML specification is FSM-based, using the TSA model and TLC relation to formally define the relationship between time and behavior and to refine the FSM part of UML specifications makes sense.
Another very important research idea is to use temporal logic, abstract TSA models, and the
TLC relation to define and warrant the behavior of intellectual property (IP) subsystems. If the
interfaces to the subsystem are defined as TSA, and the actions of the subsystem are defined using
temporal logic or timed modal μ-calculus formulae, then potential users of the subsystem could
compose the subsystem into their application and determine if they can interface with the subsystem correctly and satisfy their performance specifications. A predicate-logic based specification of
behavior would likely be necessary to describe the data-path function of the subsystem as done
at the University of Cincinnati (Bar98). This specification would be used for reasoning about the
system's functional consistency and correctness with a theorem prover instead of a model checker
or equivalence checker. With such formal specifications for IP components, users could automatically and reliably search for and reason about the suitability of the IP for their application without
forcing the IP vendor to compromise the details of their implementation.

7.4 Concluding Remarks
Based on the results and conclusions in this and previous chapters, the research objectives have been successfully achieved. The Timed Safety Automata (TSA) formalism is rich enough to express hardware behavioral properties and all the necessary timeliness requirements. How to use TSA to model hardware components and specify required behaviors and timing was canonically defined. An efficient parallel TSA composition procedure was defined to support design and verification of more complex systems. The Timed Logic Conformance (TLC) relation was formally defined and specifies when one TSA satisfies the timing and behavioral requirements of another TSA. TLC is loose enough to give designers the structural, temporal, and behavioral freedom they need to implement efficiently. TLC does not sacrifice the fundamental requirements to match specification inputs and safely allow implementation outputs. The TLC partial order has the necessary mathematical properties for meaningful verification. The tractable computational procedure (TLCS) calculates when the TLC relation holds. TLCS successfully demonstrated the utility of the TLC relation on benchmark circuit design problems, and supported the development of a powerful and relatively efficient top-down hierarchical verification methodology.

Bibliography
ABK+97. E. Asarin, M. Bozga, A. Kerbrat, O. Maler, A. Pnueli, and A. Rasse. Data structures for the verification of timed automata. In O. Maler, editor, Proc. HART'97, LNCS 1201. Springer, 1997.
ACD90. Rajeev Alur, Costas Courcoubetis, and David Dill. Model-checking for real-time systems. In Proceedings of 5th IEEE Symposium on Logic in Computer Science, pages 414-425, 1990.
ACD93. Rajeev Alur, Costas Courcoubetis, and David Dill. Model-checking in dense real-time. Information and Computation, 104(1):2-34, 1993.
ACH94. R. Alur, C. Courcoubetis, and T. Henzinger. The observational power of clocks. In Proceedings of CONCUR '94, LNCS 836, 1994.
AD94. Rajeev Alur and David L. Dill. A theory of timed automata. Theoretical Computer Science, 126(2):183-235, 1994.
All83. James F. Allen. Maintaining knowledge about temporal intervals. Communications of the ACM, 26(11):832-843, November 1983.
All84. James F. Allen. Towards a general theory of action and time. Artificial Intelligence, 23(2):123-154, July 1984.
ANB95. John Aldwinckle, Rajagopal Nagarajan, and Graham Birtwistle. An Introduction to Modal Logic and its Applications on the Concurrency Workbench. Department of Computer Science, University of Calgary, Calgary, Alberta, Canada, February 1995. (Preliminary Version).
AR91. V.S. Alagar and G. Ramanathan. Functional specification and proof of correctness for time dependent behavior of reactive systems. Formal Aspects of Computing, 3(3):253-283, Jul-Sep 1991.
Bar98. Phillip Baraona. The Syntax and Semantics of VSPEC, a Larch/VHDL Interface Specification Language. PhD thesis, University of Cincinnati, 1998.
BGS89. Thomas Bihari, Prabha Gopinath, and Karsten Schwan. Object-oriented design of real-time software. In Proceedings of the Real-Time Systems Symposium, pages 194-201, Los Alamitos, CA, 1989. IEEE Computer Society Press.
BM97. Wendy Belluomini and Chris J. Myers. Timed event/level structures. In International Workshop on Timing Issues in the Specification and Synthesis of Digital Systems, pages 199-208. ACM/IEEE, December 1997.
BM98. Marius Bozga and Oded Maler. Modeling and verification of the STARI chip using timed automata. In Proceedings of CAV '98, 1998.
BMH99. Wendy Belluomini, Chris J. Myers, and H. Peter Hofstee. Verification of delayed reset domino circuits using ATACS. In International Workshop on Timing Issues in the Specification and Synthesis of Digital Systems, pages 39-44. ACM/IEEE, March 1999.
BS91. J.A. Brzozowski and C-J. H. Seger. Advances in asynchronous circuit theory Part II: Bounded inertial delay model, MOS circuits, design techniques. EATCS Bulletin 43, 1991.
Bur92. Jerry Burch. Delay models for verifying speed-independent asynchronous circuits. In Proceedings of the International Conference of Computer Design (ICCD), pages 270-274. IEEE Computer Society Press, October 1992.

Cer92. K. Čerāns. Decidability of bisimulation equivalences for parallel timer processes. In Proceedings of CAV '92, LNCS 663, 1992.
Cer95. Kārlis Čerāns. CTR: A calculus of timed refinement. In I. Lee and S. Smolka, editors, Proceedings of CONCUR '95, pages 516-530, 1995.
CGL93. Kārlis Čerāns, Jens Chr. Godskesen, and Kim G. Larsen. Timed modal specification: theory and tools. In C. Courcoubetis, editor, Proceedings of CAV '93, pages 253-267, 1993.
CGL+94. J. N. Cleaveland, J. N. Gada, P. M. Lewis, S. A. Smolka, O. Sokolsky, and S. Zhang. The concurrency factory: practical tools for specification, simulation, verification, and implementation of concurrent systems. In Proceedings of The DIMACS Workshop on Specification Techniques for Concurrent Systems, Princeton, NJ, DIMACS Series in Discrete Mathematics and Theoretical Computer Science. American Mathematical Society, 1994.
CH92. P.J. Clarke and D.J. Holding. The specification, design and verification of real-time embedded control logic using CSP and TCSP. In Real-Time Programming (WRTP '92). Preprints of the IFAC Workshop, pages 167-172, Oxford, UK, June 1992. Pergamon Press.
CHLM93. P.C. Clements, C.L. Heitmeyer, B.G. Labaw, and A.K. Mok. Applying formal methods to an embedded real-time avionics system. In Proceedings of the First IEEE Workshop on Real-Time Applications, pages 46-49, Los Alamitos, CA, May 1993. IEEE.
CL96a. Duncan Clarke and Insup Lee. Automatic specification-based testing of real-time properties. ftp.cis.upenn.edu/pub/rtg/Paper/Full_Postscript/test96.ps.Z, 1996.
CL96b. Duncan Clarke and Insup Lee. A hybrid approach to formal verification applied to an ATM switching system. Technical Report MS-CIS-96-04, University of Pennsylvania, 1996. ftp.cis.upenn.edu/pub/rtg/Paper/Full-Postscript/atm.ps.Z.
CLK94. Jin-Young Choi, Insup Lee, and Inhye Kang. Timing analysis of superscalar processor programs using ACSR. In Proceedings of 11th IEEE Workshop on Real-Time Operating Systems and Software, 1994.
CW96. Edmund M. Clarke and Jeannette M. Wing. Formal methods: State of the art and future directions. Technical Report CMU-CS-96-178, Carnegie Mellon University, August 1996.
Dan92. Mats Daniels. Modelling real-time behavior with an interval time calculus. In Formal Techniques in Real-Time and Fault-Tolerant Systems. Second International Symposium Proceedings, 1992.
Das85. B. Dasarathy. Timing constraints of real-time systems: Constructs for expressing them, methods of validating them. IEEE Transactions on Software Engineering, 11(1):80-86, January 1985.
Dav93. Jim Davies. Specification and Proof in Real-Time CSP. Cambridge University Press, 1993.
DeL96. Scott A. DeLoach. Formal Transformations from Graphically-Based Object-Oriented Representations to Theory-Based Specifications. PhD thesis, Air Force Institute of Technology, 1996.
Dou98. Bruce Powel Douglass. Real-Time UML: Developing Efficient Objects for Embedded Systems. Grady Booch, Ivar Jacobson, and James Rumbaugh Object Technology Series. Addison-Wesley, 1998.

Dro89. Geoff Dromey. Program Derivation: The Development of Programs from Specifications. Addison-Wesley, Sydney, Australia, 1989.
EAP98. E. Asarin, O. Maler, and A. Pnueli. On discretization of delays in timed automata and digital circuits. In R. de Simone and D. Sangiorgi, editors, Proc. CONCUR'98, LNCS. Springer, September 1998. To appear.
FH92. Stephen Fickas and B. Robert Helm. Knowledge representation and reasoning in the design of composite systems. IEEE Transactions on Software Engineering, 18(6):470-482, June 1992.
FP93. Laurent Fribourg and Marcos Veloso Peixoto. Concurrent constraint automata. Technical Report LIENS 93-10, École Normale Supérieure, ftp.ens.fr/pub/reports/liens/liens93-10.A4.ps.Z, 1993.
Ger95. Mark James Gerken. Formal Foundations for the Specification of Software Architecture. PhD thesis, Air Force Institute of Technology, 1995.
GF88. A. Gabrielian and M. K. Franklin. State-based specification of complex real-time systems. In Proceedings of the 9th IEEE Real-Time Systems Symposium, pages 2-11, Huntsville, AL, 1988. IEEE Computer Society Press.
GF90. Armen Gabrielian and Matthew K. Franklin. Multi-level specification and verification of real-time software. In Proceedings of the 12th International Conference on Software Engineering, pages 52-62. IEEE Computer Society Press, March 1990.
GI91. A. Gabrielian and R. Iyer. Integrating automata and temporal logic: A framework for specification of real-time systems and software. In C.M.I. Rattray and R.G. Clarke, editors, Proceedings of the Unified Computation Laboratory. Oxford University Press, 1991.
GI92. A. Gabrielian and R. Iyer. Verifying properties of HMS machine specifications of real-time systems. In Proceedings of the Workshop on Computer-Aided Verification, Aalborg, Denmark, July 1-4, 1991, Lecture Notes in Computer Science. Springer-Verlag, 1992.
Gre93. Michael R. Greenstreet. STARI: A Technique for High-Bandwidth Communication. PhD thesis, Princeton, January 1993.
GSSAL94. Rainer Gawlick, Roberto Segala, Jørgen Søgaard-Andersen, and Nancy Lynch. Liveness in timed and untimed systems. In Proceedings of 21st ICALP, LNCS 820, pages 166-177. Springer-Verlag, 1994.
GV95. Daniel Gajski and Frank Vahid. Specification and design of embedded hardware-software systems. IEEE Design and Test of Computers, Spring 1995.
Hal92. W. A. Halang. Real-time systems: Another perspective. In Krishna M. Kavi, editor, Real-Time Systems Abstractions, Languages, and Design Methodologies, pages 11-18. IEEE Computer Society Press, 1992.
HB94. Henrik Hulgaard and Stephen M. Burns. Bounded delay timing analysis of a class of CSP programs with choice. In International Symposium on Advanced Research in Asynchronous Circuits and Systems, pages 2-11. IEEE, November 1994.
Hen95. Thomas A. Henzinger. Hybrid automata with finite bisimulations. In Z. Fülöp and F. Gécseg, editors, Automata, Languages and Programming. 22nd International Colloquium, ICALP 95 Proceedings, pages 324-335. Springer-Verlag, 1995.
HJ95. Michael G. Hinchey and Stephen A. Jarvis. Concurrent Systems: Formal Development in CSP. McGraw-Hill International Series in Software Engineering. McGraw-Hill Book Company Europe, London, 1995.

HKWT95. Thomas A. Henzinger, Peter W. Kopke, and Howard Wong-Toi. The expressive power of clocks. In Z. Fülöp and F. Gécseg, editors, Automata, Languages and Programming. 22nd International Colloquium, ICALP 95 Proceedings, pages 417-428. Springer-Verlag, 1995.
HLY91. Uno Holmer, Kim Larsen, and Wang Yi. Deciding properties of regular real timed processes. In Proceedings of CAV '91, pages 443-453, 1991.
HNSY94. Thomas A. Henzinger, Xavier Nicollin, Joseph Sifakis, and Sergio Yovine. Symbolic model checking for real-time systems. Information and Computation, 111:193-244, 1994.
Hoa85. C.A.R. Hoare. Communicating Sequential Processes. Prentice-Hall International, UK, Ltd., 1985.
HP87. Derek J. Hatley and Imtiaz A. Pirbhai. Strategies For Real-Time System Specification. Dorset House Publishing, New York, 1987.
Jah89. Farnam Jahanian. Verifying properties of systems with variable timing constraints. In Proceedings, Real Time Systems Symposium (Cat. No. 89CH2803-5), pages 319-328, New York, December 1989. IEEE Computer Society Press.
Jen93. E. Douglass Jensen. A timeliness model for asynchronous decentralized computer systems. In Proceedings of the International Symposium on Autonomous Decentralized Systems, pages 173-182, Los Alamitos, CA, 1993. IEEE Computer Society Press.
JM86. Farnam Jahanian and Aloysius Ka-Lau Mok. Safety analysis of timing properties in real-time systems. IEEE Transactions on Software Engineering, 12(9):890-904, September 1986.
JU93. Mark B. Josephs and Jan Tijmen Udding. An overview of D-I algebra. In Mudge, Milutinovic, and Hunter, editors, Proceedings of the 26th Annual Hawaii International Conference on System Sciences, volume I, pages 329-338. IEEE Computer Society Press, January 1993.
Kan95. Inhye Kang. CTSM: A Formalism for Real-Time System Analysis Based on State-Space Exploration. PhD thesis, Department of Computer and Information Science, University of Pennsylvania, Philadelphia, PA 19104-6389, February 1995. Prospectus.
Koy92. R. Koymans. Specifying real-time properties with metric temporal logic. In Krishna M. Kavi, editor, Real-Time Systems Abstractions, Languages, and Design Methodologies, pages 88-132. IEEE Computer Society Press, 1992.
Kri92. Padmanabhan Krishnan. A calculus of timed communicating systems. International Journal of Foundations of Computer Science, 3(3):303-322, September 1992.
LA90. Shem-Tov Levi and Ashok K. Agrawala. Real-Time System Design. McGraw-Hill Book Company, New York, 1990.
Lad86. Peter Ladkin. Time representation: A taxonomy of interval relations. In Proceedings of AAAI-86, pages 360-366, 1986.
LBGG94. Insup Lee, Patrice Bremond-Gregoire, and Richard Gerber. A process algebraic approach to the specification and analysis of resource-bound real-time systems. In Proceedings of the IEEE, Special Issue on Real-Time Systems, January 1994.
LLPY97. Kim G. Larsen, Fredrik Larsson, Paul Pettersson, and Wang Yi. Efficient verification of real-time systems: compact data structure and state-space reduction. In Proceedings of the 18th IEEE Real-Time Systems Symposium, pages 14-24, December 1997.

LM91. Michael R. Lowry and Robert D. McCartney, editors. Automating Software Design. AAAI Press and the MIT Press, 1991.
LY93. Kim G. Larsen and Wang Yi. Time-abstracted bisimulation: Implicit specifications and decidability. In Proceedings of Mathematical Foundations of Programming Semantics (MFPS)'93, pages 160-176, 1993.
MC90. Derek P. Mannering and Bernard Cohen. The rigorous specification and verification of the safety aspects of a real-time system. In Proceedings of the Fifth Annual Conference on Computer Assurance (COMPASS 90), pages 68-85, New York, June 1990. IEEE.
Mil80. R. Milner. A Calculus of Communicating Systems. Springer-Verlag, 1980.
Mil89. R. Milner. Communication and Concurrency. Prentice-Hall International, London, 1989.
MM91. Wenbo Mao and George J. Milne. An automated proof technique for finite-state machine equivalence. In Proceedings of CAV '91, pages 233-243, 1991.
Mol91. Faron Möller. Process algebra as a tool for real time analysis. In G. Birtwistle, editor, Proceedings of the IV Higher Order Workshop, pages 32-53, Berlin, Germany, September 1991. Springer-Verlag.
MP95. Oded Maler and Amir Pnueli. Timing analysis of asynchronous circuits using timed automata. In Proceedings of Correct Hardware Design and Verification Methods. IFIP WG 10.5 Advanced Research Working Conference, CHARME 95, pages 189-205, Berlin, October 1995. Springer-Verlag.
MRM94. Chris J. Myers, Thomas G. Rokicki, and Teresa H.-Y. Meng. Automatic synthesis and verification of gate-level timed circuits. Technical Report CSL-TR-94-652, Stanford University, Computer Systems Laboratory, Department of Electrical Engineering and Computer Science, Stanford University, Stanford, CA 94305-4055, December 1994.
MT92. Faron Möller and Chris Tofts. A temporal calculus of communicating systems. In Krishna M. Kavi, editor, Real-Time Systems Abstractions, Languages, and Design Methodologies, pages 242-256. IEEE Computer Society Press, 1992.
Pnu98. Amir Pnueli. Invited talk, 21st Century Engineering Consortium Workshop. Weizmann Institute of Science, DARPA/ITO Sponsored, March 1998.
RM94. T. G. Rokicki and C. J. Myers. Automatic verification of timed circuits. In International Conference on Computer-Aided Verification, pages 468-480. Springer-Verlag, 1994.
RR92. G.M. Reed and A. W. Roscoe. Timed CSP: Theory and practice. In Krishna M. Kavi, editor, Real-Time Systems Abstractions, Languages, and Design Methodologies, pages 206-241. IEEE Computer Society Press, 1992.
Rus95. John Rushby. Formal methods and their role in the certification of critical systems. Technical Report SRI-CSL-95-1, Computer Science Laboratory, SRI International, Menlo Park, CA, March 1995. Also available as NASA Contractor Report 4673, August 1995, and to be issued as part of the FAA Digital Systems Validation Handbook (the guide for aircraft certification).
SJ94. Y. V. Srinivas and Richard Jüllig. Specware: Formal support for composing software. Technical report, Kestrel Institute, 3260 Hillview Avenue, Palo Alto, CA 94304, Draft: Dec 11, 1994.
SS94. Oleg V. Sokolsky and Scott A. Smolka. Incremental model checking in the modal mu-calculus. In Proceedings of CAV '94, LNCS 818, June 1994.

SS95. Oleg V. Sokolsky and Scott A. Smolka. Local model checking for real-time systems. In Proceedings of CAV '95, 1995.
Ste94. Kenneth S. Stevens. Practical Verification and Synthesis of Low Latency Asynchronous Systems. PhD thesis, The University of Calgary, Calgary, Alberta, Canada, September 1994.
SY96. Joseph Sifakis and Sergio Yovine. Compositional specification of timed systems. In Proceedings of STACS 96. 13th Annual Symposium on Theoretical Aspects of Computer Science, LNCS 1046, pages 347-359. Springer-Verlag, 1996.
TAKB96. Serdar Tasiran, Rajeev Alur, Robert P. Kurshan, and Robert K. Brayton. Verifying abstractions of timed systems. In Proceedings of 7th International Conference on Concurrency Theory, pages 546-562. Springer-Verlag, 1996.
TB97. Serdar Tasiran and Robert K. Brayton. STARI: A case study in compositional and hierarchical timing verification. In Proceedings of the Computer Aided Verification Conference, 1997.
Tsa87. Edward Tsang. Time structures for AI. In Proceedings of the Tenth International Joint Conference on Artificial Intelligence, pages 456-461, Los Altos, CA, 1987. Morgan Kaufmann.
van90. R. J. van Glabbeek. The linear time - branching time spectrum. In J. C. M. Baeten and J. W. Klop, editors, CONCUR 90, pages 278-297, Berlin, 1990. Springer-Verlag.
Wan90. Yi Wang. Real-time behavior of asynchronous agents. In J.C.M. Baeten and J.W. Klop, editors, Proceedings of CONCUR '90, 1990.

REPORT DOCUMENTATION PAGE (Form Approved, OMB No. 0704-0188)

1. REPORT DATE (DD-MM-YYYY): 15-06-1999
2. REPORT TYPE: Ph.D. Dissertation
3. DATES COVERED (From - To): Jan 1993-Jun 1999
4. TITLE AND SUBTITLE: TIMED SAFETY AUTOMATA AND LOGIC CONFORMANCE
5a-5f. CONTRACT, GRANT, PROGRAM ELEMENT, PROJECT, TASK AND WORK UNIT NUMBERS: (not listed)
6. AUTHOR(S): Frank C. D. Young
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES): Air Force Institute of Technology, 2950 P Street, WPAFB OH 45433-6583
8. PERFORMING ORGANIZATION REPORT NUMBER: AFIT/DS/ENG/99-02
9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES): James S. Williamson, AFRL/IFTA, 2241 Avionics Circle, WPAFB, OH, 45433-7334, (937)255-6653x3607
10. SPONSOR/MONITOR'S ACRONYM(S): (not listed)
11. SPONSOR/MONITOR'S REPORT NUMBER(S): N/A
12. DISTRIBUTION/AVAILABILITY STATEMENT: Distribution Unlimited
13. SUPPLEMENTARY NOTES: (none listed)
14. ABSTRACT: Timed Logic Conformance (TLC) is used to verify the behavioral and timing properties of detailed digital circuits against abstract circuit specifications when both are modeled as Timed Safety Automata (TSA) with real-valued clocks. TLC is a bisimulation-style partial order relationship defined over TSA state space. TLC defines when one system is an acceptable implementation of another by asymmetric action-matching requirements for specification inputs and implementation outputs. TLC intuitively and pragmatically supports writing abstract specifications and verifying them against implementations. TLC scales up by substituting verified specifications for implementations and hierarchically verifying larger systems. The TLC verification process is more efficient than the circularly dependent assumes-guarantees verification methodology. The TLC verification methodology explicitly captures environmental timing properties in the system specification and automatically ensures they are satisfied in the TLC relation. The region-automata-based Timed Logic Conformance System (TLCS) implements TSA parallel composition and a TLC decision procedure. TLCS is used to hierarchically verify the STARI (Self-Timed at Receiver's Input) asynchronous circuit for communicating safely between clock-skewed systems.
15. SUBJECT TERMS: Formal Verification of Digital Electronics, Timed Safety Automata, Region Automata, Bisimulation, Partial Order Refinement, Calculus of Communicating Systems, Timing Verification.
16. SECURITY CLASSIFICATION OF: a. REPORT: Unclassified; b. ABSTRACT: Unclassified; c. THIS PAGE: Unclassified
17. LIMITATION OF ABSTRACT: UU
18. NUMBER OF PAGES: 169
19a. NAME OF RESPONSIBLE PERSON: Thomas C. Hartrum
19b. TELEPHONE NUMBER (Include area code): (937)-255-3636x4581
Standard Form 298 (Rev. 8/98), Prescribed by ANSI Std. Z39.18

