Verification and Synthesis of Asynchronous Control Circuits Using Petri Net Unfoldings
by Alexei Semenov
University of Newcastle upon Tyne, Department of Computing Science
PhD thesis
July 1997
Contents

Acknowledgements  viii
Abstract  ix

1 Introduction  1
1.1 Motivation  2
1.2 Design Cycle  3
1.3 Position and Contributions of This Work  4
1.4 Organisation of Thesis  5

2 Previous and Related Work  7
2.1 Asynchronous Circuits Taxonomies  8
2.1.1 Delay taxonomy  8
2.1.2 Protocol signalling taxonomy  8
2.2 Design Methodologies  10
2.2.1 Huffman Fundamental Mode Circuits  10
2.2.2 Delay-Insensitive Circuits  11
2.2.3 Speed-Independent Circuits  11
2.2.4 Micropipelines  12
2.3 Formal Models  13
2.4 Design of Speed-Independent Circuits  16
2.5 Conclusions  17

3 Petri Nets and Related Formalisms  18
3.1 Petri Nets  18
3.2 Analysis of PN Behaviour by RG Methods  25
3.3 Analysis of PN Behaviour by PN-unfolding  26
3.4 Signal Transition Graphs  32
3.5 Analysis of STG Behaviour  34
3.6 Conclusions  37

4 Analysis of PN Models  38
4.1 Adapting Truncated PN-unfolding  38
4.2 Avoiding Redundancy in PN-unfolding  40
4.2.1 Redundancy of Truncated PN-unfolding  41
4.2.2 PN-unfolding Segment  43
4.3 Performance Comparison of Algorithms  50
4.3.1 Ring Protocol  50
4.3.2 Production Cell  52
4.4 Analysis of LPN Models  55
4.4.1 Verification of LPN Models of Specifications  55
4.4.2 Verification of LPN Models of Circuits  58
4.5 Experimental Results  62
4.6 Concluding Remarks  62

5 Analysis of STG Models  64
5.1 Full State Graph  64
5.2 STG-unfolding Segment  69
5.3 Low-level System Analysis  75
5.3.1 Analysis of STG specifications  75
5.3.2 Analysis of asynchronous circuits  76
5.4 Conclusions  80

6 Synthesis from STG-unfolding  82
6.1 Motivation  82
6.2 Implementation of SI Circuits  84
6.2.1 Basic Synthesis Concepts  84
6.2.2 ACGpS Implementation  86
6.2.3 ACGpEF Implementation  88
6.2.4 ACGpER Implementation  89
6.3 Basic Definitions  90
6.3.1 STG-unfolding Cuts  91
6.3.2 STG-unfolding Slices  93
6.3.3 Concluding Remarks  95
6.4 Exact Cover Implementation  95
6.4.1 ACGpS Implementation  95
6.4.2 ACGpEF Implementation  98
6.4.3 ACGpER Implementation  100
6.5 Strategies for Deriving Approximated Covers  102
6.5.1 Negative Set Approximation  103
6.5.2 Positive Set Cover Evaluation  104
6.5.3 Concluding Remarks  105
6.6 Initial Cover Approximation  106
6.6.1 Partial Cut Cover Approximation  107
6.6.2 Finding P-set and N-set Approximations  110
6.6.3 Correctness of Negative Set Approximation Strategy  112
6.7 Cover Refinement  113
6.8 Experimental Results  117
6.8.1 Practicality  117
6.8.2 Feasibility  118
6.9 Conclusions  119

7 Applications of PN-unfolding  120
7.1 Motivation for Contextual Net Unfolding  120
7.2 Positive Contextual Nets  122
7.2.1 Contextual Net Definition  122
7.2.2 Role of Conflict Relation  123
7.3 Contextual Net Unfolding  125
7.3.1 Basic Relations in Acyclic Contextual Nets  125
7.3.2 Contextual Net Unfolding  128
7.3.3 Contextual Net Unfolding Segment  129
7.4 Application: Modelling a Communication Mechanism  130
7.5 Circuit Verification Results  134
7.6 Use of Unfolding for Variable Ordering  136
7.7 Symbolic Traversal of Petri Net State Space  136
7.8 Variable Ordering by Means of Unfolding  139
7.9 Experimental Results  142
7.10 Conclusions  143

8 Conclusions  145
8.1 Summary  145
8.2 Areas of Further Research  147
List of Figures

1.1 Overall design process.  3
2.1 Illustration of pure (a) and inertial (b) delay models.  8
2.2 Illustration of dual-rail (a) and bundled data (b) signalling.  9
2.3 Illustration of four-phase (a) and two-phase (b) protocols.  9
2.4 Fundamental mode synchronous (a) and asynchronous (b) circuits.  10
2.5 Illustration of Delay-Insensitive (a) and Speed-Independent (b) circuits.  11
2.6 Sutherland micropipelines.  13
3.1 Examples of different classes of PNs: (a) SMPN, (b) MGPN, (c) FCPN and (d) EFCPN.  19
3.2 Example of an RG of a PN.  21
3.3 Illustration of relations between transitions: (a) concurrent, (b) structural conflict with concurrent transitions and (c) dynamic conflict.  22
3.4 Illustration of UCPN.  23
3.5 Example of an LPN.  23
3.6 Example of a PN (a) and a reduced RG (b) built using stubborn sets method.  25
3.7 Example of a BDD representation of the RG in example from Figure 3.6(a).  26
3.8 Algorithm for building PN-unfolding.  28
3.9 Steps of the PN-unfolding algorithm: (a) initialised N', (b) after adding two instances, (c) after adding one instance of each transition.  29
3.10 Algorithm for truncated PN-unfolding.  31
3.11 The truncated unfolding for PN from Figure 3.6(a).  32
3.12 Examples of a valid (a) and invalid (b) STGs.  34
3.13 Illustration of the RG and SG built for the STG example from Figure 3.12(a).  35
4.1 Example of truncated (a) and modified truncated (b) PN-unfolding.  38
4.2 Algorithm for modified truncated PN-unfolding.  39
4.3 Example of truncated PN-unfolding redundancy.  40
4.4 Examples of truncated PN-unfolding growth.  41
4.5 Illustration of FIFO transformation of an unsafe PN.  42
4.6 Example of a PN and its truncated PN-unfolding.  43
4.7 Parametrised algorithm for truncated PN-unfolding.  45
4.8 Example of a PN and its truncated PN-unfolding.  46
4.9 Truncated PN-unfolding with wrong cutoffs.  47
4.10 Algorithm for pruning a truncated PN-unfolding.  48
4.11 Illustration of redundancy in a PN-unfolding segment.  49
4.12 Scalable example.  50
4.13 Illustration of a production cell.  52
4.14 Initial (a) and cyclic (b) sequences of events in production cell.  53
4.15 PN fragments (a) and the complete PN model (b) for production cell.  54
4.16 Algorithms for verification of properties in PN-unfolding segment: (a) Liveness check, (b) Safeness check and (c) Persistency check.  56
4.17 Basic two-phase control elements and their LPN models.  59
4.18 Sutherland's micropipeline FIFO (a), its control circuitry (b) and its LPN model (c).  60
4.19 Illustration of a hazard of the gate's output.  60
4.20 Standard (a-b) and Fast Forward (c-d) pipeline with four-phase latch control.  61
5.1 An STG (a) and its corresponding RG (b).  65
5.2 Algorithm for constructing an FSG from an STG.  66
5.3 An FSG constructed for the STG from Figure 5.1(a).  67
5.4 Example of an STG (a) and its RG (b) which is not covered by its FSG (c).  68
5.5 Algorithm for obtaining STG-unfolding segment.  73
5.6 Examples of STG-unfolding segments.  74
5.7 Examples of a 3 input AND gate (a), Muller C-element (b) and ME-element (c).  78
5.8 Four-phase micropipeline control circuit.  79
6.1 Overview of synthesis issues discussed in the work.  83
6.2 Atomic complex gate architecture.  86
6.3 Example of an STG (a) and its corresponding SG (b).  87
6.4 Atomic complex gate per excitation function architecture.  88
6.5 Atomic complex gate per excitation region architecture.  89
6.6 Illustration of cuts.  93
6.7 Illustration of slices.  94
6.8 An SG (a) and STG-segment (b) for the STG in Figure 6.3.  97
6.9 Illustration of the Set cover calculation on STG-unfolding.  99
6.10 Another example of the Set cover calculation on STG-unfolding.  99
6.11 Illustration of slices and cover calculation for ACGpER architecture.  101
6.12 Illustration of the Negative set approximation strategy.  103
6.13 Procedure for the Negative set approximation strategy.  104
6.14 Illustration of the Positive set evaluation strategy.  104
6.15 Procedure for the Positive set cover evaluation strategy.  105
6.16 Illustration of cover approximation for a place (a) and a slice (b).  108
6.17 Procedure for refining cover approximations.  115
6.18 Illustration of cover approximation and refinement.  117
6.19 Experimental results for Muller pipeline.  119
7.1 Example of a Petri net with self-loops (a) and its unfolding according to the requirement of structural conflict (b).  121
7.2 Petri net with self-loops (a) with its step reachability graph (b) and contextual net (c) with its step reachability graph (d).  124
7.3 Conflict and semi-conflict.  126
7.4 Examples of CNs (a),(c) which cannot be contextual occurrence nets and their corresponding graphs (b),(d) of must occur before relation.  126
7.5 Algorithm for obtaining CN-unfolding segment.  130
7.6 Another example of a CN and its unfolding.  131
7.7 Schematic for Simpson's communication mechanism.  132
7.8 Illustration of the Variable element.  133
7.9 Illustration of the benchmark circuit.  134
7.10 Experimental results: (a) Size of the segment in transition instances; (b) Time taken.  135
7.11 Example of different ordering of variables.  137
7.12 Pseudo-code for construction of the BDD representation of the state space of a PN.  139
7.13 Example of a BDD.  139
7.14 Pseudo-code for clustering algorithm.  140
7.15 Dining philosophers benchmark.  141
7.16 Pseudo-code for cluster ordering algorithm.  141
7.17 Steps of cluster ordering algorithm.  141
List of Tables

4.1 Experimental results for the token ring protocol.  51
4.2 Experimental results for the production cell.  54
4.3 Experimental results for the Sutherland's pipeline.  62
5.1 Experimental results for the examples set of benchmarks.  75
5.2 Experimental results for the No-USC set of benchmarks.  77
5.3 Experimental results of four-phase circuit verification.  80
6.1 Experimental results for circuit synthesis.  118
7.1 Experimental results for PN symbolic traversal.  143
7.2 Experimental results (deadlock detection).  143
Acknowledgements
I would like to express my gratitude to my supervisor, Alex Yakovlev, for introducing me
to the exciting and challenging world of asynchronous circuit design. His enthusiasm and
devotion to the asynchronous world kept me going from the very first day when I learned
about the existence of asynchronous circuits till the very end. His patience and ongoing interest in discussing some of my theories (often not very good ones, in retrospect) and his wholehearted participation in the development of most of my papers deserve special mention. He
introduced me to top-class researchers in the asynchronous area, for which I am also thankful.
He and his family (Maria and Greg) made my life in Newcastle a pleasant experience.
This work would have not been possible had I not met and discussed it with the "mediterranean" research group consisting of Luciano Lavagno, Jordi Cortadella, Enric Pastor, Oriol Roig and Marco Peña. Their comments helped me to develop and shape this work. A special thank you goes to the members of their families whose company I enjoyed while visiting Berkeley and Barcelona.
Of course, this work would never be completed without constant support from my family
and friends, patiently bearing my "coma-like" periods during which I was working towards
numerous deadlines. I value greatly the moral input from Olga, Anton and Andrew who once
again proved that friendship is indeed delay-insensitive. I would like to thank my officemates
from B338, Martin Hesketh and Frode Sandnes for being such a wonderful company; my
particular appreciation is to Rob Allen who, in addition, managed to read through the whole
thesis.
Last, but not least, I would like to acknowledge financial help from the Research Committee
of the University of Newcastle upon Tyne, which provided my Research Studentship grant,
and the Committee of Vice-Chancellors and Presidents, which provided the Overseas Research
Studentship Award.
Abstract

Design of asynchronous control circuits has traditionally been associated with the application of formal methods. Event-based models, such as Petri nets, provide a compact and easy to understand way of specifying asynchronous behaviour. However, analysis of their behavioural properties is often hindered by the exponential growth of the reachable state space. This work proposes a new method for the analysis of asynchronous circuit models based on Petri nets. The new approach is called the PN-unfolding segment. It extends and improves existing Petri net unfolding approaches. In addition, this thesis proposes a new analysis technique for Signal Transition Graphs, along with an efficient verification technique which is also based on Petri net unfolding. The former is called the Full State Graph, the latter the STG-unfolding segment. Boolean logic synthesis is an integral part of the asynchronous circuit design process. In many cases, even if the verification of an asynchronous circuit specification has been performed successfully, it is impossible to obtain its implementation using existing methods, because they rely on reachability analysis of the full state space. A new approach is proposed here for the automated synthesis of speed-independent circuits based on the STG-unfolding segment constructed during the verification of the circuit's specification. Finally, this work presents experimental results showing the need for the new Petri net unfolding techniques and confirming the advantages of applying the partial order approach to the analysis, verification and synthesis of asynchronous circuits.
Chapter 1
Introduction
Asynchronous (or self-timed) circuits and systems have attracted increasing attention from the research community in recent years. The inherent concurrency in their operation and the absence of a pre-determined settling period, the clock cycle, mean that these systems reflect more naturally the processes happening in real life.
By making the assumption of a synchronous mode of operation, designers can abstract
from the problem of tracking of all intermediate states of the system. It can be safely assumed
that the clock period is chosen to be long enough for the signals to settle to their new values.
Any feedback is cut off to prevent the changing outputs from affecting the inputs. The arrival
of a new clock pulse triggers the transition process to the next state of the system.
In an asynchronous circuit there is no such "start-stop" mechanism. Any change of signals may cause a transition of the system into the next state. This makes asynchronous circuits harder to design. In addition, the majority of today's designers are used to creating systems and circuits in the synchronous domain.
Since asynchronous circuits are more complex to design, most of the design methodologies
assume the use of some formal method. For some time this was an additional obstacle to
adopting the self-timing concept. The need for formal verification in circuit design has now
been widely recognised in the synchronous domain as well. This places asynchronous circuits
on a par with their clocked counterparts.
The asynchronous community has demonstrated that it is possible to design fully functional circuits beyond trivial examples. Several microprocessors have been designed to date. Examples of microprocessor designs can be found in works reported by the Caltech [43], Titech [55] and Manchester [25, 24, ·I] research groups. In Manchester, the AMULET group designed an instruction-level compatible asynchronous version of the ARM6 microprocessor whose performance characteristics are comparable to those of the synchronous one. In addition, Philips reported a design of an asynchronous error correction chip [6, 5] which demonstrated 80% savings in power consumption.
In order to cater for the growing need and complexity of asynchronous circuit design, new
methods need to be developed. The conventional approach to circuit verification and synthesis
proves to be unable to deal with relatively large examples. The purpose of this work is to
introduce a novel technique which will advance the applicability of formal methods. It also
serves as the basis for further research.
1.1 Motivation
The use of the asynchronous paradigm in circuit design has been argued to provide certain
advantages in circuit performance. The most commonly cited are discussed below.
Average case performance. The clock cycle of every synchronous circuit is determined
by the longest propagation delay of the circuit. The rate of the clock signal must
accommodate the settling times for the longest possible operation. Therefore, during a
faster operation some of the parts of the circuit will stay idle while the clock signal is due
to switch. To overcome this problem circuit designers need to come up with elaborate
scheduling and re-timing schemes.
In an asynchronous circuit, every part works at its own pace. As soon as the data has
been processed by one part, the next part is informed and may start working with the
data. Thus the overall cycle time, i.e. the average time between the completion of two
sequential operations, will be the average of the execution times of all operations.
Absence of clock skew. The existence of a propagation delay in the wires of a chip means that a signal change may arrive at the two ends of a forking wire at different times. This phenomenon is known as the clock skew problem. To guarantee that all operational blocks work synchronously the designer needs to make sure that the clock signal is received by each block at exactly the same time. However, with growing clock rates it becomes increasingly difficult to guarantee the absence of clock skew. In addition, clock wiring has been reported to take up to 60% of all wiring in the chip.

By choosing an asynchronous implementation the designer escapes the clock skew problem and the associated routing problem.
Low power consumption. During the operation of a synchronous circuit the clock signal is
propagated to every operational block of the circuit even if this block is not used in a
particular computation at all. Thus the power is spent on driving the clocked inputs of
the gates which do not perform any useful actions.
Each part of an asynchronous circuit operates only when signalled to commence the
operation, after the data has been prepared on the inputs of this part. Therefore, until
such a request is produced, this part of the circuit does not consume any power at all.
High modularity. Synchronous circuits are subject to precise synchronisation between the modules comprising them. Redesigning any module requires meeting heavy restrictions on the execution times to ensure correct synchronisation.

Any part of an asynchronous circuit can be redesigned at will. The new module must, of course, conform to the same interface protocol as the module that is being replaced. However, the speed at which the new module operates is irrelevant, allowing easy upgrading of asynchronous circuits.
Reduced EMI. Electro-magnetic emission generated by synchronous circuits causes interference with other equipment. Much of this interference is attributed to the clock signal, which produces a steady peak in the spectrum at the frequency at which the transistors are switched.

The transistor switching frequency in an asynchronous circuit depends on the data which is being processed by the circuit. Thus the spectrum is smoother and the peak values are lower.

Figure 1.1: Overall design process.
1.2 Design Cycle
The work presented in this thesis follows a well established circuit design path. The overall
design process is illustrated in Figure 1.1.
At the first stage of the design process a designer's idea is expressed as a high-level specification of the future circuit. This specification is then checked for correctness, i.e. that the specification behaves according to the designer's requirements.
At the next stage, the high-level description is transformed into a low-level specification of the circuit; this low-level specification now includes the signals which will implement the circuit. At this stage the specification is again checked for correctness. This time the requirements also include conditions related to the binary nature of the circuit implementation.
Once verified, the specification is submitted to the synthesis procedure, which produces a set of boolean functions, one for each output signal. The synthesis procedure deals with such things as optimisation of the boolean logic functions and technology mapping (implementing the circuit using a particular type of gates).
If the synthesis procedure uses some formal method and is automated, then there is no need to verify the implementation. However, many designers still use ad hoc techniques to produce an implementation from a high-level "blackboard" specification. In this case, the implementation needs to be verified. To do so, the model of the implementation is composed with the model of the environment obtained from the initial specification. The composed model is then verified for correctness. This process is somewhat similar to the debugging process in software development.
The third stage deals with the actual physical production of the circuit. This stage includes
placing and routing of the circuit elements on the actual silicon. A laid out circuit is sent to
the manufacturing process.
At the last stage, the manufactured circuits are tested for the absence of faults. The
testing procedure usually targets faults which could be introduced during the manufacturing
of the chip. In order to do so, test sequences are required which consist of the sequences of
input changes along with the outputs' checkpoints. These are generated using the low-level
specification and the implementation produced by the synthesis process.
The process outlined above has been widely accepted for the design of asynchronous circuits. It is common to employ some formal model, such as Petri nets or process algebras, in asynchronous circuit design. A variety of analysis methods can be used for reasoning about the behavioural properties of circuit models. A growing body of current research is aimed at the efficient automation of the design process; this work forms part of that research.
1.3 Position and Contributions of This Work
The main objective of this work is to demonstrate the application of the partial order approach in the design of asynchronous circuits. Unlike the state graph approach, this method represents the concurrency of an asynchronous system in its true form. Thus in many cases the exponential state explosion usually associated with the state graph approach is avoided.
This work tackles three major problems in the asynchronous circuit design:
• Specification verification, where the general Petri net (PN) unfolding technique is
adapted for the verification of PN and/or Signal Transition Graph (STG) models of
the "would-be-circuits".
• Implementation verification, where a PN or STG model is constructed for an already
designed circuit and then this model is verified along with the model of the circuit's
environment.
• Boolean logic synthesis, where the boolean logic implementation is obtained from the
STG-unfolding segment instead of constructing the state graph.
This work proposes an automated approach which takes a specification of an asynchronous circuit in the form of an STG, verifies the specification and, in the case of successful verification, produces an implementation in the form of boolean logic equations. If the specification fails to pass the verification stage, the offending behaviour is reported and the specification can be corrected. In addition, the techniques proposed in this work can be used for the verification of existing circuits. The main contributions of this work are as follows:
• The existing PN-unfolding method, suggested by McMillan, is examined and adapted for the verification of relations between transitions of the original PN. The problem of redundancy in the truncated PN-unfolding is approached. A new termination condition is suggested for a wide class of non-autoconcurrent PNs. This condition avoids construction of redundant copies of the transition instances in the unfolding, which results in gains in speed and in the size of the segment.
• New algorithms, based on the PN-unfolding segment method, are suggested for the verification of the behavioural properties of asynchronous circuits and systems. The verification of these properties allows the designer to find errors in the design long before the implementation stage is reached.
• A new concept of the Full State Graph (FSG) is introduced, which adequately captures the behaviour of an arbitrary STG. A partial order based approach for the FSG analysis, called the STG-unfolding segment, is suggested. This method is an extension of the PN-unfolding segment approach to STG analysis and takes into account the signal interpretation of transitions in an STG.
• A new method for the automated synthesis of asynchronous circuits from STGs is suggested. This method identifies fragments of the STG-unfolding segment from which the boolean logic implementation is obtained for each signal. In addition, the new synthesis method employs an approximation technique which uses the structural information available from the segment.
• A new algorithm which applies the unfolding technique to contextual nets is proposed.
This algorithm takes advantage of contextual dependency and demonstrates significant
savings in time and space compared to the analysis of PN models of existing circuits.
• An algorithm is suggested for obtaining a better variable ordering for the analysis and
synthesis methods which use Binary Decision Diagrams for the representation of state
space.
Results obtained in the course of this research also contributed to works on verification
of STGs [76, 77] and synthesis of speed-independent circuits from their STG specifications
[80, 81]. In addition, the methods and approaches developed here were used to explore the
analysis of timed models [78] and for the analysis of realistic examples of a microprocessor
[75] and a communication mechanism [79].
This work leaves out such areas of the asynchronous circuit design process as testing and
technology mapping. It does, however, lay the basis for future research in these areas and
demonstrates that the partial order methods achieve results which compare favourably to
those of existing powerful methods.
1.4 Organisation of Thesis
This thesis is organised as follows:
• Chapter 2 briefly outlines the research work done in the area of asynchronous circuit
design.
• Chapter 3 introduces Petri nets (PNs) and describes methods for their analysis. This chapter also introduces Signal Transition Graphs (STGs), which are used for the specification of asynchronous circuits.
• Chapter 4 suggests a new method for the analysis of PNs based on McMillan's truncated unfolding. It presents a comparison between the original version of the PN-unfolding algorithms and the suggested experimental technique and illustrates the performance of the approach on real life examples. The new method is also applied to the analysis of PN models of asynchronous circuits.
• Chapter 5 introduces the Full State Graph (FSG) and proposes the application of the
new unfolding technique to the analysis of STGs. The suggested STG-unfolding segment
analysis is applied to a set of existing benchmarks and its performance is discussed.
• Chapter 6 describes the application of the STG-unfolding segment to the synthesis of
asynchronous circuits. The experimental results demonstrate that the new synthesis
method extends the application of automated synthesis procedures.
• Chapter 7 illustrates how the application of the unfolding technique may assist in solving
other problems in asynchronous circuit design. The first problem is related to the
analysis of PNs with self-loops, which are often found in PN models of circuits, and deals
with Contextual nets; the second application of PN-unfolding deals with the variable
ordering for Binary Decision Diagrams.
• Chapter 8 concludes the thesis, summarising the results presented in this work and
outlining the areas for future research.
Chapter 2
Previous and Related Work
The purpose of this chapter is to give a brief account of the work done to date on asynchronous
circuit design.
An asynchronous circuit can be viewed as a set of gates interconnected with wires so that
no two outputs can be connected together. Asynchronous circuits assume that there is no
clock signal. However, the behaviour of the circuit components cannot be considered without
taking the timing domain into account. Every event that takes place in the circuit can be
characterised by the time it has taken and the place where this event occurred. In addition,
several signalling protocols exist which ensure that the signal levels are interpreted correctly.
The interpretation of the time domain and the signalling protocols lead to the two taxonomies
that define existing design methodologies:
• Delay taxonomy, which defines the model chosen to represent the duration of every event occurring in the circuit; and
• Protocol taxonomy, which defines the method that is used to pass data from one part of the circuit to another.
Combinations of different types of delays and protocols produced a variety of different design methodologies for asynchronous circuits. Each methodology established certain requirements on the environment in which a circuit operates. It was soon realised that asynchronous circuits were too complex to be designed by hand. This called for the use of formal methods in asynchronous design.
The goal of applying formal methods is, on one hand, to provide the designer with a somewhat unified way of describing the desired behaviour. On the other hand, formal methods allow reasoning about the global properties of the behaviour, e.g. establishing whether a system ever reaches a certain state. An attempt to find a rarely encountered state by means of conventional simulation may take a long time and cannot be done with 100% certainty.
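Two points made so far can be seen on a small net: the claim in Section 1.3 that the state graph grows exponentially with the concurrency of the system, and the point above that simulation cannot settle reachability with certainty. The following Python is an added illustration, not code from the thesis: it builds the reachability graph of a 1-safe Petri net by breadth-first search, answers reachability and deadlock questions exhaustively, and runs a random simulation beside it. Both nets (n independent two-transition cycles, and a two-process fork net) and all place and transition names are constructed for the example.

```python
"""Exhaustive reachability analysis of a 1-safe Petri net, beside random simulation.

A net is (transitions, initial): transitions maps a name to (preset, postset), both sets of
place names; a marking is a frozenset of marked places (1-safe nets, the class the STG models
of speed-independent circuits belong to).
"""
from collections import deque
import random


def independent_cycles(n):
    """Constructed scalable example: n components p_i -> t_i -> q_i -> u_i -> p_i that never
    interact. 2n places and 2n transitions, but every combination of local states is a distinct
    global marking, so the reachability graph has 2**n nodes."""
    transitions = {}
    for i in range(n):
        transitions[f"t{i}"] = ({f"p{i}"}, {f"q{i}"})
        transitions[f"u{i}"] = ({f"q{i}"}, {f"p{i}"})
    return transitions, frozenset(f"p{i}" for i in range(n))


def dining_pair():
    """Constructed example: two processes acquire two shared resources (forks f0, f1) in
    opposite order, the textbook deadlock. Process 0 takes f0 then f1; process 1 takes f1 then f0."""
    transitions = {
        "take_first0": ({"think0", "f0"}, {"hold0"}),
        "take_second0": ({"hold0", "f1"}, {"eat0"}),
        "release0": ({"eat0"}, {"think0", "f0", "f1"}),
        "take_first1": ({"think1", "f1"}, {"hold1"}),
        "take_second1": ({"hold1", "f0"}, {"eat1"}),
        "release1": ({"eat1"}, {"think1", "f0", "f1"}),
    }
    return transitions, frozenset({"think0", "think1", "f0", "f1"})


def enabled(transitions, marking):
    """Transitions whose whole preset is marked."""
    return [t for t, (pre, _) in transitions.items() if pre <= marking]


def fire(transitions, marking, t):
    """Firing rule: consume the preset, produce the postset."""
    pre, post = transitions[t]
    return (marking - pre) | post


def reachability_graph(transitions, initial):
    """Breadth-first construction of the reachability graph (RG). It enumerates every reachable
    marking of a bounded net, so 'is marking M ever reached?' gets a definite answer; the cost is
    a node count exponential in the degree of concurrency."""
    seen, edges, queue = {initial}, [], deque([initial])
    while queue:
        m = queue.popleft()
        for t in enabled(transitions, m):
            m2 = fire(transitions, m, t)
            edges.append((m, t, m2))
            if m2 not in seen:
                seen.add(m2)
                queue.append(m2)
    return seen, edges


def is_reachable(transitions, initial, target):
    return frozenset(target) in reachability_graph(transitions, initial)[0]


def deadlocks(transitions, initial):
    """Reachable markings in which no transition is enabled."""
    markings, _ = reachability_graph(transitions, initial)
    return sorted((m for m in markings if not enabled(transitions, m)), key=sorted)


def simulate_hits(transitions, initial, target, runs, steps, seed=0):
    """Random-walk simulation: how many of `runs` runs of at most `steps` firings reach `target`.
    Zero hits says nothing about reachability; that is the gap exhaustive analysis closes."""
    rng, target, hits = random.Random(seed), frozenset(target), 0
    for _ in range(runs):
        m = initial
        for _ in range(steps):
            en = enabled(transitions, m)
            if not en:
                break
            m = fire(transitions, m, rng.choice(en))
            if m == target:
                hits += 1
                break
    return hits


if __name__ == "__main__":
    n = 10
    net, m0 = independent_cycles(n)
    markings, edges = reachability_graph(net, m0)
    all_q = {f"q{i}" for i in range(n)}
    print(f"{2 * n} transitions, {len(markings)} markings, {len(edges)} arcs in the RG")
    print("all-q reachable (exhaustive):", is_reachable(net, m0, all_q))
    print("all-q seen in 200 random runs of n-1 steps:", simulate_hits(net, m0, all_q, 200, n - 1))
    print("deadlocks in the fork net:", deadlocks(*dining_pair()))
```

For n = 10 the net has 20 transitions but its reachability graph has 1024 markings and 10240 arcs; doubling n squares the graph while the net itself only doubles, which is the growth the partial order representation in this thesis is designed to avoid. The random walk with fewer than n firings never reports the all-q marking although the exhaustive search proves it reachable, and the fork net's deadlock appears as the single reachable marking {hold0, hold1} with no enabled transition.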
First this chapter examines the delay and the protocol taxonomies. The discussion about
taxonomies is followed by a brief account of the existing methodologies and the formal models
and methods used in asynchronous circuit design.
Figure 2.1: Illustration of pure (a) and inertial (b) delay models.
2.1 Asynchronous Circuits Taxonomies
2.1.1 Delay taxonomy
The delay taxonomy draws a distinction between different models of delays taking into account
their duration and behaviour.
Bounded and unbounded delays. One of the major properties of a delay is its duration. A delay is said to be bounded if its upper and lower bounds are known. Alternatively, a delay is called unbounded if its upper and lower bounds are unknown; however, it is known that the delay is finite and positive.
Pure and inertial delays. Another characteristic of a delay is the way it propagates signals. A delay is called pure if a change of any length in the input signal causes a change on the output after a certain amount of time. A delay is called inertial if changes in the input signal are not propagated when they are shorter than a certain length. The difference between these two delay models is illustrated in Figure 2.1. The pure delay element in Figure 2.1(a) simply delays the changes of the input signal, whereas the inertial delay element (Figure 2.1(b)) filters out short pulses but delays the long ones.
Delay site Any circuit can be viewed as a set of gates interconnected by wires. The site of the delay in a circuit is crucial to the design methodology. A delay is called a gate delay if it occurs inside a gate, reflecting the time taken to compute the output signal change. A delay is called a wire delay if it happens in the wire and reflects the propagation times of the signals along the wire.
2.1.2 Protocol signalling taxonomy
The protocol signalling taxonomy draws a distinction between the ways in which data is transferred from one part of the circuit to another.
Dual-rail and bundled data signalling The absence of the clock means that there is no way to fix a moment in time at which the signal level can be sampled. For example, registering a low level of some signal twice may mean two sequential 0s. Alternatively, it may be a 0 followed by a 1, but the second value was sampled too early, i.e. before the transition was completed.
Figure 2.2: Illustration of dual-rail (a) and bundled data (b) signalling. (Waveforms of D0, D1, Req and Ack not reproduced.)
Figure 2.3: Illustration of four-phase (a) and two-phase (b) protocols. (Waveforms of Req, Ack and Data, with the "data latched", "return to zero" and transaction annotations, not reproduced.)
To ensure correct data transmission between two parts of the system (a sender and a receiver) a dual-rail data signalling protocol was introduced, illustrated in Figure 2.2(a). Each bit uses two wires, e.g. D0 and D1, with the appropriate encoding using combinations of high and low levels of both wires. One combination, e.g. 01 (D1D0), represents a "0" and a complementary one, 10, represents a "1". One of the combinations 00 or 11 is used as a spacer, a special symbol which separates sequential bits. The fourth combination is considered to be illegal and must never appear. A single wire is used in the reverse direction to indicate that the receiver has registered the changes on all data wires and is ready to accept the next piece of data.
A bundled data signalling protocol assumes that each data bit is represented by one
wire, but there exists a pair of request and acknowledgement wires between the sender and
the receiver. This protocol is illustrated in Figure 2.2(b). As soon as the sender sets the levels
on the data wires, it sends a request signal. Upon receiving the request signal, the receiver
processes the data on its inputs and returns an acknowledgement after which the system enters
the next cycle. An important assumption in this protocol is that the propagation delay in the
request wire must be greater than the longest delay in any of the data wires.
Four-phase and two-phase signalling This distinction comes from the fact that the signals have two levels. A four-phase signalling protocol assumes that only one edge (change of the signal from high to low or vice versa) indicates an occurrence of some event. Therefore, there exists a sequence of changes in the signal levels, called the "return-to-zero" phase, when the signals are reset to their original levels. Since only one level of the signal represents an event, this protocol is also called a level signalling protocol. This protocol is illustrated in Figure 2.3(a).
In the two-phase signalling protocol, every change in the signal level indicates an event. This protocol is illustrated in Figure 2.3(b). In this protocol there is no phase resetting the signals to their original levels.
Figure 2.4: Fundamental mode synchronous (a) and asynchronous (b) circuits.
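The dual-rail protocol of Figure 2.2(a) with a return-to-zero spacer, carried into a small sender/receiver model as an added example (this is not code from the thesis). It assumes 00 as the spacer, so 11 is the illegal word (the text allows either choice), and shows why two low samples are ambiguous on a single wire but not on a dual-rail pair.

```python
"""Dual-rail sender/receiver model: added example, not code from the thesis."""
from typing import List, Optional, Tuple

# Codeword convention of the text, written as (D1, D0): 01 is "0", 10 is "1".
# The text allows 00 or 11 as the spacer; 00 is assumed here, so 11 is the illegal word.
ZERO: Tuple[int, int] = (0, 1)
ONE: Tuple[int, int] = (1, 0)
SPACER: Tuple[int, int] = (0, 0)
ILLEGAL: Tuple[int, int] = (1, 1)


class DualRailReceiver:
    """Receiver of Figure 2.2(a): registers a bit on the first valid codeword after a
    spacer, raises Ack, and drops Ack once the sender has returned to the spacer."""

    def __init__(self) -> None:
        self.bits: List[int] = []
        self.ack = 0                     # single acknowledgement wire, initially low
        self.ack_trace: List[int] = []
        self._held: Optional[Tuple[int, int]] = None   # codeword currently acknowledged

    def sample(self, d1: int, d0: int) -> Optional[int]:
        """Observe the levels on (D1, D0); return the bit registered now, if any."""
        pair = (d1, d0)
        registered: Optional[int] = None
        if pair == ILLEGAL:
            raise ValueError("illegal codeword 11 on (D1, D0)")
        if pair == SPACER:
            self.ack, self._held = 0, None           # spacer seen: ready for the next bit
        elif self.ack == 0:
            registered = 1 if pair == ONE else 0     # new bit: register and acknowledge
            self.bits.append(registered)
            self.ack, self._held = 1, pair
        elif pair != self._held:
            # the codeword changed without an intervening spacer: protocol violation
            raise ValueError("codeword changed before the spacer was sent")
        # else: the sender still holds the acknowledged codeword; re-sampling adds nothing
        self.ack_trace.append(self.ack)
        return registered


def encode(bits: List[int]) -> List[Tuple[int, int]]:
    """Sender side: each bit as its codeword followed by the spacer (return-to-zero)."""
    out: List[Tuple[int, int]] = []
    for b in bits:
        out.append(ONE if b else ZERO)
        out.append(SPACER)
    return out


def decode(samples: List[Tuple[int, int]]) -> List[int]:
    """Run the receiver over a sample sequence and return the registered bits."""
    rx = DualRailReceiver()
    for d1, d0 in samples:
        rx.sample(d1, d0)
    return rx.bits


def ack_trace(samples: List[Tuple[int, int]]) -> List[int]:
    """Level of the Ack wire after each sample."""
    rx = DualRailReceiver()
    for d1, d0 in samples:
        rx.sample(d1, d0)
    return rx.ack_trace


if __name__ == "__main__":
    # Constructed inputs: the single-rail ambiguity of the text. On one wire, two low
    # samples could be "0, 0" or a held "0"; on a dual-rail pair the spacer decides.
    print(decode([ZERO, SPACER, ZERO]))   # two zeros
    print(decode([ZERO, ZERO, ZERO]))     # one zero, held and re-sampled
    print(decode(encode([1, 0, 1, 1])))
```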
2.2 Design Methodologies
2.2.1 Huffman Fundamental Mode Circuits
The operation of an asynchronous circuit in the Huffman fundamental mode [31] is similar
to the operation of a circuit in the synchronous mode (see Figure 2.4(a)). The Huffman
fundamental mode assumes that the circuit consists of a combinational logic block and a set
of feedback wires. However, these circuits assume that a bounded delay element is inserted
instead of the latches breaking the feedback wires (Figure 2.4(b)). The changes in the outputs
appear at the inputs of the circuit separated in time, thus giving the necessary delay for settling
of the signals inside the combinational logic block. Huffman fundamental mode circuits also
require that only one input changes at a time.
The circuit is specified using a Finite State Machine (FSM) flow table [89] which is then
binary encoded and implemented. The flow table specification is usually minimised to reduce
the complexity of the encoding algorithms and to reduce the number of the variables needed
to encode the states of the FSM.
The implementation in the Huffman mode must be free from critical races [90]. A race is a simultaneous change of more than one signal during a transition from one state of the system to another. A race is called critical if the behaviour of the circuit depends on the order in which the racing signals change.
Figure 2.5: Illustration of Delay-Insensitive (a) and Speed-Independent (b) circuits.
The operation in the Huffman fundamental mode imposes very strict requirements on the implementation. A number of approaches were suggested to relax these restrictions. They are based on the observation that not all multiple changes in the input signals lead to critical races; hence two other modes can be considered: the multiple input change (MIC) mode, where several inputs can change at the same time, and the unrestricted input change (UIC) mode, where no restrictions are imposed on the input changes whatsoever. However, designing MIC and UIC circuits proved to be complex. A solution was suggested in the form of the burst mode circuits [57] which assume that:
• the inputs can change in bursts (sets of simultaneously changing signals);
• no burst can be a subset of another burst.
Furthermore, the burst mode can be extended into the extended burst mode [104] which allows
don't-cares on the inputs and condition signals. The former allows an input to choose non-
deterministically whether or not its value changes in a particular burst. The latter introduces
special signals whose levels determine possible advancements in the behaviour of the FSM.
There exists a variety of other methodologies implementing fundamental mode circuits such
as locally clocked [59, 60] and 3-D state machines [106, 105].
2.2.2 Delay-Insensitive Circuits
Delay-Insensitive (DI) circuits assume that both gate and wire delays are unbounded. The general idea is shown in Figure 2.5(a). As a result of this assumption these circuits are the most robust implementation with respect to delay changes. Indeed, a DI circuit is insensitive to variations of the delay values due to the working conditions of the implementation. If a signal gets stuck permanently at a particular level, a so-called stuck-at fault, then the circuit will stop functioning rather than producing a spurious result, i.e. it will fail safely.
Very few circuits can be designed so that they are completely DI. Therefore, a DI implementation is usually obtained from modules whose behaviour is considered to be DI on their interfaces.
An implementation is usually obtained from a specification in a high-level programming
language such as Communicating Sequential Processes (CSP) [30] and CSP-like HDL [45],
Tangram [4], trace theory expressions [20] or DI algebras [33]. The known examples of DI
circuits include asynchronous microprocessors [43, 9] and Philips error correction chip [6, 5].
2.2.3 Speed-Independent Circuits
The research into Speed-Independent (SI) circuits was pioneered by Muller [53]. SI circuits assume that the gate delay is unbounded whilst the wire delay is negligible with respect to the gate delay. An illustration of the delay site in an SI circuit is given in Figure 2.5(b). Muller introduced a formal model, called State Transition Diagram (STD), for representing the behaviour of asynchronous circuits. Each state of an STD is a binary vector representing the signal values. States are connected by arcs labelled with signal transitions (only one label per arc is allowed). A signal is said to be stable in a particular state if it is equal to the value computed by the corresponding logic function under the values given by the vector; otherwise it is called excited. Muller showed that the circuit's behaviour can be equivalently described using STDs.
Speed-independence is closely related to the notion of semi-modularity. A circuit is said to be semi-modular if every excited signal becomes stable only due to the change of its own value, i.e. the signal's excitation cannot be removed by another signal. Muller showed that any semi-modular circuit is speed-independent. The synthesis procedure for SI circuits takes an STD as the specification of the future circuit and produces an implementation in the form of boolean logic equations for the circuit's gates. Varshavsky et al. [93] showed that any semi-modular STD can be implemented as an SI circuit using a restricted set of gates: n-input AND-OR-NOT gates (that are able to implement an arbitrary sum-of-products function) or 2-input NAND and 2-input NOR gates with the fanout limited to two gates. Recent works [3, 2] established the conditions for an SI implementation using n-input NAND gates and a Muller C-element.
Specifying an SI circuit in terms of an STD can sometimes be a problem due to the high degree of concurrency. A number of formal models were suggested for the specification of SI circuits, e.g. Trace theory [19], Change Diagrams [35] and Signal (Transition) Graphs [73, 13]. These models allow the behaviour to be specified in a compact form, from which the SI implementation is then automatically verified and/or synthesised. A more detailed discussion of the existing methods is given in the next section.
Quasi Delay-Insensitive (QDI) circuits were suggested in [44] and assume the unbounded gate and wire delay models; however, they are enriched with isochronic forks. An isochronic fork is a forking wire where the difference between the delays of the branches is negligible. The isochronic fork definition does not require the delays between all destinations to be negligible. Thus it is possible to specify an isochronic fork in which the difference between the delays is negligible only for a subset of destinations. QDI circuits with this form of the isochronic fork are not equivalent to SI circuits. However, if all destinations are isochronic, which is usually the case, QDI circuits are equivalent to SI circuits if the wire delay is considered as a part of the gate delay generating the signal.
2.2.4 Micropipelines
Micropipelines were suggested by I. Sutherland in [88]. The general idea is illustrated in Figure 2.6. The backbone of a micropipeline consists of Muller C-elements and Capture-Pass latches. The sender generates a request when the data is ready to be sent down the pipeline. The first stage is ready to accept new data if the previous piece of data has already been latched by the next stage. If ready, the first stage latches the new data and sends a signal acknowledging this latching to the sender. At the same time the first stage sends a request to the next stage to pass on the portion of data held in the latch. Each stage of the micropipeline operates in a similar way, regarding the preceding stage as a sender. At the other end of the micropipeline the receiver accepts the arriving data and acknowledges every portion. In addition, each stage may contain a combinational logic block which performs the necessary computations on the data. The control circuitry of the micropipelines is delay insensitive. Introducing the data path requires careful compensation for the propagation time of the signals through the data wires and, where necessary, through the combinational logic.
Figure 2.6: Sutherland micropipelines. (Block diagram with the Req/Ack chain and C-elements not reproduced.)
Micropipelines use the bundled data protocol with either two- or four-phase signalling. They have proved to be a powerful design methodology; well-known examples of micropipelined systems include a FIFO controller [71] and the AMULET microprocessor [24, 23].
2.3 Formal Models
The goal of this section is to give a brief overview of the formal methods employed in asyn-
chronous circuit design methodologies. The motivation behind using formal models in circuit
design is to ensure that the implementation is correct. In particular, the implementation
must produce the required output signals in response to the input stimuli. Furthermore, an
asynchronous circuit must operate without hazards. A hazard is an unspecified change of the
signal, e.g. a spike. In synchronous design, a spike may occur during the settling period.
This spike does not affect the correctness of the implementation but rather its power con-
sumption. In an asynchronous circuit, there is no way to distinguish a spurious spike from a
sequence of signal changes. Thus this spike may be registered by a gate and cause the circuit
to malfunction. Interested readers are referred to [87, 41] for a thorough review of hazards.
State graph based models In the state graph based methods the specification is given
in terms of a finite automaton describing all possible states of the system. If the system has
many events that can happen concurrently, then the total number of states in the system may
be prohibitively large.
The problem with the size of the specification comes from the fact that any set of concurrent events produces an exponential number of intermediate states, although the state reached at the end is always the same. The use of burst mode FSM specifications allows a reduction in the size of the specification. In effect, a burst of input and/or output signals captures all interleavings which would be possible had these signals been allowed to change freely. The penalty paid for such a reduction is the requirement for the difference between the moments of signal changes in one burst to be negligible.
The state based models offer a direct route for obtaining circuit implementations. The states are encoded using binary codes and the truth tables are obtained in a straightforward manner.
Trace based models Trace theory was suggested for the automated verification of SI circuits by Dill [19]. The behaviour of each element of the circuit is described using the trace theory primitives. In addition, the desired behaviour is also specified in terms of trace theory. An element is said to conform to its specification if its observable behaviour is equivalent to that of its specification. This suggests hierarchical verification, where an element is substituted with its specification, which is often much simpler. This method, however, is more applicable to the verification of already designed circuits, i.e. the designer must take a trial and error approach if he wishes to implement a particular specification.
Ebergen [20] suggested an approach for the synthesis of DI circuits which is also based on trace theory. This approach uses a top-down design methodology. A future circuit is specified using the trace theory description of its input/output behaviour. The specification is verified for delay insensitivity. Alternatively, the specification can be constructed using a restricted grammar which can only produce a DI circuit. Once a circuit is specified it is generated automatically using syntax-directed translation and a predefined table of the implementation primitives.
Josephs [34] takes a similar approach, suggesting an algebraic solution to the synthesis of asynchronous circuits. Using a special DI algebra the specification is transformed to the level of the implementation primitives.
The trace based model provides a powerful approach to the automated synthesis of asynchronous circuits. The circuits are hazard free by construction. However, this model does not have provision for the verification of such important properties as deadlock, i.e. a state from which no further advancement of the system can be made. In addition, implementations produced by a syntax-driven synthesis process are often far from optimal.
High-level description languages High-level description languages specify the system in a similar way to conventional programming languages. Among the most well-known are Martin's [44] and Brunvand's [10, 8] compilation systems and van Berkel's Tangram language [7, 4]. Most of these methods are based on the theory of Communicating Sequential Processes [30], using a channel as the primary communication mechanism between subsystems.
Martin's compilation system used a CSP-like hardware description language whereas van Berkel suggested a completely new language. The approach is, however, similar. The system is specified as a composition of communicating processes. Once the system is specified, each process is decomposed into simpler processes. At the low level, the communication and synchronisation commands are expanded into a four-phase handshake protocol. The final circuit is obtained after the re-shuffling of transitions and the insertion of state signals to eliminate the ambiguities.
Brunvand's approach is based on a subset of Occam. Similar to the techniques described above, the system is specified as a program. Each statement has a corresponding hardware primitive. The program is directly translated into a set of interconnected primitives. The resulting circuit is often very poor with respect to area and performance. Similar to programming language compilers, this approach uses an optimisation to improve the performance and area results. The optimisation, called peephole optimisation, is based on detecting those parts of the circuit which can be safely substituted by an already optimised fragment with an equivalent behaviour.
Event based models The use of event-based models in asynchronous circuit design was prompted by the difficulties with the state space size for complex behaviours. Instead of the complete enumeration of all states of the system, an event-based formal model specifies events and relations between them. A suitable formal model for this was found in the form of Petri nets (PNs)¹ [65, 67]. PNs provide a simple graphical description of the system with an easy representation of concurrent events or a choice between alternative events. In addition, the set of reachable states can be obtained from a PN using a straightforward algorithm.
PNs do not make any assumptions about the time at which an event occurs. This makes them attractive for asynchronous circuit design. Patil [63] suggested a syntax directed method for the translation of PN specifications of asynchronous systems into implementations.
A number of works [51, 86, 54] use I-nets for the specification of asynchronous circuits. An I-net represents the interface behaviour of a circuit using events associated with its inputs and outputs. The initial state of the system is captured by the initial marking. After the specification is completed, an Interface State Graph (ISG) is built for this I-net which represents all reachable states of the system. After that an Encoded Interface State Graph (EISG) is constructed which takes into account the binary interpretation of the signals on the circuit's interface. The EISG is then used for the generation of truth tables and building an implementation either in the Huffman or burst mode.
Signal Transition Graphs (STGs) were suggested independently in [73] and [13] for the specification, verification and synthesis of self-timed circuits. An STG is a PN where each transition is labelled with a directed signal transition (up or down). An STG specification serves as a low-level description of the future circuit's behaviour. The synthesis process attempts to restore an STD from an STG by building the reachability graph representing the set of reachable states of the underlying PN, similar to I-nets. Each state of the obtained reachability graph is assigned a binary code. Once the binary code assignment is completed the implementation is generated by deriving the truth tables.
A model closely related to the STG model, called Change Diagrams (CDs), was suggested in [35]. CDs have two distinctive features. Firstly, they have provision for non-repeatable events using disengageable arcs. Secondly, they allow OR-causality, i.e. they are able to model an event whose happening is induced by any of its causes. A set of algorithms for the verification and automated synthesis of SI circuits was suggested in [35]. A notable feature of these algorithms is that they use the unfolding process to reason about the properties of the specification. Unfortunately, CDs cannot model specifications with non-deterministic choice.
The methods discussed above are geared for the automated verification and generation of implementations from a PN-based specification. A number of works [47, 101] also examined the verification of already designed circuits. These approaches usually build fragments of PNs for each gate which are then composed together according to the gate net list. The resulting PN is composed with the PN model of the environment and is verified for errors in design and/or hazards.
¹ See next chapter for definitions from the Petri net theory.
2.4 Design of Speed-Independent Circuits
SI circuits have a special place in the asynchronous circuit design. Operational conditions
for SI circuits require less strict assumptions than those for fundamental mode circuits. The
design process of a fundamental mode circuit is similar to the design process of a synchronous
circuit. This, on one hand, makes it easier for a synchronous circuit designer to understand
the new design methodology. On the other hand, an accurate delay estimation is required for
the correct operation of the circuit. The delay estimation must take into account all possible
conditions affecting the circuit. SI circuits are built to operate independently of the gate
delay. Thus, if a circuit is SI, then this circuit will operate correctly under any environmental
conditions that may affect the gate delay. This also makes SI circuits very robust to the
manufacturing technology parameters. Therefore, an SI design can be ported to different
technologies without major modifications.
SI circuits have a gate-level degree of granularity as opposed to the module level of DI
circuits. Only a few elements can be designed to be DI at the gate level. The module-level
granularity is very coarse and usually has a negative impact on the performance of a circuit.
Furthermore, SI circuits can be built using standard gate libraries, and, therefore, existing
layout tools can be used for their low-level design.
It has also been shown that SI circuits are self-checking with respect to stuck-at faults on gate outputs. That is, if a fault occurs, the circuit stops rather than producing incorrect or unspecified outputs. Using this property, it is easy to design an autonomous fault-correction mechanism. Thus, if a circuit fails, the fault-correction mechanism will locate the fault and correct it by, for example, replacing the faulty module with a reserved one.
The SI circuit design supports easy decomposition. A complex design can be decomposed into smaller subsystems with a well defined set of interface signals. In many cases, the environment model for a subsystem, which includes only the interface signals, is much smaller than the model for the rest of the system. Thus each subsystem can be designed separately using tools which cannot cope with the whole system. Furthermore, any subsystem can be later re-designed at will without the need for re-design of the rest of the system.
From the very beginning the design of SI circuits was associated with formal methods.
Formal verification methods, unlike traditional simulation, can provably show that the circuit's
behaviour is correct, or produce a sequence of events leading to the erroneous behaviour.
Behaviours described by PNs have a striking resemblance to asynchronous systems. The
fundamental notions of the states and transitions between the states are inherent in PNs.
This has prompted their application in SI circuit design. The graphical representation of the
behaviour in the form of a PN (or STG) is easier to understand by circuit designers than an
algebraic or trace model. The body of existing PN research is enormous; many results from
PN theory have been applied to SI circuit design.
2.5 Conclusions
This chapter briefly outlined the main existing methodologies in the asynchronous circuit
design. Examples of the reported designs include almost every conceivable combination of
delay models, signalling protocols, formal models and their analysis methods. A number of
works, e.g. [29, 41], provide a more extensive introduction and comparison of most common
approaches. This chapter also described in more detail the pros and cons of SI circuit design
which is the main subject of this work.
Chapter 3
Petri Nets and Related Formalisms
This chapter introduces Petri nets (PNs) and their related models, such as Labelled Petri
nets (LPNs) and Signal Transition Graphs (STGs). Properties of the behaviour described by
each formalism are defined and discussed. These properties are related to the properties of
the correct behaviour of asynchronous circuits and systems. The existing methods for the
behavioural analysis for each model are also outlined.
3.1 Petri Nets
This section defines a Petri net and introduces the notation used throughout the thesis. Interested readers may wish to refer to Peterson [65] and Reisig [67] for more extensive introductions to Petri net theory.
Definition 3.1.1 A Petri net (PN) is a tuple N = (P, T, F) where
- P is a set of places, and
- T is a set of transitions such that P ∩ T = ∅; and
- F is a flow relation between places and transitions, F ⊆ (P × T) ∪ (T × P).
Both P and T are assumed to be finite unless stated otherwise. □
Graphically, a PN is usually represented in the form of a graph with two types of vertices: circles, which correspond to places, and bars (or boxes), which correspond to transitions. The flow relation F is represented by directed edges (arcs) of the graph. A bi-directional arc is sometimes used as a shorthand for a pair of arcs going in opposite directions between a particular pair of a place and a transition.
Each element x ∈ P ∪ T of a PN N has a set of input elements (which are connected with x by the arcs going to x) and a set of output elements (which are connected with x by the arcs originating from x). These sets are called the pre-set and post-set of x respectively and are defined as follows:
Definition 3.1.2 The sets •x and x• are called the pre-set and post-set of x ∈ P ∪ T respectively iff:
- •x = {y ∈ P ∪ T | (y, x) ∈ F}
- x• = {y ∈ P ∪ T | (x, y) ∈ F}
The notation x1 • x2 means that x1• ∩ •x2 ≠ ∅. □
Figure 3.1: Examples of different classes of PNs: (a) SMPN, (b) MGPN, (c) FCPN and (d) EFCPN.
In what follows, it is assumed that •t ≠ ∅ ≠ t• for every transition t ∈ T.
Structural properties of PNs define structural classes of PNs; these classes are identified
below.
Definition 3.1.3 A state machine PN (SMPN) is a PN N such that ∀ti ∈ T: |•ti| = 1 and |ti•| = 1. □
In other words, every transition in an SMPN has one input and one output place. An example of an SMPN is shown in Figure 3.1(a).
Definition 3.1.4 A marked graph PN (MGPN) is a PN N such that ∀pi ∈ P: |•pi| = 1 and |pi•| = 1. □
Each place in an MGPN may have at most one input and one output transition. An example of an MGPN is shown in Figure 3.1(b).
A place pi such that |pi•| ≥ 2 is called a conflict place and the transitions that are in pi• are said to be in structural conflict. This is defined below:
Definition 3.1.5 Two transitions ti ∈ T and tj ∈ T of a PN N are said to be in structural conflict iff •ti ∩ •tj ≠ ∅. □
The structural conflict between two different transitions ti and tj is denoted as ti # tj. No two transitions of an MGPN can be in structural conflict.
Definition 3.1.6 A free choice PN (FCPN) is a PN N such that for any pi ∈ P with |pi•| ≥ 2 the following is true: ∀ti ∈ pi•: |•ti| = 1. □
Definition 3.1.7 An extended free choice PN (EFCPN) is a PN N such that for any pi ∈ P the following is true: ∀ti, tj ∈ pi•: •ti = •tj. □
Any two conflicting transitions in an FCPN have only one input place. EFCPNs are an extension of FCPNs allowing the conflicting transitions to have more than one input place but, at the same time, requiring that this set of input places is identical for these transitions. Examples of an FCPN and an EFCPN are shown in Figures 3.1(c) and 3.1(d) respectively.
In order to convey the dynamic properties of the system a notion of PN marking is used.
A subset of places P may be marked which is denoted on the graph by placing tokens (thick
black dots) into the places. Formally, a marking is defined below.
Definition 3.1.8 A marking of a PN N is a multiset M defined on P, i.e. it is a function M: P → {0, 1, 2, ...}. □
Definition 3.1.9 A transition ti is said to be enabled at a marking M iff •ti ⊆ M. □
A transition which does not have all of its input places marked at a marking M is said to be
disabled at this marking. An enabled transition may fire, changing the current marking of
the PN. The new marking is calculated as follows:
This rule is called the PN firing rule. The firing of a transition ti is denoted as:
M -ti-> M'.
Thus a transition of a PN can be associated with some event and its input and output places
with pre- and post-conditions. When all its pre-conditions are fulfilled, the event occurs
(transition fires) changing the state of the system by setting its post-conditions to TRUE. A
dynamic system is usually described by its structure and some initial state from which the
system progresses. In terms of PNs this is defined as a marked PN.
Definition 3.1.10 A marked PN is a tuple N = (P, T, F, M0) where M0 is an initial marking of the PN N. □
From now on any PN in this thesis will be treated as a marked PN unless stated otherwise.
Transitions of a PN start firing from its initial marking M0 and their firing may continue while there exists at least one enabled transition. A sequence of transitions σ = M1 -t1-> M2 -t2-> M3 ... is called a firing sequence from M1. Obviously a transition ti may be included several times in one firing sequence. Each firing of this transition is called an instance¹. Given a marking M1 and a sequence σ it is easy to restore all visited markings by firing the transitions in the order of their instances in σ.
Figure 3.2: Example of an RG of a PN. (The graph, with markings p1, p2p3, p2p6, p3p5, p5p6, p4 and p7 and arcs labelled t1 to t7, is not reproduced.)
Definition 3.1.11 A marking Mm is said to be reachable in a PN N from M1 iff there exists at least one firing sequence σ = M1 -t1-> M2 -t2-> ... -t(m-1)-> Mm.
This is also denoted as: M1 -σ-> Mm. □
The set of all markings which are reachable from M0 is called the reachability set of a PN N. It is defined formally as follows:
Definition 3.1.12 The set R = {Mi | ∃σ: M0 -σ-> Mi} of markings of a PN N is called the reachability set of N. □
Often, the reachability set of a PN is represented as a directed graph where vertices are
labelled with reachable markings and the edges are labelled with transitions which change one
marking to another. This graph is often referred to in the literature (e.g. [65]) as the reachability graph (RG). An example of the RG for the PN from Figure 3.1(c) is shown in Figure 3.2. In order to avoid cluttering the figures from here on, obvious labels of arcs which represent the same transition from different markings will be omitted, e.g. the arcs between $(p_2,p_3)$ and $(p_3,p_5)$ and between $(p_2,p_6)$ and $(p_5,p_6)$ both correspond to the firing of transition $t_4$. Such arcs are drawn parallel to each other. The initial marking is indicated by a broken arrow.
The dynamic behaviour of a PN allows some transitions i) to fire in parallel or ii) to
prevent each other from firing. This is captured in the notions of i) concurrency and ii)
(dynamic) conflict.
Definition 3.1.13 Two transitions $t_i$ and $t_j$ of a PN $N$ are said to be concurrent iff there exists a reachable marking $M$ at which both transitions are enabled and $M$ contains the multiset ${}^\bullet t_i + {}^\bullet t_j$, i.e. ${}^\bullet t_i + {}^\bullet t_j \subseteq M$. □
The fact that a particular marking $M$ contains the sum of the input places of both enabled transitions $t_i$ and $t_j$ means that the transitions may fire simultaneously (as illustrated in Figure 3.3(a)), consuming tokens from their input places and producing tokens into their output places. Note that $t_i$ and $t_j$ may be in a structural conflict but they could still fire independently. If the number of tokens in the conflicting place(s) at $M$ is sufficient for firing both $t_i$ and $t_j$ simultaneously, then these two transitions are concurrent (see Figure 3.3(b)). Two concurrent transitions are denoted as $t_i \parallel t_j$.
¹ This notion will also be used later to refer to transitions and places in an unfolding of a PN.
Figure 3.3: Illustration of relations between transitions: (a) concurrent, (b) structural conflict with concurrent transitions and (c) dynamic conflict.
The notion of concurrency can be further extended to represent the relation between places, and between places and transitions. Two places $p_1$ and $p_2$ of a PN are said to be concurrent if there exists a reachable marking $M$ such that $\{p_1, p_2\} \subseteq M$, i.e. $p_1$ and $p_2$ can be simultaneously marked at some reachable marking $M$. Lastly, a place $p$ is said to be concurrent to a transition $t$ if there exists a reachable marking $M$ such that $\{p\} + {}^\bullet t \subseteq M$, i.e. the token in place $p$ remains untouched while transition $t$ fires at $M$.
A special case is when ${}^\bullet t + {}^\bullet t \subseteq M$; then transition $t$ may fire simultaneously more than once. Such a transition is called autoconcurrent. For example, both $t_i$ and $t_j$ in Figure 3.3(b) are autoconcurrent.
Definition 3.1.14 A PN $N$ is said to be non-autoconcurrent if no transition is autoconcurrent at any reachable marking of $N$. □
Non-autoconcurrency of events is one of the main requirements in asynchronous circuit spec-
ifications. Therefore, unless it is necessary to distinguish explicitly, all PNs in this work will
be considered to be non-autoconcurrent.
Definition 3.1.15 Transition $t_i$ of a PN $N$ is said to be in dynamic conflict with another transition $t_j$ at a marking $M$ iff both transitions are enabled at $M$ and the firing of $t_i$ disables $t_j$. □
The notion of dynamic conflict is asymmetric, i.e. transition $t_i$ may be disabling $t_j$ whereas the firing of $t_j$ does not disable $t_i$. A transition $t_i$ in conflict with $t_j$ is denoted as $t_i \# t_j$, read in that order: the transition named first is the one whose firing disables the other. If the dynamic conflict is symmetric then, abusing the notation, the same $t_i \# t_j$ is used. A symmetric conflict is illustrated in Figure 3.3(c): transitions $t_i$ and $t_j$ are in conflict at the marking $(p_1,p_4)$. Furthermore, $t_i$ and $t_j$ may be in dynamic conflict at $M$ but the firing of a third transition $t_k$ may change the marking to $M'$ at which $t_i$ and $t_j$ will be concurrent, e.g. transitions $t_i$ and $t_j$ at the marking $(p_1,p_1)$ in Figure 3.3(c).
Recall the classification of PNs according to their structural properties. It follows from the definition of an MGPN that no two transitions in an MGPN can be in dynamic or structural conflict. The notion of dynamic conflict is stronger than the notion of structural conflict: if two transitions are in dynamic conflict, then they are always in structural conflict, but not vice versa (see Figure 3.3(b)). The notion of dynamic conflict is used to identify another class of PNs.
Figure 3.4: Illustration of a UCPN.
Figure 3.5: Example of an LPN.
Definition 3.1.16 A unique choice PN (UCPN) is a PN $N$ such that for any two transitions $t_i$ and $t_j$ in dynamic conflict the following is true: ${}^\bullet t_i = {}^\bullet t_j$. □
An example of a UCPN is shown in Figure 3.4 with its reachability graph on the right. As can be seen, transitions $t_1$ and $t_2$ are never enabled together although they are in structural conflict.
Each transition in a PN is unique. However, it is often impossible to describe a system
with only one transition corresponding to each action of the system. Therefore, the notion of
a Labelled PN is introduced below.
Definition 3.1.17 A Labelled PN (LPN) is a tuple $N_L = (N, A, L)$ where
- $N$ is a marked PN,
- $A$ is a set of actions, and
- $L : T \to A$ is a labelling function which associates each transition of the PN $N$ with some action from $A$.
□
Henceforth, $N$ will be used instead of $N_L$ to represent an LPN unless it causes confusion. It is sometimes convenient to allow $A$ to include a special action, called the silent action, which does not cause any visible effect. An example of an LPN is given in Figure 3.5.
It is also possible to define the notions of concurrency and conflict between actions of an
LPN.
Definition 3.1.18 Two actions $a_i$ and $a_j$ of an LPN $N$ are said to be concurrent if there exists a reachable marking $M$ at which two concurrent transitions $t_l : L(t_l) = a_i$ and $t_m : L(t_m) = a_j$ are enabled. □
Definition 3.1.19 An action $a_i$ of an LPN $N$ is said to be in dynamic conflict with another action $a_j$ at a reachable marking $M$ iff there exist two transitions $t_l : L(t_l) = a_i$ and $t_m : L(t_m) = a_j$ enabled at $M$ and no transition $t_k : L(t_k) = a_j$ is enabled at the marking reached by firing $t_l$. □
A dynamic conflict between actions always requires two transitions to be in dynamic conflict, but the converse does not hold. An example is shown in Figure 3.5. Although transitions $t_1$ and $t_2$ are in dynamic conflict, the action $a_1$ does not disable the action $a_2$, because another transition labelled $a_2$ remains enabled after $t_1$ fires. Such behaviour is sometimes described by the term fake conflict. However, the firing of $a_2$ leads to a marking $(p_3,p_4)$ at which no transition labelled with $a_1$ is enabled, so $a_2$ is in dynamic conflict with $a_1$.
Definition 3.1.20 A deadlock is a marking at which no transition is enabled. □
Obviously a deadlock represents a state of the system from which no further progress can be
made. Presence of deadlocks is regarded as an error in a system which operates in cycles. A
deadlock can be found while traversing the RG as a node with no outgoing arcs.
Another notion, closely related to the correct functioning of the system is boundedness.
Definition 3.1.21 A PN is said to be $k$-bounded iff the number of tokens in any place at any reachable marking does not exceed $k$. □
When modelling asynchronous systems with PNs, tokens often represent resources or signals stored in some part of the system. Obviously, the number of available resources or latches to store signals is bounded and, therefore, this property is a fundamental one. The RG of an unbounded PN is infinite². Therefore, the boundedness of a PN is checked while the RG is constructed. If for a newly generated marking $M_j$ with $M_i \xrightarrow{\sigma} M_j$ the following is true: $M_i \subset M_j$ (i.e. $M_j$ marks every place at least as much as $M_i$ and at least one place strictly more), then the sequence $\sigma$ can be fired from the places marked at $M_i$ repeatedly, increasing the number of tokens in at least one place of $M_i$ each time. Hence such a PN is unbounded.
A 1-bounded net is called a safe net. The safeness of a PN can be checked during the construction of its RG by simply checking each newly generated marking.
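The firing rule, the RG construction, the deadlock and unboundedness tests of Definitions 3.1.20 and 3.1.21, and the concurrency and dynamic conflict relations of Definitions 3.1.13 and 3.1.15 are brought together in the following Python program. It is an added example and not code from the thesis; the two nets FORK_JOIN and PRODUCER, the function names and the dict-based representation of markings are assumptions made for the example. The unboundedness test compares each new marking with the markings on the path that led to it, exactly the $M_i \subset M_j$ check described above, so the construction also terminates on unbounded nets instead of building an infinite RG.

```python
"""Marked Petri net: firing rule, reachability graph (RG), deadlock and
boundedness checks, and the concurrency and dynamic conflict relations of
Definitions 3.1.13 and 3.1.15.  Added example, not the thesis's own code."""
from collections import deque


class PetriNet:
    """A marking is a dict place -> tokens; unmarked places are left out so that
    equal markings compare equal.  pre[t] = •t and post[t] = t• as {place: weight}."""

    def __init__(self, pre, post, m0):
        self.pre, self.post = pre, post
        self.m0 = {p: n for p, n in m0.items() if n}

    def enabled(self, m, t):
        # t is enabled iff each input place holds at least the arc weight
        return all(m.get(p, 0) >= w for p, w in self.pre[t].items())

    def fire(self, m, t):
        # PN firing rule: M'(p) = M(p) - F(p, t) + F(t, p)
        if not self.enabled(m, t):
            raise ValueError(f"{t} is disabled at {m}")
        m2 = dict(m)
        for p, w in self.pre[t].items():
            m2[p] -= w
        for p, w in self.post[t].items():
            m2[p] = m2.get(p, 0) + w
        return {p: n for p, n in m2.items() if n}

    @staticmethod
    def strictly_covers(big, small):
        # Mi ⊂ Mj: big marks every place at least as much as small, one place strictly more
        return big != small and all(big.get(p, 0) >= n for p, n in small.items())

    def reachability_graph(self):
        """Breadth-first RG construction: nodes maps a hashable key to a marking,
        edges maps a key to [(transition, successor key)].  Every new marking Mj is
        compared with the markings Mi on the path that led to it; if Mi ⊂ Mj the
        sequence from Mi to Mj can be repeated forever, the RG would be infinite,
        and ValueError is raised with the witness pair."""
        key = lambda m: frozenset(m.items())
        start = key(self.m0)
        nodes, edges, path = {start: self.m0}, {start: []}, {start: ()}
        queue = deque([start])
        while queue:
            k = queue.popleft()
            for t in self.pre:
                if not self.enabled(nodes[k], t):
                    continue
                m2 = self.fire(nodes[k], t)
                k2 = key(m2)
                edges[k].append((t, k2))
                if k2 in nodes:
                    continue
                for anc in path[k] + (k,):
                    if self.strictly_covers(m2, nodes[anc]):
                        raise ValueError(f"unbounded: {nodes[anc]} ⊂ {m2}")
                nodes[k2], edges[k2], path[k2] = m2, [], path[k] + (k,)
                queue.append(k2)
        return nodes, edges


def deadlocks(nodes, edges):
    """Definition 3.1.20: RG vertices with no outgoing arc."""
    return [nodes[k] for k, out in edges.items() if not out]


def bound(nodes):
    """Smallest k such that the net is k-bounded; 1 means the net is safe."""
    return max(n for m in nodes.values() for n in m.values())


def is_bounded(net):
    try:
        net.reachability_graph()
        return True
    except ValueError:
        return False


def concurrent(net, nodes, ti, tj):
    """Definition 3.1.13: some reachable marking contains the multiset •ti + •tj."""
    need = dict(net.pre[ti])
    for p, w in net.pre[tj].items():
        need[p] = need.get(p, 0) + w
    return any(all(m.get(p, 0) >= w for p, w in need.items()) for m in nodes.values())


def dynamic_conflict(net, nodes, ti, tj):
    """Definition 3.1.15: ti and tj enabled together somewhere and firing ti disables tj."""
    return any(net.enabled(m, ti) and net.enabled(m, tj)
               and not net.enabled(net.fire(m, ti), tj) for m in nodes.values())


# Constructed net: t1 forks p1 into p2 and p3; t2 and t5 compete for p2 (a
# symmetric dynamic conflict); t4 joins p4 and p5.  Choosing t5 leaves two
# tokens in p5 with nothing enabled, so the net is 2-bounded and can deadlock.
FORK_JOIN = PetriNet(
    pre={"t1": {"p1": 1}, "t2": {"p2": 1}, "t3": {"p3": 1}, "t4": {"p4": 1, "p5": 1}, "t5": {"p2": 1}},
    post={"t1": {"p2": 1, "p3": 1}, "t2": {"p4": 1}, "t3": {"p5": 1}, "t4": {"p1": 1}, "t5": {"p5": 1}},
    m0={"p1": 1})

# Constructed unbounded net: t1 keeps its own token and adds one to p2 each firing.
PRODUCER = PetriNet(pre={"t1": {"p1": 1}}, post={"t1": {"p1": 1, "p2": 1}}, m0={"p1": 1})
```

On FORK_JOIN the RG has seven markings, the bound is 2 (so the net is not safe) and the only deadlock is the marking with two tokens in $p_5$; $t_2 \parallel t_3$ holds while $t_2$ and $t_5$ are in dynamic conflict. PRODUCER is rejected as unbounded after its first firing, since $\{p_1\} \subset \{p_1, p_2\}$.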
Definition 3.1.22 A transition $t \in T$ of a PN $N$ is called live at a marking $M$ if there exists a firing sequence $\sigma : M \xrightarrow{\sigma} \dots$ such that $t \in \sigma$. □
Definition 3.1.23 A PN $N$ is called strongly live if every transition from $T$ is live at every reachable marking.
A PN $N$ is called weakly live if every transition from $T$ is live at $M_0$. □
A transition which is not live usually indicates that some operation of the designed system can never be performed. A live action of an LPN is defined in a similar way.
Definition 3.1.24 An action $a_i \in A$ of an LPN $N$ is called live at a marking $M$ if there exists a firing sequence $\sigma : M \xrightarrow{\sigma} \dots$ such that $\exists t \in \sigma : L(t) = a_i$. □
Another important notion is persistency, i.e. the ability of transitions and actions to stay
enabled while other transitions are firing.
² In [65] a representation of infinite RGs is considered using $\omega$-sequences. These are not considered in this work.
Figure 3.6: Example of a PN (a) and a reduced RG (b) built using the stubborn sets method.
Definition 3.1.25 A transition $t_i$ of a PN $N$ is said to be persistent with respect to another transition $t_j$ if $t_j$ is not in dynamic conflict with $t_i$ at any reachable marking $M$ enabling both $t_i$ and $t_j$. □
Definition 3.1.26 An action $a_i$ of an LPN $N$ is said to be persistent with respect to another action $a_j$ if $a_j$ is not in dynamic conflict with $a_i$ at any reachable marking $M$ which enables transitions labelled with both actions. □
For example, in Figure 3.5 action $a_2$ is persistent with respect to action $a_1$. As will be shown later, the persistency of actions of an LPN is closely related to the correct functioning of an asynchronous circuit whose behaviour has been specified by the LPN.
3.2 Analysis of PN Behaviour by RG Methods
PN properties can be verified by traversing its RG. However, the size of the RG can be exponential in the number of transitions of the PN. It is often impossible to construct explicitly the whole RG even for a moderately sized PN. Several methods have been suggested for overcoming this problem. Amongst the most efficient are stubborn set methods [91] (a closely related method based on persistent sets was introduced in [28]) and PN symbolic traversal [61, 36]. Here these methods are only briefly outlined; the interested reader is referred to the above mentioned literature for more details.
Stubborn sets The objective of the stubborn set method [91] is to analyse a given PN for deadlock freedom. This method is based on the fact that different interleavings of concurrent transitions lead to the same marking. Therefore, only one interleaving needs to be explored to find out whether this marking is a deadlock marking. Thus only a subset of all reachable markings for a given PN is constructed. A stubborn set is a set of transitions whose ability to become enabled cannot be affected by firing any transition outside this set. The stubborn set is calculated using the structural properties of the PN graph. Therefore, the complexity of finding a stubborn set for a given marking depends on the size of the original PN. An example of a PN and its reduced RG is shown in Figure 3.6. The shaded area shows one of the possible interleavings which may be explored by the algorithm.
Figure 3.7: Example of a BDD representation of the RG in the example from Figure 3.6(a).
PN symbolic traversal [61, 36] This method uses a symbolic representation of the RG in the form of a characteristic boolean function³. This function is represented in a canonical graphical form called a Binary Decision Diagram (BDD) [11]. Contrary to the stubborn set methods, it represents implicitly the whole RG. Each boolean variable is associated with a place of the analysed PN. If a PN is safe, each place can either be marked or unmarked, i.e. the corresponding variable is TRUE whenever the place is marked and FALSE otherwise. A marking is a boolean function which evaluates to TRUE when all places that belong to it are marked. The RG of a PN is represented as a BDD for the disjunction of the boolean functions of all reachable markings. An example of a BDD representing the RG for the PN from Figure 3.6 is shown in Figure 3.7; the dashed vertices correspond to the FALSE value of each variable. This method has been shown to be efficient for the verification of state-based properties, i.e. properties that can be determined from the RG vertices only.
Methods based on partial exploration of the RG can efficiently detect deadlocks in a PN. The verification of other properties by means of stubborn sets requires exploring additional states, which reduces their efficiency. PN symbolic traversal suffers from the variable ordering problem⁴. However, this method has proved to be popular and is currently the subject of rigorous research.
3.3 Analysis of PN Behaviour by PN-unfolding
Another approach, based on partial orders, is to obtain an implicit representation of the RG
for a PN by preserving the concurrency relation between instances of transitions (i.e. possible
firings of transitions). Such a method, known as PN-unfolding, was introduced in [46, 47].
³ This method is described in more detail later in Chapter 7.
⁴ See also Chapter 7.
The formal definition of the PN-unfolding and other necessary notions are introduced below. A PN-unfolding is an occurrence net [56], which is defined as a $(P,T)$ labelled occurrence net in [47].
Definition 3.3.1 A $(P,T)$ labelled occurrence net (possibly infinite) obtained from a PN $N$ is a tuple $(N', L')$, where $N'$ is a PN $N' = (P', T', F')$ and $L'$ is a labelling function which maps $P'$ and $T'$ onto $P$ and $T$ respectively such that:
- $F'$ is acyclic, i.e. the (irreflexive) transitive closure of $F'$ (later denoted by $F''$) is a partial order;
- $\forall p' \in P'$, $p' \in t_1'^\bullet$ and $p' \in t_2'^\bullet$ : $t_1' = t_2'$, i.e. there are no backward conflicts;
- $\nexists t' \in T' : t' \# t'$, i.e. no transition is in self-conflict, where $x' \# y'$ if there are $t_1', t_2'$ such that $t_1' \neq t_2'$ and ${}^\bullet t_1' \cap {}^\bullet t_2' \neq \emptyset$ and $(t_1', x') \in F''$ and $(t_2', y') \in F''$;
- $\forall t_1', t_2' \in T'$, $L'(t_1') = L'(t_2')$, ${}^\bullet t_1' = {}^\bullet t_2'$ : $t_1' = t_2'$;
- $N'$ is finitely preceded, i.e. for every $x' \in P' \cup T'$, $\{y' \mid (y', x') \in F''\}$ is finite.
□
Note that the elements of $P'$ and $T'$ will be called instances; two elements satisfying $x' \# y'$ will be said to be in conflict.
A (P, T) labelled occurrence net is an acyclic PN which starts from a set of minimal places.
Traversing such a PN visits every transition and place only once. Furthermore, if tokens are
placed into the set of minimal places, then each transition can fire once and only once.
An unfolding construction algorithm is based on the temporal relations between instances
of transitions and places. Similar to PNs, there are two types of temporal relations: conflict
(already defined in Definition 3.3.1) and concurrency and, in addition, the precedence relation. The precedence and concurrency relations are defined below for instances of the occurrence net.
Definition 3.3.2 An element $x_1'$ of a $(P,T)$ labelled occurrence net is said to be preceding another element $x_2'$ of this net iff there exists a (possibly empty) set $Z \subseteq P' \cup T'$, $Z = \{z_1', z_2', \dots, z_n'\}$, such that $(x_1', z_1'), (z_1', z_2'), \dots, (z_n', x_2') \in F'$, i.e. there is a directed path from $x_1'$ to $x_2'$. Elements $x_1'$ and $x_2'$ are also said to be in the sequential relation; it is denoted as $x_1' \prec x_2'$. The notation $x_1' \preceq x_2'$ means that $x_1' = x_2'$ or $x_1' \prec x_2'$. □
Definition 3.3.3 Two instances $x_1'$ and $x_2'$ of the occurrence net $N'$ are said to be concurrent, denoted as $x_1' \parallel x_2'$, iff they are neither preceding each other nor in conflict. □
Note that the concurrency relation in the occurrence net is generalisable, i.e. given a set of elements $X' \subseteq P' \cup T'$ such that $\forall x_1', x_2' \in X'$, $x_1' \neq x_2' : x_1' \parallel x_2'$, all elements in $X'$ can be marked and/or fired simultaneously if the execution is started from one token in each of the minimal places. If $X' \cap T' = \emptyset$, then $X'$ is a set of instances of places which can all be marked at the same time. If $X' \cap P' = \emptyset$, then $X'$ is a set of transition instances which can all fire simultaneously.
proc Build_unfolding(N = (P, T, F, M0))
    Initialise N' with instances of the places in M0
    repeat
        for each t in T do
            Find an unused set of mutually concurrent instances of the places in •t
            if such a set exists then do
                Add an instance of t and of the places in t• to N'
            end do
        end do
    until no new instance can be added
    return N'
end proc
Figure 3.8: Algorithm for building a PN-unfolding.
Definition 3.3.4 A PN-unfolding $N'$ built from the PN $N$ is the maximal $(P,T)$ labelled occurrence net (up to isomorphism) satisfying the following:
- $\forall t' \in T'$: $L'$ restricted to ${}^\bullet t'$ and ${}^\bullet L'(t')$ is a bijection, and $L'$ restricted to $t'^\bullet$ and $L'(t')^\bullet$ is a bijection;
- $L'$ restricted to the set $P'_{min}$ of minimal places in $P'$ is a bijection between $P'_{min}$ and $M_0$.
□
For any element of a PN N the corresponding element of the PN-unfolding is referred to
by adding an apostrophe to its name. The number of apostrophes denotes the occurrence
number of this element. When the occurrence number is too large, it is denoted by a number
itself.
The pseudo-code of the algorithm for building the PN-unfolding (similar to that of [47]) is given in Figure 3.8. The algorithm first initialises the unfolding by adding the instances of places which are marked at the initial marking $M_0$. It then checks each transition in order to find at least one transition $t$ whose places in ${}^\bullet t$ have mutually concurrent instances in the unfolding. If such a set is found and this transition has not yet been instantiated with this set of inputs, then instances of $t$ and of the places in $t^\bullet$ are added to the unfolding. If no new instance can be added to the unfolding, the algorithm terminates. An illustration of the output of the PN-unfolding construction algorithm for the PN from Figure 3.6 is given in Figure 3.9. It illustrates three steps of the algorithm's work: the PN-unfolding initialised with instances of places marked at the initial marking (Figure 3.9(a)), the PN-unfolding after adding instances of $t_1$ and $t_2$ (Figure 3.9(b)), and after adding one instance of each transition of the original PN (Figure 3.9(c)).
Definition 3.3.5 The initial transition of a PN-unfolding is denoted as $\bot$ and is defined so that ${}^\bullet\bot = \emptyset$ and $\bot^\bullet = P'_{min}$. □
Although $\bot$ does not have pre-set places, this is harmless. It can be viewed as a "phantom" transition which initialises the PN by putting tokens into the places of the initial marking, and is needed only to make some notation simpler. This transition is never fired more than once. In discussions about reachability it should be borne in mind that the initial marking is $\bot^\bullet$.
Figure 3.9: Steps of the PN-unfolding algorithm: (a) initialised $N'$, (b) after adding two instances, (c) after adding one instance of each transition.
Definition 3.3.6 A configuration $C$ of an unfolding $N'$ is a non-empty subset of $T'$ such that:
- $\forall t_1', t_2'$, $t_1' \prec t_2'$, $t_2' \in C : t_1' \in C$;
- $\forall t_1', t_2' \in C$, $t_1' \neq t_2' : {}^\bullet t_1' \cap {}^\bullet t_2' = \emptyset$.
□
Property 3.3.1 No two instances which belong to a configuration $C$ are in conflict. □
A configuration is a set of transition instances which is conflict-free and backwards closed with respect to the precedence relation.
Definition 3.3.7 The local configuration of a transition instance $t'$, denoted as $\lceil t' \rceil$, is the least backwards closed subset of $T'$ with respect to $F'$ containing $t'$. □
Clearly a local configuration is a configuration. It also follows from the definitions that $t_1' \preceq t_2'$ iff $t_1' \in \lceil t_2' \rceil$ (the reflexive case is included because $t_2' \in \lceil t_2' \rceil$).
Proposition 3.3.1 For any two transitions $t_1', t_2' \in T'$ the following is true: $t_1' \preceq t_2'$ iff $\lceil t_1' \rceil \subseteq \lceil t_2' \rceil$. □
For any transition $t'$ in the unfolding the following is true: $\lceil \bot \rceil \subseteq \lceil t' \rceil$. The local configuration of $\bot$ is the initial transition itself.
Definition 3.3.8 The set $C^\bullet \subseteq P'$ is called the post-set of a configuration $C$ and is calculated as $C^\bullet = \{t'^\bullet : t' \in C\} \setminus \{{}^\bullet t' : t' \in C\}$, i.e. the places produced by instances in $C$ and not consumed by any instance in $C$. □
Definition 3.3.9 The multiset of places $Fs(C) = L'(C^\bullet)$ (i.e. if $C^\bullet = \{p_1', p_2', \dots\}$, then $Fs(C) = L'(p_1') + L'(p_2') + \dots$) of the PN $N$ is called the final state of configuration $C$ in the PN-unfolding built from $N$. □
The set of maximal elements of a configuration, called the max-set of the configuration, is defined as $Max(C) = \{t' \in C : \nexists t'' \in C, t' \prec t''\}$. The max-set is unique for each configuration. For any instance in the max-set of a configuration the following is true: $t'^\bullet \subseteq C^\bullet$.
Property 3.3.2 For any finite configuration $C$ the following is true:
$C = \bigcup \{\lceil t' \rceil : t' \in Max(C)\}$
□
That is, any finite configuration can be found from the local configurations of the instances in its max-set.
The next property follows from the definitions of the conflict relation and configuration.
Property 3.3.3 For any conflict-free set of instances $\{t_1', \dots, t_n'\} \subseteq T'$ the following is true: $\lceil t_1' \rceil \cup \dots \cup \lceil t_n' \rceil$ is a configuration. □
Lemma 3.3.1 Let $N'$ be the PN-unfolding of a PN $N$. If for two instances $t_1', t_2' \in T'$ the following is true: $t_1' \parallel t_2'$, then the two transitions $t_1 = L'(t_1')$ and $t_2 = L'(t_2')$ are concurrent.
Proof: Since $t_1'$ and $t_2'$ are concurrent, no pair of instances in their local configurations may be in conflict. From Definition 3.3.6 it follows that there exists a configuration $C = \lceil t_1' \rceil \cup \lceil t_2' \rceil$. Furthermore, there exists a configuration $C' = C \setminus \{t_1', t_2'\}$ for which the following is true: ${}^\bullet t_1' \subseteq C'^\bullet$ and ${}^\bullet t_2' \subseteq C'^\bullet$ and ${}^\bullet t_1' \cap {}^\bullet t_2' = \emptyset$. Hence there exists a reachable marking $M = Fs(C')$ such that $L'({}^\bullet t_1') + L'({}^\bullet t_2') \subseteq M$, i.e. $t_1$ and $t_2$ are concurrent.
□
It was proved in [47] that for any reachable marking $M$ there exists a finite configuration $C$ such that $M = Fs(C)$ and vice versa.
Lemma 3.3.2 For a transition $t \in T$ of a PN $N$ which is live at $M_0$ there exists a corresponding instance $t' \in T'$ of $N'$ such that $L'(t') = t$.
Proof: Since every reachable marking is represented as the post-set of some finite configuration, the marking $M$ enabling $t$ will have a corresponding configuration $C : Fs(C) = M$. Thus a set of mutually concurrent instances of ${}^\bullet t$ exists in the unfolding and, hence, $t'$ will be instantiated.
□
Theorem 3.3.1 Two transitions $t_1, t_2 \in T$ are concurrent in PN $N$ iff there exists a pair of their instances $t_1', t_2' \in T'$ in the PN-unfolding $N'$ such that $t_1' \parallel t_2'$.
proc Build_truncated_unfolding(N = (P, T, F, M0))
    Initialise N' with instances of the places in M0
    Initialise QUEUE with the instances of the transitions enabled at M0
    while QUEUE not empty do
        Pull t' from QUEUE
        if t' is not a cutoff then do
            Add t' and the places in t'• to N'
        end do
        for each t in T do
            Find an unused set of mutually concurrent instances of the places in •t
            if such a set exists then do
                Add the new instance t' to QUEUE, ordered by |⌈t'⌉|
            end do
        end do
    end do
    return N'
end proc
Figure 3.10: Algorithm for truncated PN-unfolding.
Proof: [if] Follows from Lemma 3.3.1.
[only if] Any reachable marking $M$ such that ${}^\bullet t_1 + {}^\bullet t_2 \subseteq M$ is represented as the final state of some configuration $C$ [47]. This configuration has the post-set $C^\bullet$ which includes disjoint instances of ${}^\bullet t_1$ and ${}^\bullet t_2$. Therefore, $t_1'$ and $t_2'$ will be instantiated in $N'$ with these instances as ${}^\bullet t_1'$ and ${}^\bullet t_2'$. The two instances $t_1'$ and $t_2'$ cannot be in conflict with any instances in $C$, nor can they be preceding each other. Hence, $t_1' \parallel t_2'$.
□
The size of a configuration $C$ is defined as the number of instances in $C$ and is denoted as $|C|$.
The complete unfolding of a cyclic PN can be infinite. Thus a characteristic fragment of the unfolding is required which will be finite but as informative as the full unfolding.
A method of truncating the PN-unfolding was introduced in [47]. This method is based on the cutoff condition as follows:
Definition 3.3.10 (Cutoff condition [41]) A newly built instance $t_c'$ of the PN-unfolding is a cutoff point if there exists another instance $t'$ such that:
$Fs(\lceil t' \rceil) = Fs(\lceil t_c' \rceil)$ and $|\lceil t' \rceil| < |\lceil t_c' \rceil|$
□
In other words, an instance $t_c'$ is a cutoff point if there exists another instance $t'$ in the already built portion of the PN-unfolding such that the firing of the transitions whose instances are in $\lceil t' \rceil$ and in $\lceil t_c' \rceil$ leads to the same PN marking and the local configuration of the existing instance is smaller.
Figure 3.11: The truncated unfolding for the PN from Figure 3.6(a); the instances drawn with dashed lines lie beyond the cutoff point and are not added.
A somewhat simplified version of McMillan's algorithm is shown in Figure 3.10. The construction of a truncated unfolding starts from a set of places which are labelled as occurrences of the places in the initial marking of the PN. Contrary to the algorithm in Figure 3.8, it checks each added transition instance for the cutoff condition. Furthermore, the truncated PN-unfolding algorithm uses QUEUE to sort the newly generated instances so that an instance is added only after all instances with smaller local configurations have been considered; this ordering is what makes the cutoff test sound, since a candidate must be compared against every instance with a smaller local configuration. The truncated PN-unfolding for the PN in Figure 3.6 is shown in Figure 3.11. Instance $t_7'$ is a cutoff point and, therefore, no instance depicted with a dashed line will be added to the truncated PN-unfolding. The construction stops for a bounded PN [47] when there are no more transition instances that could be added to the PN-unfolding.
Theorem 3.3.2 [47] A marking $M$ of a bounded PN $N$ is reachable iff there exists a configuration $C$ in the truncated unfolding $N'$ built from $N$ such that $Fs(C) = M$. □
From this theorem it follows that instead of constructing the reachability graph, a truncated PN-unfolding can be constructed to represent all reachable markings of a bounded PN.
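The algorithms of Figures 3.8 and 3.10 are given below as one runnable Python implementation, restricted to safe nets with unit arc weights (the non-autoconcurrent class this thesis works with). It is an added example, not code from the thesis or from [47]; the net TWO_CHAINS, the class and method names, and the representation of instances as numbered conditions and events are assumptions made for the example. With cutoff=True it builds the truncated unfolding using Definition 3.3.10, comparing each candidate only against instances with smaller local configurations as the QUEUE ordering of Figure 3.10 requires; with cutoff=False it is the algorithm of Figure 3.8, which never terminates on a cyclic net, so a bound on the number of instances is enforced. The final states of all configurations of the prefix are enumerated to illustrate Theorem 3.3.2.

```python
"""Truncated PN-unfolding with McMillan's cutoff condition, for safe nets with
unit arc weights.  Added example, not the thesis's own code."""
from itertools import product


class Unfolding:
    """conds[i] = (place label, producing event id).  events[i] holds the transition
    label, pre/post condition ids, ⌈e⌉ as a set of event ids, Fs(⌈e⌉) and a cutoff
    flag; event 0 is the initial transition ⊥ of Definition 3.3.5."""

    def __init__(self, pre, post, m0, cutoff=True):
        self.pre, self.post, self.cutoff = pre, post, cutoff  # pre[t], post[t]: sets of places
        self.conds, self.events = [], [{"trans": "⊥", "pre": (), "post": [], "cutoff": False,
                                        "local": frozenset({0}), "mark": tuple(sorted(m0))}]
        for p in sorted(m0):
            self._new_cond(p, 0)

    def _new_cond(self, place, ev):
        self.conds.append((place, ev))
        self.events[ev]["post"].append(len(self.conds) - 1)

    def _is_config(self, c):
        # conflict-free: no condition is consumed by two distinct events of c
        pres = [b for e in c for b in self.events[e]["pre"]]
        return len(pres) == len(set(pres))

    def _cut(self, c):
        # C• of Definition 3.3.8: conditions produced by c and not consumed by c
        return ({b for e in c for b in self.events[e]["post"]}
                - {b for e in c for b in self.events[e]["pre"]})

    def _coset_config(self, cond_ids):
        # The configuration ⋃⌈producer(b)⌉ if cond_ids are mutually concurrent, else None.
        # Conditions behind a cutoff event are never extended: that is the truncation.
        c = set()
        for b in cond_ids:
            c |= self.events[self.conds[b][1]]["local"]
        if not self._is_config(c) or any(self.events[e]["cutoff"] for e in c):
            return None
        return c if set(cond_ids) <= self._cut(c) else None

    def possible_extensions(self):
        # Unused co-sets labelled with •t, for every t (inner loop of Figures 3.8 and 3.10)
        existing = {(ev["trans"], ev["pre"]) for ev in self.events}
        pes = []
        for t, places in self.pre.items():
            per_place = [[b for b, (pl, _) in enumerate(self.conds) if pl == p] for p in sorted(places)]
            for combo in product(*per_place):
                pre = tuple(sorted(combo))
                c = None if (t, pre) in existing else self._coset_config(pre)
                if c is not None:
                    pes.append((len(c) + 1, t, pre, c))  # len(c) + 1 == |⌈t'⌉|
        return pes

    def build(self, max_events=500):
        while True:
            pes = self.possible_extensions()
            if not pes:
                return self
            size, t, pre, c = min(pes, key=lambda x: x[:3])  # smallest |⌈t'⌉| first (QUEUE order)
            if len(self.events) >= max_events:
                raise RuntimeError("unfolding keeps growing: cyclic net without cutoffs")
            eid = len(self.events)
            # Fs(⌈t'⌉) of Definition 3.3.9: labels of Cut(c) minus •t' plus t•
            mark = tuple(sorted([self.conds[b][0] for b in self._cut(c) - set(pre)]
                                + sorted(self.post[t])))
            is_cutoff = self.cutoff and any(  # Definition 3.3.10
                ev["mark"] == mark and len(ev["local"]) < size for ev in self.events)
            self.events.append({"trans": t, "pre": pre, "post": [], "cutoff": is_cutoff,
                                "local": frozenset(c | {eid}), "mark": mark})
            for p in sorted(self.post[t]):
                self._new_cond(p, eid)

    def reachable_markings(self):
        """Final states of every configuration of the prefix (Theorem 3.3.2)."""
        confs, marks, stack = set(), set(), [frozenset({0})]
        while stack:
            c = stack.pop()
            if c in confs:
                continue
            confs.add(c)
            cut = self._cut(c)
            marks.add(tuple(sorted(self.conds[b][0] for b in cut)))
            for i, ev in enumerate(self.events):  # extend by every instance enabled at the cut
                if i not in c and ev["pre"] and set(ev["pre"]) <= cut:
                    stack.append(c | {i})
        return marks


# Constructed net: chains p1-t1-p3-t3-p5-t5-p7 and p2-t2-p4-t4-p6-t6-p8 joined by t7,
# which returns the tokens to p1 and p2.  Names follow Figures 3.9 and 3.11; the net is assumed.
TWO_CHAINS = dict(
    pre={"t1": {"p1"}, "t2": {"p2"}, "t3": {"p3"}, "t4": {"p4"}, "t5": {"p5"}, "t6": {"p6"}, "t7": {"p7", "p8"}},
    post={"t1": {"p3"}, "t2": {"p4"}, "t3": {"p5"}, "t4": {"p6"}, "t5": {"p7"}, "t6": {"p8"}, "t7": {"p1", "p2"}},
    m0={"p1", "p2"})


def truncated_prefix():
    return Unfolding(**TWO_CHAINS).build()


def full_unfolding_diverges(limit=60):
    try:
        Unfolding(cutoff=False, **TWO_CHAINS).build(limit)
        return False
    except RuntimeError:
        return True
```

On TWO_CHAINS the prefix contains $\bot$ and one instance of each of $t_1, \dots, t_7$; $t_7'$ is the only cutoff, because $Fs(\lceil t_7' \rceil)$ equals the initial marking $Fs(\lceil \bot \rceil)$ and $|\lceil \bot \rceil| = 1$ is smaller, so nothing beyond $t_7'$ is generated. The 16 final states of the configurations of this eight-event prefix are exactly the 16 reachable markings of the net (four positions on each chain), which is the content of Theorem 3.3.2.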
3.4 Signal Transition Graphs
Signal Transition Graphs (STGs) have been introduced independently by [73] and [13] for
the low level modelling of asynchronous circuits. They became popular because of their close
relationship to PNs, which provides a powerful theoretical background for the specification and
verification of asynchronous circuits. In addition, an asynchronous circuit can be synthesised
from its STG specification if it satisfies certain criteria of implementability. In this section
STGs are formally defined; the correctness of a behaviour described by an STG is defined
along with the corresponding properties.
Definition 3.4.1 A Signal Transition Graph (STG) is a tuple $G = (N, A, v_0, \lambda)$ where
- $N$ is a marked PN,
- $A$ is a set of signals,
- $v_0$ is the initial state of the STG, which is a binary vector of dimension $|A|$: $v_0 \in \{0,1\}^{|A|}$,
- $\lambda$ is a labelling function which labels every transition of $N$ with a signal transition $+a$ or $-a$ where $a \in A$.
□
It can be observed from the definition that STGs are a particular case of LPNs where the set of actions is restricted to signal transitions, i.e. $+a$ ($-a$) represents the change of the value of signal $a$ from logical 0 to logical 1 (from 1 to 0). The set of signal transitions on $A$ is defined as $*A = \{+,-\} \times A$ so that $*a \in \{+a, -a\}$ and $|{*a}|$ denotes the signal itself, i.e. $|{*a}| = a$. There also exists a less strict definition of the STG which allows some of the transitions of the STG to be dummy transitions, i.e. transitions that do not change the value of any signal in the STG.
STGs were introduced as a formal model for the specification of asynchronous circuits.
Each transition is associated with some signal transition of the circuit or its environment.
Therefore, the set of signals of an STG is usually divided into two subsets: a set of input
signals and a set of output signals. Obviously, not every behaviour can be regarded as a
correct one for circuit implementation. The notion of correctness of an STG is defined on the
firing sequences that it can generate. First, a valid firing sequence is defined.
Definition 3.4.2 A firing sequence $\sigma : M_0 \xrightarrow{\sigma} M$ is valid iff for every signal $a$ with $\exists t \in \sigma : \lambda(t) = *a$ the following is true:
- the next possible change of signal $a$ after $+a$ ($-a$) can only be $-a$ ($+a$),
- the first change of signal $a$ is consistent with the initial state of the STG, i.e. if the value of $a$ is 0 (1) in the initial state, then $+a$ ($-a$) is the first change of $a$ in any firing sequence.
□
The first condition is known as switchover correctness [35]. The second condition is known as stability of the initial marking, also due to [35].
Definition 3.4.3 An STG is called valid (correct) iff the underlying PN is finite, bounded and every feasible sequence in it is valid. □
Property 3.4.1 An STG is invalid if there exist two concurrent transitions labelled with signal transitions of one signal $a$. □
The above property proves to be very important later in the analysis of STGs using the PN-unfolding method. Its correctness follows from the fact that concurrent transitions are enabled together at least at one reachable marking. Hence, further advancement of the system from this marking will violate at least one of the conditions of a valid sequence.
Example. The STG shown in Figure 3.12(a) is valid if the initial state is $\{000\}$, where the order of signals in the state vector is $abc$. An example of an invalid STG is shown in Figure 3.12(b). If the initial state is $\{10\}$ or $\{11\}$ (the order of signals is $ab$) then the firing of $+a$ will be inconsistent with the initial state. If the initial state is $\{01\}$, then for signal $b$ a change $-b$ can occur after $-b$ without an intermediate $+b$ in the sequence $p_1 \to p_3 \to p_5 \to p_1 \to p_3 \to p_5 \to \dots$ (a shorter sequence $p_1 \to p_3 \to p_4 \to p_2 \to p_3$ is also inconsistent with the initial state). ∎
Figure 3.12: Examples of a valid (a) and an invalid (b) STG.
A single-run STG is an STG whose RG contains no cycles. Also, a cyclic STG is an STG
whose RG is strongly connected. Often practically useful STGs consist of a combination of
single-run and cyclic segments, e.g. an STG with a segment which is executed once before it
enters its cyclic segment. Such STGs model the behaviour of circuits or signalling protocols
with initialisation.
STGs are a particular subclass of LPNs. Thus they have the same properties as LPNs
defined in the previous section. An additional important property of STGs, related to the
correctness of the circuit functioning is output signal persistency which is defined below.
Definition 3.4.4 A signal $a_i$ of an STG $G$ is said to be persistent with respect to another signal $a_j$ if $a_j$ is not in dynamic conflict with $a_i$ at any reachable marking $M$ which enables transitions labelled with both signals. □
Since the set of signals is divided into sets of input and output signals, signal persistency can be defined with respect to a set of signals.
Definition 3.4.5 An STG $G$ is called persistent with respect to a set of signals $A' \subseteq A$ if every signal $a_i \in A'$ is persistent with respect to any other signal $a_j \in A$ at any reachable marking $M$ which enables a transition labelled with $a_i$. □
An STG where $A' = A$ is simply called a persistent STG. Output signal persistency has an important practical meaning.
Definition 3.4.6 An STG is called output signal persistent if it is persistent with respect to its output signals. □
Output signal persistency is closely related to the correct operation of the circuit. It guarantees that the outputs of the circuit cannot change non-deterministically. Thus, for an observer in the environment, the circuit always reacts deterministically to any input stimulus.
3.5 Analysis of STG Behaviour
This section studies the conventional method of STG analysis. This method is based on the reachability analysis of the underlying PN.
Figure 3.13: Illustration of the RG (left) and the SG (right) built for the STG example from Figure 3.12(a); SG states are labelled with the binary vector $abc$, starting from 000.
The current state of an STG is captured using the notion of the state vector. A state
vector $v$ of an STG $G$ is a binary vector of size $|A|$ such that each of its elements corresponds
to one and only one signal. The element $v[i]$, corresponding to a signal $a_i$, represents the
state ("high" or "low") of this signal. It is assumed that 1 corresponds to the "high" value
of the signal and 0 corresponds to the "low" value of the signal. Whenever an STG changes
its marking by a signal transition of $a_i$, the state vector changes accordingly.
The behaviour described by an STG is analysed by means of constructing its State Graph.
Definition 3.5.1 The State Graph (SG) constructed from an STG $G = (N, A, v_0, \lambda)$ is a tuple
$S = (V, E)$ where for each reachable marking $M_i$ of $N$ there exists a vertex $s_i = (M_i, v_i) \in V$
assigned with a state vector $v_i$. For each transition $t \in T$: $M_i \xrightarrow{t} M_j$ there exists an edge
$e \in E$ connecting the two corresponding vertices and labelled with $\lambda(t)$.
Each vertex of the SG is called a state. □
Figure 3.13 shows an example of the RG and the SG obtained from the STG in Figure 3.12(a).
The validity of an STG is checked on the SG level through the notion of consistent binary
vector assignment.
Definition 3.5.2 An SG labelling is called consistent if for all edges $e$ the following is true:
• if $M_i \xrightarrow{a_j+} M_k$ then $v_i[j] = 0$ and $v_k[j] = 1$;
• if $M_i \xrightarrow{a_j-} M_k$ then $v_i[j] = 1$ and $v_k[j] = 0$;
• $v_i[j] = v_k[j]$ otherwise.
□
It has been shown in [41] that an STG is valid if its SG is finite and its binary vector
assignment is consistent. The SG of an STG is finite if the underlying PN is bounded. Thus,
the validity of an STG can be verified through the construction of its SG instead of examining
all its feasible sequences.
If an STG specifies a desired asynchronous circuit, then its validity only indicates that
this STG may be implemented as an asynchronous circuit. If the obtained SG does not have a
consistent state vector assignment, then the STG is invalid and should be redesigned. However,
a consistent state vector assignment does not immediately guarantee its implementability.
The behaviour must satisfy other implementability properties such as output signal persistency
and Complete State Coding.
The circuit implementation should be free from hazards, i.e. unspecified changes of signals.
Several works, e.g. [41, 35], define semi-modularity of SI circuits as the criterion of their hazard
freedom.
Suppose that a circuit is given in the form of a gate net-list together with a model of
the environment in which this circuit operates. A circuit is said to be semi-modular if every
one of its signals becomes stable only by changing its value. Informally, a semi-modular circuit
is hazard-free since no signal changes are allowed which may cause a glitch on the output of
any gate.
The State Transition Diagram (STD) is constructed for a circuit which represents all states
of the circuit as a graph with vertices corresponding to the states of the circuit and edges
representing transitions between the states. Every vertex is associated with a binary vector
whose elements represent the states of signals. A signal is said to be stable at some state if
the value of the corresponding element of the binary vector is equal to the value calculated by
the corresponding logic function under the input values given by the vector; and it is called
excited otherwise. An STD is called semi-modular if there are no edges connecting two states
so that the corresponding transition removes excitation from some signal other than the one
changing in the transition.
The notions of STD and SG are very close. It is possible to define an isomorphism between
an STD and an SG obtained for some STG. In this case the STG is said to be an event-based
representation of the circuit. It was shown in [41] that a circuit is semi-modular (hazard-free)
if the STG is valid, output signal persistent and it has an SG isomorphic to the STD
of the circuit. The interested reader is referred to [99, 41, 35] for a detailed explanation of the
relationship between circuit semi-modularity and its hazard freedom.
An important observation from the above discussion for this work is that STG validity
and output signal persistency are necessary conditions for an SI circuit to be hazard-free.
This means that if for a given STG it is hypothesised that there exists a hazard-free SI circuit
implementing this behaviour, then the following properties of this STG must be checked in
order to guarantee its hazard-free implementation as an SI circuit:
• STG boundedness;
• STG validity;
• output signal persistency.
The process of obtaining an implementation from an STG specification is called synthesis.
During the synthesis process, truth tables for future logic gates are derived from the binary
vectors assigned to states of the built SG. Each vector is considered as a point in the domain
of a boolean function whose value is the implied value of some output signal. However, if two
different states of the SG imply the same set of values for the output signals, then these two
states cannot be distinguished using only these output signals. Therefore, another necessary
condition, the Complete State Coding (CSC) [13] requirement, must be satisfied if the circuit
is to be synthesised from an STG by constructing the corresponding SG.
Definition 3.5.3 An STG is said to have Complete State Coding (CSC) if for any two states
$s_1$ and $s_2$ in its SG such that $v_1 = v_2$ the set of output signals excited (defined in Section 2.2.3)
in both states is equal. □
At the circuit level all information about the state of the system is kept in the values of the
signals, i.e. binary codes. Satisfying the CSC ensures that each state of the synthesised circuit
is unique at the circuit level.
The CSC condition distinguishes between input and output signals. It does, however,
allow an SG to have two states with different marking components but equal binary vectors
assigned to them. A stricter condition was also introduced in [13] which requires every state
of the SG to have a unique binary vector assigned to it. This property is called Unique State
Coding and is defined below.
Definition 3.5.4 An STG is said to have the Unique State Coding (USC) property iff for any two
states $s_1$ and $s_2$ in its SG such that $M_1 \neq M_2$ the following is true: $v_1 \neq v_2$. □
Further discussion about these properties in relation to the synthesis of SI circuits can be
found in Chapter 6.
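As an added, runnable illustration of Definitions 3.5.1 to 3.5.4 (this code is not part of the thesis and is not taken from any tool it describes), the following Python script builds the SG of a small STG by reachability over (marking, state vector) pairs, checks the consistency of the state vector assignment while the edges are generated, and then checks CSC and USC on the result. The three STGs, their place and transition names and the state-count limit are constructed for the example; an output signal is taken as excited at a state when one of its transitions is enabled there, and an edge that violates consistency is recorded but not followed.

```python
from collections import deque

# Constructed example STGs (added here, not from the thesis). A transition is
# (signal, polarity, preset, postset); all arcs have weight 1.
HANDSHAKE = {                      # a+ b+ a- b-: a is an input, b an output
    "signals": ["a", "b"], "inputs": {"a"},
    "transitions": {
        "t1": ("a", "+", ["p1"], ["p2"]),
        "t2": ("b", "+", ["p2"], ["p3"]),
        "t3": ("a", "-", ["p3"], ["p4"]),
        "t4": ("b", "-", ["p4"], ["p1"]),
    },
    "m0": {"p1": 1}, "v0": (0, 0),
}
CSC_VIOLATION = {                  # a+ b+ b- a-: vector 10 occurs twice with different excited outputs
    "signals": ["a", "b"], "inputs": {"a"},
    "transitions": {
        "t1": ("a", "+", ["p1"], ["p2"]),
        "t2": ("b", "+", ["p2"], ["p3"]),
        "t3": ("b", "-", ["p3"], ["p4"]),
        "t4": ("a", "-", ["p4"], ["p1"]),
    },
    "m0": {"p1": 1}, "v0": (0, 0),
}
INCONSISTENT = {                   # a+ a+: the second rising edge breaks Definition 3.5.2
    "signals": ["a"], "inputs": set(),
    "transitions": {"t1": ("a", "+", ["p1"], ["p2"]), "t2": ("a", "+", ["p2"], ["p1"])},
    "m0": {"p1": 1}, "v0": (0,),
}


def enabled(marking, transitions):
    """Transitions whose preset places all carry a token."""
    return [t for t, (_, _, pre, _) in transitions.items()
            if all(marking.get(p, 0) >= 1 for p in pre)]


def fire(marking, transitions, t):
    """Marking reached by firing t (standard PN firing rule)."""
    _, _, pre, post = transitions[t]
    m = dict(marking)
    for p in pre:
        m[p] -= 1
    for p in post:
        m[p] = m.get(p, 0) + 1
    return {p: n for p, n in m.items() if n > 0}


def build_sg(stg, bound=1, max_states=10000):
    """SG of Definition 3.5.1: vertices are (marking, state vector) pairs reached from M0."""
    trs, index = stg["transitions"], {s: i for i, s in enumerate(stg["signals"])}
    key = lambda m: tuple(sorted(m.items()))
    start = (key(stg["m0"]), tuple(stg["v0"]))
    states, edges = {start: dict(stg["m0"])}, []
    report = {"consistent": True, "bounded": True}
    queue = deque([start])
    while queue:
        mk, v = queue.popleft()
        m = states[(mk, v)]
        for t in enabled(m, trs):
            sig, pol, _, _ = trs[t]
            i = index[sig]
            expected = 0 if pol == "+" else 1     # Definition 3.5.2: a+ needs v[i]=0, a- needs v[i]=1
            if v[i] != expected:
                report["consistent"] = False
                continue                           # an inconsistent edge is recorded, not followed
            nv = v[:i] + (1 - expected,) + v[i + 1:]
            nm = fire(m, trs, t)
            if max(nm.values(), default=0) > bound or len(states) >= max_states:
                report["bounded"] = False          # the underlying PN exceeds the bound: SG not finite
                continue
            nk = (key(nm), nv)
            if nk not in states:
                states[nk] = nm
                queue.append(nk)
            edges.append(((mk, v), t, nk))
    return states, edges, report


def excited_outputs(stg, marking):
    """Output signals with an enabled transition at the marking (excited in the sense of Section 2.2.3)."""
    trs = stg["transitions"]
    return frozenset(trs[t][0] for t in enabled(marking, trs) if trs[t][0] not in stg["inputs"])


def analyse(stg, bound=1):
    """Validity (finite SG and consistent labelling), CSC (Definition 3.5.3) and USC (Definition 3.5.4)."""
    states, edges, report = build_sg(stg, bound)
    by_vector = {}
    for (_, v), m in states.items():
        by_vector.setdefault(v, []).append(excited_outputs(stg, m))
    report["valid"] = report["consistent"] and report["bounded"]
    report["csc"] = all(len(set(ex)) == 1 for ex in by_vector.values())   # equal vectors -> equal excited outputs
    report["usc"] = all(len(ex) == 1 for ex in by_vector.values())        # equal vectors -> one state only
    report["states"], report["edges"] = len(states), len(edges)
    return report
```

For CSC_VIOLATION the SG has four states but only three distinct vectors: 10 is reached once with b+ enabled (output b excited) and once with only the input transition a- enabled, so CSC and USC both fail although the labelling is consistent and the STG is valid.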
3.6 Conclusions
In this chapter PNs and LPNs were introduced. Structural and behavioural properties of
each formalism were defined. This chapter also reviewed the two main methods of PN
behavioural analysis, based on constructing a reduced reachability graph and on a symbolic
representation of the reachability graph in the form of a BDD.
Section 3.3 introduced PN-unfolding as the means for analysis of PN behaviour. This
method is based on the partial order approach which constructs a labelled occurrence net.
The algorithms for building the unfolding and its truncated fragment are reproduced. The
truncated PN-unfolding represents all reachable states of the original bounded and finite PN
in a finite fragment of the PN-unfolding. The truncation uses the cutoff condition suggested in
[47]. The following chapter demonstrates the potential inefficiency of this cutoff condition and
introduces a PN-unfolding segment and a new cutoff condition which avoids this drawback.
The notion of STGs as a particular case of LPNs was introduced. It allows specification
of asynchronous circuits at the signal level. The STG analysis method based on the con-
struction of its SG was presented. The properties of STGs which are crucial to the correct
implementation of an STG specification as an SI circuit are defined. It will be shown later that
these properties can be efficiently verified using the STG-unfolding segment, a new concept
introduced in Chapter 5.
Chapter 4
Analysis of PN Models
This chapter describes a new concept of the PN-unfolding segment which is based on the
truncated PN-unfolding. First, the existing truncated PN-unfolding is adapted to enable the
analysis of the temporal relations between transitions of the original PN. Then the redundancy
of the modified truncated PN-unfolding is explained. This chapter then presents a cutoff
condition for safe PNs due to Esparza et al. [22], which attempts to avoid this redundancy.
In addition, an experimental technique of truncation is presented which is applied to truncated
unfoldings of unsafe PNs and demonstrates great potential. The fragment of the unfolding
constructed with the new cutoff condition is called the PN-unfolding segment. Experimental
results illustrate the reduction in size of the fragment which is required to represent the
reachable state space for two realistic PN models. The PN-unfolding segment is applied to
the verification of asynchronous circuits.
4.1 Adapting Truncated PN-unfolding
The algorithm for obtaining a truncated PN-unfolding [47] constructs a representation of all
reachable markings. However, this is not enough if the relations between transitions need to
be analysed. According to McMillan's original algorithm, cutoff point transitions are not
included in the truncated unfolding. Thus some of the live transitions $t$ of the original PN
may have no corresponding instances $t'$ in the truncated PN-unfolding.
Consider the truncated PN-unfolding in Figure 4.1(a) reproduced from Figure 3.9. Since
instance $t'_7$ is a cutoff point, this instance will not be added to the truncated PN-unfolding.
[Figure 4.1: (a) the truncated PN-unfolding with place instances $p'_1 \ldots p'_8$ and transition instances $t'_1 \ldots t'_6$; (b) the modified truncated PN-unfolding, which additionally contains the cutoff instance $t'_7$ and its successor places $p''_1$ and $p''_2$.]
Figure 4.1: Example of truncated (a) and modified truncated (b) PN-unfolding.
proc Build modified truncated unfolding(N = (P, T, F, C, M0))
  Initialise N' with instances of places in M0
  Initialise QUEUE with t enabled at M0
  while QUEUE not empty do
    Pull t from QUEUE
**  Add t' and t'• to N'
**  if t' is a cutoff then do
**    Mark t' and t'• as cutoff points
**  end do
    for each t in T do
**    Find unused set of concurrent instances of places in •t
**    which are not successors of a cutoff transition
      if such set exists then do
        Add t to QUEUE in order of |⌈t'⌉|
      end do
    end do
  end do
  return N'
end proc
Figure 4.2: Algorithm for modified truncated PN-unfolding.
To ensure that all instances are present in the truncated PN-unfolding, the cutoff points
must be retained in the fragment. These instances and their successor places are marked
as cutoff points. These place instances are, therefore, never chosen again when a set of
independent place instances is looked up. Thus the modified truncated PN-unfolding, shown
in Figure 4.1(b), will include instance $t'_7$.
The pseudo-code of the algorithm producing a modified truncated PN-unfolding is given
in Figure 4.2. As it can be seen, the only difference (lines marked by **) with the previous
version is the treatment of the cutoff point transitions.
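The following Python class is an added example of the modified truncated PN-unfolding of Figure 4.2 (it is not the thesis's own code nor the PUNT tool); the two example nets CYCLE and FORK_JOIN and all identifiers are constructed for it. It uses McMillan's cutoff condition (an earlier instance, or the empty configuration standing for $M_0$, reaches the same final state with a strictly smaller local configuration), keeps cutoff events together with their successor conditions in the fragment, and never extends a condition that is a successor of a cutoff, so that every live transition of the net obtains an instance as Proposition 4.1.1 states.

```python
from collections import Counter
from itertools import product

# Constructed example nets (added here; not from the thesis): transition -> (preset, postset),
# and the initial marking as a list of places,one entry per token.
CYCLE = {"transitions": {"t1": (["p1"], ["p2"]), "t2": (["p2"], ["p1"])}, "m0": ["p1"]}
FORK_JOIN = {"transitions": {"t1": (["p1"], ["p2", "p3"]), "t2": (["p2"], ["p4"]),
                             "t3": (["p3"], ["p5"]), "t4": (["p4", "p5"], ["p1"])},
             "m0": ["p1"]}


class Unfolding:
    """Modified truncated PN-unfolding (Figure 4.2): McMillan's cutoff, cutoff events kept."""

    def __init__(self, net):
        self.net = net
        self.cond_label = []   # condition (place instance) -> place name
        self.cond_past = []    # condition -> frozenset of events causally before it
        self.events = []       # event (transition instance) -> dict with t, pre, post, local, final, cutoff
        for p in net["m0"]:    # conditions 0 .. |M0|-1 are the initially marked places
            self._new_cond(p, frozenset())
        self._run()

    def _new_cond(self, place, past):
        self.cond_label.append(place)
        self.cond_past.append(past)
        return len(self.cond_label) - 1

    def _is_coset(self, conds):
        """Mutually concurrent: no member precedes another and their joint past is conflict-free."""
        past = set().union(*(self.cond_past[b] for b in conds))
        consumed = Counter(b for e in past for b in self.events[e]["pre"])
        return all(n == 1 for n in consumed.values()) and not any(consumed[b] for b in conds)

    def _final_state(self, config):
        """F_s(C): the places of the conditions left marked after the configuration C has fired."""
        marked = set(range(len(self.net["m0"])))
        for e in config:
            marked |= set(self.events[e]["post"])
        for e in config:
            marked -= set(self.events[e]["pre"])
        return frozenset(Counter(self.cond_label[b] for b in marked).items())

    def _possible_extensions(self, seen):
        """Unused co-sets of conditions labelled like the preset of t, none a successor of a cutoff."""
        by_place = {}
        for b, p in enumerate(self.cond_label):
            if not any(self.events[e]["cutoff"] for e in self.cond_past[b]):
                by_place.setdefault(p, []).append(b)
        exts = []
        for t, (pre, _) in self.net["transitions"].items():
            for combo in product(*(by_place.get(p, []) for p in pre)):
                key = (t, frozenset(combo))
                if len(set(combo)) < len(combo) or key in seen or not self._is_coset(combo):
                    continue
                seen.add(key)
                size = len(set().union(*(self.cond_past[b] for b in combo))) + 1   # size of the local configuration
                exts.append((size, t, combo))
        return exts

    def _run(self):
        seen, m0 = set(), frozenset(Counter(self.net["m0"]).items())
        queue = self._possible_extensions(seen)
        while queue:
            queue.sort()                        # QUEUE ordered by the size of the local configuration
            _, t, conds = queue.pop(0)
            eid = len(self.events)
            local = frozenset({eid} | set().union(*(self.cond_past[b] for b in conds)))
            ev = {"t": t, "pre": list(conds), "post": [], "local": local, "cutoff": False}
            self.events.append(ev)
            ev["post"] = [self._new_cond(p, local) for p in self.net["transitions"][t][1]]
            ev["final"] = self._final_state(local)
            # McMillan's cutoff: an earlier event (or the empty configuration, which reaches M0)
            # has the same final state and a strictly smaller local configuration
            ev["cutoff"] = ev["final"] == m0 or any(
                o["final"] == ev["final"] and len(o["local"]) < len(local) for o in self.events[:eid])
            queue.extend(self._possible_extensions(seen))   # successors of a cutoff are never extended

    def instances_of(self, t):
        """Indices of the instances of transition t in the fragment."""
        return [i for i, ev in enumerate(self.events) if ev["t"] == t]
```

On FORK_JOIN the fragment has exactly four events: the instance of t4 closes the cycle back to $M_0$ and is the only cutoff, but it stays in the fragment with its successor condition, so every transition of the net has an instance and the concurrency of t2 and t3 is visible in the structure.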
Property 4.1.1 Let $N$ be a PN which is finite and bounded and $N'$ be a truncated unfolding
constructed by the algorithm in Figure 4.2. Then, for every reachable marking $M$ in PN there
exists a configuration $C$ in $N'$ such that $F_s(C) = M$ and no instance in $C$ is a cutoff transition.
□
Proposition 4.1.1 For any transition $t$ which is live from $M_0$ in a finite and bounded PN
$N$ there exists an instance $t'$ in the modified truncated PN-unfolding built for $N$.
Proof: By Property 4.1.1, for every reachable marking $M$ there exists a configuration $C$ in
the truncated PN-unfolding $N'$ such that $F_s(C) = M$ and no instance in $C$ is a cutoff
transition. Hence, no instance in $C^\bullet$ is a successor of a cutoff transition; and, therefore,
if a transition is enabled at $M$, then its instance $t'$ will be instantiated in $N'$ unless $t'$ is
a cutoff transition.
□
[Figure 4.3: (a) a PN with a safe place $p_1$ and an unsafe place $p_2$; (b) its truncated PN-unfolding with place instances $p'_1, p'_2, p''_1, p''_2, p'''_1$.]
Figure 4.3: Example of truncated PN-unfolding redundancy
Proposition 4.1.2 For all transitions $t_1 \ldots t_n$ enabled at a reachable marking $M$ of a finite
and bounded PN $N$ there exist a configuration $C$ and instances $t'_1 \ldots t'_n$ in the modified
truncated PN-unfolding such that $\forall t'_i: {}^\bullet t'_i \subseteq C^\bullet$ and $F_s(C) = M$ and no place in $C^\bullet$ is a
successor of a cutoff transition. □
The result above is very important as it shows that the relations between transitions can
be analysed in the modified truncated PN-unfolding. The next corollary proves to be useful
for establishing relations between elements of the original PN from its modified truncated
PN-unfolding.
Corollary 4.1.1 Two elements $x_1, x_2 \in P \cup T$ of a PN $N$ are concurrent iff there exist two
instances $x'_1$ and $x'_2$ in the modified truncated unfolding segment such that $x'_1 \parallel x'_2$. □
Since the addition of cutoff points cannot lead to the instantiation of new instances,
all statements proved in the previous chapter and [47] hold for the modified truncated PN-
unfolding. The size of the unfolding is increased only by the number of cutoff transitions and
their immediate successors. Henceforth, the modified truncated PN-unfolding will be referred
to as a truncated PN-unfolding.
4.2 Avoiding Redundancy in PN-unfolding
The original McMillan's algorithm may produce a truncated PN-unfolding which includes
redundant instances of transitions. A redundant instance t' is a non-cutoff transition of
the constructed truncated PN-unfolding which does not add new information about the PN
behaviour, i.e. the final state of any configuration C which includes t' is equal to the final state
of some other configuration C' of the truncated PN-unfolding. Note that the cutoff transitions
are not considered to be redundant as their presence ensures the correct representation of
events in the unfolding. This section examines the redundancy of the truncated PN-unfolding,
explains an existing method of battling it for safe PNs and suggests a truncation technique
for bounded PNs.
[Figure 4.4: (a) the storage unit PN from [58] with places "storage free" and "storage used"; (c) the safe SMPN from [39]; (d) its truncated PN-unfolding with the redundant instances shaded.]
Table in Figure 4.4(b): growth of the truncated PN-unfolding of the storage unit with the number of tokens
Tokens   States   Trans
   1        4         4
   2        7        20
   3       10        96
   4       13       520
   5       16      3260
Figure 4.4: Examples of truncated PN-unfolding growth
4.2.1 Redundancy of Truncated PN-unfolding
The truncated PN-unfolding has the power to distinguish tokens in a place. If a place p
becomes unsafe, then the number of instances of this place will correspond to the number of
tokens in it. The PN firing rule does not distinguish which of the tokens should be removed
by the firing of a transition t which has p in et. The marking reached after the firing of t is the
same whichever token is used. However, in the unfolding, the structural distinction between
place instances may cause the construction of several instances of t and their successors,
increasing the size of the unfolding.
Example. Consider a PN and its truncated unfolding shown in Figure 4.3. Since place $p_2$ is
unsafe, there will be two instances of $p_2$ in the PN-unfolding. Thus a single token in $p_1$
will be "paired" with each of the tokens in $p_2$ and two instances of transition $t_1$ will be
constructed. If the order of the tokens in the unsafe place does not matter, as is true
for most systems, then the second instance of $t_1$ and all its successors are redundant.
Another example, shown in Figure 4.4(a), is taken from Nowick and Dill's work [58]
and represents a storage unit. The number of tokens in an unsafe place represents the
capacity of the storage unit. The truncated PN-unfolding grows exponentially in the
number of tokens in this example, as illustrated in the table in Figure 4.4(b). ■
An overly strong cutoff condition is another cause of redundancy; it may lead to the
creation of redundant transitions even in the case of a safe PN. It is easy to come up with
an extreme example (e.g. the example in Figure 4.4(c) taken from [39]) which is a safe SMPN.
Because of the strict condition on the size of the local configuration for the cutoff transition,
the size of the truncated PN-unfolding of this PN, shown in Figure 4.4(d), will be exponential.
However, only a fraction of the instances, linear in the number of transitions in the original
PN, will be sufficient to represent all reachable markings. The redundant copies of instances
are shaded out in Figure 4.4(d). In this case the truncated unfolding distinguishes tokens
arriving in a place through different paths.
[Figure 4.5: (a) an unsafe PN with transitions $t_0$, $t_1$, $t_2$ and place $p_4$; (b) its PN-unfolding; (c) the equivalent CD; (d) the CD-unfolding; (e) the PN after substituting a pipeline for the unsafe place; (f) the PN-unfolding of the transformed PN.]
Figure 4.5: Illustration of FIFO transformation of an unsafe PN.
An interesting approach was described in [35]. The CD-unfolding, suggested there, imposes
a strict FIFO order on the consumption of the tokens from an arc with the activity more than
1 (a "CD equivalent" of an unsafe place). Under this assumption the tokens are consumed
in the order of their arrival onto this arc and, therefore, the transition can consume only
one token. Thus only one instance of t will be created in the CD-unfolding. It is possible to
simulate such behaviour in a PN by substituting any unsafe but bounded place with a pipeline
structure which is capable of accumulating a bounded number of tokens; this structure will
release tokens in the order of their arrival.
Consider the example shown in Figure 4.5(a). The PN-unfolding for this PN is shown in
Figure 4.5(b). As can be seen, there are two instances of $t_2$, one of which, $t''_2$, is redundant
as the final state of its configuration is already represented by $t'_2$. This behaviour can
be equivalently described by a CD shown in Figure 4.5(c) whose CD-unfolding is shown in
Figure 4.5(d). The CD-unfolding has only one instance of $t_2$ and thus does not have this
redundancy. However, the unsafe place $p_2$, which causes the redundancy, can be substituted by a
pipeline-like structure as shown in Figure 4.5(e), and, hence, the FIFO order is imposed on the
token consumption. The PN-unfolding of the transformed PN is given in Figure 4.5(f); it has
only one instance of $t_2$. The part of the PN-unfolding of the transformed PN corresponding
to place $p_2$ of the unsafe PN is highlighted by a dashed line.
[Figure 4.6: (a) a PN with place $p_1$; (b) its truncated PN-unfolding.]
Figure 4.6: Example of a PN and its truncated PN-unfolding
Note that the result of such a transformation is a safe PN. However, the FIFO discipline
on the order of token consumption in CDs can be assumed due to the fact that they are
choice-free. Therefore, the transformation illustrated above can only be applied to choice-free
specifications, e.g. MGPN.
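An added Python example (not from the thesis) of the pipeline substitution described above: a bounded place of a choice-free net is replaced by a chain of stage places, each paired with a complementary "free" place so that every stage is safe, joined by shift transitions that move a token one stage towards the consumer; producers fill the first stage and consumers drain the last, so tokens leave in the order they arrived. The net PROD_CONS, the stage and shift names, and the max_tokens search that confirms the bound before and after the transformation are all constructed for the illustration.

```python
from collections import Counter, deque

# Constructed producer/consumer net (added here; not from the thesis): two tokens circulate
# through p1 and p2, so both places are 2-bounded but unsafe.
PROD_CONS = {"transitions": {"t1": (["p1"], ["p2"]), "t2": (["p2"], ["p1"])},
             "m0": ["p1", "p1"]}


def pipeline_place(net, place, capacity):
    """Replace a k-bounded place of a choice-free net by k safe stages with FIFO discipline.
    Stage i holds a token in `<place>_i` or, when empty, in `<place>_i_free`; a producer of
    `place` needs stage 1 free, a consumer takes from stage k, and shift transitions move a
    token from stage i to an empty stage i+1, so tokens are released in arrival order."""
    stages = [f"{place}_{i}" for i in range(1, capacity + 1)]
    free = [f"{s}_free" for s in stages]            # complement places keep every stage safe
    transitions = {}
    for t, (pre, post) in net["transitions"].items():
        if pre.count(place) > 1 or post.count(place) > 1:
            raise ValueError(f"{t}: arcs of weight > 1 on {place} are not handled")
        new_pre = [stages[-1] if p == place else p for p in pre]
        new_post = [stages[0] if p == place else p for p in post]
        if place in pre:                            # consumer frees the last stage
            new_post.append(free[-1])
        if place in post:                           # producer needs the first stage to be empty
            new_pre.append(free[0])
        transitions[t] = (new_pre, new_post)
    for i in range(capacity - 1):
        transitions[f"shift_{place}_{i + 1}"] = ([stages[i], free[i + 1]], [free[i], stages[i + 1]])
    tokens = net["m0"].count(place)
    if tokens > capacity:
        raise ValueError(f"{place} holds {tokens} tokens but capacity is {capacity}")
    # tokens present initially sit in the stages nearest the consumer, as if they arrived earlier
    m0 = ([p for p in net["m0"] if p != place]
          + stages[capacity - tokens:] + free[:capacity - tokens])
    return {"transitions": transitions, "m0": m0}


def max_tokens(net, limit=10000):
    """Largest token count seen in each place over the reachable markings (exhaustive search)."""
    start = frozenset(Counter(net["m0"]).items())
    seen, queue, peak = {start}, deque([start]), Counter(net["m0"])
    while queue:
        m = dict(queue.popleft())
        for pre, post in net["transitions"].values():
            if not all(m.get(p, 0) >= pre.count(p) for p in pre):
                continue
            n = dict(m)
            for p in pre:
                n[p] -= 1
            for p in post:
                n[p] = n.get(p, 0) + 1
            for p, k in n.items():
                peak[p] = max(peak[p], k)
            key = frozenset((p, k) for p, k in n.items() if k > 0)
            if key not in seen and len(seen) < limit:
                seen.add(key)
                queue.append(key)
    return dict(peak)
```

The complement places are what make the result safe: a producer is blocked while stage 1 is occupied rather than stacking a second token there, and the invariant "stage i full + stage i free = 1" holds in every reachable marking. The substitution adds interleavings of the shift transitions but does not remove any marking of the original place, which is why it only makes sense for choice-free nets where the consumer cannot pick among tokens anyway.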
Several attempts were made to enhance the truncated PN-unfolding condition. In [39] a
seemingly simple cutoff condition was suggested which allows a transition with an equal size
of its local configuration. It has, however, been shown to be incorrect, first in [76] for bounded
PNs and then in [22] for safe PNs. Esparza et al. [22] suggested an efficient algorithm for
constructing a finite prefix of the PN-unfolding of a safe PN. In this work it was noted that a
total order can be imposed between configurations in the unfolding of a safe PN. This total
order corresponds to the total order in which instances of transitions in the unfolding are
constructed. Thus it can be used to decide which of the instances is a cutoff transition.
The following section presents the result of [22] and then suggests a truncation technique to
overcome the redundancy associated with unsafe places. A segment of the PN-unfolding which
does not contain the redundant copies of transitions is called a PN-unfolding segment.
4.2.2 PN-unfolding Segment
Consider an example of a PN in Figure 4.6(a) with its truncated PN-unfolding shown
in Figure 4.6(b). As can be seen, the truncated unfolding contains redundant instances of
transitions $t_3$ and $t_5$, e.g. two instances of $t_3$ have equal final states of their local configurations
and, therefore, represent the same reachable marking $(p_1, p_4)$. Consider first the redundancy
associated with arrival of tokens into one place through different paths.
Let there exist an arbitrary total order $\ll$ which is imposed on the transitions of a PN
$N$. The order $\ll$ is extended to arbitrary connected partially ordered sets of instances of the
PN-unfolding as follows. For a set of events $T''$, let $\varphi(T'')$ be that sequence of transitions
which is ordered according to $\ll$ and contains each transition $t$ as often as there are events in
$T''$ with the label $t$. $\varphi(T'')$ is called the signature of $T''$. Now, it is said that $T''_1 \ll T''_2$ if $\varphi(T''_1)$
is shorter than $\varphi(T''_2)$, or if they are the same length but $\varphi(T''_1)$ is lexicographically smaller
than $\varphi(T''_2)$. Note that $T''_1$ and $T''_2$ are incomparable with respect to $\ll$ if $\varphi(T''_1) = \varphi(T''_2)$. In
particular, if $T''_1$ and $T''_2$ are incomparable with respect to $\ll$, then $|T''_1| = |T''_2|$.
Esparza et al. [22] also introduced an isomorphism $I^2_1$ between two finite configurations.
Let two finite configurations $C_1$ and $C_2$ be such that $F_s(C_1) = F_s(C_2)$ and $C_1 \subset C_2$. From
the definitions it follows that since $F_s(C_1) = F_s(C_2)$, the extension of the unfolding from
$C_1$ is isomorphic to the unfolding of the original PN where $M_0 = F_s(C_2)$; and therefore the
unfolding extension from $C_1$ is isomorphic to the unfolding extension from $C_2$. Moreover,
there is an isomorphism $I^2_1$ from the extensions from $C_1$ to the extensions from $C_2$. This
isomorphism introduces a mapping from the finite extensions of $C_1$ onto the extensions of $C_2$;
it maps $C_1 \cup T''$ onto $C_2 \cup I^2_1(T'')$. A finite extension $T''$ of some configuration $C$ is also
called a suffix to $C$. In [22] the notion of adequate order was introduced as follows.
Definition 4.2.1 [22] A partial order $\prec$ on the finite configurations of a PN-unfolding is called
an adequate order iff:
• $\prec$ is well-founded, i.e. $\prec$ is finite,
• $\prec$ refines $\subset$, i.e. $C_1 \subset C_2$ implies $C_1 \prec C_2$, and
• $\prec$ is preserved by finite extensions, meaning that if $C_1 \prec C_2$ and $F_s(C_1) = F_s(C_2)$, then
$C_1 \cup T'' \prec C_2 \cup I^2_1(T'')$, where $T''$ is a suffix to $C_1$.
□
It was observed in [22] that the algorithm and the cutoff condition can be presented in
parametrised form where the parameter is an adequate order $\prec$, i.e. a newly generated instance
$t'$ is a cutoff transition iff
The parametrised version of the algorithm is given in Figure 4.7; the difference from the
algorithm in Figure 3.10 is in the ordering of the newly generated instances in the QUEUE (a
line marked with "**").
It was also noted that McMillan's order corresponds to a particular case of $\prec$, i.e. the
order
$C_1 \prec_M C_2 \Leftrightarrow |C_1| < |C_2|$
which can be easily shown to be adequate. Furthermore, Esparza et. al. [22] introduced the
following total order on suffixes of configurations.
Definition 4.2.2 [22] Let $T''_1$ and $T''_2$ be two suffixes of configurations of a PN-unfolding and
let $Min(T''_1)$ and $Min(T''_2)$ be the sets of minimal elements of $T''_1$ and $T''_2$ with respect to the
causal relation. Then $T''_1 \prec_E T''_2$ if:
• $T''_1 \ll T''_2$, or
• $\varphi(T''_1) = \varphi(T''_2)$ and $Min(T''_1) \ll Min(T''_2)$, or
• $\varphi(Min(T''_1)) = \varphi(Min(T''_2))$ and $T''_1 \setminus Min(T''_1) \prec_E T''_2 \setminus Min(T''_2)$.
□
proc Build truncated unfolding(N = (P, T, F, M0))
  Initialise N' with instances of places in M0
  Initialise QUEUE with t enabled at M0
  while QUEUE not empty do
    Pull t from QUEUE
    Add t' and t'• to N'
    if t' is a cutoff then do
      Mark t' and t'• as cutoff points
    end do
    for each t in T do
      Find unused set of mutually concurrent instances of places in •t
      which are not successors of a cutoff transition
      if such set exists then do
        Add t to QUEUE according to the order ≺   **
      end do
    end do
  end do
  return N'
end proc
Figure 4.7: Parametrised algorithm for truncated PN-unfolding.
The following result is due to Esparza et al. [22].
Theorem 4.2.1 [22] $\prec_E$ is an adequate total order on the configurations of a PN-unfolding
$N'$ constructed for a safe PN $N$.
The proof of this theorem is done in [22] by proving the following statements:
• $\prec_E$ is a partial order,
• $\prec_E$ is total on configurations of $N'$,
• $\prec_E$ is well-founded,
• $\prec_E$ refines $\subset$,
• $\prec_E$ is preserved by finite extensions.
□
The interested reader is advised to consult the original proof for details. From the above
theorem it follows that using the signature defined as above for every instance in the PN-
unfolding it is possible to construct a finite prefix for safe PNs such that no two instances
have equal final states of their local configurations. The cutoff condition is defined as follows.
[Figure 4.8: (a) a PN with places $p_7$, $p_8$, $p_9$; (b) its truncated PN-unfolding with place instances $p'_7, p'_8, p'_9, p''_7, p''_8, p''_9$.]
Figure 4.8: Example of a PN and its truncated PN-unfolding
Definition 4.2.3 Safe PN cutoff condition
A newly generated instance $t'_c$ is called a cutoff transition iff there exists another instance $t'$
such that
$F_s(\lceil t' \rceil) = F_s(\lceil t'_c \rceil)$ and $\lceil t' \rceil \prec_E \lceil t'_c \rceil$
□
The result of [22] is based on the fact that all configurations in a PN-unfolding built for
a safe PN are totally ordered. It has demonstrated significant savings in computational time
and space when applied to analysis of safe PNs. However, this method is restricted to safe
PNs only, as in an unsafe PN the order between two signatures ceases to be preserved by finite
extensions. Nevertheless, the analysis of bounded PNs can be helped by means of pruning.
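An added Python example (not code from the thesis or from [22]) of the orders used above: the signature $\varphi$, the extension of $\ll$ to event sets, $\prec_E$ from Definition 4.2.2 with its recursion on minimal elements, and the cutoff test of Definition 4.2.3 side by side with McMillan's size-based order $\prec_M$. The total order ORDER on transitions and the configurations C1 to C8 are constructed; an event is represented by its id, its label and the ids of its causal predecessors, and a local configuration by the list of its events.

```python
# Constructed example (added here; not code from the thesis or from [22]). An event is a
# tuple (id, transition label, frozenset of ids of the events in its causal past).
ORDER = ["t1", "t2", "t3", "t4"]             # an arbitrary total order << on the transitions of the PN
RANK = {t: i for i, t in enumerate(ORDER)}


def event(eid, label, *past):
    return (eid, label, frozenset(past))


def signature(events):
    """phi(T''): the labels of the events listed in the order <<, one entry per event."""
    return sorted((label for _, label, _ in events), key=RANK.__getitem__)


def sig_less(s1, s2):
    """<< on event sets via their signatures: the shorter first, equal lengths lexicographically."""
    if len(s1) != len(s2):
        return len(s1) < len(s2)
    return [RANK[t] for t in s1] < [RANK[t] for t in s2]


def minimal(events):
    """Min(T''): the events of T'' with no causal predecessor inside T''."""
    ids = {eid for eid, _, _ in events}
    return [e for e in events if not (e[2] & ids)]


def esparza_less(c1, c2):
    """C1 <_E C2 (Definition 4.2.2): signature first, then Min, then recurse on the remainders."""
    s1, s2 = signature(c1), signature(c2)
    if s1 != s2:
        return sig_less(s1, s2)                 # clause 1: C1 << C2 (if instead C2 << C1 this is False)
    m1, m2 = minimal(c1), minimal(c2)
    sm1, sm2 = signature(m1), signature(m2)
    if sm1 != sm2:
        return sig_less(sm1, sm2)               # clause 2: equal signatures, Min(C1) << Min(C2)
    if not c1:
        return False                            # both empty: equal, hence not smaller
    rest1 = [e for e in c1 if e not in m1]      # clause 3: equal Min signatures, compare the rest
    rest2 = [e for e in c2 if e not in m2]
    return esparza_less(rest1, rest2)


def mcmillan_less(c1, c2):
    """McMillan's order <_M: only the sizes of the local configurations are compared."""
    return len(c1) < len(c2)


def is_cutoff(new_local, new_final, earlier, less=esparza_less):
    """Definition 4.2.3: the new instance is a cutoff iff an earlier instance reaches the same
    final state with a local configuration that is smaller under `less`."""
    return any(final == new_final and less(local, new_local) for local, final in earlier)


# Two local configurations reaching the same (constructed) marking M through different paths.
C1 = [event(1, "t1"), event(2, "t3", 1)]
C2 = [event(3, "t2"), event(4, "t3", 3)]
M = frozenset({("p4", 1)})
# Equal signatures, different minimal elements.
C3 = [event(5, "t1"), event(6, "t2", 5)]
C4 = [event(7, "t2"), event(8, "t1", 7)]
# Equal signatures and equal Min signatures: decided by the recursion on the remainders.
C7 = [event(9, "t1"), event(10, "t2", 9), event(11, "t3", 9)]
C8 = [event(12, "t1"), event(13, "t3", 12), event(14, "t2", 12, 13)]
```

C1 and C2 have local configurations of equal size, so under $\prec_M$ neither instance of t3 is a cutoff and both are kept, whereas $\prec_E$ orders them by signature and makes the later one a cutoff; this is exactly the saving the text attributes to [22] for safe PNs.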
Consider another PN shown in Figure 4.8(a). The PN-unfolding built from it is shown in
Figure 4.8(b). Obviously, some of the transition instances are redundant. However, consider
a truncated PN-unfolding constructed for the same PN and shown in Figure 4.9. The order of
instances added to the unfolding was [list of eight instances illegible in the scanned copy]. If the instances were made cutoffs
as shown, then this PN-unfolding does not represent one of the reachable markings, namely
$(p_3, p_7)$ reached through the firing of transition $t_4$. Note that whatever order of instances is
chosen, at least one reachable marking of the original PN will not be represented in the PN-
unfolding. In fact, the instance of $t_4$ leading to $(p_3, p_7)$ (not the other one) and both instances of $t_3$ must be kept in order to
have all reachable markings represented in the unfolding$^1$.
The above example demonstrates that a further decision about an instance being a cutoff
in the unfolding of a bounded non-autoconcurrent PN can only be made after taking into
account the fact that this instance may produce new instances in the future. Intuitively, this
may be illustrated as follows. Suppose there are two instances $t'_1$ and $t''_1$ which have equal
final states of their local configurations and are in conflict. Suppose also that there exists
a third instance $t'_2$ which is concurrent to $t'_1$ but there is no instance of $t_2$ concurrent to
$t''_1$. In this case, if $t'_1$ is made a cutoff point, then no instances which include $t'_1$ and $t'_2$ in
their local configurations could be constructed. At the same time, since no instance of $t_2$
which is concurrent to $t''_1$ is present in the unfolding, no instances including $t''_1$ and $t_2$ can be
constructed either. Therefore, the set of transitions which are concurrent to $t'_1$ and $t''_1$ must
be considered.
$^1$Obviously the choice of kept instances depends on the order of added instances in the unfolding.
[Figure 4.9: the truncated PN-unfolding of the PN in Figure 4.8(a), with place instances $p''_8$ and $p''_9$, built with wrong cutoffs.]
Figure 4.9: Truncated PN-unfolding with wrong cutoffs.
Note that in a non-autoconcurrent PN, all instances of a transition $t$ are either sequential
or in conflict. In particular, this means that all instances of $t$ with the same length of their
local configuration are in conflict.
To develop a condition which will allow the unfolding to be cut "on-the-fly", consider first
the following pruning procedure. Suppose that all instances in the truncated PN-unfolding
have been ordered, initially in the order of their instantiation. Such an ordering will range
the instances of the unfolding in order of the sizes of their local configurations. Let also the
instances of one transition which have equal final states of their local configurations be grouped
together. In the process of pruning, all instances which have been tested for redundancy and
have been decided to be kept in the unfolding will be deposited into the set $T^P$, which is
initially empty.
The remaining ordered set of instances, which are still to be considered for redundancy, is
denoted as $T^T$; initially $T^T = T'$. This set can be viewed as a queue. The pruning procedure
starts at the beginning of $T^T$ and works through it. At each iteration it removes an instance
$t'_1$ at the beginning of $T^T$. It then checks if there exists another instance $t'_2$ in $T^P$ such that
$F_s(\lceil t'_1 \rceil) = F_s(\lceil t'_2 \rceil)$. Obviously, if $t'_2$ exists, then the sizes of $\lceil t'_1 \rceil$ and $\lceil t'_2 \rceil$ are equal, otherwise
$t'_1$ would be a cutoff in the truncated PN-unfolding. If $t'_1$ is decided to be prunable (using
some condition, e.g. the one suggested later), then it and all its successors are discarded from
further consideration. Alternatively, $t'_1$ is kept, and it is deposited into $T^P$. The pseudo-code
of the pruning procedure is shown in Figure 4.10.
Consider now the redundancy condition for instances in the pruning algorithm. The
relations between instances in the PN-unfolding are captured in the structure of the unfolding.
Using the set TP, a representative set is defined for each instance as follows.
Definition 4.2.4 A subgraph $\mathcal{E}(t') = (P'', T'', F'')$ of a PN-unfolding $N' = (P', T', F', L')$ is
called a representative set of instance $t'$ iff
• $T'' \subseteq T^P$,
• $\forall t'' \in T''$: $(t' \parallel t'') \wedge ({}^\bullet t'' \cup t''^\bullet \subseteq P'')$,
• no instance $t'' \in T''$ is a cutoff transition.
□
proc Prune truncated unfolding(N' = (P', T', F', L'))
  Initialise T^T with T' and order it
  T^P = ∅
  while T^T not empty do
    Pull t'_1 from beginning of T^T
    if ∃ t'_2 ∈ T^P : F_s(⌈t'_1⌉) = F_s(⌈t'_2⌉) and t'_1 is prunable then do
      T^T = T^T \ {t' | t'_1 ≤ t'}      (discard t'_1 and all its successors)
    else do
      T^P = T^P ∪ {t'_1}
    end do
  end do
  return T^P
end proc
Figure 4.10: Algorithm for pruning a truncated PN-unfolding.
In other words, the representative set of an instance $t'$ is a subgraph of the unfolding
such that every transition instance of this subgraph is concurrent to $t'$, and it is restricted to
include only those transition instances of the PN-unfolding which have already been decided to
be kept by the pruning procedure.
It is possible to define a morphism with respect to the labelling function $L': P' \cup T' \to P \cup T$
between two subgraphs of the PN-unfolding.
Definition 4.2.5 A morphism between two subgraphs $\mathcal{E}_1$ and $\mathcal{E}_2$ of the PN-unfolding $N'$
with respect to the PN-unfolding labelling function $L': P' \cup T' \to P \cup T$ is a mapping
$h: P'_1 \cup T'_1 \to P'_2 \cup T'_2$ such that:
• $\forall t'_1 \in T'_1$, $h(t'_1) = t'_2 \in T'_2$: $L'(t'_1) = L'(t'_2)$;
• for every $t'_1 \in T'_1$, the restriction of $h$ to ${}^\bullet t'_1$ is a bijection between ${}^\bullet t'_1$ (in $\mathcal{E}_1$) and ${}^\bullet h(t'_1)$
(in $\mathcal{E}_2$), and similarly for $t'^\bullet_1$ and $h(t'_1)^\bullet$.
□
In other words, the morphism defined above is a mapping between two subgraphs of the
unfolding which preserves the nature of nodes and the environments of transition instances.
In addition, $h$ requires that two nodes $x'_1, x'_2$ with $h(x'_1) = x'_2$ of the subgraphs map onto the same
node of the original PN. Note that the definition of the morphism $h$ is asymmetric: not every node
in the subgraph $\mathcal{E}_2$ is required to have a corresponding node in $\mathcal{E}_1$, i.e. $\mathcal{E}_2$ may be larger than
$\mathcal{E}_1$.
[Figure 4.11: (a) a PN; (b) and (c) two possible PN-unfolding segments constructed for it.]
Figure 4.11: Illustration of redundancy in a PN-unfolding segment.
Using the notions of the representative set of an instance and subgraph morphism it is
possible to define a prunable instance as follows.
Definition 4.2.6 An instance $t'$ of a truncated PN-unfolding constructed for a non-autoconcurrent
PN is called prunable iff there exists another instance $t''$ of the same transition $t$ such
that $|\lceil t' \rceil| = |\lceil t'' \rceil|$ and $h(\mathcal{E}(t')) = \mathcal{E}(t'')$, where $\mathcal{E}(t')$ and $\mathcal{E}(t'')$ are the representative sets of
$t'$ and $t''$ respectively. □
Thus, in the algorithm in Figure 4.10, if $|\lceil t' \rceil| = |\lceil t'' \rceil|$ and $h(\mathcal{E}_2) = \mathcal{E}_1$ for the representative
sets $\mathcal{E}_2$ and $\mathcal{E}_1$ of $t''$ and $t'$, then $t''$ is pruned from the truncated PN-unfolding.
Note that the order of instances in TT is the same as the order of generation of instances
in the algorithm in Figure 4.7 up to permutations of instances with the same length of local
configurations. Therefore, the pruning procedure can be applied along with the procedure
deciding if a newly generated instance is a cutoff, i.e. it can be done "on-the-fly". Hence the
new cutoff condition is defined as follows.
Definition 4.2.7 Non-autoconcurrent PN cutoff. A newly generated instance $t'_c$ is called
a cutoff transition in the PN-unfolding constructed for a non-autoconcurrent PN iff there exists
another instance $t'$ such that
$F_S(\lceil t' \rceil) = F_S(\lceil t'_c \rceil)$ and $\big[\, |\lceil t' \rceil| < |\lceil t'_c \rceil|, \text{ or } \exists h : h(\mathcal{E}(t')) = \mathcal{E}(t'_c) \text{ (if } L'(t') = L'(t'_c)) \,\big]$.
□
The finite fragment of a PN-unfolding constructed using the cutoff condition from Defini-
tion 4.2.7 is called a PN-unfolding segment.
The algorithm does not always produce a minimal segment, as illustrated in Figure 4.11.
Two possible PN-unfolding segments for the PN from Figure 4.11(a) are shown in
Figures 4.11(b) and 4.11(c). As can be seen, the segment in Figure 4.11(b) has one more
instance of $t_6$ compared to the segment in Figure 4.11(c). Which of the segments is con-
structed for this particular PN depends on the order in which the transitions of the original
PN are considered. The algorithm attempts to predict the future behaviour of the PN from
incomplete information. This is a trade-off between efficiency and accuracy of the algorithm.
Figure 4.12: Scalable example.
Obviously, it is possible to develop an algorithm which would be an "inter-breed" of both
methods. On each step the algorithm would construct a layer of PN-unfolding which contains
all concurrent transitions for instances with the current length of their local configurations.
Then the redundant copies of transitions would be pruned and the algorithm would go on to
the next step.
4.3 Performance Comparison of Algorithms
To compare the performance of the different approaches, the algorithms described above were
implemented in the analysis tool PUNT. Although Esparza's algorithms can be applied to
safe PNs only, this has not been an obstacle, since the unsafeness of most benchmarks is
either known in advance or can be detected during unfolding. Thus if a particular benchmark is
reported to be unsafe when using Esparza's algorithm, then the unfolding process is stopped and
the tool is restarted using the cutoff condition based on pruning.
The performance comparison of Esparza's algorithm with the original McMillan's algo-
rithm was presented elsewhere [22]; therefore the PN-unfolding segment algorithm based on
the pruning cutoff condition suggested in the previous section is compared with the orig-
inal McMillan's algorithm here. The comparison uses two realistic examples; the first one is
an example of a token ring protocol, and the second is a production cell example.
4.3.1 Ring Protocol
Token ring protocols, e.g. [100], are common means of communication between two or more
users. The communication protocol, chosen here for illustrative purposes, is a somewhat
simplified version of a real-life communication protocol. Each user is connected to an adapter
which is responsible for access to the ring. The user prepares a data packet and issues a
request to its adapter, informing it that the data is ready. Thus the user instructs the adapter
to obtain access to the ring and to send the data down the ring to the next one. After the
data has been sent, the adapter acknowledges this fact to the user who in turn prepares new
data and issues a new request.

Table 4.1: Experimental results for the token ring protocol.

Benchmark           McMillan                        Experim.
No. ads  No. tok.   Time     Size [tr/pl]           Time     Size [tr/pl]
   2        1        0.08    10/25 (3/5)             0.07    10/25 (3/5)
   2        3        0.17    38/85 (7/13)            0.09    18/45 (11/21)
   2       10        2.04    262/547 (21/41)         0.40    46/115 (39/77)
   2       20       17.7V    922/1887 (41/81)        1.50    86/215 (79/157)
   5        1        0.12    25/61 (6/11)            0.13    25/61 (6/11)
   5        3        0.39    95/211 (16/31)          0.~8    45/111 (26/51)
   5       10        6.30    655/1366 (51/101)       1.84    115/286 (96/191)
   5       20       53.75    2005/4710 (101/201)    11.42    215/536 (196/391)
  10        1        0.27    50/121 (11/21)          0.27    50/121 (11/21)
  10        3        1.09    190/421 (31/61)         0.74    90/221 (51/101)
  10       10       18.01    1310/2731 (101/201)     7.13    230/571 (191/381)
  10       20      148.98    4610/9431 (201/401)    38.99    430/1071 (391/781)
  20        1        0.72    100/241 (21/41)         0.71    100/241 (21/41)
  20        3        3.72    380/841 (61/121)        2.85    180/441 (101/201)
  20       10       67.21    2620/5461 (201/401)   :,W.~7    460/1141 (381/761)
  20       20      525.95    9220/18861 (401/801)  165.36    860/2141 (781/1561)

Adapters are connected between themselves in a ring fashion so that the data propagates
in one direction. The fact that an adapter got its turn to send the data is indicated by the
arrival of a special data package on its inputs which is usually called a "token". Upon the
receipt of the token, the adapter issues a request to its neighbour to indicate that it is sending
a data packet from its user or to pass the token on, if there was no data to send. The overall
organisation of such a communication mechanism is shown in Figure 4.12. The direction of the
data flow in this example is clockwise.
Each adapter is responsible for arbitrating input requests coming from its user and its left-
hand side neighbour. That is, if both requests arrive close to each other, the adapter decides
which one is the winner and processes the winning request. If the user's request was the winner
(operation called "Hit"), then the adapter removes the token and sends a data packet from its
user down the ring. If the user's request was late (operation called "Miss"), then the adapter
simply passes the token over. Any data packet from the left-hand side neighbour which is
destined for the adapter's user is removed and the outstanding user's packet is sent down the
ring.
To make the user's operation more independent from its adapter they are decoupled using
a latch. That is, any data packet coming from the user to be sent down the ring is latched
after which the user may continue with its other activity. Any data coming from the adapter
is also latched so that the user may take it whenever it is ready.
The user is assumed to be able to prepare several data packages which are stored in a pool
of data. Packets are sent from this pool regardless of their order.
The PN model of the control for one of the adapters, its corresponding user and a latch
is shown in Figure 4.12. The behaviour of an adapter is similar for any type of packet on
its input (data or token), and therefore one transition is used for each possible activity. The
pool of user's data is represented by an unsafe place where the number of tokens in the place
indicates the maximum number of prepared data packages, in this case four. Transition "Gen"
represents the request generation from the user. The PN model for the whole ring is obtained
by connecting the required number of copies of this net together. The resulting PN is a
non-autoconcurrent PN and therefore it can be verified using the new PN-unfolding segment
algorithm.
Figure 4.13: Illustration of a production cell.
The experimental results for this example were obtained on a Sun SPARC20 machine and
are shown in Table 4.1. Column "Benchmark" presents the number of adapters in the ring
and the number of tokens in the unsafe place. The rest of the Table presents the results of
constructing the truncated PN-unfolding using McMillan's cutoff condition (columns under
"McMillan") and the PN-unfolding segment (columns under "Experim."). For each algorithm
two parameters were measured: the time (in seconds) required to construct a finite fragment
of the unfolding and its size. The size of the fragment is measured in the number of transition
and place instances, separated by a "/". The Table also shows the number of cutoff transitions
and places which are their successors (corresponding numbers in brackets in columns "Size").
From the results it can be observed that the PN-unfolding segment algorithm using the
cutoff condition based on pruning showed a significant gain in speed and reduction in the frag-
ment size for this set of benchmarks. For the PN model of a token ring with 20 adapters and
a pool size of 20 the PN-unfolding segment had only 860 transition instances. This gain
is due to eliminating conflicting instances of transitions with the same sizes of local config-
urations which do not represent any new markings. This reduction is significant as most of
the algorithms that verify properties of the original PN using the fragment of its unfolding
have complexity dependent on the number of instances (transitions and/or places) in the
fragment. Note also that most of the transition instances in the PN-unfolding segment were
cutoff transitions.
4.3.2 Production Cell
Another example for illustrating the performance of the new method is the model of a pro-
duction cell presented in [42] as a case study of an industry-oriented problem.
The production cell processes metal blanks which are conveyed to a press by a feed belt.
From the feed belt the blank goes to a feeding table. A robot picks the blank up with its
Arm1 and deposits it into the press. After that the press processes the blank. The robot uses
its Arm2 to remove the forged metal plate from the press and puts it onto the deposit belt.
The traveling crane picks the plate from the deposit belt and moves towards the feed belt.
On its way it drops the processed plate and picks up a new blank from an infinite supply of
blanks. It acts as a link between the two belts that makes it possible to let the model function
continuously. The production cell is configured so that several metal plates can be processed
and transported continuously; this should allow optimal utilisation of the cell capacity. The
schematic view of a production cell is shown in Figure 4.13.
Figure 4.14: Initial (a) and cyclic (b) sequences of events in production cell.
The initialisation of the cell is done by a boy who deposits initial blanks onto the feed
belt. He has a limited number of blanks to deposit into the cell.
The task description is given in terms of Coordinated Atomic Actions [96], i.e. actions
coordinating the interaction of two elements of the cell. Part of the specification also includes
graphical representation of sequences of executed actions, similar to timing diagrams in circuit
design. Two sequences are distinguished: the initialisation sequence, in which the boy deposits
the first few blanks into the cell, and the cyclic sequence, which represents activity of the cell
after the initial blanks have been deposited. The graphical representation for both sequences
is shown in Figure 4.14(a) (for 4 initial blanks) and Figure 4.14(b).
The meaning of the actions is self explanatory. For example, action AO means that the
boy deposits a blank onto the feed belt and requires the coordination of interaction between
the boy and the feed belt; action A3 represents depositing a blank from the table into the
press and requires the coordination of interaction between both arms of the robot and the
press.
However, the specification can be considered from the viewpoint of the elements of the production
cell. It is easy to construct models for each of the elements which synchronise whenever
an action needs to be performed. In terms of PNs, this means that a PN model representing
the behaviour of each element is derived from the sequences, and then these PN fragments are
put together by merging the transitions with the same name. The set of PN fragments for the
elements of the production cell is shown in Figure 4.15(a). Note that the PN for Arm1/Arm2
has two transitions labelled with A2/1 and A2/2. The former represents the very first occur-
rence of A2 and the latter represents A2 occurring when the system is in cycle. Formally this
is done by the synchronisation operation between LPNs [66]. The composed PN is shown in
Figure 4.15(b) where the fragments corresponding to each element of the production cell are
shown by a dashed box. The unsafe place represents the number of blanks available to the
boy for the initialisation of the cell, 4 as required in the initial specification.
The resulting PN was analysed using the existing unfolding techniques. The results of
analysis are shown in Table 4.2. The PN model was analysed with a variable number of
tokens in the unsafe place. Column "McMillan" presents the results of truncated PN-unfolding
construction using McMillan's cutoff condition. Column "Experim." presents the results of
analysis using the PN-unfolding segment suggested in the previous section.

Figure 4.15: PN fragments (a) and the complete PN model (b) for production cell. Fragments in (a): Boy (A0), Table (A1, A2), Press (A3, A4, A5), Crane (A8, A9), DepBelt (A6, A7, A8), Arm1/Arm2 (A2/1, A3, A2/2, A5, A6).

Table 4.2: Experimental results for the production cell.

Tokens   McMillan                          Experim.                   Deadlock
         Size [tr/pl]           Time       Size [tr/pl]      Time
   1     5/17 (0/0)              0.10      5/17 (0/0)        0.08      ✓
   2     32/67 (2/4)             0.19      17/40 (2/4)       0.12
   3     135/253 (12/24)         1.02      28/61 (5/10)      0.18
   4     488/911 (60/120)        8.88      36/78 (9/18)      0.29
   5     1745/3337 (320/640)   106.08      43/93 (14/28)     0.36
   6     ****                    ****      49/106 (19/38)    0.49      ✓
  10     ****                    ****      73/158 (43/86)    1.11      ✓

The overall aim of the analysis was to show the sensitivity of the cell to the number of the
initially available blanks. The results showed that the model of the production cell is deadlock
free (footnote 2) when there are 4 blanks available to the boy (line 4 of Table 4.2). Further investigation
revealed more interesting results. The production cell was shown to be deadlocking if the
number of initially available blanks is 1. However, it also showed that 2 blanks are enough to
set the production cell into the cyclic, deadlock free operation, i.e. the initial requirement of 4
blanks is excessive. It was also determined that the cell will deadlock if the number of initial
blanks is more than 5. This means that if the boy sends too many blanks into the production
cell, it will fill up and come to a halt.
As can be seen from the results, the PN-unfolding segment showed substantial gain in
speed and reduction in the size of the constructed PN-unfolding fragment in comparison with
the existing methods. Furthermore, the construction of the truncated PN unfolding failed
due to the size of the unfolding for the case of 6 tokens. The analysis of the cell model using
any of the existing PN-unfolding methods would not be able to detect the above-mentioned
deadlock in the system. The PN-unfolding segment approach did not have any problems in
constructing the segment for the case of 10 initial blanks and detecting the deadlock there.
Footnote 2: See the next section for discussion about the deadlock freedom check using the PN-unfolding.
4.4 Analysis of LPN Models
This section describes an application of the PN-unfolding segment to the analysis of LPNs. On
the one hand, LPNs are used to specify the behaviour of the future system or circuit. After the
specification has been found to be correct, its implementation is obtained by one of the existing
techniques, e.g. syntax driven translation. On the other hand, for circuits designed in an
"ad hoc" manner, it needs to be shown that they correctly implement the desired behaviour.
In this case the circuit is converted to an LPN model which is then verified along with the
model of its environment. Circuits built using two-phase protocol have symmetric operation
on both up and down signal transitions. Four-phase circuits, however, may have different
functions for up and down transitions of the output signal of a gate. A way to model these
circuits using LPNs was shown in [47, 35, 101]. However, some properties are hard to check
using this model. For example, detecting every illegal adjacency of two up transitions without an
intermediate down transition requires checking all feasible sequences of the LPN. Verification
of such properties is simpler using the STG based model where this notion is inherent in the
validity of the STG. Hence, in this Section, only models of two-phase circuits are considered.
The verification of four-phase circuits is presented later.
4.4.1 Verification of LPN Models of Specifications
As discussed in the previous Chapter, the PN-unfolding segment represents every reachable
marking $M$ as the final state of some configuration $C$ and, moreover, all transitions enabled
at $M$ are represented as instances whose inputs are in $C\bullet$. Hence, any PN conflict can be
pin-pointed by finding the instances of places with more than one output arc. Furthermore,
if a PN-unfolding segment was constructed successfully, then the LPN is bounded and finite.
The safeness of an LPN can be checked by looking for two concurrent instances of one
place. Thus the following important properties of LPNs can be verified:
• Boundedness (safeness), which indicates that the system can be implemented using a
finite number of components. In addition, an unsafe place may indicate that a transition
becomes autoconcurrent and hence may cause confusion in the system's operation.
• Action persistency, which indicates that transitions of the system cannot disable each
other. Whereas this is usually allowed in the environment, such behaviour in the system
usually means that some action may be disabled before its completion and hence
lead to a hazard.
• Liveness, where a non-live action indicates that the system never performs an action.
• Deadlock freedom, which indicates that a system never reaches a terminal state. In any
system which is supposed to operate in cycles, a presence of a deadlock is regarded as
an error.
If the specification is unbounded, then it is not possible to implement this behaviour at all.
The rest of the properties are responsible for the correct behaviour of the system.
All these properties can be detected from the PN-unfolding segment. Boundedness is
checked during the construction of the PN-unfolding segment. An efficient branch and bound
algorithm for deadlock detection was suggested by McMillan in [47]. Consider algorithms for
boundedness, safeness, persistency and liveness checks separately.

begin proc Check live(N, N')
  for each t ∈ T do
    if ∄ t' ∈ T' : L'(t') = t then do
      Report non-live t
    end do
  end do
end proc
(a)

begin proc Check safe(N, N')
  for each p ∈ P do
    Find instances of p
    if ∃ p', p'' : p' || p'' then do
      Report unsafe p
    end do
  end do
end proc
(b)

begin proc Check persistent(N')
  for each p' ∈ P' such that |p'•| > 1 do
    for each t'_1, t'_2 ∈ p'• do
      if ∃ C : (•t'_1 ∪ •t'_2) ⊆ C• then do
        if λ(t_1) not enabled at L'(C•) \ (•t_2) ∪ (t_2•) then do
          Report non-persistent λ(t_1)
        end do
        if λ(t_2) not enabled at L'(C•) \ (•t_1) ∪ (t_1•) then do
          Report non-persistent λ(t_2)
        end do
      end do
    end do
  end do
end proc
(c)

Figure 4.16: Algorithms for verification of properties in PN-unfolding segment: (a) Liveness
check, (b) Safeness check and (c) Persistency check.
Boundedness check. The PN-unfolding segment of an unbounded PN is infinite. During
its execution a PN becomes unbounded if it reaches a marking $M'$ and there exists another,
already visited, marking $M$ such that $M \subset M'$ and there exists a sequence $\sigma : M \to M'$. This
is also true for markings which are represented in the PN-unfolding segment by final states
of local configurations. Therefore, if for a newly generated instance $t''$ there exists another
instance $t'$ such that $F_S(\lceil t' \rceil) \subset F_S(\lceil t'' \rceil)$ and $t' \prec t''$, then this PN is unbounded. Once the
unboundedness is discovered, it is reported and the segment's construction terminates. Since
the PN-unfolding segment construction algorithm already checks newly generated final states
against the already existing ones, the boundedness verification can be efficiently incorporated
into this check.
Safeness check. To verify the safeness of a place in a PN (or LPN), all instances of this
place are found. If the place is unsafe, then there exist at least two instances which belong to
the post-set of one configuration. These instances are concurrent. Hence, if two independent
instances of one place are found, then this place is unsafe. The pseudo-code of the safeness
check algorithm is shown in Figure 4.16(b). The complexity of the algorithm verifying the
safeness of a PN is $O(|P'|^2 \times \tau_i)$, where $\tau_i$ is the complexity of the independence check for two
instances. Since the complexity of the independence check is usually negligible, the complexity
of the safeness check is quadratic in the number of place instances in the PN-unfolding segment.
Persistency check. The persistency check is required to find those markings where two
transitions of the underlying PN are in conflict. From the properties of the PN-unfolding
segment (the unfolding is an acyclic graph) it follows that any extension of a configuration
$C$ cannot reach $C$ again. If the same marking as $F_S(C)$ is reached from $C$, then it is the
final state of another configuration $C_1 : C \subset C_1$. Hence, any two transitions which are in
conflict at $F_S(C)$ can be identified by finding $C$ and examining its final state. By definition,
two transitions $t_1$ and $t_2$ may be in conflict if $\bullet t_1 \cap \bullet t_2 \neq \emptyset$.
The pseudo-code for the action persistency check algorithm is shown in Figure 4.16(c).
The algorithm iterates through all place instances $p'$ with more than one successor. For each
pair of transition instances $t'_1$ and $t'_2$ such that $p' \in \bullet t'_1 \cap \bullet t'_2$ it attempts to find a minimal
configuration $C$ producing $\bullet t'_1 + \bullet t'_2$, i.e. $\bullet t'_1 + \bullet t'_2 \subseteq C\bullet$. If such a configuration exists, then
a state at which both $t_1$ and $t_2$ are enabled in conflict is reachable. Then the persistency
of $\lambda(t_1)$ is checked by firing $t_2$ from $M = F_S(C)$ and checking if $\lambda(t_1)$ is still enabled at
$F_S(C) \setminus (\bullet t_2) + (t_2 \bullet)$. Similarly for $\lambda(t_2)$.
Note that the problem of transition persistency for PNs is simpler than the problem of
action persistency in LPNs. In a safe PN, a transition $t_1$ may only remain persistent if the
firing of a conflicting transition $t_2$ returns tokens to all places in $\bullet t_1 + \bullet t_2$. Hence, $t_1$ is
persistent with respect to $t_2$ at $F_S(C)$ if $L'(\bullet t'_1) \subseteq (F_S(C) \setminus (\bullet t_2) + (t_2 \bullet))$.
The complexity of the action persistency check is $O(|P'|)$, linear in the number of place
instances in the PN-unfolding segment.
Liveness check. Weak liveness verification is the simplest check. A weakly live transition
becomes enabled at at least one reachable marking of the PN. If a transition ever becomes
enabled at any reachable marking, then this reachable marking will be represented in the
PN-unfolding segment. The transition is then instantiated. Hence a transition is not live
if there is no instance of this transition in the PN-unfolding segment. The pseudo-code of
the liveness check algorithm is shown in Figure 4.16(a). The complexity of this algorithm is
$O(|T'|)$, linear in the number of transition instances in the PN-unfolding segment.
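The four checks described above (boundedness during construction, then safeness, persistency and weak liveness over the finished fragment), as an added Python example: this is not code from the thesis or from PUNT, it builds a truncated unfolding with McMillan's cutoff condition rather than the pruning-based segment, and the net NET, the class Unfolding and its method names are assumptions of the example.

```python
"""Truncated PN-unfolding with McMillan's cutoff condition and the checks of Figure 4.16.
Added example, not code from the thesis or from PUNT; NET below is a constructed net."""
from collections import Counter
from itertools import combinations, permutations, product

# Constructed net, transition -> (preset, postset), one initial token in p0: p4 can hold
# two tokens (unsafe), g is never enabled (non-live), b/m and d/e conflict (non-persistent).
NET = {
    "a": ({"p0"}, {"p1", "p2"}), "b": ({"p1"}, {"p3"}),
    "c": ({"p2"}, {"p4"}),       "d": ({"p3", "p4"}, {"p0"}),
    "e": ({"p3"}, {"p1"}),       "m": ({"p1"}, {"p4"}),
    "g": ({"p1", "p3"}, {"p0"}),
}
M0 = ["p0"]


class Unfolding:
    # cond[i] = (place, producing event or None); events[e] = (transition, preset, postset)
    # over condition indices; cond_hist / ev_hist hold each node's local configuration.
    def __init__(self, net, m0):
        self.net, self.m0 = net, Counter(m0)
        self.cond, self.cond_hist = [(p, None) for p in m0], [frozenset() for _ in m0]
        self.events, self.ev_hist, self.cutoff = [], [], set()

    def _hist(self, cs):
        return frozenset().union(*(self.cond_hist[i] for i in cs))

    def concurrent(self, i, j):
        # c_i || c_j: joint history conflict-free and neither condition consumed inside it
        h = self._hist((i, j))
        used = frozenset().union(*(self.events[e][1] for e in h))
        return i != j and i not in used and j not in used and all(
            self.events[x][1].isdisjoint(self.events[y][1]) for x, y in combinations(h, 2))

    def marking(self, config):
        # F_S(C): initial conditions plus postsets minus presets of C, as a multiset
        live = {i for i, (_, src) in enumerate(self.cond) if src is None}
        live |= frozenset().union(*(self.events[e][2] for e in config))
        live -= frozenset().union(*(self.events[e][1] for e in config))
        return Counter(self.cond[i][0] for i in live)

    def extensions(self):
        # enabled instances not yet present whose inputs do not follow a cutoff event
        found = []
        for t, (pre, _) in self.net.items():
            pools = [[i for i, (p, _) in enumerate(self.cond)
                      if p == place and not self.cond_hist[i] & self.cutoff]
                     for place in sorted(pre)]
            for cs in map(frozenset, product(*pools)):
                if not any(ev[0] == t and ev[1] == cs for ev in self.events) and all(
                        self.concurrent(i, j) for i, j in combinations(cs, 2)):
                    found.append((t, cs))
        return found

    def add(self, t, cs):
        e, hist = len(self.events), self._hist(cs) | {len(self.events)}
        post = frozenset(range(len(self.cond), len(self.cond) + len(self.net[t][1])))
        for p in sorted(self.net[t][1]):
            self.cond.append((p, e))
            self.cond_hist.append(hist)
        self.events.append((t, cs, post))
        self.ev_hist.append(hist)
        return e

    def build(self):
        # Grow smallest local configuration first.  Returns True when finished and False
        # once the boundedness check fires: F_S([e']) strictly below F_S([e]), e' before e.
        while True:
            ext = self.extensions()
            if not ext:
                return True
            e = self.add(*min(ext, key=lambda x: len(self._hist(x[1]))))
            mark, size = self.marking(self.ev_hist[e]), len(self.ev_hist[e])
            prior = [(self.m0, 0, True)] + [(self.marking(self.ev_hist[x]), len(self.ev_hist[x]),
                                             x in self.ev_hist[e]) for x in range(e)]
            for m2, n2, precedes in prior:
                if m2 == mark and n2 < size:
                    self.cutoff.add(e)           # McMillan's cutoff condition
                    break
                if precedes and m2 != mark and not m2 - mark:
                    return False                 # unbounded along a causal chain

    def non_live(self):      # Figure 4.16(a): transitions with no instance
        return sorted(set(self.net) - {ev[0] for ev in self.events})

    def unsafe(self):        # Figure 4.16(b): places with two concurrent instances
        return sorted({self.cond[i][0] for i, j in combinations(range(len(self.cond)), 2)
                       if self.cond[i][0] == self.cond[j][0] and self.concurrent(i, j)})

    def non_persistent(self):
        # Figure 4.16(c): (t1, t2) enabled together in conflict where firing t2
        # disables t1, i.e. the places of •t1 ∩ •t2 are not all returned by t2•
        out = set()
        for c in range(len(self.cond)):
            for e1, e2 in permutations([e for e, ev in enumerate(self.events) if c in ev[1]], 2):
                t1, t2 = self.events[e1][0], self.events[e2][0]
                both = self.events[e1][1] | self.events[e2][1]
                if (t1 != t2 and all(self.concurrent(i, j) for i, j in combinations(both, 2))
                        and not (self.net[t1][0] & self.net[t2][0]) <= self.net[t2][1]):
                    out.add((t1, t2))
        return sorted(out)
```

Calling build() on the constructed net yields six events, of which the instances of e and d are cutoffs; build() returns False for a net such as {"a": ({"p0"}, {"p0", "p1"})} whose first event already covers the initial marking.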
Unfortunately, there is no easy way to check strong liveness of a PN transition. The
problem of PN liveness is known to be NP-complete for general PNs. There exist polynomial-
time algorithms for examination of liveness for certain classes of PNs. These algorithms
detect certain structural properties of PNs. The PN-unfolding approach is more suitable
for determining other properties of the behaviour described by a PN. In the PN-unfolding
segment strong liveness can be checked in the following manner. Firstly, the PN must be
deadlock free, and therefore a branch-and-bound algorithm for deadlock detection [47] must
be applied. Secondly, deadlock freedom does not guarantee strong liveness of the system,
and, furthermore, for some examples a particular marking may only be reached once, yet
the PN is strongly live. Hence, detecting a strongly live transition (or an action) in a PN-
unfolding segment also requires examining (non-local) configurations of the segment to detect
the strongly connected component and examining the liveness of the transitions which lead to it.
Degree of concurrency. Another important characteristic of the asynchronous design is
its degree of concurrency which is measured in the number of mutually concurrent events.
Intuitively, the greater the degree of concurrency, the more data is processed at the same time
by different parts of the system/circuit. Thus, increasing the degree of concurrency increases
the throughput of the circuit.
An example of using the PN-unfolding segment to determine the degree of concurrency was
given in [75]. This work proposes a design of an asynchronous version for a simple synchronous
microprocessor. The initial implementation was obtained using the refinement technique
starting from the high-level description of the microprocessor. Several implementation versions
were suggested which were aimed at enhancing the overall performance of the processor.
The PN-unfolding segment analysis was used to extract the concurrency relation between
transitions of the LPN representation of the microprocessor. It provided guidance for the
designer, indicating which particular transitions can be decoupled (made concurrent) from
the rest of the design.
4.4.2 Verification of LPN Models of Circuits
The problem of the verification of two-level circuits usually considers a circuit given in the
form of a gate net-list or schematic. The environment of the circuit is described by a simple
PN, e.g. representing delays (or inverted delays) in the environment from circuit outputs
(requests) to circuit inputs (acknowledgements). The verification needs to find an answer to
the question "Does a circuit behave without hazards in a particular environment?".
The original set of components used for building two-phase (see Subsection 2.1.2) control
circuits was proposed by Sutherland [88]. They include the following:
• C-element, which implements AND-causality or synchronisation between different pro-
cesses. The admissible behaviour of this element is such that both inputs are allowed
to change their values, say from logical 1 to logical 0, if the output change, from logical
0 to logical 1, has been produced for the previous input change. This component is
described by the boolean equation: $Y = x_1 x_2 + y(x_1 + x_2)$, where $Y$ is the output and
$x_1$ and $x_2$ are the inputs of the C-element. The variable $y$ is used to distinguish the
feedback wire from the main output.
• Merge, or eXclusive-OR (XOR), which realises OR-causality between input changes,
but requires that only one input can change at a time. Input changes must therefore
arrive on a mutually exclusive basis.
• Toggle, which switches between two outputs for every input change, as a complementary
flip-flop. It is used to unconditionally alternate between two possible directions of control
flow.
• Select, which changes one of the two output signals but, unlike Toggle, does it condi-
tionally. The output is selected depending on the state of another input, the level-based
one. This component allows the construction of branches in control flow depending upon
the state of the data path.
Figure 4.17: Basic two-phase control elements (XOR, C-element, Select, Call, Arbiter, Toggle) and their LPN models.
• Call, which operates like a control flow multiplexer. It transmits any of its alternative
input requests to the single output request, and upon receiving the acknowledgement
from the single acknowledgement input, transmits it to the acknowledgement output
corresponding to the original request. This module therefore operates as an interface
between different parts of the control flow and the single operational unit. It is crucial
that input requests arrive in a mutually exclusive manner.
• Request-Grant-Done (RGD) Arbiter, which arbitrates between two possibly con-
current input requests (R) and generates only one grant (G) at a time, using a built-in
metastability resolution circuit. To indicate that one of the requesters has finished a
critical section of the computation, it uses another input, called "Done" (D).
These components are modelled by the PN fragments shown in Figure 4.17. The main
idea behind this type of modelling is that the places are associated with input/output wires
and the transitions with signal events. Since there is no distinction between rising and falling
edges of transitions in the two-phase discipline, it is possible to associate one net transition
with both.
The model of the Select element has a special feature. The complete model shows the
effect of the environment which changes the state of input D (meaning "data"). Since D
is a level-based, also called four-phase signal, its edges, denoted as +D and -D, are not
"symmetric", and must be modelled by separate net transitions. The figure does not show
the origins of the logic which switches D.
To illustrate conversion of a circuit into an LPN consider the control circuitry for mi-
cropipeline FIFO structures. The basic two-phase FIFO structure, proposed by Suther-
land [88], is shown in Figure 4.18(a). It is based on a data path storage element called
Capture Pass Element.
The synchronisation between the data path and control in this FIFO is done using the
bundled data technique, which requires using explicit delay elements between the stages.
These compensate for delays and signal skewing in the bundles of data wires. Alternatively,
it is possible to use dual-rail signalling [74], but this option is often discarded in practice as
overly expensive in terms of area and power consumption.
Figure 4.18: Sutherland's micropipeline FIFO (a), its control circuitry (b) and its LPN model (c).
Figure 4.19: Illustration of a hazard of the gate's output (signals a, b and c).
Consider the modelling of control flow in such pipelines. The data path is abstracted away
by means of modelling the delays in Capture Pass Elements as explicit delays inserted into the
appropriate wires. The extracted control circuit for the FIFO micropipeline in Figure 4.18(a)
is shown in Figure 4.18(b).
The operation of the FIFO stages is represented by the LPN shown in Figure 4.18(c). This
net has a certain degree of redundancy that is caused by the explicit modelling of delays. It
is easy to reduce this net to a simple loop with two transitions, each modelling the C-element
that synchronises the request signal from the previous stage with an acknowledgement signal
from the next stage.
The analysis of this LPN by means of the PN-unfolding segment shows that this net is
live, safe, persistent and deadlock free. Hence the circuit is hazard free. Note that an unsafe
place may indicate a hazard in a two-phase circuit. This is illustrated in Figure 4.19. This
figure shows an XOR and its LPN model. Suppose that an input change caused the output of
this gate to start its transition from one level to another. However, while the output is being
changed, an event arrives at another input. This will cause the gate output to return to its
original level, i.e. produce a short spike on the output. This is illustrated on the signal level
diagram.
Figure 4.20: Standard (a-b) and Fast Forward (c-d) pipeline with four-phase latch control (signals Rin, Ain, Rout, Aout; initially the latch is opened).
The performance of the pipeline is determined by the following two parameters. The
first is the latency, which is the time it takes to propagate a datum through the stages. In
Figure 4.18(a) this would be the time from Rin to Rout. The second performance factor is the
cycle time, or the time it takes one stage to process one value and accept the next one. The
maximum cycle time of all the stages determines the overall throughput. To achieve better
performance, designers often perform low-level optimisations of circuits, sometimes relying on
the delay ratios. In this case the circuit analysis is required to alert them to possible hazards.
Despite obvious performance gains achieved through the combined use of two-phase control
with a Capture-Pass storage element, the designers of AMULET1 considered this design to
be too costly in area and transistor count [64, 17]. They preferred to use conventional pass-
transistor Transparent Latch circuits, which are four-phase operated. The latch is controlled
by two complementary enabling signals, En and nEn. As a result, more complex control
circuitry has to be used to convert the two-phase control of the interface between the stages
to the four-phase control of the latches inside the stages and back. The conversion is done by
means of a combination of a Merge (XOR gate) and a Toggle.
To illustrate the circuit analysis further, consider two (out of three) possible designs
from [64, 17], based on the four-phase data path. The first, the standard one, is shown in
Figure 4.20(a) for one stage. The PN-unfolding segment analysis shows that the control circuit
is delay-insensitive. The second design, called fast-forward pipeline, has better performance
(smaller forward latency) but at the cost of becoming sensitive to delays in the environment.
It is shown in Figure 4.20(c). Its LPN model, if analysed without taking timing parameters
into consideration, is unsafe. The place that models the Merge gate can be marked with more
than one token. To avoid this, the designer must guarantee that the delays associated with
Stages | States          | Versify T_v | Versify T_t | PUNT Size [tr/pl] (cutoffs/successors) | PUNT T_t
2      | 29              | 0.01        | 0.14        | 14/20 (1/1)                            | 0.09
3      | 123             | 0.02        | 0.24        | 26/36 (1/1)                            | 0.13
4      | 521             | 0.03        | 0.44        | 42/57 (1/1)                            | 0.1?
5      | 2207            | 0.05        | 0.69        | 62/83 (1/1)                            | 0.33
10     | ?.?? x 10^6     | 0.21        | ?.60        | 222/288 (1/1)                          | 2.90
15     | 4.11 x 10^9     | 0.61        | 35.27       | 482/618 (1/1)                          | 14.69
20     | 5.60 x 10^12    | 1.08        | 112.73      | 842/1073 (1/1)                         | 51.48
(cells marked ? are illegible in the scanned copy)
Table 4.3: Experimental results for the Sutherland's pipeline.
firing transitions corresponding to Merge, latch control circuitry, Toggle and the environment
are carefully balanced and thus hazards are avoided. Such a constraint was satisfied in the
AMULET1 design. It can be seen that the reverse latency in this design remains the same as
in the previous design.
4.5 Experimental Results
Since STGs are a particular case of LPNs, the verification technique for LPNs is very similar
to that of the verification of STG specifications. The results of the specification verification
for a wide range of benchmarks can be found in Chapter 5.
To illustrate the performance of the circuit verification using the PN-unfolding segment
the algorithms were applied to the example of the control circuitry of the micropipeline. Its
model was shown in Figure 4.18(c).
The verification results obtained on a Sun SPARC20 are presented in Table 4.3. All exam-
ples were verified for safeness, persistency, liveness and deadlock freedom. Columns grouped
under "Versify" present the results of verification using the "state-of-the-art" verification tool
versify [69], which uses Binary Decision Diagrams for the PN symbolic traversal. Columns
Tt give the total time (in seconds) spent on the construction of the behavioural representation
and on the verification of properties for both tools. Column Tv shows the fraction of time
spent by versify on the actual verification of properties. Columns grouped under "PUNT"
present the results of the verification using the PN-unfolding segment. Column "Size" shows
the size of the PN-unfolding segment (and the number of cutoff transitions and their succes-
sors). As can be seen, the method based on the PN-unfolding segment performs better
than the state-based approach. Note also that most of the time spent by versify was used
for construction of the RG representation. This is exactly where the PN-unfolding approach
performs better.
4.6 Concluding Remarks
This chapter introduced a new concept of the PN-unfolding segment. First, it presented the
result of [22] which can be applied to analysis of safe PNs. Then a new cutoff condition was
suggested which avoids redundancy in the truncated PN-unfolding of a non-autoconcurrent
PN. Such redundancy is associated with multiple instances of one transition. The new cutoff
condition is based on the notion of a representation set and uses relations between transition
instances of the unfolding.
The PN-unfolding segment was applied for the analysis of LPN models of asynchronous
circuits and systems. The method was also applied to two real-life examples. The production
cell example, in particular, demonstrated the need for the novel technique. The method was
compared to other existing analysis tools and demonstrated favourable results.
Chapter 5
Analysis of STG models
A number of works, e.g [73, 13, 41], study the analysis of STGs using the assignment of
consistent state vectors to the states in the RG of the underlying PN. This technique can
be shown (although this has not been done formally) to be adequate only for cyclic STGs,
while it is easy to show that for acyclic STGs or STGs with an acyclic segment such a vector
assignment may not satisfy the intuition about the STG consistency. For example, an STG
shown in Figure 5.1 is intuitively correct (because it is valid according to Definition 3.4.3),
but there is no way to assign consistent state vectors to the markings of the underlying PN.
There would either be two vectors associated with each of the markings {p4} and {p5}, or the
state vector assigned to {p4} would differ from the state vector assigned to {p2} and {p3} in two
elements.
The purpose of this chapter is two-fold:
• To introduce a new notion of Full State Graph, which adequately captures the behaviour
of an arbitrary STG; and
• To introduce an STG-unfolding segment which allows analysis of the STG behaviour by
means of partial orders, based on the PN-unfolding segment introduced in the previous
chapter.
5.1 Full State Graph
The purpose of this section is to introduce the notion of the Full State Graph (FSG). This
new model correctly represents the behaviour of an arbitrary STG (including acyclic and
combined STGs).
An STG marking is defined for an STG G as a reachable marking of its underlying PN
N. All definitions from Section 3.1 for PN markings apply to STG markings. Any reachable
marking M of an STG is associated with a binary vector v, called the state vector. Each state
vector has exactly |A| elements so that every element v[i] corresponds to exactly one signal
$a_i$ from A. Unlike PNs, the dynamic behaviour of an STG must include the interpretation of
its marking with the corresponding states of its signals in the marking. Indeed, it is always
done for the initial state: one has to specify the initial marking and the initial state of an
STG (although the latter is often done implicitly through the initial marking). It is therefore
CHAPTER 5. ANALYSIS OF STG MODELS 65
natural to define a full state which captures a marking together with the associated state
vector.
[Figure 5.1: An STG (a) and its corresponding RG (b). The STG has places p1 to p5; the figure itself is not reproduced in this copy.]
Definition 5.1.1 A full state (FS) of an STG G is a pair s = (M, v), where
• M is a reachable marking of N;
• v is a binary state vector.
□
Let v[j] denote the element corresponding to signal $a_j \in A$. The binary state vectors for
reachable markings can be found in the way that they satisfy the following requirement (also
called the consistency between an FS and a signal transition):
Definition 5.1.2 A binary state vector v is said to be assigned consistently to a marking M
(forming an FS s = (M, v) of an STG) if for every FS s' = (M', v') reachable from M by firing
a transition labelled with a signal transition $*a_j$:
• if $M \xrightarrow{+a_j} M'$ and $v[j] = 0$, then $v'[j] = 1$;
• if $M \xrightarrow{-a_j} M'$ and $v[j] = 1$, then $v'[j] = 0$;
• $v[i] = v'[i]$ for all $i \neq j$.
The full state FS s = (M, v) is called consistent. □
A state vector cannot be assigned if the above conditions do not hold.
An initial FS is denoted as $s_0 = (M_0, v_0)$. Several full states may correspond to one
marking in the RG. It is natural to define equality between two FSs as
The next definition lays out the concept of the Full State Graph.
proc Get FSG(G)
  Set Φ = {s_0 = (M_0, v_0)}
  Push s_0 onto STACK
  DFS(Φ, STACK)
  return Φ
end proc

proc DFS(Φ, STACK)
  while STACK not empty do
    Pop s = (M, v) from STACK
    for each t enabled at M do
      if *a_i = λ(t) consistent with v[i] then do
        Find M' by firing t from M
        Find v' for M'
        if s' = (M', v') not in Φ then do
          Φ = Φ ∪ {s'}
          Push s' onto STACK
          DFS(Φ, STACK)
        end do
      end do
    end do
  end do
end proc
Figure 5.2: Algorithm for constructing an FSG from an STG.
Definition 5.1.3 A Full State Graph (FSG) is a quadruple $\Phi = (S, E, A, \Psi)$ defined from an
STG $(N, A, v_0, \lambda)$ such that
• S is a set of all consistent full states of the STG which are reachable from the initial full
state $s_0 = (M_0, v_0)$ through valid firing sequences; $s_0 \in S$,
• E is a set of all arcs $e_{i,j}: s_i \to s_j$ connecting pairs of consistent full states $s_i = (M_i, v_i)$
and $s_j = (M_j, v_j)$ if there exists a transition $t \in T: M_i \xrightarrow{t} M_j$,
• A is a set of signals,
• $\Psi: E \to *A$ is a labelling function, which labels all arcs with signal transitions from
$*A$.
□
The FSG represents those and only those FSs that are reachable from the initial FS and satisfy
the condition of consistency between a full state and a signal transition. It follows from the
above definitions that two state vectors of two FSs connected with an arc can only differ in one
element. Note, however, that the definition of an FSG does not require two FSs to have equal
state vectors if their marking components are equal, as it is presumed in the conventional
definition of the SG.
The algorithm for the construction of an FSG for a given STG is shown in Figure 5.2.
This algorithm is a straightforward adaptation of the basic algorithm for constructing the
RG for a PN [65]. The difference is in the construction of the new states. For each new
state a binary vector satisfying the consistency conditions (laid down in Definition 5.1.2) is
found. An example of the FSG built for the STG from Figure 5.1(a), where no consistent state
assignment to its RG is possible, is shown in Figure 5.3.
[Figure 5.3: An FSG constructed for the STG from Figure 5.1(a). Signal order abcd, initial state 0000; the marking {p4} appears twice, with state vectors 1010 and 0110. The figure itself is not reproduced in this copy.]
As can be seen, it is possible to start building the FSG and reach an FS s = (M, v) from
which a particular transition cannot be constructed. This can happen for two reasons.
Firstly, it may happen if there are no transitions enabled at M. Analogously to PNs, such a
state is called deadlock. Secondly, if in such a state a signal transition $+a_j$ ($-a_j$) is enabled at
marking M but the corresponding element in v is 1 (0). Such a state is called signal deadlock
with respect to signal transition +a (-a) and is defined below.
Definition 5.1.4 A signal deadlock with respect to signal transition $+a_j$ ($-a_j$) is a state s =
(M, v) in the FSG such that:
$\exists t: {}^\bullet t \subseteq M$ and $\lambda(t) = +a_j$ ($-a_j$), $v[j] = 1$ (0),
where v[j] is an element of the state vector corresponding to signal $a_j$. □
In other words, a signal deadlock with respect to $*a_j$ is a reachable FS s such that the value
of v[j] is inconsistent with the sign of the transition of $a_j$ enabled at M.
Due to the condition of consistency and thus the potential presence of signal deadlocks,
some of the reachable markings of the underlying PN may not be associated with state vectors.
Noting this, the coverability of FSG is defined as follows:
Definition 5.1.5 The FSG, constructed for an STG, covers the RG obtained from its under-
lying PN if there are no signal deadlocks in the FSG.
Such an FSG is also called consistent. □
Example. Consider the STG shown in Figure 5.4(a). Its underlying PN has the RG shown
in Figure 5.4(b). As can be seen, the FSG (shown in Figure 5.4(c)) has two signal
deadlocks with respect to +b and hence it does not cover the RG. The initial state of the
STG, corresponding to the initial placement of tokens, is 00 for the order of the signals
ab.
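The FSG construction of Figure 5.2 together with the signal-deadlock check of Definition 5.1.4, worked in Python as an added example (not code from the thesis or from the PUNT tool): it builds the FSG of a small constructed STG modelled on the situation of Figure 5.1(a), shows that one marking receives two different state vectors, and detects the signal deadlock of a second constructed STG in which +b is specified twice with no -b in between. The place and transition names (p1..p5, t1..t5), the signal names and all values are constructed for the example.

```python
# Added example (not from the thesis): building the Full State Graph (FSG) of a small STG
# by the DFS of Figure 5.2, with the consistency check of Definition 5.1.2 and detection of
# signal deadlocks (Definition 5.1.4). All nets, names and values below are constructed.

# An STG is a dict: transition name -> (preset, postset, (sign, signal)).
# Markings are frozensets of place names; the underlying PNs used here are safe.

# Constructed STG in the spirit of Figure 5.1(a): the marking {p4} is reached via +a,+c
# and via +b,+c, so no single state vector can be attached to it in the plain RG.
SIGNALS = ('a', 'b', 'c', 'd')
STG_FORK = {
    't1': (frozenset({'p1'}), frozenset({'p2'}), ('+', 'a')),
    't2': (frozenset({'p1'}), frozenset({'p3'}), ('+', 'b')),
    't3': (frozenset({'p2'}), frozenset({'p4'}), ('+', 'c')),
    't4': (frozenset({'p3'}), frozenset({'p4'}), ('+', 'c')),
    't5': (frozenset({'p4'}), frozenset({'p5'}), ('+', 'd')),
}

# Constructed invalid STG: +b is specified twice with no -b in between.
STG_BAD = {
    't1': (frozenset({'p1'}), frozenset({'p2'}), ('+', 'a')),
    't2': (frozenset({'p2'}), frozenset({'p3'}), ('+', 'b')),
    't3': (frozenset({'p3'}), frozenset({'p4'}), ('+', 'b')),
}


def enabled(marking, stg):
    """Transitions whose preset is contained in the marking."""
    return [name for name, (pre, _post, _lab) in stg.items() if pre <= marking]


def build_fsg(initial_places, stg, signals, v0):
    """Return (states, arcs, signal_deadlocks) for the FSG of `stg`.

    states: set of full states (marking, state vector) reachable from (M0, v0)
            through consistent firings (Definitions 5.1.1-5.1.3);
    arcs: list of (s, '+a' or '-a', s') labelled by the signal transition fired;
    signal_deadlocks: list of (s, '+a'/'-a') where the transition is enabled at M
            but v already holds the value it would produce (Definition 5.1.4)."""
    idx = {a: i for i, a in enumerate(signals)}
    s0 = (frozenset(initial_places), tuple(v0))
    states, arcs, deadlocks = {s0}, [], []
    stack = [s0]                      # explicit stack replaces the recursion of Figure 5.2
    while stack:
        marking, v = stack.pop()
        for name in enabled(marking, stg):
            pre, post, (sign, sig) = stg[name]
            j = idx[sig]
            # Consistency between FS and signal transition: +a needs v[a]=0, -a needs v[a]=1.
            if (sign == '+' and v[j] != 0) or (sign == '-' and v[j] != 1):
                deadlocks.append(((marking, v), sign + sig))
                continue
            v_new = list(v)
            v_new[j] = 1 - v[j]       # exactly one element of the vector changes
            s_new = ((marking - pre) | post, tuple(v_new))
            arcs.append(((marking, v), sign + sig, s_new))
            if s_new not in states:   # several full states may share one marking
                states.add(s_new)
                stack.append(s_new)
    return states, arcs, deadlocks


def vectors_for_marking(states, marking):
    """All state vectors the FSG attaches to one marking of the underlying PN."""
    return {v for m, v in states if m == marking}


def covers_rg(deadlocks):
    """Definition 5.1.5: the FSG covers the RG iff there are no signal deadlocks."""
    return not deadlocks


if __name__ == '__main__':
    states, arcs, dl = build_fsg({'p1'}, STG_FORK, SIGNALS, (0, 0, 0, 0))
    print(len(states), 'full states for', len({m for m, _ in states}), 'markings')
    print('vectors at {p4}:', vectors_for_marking(states, frozenset({'p4'})))
    _, _, dl_bad = build_fsg({'p1'}, STG_BAD, ('a', 'b'), (0, 0))
    print('STG_BAD covers its RG:', covers_rg(dl_bad), '; deadlocks:', dl_bad)
```

The recursion of Figure 5.2 is replaced by an explicit stack; the set of full states is keyed on the pair (marking, vector), which is what lets one marking appear with several vectors, in contrast to the conventional SG. `covers_rg` is Definition 5.1.5 applied to the list of signal deadlocks collected during the traversal.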
Proposition 5.1.1 If there exists a valid feasible sequence $\sigma: M_0 \to M_i$ (Definition 3.4.2),
then there exists a full state $s_i = (M_i, v_i)$, where $v_i$ is a signal state obtained by changing the
initial state vector $v_0$ in the order of transitions in σ.
[Figure 5.4: Example of an STG (a) and its RG (b) which is not covered by its FSG (c). Signal order ab, initial state 00; the FSG marks two signal deadlocks w.r.t. +b. The figure itself is not reproduced in this copy.]
Proof: If σ is valid, then all signal changes in σ are consistent with values of binary vectors
associated with all visited states. Hence all visited states (including $s_i$) exist in the FSG.
□
Theorem 5.1.1 Let an STG have a bounded and finite underlying PN. The FSG built from
an STG covers the RG built from the underlying PN iff this STG is valid.
Proof: [if] If an STG is valid then all conditions of Definition 3.4.3 hold; also, all feasible
sequences generated by this STG are valid. It follows that no reachable state of this
STG satisfies the conditions of Definition 5.1.4 and, hence, there are no signal deadlocks
in the FSG built from this STG. Then, by Definition 5.1.5, such an FSG covers the RG
constructed for the underlying PN.
[only if] Suppose that the STG is invalid. It needs to be shown that the FSG does not
cover the RG obtained from the underlying PN. Note that there exists a signal, say $a_j$,
for which at least one of the conditions of Definition 3.4.2 is not true. Without loss of
generality assume that $v_0[j] = 0$. Consider two possible cases:
1. In the underlying PN there exists a sequence $\sigma: M_0 \to M_k$ such that $\sigma = \sigma_1 t_i \sigma_2$ and
$\lambda(t_i) = -a_j$, there are no instances of $a_j$ preceding $t_i$ and $\sigma_1$ is valid. According to
Definition 5.1.4, $s = (M_k, v_k)$, where s is the full state reached after $\sigma_1$, is a signal
deadlock with respect to the signal transition $-a_j$ (since $v_k[j] = 0$) and thus the
FSG does not cover the RG.
2. In the underlying PN there exists a sequence $M_0 \xrightarrow{\sigma} M_k \xrightarrow{t_j}$ such that $\sigma = \sigma_1 t_i \sigma_2$ and
$\lambda(t_i) = \lambda(t_j) = +a_j$, there are no instances of $a_j$ in $\sigma_2$ and σ is valid. According
to Definition 5.1.4, the FS $s_k = (M_k, v_k)$, which is reached after σ, is a signal
deadlock with respect to the signal transition $+a_j$ (since $v_k[j] = 1$) and thus, as in
the previous case, the FSG does not cover the RG.
Hence, the FSG does not cover the RG of the underlying PN for an invalid STG and
therefore this part of the proof also holds.
□
It is clear that the STG, shown in Figure 5.3, is valid, according to Definition 5.1.5. This
method gives an opportunity to verify the validity of an arbitrary STG based on Defini-
tion 3.4.3. However, this method has limited practicality due to its exponential complexity.
The following sections describe the application of PN-unfolding to this problem and introduce
the STG-unfolding segment. This is an event-based representation capturing the concurrency
in its natural form, which allows the analysis of STGs and attempts to avoid the exponential
growth of the explored number of states.
5.2 STG-unfolding Segment
In order to analyse an STG specification of a circuit, the PN-unfolding segment needs to be
modified so that it covers the FSG of an STG. Similar to the presentation of the PN-unfolding,
the STG-unfolding is introduced first, and then its truncation is suggested.
It is clear that marking components of the full states can be traced as final states of the
PN-unfolding segment of the underlying PN. Due to the potential presence of signal deadlocks,
configurations of the PN-unfolding segment may represent marking in the RG which will not
be covered by the FSG. In order to be able to derive the state vector component the notion
of a signal state of configuration is required.
Definition 5.2.1 Let N' be the PN-unfolding constructed for the underlying PN of an
STG G. The signal state of configuration C is a binary vector ξ, with $n = |A|$ components
each of which corresponds to one and only one signal. It is defined iff for any signal $a \in A$
represented by $T^a \subseteq C$, $T^a = \{t' \mid |\lambda(L'(t'))| = a\}$, the following is true:
• All signal changes of a are in total order $t'_1, t'_2, \ldots, t'_k$ (i.e. $\{t'_1, t'_2, \ldots, t'_k\} = T^a$)
and $\forall i = 2 \ldots k$: the sign of $\lambda(L'(t'_{i-1}))$ is opposite to that of $\lambda(L'(t'_i))$;
• the first signal transition $\lambda(L'(t'_1))$ is consistent with the initial state of the STG.
The value of each element ξ[j] is calculated as $\xi[j] = \xi_0[j] \oplus |T^{a_j}|$, where $|T^{a_j}|$ is the number
of occurrences of the transitions representing the signal $a_j \in A$ in the configuration C, $\oplus$
represents the modulo 2 sum and $\xi_0[j]$ is the signal state of $\lceil \bot \rceil$, equal to the initial state of
G. □
A local configuration, satisfying the conditions of the above definition, also can have a signal
state because it is a configuration.
Definition 5.2.2 An STG-unfolding is a tuple $G' = (N', \Xi)$ where:
• N' is an unfolding obtained from the PN underlying an STG;
• Ξ is a set of defined signal states of local configurations $\xi\lceil t' \rceil$ labelling local configura-
tions $\lceil t' \rceil$.
□
Note that the PN-unfolding of the underlying PN may contain configurations whose signal
state is undefined, e.g. configurations representing marking components of signal deadlocks.
Proposition 5.2.1 Every configuration $C' \subseteq C$ has a defined signal state iff there exists a
defined signal state for configuration C. □
The above proposition follows directly from the definition of the signal state of config-
uration. The next proposition establishes the conditions for configuration extensions which
preserve the existence of signal states.
Proposition 5.2.2 Let C be a configuration of an STG-unfolding with a defined signal state
ξ. Let also $t'_c$ be an instance with a defined signal state of its local configuration $\xi\lceil t'_c \rceil$. If there
exists a configuration $C' = \lceil t'_c \rceil \cup C$ and $\forall t'_j \in \lceil t'_c \rceil, t'_i \in C, t'_i \parallel t'_j : |\lambda(L'(t'_i))| \neq |\lambda(L'(t'_j))|$,
then C' has a defined signal state ξ'.
Proof: Since ξ is defined for C, all instances in $\lceil t'_c \rceil \cap C$ have signal states defined for their
local configurations. Therefore consider instances in $\lceil t'_c \rceil \setminus C$. For these instances the
proposition is proved by induction. For the base consider, without loss of generality, any
instance $t'_j \in \lceil t'_c \rceil : {}^\bullet t'_j \subseteq C^\bullet$. Since $\xi\lceil t'_c \rceil$ is defined, the signal change $\lambda(L'(t'_j))$
is consistent with the initial state. On the other hand, $t'_j$ is the only instance added
to C where all (existing) instances of $|\lambda(L'(t'_j))|$ are in total order. The order of these
instances in $C \cup \{t'_j\}$ may only become partial if there exists an instance $t'_i \in C, t'_i \parallel t'_j :$
$|\lambda(L'(t'_i))| = |\lambda(L'(t'_j))|$, which contradicts the conditions of the proposition. Hence the
base case is done. The inductive step is proved using similar arguments for all instances
in $\lceil t'_c \rceil \setminus C$.
□
Corollary 5.2.1 Let $t'_c \in T'$ be an instance of an STG-unfolding and C be a configuration
such that $C = \lceil t'_c \rceil \setminus \{t'_c\}$. Let Max(C) be the set of maximal instances in C. The signal state
is defined for local configuration $\lceil t'_c \rceil$ if the signal states are defined for local configurations
$\lceil t'_j \rceil : t'_j \in Max(C)$, there are no concurrent transitions $t'_i, t'_j \in C$ such that $|\lambda(L'(t'_i))| =$
$|\lambda(L'(t'_j))|$, and $\lambda(L'(t'_c))$ is consistent with ξ of the configuration C. □
Consider the formula of Definition 5.2.1 for calculating the signal state of configuration C.
It would be convenient to rewrite this formula in a vector form, i.e. $\xi = \xi_0 \oplus \zeta$. Each
component ζ[i] corresponds to one and only one signal $a_i \in A$ and represents the number of
occurrences of a given signal in C. Such a vector is called the cumulative state of configuration
C. The notion of the cumulative state used here is similar to the one used in [49, 35]. The
notion of the cumulative state of a configuration proves to be useful in the calculation of the
cumulative state of configuration C from the cumulative states of local configurations
comprising C.
Proposition 5.2.3 Let C be a configuration satisfying the conditions of existence of the
signal state ξ; let also $Max(C) = \{t'_1, t'_2, \ldots, t'_l\}$ be the set of maximal instances of C. The
cumulative state ζ of C is calculated as follows:
$\forall i: 1 \le i \le n:\quad \zeta[i] = \max_{j=1}^{l} \left( \zeta\lceil t'_j \rceil [i] \right),$
where $\zeta\lceil t'_j \rceil$ is the cumulative state of the local configuration $\lceil t'_j \rceil$.
Proof: Take any $a \in A$ and $T^a$. Since all instances in $T^a$ are totally ordered and C is finite,
there is $t'_j \in Max(C)$ such that $T^a \subseteq \lceil t'_j \rceil$.
□
The cumulative state of $\lceil \bot \rceil$ is a 0-vector. Using cumulative states it is possible to adapt
the PN-unfolding algorithm to construct the STG-unfolding which takes into account signal
states of configurations. Indeed, whenever a new transition t' is added to the unfolding, the
signal state of its local configuration is calculated from the states of local configurations of
instances in Max(C) where $C = \lceil t' \rceil \setminus \{t'\}$, i.e. the local configuration of t' without t' itself.
This is the minimal run of the underlying PN which enables this instance. Obviously, $\lceil t' \rceil$
must satisfy the conditions of the signal state existence (Definition 5.2.1). If $\lceil t' \rceil$ satisfies
these conditions, then $\zeta\lceil t' \rceil$ is found from the cumulative states of the local configurations of
instances in Max(C) and the signal state $\xi\lceil t' \rceil$ is obtained.
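Definition 5.2.1 and Proposition 5.2.3 worked in Python, as an added example that is not part of the thesis or of the PUNT tool: it computes local configurations of a small unfolding prefix, checks the two existence conditions of the signal state (total causal order of each signal's instances, and alternating signs starting consistently with the initial state), computes ξ = ξ0 ⊕ ζ both directly and from the cumulative states of the maximal instances Max(C) as Proposition 5.2.3 prescribes, and compares ξ⌈t'⌉ of two instances, which is the extra condition the STG-unfolding cutoff (Definition 5.2.3, below) adds to the PN-unfolding cutoff. The unfolding prefixes (instances e1..e6, f1..f3, g1..g2), the signals and the initial state are constructed; conflict between instances is not modelled, so configurations passed in are assumed to be causally closed and conflict-free.

```python
# Added example (not from the thesis): signal states and cumulative states of configurations
# of an STG-unfolding, following Definition 5.2.1 and Proposition 5.2.3. The unfolding prefix,
# instance names and signal sets below are constructed for illustration.

# An unfolding prefix is a dict: instance name -> ((sign, signal), frozenset of direct causal
# predecessors). Configurations are passed as frozensets of instance names and are assumed to
# be causally closed and conflict-free (conditions/places are not modelled here).
SIGNALS = ('a', 'b', 'c')
XI0 = (0, 0, 0)            # initial signal state of the STG, i.e. the signal state of the bottom

UNF_OK = {
    'e1': (('+', 'a'), frozenset()),
    'e2': (('+', 'b'), frozenset({'e1'})),
    'e3': (('-', 'a'), frozenset({'e1'})),
    'e4': (('+', 'c'), frozenset({'e2', 'e3'})),
    'e5': (('-', 'b'), frozenset({'e4'})),
    'e6': (('+', 'a'), frozenset({'e4'})),
}
# Two concurrent instances of -a: the instances of a are not totally ordered.
UNF_CONC = {
    'f1': (('+', 'a'), frozenset()),
    'f2': (('-', 'a'), frozenset({'f1'})),
    'f3': (('-', 'a'), frozenset({'f1'})),
}
# Two +a in causal order with no -a between them: signs do not alternate.
UNF_REPEAT = {
    'g1': (('+', 'a'), frozenset()),
    'g2': (('+', 'a'), frozenset({'g1'})),
}


def local_config(e, unf):
    """Local configuration of e: e together with all of its causal predecessors."""
    seen, todo = set(), [e]
    while todo:
        x = todo.pop()
        if x not in seen:
            seen.add(x)
            todo.extend(unf[x][1])
    return frozenset(seen)


def concurrent(x, y, unf):
    """Neither instance causally precedes the other (conflict is assumed absent)."""
    return x not in local_config(y, unf) and y not in local_config(x, unf)


def instances_of(config, unf, sig):
    return [e for e in config if unf[e][0][1] == sig]


def signal_state(config, unf, signals, xi0):
    """Signal state of a configuration per Definition 5.2.1, or None if it is undefined."""
    xi = []
    for j, a in enumerate(signals):
        inst = instances_of(config, unf, a)
        # (1) all instances of the signal must be totally ordered by causality
        for x in inst:
            for y in inst:
                if x < y and concurrent(x, y, unf):
                    return None
        # along a causal chain the size of the local configuration strictly grows,
        # so sorting by it yields the causal order of the instances
        chain = sorted(inst, key=lambda e: len(local_config(e, unf)))
        # (2) first change consistent with xi0, then strictly alternating signs
        expected = '+' if xi0[j] == 0 else '-'
        for e in chain:
            if unf[e][0][0] != expected:
                return None
            expected = '-' if expected == '+' else '+'
        xi.append(xi0[j] ^ (len(inst) % 2))   # xi[j] = xi0[j] xor |T^a_j| (mod 2)
    return tuple(xi)


def cumulative_state(config, unf, signals):
    """Cumulative state: number of instances of each signal in the configuration."""
    return tuple(len(instances_of(config, unf, a)) for a in signals)


def maximal(config, unf):
    """Max(C): instances of C that are not predecessors of another instance of C."""
    return [e for e in config if not any(e in unf[f][1] for f in config)]


def cumulative_from_max(config, unf, signals):
    """Proposition 5.2.3: component-wise max of the cumulative states of Max(C)."""
    parts = [cumulative_state(local_config(e, unf), unf, signals) for e in maximal(config, unf)]
    if not parts:                      # the bottom configuration has the 0-vector
        return tuple(0 for _ in signals)
    return tuple(max(z[i] for z in parts) for i in range(len(signals)))


def signal_state_via_max(config, unf, signals, xi0):
    """xi = xi0 xor zeta component-wise, with zeta taken from the maximal instances only.
    Only meaningful once signal_state() has confirmed the state is defined."""
    zeta = cumulative_from_max(config, unf, signals)
    return tuple(xi0[i] ^ (zeta[i] % 2) for i in range(len(signals)))


def equal_local_signal_states(e1, e2, unf, signals, xi0):
    """Extra requirement of Definition 5.2.3 on a cutoff candidate: equal local signal states."""
    s1 = signal_state(local_config(e1, unf), unf, signals, xi0)
    s2 = signal_state(local_config(e2, unf), unf, signals, xi0)
    return s1 is not None and s1 == s2
```

For UNF_OK the whole prefix is a configuration with ζ = (3, 2, 1) and ξ = (1, 0, 1); the same ζ is obtained from the local configurations of the maximal instances e5 and e6 alone, which is what lets the construction algorithm derive ξ⌈t'⌉ of a new instance from Max(⌈t'⌉ \ {t'}) without re-scanning the whole configuration. UNF_CONC and UNF_REPEAT each violate one of the two conditions of Definition 5.2.1, so their signal state is undefined and a signal deadlock would be reported.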
Proposition 5.2.4 An FS s = (M, v) exists in the FSG of an STG G if there exists a config-
uration $C : F_s(C) = M$ which has a defined signal state ξ = v.
Proof: If C exists and its signal state is defined, then for every signal all changes represented
by instances in C are in an alternating total order; also, the first instance is consistent
with the initial state of the signal. Hence, there exists at least one valid feasible sequence
which includes all instances of C and therefore, by Proposition 5.1.1, there exists an FS
$s = (F_s(C), \xi)$.
□
Proposition 5.2.5 The FSG Φ has a signal deadlock iff there exists a configuration C in the
STG-unfolding whose signal state ξ is undefined.
Proof: [if] Consider a configuration C whose signal state ξ is undefined. Let also $C' = C \setminus \{t'\}$
be a configuration with a defined signal state (it is always possible to find C, C' and t'
satisfying these conditions). From Proposition 5.2.4 it follows that an FS $s_i = (F_s(C'), \xi')$
exists. The signal state of a configuration C could only be undefined if: 1) t' has
another concurrent instance in C' which represents a transition of the same signal, or
2) $\lambda(L'(t')) = *a_i$ is inconsistent with $\xi'[i]$ due to the presence of another instance
$t'' : t'' \prec t'$ such that $\lambda(L'(t'')) = \lambda(L'(t'))$. In either case, by Definition 5.1.4, $s_i$ is a
deadlock with respect to $a_i$.
[only if] Choose an FS s = (M, v) for which there is a minimal (in length) feasible firing
sequence σ such that $M_0 \xrightarrow{\sigma} M$ and M is a signal deadlock with respect to some $a_i$.
Consider this FS. If this FS is $s_0$, then some instance $t' : L'({}^\bullet t') \subseteq M_0$ represents a
signal transition of $a_i$ which is inconsistent with $\xi\lceil \bot \rceil[i]$, and hence $\xi\lceil t' \rceil$ is undefined.
Otherwise, in the PN-unfolding of the underlying PN there exists a configuration $C' :$
$F_s(C') = M$. If at least one feasible sequence consisting of instances from C' is invalid
(according to Definition 3.4.2), then the signal state of C' is undefined, in which case
the proposition holds. Therefore, let all sequences be valid and ξ' be defined. There
exists an instance $t' : {}^\bullet t' \subseteq C'^\bullet$ such that $\lambda(L'(t')) = *a_i$. Obviously, there exists a
configuration $C = C' \cup \{t'\}$. From Definition 5.1.4, $\xi'[i]$ is inconsistent with $\lambda(L'(t'))$
and, therefore, C cannot have a defined signal state.
□
Theorem 5.2.1 Let Φ be an FSG free from signal deadlocks constructed for an STG G. Let
also G' be the STG-unfolding constructed for G with signal states defined for all configurations.
An FS s = (M, v) exists in Φ iff there exists a configuration C such that $F_s(C) = M$ and ξ = v
in G'.
Proof: [if] Follows from Proposition 5.2.4.
[only if] Suppose that the FSG is signal deadlock free, but there exists a state s = (M, v) for
which there is no corresponding configuration C. Consider an FS s' = (M', v') such that
$M' \to M$. There exists a configuration C' such that $F_s(C') = M'$ and ξ' = v'. Since
s' is not a signal deadlock, $\xi'[i]$ is consistent with $*a_i$ and therefore there exists a
configuration $C = C' \cup \{t'\} : \lambda(L'(t')) = *a_i$. Furthermore, $\lambda(L'(t'))$ is consistent with
$\xi'[i]$ and hence C has a defined signal state ξ. Therefore there exists an FS s = (M, ξ).
□
If for a constructed STG-unfolding all configurations have defined signal states, then the
FSG of the original STG has no signal deadlocks. At the same time, it follows from The-
orem 5.1.1 that an STG is valid if its FSG covers the RG of the underlying PN (the FSG
does not have signal deadlocks). Hence the analysis of STG validity can be done using the
STG-unfolding. Similar to the PN-unfolding, the STG-unfolding can be infinite. Thus a cutoff
condition is required. Obviously, this cutoff condition should be based on the cutoff condition
of the PN-unfolding segment and take into account signal states of the STG-unfolding.
Definition 5.2.3 STG-unfolding cutoff
A newly generated instance $t'_c$ is a cutoff transition in the STG-unfolding iff there exists
another instance t' such that $t'_c$ and t' satisfy the conditions of PN-unfolding segment cutoff
transition (Definition 4.2.3 or Definition 4.2.7) and $\xi\lceil t' \rceil = \xi\lceil t'_c \rceil$. □
In addition to the cutoff conditions for the PN-unfolding segment, the cutoff condition for the
STG-unfolding requires the signal states of local configurations to be equal.
Definition 5.2.4 The STG-unfolding segment $G'' = (N'', \Xi)$ is the greatest backwards closed
subnet of the STG-unfolding G' where for all $t' \in T''$ there exists an STG-unfolding cutoff
$t'_c$ (according to Definition 5.2.3) such that $t' \preceq t'_c$. □
proc Build STG-unfolding segment(G)
  Initialise N' with instances of places in M_0
  Initialise QUEUE with t enabled at M_0
  while QUEUE not empty do
    Pull t from QUEUE
    Add t' and t'• to N'
    if t' is a cutoff then do
      Mark t' and t'• as cutoff points
    end do
    for each t in T do
      Find unused set of mutually concurrent instances of places in •t
        which are not successors of a cutoff transition
      if such set exists then do
**      if signal state for ⌈t'⌉ doesn't exist then do
**        Report signal deadlock in ⌈t'⌉ and TERMINATE
**      end do
        Add t to QUEUE according to the order <_E
      end do
    end do
  end do
**  for each maximal configuration C_max do
**    if signal state for C_max doesn't exist then do
**      Report signal deadlock in C_max and TERMINATE
**    end do
**  end do
  return N'
end proc
Figure 5.5: Algorithm for obtaining STG-unfolding segment.
Property 5.2.1 The STG-unfolding segment G'' constructed for an STG G is finite if its
underlying PN N is bounded. □
Lemma 5.2.1 Let G' be an STG-unfolding of an STG G. For any configuration C of G'
with a defined signal state ξ there exists a configuration C' such that C' contains no cutoff
transitions and $F_s(C) = F_s(C')$ and ξ = ξ'. □
The proof of the above statement is similar to those in [47] and [22] for bounded and safe PNs
respectively.
Corollary 5.2.2 Let Φ be an FSG free from signal deadlocks constructed for an STG G. Let
also G'' be the STG-unfolding segment constructed for G with signal states defined for all
configurations. An FS s = (M, v) exists in Φ iff there exists a configuration C such that
$F_s(C) = M$ and ξ = v in G''. □
From the above corollary it follows that the STG-unfolding segment can be used for verifi-
cation of STG validity and analysis. The STG-unfolding segment is constructed for an STG. If
during construction of this segment a configuration is found whose signal state is undefined,
then the STG is invalid. Otherwise, a finite STG-segment is constructed which represents the
FSG.
[Figure 5.6: Examples of STG-unfolding segments (a) and (b). Instances are labelled with signal names carrying apostrophes (e.g. +b', +c'') and annotated with their signal state ξ and cumulative state ζ; the figure itself is not reproduced in this copy.]
It is impractical to check the existence of signal states of all configurations whenever a new
instance is added. Let $C_{max}$ be a maximal configuration in the STG-unfolding segment, i.e.
there are no instances in the segment which can be added to $C_{max}$. Such a configuration is
called final configuration. Proposition 5.2.1 implies that if the signal state existence conditions
are satisfied for all $C_{max}$, then all configurations in G'' have their signal states defined. At
the same time, signal states are calculated for all local configurations in G''. Thus, if a
local configuration without a defined signal state is found, the segment construction is aborted
and the signal deadlock is reported. The pseudo-code of the STG-segment construction is given
in Figure 5.5. As can be seen, this algorithm is an extension of the PN-unfolding segment
construction algorithm; the differences are in the lines marked with **.
Example. The STG-unfolding segment obtained from the STG in Figure 5.4(a) is shown in
Figure 5.6(a). In order to avoid cluttering in figures, the names of signals with apos-
trophes are used instead of the corresponding transition instance names; the number of
apostrophes indicates the number of instances of a particular signal transition. The
STG is invalid because the final configuration $C_{max} = \{+a', -a', +b'', +b''', -b'', -b'''\}$ does
not have a defined signal state. This configuration has concurrent transition instances
of signal b.
Another STG-unfolding segment for the STG from Figure 5.1(a) is shown in Fig-
ure 5.6(b). As can be observed, all configurations have their binary states defined
and therefore this STG is valid. Observe that in the PN-unfolding segment transition
+c'' would be a cutoff transition. In the STG-unfolding segment this is not the case
because instances +c' and +c'' have different signal states of their local configurations.

Name                  | States        | Versify T_v | Versify T_t | PUNT Size [tr/pl] | PUNT T_t
c-elem                | 64            | 0.01        | 0.11        | 7/12 (1/2)        | 0.07
chu172                | 768           | 0.02        | 0.26        | 13/14 (2/2)       | 0.11
espinalt-bad          | 15360         | 0.07        | 0.74        | 13/17 (0/0)       | 0.12
espinalt-good         | 2764?         | 0.10        | 0.83        | 25/30 (2/3)       | 0.17
fair-arb-sg.jordic    | 1280          | 0.09        | 0.80        | 32/33 (9/9)       | 0.51
fair-arb-sg           | 20??          | 0.03        | 0.??        | 20/21 (6/?)       | 0.14
fc                    | 960           | 0.03        | 0.??        | 14/16 (2/2)       | 0.09
full                  | ?20           | 0.02        | 0.15        | 10/14 (1/2)       | 0.06
full2                 | ??4           | 0.02        | 0.1?        | 10/16 (1/2)       | 0.10
half-done             | 224           | 0.01        | 0.18        | 10/16 (1/2)       | 0.07
joscpm (as scanned)   | 45056         | 0.07        | 0.72        | 21/29 (1/1)       | 0.12
lung (as scanned)     | 208           | 0.02        | 0.24        | 14/15 (2/2)       | 0.15
master-read           | 3.45 x 10^?   | 0.39        | 7.40        | 51/78 (1/1)       | 0.37
mix1bool.4            | 3532?         | 0.17        | 0.??        | 28/41 (4/6)       | 0.21
mix1bool.4.nomutex    | 16896         | 0.16        | 1.04        | 32/54 (4/8)       | 0.24
orc-mutex             | 480           | 0.05        | 0.37        | 19/20 (5/5)       | 0.12
qr42-nousc            | 4096          | 0.07        | 0.65        | 21/31 (1/1)       | 0.11
rlm                   | 768           | 0.02        | 0.24        | 13/14 (2/2)       | 0.13
rlm1                  | 768           | 0.01        | 0.22        | 13/14 (2/2)       | 0.07
roberto               | 844?          | 0.13        | 0.77        | 14/23 (1/1)       | 0.06
1.1 (as scanned)      | 618496        | 2.65        | 8.97        | 67/104 (6/12)     | 2.87
vbe5c                 | 1536          | 0.02        | 0.28        | 12/16 (1/1)       | 0.09
jst (as scanned)      | ?             | 0.02        | 0.26        | 12/22 (1/1)       | 0.08
irred.uo I Loken (as scanned) | ?1472 | 0.19        | 0.93        | 6/10 (?)          | 0.07
Total                 |               | 4.37        | 26.98       |                   | 6.13
(cells marked ? and names marked "as scanned" are illegible or OCR-damaged in the scanned copy)
Table 5.1: Experimental results for the examples set of benchmarks.
5.3 Low-level System Analysis
Analysis of asynchronous systems at the low level is divided into two categories: analysis of
circuit specifications and analysis of asynchronous circuits. In the first case, the specification
of the future circuit is verified for the correctness of its behaviour and implementability. The
circuit specification is given in the form of an STG. In the second case, the existing circuit
is verified for the correctness of its behaviour in a given environment. The circuit is usually
designed by hand or using semi-automated techniques. In most cases the environment can be
expressed in the form of an STG.
5.3.1 Analysis of STG specifications
Since an STG is a special case of LPNs, the algorithms suggested in the previous chapter for boundedness, safeness, liveness and persistency checks can all be applied in STG verification. Furthermore, all configurations have defined signal states in an STG-unfolding segment for a non-autoconcurrent¹ and valid STG. Thus, if a configuration is found which has an undefined signal state, it is reported along with the trace leading into it. Otherwise, the segment is constructed and it is used for the verification of the necessary properties.
Experimental results for specification verification  To illustrate the performance of the new method based on the STG-unfolding segment, the STG-unfolding segment construction algorithm was implemented as a part of the tool PUNT. This implementation was tested on a number of benchmarks available in the asynchronous community [40]. These benchmarks include a wide range of STGs, most of which have safe underlying PNs. The results of the experiments are shown in Table 5.1 for the subset of benchmarks called examples and in Table 5.2 for the subset called no-usc. The experiments were carried out on a Sun SPARC20 workstation.
¹A non-autoconcurrent STG is an STG with a non-autoconcurrent underlying PN.
As previously, the new STG analysis method was compared to the method based on PN symbolic traversal and implemented in the tool versify. The tables present timing results (in seconds) for comparison. Columns "Tt" for both tools show the total time taken for the verification of a benchmark. This time includes the time spent on the construction of the behaviour representation and the verification of the properties. Verified properties include boundedness, safeness, signal (or action) persistency, liveness and deadlock freedom. Column "Tv" for versify shows the fraction of time spent on verification of the properties on an already built BDD representation of the RG. Column "Size" for PUNT provides information about the STG-unfolding size in transition instances and place instances. It also shows in brackets the number of cutoff transitions and their immediate successors. For illustrative purposes, the size of the RG is also given in column "States".
As can be observed from both tables, the method based on the STG-unfolding segment consistently outperforms the PN symbolic traversal approach. It demonstrates a gain in speed for all benchmarks in these sets. Note the last line in Table 5.1. This STG, called irred.noitoken, is an invalid STG. The STG-unfolding segment detects the signal deadlock in a fraction of a second and reports the trace leading into it. At the same time, versify constructs the whole RG and then detects problems in it. The PN-unfolding segment of the underlying PN had 25 transition instances and the verification of PN properties was completed in 0.13 seconds.
5.3.2 Analysis of asynchronous circuits
To analyse an asynchronous circuit it needs to be represented as an STG. The basic idea of its
translation is similar to the modelling of two-phase circuitry: each gate is represented by an
STG fragment. These fragments are composed together and this composition is then composed
with the model of the circuit environment. However, unlike their two-phase counterparts, four-
phase gates may have asymmetrical excitation functions for up and down transitions of the
output signal, i.e. an up (and/or down) transition may be driven by a subset of input values.
Furthermore, there may be several subsets driving the output of a gate. Therefore, transitions
of the output signal for each gate have to be represented explicitly. Since all fragments are
STGs, the result of their composition is an STG.
Modelling four phase circuits  The STG representation of a gate, often referred to as a Circuit PN, can be obtained from its boolean function. Consider, for example, an AND gate with three inputs. Its boolean function can be written as:
$y = S + y\overline{R}$
where y is the output signal of the gate, and S and R are the set and reset functions respectively, defined as:
and
expressed in terms of the inputs of this gate.
Name                        States        versify Tv  versify Tt  PUNT Size [tr/pl] (cutoffs/successors)  PUNT Tt
alex1.1.nousc               1216          0.02        0.30        13/27 (1/2)     0.12
alex1.2.nousc               2~H           0.01        0.17        13/21 (1/1)     0.12
alex1.3.nousc               ,!,Q,f<,      DOl ()      2·1         I 1/2.'; (1/2)  0.11
alex Luousc                 1344          0.03        0.2~        J(j/30 (1/3)    0.11
u.lex Luou sc               24            0.00        0.07        6/10 (1/2)      0.10
alloc-outbound.nousc        117lj         U.UL        U.J:)       Ih/l'J 1~/2)    O.I:!
Iut.u ru.nousc              921£;         0.09        1.03        28/33 (1/2)     0.18
imul-edgu.nousc             224           ().Otl      0.92        36/37 (~/8)     1.28
liu-edecua.nousc            320           0.01        0.27        12/15 (1/1)     0.08
master-read.Lvu.nousc       7.31 x 10^7   0.25        2.46        74/113 (1/2)    0.53
master-read.nousc           M.99 x 10^6   0.19        1.53        40/64 (1/1)     0.29
IllI11tl.nousc              20992         0.08        0.81        21/35 (1/1)     0.12
mp-forward-pkt.nousc        2560          0.06        0.53        15/28 (1/2)     0.11
nak-pa.nousc                2h672         0.06        0.63        IIl/23 (1/1)    0.11
nousc.min-sur               256           0.02        0.24        12/20 (2/2)     0.06
nousc                       256           0.02        0.22        12/20 (2/2)     0.10
nousc.tmp1                  256           0.01        0.19        10/19 (1/2)     0.06
pe-rcv-ifc.chu              57344         0.48        2.71        49/67 (4/4)     0.68
pe-rcv-ifc.fc.nousc         11776         0.28        1.87        41/55 (4/4)     0.47
pe-rcv-ifc.nousc            12032         0.33        1.95        41/58 (4/6)     0.46
pe-send-ifc.nousc           :!0720        0.52        2.24        45/61 (6/12)    1.05
pulse.nousc                 96            0.01        0.18        12/13 (1/1)     0.09
ram-read-sbuf.nousc         :!6864        0.07        0.77        21/2Y (1/1)     0.14
rcv-setup.nousc             448           0.01        0.26        15/17 (3/3)     0.14
sbuf-ram-write.nousc        59392         0.09        0.93        24/36 (1/1)     0.18
sbuf-read-ctl.nousc         896           0.02        0.26        13/17 (1/1)     0.09
sbuf-read-ctl.nousc.old     960           0.02        0.31        15/17 (2/2)     0.10
sbuf-send-ctl.nousc         1280          0.03        0.47        18/23 (2/2)     0.10
sbuf-send-pkt2.nousc        1344          0.03        0.45        20/23 (4/4)     0.18
sbuf-send-pkt.1.yunvn.nousc 1664          0.06        0.61        23/31 (4/4)     0.24
sendr-done.nousc            56            0.01        0.11        6/9 (1/2)       0.07
Total                                     2.94        23.36                       7.60
Table 5.2: Experimental results for the No-USC set of benchmarks.
The STG fragment corresponding to this AND gate is shown in Figure 5.7(a). Each signal has two corresponding places, one for each of its "high" and "low" states. Thus in this example there are six places representing the input signals of the gate and two places representing the output signal. The number of transitions switching the output is equal to the number of terms in the set and reset functions. The gate does not control its inputs. Therefore, transitions changing the output value return tokens into their input places. Bi-directional arcs are used as a shorthand to represent arcs going to and from input places.
Sequential gates, such as Muller C-elements [53] (or generalised C-elements [2]), are also modelled by STG fragments. An example of the STG fragment for a generalised C-element with a logic function:
is given in Figure 5.7(b). This C-element has an asymmetric excitation function and has two transitions representing output signal changes. Each transition is connected to a different set of input places. Another example of a sequential gate is the Mutual Exclusion (ME) element. An ME-element resolves the conflict between two (or more) input requests. The illustration of the STG fragment for an ME-element is shown in Figure 5.7(c). This STG fragment has an additional place, representing the "memory" of the element. As can be seen, this version of the ME-element resolves the conflict only between the "high" values of requests. It requires the request signal which has been given a "grant" to be lowered before the next conflict is resolved. ME-elements are a very useful tool for designing arbiters as they allow localisation of non-deterministic choice in one (specially designed) element [16].
[Figure 5.7 (diagram): (a) three-input AND gate with inputs i1, i2, i3 and output y; (b) C-element labelled y = i1 i3 + y(i2 + i3); (c) ME-element with request signals r1 and r2]
Figure 5.7: Examples of a 3 input AND gate (a), Muller C-element (b) and ME-element (c).
These examples illustrate how the STG modelling is done for a gate with a given boolean logic function or behaviour. It is convenient to introduce a schematic-like depiction for gates, which is also given for all three examples. This representation is similar to the representation of processors from [18]. Each gate shows its input-dependent transitions and places for output values. Up and down transitions are marked with "+" and "-" respectively; values of the outputs are labelled "0" and "1" for "high" and "low". The representation is chosen so that the only type of arcs that go between two gate boxes are bi-directional arcs. In order to avoid cluttering in the figures, arrows on these arcs are not shown.
STG fragments are composed by connecting transitions which correspond to the output
signal changes of one gate to the input places of those gate(s) to which this output is connected.
If an output of the gate is forked to several gates, then output places are duplicated, one for
each gate which uses this output as an input. Thus the true concurrency of operation of the
gates in the circuit is preserved.
Experimental results for circuit verification  To illustrate the analysis of four-phase circuits by means of the STG-unfolding segment a set of already designed circuits was used. Most of these circuits come from [35] where they were also used as examples for verification using CDs. Note that direct comparison between CD based and STG-unfolding segment based methods was impossible as Forcage, the only available CD-based verification tool, uses a different computer platform. However, it was possible to compare the verification results of the STG models for these circuits using versify².
Figure 5.8: Four-phase micropipeline control circuit.
The results of the circuit verification are presented in Table 5.3. As previously, columns "Tt" show the total time (in seconds) spent by each tool on the verification of the STG model of each circuit; column "Tv" shows the fraction of time spent by versify on the verification of the properties on the BDD representation of the SG; column "Size" shows the size of the STG-unfolding segment. The size of the SG is given in the column "States" and the number of gates in each model is shown in column "Gates".
All circuit models were found safe, live and deadlock free. The top section of Table 5.3 presents the analysis results of circuits which were persistent, i.e. no signal transition can disable a transition of another signal. The lower part of the table shows the verification results for circuits which had some non-persistent signals. For example, verification of the initial four-phase pipeline control circuit [17] from Figure 5.8(a) was performed using the STG model shown in Figure 5.8(b). For simplicity, delays in the environment are assumed to be represented by the existing inverters. The verification revealed that the outputs of both C-elements are non-persistent and reported the following trace: +Rin, +y1, -Rin, -y2, +nAout, -y1, +Rin, which leads to a state in which both +y2 and +y1 are enabled but firing y1 will remove the excitation from y2. In the corrected circuit, suggested in [98], the boolean function for the first C-element was y1 = Rin y2 + y1(Rin + nAout + y2). The verification showed (line 1 in Table 5.3) that the STG model is persistent and the circuit is free from hazards.
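The gate modelling and the persistency check described above, as an added Python illustration (not code from the thesis or from PUNT): each gate is given by its set and reset functions as on this page, fragments are composed by sharing the signal places, and persistency is checked here by explicit reachability exploration (as the SG-based tools do) rather than by the STG-unfolding segment. The inverter ring and the C-element handshake are constructed examples, and the three-input AND gate is the one from the text.

```python
"""Four-phase gates as STG fragments (Circuit PNs), composed by sharing signal
places, then checked for signal persistency by reachability-graph exploration.
Added illustration, not the thesis's or PUNT's code; the circuits are constructed."""
from collections import deque


def gate(output, set_terms, reset_terms):
    """A term is {input_signal: required_value}; set/reset functions are term lists (SOP)."""
    return {"out": output, "set": set_terms, "reset": reset_terms}


def fragment(g):
    """One transition per term of the set and reset functions. A transition moves the
    token between the two places (out, 0) and (out, 1) of the output signal and only
    reads the input places (the bi-directional arcs of the text): inputs never change."""
    trans = []
    for sign, terms in (("+", g["set"]), ("-", g["reset"])):
        new = 1 if sign == "+" else 0
        for term in terms:
            trans.append({"label": g["out"] + sign,
                          "pre": (g["out"], 1 - new),
                          "post": (g["out"], new),
                          "read": frozenset(term.items())})
    return trans


def compose(gates):
    """Fragments are composed by sharing the places of the signals they connect."""
    return [t for g in gates for t in fragment(g)]


def enabled(t, marking):
    """marking: frozenset of marked places (signal, value), one per signal."""
    return t["pre"] in marking and t["read"] <= marking


def fire(t, marking):
    return (marking - {t["pre"]}) | {t["post"]}


def initial_marking(values):
    return frozenset(values.items())


def check_persistency(transitions, m0):
    """Breadth-first exploration of the reachability graph. Returns
    (persistent, trace, disabled, states_explored): trace is the firing sequence to
    the first state in which firing one signal's transition disables an enabled
    transition of another signal, and disabled is that transition's label."""
    seen = {m0: []}
    queue = deque([m0])
    while queue:
        m = queue.popleft()
        en = [t for t in transitions if enabled(t, m)]
        for t in en:
            m2 = fire(t, m)
            for u in en:
                if u["label"] != t["label"] and not enabled(u, m2):
                    return False, seen[m] + [t["label"]], u["label"], len(seen)
            if m2 not in seen:
                seen[m2] = seen[m] + [t["label"]]
                queue.append(m2)
    return True, [], None, len(seen)


def inverter(out, inp):
    return gate(out, [{inp: 0}], [{inp: 1}])


def c_element(out, a, b):
    """Muller C-element: set when both inputs are high, reset when both are low."""
    return gate(out, [{a: 1, b: 1}], [{a: 0, b: 0}])


# Three-input AND gate of the text: one set term, three reset terms -> 4 transitions.
AND3 = gate("y", [{"i1": 1, "i2": 1, "i3": 1}], [{"i1": 0}, {"i2": 0}, {"i3": 0}])

# Constructed closed circuits. A ring of three inverters is non-persistent: from
# x1=x2=x3=0 all three rising transitions are enabled and firing x1+ disables x2+.
RING = compose([inverter("x1", "x3"), inverter("x2", "x1"), inverter("x3", "x2")])
RING_M0 = initial_marking({"x1": 0, "x2": 0, "x3": 0})

# A C-element whose two inputs are fed back through inverters is persistent.
HANDSHAKE = compose([c_element("c", "a", "b"), inverter("a", "c"), inverter("b", "c")])
HANDSHAKE_M0 = initial_marking({"c": 0, "a": 0, "b": 0})

if __name__ == "__main__":
    print(len(fragment(AND3)))                         # 4
    print(check_persistency(RING, RING_M0))            # (False, ['x1+'], 'x2+', 1)
    print(check_persistency(HANDSHAKE, HANDSHAKE_M0))  # (True, [], None, 8)
```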
Most of the circuits analysed here were deterministic circuits, i.e. circuits without internal arbitration. However, two benchmarks used in the experiments, shapiro and LowLat2, are implementations of a tree arbitration cell from [27] and an implementation of the Low Latency arbiter from [76]. Both circuits are non-deterministic and are designed so that all non-determinism of the circuit is concentrated in the ME-elements. The outputs of an ME-element are, of course, non-persistent and the alarm raised by their non-determinism should be disregarded. Both circuits were found persistent with respect to the rest of the signals.
It was also observed that the size of the STG-unfolding segment may grow drastically if the circuit is non-persistent. The non-persistency can, however, be detected within the first few transition instances. If the segment construction continues, e.g. when the circuit has arbitration in it, the STG-unfolding segment may suffer from an unfolding explosion. This is attributed to the presence of bi-directional arcs.
²versify is capable of circuit verification using the boolean logic function for each gate. However, the comparison with this approach was not considered here.
Name          Gates  States    versify Tv  versify Tt  PUNT Size [tr/pl] (cutoffs/successors)  PUNT Tt
yak-kish      4      224       0.05        0.27        11/38 (1/2)        0.15
a4-t.f-101    ~      rd20      0.36        I.K4        20/115 (1/4)       0.42
joiu Meu g    G      40gb      0.25        1.03        18/90 (1/3)        0.27
kish238       9      14336     0.45        1.89        21/107 (2/9)       0.39
kish327       4      100       0.11        0.76        9/55 (2/11)        0.20
shapiro       9      53248     0.75        2.40        26/130 (2/10)      0.38
LowLat2       10     407552    10.33       22.65       13'ti/971l (27/212) 20.35
paul-day      4      224       0.04        0.22        12/37 (2/5)        0.15
c-eleurt      6      2112      0.17        1.00        20/109 (6/38)      0.48
a4-tAo3       9      95744     2.10        4.87        130/597 (53/226)   11.19
kish132       9      40960     0.70        2.60        69/313 (14/55)     2.81
Table 5.3: Experimental results of four-phase circuit verification.
When a two-phase circuit is modelled using LPNs, the places represent the wires in the circuit. Since transitions in an LPN represent events, the propagation of tokens in the model denotes changes in the voltage levels on the wires. Once an event has occurred, the new conditions for this event can only be established when new tokens arrive into its input places. However, when a four-phase circuit is modelled, places represent the current states of the signals. Thus transitions can only move tokens in the places representing the output signal of a gate. The enabling conditions are established by connecting the input places and transitions with bi-directional arcs. The transition thus only "observes" the value of the gate's inputs and fires when the excitation conditions are reached.
The dependency between places and transitions connected by bi-directional arcs can be interpreted as the context in which a transition is allowed to fire. This was captured in the notion of contextual nets (see Chapter 7). If an ordinary net is used for modelling contextual dependencies, then the STG-unfolding segment will distinguish between an input place marked before and after a transition has fired. This, in turn, may cause an exponential explosion in the size of the unfolding, which would simply represent all possible firings of contextually dependent transitions. To avoid this, a Contextual Net unfolding is introduced later in Chapter 7.
5.4 Conclusions
This chapter introduced the semantic model of the FSG. This formalism, unlike previous ones, can capture the behaviour of an arbitrary STG. States of the FSG consist of two components: a marking and a binary code. Unlike the conventional RG, the FSG distinguishes states with different markings but equal binary codes. Hence it is possible to build a correct behavioural representation for an acyclic STG and, thus, exclude false alarms raised by the conventional SG analysis methods.
The second main result of this chapter is the STG-unfolding segment. It is based on the PN-unfolding segment but also takes into consideration signal interpretations of the transitions. The STG-unfolding segment has been applied to the verification of STG specifications as well as verification of existing circuits. It was demonstrated that the new STG analysis method based on the STG-unfolding segment is more favourable for a large number of benchmarks. It was also observed that the circuit analysis may suffer from the explosion of the STG-unfolding due to the high degree of concurrency in the STG and the presence of bi-directional arcs between places and transitions. Using contextual nets and the contextual net unfolding avoids this explosion. This method is described later in this thesis.
Chapter 6
Synthesis from STG-unfolding
The aim of this chapter is to introduce a new technique for the synthesis of SI circuits from their STG specifications. This new method uses the partial order presented as an STG-unfolding segment to derive the boolean logic implementation. It is based on the idea of a slice, which localises the behaviour of a particular signal instance in a structural fragment of the segment. Two approaches are suggested: the exact cover calculation and the cover approximation. Within the approximation approach two strategies for approximate cover derivation are considered. The method is applied to the synthesis in three main implementation architectures. Experimental results show the power of the approximation approach in comparison with the existing methods.
First, this chapter draws up a classification of common implementation architectures for SI circuits and summarises the correctness criteria for each architecture. Then it introduces new notions defined on the STG-unfolding for the synthesis procedure. After that, a new method is described for each architecture. Finally, two techniques for improving the implementations and speeding up the synthesis are suggested, and experimental results are given that compare the new method with the existing "state-of-the-art" ones.
6.1 Motivation
There exists a variety of approaches to the synthesis of SI circuits from their STG specifications. These approaches can be divided into groups according to the types of gate libraries used for the implementation of output signals. For example, [3, 2] uses a Muller C-element for each implementable signal and a network of gates to drive it. Work presented in [35] uses an RS-latch in similar conditions. Early methods, e.g. [13, 48], assume that each signal is implemented as a single complex gate. Later techniques, e.g. [83, 38], attempt to decompose the complex gates while preserving the speed-independence of the circuit.
Another taxonomy in the synthesis of SI circuits is established by the various methods used to obtain the boolean logic functions. Two primary approaches exist to date: State Graph (SG) based and structural methods (eliciting information for the synthesis from the structure of the STG). The first approach constructs an SG as a model that represents the behavioural properties of the "would-be-circuit". It then proceeds with extracting the subsets of states required for the implementation. This method is used in such tools as SIS [82] and Assassin [102]. A recently developed tool petrify (and approach) [15] uses BDDs to represent the state space. Due to the implicit representation of the SG this tool is efficient in synthesising moderate-sized examples. Since all these methods work with the full SG, they suffer from the state explosion problem, i.e. the number of reachable states grows exponentially with the size of the specification.
[Figure 6.1 (diagram): specification correctness conditions (boundedness, consistency, output-semimodularity); States -> Cuts; Regions of states -> Slices; On/Off-sets -> On/Off-slices; Excitation Regions -> Excitation Slices; exact covers; approximate covers; implementation-specific correctness conditions (correct covers); scope of this work]
Figure 6.1: Overview of synthesis issues discussed in the work.
The structural method of [62] uses State Machine (SM) decompositions of STGs to obtain
concurrency relations between signal transitions. Using these relations, this method finds an
approximate implementation avoiding the exploration of the state space. Thus it demon-
strates impressive results although it is restricted to free-choice specifications. The method
described in [103] also uses structural information of the STGs (lock relations between signals)
to synthesise circuits.
Partial order techniques have also been applied in the synthesis process. CDs were introduced in [35] for the synthesis of SI circuits from choice-free (no choice at all) specifications. The absence of choice constructs significantly restricted their use. Nevertheless, this work was a significant step in the development of this approach: it was the first to establish the relationship between the sets of connected states (e.g. excitation regions in the SG) and elements of the event-based description (event instances in the CD-unfolding).
A more recent work of [50] uses PN-unfoldings to derive logic functions. This work, however, is based on restoring the state space from the partial order and is, therefore, also prone to the state explosion.
It was shown in previous chapters that the partial order technique, based on the PN-
unfolding, can obtain an implicit reachability graph representation, in the form of a finite
segment of the unfolding. It can often construct an STG-unfolding segment for those examples
where the construction of the reachability graph fails. This STG-unfolding segment represents
all states of an asynchronous system. In addition, as the segment is constructed it is verified
for correctness. Thus, after the verification stage is completed, the implementation can be
derived from the constructed STG-unfolding segment.
This chapter proposes a novel approach for the synthesis of SI circuits from the STG-unfolding segment of their specifications. Initially it suggests an exact method, which produces implementations comparable with those of the SG approach. Although the exact approach benefits from STG-unfolding segment properties, this method may still suffer from state explosion. To overcome this problem, an approximation method is suggested, which is based on temporal relations found in the segment. However, unlike [62], this approach works with the partial order representation of a fragment of the system's execution. Therefore, it uses local dependency information available for each instance of every signal transition. Only instances of signal transitions which are concurrent to a particular instance are considered. This gives a more accurate initial approximation and a more precise refinement of cover functions for signal implementation. The proposed approach is applied to the synthesis in three major implementation architectures. The scope of synthesis issues presented in this work is summarised in Figure 6.1.
6.2 Implementation of SI Circuits
6.2.1 Basic Synthesis Concepts
Conventionally, to obtain an implementation for an STG G a corresponding SG (or FSG¹) S is derived by constructing the reachability graph of the underlying PN and then assigning a binary vector v_j to each state s_j. The binary vectors are assigned consistently (see Chapter 5). States of the SG generated by a consistent STG therefore have two components: a marking and a binary vector. At the circuit level, however, the states are represented only by their binary vectors, which are in this case the values of the signals in the circuit. Thus it may be possible that two states with equal binary vectors will be indistinguishable at the circuit level. This situation is often referred to as a coding conflict. The Complete State Coding (CSC) condition introduced in [13] requires any two states with equal binary vectors to have the same set of excited output signals. If for some signal a_i this requirement is not satisfied, then it is impossible to extract the boolean function for its implementation. It was shown in [13] that STGs satisfying CSC are implementable as SI circuits.
Once a consistent state assignment has been performed, truth tables are obtained for each output signal and an implementation is produced. The process of obtaining a truth table depends on the implementation architecture chosen (for this particular signal).
Correctness criteria for the synthesis of SI circuits can be divided into general specification correctness criteria and architecture-specific correctness criteria. General correctness criteria are verified by examining the behavioural properties of an STG. These criteria constitute the requirements for an STG to be implementable "in principle". The general criteria are:
• STG validity, which requires an STG to be consistent with its implementation as a circuit;
• Boundedness, which guarantees that the behaviour specified by an STG can be implemented using a finite number of components;
• Semi-modularity (also called "output signal persistency"), which ensures that the output signals cannot be disabled by some input signal change and thus cause a hazard;
• CSC satisfiability, which ensures that the STG specification has sufficient state coding power to allow the synthesis procedure to produce logic functions for the output signals.
¹Traditionally an SG is constructed, but the FSG is required to represent correctly the behaviour of acyclic STGs.
It was shown earlier that the first three criteria can be checked on the STG-unfolding segment G' constructed for an STG G. Verification of the latter criterion requires obtaining all reachable states explicitly. Instead of that, the approach given here attempts to construct an implementation. If it fails, then the STG does not satisfy CSC. It is, nevertheless, possible to correct an STG specification by inserting additional (internal) signals to resolve the coding conflict. This, however, is considered to be outside of the scope of this work. Several automated techniques for resolving CSC conflicts at the SG level have been published, e.g. [92, 14].
An implementation is obtained by building a cover function. A boolean function with a variable corresponding to each signal is said to be covering a state s_j if it evaluates to TRUE when the variables have the values equal to the elements of the binary vector v_j assigned to s_j. A function C covering a set of states is called a cover function (or simply cover) for this set of states {s_j}. Each term of the cover is traditionally called a cube, denoted as B, as it may cover several states. Each variable in a cube is called a literal. Note, however, that a cube may have literals for all signals, in which case it is called a minterm.
The concepts of a minterm and its corresponding binary vector are inherently very close. A minterm can be easily obtained from a binary vector by substituting all 1's with the literals of the corresponding signals, and all 0's with their complementary literals. If a binary vector corresponds to a set of states, i.e. some of the variables are "-", then the corresponding signal's literal is omitted from the minterm, which produces a cube. For example, on a set of signals {a, b, c} a binary vector v = {101} corresponds to a cube $B = a\overline{b}c$ and vice versa. Similarly, a binary vector u = {-10}, which represents the two vectors {010} and {110}, corresponds to a cube $B = \overline{a}b\overline{c} + ab\overline{c} = b\overline{c}$ and vice versa. Therefore, among the "synthesis community", set-theoretical operations on sets of states are often interchanged freely with boolean logic operations applied to minterms and cubes, e.g. $\{10-\} \cup \{-10\} \Leftrightarrow a\overline{b} + b\overline{c}$. Henceforth, this work will assume that these operations are interchangeable for the purposes of cover derivation. In addition, transformations between binary vectors and cubes do not require any additional operators.
The cover is not required to cover only states in {s_j}. If a cover is obtained by performing standard boolean transformations on the set of terms which are extracted from the binary vectors of the states, then, of course, it covers only the states in {s_j}. Such a cover is called the exact cover. However, if a cover was obtained differently (e.g. using an oracle or any other method), it may include some other states. In this case such a cover is called the approximated cover. Approximated covers need to be checked for correctness. The notion of correctness, applied at the implementation stage, is concerned with the requirement of hazard-freedom with respect to the gates of the synthesised circuit. It is different from the general correctness conditions (discussed above) related to the specification. As a matter of fact, this notion is essentially dependent on the implementation architecture because the sets of states S_i, for which the boolean covers are extracted, are different for different architectures. Thus, the architecture-specific correctness criteria establish relations between sets of states S_i and cover functions.
Figure 6.2: Atomic complex gate architecture.
There are three basic implementation architectures which have been rigorously researched
in a number of works:
• Atomic Complex Gate per Signal (ACGpS) implementation;
• Atomic Complex Gate per Excitation Function (ACGpEF) implementation;
• Atomic Complex Gate per Excitation Region (ACGpER) implementation.
The first architecture can be considered as the basic one. The other two aim at reducing the sizes of customised complex gates. Each implementation architecture is discussed along with the corresponding correctness criteria in more detail in the following subsections. In this chapter, however, the correctness criteria are chosen to be relatively simple. They do, however, guarantee the existence of an implementation for any STG satisfying CSC. For instance, in the last two architectures, as a target for boolean covering, only those states are considered where the implementable signals are excited. Several recent papers, e.g. [62, 38], examine the possibility of expanding the set of covered states with states at which those signals are stable. This, however, can be viewed as an optimisation aimed at reducing the size of customised complex gates.
6.2.2 ACGpS Implementation
This is the initial architecture for SI circuits studied in [13, 48, 73]. The circuit is implemented
as a network of atomic gates, each one implementing one output signal. The boolean function
for each gate can be represented as a Sum-Of-Products (SOP). The general view of such a
gate is shown in Figure 6'.2. Each atomic gate contains a combinational part, and a possibly
sequential part implemented as an internal feedback. The delay between its "ANDing" and
"ORing" parts, and the internal feedback is assumed to be negligible. The diagrammatic gate
representation is used to denote the implemented logic function, but the actual implementation
is resolved at the transistor level.
Recall (from Section 2.2.3) that a signal is said to be stable in a particular state if it is equal to the value computed by the corresponding logic function under the values given by the vector; otherwise it is called excited. Two (mutually complementary) subsets of the reachable states are distinguished in the SG for every signal a_i:
• the on-set, denoted as On(a_i), which includes all states at which the output signal a_i has the implied value of TRUE, i.e. s ∈ On(a_i) if a_i in s is stable at 1 or is excited to switch to 1; and
• the off-set, denoted as Off(a_i), which includes all states at which a_i has the implied value of FALSE.
Figure 6.3: Example of an STG (a) and its corresponding SG (b).
The implementation is derived by building a cover for the on-set². Each state s = (M, v) can be represented by a minterm B which has |A| variables, each corresponding to one and only one signal a_i. The minterm becomes TRUE only when the values of the variables are equal to those in the binary vector assigned to the state. The cover C_On(a_i) for the implementation is obtained as:
$C_{On}(a_i) = \sum_{j} B_j$
where B_j are the minterms obtained from the binary vectors v_j for all states s_j ∈ On(a_i).
In many cases the union of the on- and off-sets is smaller than the set of all possible combinations of the corresponding boolean variables. The difference in this case is called the Don't care set (DC-set). None of the states in the DC-set is reachable in the system and thus the terms corresponding to the states in the DC-set can be used for minimisation. This is done using standard minimisation tools, such as Espresso [82].
Example. The synthesis procedure for this architecture is illustrated in Figure 6.3(b) for
the STG shown in Figure 6.3(a). Suppose that an implementation of the signal
b is required. The on-set for b is found from the SG as: $On(b) = \{(p_2,p_3), (p_3,p_5),
(p_2,p_6,p_8), (p_5,p_6,p_8), (p_7,p_8), (p_4)\}$. The cover function $C(b)$ is obtained as: $C(b) =
a\bar{b}\bar{c} + ab\bar{c} + a\bar{b}c + abc + \bar{a}bc + \bar{a}\bar{b}c = a + c$.
The DC-set in this example is empty, so no further minimisation can be attempted. □
²Here and later, for simplicity, it is assumed that the on-set is constructed. Usually the simplest of on-set
or off-set is chosen for implementation.
Figure 6.4: Atomic complex gate per excitation function architecture.
Obtaining exact covers usually means that all states in the on- or off-set must be known.
Recent research (including this thesis) is aimed at obtaining the covers without exhaustive
exploration. Thus the problem is posed as follows: given two covers (obtained by some
algorithm, e.g. approximation) to determine if they represent a correct implementation. For
this implementation architecture the covers (exact or approximate) should satisfy the following
condition:
Definition 6.2.1 Two covers $C_{On}(a_i)$ and $C_{Off}(a_i)$ are said to satisfy the ACGpS correct-
ness condition iff:
$On(a_i) \subseteq C_{On}(a_i)$
$Off(a_i) \subseteq C_{Off}(a_i)$
$C_{On}(a_i) \cap C_{Off}(a_i) \subseteq \text{DC-set}$
□
It should be emphasised that the correctness condition above does not require the covers to
be exact. Exact covers are a particular case and satisfy this condition iff the STG has CSC,
since in such an STG $C_{On}(a_i)$ and $C_{Off}(a_i)$ cover $On(a_i)$ and $Off(a_i)$ respectively and their
intersection is empty.
6.2.3 ACGpEF Implementation
The ACGpEF architecture was studied extensively in a number of papers, e.g. [3, 37, 2]. It
assumes that a separate memory element is used to produce an output signal. The Set and
Reset excitation functions for this memory element are implemented as atomic complex gates.
Depending on which memory element is used, the implementations are divided into:
• Standard C-element implementation, which uses a Muller C-element as the memory ele-
ment (e.g. shown in Figure 6.4(a)), and
• Standard RS-latch implementation, where an RS-latch is used.
For synthesis purposes the following sets of states, called regions, are identified on the SG
for each signal transition.
Definition 6.2.2 The Generalised Excitation Region (GER) of a signal transition $*a_i$, denoted
as $GER(*a_i)$, is the set of all states of the SG $S$ in which $*a_i$ is excited, i.e.:
□
Figure 6.5: Atomic complex gate per excitation region architecture.
A GER for some signal transition $*a_i$ represents all states in which this signal transition is
excited. Since there are two possible transitions for one signal, $+a_i$ and $-a_i$, there are two
corresponding GERs, $GER(+a_i)$ and $GER(-a_i)$, found for each signal.
An implementation is obtained by finding covers $C_S$ and $C_R$ for the set and reset func-
tions of a memory element from the minterms corresponding to the states in $GER(+a_i)$ and
$GER(-a_i)$, respectively.
The set function is obtained from the terms corresponding to the states in $GER(+a_i)$.
Similarly, the minimal reset function is obtained from the terms for states in $GER(-a_i)$. It
is possible to show the existence of an implementation in the ACGpEF architecture for any
STG satisfying the CSC condition.
Example. The covers $C_S$ and $C_R$ for signal b in Figure 6.3(b) are obtained as follows: $C_S(b) =
a\bar{b}\bar{c} + a\bar{b}c + \bar{a}\bar{b}c = a\bar{b} + \bar{b}c$ and $C_R(b) = \bar{a}b\bar{c}$, which is an implementation of the signal in
the ACGpEF architecture. □
The cover correctness condition in this architecture is as follows:
Definition 6.2.3 A set (reset) cover $C_S(a_i)$ ($C_R(a_i)$) is said to be correct if the only reachable
states covered by $C_S(a_i)$ ($C_R(a_i)$) belong to $GER(+a_i)$ ($GER(-a_i)$) and it covers all states
in this GER. □
The conditions imposed on the set and reset covers correspond to the "intuitive" under-
standing of the correctness of a circuit, i.e. absence of hazards. Indeed, according to the
conditions of the definition, the output signals of atomic complex gates implementing the set
and reset functions may only be switched where the signal is excited in the specification; they are not
allowed to switch at any other reachable state outside their corresponding GERs. Note that
these conditions do not restrict the correct cover to the one which covers the GER exactly. The
latter is a special case of the correct cover. An approximated cover may also include states
from the DC-set. An implementation of an STG with CSC by means of exact GER covers
always exists as they satisfy these correctness conditions.
6.2.4 ACGpER Implementation
Signals in this architecture are created using networks of atomic complex gates to implement
set and reset functions of the memory element. As a result, smaller complex gates are used
which are then connected to an OR-gate whose output is in turn fed into the memory element.
The basic structure of this architecture is shown in Figure 6.5. Similar to the previous
architecture, the memory element can be a Muller C-element or an RS-latch.
As can be noted, the GER for a particular signal instance $*a_i$ can have several connected
sub-regions. This is captured in the definition of the excitation region.
Definition 6.2.4 The Excitation Region (ER) of a signal transition $*a_i$, denoted as $ER(*a_i)$,
is a maximal connected set of states of the SG $S$ in which $*a_i$ is excited. □
There may exist several connected ERs for one signal transition $*a_i$. From the definitions it follows
that
$GER(*a_i) = \bigcup_j ER_j(*a_i)$
The correctness condition for this architecture is as follows:
Definition 6.2.5 A set of covers $C_S^1(a_i), \ldots, C_S^k(a_i)$ ($C_R^1(a_i), \ldots, C_R^l(a_i)$) for the set (reset)
function of signal $a_i$ is said to be correct if each $ER_j(+a_i)$ ($ER_j(-a_i)$) is covered by its
corresponding $C_S^j(a_i)$ ($C_R^j(a_i)$) and the only reachable states covered by $C_S^j(a_i)$ ($C_R^j(a_i)$) belong
to $ER_j(+a_i)$ ($ER_j(-a_i)$). □
Example. Signal b in the STG of Figure 6.3 can also be implemented in the ACGpER
architecture. In this case the set network contains two gates corresponding to the two
covers obtained for both ERs of $+b$, whereas the reset cover contains only one gate:
$C_S^1(b) = a\bar{b}\bar{c} + a\bar{b}c = a\bar{b}$, $C_S^2(b) = \bar{a}\bar{b}c$ and $C_R(b) = \bar{a}b\bar{c}$. □
The correctness condition requires that the cover for each ER is interpreted as a separate
gate. However, this condition also requires that only one atomic complex gate is switching
at a time, thus avoiding dynamic delay hazards [2]. Similar to the previous architecture, the
covers need not cover their ERs exactly. Exact covers are a special case which always satisfy
this condition. In an extreme case, when the set cover consists of only one cover the OR-gate,
merging the outputs of gates implementing ER covers, becomes redundant.
Any circuit implementable in ACGpER architecture is also implementable in ACGpEF
architecture. In this case all covers for ERs are implemented as one atomic complex gate. The
ACGpER architecture can be viewed as an attempt to improve over the ACGpEF architecture. If
the set and reset covers covering GERs in ACGpEF architecture were obtained from several
covers for ERs, then the ACGpER architecture implementation can be found by checking
which of the ER covers have non-empty intersection and implementing them as one gate per
a connected ER.
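As an added worked example (Python written for this page, not code from the thesis), the following computes for the SG of Figure 6.3 the on-, off- and DC-sets and the ACGpS check of Definition 6.2.1, the GERs of Section 6.2.3 and the connected ERs of Definition 6.2.4 for signal b. The states and their binary encodings are those quoted in the text; the arcs between states are an assumption of this example.

```python
"""Sets and covers of Section 6.2 for the SG of Figure 6.3 (added example, not thesis code).

States and their encodings are those quoted in the text; the arcs between states
are an assumption of this example.  Signal order in every binary vector is (a, b, c).
"""
from itertools import product

SIGNALS = ("a", "b", "c")

# Reachable states of the SG: marking -> binary vector v (order a, b, c).
ENCODING = {
    "p1": "000", "p2p3": "100", "p4": "001", "p3p5": "110",
    "p2p6p8": "101", "p5p6p8": "111", "p7p8": "011", "p9": "010",
}

# Arcs of the SG: marking -> {signal transition: successor marking} (assumed).
ARCS = {
    "p1": {"+a": "p2p3", "+c": "p4"},
    "p2p3": {"+b": "p3p5", "+c": "p2p6p8"},
    "p4": {"+b": "p7p8"},
    "p3p5": {"+c": "p5p6p8"},
    "p2p6p8": {"+b": "p5p6p8"},
    "p5p6p8": {"-a": "p7p8"},
    "p7p8": {"-c": "p9"},
    "p9": {"-b": "p1"},
}

ALL_VECTORS = {"".join(bits) for bits in product("01", repeat=len(SIGNALS))}


def excited(marking, signal):
    """A signal is excited in a state if an arc out of it is labelled +signal or -signal."""
    return any(t[1:] == signal for t in ARCS[marking])


def on_set(signal):
    """On(a_i): states where a_i is stable at 1 or excited to switch to 1."""
    i = SIGNALS.index(signal)
    return {v for m, v in ENCODING.items() if (v[i] == "1") != excited(m, signal)}


def off_set(signal):
    """Off(a_i): the reachable states not in the on-set."""
    return set(ENCODING.values()) - on_set(signal)


def dc_set():
    """DC-set: binary vectors not assigned to any reachable state."""
    return ALL_VECTORS - set(ENCODING.values())


def ger(transition):
    """GER(*a_i) (Definition 6.2.2): all states in which e.g. '+b' is excited."""
    return {ENCODING[m] for m, arcs in ARCS.items() if transition in arcs}


def excitation_regions(transition):
    """ER_j(*a_i) (Definition 6.2.4): maximal connected subsets of the GER under the SG arcs."""
    region = {m for m, arcs in ARCS.items() if transition in arcs}
    adj = {m: set() for m in region}
    for m in region:
        for nxt in ARCS[m].values():
            if nxt in region:
                adj[m].add(nxt)
                adj[nxt].add(m)
    ers, seen = [], set()
    for start in sorted(region):
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:  # depth-first search of one connected component
            m = stack.pop()
            if m not in comp:
                comp.add(m)
                stack.extend(adj[m])
        seen |= comp
        ers.append(frozenset(ENCODING[m] for m in comp))
    return sorted(ers, key=sorted)


def cube_covers(cube, vector):
    """A cube such as '1--' covers a minterm if every fixed literal agrees with it."""
    return all(q == "-" or q == v for q, v in zip(cube, vector))


def states_of(cover):
    """All binary vectors, reachable or not, covered by a sum of cubes."""
    return {v for v in ALL_VECTORS if any(cube_covers(q, v) for q in cover)}


def acgps_correct(signal, cover_on, cover_off):
    """Definition 6.2.1: On ⊆ C_On, Off ⊆ C_Off and C_On ∩ C_Off ⊆ DC-set."""
    s_on, s_off = states_of(cover_on), states_of(cover_off)
    return on_set(signal) <= s_on and off_set(signal) <= s_off and (s_on & s_off) <= dc_set()


if __name__ == "__main__":
    print("On(b) =", sorted(on_set("b")), "Off(b) =", sorted(off_set("b")))
    print("GER(+b) =", sorted(ger("+b")), "ERs:", [sorted(e) for e in excitation_regions("+b")])
    print("a + c / ~a~c correct for b:", acgps_correct("b", ["1--", "--1"], ["0-0"]))
```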
6.3 Basic Definitions
The purpose of this section is to define new concepts for the synthesis based on the STG-
unfolding segment, which will be used later. Two main notions are introduced: a cut and a
slice; they allow identification of sets of states at the unfolding level.
6.3.1 STG-unfolding Cuts
It was shown earlier that all states of an FSG (and hence an SG) corresponding to an STG are
represented in the STG-unfolding segment. A state of the SG is captured by a cut as follows:
Definition 6.3.1 A maximal set of places $c$ of the unfolding $N'$ satisfying the following:
$\forall p_i \in c, \forall p_j \neq p_i \in c: p_i \parallel p_j$ is called a cut of the unfolding $N'$. □
From the definitions it follows that for each cut $c_i$ there exists a unique configuration $C_i$ such
that $C_i^\bullet = c_i$. Thus in an STG-unfolding segment constructed for a valid STG it is possible to
associate a binary vector $v_{c_i}$ with every cut $c_i$. Hence, each cut corresponds to a reachable
state of the SG built for an STG.
It is convenient to define relations between cuts.
Definition 6.3.2 A cut $c_1$ is said to be in relation $\preceq$ with another cut $c_2$, if $\forall p_i \in c_1\ \exists p_j \in
c_2: p_i \preceq p_j$. □
Relation $c_1 \preceq c_2$ can be viewed as cut precedence, i.e. cut $c_1$ is preceding cut $c_2$. It has
been shown [21] that if cut $c_1 = C_1^\bullet$ precedes another cut $c_2 = C_2^\bullet$, then $C_1 \subseteq C_2$. Two
cuts $c_1$ and $c_2$ are said to be in conflict if there exists at least one pair of places $p_1 \in c_1$ and
$p_2 \in c_2$ such that $p_1 \# p_2$.
Two special cuts are uniquely identified by any transition instance of the STG-unfolding.
These cuts represent the states at which the corresponding signal transition first becomes
enabled and first becomes stable.
Definition 6.3.3 A cut $c_e^{min}(t'_i)$ is called a minimal excitation cut of $t'_i$ iff ${}^\bullet t'_i \subseteq c_e^{min}(t'_i)$
and $\forall t'_j, t'_j \parallel t'_i: (t'_j{}^\bullet) \cap c_e^{min}(t'_i) = \emptyset$. □
Definition 6.3.4 A cut $c_s^{min}(t'_i)$ is called a minimal stable cut of $t'_i$ iff $t'_i{}^\bullet \subseteq c_s^{min}(t'_i)$ and
$\forall t'_j, t'_j \parallel t'_i: (t'_j{}^\bullet) \cap c_s^{min}(t'_i) = \emptyset$. □
As can be seen from the definition, the minimal stable cut is the post-set of the local
configuration of $t'_i$. The initial transition $\bot$ has only the minimal stable cut $c_s^{min}(\bot) = \bot^\bullet$
defined for it. For any other instance there exist exactly one minimal excitation cut and
one minimal stable cut. Note, however, that if the cuts of the unfolding correspond to states
of an STG, the minimal stable cut $c_s^{min}(t')$ for an instance $t'$ may in fact correspond to a
state which excites another transition of the signal $a_i$ labelling $t'$. The only interesting case
for this work is when $a_i$ is an output signal. In this case, such an STG does not have CSC
since there are two states in the SG of this STG assigned with the same binary state vector.
Hence, this property can be used in verification of CSC using the STG-unfolding segment.
There also exists a correspondence between the cuts found in the STG-unfolding segment and
the concepts of the Change Diagram theory [35]. For example, the minimal excitation cut
corresponds to the minimal entry point of an ER of the signal labelling $t'_i$.
Two other special types of cuts can be found for each transition instance. These represent
states from which the system cannot make any further progress unless some condition is
violated.
Definition 6.3.5 A cut $c_e^{max}(t'_i)$ is called a maximal excitation cut of $t'_i$ iff ${}^\bullet t'_i \subseteq c_e^{max}(t'_i)$
and there is no other cut $c_j$ such that ${}^\bullet t'_i \subseteq c_j$ and $c_e^{max}(t'_i) \prec c_j$. □
A maximal excitation cut defines a cut which represents a marking from which no further
advancement of the PN can be made unless $t'_i$ is fired or it is disabled by the firing of some other
transition. There may be several maximal excitation cuts for a particular instance $t'_i$; the
number of maximal stable cuts for each instance is equal to the number of configurations $C$
such that ${}^\bullet t'_i \subseteq C^\bullet$ and $t'_i$ is the only instance that can be added to $C$.
To define the next type of cuts the notion of the next transition for an instance $t'_i$ is defined
in the STG-unfolding.
Definition 6.3.6 The set of instances $next(t'_i)$ is called the set of next transitions for $t'_i$ iff
$\forall t'_k \in next(t'_i)$ the following is true: $|\lambda(L'(t'_k))| = |\lambda(L'(t'_i))|$, $t'_i \prec t'_k$, there is no $t'_j$ such that
$(|\lambda(L'(t'_j))| = |\lambda(L'(t'_i))|) \wedge (t'_i \prec t'_j \prec t'_k)$, and $next(t'_i)$ is maximal. □
In other words, $next(t'_i)$ is the subsequent change of the signal labelling $t'_i$. From the definition
it follows that in an STG-unfolding segment of a correct STG these two instances will be
labelled with signal transitions of opposite sign. $first(a_i)$ is the set of all instances labelled
with $*a_i$ which appear first in any sequence represented in the STG-unfolding segment, i.e.
$\forall t'_j \in first(a_i): \forall t'_k, |\lambda(L'(t'_k))| = a_i: t'_k \not\prec t'_j$. Obviously, all instances in $first(a_i)$ found in an
STG-unfolding segment built for a valid STG are labelled with the same signal transition $*a_i$.
Definition 6.3.7 A cut $c_s^{max}(t'_i)$ is called a maximal stable cut of $t'_i$ if the following hold:
• For every cut $c_j$ with $c_s^{min}(t'_i) \preceq c_j \preceq c_s^{max}(t'_i)$ there is no $t'_k \in next(t'_i)$ such that
${}^\bullet t'_k \subseteq c_j$; and
• Let $C$ be the configuration generating $c_s^{max}(t'_i)$. Then for every configuration $C \cup \{t'_m\}$
there is an instance $t'_k \in next(t'_i)$ such that ${}^\bullet t'_k \subseteq (C \cup \{t'_m\})^\bullet$.
□
A maximal stable cut for an instance $t'_i$ represents a maximal state which is reachable from
$t'_i$ but does not enable an instance of $next(t'_i)$. If there is no next instance in a particular con-
figuration, then the maximal cut is bounded by the cutoff transitions or maximal transitions
of this configuration.
A maximal stable cut is defined for the initial transition $\bot$ with respect to a particular
signal $a_i$. Such a cut $c_s^{max}(\bot \mid a_i)$ is defined as a cut satisfying:
• For every cut $c_j$ with $c_s^{min}(\bot) \preceq c_j \preceq c_s^{max}(\bot \mid a_i)$ there is no $t'_k \in first(a_i)$ such that
${}^\bullet t'_k \subseteq c_j$; and
• Let $C$ be the configuration generating $c_s^{max}(\bot \mid a_i)$. Then for every configuration $C \cup \{t'_m\}$
there is an instance $t'_k \in first(a_i)$ such that ${}^\bullet t'_k \subseteq (C \cup \{t'_m\})^\bullet$.
A maximal stable cut for the initial transition can be viewed as the maximal stable cut which
would be found if this transition were labelled with a signal transition of $a_i$.
There may exist several maximal excitation and maximal stable cuts for each instance $t'_i$;
however, their number is always finite in the STG-unfolding segment for a valid STG. The sets
of all maximal excitation and maximal stable cuts for a particular instance $t'_i$ are denoted as
$C_e^{max}(t'_i)$ and $C_s^{max}(t'_i)$, respectively. Furthermore, an instance $t'_i$ may have no maximal stable
Figure 6.6: Illustration of cuts.
cuts defined for it. In particular, there is no maximal stable cut for $t'_i$ if $c_s^{min}(t'_i)$ enables a
transition in $next(t'_i)$. Similar to the case considered above for the minimal stable cut, an STG
for which the STG-unfolding was constructed does not have CSC, and hence this property can
also be employed in verification of CSC satisfiability for a particular STG.
Example. All four types of cuts are illustrated in Figure 6.6.
Figure 6.6(a) shows the STG-unfolding segment for the STG from Figure 6.3. The
minimal excitation cut of instance $+a'$ is the same as the minimal excitation cut of $+c'$
and is equal to $(p'_1)$. The maximal excitation cut of $+b''$ is $(p'_2, p'_6, p'_8)$. The maximal
stable cut of $+b'$ is $(p'_7, p'_8)$. Another example of the STG-unfolding segment, shown in
Figure 6.6(b), illustrates several maximal excitation cuts for one instance. Instance $+b'$
has two maximal excitation cuts: $(p'_2, p'_?)$ and $(p'_2, p'_6)$ (only one is shown). □
Lastly, a partial cut is introduced as follows.
Definition 6.3.8 A set of places $c^*$ is called a partial cut of the unfolding $N'$ iff $\forall p_i \in
c^*, \forall p_j \neq p_i \in c^*: p_i \parallel p_j$. □
By definition, any subset of place instances from any cut $c$ is a partial cut $c^*$.
6.3.2 STG-unfolding Slices
Each cut of the STG-unfolding captures one particular state of the SG. However, in order to
synthesise an SI circuit, it is necessary to define a notion that captures a set of states. Such a
notion is a slice of the STG-unfolding.
Definition 6.3.9 A set of cuts of the STG-unfolding segment is called a slice and is defined
as a tuple $S = (c^{min}, C^{max})$ where:
• $c^{min}$ is a cut called the minimal cut (min-cut) of slice $S$, and
• $C^{max}$ is a set of cuts, called the set of maximal cuts (max-cuts) of slice $S$, such that
$\forall c_i \in C^{max}: (c^{min} \preceq c_i) \wedge (\nexists c_j \in C^{max}, c_i \neq c_j: c_j \prec c_i)$.
Every cut $c_k: (c^{min} \preceq c_k) \wedge (\exists c_j \in C^{max}: c_k \preceq c_j)$ is said to be encapsulated by $S$ and is
denoted as $c_k \in S$. □
Figure 6.7: Illustration of slices.
Thus a slice is a set of cuts which is captured between the min-cut and the set of max-cuts of
the slice. Since each cut represents some state of the SG, the slice represents a set of reachable
states of the SG. From the above definition one can conclude the following properties.
Property 6.3.1 For every cut $c$ encapsulated by a slice $S = (c^{min}, C^{max})$ there exists a
max-cut $c' \in C^{max}$ such that $c^{min} \preceq c \preceq c'$. □
Property 6.3.2 Let $S = (c^{min}, C^{max})$ be a slice. If a cut $c$ is such that there exist two cuts
$c' \in S$ and $c'' \in S$ such that $c' \preceq c \preceq c''$, then $c \in S$. □
These two properties are important when using slices for identification of states. Since every
cut corresponds to some state in the SG, a slice represents a connected set of states. Moreover,
following Property 6.3.1 any state which is represented by $c$ encapsulated by $S$ is reachable
from the state represented by $c^{min}$. Furthermore, this connected set of states does not have
"holes", i.e. it does not contain a state (or a subset of states) which is surrounded by states
represented as cuts in a slice.
Example. The notion of a slice is illustrated in the example in Figure 6.7. A slice $S$ can be
defined using a min-cut $c = (p'_1)$ and a set of max-cuts $C = \{(p'_2, p'_6, p'_8), (p'_7, p'_8)\}$. This
slice captures cuts $(p'_2, p'_3)$ and $(p'_4)$. However, no slice can be defined in this example if
the min-cut is $c = (p'_4)$ and the set of max-cuts includes a cut which is non-sequential
to $c$, e.g. $(p'_2, p'_3)$. □
For any two slices the following relation is defined:
Definition 6.3.10 Two slices $S_1$ and $S_2$ are said to be in $\sqsubseteq$ relation ($S_1 \sqsubseteq S_2$) iff $\forall c \in S_1 \Rightarrow
c \in S_2$. □
In other words, if $S_1 \sqsubseteq S_2$, then all cuts encapsulated in $S_1$ are encapsulated in $S_2$.
Property 6.3.3 For any two slices $S_1$ and $S_2$ the following is true: $S_1 \sqsubseteq S_2$ iff
• $c_2^{min} \preceq c_1^{min}$, and
• $\forall c_j \in C_1^{max}\ \exists c_i \in C_2^{max}: c_j \preceq c_i$. □
The proof of the following proposition follows from the definitions of a slice and the
sequence relation between cuts.
Proposition 6.3.1 Let $S_1 = (c_1^{min}, C)$ and $S_2 = (c_2^{min}, C)$ be two slices defined using min-
cuts $c_1^{min}$ and $c_2^{min}$ respectively and the same set of max-cuts $C$. If $c_1^{min} \preceq c_2^{min}$ then $S_2 \sqsubseteq S_1$.
□
Corollary 6.3.1 Let $S_i = (c_e^{min}(t'_i), C)$ and $S_j = (c_e^{min}(t'_j), C)$ be two slices defined using
minimal excitation cuts of instances $t'_i$ and $t'_j$ and the same set of max-cuts $C$. If $t'_i \preceq t'_j$, then
$S_j \sqsubseteq S_i$. □
Corollary 6.3.2 Let $S_i = (c_s^{min}(t'_i), C)$ and $S_j = (c_s^{min}(t'_j), C)$ be two slices defined using
minimal stable cuts of instances $t'_i$ and $t'_j$ and the same set of max-cuts $C$. If $t'_i \preceq t'_j$, then
□
Corollary 6.3.3 For two slices $S_i = (c_e^{min}(t'_i), C)$ and $S_{i'} = (c_s^{min}(t'_i), C)$ defined using mini-
mal excitation and stable cuts of instance $t'_i$ and the same set of max-cuts $C$ the following is
true: $S_{i'} \sqsubseteq S_i$. □
Finally, a slice can be associated with a fragment of the STG-unfolding and therefore it
is convenient to refer to the elements of the unfolding (instances of places and transitions)
which are within this fragment as those belonging to the slice.
6.3.3 Concluding Remarks
This section provided basic definitions for the synthesis method described in the following
sections. It also established useful properties of cuts and slices. Although these are tailored
for the synthesis from STGs, similar definitions will hold for ordinary PNs. In this case a slice
of the PN-unfolding segment represents a set of reachable markings.
6.4 Exact Cover Implementation
This section suggests a new method for extracting exact cover implementations using the
STG-unfolding segment for all three main architectures.
6.4.1 ACGpS Implementation
To obtain an implementation of an STG specified behaviour in complex gates, the covers for
the on-set and off-set of each output signal are required. In this section it will be shown how
the exact covers are obtained from the STG-unfolding segment.
Here only the on-set cover calculation is considered. To obtain the off-set cover the in-
stances of $-a_i$ should be used. The exact cover for the on-set $On(a_i)$ is obtained by interpreting
the binary vectors of the states in $On(a_i)$ as minterms of a Boolean function.
A slice of an STG-segment represents states reachable in the SG of an STG. Therefore,
the problem of finding the on-set $On(a_i)$ from the STG-segment can be restated as finding a
partitioning of the segment with a set of slices representing $On(a_i)$. Each slice in this case
represents a subset of $On(a_i)$. To define each slice its min-cut and the set of max-cuts need
to be identified in the segment.
Consider finding the min-cuts for the $On(a_i)$ partitioning. The local configuration of any
instance $t'_j$ in the STG-segment represents a set of minimal runs of the original STG leading
to the marking reached by the firing of $t'_j$ as soon as it becomes enabled. Any cut of the
STG-segment which represents a state at which $t'_j$ is enabled is sequential to its minimal
excitation cut $c_e^{min}(t'_j)$. Recall that every instance $t'$ uniquely defines its minimal excitation
cut and the set of maximal stable cuts in the STG-unfolding segment. Therefore, $t'$ uniquely
defines a slice $S(t') = (c_e^{min}(t'), C_s^{max}(t'))$ from its minimal excitation cut $c_e^{min}(t')$ up to, but
not including, the cuts enabling instances in $next(t')$ (if there are any). Similarly, the initial
transition uniquely identifies a slice $S(\bot \mid a_i) = (c_s^{min}(\bot), C_s^{max}(\bot \mid a_i))$ which encapsulates all
cuts starting from the very first one up to those enabling transitions in $first(a_i)$.
Definition 6.4.1 A set of slices $\mathbb{S}_{On}$ ($\mathbb{S}_{Off}$) in an STG-unfolding segment $G'$ is called the
On-set (Off-set) partitioning of $G'$ w.r.t. a signal $a_i$ iff for each instance $+a'_i$ ($-a'_i$) its corre-
sponding slice $S_{On}(+a'_i)$ ($S_{Off}(-a'_i)$) is defined with $c_e^{min}(+a'_i)$ ($c_e^{min}(-a'_i)$) as its min-cut
and $C_s^{max}(+a'_i)$ ($C_s^{max}(-a'_i)$) as the set of its max-cuts.
If signal $a_i$ is at "1" ("0") in the initial state of the STG, then the set of slices $\mathbb{S}_{On}$
($\mathbb{S}_{Off}$) also includes a slice defined with $c_s^{min}(\bot)$ as its min-cut and $C_s^{max}(\bot)$ as the set of its
max-cuts. □
Each slice in $\mathbb{S}_{On}$ ($\mathbb{S}_{Off}$) is called an on-slice (off-slice). The set of instances $*a'_i$ is called the
set of entry transitions for the On-set (Off-set) partitioning of the STG-unfolding segment.
The exact cover for the states which have corresponding cuts in an on-slice $S_{On}(+a'_i)$ is
found from:
$C_{On}(+a'_i) = \sum_j \theta_{C_j}, \quad C_j^\bullet = c_j \in S_{On}(+a'_i)$
from which the on-set cover is obtained using all instances of $+a_i$ as:
$C_{On} = \sum_k C_{On}(+a_i^k)$
where $C_{On}(+a_i^k)$ is found for each slice in $\mathbb{S}_{On}$ as above. In other words, the on-set cover
is found as the union of all covers found for the slices of the on-set partitioning. Each slice
cover is obtained by taking the union of all minterms corresponding to the signal states of
configurations $C_j$ whose post-set is a cut $c_j$ encapsulated by $S_{On}(+a_i^k)$.
Lemma 6.4.1 A state $s$ of the SG $S$ constructed for a valid and CSC-compliant STG $G$
belongs to the on-set (off-set) of $a_i$ iff there exists a corresponding cut $c$ in the STG-unfolding
segment $G'$ which is encapsulated into at least one on-slice (off-slice) for $+a_i$.
Proof: (for the on-set; the proof for the off-set is similar) [if] Follows from the definition of the
on-slice. Since none of the cuts in an on-slice can enable a $-a_i$ transition and the only
cuts that have the value of $v_C[a_i] = 0$ for the corresponding configuration $C$ are those
enabling $+a_i$, every cut covered in some on-slice belongs to the on-set of $a_i$.
[only if] Since the STG is valid, there exists a corresponding cut $c$ for any reachable
state $s = (M, v)$ and no instance in $c$ is a successor of a cutoff transition (Lemma 5.2.1).
Figure 6.8: An SG (a) and STG-segment (b) for the STG in Figure 6.3; the SG is annotated with the on-set and off-set of c.
Suppose that such a cut exists but it is not encapsulated by any of the slices in the
On-set partitioning with respect to $a_i$. Two cases are possible: (1) cut $c$ represents a
state exciting $+a_i$, i.e. $v[i] = 0$; and (2) cut $c$ represents a state in which $a_i$ is stable,
i.e. $v[i] = 1$. Consider each of these cases separately.
(1) The STG-unfolding segment includes all cutoff point transitions. Therefore, there
must exist an instance $+a'_i$ such that ${}^\bullet(+a'_i) \subseteq c$ and, furthermore, $c_e^{min}(+a'_i) \preceq c$.
Instance $+a'_i$ will be used to find the On-set partitioning of $G'$ w.r.t. $a_i$. Hence, $c$ will
be encapsulated into $S_{On}(+a'_i) = (c_e^{min}(+a'_i), C_s^{max}(+a'_i))$ and this is a contradiction.
(2) If $c$ is not encapsulated by any of the slices in $\mathbb{S}_{On}(a_i)$, then either
i) there exists an instance $-a'_i$ (which changed the value of $v[i]$ to 1) such that $c_e^{min}(-a'_i) \preceq
c$ and no instance $+a'_i$ which was used to define an on-slice encapsulating $c$ such that
$-a'_i \prec +a'_i$, or
ii) $c_s^{min}(\bot) \preceq c$ and no instance $+a'_i$ which was used to define an on-slice encapsulating
$c$ such that $\bot \prec +a'_i$.
However, in both cases since $c$ does not belong to the On-set partitioning, it must
be encapsulated by the Off-set partitioning of $G'$. Since $v[i] = 1$, the state $v$
belongs to those states in the off-set which excite $-a_i$. However, $a_i$ must be stable at $v$.
Otherwise, there exist two states which have different markings but equal binary vectors
with different sets of excited output signal transitions enabled in them. This contradicts
the condition that the STG has CSC.
□
Example. Consider the calculation of the on-set for the signal c of the STG in Figure 6.3
from its STG-segment shown in Figure 6.8(b). For illustrative purposes, the signal states
of all local configurations are shown and the SG of this STG is also given. The set of
entry transitions is found as $T_c = \{+c', +c''\}$. The minimal excitation cuts of the slices
for each instance are $(p'_1)$ and $(p'_2, p'_3)$ for $S'_{On}(c)$ and $S''_{On}(c)$ respectively. For each
on-slice the set of maximal stable cuts is identified as:
$S_{On}(c')$: $C_{On}^{max}(+c') = \{(p'_4)\}$
$S_{On}(c'')$: $C_{On}^{max}(+c'') = \{(p'_5, p'_6, p'_8)\}$
Thus the on-set of c is found from the slices (with the order of signals a, b, c) by explicit
enumeration of all cuts: $C_{On}(c') = \{100, 110, 101, 111\} = a$, $C_{On}(c'') = \{000, 001\} = \bar{a}\bar{b}$.
A Boolean function, obtained after standard boolean transformations, is the exact cover
of the on-set and is a complex gate implementation for each output signal. For signal c
the cover and implementation will be: $C(c) = a + \bar{b}$. □
6.4.2 ACGpEF Implementation
This type of architecture assumes that the boolean function for each output signal $a_i$ is given
in the form: $a_i = S + a_i\overline{R}$, where $S$ and $R$ are the set and reset functions for $a_i$. Each function
is a poly-term cover which is implemented as an atomic complex gate.
Consider finding the set function for $a_i$; the reset function is obtained in a similar way
using the instances of $-a_i$.
The set function cover $C_S(a_i)$ must cover all states in the generalised excitation region of
a particular signal $a_i$. The problem of obtaining the set function from the STG-segment is
restated as finding a set of slices in the STG-segment which represent the states from ERs of
the signal. Several transitions of the underlying PN may be labelled with one signal transition
+ai. Furthermore, several transitions of the STG may correspond to one signal transition in
the SG.
Consider obtaining the exact set cover for a particular signal transition $+a_i$. Each instance
$+a'_i$ uniquely defines a minimal excitation cut $c_e^{min}(+a'_i)$ and a set of maximal excitation cuts
$C_e^{max}(+a'_i)$. Therefore, it uniquely defines a slice $S_e(+a'_i)$ with $c_e^{min}(+a'_i)$ as its min-cut and
the set of maximal excitation cuts $C_e^{max}(+a'_i)$ as its set of max-cuts. Any cut enabling $+a'_i$ is
encapsulated by $S_e(+a'_i)$. The set (reset) partitioning is, therefore, defined as follows.
Definition 6.4.2 A set of slices $\mathbb{S}_S(a_i)$ ($\mathbb{S}_R(a_i)$) in an STG-unfolding segment $G'$ is called
the Set (Reset) partitioning of $G'$ with respect to signal $a_i$ iff for each instance $+a'_i$ ($-a'_i$) its
corresponding slice $S_e(+a'_i)$ ($S_e(-a'_i)$) is defined with $c_e^{min}(+a'_i)$ ($c_e^{min}(-a'_i)$) as its min-cut
□
Each slice $S_e(*a'_i)$ is called an excitation slice of $*a'_i$. Similar to the previous architecture,
the cover for the set function is obtained from the binary vectors corresponding to the cuts
encapsulated by the slices:
from which the set cover is found as:
$C_S(a_i) = \sum_k C_e(+a_i^k)$
Figure 6.9: Illustration of the Set cover calculation on STG-unfolding.
Figure 6.10: Another example of the Set cover calculation on STG-unfolding.
where $C_e(+a_i^k)$ is the cover found for each excitation slice as above. As in the previous
architecture, the covers are found by taking the union of minterms corresponding to the
signal states of configurations whose post-sets are the cuts encapsulated by slices $S_e(+a_i^k)$.
Lemma 6.4.2 A state $s$ of the SG $S$ constructed for a valid and CSC-compliant STG $G$
belongs to $GER(+a_i)$ ($GER(-a_i)$) iff there exists a corresponding cut $c$ in the STG-unfolding
segment $G'$ which is encapsulated into at least one excitation slice of $+a_i$ ($-a_i$).
Proof: (only $+a_i$ is considered; for $-a_i$ the proof is similar) [if] Any cut encapsulated by
some excitation slice $S_e(+a'_i)$ enables $+a'_i$. Thus, by the definition of GER, it belongs to
$GER(+a_i)$.
[only if] The STG-unfolding segment represents any reachable state $s$ as a cut $c$ and no
instance in $c$ is a successor of a cutoff transition (Lemma 5.2.1). For any transition $+a_i$
enabled in $s$ there exists an instance $+a'_i$ and, furthermore, $c_e^{min}(+a'_i) \preceq c$. Instance $+a'_i$
will be used in the Set partitioning of $G'$ and $c$ will be encapsulated by the excitation
slice $S_e(+a'_i)$.
□
Example. Consider again the synthesis of signal b from the example in Figure 6.3(b). The
STG-unfolding segment is reproduced in Figure 6.9. For each instance of b the excita-
tion slices are found as $S_e(+b'') = ((p'_2, p'_3), \{(p'_2, p'_6, p'_8)\})$ and $S_e(+b') = ((p'_4), \{(p'_4)\})$
for the GER of $+b$ and $S_e(-b') = ((p'_9), \{(p'_9)\})$ for the opposite signal transition. Af-
ter extracting the binary vectors the covers for the set and reset functions are: $C_S =
\{100, 101\} \cup \{001\} = \{10-, -01\} = a\bar{b} + \bar{b}c$ and $C_R = \{010\} = \bar{a}b\bar{c}$.
Another example is shown in Figure 6.10. The following slices are found on the STG-
unfolding segment for the signal e:
$((p'_?, p'_?), \{(p'_?, p'_?)\})$
$((p'_{12}), \{(p'_{12})\})$
From these slices the set and reset covers are obtained (the order of signals is abcde):
$C_S(e) = \{10000\} \cup \{11000\} \cup \{11010\} = \{1{-}000\} \cup \{110{-}0\}$
$C_R(e) = \{00011\} = \bar{a}\bar{b}\bar{c}de$
which produces the implementation shown in Figure 6.10, which is the same as the one
obtained from the SG shown in the same figure. □
For any CSC-compliant STG, if the GER covers are found from the excitation slices of the
up and down instances of the output signal, then the covers for the set and reset functions will
be disjoint. They will differ at least in the value of $v[i]$ corresponding to the output signal
$a_i$. In addition, these covers will be exact and thus will only cover the states which belong
to the GERs. Therefore the ACGpEF correctness conditions are automatically satisfied. In
Chapter 8 an extension technique for GER covers is discussed. Once the cover is extended, this
cover is no longer guaranteed to be covering only states in a particular region and therefore
its correctness will be checked.
6.4.3 ACGpER Implementation
In this implementation an attempt is made to implement each ER as one gate whose outputs
are then fed into an OR-gate to form a set or reset function of the memory element.
Suppose that the excitation slices were calculated for each instance of $+a_i$ in an STG-
unfolding segment built for a CSC-conformant STG. Suppose also that for each slice $S_e(t'_j)$ a
cover $C_e(t'_j)$ for all states represented by the cuts encapsulated in $S_e(t'_j)$ was obtained. As was
discussed earlier, the set cover satisfies, by construction, the ACGpEF correctness conditions
if it is obtained as a union of all covers $C_e(t'_j)$. Thus, the implementation in the ACGpER
architecture only differs from the ACGpEF architecture in the interpretation of the covers
found for excitation slices.
Suppose that two exact covers were found for two connected sets of states. To find out whether these two sets are parts of one connected set, the intersection of the two covers is checked: if the intersection is non-empty, then the two subsets are parts of one connected set of states; otherwise they are two unconnected sets of states. From Properties 6.3.1 and 6.3.2 it follows that a slice represents a set of connected states. Hence, if exact covers were obtained for two slices, then their non-empty intersection indicates that these two slices represent two portions of one connected set of states.
Figure 6.11: Illustration of slices and cover calculation for ACGpER architecture.
Therefore, once the covers $C_e(t'_j)$ are found, their intersections are checked iteratively: any two covers whose intersection is non-empty are merged into one. The iteration continues while some pairwise intersection in the newly obtained set of covers $C_e(*a'_i), C_e(*a''_i), \ldots, C_e(*a^n_i)$ is non-empty, so that finally
$$\text{for each } ER_j(*a_i):\quad C'_e(*a_i) = \sum_{j} C_e(*a^j_i),$$
where the sum runs over the instances whose covers were merged into $ER_j(*a_i)$. The resulting set of covers represents the set (reset) function for a memory element in the ACGpER architecture.
The only exception is the case of a fake conflict (see Section 3.1). If two signal transitions are in fake conflict, then in the STG-unfolding segment there will be two (or more) excitation slices for each instance in fake conflict. However, fake conflicts are detected when the semi-modularity of the STG is checked during the construction of the STG-unfolding segment. Thus the union of the two covers is taken even if the two excitation slices are produced by a fake conflict.
Example. Consider the STG-unfolding segment in Figure 6.11. For the output signal $d$ the following excitation slices are found from the STG-unfolding segment, each consisting of a single place: $S_e(+d')$, $S_e(-d')$, $S_e(+d'')$ and $S_e(-d'')$ (the place indices are those of Figure 6.11). From these the covers for the excitation slice of each instance are:
$$C_e(+d') = \{1100\},\quad C_e(-d') = \{0101\},\quad C_e(+d'') = \{1010\},\quad C_e(-d'') = \{0011\}.$$
The intersection of $C_e(+d')$ and $C_e(+d'')$ is empty, as is the intersection of $C_e(-d')$ and $C_e(-d'')$. Thus these covers may be implemented as separate gates. The implementation is shown in Figure 6.11.
In the example in Figure 6.8 the signal instances $+c'$ and $+c''$ are in fake conflict. Thus, although two slices are found for the instances of $+c$, there is only one cover $C_S(c)$, a two-term cover whose literals are read off Figure 6.8. $\blacksquare$
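As an added worked example (not part of the thesis), the cover handling of this subsection in Python: an exact cover is extracted from the binary vectors of a slice by merging adjacent cubes, the pairwise intersection test justified by Properties 6.3.1 and 6.3.2 decides whether two exact covers belong to one connected set, and intersecting covers are merged iteratively into per-ER covers. Cubes are strings over {0, 1, -} in a fixed signal order; the vectors used are those of Figures 6.3(b) and 6.11 above (reading the four-signal vectors of Figure 6.11 in the order $abcd$ is an assumption made here).

```python
"""Exact covers, cube intersection and ER merging (ACGpER interpretation).

Added example, not code from the thesis.  A cube is a string over
{'0','1','-'} with one position per signal ('-' = literal absent).
"""
from itertools import combinations
from typing import FrozenSet, Iterable, List


def cubes_intersect(c1: str, c2: str) -> bool:
    """Two cubes intersect unless some signal is '0' in one and '1' in the other."""
    return all(x == y or '-' in (x, y) for x, y in zip(c1, c2))


def covers_intersect(cov1: Iterable[str], cov2: Iterable[str]) -> bool:
    return any(cubes_intersect(a, b) for a in cov1 for b in cov2)


def _merge(a: str, b: str):
    """Merge two cubes differing in exactly one fully specified literal,
    e.g. 100 and 101 -> 10-.  Returns None when they do not merge."""
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    if len(diff) == 1 and '-' not in (a[diff[0]], b[diff[0]]):
        i = diff[0]
        return a[:i] + '-' + a[i + 1:]
    return None


def cover_from_vectors(vectors: Iterable[str]) -> FrozenSet[str]:
    """Exact cover of a set of binary vectors.  Adjacent cubes are merged
    until no pair merges; every merge replaces two cubes by their union, so
    the result covers exactly the given vectors and nothing else (it is not
    guaranteed to be a minimum-cube cover)."""
    cubes = set(vectors)
    changed = True
    while changed:
        changed = False
        for a, b in combinations(sorted(cubes), 2):
            m = _merge(a, b)
            if m is not None:
                cubes -= {a, b}
                cubes.add(m)
                changed = True
                break
    return frozenset(cubes)


def group_into_ers(covers: Iterable[Iterable[str]]) -> List[FrozenSet[str]]:
    """Iteratively union covers whose pairwise intersection is non-empty.
    Exact covers of two slices intersect iff the slices are portions of one
    connected set of states, so each resulting group is the cover of one ER
    and is implemented as one gate feeding the OR of the set/reset function."""
    groups = [set(c) for c in covers]
    merged = True
    while merged:
        merged = False
        for i, j in combinations(range(len(groups)), 2):
            if covers_intersect(groups[i], groups[j]):
                groups[i] |= groups.pop(j)
                merged = True
                break
    return [frozenset(g) for g in groups]


def cube_to_term(cube: str, signals: str) -> str:
    """Render a cube as a product term, with ~x for a complemented literal."""
    return ''.join(s if v == '1' else '~' + s
                   for s, v in zip(signals, cube) if v != '-')


if __name__ == '__main__':
    # Figure 6.3(b): vectors of the two excitation slices of +b (order abc).
    print(cover_from_vectors({'100', '101'}), cover_from_vectors({'001'}))
    # Figure 6.11: C_e(+d') = {1100}, C_e(+d'') = {1010}; empty intersection,
    # hence two ERs and two separate gates for the set function of d.
    for er in group_into_ers([['1100'], ['1010']]):
        print(' + '.join(cube_to_term(c, 'abcd') for c in sorted(er)))
```

The merge in `group_into_ers` is the union-by-intersection of the text; a fake conflict (two slices for one instance) is simply handled by passing both slice covers in, since the union is taken for them anyway.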
As with the ACGpEF architecture discussed in the previous section, this basic implementation in ACGpER may be inefficient. Some of the ER covers may be extended to cover other states where $a_i$ is stable. In this case the extended cover will need to be checked for correctness. Cover extension and the correctness of extended covers are outside the scope of this work and are discussed later as a suggested area of future research.
6.5 Strategies for Deriving Approximated Covers
The synthesis procedure described in the previous sections has one drawback. If many concurrent transitions belong to a slice, then examining all cuts suffers from an exponential explosion of states. Recall that the correctness criteria for each architecture allow the implemented cover to be greater than the exact cover. This can be exploited in an approximation method for covering the desired slices (on-, off- and excitation slices). This section describes the approximation approach and examines possible strategies for deriving the approximated covers from the STG-unfolding segment.
To help identify the rest of the reachable states in an SG, a Generalised Quiescent Region, the counterpart of the GER notion, is defined as follows.
Definition 6.5.1 The set of all states $GQR(+a_i)$ ($GQR(-a_i)$) of the SG $S$ such that $a_i$ is stable and for all states in $GQR(+a_i)$ ($GQR(-a_i)$) the value of the corresponding element $v[i]$ is equal to 1 (0) is called a Generalised Quiescent Region (GQR) of $a_i$. $\Box$
There are two specific sets of reachable states for each cover $C$ satisfying the correctness requirement of any implementation architecture:
• the Positive set, denoted as P-set, which is the set of states that must be covered by $C$; and
• the Negative set, denoted as N-set, which is the set of states that must not be covered by $C$.
The choice of the P-set and N-set comes from the cover correctness conditions (Definitions 6.2.1, 6.2.3 and 6.2.5) and is made for the architectures as follows:
• ACGpS implementation: the P-set is taken as the on-set and the N-set as the off-set of a particular signal $a_i$;
• ACGpEF implementation: the P-set is taken as $GER(+a_i)$ ($GER(-a_i)$) and the N-set as the rest of the reachable states for the set (reset) function of a particular signal $a_i$, i.e. N-set $= GQR(+a_i) \cup GER(-a_i) \cup GQR(-a_i)$ (N-set $= GQR(-a_i) \cup GER(+a_i) \cup GQR(+a_i)$);
• ACGpER implementation: the P-set is taken as $ER_j(+a_i)$ ($ER_j(-a_i)$) and the N-set as the rest of the reachable states for the set (reset) function of a particular signal $a_i$, i.e. N-set $= \bigcup_{k, k \ne j} ER_k(+a_i) \cup GQR(+a_i) \cup GER(-a_i) \cup GQR(-a_i)$ (N-set $= \bigcup_{k, k \ne j} ER_k(-a_i) \cup GQR(-a_i) \cup GER(+a_i) \cup GQR(+a_i)$).
Figure 6.12: Illustration of the Negative set approximation strategy (left: initial approximation; right: approximation after refinement; the DC-set is marked in both).
The cover is obtained by finding the partitioning of the STG-unfolding segment into slices which represent the P-set. However, the N-set also corresponds to some slices. The interpretation of both sets, and of the covers and slices in the STG-unfolding segment, suggests (at least) two possible strategies for deriving the cover. Both strategies use an initial approximation and a refinement of covers, which are discussed in the following sections.
6.5.1 Negative Set Approximation
This strategy assumes that the initial approximation is found from the STG-unfolding segment not only for $C_P$, covering the states in the P-set, but also for $C_N$, which covers the states in the N-set. Thus the partitioning of the segment for $C_N$ is also required. Assume that the approximations $C_P$ and $C_N$ have been constructed so that all states in the P-set and the N-set, respectively, are covered. By making sure that $C_P \cdot C_N = \emptyset$ it is guaranteed that no state from the N-set is covered by $C_P$. However, if the intersection of the approximations $C_P$ and $C_N$ is not empty, then the cover approximations must be refined. To assist the refinement, a set of offending signals is found, i.e. those signals which cause the covers to be loose. The refinement procedure "fills in" literals for some of the offending signals and produces covers for a smaller number of binary vectors. Eventually, in the worst case, after full refinement, it must produce exact covers for the P-set and the N-set. If the intersection of the P-set and the N-set is empty, then the exact covers for these sets will also have an empty intersection. However, if the STG does not satisfy the CSC condition, then the intersection of the P-set and the N-set will not be empty. Hence, if the refinement procedure terminates with fully refined covers but their intersection is still non-empty, then this STG does not satisfy the CSC condition. While the refinement is performed, no optimisation is done. Two fully refined covers can only intersect on minterms. Since minterms have all literals present, the set of offending signals will be empty. Thus, if after the refinement step the set of offending signals is empty, the CSC problem is reported. The general idea behind this strategy is illustrated in Figure 6.12.
This strategy finds approximations $C_P$ and $C_N$ that cover the required sets of states and partitions the set of combinations which are allowed to be covered by them into two disjoint sets. It therefore produces pessimistic covers, as it does not allow the combinations from the DC-set to be shared by both covers. The pseudo-code of the procedure implementing this strategy is shown in Figure 6.13.
For example, in the ACGpS architecture the P-set and N-set are taken as the on- and off-set. The on- and off-sets are disjoint by construction for a CSC-compliant STG. If the approximations $C_{on}$ and $C_{off}$ cover the on- and off-set respectively, and $C_{on} \cdot C_{off} = \emptyset$, then these covers satisfy the correctness criterion set out in Definition 6.2.1.

proc Find_cover(P-set, N-set)
  Find initial approximations C_P and C_N
  while C_P · C_N ≠ ∅ do
    for each C*(x') ∈ C_P, C*(x'') ∈ C_N : C*(x') · C*(x'') ≠ ∅ do
      Find set of offending signals Sig
      if covers are fully refined then do
        Report CSC problem and TERMINATE
      end do
      else do
        Refine cover (C*(x'), Sig)
        Refine cover (C*(x''), Sig)
      end do
    end do
  end do
  return C_P
end proc
Figure 6.13: Procedure for the Negative set approximation strategy.

Figure 6.14: Illustration of the Positive set evaluation strategy (left: initial approximation; right: approximation after refinement; the DC-set and the cover for the P-set are marked).
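An added worked example in Python (not the thesis's code) of the procedure of Figure 6.13. The P-set and N-set are supplied directly as groups of binary state vectors (constructed), each group standing for the states of one slice; the initial approximation of a group is its supercube, with "-" wherever the group's states disagree, which plays the role of the "-" assigned to signals concurrent to the slice. An offending signal is one whose literal is missing from either cube of an intersecting pair; refinement fills in that literal by splitting the group on the signal's value, so full refinement restores the exact minterms and, if the minterms still coincide, the CSC violation is reported as in the figure.

```python
"""Negative set approximation (Figure 6.13) over cubes.  Added example, not
code from the thesis.  Signal order within a vector is fixed; here a b c d."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Set


@dataclass(frozen=True)
class ApproxCube:
    """A cube approximating a known group of reachable states."""
    states: FrozenSet[str]

    @property
    def cube(self) -> str:
        # Supercube: literal kept only where every state of the group agrees.
        first = next(iter(self.states))
        return ''.join(first[i] if all(s[i] == first[i] for s in self.states)
                       else '-' for i in range(len(first)))


class CSCViolation(Exception):
    """Fully refined P- and N-set cubes still intersect: one state in both."""


def cubes_intersect(c1: str, c2: str) -> bool:
    return all(x == y or '-' in (x, y) for x, y in zip(c1, c2))


def offending_signals(a: ApproxCube, b: ApproxCube) -> List[int]:
    """Signals whose literal is absent from either cube of an intersecting pair."""
    return [i for i, (x, y) in enumerate(zip(a.cube, b.cube)) if '-' in (x, y)]


def refine(cover: List[ApproxCube], target: ApproxCube, sig: List[int]) -> List[ApproxCube]:
    """Fill in the literal of the first offending signal that `target` leaves
    loose: its states are partitioned by that signal's value and each part
    gets its own (tighter) supercube.  Unchanged if nothing is loose."""
    loose = [i for i in sig if target.cube[i] == '-']
    if not loose or target not in cover:
        return cover
    i = loose[0]
    parts = [ApproxCube(frozenset(s for s in target.states if s[i] == v)) for v in '01']
    return [c for c in cover if c != target] + [p for p in parts if p.states]


def find_cover(p_groups: Iterable[Set[str]], n_groups: Iterable[Set[str]]) -> List[str]:
    """Return C_P as a sorted list of cubes, or raise CSCViolation."""
    cp = [ApproxCube(frozenset(g)) for g in p_groups]
    cn = [ApproxCube(frozenset(g)) for g in n_groups]
    while True:
        clash = next(((a, b) for a in cp for b in cn
                      if cubes_intersect(a.cube, b.cube)), None)
        if clash is None:               # C_P . C_N is empty: done
            return sorted(c.cube for c in cp)
        a, b = clash
        sig = offending_signals(a, b)
        if not sig:                     # both are minterms: same state in P and N
            raise CSCViolation(a.cube)
        cp = refine(cp, a, sig)
        cn = refine(cn, b, sig)


def has_csc_violation(p_groups, n_groups) -> bool:
    try:
        find_cover(p_groups, n_groups)
        return False
    except CSCViolation:
        return True


if __name__ == '__main__':
    # Constructed example, signals a b c d.  P-set: states of one on-slice,
    # approximated initially by 1--0; N-set: two off-states, approximated by -11-.
    P = [{'1000', '1010', '1100'}]
    N = [{'0110', '1110'}]
    print(find_cover(P, N))                            # ['10-0', '1100']
    print(has_csc_violation([{'1000'}], [{'1000'}]))   # True
```

Every loop iteration either finishes, reports the CSC problem, or fixes at least one more literal in one of the two intersecting cubes, so the procedure terminates with the refined covers or, in the worst case, with the exact minterm covers.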
6.5.2 Positive Set Cover Evaluation
This strategy assumes that only the approximation $C_P$ covering the P-set is found in the STG-unfolding segment. The cover $C_P$ is then evaluated by finding where in the STG-unfolding segment it becomes TRUE. The evaluation finds a set of slices $S$ which represent all states in which the cover becomes TRUE. If no cut in $S$ represents a state from the N-set, then the cover satisfies the correctness criterion. Otherwise, the approximation $C_P$ is refined until no cut represents a state from the N-set. As with the previous strategy, no optimisation is performed until the refinement procedure finishes. The set of offending signals is found for each cover $C(x')$ comprising the P-set cover approximation, and the refinement procedure uses it to tighten up the cover approximation and eliminate the intersection. The general idea behind this strategy is illustrated in Figure 6.14. When $C_P$ is fully refined but such a cut still exists, the refining procedure aborts and reports the CSC violation. The pseudo-code of the procedure for this strategy is shown in Figure 6.15.
For example, suppose that $C_S(a_i)$ was found for the ACGpEF implementation. Any state $s_j$ from the N-set $= GQR(+a_i) \cup GER(-a_i) \cup GQR(-a_i)$ falls into one of the two following categories:
• $s_j$ belongs to $GQR(+a_i) \cup GER(-a_i)$, in which case the value of the element $v_j[i] = 1$ is opposite to the value $v_k[i] = 0$ of any state $s_k$ belonging to the P-set $= GER(+a_i)$; or
• $s_j$ belongs to $GQR(-a_i)$, in which case the values of $v_j[i]$ and $v_k[i]$ are equal, but $s_j$ does not enable $+a_i$.
Thus the cover correctness is checked by examining the cuts $c_k$ of the slices $S$ and checking that the state $s_k$ represented by $c_k$ satisfies neither of the above conditions.

proc Find_cover(P-set, N-set)
  Find initial approximation C_P
  Evaluate C_P
  while some cut from S is in N-set do
    for each C*(x') covering cuts in N-set do
      Find set of offending signals Sig
      if covers are fully refined then do
        Report CSC problem and TERMINATE
      end do
      else do
        Refine cover (C*(x'), Sig)
      end do
    end do
    Evaluate C_P
  end do
  return C_P
end proc
Figure 6.15: Procedure for the Positive set cover evaluation strategy.
The evaluation of the cover is performed for each cube of the cover. It may use a branch-and-bound algorithm which splits a slice (initially the whole segment) into sub-slices according to the literals present in each cube.
6.5.3 Concluding Remarks
The fundamental difference between the discussed strategies is that the Negative set approximation strategy attempts to find an approximate cover for the set of states which must not be covered by the P-set cover, whereas the Positive set evaluation strategy only checks that no state covered by the P-set cover belongs to the N-set.
The implementation in the ACGpER architecture is a special case of the approximation technique. This stems from the fact that any circuit implementable in the ACGpER architecture can be implemented in the ACGpEF architecture.
Consider finding the set function cover for the ACGpER architecture using the Negative set approximation strategy. Recall that the Set and Reset partitioning of the STG-unfolding segment does not distinguish between excitation slices belonging to different ERs.
Such a distinction can only be made after the exact covers for all slices have been found. Thus it is impossible to construct, without knowing the exact covers, an approximation of the $\bigcup_{k, k \ne j} ER_k(+a_i)$ part of the N-set, i.e. an approximation which, after full refinement, will cover only states in $\bigcup_{k, k \ne j} ER_k(+a_i)$. Thus the P-set cover approximation for the ACGpER architecture must be taken to be the same as for the ACGpEF architecture, i.e. the GER cover approximation.
On the other hand, slices and cover approximations for GERs and GQRs are clearly distinguishable. Therefore, if an approximated cover for the P-set does not intersect with the approximation of the $GQR(+a_i) \cup GER(-a_i) \cup GQR(-a_i)$ part of the N-set, then an approximated cover for the GER can be obtained from the set of approximation covers for each slice. Two approximated covers found from two excitation slices can intersect either (1) on reachable states, or (2) on the DC-set, or (3) on both. However, since the DC-set is unknown, these cases cannot be distinguished. After the approximated covers are obtained, they are interpreted in the same way as when the covers are calculated exactly.
Consider now the Positive set cover evaluation strategy for the ACGpER architecture. Since the $\bigcup_{k, k \ne j} ER_k(+a_i)$ part of the N-set is not available a priori, no specific properties can be drawn for the states in $\bigcup_{k, k \ne j} ER_k(+a_i)$ which distinguish them from those in $ER_j(+a_i)$. The properties of the rest of the states in the N-set can be clearly identified (as in the earlier example for the ACGpEF architecture). Hence the cover approximation needs to be taken as the GER cover, which is then refined until it satisfies the ACGpEF correctness condition. Once the correct cover approximation for the GER is found, the covers for each individual excitation slice are interpreted. This interpretation produces an implementation in the ACGpER architecture. Note, however, that exact covers are produced only in the worst case (full refinement). At the same time, if the approximated covers have an intersection on the DC-set, the correctness conditions for the ACGpEF architecture may be satisfied by approximated covers. In this case a pessimistic implementation is produced where intersecting covers are implemented as one atomic complex gate.
For the reasons explained above the last two architectures are considered together where the approximation method is used.
The Positive set cover evaluation strategy works with the exact negative set. Therefore its results should be slightly better than those of the Negative set approximation strategy. Indeed, the Positive set cover evaluation will produce a satisfiable cover as soon as no states from the negative set are covered by the approximation. However, to achieve this it requires an evaluation procedure which is more complex than the refinement of both approximations for the P-set and N-set. Furthermore, in the ACGpS architecture both covers are required for the implementation, and hence the refinement process obtains both cover approximations at the same time. For these reasons, the Positive cover evaluation strategy is not considered further in this thesis.
6.6 Initial Cover Approximation
The slices in the STG-unfolding segment represent two types of states: those where a signal transition $*a_i$ is excited ($GER(*a_i)$) and those in which the signal $a_i$ is stable ($GQR(*a_i)$). At the STG-unfolding level, the instances of places and transitions are available. Each transition instance $t'$ identifies the set of place instances which are its immediate predecessors, $\bullet t'$. All cuts enabling $t'$ include the places from $\bullet t'$. Therefore the approximation for all cuts enabling $t'$ can be found as an approximation for the partial cut $c^* = \bullet t'$. Similarly, each place instance $p'$ which is sequential to the signal transition instance $*a'_i$ but precedes the transitions from $next(*a'_i)$ can only be marked in states from $GQR(*a_i)$. Hence the states in which $p'$ is marked can be approximated by finding a cover approximation for the partial cut $c^* = (p')$.
Therefore, the problem of finding a cover approximation of the slice $S$ is restated as the problem of finding cover approximations for partial cuts which are formed by some elements of the STG-unfolding segment belonging to $S$.
6.6.1 Partial Cut Cover Approximation
Consider obtaining a cover approximation for a partial cut $c^*$ such that there exists a cut $c$ with $c^* \subseteq c$ and $c$ is encapsulated by a slice $S$. $S$ represents a connected set of states which are represented as cuts in $S$. Any state in this connected set in which all places $p'$ of $c^*$ are marked is reached by firing the instances which belong to the slice $S$. If a signal instance $*a'_j$ is concurrent to all places in $c^*$, then the value of its corresponding element in the binary vector may take both values "0" and "1". Therefore the cover approximation for the partial cut is defined as follows.
Definition 6.6.1 A cover approximation $C^*(c^*)$ is called a partial cut approximation cover for $c^*$ and is calculated as follows:
$$C^*(c^*)[i] = \begin{cases} -, & \text{if } *a'_i \in \{t' \mid (\exists c_1, c_2 \in S : c_1 \xrightarrow{t'} c_2) \wedge (\forall p' \in c^* : t' \parallel p')\} \\ \xi_{c^*}[i], & \text{otherwise} \end{cases}$$
where $\xi_{c^*}$ is calculated from the signal states of the local configurations of the instances $\bullet p'_j$, $p'_j \in c^* = \{p'_1, p'_2, \ldots, p'_n\}$, using the cumulative state of the union of the local configurations $\lceil \bullet p'_j \rceil$ as:
$$\mathcal{C}_{c^*} = \bigcup_{p'_j \in c^*} \lceil \bullet p'_j \rceil, \qquad \xi_{c^*} = \xi_0 \oplus \xi_{\mathcal{C}_{c^*}},$$
where $\xi_0$ is the signal state of the initial transition $\bot$, i.e. the binary vector of the initial state $s_0$. $\Box$
In other words, the literals corresponding to the signals whose instances belong to $S$ and are concurrent to places in the partial cut $c^*$ are substituted by "$-$" (don't care).
Property 6.6.1 Any instance $*a'_j$ is concurrent to all instances $p' \in \bullet(*a'_i)$ iff $*a'_j \parallel *a'_i$. $\Box$
Property 6.6.2 All instances $*a'_j$ of the STG-unfolding segment which are concurrent to $*a'_i$ belong to the excitation slice of $*a'_i$.
Proof: Follows from the definition of the excitation slice for $*a'_i$ (Section 6.4). $\Box$
Figure 6.16: Illustration of cover approximation for a place (a) and a slice (b).
Following the above property, the cover approximation for the partial cut $\bullet(*a'_i)$ of a transition defining its excitation slice $S_e(*a'_i)$ can be found by examining all instances concurrent to $*a'_i$ (no check is needed that $*a'_j$ belongs to $S_e(*a'_i)$). The approximated cover for all states represented in the excitation slice of $*a'_i$ is denoted $C^*_e(*a'_i)$. Furthermore, by its definition, the binary vector $\xi_{c^*}$ is equal to the signal state of the configuration producing the minimal excitation cut of $*a'_i$. The minimal excitation and minimal stable cuts differ only in the value of $\xi_{\lceil *a'_i \rceil}[i]$, as $*a'_i$ is the only instance separating them. Thus, instead of computing the binary state $\xi_{c^*}$ from the cumulative states of the predecessors of $\bullet(*a'_i)$, it can be found from $\xi_{\lceil *a'_i \rceil}$ by inverting the value of $\xi_{\lceil *a'_i \rceil}[i]$.
Example. Consider the cover approximation for $\bullet(+d')$ in Figure 6.16(a). The binary vector of its minimal excitation cut $c^e_{min}(+d')$, a cut of three places, is found from the signal state of its local configuration as $\xi = \{1000000\}$ (the order of signals is $abcdefg$). There are four signals $\{b, c, e, f\}$ whose instances belong to the excitation slice $S_e(+d')$ of $+d'$ (its min-cut and its single max-cut each consist of three places) and are concurrent to $+d'$. Thus the cover approximation for $+d'$ is $C^*_e(+d') = \{1\text{-}\text{-}0\text{-}\text{-}0\} = a\bar{d}\bar{g}$. $\blacksquare$
Property 6.6.3 The cover approximation $C^*_e(+a'_i)$ ($C^*_e(-a'_i)$) obtained from the STG-unfolding segment of an STG satisfying the general specification correctness criteria (Section 6.2) always has the value of the element corresponding to $a_i$ set to "0" ("1").
Proof: Follows from the fact that in an STG-unfolding segment constructed for an STG satisfying the general specification correctness criteria no two instances of $a_i$ can be concurrent. Thus the element corresponding to $a_i$ remains equal to the value $\xi[i]$ assigned to the minimal excitation cut $c^e_{min}(+a'_i)$ ($c^e_{min}(-a'_i)$), i.e. "0" ("1"). $\Box$
A partial cut is by definition any set of mutually concurrent instances $p'$. Thus a single instance $p'$ is also a partial cut. In this case, the partial cut approximation cover can be viewed as a cover approximating all states where $p'$ is marked; this cover is denoted $C^*(p')$. Furthermore, the calculation of such a cover is greatly simplified as there is only one predecessor $t'$ to be considered. Therefore, $C^*(p')$ is calculated directly from the binary vector assigned to the minimal stable cut $c^s_{min}(t')$.
A cover approximation for an arbitrary partial cut encapsulated by a slice $S$ must not cover cuts outside $S$. If a partial cut consists only of places belonging to a max-cut, the firing of all concurrent instances may reach a cut which is sequential to this max-cut. To avoid this, the set of concurrent transitions is chosen so that it never leads to a cut which is outside the bounds of $S$, i.e. its min-cut and the set of max-cuts. There may be several max-cuts and, hence, several possibilities to choose the set of concurrent transitions. In this case, the partial cut cover approximation is found as:
$$C^*(c^*) = \sum_k C^*_k(c^*),$$
where $C^*_k(c^*)$ is found using a restricted set of concurrent instances, i.e.:
$$C^*_k(c^*)[i] = \begin{cases} -, & \text{if } *a'_i \in \{t'_l \mid (k \ne l) \wedge (\exists c_1, c_2 \in S : c_1 \xrightarrow{t'_l} c_2) \wedge (\forall p' \in c^* : t'_l \parallel p')\} \\ \xi_{c^*}[i], & \text{otherwise} \end{cases}$$
for each $t'_k$ such that $(t'^{\bullet}_k \cup c^*) \subseteq c$, $c \in c_{max}$. There are no successor transitions of $t'_k$, as $t'^{\bullet}_k$ forms the max-cut and none of its successors belongs to $S$.
Example. Consider the approximation of the partial cut covers for cuts consisting of single places belonging to the slice $S(+a')$ in the example shown in Figure 6.16(b); this slice has a single-place min-cut and three max-cuts of three places each, two of which contain $p'_{10}$. The approximation cover for $c^* = \{p'_{11}\}$ is found from $\xi_{\lceil +a' \rceil}$ as $C^*(p'_{11}) = \{1\text{-}\text{-}0\text{-}\text{-}0\} = a\bar{d}\bar{g}$. Place $p'_{10}$, on the other hand, belongs to at least one max-cut. Thus the approximation cover for $c^* = \{p'_{10}\}$ is found using two approximations corresponding to two different sets of concurrent transitions:
$$C^*(p'_{10}) = C^*_1(p'_{10})\ (\text{for } \{b', c', e'\}) + C^*_2(p'_{10})\ (\text{for } \{b', c', f'\}) = \{1\text{-}\text{-}1\text{-}01\} \cup \{1\text{-}\text{-}10\text{-}1\} = ad\bar{f}g + ad\bar{e}g.$$
$\blacksquare$
Property 6.6.4 Let a partial cut $c^*$ consist of one place $p'$ belonging to the on-slice (off-slice) $S_{On}(+a'_i)$: $+a'_i \prec p'$ ($S_{Off}(-a'_i)$: $-a'_i \prec p'$) in the STG-unfolding segment of an STG satisfying the general specification correctness criteria (Section 6.2). The cover approximation $C^*(c^*)$ always has the literal (complement of the literal) corresponding to $a_i$.
Proof: Follows from the fact that the on-set (off-set) slice contains no instances of $a_i$ except for $+a'_i$ ($-a'_i$), which is used to define it. Thus there are no instances of $a_i$ in the slice which are concurrent to $p'$. Since $p'$ is sequential to $+a'_i$ ($-a'_i$), the value of the corresponding element remains the same as $\xi_{\lceil +a'_i \rceil}[i] = 1$ ($\xi_{\lceil -a'_i \rceil}[i] = 0$), corresponding to the minimal stable cut of $+a'_i$ ($-a'_i$). $\Box$
6.6.2 Finding P-set and N-set Approximations
Since the Negative set approximation strategy requires approximation covers for both the P-set and the N-set, consider finding those for each implementation architecture. The Positive set evaluation strategy only uses the P-set approximation. For simplicity only the on-set covers and the covers for $GER(+a_i)$ are considered further. The complementary cover approximations are found by using the instances of $-a_i$.
ACGpS Implementation
After the On- and Off-set partitioning w.r.t. signal $a_i$ has been found, the slices $S_{On}(+a'_i)$ and $S_{Off}(-a'_i)$ represent the cuts starting from those enabling each instance $*a'_i$ up to (but not including) the cuts enabling instances from $next(*a'_i)$. To approximate the cuts enabling $*a'_i$ the approximation cover $C^*_e(*a'_i)$ for the partial cut $c^* = \bullet(*a'_i)$ is used. To find the approximation for the rest of the cuts in $S_{On}(+a'_i)$ and $S_{Off}(-a'_i)$, partial cover approximations are found for cuts consisting of place instances which belong to $S_{On}(+a'_i)$ and $S_{Off}(-a'_i)$, respectively.
A cover approximation for a partial cut $c^* = \{p'_l\}$ covers all states in which $p'_l$ is marked together with any other concurrent place $p'_j$. Therefore, only a mutually non-concurrent subset of the places belonging to $S_{On}(+a'_i)$ needs to be considered. A set of such places is found in the STG-unfolding segment.
Definition 6.6.2 A maximal set $P_{+a'_i}$ of places belonging to a slice $S_{On}(+a'_i)$ such that $\forall p' \in P_{+a'_i} : +a'_i \prec p'$ (if such $+a'_i$ exists) and $\forall p'_1, p'_2 \in P_{+a'_i} : p'_1 \nparallel p'_2$ is called an approximation set of the slice $S_{On}(+a'_i)$. $\Box$
The approximation set for a slice is a "skeleton" of places for this slice which are either sequential or in conflict with each other. Any cut encapsulated by $S_{On}(+a'_i)$ contains a place from its approximation set.
Definition 6.6.3 The cover $C^*_{On}(a_i)$ is called the initial on-set cover approximation and is calculated from the on-slices $S_{On}(+a'_i)$ as:
$$C^*_{On}(a_i) = \sum_k C^*_{On}(+a^k_i),$$
where
$$C^*_{On}(+a^k_i) = C^*_e(+a^k_i) + \sum_l C^*(p'_l),\quad p'_l \in P_{+a^k_i}$$
for each $S_{On}(+a^k_i)$ defined using $c^e_{min}(+a^k_i)$ as its min-cut, and
$$C^*_{On}(+a^k_i) = \sum_l C^*(p'_l),\quad p'_l \in P_{+a^k_i}$$
if $S_{On}(+a^k_i)$ was defined using $c^s_{min}(\bot)$. $\Box$
Definition 6.6.4 The cover $C^*_{Off}(a_i)$ is called the initial off-set cover approximation and is calculated from the off-slices $S_{Off}(-a'_i)$ as:
$$C^*_{Off}(a_i) = \sum_k C^*_{Off}(-a^k_i),$$
where
$$C^*_{Off}(-a^k_i) = C^*_e(-a^k_i) + \sum_l C^*(p'_l),\quad p'_l \in P_{-a^k_i}$$
for each $S_{Off}(-a^k_i)$ defined using $c^e_{min}(-a^k_i)$ as its min-cut, and
$$C^*_{Off}(-a^k_i) = \sum_l C^*(p'_l),\quad p'_l \in P_{-a^k_i}$$
if $S_{Off}(-a^k_i)$ was defined using $c^s_{min}(\bot)$. $\Box$
The initial cover approximations for the on- and off-sets are taken as the initial cover approximations for the P-set and N-set.
Proposition 6.6.1 For any STG satisfying the general specification correctness criteria (Section 6.2), the on-set cover approximation $C^*_{On}(a_i)$, obtained from its STG-unfolding segment, covers all reachable states in $On(a_i)$.
Proof: Since there are two types of states in $On(a_i)$, the proof is split into two parts: for those states where $+a_i$ is excited and for those states where $a_i$ is stable. The proof for the former (represented by $S_e(+a'_i)$, which is included in $S_{On}(+a'_i)$) is given later in Proposition 6.6.2; only the proof that a cut corresponding to any state from $On(a_i)$ in which $a_i$ is stable is covered by $C^*_{On}(a_i)$ is given here.
Every reachable state of an STG is represented in the STG-unfolding segment. Therefore, for every state $s$ in $On(a_i)$ there exists a corresponding cut $c$ in the segment, and no instance in $c$ is a successor of a cutoff transition (Lemma 5.2.1). Every such cut $c$ is sequential to the minimal stable cut of some $+a'_i$ (or $\bot$). Consider the set of places belonging to this cut; one of these places, say $p'$, will be chosen into the approximation set $P_{+a'_i}$. Furthermore, $c$ is reached from $c^s_{min}(\bullet p')$ through the firing of transition instances which are concurrent to $p'$ and belong to $S_{On}(+a'_i)$. The cover approximation $C^*(p')$ has "$-$" for all literals corresponding to the signals whose instances are concurrent to $p'$ and therefore includes the exact cover $C(c)$. Hence $C^*_{On}(a_i)$ includes $C(c)$ and covers $s$. $\Box$
A similar statement holds for the off-set cover approximation and the set of states in the off-set.
ACGpEF and ACGpER Implementations
It was discussed earlier that the P-set and N-set cover approximations for the ACGpER architecture can only be chosen the same as for the ACGpEF implementation architecture. Also, only the calculation of the set function is considered; for the reset function the instances of $-a_i$ are used. The P-set and N-set in these architectures are $GER(+a_i)$ and the rest of the reachable states, respectively. In the discussion above, for the ACGpS implementation, two separate approximations were used for the states in which $+a_i$ is excited and those in which $a_i$ is stable. Thus the P-set and N-set cover approximations can be found by obtaining the On- and Off-set partitioning of the STG-unfolding segment.
Definition 6.6.5 The cover approximation $C^*_S(a_i)$ is called the initial set cover approximation for signal transition $+a_i$ and is calculated from the excitation slices of $+a^k_i$ as:
$$C^*_S(a_i) = \sum_k C^*_e(+a^k_i).$$
$\Box$
Proposition 6.6.2 For any STG satisfying the general specification correctness criteria (Section 6.2), the set cover approximation $C^*_S(a_i)$, obtained from its STG-unfolding segment, covers all reachable states where $+a_i$ is excited.
Proof: Every reachable state $s$ enabling $+a_i$ is represented in the STG-unfolding segment, and the cut $c$ corresponding to $s$ does not contain any successors of cutoff transitions (Lemma 5.2.1). Furthermore, there exists a corresponding instance $+a'_i$. Hence there exists a slice $S_e(+a'_i)$ defined by the minimal excitation and minimal stable cuts of $+a'_i$, and $c$ is encapsulated by $S_e(+a'_i)$.
$c$ is reached from $c^e_{min}(+a'_i)$ through the firing of transition instances which are concurrent to $+a'_i$ and belong to $S_e(+a'_i)$. The cover approximation $C^*_e(+a'_i)$ has "$-$" for all literals corresponding to the signals whose instances are concurrent to $+a'_i$ and therefore includes the exact cover $C(c)$. Hence $C^*_S(a_i)$ includes $C(c)$ and covers $s$. $\Box$
Definition 6.6.6 The cover approximation $C^*_N$ is called the initial N-set cover approximation for the ACGpEF (ACGpER) architecture for the set cover approximation and is found as:
$$C^*_N = \sum_l C^*(p'_l) + \sum_n C^*_e(-a^n_i) + \sum_k C^*(p'_k),$$
where $p'_l$ and $p'_k$ belong to the approximation sets found for the On- and Off-set partitioning, respectively, as in the previous architecture. $\Box$
Obviously, similar definitions exist for the reset cover of $*a_i$, and a statement similar to Proposition 6.6.2 holds.
The set and reset cover approximations for the ACGpER architecture are found by interpretation of the cover approximations for each excitation slice after the approximations for the ACGpEF architecture have been found.
6.6.3 Correctness of Negative Set Approximation Strategy
It is demonstrated here that the Negative set approximation strategy produces a correct implementation for any STG satisfying CSC.
Proposition 6.6.3 Let the P-set and the N-set be chosen as the on- and off-sets of $a_i$, respectively. Let the cover approximations $C^*_{On}(a_i)$ and $C^*_{Off}(a_i)$ be calculated from the segment for a CSC-compliant STG as per Definitions 6.6.3 and 6.6.4. Then the Negative set approximation procedure given in Figure 6.13 produces correct covers for the ACGpS architecture iff the refinement procedure in the worst case restores the exact covers for the On- and Off-set partitioning after a finite number of iterations.
Proof: (1) According to Proposition 6.6.1 the above approximation method produces covers for the on- and off-sets of $a_i$. (2) The procedure in Figure 6.13 exits only if the covers are disjoint, or terminates if the STG does not have CSC. For a CSC-compliant STG the on- and off-sets of $a_i$ are disjoint. Therefore, if the refinement procedure in the worst case restores exact covers for each on- and off-slice of the partitioning, then the states covered by these restored covers belong only to the on- and off-set, respectively. Thus the refined covers satisfy the correctness criterion for the ACGpS architecture (Definition 6.2.1). $\Box$
The next proposition illustrates that covers found for ACGpEF and ACGpER using our strategy are also correct.
Proposition 6.6.4 Let the P-set and the N-set be chosen as GER(+a_i) and the rest of the reachable states, respectively. Let the cover approximations C*_P(+a_i) and C_N be calculated from the segment for a CSC-compliant STG as per Definitions 6.6.5 and 6.6.6. Then the Negative set approximation procedure given in Figure 6.13 produces correct covers for the ACGpEF and ACGpER architectures iff the refinement procedure in the worst case restores the exact covers for all cuts including •(+a_i') and the cuts including the place instances used to find C*_P(a_i) and C_N(a_i) in a finite number of iterations.
Proof: (1) According to Proposition 6.6.2 the above approximation method produces covers for GER(+a_i). (2) There are three components in the N-set cover approximation C_N. From the properties of transition and place instance cover approximations it follows that the cover approximations ΣC*(p') and ΣC*_c(-a_i') will have the element corresponding to a_i set to "1". This element will always be set to "0" in the P-set cover C*_P(+a_i). Therefore, the only intersection between the P-set and the N-set cover approximations may happen if some C*_c(+a_i') intersects with ΣC*(p''). The former corresponds to the states where signal transition +a_i is excited and the latter to those where a_i is stable at "0". In a CSC-compliant STG the intersection between these two sets of states is empty. Thus, if the refinement procedure in the worst case produces exact covers, then these covers satisfy the correctness criteria for these architectures (Definitions 6.2.3 and 6.2.5, respectively). □
Note that the above proposition also showed that only the intersection between the cover approximations for the excitation slices and the places of the Off-set partitioning needs to be checked when the set function is found for the implementation in the ACGpEF or ACGpER architectures. This reduces the number of cover intersections to be checked and, hence, reduces the synthesis time.
6.7 Cover Refinement
The purpose of the refining procedure is to restore some of the relations between concurrent
transitions belonging to a slice S which were ignored during the approximation.
The refinement is used in both cover derivation strategies. In the first one, Negative set approximation, the refinement procedure is called when the cover approximations C_P and C_N for the P-set and N-set, respectively, have a non-empty intersection. Furthermore, the cover approximations C_P and C_N are built from the covers of transition and place instances. Thus when the intersection is non-empty, at least two instances x' and x'' causing it can be identified. An intersection check can be performed on a "per cube" basis, which narrows the intersection to a particular pair of cubes from which the set of offending signals Sig is found. These are the signals whose corresponding literals are missing from a particular cube of the cover.
In the second strategy the cover approximation is evaluated. The P-set cover approximation C_P is also formed from the cover approximations of particular instances. If C_P covers some states from the N-set, then it is possible to find at least one instance whose cover approximation covers these states. The set of offending signals in this case will be all signals whose literals are missing from at least one of the cubes of the cover.
Obviously, there may be several choices of instances whose cover approximations cause a non-empty intersection in the first strategy or whose cover approximation covers states from the N-set in the second. Refining one of them at a time will, however, correct the approximated cover.
The refinement procedure, therefore, needs to be able to refine a cover for an element of the unfolding x' with a given set of offending signals. The instance x' can be either a place or a transition instance. If x' is a place instance, then, by definition, this place forms a partial cut. If x' is a transition instance, then its approximated cover is in fact a cover for a partial cut including the instances of places in •x'. Hence the refinement procedure should work with partial cuts.
Recall that each instance x' belongs to some slice of the appropriate partitioning. The refinement procedure needs to find some of the places which can be marked together with the places already in a partial cut c' and produce new partial cuts for each combination, i.e. restoring partial cuts. When a new partial cut is formed, a new cube is introduced into the cover which represents this partial cut. Eventually, when all partial cuts are restored to ordinary cuts, the refinement procedure terminates with the cover consisting of the cubes found for each cut. Any existing minimisation technique can be used to optimise this cover by standard boolean transformations. Special attention is required for those partial cuts which are part of at least one max-cut of S. Their initial cover approximation consists of several cubes B_t', each of which does not allow some instance t' to be used in the approximation. Thus in any further refinements of these covers any cubes derived from B_t' may not be refined using t'.
The refinement of the cover for element x' is based on finding the refinement set for x' with respect to an offending signal a_j.
Definition 6.7.1 A maximal set of places P_r' that belong to the slice S is called the refining set of x' with respect to a_j iff it satisfies the following: ∀p' ∈ P_r' : x' ∥ p'; ∀p', p'' ∈ P_r' : ¬(p' ∥ p''); and ∀ *a_j' ∈ S : (*a_j')• ∩ P_r' ≠ ∅. □
In other words, the refining set is a set of mutually non-concurrent places belonging to S which are pair-wise concurrent with x'. The inclusion of the successors of each *a_j' into P_r' is required for the progress of the refinement procedure. Thus, if a_j was causing the cover to fail the correctness condition, the literal corresponding to a_j will be present in all cubes of the cover approximation of x' after this iteration. In addition, at least one signal will be refined at each iteration.
Suppose the refinement set P_r' was found for x'. Suppose also that the cover for x' consists of a set of cubes B_j with corresponding partial cuts c_j. From each partial cut c_j new partial cuts are built using instances in P_r':
c*_j = c_j ∪ {p'}, where (p' ∈ P_r') ∧ (∀p'' ∈ c_j : p' ∥ p'')
and for each newly created partial cut c*_j its new cover approximation C*(c*_j) is found as before, using the cumulative states of the local configurations of the instances t' ∈ •p' : p' ∈ c*_j. Note that this cover approximation will be a single cube. The newly created cover approximation for c*_j will only have those literals set to "-" whose instances belong to the slice S and are concurrent to all places in c*_j.
The refined cover C*_new(x') is obtained as the union of the cover approximations C*(c*_j) of all new partial cuts built from the set of old partial cuts c_j.
The pseudo-code of the algorithm for cover refinement is shown in Figure 6.17.
proc RefineCovers(C*(x'), Sig)
  Set C*_new(x') = ∅
  Choose an offending signal a_j from Sig
  Find the refining set P_r' for x' w.r.t. a_j
  for each c_j used to find C*(x') do
    for each p' ∈ P_r' concurrent to all places in c_j do
      c*_j = c_j ∪ {p'}
      Calculate C*(c*_j)
      C*_new(x') = C*_new(x') ∪ C*(c*_j)
    end do
  end do
end proc
Figure 6.17: Procedure for refining cover approximations.
Property 6.7.1 The cover approximation for x' obtained after an iteration using the refining set with respect to a_i adds a literal corresponding to a_i to each cube.
Proof: By definition the refining set P_r' contains place instances which are sequential to all instances *a_i' belonging to S. Furthermore, all places in P_r' are mutually non-concurrent and, thus, none of them can be concurrent to any *a_i'. Hence, no *a_i' will be concurrent to all places of any newly constructed partial cut. Therefore, the literal corresponding to a_i will be defined in all cover approximations for the newly built partial cuts. □
Proposition 6.7.1 The refinement procedure in Figure 6.17 terminates in a finite number of steps.
Proof: Since each step refines the value of at least one variable and the set of signals is finite, the refinement procedure will terminate after at most |A| × |P_r'| iterations. □
Corollary 6.7.1 The cover derivation procedure for the Negative set approximation strategy (shown in Figure 6.13) terminates in a finite number of steps. □
Proposition 6.7.2 The fully refined (in the worst case) cover of x' in the STG-unfolding segment covers only states corresponding to the cuts which are encapsulated by S and covered by the exact cover for x'.
Proof: The approximated cover for x' represents partial cuts: those where the input places of x' are marked, if x' is a transition, and those where x' is marked, if x' is a place. At each step the refinement procedure restores partial cuts of S. Thus at the end of the refinement procedure all cuts are fully restored to ordinary cuts. No transitions can be concurrent to all places in c. The cover approximation for each fully restored cut c will, therefore, be equal to the signal state of the configuration producing it. Hence, the fully refined cover will be obtained as the union of the binary vectors found for each cut in S that includes •x' or x', depending on whether x' is a transition or a place instance, i.e. the cover will be the exact cover for x'. □
Corollary 6.7.2 The fully refined cover for an excitation slice is equal to the exact cover for this slice. □
Corollary 6.7.3 The fully refined cover for an on- (off-) slice is equal to the exact cover for this slice. □
From the above corollaries it follows that Propositions 6.6.3 and 6.6.4 about the correctness of the Negative set cover derivation strategy hold. Moreover, the refinement procedure preserves the covering of the P-set. Therefore, after each iteration step a newly obtained cover also covers the P-set. Hence, if after some iteration the new P-set and N-set covers have an empty intersection, then they will satisfy the implementation specific correctness criterion set out in Definitions 6.2.1-6.2.5 for each implementation architecture.
Example. Consider the fragment of an STG-unfolding segment shown in Figure 6.18. Suppose that the on-set cover approximation C_on, found with an approximation set of four places, intersects with C_off for some signal. Suppose also that some cube which is a cover approximation of a place p' causes this non-empty intersection. The set of offending signals is found as Sig = {a, b, c}. Let a be the signal chosen for refinement. Its only instance which should be used in refinement is -a'. A refinement set P_r' of four places is chosen, and four new partial cuts are built, each consisting of p' together with one place of P_r'. Therefore, the new cover approximation for the place instance p' is: C*_new(p') = {10010} ∪ {11010} ∪ {11110} ∪ {01110} = a c̄ d ē + b c d ē. The resulting cover is an exact cover for place p'. ■
Figure 6.18: Illustration of cover approximation and refinement.
6.8 Experimental Results
The approximation method using the Negative set approximation strategy was implemented on the basis of the STG verification tool "PUNT" which constructs an STG-unfolding segment. The Negative set approximation strategy requires On- and Off-set partitioning for each of the implementation architectures. One of the architectures, ACGpS, can be considered as an indicator of the method's performance. While testing the novel approach the following targets were aimed at:
• To demonstrate the practicality of the approach on a set of moderately sized examples by a comparison of the obtained implementation to those obtained from other existing tools.
• To illustrate the increased feasibility of the synthesis process using the suggested approach, by an investigation of the dependency of the time taken to synthesise a circuit on the size of the specifications.
6.8.1 Practicality
To demonstrate the practicality of the approach a set of publicly available benchmarks was used. All STGs in this set of benchmarks have a low number of signals (max. 25). Thus the size of the state space is moderate and it is possible to synthesise these STGs with other
existing tools. The synthesis results are presented in Table 6.1.

Benchmark              | Signals | PUNT ACGpS TotTim | PUNT ACGpS LitCnt | Petrify | SIS     | Other tools LitCnt
imec-master-read.csc   | 16      | 77.00             | 83                | 125.66  | 630.52  | 69
nowick.csc             | 7       | 0.97              | 17                | 1.44    | 0.51    | 20/17
nowick                 | 6       | 0.57              | 15                | 1.10    | 0.23    | 14
parA.csc               | 14      | 3.63              | 36                | 12.31   | 168.55  | 36
sis-master-read.csc    | 14      | 5.78              | 48                | 27.09   | 130.66  | 48
tsbmSIBRK              | 25      | 42.70             | 72                | 299.90  | 141.51  | 72
?_stg_example          | 6       | 1.77              | 19                | 4.20    | 6.84    | 19
?                      | 8       | 1.46              | 20                | 5.24    | ?       | ?
alloc-outbound         | 9       | 0.85              | 16                | 1.75    | 1.53    | 16
mp-forward-pkt         | 20      | 0.83              | 17                | 1.50    | 0.22    | 17
nak-pa                 | 10      | 0.96              | 20                | 2.28    | 0.29    | 20
pe-send-ifc            | 17      | 2.53              | 68                | 19.50   | 1.16    | 75/72
ram-read-sbuf          | 11      | ?                 | ?                 | ?       | 0.26    | 22
rcv-setup              | ?       | 0.25              | 8                 | 0.72    | 0.14    | 8
sbuf-ram-write         | 12      | ?                 | 23                | 4.04    | 0.38    | 23
sbuf-read-ctl.old      | 8       | 0.86              | ?                 | 1.29    | 0.19    | 15
sbuf-read-ctl          | 8       | 0.71              | 15                | 0.88    | 0.16    | 15
sbuf-send-ctl          | 8       | 0.88              | 18                | ?       | 0.21    | 19
sbuf-send-pkt2         | ?       | 0.99              | 18                | 2.16    | 0.23    | 19
sbuf-send-pkt2.?       | ?       | 1.07              | 31                | 3.43    | 0.26    | 31
?                      | ?       | ?                 | ?                 | ?       | 0.14    | ?
Total                  | 228     | 146.78            | 592               | 520.16  | 1092.77 | 580/574
Table 6.1: Experimental results for circuit synthesis (cells marked "?" are illegible in the available copy).

The table presents the total time spent (in seconds) on the synthesis of SI circuits from their STG specifications in the ACGpS architecture ("PUNT ACGpS"). On average, about 1% of this time was spent on building the STG-unfolding segment and about 15% was spent on Espresso minimisation. For comparison, the same set of benchmarks was synthesised using petrify and SIS [15, 82]. Their total timings are grouped in the column "Other tools".
The literal count was used for comparison of the implementations obtained by different tools (columns "LitCnt"). The literal count shows the total number of literals used in all cubes of the logic functions implementing all signals. As can be observed, the synthesis technique based on the STG-unfolding segment using the Negative set approximation strategy produces implementations comparable with those produced by other tools. The timing results show that the approximation technique compares favourably to petrify [15]. PUNT is also comparable with SIS on the benchmarks with a low count of signals and it becomes increasingly better with the growth of the signal count. These results show that for small sized benchmarks, the overheads of constructing and traversing the STG-unfolding segment may outweigh the time spent on constructing a small reachability graph with an efficient implementation. The slightly worse literal count for two benchmarks (imec-master-read.csc and nowick) is attributed to the fact that the DC-set is partitioned due to the pessimistic condition on the empty intersection between cover approximations in the Negative set approximation strategy.
6.8.2 Feasibility
The Muller pipeline benchmark was chosen to demonstrate the increased feasibility of the approximation method. The graph interpretation of the results is shown in Figure 6.19. As can be observed, existing tools cannot cope well with the growing size of the specification, either running out of memory or taking a prohibitively long time. The double exponential dependency of SIS and petrify is attributed to (1) the exponential explosion of the state space, and (2) the exact cover calculation methods. In addition, the new tool was used to synthesise a real life specification of the Counterflow pipeline [97] which has 34 signals. Of the existing tools, only petrify was able to synthesise it but it took more than 24 hours. At the same time PUNT was able to synthesise it in under 2 hours, thus giving an order of magnitude gain in speed. This result is shown on the graph as a circled dot.
Figure 6.19: Experimental results for Muller pipeline (synthesis time against the number of signals for SIS, Petrify and PUNT).
6.9 Conclusions
This chapter introduced a methodology for the synthesis of SI circuits from the STG-unfolding segment. It presented a review of the major implementation architectures for SI circuits along with the conditions of implementability of an STG in a particular architecture. It introduced cuts and slices of the STG-unfolding segment, which were used to identify fragments of the STG-unfolding segment corresponding to sets of reachable states of the original STG.
A new synthesis procedure from the STG-unfolding segment was developed, first for exact, and then for approximated covers. The practicality and applicability of the suggested technique was demonstrated for the Negative set approximation cover strategy by a comparison with implementations obtained from the existing tools.
This work leaves open for future research the problems of developing better techniques for cover evaluation and detecting cuts that belong to the negative set in the Positive set evaluation strategy. Once the solution for these problems is found, the comparative study of the two strategies can be performed to indicate which classes of STGs and implementation architectures benefit most from the application of different strategies.
Chapter 7
Applications of PN-unfolding
This chapter describes two new applications of the PN-unfolding segment. The first one is related to the problem of circuit analysis. The second suggests a new use for PN-unfolding as a pre-processing mechanism for PN symbolic traversal.
PN-unfolding may suffer from an unnecessary exponential explosion when it is applied to the verification of PN models of asynchronous systems if the model contains bi-directional arcs.
Sections 7.1-7.5 of this chapter propose the use of contextual nets instead, by presenting an
algorithm for constructing a finite contextual net unfolding segment. This method is applied
to the verification of an asynchronous control structure implementing a four-slot asynchronous
communication mechanism, intended for use in real-time systems.
The rest of this chapter proposes the use of PN-unfolding for obtaining a good variable
ordering for analysis methods based on PN-symbolic traversal. These recently proposed verifi-
cation methods often yield better performance than using the conventional reachability graph
analysis. They employ a Binary Decision Diagram (BDD) representation of the boolean func-
tions characterising the state space of the model. PN-symbolic traversal may, however, suffer
from bad ordering of BDD variables. The method suggested here combines two approaches for
PN verification: PN-unfolding and BDD-based traversal. The results of unfolding construction
are used for obtaining a better ordering of BDD variables thereby helping the PN symbolic
traversal approach.
7.1 Motivation for Contextual Net Unfolding
Chapter 5 examined the analysis of four-phase asynchronous circuits by means of Circuit PNs. The circuit schematic is converted into a set of STG fragments composed together. A characteristic feature of STGs which fall into the category of Circuit PNs is the presence of a contextual dependence between places and transitions associated with different logic elements of the circuit. The intuitive meaning of such a dependence happens to be exactly the same as that of the context flow-relation in contextual nets [52]. However, the "standard" STG uses the "ordinary" PN model, and those contextual links are generally represented in terms of the usual flow-relation as self-loop arcs (often represented by bi-directional arcs). The application of the "ordinary" PN semantics to PNs and STGs with self-loops, as in all existing unfolding algorithms, often results in the same sort of exponential blow-up as with the use of RGs and SGs (see an example below).
Figure 7.1: Example of a Petri net with self-loops (a) and its unfolding according to the requirement of structural conflict (b).
The root of this problem, informally, is in the different semantic interpretations applied to self-loops in ordinary PNs and in contextual nets. This appears to be critical, from the size point of view, for the partial order (or non-sequential) semantics [12]. Indeed, the PN-unfolding is a partial order technique which proves to be efficient for a large class of PN models - it can keep concurrency in its natural, "non-interleaving", form. Unfortunately, the classical partial order semantics, underlying the existing unfolding methods, loses its efficiency when the paradigms of concurrency and conflict are mixed up.
Consider a well-known example of a pair of transitions t1 and t2 sharing a single place p by means of a self-loop flow relation as shown in Figure 7.1.(a). The place p is thus both a predecessor and a successor to transitions t1 and t2. The classical partial order semantics does not allow those transitions to fire simultaneously, since the token in the shared place is treated as a single resource (structural conflict on p). It will unfold this net into two interleaving sequences (Figure 7.1.(b)), resulting in a combinatorial blow-up.
In asynchronous system modelling, transitions may also be connected by self-loops with shared places but these connections have a different meaning. Their meaning is not resource-based but rather condition-based: a transition, associated with a gate's output, can fire if a place, associated with another gate's output, is marked with a token. In that sense, the above example should be interpreted as the fact that two gates share the same input wire (the "high" or "low" state of the wire is modelled by place p). When the value is set to logical 1 (or 0) it enables both gates (the events on the gates' outputs are represented by transitions t1 and t2), and so the latter can fire completely independently of each other.
The new CN-unfolding algorithm suggested here allows explicit contextual arcs in the underlying PN. This algorithm may find its theoretical justification in the work on non-sequential semantics of contextual nets by Busi and Pinna [12]. The algorithm was applied to a number of characteristic examples of models with contextual arcs. Those examples included the verification of asynchronous circuits and of an asynchronous communication mechanism for coherence (checking freedom from simultaneous access to data for read and write). In the latter example, it was impossible to construct the truncated unfolding for an ordinary PN interpretation, due to the large number of self-loop arcs, while the contextual net unfolding appeared to be fairly compact. Note that it is often the case that even initial STG specifications of asynchronous systems (see the example in Section 7.4) may contain contextual arcs and therefore the use of the new unfolding algorithm will be productive. The use of contextual nets in the modelling of asynchronous systems substantially increases the efficiency of the unfolding (i.e. partial order) approach, and thus enhances the power of PNs as a modelling/verification tool in general.
7.2 Positive Contextual Nets
This section introduces the basic concepts required to develop the algorithm for a contextual net unfolding. For simplicity, a subclass of contextual nets in which only the so-called positive [12] context is allowed is considered here and the underlying PN is safe. This restriction is mainly for practical reasons since this class is sufficient to deal with net models of asynchronous systems, which would otherwise be represented by ordinary PNs with self-loops. For example, Circuit PNs, mentioned before, are a class of 1-safe nets with self-loops. Furthermore, one can imagine that it is possible to extend this technique to nets with negative context (on the basis of the contextual interpretation of inhibitor arcs). This can be done by the (standard) transformation of a bounded inhibitor net to an ordinary PN with complementary places and self-loop arcs [65].
Further reading on contextual Petri nets can be found, e.g., in [52, 12].
7.2.1 Contextual Net Definition
Since contextual nets differ from ordinary PNs, several notions, e.g. transition enabling and firing, must be redefined. First, a contextual net is defined.
Definition 7.2.1
1. A (positive) contextual net (CN) is a tuple (P, T, F, C), where (P, T, F) is a safe Petri net and C ⊆ P × T is the context relation such that C ∩ F = ∅.
2. A marked (positive) contextual net is a CN augmented with an initial marking M_0 of its places in P, i.e. it is a tuple (P, T, F, C, M_0).
□
For a transition t ∈ T the context set of t is defined as t̂ = {p ∈ P | (p, t) ∈ C}. Places in the context set of t are called contextual places. In the graphical representation of CNs, the context relation will be depicted with a line without arrows.
A transition t is called enabled at marking M if •t ⊆ M and t̂ ⊆ M. Thus, for a transition to be enabled in a CN, in addition to all its predecessor places, all its contextual places must also be marked.
The firing of a transition t enabled at marking M is defined as an instantaneous action producing the new marking M' = (M \ •t) ∪ t•. Such a marking M' is called directly reachable from marking M. Note that transition firing in a CN does not affect tokens which mark
contextual places. The notions of feasible (firing) sequence and reachability are defined for PNs on markings and transitions between them and, therefore, are directly applicable to CNs. A CN is said to be finite if the sets P and T are finite.
A transition t is said to be disabled by another transition t' of a CN if there exists a marking M in which both t and t' are enabled and t is not enabled in the marking M' reached from M by firing t'. In this case t is said to be a non-persistent transition or the CN is non-persistent with respect to t. Otherwise the CN is called persistent with respect to t. Finally, a CN is called persistent if it is persistent with respect to all its transitions.
In order to be able to work with STG models of asynchronous circuits, a contextual STG is defined.
Definition 7.2.2 A Contextual Signal Transition Graph (CSTG) is a tuple (P, T, F, C, M_0, A, λ), where (P, T, F, C, M_0) is a CN, A is a set of signals and λ : T → (A × {+, −}) is the signal labelling function. □
7.2.2 Role of Conflict Relation
A pair of transitions t1 and t2 in a CN are said to be in symmetric structural conflict iff •t1 ∩ •t2 ≠ ∅. Transitions t1 and t2 are said to be in asymmetric structural conflict iff •t1 ∩ •t2 = ∅ but •t1 ∩ t̂2 ≠ ∅. A pair of transitions t1 and t2 are said to be in symmetric dynamic conflict (asymmetric dynamic conflict) if they are in symmetric structural conflict (asymmetric structural conflict) and there exists a marking in which they are both enabled. Note that the definition of dynamic conflict is fairly strong (it is brought to match the notion of conflict in the unfolding, see below).
The conventional "PN-based" definition of the reachability graph defines the so-called interleaving semantics of a CN. This type of semantics cannot, for example, distinguish between two behaviours of the following kind. In the first case, a pair of transitions can fire independently (in either order or simultaneously). In the second case, two transitions are in symmetric dynamic conflict where they share a predecessor place with one token. They cannot fire simultaneously; however they are allowed to fire one after the other in either order. It is possible to apply a more refined type of semantics, called step semantics [32], which can differentiate between those behaviours. In this case, a transition step, consisting of both transitions, is allowed which will be explicitly represented in the step reachability graph. The step semantics of CNs is defined in [52, 12].
Example. Figure 7.2.(a) shows an example of a PN with a self-loop flow relation between place p and transitions t1 and t2. Its reachability graph and step reachability graph are the same - they are shown in part (b) of the figure. For a "similar" contextual net, shown in Figure 7.2.(c), where the relation between p and t1 and t2 is contextual, the step reachability graph is different - it is depicted in part (d). Note that the same step reachability graph would be produced by the above CN (or PN) if place p and its context edges are deleted. ■
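As an added illustration (not code from the thesis or from the PUNT tool), the following Python encodes the enabling and firing rules of Definition 7.2.1 and the structural conflict relations of this section, builds the step reachability graphs of the two nets in Figure 7.2, and runs the persistence (disabling) check of Section 7.2.1 on both; the dictionary encoding of a net and the representation of a marking as a set of places are assumptions.

```python
"""Added illustration for Definition 7.2.1 and Figure 7.2 (not code from the
thesis or the PUNT tool).  A net is a dict: transition -> (preset, postset,
context set); a marking is a frozenset of marked places (safe net assumed)."""
from itertools import combinations

# Constructed nets from Figure 7.2 with the figure's place and transition names.
PN_SELF_LOOP = {  # (a): p is consumed and re-produced by t1 and t2 (self-loops)
    "t1": (frozenset({"p1", "p"}), frozenset({"p3", "p"}), frozenset()),
    "t2": (frozenset({"p2", "p"}), frozenset({"p4", "p"}), frozenset()),
}
CN_CONTEXT = {    # (c): p is only read by t1 and t2 through the context relation
    "t1": (frozenset({"p1"}), frozenset({"p3"}), frozenset({"p"})),
    "t2": (frozenset({"p2"}), frozenset({"p4"}), frozenset({"p"})),
}
M0 = frozenset({"p1", "p", "p2"})


def enabled(net, m, t):
    """Definition 7.2.1 enabling: preset and context set must both be marked."""
    pre, _, ctx = net[t]
    return pre <= m and ctx <= m


def fire(net, m, step):
    """Fire a set of transitions at once: remove all presets, add all postsets.
    Contextual tokens are never removed, so a read place stays marked."""
    pre = frozenset().union(*(net[t][0] for t in step))
    post = frozenset().union(*(net[t][1] for t in step))
    return (m - pre) | post


def structural_conflict(net, t1, t2):
    """Section 7.2.2: 'symmetric' (shared preset place), 'asymmetric' (one
    transition consumes a place the other only reads) or None."""
    pre1, _, ctx1 = net[t1]
    pre2, _, ctx2 = net[t2]
    if pre1 & pre2:
        return "symmetric"
    if (pre1 & ctx2) or (pre2 & ctx1):
        return "asymmetric"
    return None


def enabled_steps(net, m):
    """Every non-empty set of enabled, pairwise non-conflicting transitions."""
    ts = sorted(t for t in net if enabled(net, m, t))
    return [frozenset(step)
            for k in range(1, len(ts) + 1)
            for step in combinations(ts, k)
            if all(structural_conflict(net, a, b) is None
                   for a, b in combinations(step, 2))]


def step_reachability_graph(net, m0):
    """Markings and (marking, step, marking') edges reachable from m0.
    Steps only add firing sequences, so the marking set is the interleaving one."""
    seen, todo, edges = {m0}, [m0], []
    while todo:
        m = todo.pop()
        for step in enabled_steps(net, m):
            m2 = fire(net, m, step)
            edges.append((m, step, m2))
            if m2 not in seen:
                seen.add(m2)
                todo.append(m2)
    return seen, edges


def dynamic_conflicts(net, m0):
    """Structurally conflicting pairs that are both enabled at some reachable
    marking; for the self-loop PN this is the false alarm discussed in 7.2.2."""
    markings, _ = step_reachability_graph(net, m0)
    found = set()
    for t1, t2 in combinations(sorted(net), 2):
        kind = structural_conflict(net, t1, t2)
        if kind and any(enabled(net, m, t1) and enabled(net, m, t2) for m in markings):
            found.add((t1, t2, kind))
    return found


def disables(net, m0, t, other):
    """Non-persistence of t w.r.t. other (Section 7.2.1): both enabled at some
    reachable marking and t no longer enabled after firing other alone."""
    markings, _ = step_reachability_graph(net, m0)
    return any(enabled(net, m, t) and enabled(net, m, other)
               and not enabled(net, fire(net, m, {other}), t)
               for m in markings)


if __name__ == "__main__":
    for name, net in (("self-loop PN (a)", PN_SELF_LOOP), ("contextual net (c)", CN_CONTEXT)):
        markings, edges = step_reachability_graph(net, M0)
        steps = sorted(tuple(sorted(s)) for _, s, _ in edges)
        print(f"{name}: {len(markings)} markings, {len(edges)} edges, steps {steps}")
        print("  dynamic conflicts:", dynamic_conflicts(net, M0),
              " t1 disabled by t2:", disables(net, M0, "t1", "t2"))
```

Both nets reach the same four markings; only the contextual net has the extra step {t1, t2}, and in neither net does t1 disable t2, which is exactly the gap between dynamic conflict and non-persistence that the rest of this section discusses.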
Note that considering steps of two or more non-conflicting transitions, in addition to simple, single-transition steps, does not create new markings in the reachability set of a CN.
Figure 7.2: Petri net with self-loops (a) with its step reachability graph (b) and contextual net (c) with its step reachability graph (d). In both graphs the markings are (p1,p,p2), (p3,p,p2), (p1,p,p4) and (p3,p,p4), with t1 leading from (p1,p,p2) to (p3,p,p2) and t2 from (p1,p,p2) to (p1,p,p4), both then leading to (p3,p,p4); graph (d) additionally contains the step {t1,t2} from (p1,p,p2) directly to (p3,p,p4).
It produces only new firing sequences, called step sequences. As has been noted, the partial order models, such as net unfoldings, are sensitive to such semantical distinctions as well, but their representation reflects the above distinction in the structure of the semantic model. For example, the presence of dynamic conflicts in the original CN generates choice between alternative branches of the net unfolding, which consists of the instances (or occurrences) of places and transitions taken from the original CN.
It is obvious that the necessary condition for a disabling to occur (and hence non-persistency) between transitions is the presence of dynamic conflicts between them. The opposite is not true: indeed, in the CN shown in Figure 7.2.(a) transitions t1 and t2 are in dynamic conflict but they do not disable each other. The property of transition persistence (or non-persistence) is crucial in the analysis of asynchronous circuit behaviour. It corresponds to the behavioural quality of a circuit to be either free from hazards on a given signal or not. In the use of PNs for the analysis of hazard-freedom it is convenient to identify hazards with some local properties of the semantical model, such as conflicts - the latter are easier to check than those properties which are based on global information such as markings and their reachability. Therefore the cases like the one shown in Figure 7.2.(a) appear to be difficult for analysis because from the circuit semantics such behaviour can be correct (the signal transition corresponding to, say, t1 is not disabled by firing t2) while its analysis through the notion of dynamic conflicts raises an alarm¹. CNs distinguish the cases of contextual dependence from those which are real dynamic conflicts and imply hazardous behaviour in the circuit terms. The CN-unfolding, introduced later, supports this distinction. It fills the semantic gap between the notion of a dynamic conflict in the net and that of non-persistence, the gap characteristic for ordinary PNs.
¹ This alarm can certainly be checked and identified as false by means of explicit analysis for disabling - but this would affect the overall efficiency of the analysis process and hence it is preferable to avoid it.
7.3 Contextual Net Unfolding
7.3.1 Basic Relations in Acyclic Contextual Nets
Similar to PN-unfolding, CN-unfolding is defined using the notion of a labelled occurrence net. In order to define the corresponding notions for contextual nets, several preliminary definitions are required. These will impose additional conditions on the structure of a (P, T) labelled positive occurrence CN when it is augmented with the context relation between places and transitions. Those conditions must ensure that every transition in the occurrence CN can be fired once and only once if all its minimal places are initially marked.
Consider a (P, T) labelled positive CN CN = (P', T', F', C', L'), where (P', T', F', L') is a (P, T) labelled occurrence net and C' ⊆ P' × T' is a context relation satisfying C' ∩ F' = ∅. The following relations in this net are defined.
Definition 7.3.1 (Weak and Strong Precedence)
1. Two elements x' and x'' of CN are said to be in the weak precedence relation, denoted x' ≺ x'', iff (x', x'') ∈ (F' ∪ C')*.
2. Two elements x' and x'' of CN are said to be in the strong precedence relation, denoted x' ≺≺ x'', iff ∃t : (x', t) ∈ F'* and t ≺ x''.
□
It is clear from these definitions that:
• ≺≺ ⊆ ≺;
• if the first element in a pair of elements (x', x'') ∈ ≺ of CN is a transition (i.e. x' ∈ T'), then (x', x'') ∈ ≺≺. This is a simple corollary of the definition of C', which is defined on P' × T'.
Note that the set-theoretic difference between the weak and strong precedence is a relation which reflects the specific nature of acyclic CNs. If a place p is in such a relation with another element x, this means that p must be marked with a token before x is either marked (if x ∈ P') or fired (if x ∈ T'). However, this does not state that when x is marked or fired, the token must have been removed from p.
The following definitions of conflict and semi-conflict are also required.
Definition 7.3.2 (Conflict and Semi-conflict)
1. Two elements x' and x'' of CN are said to be in the conflict relation, denoted x' # x'', iff there exist two distinct transitions t' and t'' such that •t' ∩ •t'' ≠ ∅ and t' ≺ x' and t'' ≺ x''.
Figure 7.3: Conflict and semi-conflict.
Figure 7.4: Examples of CNs (a), (c) which cannot be contextual occurrence nets and their corresponding graphs (b), (d) of the must-occur-before relation.
2. Two elements x' and x'' of CN are said to be in the semi-conflict relation, denoted x' #̃ x'', iff there exist two distinct transitions t' and t'' such that •t' ∩ t̂'' ≠ ∅ and t' ≺ x' and t'' ≺ x'' (here t̂ denotes the set of context places of t, i.e. {p : (p, t) ∈ C'}).
□
The difference between the two conflict relations is illustrated in Figure 7.3. In the left part of the figure t' and t'' are in conflict, while in the right part they are in semi-conflict. The semi-conflict relation in CN corresponds to the asymmetric conflict in PNs discussed earlier. The firing of t' can disable t''. In this case, p' and p'' will not be marked together. However, if t'' manages to fire before t', then both p' and p'' can have tokens in the same reachable marking. Obviously, if p' and p'' are in conflict, there is no reachable marking in which they can both have tokens.
Example. Consider the CN shown in Figure 7.4(a). This example satisfies the conditions of Definition 3.3.1, applied to the CN taken above. At the same time this CN is not a valid contextual occurrence net since its transition t3 cannot be fired. This is despite the fact that t3 satisfies the "no self-conflict" condition of Definition 3.3.1. ■
Indeed, in order to fire transition t3 both p3 and p4 must be marked in the same marking. In order to mark p3, t1 must fire before the token is removed from p2 ∈ •t2. However, firing t1 removes the token from p1 and thus prevents t2 from firing. The weak precedence relation defined as the set (C' ∪ F')* does not reflect all possible precedences that are expressed by the CN. For example, the weak precedence relation (due to the context relation) between p2 and t1 in Figure 7.4(a) reflects only the fact that p2 must be marked with a token before t1 fires. On the other hand, again due to the context relation between p2 and t1, it can be said that t1 must occur before the token is removed from p2, and hence before the occurrence of t2, the successor of p2. This new type of precedence combined with the transitive closure of F' gives rise to a new relation which will be important for the definition of the independence relation.
Definition 7.3.3 (t-Weak Precedence) Two elements x' and x'' of CN are said to be in the t-weak precedence relation, denoted x' ≺_t x'', if (x', x'') ∈ (F'* ∪ C'^{-1}), where C'^{-1} is the inverse of C'. □
This relation should be interpreted as "must occur before". The prefix t designates the fact that the relation C'^{-1} is used, which originates in transitions. Consider a graph whose vertices represent the elements of the CN involved in the context relation ((x', x'') ∈ C') and those elements whose independence needs to be checked. The edges represent ≺_t.
On the basis of the ≺_t relation the notion of contextual conflict in CN is defined.
Definition 7.3.4 The set of elements X = {x'_1 ... x'_n} of CN such that no two x'_i and x'_j in X are in conflict (Definition 7.3.2) or in strong precedence (Definition 7.3.1) is said to be in contextual conflict, denoted {x'_1 ... x'_n} ∈ #̄, iff there exist two distinct transitions t' and t'' such that (t', t''), (t'', t') ∈ (≺_t)*|_Y, where Y = {y'_1 ... y'_m} is the set of elements that belong to the backward transitive closure (with respect to F' ∪ C') from X, and (≺_t)*|_Y is the transitive closure of ≺_t with the domain restricted to Y. □
That is, a set of elements X is in contextual conflict if there exists a cyclic path in the graph of the ≺_t relation such that this path goes through the elements that precede the elements in X. Observe that unlike the acyclic PN case this relation is defined for a set of elements and is not generalisable from a pairwise relation, i.e. in an acyclic CN the absence of pairwise contextual conflicts in X does not imply that X is free from contextual conflicts.
Example. The graph showing the (≺_t)*|_Y relation for the example in Figure 7.4(a) is shown in Figure 7.4(b). As can be observed, there exists a loop in this graph which indicates that it is impossible to fire the transitions belonging to this loop due to the contextual dependence between them.
The example in Figure 7.4(c) (similar to that discussed in [94]) illustrates that the contextual conflict relation is not generalisable. Indeed, from the graph in Figure 7.4(d) it can be seen that there is no contextual conflict between any pair of the places p4, p5, p7; however, all three places are in contextual conflict (and hence cannot ever be marked together). ■
Thus the independence relation is introduced as:
Definition 7.3.5 A set of elements X = {x'_1 ... x'_n} of CN is said to be in the independence relation, denoted {x'_1 ... x'_n} ∈ ∥, iff the following three conditions are satisfied:
1. no two instances x'_i and x'_j are in conflict ((x'_i, x'_j) ∉ #);
2. no two instances x'_i and x'_j are in strong precedence with each other (neither x'_i ≺≺ x'_j nor x'_j ≺≺ x'_i);
3. the elements of X are not in contextual conflict ({x'_1 ... x'_n} ∉ #̄).
□
The first two conditions are trivial extensions of those used in defining independence in occurrence nets. The third condition shows that the elements of X may be independent even if there exists a semi-conflict between them but not a contextual conflict. For example, places p' and p'' are in semi-conflict in Figure 7.3 but are also independent. Therefore these two places can be marked together.
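The relations of Definitions 7.3.1 to 7.3.5 are small enough to compute directly on an acyclic CN. The following is an added example, not the thesis's implementation: it encodes the net described in the text for Figure 7.4(a) (the arc structure is reconstructed from that description and is therefore an assumption) and checks that p3 and p4 are in semi-conflict and in contextual conflict, hence not independent, while the initially marked p1 and p2 are independent.

```python
from itertools import product

class ContextualNet:
    """An acyclic contextual net: ordinary arcs F over (P×T) ∪ (T×P) and context
    (read) arcs C ⊆ P×T, with C ∩ F = ∅ as Definition 7.3.6 requires."""

    def __init__(self, places, transitions, flow, context):
        self.P, self.T = set(places), set(transitions)
        self.F, self.C = set(flow), set(context)
        assert not (self.F & self.C), "context and flow arcs must be disjoint"

    def _closure(self, edges):
        """Reflexive-transitive closure of an edge set over P ∪ T."""
        reach = {x: {x} for x in self.P | self.T}
        for a, b in edges:
            reach[a].add(b)
        changed = True
        while changed:
            changed = False
            for x in reach:
                bigger = set().union(*(reach[y] for y in reach[x]))
                if not bigger <= reach[x]:
                    reach[x] |= bigger
                    changed = True
        return reach

    def preset(self, t):
        return {p for (p, u) in self.F if u == t}

    def context(self, t):
        return {p for (p, u) in self.C if u == t}

    def weak_prec(self, x, y):
        """x ≺ y  iff  (x, y) ∈ (F ∪ C)*  (Definition 7.3.1, item 1)."""
        return y in self._closure(self.F | self.C)[x]

    def strong_prec(self, x, y):
        """x ≺≺ y  iff  ∃t ∈ T : (x, t) ∈ F* and t ≺ y  (Definition 7.3.1, item 2)."""
        fstar = self._closure(self.F)
        return any(t in fstar[x] and self.weak_prec(t, y) for t in self.T)

    def in_conflict(self, x, y):
        """x # y: distinct t', t'' sharing an input place precede x and y."""
        return any(t1 != t2 and self.preset(t1) & self.preset(t2)
                   and self.weak_prec(t1, x) and self.weak_prec(t2, y)
                   for t1, t2 in product(self.T, repeat=2))

    def semi_conflict(self, x, y):
        """x #~ y: a t' preceding x consumes a place that a t'' preceding y reads."""
        return any(t1 != t2 and self.preset(t1) & self.context(t2)
                   and self.weak_prec(t1, x) and self.weak_prec(t2, y)
                   for t1, t2 in product(self.T, repeat=2))

    def contextual_conflict(self, X):
        """X ∈ #̄ (Definition 7.3.4): two distinct transitions lie on a cycle of
        the ≺_t graph (F ∪ C⁻¹) restricted to the backward closure Y of X."""
        back = self._closure({(b, a) for (a, b) in self.F | self.C})
        Y = set().union(*(back[x] for x in X))
        edges = {(a, b) for (a, b) in self.F if a in Y and b in Y}
        edges |= {(t, p) for (p, t) in self.C if p in Y and t in Y}
        reach = self._closure(edges)
        return any(t1 != t2 and t2 in reach[t1] and t1 in reach[t2]
                   for t1, t2 in product(self.T & Y, repeat=2))

    def independent(self, X):
        """X ∈ ∥ (Definition 7.3.5): pairwise no conflict and no strong
        precedence in either direction, and no contextual conflict over X."""
        X = list(X)
        for i, x in enumerate(X):
            for y in X[i + 1:]:
                if (self.in_conflict(x, y) or self.strong_prec(x, y)
                        or self.strong_prec(y, x)):
                    return False
        return not self.contextual_conflict(X)

# Constructed net following the text's description of Figure 7.4(a):
# t1 consumes p1 and reads p2, t2 consumes p2 and reads p1, t3 needs p3 and p4.
FIG_7_4A = ContextualNet(
    places=["p1", "p2", "p3", "p4"],
    transitions=["t1", "t2", "t3"],
    flow=[("p1", "t1"), ("t1", "p3"), ("p2", "t2"), ("t2", "p4"),
          ("p3", "t3"), ("p4", "t3")],
    context=[("p2", "t1"), ("p1", "t2")],
)

if __name__ == "__main__":
    net = FIG_7_4A
    print("p2 ≺ t1:", net.weak_prec("p2", "t1"), " p2 ≺≺ t1:", net.strong_prec("p2", "t1"))
    print("{p3, p4} in contextual conflict:", net.contextual_conflict({"p3", "p4"}))
    print("{p3, p4} independent:", net.independent({"p3", "p4"}))
```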
7.3.2 Contextual Net Unfolding
It is now possible to define formally a contextual occurrence net.
Definition 7.3.6 A (P, T) labelled (positive) contextual occurrence net is a CN CN = (P', T', F', C', L'), where (P', T', F', L') is a (P, T) labelled occurrence net, C' ⊆ P' × T' is a context relation satisfying C' ∩ F' = ∅, and for any t ∈ T' : ∀p1, p2 ∈ •t ∪ t̂ : p1 ∥ p2 (i.e. all preceding and context places for every transition are independent). □
The definition of a contextual occurrence net is different from the one in [12] (Definition 6). It is, however, possible to prove that the conditions defined in items 3 to 5 of Definition 6 in [12] follow from the conditions based on the independence relation in Definition 7.3.6.
The occurrence net derived by unfolding a CN is defined as follows (in a similar way as the PN-unfolding in Chapter 3).
Definition 7.3.7 If (P, T, F, C, M0) is a marked CN, then the CN-unfolding of this net is the maximal (P, T) labelled contextual occurrence net (up to isomorphism) (P', T', F', C', L') satisfying the following properties:
• ∀t' ∈ T' : L' restricted to •t' and •L'(t') is a bijection, L' restricted to t'• and L'(t')• is a bijection, and L' restricted to t̂' (the context places of t') and the context places of L'(t') is a bijection;
• L' restricted to the set P'_min of minimal places in P' is a bijection between P'_min and M0.
□
The notion of the independence relation plays a critical part in the algorithm of the unfolding as it allows one to determine whether a particular transition is instantiated or not. A new instance t' is constructed when there exists a set of independent instances of places in •t ∪ t̂. Similar to the PN-unfolding, the following "cornerstones" are defined:
• A configuration C of a CN-unfolding is defined as a transitively backward closed (with respect to F' ∪ C') set of transitions (i.e. if t' ≺ t'', then t'' ∈ C implies t' ∈ C) such that no two instances t' and t'' in C are in conflict or contextual conflict. A local configuration of t', denoted ⌈t'⌉, is a minimal configuration including t'.
• The post-set of configuration C, denoted C•, is the set of places which are successors but not predecessors of the transition instances in C. The post-set consists of instances of places reachable after firing all transitions in C.
• The final state of C, denoted F_S(C), is the set of places which is obtained by mapping the instances in C• onto places of the original CN.
A local configuration ⌈t'⌉ also has a post-set and a final state. Note that places in t̂' are not consumed by t' and, therefore, instances in t̂' are always included in the post-set of its local configuration.
In a PN-unfolding, if a configuration C1 is a subset of another configuration C2, then F_S(C2) is always reachable from F_S(C1) by firing all transitions whose instances are in C2 \ C1. Firing all such transitions is always possible because, by the definition of configuration of a PN-unfolding [40], all their instances are not in conflict with any transitions in C2 and hence, if enabled, cannot be disabled.
In a CN-unfolding, it is possible that transition instances that are in semi-conflict belong to one configuration. Let the above-mentioned C2 be such a configuration and let t2 ∈ C2 and t1 ∈ C1 be in semi-conflict, t1 being able to disable t2. Then transition t1 may be fired before t2, and thus disable t2. At the same time, if t2 fires before t1, the latter is not disabled, and thus configuration C2 becomes valid. There always exists at least one firing sequence which includes all transitions of any configuration in the contextual CN-unfolding.
7.3.3 Contextual Net Unfolding Segment
The CN-unfolding can be infinite. To obtain a finite fragment of the CN-unfolding (similar to a truncated unfolding) a cutoff condition is introduced.
Definition 7.3.8 A transition instance t'_c is called a cutoff point if there exists another instance t' such that:
• |⌈t'⌉| < |⌈t'_c⌉|, and
• F_S(⌈t'⌉) = F_S(⌈t'_c⌉).
□
Note that the cutoff definition imposes the same conditions on the newly generated instance t' as in [40]. The choice of these conditions may introduce redundancy into the unfolding fragment, i.e. some transitions will be added although their successors do not add any information about the CN behaviour. However, for the sake of simplicity, this redundancy is ignored here. The CN-unfolding algorithm is given in Figure 7.5.
The difference between this algorithm and the truncated PN-unfolding algorithm is in the line marked **. Instead of simply finding a set of independent instances for places in •t, the new algorithm needs to find a set of instances for •t ∪ t̂ which are independent according to Definition 7.3.5.
Example. Consider the example in Figure 7.6. In order to instantiate t5 the independence of p5 and p3 is checked, and a graph of context relations is constructed as shown in Figure 7.6. As can be observed, these places are not independent due to a contextual conflict between them. Hence t5 will not be instantiated. ■
proc Build_segment(N = (P, T, F, C, M0))
  Initialise N' with instances of places in M0
  Initialise QUEUE with t enabled at M0
  while QUEUE not empty do
    Pull t' from QUEUE
    Add t' and t'• to N'
    if t' is a cutoff then do
      Mark t' and t'• as cutoff points
    end do
    for each t in T do
      Find unused set of CN-independent instances of places in •t ∪ t̂   **
      if such set exists then do
        Add t' to QUEUE in order of its |⌈t'⌉|
      end do
    end do
  end do
  return N'
end proc
Figure 7.5: Algorithm for obtaining CN-unfolding segment.
The work of Vogler et al. [95] presents a rigorous proof of the completeness of the CN-unfolding segment for the read-persistent subclass of contextual nets, i.e. contextual nets where •t1 ∩ •t2 ≠ ∅ for all t1, t2 ∈ T in conflict under some reachable marking. This work, however, highlights that this simple cutoff condition cannot be applied to all contextual nets. It presents an example of a contextual net with an acyclic contextual fragment which is not synchronised later with any future behaviours of the CN. In this particular case, the CN-unfolding segment fails to represent all reachable markings. Nevertheless, the CN-unfolding serves as a powerful experimental verification vehicle for this work. The examples illustrating its application are cyclic and demonstrate the great potential of the CN-unfolding segment.
The CN-unfolding can be extended to CSTG-unfolding in a similar way as the PN-unfolding was extended to STG-unfolding. The CSTG-unfolding keeps track of the signal interpretation of transitions and terminates when all states of the SG are represented in the truncation.
Figure 7.6: Another example of a CN and its unfolding.
7.4 Application: Modelling a Communication Mechanism
A good example for the application of the CSTG-unfolding technique can be found in [84]. This paper describes an asynchronous communication mechanism, which is used in designing real-time systems for safety-critical applications. The mechanism is defined at a high abstraction level as a concurrent system consisting of a reader process, a writer process, a four-slot data array and a set of shared control variables:
Writing                          Reading
wr: d[n, s̄[n]] := input          r0: r := l
w0: s[n] := s̄[n]                  r1: v := s
w1: l := n || n := r̄              rd: output := d[r, v[r]]
The four slot data array is denoted by variable d[i, j], which has a two-dimensional structure. The first subscript i of d defines one of the two pairs of slots (numbered as pair 0 and pair 1), while the second subscript j defines one of the two slots in each pair (numbered as slot 0 and slot 1). The values of the subscripts are obtained through the auxiliary shared control variables. Variables n (for "next"), l (for "latest") and r (for "reading") are binary. The variables s[i] and v[i] are single dimensional arrays, each consisting of two elements; these arrays give pointers to the slots which are currently being written and read, respectively.
The primary aim of this communication mechanism is to organise the process of writing to and reading from data slots by the writer and reader in such a way that:
• (1) they can proceed from one operation to another, cyclically executing their respective sequences wr, w0, w1 and r0, r1, rd, at their own pace, that is, completely independently of each other; and
• (2) they never "clash" on writing to and reading from the same slot.
The author of the mechanism claimed (and proved in a fairly laborious way [85], analogous to manual reachability analysis) that the system satisfies the above stated requirements. For the first condition, he assumed that the writer may write data into a slot which has been written to but whose data have not been read by the reader. Similarly, the reader is allowed to read from the same slot twice or more without new data being written into the slot. With this assumption^2 both the writer and the reader may access data slots directly, without checking any sort of semaphore or other blocking (mutual exclusion) mechanisms. This would guarantee that both processes can act in a truly asynchronous and mutually independent fashion. This is critical from the viewpoint of real-time applications.
^2 In this work Simpson's "freshness" conditions [85] are not considered.
Figure 7.7: Schematic for Simpson's communication mechanism. (Notation: S = selector, V = variable, C = C-element, M = merge; dashed arrows denote event-based signals, solid lines level-based signals.)
The second requirement is important from the functional correctness point of view. Any reading or writing operation applied to a slot of data is not atomic because the structure of the data can be complex. Hence the reading and writing operations on the same slot may not interleave in time, i.e. every access operation must be separated from the next by an operation of some other sort. Thus the system must provide mutual exclusion only at the level of data slots, without using such methods on control variables.
The repetitive access of the writer and the reader to the pairs and the slots within those pairs is controlled entirely by means of the shared variables, which can be implemented in hardware as bistables (i.e. flip-flops). The order in which these variables are assigned new values and probed by the processes is outlined in the above procedures. Note that the notation || in operation w1 stands for parallel execution of its left and right hand side subactions.
Assume that the initial state of all binary variables n, r, l is 0 and that s = v = (0, 0). The writing process is repeated as follows. The writer process first puts data into the data slot pointed to by the current value of n (next pair to write) and the inverse of s[n]. Then the writer toggles s[n] to its inverse state. Finally, the writer assigns l (latest) the value of n (next) and at the same time puts into n (next) the inverse value of r (reading).
Figure 7.8: Illustration of the Variable element.
The reading process begins with the assignment of r (pair for reading) to l (latest pair to have been written to). Then the reader copies the value of the writer's slot pointer s to its slot pointer v. Finally, the reader reads a value from the data slot pointed to by its current value of r and v[r], after which the reading process is repeated.
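The writer and reader sequences above can also be checked by an exhaustive interleaving search. This added example (neither the thesis's CSTG model nor Simpson's own code) models each slot access as a begin/end pair so that overlapping accesses to one slot become an observable state, uses the serialised w1 (l := n, then n := r̄) of the hardware implementation, and, going beyond the text, contrasts the mechanism with a faulty writer that alternates pairs without consulting r.

```python
from collections import deque

# Writer program points: wr is split into begin/end so that the non-atomic
# slot access is visible as an interval; w1 is serialised into two steps.
WR_BEGIN, WR_END, W0, W1A, W1B = range(5)
# Reader program points: rd is likewise split into begin/end.
R0, R1, RD_BEGIN, RD_END = range(4)

def initial_state():
    """n = l = r = 0, s = v = (0, 0); no access in progress (wslot/rslot None)."""
    return (WR_BEGIN, R0, 0, 0, 0, (0, 0), (0, 0), None, None)

def writer_step(st, consult_reader=True):
    wpc, rpc, n, l, r, s, v, wslot, rslot = st
    if wpc == WR_BEGIN:          # wr: start writing d[n, not s[n]]
        return (WR_END, rpc, n, l, r, s, v, (n, 1 - s[n]), rslot)
    if wpc == WR_END:            # wr: writing finished, slot released
        return (W0, rpc, n, l, r, s, v, None, rslot)
    if wpc == W0:                # w0: s[n] := not s[n]
        s2 = list(s)
        s2[n] = 1 - s[n]
        return (W1A, rpc, n, l, r, tuple(s2), v, wslot, rslot)
    if wpc == W1A:               # w1, first half: l := n
        return (W1B, rpc, n, n, r, s, v, wslot, rslot)
    # w1, second half: n := not r.  The faulty variant (an assumption for
    # contrast, not part of the mechanism) ignores r and alternates pairs.
    n2 = 1 - r if consult_reader else 1 - n
    return (WR_BEGIN, rpc, n2, l, r, s, v, wslot, rslot)

def reader_step(st):
    wpc, rpc, n, l, r, s, v, wslot, rslot = st
    if rpc == R0:                # r0: r := l
        return (wpc, R1, n, l, l, s, v, wslot, rslot)
    if rpc == R1:                # r1: v := s
        return (wpc, RD_BEGIN, n, l, r, s, s, wslot, rslot)
    if rpc == RD_BEGIN:          # rd: start reading d[r, v[r]]
        return (wpc, RD_END, n, l, r, s, v, wslot, (r, v[r]))
    return (wpc, R0, n, l, r, s, v, wslot, None)   # rd: reading finished

def is_clash(st):
    """Both processes are currently inside an access to the same slot."""
    return st[7] is not None and st[7] == st[8]

def explore(consult_reader=True):
    """Breadth-first search over every interleaving of writer and reader steps.
    Returns (number of reachable states, list of clash states found)."""
    start = initial_state()
    seen, queue, clashes = {start}, deque([start]), []
    while queue:
        st = queue.popleft()
        if is_clash(st):
            clashes.append(st)
        for nxt in (writer_step(st, consult_reader), reader_step(st)):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return len(seen), clashes

if __name__ == "__main__":
    states, clashes = explore()
    print(f"four-slot (n := not r): {states} states, {len(clashes)} clashes")
    states, clashes = explore(consult_reader=False)
    print(f"alternating writer:     {states} states, {len(clashes)} clashes")
```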
The above control mechanism was implemented [84] in the form of a hardware structure which can be modelled as an ACS shown in Figure 7.7. The nodes of this structure are components of four main types: "Selector", "C-element", "Merge" and "Variable". The former three elements were described previously in Chapter 4. The latter, called Variable (also called Flip-flop), is a node which stores a level-based value on its output q (its complement q' is also available if needed). This module can copy the value of its level-based input d into q upon the arrival of a Request on the event-based input r. The result of copying is acknowledged on the event-based output a. If the previous value of q matched the new value of d, then the node retains its value, responding only with its acknowledgement on a. This behaviour is reflected in the CSTG model of Variable shown in Figure 7.8.
The system has both event-based (shown with dashed lines) and level-based (shown with solid lines) signals. Note that the system was slightly simplified in this implementation by serialising the parts of the w1 operation: first l := n, and then n := r̄. This does not affect the basic idea of independent interaction between the writer and the reader.
The CN for the whole system is constructed by composing the fragments for each element together as was described earlier. Transitions of the resulting CN are labelled with actions corresponding to the switching signals. The actual resulting net is not shown here due to its fairly large size. This net has fourteen places with contextual arcs from them; those places correspond to seven level-based signals (variables n, l, r, s0, s1, v0 and v1).
Due to the relatively large number of contextual arcs and a high degree of concurrency in the CN, its corresponding ordinary PN model produces a very large unfolding segment. It was impossible to build such a segment due to memory blow-up^3. However, the application of the new CN-unfolding algorithm allowed building the segment (up to cutoff transition instances) for the CN, and its size is rather modest.
In the process of building the unfolding both of the above correctness conditions were verified. The first condition, mutual independence and non-blocking, was checked in terms of persistence of transitions of the CN (e.g. the act of disabling a transition involved in the writing process by a transition involved in the reading process and vice versa). It was found that the unfolding was free from ordinary conflicts. The only remaining source of non-persistence is due to the presence of semi-conflicts. For example, when the reader changes the value of variable r in operation r0, the writer may concurrently 'listen to' the value of r in its operation w1. Such a listening is realised via the contextual arcs between the places r = 0 and r = 1 and the transitions in the fragment corresponding to variable n (transitions labelled n+, n- and two dummies, see Figure 7.8). It is thus possible to imagine that when the writer enables the transition labelled n+ (under the state n = 0 and r = 1), the reader switches r from 1 to 0, and thus disables n+. But this disabling of n+ will always be simultaneous with the enabling of a dummy transition in the same CN fragment (for n), and thus the progress of the writer is not affected. The CN-unfolding verification showed that only such types of non-persistence are possible, thus proving that the non-blocking (real-time) requirement is satisfied.
^3 The CN-unfolding was built on a SPARC4.
Figure 7.9: Illustration of the benchmark circuit.
Consider the "no-clash" condition. This condition, in terms of the properties of the CSTG model, can be stated as follows:
• for all four pairs of the read and write signals (w00, r00), (w01, r01), (w10, r10) and (w11, r11), referring to the same data slot, it is not possible to reach a marking in the CSTG in which the corresponding pair of transitions is simultaneously enabled and is not in conflict.
In terms of the unfolding, it is sufficient to verify whether any pair of transition instances in the CN-unfolding segment which map onto their transitions in the CN in the above mentioned pairs belong to the independence relation. The result of the check proved that the mechanism satisfies its "no clash" condition.
7.5 Circuit Verification Results
The CN-unfolding method described earlier was implemented within the PN/STG analysis tool "PUNT" which uses the PN-unfolding approach. An enhanced cutoff condition, described previously in Chapter 4, was used which allows the avoidance of possible redundancy in McMillan's unfolding and the construction of a PN-unfolding segment for larger PNs.
The CN model for Simpson's communication mechanism had 47 places, 56 transitions, 142 ordinary arcs and 44 contextual arcs, which in an ordinary PN would correspond to a total of 230 ordinary arcs. The constructed CN-unfolding segment had 1299 transition instances and showed that there are no independent instances of transitions for read and write operations on the same data slot. The computer ran out of memory trying to build the PN-unfolding segment for the ordinary PN model when the size exceeded 3000 transition instances.
Figure 7.10: Experimental results: (a) Size of the segment in transition instances; (b) Time taken. (Both plots are against the number of inverters, No. inv, for PN-unfolding and CN-unfolding; the time axis in (b) is logarithmic.)
To illustrate the performance of the CN-unfolding approach a simple scalable example was chosen, consisting of an AND gate and inverters in the feedback loop of the AND gate. The circuit is shown in Figure 7.9. The number of inverters can vary, making this benchmark easily scalable. This circuit is known to have a hazard which exhibits itself as non-persistency of the output of the AND gate. This, of course, can be detected during the construction of the CN-unfolding and the construction can be terminated with an error report. Such a termination can only be made due to the hazard-freedom requirements of asynchronous circuits. However, examples such as the communication mechanism described in the previous section may require that the unfolding segment is built for the PN (or CN) even though some signals are non-persistent. Therefore, for illustrative purposes, the whole PN- (or CN-) unfolding segment was built.
The results are presented in Figure 7.10. The graph in Figure 7.10(a) illustrates the growth in size of the PN- and CN-unfolding segments with the increase of the number of inverters. The size of the unfolding includes cutoff transitions. The graph in Figure 7.10(b) shows the time spent on the construction of the segment. This time was spent on the unfolding of the STG rather than the PN, i.e. the algorithm kept track of the binary states of the STG. The superiority of the CN-unfolding for this benchmark is obvious. For comparison, the original McMillan's algorithm builds a truncated PN-unfolding with 913 transition instances in 13.15 sec. for the benchmark with only 4 inverters.
The results demonstrate that the size of the PN-unfolding segment and the time it takes to construct it explode double-exponentially. The first exponential dependency is caused by the exponential growth in the number of transition instances due to the exponential number of interleavings. The second dependency is caused by the combinatorial complexity during the selection of a set of independent instances for places in •t. When a new instance of t is generated, the algorithm needs to find a set of independent instances of places in •t, i.e. it may try all combinations in the worst case. The number of place instances is large due to the exponential number of transitions. Therefore, this selection process greatly affects the performance of the PN-unfolding construction algorithm.
Notably, the original McMillan's algorithm becomes triple-exponential for this set of benchmarks. The third exponent is caused by the redundant instances of transitions which cannot be made cutoffs due to the overly strong cutoff condition.
In the CN-unfolding the exponential explosion attributed to interleavings is avoided. Since this drastically reduces the number of place instances, the effect of the independent instance selection process is reduced to a negligible value. Thus the performance of the CN-unfolding algorithm on this set of benchmarks is close to polynomial. It was also observed that using McMillan's cutoff condition yields a CN-unfolding of the same size as the one obtained using the enhanced cutoff condition. Due to the benefits of exploring the contextual dependency the algorithm did not generate the redundant instances of transitions which were causing the blow-up.
7.6 Use of Unfolding for Variable Ordering
As was discussed earlier, the analysis of PN models for state-based properties, such as deadlocks, is hard on the PN-unfolding segment. It was also noted in [47] that if a PN contains a deadlock, then the branch-and-bound algorithm [47] detects this deadlock in a reasonable time. However, if a PN is deadlock free, then the deadlock detection algorithm may need to examine all final configurations, which is a time consuming operation. Recent methods [61, 36], based on Binary Decision Diagrams (BDDs), have demonstrated that they are capable of handling large state spaces at a relatively low cost. This feature has made this method attractive and its application is currently being investigated.
Despite being powerful, BDD-based verification techniques may suffer from the problem of bad ordering of the BDD variables. Using a proper variable ordering can yield a significant reduction in the size of the BDD, which in the worst case can be exponential in the number of variables. Usually, it is assumed that the designer, using additional knowledge about the system, can provide a proper variable ordering. This obviously cannot be assumed in general, especially if the PN description has been generated automatically.
The rest of this chapter suggests a technique combining two approaches to the verification of PN-based models: the PN-unfolding approach, based on partial order, and the PN reachability symbolic traversal approach. The overall verification framework still employs many useful properties of the PN-unfolding algorithm, such as boundedness and safety checks as well as the properties of its signal transition interpretation, relevant to the hazard-freedom of the analysed circuit. However, in the new framework, the new role for the PN-unfolding is to produce a more efficient variable ordering.
7.7 Symbolic Traversal of Petri Net State Space
There are several methods of representing logic functions such as truth tables, Karnaugh maps, minterm canonical form or the sum of products form. Operating with these representations is inefficient for relatively big logic functions.
Binary Decision Diagrams (BDDs) were proposed as a means of canonical representation of logic functions in a graphical form. For a detailed introduction to BDDs and their basic
Figure 7.11: Example of different ordering of variables.
manipulations, the reader is referred to [11]. We will only briefly introduce BDDs and explain how they can be used for PN analysis.
Consider the logic function given below:
f = a·b + c·d + a·d
A Binary Decision Tree (BDT) is constructed for this function using a straightforward algorithm. The BDT has two types of leaves, labelled 0 and 1. Leaves labelled 0 indicate that if the values of the variables are equal to those in the nodes along the path leading to such a leaf, then the function evaluates to FALSE. Leaves labelled 1 have the opposite meaning. The BDT is constructed for a specific order of variables; in general the number of different BDTs is equal to the number of permutations of the variable order. The BDT for function f is shown in Figure 7.11(a), where dashed lines represent the value FALSE for each variable.
After performing transformational operations on the BDT [11] (merging equivalent nodes and eliminating the redundant ones) a BDD is obtained in the form shown in Figure 7.11(b). Evaluating all three representations (the Boolean function given above and its corresponding BDT and BDD) of this function will show that all these representations are equivalent. The number of nodes in the BDD for this variable ordering is 4 while the number of nodes in the BDT is 16.
BDDs were shown to be very powerful for representing Boolean functions. Boolean binary operations, such as conjunction and disjunction, on two functions represented by BDDs can be performed in time polynomial in the size of the BDDs [11]. It has, however, been noted [11] that the size of a BDD strongly depends on the order of the variables in the function. For example, using another order ($c < b < a < d$) for the same function will give the BDD shown in Figure 7.11(c). In general, the size of a BDD can be exponential in the number of variables; however, in practical examples the BDD usually has a smaller size when an appropriate ordering of its variables is used.
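The ordering sensitivity described above, as an added example that is not part of the thesis: a minimal reduced ordered BDD package in Python (Shannon expansion with a unique table and Bryant's apply operation [11]) builds $f = ab + cd + ad$ under the ordering $a < b < c < d$ and under $c < b < a < d$ and counts the non-terminal nodes, giving the 4 nodes reported for Figure 7.11(b) and a larger diagram (7 nodes) for the second ordering, while both diagrams still evaluate to the same truth table. The class and function names are the example's own.

```python
# Added example, not from the thesis: a minimal reduced ordered BDD (ROBDD)
# used to show how variable ordering changes the size of the diagram for
# f = ab + cd + ad.  Node ids 0 and 1 are the terminals FALSE and TRUE; every
# other node is a triple (var, low, high), low being the branch for var = 0
# (the dashed edge of Figure 7.11) and high the branch for var = 1.
import operator
from itertools import product


class BDD:
    def __init__(self, order):
        self.rank = {v: i for i, v in enumerate(order)}   # smaller rank = nearer the root
        self.table = [None, None]    # id -> (var, low, high); ids 0 and 1 are terminals
        self.unique = {}             # (var, low, high) -> id: merges equivalent nodes
        self.memo = {}               # (op, u, w) -> id: apply cache

    def mk(self, var, low, high):
        if low == high:              # redundant test node: eliminate it
            return low
        key = (var, low, high)
        if key not in self.unique:
            self.unique[key] = len(self.table)
            self.table.append(key)
        return self.unique[key]

    def var(self, v):
        return self.mk(v, 0, 1)

    def apply(self, op, u, w):
        """Bryant's apply: the ROBDD of op(u, w), splitting on the first variable."""
        if u < 2 and w < 2:
            return int(op(bool(u), bool(w)))
        key = (op, u, w)
        if key in self.memo:
            return self.memo[key]
        vu = self.table[u][0] if u > 1 else None
        vw = self.table[w][0] if w > 1 else None
        if vw is None or (vu is not None and self.rank[vu] <= self.rank[vw]):
            top = vu
        else:
            top = vw
        u0, u1 = self.table[u][1:] if vu == top else (u, u)
        w0, w1 = self.table[w][1:] if vw == top else (w, w)
        res = self.mk(top, self.apply(op, u0, w0), self.apply(op, u1, w1))
        self.memo[key] = res
        return res

    def AND(self, u, w):
        return self.apply(operator.and_, u, w)

    def OR(self, u, w):
        return self.apply(operator.or_, u, w)

    def size(self, root):
        """Non-terminal nodes reachable from root (the node count of the figure)."""
        seen, stack = set(), [root]
        while stack:
            n = stack.pop()
            if n > 1 and n not in seen:
                seen.add(n)
                stack.extend(self.table[n][1:])
        return len(seen)

    def evaluate(self, root, env):
        n = root
        while n > 1:
            v, low, high = self.table[n]
            n = high if env[v] else low
        return bool(n)


def build_f(order):
    """ROBDD of f = ab + cd + ad for the given variable ordering; returns (bdd, root)."""
    bdd = BDD(order)
    a, b, c, d = (bdd.var(v) for v in "abcd")
    root = bdd.OR(bdd.OR(bdd.AND(a, b), bdd.AND(c, d)), bdd.AND(a, d))
    return bdd, root


def node_count(order):
    bdd, root = build_f(order)
    return bdd.size(root)


def same_function(order1, order2):
    """Both diagrams agree with the truth table of f on all 16 input vectors."""
    b1, r1 = build_f(order1)
    b2, r2 = build_f(order2)
    for bits in product((0, 1), repeat=4):
        env = dict(zip("abcd", bits))
        f = (env["a"] and env["b"]) or (env["c"] and env["d"]) or (env["a"] and env["d"])
        if b1.evaluate(r1, env) != bool(f) or b2.evaluate(r2, env) != bool(f):
            return False
    return True


if __name__ == "__main__":
    print("a<b<c<d:", node_count("abcd"), "nodes")   # 4, as in Figure 7.11(b)
    print("c<b<a<d:", node_count("cbad"), "nodes")   # 7, a larger diagram for the same f
```

The unique table is what turns the tree into a diagram: two sub-functions that happen to be identical (here the single-variable function $d$, which occurs under both $a = 0$ and $a = 1$) are stored once, which is why the count drops from 16 tree leaves to 4 nodes. Changing only the order of the variables changes nothing in the truth table but triples the number of distinct cofactors the diagram has to keep.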
The use of BDDs for PN analysis has been explained in [61]. The interested reader is referred to that work for a more elaborate description. In essence, a marking of a safe^4 PN $N$ can be represented by means of a Boolean vector $V \in 2^{|P|}$. Then the fact that a place $p_i$ is marked is denoted by asserting the value of the corresponding element $V[i]$ to TRUE. A reachable marking $M_n$ corresponds to a vector $V_n$ and a Boolean function $R_n(V)$ which evaluates to TRUE for $V_n$. Hence the reachability set of a given PN can be represented symbolically as the Boolean reachability function

$$R = \bigvee_{i=1}^{n} R_i$$
Another set of variables $V' \in 2^{|T|}$ is introduced, where each variable corresponds to one and only one transition of the PN. Using $V$ and $V'$, several other functions which describe the behaviour of the PN are obtained from the structural information about the PN, i.e. its flow relation. These include the enabling function, which has the domain $V \cup V'$ and evaluates to TRUE when the input places of a particular transition $t$ are marked. The firing function evaluates to TRUE for the set of places which become marked after firing $t$.
From this representation, using standard Boolean operations such as quantification and substitution, all markings are obtained which are reachable from the initial one via firing the transitions enabled at $M_0$. Furthermore, since these functions evaluate to TRUE for a set of markings $\{M_1, \ldots, M_m\}$, the set of all markings reachable from this set via the firing of all transitions enabled at all markings in $\{M_1, \ldots, M_m\}$ is found in the same way.
This gives rise to an efficient algorithm constructing $R$ for a given PN. A detailed algorithm was developed in [61] which uses the BDD representation of the reached markings and iteratively constructs the symbolic representation in the form of a Boolean function. This method is called PN symbolic traversal, and the function $R$ is called the traverse function. For clarity, this algorithm is reproduced here in a slightly simplified form. The pseudo-code of the algorithm is shown in Figure 7.12. $T(f)$ denotes a function which returns a BDD representing the set of markings reachable by firing one transition from the markings represented by $f$. The time of traversing a PN and the size of the BDD constructed during traversal strongly depend on the order of the variables which are defined on the places of the PN. If this ordering is unsatisfactory, then the symbolic traversal procedure may never complete. Thus, finding an optimal ordering is a crucial task for the symbolic traversal approach. It is impossible^5 to find a good ordering without referring to some extra information available from the net. The algorithm introduced in the next section uses the PN-unfolding segment built from the original PN to obtain an ordering yielding a BDD whose size is reasonable.
^4 Existing PN symbolic traversal methods deal only with safe PNs; analysis of unsafe PNs requires additional encoding of tokens in unsafe places.
^5 Unless a completely greedy enumeration of all possible orderings is performed.
proc ConstructBDD(PN = (P, T, F, M_0))
  NEW = BDD(M_0)
  REACHED = BDD(FALSE)
  while NEW ≠ BDD(FALSE) do
    REACHED = REACHED + NEW
    NEW = T(NEW) · ¬REACHED
  end do
  return REACHED
end proc
Figure 7.12: Pseudo-code for construction of the BDD representation of the state space of a PN. NEW keeps only the successor markings not already in REACHED; without this restriction the loop would not terminate for a net with cycles.
Figure 7.13: Example of a BDD (diagram not reproduced).
7.8 Variable Ordering by Means of Unfolding
Consider the BDD built for the formula

$$f = a\bar{b}\bar{c}\bar{d} + \bar{a}b\bar{c}\bar{d} + \bar{a}\bar{b}c\bar{d} + \bar{a}\bar{b}\bar{c}d$$

which is given in Figure 7.13. Each term of this formula has one variable in normal form and all the others in complemented form. In general, functions of this type can be written as

$$f = \sum_{j=1}^{n} \Big[ a_j \cdot \prod_{i=1,\ i \neq j}^{n} \bar{a}_i \Big]$$

If each variable is associated with only one place in a PN, then such a formula will evaluate to TRUE for the markings which have only one place marked.^6 Note that the size of the BDD does not depend on the order of the variables used in it. The size and the structure of the BDD remain the same for any possible ordering; it is essentially the same BDD with some nodes renamed.
According to the PN symbolic traversal algorithm, each of the places of the original PN corresponds to a variable in the traverse function. Hence, any subset of places which can never be marked at the same time will have its traverse function in the form of the function $f$ given above. An ME-cluster (or simply a cluster) is defined as a set of places of the original PN that cannot be marked simultaneously. The problem of dividing the places of a PN into clusters is, in fact, NP-hard. A heuristic suggested here allows a more efficient calculation of clusters to be used for variable ordering.
^6 This type of formula is also used in the one-hot encoding technique [36].

proc GetClusters(N, N')
  for each place p in P do
    find a cluster C in CLUSTERS such that p is orthogonal to every p_i in C
    if such a cluster C is found then do
      add p to C
    else
      add new cluster C' = {p} to CLUSTERS
    end do
  end do
  return CLUSTERS
end proc
Figure 7.14: Pseudo-code for the clustering algorithm.
The result in Chapter 4 (Proposition 4.1.1) shows that the PN-unfolding segment represents the concurrency relation between elements of the original PN. Hence, two places are said to be in an orthogonality relation (or simply orthogonal to each other) iff they are not concurrent. Using the orthogonality relation, the places of a PN are split into clusters with an algorithm similar to the graph colouring algorithm given in [26]. The pseudo-code of this algorithm is shown in Figure 7.14.
This is a greedy algorithm which does not check all possible clusterings of the PN. As can easily be seen, not every clustering of places will yield a smaller BDD. It was observed that if the clusters are balanced in the number of places they contain, then the clustering produces better results. One possible way to reach a balanced clustering within this approach is to order the places of the PN in ascending order of the number of their outgoing arcs. Then the places which can be included into the largest number of clusters will be considered last [68].
It is convenient to represent the orthogonality relation between places as a table $\Delta$, where each element is found as follows:

$$\Delta[i, j] = \begin{cases} 0 & \text{if } p_i \parallel p_j, \\ 1 & \text{otherwise.} \end{cases}$$

Obtaining the clusters themselves is obviously not enough. Clusters should also be ordered, with the same goal of minimising the size of the BDDs. In order to achieve this, the degree of orthogonality $\delta_{ij}$ between two clusters $P_i$ and $P_j$ is defined using the matrix of orthogonality relations $\Delta$ as the number of mutually exclusive pairs of places between the two clusters.
Figure 7.15: Dining philosophers benchmark (diagram not reproduced).
proc OrderClusters(CLUSTERS)
  choose the cluster with the highest degree of orthogonality
  add the chosen cluster to the LIST
  while not all clusters are in the LIST do
    choose the cluster which has the greatest δ with most of the clusters in the LIST
    add the chosen cluster at the end of the LIST
  end do
  return LIST
end proc
Figure 7.16: Pseudo-code for the cluster ordering algorithm.
Example. To illustrate the clustering algorithm, consider the well-known example of dining philosophers. Consider first a subnet, $N_0$, taken alone from the PN shown in Figure 7.15. After clustering there are four ME-clusters, as shown by the shaded areas. The degree of orthogonality is represented as a graph in Figure 7.17(a), where each node corresponds to a cluster and the arcs are inscribed with the degree of orthogonality between two clusters. The arcs representing a degree of orthogonality of 0, i.e. independence of the places belonging to different clusters, are omitted. •
The next step is to order the ME-clusters between themselves. At this point a greedy algorithm which orders the clusters according to their degree of orthogonality is used. The algorithm itself is given in Figure 7.16.
Example. The illustration of the application of the cluster ordering algorithm to the dining philosophers example is given in Figure 7.17. Shaded nodes represent the clusters added to the list. First, node "I" is chosen (Figure 7.17(b)), then node "II", which has the highest $\delta$ with "I". The next node added to LIST is "III", because it has the same degree of orthogonality with those in LIST but is connected to more clusters than "IV". The algorithm terminates with the following ordering for places: $p_1, p_2, p_3, p_4, p_5, p_6, p_7, p_{14}$. •
Figure 7.17: Steps of the cluster ordering algorithm, panels (a) to (d) (diagram not reproduced).
Consider the complexity of the algorithms suggested above. The complexity of the algorithm deriving the ME-clusters is $O(|P'|^2)$, i.e. quadratic in the number of place instances in the PN-unfolding segment. Finding the degree of orthogonality between clusters also has $O(|P'|^2)$ complexity. Finally, the ordering of clusters has complexity $O(|P'|)$. Thus, the overall complexity of the clustering procedure is $O(|P'|^2)$.
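The traversal loop of Figure 7.12 and the clustering and ordering procedure of Figures 7.14 and 7.16, as an added Python example that is not part of the thesis or of PUNT. It runs on a small constructed safe net (two processes competing for one mutex place). The concurrency relation, which the thesis reads off the PN-unfolding segment, is here derived from an explicit frontier traversal over sets of markings, i.e. the loop of Figure 7.12 with sets standing in for BDDs; that is adequate for a seven-place net and needs no unfolding code. The net, its place names and all function names are the example's own assumptions; the degree of orthogonality follows the prose definition above (number of mutually exclusive place pairs across two clusters), and ties in the greedy choices are broken by first occurrence.

```python
# Added example, not from the thesis or from PUNT: the frontier loop of
# Figure 7.12 (over explicit sets of markings instead of BDDs) and the
# ME-clustering / cluster-ordering heuristics of Section 7.8, run on a small
# constructed safe net.  The thesis reads the concurrency relation off the
# PN-unfolding segment; here it is derived from the explicitly enumerated
# reachable markings, which is adequate for a 7-place net.

# Constructed net: processes A and B compete for one mutex place.
# Each transition is (name, preset, postset); the net is safe from M0.
PLACES = ["a_idle", "a_wait", "a_crit", "b_idle", "b_wait", "b_crit", "mutex"]
TRANSITIONS = [
    ("ta1", {"a_idle"}, {"a_wait"}),
    ("ta2", {"a_wait", "mutex"}, {"a_crit"}),
    ("ta3", {"a_crit"}, {"a_idle", "mutex"}),
    ("tb1", {"b_idle"}, {"b_wait"}),
    ("tb2", {"b_wait", "mutex"}, {"b_crit"}),
    ("tb3", {"b_crit"}, {"b_idle", "mutex"}),
]
M0 = frozenset({"a_idle", "b_idle", "mutex"})


def successors(markings, transitions):
    """T(f) of Figure 7.12 on explicit sets: all markings one firing away."""
    out = set()
    for m in markings:
        for _, pre, post in transitions:
            if pre <= m:                      # enabling function: preset marked
                out.add((m - pre) | post)     # firing function: resulting marking
    return out


def reachable_markings(transitions, m0):
    """The loop of Figure 7.12.  NEW is restricted to markings not yet in REACHED;
    otherwise NEW would never become empty on a net with cycles."""
    reached, new = set(), {m0}
    while new:
        reached |= new
        new = successors(new, transitions) - reached
    return reached


def orthogonality(places, markings):
    """Delta[p][q] = 0 if p and q are concurrent (marked together in some
    reachable marking), 1 otherwise."""
    delta = {p: {q: 1 for q in places} for p in places}
    for m in markings:
        for p in m:
            for q in m:
                if p != q:
                    delta[p][q] = 0
    return delta


def get_clusters(places, transitions, delta):
    """Greedy ME-clustering of Figure 7.14; places are visited in ascending order
    of outgoing arcs (the balancing heuristic), ties keeping the input order."""
    out_arcs = {p: sum(1 for _, pre, _ in transitions if p in pre) for p in places}
    clusters = []
    for p in sorted(places, key=out_arcs.__getitem__):
        for c in clusters:
            if all(delta[p][q] == 1 for q in c):   # p orthogonal to every place of c
                c.append(p)
                break
        else:
            clusters.append([p])
    return clusters


def degree(delta, ci, cj):
    """Degree of orthogonality: mutually exclusive place pairs across two clusters."""
    return sum(delta[p][q] for p in ci for q in cj)


def order_clusters(clusters, delta):
    """Greedy ordering of Figure 7.16; max() breaks ties by first occurrence."""
    remaining = list(clusters)

    def total(c):
        return sum(degree(delta, c, o) for o in clusters if o is not c)

    ordered = [max(remaining, key=total)]
    remaining.remove(ordered[0])
    while remaining:
        nxt = max(remaining, key=lambda c: sum(degree(delta, c, o) for o in ordered))
        ordered.append(nxt)
        remaining.remove(nxt)
    return ordered


def variable_order(places=PLACES, transitions=TRANSITIONS, m0=M0):
    """Whole pipeline: reachability -> Delta -> clusters -> cluster order -> variable order."""
    delta = orthogonality(places, reachable_markings(transitions, m0))
    ordered = order_clusters(get_clusters(places, transitions, delta), delta)
    return [p for c in ordered for p in c]


if __name__ == "__main__":
    print(variable_order())
```

On this net the three local states of each process form one ME-cluster each, and the mutex place, which is concurrent with the idle and waiting states of both processes, ends up in a cluster of its own; the resulting order keeps the mutually exclusive places of one process adjacent, which is exactly the one-hot pattern of the formula $f$ above that the BDD represents with a fixed-size chain.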
7.9 Experimental Results
The clustering procedure was implemented within PUNT and run on a Sun SPARC5. The PN symbolic traversal software was developed at UPC^7 using the CMU^8 BDD package.
In order to demonstrate the performance of the developed algorithm, a set of benchmarks [68] was chosen which included such examples as dining philosophers (Figure 7.15) and Muller pipelines. Both types of models are scalable and can easily be grown by instantiating an additional number of generic fragments. The results of the experiments for PN symbolic traversal and for the ordering algorithm using PN-unfolding can be observed in Table 7.1.
Table 7.1 presents the results of PN symbolic traversal for three different variable orderings. The table presents the time (in seconds) for the construction of the BDD representation (columns "Time") and the size of the BDD (columns "BDD size"). The first two columns present the benchmark name and the size of the state space. The next two pairs of columns present the results of PN symbolic traversal for an arbitrary ordering^9 which existed in the description of the benchmark, and for the sift dynamic reordering procedure supplied with the CMU BDD package. The last pair of columns presents the results for the combined technique suggested in the previous section. The timing results for BDD traversal (column "Clustering order") include the time spent on construction of the PN-unfolding segment and obtaining the ordering for the BDD. The performance of the algorithm obtaining the variable ordering only is given in column "PUNT", which shows the fraction of the time and the size of the required segment. The size of the segment is given as the number of transition instances, which indicates the number of reachable states actually visited during the construction of the segment.
The results demonstrate the gains achieved by using the PN-unfolding segment for deriving the variable ordering for PN symbolic traversal.
Table 7.2 shows the comparison of the times needed for checking deadlock freedom with both approaches. It can be observed that once the BDD in PN symbolic traversal has been built, the check for deadlock freedom can be carried out on the BDD faster than using the PN-unfolding segment.
^7 Universitat Politècnica de Catalunya, Spain
^8 Carnegie Mellon University, USA
^9 There exists an ordering with which the PN symbolic traversal fails to construct the BDD.
Table 7.1: Experimental results for PN symbolic traversal. Times are in seconds; "?" marks a value that is illegible in the scanned original.

Benchmark | States       | Arbitrary order   | Dynamic reorder   | Clustering order  | PUNT
          |              | Time    BDD size  | Time    BDD size  | Time    BDD size  | Time    Size [tr]
10 phil   | ?            | ?       ?         | ?       357       | 2.39    357       | 0.60    50
20 phil   | 2.10 x 10^13 | ?       1174      | 19.39   737       | 10.03   737       | 1.73    100
30 phil   | 1.03 x 10^20 | ?       1794      | 44.48   1117      | 23.30   1117      | 3.66    150
40 phil   | ~ 10^27      | ?       ?         | 79.18   1497      | 41.13   1497      | 6.68    200
50 phil   | ~ 10^34      | 112.05  3034      | 126.37  1877      | 64.11   1877      | 10.74   250
15 pipe   | ?            | ?       ?         | 22.87   1153      | 12.17   715       | ?       70
30 pipe   | 6.01 x 10^?  | ?       6694      | 786.38  4518      | ?       2635      | 11.61   240
45 pipe   | ?            | ?       ?         | ?       ?         | ?       ?         | 76.91   ?

Table 7.2: Experimental results (deadlock detection). Times are in seconds; "?" marks a value that is illegible in the scanned original.

Benchmark | PN unfolding | PN traversal
10 phil   | 0.18         | 0.17
20 phil   | 1.32         | 0.85
30 phil   | ?            | 2.01
40 phil   | ?            | ?
50 phil   | 20.58        | 6.04
The above comparison shows that PN-unfolding analysis and PN symbolic traversal should be used in conjunction, complementing each other. For relatively small examples, the PN-unfolding segment can be used both for obtaining the variable ordering for the subsequent PN symbolic traversal and for deadlock detection. When the examples grow larger, it is more efficient to obtain the variable ordering and then proceed to PN symbolic traversal. At the same time, the PN-unfolding segment can be kept for later "backtracking" in case a deadlock has been found during symbolic traversal, for the identification of the offending trace.
While building the PN-unfolding segment, the PN is checked for boundedness. In the case of an unbounded PN the trace leading to unboundedness is reported at the pre-processing stage, without wasting time on the more expensive traversal. Using the STG-unfolding segment it is also possible to check the validity of the STG while building the segment itself. Thus, all the traces invalidating the behaviour described by the STG are reported at an earlier stage of the analysis. Once a good ordering is obtained, symbolic traversal methods [61, 70, 15] can be used to solve CSC problems or problems of decomposition. In this case, STG-unfolding pre-processing allows a further extension of automated synthesis methods.
7.10 Conclusions
This chapter proposed a new algorithm for the analysis of contextual nets. This approach is based on the partial order approach and constructs a CN-unfolding segment which represents the set of reachable markings (or states for STGs). It attempts to overcome the problems of exponential explosion of the PN-unfolding which show up during the analysis of a PN model of a CN, i.e. a PN with bi-directional arcs to represent contextual dependency. This explosion is caused by the difference in the firing semantics of the two models. The PN-unfolding explicitly examines all possible interleavings of transitions whose firings lead to the same marking. The CN-unfolding suggested here preserves the step semantics of the transition firings.
The new method was implemented and used on a realistic example of a four-slot communication mechanism. The behavioural trend of the new approach was demonstrated using a scalable benchmark. Experimental results demonstrate the power of the new CN-unfolding algorithm.
The second suggested application of the PN-unfolding technique is based on the combination of partial order (PN-unfolding) and symbolic traversal techniques. This approach uses an algorithm for obtaining the ordering of variables in the BDDs employed for symbolic traversal of the PN state space. Experimental results show that this approach is practical for the known set of benchmarks.
Chapter 8
Conclusions
This chapter presents the summary of contributions offered by this work, namely the improvement of existing PN analysis techniques based on the partial order approach, novel techniques suggested for the verification of PN and STG models of specifications and implementations of asynchronous circuits, and synthesis of SI circuits from STGs. It also outlines potential areas of further research which are opened by this work.
8.1 Summary
This thesis presented the theory and application of the partial order approach to asynchronous circuit design. It follows the top-down design methodology and presents new methods for automated verification of event-based descriptions and synthesis of SI circuits from their STG specifications.
Extension of the existing PN-unfolding technique This work presented a comparative study of the existing methods for PN analysis based on the PN-unfolding method. This work examined potential redundancy in the PN-unfolding truncation constructed by the original McMillan's algorithm and presented the cutoff condition for safe PNs due to [22]. In addition, this thesis presented a promising pruning technique (and a new termination condition) which avoids the redundancy of the PN-unfolding truncation caused by the unsafeness of places in a PN. This condition uses temporal relations which are available in the unfolding. A new version of the algorithm constructing a finite fragment of the PN-unfolding was suggested. This fragment is called a PN-unfolding segment.
Verification of PN models PNs are used to model a variety of asynchronous systems. This work suggested new algorithms for the verification of properties of PN models, such as safeness, persistency and liveness, using a PN-unfolding segment. These properties are crucial for establishing the correctness of behavioural models represented by PNs. This thesis also described a modelling approach for the verification of already existing circuits. This approach is based on representing each element of the circuit by a fragment of a Labelled PN. The fragments are composed together along with the model of the environment. The resulting circuit model is verified for absence of hazards using the PN-unfolding segment technique.
CHAPTER 8. CONCLUSIONS 146
Verification of STG models Conventional STG verification techniques construct a State Graph which represents all reachable states of an STG. This work revisited this verification approach and showed that it may produce false alarms for STGs with acyclic parts. To overcome this problem, this thesis proposed a new concept, the Full State Graph, which adequately represents the behaviour of an arbitrary STG. In addition, this work presented an adaptation of the PN-unfolding analysis for the analysis of STG models. The new representation, called the STG-unfolding segment, takes into account the signal interpretation of transitions in an STG and allows verification of the STG properties. The STG-unfolding segment approach was applied to the analysis of four-phase circuits, whose behaviour can be described using STG fragments.
Synthesis of SI circuits The problem of SI circuit synthesis from STGs is of paramount importance to the whole process of SI circuit design. The conventional approach requires the construction of the SG, and only then can the implementation be obtained. Unfortunately, the SG often cannot be built due to computational limits, even though the verification process shows no problems with the STG description. This work builds upon recent research in structural synthesis methods. It uses a compact implicit representation of the SG in the form of the STG-unfolding segment. Thus, once the specification has been verified, the STG-unfolding segment is reused in the synthesis process. Two approaches were presented in this work: exact and approximate. Although the implementation can be obtained using the exact method, the approximation approach produces comparable implementations in a fraction of the time needed by any other method to synthesise the same set of benchmarks.
Analysis of CNs Analysis of CN models falls into the category where the high degree of concurrency makes their analysis intractable for the Reachability Graph analysis methods, and the modelling of contextual dependency using bi-directional arcs in PNs makes it hard for the PN-unfolding approach. The RG-based approach runs into computational limits. At the same time, the unfolding approach is too powerful in distinguishing the state of a place before and after a contextually dependent transition fires. However, CN models proved to be useful in the modelling of asynchronous systems and circuits. This thesis suggested a new method of CN analysis which is based on the PN-unfolding but preserves the contextual dependency between transitions and places.
Combining partial orders and symbolic traversal Some of the problems in asynchronous circuit design, e.g. resolving coding conflicts, are still solved using the RG representation of the PN or STG model. Recently proposed PN symbolic traversal methods represent state spaces using Binary Decision Diagrams. They demonstrated the ability to handle large state spaces at a relatively low cost. However, these methods may suffer from a bad variable ordering in the BDDs. Since the variables in these methods are associated with places of a PN, knowledge about the behaviour of these places assists in reducing the size of the BDD representation of its state space. This work proposes a combined approach where the PN-unfolding segment is used for obtaining a good variable ordering and the PN symbolic traversal is used for representing the state space.
Experimental results The proposed approaches and algorithms were implemented in an experimental tool. The tool was applied to a wide selection of benchmarks which includes PN and STG specifications as well as circuit models.
Three realistic examples were used. The first two illustrated the motivation and need for the new PN analysis method based on the PN-unfolding segment. Using the PN-unfolding segment it was possible to detect the behaviour in a production cell example which could not have been identified using any previously existing PN-unfolding approaches due to the large size of the model. The third example illustrated the application of CN-unfolding to the analysis of a communication mechanism used in a real communication system. The verification of PN and STG models included control circuits from the AMULET1 microprocessor and a selection of other available circuits.
In addition, a number of publicly available benchmarks were used to show the advantages of the new synthesis method based on the STG-unfolding segment. The synthesis procedure was also used to produce an implementation of the counterflow pipeline processor, one of the proposed challenges in the asynchronous community. The performance of the new methods was also tested on well-known scalable examples such as PN descriptions of dining philosophers and the Muller pipeline.
Experimental results presented in this thesis confirm the advantages of using the partial order approach in the verification, analysis and synthesis of PN and STG models.
8.2 Areas of Further Research
The potential for future research in the application of partial order methods, such as the PN-unfolding technique, in asynchronous circuit design is enormous. Experimental results observed during this work prompted several new applications.
Timing analysis Analysis of models which include some information about the duration of events is gaining recognition among formal method developers. In order to produce a better implementation, designers often take shortcuts by making assumptions about propagation delays in different parts of the circuit. Such low-level optimisation is often done by hand and therefore requires verification to guarantee the correctness of the circuit. In addition, taking realistic delay assumptions into the high-level model may show that in reality the system behaves correctly. For example, a realistic timing assumption in the production cell example may change the limit on the number of initially available blanks.
Several works, e.g. [72, 78], have indicated that it is possible to apply partial order techniques to the analysis of models with timing information. This area, however, requires further theoretical investigation.
Solving the CSC problem One of the problems currently being investigated in SI circuit synthesis is how to resolve coding conflicts for STGs which do not satisfy the Complete State Coding condition. This work proposed a refinement technique for resolving the intersection between approximated covers. If refined covers still intersect, the implementation is impossible. A different approach is to attempt to resolve coding conflicts by means of inserting additional signals. Solving this problem would require identification of insertion points on the STG-unfolding segment.
Technology mapping The problem of technology mapping for asynchronous circuits deals with the implementation of a circuit in a given gate library, i.e. it requires an implementation of the circuit using a restricted set of gates. The synthesis procedure suggested here assumed that almost any gate exists in the library. This is obviously not the case for many real designs. Solving this problem requires decomposition of the Boolean logic into simpler components while preserving speed-independence. The technology mapping problem can often be reformulated as the problem of inserting additional signals into the specification and then resolving the coding conflicts. Thus it is closely related to the CSC problem discussed above.
Synthesis using extended covers The synthesis procedure proposed in this work produces basic implementations in the Atomic Complex Gate per Excitation Function and Atomic Complex Gate per Excitation Region architectures. It is known that covers implementing output signals may be allowed to cover states at which these signals are stable. Such a cover may be obtained by extending excitation slices with new cuts, thus expanding the logic optimisation domain. Extended covers are required to be monotonic, i.e. the set of covered states may not contain a state which causes an opposite transition of the signal. The problem of cover monotonicity verification is closely related to the cover evaluation problem and can also be solved on the STG-unfolding segment.
Testing of asynchronous circuits The last stage of the design process is testing. All current testing machines (and techniques) assume a synchronous mode of operation. To enable testing of asynchronous circuits in synchronous test machines a new approach is needed.
The testing procedure requires constructing test sequences, which consist of input stimuli and output responses for a circuit. The testing of fundamental mode circuits, which have well-defined sets of changing inputs, is very close to the testing of synchronous ones. For fundamental mode circuits, permutations of the input signal changes within one set lead to the same response on the outputs.
SI circuits may respond differently to different sequences of input changes. Obviously it is impossible to test all possible combinations of inputs allowed by an SI circuit specification. However, it is possible to identify those states in which the outputs of a circuit are stable and the circuit is awaiting a change in the input signals. A set of these states can be used in a synchronous test machine to test the circuit. Identification of such states can be made on the STG-unfolding segment constructed for an STG model of the circuit (or its specification). Since each state in the SG (or FSG) of an STG corresponds to a cut in the STG-unfolding segment, the approach should be similar to the one discussed in this thesis for the synthesis of SI circuits.
Use of BDDs in STG-unfolding Finally, the problem of synthesis requires an efficient implementation of, and efficient operations on, binary vectors. One of the most efficient methods to represent them is BDDs. Therefore, a combined approach which constructs the BDD representation of the states represented by an STG-unfolding segment is required. The objective of this combination is the efficient derivation of implementations from an STG-unfolding segment, rather than using it only as a pre-processing method for variable ordering, which was suggested in this thesis.
Bibliography
[1] Arnulet l group workshop: Presentation materials. Technical report, Manchester Uni-
versity, Department of Computer Science, Amulet Group, Lake District, England, July
18-22 1994.
[2] P. A. Bcerel. (';11) Fools f01' the Synthesis, Ver"tfication, and Testability of Robust
Asynch'/'()'lw'I/..~ Circuits PhD thesis, Stanford University, 1994.
[3] P. A. Bcerd and T.II .v. Mcng. Automatic gate-level synthesis of speed-independent
circuits. III Proc. /nt(T!l.I/"'tonal Conj. Co1lt]i'ILte'I'-AidedDesign (ICCAD), pages 581-587.
IEEE Computer Society Press, November 1992.
[4] K. van Berkel. Hinulsluike Circuits: An Ititermediaru between Communicating Processes
and VLS!. PhD thesis, Eindhoven University of Technology, 1992.
[5] K. van Berkel, H. Burgess, J. Kessels, Ad Peeters, M. Roncken, and F. Schalij. Asyn-
chronous circuits for low power: A DCC error corrector. IEEE Design fj Test of Com-
pulers, 11(2):22 :~2. Summer 1994.
[6] K. vall Dcrl«'1, H. Bllr~(~SS,OJ. Kessds, Ad Pcol.crs, M. Roncken, and F. Schalij. A fully-
asynchronous low-power error corrector for the DCC player. In International Solid State
Circuits C()nI('n~'n.(:e.pages 88-89, February 1994.
[7] K. van Berkel, .i. l«~sscls, M. Ronckeu, R. Saeijs, and F. Schalij. The VLSI-programming
language Tauur.uu alld its translation iut.o handshake circuits. In P'f'OC. Europeati Con-
[erence on Dcsi.ll'll Aul.o7no.tion (EDAC), pages 384-389, 1991.
[8] E. Bruuvaud. Ihw,sll/,l'i,ny Concurrent Comuiunicatinq Proqrams into Asynchronous
Circuits. Phl: thesis. Cai-negio Mellon Uuivorsity, 1991.
[9] E. Brunvaud. The NSH processor. In Pmc. Hawaii International ConJ. System Sciences,
volume 1. IEEE Computer Society Press, January 1993.
[10] E. Brunvand awl H.. 1<'. Sproull. Translating concurrent programs into delay-insensitive
circuits. III Proc. lnu-rruitumol Conf. Computer-A ided Design (ICCAD), pages 262-265.
IEEE Computer Society Press, November 1989.
[11] R. E. Bryant. Graph-hased algorithms for boolean function manipulations. IEEE Trans-
actions on COII/p'I/./,el's, C-JG(~):(j77(jYl, U)~(j.
1GO
BIBLIOGRAPHY 151
[12] N. Busi and G. M. Pinna. Non-sequential semantics for contextual P/T nets. In Proc. of 17th Int. Conf. on Applications and Theory of Petri Nets, Osaka, pages 113-132, June 1996.
[13] T. A. Chu. Synthesis of Self-Timed VLSI Circuits from Graph-theoretic Specifications. PhD thesis, MIT, 1987.
[14] J. Cortadella, M. Kishinevsky, A. Kondratyev, L. Lavagno, and A. Yakovlev. Complete state encoding based on the theory of regions. In Proc. International Symposium on Advanced Research in Asynchronous Circuits and Systems. IEEE Computer Society Press, March 1996.
[15] J. Cortadella, M. Kishinevsky, A. Kondratyev, L. Lavagno, and A. Yakovlev. Petrify: a tool for manipulating concurrent specifications and synthesis of asynchronous controllers. In Proc. of the 11th Conf. Design of Integrated Circuits and Systems, pages 205-210, Barcelona, Spain, November 1996.
[16] J. Cortadella, A. Yakovlev, L. Lavagno, and P. Vanbekbergen. Designing asynchronous circuits from behavioral specifications with internal conflicts. In Proc. International Symposium on Advanced Research in Asynchronous Circuits and Systems, pages 106-115, November 1994.
[17] P. Day and J. V. Woods. Investigation into micropipeline latch design styles. IEEE Transactions on VLSI Systems, 3(2):264-272, June 1995.
[18] J. Desel and J. Esparza. Free Choice Petri Nets. Cambridge University Press, Cambridge, 1995.
[19] D. L. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits. The MIT Press, Cambridge, Mass., 1988. An ACM Distinguished Dissertation 1988.
[20] J. C. Ebergen. Translating Programs into Delay-Insensitive Circuits, volume 56 of CWI Tract. CWI, Amsterdam, 1989.
[21] J. Esparza. Model checking using net unfoldings. Technical Report 14/92, Universität Hildesheim, October 1992.
[22] J. Esparza, S. Römer, and W. Vogler. An improvement of McMillan's unfolding algorithm. Technical Report TUM-I9599, Institut für Informatik, Technische Universität München, 1995.
[23] S. Furber. Computing without clocks: Micropipelining the ARM processor. In Graham Birtwistle and Al Davis, editors, Asynchronous Digital Circuit Design, Workshops in Computing, pages 211-262. Springer-Verlag, 1995.
[24] S. B. Furber, P. Day, J. D. Garside, N. C. Paver, and J. V. Woods. AMULET1: A micropipelined ARM. In Proceedings IEEE Computer Conference (COMPCON), pages 476-485, March 1994.
[25] S. B. Furber, P. Day, J. D. Garside, N. C. Paver, and J. V. Woods. A micropipelined ARM. In VLSI'93, Grenoble, 1993. Conference best paper award.
[26] F. Gavril. Algorithms for minimum colouring, maximum clique, minimum covering by cliques, and maximum independent set of a chordal graph. SIAM Journal on Computing, 1(4):180-187, December 1972.
[27] H. J. Genrich and R. M. Shapiro. Formal verification of an arbiter cascade. In Proceedings of the 13th International Conference on Application and Theory of Petri Nets, pages 205-223, 1992.
[28] P. Godefroid and P. Wolper. Using partial orders for efficient verification of deadlock freedom and safety properties. Formal Methods in System Design, 2(2):149-164, April 1993.
[29] S. Hauck. Asynchronous design methodologies: An overview. Proceedings of the IEEE, 83(1), January 1995.
[30] C. A. R. Hoare. Communicating Sequential Processes. Prentice Hall, New York, 1985.
[31] D. A. Huffman. The synthesis of sequential switching circuits. In E. F. Moore, editor, Sequential Machines: Selected Papers. Addison-Wesley, 1964.
[32] R. Janicki and M. Koutny. On equivalent execution semantics of concurrent systems. In Lecture Notes in Computer Science, Vol. 266. Springer-Verlag, 1987.
[33] M. B. Josephs, C. A. R. Hoare, and He Jifeng. A theory of asynchronous processes. Technical Report PRG-TR-6-89, Oxford Univ. Computing Laboratory, 1989.
[34] M. B. Josephs and J. T. Udding. An algebra for delay-insensitive circuits. In R. P. Kurshan and E. M. Clarke, editors, Proc. International Workshop on Computer Aided Verification, volume 531 of Lecture Notes in Computer Science, pages 343-352. Springer-Verlag, 1990.
[35] M. Kishinevsky, A. Kondratyev, A. Taubin, and V. Varshavsky. Concurrent Hardware: The Theory and Practice of Self-Timed Design. John Wiley and Sons, London, 1993.
[36] A. Kondratyev, J. Cortadella, M. Kishinevsky, E. Pastor, O. Roig, and A. Yakovlev. Checking Signal Transition Graph implementability by symbolic BDD traversal. In EDTC-95, pages 325-332, 1995.
[37] A. Kondratyev, M. Kishinevsky, B. Lin, P. Vanbekbergen, and A. Yakovlev. Basic gate implementation of speed-independent circuits. In Proceedings of ACM/IEEE Design Automation Conference, pages 56-62, June 1994.
[38] A. Kondratyev, M. Kishinevsky, and A. V. Yakovlev. On hazard-free implementation of speed-independent circuits. In Proceedings of Asia and South Pacific Design Automation Conference (ASP-DAC'95), pages 241-248, 1995.
[39] A. Kondratyev and A. Taubin. On verification of the speed-independent circuits by STG unfoldings. In International Symposium on Advanced Research in Asynchronous Circuits and Systems, Salt Lake City, Utah, USA, pages 64-75, November 1994.
[40] L. Lavagno. Personal communications.
[41] L. Lavagno and A. Sangiovanni-Vincentelli. Algorithms for Synthesis and Testing of Asynchronous Circuits. Kluwer Academic Publishers, Massachusetts, 1993.
[42] C. Lewerentz and T. Lindner. Formal development of reactive systems - Case study production cell. LNCS 891, 1995.
[43] A. J. Martin. Collected papers on asynchronous VLSI design. Technical Report Caltech-CS-TR-90-09, California Institute of Technology, 1990.
[44] A. J. Martin. Programming in VLSI: From communicating processes to delay-insensitive circuits. In C. A. R. Hoare, editor, Developments in Concurrency and Communication, UT Year of Programming Series, pages 1-64. Addison-Wesley, 1990.
[45] A. J. Martin. Synthesis of asynchronous VLSI circuits. In J. Staunstrup, editor, Formal Methods for VLSI Design, chapter 6. North Holland, Amsterdam, 1990. IFIP WG 10.5 Lecture Notes.
[46] K. L. McMillan. Using unfolding to avoid the state explosion problem in the verification of asynchronous circuits. In Proceedings of the 4th Workshop on Computer Aided Verification, pages 164-177, Montreal, 1992.
[47] K. L. McMillan. Symbolic Model Checking. Kluwer Academic Publishers, Boston, 1993.
[48] Teresa H.-Y. Meng, Robert W. Brodersen, and David G. Messerschmitt. Automatic synthesis of asynchronous circuits from high-level specifications. IEEE Transactions on Computer-Aided Design, 8(11):1185-1205, November 1989.
[49] R. E. Miller. Switching theory, chapter 2, pages 192-244. Wiley and Sons, 1965.
[50] T. Miyamoto and S. Kumagai. An efficient algorithm for deriving logic functions of asynchronous circuits. In Proc. of the Second International Symposium on Advanced Research in Asynchronous Circuits and Systems (ASYNC'96), pages 30-35, Aizu-Wakamatsu, Fukushima, Japan, March 1996.
[51] C. E. Molnar, T.-P. Fang, and F. U. Rosenberger. Synthesis of delay-insensitive modules. In Henry Fuchs, editor, 1985 Chapel Hill Conference on Very Large Scale Integration, pages 67-86. Computer Science Press, 1985.
[52] U. Montanari and F. Rossi. Contextual nets. Acta Informatica, 36:545-596, 1995.
[53] D. E. Muller and W. S. Bartky. A theory of asynchronous circuits. In Proceedings of an International Symposium on the Theory of Switching, pages 204-243. Harvard University Press, April 1959.
[54] T. Murata. Petri nets: properties, analysis and applications. Proceedings of IEEE, 77(4):541-580, April 1989.
[55] T. Nanya. A quasi-delay-insensitive microprocessor: Titac-1. In Proceedings of 1995 Israel Workshop on Asynchronous VLSI, March 1995.
[56] M. Nielsen, G. Plotkin, and G. Winskel. Petri nets, event structures and domains, part I. Theoretical Computer Science, 13:85-108, 1981.
[57] S. M. Nowick. Automatic Synthesis of Burst-Mode Asynchronous Controllers. PhD thesis, Stanford University, Department of Computer Science, 1993.
[58] S. M. Nowick and D. L. Dill. Practicality of state-machine verification of speed-independent circuits. In Proceedings of ICCAD'89, Santa Clara, CA, November 1989.
[59] S. M. Nowick and D. L. Dill. Automatic synthesis of locally-clocked asynchronous state machines. In Proc. International Conf. Computer-Aided Design (ICCAD), pages 318-321. IEEE Computer Society Press, November 1991.
[60] S. M. Nowick and D. L. Dill. Synthesis of asynchronous state machines using a local clock. In Proc. International Conf. Computer Design (ICCD), pages 192-197. IEEE Computer Society Press, October 1991.
[61] E. Pastor, O. Roig, J. Cortadella, and R. M. Badia. Petri net analysis using boolean manipulations. In Proceedings of 15th International Conference on Application and Theory of Petri Nets, Zaragoza, Spain, June 1994, pages 416-435, 1994.
[62] E. Pastor, J. Cortadella, A. Kondratyev, and O. Roig. Structural methods for the synthesis of speed-independent circuits. In Proc. European Design and Test Conference (EDAC-ETC-EUROASIC), pages 340-347, Paris (France), March 1996.
[63] S. S. Patil. Cellular arrays for asynchronous control. In Proceedings of the ACM 7th Annual Workshop on Microprogramming, 1974. (CSG Tech. Memo. 122, Project MAC, MIT, April 1975).
[64] N. C. Paver. The design and implementation of an asynchronous microprocessor. PhD thesis, University of Manchester, 1994.
[65] J. L. Peterson. Petri Net Theory and the Modeling of Systems. Prentice-Hall, Inc., 1981.
[66] I. Reicher and M. Yoeli. Net-based modelling of communicating parallel processes with applications to VLSI design. Technical Report 532, Technion, Haifa, 1988.
[67] W. Reisig. Petri Nets: an Introduction. EATCS Monographs in Computer Science. Springer-Verlag, Berlin, 1985.
[68] O. Roig. Personal communications.
[69] O. Roig. Formal Verification and Testing of Asynchronous Circuits. PhD thesis, Universitat Politècnica de Catalunya (UPC), 1997.
[70] O. Roig, E. Pastor, and J. Cortadella. Symbolic model checking for speed independent circuits. In Proceedings of ACiD Workshop on Asynchronous Low Power VLSI, Lyngby, Denmark, April I~m:~.
[71] Per Torstein Roill('. Asynchronous FIFO buffer for multicomputer applications. Master's thesis, Department of Informatics, University of Oslo, 1994.
[72] T. G. Rokicki. Representing and modeling digital circuits. PhD thesis, Stanford University, 1993.
[73] L. Ya. Rosenblum and A. V. Yakovlev. Signal graphs: from self-timed to timed ones. In Proceedings of International Workshop on Timed Petri Nets, Torino, Italy, July 1985, pages 199-207. IEEE Computer Society, 1985.
[74] C. L. Seitz. System timing. In C. A. Mead and L. A. Conway, editors, Introduction to VLSI Systems, chapter 7. Addison-Wesley, 1980.
[75] A. Semenov, A. M. Koelmans, L. Lloyd, and A. Yakovlev. Designing an Asynchronous Processor Using Petri Nets. IEEE Micro, pages 54-64, Mar/Apr 1997.
[76] A. Semenov and A. Yakovlev. Event-based framework for verification of high-level models of asynchronous circuits. Technical Report 487, University of Newcastle upon Tyne, 1994.
[77] A. Semenov and A. Yakovlev. Combining partial orders and symbolic traversal for efficient verification of asynchronous circuits. In Proceedings of CHDL'95, Chiba, Japan, pages 567-573, 1995.
[78] A. Semenov and A. Yakovlev. Verification of asynchronous circuits using time Petri-net unfolding. In Proc. ACM/IEEE Design Automation Conference, pages 59-63, 1996.
[79] A. Semenov and A. Yakovlev. Contextual net unfolding and asynchronous system verification. Technical Report 572, University of Newcastle upon Tyne, 1997.
[80] A. Semenov, A. Yakovlev, E. Pastor, M. Peña, J. Cortadella, and L. Lavagno. Partial order based approach to synthesis of speed-independent circuits. In Proc. International Symposium on Advanced Research in Asynchronous Circuits and Systems. IEEE Computer Society Press, April 1997.
[81] A. Semenov, A. Yakovlev, E. Pastor, M. A. Peña, and J. Cortadella. Synthesis of speed independent circuits from STG-unfolding segment. In Proc. ACM/IEEE Design Automation Conference, pages 16-21, 1997.
[82] E. M. Sentovich et al. SIS: A system for sequential circuit synthesis. Memorandum No. UCB/ERL M92/41, University of California, Berkeley, 1992.
[83] P. Siegel and G. De Micheli. Decomposition methods for library binding of speed-independent asynchronous designs. In Proceedings of the International Conference on Computer-Aided Design, pages 558-565, 1994.
[84] H. R. Simpson. Four-slot fully asynchronous communication mechanism. IEE Proceedings-E, 137(1):17-30, January 1990.
[85] H. R. Simpson. Correctness analysis for class of asynchronous communication mechanisms. IEE Proceedings-E, 139(1):35-49, January 1992.
[86] R. F. Sproull and I. E. Sutherland. Asynchronous Systems. Sutherland, Sproull and Associates, Palo Alto, 1986. Vol. I: Introduction, Vol. II: Logical effort and asynchronous modules, Vol. III: Case studies.
[87] K. S. Stevens. Practical Verification and Synthesis of Low Latency Asynchronous Systems. PhD thesis, Dept. of Computer Science, University of Calgary, Canada, September 1994.
[88] I. E. Sutherland. Micropipelines. Communications of ACM, 32(6):720-738, 1989.
[89] S. H. Unger. Asynchronous Sequential Switching Circuits. Wiley-Interscience, New York, 1969.
[90] S. H. Unger. Hazards, critical races, and metastability. IEEE Transactions on Computers, 44(6):754-768, June 1995.
[91] A. Valmari. Stubborn Sets for Reduced State Space Generation. Advances in Petri Nets 1990, ed. G. Rozenberg, LNCS 488, pages 491-515, 1991.
[92] P. Vanbekbergen, B. Lin, G. Goossens, and H. de Man. A generalized state assignment theory for transformations on signal transition graphs. In Proc. International Conf. Computer-Aided Design (ICCAD), pages 112-117. IEEE Computer Society Press, November 1992.
[93] V. I. Varshavsky et al., editor. Self-Timed Control of Concurrent Processes: The Design of Aperiodic Logical Circuits in Computers and Discrete Systems. Kluwer Academic Publishers, Dordrecht, The Netherlands, 1990.
[94] W. Vogler. Personal communications.
[95] W. Vogler, A. Semenov, and A. Yakovlev. Partial order semantics and read arcs. Technical Report (i:YI, University of Newcastle upon Tyne, February 1998.
[96] J. Xu, B. Randell, A. Romanovsky, C. Rubira, R. Stroud, and Z. Wu. Fault tolerance in concurrent object-oriented software through coordinated error recovery. In Proceedings of the Twenty-Fifth Annual International Symp. on Fault-Tolerant Computing, pages 499-509, 1995.
[97] A. Yakovlev. Designing control logic for counterflow pipeline processor using Petri nets. Technical Report [in:, University of Newcastle upon Tyne, 1995.
[98] A. Yakovlev, M. Kishinevsky, and A. Koelmans. Petri net based modelling and analysis of micropipelines. In [1].
[99] A. Yakovlev, L. Lavagno, and A. Sangiovanni-Vincentelli. A unified signal transition graph model for asynchronous control circuit synthesis. In Proc. International Conf. Computer-Aided Design (ICCAD), pages 104-111. IEEE Computer Society Press, November 1992.
[100] A. Yakovlev, V. Varshavsky, V. Marakhovsky, and A. Semenov. Designing an asynchronous pipeline token ring interface. In Asynchronous Design Methodologies, pages 32-41. IEEE Computer Society Press, May 1995.
[101] A. V. Yakovlev, A. M. Koelmans, A. Semenov, and D. J. Kinniment. Modelling, analysis and synthesis of asynchronous control circuits using Petri nets. Integration, the VLSI journal, 21(3):143-170, December 1996.
[102] Ch. Ykman-Couvreur, B. Lin, and H. De Man. ASSASSIN: A synthesis system for asynchronous control circuits. Reference manual, IMEC, 1995.
[103] Ch. Ykman-Couvreur, B. Lin, G. Goossens, and H. De Man. Synthesis and optimization of asynchronous controllers based on extended lock graph theory. In Proc. European Conference on Design Automation (EDAC), pages 512-517. IEEE Computer Society Press, February 1993.
[104] K. Y. Yun. Automatic synthesis of extended burst-mode circuits using generalized C-elements. In Proc. European Design Automation Conference (EURO-DAC), September 1996.
[105] K. Y. Yun and D. L. Dill. Automatic synthesis of 3D asynchronous state machines. In Proc. International Conf. Computer-Aided Design (ICCAD), pages 576-580. IEEE Computer Society Press, November 1992.
[106] K. Y. Yun, D. L. Dill, and S. M. Nowick. Synthesis of 3D asynchronous state machines. In Proc. International Conf. Computer Design (ICCD), pages 346-350. IEEE Computer Society Press, October 1992.
