Verifying and Testing Asynchronous Circuits using LOTOS (extended version) by He, Ji & Turner, Kenneth J
Ji He and Kenneth J. Turner. Verifying and Testing Asynchronous Circuits
using LOTOS (extended version). In Tommaso Bolognesi and Diego Latella,
editors, Proc. Formal Methods for Protocol Engineering and Distributed
Systems (FORTE XIII/PSTV XX), Kluwer Academic Publishers, London, UK, October 2000.
Verifying and TestingAsynchronousCir cuits using LOTOS
Ji He and KennethJ. Turner




It isshownhow DILL (Digital Logic in LOTOS) canbeusedtospecify,verify andtestasynchronous
hardwaredesigns.Asynchronous(unclocked)circuitsarea topic of active researchin thehardware
community. It is illustratedhow DILL canaddresssomeof the key challenges.New relationsfor
(strong)conformancearedefinedfor assessingacircuit implementationagainstits specification.An
algorithmisalsopresentedfor generatingandapplyingimplementationtestsbasedonaspecification.
Toolshave beendevelopedfor automatedverificationof conformanceandgenerationof tests.The





DILL (Digital Logic in LOTOS, e.g. [9, 10]) is an approach,a languageanda toolsetfor specifying,
analysingand testingdigital hardware designs. The authorshave developedan extensive library of
typical hardwarecomponents,andmethodsfor dealingwith synchronous(clocked)circuits. Although
DILL haslanguagefacilitiesfor inclusionof standardcircuit components,it is really justaveneerontop
of LOTOS. DILL canthereforeexploit the rich theoriesandtools for LOTOS. The recentdevelopments
describedin thispaperhave extendedDILL to asynchronous(unclocked)circuits.
Conventionaldigital circuits operateundercontrol of a masterclock that synchronisesthe major
components.Thedesignof suchsynchronouscircuitsis well understood.Theclockednatureof designs
avoids problemsdue to variationsin speedamongthe components.However, asynchronouscircuit
designis increasinglyattractingattention.Thesecircuitsoperateat thespeedof individual components,
without artificially limiting them to someclock rate. They may thus be capableof fasteroperation
thansynchronouscircuits. Unfortunatelyasynchronouscircuitsaremuchharderto designandanalyse.
Indeedtherearemany designstrategieswhichaimto achievedifferentgoalssuchasindependencefrom
thedelaysor speedof circuit elements.Thechallengeis to allow eachcomponento operateasfastas
possiblewhile preservingthecircuit function.
Verificationof asynchronouscircuits, especiallyspeed-independentanddelay-insensitive ones,is
an active researchtopic (e.g. [2, 4]). Rigoroustestingof asynchronouscircuits is still in its infancy.
This paperpresentssolutionsfor verificationof asynchronouscircuitsandfor deriving rigorousimple-
mentationtestsfrom their specifications.It thusmakesa contribution to theevolving understandingof
asynchronouscircuit design. The paperalsoshows a novel applicationof protocoldesigntechniques
(LOTOS, conformancetesting)to anew domainthatis exciting industrialinterest.
1.2 RelatedWork
Formal techniquesthathave beenusedfor asynchronouscircuits includeCIRCAL [1], CSPandDelay-
IndependentAlgebra.Of these,DILL mostcloselyresemblesCIRCAL in thatbothhaveabehaviouralbasis
in processalgebra,andbothhave beenusedin (a)synchronouscircuit design.However, the integrated
1
datatypesin LOTOS makesit muchmoreexpressive thanCIRCAL. In the authors’experience,LOTOS
canbeusedsuccessfullyatavarietyof abstractionlevelswhereasCIRCAL appearsto belesseffective at
higherlevels. It is very difficult to useCIRCAL for specifyingrelatively complicatedbehaviour.
Like DILL , many otherasynchronousverificationapproachesdefinerelationsthatjudgecorrectness
of acircuit design.Therelationsconforandstrongconfordefinedin thispaperresemblethoseintroduced
by others,e.g.conformance[2], decomposition[4] andstrong conformance[6]. It is not possibleto
detectdeadlocksandlivelockswith conformanceanddecomposition. Althoughstrongconformancecan
dothis,it requiresanimplementationnotto producelessoutputsthanits specification.Thisexcludesthe
possibilityof applyingtherelationtonon-deterministicspecifications.Aswill beseen,the(strong)confor
relationsdefinedin thispaperhave clearadvantagesover thosementionedabove.
Forvalidatinghardwaredesigns,testcasesarein practicemanually definedor arerandomlygenerated.
More rigorousapproachesusetraditionalsoftwaretestingtechniquesor statemachinerepresentations.
[13] makesuseof higher-level statemachinespecifications,but cannothandlenon-deterministicspeci-
fications. In theDILL approach,testsarederivedfrom higher-level specificationsin a novel adaptation
of theconformancetestingtheorydevelopedfor protocols.
1.3 Structure of Paper
Section2 discussesvariouskindsof asynchronouscircuit componentsandhow they canbespecifiedin
DILL . Section3 thenexplainshow asynchronouscircuit implementationscanbeverifiedagainsttheir
specifications,usingthe notion of conformancerelations. The theoryandtools alsoallow automated
derivation of testsfor asynchronouscircuits. Section4 shows how an asynchronousFIFO (First-In
First-Outbuffer) canbeverified to exhibit livenessandspeedindependence.Automaticallygenerated
testsare also presented.The Or-And example in section5 demonstratesthe subtletiesin verifying
speedindependenceanddelayinsensitivity. Two plausibleimplementationsareshown to have differing
properties.Finally, section6 usestheexampleof aselectorto demonstratehow theapproachcopeswith
specificationsthatallow non-deterministicimplementations.
2 SpecifyingAsynchronousCir cuit Components
2.1 Classesof AsynchronousCir cuits
Asynchronouscircuitsexhibit avarietyof formsdueto thedifferentdelayandenvironmentassumptions
made.An asynchronouscircuit canonly behavecorrectlywhentheseassumptionsaremet. Someof the
better-known designapproachesincludethefollowing.
DI (Delay-Insensitive) circuitsarethemostrobustclassin theasynchronouscircuit family sincethey
takethemostpessimisticview aboutdelaysandtheenvironment.Delaysin componentsandwires
areassumedto be unbounded(but finite). DI circuits canoperatecorrectlyregardlessof actual
delaymagnitudes.MostmeaningfulDI circuitsrequiremorethanbasiclogic gates,sospecialised
componentsaredefined[11].
QDI (Quasi Delay-Insensitive) circuits augmentthe delay model of delay-insensitive circuits with
the useof isochronicforks. Thesearebranchingconnectionson which the differenceof delay
magnitudesis negligible. This is a goodcompromisefor building practicalcircuitsusingsingle-
outputgates.
SI (Speed-Independent)circuits have gateswith unboundeddelay, but wires have zerodelay. If all
gateshave justoneoutput,SI andQDI areactuallyidentical.
Specifyingboundeddelaysneedsa formalismthatsupportsquantitative timing specification.This
paperstudiesthe classesabove sincethey assumeunboundeddelaysand so aresuitablefor LOTOS.
(Quasi) delay-insensitive designscan be easily changedto speed-independentcircuits by inserting
2
artificial delaycomponents.Sinceunboundeddelayplusunboundeddelayis still unbounded,mostof
thewire delayscanbeabsorbedinto theprecedingcomponents.Only forks andcomponentswith more
thanoneoutputneedspecialtreatment.
The restof the paperthereforemainly discussesspeed-independentdesigns. Happily thesearea
goodmatchto theDILL approachsincecomponentdelaysareunbounded,just like theinterval between
consecutive LOTOS events. In DILL , componentports are connectedby synchronisingtheir LOTOS
events.Thisactuallyassumesthatdelayontheconnectingwiresis negligible, anassumptionthatis also
adoptedby speed-independentcircuits. Speedindependenceis closelyrelatedto theconceptof semi-




In this section,basiclogic gatesareusedto illustratehow to modelspeedindependence(really semi-
modularity)of asynchronouscircuits. In [9, 10], thespecificationof basiclogic gatesallows new inputs
to pre-emptpendingoutputs.Someof theseinput transitionsmaychangethelevelsof pendingoutputs,
resultingin theviolationof semi-modularity. ConsideraNand2gate(two-input‘not and’)whoseinputs
andoutputIp1, Ip2, Op areinitially 1, 1, 0. After Ip1 changesto 0, its outputshouldchangeto 1. If Ip1
changesbackto 1 beforeoutputhappens,theoutputmayeitherundergothe1 to 0 transitionor remainon
0. Thisdependson thespeedof thegate.To respectsemi-modularity, suchinputshave to beforbidden.
processNand2[Ip1,Ip2,Op](dtIp1,dtIp2,dtOp:Bit): noexit :
let newOp:Bit = dtIp1nanddtIp2 in (* potentialoutput*)
(
Ip1 ?newIp1:Bit [(newIp1 nedtIp1) and (* first inputchanges*)
((dtOpeqnewOp)or (* nonew potentialoutput*)
((dtOpnenewOp)and (* thereis potentialoutput*)
((newIp1 nanddtIp2) eqnewOp)))]; (* but no changeis needed*)
Nand2[Ip1,Ip2,Op](newIp1,dtIp2,dtOp) (* continuebehaviour *)
Ip2 ?newIp2:Bit [(newIp2 nedtIp2) and (* secondinputchanges*)
((dtOpeqnewOp)or (* nonew potentialoutput*)
((dtOpnenewOp)and (* thereis potentialoutput*)
((newIp2 nandnewIp1) eqnewOp)))]; (* but no changeis needed*)
Nand2[Ip1,Ip2,Op](dtIp1,newIp2,dtOp) (* continuebehaviour *)
Op !newOp[dtOpnenewOp]; (* new outputproduced*)
Nand2[Ip1,Ip2,Op](dtIp1,dtIp2,newOp) (* continuebehaviour *)
)
endproc
Note that the specificationis partial in that inputsareforbiddenat certainpoints. An input offer can
happenonly whenthereis no potentialoutput,or whenthenew input cannotalterthepotentialoutput.
TheusualDILL specificationof a logic gate[9, 10] is input-receptive. But it possessesinertialdelay,
i.e. thegatewill not reactto shortinput pulses.Themodelabove is stricterthanthatof [9, 10], andcan
beusedfor checkingif acircuit is semi-modularor not.
2.3 SpecifyingAsynchronousCir cuit Components
Asynchronouscircuit designis aspecialiseddisciplinethatusesspecial-purposecomponentsin addition
to basiclogic gates.Thesespecialcomponentsaretreatedasfundamental,eventhoughtheir implemen-
tationmay derived from simplerelements.The specialcomponentsareassumedto exhibit properties
3
suchasspeedindependenceor delayinsensitivity. To give a flavour of theapproachandto show that
their specificationsin DILL arestraightforward, a samplingof thecomponentsis specifiedbelow. For
brevity an abbreviated syntaxis usedfor processdefinitions. It is alsocommonpractice[3] to omit
signallevelswhenspecifyingasynchronouscircuits,sincethelevelsstrictly alternate.For examplethe
input sequenceIp !0, Ip !1, Ip !0 canberepresentedasIp, Ip, Ip. The following outlinespecifications
respectherequirementof semi-modularity.
Wires arethe simplestcomponents.In high-speedcircuits suchasasynchronousdesigns,even con-
nectionscancontribute delays.They arenot neededfor speed-independentcircuitssincedelays
on wiresareassumedto bezero. But whena (quasi)delay-insensitive circuit is transformedto a
speed-independent design,delayson wiresmayhave to beexplicitly specified.
Wire [Ip,Op] : Ip; Op; Wire [Ip,Op]
Fork componentsarealsonecessarywhen transforminga (quasi)delay-insensitive designto speed-
independentform. A fork hasoneinput Ip andtwo outputsOp1,Op2. Thevalueon input Ip is
fannedout to Op1andOp2. Becauseof delays,thetwo outputsmayoccuratdifferenttimes.New
input hasto wait until bothoutputshave beenproduced.
Fork [Ip,Op1,Op2] : Ip; (Op1;exit ||| Op2;exit) >> Fork [Ip,Op1,Op2]
C-Elements arevery importantin asynchronousdesign. A C-Element(namedafter its conventional
outputC) is usedasa transitionsynchronisersinceits outputcanchangeonly after both inputs
have changed.For this reason,it is sometimesalsocalleda join element.A C-Elementhastwo
inputsIp1, Ip2 andanoutputOp. Theoutputchangesto 1 whenboth inputshave changedto 1,
andchangesto 0 whenbothhave changedto 0.
C-Element[Ip1,Ip2,Op] : (Ip1; exit ||| Ip2; exit) >> (Op; C-Element[Ip1,Ip2,Op])
Merge componentscopy inputsignalsIp1, Ip2 to a singleoutputOp.
Merge[Ip1,Ip2,Op] : Ip1; Op; Merge[Ip1,Ip2,Op] Ip2; Op;Merge[Ip1,Ip2,Op]
Selectors take asingleinput Ip andnon-deterministicallyoutputonOp1or Op2.
Selector[Ip,Op1,Op2] : Ip; (i; Op1;exit i; Op2;exit)>> Selector[Ip,Op1,Op2]
Sequencershave two datainputs Ip1, Ip2, a control input calledC, andtwo dataoutputsOp1, Op2.
They wait for anIp1 or Ip2 signalplusC, andthenproducethecorrespondingoutputsignal.
Sequencer[Ip1,Ip2,C,Op1,Op2] : (S1[Ip1,Op1] ||| S2[Ip2,Op2]) |[Op1,Op2]| S3[C,Op1,Op2]
where
S1[Ip1,Op1] : Ip1; Op1;S1[Ip1,Op1]
S2[Ip2,Op2] : Ip2; Op2;S2[Ip2,Op2]
S3[C,Op1,Op2] : C; (i; Op1;S3[C,Op1,Op2] i; Op2;S3[C,Op1,Op2])
Latches are the storageelementsin asynchronouscircuits. A latch hastwo datainputs Ip1, Ip2, a
controlinputC, andtwo dataoutputsOp1,Op2. A latchwaitsfor exactlyoneIp1 or Ip2 inputand
a C input, thenthecorrespondingoutputis produced.In contrastto asequencer, theenvironment
mustguaranteemutualexclusionof inputs.
Latch[Ip1,Ip2,C,Op1,Op2] :
((Ip1; exit ||| C; exit) >> Op1;Latch[Ip1,Ip2,C,Op1,Op2])
((Ip2; exit ||| C; exit) >> Op2;Latch[Ip1,Ip2,C,Op1,Op2])
RGD Arbiters arenamedaftertheirsignals:Request,Grant,Done.They have four inputsR1,D1, R2,
D2 andtwo outputsG1, G2. If thearbiterreceivestwo simultaneousrequests,it grantsexactly
oneof themanddelaystheother. RequestRi is followedby grantGi andthenthedonesignalDi.
Thetime intervalsG1..D1andG2..D2areguaranteedto bemutuallyexclusive.
RGD[R1,G1,D1,R2,G2,D2] : (S1[R1,G1] ||| S2[R2,G2]) |[G1,G2]| S3[G1,D1,G2,D2]
where
S1[R1,G1] : R1; G1;S1[R1,G1]
S2[R2,G2] : R2; G2;S2[R2,G2]
S3[G1,D1,G2,D2] : (i; G1;D1; S3[G1,D1,G2,D2]) (i; G2;D2; S3[G1,D1,G2,D2])
4
2.4 Input (Quasi-)Receptiveness
In LOTOS, communicationbetweenprocessesis basedon symmetricsynchronisationat a gate.Thusan
eventcanhappenonly whenall processesoffer eventsat this gate.If oneof theprocessesis not ableto
doso,theotherprocessesjustwait or participatein anothereventif possible.However, digital hardware
hasa cleardistinctionbetweeninputsandoutputs.Signalsareabsorbedat inputsandareproducedat
outputs.A hardwarecomponentcannever refuseaninputsignal,andtheoutputsignalsit producescan
never beblockedby others.
A specificationis saidto beinput-receptive if every input is allowed in every state.In sucha case,
theDILL modelrepresentsthe real circuit faithfully. However input-receptive specificationscannotbe
writtenfor mostasynchronouscircuit componentsinceunexpectedinputsarenotpermitted.Analysing
suchpartialspecificationshasthedisadvantageof notbeingexactsincethebehaviour of aLOTOSmodel
is only a subsetof thebehaviour of the realcircuit. Oneway to addressthis is by explicit deadlockif
unexpectedinputsarrive.
If moreaccurateanalysisis required,input quasi-receptive specificationsshouldbewritten. Infor-
mally, a DILL specificationis input quasi-receptive if it canalwaysparticipatein all input eventsexcept
whendeadlocked. As anexample,thespecificationof awire is partialin thatinput is notallowedwhen
thewire wantsto produceits output.An inputquasi-receptive specificationcanbeobtainedby addinga
choicewhenthereis a potentialoutput.A wire might thusbespecifiedas:
processWire [Ip,Op] (dtIp:Bit) : noexit :
Ip ?newIp1:Bit [dtIp nenewIp1]; (* new input *)
(
Op !newIp1; exit (newIp1) (* new output*)




acceptnewIp:Bit in Wire [Ip,Op] (newIp) (* continuebehaviour *)
endproc
It is not straightforward to transforma specificationwith more than just sequenceand choice
operatorsinto input quasi-receptive form. In sucha case,a partialspecificationcanbeusedto generate
the correspondingLTS (LabelledTransitionSystem). An LTS is actually a LOTOS specificationin
the form of sequenceandchoiceoperators.An input quasi-receptive specificationcanbe obtainedby
modifying the LTS. For a statethat cannotparticipatein all input events,outgoingedgesleadingto
deadlockareaddedfor missedinputs. This methodworksvery well for LTSswithout internalevents.
But subtleproblemscanarisefor thosecontaininginternalevents.SupposestateSacceptsaninput Ip1,
performsaninternalaction,andendsup in stateS′ whereIp2 canbeaccepted.It wouldbeincorrectto
adda transitionto stateS thatacceptsIp2 andleadsto deadlock.That is, SacceptsIp2 only throughan
internalaction.
Whena specificationis consideredfrom the point of view of input receptiveness,internalevents
becomelessmeaningful.Internaleventsmeantheenvironmenthasno effect on choices.In thecontext
of digital design,a circuit producesoutputswithout influencefrom its environment. Thereforeall
outputsshouldbe precededby internal events. If internal eventsare omitted, the environmenthas
the opportunityto choosewhich outputsto acceptandwhich to refuse;this is not a propermodelof
real circuits. However if theenvironmentis input-receptive, it losesits selective power: it will accept
whatever thecircuit produces,eventhoughthereareno internaleventsin thecircuit specification.For
this reason,LTSswith internaleventsaredeterminisedbeforeoutgoingedgesareaddedto createinput
quasi-receptive specifications.An LTSis inputquasi-receptive if, afterdeterminisation,all statesexcept
terminalonescanacceptall inputs.
5
3 AsynchronousCir cuit Verification and Testing
3.1 Verifying AsynchronousCir cuit Designs
The characteristicsof asynchronouscircuits have implicationsfor verification. As it is moredifficult
to specifycomponentsin an input (quasi-)receptive manner, verificationmay still be basedon using
componentsthat are not input-receptive. The verification may, however, not be exact in that some
problemsmaynot bediscovered. Input quasi-receptive specificationsresultin a larger statespaceand
thusmake verificationmoredifficult.
A structuralimplementation(adetaileddesign)normallyhasmuchmorebehaviour thanits abstract
specification.This is not uniqueto DILL andalsoappliesto many otherdesignmethods.This makesit
unrealisticto useequivalenceasthecriterionfor correctdesign.Equivalencerequiresthataspecification
andits implementationhave samebehaviour underall possibleenvironments.This requirementwould
usuallybetoostrongsincepracticalcircuitswork correctlyonly in well-behavedenvironments.
Assumptionsaboutenvironmentshave to bemadesincetheseareoftennot givenfor asynchronous
circuits. Whenanenvironmentis notexplicit, many methodssimplyassumethemirror of aspecification
astheenvironmentof its implementations[2]. If Sis theabstractspecificationandI is theimplementation
specification,verificationmeanscomparingS || I with Sor checkingif a logic formulaholdsfor S || I.
But verifying S || I is not alwayssatisfactory. Whenanimplementationcanacceptmoreinputsthanits
specificationdoes,S|| I restrictstheinputsconsideredtoonly thosein thespecification.Thisassumesthat
theenvironmentdoesnotprovideextrainputs,soinputsthatareacceptedonly by theimplementationare
ignoredwhenverifying thejoint behaviour. Thisis reasonable,butpermitsanimplementationtoproduce
moreoutputsthana specification.This is undesirablesincean implementationproducingunexpected
outputfor legitimateinput is normallyerroneous.Moreover, whena specificationis non-deterministic
thismethodmayexcludecorrectdeterministicimplementations.
Thekey pointhereis thedifferentrolesof inputsandoutputsin digital circuits. An implementation
passively acceptsinputs,soonly thoseavailablefrom theenvironmentmake sense.An implementation
actively producesoutputs,overwhichtheenvironmenthasnoinfluence.A LOTOSspecificationhowever
doesnot distinguishinputs and outputs. When a LOTOS specificationis usedas an environment, it
restrictsinputsandoutputsequally.
Whenanimplementationisspecifiedin aninput(quasi-)receptive way, adistinctionis madebetween
inputsandoutputs. If its environmentis alsoreceptive, it will deadlockon unexpectedoutputsfrom
an implementation. However, it is very hard to extract an input quasi-receptive environmentfrom a
behavioural specification– especiallyif this is complicatedor containsinternalevents. An alternative
methodis thereforeadoptedfor verifying asynchronouscircuits. Relationsaredefinedthat take into
accountthedifferencebetweeninputandoutput.Theserelationsdonot require(quasi-)receptivenessof
theenvironmentor theimplementation,andareintuitivecriteriafor correctnessof asynchronouscircuits.
3.2 Input-Output Conformancefor AsynchronousCir cuits
Althoughmany relationshave beendefinedto characterisetherelationshipbetweentwo LTSs,they are
not very helpful for verifying asynchronouscircuits. This is especiallytruewhentheenvironmentof a
circuit is not explicitly supplied. Two new relations,conforandstrongconfor, arethereforedefinedto
assess(strong)conformanceof animplementationto its specification.Theserelationswereinspiredby
ioconfandioco in [14] for conformancetestingof communicationsprotocols.
SupposeSpecis an abstractspecificationof a circuit and Impl is its implementationspecification.
Specmaybepartial in thesensethat in somestatesit doesnot acceptsomeinputs,i.e. it is not input-
receptive. An input is absentif theenvironmentof a circuit doesnot provide it, if thebehaviour of the
circuit uponreceiving theinput is not of interest,or if thebehaviour is undefined.Althoughall circuits
6
arepotentiallyableto acceptall inputsat any time, mostspecificationsarepartial to avoid too much
detail. Impl maybepartialor total in thesenseof input receptiveness.
Supposethatspis astateof Specandthatim is thecorrespondingstatein Impl. To definetheconfor
relation,first considerthe input transitionsthat sp and im canengagein. If an input ip is acceptable
in sp, it is reasonableto requirethat ip is alsoacceptedin im. On theotherhand,if im canacceptan
inputwhich is notacceptablein sp, this inputandall thebehaviour afterwardscanbeignored.Sincethe
environmentwill neverprovidesuchaninput,or evenif it is provided,suchbehaviour is notof interest.
In short,theinputsacceptablein spshouldbeasubsetof thoseacceptablein im.
As far asoutputsareconcerned,if sp canproduceop thena correctimplementationshouldalso
produceit. If spcannotproducea certainoutput,neithershouldits implementation.However whena
specificationis allowedto benon-deterministic,it is toostrongto requireim to produceexactly thesame
outputsassp sincea deterministicimplementationcould producea subsetof the outputs. A suitable
relation shouldthus requireoutput inclusion insteadof output equality. Unfortunatelya circuit that
acceptseverythingbut outputsnothingmayalsobequalifiedasacorrectimplementation.Thespecialδ
‘action’ overcomesthisweaknessby indicatingtheabsenceof output.Likeany otheroutputaction,if δ
belongsto theoutputsetof im it mustbein theoutputsetof spfor conformanceto hold. In otherwords,
im canproducenothingonly if spcandonothingaswell.
In theabove discussion,sp and im arenot actuallyLTS statesbut areall possiblesituationsthata
circuit maybein aftera certaininput-outputsequence.Becauseδ is alsoinvolved in thesequence,the
statespacesof bothspecificationandimplementationaretransformedinto automatathatareexplicitly
labelledwith δ. Theinput-outputsequencesareactuallytracesof thespecificationautomaton.Formally,
let implementationi ∈ LTS(LI ∪ LU ) andspecifications ∈ LTS(LI ∪ LU). Then:
i confors =def ∀σ ∈ STrace(s): out(i afterσ) ⊆ out(s afterσ)and
if i afterσ 6= ∅ : in(safterσ) ⊆ in(i afterσ)
i strongconfors =def ∀σ ∈ STrace(s): out(i afterσ) = out(s afterσ)and
if i afterσ 6= ∅ : in(safterσ) ⊆ in(i afterσ)
LI andLU refer to the inputsandoutputsfrom the point of view of the implementation.The inputs
andoutputsof anautomatonaftersometracearecomputedby in andout. Theafter operatoryieldsan
automatonafterit hasexecutedagiventrace.STracegeneratesasuspensiontrace.
To definesuspensiontraces,the transitionrelation is extendedwith the refusalof outputactions:
self-looptransitionslabelledwith LU indicatethat no outputactioncanoccur. Refusalto outputcan
alsobeexpressedusingδ, which is regardedasanoutputactiondistinctfromLI andLU . A suspension
tracethuscontainsordinaryactionsandδ actions.If Lδ denotesL ∪ δ, asuspensiontraceσ ∈ L?δ .
Theconfor relationrequiresthat,after a suspensiontraceof s, theoutputsthatan implementation
i canproduceareincludedin whats canproduce.If i canfollow thesuspensiontrace,the inputsthat
s canacceptarealsoacceptedby i. strongconforhasa similar definition exceptthat outputinclusion
is replacedby outputequality. Normally confor is usedwhena specificationandan implementation
are deterministic,while strongconfor is usedwhen an implementationis more deterministicthan a
specification.The (strong)conforrelationsaremoreeasilyobserved if the LTSsof specificationsare
transformedto suspensionautomata.
A suspensionautomatonΓp of an LTS p is obtainedby determinisingp andaddingthe necessary
δ transitions. The suspensiontracesof p coincidewith the tracesof its suspensionautomatonΓp. In
addition,for all σ ∈ L?, out(Γp afterσ) = out(p afterσ); see[14] for theproof. Thereforechecking
(strong)conforcanbeeasilyreducedto checkingtraceinclusionon suspensionautomata.Only traces
withoutδ transitionsarecheckedfor confor, while all thetracesof asuspensionautomatonarechecked
for strongconfor.
A verification tool VeriConf hasbeendevelopedto checkthe (strong)conforrelationsusing the
programminginterface of CADP (CæsarAldébaranDevelopmentPackage[5]). Briefly, CADP is
exploitedto generateLTSsof bothspecificationandimplementation.Thentheverifierisusedto produce
7





Test),a testsuite,anda relationthatcheckscorrectnessof theimplementationagainstthespecification.
Thereshouldpreferablybea testgenerationalgorithmthatproducestestsuitesautomatically. An IUT
maybea product,a formal specification,or evenan informal specification.Presumingthatevery IUT
hasaformalmodelis referredto thetesthypothesis.Notethatonly theexistenceof amodelis assumed.
In this paper, implementationsaremodelledasIOLTSs(InputOutputLabelledTransitionSystems).
An IOLTS p is anLTS whoseactionsL arepartitionedinto inputsLI andoutputsLU , andwhose
input actionsarealwaysenabledin any state.This classof systemis denotedby IOLT S(LI , LU ) ⊆
LT S(LI ∪ LU). Specifications,however, arestill modelledasan LTS to permit an abstractview of
behaviour. SuchspecificationsareinterpretedasincompletelyspecifiedIOLTSswheresomeinputsare
not specifiedin somestates. The intentionof incompletenessmight be implementationfreedom,or
becausetheenvironmentwill notprovide undesirableinputs.
Several implementationrelationshave beendefinedby othersbetweenLTSsandIOLTSs. Some
of theserelations,suchas the one analogousto testingpreorder, are too strongin that they require
specificationsto be IOLTSs. This is obviously impracticalin mostcases.The ioco relationhasbeen
definedto supportconformancetesting. The ioco relation is very similar to confor. The difference
is that implementationsacceptedby confor may not be input-receptive, whereasioco assumesthat
implementationsaremodelledas IOLTSs(andcanthusalwaysacceptall inputs). Consequently, the
input inclusionconditionrequiredby confor is alwayssatisfiedin thecaseof ioco.
A testsuiteis a setof testcases.For practicalreasons,testcasesmusthave finite behaviour. In
additionthey shouldbedeterministicto allow a testerto have controlover testexecution.This requires
that testcaseshave no choicesbetweenmultiple input actionsor betweeninput andoutputactions,as
both introduceundesirablenon-determinismduring a test. As a resulta stateof a testcaseis either
terminal,offersoneinputto theimplementation,or acceptsall possibleoutputsfrom theimplementation
(including the δ action). The terminalstatesof a testarelabelledwith Passor Fail to yield a verdict.
Whenanimplementationis tested,it will stoponly in a passor fail state.Sinceanimplementationcan
be non-deterministic,different terminalstatescanbe reachedwith different testrunsof the sametest
case.Only whenanimplementationpassesall possibletestrunsis it saidto passthetestcase.
A testcaseis modelledasanLT S(LI ∪ LU ∪ {δ}). As before,δ meansa statecannotproduce
any output. Testcasesareobtainedby a finite recursive applicationof thefollowing non-deterministic
choices:terminatethetestcase;giveanext input to theimplementation;or checkthenext outputsof the
implementation.Thefirst choiceterminatesthegenerationprocedureto ensureateststopsatsomepoint
even thoughthe specificationmay include infinite behaviour. The secondchoicewill never result in
deadlockasinputsarealwaysenabled.Thethird choiceensuresfailureif animplementationproducesan
outputnot belongingto out(Γ). This testgenerationalgorithmguaranteesoundtestcaseswith respect
to (strong)confor, andthesetof testcasesthatcanbeobtainedis complete;see[14] for theproof.
In theDILL approachto testingdigital circuitdesigns,acircuit isspecifiedin LOTOS(whosesemantics
is givenby anLTS).Theimplementationof thesamecircuit is describedby VHDL (VHSIC Hardware
DescriptionLanguage[8]). Thebehaviour of aVHDL programis presumedto bemodelledby anIOLTS
thatis merelyassumedto exist – it neednotbeknown explicitly. Thetestsuitefor acircuit is generated
by an algorithm basedon that of [14]. The authorshave extendedCADP to generatehardware test
suitesautomaticallyfrom thesuspensionautomatonof thespecification.A VHDL testbenchexecutes






A possible test trace:






Op3(*S4), Ip, Op2(*S1), Op1...
Figure1: TestTracefor Nodeswith SeveralOutputs
implementation,theimplementationis regardedasincorrect.
Thetestcasesgeneratedin DILL approachhavetheform of tracesratherthantrees.Thisallowseasy
measurementof testcoverage,andautomaticexecutionof testcases.A testsuitecannotusuallycover
theentirebehaviour of a specificationasthis is normally infinite. Thestrategy is thereforeto cover all
transitionsin atransitiontourthataddressestheChinesePostmanproblem.Assuspensionautomatamay
notbestronglyconnected,it is notpossibleto makedirectuseof conventionaltransitiontouralgorithms.
Insteadthe approachof [7] is usedbecauseit is suitablefor all kinds of directedgraphs. Depth-first




in a suspensionautomata.This situationarisesif anoutputmaynot bematchedby theimplementation
undertestsinceotheroutputsarepermitted.This methodis not soeffective whenthebehaviour of an
implementationis non-deterministic.The problemis that whenan inconclusive verdict is reached,a
testrun is abortedandothertestcasesareapplied. However, the testcasecouldbestill usefulif other
neighbouringoutputscanbefoundsothatthetestrunmaycontinue.
Contradictorybranchesin the suspensionautomatonarethereforemarked with ‘?’ andthe corre-
spondingstatelabel. Obviously, outputswith the samemarks in a test suite are neighboursin the
correspondingsuspensionautomaton.In this way thebranchingstructureof the automatontreeis re-
flectedin a testcase. The transitiontour algorithmis ableto cover all the transitionsin a suspension
automaton.If an implementationdiffers from all theoutputswith a certainmark,a fail verdict should
berecorded.This techniquerequiresa testbenchthatis ableto searchthewholetestsuitefor marks.
Figure1 is an exampleof this technique. If an implementationhasthe behaviour Ip, Op1, Op2,
Op3,... it will follow Ip, Op1,Op2 in a testrun. But whenoutputOp3 fails at Op1(?S4), thetestbench
mustlook for anotheroutputwith thesamemarkto seeif Op3canbematched.In this caseit canfind
Op3(?S4)andcontinuetesting.If animplementationbehavesasIp, Op3,... thentherewill benooutput
markedwith (?S1)thatcanmatchOp3; theimplementationwouldberegardedasincorrect.
The testbenchwould normally searchthe remainderof a test tracewhenan inconclusive point is
metso that testingcango forward. However suchmarkssometimesexist only in theprevious partof
the trace,forcing the searchto go backward. This meansthat loopsmay ariseduring testing,so the
testbenchneedsastrategy to avoid this.
The testbenchalsoneedsto maintaina timer. Realcomponentsdo not have unboundeddelays,so
whena δ transitionis encounteredthetestbenchmustrecordthetime thatelapses.If thereis no output
within a certainperiod,theδ transitioncanberegardedashaving occurred;otherwisea failureverdict
9
mustbegiven. Thevalueof thetimer reflectsthedelaysin therealcircuit. A testbenchwill alsohave to
decidewhento provide inputs.For testcaseT1 in thelaterexampleof figure3, if InF !0 is providedtoo
lateafterthefirst input InF !1 thenanoutputmayhavealreadybeenproduced.Thebehaviour shouldbe
fully exploredby othertestcasessuchasT2. But thetestermight notbeawareof theinterrelationships
amongtests.T1 might thereforebeusedat therisk of producingfaulty testresults.
4 CaseStudy: An AsynchronousFIFO
As a typical circuit, an asynchronousFIFO (First In First Out buffer) is specifiedandanalysed.The
FIFOhastwo inputsInT, InF andtwo outputsOutT, OutF. Its inputsandoutputsusedual-railencoding
in which onebit needstwo signal lines. The pair of T/F (true/false)signalvalues1/0 correspondsto
datavalue1, while thepair0/1correspondsto 0. A signalof 0 onbothlinesindicatesidle, whichmeans
thereis no valid data. Lineshave to beresetto idle betweentwo transmissions.Supposea FIFO with
onestageis initially empty. It canaccepteither1 or 0 on receiptof InT or InF. Thedatais delivered
to theoutputlines. After onesuccessfultransmission,the input andoutputlines thathave beenraised
returnto 0 to wait for otherdata.Thebehaviour of onestagecanbeeasilyspecified:
processStage[InT,InF,OutT,OutF]:noexit : (* oneFIFO stage*)
InT !1; OutT !1; InT !0; OutT !0; (* input/output1 thenidle *)
Stage[InT,InF,OutT,OutF] (* continuebehaviour *)
InF !1; OutF!1; InF !0; OutF!0; (* input/output0 thenidle *)
Stage[InT,InF,OutT,OutF] (* continuebehaviour*)
endproc
A FIFO with severalstagescanbeobtainedby composinginstancesof thisprocess.For example,a
FIFO with two stagesandinternalsignalsIntT, IntF is specifiedas:
processSpec[InT,InF,OutT,OutF] (* FIFOspecification*)
hide IntT,IntF in (* internalsignals*)




A possibleimplementationfor a FIFO stageis givenin figure2 (a). Apart from thedatapath,there
aretwo linesthatcontroldatatransmission.Reqcomesfrom theenvironmentof astage,indicatingthat
environmenthasvalid datato transfer. TheAck line goesto theenvironment,indicatingthat thestage
is emptyandis thusreadyto receive new data. Both of thesecontrol signalsareactive when1. The
implementationusetwo C-Elements(seesection2.3)andaNor2gate(two-input‘not or’). Initially both
ReqandAck are1. Whenthereis valid dataon InT or InF, it is passedto OutTor OutF. At thesame
time, Reqshouldberesetto 0 until InT or InF returnsto theidle state.Ack is resetto 0 afterreceiving
dataonOutTor OutF, indicatingthatthestageis full. Whenthedataonoutputlinesis fetched,thestage
returnsto theidle stateandis readyfor thenext transmission.ThecorrespondingDILL specificationof
thisFIFO cell is asfollows:





Theinputs/outputof theC-Elementsareinitialisedto 0,1/0, while thosefor theNor2 gatestartas0,0/1.
To ensurea FIFO workscorrectly, theenvironmenthasto be coordinated.For example,it should
provide correctinput dataaccordingto thedual rail encoding.To make thingseasier, it is convenient
to think abouttheenvironmentin two parts: EnvF (environmentfront-end)is a provider that is always






















Figure2: Implementationof A Two-StageFIFO from Individual Cells
processEnvF [Req,InT,InF] : noexit : (* dataprovider *)
InT !1; Req!0; InT !0; Req!1; (* provide1 *)
EnvF [Req,InT,InF] (* continuebehaviour *)
InF !1; Req!0; InF !0; Req!1; (* provide0 *)
EnvF [Req,InT,InF] (* continuebehaviour *)
endproc
processEnvB [Ack,OutT,OutF]: noexit : (* dataconsumer*)
OutT !1; Ack !0; OutT !0; Ack !1; (* accept1 *)
EnvB [Ack,OutT,OutF] (* continuebehaviour *)
OutF!1; Ack !0; OutF!0; Ack !1; (* accept0 *)
EnvB [Ack,OutT,OutF] (* continuebehaviour *)
endproc
A two-stageFIFOcanthenbeimplementedasin figure2 (b):
processImpl [InT,InF,OutT,OutF]: noexit : (* FIFO implementation*)
hide Req,IntT,IntF,IntR,Ack in (* internalsignals*)
EnvF [Req,InT,InF] (* dataprovider *)
|[Req,InT,InF]|
Cell [InT,InF,IntT,IntF,IntR,Req] (* first cell *)
|[IntT,IntF,IntR]|
Cell [IntT,IntF,OutT,OutF,Ack,IntR] (* secondcell *)
|[Ack,OutT,OutF]|
EnvB [Ack,OutT,OutF] (* dataconsumer*)
endproc
Whenspeedindependenceneedsto be verified, eachbuilding block (including the environment)
shouldbe specifiedin the input quasi-receptive style. Impl QR is the correspondingimplementation
specification.It canusetheDILL library for quasi-receptivespecificationsof thebasicbuilding blocks. It
alsoneedsthecorrespondingquasi-receptive specificationsEnvF QRandEnvB QR. EnvF hasno inputs
andsois identicalto EnvF QR. EnvB QRhastheform:
processEnvB QR [Ack,OutT,OutF]: noexit : (* receptivedataconsumer*)
OutT !1; (* value1 outputby FIFO *)
(Ack !0; (OutT !0; (Ack !1; EnvB QR [Ack,OutT,OutF]
OutT !1; stop OutF!1; stop)
Ack !1; stop OutF!0; stop) (* incorrectackor FIFO output*)
OutT !0; stop OutF!0; stop) (* incorrectFIFOoutput*)
OutF!1; (* value0 outputby FIFO *)
(Ack !0; (OutF!0; (Ack !1; EnvB QR [Ack,OutT,OutF]
OutT !1; stop OutF!1; stop)
11
InF !0







































OutF !1 OutT !1
FailPass Fail 















Ack !1; stop OutT !0; stop) (* incorrectackor FIFO output*)
OutT !0; stop OutF!0; stop) (* incorrectFIFOoutput*)
Ack !0; stop
endproc
Thespecificationshouldexhibit liveness.UsingCADP, it wasverifiedthatthespecificationsatisfies
thefollowing propertyexpressedin ACTL (Action-basedComputationalTreeLogic [12]). If thereis an
input of 1, thenoutputwill become1 eventually:AG([InT !1]A[truetrueUOut!1true]). Theformulafor
data0 is similar andwasalsoverifiedto betrue. It wasverifiedthatSpec≈ Impl || (EnvB |[· · ·]| EnvF)
usingCADP, where≈ denotesobservationalequivalence.
Tocheckspeedindependence,theinputquasi-receptive specificationswereused.It wasalsoverified
thatSpec≈ Impl QR || (EnvB QR |[· · ·]| EnvF QR), which givesmoreconfidencein thedesignof the
FIFO.TheimplementationImpl QR || (EnvB QR |[· · ·]| EnvF QR)alsosatisfiesthelivenessproperty.
Figure 3 gives the LTS for the FIFO (minimisedwith respectto observational equivalence),the
suspensionautomatonfor theLTS,andseveral tests.BecausetheLTS is deterministic,thesuspension
automatonhasalmostthesamestructureexceptfor theδ transitions,whichappearascirclesin thefigure.
TestT1 providestwo inputsandthencheckstheoutputof animplementation.If outputOutF changes,
theimplementationpassesthetest.Howeverif OutTchangesor if thereis nooutput,theimplementation
fails the test. Similarly, testT2 checksoutputafteroneinput is provided. TestT3 checksoutputright
away. For this test,anoutputfrom theinitial stateis incorrectandresultsin a fail verdict. Only afteraδ
transition,meaningthatnooutputis produced,cantestingcontinue.
It wasestablishedthatImpl QR|| (EnvB QR|[· · ·]| EnvF QR) strongconfSpecby usingtheauthors’
VeriConftool. Theauthors’TestGentool producesasingletestcaseof length28 for theFIFO:
12
InF !1 InF !0 OutF!1 InF !1 OutF!0 OutF!1 InF !0
InT !1 OutF!0 InT !0 OutT !1 InT !1 OutT !0 OutF!1
δ InF !0 OutF!0 InT !1 OutT !1 InT !0 InT !1
OutT !0 OutT !1 δ InT !0 OutT !0 δ Pass
5 CaseStudy: An Or-And Cir cuit
This examplewas introducedin [3] to show the differencebetweenspeedindependenceand delay
insensitivity. Althoughsmall,it revealsthenecessityof usinginputquasi-receptive specifications.As in
section2.3,eventsareabbreviatedby omitting signalvalues!1 and!0. Thecircuit hasinputsIp1, Ip2,
Ip3 andoutputsOp1,Op2. OutputOp1 is thelogicalor of Ip1, Ip2, while outputOp2 is thelogicaland
of Ip2, Ip3.
The abstractcircuit specificationis shown in figure 4 (a). The componentOr andAnd gatesare
specifiedin figures4 (b) and4 (c) respectively. The proposedimplementationis in figure 4 (d). The
verification task is to check if this implementationis delay-insensitive and speed-independent. For
analysingdelay insensitivity, the circuit is transformedto figure 4 (e), wherethe isochronicfork in
figure 4 (d) is replacedby an explicit Fork element. (Referbackto section2.3 for an explanationof
these.)Theimplementationsin figures4 (d) andfigure4 (e) arespecifiedasImpl1 andImpl2:
processImpl1 [Ip1,Ip2,Ip3,Op1,Op2] : noexit : (* isochronicfork implementation*)
Or2 [Ip1,Ip2,Op1]|[Ip2]| And2 [Ip2,Ip3,Op2] (* or plusandgates*)
endproc
processImpl2 [Ip1,Ip2,Ip3,Op1,Op2] : noexit : (* ordinaryfork implementation*)
hide Int1,Int2 in
(Or2 [Ip1,Int1,Op1]||| And2 [Int2,Ip3,Op2]) (* or plusandgates... *)
|[Int1,Int2]|
Fork [Ip2,Int1,Int2] (* with fork input *)
endproc
The statespacesof Impl1 and Impl2 are much larger than that of Spec. For example,both can
acceptIp2 andIp3 from their initial statesbut Speccannot. Sinceno explicit environmentis given,a
direct verificationapproachis to compareImpl1 || Specwith Spec, i.e. assumingthat Specis alsothe
environmentof its implementations.It wasfoundthat Impl1 || Spec≈ SpecandImpl2 || Spec≈ Spec
by usingCADP. This suggeststhatfigures4 (d) and(e)arebothcorrectimplementationsof Spec.
However, to ensurethatbothimplementationsarereallyspeed-independent, themoreaccurateinput
quasi-receptive modelis needed.Figure5 shows therevisedLTSs.Thecorrespondingimplementations
areImpl1 QRandImpl2 QR. It wasdiscoveredthatImpl1 QR strongconforSpecby usingtheauthors’
VeriConf tool. UnfortunatelyImpl2 QRdoesnot have theconforor strongconforrelationshipto Spec.
Thetoolgivesadiagnostictrace:Ip1,Op1,Ip3, Ip2,Op2,Ip2, Ip1. By analysingthistraceit canbefound
thatafterOp2 is produced,thespecificationis ableto receive Ip1 andIp2. But for the implementation
in figure4 (e),afterOp2 is producedthefork componentmaystill bein theunstablestatesinceInt1 has
not beenproducedyet. In this unstablestate,an Ip2 input makesthebehaviour of the fork component
undefined. This meansthat figure 4 (e) is not speed-independent,i.e. the correctnessof the circuit
dependson the speedof Fork. Figure4 (d) is thereforenot a delay-insensitive implementationof the
specification.
6 CaseStudy: A Selector
As a final example,a selector(seesection2.3)allows non-deterministicbehaviour in implementations.

















































givesits LTS (minimisedwith respectto observationalequivalence),the suspensionautomatonof the
LTS,andoneof thetestcases.TestT4 shows thatafterinput Ip !1, animplementationproducingeither
Op1!1 or Op2!1 will passthetest.
The authors’TestGentool producesa singletestcaseof length11 for the selector. This example
shows how contradictorybranchesaremarked. A selectorthat insistson sendingits input to Op1can
follow teststeps1, 2, 3, 4, 5, 6, 2, 3, ... This is a loop thatthetestbenchmustbreak.
IP !1 Op1!1 (?S1) Ip !0 Op1!0 (?S2) δ Ip ! 1
Op2!1 (?S1) δ Ip !0 Op2!0 (?S2) Pass
7 Conclusion
An approachto verifying asynchronouscircuitshasbeenpresented.A key aim hasbeento modelreal
hardwareeffectively usingLOTOS. A rangeof typical asynchronouscomponentshasbeenspecified,
demonstratingtheapplicabilityof theapproach.(Quasi)delay-insensitive circuitsaretransformedinto
speed-independentdesigns.Violationsof speed-independence(or really semi-modularity)arechecked
usinginput (quasi-)receptive specifications.
New relationsconforandstrongconforhave beendefinedto assessthe implementationof anasyn-
chronouscircuit againstits specification.Therelationsprovide anintuitive interpretationof correctness
andoffer clearadvantagescomparedto otherapproaches.TheVeriConftool hasbeendevelopedto sup-
port them.Thetheoryof Input-OutputLabelledTransitionSystemshasalsobeenadaptedfor generating
testsof asynchronouscircuitsbasedonsuspensionautomata.TheTestGentoolgeneratestestsuitesusing
transitiontoursof automata.This allows automaticgenerationof testsuiteswith reasonablecoverage,
























Figure5: Input Quasi-Receptive Specificationsof Or-AndComponents
i i




















[1] A. Cerone,D. A. Kearney,andG.J.Milne. Integratingtheverificationof timing,performanceandcorrectness
propertiesof concurrentsystems.In Proc. Applicationof Concurrencyto SystemDesign, pages109–119.
IEEEComputerSocietyPress,1998.
[2] D. L. Dill. Trace Theoryfor AutomaticHierarchical Verification of Speed-IndependentCircuits. ACM
DistinguishedDissertations.MIT Press,1989.
[3] J.Ebergen. A formal approachto designingdelay-insensitive circuits. DistributedComputing, pages107–
119,1991.
[4] J. C. Ebergen,J. Segers,andI. Benko. Parallelprogramandasynchronouscircuit design.In G. Birtwistle
and A. Davis, editors, AsynchronousDigital Circuit Design, Workshopsin Computing,pages51–103.
Springer-Verlag,1995.
[5] J.-C. Ferńandez, H. Garavel, A. Kerbrat, R. Mateescu, L. Mounier, and M. Sighireanu. CADP
(CÆSAR/ALDÉBARAN DevelopmentPackage):A protocolvalidationandverificationtoolbox. In R.Alur and
T. A. Henzinger, editors,Proc. 8th. Conferenceon Computer-AidedVerification, number1102in Lecture
Notesin ComputerScience,pages437–440.Springer-Verlag,Berlin, Germany, Aug. 1996.
15
[6] G.Gopalakrishnan,E.Brunvand,N. Michell, andS.Nowick. A correctnesscriterionfor asynchronouscircuit
validationandoptimization.IEEETransactionsonComputer-AidedDesign, 13(11):1309–1318,Nov. 1994.
[7] R. C. Ho, C. H. Yang,M. A. Horowitz, andD. L. Dill. Architecturevalidationfor processors.In Proc.22nd.
AnnualInternationalSynposiumon ComputerArchitecture, 1995.
[8] IEEE. VHSICHardware DesignLanguage. IEEE 1076.Institutionof ElectricalandElectronicEngineers
Press,New York, USA, 1993.
[9] Ji He andK. J.Turner. Protocol-inspiredhardwaretesting.In G. Csopaki,S.Dibuz,andK. Tarnay, editors,
Proc. TestingCommunicatingSystemsXII, pages131–147,London, UK, Sept.1999.Kluwer Academic
Publishers.
[10] Ji HeandK. J.Turner. Specificationandverificationof synchronoushardwareusingLOTOS. In J.Wu, S.T.
Chanson,andQ. Gao,editors,Proc. Formal Methodsfor Protocol Engineeringand Distributed Systems
(FORTEXII/PSTVXIX), pages295–312,London,UK, Oct.1999.Kluwer AcademicPublishers.
[11] C.E.Molnar, T.-P. Fang,andF. U. Rosenberger. Synthesisof delay-insensitivemodules.In H. Fuchs,editor,
Proc.ChapelHill ConferenceonVeryLargeScaleIntegration, pages67–86.ComputerSciencePress,1985.
[12] R. D. Nicola andF. Vaandrager. Threelogicsfor branchingbisimulation. In Proc.5th. AnnualSymposium
on Logic in ComputerScience(LICS90), pages118–129.IEEE ComputerSocietyPress,1990.
[13] J. M. T. Romijn, O. Sies,andJ. R. Moonen. A two-level approachto automatedconformancetestingof
VHDL designs.Testingof CommunicatingSystems, 10:432–447,1997.
[14] J. Tretmans.Testgenerationwith inputs,outputsandrepetitive quiescence.Software ConceptsandTools,
17:103–120,1996.
16
