Efficient timing analysis algorithms for timed state space exploration* by Myers, Chris J. & Belluomini, Wendy
Efficient Timing Analysis Algorithms for Timed State Space Exploration*
Wendy Belluomini 
Computer Science Department 
University of Utah 
Salt Lake City, UT 84112
Chris J. Myers 
Electrical Engineering Department 
University of Utah 
Salt Lake City, UT 84112
Abstract
This paper presents new timing analysis algorithms for efficient state space exploration during timed circuit synthesis. Timed circuits are a class of asynchronous circuits that incorporate explicit timing information in the specification which is used throughout the synthesis procedure to optimize the design. Much of the computational complexity in the synthesis of timed circuits currently is in finding the reachable timed state space. We introduce new algorithms which utilize geometric regions to represent the timed state space and partial orders to minimize the number of regions necessary. These algorithms operate on specifications sufficiently general to describe practical circuits.
1. Introduction
There has been a renewed interest in asynchronous circuits in recent years due to their advantages over synchronous circuits in performance and power consumption and as a way to eliminate problems related to clock skew [3, 5, 9, 16, 17]. However, many of these advantages are often reduced or eliminated completely when the additional overhead in both speed and area that is required to build correct asynchronous circuits is included. This overhead mostly derives from the necessity to design a circuit that works correctly while making few or no assumptions about the timing of the signal transitions involved. This often leads to additional time and space being spent in the circuit to deal with contingencies that never happen. Timed circuits, which are designed using timing information, can often perform much better than asynchronous circuits designed neglecting explicit timing information [11, 1].
Timing information can either be used after the initial circuit has been designed to optimize out unnecessary circuitry [1] or in the process of the design to avoid generating it in the first place [11]. This paper concentrates on the second case, although the techniques presented here may be applicable to the first case as well. In order to generate a circuit for a given specification, the design tool must find the reachable state space. This is generally done without including timing information, since adding timing information is thought to complicate an already exponential problem. However, in practice, timing information can often designate large portions of the state space as unreachable and therefore reduce the time it takes to generate the reachable state space and synthesize the circuit. As long as the timing analysis part of the exploration does not add too much overhead to the design process, it is worthwhile to do timing analysis at the same time as state space exploration.
*This research is supported by a grant from Intel Corporation, NSF CAREER award MIP-9625014, and an NSF Traineeship award.
Most of the timing analysis algorithms currently in use are not well suited for general timed state space exploration. They either place too many limitations on the types of specifications they can analyze, or they require that the complete specification be analyzed for each pair of events. Since timed state space exploration may involve unrolling a cyclic specification many times, keeping around the timing information for all events can cause an unacceptable overhead. In [14], algorithms are presented to do timed state space exploration while storing only local timing information. However, the algorithms only work on a restricted class of specifications where the firing time of each event can only be controlled by a single predecessor event.
This paper presents four new algorithms for timed state space exploration. The first extends the basic geometric timing analysis algorithm presented in [14] to allow the firing time of each event to be constrained by multiple predecessor events. The second shows how partial order information can be applied to efficiently determine a conservative approximation of the timed state space for the same extended class of specifications. The third algorithm is a partial order timing algorithm which finds the exact timed state space. This algorithm, however, can increase the computational complexity significantly, since it requires more than local timing information. Therefore, the fourth algorithm adds new data structures that allow the algorithm to find the exact timed state space with only local timing information. Each of these algorithms maintains the advantages of the approach taken in [14], while eliminating the restriction. This allows efficient timed state space exploration of a much more general class of specifications.
2. Timed state space exploration
The objective of timed state space exploration is to take 
a specification of a circuit that has timing information and 
produce its reachable state space. This section presents the 
specification structure that we use and the generic algorithm 
that can be used to explore the state space of these structures.
2.1. Timed ER structures
Many methods have been proposed to specify timed systems. Two well known methods include time Petri nets where timing constraints are assigned to the transitions and timed Petri nets where timing is assigned to the places. All of the algorithms presented in this paper work on timed event-rule (ER) structures [11], which can represent a set of specifications equivalent to those represented by both types of Petri nets. Timed ER structures can also represent specifications such as the one in Figure 1(b) that cannot be easily translated into either Petri net semantics without somewhat complex graph transformations. We have also shown that timed ER structures can be automatically generated from some higher level languages such as CSP [11] or VHDL [21]. Since timed ER structures separate causality from conflict, they are both easier to generate from high level descriptions, and easier to analyze.
A timed ER structure S can be represented with the tuple 
where:
1. $A$ is the set of atomic actions;
2. $E \subseteq A \times (\mathbb{N} = \{0, 1, 2, \ldots\})$ is the set of events;
3. $R \subseteq E \times E \times \mathbb{N} \times (\mathbb{N} \cup \{\infty\})$ is the set of rules;
4. $\# \subseteq E \times E$ is the conflict relation.
The set contains the atomic actions possible in the system. The occurrence of an action is an event and is denoted where is the action and is an occurrence index for the action. The rule set $R$ represents a causal dependence between events. Each rule, of the form is composed of an enabling event $e$, an enabled event $f$, and a bounded timing constraint $\langle l, u \rangle$. A rule is enabled if its enabling event has occurred. The timing constraint places a lower and upper bound on the timing of a rule. A rule is satisfied if the amount of time which has passed since the enabling event has exceeded the lower bound of the rule. A rule is said to be expired if the amount of time which has passed since the enabling event has exceeded the upper bound of the rule. Ignoring conflict, an event cannot occur until all rules enabling it are satisfied. An event must always occur before every rule enabling it has expired. Since an event may be enabled by multiple rules, it is possible that the differences in time between the enabled event and some enabling events exceed the upper bound of their timing constraints, but not for all enabling events.
The conflict relation is added to model disjunctive behavior and choice. When two events and are in conflict, (denoted $e \# e'$), this specifies that either $e$ can occur or $e'$ can occur, but not both. Taking the conflict relation into account, if two rules have the same enabled event and conflicting enabling events, then only one of the two mutually exclusive enabling events needs to occur to cause the enabled event. This models a form of disjunctive causality. Inherently disjunctive behavior, or true OR causality, cannot currently be modeled, but we are working on techniques to address this. Choice is modeled when two rules have the same enabling event and conflicting enabled events. In this case, only one of the enabled events can occur.
If a specification is cyclic, then the timed ER structure 
representing it is infinite. However, due to its repetitive 
nature, this infinite behavior can be described with a finite 
model by adding an additional set of rules and conflicts 
which recursively define the infinite structure [11].
An example of a timed ER structure is shown in Figure 1(a). The vertices are events and the arcs are rules. Each rule is labeled with the delay range associated with it. Tokens can be used to indicate that a rule's enabling event has fired. An arc with a tick mark represents an initial rule. Ignoring the initial rule, this structure specifies that after occurs, either or can occur, but not both since they conflict. If occurs, follows to time units later. If occurs, follows to time units later. happens after either or . Note that since and conflict that only one of these events needs to occur to cause F. One other interesting note is that happens at most time units after even though it is specified to have a maximum of . At time 5, a choice between B and C must be made, since if time advanced the rule between and would expire. This semantics is the same as the one used in time Petri nets. Timed Petri nets cannot model this behavior because a single timing constraint must be given for the choice place leading to and . If the timed Petri net semantics is desired, then we can simply set the timing constraint between and and between and to be equal.
The infinite structure can be derived from the cyclic representation of the timed ER structure by cutting the graph at the tick marks and giving each event an occurrence index of . Each initial rule in the cyclic graph is then appended to the cut graph with an enabled event which has an index greater
the rest of the rules are added with increased indices. This process can be repeated to obtain a structure of arbitrary size. The formal details are given in [11].
Figure 1. Example of a timed ER structure.
2.2. Timed Configurations
We define the behaviors specified by a timed ER structure using timed configurations [11]. Winskel defined the allowed behaviors of event structures as subsets of events, or configurations [20]. In order to add timing, we introduce timed configurations in which each event is paired with the time of its occurrence.
The first requirement for a subset of events to be a configuration is that it must be conflict-free. In other words, if two events are in conflict, they cannot both occur in a configuration. Winskel defined Con to be the set of finite conflict-free subsets of , i.e. Con , defined as follows:
Con
In order to add timing, we define TCon to be the set of conflict-free subsets of events in which each event is paired with the real-valued time that the event occurred (i.e., $\mathit{TCon} \subseteq 2^{E \times \Re}$). To obtain Con from TCon, we define the function $\mathit{untime} : \mathit{TCon} \rightarrow \mathit{Con}$ in the obvious way.
The second requirement is that all events in the subset must be time-secured. Informally, this means that for each event in the set, all the events needed to enable the event are also in the set. To define this formally, we must first define when an event is enabled. The untimed enabling relation ($\vdash \subseteq \mathit{Con} \times E$) is defined as follows:
$$X \vdash f \Leftrightarrow [(\langle e, f, l, u \rangle \in R) \Rightarrow ((e \in X) \lor (\exists e' \in X : (e \# e') \land (\langle e', f, l', u' \rangle \in R)))]$$
Intuitively, this says given that the events in the set have occurred that the event is untimed enabled. This is true when a set of non-conflicting enabling events in rules in which is the enabled event are in the set . To incorporate timing, we now define the timed enabling relation ($\vdash_t \subseteq \mathit{TCon} \times \Re \times E$) as follows:
$$Z \vdash_t f \Leftrightarrow [(\mathit{untime}(Z) \vdash f) \land (\forall (e, t') \in Z : \langle e, f, l, u \rangle \in R \Rightarrow t > t' + l)]$$
Intuitively, this says that given that the set of event-time pairs in $Z$ have occurred and time has advanced to time $t$, the event $f$ is timed enabled. This is true when $f$ is untimed-enabled, and at time the lower bounds of all timing constraints have been satisfied. With this relation, we can now define $\text{time-secured} \subseteq \mathit{TCon} \times E$ as follows:
$$\text{time-secured}(Z, e) \Leftrightarrow [\exists (e_0, t_0), \ldots, (e_n, t_n) \in Z : e_n = e \land \forall i \leq n : \{(e_0, t_0), \ldots, (e_{i-1}, t_{i-1})\} \vdash_{t_i} e_i]$$
Intuitively, this says that given that the set of event-time pairs in have occurred, the event is time secured if and only if a sequence of events can be found in $Z$ which lead to being timed enabled.
The third requirement for a subset of events to be a configuration is that it is non-expired. Informally, this means that an enabled event must occur before it expires. An event is expired when for each of the rules enabling it, the time since the enabling event has exceeded the upper bound of the timing constraint. We define a relation $\mathit{expired} \subseteq \mathit{TCon} \times E \times \Re$ as follows:
$$\mathit{expired}(Z, f, t) \Leftrightarrow [(Z \vdash_t f) \land (\forall (e', t') \in Z : \langle e', f, l, u \rangle \in R \Rightarrow t > t' + u)]$$
Using this relation, we say a timed configuration 
is non-expired if for each of the events either the event 
has occurred and was not expired when it occurred, a 
conflicting event occurred and was not expired when that 
event occurred, or it has not occurred and is not expired at 
the latest time of any event occurrence in the configuration. 
We define the relation $\text{non-expired} \subseteq \mathit{TCon} \times E$ as follows:
non-expired expirednon-expired expeixrpeidred 
expired
Now, we can define all the timed configurations specified by a timed ER structure. For a timed ER structure $\langle A, E, R, \# \rangle$, a timed configuration of $S$ is a subset of event-time pairs which is:
1. conflict-free: ^  £ TCon;
2. time-secured: untime time-secured ;
3. non-expired: non-expired .
2.3. Generic algorithm
In order to explore the state space, the transition relation between states must be defined. In the previous sections, an event was defined to be untimed enabled if all the rules that enable it are enabled (with exceptions for conflicts). An event $e$ is defined to be timed enabled if all the rules that enable it are satisfied (with exceptions for conflicts). We now define a set $R_{en}$ which contains all enabled rules, and a subset of , , which contains all satisfied rules. The set $R_{en}$ defines an untimed state since it indicates which rules are enabled, but says nothing about timing. In order to determine which rules in should also be in , timing information is needed. How this timing information is represented depends on the specific timing analysis algorithm being used. We refer to an arbitrary set of timing information as TI. At a minimum, this information must contain how long each rule has been enabled. A timed state is defined to be combined with the set of timing information ($TS = R_{en} \times TI$). A timed state contains all the information necessary to compute .
All of the timed state space exploration algorithms presented here have the basic form shown in Figure 2. The algorithm simply does a depth-first search of the timed state space defined by the specification, and guided by the timing information, it finds all the timed states that are reachable. The find_enabled_events function uses timing information to determine what events should be included in the event_list, EL. Events are only added to EL if they can happen in the current timed state. An event is chosen from EL, and the current timed state and the rest of EL is pushed onto the stack. This event could be an action or it could simply be the advancement of time. If the event is an action, the fire function changes the set of enabled events ( ) and the timing information. If the event is time advancing, only the timing information changes and remains the same. The set, however, may change due to the change in the timing information. When a new timed state is found, it is added to the state space, and a new list of enabled events is found. If a timed state is reached that has been reached before, the algorithm pops a timed state and the list of events that have not yet been explored for that state off the stack. When a state that has been seen before is reached and there are no unexplored events on the stack, the entire timed state space has been found.
Algorithm 2.1 (Find timed states)
set_of_states find_timed_states(timed ER structure TERS){
  timed_state TS = initial_state(TERS);
  set_of_states S = {TS};

  TS = fire(e, TS, TERS);
  if (TS ∉ S) then
  TS ;
  EL = find_enabled_events(TS, TERS);
  else if TS then
  if (stack is not empty) then (TS, EL) = pop();

Figure 2. Timed state space exploration.
With this algorithm, untimed states are only explored if they can be reached given the timing information in the specification. This can eliminate large portions of the untimed state space for most designs since many states reachable without timing information are not reachable given the timing constraints in the specification. However, the algorithm must explore the entire timed state space. The size of the timed state space depends on the representation chosen for the timing information. For example, if a continuous clock is associated with each rule in , the timed state space would be infinite. If the timing information is represented more concisely, however, the timed state space that the algorithm explores may actually be smaller than the untimed state space. Since fewer states may be explored, timed state space exploration is often faster than exploring the untimed state space, as long as maintaining the timing information does not have an overwhelming cost. The algorithms presented in this paper address how to construct and maintain the timing information TI so that the set can be constructed from every timed state. What this data is, and how it is used to calculate depends on the specific timing analysis algorithm. Ideally, the algorithm only needs to retain a limited amount of timing information, so that the operations involved in maintaining the information are fast.
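The depth-first search of Algorithm 2.1 can be tried out with the simplest finite representation of TI, one integer clock per enabled rule. The following is an added example, not code from the paper or its tools: the four-rule structure is constructed, conflict and cyclic specifications are not modeled, and a rule is assumed to be satisfied once its age reaches the lower bound.

```python
TICK = "tick"  # pseudo-event: time advances by one unit

# Constructed sample structure (not from the paper): (enabling, enabled, lower, upper).
RULES = [("A", "B", 1, 2), ("A", "C", 5, 6), ("B", "D", 1, 3), ("C", "D", 1, 3)]


def initial_state(rules, fired):
    """Timed state = (fired events, ((rule index, age), ...) for enabled rules)."""
    ages = tuple((i, 0) for i, r in enumerate(rules)
                 if r[0] in fired and r[1] not in fired)
    return (frozenset(fired), ages)


def find_enabled_events(state, rules, timed=True):
    """Return the actions (events or TICK) that can happen in this timed state."""
    _, ages = state
    age = dict(ages)
    actions = []
    can_tick = timed and bool(age)
    for f in sorted({rules[i][1] for i in age}):
        into = [i for i, r in enumerate(rules) if r[1] == f]
        if not all(i in age for i in into):
            continue  # some enabling event has not fired: f is not untimed enabled
        # Timed enabled: every enabling rule has reached its lower bound (assumption: >=).
        if not timed or all(age[i] >= rules[i][2] for i in into):
            actions.append(f)
        # f must fire before every rule enabling it has expired (age > upper bound).
        if all(age[i] + 1 > rules[i][3] for i in into):
            can_tick = False
    if can_tick:
        actions.append(TICK)
    return actions


def fire(action, state, rules):
    """Advance time by one unit, or fire an event and enable its successor rules."""
    fired, ages = state
    if action == TICK:
        return (fired, tuple((i, a + 1) for i, a in ages))
    fired = fired | {action}
    kept = [(i, a) for i, a in ages if rules[i][1] != action]
    new = [(i, 0) for i, r in enumerate(rules)
           if r[0] == action and r[1] not in fired]
    return (fired, tuple(sorted(kept + new)))


def find_timed_states(rules, fired0, timed=True):
    """Depth-first search with an explicit stack, in the shape of Algorithm 2.1."""
    ts = initial_state(rules, fired0)
    seen = {ts}
    el = find_enabled_events(ts, rules, timed)
    stack = []
    while True:
        if el:
            e, rest = el[0], el[1:]
            if rest:
                stack.append((ts, rest))  # remember the unexplored events
            nxt = fire(e, ts, rules)
            if nxt not in seen:
                seen.add(nxt)
                ts, el = nxt, find_enabled_events(nxt, rules, timed)
                continue
        if not stack:  # state seen before (or dead end) and nothing left to explore
            return seen
        ts, el = stack.pop()


def markings(states):
    """Project timed states onto their untimed part (the set of fired events)."""
    return {fired for fired, _ in states}


if __name__ == "__main__":
    timed = find_timed_states(RULES, {"A"})
    untimed = find_timed_states(RULES, {"A"}, timed=False)
    print(len(markings(untimed)), "untimed markings,",
          len(markings(timed)), "reachable with timing")
```

With timing, the marking in which C has fired before B is never reached, and D only becomes timed enabled after the rule from B has passed its upper bound, which is the multiple-rule case described in Section 2.1.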
3. Overview of existing algorithms
There are a number of timing analysis algorithms that have been developed. They all work for the specific class of problems for which they were designed, but none of them is efficient for use in general timed state space exploration.
In [10], an algorithm is presented for finding the minimum and maximum time separations between events in acyclic graphs. It is $O(n^3)$ in the number of events in the graph. This algorithm can be used for timed state space exploration if the specification graph is finite and acyclic. However, most circuit specifications are cyclic.
In [12], a polynomial time algorithm is presented to compute an estimate of the minimum and maximum time separations between all events in a cyclic, conflict free graph. The algorithm works by unfolding the cyclic graph into an infinite acyclic graph and examining two finite acyclic subgraphs of the infinite graph to determine bounds on time separations between events. The estimate is usually sufficient for timed state space analysis and can be improved by analyzing larger subgraphs. The algorithm is where is the number of vertices and e is the number of edges in the subgraph analyzed. The conflict free restriction is too limiting, however, since most circuits need a choice type semantics to represent non-deterministic behavior in the environment.
CTSE [7] provides a way to find a single exact time separation between two events in a cyclic graph including limited types of conflict. However, each time CTSE finds a separation it reanalyzes the complete graph, so using it to compute all of the possible separations in a graph is slow. For example, in [7], CTSE takes 2 seconds to find one time separation in a Petri net with 21 transitions. To explore the entire state space it would be necessary to compute at least 21 separations and would take over 40 seconds. In the same paper, Orbits, a tool explicitly designed to compute the entire state space, takes 5 seconds to explore the entire state space. While CTSE is more efficient if only one separation needs to be computed, it is not appropriate for timed state space exploration. Also, while CTSE does handle choice, it is limited to unique, free and extended free choice [7].
Orbits [14] is specifically designed to do timed state space exploration and has been applied to timed circuit synthesis [13]. It uses geometric regions to keep track of the timing information relevant to the current marking of the graph and uses these regions to determine which events are timed enabled. Only local information about timing relationships is necessary to find the next set of timed states. This allows timing analysis to always be done on only a small subset of the events in the graph and is thus efficient, even for large graphs. Unfortunately, Orbits places some pretty severe restrictions on the types of graphs it can analyze. Each event can have only one rule, called a behavioral rule, that actually controls its firing time. In some cases, this single behavioral rule restriction can be worked around through transformations on the initial graphs [11], however, the transformations cause a large increase in the complexity of the graphs which need to be analyzed. For example, if an event originally has o behavioral rules, the graph is transformed to model the possible orderings of the enabling events.
Finally, in [19], a partial enumeration algorithm is 
presented to analyze a net with multiple behavioral rules. It 
is an interesting approach and the authors claim it is useful 
for validation, but it does not find the entire state space, and 
so cannot be applied to synthesis.
4. Geometric algorithms
There are many different ways that the timing information needed in the generic algorithm can be represented. The most obvious way would be to simply attach a continuously advancing clock to each of the enabled rules. This would, however, result in an infinite timed state space. A slightly better representation would be to attach a clock to each of the enabled rules that advances only in discrete time steps. It has been shown that for our class of specifications this is equivalent to the continuous model [6, 14]. This does make the state space finite, but it still explodes, especially if the delay ranges are large [15].
All of the timing analysis algorithms presented here are based on geometric regions. Geometric regions are a good way to concisely represent timing information [4, 8, 2, 14]. Large numbers of discrete timed states can often be condensed into a single contiguous geometric region that contains all of them, producing a large reduction in the number of timed states generated [14]. While worst case behavior of geometric timing is actually worse than the discrete method, it has been shown that it can work well in practice [15, 13].
When using geometric regions for timing analysis in the generic algorithm, we define TI to be a constraint matrix that specifies the maximum differences in time between the firings of the enabling events of all the rules in . The row and column of the matrix contain the separations between each rule in and a dummy rule . The firing time of is defined to be uniquely 0. Each entry in the matrix has the value max firing firing , which is the maximum time difference between the firing time of event and the firing time of event . Since the firing time of is always zero, the maximum time difference between event and event ( ) is just the maximum time since j fired, and the maximum time difference between event and event ( ) is the negation of the minimum time since fired. Note that only needs to contain information on the timing of the rules that are currently in $R_{en}$, not on the whole set of rules. This particular way of representing timed regions was first introduced in [4]. This constraint matrix represents a convex $|R_{en}|$ dimensional region. Each dimension corresponds to a rule and the firing times of the enabled events for the rules can be anywhere within the space.
4.1. Orbits
This representation of timed regions is used by Orbits to keep track of which rules are in $R_s$ for a given timed state. In Orbits, the only action possible is the firing of an event, so every action actually changes the untimed state. An event is timed enabled when its behavioral rule is in . When the timing information is stored in the geometric format, finding the list of timed enabled events is straightforward. The maximum time since the firing of each event is kept in the first row of the matrix. To look for timed enabled events, the algorithm can determine by scanning the first row of the matrix and then looking for events with their behavioral rule in .
Figure 3. Some examples of ER structures.
When events fire or new rules are added to $R_{en}$, the matrix needs to be updated to reflect the new timing information. Information about the newly enabled rules must be added to the constraint matrix, and information about rules that are no longer in must be removed. The main operation Orbits uses to do this is recanonicalization. Recanonicalization takes a matrix $M$ where some of the $m_{ij}$'s are greater than $\max(t_{firing}(j) - t_{firing}(i))$ and produces a matrix where all the $m_{ij}$'s have their maximum allowed value. The assignment of the $m_{ij}$'s so that they all have their maximum value is always unique, so Orbits can determine when a given region is equivalent to or contained in a region that has been seen before. Recanonicalization is essentially the all pairs shortest path problem and can be done in $O(n^3)$ time with Floyd's algorithm. In the case of Orbits, it can in fact be done incrementally in $O(n^2)$ time, since most of the entries in the matrix already have their canonical value [14]. The procedure that Orbits uses for updating the matrix when an event is fired is dependent on the single behavioral rule restriction. We present new procedures for adding timing information to the matrix that allow the same recanonicalization method to be used without the single behavioral rule restriction in the next section. These algorithms retain the efficiency of the Orbits approach while eliminating the restriction.
4.2. Geometric timing in ATACS
The Orbits algorithm described above only works with the single behavioral rule restriction in which each event can only be constrained by a single rule. This assumption is too restrictive for most circuit specifications. For example, a simple AND gate could not be represented with this restriction since either input can constrain the time when the output changes. The restriction can be worked around with graph transformations as mentioned earlier, but this can cause a substantial increase in graph size. In this section, we present an extension to the Orbits algorithm that provides for multiple behavioral rules. If multiple behavioral rules are allowed, it is possible for a rule to become expired. The timed ER structure in Figure 3(a) shows an example of this. The rule $\langle C, D, 2, 5 \rangle$ has to remain enabled at least 9 time units before $\langle B, D, 2, 5 \rangle$ is satisfied and allows event D to fire. If rules are allowed to expire, non-convex regions can be produced. Since Floyd's algorithm only works on convex regions, this must be avoided. One way to eliminate the single behavioral rule restriction and avoid generating non-convex regions is to change the timing semantics of the specification so that rules are never allowed to exceed their maximum bounds (i.e., type 1 semantics [18]). In type 1 semantics, the specification is invalid if a rule cannot fire within its timing range. In real circuits, however, rules typically are allowed to exceed their maximum bounds (type 2 semantics [18]).
Algorithm 4.1 (Fire a rule)
void fire_rule(rule ⟨e, f, l, u⟩, constraint matrix M,
               rule set R_f, R_en, R_s){
  M[index(⟨e, f, l, u⟩)][0] = -l;
  recanonicalize
  project(M, index(⟨e, f, l, u⟩));
  ;
  ;
  R_s = R_s - ⟨e, f, l, u⟩;

Figure 4. Procedure for firing a rule.
Our geometric timing algorithm eliminates the single behavioral rule restriction and allows timing analysis of specifications in which rules can expire. In the Orbits algorithm, the timing information is only updated when an event fires. The single behavioral rule restriction can be eliminated if timing information is updated whenever a rule fires and rules are allowed to fire independently of events. A rule can always fire when it is satisfied. The firing of a rule, however, does not always correspond to the firing of an actual event. An event only fires when all of the rules enabling it have fired. As rules fire, they are projected out of the constraint matrix, and are removed from both $R_s$ and $R_{en}$. They are added to a new set of "fired" rules, $R_f$, which is part of the timing information. Since they have fired, timing information about them is no longer needed, but the fact that they have fired must be recorded. When a set of rules sufficient to enable an event $e$ are in $R_f$, $e$ can fire.
This new method for updating the timing information requires a change in the Orbits algorithm. When using the Orbits algorithm, the find_enabled_events function in Algorithm 2.1 computes a list of events to fire. In the new algorithm, instead of determining a list of timed enabled events to fire, the function computes a list of satisfied rules to fire. The list of rules that are satisfied is simply $R_s$ which can be calculated easily by scanning the first row of the constraint matrix which contains the maximum time since the enabling of all the rules in .
The firing of actual events is handled within the fire_rule routine specified in Figure 4. This function takes as input the rule chosen to fire, the constraint matrix, and the corresponding rule sets. The index function used in the algorithm takes a rule, and returns its index in the constraint matrix. The first step of the function sets the minimum time since the enabling of the firing rule to be its lower bound since in order to fire, it must have been enabled as long as its lower bound. The matrix is then recanonicalized to produce a new region that is constrained by this firing time. The timing information for this rule is then removed from the matrix by the project operation. Projection simply removes the row and column corresponding to this rule from the matrix. This step is what allows the size of the constraint matrix to remain instead of growing with the size of the specification. The rule is also added to $R_f$ and removed from $R_{en}$ and . Next, the algorithm checks if firing this rule has caused any events to be fired. An event is fired if all of the rules that enable it are either in $R_f$ or conflict with another rule that is in $R_f$. If it has not, the algorithm is done. If it has, the algorithm removes from $R_{en}$ and $R_f$ any rules with enabled events which conflict with the event that fired. The algorithm also removes from any rules that enabled the firing event, and adds to any rules enabled by the firing of the new event. Timing information on the newly enabled rules is then added to the matrix. When a rule is initially enabled, no time has passed since its enabling, so the entries in the matrix for the minimum and maximum times since its enabling are set to zero. The maximum difference between the enabling time of a newly added rule and any old rule is just the maximum time since the enabling of the old rule. Therefore, the new row of the matrix is set to equal the 0th row. The minimum difference between the enabling times of a new rule and an old rule is the minimum time since the enabling of the old rule, so the new column is set to the 0th column. Finally, in the advance time step, the maximums in the 0th row are set to their maximum specified value (the upper bounds on the rules), and the matrix is recanonicalized. We now have a constraint matrix representing the region of possible firing times for the rules in the updated set.
Figure 5 shows an example of how Algorithm 4.1 would be applied to a simple ER structure. The ER structure, with its enabled rules marked with tokens, is shown in the first column, the constraint matrix is shown in the second column, and the contents of the , , and sets are shown in the third column. Initially, rules and are in . The constraint matrix indicates that the maximum time since both these rules were enabled is 5. Since the lower timing bound on ⟨A, C⟩ is 10, it is not timed enabled and therefore not in R_s. The lower bound on ⟨B, C⟩ is 2, which is less than 5, so it is timed enabled and is in R_s. The rule ⟨B, C⟩ then fires. It is added to the R_f set and its timing information is projected out of the constraint matrix. No events are enabled to fire, so no new rules are enabled. After the firing of , the constraint matrix indicates that the maximum time since the firing of is 20. This is larger than the lower timing bound on , so it can be added to R_s. The rule ⟨A, C⟩ then fires. Its timing information is projected out of the constraint matrix, and the rule is added to R_f. The R_f set is then sufficient to enable an event, , which causes the rule it enables, , to be added to the set. The recanonicalization procedure that produces the values in the constraint matrix is not shown here, but is described in detail in [14].
[Figure 5. Firing rules. Columns: ER structure, constraint matrix, rule sets.]
Initially: constraint matrix rows (0 5 5), (0 0 0), (0 0 0); R_en = {⟨A,C⟩, ⟨B,C⟩}, R_s = {⟨B,C⟩}, R_f = ∅
R_en = {⟨A,C⟩}, R_s = {⟨A,C⟩}, R_f = {⟨B,C⟩}
After rule fires: R_en = ∅, R_s = ∅, R_f = {⟨A,C⟩, ⟨B,C⟩}
R_en = {⟨C,D⟩}, R_s = {⟨C,D⟩}, R_f = ∅
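The Figure 5 walk-through, replayed as an added Python example (not code from the paper or from its tool): a small constraint-matrix class with the fire, project, add-rule and advance-time steps as the text describes them. The bounds [10, 20] on ⟨A, C⟩ and [2, 5] on ⟨B, C⟩ are taken from the page's discussion of Figure 5; the bounds on ⟨C, D⟩ are constructed, and conflict handling is left out.

```python
def canonicalize(m):
    """Floyd's all-pairs shortest paths: tighten every bound in place."""
    n = len(m)
    for k in range(n):
        for i in range(n):
            for j in range(n):
                m[i][j] = min(m[i][j], m[i][k] + m[k][j])
    return m


class Region:
    """Constraint matrix over the enabled rules (R_en).

    Index 0 is the reference; index i >= 1 is self.rules[i - 1].
    m[0][i] is the maximum time since rule i was enabled, m[i][0] is minus
    the minimum, and m[i][j] bounds age(j) - age(i).
    """

    def __init__(self, bounds):
        self.bounds = bounds          # rule -> (lower, upper)
        self.rules = []
        self.m = [[0]]

    def index(self, rule):
        return self.rules.index(rule) + 1

    def add_rule(self, rule):
        # A newly enabled rule has age 0: new column = column 0, new row = row 0.
        for row in self.m:
            row.append(row[0])
        self.m.append(list(self.m[0]))
        self.rules.append(rule)

    def advance_time(self):
        # Let time pass up to each rule's upper bound, then recanonicalize.
        for rule in self.rules:
            self.m[0][self.index(rule)] = self.bounds[rule][1]
        canonicalize(self.m)

    def satisfied(self):
        # R_s: scan row 0 for rules whose lower bound can have been reached.
        return [r for r in self.rules
                if self.bounds[r][0] <= self.m[0][self.index(r)]]

    def fire(self, rule):
        i = self.index(rule)
        # The rule must have been enabled at least as long as its lower bound.
        self.m[i][0] = min(self.m[i][0], -self.bounds[rule][0])
        canonicalize(self.m)
        # Project: drop the rule's row and column.
        del self.m[i]
        for row in self.m:
            del row[i]
        self.rules.remove(rule)


def fire_rule(region, rule, fired):
    """Fire one rule; fire its event once every enabling rule has fired."""
    region.fire(rule)
    fired.add(rule)
    event = rule[1]
    enabling = [r for r in region.bounds if r[1] == event]
    if all(r in fired for r in enabling):
        fired.difference_update(enabling)
        for r in region.bounds:
            if r[0] == event:
                region.add_rule(r)
    region.advance_time()


def replay_figure5():
    AC, BC, CD = ("A", "C"), ("B", "C"), ("C", "D")
    bounds = {AC: (10, 20), BC: (2, 5), CD: (1, 3)}   # CD bounds are constructed
    region, fired, trace = Region(bounds), set(), []
    region.add_rule(AC)
    region.add_rule(BC)
    region.advance_time()

    def snapshot():
        matrix = [row[:] for row in region.m]
        trace.append((matrix, region.satisfied(), sorted(fired)))

    snapshot()
    for rule in (BC, AC):
        assert rule in region.satisfied()
        fire_rule(region, rule, fired)
        snapshot()
    return trace


if __name__ == "__main__":
    for matrix, r_s, r_f in replay_figure5():
        print(matrix, "R_s =", r_s, "R_f =", r_f)
```

The first snapshot reproduces the initial matrix of Figure 5, and the second shows the maximum of 20 that the text reports after ⟨B, C⟩ fires.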
This algorithm allows us to analyze any timed ER structure including those with multiple behavioral rules and arbitrary conflicts. It can, however, generate a larger number of regions to be explored than Orbits since there are more rules than events in a given ER structure. The next section introduces methods to reduce the number of regions.
5. Partial order algorithms
The number of explored regions can be reduced significantly by using partial order techniques [15]. Partial order techniques take advantage of the inherent concurrency in the ER structure and prevent additional regions from being added for different sequences of event firings that lead to the same untimed state. For example, in Figure 3(b) it does not matter whether the firing sequence is [A, B, C] or [A, C, B], the untimed state of the system is the same after both firing sequences. The geometric techniques presented in the previous section produce a different region, and therefore a different timed state, for each firing sequence. With partial order techniques, these regions can be combined so that one region is generated that encompasses all the timed states possible after all firing sequences.
5.1. Orbits
Orbits [14] provides an algorithm to eliminate extraneous regions by keeping a process matrix in addition to the constraint matrix. A process is an acyclic, choice-free graph created from an ER structure and a firing sequence. It is constructed from the ER structure as follows: the process initially contains all of the events whose enabling rules are initially in . Events are added in the same order as they occur in the firing sequence. For an event in the firing sequence, a correspondingly labeled event is added to the process. Rules are added to connect the newly enabled event to the events in the process that enabled it.
The process represents the concurrency in a particular firing sequence. One process can correspond to a number of different firing sequences that only differ in the order of firings of concurrent events. All the firing sequences in one process lead to the same untimed state. The process matrix stores the minimum and maximum possible separations of all the events in the process defined by the current firing sequence. At each iteration, the separations in the process matrix are copied into the entries of the constraint matrix that restrict the differences in the enabling times of the rules. With the restriction Orbits places on the semantics, the calculations to maintain the process matrix can be done with a simple application of Floyd's algorithm. Events can also be projected out of the process matrix just like they are projected out of the constraint matrix, so the algorithm only needs to retain and operate on local timing information. This is a big advantage when dealing with large specifications. However, this technique as presented in Orbits does not work in the general case since rules may stay enabled for a time greater than their maximum bounds.
5.2. Approximate Partial Orders
We have modified the partial order algorithm presented in [14] to produce an algorithm that finds an approximation of the timed state space for type 2 specifications. Floyd’s algorithm is still used to recanonicalize the matrix, but the way that the timing information about new events is added to the matrix is changed. It is shown in a later section that this algorithm always finds a timed state space that contains the exact timed state space. Extra timed states may be included, causing the circuit to be non-optimal, but a circuit synthesized from the approximate state space is always a correct implementation of the specification.
When specifications have the single behavioral rule restriction, it is simple to determine the minimum and maximum separations between the firing time of an event and the event that enabled it, e_i. Since no other rule can constrain the firing of , the minimum separation is the lower bound on the rule that relates and and the maximum separation is the upper bound. When a new event fires and is added to the process matrix, the minimum and maximum time separations between its firing time and the firing times of all other events in the matrix must be determined. With the single behavioral rule restriction, the minimum and maximum separations between the new event, and all events that enable it are immediately known from the lower and upper bounds on the rules. These separations can be entered directly in the matrix. The separations between the new event and events that do not enable it are unknown, and their value is set to infinity. The recanonicalization operation constrains those unknown separations to their correct value [14].
If the specification can have multiple behavioral rules, the minimum and maximum separations between the firing time of an event and the event that enabled it are not immediately known. They are not simply the time bounds on the rule that relates the events, since another rule may delay the firing of e. For example, in Figure 5, the maximum separation between the firing times of event and event is 20 even though the maximum time bound on the rule that relates them is 5. This is the case because the firing of can be delayed until time 20 by the rule .
In this algorithm, when calculating the separations between the firing time of an event and the event that enabled it, , the fact that the firing of may be delayed by the other rules that enable it is accounted for. The maximum separation is originally set to the value of the upper bound on the rule , since the separation must have at least that value. Then the algorithm checks if there are any other rules that could delay the firing of beyond that upper bound. This is done by examining the maximum separations between all other events that enable and the event . If there is an event that enables with the rule , and the firing time of is at most time units after then delays the firing of if . If delays the firing of then the value is used as the maximum separation between the firing times of and .
Algorithm 5.1 (Add an event to the process matrix)
void add_event(process P, new event e){
  foreach e_i ∈ P
    if (∃⟨e_j, f_j, l_j, u_j⟩ ∈ P s.t. ((e_j = e_i) ∧ (f_j = e))) then
      max_sep(e_i, e) = max(u_j, max_{⟨e_k, f_k, l_k, u_k⟩ ∈ P s.t. (f_k = e)} (max_sep(e_j, e_k) + u_k));
      min_sep(e_i, e) = max(l_j, max_{⟨e_k, f_k, l_k, u_k⟩ ∈ P s.t. (f_k = e)} (min_sep(e_j, e_k) + l_k));
    else
      max_sep(e_i, e) = ∞;
      min_sep(e_i, e) = −∞;
  recanonicalize(process matrix for P);
}
Figure 6. Finding separations to add an event.
Figure 6 shows the algorithm for adding a new event to the process matrix. Placement of the time separation values in the process matrix is not shown in the algorithm. References to the min_sep or max_sep of two events are really references to process matrix entries and do not require any computation. The min_sep(e_i, e_j) is simply −max_sep(e_j, e_i), and all of the separations in the actual matrix are interpreted as maximum separations between the column and row event. All of the new separations are computed from only local information about the timing of the events that enable them. If a new event is enabled by an event , then the maximum separation between them is at least the upper bound on the rule that relates them ( ). However, due to the type 2 semantics it may be more than that. Another event that enables may delay the firing of beyond the maximum bound on the rule that relates and . This is the case if there is some other event e_k that also enables e with an upper bound u_k and max_sep(e_k, e_j) + u_k > . The minimum separation between and is at least the lower bound on the rule that relates them (l_j). But again, due to the type 2 semantics, it may be more than that. If another rule always delays the firing of e the minimum is greater than l_j. If there is no rule relating e and e_j then maximum separation is set to and the minimum is set to . These separations are set to their maximum and minimum possible values given the constraints imposed by the events that do have causal relationships when the matrix is recanonicalized [14].
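An added Python sketch of the add_event step of Figure 6 (not the authors' implementation), run on the events of Figure 5. The process matrix is a dictionary in which sep[a, b] is the maximum of t(b) - t(a), so min_sep(a, b) is -sep[b, a]. The zero separation between A and B and the bounds on ⟨C, D⟩ are assumptions made for the example.

```python
INF = float("inf")


def canonicalize(sep, events):
    """Floyd's algorithm over the process matrix."""
    for k in events:
        for i in events:
            for j in events:
                sep[i, j] = min(sep[i, j], sep[i, k] + sep[k, j])


def min_sep(sep, a, b):
    """Minimum separation is stored as the negated opposite maximum."""
    return -sep[b, a]


def add_event(sep, events, rules, e):
    """Add event e; rules are (enabling event, enabled event, lower, upper)."""
    into_e = [r for r in rules if r[1] == e and r[0] in events]
    sep[e, e] = 0
    for ei in events:
        rule = next((r for r in into_e if r[0] == ei), None)
        if rule is None:
            # No causal rule: unknown until the matrix is recanonicalized.
            sep[ei, e] = INF          # max_sep = infinity
            sep[e, ei] = INF          # min_sep = -infinity
            continue
        ej, _, lj, uj = rule
        # Any rule enabling e may hold it back past this rule's own bounds.
        new_max = max(uj, max(sep[ej, ek] + uk for ek, _, _, uk in into_e))
        new_min = max(lj, max(min_sep(sep, ej, ek) + lk
                              for ek, _, lk, _ in into_e))
        sep[ei, e] = new_max
        sep[e, ei] = -new_min
    events.append(e)
    canonicalize(sep, events)


def process_for_figure5():
    events = ["A", "B"]
    # Assumption: A and B fire at the same time (separation 0 both ways).
    sep = {(a, b): 0 for a in events for b in events}
    rules = [("A", "C", 10, 20), ("B", "C", 2, 5),
             ("C", "D", 1, 3)]        # bounds on C -> D are constructed
    add_event(sep, events, rules, "C")
    add_event(sep, events, rules, "D")
    return sep


if __name__ == "__main__":
    sep = process_for_figure5()
    print("B -> C:", min_sep(sep, "B", "C"), sep["B", "C"])
    print("A -> D:", min_sep(sep, "A", "D"), sep["A", "D"])
```

The separation from B to C comes out as [10, 20] rather than the rule's own [2, 5], which is the delay by ⟨A, C⟩ that the text describes; the entries for A to D start at infinity and are tightened by recanonicalization.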
Since only local timing information is necessary to determine the timing of new events, when all the events enabled by an event have fired and been added to the process matrix, can be projected out. This keeps the process matrix small and the computations fast. However, the resulting timed state space is not always exact. For example, when the approximate algorithm is run on the ER structure in Figure 3(c) the minimum separation between event and event z is found to be 4 while the actual minimum is 5. This causes a region to be generated that is larger than necessary, but the circuit synthesized using this region is still correct. The reason for this imprecise result is explained later.
5.3. MaxDiff
One way to guarantee finding the exact timed state space is to use a more general timing analysis algorithm than Floyd’s to analyze the acyclic process graphs in order to determine the separations for the process matrix. Since the process is acyclic, an algorithm for acyclic graphs such as the ones in [10, 11] can be used to maintain the process matrix. The separations between all the events in the current unwound portion of the specification can be computed, and then those that are needed can be copied into the constraint matrix. Note that the process matrix contains separations between events, and the constraint matrix contains separations between rules. However, the time separation between two rules is simply the time separation between the two events that enabled them.
We use the MaxDiff algorithm, presented in [11], to maintain the process matrix. This algorithm is similar to the acyclic algorithm presented in [10] discussed earlier. When using the MaxDiff algorithm to maintain the process matrix, every time a new event is added to the process, the algorithm is used to compute the maximum separation between this new event and all the other events in the process. Information about the separations of previous events is stored in the process matrix, and as soon as a known value is found, the algorithm can end the recursion and begin returning the answer. However, calling MaxDiff requires recursing back to the initial event in the process. This means that the process matrix for the entire firing sequence must be kept around to use this algorithm. As the process gets bigger, the time it takes to compute each separation between a new event and the older events grows, as does the size of the matrix. At the same time, more separations must be computed, since the number of old events grows as well. If the number of necessary unfoldings of the specification is small, this algorithm works well. But if many unfoldings are required, the overhead to maintain the process matrix becomes excessive, and another approach is needed.
5.4. Consistency
Algorithms such as MaxDiff that calculate separations between events with type 2 semantics need to analyze the entire process graph instead of just basing the timing of each new event on the timing of the events that enable it. This is necessary because the set of separations that has already been computed may not be consistent. A set of separations is consistent if there is a possible timing assignment that would cause all the separations to have their maximum value. With type 1 semantics (or the single behavioral rule restriction) the separations in the process matrix are always consistent. When type 2 semantics is allowed, this may not be the case as illustrated with the example shown in Figure 3(c). The maximum separation between w and y is 5 and the maximum separation between x and y is 6. However there is no one timing assignment that allows both of these maximums to occur. For the separation between and to be 5, must fire at time 5, and for the separation between and to be 6, must fire at time 0. Clearly, this cannot happen in one timing assignment. If these separations are used by themselves to determine the separations between following transitions, the separations calculated may be impossible to achieve and therefore greater than their real value. In this example the minimum separation between the firing of y and the firing of would be found to be 4. The actual minimum is 5 since sep(w, y) and sep(x, y) cannot achieve their maximum separations in the same firing sequence. This distinction is subtle and led to the development of at least one erroneous timing analysis algorithm [18].
However, most of the time, inconsistencies can be projected out of the process matrix before they can affect the timing of later events. Inconsistencies are only generated when an event is enabled by a group of preceding events. Usually, this event is then used in the rest of the ER structure to indicate that all of the preceding events have occurred, and the preceding events are no longer used. If this is the case, the preceding events are projected out of the process matrix as soon as the event they have enabled has fired. This means that the inconsistencies that are generated are projected out as soon as they are created. The approximate algorithm presented previously used this observation. If all inconsistent sets are projected out of the process matrix as soon as they are generated, then the approximate algorithm generates the exact timed state space of the specification. If there are inconsistencies that do get used in computation, more of the state space is explored since the regions generated are larger than necessary. In this case, the circuit generated from the approximate state space is still correct, although possibly not optimal. If the circuit is highly dependent on timing, no implementation may now be possible.
If an inconsistent set of separations is used to compute the minimum and maximum separations for a new event, imprecise results occur. However the regions generated are always larger than the actual set of regions. Suppose that the set of separations between event and all the other events in the process is not consistent. Each separation between two events in the process matrix is the maximum value that that separation can achieve over all possible timing assignments. In an actual timing assignment, the maximum value for some separations may be lower, but never higher. Since min_sep(e_i, e_j) is −max_sep(e_j, e_i) this means that actual minimum separations may be higher, but never lower. Therefore, when the algorithm computes new separations using an inconsistent set, it may be using maximums that are too large, and minimums that are too small, but never the opposite. Using maximum separations that are too large and minimums that are too small in the computation when the algorithm calculates the separations for a new event can only produce maximums that are larger and minimums that are smaller than their actual value. Therefore, the regions produced always contain the actual regions. Also, the approximate algorithm can record the number of inconsistencies it has encountered, so it is known when the algorithm completes whether the solution is exact.
5.5. Consistent Sets
The algorithm presented in this section is an adaptation of the approximate algorithm that looks for inconsistencies and keeps track of a number of consistent sets of separations when they occur. The maximum over all the sets is actually copied into the constraint matrix. This algorithm preserves the ability to project timing information out of the process matrix while still producing the exact timed state space.
The first step is figuring out when an inconsistent set has been created and is actually going to be used in later computation. The add_event algorithm presented in Figure 6 is used to generate an initial set of separations. As the algorithm is running it also keeps track of which separation in the matrix each new separation depends on.
A separation max_sep(ej, e) depends on m a x _ s e p ( u : , > ,) 
if max_sep(ej, e) as computed in add.event is equal to 
m a x _ s c p ( r ; { ,e.j) + uj.  Dependence for minimums is defined 
symmetrically. This means that each new separation depends on one previous separation that actually caused it to reach its maximum value. When the initial computation is done, the list of dependencies is checked for inconsistencies. An inconsistency occurs when there are two maximums or minimums in the computed set that depend on the same separation having different values. Since the matrix only stores maximums and minimums, inconsistencies can only occur when one new maximum depends on a previous separation having its maximum value and another new maximum depends on the same separation having its minimum value. The situation for new minimums is symmetric. Note that a new minimum and a new maximum can depend on a separation having different values since the set of new maximums and the set of new minimums do not need to be generated by the same timing assignment. If there are no inconsistencies, then the set of new maximums and minimums is consistent and the algorithm is done. If there are inconsistencies, then they are checked to see if they only involve events that are going to be immediately projected out of the process matrix due to the firing of the new event. If they are, then they do not cause inaccuracies, and no further computation is needed. If the inconsistencies are not immediately projected out, additional sets of maximums and minimums must be generated to maintain consistency.
When a new event is added to the process and it generates inconsistencies, multiple sets of minimum and maximum separations between it and all the previous events still in the process matrix need to be generated. Each individual set of separations can be generated by a possible timing assignment. New sets are created by resolving inconsistencies. An inconsistency is resolved by computing two new sets of minimums and maximums. One set of separations contains the values possible if the inconsistent separation always had its maximum value and the other set of separations contains the values possible if the inconsistent separation always had its minimum value. Both new sets are added to the process matrix, and the original, inconsistent set is removed.
A new data structure, called the resolution_array, keeps track of which way inconsistencies are resolved in each computed set. When a new event is added, multiple sets of minimums and maximums may need to be calculated. A new set needs to be calculated for every possible, valid combination of the sets generated for every event in the matrix. A combination of sets is invalid if the resolution array specifies the same constraint was resolved in different ways for a pair of sets in the combination. Therefore, the number of sets generated when a new event is added is dependent on the total number of conflicts that have been resolved. This dependence is actually exponential in the number of resolved inconsistencies, but since events and hence inconsistencies are projected out of the matrix as they are no longer needed, for typical specifications this is not a problem. Clearly it is possible to create examples that would cause the number of sets to explode, but in that case, the MaxDiff or ordinary geometric algorithm should be used instead. The number of inconsistencies in a specification can be computed without running the entire consistent sets algorithm by simply keeping track of them as the approximate algorithm is running.
Figure 7 gives an overview of the consistent sets algorithm. The details about how all the sets are kept track of in the process matrix are not shown. Calls to add_event refer to the add_event function defined in Figure 6, with the addition that it maintains a list of inconsistencies as it calculates a set of separations. When a call to add_event is made, it is assumed that the resulting separations are placed in the final process matrix in the correct row and column. In the consistent sets algorithm, when a new event is to be added to the process, the function add_new_event is called. It causes a new set of separations to be calculated for each valid combination of sets already in the process matrix. A new set inherits all the resolution decisions from the sets in the combination used to compute it. For each new set of separations, add_new_event calls make_consistent to resolve any inconsistencies that may have been generated. The recursive calls to make_consistent are necessary if multiple conflicts need to be resolved in one set.
Algorithm 5.2 (Add event with consistent sets)
process_matrix add_new_event(process_matrix P, new event e,
    resolution_array R){
  foreach (valid combination of sets in P){
    I = add_event(P, e);
    Add entry to R for this set that contains the union
      of all the entries for the sets in this combination;




Algorithm 5.3 (Resolve all the inconsistencies in a set)
process_matrix make_consistent(event e, process_matrix P,
    inconsistency_list I, resolution_array R){
  if (no inconsistencies, or all are projected immediately)
    return;
  Select an inconsistency from ;
  if ( resolved by entry in R for this set)
    Remove inconsistent set from P;
    P_new = P resolved as specified by R;
    I = add_event(P_new, e);
    P_new = make_consistent(e, P_new, I, R);
    return ;
  else
    Remove inconsistent set from P;
    with resolved with min;
    I = add_event(P_new, e);
    Add resolution to R;
    P_new = make_consistent(e, P_new, I, R);
    P_new = P with i resolved with max;
    I = add_event(P_new, e);
    Add resolution to R;




Figure 7. Consistent sets algorithms.



























Example     Untimed states        Geometric            MaxDiff              Approximate          Consistent sets
            no timing  timing     regions  time (s)    regions  time (s)    regions  time (s)    regions  time (s)
scsiSVT     20         15         56       0.31        33       0.21        33       0.20        33       0.17
spdor       185        18         40       0.18        40       0.22        40       0.19        40       0.17
spdand      88         10         134      0.48        64       0.31        fail                 64       0.40
mmuoptSV    397        108        8083     397         806      41          806      30          806      28
slatch      54         30         151      0.97        65       0.77        65       0.67        65       0.52
JSPslatch   54         30         150      1.29        65       0.67        65       0.58        65       0.63
SELopt      351        113        657      17          308      18          308      12          308      11
TSBM        5832       403        out of memory        1946     1096        1946     80          1946     77
Figure 8 shows the process matrix and resolution array generated for the ER structure in Figure 3(c). Each entry in the matrix is the maximum amount of time that can pass between the firing time of the column event and the firing time of the row event. For example, the maximum separation between the firing times of event and event is 5. The subscript indicates that multiple sets were added for this event. The symbol in the matrix indicates that separation would be derived from an invalid combination of sets, and therefore is not computed. The resolution array shows how inconsistencies were resolved to create each set. When separations from this process matrix are copied into the constraint matrix, the maximum value over all sets for each separation is used. For example, the value copied for the sep(y, x) would be 6 and the value copied for sep(y, z) would be -5.
Process matrix:
        w     x     y1    y2    z1    z2
w       0     5     -1    -1    -7    -7
x       0     0     -1    -6    -5    -12
y1      5     5     0     0     -5    X
y2      1     6     0     0     X     -6
z1      10    10    9     X     0     0
z2      7     12    X     9     0     0
Resolution array:
w       0
x       0
y1      sep(x, w) = 0
y2      sep(x, w) = -5
z1      sep(x, w) = 0
z2      sep(x, w) = -5
Figure 8. Proc. matrix and resolution array.
The consistent sets algorithm provides a way to compute the exact timed state space of a timed ER structure without maintaining a process matrix that grows with the size of the specification and the number of unfoldings needed. The size of the matrix grows only with the maximum number of events that can be active at any one time and the number of inconsistencies. If the number of inconsistencies is low, this algorithm is very efficient. If it is high, one of the other algorithms can be used.
6. Results
We have implemented each of the timing analysis algorithms described in this paper within the timed circuit design tool ATACS, and we have applied them to several examples as shown in Table 1. The first two columns compare the number of untimed states found, first neglecting the timing information then using it. We see that the state space can be reduced by up to an order of magnitude using timing information. The rest of the table compares the number of regions found and runtimes for each of the algorithms presented. The runtimes are reported in seconds on a 75 MHz Sparc20 with 128 Mbytes of memory. The results show that partial order information can reduce the number of regions and runtimes by up to an order of magnitude. Indeed, in one example, TSBM, geometric timing without partial orders runs out of memory. Furthermore, the approximate and consistent set partial order algorithms can yield an order of magnitude improvement over the MaxDiff partial order algorithm. Finally, we observe in one example, spdand, that the approximate partial order algorithm fails because it generates regions which are too large and explores numerous extra states. This occurs because spdand has inconsistencies and is highly timing dependent for its correctness.
These results show that each of the algorithms presented here is appropriate under different circumstances. If the amount of concurrency in the specification is low, then the geometric timing algorithm can efficiently explore the state space with a minimum of overhead. If concurrency is high, but the specification produces only consistent sets of maximums or the resulting circuit does not need to be optimal, the approximate partial order algorithm can reduce the number of regions explored and not increase overhead significantly. In the course of running the approximate algorithm, the number of inconsistencies can be computed to give the user guidance as to whether the consistent sets or MaxDiff algorithm could be used to get a more optimal circuit. The consistent sets or MaxDiff algorithms can be used to compute the exact state space if an optimal circuit is needed for a specification that produces inconsistent sets of maximums. If the circuit produces a large number of inconsistencies, then the MaxDiff algorithm is most appropriate. If the specification only produces a small number of inconsistencies, then the consistent sets algorithm is more efficient than the MaxDiff algorithm. Together these algorithms allow designers to choose tradeoffs between circuit performance and synthesis time that meet their needs.
7. Conclusion
We have presented a group of timing analysis algorithms specifically designed for timed state space exploration. Doing timing analysis based on the firing of rules instead of events allows us to analyze timed ER structures with type 2 semantics and eliminate the restrictions placed on the semantics by previous algorithms. The partial order techniques presented here reduce the number of regions generated by the basic geometric algorithm. The approximate partial order algorithm and consistent sets algorithms allow partial order techniques to be applied while maintaining only local timing information. In the future, we plan to extend the algorithms to analyze specifications with OR causality and explore BDD techniques to create a more efficient representation of the timed state space. We also plan on applying the algorithms to optimizing synthesized logic.
8. Acknowledgments
We would like to thank Dr. Steve Burns of Intel Corporation, Dr. Tomas Rokicki of Hewlett Packard, and Robert Thacker of the University of Utah for their helpful comments and encouragement.
References
[1] W. Belluomini. Transistor level optimizations of asynchronous circuits. Master’s thesis, University of Washington, 1996.
[2] B. Berthomieu and M. Diaz. Modeling and verification of time dependent systems using time petri nets. IEEE Transactions on Software Engineering, 17(3), March 1991.
[3] B. Coates, A. Davis, and K. Stevens. The Post Office experience: Designing a large asynchronous chip. Integration, the VLSI journal, 15(3):341-366, Oct. 1993.
[4] D. L. Dill. Timing assumptions and verification of finite-state concurrent systems. In Proceedings of the Workshop on Automatic Verification Methods for Finite-State Systems, June 1989.
[5] S. B. Furber, P. Day, J. D. Garside, N. C. Paver, and J. V. Woods. A micropipelined ARM. In VLSI '93, 1993.
[6] T. A. Henzinger, Z. Manna, and A. Pnueli. What good are digital clocks? In ICALP 92: Automata, Languages, and Programming, pages 545-547. Springer-Verlag, 1992.
[7] H. Hulgaard and S. Burns. Bounded delay timing analysis of a class of CSP programs with choice. In Proc. International Symposium on Advanced Research in Asynchronous Circuits and Systems, pages 2-11, November 1994.
[8] H. R. Lewis. Finite-state analysis of asynchronous circuits with bounded temporal uncertainty. Technical report, Harvard University, July 1989.
[9] A. Marshall, B. Coates, and P. Siegel. Designing an asynchronous communications chip. IEEE Design & Test of Computers, 11(2):8-21, 1994.
[10] K. McMillan and D. L. Dill. Algorithms for interface timing verification. In International Conference on Computer Design, ICCD-1992. IEEE Computer Society Press, 1992.
[11] C. J. Myers. Computer-Aided Synthesis and Verification of Gate-Level Timed Circuits. PhD thesis, Stanford University, 1995.
[12] C. J. Myers and T. H.-Y. Meng. Synthesis of timed asynchronous circuits. IEEE Transactions on VLSI Systems, 1(2):106-119, June 1993.
[13] C. J. Myers, T. G. Rokicki, and T. H.-Y. Meng. Automatic synthesis of gate-level timed circuits with choice. In Proc. 16th Conf. on Advanced Research in VLSI, pages 42-58. IEEE Computer Society Press, 1995.
[14] T. G. Rokicki. Representing and Modeling Circuits. PhD thesis, Stanford University, 1993.
[15] T. G. Rokicki and C. J. Myers. Automatic verification of timed circuits. In International Conference on Computer-Aided Verification, pages 468-480. Springer-Verlag, 1994.
[16] J. A. Tierno, A. J. Martin, D. Borkovic, and T. K. Lee. A 100-MIPS GaAs asynchronous microprocessor. IEEE Design & Test of Computers, 11(2):43-49, 1994.
[17] C. K. van Berkel, R. Burgess, J. Kessels, A. Peeters, M. Roncken, and F. Saeijs. A fully-asynchronous low-power error corrector for the digital compact cassette player. In IEEE International Solid-State Circuits Conference, 1994.
[18] P. Vanbekbergen, G. Goossens, and H. de Man. Specification and analysis of timing constraints in signal transition graphs. In Proceedings of the European Design Automation Conference, 1992.
[19] E. Verlind, G. de Jong, and B. Lin. Efficient timing analysis of highly concurrent systems. In International Workshop on Timing Issues in the Specification and Synthesis of Digital Systems, November 1995.
[20] G. Winskel. An introduction to event structures. In Linear Time, Branching Time and Partial Order in Logics and Models for Concurrency. Noordwijkerhout, Norway, June 1988.
[21] H. Zheng and C. J. Myers. Specification and compilation of mixed-timed systems using VHDL. Forthcoming paper.
