Abstract
Introduction
A circuit is speed-independent if its behavior does not depend on the speeds of its components (gates). These circuits are very robust to parameter variations, such as supply voltage or temperature, and this may have significant practical advantages [8], for example, a potential reduction of power dissipation [13]. It is important to find a characterization of speed-independence that allows the designer to discover speed dependencies as early as possible in the design process. Such a characterization is presented in this paper as a sufficient condition on a high-level description of the circuit. The condition is formulated in such a way that the transition system can be checked in a modular way, i.e., by checking the design module by module.
Most characterizations of speed-independence assume that the circuit is autonomous which means that it is a self-contained circuit without external input.
*This work has been supported by The Danish Technical Research Council and ACiD-WG (Esprit Basic Research Working Group 7225).
0-8186-6210-7/94 $4.00 © 1994 IEEE

To check a component with external input (and output), an explicit environment is constructed and the combination of component and environment is then checked. Our characterization allows us to check a component in isolation; however, it is possible (and often necessary) to state assumptions about the environment. In [7] it has been shown how the proposed check can be mechanized; in the present paper the emphasis is on the characterization itself. Circuit efficiency sometimes makes it necessary to compromise the speed-independence of a well-defined part of a circuit. Our characterization of speed-independence makes it possible to state speed assumptions about well-defined parts while still making it possible to check the rest of the design. This paper is organized as follows. First, we present a short review of previously published characterizations of speed-independence. Section 3 describes the design language used in this paper for modeling circuits. Section 4 presents the characterization of speed-independence as a condition called persistency. Section 5 gives two examples of experimental designs where the proposed technique has been used to verify speed-independence. Finally, in Section 6 it is argued that the persistency condition is a sufficient condition for speed-independence.
Previous work
This section gives a brief overview of the characterizations of speed-independence that have been published previously.
Muller's model
In David Muller's theory [10] a logic gate is modeled by a logic function followed by an unbounded inertial delay element. Formally, a circuit consists of a set of boolean variables, $\{z_1, z_2, \ldots, z_n\}$ $(n \geq 1)$, each of which has an associated boolean function:
Speed-independence in trace theory
Trace theory is based on characterizing properties of traces obtained by computations of the circuit [2, 3, 4, 14]. The designer is assumed to describe a design with trace commands [3]. Figure 2.a shows the circuit from Fig. 1. The circuit consists of two components: an initiated fork (implemented by a wire fork and two inverters) and an OR-gate. Regular trace structures can only represent regular sets. Therefore, an automaton can be constructed for each of the components, which will accept the same regular set. A state graph for the initiated fork is given in Fig. 2.b and for the OR-gate in Fig. 2.c. In circuits that have components with symmetric operations for rising and falling signals, one abstract state might correspond to several binary signal values. This is, for example, the case for the initiated fork. The behavior of the OR-gate is not symmetric. Therefore, a state graph for the OR-gate (Fig. 2.c) has eight states, q0-q7, which correspond to the eight possible binary states of a two-input OR-gate. The trace command specification of the OR-gate requires internal state variables and is similar to the structure of the state graph from Fig. 2.c. This indicates a drawback of trace commands as a specification language for circuits: the size of the specification grows exponentially even for simple gates such as OR, AND, NOR, NAND.
A circuit cannot control the transitions on its inputs, since these are made by the environment. Therefore, any input transition can occur in any state of the state graph (receptiveness) [2]. However, some of the traces, called failure traces, may induce hazards. After an input transition on a has occurred in the state q0, the OR-gate goes to state q1, and it is ready to produce an output on c and go to state q6. This corresponds to the state 10*0* (in Fig. 1) [2].
To analyze the behavior of the complete circuit the state graphs of the components are composed. In the example states in the composed state graph (Fig. 2.d 
Tools for speed-independence
There are several model-checking tools for checking speed-independence based both on the Muller model of circuits and the trace model [1, 2, 4, 5]. A comparison of these tools is given in [5]. The rest of this paper is devoted to a characterization of speed-independence making it possible to check high-level design descriptions. This characterization gives some new possibilities compared with the techniques mentioned above: (1) non-autonomous designs are handled without giving an explicit environment, which makes it possible to check large designs piece by piece in a modular fashion; (2) higher-level designs with non-binary data types can be handled; (3) verification of other (safety) properties of a design can be done using exactly the same approach and the same tools, hence speed-independence does not require separate and specialized tools; (4) no distinction is made between control- and data-dominated designs; both can be handled with the same approach.
High-level design descriptions
This section describes how to model circuits as formal transition systems using the design language SYNCHRONIZED TRANSITIONS [12]. Such transition systems consist of a set of transitions and a set of state variables (both are fixed and do not change during a computation).
Design descriptions
A transition, t, describes a component of a circuit and has the form <<Ct -> zt := Et>>, where Ct is a predicate called the precondition, zt is a state variable, and Et is an expression that has a unique value in any state. As an example, consider a C-element; it is described as follows:

A circuit with many components (operating in parallel) is described by composing a number of such transitions (one for each component). The oscillator from Figure 1 is described as follows:
Terminology
This section defines a number of concepts that are used to characterize speed-independence. It can be shown that it is possible to describe any asynchronous circuit as a well-behaved design.
Operational model
The computation of a design can be modeled as repeated non-deterministic selection and execution of an enabled transition. Transitions are executed (1) one at a time, i.e., as an indivisible operation; (2) repeatedly, i.e., each time one has been executed, it is immediately ready to be selected again; and (3) independently of the order in which they appear in the design description. There is no upper bound on when a transition is selected.
A design defines a set of computations that are sequences of states, called trajectories. The formal definition of trajectories is given in Section 6.2.
Invariants and protocols
Invariants and protocols describe properties of a design that can be verified formally. For example, the following invariant states that x and y cannot be true simultaneously (mutual exclusion):

$\neg(x \wedge y)$

The following is an example of a protocol stating that whenever x changes, it gets the value of y:

$x.pre \neq x.post \Rightarrow x.post = y.pre$
Environments
In general, the computation of a design depends on the behavior of its environment. Protocols and invariants are used as implicit specifications of environments, expressing constraints on the state space and on the possible transitions changing external state variables.
Example: a pipeline latch. Consider a pipeline latch; it is described as a design with four state variables: two booleans, ai, ao, to model the binary acknowledgment signals, and two duals, Di, Do, to model a one-bit data path. The domain for the duals contains three possible values {E, T, F} ("empty", "true", and "false"). The value E is used to reset the latch before it can adopt the next valid data value, T or F. The variables ao (the output acknowledgment) and Di (input data) are external. Figure 3.a shows the structure of the latch; Figure 3.b shows one possible gate-level realization based on two C-elements and one NOR-gate.

Figure 3: A structure of the latch (a) and its gate-level implementation (b)

Let empty be a predicate which returns TRUE when the value of the dual parameter is equal to E. Then the latch is described as follows: The protocol constrains any change of Di to start in a pre-state where ai.post=empty(Di.pre). This prevents Di from changing directly from one non-empty value to another. Note that a latch for a wider data path is specified by substituting another type instead of dual.
End of example
Internal non-determinism
Protocols and invariants are also used to specify components with internal non-determinism, for example an arbiter. As an example, consider a simple arbiter serving two clients. Each client indicates a request by making the state variable Req1 true, and the arbiter gives an acknowledgment by making Ack1 true. The behavior of the two-input arbiter is defined implicitly by the invariant $\neg(Ack_1 \wedge Ack_2)$ and the protocol: The internal behavior of the arbiter is not a subject of verification (it cannot be verified by logic means anyway), but the cooperative behavior of the arbiter with other components is verified. This allows us to check the speed-independence of designs with internal non-determinism.
Design
A design, D, is a five-tuple <Z, T, PE, U, I>, where Z is a finite set of state variables; T is a finite set of transitions; PE is an external protocol, restricting possible transitions of external state variables; U is a set of initial states; and I is an invariant.
Formally, the protocol and invariant of a design constrains both the internal and external state variables. However, in practice it can be useful to distinguish the external constraints from the internal. The external serves as an implicit characterization of the environment and this is usually needed to carry out the verification. On the other hand, the internal constraints can often be derived automatically. In [7] it is described how model-checking is used for automatically deriving an invariant defining the reachable states.
Example: the pipeline latch (continued). The invariant for the pipeline latch with the external protocol PE is characterized by the following expression:
End of example
For simple designs, it is possible to derive the invariant manually, but for more challenging designs this is often too laborious, and automatic derivation is therefore useful.
The persistency condition
This section presents a characterization of the speed-independent designs. It is formulated as a condition on a design; when it is met, the design allows for a speed-independent circuit realization. In Section 6 it is argued that the condition is sound, i.e., that it ensures that a computation is independent of the speed of its components.
Example: an oscillator (continued).
To illustrate a non-persistent design, consider the oscillator of Fig. 1 and its description in Section 3. In the state a, b, y = FALSE, FALSE, FALSE both the first and the second transitions are active. If the first transition changes c to TRUE, then the second is no longer active; therefore, the implication in the persistency protocol does not hold, and hence the design is not persistent.
Mechanizing the check
The paper [7] describes tools for mechanically checking the persistency condition. They consist of: (1) a translator for transforming design descriptions into a list of proof obligations corresponding to the persistency condition; (2) a tool for generating reachability invariants; (3) a theorem prover (the LARCH PROVER) that is used to verify the proof obligations.
Note that the persistency condition yields a separate implication for each transition. Hence, the verification is broken into a number of independent steps.
Example: the pipeline latch (continued). The invariant, called I in Section 3.7, can be used to verify that the pipeline latch meets the persistency condition. The external protocol, PE, for the latch was defined in Section 3.5. For each of the two transitions of the design, it must be shown that it satisfies the persistency protocol of the other transitions (in this case there is only one) and the external protocol PE:

I(pre) A I(pre) A PE (pre, post) (pre, post) (pre, post)

where $i, j \in \{1, 2\} \wedge i \neq j$. Given the design description, the tools mentioned above generate similar implications and verify them, which shows that this is a speed-independent design.
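The mechanized check above, as an added worked example in Python; this is not the paper's tool set from [7] (which generates proof obligations for the Larch Prover) but an exhaustive state-space version of the same idea. The operational model of the section "Operational model" is executed step by step, the set of reachable states plays the role of the automatically derived reachability invariant I, and in every reachable state each active step is fired and every other active step must still be active afterwards, which is the per-transition implication of the persistency condition; a step that fires and disables another is reported. Assumed, not taken from the paper: the `Design` representation, the transitions chosen for the Fig. 1 oscillator (an OR-gate c := a OR b fed back through an initiated fork with two inverters, since the paper's own description of it is not reproduced here), the environment protocol of the C-element, and the reading of "active" as "the precondition holds and the assignment would change the state".

```python
"""Persistency checker for small SYNCHRONIZED TRANSITIONS-style designs.

Added example, not code from the paper or its tool set [7].  Assumptions:
a state is a dict {variable: value}; a transition <<C -> z := E>> is a tuple
(name, C, z, E) with C and E as Python callables over the state; the
environment changes one external variable at a time, subject to PE(pre, post);
a step is "active" when its precondition holds and it would change the state.
"""
from collections import deque


class Design:
    def __init__(self, variables, transitions, external, domains, pe, initial):
        self.variables = variables      # ordered variable names (Z)
        self.transitions = transitions  # [(name, guard, var, expr)]  (T)
        self.external = external        # variables written by the environment
        self.domains = domains          # var -> tuple of admissible values
        self.pe = pe                    # external protocol PE(pre, post) -> bool
        self.initial = initial          # the single initial state (U)

    def active_steps(self, state):
        """Steps active in `state`: ('t', var, name) for internal transitions,
        ('env', var, value) for environment changes allowed by PE."""
        steps = []
        for name, guard, var, expr in self.transitions:
            if guard(state) and expr(state) != state[var]:
                steps.append(('t', var, name))
        for var in self.external:
            for value in self.domains[var]:
                post = dict(state, **{var: value})
                if value != state[var] and self.pe(state, post):
                    steps.append(('env', var, value))
        return steps

    def fire(self, state, step):
        """Execute one step as an indivisible operation; return the post-state."""
        post = dict(state)
        if step[0] == 't':
            _, _, var, expr = next(t for t in self.transitions if t[0] == step[2])
            post[var] = expr(state)
        else:
            post[step[1]] = step[2]
        return post


def freeze(design, state):
    return tuple(state[v] for v in design.variables)


def reachable_states(design):
    """Breadth-first exploration of the operational model; the returned set is
    the strongest reachability invariant of the design."""
    seen = {freeze(design, design.initial): design.initial}
    queue = deque([design.initial])
    while queue:
        s = queue.popleft()
        for step in design.active_steps(s):
            n = design.fire(s, step)
            if freeze(design, n) not in seen:
                seen[freeze(design, n)] = n
                queue.append(n)
    return list(seen.values())


def persistency_violations(design):
    """(state, fired, disabled) triples: two steps on different variables were
    active in a reachable state and firing one de-activated the other.
    Internal/internal pairs are the persistency condition proper; pairs with an
    environment step correspond to the external persistency requirements."""
    found = []
    for s in reachable_states(design):
        active = design.active_steps(s)
        for fired in active:
            still = design.active_steps(design.fire(s, fired))
            for other in active:
                if other[1] != fired[1] and other not in still:
                    found.append((freeze(design, s), fired, other))
    return found


BOOL = (False, True)


def oscillator():
    """Assumed description of the Fig. 1 oscillator: an OR-gate c := a OR b
    whose output is fed back through an initiated fork with two inverters."""
    transitions = [('t_a', lambda s: True, 'a', lambda s: not s['c']),
                   ('t_b', lambda s: True, 'b', lambda s: not s['c']),
                   ('t_c', lambda s: True, 'c', lambda s: s['a'] or s['b'])]
    return Design(['a', 'b', 'c'], transitions, [], {v: BOOL for v in 'abc'},
                  lambda pre, post: False, {'a': False, 'b': False, 'c': False})


def c_element():
    """<<a = b -> c := a>> with an environment that may flip an input only after
    the output has followed it (assumed PE: a or b changes only when equal to c)."""
    transitions = [('t_c', lambda s: s['a'] == s['b'], 'c', lambda s: s['a'])]

    def pe(pre, post):
        return all(pre[x] == post[x] or pre[x] == pre['c'] for x in ('a', 'b'))

    return Design(['a', 'b', 'c'], transitions, ['a', 'b'],
                  {v: BOOL for v in 'abc'}, pe, {'a': False, 'b': False, 'c': False})


if __name__ == '__main__':
    for build in (oscillator, c_element):
        d = build()
        v = persistency_violations(d)
        print(f"{build.__name__}: {len(reachable_states(d))} reachable states; "
              + ("persistent" if not v else f"NOT persistent, e.g. {v[0]}"))
```

For the oscillator the checker reports the state a, b, c = TRUE, FALSE, FALSE, in which the OR-gate transition and the second inverter transition are both active; firing the OR-gate (c becomes TRUE) de-activates the inverter, i.e., a hazard on b. The C-element with its protocol-constrained environment has eight reachable states and no violation, and because the check is a separate test per reachable state and per pair of steps, it decomposes the same way as the per-transition implications generated by the tools of [7].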
Applications
This section describes two particular designs: (1) a switch used in the data path of a multiplier; this illustrates the use of high-level designs with variables of non-boolean type, and (2) a self-timed RAM design; this illustrates how to do a partial check of a design with a delay assumption about a well-defined part.
A switch of a data-path
The asymmetric switch shown in Figure 4 is used in a speed-independent vector multiplier design [11]. This switch either lets both data signals pass through, or it crosses one of them over and ignores the other.
All signals in this design follow a four-phase protocol. The data lines, InA, InB, OutA, and OutB, are part of dual-rail encoded data paths (of arbitrary width) with one single-rail acknowledgement signal to (for InA, InB) or from (for OutA, OutB) the environment. The control input, Ctl, also follows a four-phase protocol, and it is a dual-rail input signal. Finally, there is a boolean acknowledgement signal to the environment.
The switch is apparently very simple, but it was quite difficult to find a correct speed-independent design. The formal verification revealed several mistakes in designs that were believed to be correct and where careful simulations had not uncovered any errors.
A RAM cell
This section describes the design of a RAM cell, and it is shown how to do a partial check of speed-indepenthe RAM cell is not speed-independent. However, this part can be excluded from the check, and the rest of the design can be verified.
The major difficulty in designing a speed-independent RAM is in the implementation of the write operation. It is non-trivial to organize a completion detection after a new value has been written into the (Dit=1 and Dif=0), then immediately after arrival of the write control signal W two transitions start: writing a '1' value into the cell, and driving the output data line Dof to become 1. Depending on the relative speeds of these processes either a short voltage spike appears at the line Dof (non-persistency) or this line will hold a '1' value until the next cycle (where Dot may take a '1' value, which implies that mutual exclusion is violated).
However, the RAM cell operates correctly if it is assumed that the write control signal W always goes high with a delay of at least T after Dit, Dif get a valid value (0,1 or 1,0), where T is bigger than the delay of the memory cell. Such an assumption is typical for some asynchronous and self-timed design styles, e.g., micro-pipelines and systems with a bundled-data protocol. For such designs, it is possible to do a partial check for speed-independence. For example, in the RAM cell design, we can exclude the two transitions, tDot and tDof, from the persistency check and verify that the rest of the design is speed-independent.
Soundness of the characterization
This section shows how to formulate the intuitive notion of speed-independence and relates the class of persistent designs to this definition.
Delayed designs
The intuitive notion of gate delays is modeled by the notion of a delayed design. In the underlying circuit, the delay of z corresponds to inserting a delay element before the fork of a wire delivering the value of z to other components and to the environment. If z is an internal variable, then the delay is inserted before any forks of the internal wire. If z is an external variable, then the delay is inserted before the fork of the input wire.
Definition 5 Let D be a design with transitions T and external protocol PE and let t be an arbitrary

Equivalence of designs
observation equivalent i f T r ( D ) = T'r(Dg,) -1 2.
Persistency of the environment
The persistency condition encourages an approach where a component and its environment are checked independently. If the component and the environment are both specified as transition systems, then the persistency condition can be used on both. However, if the environment is specified by other means, it should still behave persistently. This section defines a restriction called external persistency. If the external persistency is met by a design, then the design is speed-independent for any environment satisfying the external protocol of the design. It must be stressed that transition systems satisfying the persistency condition automatically satisfy the restriction; it is only relevant for environments specified by other means.
Figure 6: A speed-independent (a), and delay-insensitive (b) composition of a design and its environment.
The Foam Rubber Wrapper property [9] is often used for delay-insensitive circuits. It states that if arbitrary delays are attached to the input and output lines of the implemented system, the new interface created must have the same behavior as the originally specified one (Fig. 6.b).
A corresponding property for a speed-independent environment would be to attach arbitrary delays to the input and output lines before wire forks, such that the environment (in case of input lines) or the design (in case of output lines) observes delayed signals (Fig. 6.a). This requirement on a speed-independent environment can be captured by the external persistency condition. The external persistency is weaker than persistency, since it allows non-deterministic behavior of the environment.
Similar to the persistency condition, the external persistency condition consists of two requirements. These constrain the behavior of external variables. Intuitively, the first requirement states that if two external variables are concurrently active in a state of the design, then they can change their values in any order. The second requirement states that transitions of internal variables cannot disable external variables. It is important to notice that verification of the complete design does not require a check for the external persistency condition in those cases where all modules of the design are expressed as transition systems.
Soundness of persistency
This section defines the notion of a speed-independent design and states a theorem relating the persistency condition to speed-independence.
Definition 9 A design D is speed-independent if any delayed version of design D is observation equivalent to D.
Although this definition requires all possible delayed versions to be observation equivalent to the original design, it is not necessary to compare all multiple delayed versions. It can be shown that only single delayed versions need to be considered. Furthermore, instead of checking an observation equivalence one can simply check the persistency condition.
Theorem 1 If a well-behaved design satisfies the persistency condition and its environment satisfies the external persistency condition, then the design is speed-independent.
The proof of this theorem is given in [6] .
A sketch of the proof. The theorem is first proved (by contradiction) for the case when one variable is delayed. Let D1 be a delayed version that is not observation equivalent to D, although both the persistency and the external persistency hold. Let s be the shortest possible trajectory in the delayed design D1 that has no equivalent projection in the original design D. It can always be represented in the form $s = r, S_0 \to q, S_1 \to S_2$, where r, q are trajectories (both r and q might be empty), $S_0$, $S_1$ and $S_2$ are states of the delayed design, z is a delayed variable, y is another variable of the design, and $S_0 \to q$ is the last assignment to z in s.

Assume that q is not empty. No transitions in q can read z in the delayed design. Hence, instead of the trajectory s one can always consider another trajectory of the same length, which is obtained from s by swapping the last assignment to z and all the other assignments to the variables that occur along the trajectory q. Therefore, we can restrict consideration to trajectories where q is empty: $s = r, S_0 \to S_1 \to S_2$.
Four cases are possible: (1) z, y are internal variables, (2) z is external and y is internal, (3) both z and y are external, and (4) z is internal and y is external. Let us consider the first case. Similarly, for the second case the contradiction is reached with the second requirement of the persistency condition for the transition t2; for the third and fourth cases a contradiction is found with the first and the second requirements of the external persistency condition.
The case with more than one variable delayed is reduced to the case with one variable delayed.
□
In [6] it is also shown that the persistency and external persistency conditions are necessary for a well-behaved design to be speed-independent for all environments satisfying the external protocol.
Conclusion
This paper has presented a sufficient condition for the speed-independence of a high-level design. The description of such high-level designs allows variables of any finite type and hierarchical structure with both external (input choice) and internal (arbiters) non-determinism. The formulation of the condition was related to other characterizations of speed-independence. The major difference of the condition presented here is the emphasis on independent verification of separate components/modules of a design.
