Model checking is emerging as a practical tool for automated debugging of complex reactive systems such as embedded controllers and network protocols (see [23] for a survey). Traditional techniques for model checking do not admit an explicit modeling of time, and are thus, unsuitable for analysis of real-time systems whose correctness depends on relative magnitudes of different delays. Consequently, timed automata [7] were introduced as a formal notation to model the behavior of real-time systems. Its definition provides a simple way to annotate state-transition graphs with timing constraints using finitely many real-valued clock variables. Automated analysis of timed automata relies on the construction of a finite quotient of the infinite space of clock valuations. Over the years, the formalism has been extensively studied leading to many results establishing connections to circuits and logic, and much progress has been made in developing verification algorithms, heuristics, and tools. This paper provides a survey of the theory of timed automata, and their role in specification and verification of real-time systems.

Abstract. In this paper we solve the following problem: \given a digital circuit composed of gates whose real-valued delays are in an integerbounded interval, is there a way to discretize time while preserving the qualitative behavior of the circuit? " This problem is described as open in [BS94]. When \preservation of qualitative behavior " is interpreted in a strict sense, as having all original sequences of events with their original ordering we obtain the following two results: 1) For acyclic (combinatorial) circuits whose inputs change only once, the answer is positive: there is a constant, depending on the maximal number of possible events in the circuit, such that if we restrict all events to take place at multiples of,we still preserve qualitative behaviors. 2) For cyclic circuits the answer is negative: a simple circuit with three gates can demonstrate a qualitative behavior which cannot be captured by anydiscretization. Nevertheless we show that a weaker notion of preservation, similar to that of [HMP92], allows in many cases to verify discretized circuits with =1suchthat the veri cation results are valid in dense time. 1

In this paper we argue that the semantic issues of discrete vs. dense time should be separated as much as possible from the pragmatics of state-space representation. Contrary to some misconceptions, the discrete semantics is not inherently bound to use state-explosive techniques any more than the dense one. In fact, discrete timed automata can be analyzed using any representation scheme (such as DBM) used for dense time, and in addition can bene t from enumerative andsymbolic techniques (such as BDDs) which are not naturally applicable to dense time. DBMs, on the other hand, can still be used more e ciently by taking into account theactivity of clocks, to eliminate redundancy. To support these claims we report experimental results obtained using an extension of Kronos with BDDs and variable-dimension DBMs where we veri ed the asynchronous chip STARI, a FIFO bu er which provides for skew-tolerant communication between two synchronous systems. Using discrete time and BDDs we were able to prove correctness of a STARI implementation with 18 stages (55 clocks), better than what has been achieved using other techniques. The veri cation results carry over to the dense semantics. Using variable-dimension DBMs we havemanaged to verify STARI for up to 8 stages (27 clocks). In fact, our analysis shows that at most one third of the clocks are active atanyreachable state, and about one fourth of the clocks are active in 90 % of the reachable states.

In this work we apply the timing verification tool OpenKronos, which is based on timed automata, to verify correctness of numerous asynchronous circuits. The desired behavior of these circuits is specified in terms of signal transition graphs (STG) and we check whether the synthesized circuits behave correctly under the assumption that the inputs satisfy the STG conventions and that the gate delays are bounded between two given numbers. Our results demonstrate the viability of the timed automaton approach for timing analysis of certain classes of circuits.

In this paper, we have extended the trace theoretic verification method with partial order reduction so that it can properly handle timed circuits and timed specification. The partial order reduction algorithm is obtained from the timed version of the Stubborn set method. The experimental results with the STARI circuits show that the proposed method works very efficiently. 1

Abstract. In this paper we report some progress in applying timed automata technology to large-scale problems. We focus on the problem of finding maximal stabilization time for combinational circuits whose inputs change only once and hence they can be modeled using acyclic timed automata. We develop a “divideand-conquer” methodology based on decomposing the circuit into sub-circuits and using timed automata analysis tools to build conservative low-complexity approximations of the sub-circuits to be used as inputs for the rest of the system. Some preliminary results of this methodology are reported. 1

. We present a timed automaton-based method for accurate computation of the delays of combinational circuits. In our method, circuits are represented as networks of timed automata, one per circuit element. The state space of the network represents the evolution of the circuit over time and delay is computed by performing a symbolic traversal of this state space. Based on the topological structure of the circuit, a partitioning of the network and a corresponding conjunctively decomposed OBDD representation of the state space is derived. The delay computation algorithm operates on this decomposed representation and, on a class of circuits, obtains performance orders of magnitude better than a non-specialized traversal algorithm. We demonstrate the use of timed automata for accurate modeling of gate delay and cross-talk. We introduce a gate delay model which accurately represents transistor level delays. We also construct a timed automaton that models delay variations due to cross-talk fo...

ion corresponds to overapproximating F . (ii) Image computation is performed by "propagating wavefronts" across the partitions. This corresponds to performing the composition of the partitions in topological order, and smoothing variables whenever all the G i 's that depend on those variables have been composed. As depicted in figure 6, if the set of waveforms at a given cut-set has been characterized, all variables to the left of the cut-set can be smoothed. This allows minimization and possibly abstraction of the intermediate results. The partitions must be chosen in a way to expedite the image computation. We believe that the following heuristics will work well: ffl As much as possible, create partitions with disjoint support. For such partitions, only the set of possible waveforms at the output nodes need to be stored, the input variables can be hidden. This is not possible for arbitrary partitions, since the correspondence between the output waveforms and the input waveforms need...

Abstract — This paper presents a method to address state explosion in timed circuit verification by using abstraction directed by the failure model. This method allows us to decompose the verification problem into a set of subproblems, each of which proves that a specific failure condition does not occur. To each subproblem, abstraction is applied using safe transformations to reduce the complexity of verification. The abstraction preserves all essential behaviors conservatively for the specific failure model in the concrete description. Therefore, no violations of the given failure model are missed when only the abstract description is error trace to either find a concrete error trace or report that it is a false negative. This paper presents results using the proposed failure directed abstractions as applied to several large timed circuit designs. Index Terms — timed circuits, formal verification, abstraction. I.

Timed Logic Conformance (TLC) is a bisimulation-style partial order relationship defined over the statespace of Timed Safety Automata (TSA) with real-valued clocks. In contrast to timed simulation, Calculus of Timed Refinement (CTR), and Time-Abstracted bisimulation, TLC defines when one system is an acceptable implementation of another by asymmetric bisimulation-style requirements for specification inputs and implementation outputs. While TLC does not necessarily preserve timed properties, it intuitively and pragmatically supports writing abstract specifications and verifying them against implementations. TLC scales up by substituting verified specifications for implementations and hierarchically verifying larger systems. TLC verification is an alternative to assumes-guarantees reasoning process. TLC verification depends on explicitly capturing environmental timing properties in the specification and insuring they are satisfied in the TLC relation. The region-automata-based TLC System...