 Returns true on rising edge of p

node Rise(p: bool) returns (r: bool);

let

r = false > not pre(p) and p;

tel;

node Fall(p: bool) returns (r: bool);

let

r = false > (not p) and pre p ;

tel

 Returns true when p changes

node Changed(p: bool) returns (r: bool);

let

r = false > p <> pre(p);

tel;

24



 Latches p

node Latch(p: bool) returns (r: bool);

let

r = p > p or pre(r);

tel;

 Converts a Boolean to an integer

node b2i(b: bool) returns (i: int);

let i = if b then 1 else 0; tel;

 Returns a stream true for the first n steps of clock clk

node ctF(n: int; clk: bool) returns (r: bool);

var

c: int;

ctF_counter_positive: bool;

let

c = b2i(clk) > pre(c) + b2i(clk);

r = (c <= n);

ctF_counter_positive = c >= 0;

 PROPERTY ctF_counter_positive;

tel;

 Returns number of steps p has been true

node Duration(p: bool) returns (r: int);

var

value_posnat: bool;

let

 Counts the number of instants since p was last false

r = if p then (1 > pre(r) + 1) else 0;

value_posnat = r >= 0;

 PROPERTY value_posnat;

tel;

71


 Returns number of steps since p has been true  zero if p never true

node Since(p: bool) returns (r: int);

var

value_posnat, zero_till_true: bool;

let

r = b2i(p) > if p then 1 else if pre(r) = 0 then 0 else pre(r) + 1;

value_posnat = r >= 0;

 PROPERTY value_posnat;

zero_till_true = not Latch(p) => (r = 0);

 PROPERTY zero_till_true;

tel;

 Returns whether P has been true within the last n steps

node Within(p: bool; n : int) returns (r: bool);

let

r = Since(p) > 0 and Since(p) <= n;

tel;

node OnceWithin(p: bool; n : int) returns (r: bool);

var since_p, pre_since_p : int ;

let

since_p = Since(p) ;

pre_since_p =

0 > if p then (if pre since_p = 0 then 0 else pre since_p + 1)

else (if pre pre_since_p > 0 then pre pre_since_p + 1

else 0) ;

r = (Since(p) > 0 and since_p <= n) and (pre_since_p > n or pre_since_p = 0) ;

 PROPERTY (pre_since_p = 0) or (pre_since_p > since_p) ;

tel;

109



 Returns true if p is always true for at least n steps

node True_At_Least(p: bool; n: int) returns (r: bool);

var

c: int;

value_posnat: bool;

let

 Counts the number of steps p has been true

c = b2i(p) > if p then pre(c) + 1 else 0;

r = true > ((pre(c) > 0 and pre(c) < n) => p);

value_posnat = c >= 0;

 PROPERTY value_posnat;

tel;

node Initializing

(LS_CLK, RS_CLK, LR_CLK, RL_CLK: bool)

returns

(r: bool);

var

LS_Initializing: bool;

RS_Initializing: bool;

LR_Initializing: bool;

RL_Initializing: bool;

let

LS_Initializing = ctF(1, LS_CLK);

RS_Initializing = ctF(1, RS_CLK);

LR_Initializing = ctF(1, LR_CLK);

RL_Initializing = ctF(1, RL_CLK);

r =

(LS_Initializing or

RS_Initializing or

LR_Initializing or

RL_Initializing);

tel

 Inihibited mode constant.

 const inhibit_count_max = 2;

node PFS_Logic

(riseTS, riseOSPF : bool;

Primary_Side : bool)

returns

(PFS : bool);

 const St_Inhibited : int = 1 ;

 const St_Listening : int = 2 ;

 const St_Flying : int = 3 ;

var

 state : subrange [1, 3] of int;

State: int;

fly_to_inh, inh_to_lis, lis_to_fly: bool;

inhibit_count: int;

let

174

175

176

177

178

179

180

181


State = (

if Primary_Side then 3 else 1

) > (

if fly_to_inh then 1 else

if inh_to_lis then 2 else

if lis_to_fly then 3 else

pre State

) ;

191

192


PFS = Primary_Side > (

if State = 1 then false else

if State = 2 then false else

if State = 3 then true else

 Unreachable.

pre PFS

) ;

201

202

203

204

205


tel;

208


node PFS_Side

(TS, OSPF : bool;

Primary_Side : bool)

213

214

215


var

PFSL_PFS : bool;

riseTS_O : bool;

riseOSPF_O : bool;

221

222


PFSL_PFS =

PFS_Logic(riseTS_O, riseOSPF_O, Primary_Side);

226

227


riseOSPF_O = Rise(OSPF);

230

231


tel;

node Cross_Channel_Bus

(I : bool;

Init_Bool : bool)

returns

(O : bool);

let

O = Init_Bool > pre I ;

tel;

node qs_dfa (p, q : bool) returns (ok : bool);

var

r : int;

let

ok = not (((0 > pre r) = 2 and p) or ((0 > pre r) = 2 and q));

r = if p and q then 0

else if p then

(if (0 > pre r) < 0 then 1 else ((0 > pre r)) + 1)

else if q then

(if (0 > pre r) > 0 then 1 else ((0 > pre r))  1)

else (0 > pre r);

tel;

node qs_calendar

(CLK1: bool; CLK2: bool; CLK3: bool; CLK4: bool)

returns

(ok : bool);

let

ok =

(qs_dfa(CLK1, CLK2) and

qs_dfa(CLK1, CLK3) and

qs_dfa(CLK1, CLK4) and

qs_dfa(CLK2, CLK3) and

qs_dfa(CLK2, CLK4) and

qs_dfa(CLK3, CLK4) and

(CLK1 or CLK2 or CLK3 or CLK4));

tel;

node SinceGTOrZero(in: bool ; min: int) returns (out: bool) ;

let

out = (Since(in) > min) or (Since(in) = 0) ;

tel

node SinceLENotZero(in: bool ; max: int) returns (out: bool) ;

let

out = (Since(in) <= max) and (Since(in) > 0) ;

tel

 const all_ticked_max = 7 ;

 const both_stabilization_max =

 (2 + 2) * (7 + 1) + 7 ;

 const 28 =

 (2 + 2) * 7 ;

 const side_comm_stabilization_max =

 (2 + 2) * 7 + 7 ;

node PFS

(TS : bool)

returns

(LPFS, RPFS, LS_PFS, RS_PFS, RL_O, LR_O : bool) ;

var

global_req, global_ens,

inhibited_R2_R3_req, inhibited_R2_R3_ens,

unchanged_nop_R5_req, unchanged_nop_R5_ens,

change_R3_rise_req, change_R3_rise_ens,

change_R3_fall_req, change_R3_fall_ens,

assume, guarantee: bool ;

let

LS_PFS =

PFS_Side(TS, RL_O, true);

RS_PFS =

PFS_Side(TS, LR_O, false);

LR_O =

Cross_Channel_Bus (LS_PFS, true);

RL_O =

((*! /inlining/: true;*)Cross_Channel_Bus (RS_PFS, false));

LPFS = LS_PFS ;

RPFS = RS_PFS ;

global_req = Duration(true) <= 2 + 2 => not Rise(TS) ;

global_ens = (

( (LPFS and (not RPFS)) > true ) and

( LPFS or RPFS ) and

( SinceGTOrZero(Rise(TS), 1) => LPFS = not RPFS )

) ;

inhibited_R2_R3_req = false >

SinceLENotZero(Fall(pre LPFS) or Fall(pre RPFS), 2) ;

inhibited_R2_R3_ens = not (Changed(RPFS) or Changed(LPFS)) ;

unchanged_nop_R5_req = SinceGTOrZero(Rise(TS), 2 + 1) ;

unchanged_nop_R5_ens = not (Changed(RPFS) or Changed(LPFS)) ;

change_R3_rise_req = Rise(TS) and (

SinceGTOrZero(

Fall(false > pre RPFS) or Fall(true > pre LPFS),

2 + 2

)

) ;

change_R3_rise_ens =

Rise(RPFS) or Rise(LPFS) and not (Rise(RPFS) and Rise(LPFS)) ;

change_R3_fall_req = Since(

Rise(true > pre LPFS) or Rise(false > pre RPFS)

) = 1 ;

change_R3_fall_ens =

Fall(RPFS) or Fall(LPFS) and not (Fall(RPFS) and Fall(LPFS)) ;

assume = global_req and (

inhibited_R2_R3_req or

unchanged_nop_R5_req or

change_R3_rise_req or

change_R3_fall_req

) ;

guarantee = global_ens and (

(inhibited_R2_R3_req => inhibited_R2_R3_ens) and

(unchanged_nop_R5_req => unchanged_nop_R5_ens) and

(change_R3_rise_req => change_R3_rise_ens) and

(change_R3_fall_req => change_R3_fall_ens)

) ;

!PROPERTY : ( Duration(assume) = Duration(true) ) => guarantee ;

tel;

387

