An Introduction to Formal

Verification

Sandeep K. Shukla

CECS/ICS/UCI

Acknowledgement

• Maciej Ciesielski (Umass, Amherst)

• Kenneth Mcmillan (Cadence Berkeley
Labs)

1
 Overview
• Introduction
– What is verification (validation)
– Why do we need it
– Formal vs. simulation-based methods

• Math background
– BDD’s
– Symbolic FSM traversal

Overview – Formal Methods

• Equivalence checking
– Combinational circuits
– Sequential circuits

• Model checking
– Problem statement
– Explicit algorithms (on graphs)
– Symbolic algorithms (using BDDs)

• Theorem proving
– Deductive reasoning

2
 Overview – Functional Testing
• Simulation-based methods
– Functional test generation
– SAT-based methods, Boolean verification
• Boolean satisfiability
– RTL verification
• Arithmetic/Boolean satisfiability
– ATPG-based methods

• Emulation-based methods
– Hardware-assisted simulation
– System prototyping

Part I

INTRODUCTION

3
 Verification
• Design verification = ensuring correctness of the design
– against its implementation (at different levels)
-- against alternative design (at the same level)

model ≡? Design 1 Design 2

≡?
behavior HDL / RTL RTL
≡?
function Logic level Logic level
≡?
≡?
structure Gate level Gate level ≡?
≡?
layout Mask level Mask level

Why Verification

• Verification crisis
– system complexity, difficult to manage
– more time, effort devoted to verification than to design
– need automated verification methods, integration

• Examples of undetected errors

– Ariane 5 rocket explosion, 1996 (exception occurred
when converting 64-bit floating number to a 16-bit
integer)
– Pentium bug (multiplier table not fully verified)
– many more ….

4
 Verification Methods
• Simulation - performed on the model
• Deductive verification
• Model checking Formal Verification

• Equivalence checking
• Testing - performed on the actual product
(manufacturing test)
• Emulation, prototyping

Formal Verification
• Deductive reasoning (theorem proving)
– uses axioms, rules to prove system correctness
– no guarantee that it will terminate
– difficult, time consuming: for critical applications only
• Model checking
– automatic technique to prove correctness of concurrent systems: digital
circuits, communication protocols, etc.
• Equivalence checking
– check if two circuits are equivalent

5
 Why Formal Verification

• Need for reliable hardware validation

• Simulation, test cannot handle all possible cases
• Formal verification conducts exhaustive
exploration of all possible behaviors
– compare to simulation, which explores some of possible
behaviors
– if correct, all behaviors are verified
– if incorrect, a counter-example (proof) is presented
• Examples of successful use of formal verification
– SMV system [McMillan 1993]

Part II

BACKGROUND

BDDs, FSM traversal

6
 Binary Decision Diagrams
• Binary Decision Diagram (BDD)
– compact data structure for Boolean logic
– can represent sets of objects (states) encoded as Boolean
functions
– reduced ordered BDDs (ROBDD) are canonical
– canonicity - essential for verification
• Construction of ROBDD
– remove duplicate terminals
– remove duplicate nodes (isomorphic subgraphs)
– remove internal nodes with identical children

BDD - Construction

• Construction of a Reduced Ordered BDD

f
a b c f 1 edge
f = ac + bc a
0 edge
0 0 0 0
0 0 1 0 b b
0 1 0 0
0 1 1 1 c c c c
1 0 0 0
1 0 1 1
1 1 0 0
1 1 1 1 0 0 0 1 0 1 0 1

Truth table Decision tree

7
 BDD Construction – cont’d
f f f = (a+b)c
a a a

b b b b b

c c c c c c c

0 1 0 1 0 1

1. Remove 2. Remove 3. Remove

duplicate terminals duplicate nodes redundant nodes

Application to Verification
• Equivalence of combinational circuits
• Canonicity property of BDDs:
– if F and G are equivalent, their BDDs are
identical (for the same ordering of variables)

a F = a’bc + abc +ab’c a G = ac +bc

b ≡ b

c c

0 1 0 1

8
 Application to Verification,
cont’d
H
• Functional test generation
– SAT, Boolean satisfiability a
analysis
– to test for H = 1 (0), find a b ab
path in the BDD to terminal 1
c
(0)
– the path, expressed in ab’c
function variables, gives a 0 1
satisfying solution (test
vector)

Logic Manipulation using BDDs

• Useful operators F F’
¬
– Complement ¬ F = F’
0 1 1 0
(switch the terminal nodes)

F(x,y) F(y)
Restrict
– Restrict: F|x=b = F(x=b)
where b = const
0 1 x=b 0 1

9
 Useful BDD Operators - cont’d
• Apply: F • G
where • stands for any Boolean operator (AND, OR,
XOR, →)
F G F • G

• =

0 1 0 1
0 1

• Any logic operation can be expressed using only

Restrict and Apply
• Efficient algorithms, work directly on BDDs

Finite State Machines (FSM)

X O
λ(s,x)
δ(s,x)
• FSM M(X,S, δ, λ,O) s s’

R
– Inputs: X
– Outputs: O
– States: S
– Next state function, δ(s,x) : S × X → S
– Output function, λ(s,x) : S × X → O

10
 FSM Traversal

• State Transition Graphs

– directed graphs with labeled nodes and arcs
(transitions)
– symbolic state traversal methods
• important for symbolic verification, state
reachability analysis,
0/0 FSM traversal, etc.
1/0
0/1
s0 s1

1/0 s2 0/1

Existential Quantification

• Existential quantification (abstraction)

∃x f = f |x=0 + f |x=1
• Example:
∃x (x y + z) = y + z

• Note: ∃x f does not depend on x

(smoothing)
• Useful in symbolic image computation (sets of
states)

11
 Existential Quantification -
cont’d
• Function can be existentially quantified w.r.to a
vector: X = x 1x2…

∃X f = ∃x1x2... f = ∃x1 ∃x2 ∃... f

• Can be done efficiently directly on a BDD

• Very useful in computing sets of states
– Image computation: next states
– Pre-Image computation: previous states from a given set
of initial states

Image Computation

• Computing set of next states from a given initial

state (or set of states)
• Img( S,R ) = ∃u S(u) • R(u,v)
R(u,v)

S(u) Img(v)

• FSM: when transitions are labeled with input predicates

x, quantify w.r.to all inputs (primary inputs and state var)
Img( S,R ) = ∃x ∃u S(u) • R(x,u,v)

12
 Image Computation - example
Compute a set of next states from state s1

• Encode the states: s1=00, s2=01, s3=10, s4=11

• Write transition relations for the encoded
states: R = (ax’y’X’Y + a’x’y’XY’ + xy’XY
+ ….)
s2 a xy XY
a 01
s1 1 00 01
s4 0 00 10
00 a’
11 - 10 11
10 ……….
s3

Example - cont’d
• Compute Image from s1 under R
Img( s1,R ) = ∃a ∃xy s1(x,y) • R(a,x,y,X,Y)

= ∃a ∃xy (x’y’) • (ax’y’X’Y + a’x’y’XY’ + xy’XY + ….)

= ∃axy (ax’y’X’Y + a’x’y’XY’ ) = (X’Y + XY’ )
= {01, 10} = {s2,s3}

s2
a 01
s1 s4 Result: a set of next
00 a’
11 states for all inputs
10 s1 → {s2, s3}
s3

13
 Pre-Image Computation
• Computing a set of present states from a given
next state (or set of states)
Pre-Img( S’,R) = ∃v R(u,v) )• S’(v)
R(u,v)

Pre-Img(u) S’(v)

• Similar to Image computation, except that quantification is done

w.r.to next state variables
• The result: a set of states backward reachable from state set S’,
expressed in present state variables u
• Useful in computing CTL formulas: AF, EF

Part III

EQUIVALENCE CHECKING

14
 Equivalence Checking
• Two circuits are functionally
equivalent if they exhibit the same
behavior
In CL Out

• Combinational circuits
– for all possible input values PI Po
• Sequential circuits
CL
– for all possible input sequences
Ps Ns
R

Combinational Equivalence Checking

• Functional Approach
– transform output functions of combinational
circuits into a unique (canonical)
representation
– two circuits are equivalent if their
representations are identical
– efficient canonical representation: BDD

• Structural
– identify structurally similar internal points
– prove internal points (cut-points) equivalent
– find implications

15
 Functional Equivalence
• If BDD can be constructed for each circuit
– represent each circuit as shared (multi-output)
BDD
• use the same variable ordering !
– BDDs of both circuits must be identical

• If BDDs are too large

– cannot construct BDD, memory problem
– use partitioned BDD method
• decompose circuit into smaller pieces, each as BDD
• check equivalence of internal points

Functional Decomposition

• Decompose each function into functional blocks

– represent each block as a BDD (partitioned BDD
method)
– define cut-points (z)
– verify equivalence of blocks at cut-points
F G
starting at primary inputs
f2 g2
z z
f1 g1
x y x y

16
 Cut-Points Resolution Problem
• If all pairs of cut-points (z 1,z2) are equivalent
– so are the two functions, F,G
• If intermediate functions (f 2,g2) are not equivalent
– the functions (F,G) may still be equivalent
– this is called false negative F G
• Why do we have false negative ? g2
f 2
– functions are represented in terms of
intermediate variables z1 z2
– to prove/disprove equivalence must
represent the functions in terms of f1 g1
primary inputs (BDD composition)
x y x y

Cut-Point Resolution – Theory

• Let f1(x)=g1(x) ∀x
– if f2 (z,y) ≡ g2 (z,y), ∀z,y then f2 (f1 (x),y) ≡ g2(f 1(x),y) ⇒
F≡G
– if f2 (z,y) ≠ g2 (z,y), ∀z,y ≠⇒ f2 (f1 (x),y) ≠ g2(f 1(x),y) ⇒
F≠G We cannot say if F ≡ G or not
F G
• False negative
f2 g2 – two functions are equivalent,
but the verification algorithm
z z declares them as different.

f1 g1
x y x y

17
 Cut-Point Resolution – cont’d
• Procedure 2: create a BDD for F ⊕ G
– perform satisfiability analysis (SAT) of the BDD
• if BDD for F ⊕G = ∅, problem is not satisfiable, false negative
• BDD for F ⊕G ≠ ∅, problem is satisfiable, true negative

F G F ⊕G = ∅, F ≡ G (false negative)
= Non-empty, F ≠ G
⊕

– the SAT solution, if exists, provides a test vector

(proof of non-equivalence) – as in ATPG

Sequential Equivalence Checking

• Represent each sequential circuit as an FSM
– verify if two FSMs are equivalent
• Approach 1: reduction to combinational circuit
– unroll FSM over n time frames (flatten the design)
x(1) x(2) x(n)

M(t1) M(t2) … M(tn)

…
s(1) s(2) s(n)

Combinational logic: F(x(1,2, …n), s(1,2, … n))

– check equivalence of the resulting combinational circuits

– problem: the resulting circuit can be too large too handle

18
 Sequential Verification
• Approach 2: based on isomorphism of state
transition graphs
– two machines M1, M2 are equivalent if their state
transition graphs (STGs) are isomorphic
– perform state minimization of each machine
– check if STG(M1) and STG(M2) are isomorphic
1/0
1/0 0/0 0/1
0/0 0/1 State min. 0 1.2
0 1/1 1
M1 min 1/1 ≡
1/0 2 0/1 M1
1/0
0/0 0/1
0 1
M2
1/1

Sequential Verification
• Approach 3: symbolic FSM traversal of the
product machine
• Given two FSMs: M1(X,S1, δ 1, λ1,O1), O(M)
M2(X,S2, δ 2, λ2,O2)
• Create a product FSM: M = M1× M 2
– traverse the states of M and check its O1 O2
output for each transition
– the output O(M) =1, if outputs O1= O2
M1 M2
– if all outputs of M are 1, M1 and M2 are S1 S2
equivalent
– otherwise, an error state is reached X
– error trace is produced to show: M1 ≠ M2

19
 Product Machine - Construction

• Define the product machine M(X,S, δ, λ,O)

– states, S = S1 × S 2
– next state function, δ(s,x) : (S1 × S2) × X → (S1 × S2)
– output function, λ(s,x) : (S1 × S2 ) × X →
{0,1} • Error trace (distinguishing sequence)
that leads to an error state
- sequence of inputs which produces 1
λ1 λ2 at the output of M
δ1 δ2 - produces a state in M for which M1
M1 M2 and M2 give different outputs

X λ(s,x) = λ 1(s 1,x) ⊕ λ2(s2,x) O {10 otherwise

=
if O =O
1 2

FSM Traversal - Algorithm

• Traverse the product machine M(X,S,δ, λ,O)
– start at an initial state S 0
– iteratively compute symbolic image Img(S 0,R) (set of next states):
Img( S0 ,R ) = ∃x ∃ s S 0(s) • R(x,s,t)
R = ∏i Ri = ∏i (ti ≡ δ i(s,x))
until an error state is reached
– transition relation R i for each next state variable ti can be
computed as ti = (t ⊗ δ(s,x))
(this is an alternative way to compute transition relation, when
design is specified at gate level)

20
 Construction of the Product FSM
1/0 0/0
0/0 0/1 2
M1 0 1 M2 1/1 1/0
0/1
0/0
1/1 0 1
• For each pair of states, s1 ∈ M1 , s 2∈ M 2 1/1
– create a combined state s = (s1. s2) of M
– create transitions out of this state to other states of M
– label the transitions (input/output) accordingly

1⊗ 1
0/1 1/0 0/1 Output = { 10 error
OK
0⊗ 0
M1 1 0 1/1
0/1 1.1 0.2

M2 1/0
1 2

FSM Traversal in Action 0/0

1/0
0/0 0/1 2
0 1 1/1 1/0
0/1
0/0
M1 1/1 0 1
M2 1/1

Initiall states: s1=0, s2=0, s=(0.0) Error state

0/0 1/0 0/0
Out(M) 0.1 1.0
State reached x=0 x=1 1/0 1/1
0/1
• New 0 = (0.0) 1 1
0/0 1.2 0.2
• New 1 = (1.1) 1 1
1/0 1/1
• New 2 = (0.2) 1 1 0.0 1.1
• New 3 = (1.0) 0 0 M 0/1 1/1 0/1

• STOP - backtrack to initial state to get error trace:

x={1,1,1,0}

21
 Part IV

MODEL CHECKING

Model Checking
• Algorithmic method of verifying correctness of (finite state)
concurrent systems against temporal logic specifications
– A practical approach to formal verification

• Basic idea
– System is described in a formal model
• derived from high level design (HDL, C), circuit structure,
etc.
– The desired behavior is expressed as a set of properties
• expressed as temporal logic specification
– The specification is checked agains the model

22
 Model Checking
• How does it work

– System is modeled as a state transition structure (Kripke structure)

– Specification is expressed in propositional temporal logic (CTL

formula)
• asserts how system behavior evolves over time

– Efficient search procedure checks the transition system to see if it

satisifes the specification

Model Checking
• Characteristics
– searches the entire solution space
– always terminates with YES or NO
– relatively easy, can be done by experienced designers
– widely used in industry
– can be automated

• Challenges
– state space explosion – use symbolic methods, BDDs
• History
– Clark, Emerson [1981] USA
– Quielle, Sifakis [1980’s] France

23
 Model Checking - Tasks
• Modeling
– converts a design into a formalism: state transition system

• Specification
– state the properties that the design must satisfy
– use logical formalism: temporal logic
• asserts how system behavior evolves over time

• Verification
– automated procedure (algorithm)

Model Checking - Issues

• Completeness
– model checking is effective for a given property
– impossible to guarantee that the specification covers all properties
the system should satisfy
– writing the specification - responsibility of the user

• Negative results
– incorrect model
– incorrect specification (false negative)
– failure to complete the check (too large)

24
 Model Checking - Basics
• State transition structure
M(S,R,L) (Kripke structure)
s1
S = finite set of states {s1, s 2, … sn }
R = transition relation a
L = set of labels assigned to states, so that s3
s2
L(s) = f if state s has property f b ac

• All properties are composed of Label (property)

atomic propositions (basic
properties), e.g. the light is green,
the door is open, etc.
– L(s) is a subset of all atomic
propositions true in state s

Temporal Logic
• Formalism describing sequences of transitions
• Time is not mentioned explicitly
• The temporal operators used to express temporal properties
– eventually
– never
– always
• Temporal logic formulas are evaluated w.r.to a state in the
model
• Temporal operators can be combined with Boolean
expressions

25
 Computation Trees
s1
a
s1
a
b ac
s2 s3
b ac
a ac ac

State transition structure ac

(Kripke Model)
Infinite computation tree
for initial state s1

CTL – Computation Tree Logic

• Path quantifiers - describe branching structure of the tree
– A (for all computation paths)
– E (for some computation path = there exists a path)

• Temporal operators - describe properties of a path through

the tree
– X (next time, next state)
– F (eventually, finally)
– G (always, globally)
– U (until)
– R (release, dual of U)

26
 CTL Formulas

• Temporal logic formulas are evaluated

w.r.to a state in the model

• State formulas
– apply to a specific state

• Path formulas
– apply to all states along a specific path

Basic CTL Formulas

• E X (f)
– true in state s if f is true in some successor of s (there
exists a next state of s for which f holds)
• A X (f)
– true in state s if f is true for all successors of s (for all
next states of s f is true)
• E G (f)
– true in s if f holds in every state along some path
emanating from s (there exists a path ….)
• A G (f)
– true in s if f holds in every state along all paths
emanating from s (for all paths ….globally )

27
 Basic CTL Formulas - cont ’d
• E F (g)
– there exists a path which eventually contains a state in
which g is true
• A F (g)
– for all paths, eventually there is state in which g holds
• E F, A F are special case of E [f U g], A [f U g]
– E F (g) = E [ true U g ], A F (g) = A [ true U g ]
• f U g (f until g)
– true if there is a state in the path where g holds, and at
every previous state f holds

CTL Operators - examples

so so

g
g g g

so |= E F g so |= A F g

so g g so
g g g

g g g g

so |= E G g so |= A G g

28
 Basic CTL Formulas - cont ’d
• Full set of operators
– Boolean: ¬, ∧, ∨, ⊕, →
– temporal: E, A, X, F, G, U, R

• Minimal set sufficient to express any CTL formula

– Boolean: ¬, ∨
– temporal: E, X, U

• Examples:
f ∧ g = ¬(¬f ∨ ¬g), F f = true U f , A (f ) = ¬E(¬f )

Typical CTL Formulas

• E F ( start ∧ ¬ ready )
– eventually a state is reached where start holds and
ready does not hold
• A G ( req → A F ack )
– any time request occurs, it will be eventually
acknowledged
• A G ( E F restart )
– from any state it is possible to get to the restart
state

29
Model Checking – Explicit Algorithm
Problem: given a structure M(S,R,L) and a temporal
logic formula f, find a set of states that satisfy f
{s ∈ S: M,s |= f }
• Explicit algorithm: label each state s with the set
label(s) of sub-formulas of f which are true in s.
• i = 0; label(s) = L(s)
• i = i + 1; Process formulas with (i -1) nested CTL operators.
Add the processed formulas to the labeling of each state in
which it is true.

• Continue until closure. Result: M,s |= f iff f ∈ label (s)

Explicit Algorithm - cont’d

• To check for arbitrary CTL formula f

– successively apply the state labeling algorithm to the
sub-formulas
– start with the shortest, most deeply nested
– work outwards

• Example: E F ¬ (g ∧ h )
T1 = states in which g and h are true
T2 = complement of T1

T3 = predecessor states to T2

30
 Model Checking Example
Traffic light controller
(simplified) sensor
C Timer
C = car sensor Road 2
T = timer C ’+ T ’ TC G1 R2

Road 1
G1 R2 G1 R2
Y1 R2
CT
G1 R2 Y1 R2 R1 G2

R1 Y2 Y1 R2
G1 G2
Y1 R2 R1 G2 R1 Y2 R1 G2
Y1 Y2
R1 R2
C ’+ T
R1 Y2 R1 G2 G1 R2
R1 G2

CT ’
R1 Y2

Traffic light controller - Model

Checking
• Model Checking task: check
C ’+T ’
– safety condition
– fairness conditions G1 R2

CT

• Safety condition: no green lights on

both roads at the same time R1 Y2 Y1 R2

A G ¬ (G1 ∧ G2 )
C ’+T

• Fairness condition: eventually one R1 G2

road has green light CT ’

E F (G1 ∨ G2)

31
 Checking the Safety Condition
A G ¬ (G1 ∧ G2) = ¬ E F
(G1∧G2) G1 R2 1

2
• S(G1 ∧ G2 ) = S(G1) ∩ S(G2) = R1 Y2 Y1 R2
{1}∩{3} = ∅
4
• S(EF (G1 ∧ G2 )) = ∅
S(¬ EF (G1 ∧ G2 )) = ¬∅
R1 G2
• 3
= {1, 2, 3, 4}
Each state is included in {1,2,3,4} ⇒
the safety condition is true (for each state)

Checking the Fairness Condition

E F (G1 ∨ G2 ) = E(true U (G1 ∨ G2 ) )
• S(G1 ∨ G2 ) = S(G1)∪S(G2) = {1} ∪{3} = {1,3}
• S(EF (G1 ∨ G2 )) = {1,2,3,4}
(going backward from {1,3}, find predecessors)

1 4 3 3 2 1

Since {1,2,3,4} contains all states, the condition is

true for all the states

32
 Another Check
E X 2 (Y1) = E X (E X (Y1)) G1 R2 1
(starting at S1=G1R2, is
there a path s.t. Y1 is true in 2 2
steps ?)
R1 Y2 Y1 R2

4
• S (Y1) = {2}
R1 G2
• S (EX (Y1)) = {1} 3
(predecessor of 2)
• S (EX (EX(Y1)) = {1,4}
(predecessors of 1)
Property E X 2 (Y1) is true for states {1,4}, hence true

Symbolic Model Checking

• Symbolic
– operates on entire sets rather than individual states

• Uses BDD for efficient representation

– represent Kripke structure
– manipulate Boolean formulas
• RESTRICT and APPLY logic operators

• Quantification operators
– Existential: ∃ x f = f |x=0 + f |x=1 (smoothing)
– Universal: ∀x f = f |x=0 • f |x=1 (consensus)

33
 Symbolic Model Checking - example
Traffic Light Controller

• Encode the atomic propositions (G1,R1,Y1, G2,Y2,R2):

use [a b c d] for present state, [v x y z] for next state

G1 R2 s1
abcd
11 10
G1 11 -- s2
10 01
Y1 01 --
R1 1 0 -- R1 Y2 Y1 R2

G2 --11 01 10
s4
Y2 --01 10 11
R2 -- 10
R1 G2

s3

Example - cont’d
• Represent the set of states as Boolean formula
Q: Q = abcd’ + a’bcd’ + ab’cd + ab’c’d

• Store Q in a BDD
G1 R2 s1
(It will be used to perform logic
operations, such as S(G1) ∨ S(G2) 11 10

10 01 s2

R1 Y2 Y1 R2

01 10
s4
10 11
R1 G2

s3

34
 Example - cont’d
• Write a characteristic function R for the transition
relation R =abcd’vxyz’ + abcd’v’xyz’ + … +
ab’c’dvxyz’
abcd vxyz R s1
(6 terms) G1 R2

1110 1110 1 11 10
1110 0110 1
10 01 s2
0110 1011 1
1011 1011 1 R1 Y2 Y1 R2
1011 1001 1
1001 1110 1 01 10
s4
10 11

R1 G2
• Store R in a BDD. It will be used for s3
Pre-Image computation for EF.

Example - Fairness Condition

• Check fairness condition: E F (G1 ∨ G2 )

• Step 1: compute S(G1), S(G2) using RESTRICT

operator
– S(G1): ab·Restrict Q(G1) = ab Q| ab = abcd’ = {s1}
– S(G2): cd·Restrict Q(G2) = cd Q| cd = ab’cd = {s3}

• Step 2: compute S(G1) ∨ S(G2 ) using APPLY

operator
– Construct BDD for (abcd’ + ab’cd) = {s1, s3}, set of
states labeled with G1 or G2

35
 Example – cont’d
• Step 3: compute S(EF (G1 ∨ G2 )) using Pre-Image
computation (quanitfy w.r.to next state variables)

• Recall: R = abcd’vxyz’ + abcd’v’xyz’+ … + ab’c’dvxyz’

• ∃s’ {s1’,s3’} • R(s,s’) ) =

= ∃vxyz(vxyz’ + vx’yz) • R(a,b,c,d;v,x,y,z)

= ∃vxyz(abcd’vxyz’ + a’bcdvx’yz + ab’cdvx’yz + ab’c’dvxyz’)
= (abcd’ + a’bcd + ab’cd + ab’c’d) = {s1, s2, s3, s4}

• Compare to the result of explicit algoritm √

Example – Interpretation
• Pre-Img(s1’,s3’,R) eliminates those
transitions which do not reach {s1,s3}
G1 R2 s1
abcd vxyz R
11 10
1110 1110 1 s2
X 1110 0110 1 10 01
0110 1011 1 R1 Y2 Y1 R2
1011 1011 1
X 1011 1001 1 01 10
s4
1001 1110 1 10 11
R1 G2

s3
• Quantification w.r.to next state variables
(v,x,y,z) gives the encoded present states
{s1,s2,s3,s4}

36