Temporal abstraction of digital designs

John Herbert

February 1988
Temporal Abstraction of Digital Designs

John Herbert
Computer Laboratory
Pembroke Street
Cambridge CB2 3QG

Abstract: Formal techniques have been used to verify the function of reasonably large digital devices ([Hunt85], [Cohn87]), and also to describe and reason about digital signal behaviour at a detailed timing level [Hanna85] [Herbert86]. Different models are used: simple synchronous models of components are the basis for verifying high-level functional specifications; more detailed models which capture the behaviour of signals in real time are the basis for proofs about timing. The procedure called temporal abstraction is a technique for formally relating these two behavioral models.

The background to temporal abstraction is presented and the details of its implementation in HOL. The HOL language ([Gordon85a]) is a computerised version of higher-order logic which has an associated proof assistant also called HOL. In HOL one may specify behaviour at both the functional and timing levels. This work describes how the relationship between these levels may also be described in HOL and reasoned about using the HOL system.

The formal transformation of descriptions of behaviour at the timing level to behaviour at the functional level involves generating and verifying timing constraints. This process can be identified with the conventional design activity of timing analysis. This work shows that timing verification can be viewed, not as a separate phase of design, but as part of a single verification process which encompasses functional and timing verification. A single formal language, HOL, is used to describe all aspects of the behaviour and a single verification system provides all the proofs of correctness. The use of uniform, formal techniques is shown to have a number of advantages.
Preface

This report is essentially a self-contained portion of my thesis \(^1\). The following is a copy of my acknowledgement from the thesis. In addition I would like to thank Dr. Mike Gordon and Dr. Mary Sheeran for their comments.

Part of the work was supported by SERC/Alvey grant number GR/D/17304 entitled "Formal Methods for Hardware Verification".

I wish to thank my supervisor, Dr. Andy Hopper, for his help and support. I am grateful to Professor Roger Needham, the head of the Computer Laboratory, for the opportunity to work at Cambridge and for his contribution to a good working environment. I have been fortunate to receive financial support through scholarships from the Royal Commission for the Exhibition of 1851 and Corpus Christi College, Cambridge, and an award from the Lundgren Research Fund.

I would like to thank those people who have read and commented on earlier drafts of this dissertation: Andy Hopper, Jeff Joyce, Miriam Leeser, Tom Melham, Larry Paulson and Frances Quigg. Frances Quigg read early drafts diligently and helped correct my presentation of ideas; Miriam Leeser commented closely on the chapters on timing.

The hardware verification group at Cambridge has provided a friendly and stimulating work environment. I am especially grateful to Mike Gordon for leading the way in hardware verification and giving me advice and encouragement when it was needed. Special thanks also to the other HVG roadshow members — Albert, Inder, Miriam and Tom.

9 Verification of Timing Level Implementation
   9.1 Temporal Abstraction .................................. 26
   9.2 Function-timing Composition ........................... 27
   9.3 Statement of Correctness ............................... 29

10 Discussion ................................................. 30
   10.1 Relationship to Timing Analysis ....................... 30
   10.2 Advantages of Formal Timing Verification .......... 31
   10.3 Summary ............................................. 32
1 Introduction

All the formal specifications and proofs described in this article have been constructed using the HOL system. We will not describe the HOL language and associated system; they have been presented in [Gordon85a], [Gordon85b].

In previous work we have reasoned in HOL about digital systems at two distinct behavioural levels. The HOL ECL chip proof, [Herbert88a], deals with the synchronous behavioural level; each combinational device has zero delay, a memory element acts as a unit delay. In the verification of basic memory devices,[Herbert88b], we have reasoned about digital behaviour at the timing level; each gate has propagation delay, each memory element has an explicit clock and a number of timing parameters. We now relate the behaviour of the timing level models to the corresponding synchronous level models.

The process of formally relating behaviour on different time scales is called temporal abstraction. (Note, we sometimes refer to temporal abstraction as simply abstraction.) In this work temporal abstraction is used to relate the timing level to the synchronous level. We derive a formal relationship between timing level models which capture closely the physical component behaviour, and synchronous level models which provide a tractable means of verifying functional behaviour. Related work on various abstraction mechanisms (including temporal abstraction) is being done by Melham [Melham87].

Before presenting a formal treatment of temporal abstraction we describe some of the ideas behind this process.

1.1 Informal Description of Abstraction

At the timing level, the clock signal is modelled just like any other signal. At the synchronous level, the clock signal is hidden. However, we can consider the time dimension at the synchronous behavioural level to be based on the times of synchronising events of the hidden clock (e.g. the times of rising edges for positive-edge triggered logic). This relationship provides the basis for relating the time dimension of the two levels. We identify a signal at the synchronous level with a sampled timing level signal. Successive synchronous signal values are the values of the corresponding timing level signal, sampled on successive clocking events.

We have chosen to clarify the abstraction process by only sampling at the exact time of the active clock event and by sampling all signals at the same time. An identical process can be used when signals are sampled at some offset from clock
event times and when different signals are abstracted in different ways.

Figure 1 presents a timing diagram for signals of a positive-edge triggered flip-flop. The value of data input $d$ around the active edge is latched by the flip-flop and appears on the $q$ output some time after the active edge.

We sample the data input and output signals at the times of rising edges of the clock. The sampled value of $q$ at times $t_0 + 1$ and $t_0 + 2$ are the sampled value of $d$ at time $t_0$ and $t_0 + 1$ respectively. For these waveforms, the flip-flop acts as a unit delay between the sampled $d$ and sampled $q$ signals. This corresponds to our synchronous level model of flip-flop behaviour. A rigorous proof of this relationship will be given later.

Sampling the timing level signals is not sufficient to deduce that the synchronous level behaviour is exhibited. A number of timing conditions must be satisfied by the timing level signals. For example, if a timing level flip-flop is to exhibit the behaviour of a unit delay at the synchronous level, then its data and clock inputs must fulfill setup, hold and minimum high and low constraints. Dealing efficiently with timing conditions is an important part of the verification of digital designs modelled at the timing level.

2 Formalising Clock Properties

Certain concepts about clocks must be formalised for the temporal abstraction process. Although our particular abstraction deals with regular periodic clocks, many of the properties we formalise do not depend on periodicity. A similar set of definitions and theorems deals with rising and falling edges. We just present those for rising edges.

2.1 Rising Edges

We model a signal as a function from time to boolean. At each moment in time a signal may have a value of T or F. A signal rise, which corresponds to the change from value F to T, is thought of intuitively as occurring between two instants of time. Formally, we define a signal as rising at time $t$ if it is low at time $t$ and high at time $t+1$.

$$\text{RISE} (\text{signal}, t) = \neg (\text{signal}(t)) \land \text{signal}(t+1)$$

The formal rise time can be brought within a given limit of the intuitive transition time by choosing a sufficiently fine time scale. (This assumes that signals are
Figure 1: Sampling of flip-flop signals
two-valued.)

A clock signal provides a succession of edges. We wish to introduce the concept of the $n^{th}$ rise of the clock. To do this we define a higher order function $\text{up}$ using primitive recursion:

\begin{align*}
(\forall \text{ck} \ t. \\
(\text{up } 0 \text{ ck} \ t) & = (\text{rise}(\text{ck}, \ t) \land (\forall t_1. (t_1 < t) \implies \neg (\text{rise}(\text{ck}, t_1)))) \\
(\forall \text{n} \text{ ck} \ t. \\
(\text{up } (\text{succ } \text{n}) \text{ ck} \ t) & = \\
& (\text{rise}(\text{ck}, \ t) \land \\
& (\exists t_1. (t_1 < t) \land \\
& (\forall t_0. ((t_1 < t_0) \land (t_0 < t)) \implies \neg (\text{rise}(\text{ck}, t_0))) \land \\
& (\text{up } \text{n} \text{ ck} \ t_1))))
\end{align*}

This definition can be paraphrased as:

the zero$^{th}$ $\text{up}$ of the clock is at time $t$ if the clock rises at time $t$ and does not rise before then; the $(n+1)^{th}$ $\text{up}$ of the clock is at time $t$ if the clock rises at time $t$ and there exists a time $t_1$ less than $t$ such that the $n^{th}$ rise of the clock is at time $t_1$ and the clock does not rise between $t$ and $t_1$.

2.2 Regular Signal Rises

We now introduce the idea of a rise cycle which consists of two successive rising edges.

\begin{align*}
\text{CLOCK_RISE_CYCLE}(\text{ck}, \ t_1, \ t_2) & = ((t_1 < t_2) \land \text{rise}(\text{ck}, t_1) \land \text{rise}(\text{ck}, t_2) \land \\
& (\forall t. ((t_1 < t) \land (t < t_2)) \implies \neg (\text{rise}(\text{ck}, t))))
\end{align*}

Times $t_1$ and $t_2$ define a single rise cycle of the clock if $t_1$ and $t_2$ are successive rise times.

A regular synchronous clock will include a periodic train of rising edges. A further definition introduces the concept of a periodic rising edge.

\begin{align*}
\text{CK_RISE_PERIODIC}(\text{ck}, \text{origin}, \text{p}) & = \\
& (\forall n. \text{CLOCK_RISE_CYCLE}(\text{ck}, (n \ast p) + \text{origin}, ((n+1) \ast p) + \text{origin})) \land \\
& (\forall t. (t < \text{origin}) \implies \neg \text{rise}(\text{ck}, t)) \land \\
& \neg (p = 0)
\end{align*}

The predicate $\text{CK_RISE_PERIODIC}$ is true if the signal $\text{ck}$ has a periodic train of rising edges beginning at time $\text{origin}$ and the period $p$ is non-zero.
2.3 Time of \textit{n}th UP

We deduce that the \textit{n}th UP of a clock \textit{ck}, for which \textit{ck\_RISE\_PERIODIC}(\textit{ck}, \textit{origin}, \textit{p}) holds, occurs when the time is \((\textit{n+p})+\text{origin}\). The theorem is:

\[
\text{ck\_RISE\_PERIODIC}(\textit{ck}, \textit{origin}, \textit{p}) \implies \\
(\forall \textit{n} \leq \textit{UP} \leq \textit{ck} \leq (\textit{t}=(\textit{n+p})+\text{origin}))
\]

(The \textit{n}th rising edge of a clock with period \textit{p} and start-up time \textit{origin} occurs at time \((\textit{n+p})+\text{origin}\).)

Although the result seems obvious we have proved it rather than just stated it as an axiom. This arises from a philosophy of building from a reasonably small conceptual basis. We have tried to restrict the number and complexity of the definitions and axioms used. For example, the definition of the \textit{n}th rising edge did not assume periodicity or anything about falling edges. Other than in the basic definition of \textit{RISE}, we have not referred to signals having the values \text{T} or \text{F}.

In a similar manner, the corresponding theorems for falling edges can be proved. Higher-order functions \textit{FALL} and \textit{DOWN} are analogous to \textit{RISE} and \textit{UP}.

2.4 Periodic Rises and Falls

Based on the theorems already proved about sequences of rising and falling edges, we now formalise regular clock cycles where both rising and falling edges occur. A single cycle of a clock is defined in terms of rising and falling signals. A predicate \textsc{one\_cycle} is defined as follows:

\[
\textsc{one\_cycle}(\textit{ck}, \textit{t0}, \textit{p\_low}, \textit{p\_high}) = \\
\textsc{fall}(\textit{ck}, \textit{t0}) \land \\
\textsc{during}(\textit{t0}, \textit{t0}+(\textit{p\_low}-1))(\lambda \textit{t}. \neg \text{RISE}(\textit{ck}, \textit{t})) \land \\
\text{RISE}(\textit{ck}, \textit{t0}+(\textit{p\_low})) \land \\
\text{during}(\textit{t0}+(\textit{p\_low}), \textit{t0}+(\textit{p\_low}+(\textit{p\_high}-1)))(\lambda \textit{t}. \neg \text{FALL}(\textit{ck}, \textit{t})) \land \\
\text{FALL}(\textit{ck}, \textit{t0}+(\textit{p\_low}+(\textit{p\_high})))
\]

The predicate \textsc{one\_cycle} is true if a single cycle of clock \textit{ck}, as described in terms of rising and falling edges on the left-hand side of the definition, occurs. We might expect that \textit{p\_low} and \textit{p\_high} correspond to the lengths of time when the clock is low and high respectively. However the definition was just based on the concepts of rises and falls and does not refer to the logic levels.

A periodic clock consists of a regular succession of cycles. We define a predicate \textsc{clock\_cycles}(\textit{ck}, \textit{origin}, \textit{space}, \textit{mark}) as follows:

\[
\textsc{clock\_cycles}(\textit{ck}, \textit{origin}, \textit{space}, \textit{mark}) =
\]
\[ (\forall n. \text{ONE_CYCLE}(ck, (n*(\text{space+mark}))+\text{origin}, \text{space}, \text{mark}) \land \\
0 < \text{space} \land \\
0 < \text{mark} \land \\
(\forall t. t < \text{origin} \implies \neg \text{FALL}(ck, t)) \land \\
(\forall t. t < (\text{origin+space}) \implies \neg \text{RISE}(ck, t))) \]

The predicate \text{CLOCK_CYCLES} describes what we expect to be true for a periodic clock. The clock has regular cycles of rising and falling edges, non-zero intervals between edges and no irregular edges before the regular cycles begin.

Although we have not referred to logic levels in the definitions, we do need to deduce when the clock signal is high and low. We deduce the following theorem:

\[ \text{CLOCK_CYCLES}(ck, \text{origin}, \text{space}, \text{mark}) \implies \\
(\text{DURING} \\
((n*(\text{space+mark}))+\text{origin}, \\
(n*(\text{space+mark}))+\text{(origin+space)}) \\
(\lambda t. \neg \text{ck t}) \land \\
\text{DURING} \\
(((n+1)*(\text{space+mark}))+\text{origin}, \\
((n+1)*(\text{space+mark}))+\text{origin}+\text{space}) \\
(\lambda t. \neg \text{ck t}) \]

Thus \text{space} and \text{mark} correspond to the lengths of time when the clock \text{ck} is low and high respectively. The clock period is \text{space + mark} and the offset from the origin is \text{origin}.

In later proofs, we need a particular form for the higher-order function which relates the \(n\)th rising edge to its time of occurrence. \text{UP} does not match this format. To facilitate the later proofs we define a new function \text{UP_OF}. This change of higher-order function is essentially cosmetic.

\text{UP_OF} is defined as:

\[ \text{UP_OF} \text{ clk} = (\lambda n. \text{UP n clk}) \]

The predicate \text{CLOCK_CYCLES} describes regular cycles of rising and falling edges. We can easily deduce the behaviour of the train of rising edges. We then use the theorems proved earlier to deduce the times of rising clock edges:

\[ \text{CLOCK_CYCLES}(ck, \text{origin}, \text{space}, \text{mark}) \implies \\
(\forall n t. \text{UP_OF} \text{ ck} \ n \ t = (t=(n*(\text{space+mark}))+\text{(origin+space)})) \]
2.5 Stability With Respect To a Clock Signal

We require that some signals fulfill timing conditions with respect to the clock signal. Two higher-order functions which are used to describe these conditions are `STABLE_INTERVAL` and `STABLE_ABOUT_UP`.

`STABLE_INTERVAL` is defined as follows:

\[
\text{STABLE\_INTERVAL}(t_0, t_1)\text{event sig} = \\
(\exists \text{data. DURING}(\text{event} - t_0, \text{event} + t_1)(\lambda t. \text{sig} t = \text{data})) \land \\
0 < t_0 \land \\
t_0 \leq \text{event}
\]

`STABLE\_INTERVAL(t_0, t_1)\text{event sig}` states that the signal `sig` has some constant value over the interval `event - t_0` to `event + t_1`, and the conditions `0 < t_0` and `t_0 \leq \text{event}` are met. The condition `0 < t_0` means that `sig` must be defined at time `event` and the interval is non-empty. The condition `t_0 \leq \text{event}` means that the length of the interval is always `t_0 + t_1`.

`STABLE\_ABOUT\_UP` is defined as:

\[
\text{STABLE\_ABOUT\_UP}(\text{clk}, \text{startcycle})(t_0, t_1)\text{sig} = \\
(\forall n. \text{STABLE\_INTERVAL}(t_0, t_1)(\varepsilon t. \text{UP\_OF clk}(n + \text{startcycle} t)\text{sig})
\]

(\(\varepsilon\) is the choice operator in HOL.
\(\varepsilon t. P t\) is a value of \(t\) chosen such that \(P\ t\) is true.)

`STABLE\_ABOUT\_UP(\text{clk}, \text{startcycle})(t_0, t_1)\text{sig}` states that for all `n`, the signal `sig` is stable around a time chosen such that `clk` has the `n + startcycle` rising edge at that time.

This corresponds to stating that the signal is stable around all rising edges of the clock after (and including) the `startcycle` rising edge.

3 Temporal Abstraction Basics

A synchronous level signal may be thought of as a sampled version of a corresponding timing level signal. We consider the value of the synchronous level signal at time `n` to be the `n^{th}` sampled value of the timing level signal. A selection function is used to determine whether a value at the timing value is sampled.

3.1 Definition of Abstraction Function

The function used to relate the timing level to the synchronous level is `ABS`.

`ABS` is defined by:
ABS select signal n = signal(εt. select n t)

ABS select signal n (i.e. the value of signal, abstracted using the function select, at synchronous time step n) is defined to be the value of signal at a time t chosen such that select n t is true.

select n t is true if time t at the timing level corresponds to the synchronous time n. The function select determines which values at the timing level are sampled to get values at the synchronous level.

ABS select signal (which is a function from natural numbers to any type) is the synchronous level signal corresponding to signal at the timing level.

Although we have explained the abstraction function in terms of abstraction from the timing to the synchronous level, it can be used to relate any two description levels which can be characterised in a similar way.

We have chosen to model signals at the timing level as functions of the natural numbers, and a unit interval corresponds to some interval of real time. At the synchronous level, signals are also modelled as functions of natural numbers. A unit interval now corresponds to the intervals between synchronizing clock events. In relating these two levels, the sampling times are the times of synchronizing clock events. For example, the sample times will be times of rising clock edges for positive-edge triggered logic.

3.2 Theorems of Abstraction

We call a theorem which states a relationship between timing level behaviour and its counterpart synchronous behaviour a theorem of abstraction.

The essential part of such theorems is the statement of the relationship between the two levels of abstraction. Certain timing conditions must be fulfilled if the abstraction from the timing to the synchronous level is to hold. Some of these timing conditions relate to the stability of input signals. When composing two devices, one may need to verify stability conditions on the interface signals. To allow this verification, the stability of output signals is also deduced when the abstraction of a device is performed. The theorems of abstraction we deduce, follow this general format:

\[
\text{input stability conditions } \implies \text{clocking conditions } \implies \text{timing level behaviour } \implies \text{synchronous level behaviour } \wedge \text{output stability assertions}
\]
This may be paraphrased as:

*IF*

the input stability conditions are satisfied, and

the clocking conditions are satisfied, and

the timing level behaviour holds,

*THEN*

the synchronous level behaviour holds, and

certain output stability assertions hold.

This form of abstraction theorem allows us to compose devices easily. When composing, we can use the assertions of output stability of one device to eliminate the corresponding input stability conditions of another device.

# 4 Abstraction of Component Models

In this section we describe how we formally relate timing level component models to their synchronous level counterparts.

## 4.1 Components Modelled at the Synchronous and Timing Levels

Three standard components are now described formally at both the synchronous and timing behavioural levels.

### 4.1.1 Synchronous Level Component Models

The predicates describing the inverter, two-input NOR gate and simple flip-flop at the synchronous level are \texttt{INV}$_S$, \texttt{NOR}$_2$$_S$, \texttt{DTYPE12}$_S$.

These are defined as:

\[
\text{INV}_S(\text{in}, \text{out}) = (\forall t. \ \text{out} \ t = \neg \text{in} \ t)
\]

\[
\text{NOR}_2(\text{in1}, \text{in2}, \text{out}) = (\forall t. \ \text{out} \ t = \neg (\text{in1} \ t \lor \text{in2} \ t))
\]

\[
\text{DTYPE12}_S(\text{d}, \text{q}, \text{qbar}) = (\forall t. \ \text{q}(t + 1) = \text{d} \ t) \land \\
(\forall t. \ \text{qbar}(t + 1) = \neg \text{q}(t + 1))
\]
The behaviour of these components is similar to that to that used in previous work. A slight difference in the flip-flop definition is explained in [Herbert86].

4.1.2 Timing Level Component Models

The timing level behaviour of the inverter and two-input NOR gate are described by predicates INV_t and NOR2_t.

These are defined as:

\[
INV_t(in,d0,out) = (\forall t. \ out(t + d0) = \neg in\ t)
\]

\[
NOR2_t(in0,in1,d0,out) = (\forall t. \ out(t + d0) = \neg (in0\ t \lor in1\ t))
\]

We use the master-slave as the timing level flip-flop. The master-slave is described as a structure of propagation delay inverters and NOR gates which fulfills the appropriate internal conditions and whose external parameters can be related to the internal gate delays.

The definition of the predicate MASTER_SLAVE describing the flip-flop is:

\[
MASTER\_SLAVE(d,clk,q,qbar,setup,hold,mark,space,start,finish) = \\
(\exists dbar\ d0\ clkbar\ d3\ a_0\ b_0\ d1\ d2\ qa\ qb\ d5\ d6\ a_1\ b_1\ d4\ d7\ d8\ d9. \\
(setup = (MAX(d1,d0 + d2)) + (d5 + d6)) \land \\
(hold = 0) \land \\
(space = setup) \land \\
(mark = d8 + (d9 + ((MAX(d4,d7)) - (MIN(d7,d4)))))) \land \\
(start = (MAX(d4,d7)) + (d3 + (d8 + d9))) \land \\
(finish = (MIN(d4,d7)) + d3) \land \\
INV_t(d,d0,dbar) \land \\
INV_t(clk,d3,clkbar) \land \\
NOR2_t(d,clk,d1,a_0) \land \\
NOR2_t(dbar,clk,d2,b_0) \land \\
NOR2_t(a_0,qb,d5,qa) \land \\
NOR2_t(b_0,qa,d6,qb) \land \\
NOR2_t(qa,clkbar,d4,a_1) \land \\
NOR2_t(qb,clkbar,d7,b_1) \land \\
NOR2_t(a_1,qbar,d8,q) \land \\
NOR2_t(b_1,q,d9,qbar) \land \\
MS\_INTERNAL\_CONDS(d1,d2,d3,d5,d6,d8,d9)
\]

The inverter, NOR gate and master-slave flip-flop are modelled exactly as in previous work on timing [Herbert88b].

4.2 Abstraction of NOR Gate

A NOR gate is not a clocked device and so we can choose what clock events define the synchronous behaviour. For the flip-flop example in this section, we
abstract timing level signals by sampling on the rising edges of a clock. We do the abstraction of the NOR gate in the same manner.

A simple case of the abstraction of a NOR gate is when we assume that the input signals are stable for one time unit greater than the propagation delay of the gate.

We have proved the following theorem:

\[ STABLE\_ABOUT\_UP(c\_1k,0)(t0 + del, t1)in0 \land STABLE\_ABOUT\_UP(c\_1k,0)(t0 + del, t1)in1 \implies \]

\[ NOR2\_t(in0,in1,del, out) \implies \]

\[ NOR2\_S(ABS(UP\_OF c\_1k)in0, ABS(UP\_OF c\_1k)in1, ABS(UP\_OF c\_1k)out) \land STABLE\_ABOUT\_UP(c\_1k,0)(t0, t1 + del)out \]

This can be paraphrased as follows, 

**IF**

the inputs are stable from \( t0 + del \) before rising edges until some time \( t1 \) afterwards, and

the timing level NOR behaviour with delay \( del \) is satisfied,

**THEN**

the input and output signals abstracted on the clock rising edges satisfy the synchronous level NOR behaviour and

the output signal is stable from \( t0 \) before rising edges until \( t1 + del \) after.

\( ABS(UP\_OF c\_1k)in0, ABS(UP\_OF c\_1k)in1 \) and \( ABS(UP\_OF c\_1k)out \) are synchronous level signals which are derived from the timing level signals \( in0, in1 \) and \( out \) by abstraction on rising edges of the clock \( c\_1k \). The synchronous level NOR behaviour (described by predicate \( NOR2\_S \)) holds for these signals.

In Figure 2 we present some waveforms for a timing level NOR gate and the corresponding synchronous level signals obtained by temporal abstraction. Inspection of the synchronous level values shows that the output at a synchronous time step is the \( nor \) function of the inputs at that time step. This is the purely functional relationship specified for a synchronous level NOR gate by predicate \( NOR2\_S \).

In Figure 3 we illustrate the part of the theorem of abstraction which relates to signal stability. Signals are specified as being stable over certain intervals of time. Given that the inputs are stable around each clock rising edge, we can deduce that the output is stable over an interval about the same clock edge.
Figure 2: Temporal abstraction of timing level NOR signals
Figure 3: Stability relationship for timing level NOR signals
4.3 Abstraction of Synchronous Flip-flop

The master-slave flip-flop is a clocked device and requires that certain conditions are fulfilled by a well-behaved clock and data signals.

We have deduced the following theorem for the abstraction of the master-slave.

\[
\text{STABLE}_{-}\text{ABOUT}_{-}\text{UP}(\text{clk},0)(\text{min\_setup},\text{min\_hold})d \implies \\
\text{CLOCK}\_\text{CYCLES}(\text{clk},\text{origin},\text{space},\text{mark}) \land \\
\text{start} \leq (\text{space} + \text{mark}) \land \\
\text{min\_mark} < \text{mark} \land \\
\text{min\_space} < \text{space} \implies \\
\text{MASTER}_{-}\text{SLAVE} \\
(d,\text{clk},q,\overline{q},\text{min\_setup},\text{min\_hold},\text{min\_mark},\text{min\_space},\text{start},\text{finish}) \implies \\
\text{DTYPE12}_{-}\text{S}(\text{ABS}_{-}\text{OF} \text{clk}d, \text{ABS}_{-}\text{OF} \text{clk}q, \text{ABS}_{-}\text{OF} \text{clk}\overline{q}) \land \\
\text{STABLE}_{-}\text{ABOUT}_{-}\text{UP}(\text{clk},1)((\text{space} + \text{mark}) - \text{start},\text{finish})q \land \\
\text{STABLE}_{-}\text{ABOUT}_{-}\text{UP}(\text{clk},1)((\text{space} + \text{mark}) - \text{start},\text{finish})\overline{q} \\
\]

This can be paraphrased as follows,

**IF**

the data input is stable from the setup time before rising edges until the hold time afterwards, and

the clk is a regular periodic one with space and mark times which satisfy certain conditions, and

the timing level behaviour of a master-slave implementation holds,

**THEN**

the abstracted input and output signals satisfy the synchronous level flip-flop behaviour of DTYPE12S, and

the output signals are stable from an interval around all rising clock edges after the first one.

4.3.1 Restrictions on Inputs

The restriction on the data input, \(d\), is that it must be stable from \(\text{min\_setup}\) before rising edges until \(\text{min\_hold}\) after. The clock high and low times, mark and space, must exceed the minimum high and low times for the flip-flop.

There is also a restriction: \(\text{start} \leq (\text{space} + \text{mark})\). This condition requires that the period of the clock be greater than the flip-flop timing parameter \(\text{start}\).
The condition ensures that output changes caused by a clock event occur before the succeeding clock event. This means that we get the correct value on the output when we sample on the clock event times.

This condition was unexpected. A formal mathematical treatment often forces us to re-examine some aspect of a problem. In this case, we had overlooked a slightly obscure but necessary condition. A flip-flop which does not fulfill the restriction can act quite well as a synchronous memory unit but cannot be related by the above abstraction process to unit delay synchronous models.

4.3.2 Stability of Outputs

In the theorem of abstraction for the master-slave, we have deduced certain stability assertions for outputs q and qbar, i.e.

\[
{\text{STABLE\_ABOUT\_UP}}(\text{clk},1)((\text{space + mark}) - \text{start,finish})q \wedge
\]

\[
{\text{STABLE\_ABOUT\_UP}}(\text{clk},1)((\text{space + mark}) - \text{start,finish})q\bar{\text{b}}
\]

The 1 in the above expressions means that q and qbar are stable about all clock rises after the first one (cf. definition of STABLE\_ABOUT\_UP).

To deduce the synchronous behaviour of the flip-flop we assumed that the input signal was stable about all clock rises. i.e.

\[
{\text{STABLE\_ABOUT\_UP}}(\text{clk},0)({\text{min\_setup}},\text{min\_hold})d
\]

We need to deduce that flip-flop outputs are stable around all clock rises if the output of one flip-flop is to provide the input for another flip-flop. To do this we demand that all flip-flop outputs be stable over a certain interval around the first rising clock edge.

The predicate START\_STABLE is used to state this condition. This predicate is defined as follows:

\[
\text{START\_STABLE}(t_1,t_2,\text{clk},q,q\bar{\text{b}}) =
\]

\[
(\text{STABLE\_INTERVAL})(t_1,t_2)\text{ (t. UP\_OF clk 0 t)}q \wedge
\]

\[
(\text{STABLE\_INTERVAL})(t_1,t_2)\text{ (t. UP\_OF clk 0 t)}q\bar{\text{b}}
\]

START\_STABLE\,(t_1,t_2,\text{clk},q,q\bar{\text{b}}) states that signals q and qbar are stable from t1 before the first rising edge of clk until t2 after.

We use START\_STABLE to define the extra restriction that we are placing on flip-flop implementations. We demand that the flip-flop outputs are stable from time (space + mark) - finish before the first rising edge until start after this edge. This restriction is:
START_STABLE((space + mark) - finish,start,clk,q,qbar)

By adding this restriction on the flip-flop implementation, we can now deduce
that q and qbar are stable around all rising edges i.e. :

STABLE_ABOUT_UP(clk,0)((space + mark) - start,finish)q ∧
STABLE_ABOUT_UP(clk,0)((space + mark) - start,finish)qbar

If all flip-flops fulfill the extra requirement of output stability then all flip-flops
satisfy a unit delay synchronous level behaviour such as that defined by DTYPE12_S.
This holds even when the flip-flop input signals are generated by another flip-flop.

5 Temporal Abstraction of a Digital Design

Temporal abstraction was used to deduce the synchronous level behaviour of a
gate and flip-flop modelled at the timing level. We now consider structures of
components modelled at the timing level. An implementation which consists of
primitive components modelled at the timing level is called a timing level imple-
mentation. An implementation consisting of synchronous component models is
called a synchronous level implementation.

To verify designs modelled at the timing level we must do temporal abstraction
of many components. We have devised an efficient procedure to do this. The pro-
cedure is well-suited to a life-cycle of functional design and verification followed
by the introduction of timing level models. In a later section this procedure is
demonstrated by taking an example circuit through all stages of design and veri-
fication at the synchronous and timing levels. We firstly describe our perception
of the rôle of synchronous and timing level models in the design life-cycle.

5.1 Synchronous and Timing Levels in Design

A design procedure of top-down specification and implementation, followed by
bottom-up verification is assumed. However all the ideas discussed apply equally
well to other design procedures.

In the initial design of a circuit issues like detailed timing are secondary to
achieving the correct functionality. Therefore the initial specification and verifi-
cation of a circuit can be based on simple synchronous level models. The design
can be specified and verified at all levels of the structural hierarchy. A high-level
specification of a device like the ECL chip can be verified using these synchronous level primitive components.

Having verified the function of the circuit at the synchronous level, a particular physical realisation can be chosen and the implementation is mapped onto a structure of physical components. More detailed, timing level models are introduced in order to capture the behaviour of the physical components. We assume that the physical components can be modelled as propagation delay gates. The functional specification is then verified with respect to the timing level implementation. Following this process the high level specification is formally related to an implementation in which the models capture closely the behaviour of physical components.

5.2 Verification of Timing Level Implementation

We must verify that the implementation using components modelled at the timing level achieves the same functional behaviour as the synchronous level implementation. In doing this we must also verify the timing properties of the implementation. Figure 4 depicts the derivation of functional behaviour for a timing level implementation. There are two stages to this procedure.

5.2.1 Temporal abstraction

In the first stage we apply temporal abstraction to modules which consist of primitive components. All these modules must correspond to modules in the synchronous level implementation. The temporal abstraction process separates the functional and timing parts of the behaviour. We deduce that, under certain timing constraints, a functional behaviour holds and some output timing assertions are true.

The function we deduce for a module must satisfy the functional behaviour of the corresponding module in the synchronous level implementation. This condition means that the functional behaviour of all modules in the timing level implementation has been related to the functional behaviour of all modules in the synchronous level implementation. We want to demonstrate that the total timing level implementation achieves the functional behaviour of the synchronous level implementation. Verifying each sub-unit is not sufficient; we must compose the results and verify the top-level of the design.
Figure 4: Deriving behaviour of timing level implementation
5.2.2 Function-timing composition

The second stage of verification deals with the function and timing at all higher levels of the design hierarchy. We call the process of deducing the function and timing properties of a device from the function and timing of its components function-timing composition. Function-timing composition is used to deduce the behaviour at all higher levels in the structural hierarchy.

Function-timing composition involves:

1. Verifying the timing constraints on interface signals between components.

2. Deducing the timing constraints and timing assertions of the composite device.

3. Deducing the functional behaviour of the composite device.

The main effort in function-timing composition is in verifying timing. The functional behaviour of each module in the timing level implementation has already been related to the functional behaviour of a corresponding part of the synchronous level implementation. The composition of functional behaviour in the synchronous level implementation has already been achieved. By matching functional behaviours to those at the synchronous level we can use the result of composition obtained in the synchronous level proof.

6 Circuit Design Example

We illustrate the use of temporal abstraction in the design life-cycle by taking part of through all stages of design and verification. The circuit is part of the modulator section of the the ECL chip chip ([Hopper86] and is used to detect a modulation error. The circuit is specified, implemented and verified at a synchronous level. A timing level implementation is then related to the previous synchronous implementation by temporal abstraction. We verify that the timing level implementation of the device satisfies the top-level synchronous specification.

The circuit schematic with sub-blocks identified, is given in Figure 5.

The example follows a sequence of:

- Top-down synchronous design, involving specification and implementation.

- Bottom-up verification of synchronous design.
Figure 5: Modulation Error Detector

• Introduction of timing level models of components.

• Temporal abstraction to separate timing properties and function.

• Composition of timing and function throughout the hierarchy.

• Verification of device specification for timing level implementation.

7 Synchronous Level Specification and Verification

The example circuit is specified, implemented and then verified at the synchronous level.

7.1 Top-down Synchronous Design

The circuit is part of an interface chip for the Cambridge Fast Ring [Hopper86]. The modulation system used in the Cambridge Fast Ring is based on delay modulation. In the basic scheme, data can be transmitted using two lines. Boolean values (denoted by T and F) are encoded by the changes on the lines at successive clock ticks. The value T corresponds to changes on both lines; F corresponds to a change on one line. Neither line changing is an error, a modulation error. The example circuit detects a modulation error.
The predicates, CHANGED and DEMODULATE_ERR, used in this example are defined as follows:

\[
\text{CHANGED } ina \ t = \neg ((ina \ t = ina(t - 1)) \\
\text{DEMODULATE_ERR}(ina, inb)t = \neg \text{CHANGED } ina \ t \land \neg \text{CHANGED } inb \ t
\]

Top level specification and implementation

We give a specification for the top-level behaviour and then define a structure of sub-blocks to implement this structure.

The specification of behaviour is defined as:

\[
\text{MODERR_SPEC}(ina, inb, moderr) = \\
\left(\forall t. \ moderr(t + 3) = \text{DEMODULATE_ERR}(ina, inb)(t + 1)\right)
\]

The output moderr indicates if a modulation error occurred on inputs ina and inb two time units earlier. The device does not detect errors at time 0, hence the \(t+1\) in the specification.

We choose to implement the circuit as a structure of three sub-blocks. The implementation is defined as:

\[
\text{MODERR_TOT}(ina, inb, moderr) = \\
\left(\exists qa, qb. \\
\text{MODERR_PART}(ina, qa) \land \\
\text{MODERR_PART}(inb, qb) \land \\
\text{MODERR_OUT}(qa, qb, moderr)\right)
\]

Sub-block specification and implementation

The specifications of behaviour for the sub-blocks are:

\[
\text{MODERR_PART_SPEC}(ina, q0) = \left(\forall t. \ q0(t + 2) = \text{CHANGED } ina(t + 1)\right) \\
\text{MODERR_OUT_SPEC}(qa, qb, moderr) = \left(\forall t. \ moderr(t + 1) = \neg qa \ t \land \neg qb \ t\right)
\]

The implementations of these sub-blocks are defined as:

\[
\text{MODERR_PART}(ina, q0) = \\
\left(\exists 11 \ 12 \ 10 \ 13 \ 14. \\
\text{INV}_S(ina, 10) \land \\
\text{DTYPE12}_S(10, 11, 12) \land \\
\text{NOR2}_S(ina, 11, 13) \land \\
\text{NOR2}_S(10, 12, 14) \land \\
\text{DTYPE2}_S(13, 14, q0)\right)
\]

\[
\text{MODERR_OUT}(qa, qb, moderr) = \\
\left(\exists \mod_d. \\
\text{NOR2}_S(qa, qb, \mod_d) \land \\
\text{DTYPE12}_S(\mod_d, moderr)\right)
\]

23
All the components within the sub-blocks are primitive gates and flip-flops so there is no further decomposition.

We have now constructed a hierarchy with specifications at each level above the lowest primitive component level. We now verify that the structures do achieve the specified behaviours.

7.2 Bottom-up Verification.

We firstly prove that the implementations of the lowest-level blocks satisfy their specifications.

These theorems have been proved:

\[ \text{MODERR\_PART}(\text{ina}, \text{qo}) \implies \text{MODERR\_PART\_SPEC}(\text{ina}, \text{qo}) \]

\[ \text{MODERR\_OUT}(\text{qa}, \text{qb}, \text{moderr}) \implies \text{MODERR\_OUT\_SPEC}(\text{qa}, \text{qb}, \text{moderr}) \]

The implementations consisting of synchronous level gates and flip-flops have been proved correct with respect to the specifications of the blocks. We can now use the specification for each block rather than the implementation when verifying behaviour at the next level in the hierarchy.

The next level is the top level. We have proved that the top-level specification is satisfied by the implementation:

\[ \text{MODERR\_TOT}(\text{ina}, \text{inb}, \text{moderr}) \implies \text{MODERR\_SPEC}(\text{ina}, \text{inb}, \text{moderr}) \]

This theorem states that the implementation, consisting of synchronous elements at the lowest level, satisfies the specification of behaviour defined by predicate \text{MODERR\_SPEC}. The specification and verification of the device at the synchronous level is now complete.

8 Timing Level Implementation

We now implement the example device using components modelled at the timing level rather than at the synchronous level. We use actual values derived from a gate-array data sheet (Appendix 1) for the propagation delays of gates. The timing parameters for the master-slave flip-flops are derived from the delays of its component gates. These delays are got from the same data sheet. Thus, the timing level implementation corresponds directly to a structure of propagation delay gates such as might comprise a gate array realisation.
8.1 Implementation Structure

The structural hierarchy of the timing level implementation is exactly the same as the synchronous level implementation. The primitive components are now modelled differently.

We define the predicates MODERR_PART_t and MODERR_OUT_t to describe the structures at the timing level which correspond to the synchronous level implementations MODERR_PART and MODERR_OUT.

These are defined as follows:

\[
\text{MODERR\_PART\_t}(\text{ina\_t}, \text{clk}, \text{space}, \text{mark}, \text{qa\_t}) = \\
(\exists 10\_t \ 11\_t \ 12\_t \ 13\_t \ 14\_t \ qa\_0\_t. \\
\text{INV\_t}(\text{ina\_t}, 73, 10\_t) \land \\
\text{MASTER\_SLAVE}(10\_t, \text{clk}, 11\_t, 12\_t, 257, 0, 156, 257, 101) \land \\
\text{NOR2\_t}(\text{ina\_t}, 11\_t, 53, 13\_t) \land \\
\text{NOR2\_t}(10\_t, 12\_t, 53, 14\_t) \land \\
\text{MASTER\_SLAVE\_2} \\
(13\_t, 14\_t, \text{clk}, \text{qa\_t}, \text{qa\_0\_t}, 257, 0, 156, 257, 101) \land \\
\text{START\_STABLE}((\text{space} + \text{mark}) - 257, 101, \text{clk}, 11\_t, 12\_t) \land \\
\text{START\_STABLE}((\text{space} + \text{mark}) - 257, 101, \text{clk}, \text{qa\_t}, \text{qa\_0\_t})
\]

and

\[
\text{MODERR\_OUT\_t}(\text{qa\_t}, \text{qb\_t}, \text{clk}, \text{space}, \text{mark}, \text{moderr\_t}) = \\
(\exists \text{mod\_d\_t} \ \text{modbar\_t}. \\
\text{NOR2\_t}(\text{qa\_t}, \text{qb\_t}, 53, \text{mod\_d\_t}) \land \\
\text{MASTER\_SLAVE} \\
(\text{mod\_d\_t}, \text{clk}, \text{moderr\_t}, \text{modbar\_t}, 257, 0, 156, 257, 101) \land \\
\text{START\_STABLE}((\text{space} + \text{mark}) - 257, 101, \text{clk}, \text{moderr\_t}, \text{modbar\_t})
\]

All the timing level components are in a 1-to-1 correspondence with similar components in the synchronous level implementations. This is not necessary; we just require that the timing level components achieve the same functional behaviour as the synchronous level implementation.

The non-component terms in the timing level implementation, involving the predicate START_STABLE, state the requirements that flip-flop outputs must be stable before the first clocking edge. The use of these extra terms in the timing level implementation has been explained in section 4.3.2.

9 Verification of Timing Level Implementation

We now verify that the implementation using components modelled at the timing level achieves the same functional behaviour as the synchronous level implementation. In doing this we also verify the timing properties of the implementation. The
derivation of functional behaviour for a timing level implementation is depicted in Figure 4. There are two stages to this procedure: temporal abstraction and function-timing composition.

9.1 Temporal Abstraction

The first stage of the verification process involves performing temporal abstraction of structures of components modelled at the timing level.

These theorems follow the pattern of:

\[
\begin{align*}
\text{input stability conditions} & \implies \\
\text{clocking conditions} & \implies \\
\text{timing level behaviour} & \implies \\
\text{synchronous level behaviour} & \land \\
\text{output stability assertions} &
\end{align*}
\]

We have proved theorems of abstraction for the two timing level structures MODERR_PART_t and MODERR_OUT_t.

The theorem of abstraction for MODERR_PART_t is:

\[
\begin{align*}
\text{STABLE_ABOUT_UP(clk,0)(ina_t_{t0},ina_t_{t1})ina_t} & \land \\
383 & \leq ina_t_{t0} \implies \\
\text{CLOCK_CYCLES(clk,origin,space,mark)} & \land \\
150 & < \text{mark} \land \\
257 & < \text{space} \land \\
567 & \leq \text{(space + mark)} \implies \\
\text{MODERR_PART_t(ina_t,clk,space,mark,qa_t)} & \implies \\
\text{MODERR_PART(ABS(UF_of clk)ina_t,ABS(UF_of clk)qa_t)} & \land \\
\text{STABLE_ABOUT_UP(clk,0)((space + mark) - 257,101)qa_t}
\end{align*}
\]

The theorem of abstraction for MODERR_OUT_t is:

\[
\begin{align*}
\text{STABLE_ABOUT_UP(clk,0)(qa0_{t_{t0}},qa0_{t_{t1}})qa_t} & \land \\
\text{STABLE_ABOUT_UP(clk,0)(qb0_{t_{t0}},qb0_{t_{t1}})qb_t} & \land \\
310 & \leq qa0_{t_{t0}} \land \\
310 & \leq qb0_{t_{t0}} \implies \\
\text{CLOCK_CYCLES(clk,origin,space,mark)} & \land \\
150 & < \text{mark} \land \\
257 & < \text{space} \implies \\
\text{MODERR_OUT_t(qa_t,qb_t,clk,space,mark,moderr_t)} & \implies 
\end{align*}
\]
We describe the theorem for MODERR.OUT.t.

Input signals qa.t and qb.t must be stable from 31ns before rising edges until some (unconstrained) time afterwards. The clock signal must be a regular one with high and low times greater than 15.6ns and 25.7ns respectively. These restrictions on clock high and low times can be translated into a minimum clock period of 41.3ns and a mark-space ratio of approximately 3:5.

Given that the input and clocking constraints are satisfied, we can deduce that the timing level implementation, MODERR.OUT.t, satisfies the synchronous level behaviour, MODERR.OUT for signals qa.t, qb.t and moderr.t abstracted on rising clock edges.

We also deduce that the output moderr.t is stable around rising edges of the clock for an interval determined by the clock period mark + space. If mark and space fulfill the minimum clocking requirements, then moderr.t is stable from 15.6ns before edges until 10.1ns afterwards.

The temporal abstraction process has enabled us to separate timing and function. We deduce for groups of components modelled at the timing level:

- **Timing properties.**
  
  - Timing constraints consisting of input stability conditions and clocking conditions.
  
  - Timing assertions stating when outputs are stable.

- **Function i.e. the behaviour at the synchronous level.**

The temporal abstraction of modules is tedious but not difficult. We have automated the process for the combinational parts of the design. If the timing level models of components do not match the synchronous ones than some manipulation will be necessary to prove that the timing level achieves the synchronous level behaviour. We do not require equivalence, just that the timing level behaviour implies the synchronous level.

### 9.2 Function-timing Composition

In the first stage of timing level verification the function and timing properties of modules have been deduced. Function-timing composition is now used to verify
all higher levels of the design hierarchy. Function-timing composition derives the
function and timing of a part of the design from the function and timing of its
components.

In function-timing composition the timing constraints on interface signals are
also verified. A theorem stating the function and timing of a module will usually
have stability constraints on inputs and will assert when outputs are stable. In
function-timing composition, the assertions of output stability for one module can
be used to verify the input stability constraints of another. If one fails to verify
these timing requirements, then redesign or adjustment of component delays may
be necessary.

The timing level implementation at the next level is described by predicate
MODERR_TOT_t. This is defined by:

\[ \text{MODERR} \_\text{TOT}_t(\text{ina}_t,\text{inb}_t,\text{clk},\text{space},\text{mark},\text{moderr}_t) = \]
\[ (\exists \text{qa}_t \text{ qb}_t. \]
\[ \text{MODERR} \_\text{PART}_t(\text{ina}_t,\text{clk},\text{space},\text{mark},\text{qa}_t) \land \]
\[ \text{MODERR} \_\text{PART}_t(\text{inb}_t,\text{clk},\text{space},\text{mark},\text{qb}_t) \land \]
\[ \text{MODERR} \_\text{OUT}_t(\text{qa}_t,\text{qb}_t,\text{clk},\text{space},\text{mark},\text{moderr}_t)) \]

The timing level implementation is a structure of sub-blocks, each of which
corresponds to a similar sub-block in the synchronous design. Above the level of
primitive components, there is a direct correspondence between all modules in the
timing and synchronous level implementations.

Deducing the function and timing properties of MODERR_TOT_t involves composit-
ion of the function and timing properties of its sub-blocks MODERR_PART_t and
MODERR_OUT_t. The conditions of stability for the inputs of MODERR_OUT_t are veri-
ified by the stability assertions on the outputs of both MODERR_PART_t modules.
Therefore in the theorem stating the behaviour of the composite device we just
have constraints on its external inputs.
The following theorem stating function and timing properties of MODERR_TOT_t has
been proved.

\[ \text{STABLE} \_\text{ABOUT} \_\text{UP}(\text{clk},0)(\text{inb}_t,\text{t}_0,\text{inb}_t,\text{t}_1)\text{inb}_t \land \]
\[ 383 \leq \text{inb}_t,\text{t}_0 \land \]
\[ \text{STABLE} \_\text{ABOUT} \_\text{UP}(\text{clk},0)(\text{ina}_t,\text{t}_0,\text{ina}_t,\text{t}_1)\text{ina}_t \land \]
\[ 383 \leq \text{ina}_t,\text{t}_0 \implies \]
\[ \text{CLOCK} \_\text{CYCLES}(\text{clk},\text{origin},\text{space},\text{mark}) \land \]
\[ 156 \leq \text{mark} \land \]
\[ 257 \leq \text{space} \land \]
\[ 567 \leq (\text{space} + \text{mark}) \implies \]
\[ \text{MODERR} \_\text{TOT}_t(\text{ina}_t,\text{inb}_t,\text{clk},\text{space},\text{mark},\text{moderr}_t) \implies \]

28
MODERR_TOT
(ABS(UP_OF clk)ina_t,ABS(UP_OF clk)inb_t,ABS(UP_OF clk)moderr_t) \land
STABLE_ABOUT_UP(clk,0)((space + mark) - 257,101)moderr_t

The predicate MODERR_TOT describes the behaviour of the synchronous level implementation of the example device. We have therefore proved that the timing level implementation achieves the same functional behaviour as the synchronous level implementation.

9.3 Statement of Correctness

We have already proved that the synchronous level implementation satisfies the device specification:

MODERR_TOT(ina,inb,moderr) \implies MODERR_SPEC(ina,inb,moderr)

We have now deduced that the synchronous level behaviour holds for the abstracted signals of the timing level implementation. We can therefore deduce, using a single rule of inference, that the device specification holds for the abstracted signals of the timing level implementation. This theorem is presented in Figure 6.

STABLE_ABOUT_UP(clk,0)(inb_t,t0,inb_t,t1)inb_t \land
383 \leq inb_t,t0 \land
STABLE_ABOUT_UP(clk,0)(ina_t,t0,ina_t,t1)ina_t \land
383 \leq ina_t,t0 \implies

CLOCK_CYCLES(clk,origin,space,mark) \land
156 < mark \land
257 < space \land
567 \leq (space + mark) \implies

MODERR_TOT_t(ina_t,inb_t,clk,space,mark,moderr_t) \implies

MODERR_SPEC
(ABS(UP_OF clk)ina_t,ABS(UP_OF clk)inb_t,ABS(UP_OF clk)moderr_t)

Figure 6: Correctness of timing level implementation

The inputs ina_t and inb_t must be stable from 38.3\,ns before rising edges of the clock until some time afterwards. The clock must have a period greater than 56.7\,ns and the minimum lengths it must remain high and low are 15.6\,ns and 25.7\,ns respectively. If these constraints are satisfied then the timing level
implementation ensures that signals \texttt{ina\_t}, \texttt{inb\_t} and \texttt{moderr\_t} abstracted on the rising edges of the clock signal \texttt{clk} satisfy the functional specification of the device.

This ends the verification of the example device. We have proved that an implementation, using component models which capture closely the physical device behaviour, satisfies a high-level functional specification. We have also deduced the timing constraints on the input signals to the device and the minimum clock high and low times.

Modelling closely the physical behaviour has a number of advantages. We can feel more confident that the physical device will achieve the functional behaviour. We know the timing constraints on the input signals and the maximum clock frequency.

10 Discussion

10.1 Relationship to Timing Analysis

The process of generating and verifying the timing conditions of a circuit is called \textit{timing analysis}. Timing analysis is important at LSI and VLSI levels of integration. The physical device has a scarcity of probe points; timing problems can be inadvertently introduced when sub-blocks of a large circuit are combined; the layout contributes to timing problems.

In performing temporal abstraction we generate a number of timing conditions which must hold if the timing level circuit is to achieve the synchronous level behaviour. Given the actual signal timing parameters and circuit delays we can deduce whether these conditions hold. Formally deducing and verifying these timing conditions is a similar process to non-formal timing analysis.

Important activities in timing analysis are:

1. Determining whether paths in the design meet stated timing criteria. For example, data signals must arrive at clocked elements in time for valid sampling but not too early (\textit{i.e.} set-up and hold times must be observed).

2. Calculating minimum clock period.

3. Identifying critical paths (\textit{i.e.} paths whose delay is a limiting factor to the minimum operating speed of the circuit).

The first two activities form part of formal timing verification. Constraints on the stability of input signals are determined by timing requirements such as set-
up and hold times, and the path delays. Deducing and verifying these timing constraints corresponds to the first activity.

The second activity is part of formal timing verification. We deduce the minimum clock high and low times, and the minimum clock period. For example, the modulation error device has a minimum clock period of 56.7\text{ns} and minimum clock high and low times of 15.6\text{ns} and 25.7\text{ns} respectively. (Some devices may only have clock high and low constraints; the minimum clock period is therefore the sum of the minimum clock high and low times.)

Identifying critical paths has not formed part of temporal abstraction. However the derived timing constraints could be analysed for this purpose.

10.2 Advantages of Formal Timing Verification

Formal verification of timing conditions allows us to deduce a more abstract, synchronous level behaviour for a structure of components modelled at the timing level. The synchronous level behaviour provides the basis for the more usual functional verification of the implementation. We therefore explicitly relate the process of timing verification to functional verification. Although we separate timing and functional behaviour, both are based on unique timing level models of components. Non-formal timing analysis is an independent part of the digital design process and is not formally related to functional verification.

The formal verification is compositional and exploits the design hierarchy. The timing properties of a device can be deduced from the timing properties of its components. When modules are composed timing constraints on interface signals must be verified or added to the constraints of the composite device. Enforcing these constraints means that only valid compositions are achieved. Verification of timing properties hierarchically indicates the source of timing errors and bottlenecks. For example, the minimum clock period of modules \texttt{MODERR\_PART\_t} and \texttt{MODERR\_OUT\_t} are 56.7\text{ns} and 41.3\text{ns} respectively. Thus, \texttt{MODERR\_PART\_t} limits the speed of the composite device \texttt{MODERR\_TOT\_t}.

The formal verification of timing can be extended to include function. When we separate timing and function we use the worst case timing behaviour, ignoring function. The basic models of components describe both the timing and functional behaviour and so we can include functional information without changing these models. Taking function into account, the timing behaviour of a NOR gate might state that a stable high on any input guarantees output stability. Different parts of the design can be verified with or without functional information in a consistent
fashion due to the unique underlying models of components. The use of functional information is of practical importance because bogus timing problems are found when function is ignored.

10.3 Summary

We have devised a procedure of temporal abstraction followed by function-timing composition to derive the behaviour of the timing level implementation. Efficiency is achieved by separating timing and function, and relating the functional behaviour of the timing level implementation to that of the synchronous level design. The procedure is modular and hierarchical and therefore the sources of timing errors and bottlenecks are clearly indicated.

The formal verification of timing fits into a design life-cycle of functional design and verification, followed by timing level implementation and verification. Proofs based on synchronous level models can be done independently of the timing level models. When the timing level models of components are introduced, it is not necessary to repeat any proofs of correctness of the functional behaviour.

Verifying the functional behaviour of a timing level implementation involves generating and verifying various timing properties. We have identified this process with non-formal timing analysis of circuits. In contrast to non-formal timing analysis, the formal verification of timing conditions is explicitly related to the verification of functional behaviour. As far as we know, the idea that timing analysis provides a link between detailed timing models and synchronous behavioural models has not been noted or formalised previously.

References


Appendix 1

Delay of Gates in Bipolar Gate Array

Typical gate delay in nanoseconds as a function of fan-in and fan-out.

<table>
<thead>
<tr>
<th>Fan-in</th>
<th>1</th>
<th>2</th>
<th>3</th>
<th>4</th>
<th>5</th>
<th>6</th>
</tr>
</thead>
<tbody>
<tr>
<td>1</td>
<td>4.8</td>
<td>7.3</td>
<td>9.8</td>
<td>12.3</td>
<td>14.9</td>
<td>17.4</td>
</tr>
<tr>
<td>2</td>
<td>5.3</td>
<td>7.8</td>
<td>10.3</td>
<td>12.9</td>
<td>15.4</td>
<td>17.9</td>
</tr>
<tr>
<td>3</td>
<td>8.1</td>
<td>10.7</td>
<td>13.2</td>
<td>15.7</td>
<td>18.2</td>
<td>20.7</td>
</tr>
<tr>
<td>4</td>
<td>8.7</td>
<td>11.2</td>
<td>13.7</td>
<td>16.2</td>
<td>18.7</td>
<td>21.3</td>
</tr>
<tr>
<td>5</td>
<td>11.5</td>
<td>14.0</td>
<td>16.5</td>
<td>19.1</td>
<td>21.6</td>
<td>24.1</td>
</tr>
<tr>
<td>6</td>
<td>12.0</td>
<td>14.5</td>
<td>17.1</td>
<td>19.6</td>
<td>22.1</td>
<td>24.6</td>
</tr>
<tr>
<td>7</td>
<td>14.9</td>
<td>17.4</td>
<td>19.9</td>
<td>22.4</td>
<td>24.9</td>
<td>27.5</td>
</tr>
<tr>
<td>8</td>
<td>15.4</td>
<td>17.9</td>
<td>20.4</td>
<td>22.9</td>
<td>25.5</td>
<td>28.0</td>
</tr>
</tbody>
</table>