Formal Development of a Clock Synchronization Circuit
Paul S. Miner
N96-10037
This talk presents the latest stage in a formal development of a fault-tolerant clock synchronization
circuit. The development spans from a high level specification of the required properties to a circuit realizing
the core function of the system.
An abstract description of an algorithm has been verified to satisfy the high-level properties using the
mechanical verification system EHDM [2]. This abstract description is recast as a behavioral specification
input to the Digital Design Derivation system (DDD) developed at Indiana University [1]. DDD provides
a formal design algebra for developing correct digital hardware. Using DDD as the principal design
environment, a core circuit implementing the clock synchronization algorithm was developed [3]. The design
process consisted of standard DDD transformations augmented with an ad hoc refinement justified using the
Prototype Verification System (PVS) from SRI International [4].
Subsequent to the above development, Wilfredo Torres-Pomales discovered an area-efficient realization
of the same function [5]. Establishing correctness of this optimization requires reasoning in arithmetic, so a
general verification is outside the domain of both DDD transformations and model-checking techniques.
DDD represents digital hardware by systems of mutually recursive stream equations. A collection of PVS
theories was developed to aid in reasoning about DDD-style streams. These theories include a combinator
for defining streams that satisfy stream equations, and a means for proving stream equivalence by exhibiting
a stream bisimulation.
DDD was used to isolate the sub-system involved in Torres-Pomales' optimization. The equivalence
between the original design and the optimized version was verified in PVS by exhibiting a suitable
bisimulation. The verification depended upon type constraints on the input streams and made extensive use of the
PVS type system. The dependent types in PVS provided a useful mechanism for defining an appropriate
bisimulation.
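The proof principle described in the two paragraphs above (stream equations solved by a combinator, equivalence shown by exhibiting a bisimulation, and a bisimulation that only holds relative to a type constraint on the inputs) can be illustrated on a finite instance. The following is an added example, not the paper's circuit and not its PVS theories: the two "circuits" are constructed toy stream systems (a 4-bit accumulator and an area-reduced variant whose adder is only fed the low two bits of the input), the relation `related` is the exhibited candidate bisimulation, and `is_bisimulation` is a plain rendering of the proof obligation that PVS would discharge symbolically. Names, state sizes and the input constraint `range(4)` are all assumptions made for the example.

```python
"""Stream equivalence by exhibiting a bisimulation (constructed example).

The two 'circuits' below are toy systems of DDD-style stream equations, not the
clock synchronization circuit of the paper, and the checker is a plain Python
rendering of the proof obligation, not the paper's PVS theories.  A circuit is
a state set, a next-state function and an output function; its output stream
is the unique stream satisfying  out_t = out(s_t),  s_{t+1} = next(s_t, x_t).
"""
from itertools import islice
from typing import Callable, Iterable, Iterator, List, Optional, Tuple

# ---- stream combinator -----------------------------------------------------
def unfold(s0: int, next_fn: Callable[[int, int], int],
           out_fn: Callable[[int], int], inputs: Iterable[int]) -> Iterator[int]:
    """Produce the output stream of a circuit from its initial state and an
    input stream: the finite-observation analogue of a combinator that
    defines the stream solving a stream equation."""
    s = s0
    for x in inputs:
        yield out_fn(s)
        s = next_fn(s, x)

# ---- toy circuit A: 4-bit register, full 3-bit adder input, output = low 3 bits
STATES_A = range(16)
def next_a(r: int, x: int) -> int:
    return (r + x) % 16
def out_a(r: int) -> int:
    return r % 8

# ---- toy circuit B: 3-bit register, adder fed only the low two bits of x
#      (an 'area-reduced' variant that is only correct for inputs below 4)
STATES_B = range(8)
def next_b(q: int, x: int) -> int:
    return (q + (x & 3)) % 8
def out_b(q: int) -> int:
    return q

# ---- the exhibited relation --------------------------------------------------
def related(r: int, q: int) -> bool:
    """Candidate bisimulation: relate r and q when they agree on the low 3 bits."""
    return r % 8 == q

def candidate_relation() -> List[Tuple[int, int]]:
    return [(r, q) for r in STATES_A for q in STATES_B if related(r, q)]

# ---- the proof obligation ----------------------------------------------------
def is_bisimulation(rel, next1, out1, next2, out2, allowed_inputs):
    """A relation R is a bisimulation (relative to the allowed input type) when
    every related pair (s, t) has equal outputs and, for every allowed input x,
    (next1(s, x), next2(t, x)) is again in R.  Returns (True, None) on success,
    or (False, (s, t, x)) with the first violating pair and input (x is None
    when the outputs themselves differ)."""
    pairs = set(rel)
    xs = list(allowed_inputs)  # the input 'type'; iterated once per pair
    for s, t in rel:
        if out1(s) != out2(t):
            return False, (s, t, None)
        for x in xs:
            if (next1(s, x), next2(t, x)) not in pairs:
                return False, (s, t, x)
    return True, None

def check(allowed_inputs: Iterable[int]) -> Tuple[bool, Optional[Tuple[int, int, Optional[int]]]]:
    """Check the exhibited relation for circuits A and B under an input constraint."""
    return is_bisimulation(candidate_relation(), next_a, out_a, next_b, out_b, allowed_inputs)

def prefix_agree(inputs: List[int], n: int = 32) -> bool:
    """Bounded simulation: do the two output streams agree on the first n steps?
    Agreement on a prefix is evidence, not proof; the bisimulation is the proof."""
    a = list(islice(unfold(0, next_a, out_a, inputs), n))
    b = list(islice(unfold(0, next_b, out_b, inputs), n))
    return a == b

if __name__ == "__main__":
    print(check(range(4)))          # inputs constrained below 4: bisimulation holds
    print(check(range(8)))          # unconstrained 3-bit inputs: violated at x = 4
    print(prefix_agree([0] * 40))   # a constant-zero trace looks equivalent regardless
```

The point the check makes is the one the abstract attributes to the PVS dependent types: `related` is a bisimulation only when the input stream is typed as `range(4)`; with the full input alphabet the closure condition fails and the checker returns the offending pair and input. The `prefix_agree` call shows why a trace comparison is not a substitute: a well-chosen input stream agrees for any prefix even though the circuits are not equivalent in general.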
References
[1] Bhaskar Bose. DDD - A Transformation System for Digital Design Derivation. Technical Report 331,
Computer Science Dept., Indiana University, May 1991.
[2] Paul S. Miner. Verification of fault-tolerant clock synchronization systems. Technical Paper 3349, NASA
Langley Research Center, Hampton, VA, November 1993.
[3] Paul S. Miner, Shyamsundar Pullela, and Steven D. Johnson. Interaction of formal design systems in the
development of a fault-tolerant clock synchronization circuit. In Proceedings 13th Symposium on Reliable
Distributed Systems, pages 128-137, Dana Point, CA, October 1994.
[4] Sam Owre, John Rushby, Natarajan Shankar, and Friedrich von Henke. Formal verification for
fault-tolerant architectures: Prolegomena to the design of PVS. IEEE Transactions on Software Engineering,
21(2):107-125, February 1995.
[5] Wilfredo Torres-Pomales. An optimized implementation of a fault-tolerant clock synchronization circuit.
Technical Memorandum 109176, NASA Langley Research Center, Hampton, VA, February 1995.
https://ntrs.nasa.gov/search.jsp?R=19960000037 2020-06-16T07:06:17+00:00Z