Congruent weak conformance by Stevens, Kenneth & Brower, Ronald W.
Congruent Weak Conformance 
Ronald W. Brower, Member, IEEE and Kenneth S. Stevens, Senior Member, IEEE 
Abstract: Congruent weak conformance is a property between formal models capturing the desired relationship between a specification and its implementation by allowing unused and redundant circuitry and tolerating unspecified behavior in the unreachable state space. By providing greater flexibility in design than previous properties, it becomes a useful tool to validate transformational systems, such as logic synthesis and hardware description language translation systems.
Index terms: formal methods, process algebras, congruence, conformance, hardware equivalence.
I. INTRODUCTION
Engineers are continually challenged to produce electronic designs that meet specification; and logisticians are forever seeking replacements for obsolete, non-procurable microcircuits. Thus there is a general need to find circuits and circuit models that are "equivalent" either to a specification model or to some obsolete part that needs to be replaced. However, a moment's reflection reveals that equivalence is a stronger notion than what is really needed or desired.
First of all, equivalent speed is not necessary. One can often replace an obsolete circuit with a faster circuit of equivalent function. This approach springs from the rationalization that the faster part can certainly keep pace with system demands, while timing constraints simply become less stringent. However, introducing a speedier component can uncover race conditions and hazards that were safeguarded by the delays inherent in the original component. In fact, practitioners often deliberately introduce delays to recover timing safeguards when faster parts are used.
Secondly, excess or redundant circuitry in the implementation can often be tolerated. The extra circuitry can simply sit idle, with pins either unconnected or grounded. Also, unneeded behaviors at connected pins can often be ignored during certain phases of the execution. For example, testability circuits constitute redundant logic when a circuit is under normal operation.

Mr. Brower is a Ph.D. candidate at the Air Force Institute of Technology, Wright-Patterson AFB, OH. Dr. Stevens is with Intel Corporation, Hillsboro, OR. This work is supported by the Air Force Research Laboratory, Wright-Patterson AFB, OH.
0-7803-7150-X/01/$10.00 ©2001 IEEE
Thirdly, options allowed by output concurrency can be exploited. If the specification calls for the production of two concurrent outputs x and y, then both output interleavings, x followed by y, and y followed by x, are admissible. The original implementing device may consistently produce one interleaving and the replacement device the other. One would never consider the two devices "equivalent," yet each may serve equally well within a specific application.
Examples of hardware equivalences abound [1-12,15,16]. Any equivalence relation enjoys the symmetric property, which requires that A = B implies B = A. As noted before, however, designers and logisticians may settle for devices that "exceed" the specification rather than merely "equaling" it. Symmetry is not necessary. A might "comply with" B, yet B could never "comply with" A. To truly model the notion of device compliance, a hardware partial order is more useful than an equivalence.
The new property of congruent weak conformance captures the desired relationship between a specification and a conforming implementation. Congruent weak conformance will be useful in supporting future research which seeks to link simulation-based hardware description languages such as VHDL to process algebras such as CCS [8]. Once established, this link will allow stricter verifications of VHDL models based on the bisimulation semantics of CCS.
II. EXAMPLE 
Consider a circuit specified to convert binary-coded-decimal (BCD) to pure decimal. Four input bits are needed to encode a decimal digit. The converter will need four inputs corresponding to each of the encoding bits. Call them a, b, c and d. The ten outputs will be labeled o0, o1, ..., o9, corresponding to the decimal digit detected. One can think of the outputs as ten lights. Each time there is a change on an input bit, one of the lights turns on while another is extinguished. According to the specification, one will not care if momentarily two are lit, or none are lit. The CCS specification model will have ten named¹ states corresponding to each decimal digit detected. In the specification model given below, the shorthand notation $(\overline{o_0} \mid \overline{o_1})$ is used to express the concurrency of output signals.² Each input toggles one bit of the code (a the 1s bit, b the 2s bit, c the 4s bit and d the 8s bit), and each output burst extinguishes the old light and lights the new one.
$S \stackrel{\text{def}}{=} a.(\overline{o_0} \mid \overline{o_1}).S_1 + b.(\overline{o_0} \mid \overline{o_2}).S_2 + c.(\overline{o_0} \mid \overline{o_4}).S_4 + d.(\overline{o_0} \mid \overline{o_8}).S_8$
$S_1 \stackrel{\text{def}}{=} a.(\overline{o_1} \mid \overline{o_0}).S + b.(\overline{o_1} \mid \overline{o_3}).S_3 + c.(\overline{o_1} \mid \overline{o_5}).S_5 + d.(\overline{o_1} \mid \overline{o_9}).S_9$
$S_2 \stackrel{\text{def}}{=} a.(\overline{o_2} \mid \overline{o_3}).S_3 + b.(\overline{o_2} \mid \overline{o_0}).S + c.(\overline{o_2} \mid \overline{o_6}).S_6$
$S_3 \stackrel{\text{def}}{=} a.(\overline{o_3} \mid \overline{o_2}).S_2 + b.(\overline{o_3} \mid \overline{o_1}).S_1 + c.(\overline{o_3} \mid \overline{o_7}).S_7$
$S_4 \stackrel{\text{def}}{=} a.(\overline{o_4} \mid \overline{o_5}).S_5 + b.(\overline{o_4} \mid \overline{o_6}).S_6 + c.(\overline{o_4} \mid \overline{o_0}).S$
$S_5 \stackrel{\text{def}}{=} a.(\overline{o_5} \mid \overline{o_4}).S_4 + b.(\overline{o_5} \mid \overline{o_7}).S_7 + c.(\overline{o_5} \mid \overline{o_1}).S_1$
$S_6 \stackrel{\text{def}}{=} a.(\overline{o_6} \mid \overline{o_7}).S_7 + b.(\overline{o_6} \mid \overline{o_4}).S_4 + c.(\overline{o_6} \mid \overline{o_2}).S_2$
$S_7 \stackrel{\text{def}}{=} a.(\overline{o_7} \mid \overline{o_6}).S_6 + b.(\overline{o_7} \mid \overline{o_5}).S_5 + c.(\overline{o_7} \mid \overline{o_3}).S_3$
$S_8 \stackrel{\text{def}}{=} a.(\overline{o_8} \mid \overline{o_9}).S_9 + d.(\overline{o_8} \mid \overline{o_0}).S$
$S_9 \stackrel{\text{def}}{=} a.(\overline{o_9} \mid \overline{o_8}).S_8 + d.(\overline{o_9} \mid \overline{o_1}).S_1$
Only the states S and S1 respond to all four inputs, because code combinations above 1001 are illegal BCD codes. Omitting the input transitions that would result in illegal codes from the equations for S2 to S9 constitutes the specification's guarantee that the illegal input combinations will never be received.
Given the above specification S, what constitutes a valid 
implementation? A 4:16 demultiplexer, or "demux," as 
shown below, is an obvious choice. The inputs a, b, c, and 
d form the four select lines of the demux. Of the sixteen 
outputs, only ten are used. A fifth input pin, here hard-
wired to 1, represents the multiplexed input. Note therefore 
that a conforming implementation must have a pin for every 
input and output called out by the specification, though it 
may have more. 
[Figure: 4:16 demux implementation. Select lines a, b, c, d; multiplexed input hard-wired to 1; ten of the sixteen outputs used.]
A "first cut" CCS model for this demux could read just like 
the specification model but with the missing input transi-
tions added and the extra outputs generated. 
¹ Here ten of the states bear explicit names, but the model has many more intermediate states. There is a state after the occurrence of each atomic action.
² This shorthand, which one can think of as a "parallelism of actions," is not part of the CCS formal syntax.
This implementation has more states than the specification 
since it can execute illegal sequences. The illegal transi-
tions are allowed because the specification guarantees that 
they are unreachable-the illegal input combinations will 
never be forthcoming. One might hastily conclude that im-
plementations must duplicate all the states of the specifica-
tion, with additional states allowed. Yet this is not the case. 
Although implementation I gratuitously generates all the possible output interleavings allowed by the specification, in reality it would be both difficult and counterproductive to create such a device. A real, physical layout results in finite delays along various paths. Most likely, the same interleaving appears every time in a physical implementation, especially when the delays are due solely to passive components.
Take, for example, the transitions from S to SI. The con-
currency of the outputs is represented by a diamond in the 
transition diagram below. Clearly, the implementation need 
only navigate one path through this diamond, or through any 
such output "burst." The same is not true for inputs. When 
an input concurrency is present, as in the case of the C-
element [13], the implementation must be poised to accept 
any possible interleaving that may come and therefore must 
[Figure: transition diagram from S to S1. Input a is followed by the concurrent outputs o0 and o1, whose two interleavings form a diamond.]
A "second cut" implementation, J, chooses specific output 
interleavings where possible. This implementation might 
look something like this: 
$J \stackrel{\text{def}}{=} a.\overline{o_1}.\overline{o_0}.J_1 + b.\overline{o_0}.\overline{o_2}.J_2 + c.\overline{o_4}.\overline{o_0}.J_4 + d.\overline{o_0}.\overline{o_8}.J_8$
$J_1 \stackrel{\text{def}}{=} a.\overline{o_0}.\overline{o_1}.J + b.\overline{o_1}.\overline{o_3}.J_3 + c.\overline{o_1}.\overline{o_5}.J_5 + d.\overline{o_1}.\overline{o_9}.J_9$
and so forth where one specific interleaving is chosen at 
each output concurrency. Thus. when presented with an 
output concurrency, the implementation can implement any 
or all the paths, as long as at least one path is implemented. 
Implementations I and J do indeed accept more input behaviors than the specification calls out, and both are able to generate the unused outputs should an illegal input code be forthcoming. However, the parent system does not care whether the illegal inputs are properly decoded or not. In fact, designers will usually want to exploit this "don't care" region of behavior to produce more efficient designs.
The BCD decoder example shows how a compliant implementation can exceed the specification in the number of I/O pins, and can generate illegal behavior in the unreachable state space. In general it can possess more behaviors than the specification, though it can get by with fewer output behaviors.
III. CONGRUENT WEAK CONFORMANCE 
The authors have devised a new property called congruent weak conformance to capture the intuitive notion of conformance presented above. This property is symbolized by $\sqsubseteq_w$. By definition, whenever $I \sqsubseteq_w S$ holds between implementation I and specification S, then the following four laws govern what must transpire when either agent requests an input, or issues an output or hidden action:
Law of Specified Input or Tau (LSIT)
$\forall a \in \mu(S) \cup \{\tau\}$, whenever $S \xrightarrow{a} S'$ then $\exists t \in (\mu(S) \cup E - \{\tau\})^*$ such that
(1) $I \stackrel{t}{\Longrightarrow} I'$
(2) $t \upharpoonright \mu(S) = a$
(3) $I' \sqsubseteq_w S'$
Law of Specified Output (LSO)
Let $X$ be a maxoctset of $S$. $\exists s \in X$ and $\exists t \in \mu(I)^*$ such that
(1) $S \stackrel{s}{\Longrightarrow} S'$
(2) $I \stackrel{t}{\Longrightarrow} I'$
(3) $t \upharpoonright \mu(S) = s$
(4) $I' \sqsubseteq_w S'$
Law of Implemented Input (LII)
$\forall y \in \mu(S)$, whenever $I \xrightarrow{y} I'$ and $S \stackrel{y}{\Longrightarrow}$ then
(1) $S \stackrel{y}{\Longrightarrow} S'$
(2) $I' \sqsubseteq_w S'$
Law of Implemented Output or Tau (LIOT) 




A technical description of congruent weak conformance and 
proofs of its important properties are outside the scope of 
this paper, but will be published shortly. 
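As an added illustration (not part of the original paper), LSO instantiated on the first transition of the Section II example. Write $S_a$ for the specification's intermediate state after input $a$ from $S$, and $J_a$ for the corresponding state of implementation $J$; both names are assumed here, the paper leaves these intermediate states unnamed.

$X = \{\ \overline{o_0}\,\overline{o_1},\ \overline{o_1}\,\overline{o_0}\ \}$ (the maxoctset of $S_a$: both linearizations of the burst $(\overline{o_0} \mid \overline{o_1})$)

$s = \overline{o_1}\,\overline{o_0} \in X, \qquad t = \overline{o_1}\,\overline{o_0}$ (the single path $J$ implements)

$S_a \stackrel{s}{\Longrightarrow} S_1, \qquad J_a \stackrel{t}{\Longrightarrow} J_1, \qquad t \upharpoonright \mu(S) = s$

so clauses (1) to (3) hold, and clause (4) reduces to the obligation $J_1 \sqsubseteq_w S_1$, which is discharged at the next state pair. Had $J$ pulsed an extraneous output $\overline{e} \notin \mu(S)$ between the two lights, $t = \overline{o_1}\,\overline{e}\,\overline{o_0}$ would still satisfy clause (3), since restriction to $\mu(S)$ deletes $\overline{e}$; this is the sense in which extraneous outputs may interleave freely.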
Congruent weak conformance is called "weak" in the same 
sense as weak bisimulation [8:108], i.e., it abstracts away 
internal actions that are irrelevant to the observable behav-
ior of devices. Congruent weak conformance nevertheless 
respects internal actions that lead to instability [8: 112]. In 
that regard it is similar to observational congruence [8:153]. 
Like its predecessor, logic conformance [14:136-145], congruent weak conformance does not require the symmetric property and thereby imparts greater freedom to implementation designs than do hardware equivalences. Furthermore, both logic conformance and congruent weak conformance allow unspecified behavior as long as such behavior occurs within the unreachable state space.
Congruent weak conformance is an improvement over all 
previous properties in several respects: 
1. Congruent weak conformance allows extra input and output ports or pins, called extraneous pins, in the implementation. The role of extraneous inputs is restricted somewhat so that they do not block specified behavior. Extraneous outputs, however, can freely interleave all behavior, subject only to the relative stability requirement given below.
2. The implementation can choose a single path through an output concurrency burst, instead of having to implement all such paths.
3. Congruent weak conformance uses a new kind of stability called relative stability. Relative stability recognizes the ability of extraneous outputs to play the same role as the internal action τ in yielding unstable models.
4. Congruent weak conformance employs several rules of construction for building compound models. Though they seem restrictive at first glance, these rules are indeed reasonable as well as consistent with good design intent. Violating these rules is tantamount to changing the specification after the implementation is begun. When these rules are employed, congruent weak conformance can indeed be shown to be a congruence (hence the name). Congruent properties are preserved by all the operators of the underlying algebra. In practical terms, congruence allows for the safe substitution of conforming parts within a system.
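The following is an added example, not code from the paper. It encodes the Section II specification S and a demux-style implementation J as labelled transition systems and runs a simplified check of the LSIT, LSO and LII laws of Section III over the reachable state pairs. The LIOT law is not reproduced on this page, so the checker does not attempt it; the shape of J (an internal τ settling step before the outputs, the fixed "old light off, then new light on" order, and an extra strobe pin named `!valid`) is this example's own assumption, and the existential choices in LSIT and LII are resolved by requiring every target, which is exact here only because both models are input-deterministic. The wrong variant `demux(forget_off=True)` never extinguishes the old light and is rejected by LSO, while the sixteen-code demux is accepted with its illegal codes never entering the relation.

```python
"""Simplified conformance check for the BCD decoder example (added illustration)."""
from collections import defaultdict

INPUTS = {"a": 1, "b": 2, "c": 4, "d": 8}   # each input toggles one BCD bit
TAU = "tau"
STROBE = "!valid"                           # assumed extraneous output pin of J


def out(i):
    return f"!o{i}"                         # the output (overbarred) action o_i


SPEC_SORT = set(INPUTS) | {out(i) for i in range(10)}   # mu(S)


def add(lts, src, act, dst):
    lts[src].add((act, dst))


def spec():
    """S: ten named states plus the intermediate states of each output burst.
    Transitions to illegal codes (>9) are omitted: S guarantees they never arrive."""
    lts = defaultdict(set)
    for n in range(10):
        for x, bit in INPUTS.items():
            m = n ^ bit
            if m > 9:
                continue
            burst = frozenset({out(n), out(m)})    # old light off, new light on
            add(lts, ("S", n), x, ("B", m, burst))
            for first in burst:                    # both interleavings: the diamond
                rest = burst - {first}
                add(lts, ("B", m, burst), first, ("B", m, rest))
                add(lts, ("B", m, rest), next(iter(rest)), ("S", m))
    return lts


def demux(forget_off=False):
    """J (assumed model): all sixteen codes decoded, one fixed output order after
    a tau step, then a strobe. forget_off=True is a deliberately wrong variant."""
    lts = defaultdict(set)
    for n in range(16):
        for x, bit in INPUTS.items():
            m = n ^ bit
            seq = ([out(m)] if forget_off else [out(n), out(m)]) + [STROBE]
            add(lts, ("J", n), x, ("T", n, m))
            add(lts, ("T", n, m), TAU, ("O", n, m, 0))
            for k, o in enumerate(seq):
                dst = ("J", m) if k == len(seq) - 1 else ("O", n, m, k + 1)
                add(lts, ("O", n, m, k), o, dst)
    return lts


def tau_closure(lts, state):
    seen, stack = {state}, [state]
    while stack:
        for act, dst in lts[stack.pop()]:
            if act == TAU and dst not in seen:
                seen.add(dst)
                stack.append(dst)
    return seen


def weak_step(lts, state, action):
    """States reachable by tau* action tau* (the double-arrow transition)."""
    return {q for p in tau_closure(lts, state) for a, d in lts[p]
            if a == action for q in tau_closure(lts, d)}


def output_paths(lts, state):
    """Maximal output sequences from state (taus skipped) with their end states."""
    paths, stack = [], [(state, ())]
    while stack:
        p, seq = stack.pop()
        outs = [(a, d) for q in tau_closure(lts, p) for a, d in lts[q] if a.startswith("!")]
        if not outs:
            paths.append((seq, p))
        stack.extend((d, seq + (a,)) for a, d in outs)
    return paths


def conforms(impl, i0, spec_lts, s0, sort=SPEC_SORT):
    """Simplified I ⊑w S check: returns (True, relation) or (False, reason)."""
    relation, work = set(), [(i0, s0)]
    while work:
        i, s = work.pop()
        if (i, s) in relation:
            continue
        relation.add((i, s))
        # LSIT: each specified input S -a-> S' is weakly matched by I ==a==> I'
        for a, s2 in spec_lts[s]:
            if a in INPUTS:
                targets = weak_step(impl, i, a)
                if not targets:
                    return False, f"{i} refuses specified input {a} at {s}"
                work += [(i2, s2) for i2 in targets]
        # LSO: some maximal output path of I, restricted to mu(S), must equal one
        # linearisation of the specified burst (one path through the diamond)
        spec_paths = [(seq, e) for seq, e in output_paths(spec_lts, s) if seq]
        if spec_paths:
            matched = [(ei, es) for ti, ei in output_paths(impl, i)
                       for ts, es in spec_paths
                       if tuple(o for o in ti if o in sort) == ts]
            if not matched:
                return False, f"no output path of {i} linearises the burst at {s}"
            work += matched
        # LII: an implemented input that S can also accept must lead to related
        # states; inputs S cannot accept (illegal codes) are unconstrained
        for y, i2 in impl[i]:
            if y in sort and y in INPUTS:
                work += [(i2, s2) for s2 in weak_step(spec_lts, s, y)]
    return True, relation
```

Calling `conforms(demux(), ("J", 0), spec(), ("S", 0))` returns `True` with a relation whose `("J", n)` states all have n ≤ 9: the demux's illegal codes and its extra outputs o10 to o15 are never exercised, exactly the "don't care" region the text describes. The strobe is dropped by the restriction to μ(S) in the LSO clause, which is where the freedom of extraneous outputs enters the check.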
IV. CONCLUSION 
In work yet to be published, we have formally proven that congruent weak conformance is indeed a congruence and thus correctly models "safe substitution." We foresee the useful application of this property to tools that transform models between design languages. For example, a tool to transform models from a design language such as VHDL to CCS would allow the greater verification powers of CCS to accrue to VHDL models. Of course, the event-based simulation semantics of VHDL do not match the bisimulation semantics of CCS. Thus, such a transformed model cannot be called "equivalent" to its VHDL original. However, one does not want the principle of safe substitution to be lost, so the property of congruent weak conformance between models ought to be preserved in the course of the translation. Since we have strived to develop as unrestrictive a property as possible, it will be easier to devise tools that preserve congruent weak conformance than any of the other properties or equivalences. Thus we recommend, when developing such tools, that each transformation be validated by formal proof that it preserves congruent weak conformance.
V. REFERENCES
[1] Bloom, B., S. Istrail and A. R. Meyer. "Bisimulation Can't Be Traced: Preliminary Report," 15th ACM Symposium on Principles of Programming Languages (POPL), pp. 229-239, San Diego, CA, 1988.
[2] Brookes, S. D., C. A. R. Hoare and A. W. Roscoe. "A Theory of Communicating Sequential Processes," JACM 31(3), pp. 560-599, 1984.
[3] De Nicola, R. and M. Hennessy. "Testing Equivalences for Processes," Theoretical Computer Science 34, pp. 83-133, 1984.
[4] Groote, J. F. and F. W. Vaandrager. Structured Operational Semantics and Bisimulation as a Congruence. Report CS-R8845, Centrum voor Wiskunde en Informatica, Amsterdam, 1988.
[5] Hennessy, M. and R. Milner. "Algebraic Laws for Nondeterminism and Concurrency," JACM 32(1), pp. 137-161, 1985.
[6] Hoare, C. A. R. "Communicating Sequential Processes," On the Construction of Programs: an Advanced Course (R. M. McKeag and A. M. Macnaghten, eds.), pp. 229-254, Cambridge University Press, 1980.
[7] Milner, R. "Calculi for Synchrony and Asynchrony," Theoretical Computer Science 25, pp. 267-310, 1983.
[8] Milner, R. Communication and Concurrency. Prentice Hall, New York, 1989.
[9] Olderog, E. R. and C. A. R. Hoare. "Specification-oriented Semantics for Communicating Processes," Acta Informatica 23, pp. 9-66, 1986.
[10] Park, D. M. R. "Concurrency and Automata on Infinite Sequences," Proceedings 5th GI Conference (P. Deussen, ed.), LNCS 104, pp. 167-183, Springer-Verlag, 1981.
[11] Phillips, I. C. C. "Refusal Testing," Theoretical Computer Science 50, pp. 241-284, 1987.
[12] Pnueli, A. "Linear and Branching Structures in the Semantics and Logics of Reactive Systems," Proceedings ICALP 85, Nafplion (W. Brauer, ed.), LNCS 194, pp. 15-32, Springer-Verlag, 1985.
[13] Shams, M., J. C. Ebergen and M. I. Elmasry. "Modeling and Comparing CMOS Implementations of the C-Element," IEEE Transactions on VLSI Systems 6(4), pp. 563-567, December 1998.
[14] Stevens, K. S. Practical Verification and Synthesis of Low Latency Asynchronous Systems. Doctoral Dissertation, University of Calgary, Calgary, Alberta, Canada, 1994.
[15] Rounds, W. C. and S. D. Brookes. "Possible Futures, Acceptances, Refusals and Communicating Processes," Proceedings 22nd Annual Symposium on Foundations of Computer Science, pp. 140-149, IEEE, New York, 1981.
[16] van Glabbeek, R. J. The Linear Time - Branching Time Spectrum. Technical Report CS-R9029, Centre for Mathematics and Computer Science, P.O. Box 4079, 1009 AB Amsterdam, The Netherlands, 1990.