Introduction
With chip size reaching one million transistors, the complexity of VLSI algorithms (i.e., algorithms implemented as a digital VLSI circuit) is approaching that of software algorithms (i.e., algorithms implemented as code). However, the design methods for circuits that are commonly found in textbooks resemble low-level machine language programming methods. Selecting individual logical gates and registers in a circuit is like selecting individual machine instructions in a program. State transition diagrams are like flowcharts. These methods may have been adequate for small circuit design when they were introduced, but they are not adequate for circuits that perform complicated customer algorithms.
Often we do not build circuits to perform complicated algorithms directly. We build general-purpose processors, and customise them for a particular algorithm by writing a program. For many applications, particularly where speed of execution or security is important, a customer-built circuit is better than the traditional processor-and-software combination. The speed is improved by the absence of the machine language layer and by introducing parallelism, whereas security is improved by the impossibility of reprogramming. Moreover, there is a space saving compared to a combination of software and processor.
In principle, there is no difference between hardware and software; what can be done with one can be done with the other. For example, an assignment statement x := b, where x is a Boolean variable, can be realised by a clocked circuit, wherein the output port of a combination device which generates the value of expression b is connected to the input port of a register, which is allocated to hold the value of x. An incoming clock signal triggers the execution of the circuit which propagates the value of b to the output port of the register. On the other hand, the instruction set of a general-purpose processor can often be described by an interpreter [2, 6].
Out of the previous analysis has come an increasing awareness of the need for behavioural models suited for specifying and reasoning about both programs and digital devices. Contemporary hardware description languages (for example [7, 10, 11]) are not sufficient because of the following limitations:
1. Most such tools are intended much more for simulation than for mathematically sound reasoning.
2. Difficulties arise in developing circuit specifications that may refer to different levels of behavioral abstraction.
3. Existing formal frameworks for such languages are in general too restrictive to deal with the inherent parallelism of digital circuits.
An extended linear-time temporal logic based on intervals was developed in [4, 5, 9] for presenting the kinds of quantitative timing properties and signal transitions that occur in hardware devices. The behaviour of programs and circuits can often be decomposed into successively smaller intervals of activity. State transitions of programs can be characterised by properties relating the initial and final values of variables over intervals of time. However, in the treatment of hybrid systems where the physical world evolves continuously, this approach seems inappropriate.
We have used the notations of DC (Duration Calculus [12]) to describe hybrid systems. Case studies show that many quantitative timing properties can be handled effectively in DC. Nevertheless, it is not designed to model event-based languages, and lacks the mechanisms to synchronise systems with different time granularity. Section 2 presents a specification language, which is a variant of DC, enriched with a novel parallel operator to integrate systems evolving at various time rates. Its mixed interval structure enables us to model both discrete-time and continuous-time systems. This framework provides a unifying means for presenting the various features of event-based hardware description languages and state-based imperative programming languages.
The main purpose of the mathematical definition of temporal operators is to deduce their interesting properties. These are most elegantly expressed as algebraic laws: equations usually, but sometimes inequations, with implication between formulae rather than equivalence. Section 3 is devoted to the algebraic properties of our specification language. Algebra is well-suited for direct use by engineers in symbolic calculation of parameters and structure of an optimal design. Algebraic proofs by term rewriting are the most promising way in which computers can assist in the process of reliable design.
Section 4 gives a number of tests, known as healthiness conditions, which can be applied to specifications and intermediate designs to maintain their feasibility during the development process. It also explores the mathematical links between theories satisfying individual healthiness conditions, and shows that the set of formulae expressible in each theory is closed under relevant operators.
The VERILOG hardware description language (HDL) [11] is widely used to model the structure and behaviour of digital systems ranging from simple hardware building blocks to complete systems. It has a simulation oriented semantics based on events, i.e., changes to the values of wires and registers. This event semantics can actually model detailed asynchronous behaviour, but is very fine-grained and does not support formal verification. Section 5 shows the utility of our theory in dealing with hardware, and provides an observation-oriented semantics to the core of VERILOG.
TEMPURA [4, 9] is an imperative language based on interval temporal logic. It has been put forward as a useful tool for reasoning about concurrent programs and hardware. Every TEMPURA statement is a temporal logic formula. TEMPURA is formalised in Section 6 as a sub-theory which satisfies additional healthiness conditions.
We adopt an inclusion-like partial order among intervals Clearly, this ordering is preserved by the catenation operator.
As a specification mechanism based on interval temporal logic, our language includes global variables, which represent constants (i.e., independent of time) and are denoted by lower-case letters $x, y, \ldots, z$. The terms of the language can conveniently be defined by induction:
(1) global variables are terms.
(2) temporal variables (including l and ]) are terms.
(3) if X is a state variable, then X ! X and X are terms.
(4) if $r_1, \ldots, r_n$ are terms and $f$ is an $n$-ary function name, then $f(r_1, \ldots, r_n)$ is also a term.
The set of well-formed formulae is generated by the following rules:
(1) if $r_1, \ldots, r_n$ are terms, and $p$ is an $n$-ary predicate name, then $p(r_1, \ldots, r_n)$ is a well-formed formula
(2)
if = $\langle t_0, t_1, \ldots, t_n \rangle$
$M(f(r_1, \ldots, r_n)) =_{df} M(f)(M(r_1), \ldots, M(r_n))$
Formulae are interpreted as functions from intervals to the Boolean values $\{tt, ff\}$.
$M(true) =_{df} tt$
$M(false) =_{df} ff$
$M(p(r_1, \ldots, r_n)) =_{df} M(p)(M(r_1), \ldots, M(r_n))$
M (:
Chop
The chop operator $\frown$ is used to model sequential systems. Like its counterpart in ITL, its behaviour is subject to the following familiar laws.
(int-1) (associativity) 
Parallel
The definition of $\backslash\backslash$ is complicated; so it is comforting that it shows many of the algebraic properties of other familiar parallel operators.
($\backslash\backslash$-1) (associativity)
Healthiness Conditions
In this section, we work towards a more precise characterisation of the class of formulae that are useful in software/hardware design. As usual, we follow the standard practice of mathematics, which is to classify the basic concepts by their important properties. For example, among the functions of real numbers, it is useful to single out those that are integrable, or continuous, or rational, or differentiable. A similar classification of the basic concept of an interval formula is essential to our goal of unifying theories of co-design. This section gives a set of healthiness conditions, and shows that the set of healthy formulae is closed under relevant operators. In the later sections we will demonstrate that all actual software/hardware systems satisfy all the stated healthiness conditions (and more).
Monotonicity
Proof of (3) 
{Def of 1 }
which together ($\backslash\backslash$-2) implies that 2 is idempotent. 2
Theorem 4.11 (1)
stb(E) = df 9x 2 t ( E = x)
The formula $stb^{-}(E)$ is true on if the value of E remains unchanged except at the end of that interval.
stb ? (E) = df 9x 2 t (l > 0 ) ( E = x))
Let $E = \langle E_1, \ldots, E_n \rangle$ be a list of expressions. We define
$stb(E) =_{df} stb(E_1) \wedge \ldots \wedge stb(E_n)$
The formula $stb^{-}(E)$ can be defined in a similar way.
VERILOG Timing Controlled Statements
The VERILOG hardware description language [11] is widely used to model the structure and behaviour of digital systems ranging from simple hardware building blocks to complete systems. Its semantics is based on scheduling of events and the propagation of changes. In this section we are going to examine the VERILOG timing controlled statements and the delayed assignments. Timing controls are used in VERILOG for scheduling. They are either delay (#e) or
Proof of ($\Rightarrow$) From Theorems 6.5 and 6.6 it follows that $F$ is a monotonic program satisfying $F = F \wedge full$. The conclusion that $F$ is also continuous follows directly from Theorem 4.23.
($\Leftarrow$) The conclusion follows from Theorems 4.23 and 6.5.
Something is considered to happen always if it happens immediately and then again after each time unit.
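The associativity law stated for chop and the reading of "always" given just above can both be checked mechanically on a small model. This is an added example, not code from the report: it assumes discrete time, finite intervals of states, and an ITL-style chop whose two sub-intervals share their meeting point; all function names and the sample trace are constructed.

```python
from itertools import combinations_with_replacement

# A formula is a predicate over (trace, i, j): the sub-interval of states i..j.
# Assumption: discrete time only; the report's model also covers continuous time.

def chop(f, g):
    """f chop g: some point k splits [i, j] into [i, k] satisfying f and [k, j] satisfying g."""
    return lambda tr, i, j: any(f(tr, i, k) and g(tr, k, j) for k in range(i, j + 1))

def always_unrolled(f):
    """'Always' as read in the text: f holds now, and again after each time unit."""
    def holds(tr, i, j):
        if not f(tr, i, j):
            return False
        return i == j or holds(tr, i + 1, j)
    return holds

def always_direct(f):
    """Reference definition: f holds on every suffix [k, j] of [i, j]."""
    return lambda tr, i, j: all(f(tr, k, j) for k in range(i, j + 1))

# Sample formulas over a Boolean signal (constructed for this example).
length_is = lambda n: (lambda tr, i, j: j - i == n)
high_at_start = lambda tr, i, j: tr[i] == 1
low_at_end = lambda tr, i, j: tr[j] == 0
stable = lambda tr, i, j: len(set(tr[i:j + 1])) == 1

def intervals(tr):
    """All sub-intervals (i, j) with i <= j of the trace."""
    return list(combinations_with_replacement(range(len(tr)), 2))

def chop_is_associative(tr, f, g, h):
    """Compare (f chop g) chop h with f chop (g chop h) on every sub-interval."""
    left, right = chop(chop(f, g), h), chop(f, chop(g, h))
    return all(left(tr, i, j) == right(tr, i, j) for i, j in intervals(tr))

def always_definitions_agree(tr, f):
    """The unit-step unrolling and the suffix quantifier give the same verdicts."""
    a, b = always_unrolled(f), always_direct(f)
    return all(a(tr, i, j) == b(tr, i, j) for i, j in intervals(tr))

TRACE = [1, 1, 0, 0, 1, 0]  # constructed sample waveform, one value per time unit
```

Because the two halves of a chop share state k, `chop(stable, stable)` is false on an interval where the signal changes value, which is the kind of boundary behaviour a brute-force model makes visible.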
Report No. 166, May 1999 UNU/IIST, P.O. Box 3058, Macau
