A theory for the derivation of combinational C-mos circuit designs, by Hoare, C.A.R.
Theoretical Computer Science 90 (1991) 235-251
Elsevier
© 1991 IFIP

A theory for the derivation of combinational C-mos circuit designs
C.A.R. Hoare
Oxford University, Computing Laboratory, Programming Research Group, 8-11 Keble Road, Oxford OX1 3QD, UK

Abstract
Hoare, C.A.R., A theory for the derivation of combinational C-mos circuit designs, Theoretical Computer Science 90 (1991) 209-251.
This paper shows how propositional logic may be used to reason about synchronous combinational 
switching circuits implemented in C-mos. It develops a simple formalism and theory for describing 
and predicting their behaviour. On this it builds a calculus of design which is driven by proof 
obligations. The design philosophy for software introduced in [1] is thereby extended to a certain 
kind of hardware design. No prior knowledge of hardware is assumed of the reader; but useful 
background, motivation, examples and pictures may be found in [2]. Many of the problems 
described in that paper have been solved in this one. 
1. Operation of C-mos circuits 
A C-mos circuit is a collection of transistors connected to each other by wires. 
A transistor acts like an electrical switch, which may be in one of two states, either 
on or off; for our purposes any intermediate states are transient, and can be ignored. 
When it is on, the transistor makes a conducting path between two wires attached 
to its source and its drain. When it is off, these two wires are disconnected. Note 
that connection between source and drain is the same as connection between drain 
and source. Connection and disconnection are therefore symmetric relations. It is 
a valuable property of our theory that it preserves and takes advantage of this 
naturally occurring symmetry. 
Each wire of a circuit also may be in one of two states, either at high voltage (1 
or power or VDD) or at low voltage (0 or ground or VSS); for our purposes, any 
intermediate voltages are transient and can be ignored. There are two special constant 
wires: the power wire supplies high voltage wherever needed, and the ground wire 
supplies low voltage. If two wires with different voltages are connected through a 
transistor which is switched on, a current will flow between them; and this will tend 
to reduce the difference between their voltages. If one of the two wires is permanently 
connected to the power supply and the other is permanently connected to ground, 
then the current will flow forever. This short-circuit counts as failure of a C-mos 
circuit; our theory shows how to avoid such failures, and so does not need to 
describe their effects in detail. In correct operation, all currents rapidly subside, 
with equalization of voltages at the source and the drain of all the transistors that 
are in the on state. 
In contrast to the familiar manual domestic switch, the state of a transistor is 
controlled electronically by the voltage on a third wire attached to its gate. There 
are two kinds of C-mos transistor, the N-transistor and P-transistor. In the case of 
an N-transistor, a high voltage at the gate causes it to switch on, and a low voltage 
switches it off. In the case of a P-transistor, it is a low voltage that switches it on, 
and a high voltage switches it off. 
The state of a circuit consisting of many transistors is determined by the state of 
each of its wires. Since each wire may take either of two states (high or low), the 
total number of states is therefore two raised to the power of the number of wires 
of the circuit (excluding the power wire and the ground wire, which have only one 
state each). But a great many of these states are impossible, because they ascribe 
different voltages to wires connected to the source and the drain of a transistor 
which happens to be in the on state. We therefore define a state as consistent if 
(1) The power wire is high and the ground wire is low. 
(2) Wherever the wire attached to the gate of an N-transistor is high, then the 
two wires attached to its source and drain have the same voltage; and similarly for 
the source and drain of a P-transistor, if its gate is low. 
The operation of a circuit is split into a series of cycles. We shall confine attention to combinational circuits, for which behaviour on each cycle is considered independent of the preceding cycles, and all transistors are considered to be initially in the off state. This is a useful simplification, though it is quite unrealistic, and so it can lead to circuit designs that are difficult to lay out or manufacture.
At the beginning of each cycle, a voltage (high or low) is applied from outside 
to each of a certain subset of wires, the chosen input wires for this cycle; and this 
is maintained throughout the cycle. As a result certain of the transistors switch on, 
thereby creating connections between power or ground and certain other wires. 
These wires then acquire a high or low voltage, thereby causing further transistors 
to switch on or off. The signals thus propagate rapidly through the circuit. In a 
synchronous circuit, enough time is allowed for the propagation to reach a stable 
state; and finally, the voltages on the set of wires chosen for output on this cycle 
are read by the environment of the circuit. The next cycle of operation is now ready 
to begin. 
It is usual but not necessary for the selection of input and output wires to remain 
the same on all cycles of operation. Wires that are never used for input or output 
are called local. They will not be physically connected to the environment of the 
circuit. It is a primary goal of any circuit theory to ensure that the external behaviour 
of a circuit can be specified and understood without any reference to the voltages 
or even the existence of such local wires. 
A vital property of a switch (either manual or electronic) is that it is incapable 
of changing its state as a result of voltages applied to its source and drain. Consider 
for example an N-transistor with its source connected to power and its drain 
connected to ground. The only consistent voltage for its gate is low. However the 
wire connected to its gate will not automatically assume this voltage at the end of 
the cycle. In practice, it is likely to take some intermediate voltage, which allows 
current to flow perpetually between the source and drain; and this leads to failure 
of the circuit. 
To avoid the risk of this kind of failure, we need to make a further distinction 
between the states of each wire, whether it is driven or not. At the beginning of 
each cycle of operation, the environment causes the chosen input wires to be driven. 
If a transistor is in the on state and its gate is driven, then any drive on its source 
will propagate to its drain and vice-versa. At the end of the cycle, a wire will be 
driven if and only if it acquires drive as a result of the propagation rules described 
above; they never specify that drive should be propagated from source or drain to 
the gate of the same transistor. Thus we maintain symmetry between the source and 
drain of a transistor, while introducing the necessary asymmetry between them and 
the gate. 
A circuit state is now said to be adequate if the gate of every transistor is driven, 
with the exception of transistors whose source and drain are equal anyway. It is 
the responsibility of the environment of the circuit to drive a sufficient set of input 
wires to ensure that, after the internal propagation described above, the circuit state 
will be adequate; and furthermore that all output wires will be driven. 
There is one further complexity that we cannot ignore. An ideal switch which is 
on should continue to conduct current until the voltages at its source and drain are 
equal. Unfortunately, an N-transistor will stop conducting when its source (or drain) 
is high and its drain (or source) is still at a somewhat lower voltage. Such lower 
voltages can be further weakened by passage through other transistors. Similarly, 
a P-transistor will stop conducting when its source is low and its drain is at a 
somewhat higher voltage. We need to adapt our theory to avoid the circuit failure 
that could result from use of these weakened signals at the gates of its transistors. 
The problem could be tackled by introducing a further distinction between wires 
carrying strong or weak signals. A simpler solution is to equate all weakened signals 
with the undriven state of a wire. This is achieved by making propagation of drive 
conditional on the voltage of the source and the drain: in the case of an N-transistor 
these must be low; and for a P-transistor they must be high. Now the adequacy 
condition ensures that weakened signals will not be used in circumstances in which 
they could lead to failure. (These constraints can be relaxed to permit the use of 
pass transistors, on the proviso that syntactic rules forbid them to be chained. Other 
syntactically checked design rules are usually imposed, for example to ease problems 
of manufacture. These concerns can be successfully separated from those described 
in this paper.) 
2. Formalization of the theory 
The previous section has given an informal description of the operational 
behaviour of a synchronous switching circuit as implemented by C-mos transistors. 
It has explained some of the simplifications which can reasonably be made in a 
theory which explains this behaviour: some of them were justified because they are 
on the side of pessimism, and will not predict correct operation of a circuit that is 
subject to risk of failure. The present section gives a formal treatment of the theory: 
its formulae may be used to calculate the behaviour of circuits in a way that abstracts 
from operational detail. The only mathematics required comes from propositional 
logic. 
In order to describe the behaviour of a physical system by a formula, it is necessary 
to establish a convention whereby free variables of the formula stand for values 
that can be observed at certain points in the system at certain instants during its 
evolution. In the case of a C-mos circuit, we give an alphanumeric name (typically 
w, s, d, g, ...) to each wire; and we use the same name in a formula to denote the 
voltage observed on the wire at the end of a typical cycle of operation. In the case 
of input wires, this will be the same as the value at the beginning of the cycle. A 
high voltage is represented by a “true” value for the name, and a low voltage by a 
“false” value. 
Our first task is to describe the consistent states of a circuit by a propositional 
formula containing wire names as free variables: the formula will be true for just 
those combinations of voltages of the wires that are consistent, and false for the 
inconsistent ones. Consider first a single N-transistor (Fig. 1) with gate wire named g, source wire named s, and drain wire named d. The inconsistent states of this simple circuit are just those in which it is on (i.e., g is true) but the voltages of the source and drain differ. These are the states described by the propositional formula
$(g \wedge s \wedge \neg d) \vee (g \wedge \neg s \wedge d)$.
The consistent states are therefore defined as the negation of this, which by propositional logic may be rewritten to
$g \Rightarrow (s = d)$.
Similar reasoning applies to a P-transistor, except that it is on when its gate wire is low. Its consistent states are described by the formula
$\neg g \Rightarrow (s = d)$.
A complete circuit is in a consistent state in just those cases when all its component 
transistors are consistent. The formula defining these states is just the conjunction 
of the formulae for all its individual component transistors. This very simple way 
of computing the behaviour of a complex system by conjunction from that of its 
components is characteristic of many kinds of parallel composition (Fig. 2). 
[Fig. 1 diagram: (a) an N-transistor, (b) a P-transistor, each with gate g, source s and drain d]
An N-transistor $N(g, s, d)$ is drawn as in (a) where g stands for its gate, s for its source and d for its drain. Its consistency condition is $g \Rightarrow (s = d)$. When g is true, the transistor is switched on, so its source and drain must take the same value. A P-transistor $P(g, s, d)$ is drawn as in (b). It is switched on when g is false, so its consistency condition is $\neg g \Rightarrow (s = d)$.
Fig. 1.
The formula defining the consistent states of a circuit serves as a specification of 
the externally visible states of the input and output wires. It also mentions the values 
of all the local wires in the circuit, even though these wires are not connected 
externally, and their values can never be observed. The formula would be much 
more useful as a specification if we could abstract away from these wires, removing 
all mention of their names. 
Let C(w) be the consistency formula for a circuit with a local wire w not connected to its external environment. The easiest way to remove this name from the formula is by quantification $\exists w.\, C(w)$. Since w can take only two values true or false, this is equivalent to $C(1) \vee C(0)$, a formula of pure propositional logic. The use of existential quantification rather than universal to hide a local wire is justified by the fact that consistency is achieved merely by the existence of a consistent voltage for all the wires in the circuit. The question remains whether the actual hardware of the circuit will avoid short-circuit by ascribing a consistent voltage to the local wire; this question is addressed by the drive and adequacy conditions described below (Fig. 3).

[Fig. 2 diagram: P(a, 1, e) between power 1 and wire e, N(a, e, 0) between wire e and ground 0; input a, output e]
A negation circuit NEG consists of two transistors connected as shown above. Its consistency condition is the conjunction of the consistency conditions for the two component transistors:
$\neg a \Rightarrow (1 = e)$, (by $P(a, 1, e)$),
$\wedge\; a \Rightarrow (e = 0)$, (by $N(a, e, 0)$).
In the propositional logic, this simplifies to $e = \neg a$. The voltage on wire e of the negation circuit must be the opposite of the voltage on a.
Fig. 2.
[Fig. 3 diagram: N(g, 1, 0), a single N-transistor connected between power and ground]
The circuit $N(g, 1, 0)$ shown above has consistency condition $g \Rightarrow (1 = 0)$ which simplifies to $\neg g$. If g is a local wire (unconnected to either power or ground), its consistency condition is $\exists g.\, \neg g$, which is true.
Unfortunately, in practice g will assume an intermediate voltage, allowing flow of current between power and ground. To protect against this, we need to introduce concepts of drive and adequacy.
Fig. 3.
First we introduce for each wire w a new free variable $\delta w$, which is true just if the wire w is driven at the end of the cycle. The power and ground wires are always driven, and the input wires are those that are driven from the beginning of the cycle to the end. Consider an N-transistor with gate wire g, source s and drain d. If the transistor is on and the gate is driven, and either the source or drain wire is driven, then the other one is too. This fact is expressed by the propositional formula
$g \wedge \delta g \Rightarrow (\delta s = \delta d)$.
The corresponding formula for a P-transistor is
$\neg g \wedge \delta g \Rightarrow (\delta s = \delta d)$.
Unfortunately, as observed at the end of Section 1, this is too simple. For C-mos transistors one must use a formula that specifies propagation of drive only when the propagated signal is at the right level, i.e., low for an N-transistor, high for a P-transistor. Thus the formulae given above should be weakened to
$g \wedge \delta g \wedge (\neg s \vee \neg d) \Rightarrow (\delta s = \delta d)$,
$\neg g \wedge \delta g \wedge (s \vee d) \Rightarrow (\delta s = \delta d)$,
for an N-transistor and a P-transistor respectively.
The drive condition of NEG is the conjunction of the drive conditions of $P(a, 1, e)$ and $N(a, e, 0)$. That is
$(\neg a \wedge \delta a \wedge (1 \vee e)) \Rightarrow (\delta 1 = \delta e)$ (by $P(a, 1, e)$)
$\wedge\; (a \wedge \delta a \wedge (\neg e \vee \neg 0)) \Rightarrow (\delta e = \delta 0)$ (by $N(a, e, 0)$).
The power and ground wires are always driven, so $\delta 1 = \delta 0 = 1$, and the formula simplifies to $\delta a \Rightarrow \delta e$. The implication means that drive is propagated from wire a to wire e, so if a is chosen as an input wire ($\delta a = 1$), then e can be used as an output wire (but not the other way round).
Fig. 4.
The propagation of drive through a whole circuit is achieved by the propagation 
through each of its component transistors. The formula describing this is nothing 
but the conjunction of the formulae for all its individual component transistors 
(Fig. 4). 
The adequacy condition of NEG is the conjunction of the adequacy conditions of $P(a, 1, e)$ and $N(a, e, 0)$,
$((1 = e) \vee \delta a)$ (by $P(a, 1, e)$)
$\wedge\; ((e = 0) \vee \delta a)$ (by $N(a, e, 0)$)
which simplifies to $\delta a$. This means that the environment has the responsibility of ensuring a is always driven, i.e., it is an input wire. The distinction between input and output wires is one of the main reasons for introducing drive and adequacy.
Fig. 5.
Finally, we define the adequacy condition for a circuit. As before, this is just the 
conjunction of the adequacy conditions for all the transistors of the circuit (Fig. 5). 
A transistor is adequate if its source equals its drain, because then the status of its 
gate does not matter. Otherwise, the gate must be driven. For both kinds of transistor 
the adequacy condition is defined as 
$(s = d) \vee \delta g$.
3. Some simplifications 
The arguments in the previous section suggest that the behaviour of any circuit can be characterized by three propositions (C, D, A), where C is the consistency condition and D is the drive condition and A is the adequacy condition. For example, a circuit consisting of a single N-transistor is the triple
$C = (g \Rightarrow (s = d))$,
$D = (g \wedge (\neg s \vee \neg d) \wedge \delta g \Rightarrow (\delta s = \delta d))$,
$A = (s = d) \vee \delta g$,
where g is the name of the gate wire, s the source, and d the drain. The formula for a P-transistor is similar, except that $\neg g$ is substituted for g, $\neg s$ for s and $\neg d$ for d.
The adequacy condition A describes the obligation of the environment in supply- 
ing drive on a sufficiently large set of input wires. The drive condition D describes 
which wires will be driven at the end of the cycle of operation; these are the wires 
on which output may be read. The consistency condition C is satisfied by just those 
wire values that avoid short circuit. The environment has an obligation to set the 
input wires true or false in such a way that there exists a combination of values for 
the remaining wires which satisfies the consistency condition. The values ascribed 
by the circuit to the output wires at the end of the cycle will then maintain satisfiability 
of $C$.
A more complex circuit is built up as a collection of P-transistors and N-transistors, 
connected to each other by named wires. When two circuits are connected to each 
other in this way, the behaviour of the resulting circuit is described by the component- 
wise conjunction of the three conditions describing the components. We can define 
this as a parallel composition operator on the triples 
$(C, D, A) \parallel (C', D', A') = (C \wedge C', D \wedge D', A \wedge A')$.
This operator obviously shares all properties of conjunction, for example associativity, commutativity and even idempotence. These are exactly the properties one would 
expect when putting circuits together in practice. For example, the order in which 
connections are made between the components is immaterial to their subsequent 
behaviour. (Certain circuits, for example arbiters, are non-deterministic in operation. 
As a result, a circuit composed of two identical arbiters may result in short-circuit, 
thus violating idempotence. Our theory must therefore be limited in application to 
deterministic circuits.) 
The three formulae describing each individual transistor are already quite compli- 
cated; and when these formulae are joined by parallel composition, they will get 
very long as well. Of course, considerable simplifications can be made by the laws 
of Boolean algebra; in this section we shall introduce some even more powerful 
laws, specific to the design of C-mos switching circuits. 
Our main simplifications are justified, like earlier simplifications, by the fact that 
we are not interested in making distinctions between circuits that are not designed 
correctly. A similar simplification is introduced into Dijkstra’s calculus of sequential 
programming by its identification of all incorrect programs with abort. In our case 
we choose not to make any distinctions between inconsistent states of a circuit; for 
example, it is wholly irrelevant whether an inconsistent state satisfies the drive 
condition or not. Similarly, assuming consistency of the state, operation of the circuit 
will guarantee the truth of the drive condition at the end of the cycle. It is only at 
the end of the cycle that the adequacy condition has to be met. So the adequacy 
condition is relevant only when the consistency and drive conditions are known to 
be true. This fact allows the circuit itself to contribute to its own adequacy condition. 
We therefore define two circuits to be equivalent if they differ only on states which we have decided to regard as irrelevant. They must have exactly the same consistent states; their states which are both consistent and driven must be the same; and states which are consistent, driven and adequate must be the same. So we define
$(C, D, A) = (C', D', A')$
to mean $[C = C']$ and $[C \Rightarrow (D = D')]$ and $[C \wedge D \Rightarrow (A = A')]$, where the square brackets indicate that the enclosed propositional formula is a tautology (notation due to Dijkstra).
Clearly, this defines an equivalence relation among circuits. The most important 
consequence of this is 
$(C, D, A) = (C, C \wedge D, C \wedge D \Rightarrow A)$.
The right hand side of this equivalence will be taken as a canonical form of the 
description of a process. 
Take two equivalent circuit descriptions and combine each of them in parallel 
with a third description. You would certainly hope that the resulting pair of 
descriptions are also equivalent-otherwise the definition of equivalence could not 
be used to simplify component subcircuits of a large circuit. So the parallel composi- 
tion operator should respect equivalence, as guaranteed by the following congruence 
theorem: 
If $(C, D, A) = (C', D', A')$
then $(C, D, A) \parallel (P, Q, R) = (C', D', A') \parallel (P, Q, R)$.
The main purpose of an accurate description of the behaviour of a circuit is to 
serve as its specification, for the benefit of a designer who will incorporate the circuit 
into some larger environment. For this purpose, it is important that the specification 
be simple; to achieve this we can even allow it to be inaccurate! The inaccuracy 
will be harmless, provided that the specification describes a circuit that is systemati- 
cally worse than the actual one, worse in all ways and in all environments. It is the 
responsibility of the designer of the environment to ensure correct operation in spite 
of the apparently reduced quality of the component; our theory will ensure that it 
continues to do so when the actual quality of the component is superior to that 
specified. The only disadvantage of weakening the specification of a circuit is that 
it reduces the apparent range of environments in which it may be used. But a 
specification that is too complicated can make a circuit even more useless, as users 
of complex software systems know to their cost. 
It is a fact of circuit design that a driven wire is always more useful than an 
undriven one. Given two circuits with the same consistent states, the better one is 
the one that in each consistent state has more driven wires, or at least as many (in 
set inclusion ordering). The drive condition of the better circuit will therefore be 
stronger than the drive condition of the other. In this way, the drive condition of 
a circuit acts like the post-condition of a sequential program: to weaken it makes 
the program appear worse than it actually is; but no errors can result. 
Similarly, the adequacy condition of a circuit is like the precondition of a 
sequential program. It describes an obligation that must be met by the environment 
within which the component is embedded. The designer of the component may 
assume that this has been done, and correct operation of the component may depend 
upon it. Given two circuits with the same consistent states and the same drive 
condition, the better circuit is the one with the weaker adequacy condition, since 
this places less restriction upon the environment in which it may be used. The same 
is true of the consistency condition. According to this reasoning, the canonical form 
of a process description is the one that paints the process in the most favourable 
light: the drive condition is as strong as possible, and the adequacy condition as 
weak as possible. 
Let us formalize the definition of our merit ordering, where $P \sqsubseteq Q$ means Q is as good as or better than P:
$(C, D, A) \sqsubseteq (C', D', A')$
means $[C \Rightarrow C']$ and $[C' \wedge D' \Rightarrow C \wedge D]$ and $[C' \wedge D' \wedge A \Rightarrow A']$. This relation is clearly a preorder (reflexive and transitive). Furthermore, it induces the already familiar equivalence relation by the usual definition
$(P \sqsubseteq P' \text{ and } P' \sqsubseteq P)$ iff $P = P'$.
If the justification given above for the definition of equivalence and ordering between 
circuits is not wholly convincing, some additional confidence may be gained from 
their properties described in the remainder of this section. 
Take two circuit descriptions, one better than the other, and combine each of 
them in parallel with a third description. You would certainly hope that the system 
with the better component would behave better than the other, or at least no 
worse-otherwise replacement of a component by a better one would be invalid, 
and so would the whole design philosophy based on our ordering relation. In other 
words, the parallel composition operator should respect the ordering relation $\sqsubseteq$, as guaranteed by the following monotonicity theorem
If $(C, D, A) \sqsubseteq (C', D', A')$
then $(C, D, A) \parallel (P, Q, R) \sqsubseteq (C', D', A') \parallel (P, Q, R)$.
One of the most important simplifications in a specification is that which conceals 
the voltage, the name, and even the existence of a local wire w. The result is allowed 
to be worse than the original, i.e., the drive condition can be weakened by existential 
quantification, and the adequacy condition can be strengthened by universal quan- 
tification, as justified by the theorem 
$(C, (\exists w, \delta w.\, D), (\forall w, \delta w.\, A)) \sqsubseteq (C, D, A)$.
As explained before, the wire name w is concealed from the consistency condition (which does not contain $\delta w$) by existential quantification on w. We therefore define a concealment operator $\mathsf{H}$ by the equation
$\mathsf{H}w.\, (C, D, A) = ((\exists w.\, C), (\exists w, \delta w.\, C \wedge D), (\forall w, \delta w.\, C \wedge D \Rightarrow A))$.
The useless circuit shown above (the single transistor $N(g, 1, 0)$ of Fig. 3) has the full specification:
$g \Rightarrow (1 = 0)$, consistency
$g \wedge \delta g \wedge (\neg 1 \vee \neg 0) \Rightarrow (\delta 1 = \delta 0)$, drive
$(1 = 0) \vee \delta g$, adequacy
which simplifies to the triple $(\neg g, \mathit{true}, \delta g)$. By the definition of the concealment operator $\mathsf{H}g$, localising g will form a circuit with specification
$\exists g.\, \neg g$, consistency
$\exists g, \delta g.\, \neg g \wedge \mathit{true}$, drive
$\forall g, \delta g.\, (\neg g \wedge \mathit{true}) \Rightarrow \delta g$, adequacy
which simplifies to $(\mathit{true}, \mathit{true}, \mathit{false})$. The adequacy condition is simply false. It is logically impossible for any environment to meet this condition; the circuit is shown to be totally useless (as indeed it is).
Fig. 6.
This definition enjoys algebraic properties similar to those of other quantifiers; 
they are the same properties that one would expect of the actual hardware of a circuit: 
(a) $(\mathsf{H}w.\, Q) = Q$, if $w$ and $\delta w$ are not free in $Q$.
(b) $(\mathsf{H}w.\, Qw) = (\mathsf{H}v.\, Qv)$, where $Qw$ contains $w$ and $\delta w$ in just those positions where $Qv$ contains $v$ and $\delta v$.
(c) If $P \sqsubseteq Q$ then $(\mathsf{H}w.\, P) \sqsubseteq (\mathsf{H}w.\, Q)$.
(d) $(\mathsf{H}w.\, P) \parallel Q = (\mathsf{H}w.\, (P \parallel Q))$, if $w$ and $\delta w$ are not free in $Q$.
(e) $\mathsf{H}v.\, (\mathsf{H}w.\, P) = \mathsf{H}w.\, (\mathsf{H}v.\, P)$.
It is an important property of a theory that it permits full abstraction from internal 
states and events. It is this that permits modular design of large circuits, and permits 
complex components to have simple interfaces. The need to prove the properties 
listed above is a major determinant in the choice of the definition of the ordering 
$\sqsubseteq$ (Figs. 6-9). 
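The following program is an example added here, not code from the paper. It represents a circuit as a triple of Python predicates over valuations of its wires and their drive flags, builds NEG, the hidden single transistor of Figs. 3 and 6, SNOR and NOR from transistors, parallel composition and concealment exactly as defined above, and decides the bracketed tautologies of the equivalence and merit ordering by enumeration. It confirms the simplifications stated in the captions of Figs. 2, 4, 5, 6 and 8, and that the weakened NOR description of Fig. 8 is below the full one in the ordering, strictly so. The function names, the "d"-prefix convention for the drive flag of a wire, and the use of 1 and 0 for the power and ground wires are this example's own choices.

```python
"""Exhaustive check of the (C, D, A) triples of Sections 2 and 3 (added example,
not the paper's code). A circuit is a triple of predicates over a valuation:
a dict with each wire's voltage (True = high) under the wire's name and its
drive flag delta-w under "d" + name (wire "a" has drive flag "da"). Power and
ground are the constants 1 and 0, which are always driven."""
from itertools import product

def val(e, w):
    """Voltage of wire w: the constants 1/0, or a named wire looked up in e."""
    return True if w == 1 else False if w == 0 else e[w]

def drv(e, w):
    """Drive flag delta-w; power and ground are always driven."""
    return True if w in (0, 1) else e["d" + w]

def transistor(kind, g, s, d):
    """(C, D, A) of N(g, s, d) or P(g, s, d) from Section 2. A P-transistor is
    the N formula with g, s, d negated: on when the gate is low, propagating
    drive only at the high level."""
    on = (lambda e: val(e, g)) if kind == "N" else (lambda e: not val(e, g))
    level = ((lambda e: not val(e, s) or not val(e, d)) if kind == "N"
             else (lambda e: val(e, s) or val(e, d)))
    C = lambda e: not on(e) or val(e, s) == val(e, d)
    D = lambda e: not (on(e) and drv(e, g) and level(e)) or drv(e, s) == drv(e, d)
    A = lambda e: val(e, s) == val(e, d) or drv(e, g)
    return (C, D, A)

def N(g, s, d): return transistor("N", g, s, d)
def P(g, s, d): return transistor("P", g, s, d)

def par(*cs):
    """Parallel composition: componentwise conjunction of the triples."""
    return tuple((lambda e, i=i: all(c[i](e) for c in cs)) for i in range(3))

def hide(w, circ):
    """Concealment Hw: (exists w.C, exists w,dw.C&D, forall w,dw.C&D => A)."""
    C, D, A = circ
    exts = lambda e: [{**e, w: v, "d" + w: dv}
                      for v, dv in product([False, True], repeat=2)]
    return (lambda e: any(C(x) for x in exts(e)),
            lambda e: any(C(x) and D(x) for x in exts(e)),
            lambda e: all(not (C(x) and D(x)) or A(x) for x in exts(e)))

def tautology(pred, wires):
    """[pred]: pred holds in every valuation of the wires and their drive flags."""
    names = list(wires) + ["d" + w for w in wires]
    return all(pred(dict(zip(names, bits)))
               for bits in product([False, True], repeat=len(names)))

def equivalent(p, q, wires):
    """[C = C'] and [C => (D = D')] and [C & D => (A = A')]."""
    (C, D, A), (C2, D2, A2) = p, q
    return (tautology(lambda e: C(e) == C2(e), wires)
            and tautology(lambda e: not C(e) or D(e) == D2(e), wires)
            and tautology(lambda e: not (C(e) and D(e)) or A(e) == A2(e), wires))

def refines(p, q, wires):
    """p is below q in the merit ordering (q as good as or better than p):
    [C => C'], [C' & D' => C & D], [C' & D' & A => A']."""
    (C, D, A), (C2, D2, A2) = p, q
    return (tautology(lambda e: not C(e) or C2(e), wires)
            and tautology(lambda e: not (C2(e) and D2(e)) or (C(e) and D(e)), wires)
            and tautology(lambda e: not (C2(e) and D2(e) and A(e)) or A2(e), wires))

# Circuits of the figure captions, built only from transistors, par and hide.
NEG = par(P("a", 1, "e"), N("a", "e", 0))                 # Figs. 2, 4, 5
USELESS = hide("g", N("g", 1, 0))                         # Figs. 3, 6
SNOR = hide("x", par(P("a", 1, "x"), P("b", "x", "z")))   # Fig. 7
NOR = par(SNOR, N("a", "z", 0), N("b", "z", 0))           # Fig. 8

# The simplified triples stated in the captions, written out directly.
NEG_SIMPLE = (lambda e: e["e"] == (not e["a"]),           # e = not a
              lambda e: not e["da"] or e["de"],            # da => de
              lambda e: e["da"])                           # da
NOR_FULL = (lambda e: e["z"] == (not (e["a"] or e["b"])),
            lambda e: not ((e["a"] and e["da"]) or (e["b"] and e["db"])
                           or (e["da"] and e["db"])) or e["dz"],
            lambda e: ((e["a"] and not e["b"] and e["da"])
                       or (e["b"] and not e["a"] and e["db"])
                       or (e["da"] and e["db"])))
NOR_WEAK = (NOR_FULL[0],
            lambda e: not (e["da"] and e["db"]) or e["dz"],  # da & db => dz
            lambda e: e["da"] and e["db"])                   # da & db

def checks():
    """Each entry is a claim of a figure caption, decided by enumeration."""
    w3 = ["a", "b", "z"]
    return {
        "NEG equals (e = not a, da => de, da)": equivalent(NEG, NEG_SIMPLE, ["a", "e"]),
        "hiding g in N(g, 1, 0) gives adequacy false": tautology(lambda e: not USELESS[2](e), []),
        "NOR equals the Fig. 8 triple": equivalent(NOR, NOR_FULL, w3),
        "weakened NOR is below the full NOR": refines(NOR_WEAK, NOR, w3),
        "and strictly so": not refines(NOR, NOR_WEAK, w3),
    }

if __name__ == "__main__":
    for claim, holds in checks().items():
        print(f"{str(holds):5}  {claim}")
```

Every check is a finite enumeration because each hidden wire is quantified over its four (voltage, drive) combinations inside hide, so the cost grows only with the number of external wires; the last check shows that the ordering is strict, since the weakened NOR drive condition does not promise that an output driven through one pull-down transistor alone is driven.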
4. A calculus of design 
The previous section has shown how a C-mos circuit design can be built up from individual P-transistors and N-transistors by means of parallel composition ($\parallel$) and hiding of local wires ($\mathsf{H}$). With each design, it associates a triple of propositional formulae, which can be used to predict the behaviour of a given circuit, and in particular to analyse and avoid the risk of failure. Like other scientific theories, it is purely descriptive, and could be supported or refuted by experiment on actual C-mos circuits (provided that these also satisfy the design rules of the fabrication line on which they are produced).

The "pull-up net" of a NOR circuit has a local wire x. We define:
$\mathit{SNOR} = \mathsf{H}x.\, P(a, 1, x) \parallel P(b, x, z)$.
$\neg a \wedge \neg b \Rightarrow z$, consistency
$\neg a \wedge \neg b \wedge \delta a \wedge \delta b \Rightarrow \delta z$, drive
$((a \Rightarrow \delta a) \wedge (b \Rightarrow \delta b)) \vee (z \wedge (\neg a \vee \neg b))$, adequacy
This subcircuit would be easier to use with the simpler adequacy condition $(a \Rightarrow \delta a) \wedge (b \Rightarrow \delta b)$, even though it is stronger and therefore more difficult to meet. No error can result from use of a stronger adequacy condition.
Fig. 7.
In this section we shall develop the theory into a design calculus for deriving the 
design of a circuit directly from its specification. By following the rules step by step, 
a design engineer will be prevented from introducing logical errors into the design. 
Since each step is small and uses only propositional logic, its correctness can be 
easily checked, even by computer. The fact that correctness of each step guarantees 
correctness of the whole design is established by mathematical reasoning, based on 
theorems like those of the previous section. 
A formal design calculus must start with a formal specification of the product to be designed. The specification should be expressed in the clearest possible fashion, to reduce the terrible risk that it fails to describe what is really required. Thus it should be free to use concepts and notations which are more abstract and more general than those in which the design is described. The restriction in the design notation is needed only to permit direct and efficient implementation, for example as a C-mos circuit etched onto silicon; such restrictions can have only a deleterious effect on a specification.

The basic combinational NOR circuit uses SNOR as a component
$\mathit{NOR}(a, b, z) = \mathit{SNOR} \parallel N(a, z, 0) \parallel N(b, z, 0)$
$z = \neg(a \vee b)$, consistency
$((a \wedge \delta a) \vee (b \wedge \delta b) \vee (\delta a \wedge \delta b)) \Rightarrow \delta z$, drive
$(a \wedge \neg b \wedge \delta a) \vee (b \wedge \neg a \wedge \delta b) \vee (\delta a \wedge \delta b)$, adequacy
The consistency condition states the familiar logical function of the circuit. The remaining conditions can be simplified. The drive condition is usually weakened to $\delta a \wedge \delta b \Rightarrow \delta z$ and the adequacy condition strengthened to $\delta a \wedge \delta b$. No error can result from these simplifications.
Fig. 8.
In the case of a C-mos circuit, we will start with a specification containing three 
propositional formulae $(C, D, A)$, with the same free variables $(w, \delta w)$ as the eventual 
behavioural description of the circuit; however they may be combined freely by 
arbitrary propositional connectives, not just parallel composition and hiding. It is 
the task of the designer to invent a circuit, expressed solely in terms of transistors, 
parallel composition and hiding, whose behaviour is as good as or better than that 
specified. 
In a correct design, the consistency condition C for the specification should imply the consistency condition C' of the design. In the absence of hiding, the latter is just the conjunction of the consistency conditions for the individual transistors of the circuit. Each of these must therefore be a logical consequence of C. This fact can be checked separately for each individual transistor, before it is added to the circuit. In this way, the correctness of the whole circuit is assured by proofs conducted piecemeal during its design. A circuit designed in this way is not subject to risk of unintended short circuits.

A cross-coupled flip-flop is normally used as a storage element. Disregarding storage, its combinational behaviour may be defined
$\mathit{SR} = \mathit{NOR}(s, \bar q, q) \parallel \mathit{NOR}(r, q, \bar q)$.
The consistency condition is
$(q = \neg(s \vee \bar q)) \wedge (\bar q = \neg(r \vee q))$,
which defines its consistent states according to the table

  s   r   q   q̄
  1   1   0   0
  1   0   0   1
  0   1   1   0
  0   0   u   ū

where the value of u may be either 0 or 1. The drive condition is
$(s \wedge \delta s) \vee (\bar q \wedge \delta \bar q) \vee (\delta s \wedge \delta \bar q) \Rightarrow \delta q$
$\wedge\; (r \wedge \delta r) \vee (q \wedge \delta q) \vee (\delta r \wedge \delta q) \Rightarrow \delta \bar q$.
Since q and q̄ are not going to be used as inputs, this can be weakened to
$((s \vee (r \wedge \delta r)) \wedge \delta s \Rightarrow \delta q) \wedge ((r \vee (s \wedge \delta s)) \wedge \delta r \Rightarrow \delta \bar q)$.
The adequacy condition is
$(s \wedge \neg \bar q \wedge \delta s \vee \bar q \wedge \neg s \wedge \delta \bar q \vee \delta s \wedge \delta \bar q)$
$\wedge\; (r \wedge \neg q \wedge \delta r \vee q \wedge \neg r \wedge \delta q \vee \delta r \wedge \delta q)$,
which can be strengthened to $(s \vee r) \wedge \delta s \wedge \delta r$.
Fig. 9.
The decision to introduce a local wire w into a circuit, like the introduction of a 
local variable into a sequential program, requires good judgement. The designer 
presumably knows the intended properties of the final value of the local variable, 
and should express this as a proposition $I(w)$. The consistency of this needs to be 
checked by proof (from C) of $\exists w.\, I(w)$. $I(w)$ may then be added as an assumption 
to the condition C, as used to derive the individual transistors of the circuit which 
are connected to the wire w. It is permissible to introduce two or more variables at 
the same time, linked by a single proposition I(v, w). The role of I(w) is like that 
of an assertion in a sequential program: it has no effect on the actual behaviour of 
the circuit; however, it is essential to the progress and documentation of the design. 
Treatment of drive and adequacy is a little more complicated. The goal of the 
design is to prove the drive condition of the specification, which plays the role of 
the postcondition of a sequential program. During the design, the set of assumptions 
and the set of proof obligations will change. As each transistor is added to the 
circuit, its drive condition is added to the assumptions, and its adequacy condition 
is added to the proof obligations. Further transistors are added until the accumulated 
consistency and drive conditions of the circuit imply the consistency and drive 
condition of the specification; and, together with the adequacy of the specification, 
imply all the adequacy conditions of the circuit. At this point, the design is complete, 
and the accumulated set of transistors is better than required by the specification; 
indeed, that was the main purpose of introducing the ordering relation between 
circuit descriptions. 
In the design of a large system, it would be intolerable to add just one transistor 
at a time. Indeed, the designer wants to call up and insert a complete subcircuit 
which has been previously designed to meet some generally useful specification. A 
similar facility is offered by the call of a procedure in a sequential programming 
language. The method of inserting a complete subcircuit is identical to that of 
inserting a single transistor. The consistency condition of the subcircuit must first 
be proved; then its drive condition is added to the assumptions and its adequacy 
condition is added to the proof obligations. The validity of this method of composing 
subcircuits is guaranteed by the fact that parallel composition and hiding are both 
monotonic operators, so replacement of a subcircuit specification by its actual 
transistors can only improve the entire product. 
The overall effect of this design methodology is that the design emerges as a 
byproduct of the proof, and it is not possible that it contains an error. In principle, 
each line of the proof can be checked by computer. The research reported in this 
paper therefore is an illustration of the modern engineering philosophy “design 
right first time”. However, the correct design of combinational switching circuits is 
currently assured by simpler methods; and no claim is made that this new method 
will be useful in practice. Before any practical application, it would be advisable 
to explore the conditions under which the theory is faithful to the actual behaviour 
of electronic circuits; in this paper the only supporting case is given by the examples. 
Better support can be obtained by relating the assertional techniques of this paper 
to the operation of a realistic simulation like that of [3]. At the same time, the 
theory should be extended to cover sequential circuits. 
The more important lessons I would draw from this paper are philosophical and 
methodological: how a scientific theory of actual product behaviour must be 
extremely simple if it is to provide a basis for engineering design practice; and the 
transition between the two requires development of a considerable mathematical 
theory. But the general philosophy is the same for both hardware and software 
design, and much interesting research remains to be done in both areas. 
Acknowledgment 
For inspiration, encouragement, and helpful comments to Jonathan Bowen, Geoff 
Brown, Mani Chandy, Edsger W. Dijkstra, Paul Gardiner, Mike Gordon, Mohamed 
Gouda, Jifeng He, Roy Jenevein, Geraint Jones, Mark Josephs, Chris Lengauer, 
Quentin Miller, Jay Misra, Jeff Sanders, Ian Page, Juzer Shaikhali, David Shepherd, 
André Stern, David Wheeler, Zhou Chaochen, and the VLSI club at Eindhoven 
(correspondent: Tom Verhoeff). The research was supported in 1986/1987 by the 
Admiral B.R. Inman Centennial Chair of Computing Theory at the University of 
Texas at Austin. 
Appendix 
Here we show by example how the theory described in this paper may be turned 
into a design method, involving the following steps: 
(1) Write consistency conditions in the left column, drive conditions in the middle 
column, and adequacy conditions in the rightmost column of the page. 
(2) Write the specification at the head of each column. 
$z = \neg a \wedge \neg b$        $\delta a \wedge \delta b \Rightarrow \delta z$        $\delta a \wedge \delta b$ 
(3) Before putting a transistor into a circuit, its consistency condition must be 
derived from that of the specification, for example, truth of a (or b) implies falsity 
of z. This justifies the insertion of two N-transistors. 
$N(a, z, 0)$:  $a \Rightarrow (z = 0)$        $\delta a \wedge a \Rightarrow \delta z$        $\delta a \vee (z = 0)$ 
$N(b, z, 0)$:  $b \Rightarrow (z = 0)$        $\delta b \wedge b \Rightarrow \delta z$        $\delta b \vee (z = 0)$ 
The drive and adequacy conditions of each transistor are then written in the other 
two columns. 
(4) At any stage it is permissible to combine and simplify the conditions, thereby 
obtaining a check on the progress of the design. If the adequacy of a component 
follows from the specification, it can be simplified to true: 
$a \vee b \Rightarrow \neg z$        $((a \wedge \delta a) \vee (b \wedge \delta b)) \Rightarrow \delta z$        true 
This gives a check on the progress of the design. The drive condition is satisfied 
when either a or b is true. It follows that we still need to deal with the cases when 
a and b are both false. 
(5) A previously designed circuit may be included in exactly the same way as a 
single transistor: its consistency condition must be proved, and then its drive and 
adequacy conditions are written in the other columns (compare the inclusion of a 
procedure call in a programming language). For example 
$SNOR(a, b)$:  $\neg a \wedge \neg b \Rightarrow z$        $\neg a \wedge \neg b \wedge \delta a \wedge \delta b \Rightarrow \delta z$        $(a \Rightarrow \delta a) \wedge (b \Rightarrow \delta b)$ 
Fig. 10. 
(6) The design continues until it is possible 
(a) to prove the consistency of the specification from that of the design: e.g. 
$((a \vee b) \Rightarrow \neg z) \wedge (\neg a \wedge \neg b \Rightarrow z) \Rightarrow (z = \neg a \wedge \neg b)$. 
(b) given the consistency conditions, to prove the drive condition of the 
specification from those of the circuit, e.g. 
$((a \wedge \delta a) \vee (b \wedge \delta b) \vee (\neg a \wedge \neg b \wedge \delta a \wedge \delta b) \Rightarrow \delta z) \Rightarrow (\delta a \wedge \delta b \Rightarrow \delta z)$. 
(c) assuming (if necessary) all drive and consistency conditions, to prove all the 
adequacy conditions of the design 
$\delta a \wedge \delta b \Rightarrow (\delta a \wedge \delta b \vee \neg z) \wedge (a \Rightarrow \delta a) \wedge (b \Rightarrow \delta b)$. 
All the formulae are tautologies, thus proving that our design is complete. 
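The column check of steps (3) and (6) can be mechanised by exhaustive enumeration; the script below is an added illustration, not part of Hoare's paper, and the component functions, the names `da`, `db`, `dz` for the driven flags, and the obligation labels it returns are this example's own conventions.

```python
from itertools import product

# Added example, not code from Hoare's paper: it mechanises the Appendix's
# column check for NOR(a, b, z) = SNOR || N(a, z, 0) || N(b, z, 0) over all
# 64 valuations of the wire values a, b, z and the "driven" flags da, db, dz
# (the paper's delta-a, delta-b, delta-z). Each component is a function of a
# valuation returning its (consistency, drive, adequacy) triple.
WIRES = ('a', 'b', 'z', 'da', 'db', 'dz')

def imp(p, q):
    return (not p) or q          # propositional implication p => q

def n_transistor(gate, src):
    """N(gate, src, 0): N-transistor from wire src to ground, opened by gate."""
    def cond(v):
        g, s, dg, ds = v[gate], v[src], v['d' + gate], v['d' + src]
        return (imp(g, not s),       # consistency: gate high forces src low
                imp(dg and g, ds),   # drive: a driven high gate drives src
                dg or not s)         # adequacy: gate driven, or src already low
    return cond

def snor(v):
    """SNOR(a, b): previously designed pull-up block, Appendix step (5)."""
    a, b, z, da, db, dz = (v[k] for k in WIRES)
    return (imp(not a and not b, z),
            imp(not a and not b and da and db, dz),
            imp(a, da) and imp(b, db))

def nor_spec(v):
    """The NOR specification written at the head of the columns, step (2)."""
    a, b, z, da, db, dz = (v[k] for k in WIRES)
    return (z == (not a and not b), imp(da and db, dz), da and db)

NOR_DESIGN = [snor, n_transistor('a', 'z'), n_transistor('b', 'z')]

def check_design(components, spec=nor_spec):
    """None if every obligation of steps (3) and (6) holds in all valuations, else the first failing label."""
    for bits in product((False, True), repeat=len(WIRES)):
        v = dict(zip(WIRES, bits))
        sc, sd, sa = spec(v)
        parts = [c(v) for c in components]
        dc, dd, dad = (all(p[i] for p in parts) for i in range(3))  # || conjoins
        obligations = [
            ('3', all(imp(sc, p[0]) for p in parts)),  # spec consistency gives each part's
            ('6a', imp(dc, sc)),                       # design consistency gives spec's
            ('6b', imp(dc and dd, sd)),                # spec drive from the circuit's drive
            ('6c', imp(dc and dd and sa, dad))]        # every adequacy condition of design
        for label, holds in obligations:
            if not holds:
                return label
    return None
```

`check_design(NOR_DESIGN)` returns `None`, while `check_design(NOR_DESIGN[1:])` (the two N-transistors alone, the state after step 4) returns `'6a'`, since the case a = b = 0 is not yet handled.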
Exercise. Derive an EXOR circuit (with NEG), to satisfy 
$z = (a \neq b)$, consistency 
$\delta a \wedge \delta b \Rightarrow \delta z$, drive 
$\delta a \wedge \delta b$, adequacy 
where $a \neq b \mathrel{\hat{=}} (a \wedge \neg b) \vee (\neg a \wedge b)$. Try to use only six transistors. 
(Note. The answer could be as shown in Fig. 10. This is a circuit which in some 
theories gives the wrong result, and in practice it may be difficult to ensure satisfactory 
operation.) 
References 
[1] E.W. Dijkstra, Guarded commands, non-determinacy, and the formal derivation of programs, Comm. 
ACM 18 (1975) 453-457. 
[2] C.A.R. Hoare and M.J.C. Gordon, Partial correctness of C-mos switching circuits: an exercise in 
applied logic, in: Proc. 3rd Ann. Symp. on Logic in Computer Science, Edinburgh (1988) 28-36. 
[3] R.E. Bryant, A switch-level model and simulator for the MOS digital systems, IEEE Trans. Comput. 
33 (1984) 160-177. 
