Three simple models of synchronous hardware are given, using linear discrete, branching discrete and branching real time. A simple notion of abstraction is introduced, motivated by the need to ultimately view such models as scientific theories that make empirical predictions. It makes the significance of design rules explicit.
Introduction
In this paper we investigate some issues involved in the formal modelling of hardware. It is widely accepted that models at various levels of abstraction are required. When reasoning about a system it is desirable to use the most abstract model possible. It is a truism that actual hardware cannot be formally verified and therefore that our formal models must be related to the real world by some scientific work, enabling empirical predictions to be confidently made about the behaviour of actual hardware from the results of formal reasoning. This appears to be most straightforward for reasonably concrete models. We define a notion of abstraction between two models that has only enough structure to lift an empirical understanding of the more concrete to the more abstract. A model is typically only valid for circuits that satisfy certain design rules. It is often unclear, however, exactly what is guaranteed by a particular design rule. This can sometimes be answered by a precise result in a more concrete model that is more widely valid. The design rule, together with assumptions on the concrete models of primitive components, can then be seen as necessary for a particular abstraction to exist. These general statements are given some precise meaning by considering three models of simple synchronous circuits and the abstractions between them. In §2 and §3 we give a syntax suitable for describing circuits at the gate level and a standard linear discrete time model. In §4 we discuss design rules and abstractions between models in general.
In §5 to §7 we give a branching discrete time model and an abstraction that depends on the design rule 'All cycles contain a sequential gate'. This involves a class of deadlock-free parallel compositions. In §8 we recall the informal timing properties given in the manufacturer's databook [TI84] for certain 74LS devices. In §9 to §12 we give a branching real time model and an abstraction that depends on the design rule 'There are no long sequences of combinational gates' and a physically plausible formalisation of the timing properties. It should be noted that we are only attempting to explore a few of the issues involved in relating abstract formal hardware models to actual hardware. In particular we consider only very simple synchronous circuits and quite abstract models. Our more concrete models have not been related to the concrete models in use, although they seem to be physically plausible. Most proofs are deferred to Appendix A. A short version of this work appeared at the 3rd Workshop on Designing Correct Circuits (DCC '96) [Sew96].
Circuit Syntax
We take a simple syntax of circuits with terms that are either primitive components from some set prim or the parallel composition of two terms:
circ ::= p | circ ∥ circ        (p ∈ prim)
To each term we associate a pair of disjoint finite sets of port names, drawn from a set N, representing the available input and output ports. These are given for primitive components by a function sort : prim → P_fin(N) × P_fin(N). We will consider only terms for which any input (resp. output) port is connected to at most one other port, which must be an output (resp. input). This condition, of 1:1 directional connection, is captured by D_0, where

D_0(c'') ⟺ if c ∥ c' is a subterm of c'' then sort c and sort c' are composable,

and sorts ⟨i, o⟩, ⟨i', o'⟩ are composable iff i ∩ i' = o ∩ o' = ∅. Set union between sets of ports will usually be elided. We will often refer to pairs of sorts of the form ⟨i₁h₁, o₁h₂⟩, ⟨h₂i₂, h₁o₂⟩, in which the sets are all supposed disjoint. The composition of terms c, c' with these sorts, and the resulting composite, could be depicted as a pair of diagrams (not reproduced here). This syntax is quite an abstract description of the structure of circuits: for certain problems, e.g. calculating capacitances between points, much more concrete geometrical descriptions would be required. We will be concerned with abstractions between the behaviours of terms in various models. We will not in this paper consider abstractions between different levels of structural description. Henceforth we identify circuits with terms of the syntax. We will appeal to notions of the actual instances of a circuit c and of the actual behaviour of these instances. By the former we mean the physical objects that could be constructed following some 'standard practice' and that correspond to c. We will not attempt to be more precise about what this 'standard practice' is. The choice of a binary parallel composition enables design rules, properties of circuits and proofs of abstraction results to be expressed compositionally in a straightforward way.
Parallel composition will be commutative and associative in all our models (up to a restriction on sorts), as expected. The choice of 1:1 directional connection is appropriate for the gate-based circuits we deal with. It would presumably not be appropriate for circuits with transistor-based structural descriptions. Having explicit sets of port names associated with each circuit simplifies our notation and definitions. Here sort c = ⟨i₁h₁, o₁h₂⟩, sort c' = ⟨i₂h₂, o₂h₁⟩ and h₁h₂ = {a₁, …, aₙ}. For example, we might have the following, putting V = bool = {t, f}. These are informal but easy to make precise (indeed Design Rule 0 has been, as D_0; Design Rule 1 will be in §5 and Design Rule 2 in §9). It is not clear exactly what is ensured by imposing these, nor whether they are sufficient.
We have not said how ⟦c⟧_L corresponds to the actual behaviour of instances of c.
These points can be addressed by considering more concrete models and the abstraction relationships between them. We envisage a number of models, related to each other by some mathematical notion of abstraction. We suppose that one of these models is related to the actual behaviour of instances of circuits by some scientific work, giving us an 'empirical understanding' of it. It is well known that it is not necessary to use as fine an equivalence as bisimulation in order to be sensitive to deadlock and be a congruence for parallel composition. Bisimulation is chosen to make the definitions in the next section and the relationship with the real time model simple. We will give abstractions from B all the way to the linear time L, skipping over intermediates such as failure equivalence classes of transition systems. One can argue that B is closer than L to the behaviour that might be exhibited by a stochastic circuit simulator. L abstracts from the internal states of circuits, whereas we might expect a simulator to maintain them, in a given state (perhaps randomly) choosing a succeeding state and valuation for ports from those allowed by the primitive components in that state. Such a simulator would therefore detect (probabilistically) the deadlocks of the example in §7.4. One might also argue that a proper treatment of nondeterminism will be essential when we get to very concrete physical models. X inhabits {⟨a, b⟩} and {⟨a, c⟩} but not ∅. Note also that determinacy (in any of the senses of §7.5) and nontermination are not implied by inhabitation.
The formalisation of property (1) for a primitive component p : T is that ⟦p⟧_B inhabits T and is nonterminating. This holds for the examples given. In this definition and henceforth we implicitly identify the units of discrete time with the period of some global clock.
Remark This notion of type does not seem to fit into the interaction category framework of Abramsky [Abr94], essentially because the interpretations of types are all distinct and composability is not an involution on types. Consider compositions of sorts ⟨i₁h₁, o₁h₂⟩, ⟨i₂h₂, o₂h₁⟩. If A is a set of types for one of these we define A^⊥ to be {T' | ∀T ∈ A. T, T' are composable} and note that for a type T the set {T}^⊥ may not be a singleton.
Abstraction Result
The important property of states inhabiting certain types is the following. However, none of the above notions of determinacy are preserved by parallel composition.
Informal Timing Properties
In the remainder of this paper we consider Design Rule 2: 'There are no long sequences of combinational gates'. Imposing this ensures that, loosely speaking, the timing behaviour of actual circuits will be correct, e.g. that setup and hold times will be met. To obtain a convincing abstraction result depending on Design Rule 2 we must, therefore, consider the timing properties of primitive components. The basic problem is to state properties of the real-time behaviour of circuits that:
(a) for primitive components, are expected to hold of standard device physics models, and are loose enough to admit manufacturing variations;
(b) are strong enough to admit a strong abstraction result to a discrete-time model;
(c) are composable (for circuits satisfying the design rule).
The abstraction result given below (Theorem 3) should be regarded only as an approximation to the kind of result desired: as will be discussed in the conclusion, the first condition has been relaxed slightly in order to obtain a reasonably tractable proof. For simplicity we suppose that primitive components are either purely combinational, of the form Comb_{f,ab}, or purely sequential, of the form Seq_{fg,ab}. We will give these timing properties based on those informally specified in the databook [TI84] for two particular TTL devices, a 74LS00 NAND gate and a 74LS171 D-type (with 'clear' input tied to V_cc and 'clock' tied to a global square-wave clock). In this section we recall these informal specifications.
Combinational Primitives
We assume that combinational primitives have a maximum propagation delay of t_p > 0 ns and a minimum propagation delay of 0 ns. Informally:
If the inputs of a combinational primitive are stable for an interval of length t p or more then its outputs will be stable, and have the correct values, for the subinterval starting t p later.
This can be depicted by a timing diagram for a primitive with sort ⟨ã, b̃⟩ (not reproduced here), showing ã stable and b̃ guaranteed stable from t_p later. In these diagrams a double line denotes a requirement or guarantee of a stable signal, hatched lines denote 'don't care'.
For a 74LS00 NAND the databook [TI84] specifies maximum propagation delays t_PLH = 15 ns, t_PHL = 15 ns for low-to-high and high-to-low output transitions. For our results to be relevant to actual circuits constructed using these devices we would therefore require t_p ≥ max(t_PLH, t_PHL) = 15 ns. [TI84] does not specify a minimum propagation delay; our choice of 0 ns is the weakest possible assumption and so uncontroversial.
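As an added worked example (not part of the original paper), the following Python checks a recorded output trace against the informal combinational property above: wherever the inputs are stable on an interval of length at least t_p, the output must equal f(inputs) from t_p after the start of that interval to its end, and nothing is promised in the first t_p (so, with minimum delay 0, a glitch there is permitted). Signals are represented as piecewise-constant traces of (time, value) breakpoints; the NAND traces, the 300 ns horizon and the times in ns are constructed for illustration.

```python
"""Checker for the informal combinational timing property (max delay t_p, min delay 0):
inputs stable on [a, b) with b - a >= t_p  =>  output equals f(inputs) on [a + t_p, b).

Signals are piecewise-constant traces: sorted (time, value) breakpoints, each value
holding from its time until the next breakpoint.  Times are in ns.
"""
from typing import Callable, List, Sequence, Tuple

Trace = Sequence[Tuple[float, bool]]
Interval = Tuple[float, float, bool]  # (start, end, required value) on [start, end)


def value_at(trace: Trace, t: float) -> bool:
    """Value of a trace at time t: that of the last breakpoint at or before t."""
    v = trace[0][1]
    for t0, x in trace:
        if t0 <= t:
            v = x
        else:
            break
    return v


def stable_intervals(inputs: Sequence[Trace], horizon: float):
    """Split [0, horizon) at every input breakpoint; return (start, end, input values)."""
    cuts = {0.0, horizon} | {t for tr in inputs for t, _ in tr if 0.0 < t < horizon}
    times = sorted(cuts)
    return [(a, b, tuple(value_at(tr, a) for tr in inputs))
            for a, b in zip(times, times[1:])]


def guaranteed_output(inputs: Sequence[Trace], f: Callable[..., bool],
                      t_p: float, horizon: float) -> List[Interval]:
    """Intervals on which the property forces the output to be f(inputs).
    Input intervals shorter than t_p yield no guarantee at all, and inside
    [a, a + t_p) the output may take any value, even glitch."""
    return [(a + t_p, b, f(*vals))
            for a, b, vals in stable_intervals(inputs, horizon) if b - a >= t_p]


def violations(output: Trace, guarantees: Sequence[Interval]) -> List[Tuple[float, bool, bool]]:
    """(time, required, actual) wherever the output trace breaks a guarantee.
    A piecewise-constant trace can only go wrong at the start of a guarantee
    interval or at one of its own breakpoints inside it, so only those are checked."""
    bad = []
    for a, b, required in guarantees:
        for t in [a] + [t for t, _ in output if a < t < b]:
            actual = value_at(output, t)
            if actual != required:
                bad.append((t, required, actual))
    return bad


def nand(x: bool, y: bool) -> bool:
    return not (x and y)


# Constructed traces for a 74LS00-style NAND with t_p = 15 ns.
A = [(0, True)]
B = [(0, False), (40, True), (200, False)]
GUARANTEES = guaranteed_output([A, B], nand, t_p=15, horizon=300)
# Output falls 7 ns after the inputs meet, rises 9 ns after they part: permitted.
OUT_OK = [(0, True), (47, False), (209, True)]
# Same, but with a glitch inside the don't-care window [40, 55): still permitted.
OUT_GLITCH = [(0, True), (41, False), (44, True), (50, False), (209, True)]
# Falls only 20 ns after the inputs meet: breaks the guarantee at t = 55.
OUT_LATE = [(0, True), (60, False), (209, True)]

if __name__ == "__main__":
    print(GUARANTEES)
    for name, tr in [("ok", OUT_OK), ("glitch", OUT_GLITCH), ("late", OUT_LATE)]:
        print(name, violations(tr, GUARANTEES))
```

Run as a script, the checker reports no violations for OUT_OK and OUT_GLITCH and a single violation at 55 ns for OUT_LATE; a 10 ns input pulse, being shorter than t_p, produces no guarantee and so is never a violation however the output behaves.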
Sequential Primitives
We take the 74LS171 D-type device, tying the 'clear' input to V_cc and the 'clock' input to a global clock with period t_c. There t_su = 20 ns and t_h = 5 ns. Two propagation delays t_PLH = 25 ns, t_PHL = 30 ns are given so we could take t_pseq = 30 ns. The minimum propagation delay t_pminseq is not specified. We require t_h ≤ t_pminseq, for example t_pminseq = 5 ns, which seems reasonably plausible. We take for example a clock period t_c = 100 ns. We take such a D-type to be a new primitive component DType_0, with sort ⟨{d}, {q, qbar}⟩ and discrete time semantics.

Definition N_{−∞}, +, ⊔ is the naturals extended by a negative infinite element −∞, with addition and maximum operations defined by −∞ + n = n + (−∞) = −∞, −∞ ⊔ n = n ⊔ (−∞) = n and m ⊔ n = max(m, n).
Definition D_2(c) ⟺ D_0(c) and c is typable in the system above.
For simplicity this is slightly stronger than necessary: it forbids all long paths of combinational primitives, not just those which feed into sequential primitives. The refined types above are related to the types of §5 as follows.
Definition If R is a refined type for sort ⟨i, o⟩ then T(R) ⊆ i × o is given by a T(R) b ⟺ R_{ab} ≠ −∞.
Proposition 5 If refined types R, R' are composable then types T(R), T(R') are composable and T(R ∥ R') = T(R) ∥ T(R').
Timing Disciplines
In this section we discuss the timing disciplines that a circuit may be required to obey.
This simply generalises the informal calculation of §8.3 to arbitrary circuits. We have not yet given a real time model and so cannot yet state what it means for a real time model of a circuit to obey a timing discipline.
Definition A timing discipline σ is a function from the port names N to non-empty subsets of the interval [0, t_c) (for our simple circuits we will only use open sub-intervals of [0, t_c)).
Intuitively such a σ defines, for each port a, a part σ(a) of each clock period for which the value on that port will be or must be constant. If we were using a richer model of values this would have to be replaced by a more interesting condition, e.g. that the value on a is above or below certain thresholds in each interval, rather than simply constant. For later convenience we take clock ticks to be at {(k + 1)t_c − t_h | k ∈ ℕ}. A timing discipline may thus refer to intervals containing clock ticks.
A circuit may be placed in contexts that require it to obey different, indeed incomparable, timing disciplines. For example, suppose K = 3 and consider the circuit c = Not_{ad} ∥ Not_{db} in two contexts (depicted in the original together with the timing disciplines c must obey in each; not reproduced here). For any typable composition we can find a timing discipline that can be agreed upon by both components.
Proposition 6 If R, R' are composable refined types and σ ∈ td(R ∥ R') then there exists σ' ∈ td(R) ∩ td(R') such that ∀d ∈ i₁i₂o₁o₂. σ'(d) = σ(d).

Proposition 7 For any refined type R the set td(R) is a non-empty set of timing disciplines.
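As an added worked example (not part of the original paper), the following Python carries the informal setup/hold calculation through for the databook figures of §8: for a chain of k NAND gates from the q output of one D-type to the d input of the next, it derives the open sub-interval of each clock period on which every port is guaranteed stable (a timing discipline for the chain) and checks that d is stable from t_su before the tick to t_h after it. Ticks sit at t_c − t_h within the period, as above. The value t_pminseq = 5 ns is the paper's assumed minimum D-type delay; the port names q, g1, …, gk and the Timing record are mine.

```python
"""Timing-discipline calculation for q -> g1 -> ... -> gk -> d between two D-types
clocked by the global clock.  All times in ns.  Within each period [0, t_c) the
tick sits at t_c - t_h, so the previous tick is at -t_h."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Interval = Tuple[float, float]  # open sub-interval (lo, hi) of [0, t_c)


@dataclass(frozen=True)
class Timing:
    t_c: float = 100.0       # clock period
    t_su: float = 20.0       # D-type setup time (databook)
    t_h: float = 5.0         # D-type hold time (databook)
    t_pseq: float = 30.0     # D-type max propagation delay, max(t_PLH, t_PHL) (databook)
    t_pminseq: float = 5.0   # D-type min propagation delay: not in the databook, assumed
    t_p: float = 15.0        # combinational max propagation delay (databook); minimum taken as 0


def tick(p: Timing) -> float:
    """Position of the clock tick within a period [0, t_c)."""
    return p.t_c - p.t_h


def chain_discipline(k: int, p: Timing) -> Dict[str, Interval]:
    """Per-period stable interval of each port along q -> g1 -> ... -> gk.

    q may change until t_pseq after the previous tick (at -t_h) and cannot change
    again before t_pminseq after the next tick.  Each gate may add up to t_p to the
    settling time; having minimum delay 0 it adds nothing to the end of the stable
    interval.  Intervals are clipped to the period, so an upper end of t_c means
    "stable up to the end of the period"."""
    lo = p.t_pseq - p.t_h
    hi = min(p.t_c, tick(p) + p.t_pminseq)
    ports: Dict[str, Interval] = {"q": (lo, hi)}
    for i in range(1, k + 1):
        lo += p.t_p
        ports[f"g{i}"] = (lo, hi)
    return ports


def meets_setup_hold(k: int, p: Timing) -> bool:
    """Does the signal reaching the next D-type's d input after k gates stay
    constant from t_su before the tick until t_h after it?"""
    lo, hi = list(chain_discipline(k, p).values())[-1]
    setup_ok = lo <= tick(p) - p.t_su   # settled t_su before the tick
    hold_ok = hi >= p.t_c               # still stable t_h after the tick, i.e. to period end
    return setup_ok and hold_ok


def max_depth(p: Timing) -> Optional[int]:
    """Largest number K of gates for which setup and hold are met, or None if even
    a direct q -> d connection fails (as it does when t_pminseq < t_h)."""
    if p.t_p <= 0:
        raise ValueError("combinational max delay must be positive")
    if not meets_setup_hold(0, p):
        return None
    k = 0
    while meets_setup_hold(k + 1, p):
        k += 1
    return k


if __name__ == "__main__":
    p = Timing()
    print("K =", max_depth(p))
    for port, (lo, hi) in chain_discipline(max_depth(p), p).items():
        print(f"{port}: stable on ({lo:g}, {hi:g})")
```

With the databook values the chain admits K = 3 gates, the value used in the example of §10 above: q is stable on (25, 100), g3 on (70, 100), which covers the required (75, 100) at d; a fourth gate pushes the settling time to 85 ns and breaks setup. Dropping the assumed minimum D-type delay to 0 ns makes even k = 0 fail, since q could then change before t_h after the tick; this is exactly why the paper requires t_h ≤ t_pminseq.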
R, a Branching Real Time Model
In order to express timing properties (2) and (3) of primitive components we must use a real time model. We take R to be BR([0, t_c) → V), recalling the definition of BR(·) from §6. Thus R_{io} is again a transition system quotiented by strong bisimulation but now with labels from io → [0, t_c) → V instead of io → V, giving the values on ports at each time in a clock period. It is a hybrid of linear real and discrete branching time. This makes it easy to formalise a clean abstraction result and the required properties of primitive components. It is, however, rather ad-hoc. In principle we would prefer a continuously branching model. We will not make essential use of the reals (although we should note that we do not use induction over time). Using 'small-step' discrete time, with many units per clock cycle, would make little difference to the results given here although it would be more awkward to relate to yet more concrete models. We say what it means for transitions U, V : io → [0, t_c) → V to obey a timing discipline σ on certain ports j ⊆ io, be equal on j and be abstractly equal on j:
Definition U obeys σ on j, written U↓_j^σ, if there exists some abs_j^σ(U) : j → V such that ∀c ∈ j. ∀t ∈ σ(c). U(c)(t) = abs_j^σ(U)(c).
Abstraction from R to B
An abstraction relation between R and B must satisfy two criteria: it must be reasonably strong, to enable us to make interesting predictions about the behaviour of a circuit from ⟦c⟧_B, and the abstraction result must be derivable from physically plausible assumptions on primitive components. In the first subsection we define a relation <_σ between R and B, parameterised by a timing discipline σ. The relation < between R and B, for which we shall give an abstraction result, is defined in terms of <_σ and a notion of a 'reasonable' timing discipline. An alternative characterization of <_σ is given using a partial equivalence relation =_σ over R and a function abs_σ(·) from R to B. In the second subsection we briefly consider a linear real time model LR, giving some linear time consequences of <_σ. In the last two subsections we give an interpretation of the refined types in R, formalising some plausible timing properties of primitives, and prove an abstraction result along < that depends on them.
Abstraction Relations
The relation <_σ is defined as follows. We therefore pick out a large class of timing disciplines and define the abstraction relation < as the union over these of <_σ.
Consider the (pathological) timing disciplines depicted below for sort ⟨ã, b̃⟩ (diagrams not reproduced here). The left is unreasonable in that the input signal is not realisable: there is insufficient switching time allowed. The right is unreasonable in that the output signal is not observable: it is not required to stay constant for long enough to observe.

… ⟹ (∀t' ∈ (t + t_p, t''). b̃(t') = f(ṽ)).

Definition A signal a : ℝ_{≥0} → V obeys a timing discipline σ if it is constant within σ(a) in all clock periods, i.e. if there is some function f : ℕ → V such that ∀n ∈ ℕ. ∀t ∈ ℝ_{≥0}. t − n t_c ∈ σ(a) ⟹ a(t) = f(n). When it exists, f will be unique and denoted abs_σ(a).
These seem, however, to be too weak to obtain a useful abstraction result, for example one based on the following linear time analogue of <_σ.
Definition Suppose P ∈ LR_{io} and Q ∈ L_{io}, i.e. P ⊆ io → ℝ_{≥0} → V and Q ⊆ io → ℕ → V. We say P <_lin^σ Q iff:

1. ∀ab : io → ℝ_{≥0} → V. (a obeys σ ∧ P(ab)) ⟹ b obeys σ.
2. ∀a : i → ℝ_{≥0} → V. ∀β : o → ℕ → V. a obeys σ ⟹ ((∃b. P(ab) ∧ abs_σ(b) = β ∧ b obeys σ) ⟺ Q(abs_σ(a) β)).

Proposition 13 If s ∈ R_{io} and t ∈ B_{io} then s <_σ t implies itr(s) <_lin^σ itr(t).
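As an added illustration (not part of the original paper), the following Python computes abs_σ(a), as defined above, for a piecewise-constant signal a and a single open interval σ(a), returning None when a fails to obey σ in some clock period. Checking constancy on an open interval reduces to checking that no breakpoint of the trace falls strictly inside it, which is what makes the definition decidable on such traces. The traces, the choice σ(q) = (25, 100) and t_c = 100 ns are constructed for illustration.

```python
"""abs_σ: from a real-time signal to a discrete-time one.  A signal a obeys a
timing discipline σ if it is constant on σ(a) in every clock period; abs_σ(a)(n)
is the constant value in period n.

Signals are piecewise-constant traces: sorted (time, value) breakpoints, each
value holding from its time until the next breakpoint.  Times in ns."""
from typing import List, Optional, Sequence, Tuple

Trace = Sequence[Tuple[float, bool]]
Interval = Tuple[float, float]  # σ(a): open sub-interval (lo, hi) of [0, t_c)


def value_at(trace: Trace, t: float) -> bool:
    """Value of a trace at time t: that of the last breakpoint at or before t."""
    v = trace[0][1]
    for t0, x in trace:
        if t0 <= t:
            v = x
        else:
            break
    return v


def abs_sigma(a: Trace, sigma: Interval, t_c: float, periods: int) -> Optional[List[bool]]:
    """abs_σ(a) over the first `periods` clock periods, or None if a does not obey σ.

    In period n the signal must be constant on (n t_c + lo, n t_c + hi).  A
    piecewise-constant trace is constant there exactly when none of its
    breakpoints lies strictly inside; the constant is then the value at the left
    end (a breakpoint at exactly n t_c + lo is allowed, the interval being open)."""
    lo, hi = sigma
    f: List[bool] = []
    for n in range(periods):
        start, end = n * t_c + lo, n * t_c + hi
        if any(start < t < end for t, _ in a):
            return None
        f.append(value_at(a, start))
    return f


def obeys(a: Trace, sigma: Interval, t_c: float, periods: int) -> bool:
    return abs_sigma(a, sigma, t_c, periods) is not None


# Constructed traces for a D-type output with σ(q) = (25, 100) and t_c = 100:
# the value may change only during the first quarter of each period.
SIGMA_Q: Interval = (25.0, 100.0)
T_C = 100.0
Q_OK = [(0, False), (10, True), (115, False), (205, True)]   # changes 10, 15, 5 ns into periods
Q_BAD = [(0, False), (10, True), (150, False)]               # change 50 ns into period 1
Q_EDGE = [(0, False), (25, True)]                            # change exactly at the open end

if __name__ == "__main__":
    print(abs_sigma(Q_OK, SIGMA_Q, T_C, 3))    # [True, False, True]
    print(abs_sigma(Q_BAD, SIGMA_Q, T_C, 3))   # None
    print(abs_sigma(Q_EDGE, SIGMA_Q, T_C, 1))  # [True]
```

The function realises exactly the uniqueness claim of the definition: whenever the constancy condition holds, the value in each period is forced, so abs_σ(a) is a single sequence rather than a choice.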
The author initially attempted to give a good abstraction result between LR and L. It turned out to be much more natural to formalise the required real-time properties of components in R rather than in LR.
Interpretation of Re ned Types in R
For an abstraction result along <_σ we need to find conditions on the real time behaviours of circuits (i.e., an interpretation of the refined types in R) under which <_σ is a congruence for (refined-typable) parallel composition. Equivalently, by Proposition 12, under which =_σ and abs_σ(·) are congruences. There are two problems. Firstly, consider a composition of circuits with external inputs a, a', internal ports c, c' and outputs b, b' (figure not reproduced here). For its real time model to satisfy the first clause of the definition of <_σ we must show that, if σ is obeyed during a clock period on a and a', then σ must be obeyed on b and b'. However, from the first clause of the definition applied to the subcircuits we cannot infer that σ is obeyed on c and c'.
(See Lemma 22, Corollary 23 and Corollary 24 in Appendix A.) This is an amplification of the second sentence of property (3), generalised to arbitrary circuits. In the rest of this subsection we make these precise, giving an interpretation of the refined types in the branching real time model R. We first state the properties for a single clock period and fixed timing discipline σ. We then define a modified form of bisimulation, strengthening = by incorporating these properties at every clock period. This will be a congruence for parallel composition. Clauses 1 and 2 formalize properties (4) and (5) respectively. Clause 3 ensures that inhabitation of refined types will be preserved by all transitions that obey the timing discipline.
The interpretation of refined types in R and the relation ≈_T, which will turn out to be a partial equivalence relation, used above must be defined simultaneously. We need a partial equivalence which is finer than the bisimulation = defined above and also preserves refined types.

Definition If ≈ is a relation on R_{io}, T ⊆ i × o and s, s' ∈ R_{io} then s G_{T,σ}(≈) s' iff 1. s F(≈) s' and 2. s, s' both inhabit 1-step type T for σ.

Definition ≈_T is the greatest fixed point of G_{T,σ}.

Proposition 14 ≈_T is well defined and is a partial equivalence relation containing all pre-fixed points of G_{T,σ}.
These relations are congruences for parallel composition in the following sense. 
Abstraction Result
The following proposition is used only implicitly, within the proof of the abstraction result. We state it anyway. It then suffices to note that, by Propositions 7 and 9, <_σ ⊆ <. □
This can be composed with the earlier result to give an abstraction from the real branching time model to the discrete linear time model.

(part of property (3)) might not be expected to hold exactly in a real time/voltage model. More subtle formalised properties than our interpretations of refined types would then be needed for an abstraction result. It is not clear whether the proof of this result could follow the same form as the one given, particularly for the analogue of (the key) Proposition 15.
The model R is rather ad-hoc. The hybrid of linear real time (in each clock cycle) and branching discrete time (with branching only at the ends of clock cycles) was chosen to simplify the statement and proof of the abstraction result. We would prefer a model that allows branching at all times. The circuits considered have been extremely simple and the primitive components rather complex (and not heavily used in current VLSI design).

We conclude by mentioning some related work, pointing out some differences without attempting a full survey or discussion. In [Win87] Winskel considers abstraction between two models of the steady state behaviour of transistors. An abstraction result is given in terms of an adjunction between partial orders of specifications. Related work is presented in [Mel93, Chapter 7], where Melham shows that for circuits satisfying a design rule Wb (defined inductively on circuits but also using the more concrete semantic function) two steady state transistor models agree. When we get to more concrete timed models, such as the R defined here, it is not clear what a good class of specifications of circuits should be. It seems more straightforward, therefore, to work only with the models of circuits, whose significance is given by abstraction results along particular relations, as we have done.

In [Her88, Her89] Herbert takes a linear small-step discrete time model and considers the implementation of certain flip-flops using gates. The timing properties of components differ from those expressed by inhabitation of refined types: the latter are composable, even for cyclic networks of sequential primitives, but would not suffice to show correctness of a flip-flop implementation using combinational primitives. Related work by Hanna and Daeche is presented in [HD86], where the authors consider a specification of a D-type flip-flop and show that it can be implemented using NAND gates.
The D-type specification seems to be similar to the linear real time models. This allows a property of 'non-zero delay' to be stated. It would be interesting to have a precise connection between this and the inhabitation of types in B.
In [Han94] Hanna considers the steady state analogue behaviour of devices, giving a verification of a transistor implementation of a Not gate. He also mentions the possibility of proving design rules correct. This notion of correctness is given in terms of the commutation of certain behavioural abstraction and structure reification functions. The proof of Theorem 3 essentially shows such a result, where the behavioural abstraction function is the abs_σ(·) : R → B defined in §12.1 and the structure reification function is the identity (we have considered analogue and digital behaviour of a single representation of circuit structure).
A Deferred Proofs
This appendix contains the proofs of propositions required for the abstraction from R to B. It is divided into two parts. The first contains composability results for 1-step types and so also for the relations ≈_T, giving a proof of Proposition 15. This is the larger part of the formalisation in R of the informal timing reasoning. The second contains the remainder: the proofs that the various coinductive relations used are well defined, results about the timing disciplines associated with refined types, the characterisation of <_σ using =_σ and abs_σ(·), and the relationship between <_σ and <_lin^σ.
A.1 Proofs of 1-step type composability results
In order to prove Proposition 15 (the composition result for the interpretation of refined types in the real time model) it is convenient to use slightly more abstract definitions.
In this subsection we take an arbitrary set V of values and a branching time model S ≝ BR(V). We suppose that for each port name a ∈ N there is a partial equivalence relation ≃_a over V. This is lifted to functions from sets of ports to values as follows. If A, B, C ⊆ N and U : A → V,
In each case if the subscript is omitted (and A = B) then it is taken to be A. 
