Introduction
The complexity of electronic systems is rapidly reaching a point where it will be impossible to verify correctness of the design without introducing a verification-aware discipline in the design process.
Even though computers and design tools have made important advances, the use of these tools in the commonly practiced design methodology is not enough to address the design correctness problem, since verification is almost always an afterthought in the mind of the designer. A design methodology should on one hand put to good use all techniques and methods developed thus far for verification, from formal verification to simulation, from visualization to timing analysis, but should also have specific conceptual devices for dealing with correctness in the face of complexity, such as:
• Formalization, which consists of capturing the design and its specification in an unambiguous, formal "language" with precise semantics.
• Abstraction, which eliminates details that are of no importance when checking whether a design satisfies a particular property.
• Decomposition, which consists of breaking the design at a given level of the hierarchy into components that can be designed and verified almost independently.
These mechanisms can be applied to different classes of designs: from embedded controllers to computers, from microprocessors to digital-to-analog converters. They are not only useful in the verification process but also in the design process per se, making verification itself unnecessary in some cases.
For example, formalization of the design specifications is required for formal verification, but it also helps in design transfer between different organizations, eliminating the risk of losing knowledge about the design and its specifications, thus making verification before and after the transfer unnecessary. We argue that almost all advances in verification stem from the application of these three basic concepts. However, the application of each of these principles has been performed at localized levels of the design hierarchy, leading to a plethora of models, where each tool assumes a different model. Maintaining coordination and consistency of these multiple models has rightly become a designer's nightmare. This paper is organized as follows: in Section 2 we will review the available verification tools. In Section 3, formalization will be investigated in several contexts. In Section 4, abstraction will be presented with a set of examples. In Section 5, decomposition will be introduced. Finally, in Section 6, a design methodology that includes all these aspects will be proposed.
CAD Tools for Verification
Traditionally verification has been carried out by reproducing the behavior of the design with an approximate implementation, a prototype, of the design, or with mathematical techniques involving the construction of a model and running a computer simulation. Virtual or real measurements were taken to assess the quality of the design.

* University of California, Berkeley, CA. † Cadence Berkeley Laboratories, Berkeley, CA. ‡ Cadence Berkeley Laboratories, Berkeley, CA.
33rd Design Automation Conference. Permission to make digital/hard copy of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage, the copyright notice, the title of the publication and its date appear, and notice is given that copying is by permission of ACM, Inc. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. DAC 96, 06/96 Las Vegas, NV, USA. © 1996 ACM 0-89791-779-0/96/0006..$3.50
Simulation is applied at all levels of a design: an incomplete list of simulators at various levels includes circuit simulation (e.g. Spice), switch and transistor level simulation (e.g. COSMOS [?]), gate level simulation (e.g. Verilog-XL), register transfer level simulation (e.g. Verilog-XL) and behavioral or system level simulation (e.g. Ptolemy [7]).
In both simulation and emulation, the correctness of the design is asserted only with respect to the inputs provided by the environment or by its model, and with respect to the measurements chosen by the designer.
In a more formal approach to design, as we advocate in the next section, the set of properties and performance indices are explicitly expressed. Sometimes these properties may be verified by setting up a comprehensive set of experiments or simulation runs; other times it is impossible to have a reasonable confidence that the experiments yield the appropriate answer. Properties such as absence of deadlock and fair access to resources, to be verified for communicating processes, require a formal approach to verification. Formal verification is an approach that has been explored for the past 20 years, but the level of attention paid by the design community has been raised only recently.
The categories of tools that provide formal proofs of correctness, and a counter-example in the case of an error, are as follows: Equivalence checking, where a combinational logic level design is compared against another design for functional equivalence; Language containment and model checking, where the system is described as a collection of FSMs and the property to be verified is specified as an automaton and a temporal logic formula, respectively; and Theorem proving, where the verification problem is stated as a theorem and a set of axioms (built-in or user-specified) is used to construct a proof of the theorem by proving a set of intermediate results.
Formalization
By a formal model of a design, we mean a model with precise, unambiguous semantics. Formalization is critical: without a formal model of a design, the very meaning of "verification" becomes fuzzy and problematic.
There is a broad range of potential formalizations of a design, but most tools and designers describe the behavior of a design as a relation between a set of inputs and a set of outputs. The relation may be informal, even expressed in natural language. It is easy to find examples where informal specifications result in unnecessary redesigns! In our opinion, a formal model of a design should consist of the following components:
• A set of explicit or implicit equations which involve input, output and possibly internal (state) variables.
• A set of properties that the design must satisfy, given as a set of equations over design variables (inputs, outputs, states).
• A set of performance indices which evaluate the quality of the design in terms of cost, reliability, speed, size, etc., given as a set of equations involving design variables.
Note that there are cases where one or more of the sets described above may not be given or may be implicitly stated, although we do not advocate this practice. Such formalisms have strong advantages. First and foremost, virtually all come with an algebra, permitting to manipulate the design precisely. With a formal model, the effect of an operation or transformation on a design is always well defined. The transitions along the design flow can be smooth and with few or no special conditions that are design-dependent. At every stage of the design flow, one can also argue about the correctness of the intermediate result or final implementation because of the existence of this underlying formal model. Second, the division into equalities and inequalities neatly separates verification and optimization problems. Finally, the notions of abstraction and decomposition have precise, easy-to-understand definitions over systems of equations.
However, formally describing a design is not enough to set the stage for a correct verification process. Any design is part of a larger system. The interface between the design and its environment is through input and output signals. Hence, to verify the behavior of the design a model of the environment must be given. The environment defines the input domain. Often, the environment is not known precisely. Thus, the model may often be given in terms of distributions over intervals or of stochastic equations. Often, verification fails to give correct answers when the model of the environment has not been precisely defined.
We can now summarize our discussion with the following statement:
The formalization of a system composed of a design and its environment consists of a closed system of equations and inequalities over some algebra.
In the following subsections, we supply some examples of formalisms. Our analysis will progress from more detailed representations to more abstract ones.
Continuous waveforms and differential equations
When the design is at the transistor level, often the properties to be verified involve the precise knowledge of the current and voltage waveforms. In this case, the appropriate representation for the design variables is a continuous function over time.
The design equations are given as a set of ordinary differential equations which combine the input-output relationships for each device with the interconnection equations. Note that the input-output relationships in this case are defined implicitly by the circuit equations. The input-output behavior is obtained by solving numerically the set of differential equations. (This is what a circuit simulator such as Spice does.) The properties could be expressed as an inequality which should be satisfied over a time interval of interest. In this case the environment is modeled by the input waveforms. Often the environment interferes with the intended behavior of the system through noise. Noise is then an input that may be described in terms of stochastic differential equations.
Discrete waveforms and wave equations
The discrete waveform formalism is intended to retain the precision over the time domain of the continuous formalism while relaxing the range to a discrete set. It arose in attempting to formalize the delay models in hardware description languages and, simultaneously, in efforts to solve the so-called false path problem in timing analysis. Until this formalism was devised in the early 1990's, a variety of crude formalisms had been used to capture the notion of time, and, in particular, the interaction of timing and function for the purposes of timing analysis. These were usually some combination of Boolean algebra and graph-theoretic concepts, and were generally fairly unsatisfactory. Both standard Boolean algebra and graph-theoretic approaches to timing may be viewed as approximations to this general theory.
The primitive objects in the waveform formalism are discrete signals, which are total functions from continuous time onto a finite lattice which obey a quasi-continuity property: a signal can't change values without first going through the "uncertain" value.
The operators on the discrete waveform space are any functionals which take in one or more discrete signals and produce a discrete signal. A simple gate in a technology library is an example of such a functional. The Boolean function of the gate, together with its associated delay model, forms an evaluation rule on wave space, or, put more simply, it tells how this gate takes waveforms on its input pins and produces a waveform on its output pin.
Since the waveforms are static (though infinite) objects, algebraic operations over waveforms are well-defined; since the gate delay model plays the role in this algebra of an operator, it is an algebra effectively parameterized by the delay model; hence it can be used with a variety of delay models.
Though the wave algebra was only formalized quite recently [15], it has been implicit in a number of tools for some time. Though the semantics of most hardware description languages are difficult to capture in either an equational or denotational sense, the "hardware subset" of most HDL's is pretty much defined over a space of waveforms. Augustin [1] first devised an approximation to general discrete waveform theory to analyze the timing models of VAL and VHDL.
Binary and multi-valued logic variables and Boolean equations
When time is neglected and switch-level logic is not considered, signals can be represented with static variables that take values on a discrete set. In particular, two-valued variables have been the cornerstone of digital design. On two-valued variables, the input-output relationship of each gate can be represented as a Boolean equation.
The Boolean equation formalization is critical because it is the formalism with which we have the most experience. Thirty years of intensive algorithm development have given us good tools for logic synthesis (finding a smallest set of equations equivalent to a given set), equation solution (find an input vector such that all the equations are satisfied), and equation evaluation (evaluate a given set of Boolean equations very quickly). For this reason, Boolean equations are the very heart of modern synthesis, verification, and simulation technologies, and casting a problem as a system of Boolean equations is a major step in solving it.
However, Boolean algebra is not restricted to operate on binary variables. For fifteen years multi-valued logic technology has been developed into a high art, and most of the familiar two-valued logic technologies are easily extended to multi-valued logic. Logic synthesis technology, binary decision diagrams, and rapid function evaluation technology are examples of those technologies which translate easily from the binary to the multi-valued domain. For this reason, two-valued logic signals are now regarded as encoding multi-valued signals.
System Representations
Designs should be entered into a formal framework, possibly supported by tools, as early as possible in the design process. Formalization at the system level is crucial for real advances in verification. The terminology "system" means different things for different people; here we consider the notion of an electronic system embedded in an environment to which the system has to react with some constraints on the time of response. Embedded real-time reactive systems are in this category. Such electronic systems contain several components, from sensors to data-processing subsystems, from analog circuitry to actuators. Most of them are implemented using a set of existing programmable components such as DSPs and micro-controllers. In this case an implementation is a combination of hardware and software components, where the software components "customize" the standard programmable parts for the application. The richness of implementation choices makes the use of a unified model for a "system" almost impossible today. Hence, an unambiguous representation has to reflect the heterogeneity of the components of the design as well as the fact that these components interact among themselves in many different ways. Hence, at the system level of abstraction a design and its environment can be represented as a set of communicating entities that may or may not be based on the same model of computation. A definition of this concept is given in [?].
Note that non-destructive read is generally asynchronous, and implies a buffer with a single cell (the shared variable). The standard distinctions between uni-directional and bi-directional communication, as well as between point-to-point and broadcast, are also useful for classification purposes. The Ptolemy environment was the first to allow the simulation of process networks with heterogeneous entities [7].
Two sets of node models are of particular interest in system design: a control-dominated class based on Finite State Machines (FSMs) and a data-oriented class based on data-flow networks. FSMs in their classical form are not Turing equivalent and hence questions about their behaviors are decidable. However, data manipulations are not easily described. Data-flow representations in their classical form are Turing equivalent, but there are useful restrictions of the model (e.g., synchronous data-flow) which are not. They are most useful in describing data manipulations.
Communicating FSMs
An FSM is a process whose input/output function can be computed by a finite automaton. The edges of the automaton are labeled with input/output data pairs. A network of FSMs uses broadcast synchronous non-blocking communication among the FSMs.
Esterel [3] is a synchronous language whose semantics is based on FSMs, and it is of particular interest since it is among the few system-level languages that have unambiguous semantics. The synchronous hypothesis, common to all synchronous languages (Lustre and Signal also belong to the class of synchronous languages), states that time is a sequence of instants, between which nothing interesting occurs. In each instant, some events occur in the environment, and a reaction is computed instantly by the modeled system. This means that computation and internal communication take no time. This hypothesis is very convenient, because it allows modeling the complete system as a single FSM. This has the advantage that the behavior is totally predictable, because there is no problem of synchronizing or interleaving concurrent processes.
Like all FSM-based control-dominated models, data manipulation cannot be done very naturally. Also, having a synchronous model makes it hard to specify components of a system that operate at different rates. Hence Esterel by itself can only be used for process level modeling, while the system level modeling of asynchronous communicating processes should be done using another formalism. The perfect synchrony hypothesis simplifies the design process, but also forces the timing constraints to be specified outside Esterel.
Petri nets and data-flow networks
A Petri net is a flat hierarchy. Nodes (usually called "transitions") "fire" by reading from each input and writing to each output. Communication is asynchronous, with infinite buffers (usually called "places"), with blocking read and non-blocking write. In the pure Petri net model no value is transferred by communications, the only significant information being the possible transition firing sequences.
A data-flow network is similar to a Petri net, but each communication can transfer a value (e.g., integer or Boolean), and buffers have FIFO semantics. Little or no restriction is posed on the function computed by each leaf node in response to a set of communications on its input edges, apart from terminating in finite time. Note that due to the blocking read communication a node cannot test an input buffer for emptiness. Nonetheless, nodes can decide from which input(s) and to which output(s) communications will be performed. The main result concerning data-flow networks, which is directly connected with the blocking read communication mechanism, is their determinacy. This means that the sequence of output values at each node does not depend on the order in which nodes are selected to execute computations and communications, as long as the order does not cause deadlock (e.g., by scheduling a process when one of the buffers it will read from is empty) or starvation (e.g., by never scheduling a process with non-empty input buffers).
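The determinacy result above, as an added example that is not code from the paper: a small data-flow network (FIFO edges, blocking reads, non-blocking writes) is run under three different scheduling policies, and the output token sequence is the same for all of them while the firing order differs. The network, the token streams and the node functions are constructed for this example.

```python
"""Determinacy of a data-flow network under different schedules (added example).
Edges are unbounded FIFOs; a node fires only when every input FIFO is non-empty
(blocking read) and never blocks on a write.  The output sequence is the same
for every schedule that causes neither deadlock nor starvation."""
from collections import deque
import random


class Node:
    """Leaf node: consumes one token from each input edge per firing and appends
    the values returned by `func` to its output edges.  Nodes may keep state."""

    def __init__(self, name, inputs, outputs, func):
        self.name, self.inputs, self.outputs, self.func = name, inputs, outputs, func


def build_network(stream_a, stream_b):
    """Constructed network: add -> scale -> accumulate.  The environment is
    modelled by pre-filling the two source edges with finite token streams."""
    total = [0]  # accumulator state, private to this network instance

    def accumulate(x):
        total[0] += x
        return (total[0],)

    nodes = [
        Node("add", ["ea", "eb"], ["es"], lambda a, b: (a + b,)),
        Node("scale", ["es"], ["ed"], lambda s: (2 * s,)),
        Node("acc", ["ed"], ["eo"], accumulate),
    ]
    edges = {e: deque() for e in ("ea", "eb", "es", "ed", "eo")}
    edges["ea"].extend(stream_a)
    edges["eb"].extend(stream_b)
    return nodes, edges


def simulate(nodes, edges, choose):
    """Fire nodes until none is ready; `choose(ready)` selects the next firing.
    Returns the firing trace and the tokens left on each edge.  Tokens left on
    an input edge of a node that never became ready again show where a blocking
    read is stuck (a deadlock in the sense of the text)."""
    trace = []
    while True:
        ready = [n for n in nodes if all(edges[e] for e in n.inputs)]
        if not ready:
            break
        node = choose(ready)
        args = [edges[e].popleft() for e in node.inputs]
        for edge, token in zip(node.outputs, node.func(*args)):
            edges[edge].append(token)
        trace.append(node.name)
    return trace, {e: list(q) for e, q in edges.items()}


def run(choose, stream_a=(1, 2, 3, 4, 5), stream_b=(10, 11, 12, 13, 14)):
    """Build a fresh network, run it under `choose`; return (outputs, trace, leftovers)."""
    nodes, edges = build_network(stream_a, stream_b)
    trace, left = simulate(nodes, edges, choose)
    return left.pop("eo"), trace, left


# Three scheduling policies: always the most downstream ready node, always the
# most upstream one, and a seeded random choice.
SCHEDULES = {
    "downstream_first": lambda ready: ready[-1],
    "upstream_first": lambda ready: ready[0],
    "random": random.Random(42).choice,
}

if __name__ == "__main__":
    for name, policy in SCHEDULES.items():
        out, trace, _ = run(policy)
        print(name, out, "".join(t[0] for t in trace))  # same out, different trace
    out, _, left = run(SCHEDULES["upstream_first"], stream_b=(10, 11, 12))
    print("unbalanced environment:", out, "stuck on ea:", left["ea"])
```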
Abstraction
Abstraction, a most powerful concept, is used in two basic ways: (i) when specifying a design at early stages of the design process, to give only the relevant information; (ii) to hide details that are not necessary to assess a particular behavior of the design.
When specifying a design, an important aspect is to express all that is required and known of the design at the moment. Often, designers are forced to put in more details than needed to be able to run verification tools. This has the unwanted effect of limiting the design space to be explored or of overcomplicating design exploration. Often, several choices are possible at the early stage of a design and we wish to have a model that leaves a place-holder for these options to be selected later. Nondeterminism is the mathematical abstraction that allows this to happen. Nondeterminism in an FSM setting implies that more than one transition may be taken under the same input. Removing nondeterminism means that the transition relation of the FSM is refined to eliminate the presence of multiple transitions under the same input pattern. This refinement concept is the cornerstone of a design methodology that proceeds from a more abstract model of the design to a more detailed one until an implementation is obtained [?]. Formal verification tools handle nondeterminism so that properties verified on the nondeterministic model still hold after the nondeterminism is refined away, thus providing a powerful paradigm for design. Nondeterminism is of great importance to model the environment where the design lives. In this case, nondeterminism reflects the uncertainty about the behavior of the environment. In any verification approach, nondeterministic environment specification is key to obtain a correct answer about the behavior of the system.
When abstraction is used to simplify and speed the verification process on a given model, it is just a simpler model of the design, usually specific to the property to be proved. Abstractions are almost always lossy: there is less information in the abstraction than there is in the original model of the design. If we consider our picture of design as a set of equations and inequalities, then an abstraction is viewed as a simpler set of equations and inequalities, describing the same design.
Abstraction is critical: virtually every verification and synthesis tool relies upon some abstraction. However, abstractions improperly done are a road to disaster. In particular, the abstraction must remain faithful to the property being proved: the property must hold in the actual design if it is shown to hold in the abstracted design.¹ An abstraction that is property-preserving is often said to be conservative or homomorphic with respect to the property.
Here, we give some examples of homomorphic abstractions and their use.
The "Synchronous" Abstraction
The wave model of Section 3 is extraordinarily detailed: the behavior of every signal at every point in time is captured. This is far too detailed for most properties; we cannot prove them over such a detailed model, and almost all of the information is irrelevant anyway. So we assume that the logic will evaluate fast enough that we can treat it as evaluating instantaneously, or atomically (the synchronous hypothesis of Section 3.4.1).
This is the central abstraction that underlies formal verification of systems and the fast functional simulation methods which are currently being introduced by the major CAD vendors, and the emulation methods which have been used for some time. Various vendors will impose further restrictions in clocking methods, for example, but this is more an artifact of the limitations of their tools than any real requirement of the technologies. All that is required is that timing considerations may be neglected. Timing is ignored and the wave space over which the systems are defined is reduced to the space of finite-state machines. Mathematically, this is done by examining all the waveforms of the combinational logic at t = ∞. At this point, the waves are constant and Boolean, and may be abstracted as scalars.
Note that this abstraction is only valid when it can be shown that the logic in a design in fact evaluates fast enough; thus, this abstraction is conditionally homomorphic. A designer who buys a formal verification system, a cycle simulator, or an emulator would be well advised to purchase a good timing verifier in the bargain.
The Functional Abstraction
Hardware emulation systems, most formal verification procedures, and new, highly advanced prototype cycle simulators actually go further than the synchronous abstraction. These tools really don't need to faithfully reproduce the logic between the latches; all they must do is reproduce the logic function of the logic between the latches. Throwing out the logic and replacing it with a more tractable representation is one of the most powerful techniques available to these advanced tools.
The most prominent replacement for the logic network in these functional abstractions is a data structure called the BDD, first devised by S. Akers and brought to high art by R. E. Bryant [5]. BDD's have the property that (up to variable order) they are a canonical form for logic functions, an important consideration for formal verification systems. More recently it has been demonstrated that BDD's offer extremely fast evaluation of logic functions, making them an important tool for cycle simulation.
The Graph Abstraction
In contrast to the synchronous abstraction, the functional information of a network can be deleted; when this is done, one is left with a directed graph of nodes and edges, with weights on the edges; the weights represent the time required for a value to travel down the wire represented by the edge. This is the abstraction taken by first-generation timing analyzers (those on the market today). This abstraction is homomorphic (the outputs of a circuit will certainly stabilize by the time a graph-based timing analyzer says they will) but has been criticized as too conservative. The conservatism of this abstraction is manifested in the so-called "false path problem". Briefly, the implicit assumption in this abstraction is that an event can travel down any path in the circuit; however, inconsistent values on the inputs to the logic nodes on the path may make this impossible.
¹ Note that it is not required that if the property holds in the design then it must hold in the abstraction. While this is desirable, it is not essential: the worst that will happen is that the property will be "proved" false, and the designer will have to investigate this "false negative".
Quantification
An important abstraction in formal verification is projection, or quantification. Briefly, given a system described as a set of equations, and a property to be checked over that system, information about some variables is ignored and the property in question is examined. Physically, the variables in question are often simply deleted from the equations. It is possible to do this so that the abstraction in question is homomorphic, that is, that the property is preserved by the transformation. An extreme example of this abstraction is the Graph Abstraction, given above, where the logic value of every variable is forgotten. Similarly, the conservatism associated with the Graph Abstraction is simply the most visible example of the inherent conservatism associated with the quantification abstraction.
Pioneering work on abstraction was done by Clarke and his colleagues, and by others [12, 11, 10].
Granularity of Time
Though we often discuss time as a continuous variable, in fact it is quantized, at least so far as our mathematics can describe it. More precisely, given any extant model of timing behavior of digital systems, one can demonstrate that time is quantized and that the behavior of systems is constant except at integral boundaries of the quantum.
This does permit us to demonstrate a conservative abstraction of a system: we can increase the quantum of time. We ensure that this abstraction is homomorphic by modeling any signal that changes over a quantum as being an uncertain value over the quantum. This is conservative, since properties examined in a digital system must rely monotonically on the stability of signals. The synchronous abstraction, described above, may be viewed as the logical extension of this abstraction: the time quantum is raised to the level of a cycle.
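The discrete waveform formalism of Section 3.2 and the two abstractions built on it (the synchronous abstraction, i.e. evaluation at t = ∞, and the coarsening of the time quantum just described), as one added example that is not the paper's own code. Signals are functions from time onto the lattice {0, 1, X}; the (dmin, dmax) delay model, the three-valued gate functions and the input waveforms are constructed for the example.

```python
"""Discrete-waveform algebra (added example, not the paper's own code).
A signal is a total function from continuous time onto the lattice {0, 1, X},
where X ('uncertain') sits above 0 and 1.  It is stored as a sorted list of
(time, value) breakpoints; each value holds until the next breakpoint and the
last one holds forever.  Gates are functionals on this wave space parameterised
by a (dmin, dmax) delay model (an assumption of this example)."""

X = "X"  # the 'uncertain' value, top of the lattice


def value_at(sig, t):
    """Value of a waveform at time t (the first breakpoint also covers earlier times)."""
    v = sig[0][1]
    for bt, bv in sig:
        if bt > t:
            break
        v = bv
    return v


def normalize(points):
    """Sort breakpoints by time and drop those that do not change the value."""
    out = []
    for t, v in sorted(points, key=lambda p: p[0]):
        if not out or out[-1][1] != v:
            out.append((t, v))
    return out


def is_quasi_continuous(sig):
    """Quasi-continuity: no direct 0 <-> 1 change; every change passes through X."""
    return all(v0 == v1 or X in (v0, v1) for (_, v0), (_, v1) in zip(sig, sig[1:]))


def join(values):
    """Least upper bound in the lattice: the single agreed value, or X on disagreement."""
    vals = set(values)
    return vals.pop() if len(vals) == 1 else X


def values_on(sig, lo, hi, closed=True):
    """Values a waveform takes on [lo, hi] (closed) or [lo, hi) (half-open)."""
    return [value_at(sig, lo)] + [v for t, v in sig if lo < t < hi or (closed and t == hi)]


# Three-valued gate functions: X propagates unless a controlling value is present.
def and3(*ins): return 0 if 0 in ins else (X if X in ins else 1)
def or3(*ins): return 1 if 1 in ins else (X if X in ins else 0)
def not3(a): return X if a == X else 1 - a


def apply_gate(fn, inputs, dmin, dmax):
    """Evaluation rule of a gate on wave space.  The output at time t is the join of
    the zero-delay output over the window [t - dmax, t - dmin]: an input change is
    visible as X from dmin to dmax later (a pure transport delay when dmin == dmax)."""
    times = sorted({t for sig in inputs for t, _ in sig})
    ideal = normalize([(t, fn(*(value_at(s, t) for s in inputs))) for t in times])
    candidates = {0} | {t + d for t, _ in ideal for d in (dmin, dmax)}
    return normalize([(t, join(values_on(ideal, t - dmax, t - dmin))) for t in candidates])


def coarsen(sig, quantum):
    """Granularity-of-time abstraction: a signal that changes inside a quantum is
    reported as X for that whole quantum, which makes the abstraction conservative."""
    last = sig[-1][0]
    quanta = range(int(last // quantum) + 2)  # one extra quantum so the final value appears
    return normalize([(k * quantum, join(values_on(sig, k * quantum, (k + 1) * quantum, closed=False)))
                      for k in quanta])


def is_conservative(abstract, concrete):
    """Homomorphism check: wherever the abstraction commits to 0 or 1, the concrete
    waveform has that same value."""
    times = {t for t, _ in abstract} | {t for t, _ in concrete}
    return all(value_at(abstract, t) in (X, value_at(concrete, t)) for t in times)


def steady_state(sig):
    """Synchronous abstraction: the waveform evaluated at t = infinity is a scalar."""
    return sig[-1][1]


if __name__ == "__main__":
    a = [(0, 0), (2, X), (3, 1)]   # constructed input: 0, uncertain on [2, 3), then 1
    b = [(0, 1)]                   # constant 1
    out = apply_gate(and3, [a, b], 1, 2)
    print("AND output:", out)                    # [(0, 0), (3, 'X'), (5, 1)]
    print("quantum 4:", coarsen(out, 4))         # [(0, 'X'), (8, 1)]
    print("steady state:", steady_state(out))    # 1
```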
The Power Abstraction
One interesting abstraction that has arisen of late is the power abstraction, which ignores details of the function of a system and computes only its power consumption. Exact power consumption is extraordinarily difficult to compute, since it involves perfect knowledge of the state of every signal in the system at every time. What is worse, average power consumption over millions of cycles is desired, since power supplies cycle in the millisecond range while computers operate in the nanosecond range.
The abstraction used is due to Brodersen and Chandrakasan [9] . Average activity on the I/O pins of a block is computed and multiplied by the capacitance and clock frequency, to obtain the power of a block.
Discussion
Abstraction is essential in a top-down design methodology that progresses through successive refinement of a specification [13]. In this process, refinement is the basic mechanism that maps one level of abstraction into another that is consistent with the previous one. Designers may apply refinement by "hand", and in this case there should be a set of tools that guarantee that the "hand" refinement is indeed a refinement, so that the verification work done at early stages of the design still holds and that the various models of the design are consistent. In order for the abstraction mechanism in simplifying the verification process to be valid, the abstractions must be homomorphic in nature, that is, they must preserve the property to be proved. Thus the nature of abstraction itself imposes verification obligations on the designer and toolset.
Some abstractions must be done manually. For example, as systems grow more complex, it will be infeasible to simulate an entire chip at the gate level, even with highly advanced cycle simulation capabilities. Designers will thus be forced to create abstracted models of their part, similar to a bus-functional model for a microprocessor, such that the simulation of the abstracted models together may be certified as a simulation of the whole chip. Abstraction is thus necessarily tied tightly to decomposition, the subject of the next section.
Decomposition
Decomposition is the process of breaking up a system design into components described at the same level of abstraction. The main goal of decomposition is to allow the design and verification of each component to be performed almost independently of each other. There are varying degrees of independence that can be achieved between the components, depending on the design and verification problem at hand. Some of these are described below to highlight the differences and similarities in decompositions across problem instances.
Timing Analysis
Consider a synchronous sequential logic circuit where each memory element (or latch) is enabled by a single clock. Given a set of initial states on the latches and the maximum delay of each gate, the timing analysis problem is to determine the lowest clock period at which the circuit operates correctly. The problem may be decomposed into two: (1) Determine the set of reachable states in the circuit; (2) Find the latest time at which all the outputs of the combinational logic have reached their final stable value, and at least one vector that causes this condition.
The first problem is solved using standard techniques for reachability analysis in formal verification [16] and logic synthesis [17]. Next, functional timing analysis is invoked using the complement of the reached set as don't cares [15]. Thus, the timing analysis problem on a sequential circuit is decomposed into a functional (timing independent) analysis of the sequential behavior followed by a timing dependent analysis of the combinational behavior.
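The two-step decomposition above, worked through on a constructed circuit as an added example (not code from the paper): step 1 computes the reachable latch states, step 2 computes the latest stabilization time of the combinational logic over reached states only, and both are compared with the topological longest path of the graph abstraction of Section 4.3. The netlist, the floating-mode delay model used in `evaluate` and the unit gate delays are assumptions of this example.

```python
"""Decomposed timing analysis of a small synchronous circuit (added example,
not code from the paper).  Step 1: functional reachability analysis of the
latch states.  Step 2: timing analysis of the combinational logic restricted
to the reached states, compared with the topological longest path of the
graph abstraction, which ignores logic values altogether."""
from itertools import product

# Constructed netlist in topological order: net -> (gate, delay, input nets).
# Primary input 'a' and latch outputs 's1', 's2' are stable at t = 0.
NETLIST = {
    "p":    ("NOT", 1, ("a",)),
    "q":    ("AND", 1, ("p", "s1")),
    "r":    ("AND", 1, ("q", "s2")),      # observed output of the combinational logic
    "ns1_": ("NOT", 1, ("s1",)),
    "ns1":  ("AND", 1, ("a", "ns1_")),    # next state of s1 = a AND NOT s1
    "ns2":  ("BUF", 1, ("s1",)),          # next state of s2 = s1
}
INPUTS = ("a",)
LATCHES = (("s1", "ns1"), ("s2", "ns2"))  # (present-state net, next-state net)
CONTROLLING = {"AND": 0, "OR": 1}


def evaluate(vector):
    """Floating-mode evaluation (assumed delay model): returns {net: (value, stable_time)}.
    An AND/OR output is stable as soon as its earliest controlling input is stable;
    otherwise only once all of its inputs are stable.  Every gate adds its delay."""
    nets = {name: (val, 0) for name, val in vector.items()}
    for name, (gate, delay, ins) in NETLIST.items():
        vals = [nets[i] for i in ins]
        if gate == "NOT":
            v, t = 1 - vals[0][0], vals[0][1]
        elif gate == "BUF":
            v, t = vals[0]
        else:
            ctrl = CONTROLLING[gate]
            ctrl_times = [t for val, t in vals if val == ctrl]
            if ctrl_times:
                v, t = ctrl, min(ctrl_times)
            else:
                v, t = 1 - ctrl, max(t for _, t in vals)
        nets[name] = (v, t + delay)
    return nets


def vectors(states):
    """All (latch state, primary input) assignments as net -> value dicts."""
    present = [ps for ps, _ in LATCHES]
    for state in states:
        for inp in product((0, 1), repeat=len(INPUTS)):
            yield {**dict(zip(INPUTS, inp)), **dict(zip(present, state))}


def reachable_states(initial=(0, 0)):
    """Step 1: reachability over the latch state space from the initial state."""
    seen, frontier = {initial}, [initial]
    while frontier:
        state = frontier.pop()
        for vec in vectors([state]):
            nets = evaluate(vec)
            nxt = tuple(nets[ns][0] for _, ns in LATCHES)
            if nxt not in seen:
                seen.add(nxt)
                frontier.append(nxt)
    return seen


def max_delay(output, states):
    """Step 2: latest stabilization time of `output` over the given states, with a
    witness vector.  Passing only the reached states treats the unreached ones as
    don't cares of the timing problem."""
    best = (-1, None)
    for vec in vectors(states):
        t = evaluate(vec)[output][1]
        if t > best[0]:
            best = (t, vec)
    return best


def topological_delay(net):
    """Graph abstraction: longest weighted path to `net`, ignoring logic values."""
    if net not in NETLIST:
        return 0
    _, delay, ins = NETLIST[net]
    return delay + max(topological_delay(i) for i in ins)


if __name__ == "__main__":
    all_states = set(product((0, 1), repeat=len(LATCHES)))
    reached = reachable_states()
    print("reachable latch states:", sorted(reached), "of", len(all_states))  # 3 of 4
    print("topological delay of r:", topological_delay("r"))                  # 3
    print("functional delay, all states:", max_delay("r", all_states)[0])      # 3
    print("functional delay, reached states:", max_delay("r", reached)[0])     # 2
```

The 3-unit path through p, q and r is only exercised when both latches hold 1, a state the next-state logic never reaches, so the clock period derived from the reached states alone is one unit shorter than what the graph abstraction reports.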
Combinational Equivalence Checking
The problem of equality checking of Boolean functions can be solved by comparing the BDD's for the functions, built using an initial multi-level description of the functions. An alternate scheme is to use a satisfiability or test generation program (based on classical branch and bound search techniques) to determine if the functions are different. Both techniques have limited applicability, and the range of examples on which the techniques can be applied can be significantly increased by using a divide and conquer approach.
Suppose that functions F(a, b, c, X, Y) and G(a, b, c, P, Q) are to be compared; a, b and c are primary inputs and X, Y, P and Q are functions over a, b, and c. The approach in [4] attempts to replace the occurrence of the logic computing the sub-function X by that for P. This replacement is correct if no difference between the functions X and P can be observed at the output of F. This check is performed by first introducing an XOR gate between X and all its fanout; the other input of the XOR gate is connected to P. If the stuck-0 fault on the output of the XOR gate is untestable at the output of F, P is a safe replacement for X. Repeating this process from inputs towards outputs leads to F having more and more of its circuit replaced by parts of G.
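One replacement step of the scheme above, as an added example that is not the paper's or [4]'s code. The stuck-at-0 fault on the inserted XOR is testable exactly when some input vector makes X and P differ and also makes that difference visible at F's output; the example performs that check exhaustively over the three primary inputs (a SAT or ATPG engine would do the same symbolically). The functions F, X, Y, P and Q are constructed for the example.

```python
"""Safe sub-function replacement for combinational equivalence checking
(added example).  A candidate P may replace X inside F when no input vector
both makes X != P and lets that difference reach F's output, i.e. when the
stuck-at-0 fault on XOR(X, P) is untestable at F's output."""
from itertools import product


# Constructed sub-functions over the primary inputs a, b, c.
def X(a, b, c): return a & b
def P(a, b, c): return a & b & c       # differs from X only when a = b = 1, c = 0
def Y(a, b, c): return a | c
def Q(a, b, c): return a | b           # differs from Y when (a, b, c) in {(0,0,1), (0,1,0)}


def F(a, b, c, x, y):
    """Outer function: sub-function x is observed only when c = 1, y only when c = 0."""
    return (x & c) | (y & (1 - c))


INPUT_VECTORS = list(product((0, 1), repeat=3))
SUBS_F = {"x": X, "y": Y}  # F's own sub-functions, keyed by F's parameter names


def difference_vectors(sub, candidate):
    """Vectors on which the two sub-functions disagree (the XOR output would be 1)."""
    return [v for v in INPUT_VECTORS if sub(*v) != candidate(*v)]


def fault_tests(outer, subs, name, candidate):
    """Test vectors for the stuck-at-0 fault on the XOR output: vectors on which
    substituting `candidate` for subs[name] changes `outer`.  An empty list means
    the fault is untestable and the candidate is a safe replacement."""
    tests = []
    for v in INPUT_VECTORS:
        good = {k: f(*v) for k, f in subs.items()}
        bad = dict(good, **{name: candidate(*v)})
        if outer(*v, **good) != outer(*v, **bad):
            tests.append(v)
    return tests


def safe_replacement(outer, subs, name, candidate):
    return not fault_tests(outer, subs, name, candidate)


def equivalent(outer, subs_f, subs_g):
    """Brute-force reference: `outer` with its own sub-functions vs. with G's."""
    return all(outer(*v, **{k: f(*v) for k, f in subs_f.items()})
               == outer(*v, **{k: f(*v) for k, f in subs_g.items()})
               for v in INPUT_VECTORS)


if __name__ == "__main__":
    print("X vs P differ on", difference_vectors(X, P))            # [(1, 1, 0)]
    print("tests for X->P:", fault_tests(F, SUBS_F, "x", P))       # [] -> safe
    print("Y vs Q differ on", difference_vectors(Y, Q))            # [(0, 0, 1), (0, 1, 0)]
    print("tests for Y->Q:", fault_tests(F, SUBS_F, "y", Q))       # [(0, 1, 0)] -> unsafe
```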
Finite State Machines
Most complex designs have compact representations when expressed as a set of intercommunicating processes. For example, communication protocols and embedded systems are often expressed as a set of communicating FSMs. When properties are formally checked against this description, both language containment and model checking require the FSMs to be composed into a single one. Since the number of states of the composition is bounded by the product of the numbers of states of the FSMs in the decomposed representation, we often run into the state explosion problem.
Keeping the representation compact is key to making formal verification applicable. One approach [10] is to automatically extract from each component machine, through abstraction, only the behavior relevant to the verification of the given property, and to compose these extracted subcomponents so as to represent only the part of the behavior of the entire system needed to verify the property. This approach is powerful when the properties to be verified are local, i.e., involve only variables that belong to a single FSM. Decomposition is then accomplished when properties are either given in local form or decomposed into a set of local properties. In [2], an embedded control application in automotive electronics (a shock absorber automatic setting system) is expressed as a set of interacting FSMs, and the properties to be verified are successively reformulated and decomposed until they are localized enough to allow verification in reasonable time. In this approach, the decomposition and abstraction mechanisms interplay to solve the complexity issues and are carried out manually. It is conceivable that in the not too distant future some of these actions could be carried out with the help of tools.
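An added example, not code from [10], [2] or the paper, of composing two communicating FSMs and checking a local property on an abstraction of one of them. The machines are constructed (an assumption): a requester A that must never see an acknowledge while idle, and a server B carrying an idle timer whose states are irrelevant to that property. The existential quotient of B by its output keeps every behavior of B, so a safety property proved on the smaller product holds on the full one; the coarsest abstraction (B's output chosen freely each cycle) is also sound but too weak and reports a false alarm. This is the conservative, as opposed to exact, decomposition distinguished in the Discussion below.

```python
from collections import deque
from itertools import product

# Constructed example (an assumption for this illustration, not the system of [2] or [10]).
# A machine is a dict: 'init' (set of initial states), 'out' (Moore output per state) and
# 'delta' mapping (state, input tuple) -> set of successor states, so that abstractions
# may be nondeterministic.

def requester():
    """Machine A: output req; inputs (ack from B, primary input go).  ERR is entered
    only if an ack arrives while idle, which the local property forbids."""
    out = {"IDLE": 0, "WAIT": 1, "BUSY": 0, "ERR": 0}
    delta = {}
    for s in out:
        for ack, go in product((0, 1), repeat=2):
            if s == "IDLE":
                n = "ERR" if ack else ("WAIT" if go else "IDLE")
            elif s == "WAIT":
                n = "BUSY" if ack else "WAIT"
            elif s == "BUSY":
                n = "BUSY" if ack else "IDLE"
            else:
                n = "ERR"
            delta[(s, (ack, go))] = {n}
    return {"init": {"IDLE"}, "out": out, "delta": delta}

def server():
    """Machine B: output ack; input req.  A four-phase idle timer adds states that are
    irrelevant to when ack can be 1."""
    out = {f"FREE{i}": 0 for i in range(4)}
    out["SERVING"] = 1
    delta = {}
    for s in out:
        for req in (0, 1):
            if s == "SERVING":
                n = "SERVING" if req else "FREE0"
            else:
                n = "SERVING" if req else f"FREE{(int(s[4:]) + 1) % 4}"
            delta[(s, (req,))] = {n}
    return {"init": {"FREE0"}, "out": out, "delta": delta}

def compose(a, b):
    """Synchronous product: A reads B's ack and go, B reads A's req.  Returns the set
    of reachable product states, whose growth is the state explosion of the text."""
    seen = set(product(a["init"], b["init"]))
    queue = deque(seen)
    while queue:
        sa, sb = queue.popleft()
        for go in (0, 1):
            for na in a["delta"][(sa, (b["out"][sb], go))]:
                for nb in b["delta"][(sb, (a["out"][sa],))]:
                    if (na, nb) not in seen:
                        seen.add((na, nb))
                        queue.append((na, nb))
    return seen

def quotient_by_output(m):
    """Existential abstraction: merge states with equal output and keep a transition
    between classes whenever some member has it.  Every behavior of m survives, so a
    safety property proved on the quotient holds on m (conservative, not exact)."""
    cls = lambda s: f"OUT{m['out'][s]}"
    out = {cls(s): v for s, v in m["out"].items()}
    delta = {}
    for (s, inp), succ in m["delta"].items():
        delta.setdefault((cls(s), inp), set()).update(cls(n) for n in succ)
    return {"init": {cls(s) for s in m["init"]}, "out": out, "delta": delta}

def free_environment(m):
    """Coarsest abstraction of m: its output is chosen arbitrarily every cycle."""
    out = {"ANY0": 0, "ANY1": 1}
    inputs = {inp for (_, inp) in m["delta"]}
    delta = {(s, inp): set(out) for s in out for inp in inputs}
    return {"init": set(out), "out": out, "delta": delta}

def err_unreachable(reach):
    """The local property: machine A never enters ERR."""
    return all(sa != "ERR" for sa, _ in reach)

if __name__ == "__main__":
    a, b = requester(), server()
    full = compose(a, b)
    small = compose(a, quotient_by_output(b))
    coarse = compose(a, free_environment(b))
    print(len(full), err_unreachable(full))      # 11 True
    print(len(small), err_unreachable(small))    # 5 True   (proof carries over to full)
    print(len(coarse), err_unreachable(coarse))  # 8 False  (too coarse: false alarm)
```

The quotient is chosen by hand here, which mirrors the manual localization described for [2]; a tool would derive the equivalence from the variables the property and machine A actually read.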
5.4 Cycle Simulation using Decision Diagrams
A recent approach to cycle-based logic simulation employs decision diagrams to achieve orders of magnitude speedup in simulation speed. The approach consists of building the BDDs for the output and latch functions of a circuit, and performing simulation via a sequence of lookups on a tabular representation of the BDDs. One of the key optimization criteria that determines the simulation speed is the number of lookups needed to determine the output functions.
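An added example, not the simulator of the paper, of the lookup-based scheme: a constructed 2-bit counter with enable (an assumption) whose next-state and output functions are compiled into one shared reduced ordered BDD stored as a flat table, then simulated cycle by cycle by walking the table. The variable order is an assumption; it fixes the path lengths, hence the lookup count the text singles out as the optimization criterion.

```python
# Constructed example (an assumption for this illustration, not the simulator of the paper):
# a 2-bit counter with enable.  Next-state and output functions are given as Python truth
# functions, compiled into one shared reduced ordered BDD, then simulated by lookups.
ORDER = ["en", "q1", "q0"]          # variable order (an assumption; it fixes path lengths)
FUNCTIONS = {
    "q0":  lambda e: e["q0"] ^ e["en"],
    "q1":  lambda e: e["q1"] ^ (e["q0"] & e["en"]),
    "out": lambda e: e["q1"] & e["q0"],      # terminal-count output
}

class BDD:
    """Shared reduced ordered BDD stored as a flat table: node id -> (var, low, high).
    Ids 0 and 1 are the terminals; every other node is unique (no duplicate triples)
    and non-redundant (low != high), which is what keeps the table small."""
    def __init__(self, order):
        self.order = order
        self.table = {}          # node id -> (var, low, high)
        self.unique = {}         # (var, low, high) -> node id

    def mk(self, var, lo, hi):
        if lo == hi:
            return lo            # redundant test: drop the node
        key = (var, lo, hi)
        if key not in self.unique:
            nid = len(self.table) + 2
            self.table[nid] = key
            self.unique[key] = nid
        return self.unique[key]

    def build(self, f, env=None, i=0):
        """Shannon-expand f along ORDER; exponential in the number of variables, which
        is fine for this small circuit and keeps the example self-contained."""
        env = env or {}
        if i == len(self.order):
            return int(f(env))
        v = self.order[i]
        return self.mk(v, self.build(f, {**env, v: 0}, i + 1),
                          self.build(f, {**env, v: 1}, i + 1))

    def lookup(self, root, values):
        """Evaluate one function by walking from its root: one table lookup per
        decision node on the path, never more than len(ORDER)."""
        node, steps = root, 0
        while node > 1:
            var, lo, hi = self.table[node]
            node = hi if values[var] else lo
            steps += 1
        return node, steps

def compile_circuit(order=ORDER, functions=FUNCTIONS):
    """Build the shared BDD once; returns it and the root of each function."""
    bdd = BDD(order)
    roots = {name: bdd.build(f) for name, f in functions.items()}
    return bdd, roots

def cycle_simulate(bdd, roots, init_state, stimulus):
    """Cycle-based simulation: per cycle, one lookup walk per output/next-state function.
    Returns (out value per cycle, final state, total number of table lookups)."""
    state, outs, lookups = dict(init_state), [], 0
    for en in stimulus:
        values = {**state, "en": en}
        results = {}
        for name, root in roots.items():
            results[name], steps = bdd.lookup(root, values)
            lookups += steps
        outs.append(results["out"])
        state = {"q1": results["q1"], "q0": results["q0"]}
    return outs, state, lookups

if __name__ == "__main__":
    bdd, roots = compile_circuit()
    print("BDD nodes:", len(bdd.table))                               # 7
    outs, final, n = cycle_simulate(bdd, roots, {"q1": 0, "q0": 0}, [1, 1, 1, 1, 0, 1])
    print(outs, final, n)          # [0, 0, 0, 1, 0, 0] {'q1': 0, 'q0': 1} 37
```

Six cycles of three functions over three variables could cost at most 54 lookups; the reduced table needs 37 because `out` does not depend on `en` and the `en = 0` branches collapse. Trying a different `ORDER` shows how the count, and therefore the simulation speed, changes with the ordering.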
Discussion
The examples above illustrate that decompositions may be obtained manually or automatically. For example, the timing analysis problem is a one-time manual decomposition, whereas the decomposition for cycle-based simulation is wholly automatic. In contrast, the automatic decomposition for combinational equivalence checking can be substantially aided by manual hints from the user [4, 8]. Depending on the problem being solved, decompositions may be exact or conservative. In the former case, a property holds on each component of the decomposition if and only if it holds on the complete system. In the latter case, the property is guaranteed to hold on the complete system if it holds on each component of the decomposition; the converse, however, need not be true, so a failure on a component may be a false alarm that must be resolved on a finer decomposition or on the complete system.
Conclusion
We summarize the conclusions that naturally follow from our contention that the three concepts of formalization, abstraction and decomposition are the cornerstones of a design methodology that could alleviate the problems facing the design community as implementation technology allows, and new applications require, ever increasing complexity.
• From the specification, the design process has to progress towards implementation by mapping the various levels of the design hierarchy into other formal models. The design process has to be characterized by the successive refinement concept, so that anything that has been proven or verified by any available tool is still true at all successive steps unless a major re-design is required in the face of errors.
• Tools should be developed to help the designer maintain consistency and to verify that refinement holds.
• The specification of a design must have clear semantics. When the underlying model is hardware, the HDL must have hardware semantics. Both Verilog and VHDL violate this with underlying event-queue semantics. It is imperative that the formalization process be complete, which implies that the specification should also explicitly include all constraints and properties required for the design, thus avoiding the lack of clarity and documentation that occurs in their absence.
• There must be support for abstraction in a specification language. Two critical abstractions that must necessarily be supported are the separation of function and time, and nondeterminism. Abstraction should be supported by tools that verify the consistency of the abstraction with respect to the original formalization. An important side-effect of the use of abstraction is the elimination of the over-specification problem, i.e. avoiding implementation details that may limit the quality of the design without accurately reflecting the initial goals and functionality requested of the design. Little or no support is provided by either Verilog or VHDL on this front.
If these paradigms (or others similar in concept) are followed, then all verification techniques can be used with maximum efficiency. In fact, formal verification is unthinkable without complete formalization and the use of abstraction to make it feasible on large designs. In addition, the problem of having multiple, not formally correlated descriptions of the same design in order to be able to run different verification tools severely hampers the quality of verification.
It is clear that designers are searching for some breakthrough to cope with the problems they encounter: it is by no chance that panels and tutorials on formal verification are now common and that major companies are setting up groups to investigate new verification techniques. However, we strongly recommend not to focus on techniques only but to focus instead on a rigorous design process.
The future is dense with opportunities and dangers. A verification-aware design methodology can be the light to avoid the pitfalls and to choose the right path to take.
