Designs are often modied for use in new circumstances. If formal proof is to be an acceptable verication methodology for industry, it must be capable of tracking design changes quickly. We describe our experiences formally verifying an implementation of an ATM network component, and on our subsequent verication of modied designs. Three of the designs veried are in use in a working network. They were designed and implemented with no consideration for formal methods. This case study gives an indication of the diculties in formally verifying a real design and of subsequently tracking design changes.
INTRODUCTION
Designs are frequently modied as requirements change. Such modications often take a fraction of the original design time to complete. Even if a design can initially be validated in an acceptable time scale, a validation method is unlikely to be accepted if a similar amount of time is required to validate subsequent modied designs. This is a problem even with testing. Ideally, all test cases should be rerun when changes are made. However, this takes the same amount of time as the original validation so there is a temptation to take shortcuts. For example, a bug in the 3 modied lines of a several million line telephone switching program caused telephone outages in several US states in 1991. The error was missed because the full 13 weeks of tests were not rerun after the modications were made (Wiener 1993) .
Formal machine-checked proof is a very timeconsuming validation method. However, much of the eort is invested in developing proof scripts. Once developed they can be rerun by a theorem prover far more quickly. Thus if the proof scripts can be reused for modied designs the validation time for the new designs should be signicantly shorter. In this paper we describe an experiment aimed at demonstrating that this is so for real designs and of quantifying any speed up. We describe our experiences validating a fabricated hardware design using machine-checked formal proof and of our attempts to subsequently track real changes that were made to the implementation.
The device we have considered is a component of an Asynchronous Transfer Mode (ATM) switch. Our work is part of a larger project to investigate the formal verication of an ATM network as a whole. We are investigating a working network which carries real user data: the Fairisle ATM network (Leslie and McAuley 1991) , designed at the University of Cambridge. It provides a realistic formal verication case study. The network component we have considered is the Fairisle 4x4 switching element. It is particularly suitable for this case study because several versions with slightly dierent designs exist. Four distinct designs had been fabricated prior to this case study and three were in use in the Fairisle network. We formally veried the original design and then modied the proofs for the variations. In the process we also veried several other versions that had not been fabricated.
FORMAL MACHINE-CHECKED PROOF
Formal hardware verication involves mathematically proving that an implementation of a piece of hardware satises its specication for all valid combinations of input values. It is possible to consider all input combinations because the reasoning is symbolic and mathematical techniques such as induction can be used to consider many (even innitely many) cases at once. This contrasts with testing in which only the particular combinations that are tested are validated. Formal verication essentially involves proving that two dierent descriptions of a circuit correspond in an appropriate way. This is illustrated in Figure 1 . The two descriptions correspond to the implementation (giving its structure) and to the specication (giving its behaviour).
The description of the implementation gives the hardware's structure: the components it is constructed from and the way they are wired together. Such a structural description is similar to a Hardware Description Language (HDL) structural program. We used higher-order Hardware Verication logic as the structural description language. An alternative would have been to use a HDL embedded in a proof system (Boulton et al. 1992) .
Whilst a structural description implicitly describes the behaviour of a piece of hardware, that behaviour is normally dicult to discern. The behavioural specication of the circuit describes the behaviour in a more direct way. Our behavioural specications correspond to timing diagrams plus state. That is, they describe the functional behaviour of the outputs of the circuit in terms of the values on the inputs over various time intervals. As with the structural descriptions, we have used higher-order logic to give the behavioural specications. We thus work in a single unied framework.
The two descriptions, structural and behavioural, are represented as higher order logic predicates over the input and output signals. Signals are traces of the values on a particular input or output over time. They are represented as functions from time to the value on the signal at that time. The predicates are true of a set of input and output signals if the given output signals could have resulted from the given input signals. With this representation correctness can be expressed simply using logical implication. The implementation predicate must imply the specication predicate. The formal verication of the device involves formally proving this fact using the inference rules of the underlying logic, here higher-order logic.
Formal proofs can be performed using pencil and paper. However, to verify a real system, machine help is required due to the size of the proofs concerned. General purpose theorem proving systems such as HOL (Gordon and Melham 1993) or Nqthm (Boyer and Moore 1988) can provide such help. Current stateof-the art theorem provers cannot verify realistic systems automatically. Instead the user provides the outline of the proof in some way, with the system lling in the details. In many systems, including HOL, the proof is given in the form of a series of proof commands in some meta-language. These proof commands can encode complex proof procedures, thus automating large parts of the proof process. The theorem prover checks The Fairisle Switch the proof steps ensuring they do prove the stated goal. The proof steps are generally stored as a script which can be rerun at a later date to regenerate the proof. The formal specication and verication work described here was carried out using the HOL90 theorem prover: an implementation of HOL in which Standard ML is used as the meta-language. Thus the scripts are Standard ML programs.
Since formal verication involves validating descriptions of the circuit and not the real physical hardware, it can never give absolute assurances of correctness. A formally veried circuit is not necessarily a correct circuit (Cohn 1989) . Formal verication should be thought of as a way of nding errors and of increasing condence in the correctness of a circuit, rather than as a way of giving absolute guarantees of correctness.
THE FAIRISLE SWITCH
We have veried components of the Fairisle Switch. The switch consists of two types of component: port controllers and a switching fabric. Each port controller is connected to a transmission line and by uni-directional lines to the switching fabric. The port controllers process incoming or outgoing cells of data and can be thought of as consisting of separate input and output port controllers as shown in Figure 2 . A cell consists of a xed number of bytes which arrive one at a time. Some of the bytes contain control information giving, for example, an indication of the ultimate destination 3 of the cell. The port controllers use this information to determine the outgoing line that the cell should be transmitted on. The new information is placed in a routeing byte appended to the front of the cell. After use it is removed by the fabric.
The fabric switches cells from input port controllers to output ones according to the routeing byte. The switching fabric is the place where cells contend for access to the outgoing transmission lines. If dierent port controllers inject cells destined for the same output port controller (as indicated by the routeing byte) into the fabric at the same time, then only one will succeed. The others must retry later. The routeing byte also includes one bit of priority information which is used by the fabric when arbitrating clashes. Arbitration takes place in two stages. Firstly, high priority cells are given precedence over low priority ones. Of the remaining cells, the choice is made on a round-robin basis. The input port controllers are informed of whether their cell was successful using acknowledgement lines. The fabric sends a negative acknowledgement to the unsuccessful input ports, and passes the acknowledgement from the requested output port to the successful input ports. This means the output port controllers may reject cells even if they successfully pass through the fabric.
The port controllers and fabric all use the same clock so bytes are read in on each link synchronously. They also use a higher level cell frame clock|the frame start signal. It ensures that the port controllers inject data cells into the fabric synchronously so that the routeing bytes arrive at the same time. The behaviour of the switching element is cyclic. In each cycle or frame, the element waits for cells to arrive, reads them in, processes them, sends successful ones to the appropriate output ports and sends acknowledgements. It then waits for the next round of cells to arrive. The cells from all the input ports start when a particular bit (known as the active bit) of any one of them goes high.
We have been concerned with the verication of the fabric, not the port controllers. In particular, we have veried several versions of the switching elements from which the fabric is built. The switching fabric consists of a series of switching elements connected in a regular array. The simplest (4x4) switching fabric consists of a single element which connects 4 input ports to 4 output ports. It is this fabric that we initially formally veried. To make larger fabrics, several elements can be connected together in a regular array. A 16x16 fabric can be made from 8 elements in two rows as shown in Figure 3 . Such a fabric has been fabricated. However, the design of the elements used diered from the original. We modied the specications and proofs for the fabricated designs used in the 16x16 fabric. We also considered an erroneous design which had been fabricated. We further veried four other versions of the element which were not fabricated. These were intermediary designs consisting of some but not all of the dif- ferences between the 4x4 fabric element and the 16x16 fabric elements. Verifying these designs allowed us to evaluate the time taken to make smaller changes than for the fabricated designs.
The elements were designed using a Hardware Description Language: Qudos HDL. This is a simple HDL which allows the structure of hardware to be specied. It does not allow behaviour to be specied directly.
THE 4 BY 4 FABRIC
The rst element veried was that for the 4x4 fabric. The rst task was to produce structural specications in a formal language. The designers of the element had used Qudos HDL. These descriptions could not be used directly because no formal semantics or proof system for Qudos HDL exists. Instead, we manually translated the HDL descriptions into higher-order logic: the logic of the HOL theorem prover. The style of Qudos HDL and higher-order logic structural descriptions are very similar. Consequently, the translation could have been done mechanically, involving only a change of syntax. However we made some changes to the description to aid the verication. It was not intended that these changes alter the design, only the description of it. Both descriptions should describe the same collection of logic gates. In fact several errors were introduced which were discovered during the verication. The most serious was that two wires were swapped. This was discovered due to a subgoal of the form [T,F] = [F,T] being generated. One side of this equality originated from the specication and the other from the implementation. It was thus obvious that two wires had been crossed, and also The design hierarchy of the original element which they were from the context of the proof. It was not immediately clear whether the mistake was in the implementation or specication. More details of the errors discovered are given in Curzon (1994) . To ensure that changes to the design had not inadvertently been made, the netlists from the two descriptions could have been compared. This was not done, however. The errors were instead found during the proof eort.
Two kinds of changes were made: adding extra layers to the hierarchy and simplifying the description using features of HOL which are not available in Qudos HDL. Multi-level words (that is, vectors of bit-vectors) were used to replace single level ones where appropriate. Also, several of the descriptions were made generic. The resulting descriptions were fairly standard HOL structural hardware descriptions (Gordon and Melham 1993) . The nal module hierarchy is shown in Figure 4 . It consists of 43 distinct modules. The design consists of 441 basic components. We took as basic components single bit latches and logic gates (allowing any number of inputs), corresponding to the basic units of the simulator used by the designers to test the designs.
The design consists of three main modules, as shown in the circuit diagram for the module FAB4B4 given in Figure 5 . The ARBITRATION module reads the routeing bytes of the cells, makes arbitration decisions and passes the results to the other modules with the grant signal. It controls the timing of the decision with respect to the external frameStart signal and the time the routeing byte arrives. The outputDisable signal indicates to the other units when a new arbitration decision has been made. The PAUSE DATASWITCH module switches the cell bytes from inputs to outputs according to the most recent arbitration decision. If no cell is to The Implementation of FAB4B4 be transmitted to an output port zeroed bytes are output. The cell bytes are delayed just long enough in the dataswitch before being output for an arbitration decision to be made on their routeing byte. The acknowledgement unit, ACK, passes acknowledgement signals in the reverse direction. Negative acknowledgements are sent to the input ports until a decision is made. Ports that did not make a request or whose request was turned down continue to receive a negative acknowledgement until the end of the frame. To formally verify a hardware design, formal behavioural specications of the design and of its modules are needed. The switching element had been designed and implemented without any form of formal behavioural specication being created. There was only sketchy, informal documentation. Therefore the formal specications were reverse-engineered from the HDL description. This was a very time-consuming process and the early versions of the specication contained many errors. The specications for each of the 43 modules 5 (both behavioural and structural) were written prior to any proof. This took between one and two personmonths. No detailed breakdown of this time has been kept, though much of the time was spent attempting to understand the design.
The formal behavioural specications describe timing diagrams and associated state for each output signal. As the behaviour of the element is cyclic, the specications of most modules are based on the frame cycles. The behaviour of each output signal over the period of a frame is described in terms of the state and values on the inputs during that frame. Frames can either be inactive or active. During the former no cells arrive, so no arbitration need be performed. During the latter at least one input port injects a cell into the fabric. A cell being injected is indicated by bit zero of the data signal (the active signal) going high. An inactive frame could be thought of as just a degenerate case of an active one. However, the specication is cleaner if the two cases are treated separately.
A relation AFRAME was dened which determines whether a triple of times constitutes an active frame for given frame start and active signals. The rst and third time of the triple must correspond to consecutive times that the frame start signal is high. The second time must correspond to the earliest time within this interval that the active signal of any input is high, i.e., when the routeing bytes arrive. A similar relation IFRAME denes an inactive frame for a pair of times.
For inactive frames, the behaviour of the element over the whole frame can be treated uniformly. For example, the specication of the data output signal of the element in an inactive frame has the following form. IFRAME ts te : : : STABLE (ts + 3) (te + 3) dOut default dOut Under the assumption that times ts and te represent an inactive frame, this states that the signal dOut is stable in the interval from ts+3 to te+3, outputting the constant value default dOut.
For an active frame, the behaviour is typically split into two parts: that up to some xed time after the active signal arrives; and that from this point until the end of the frame. The specication of the data output signal in an active frame has the following form. AFRAME ts ta te : : : STABLE (ts + 3) (ta + 5) dOut default dOutD URING (ta + 5) (te + 3) dOut (t. : : : (dIn ta): : : (dIn (t -2)): : : )
Under the assumption that times ts, ta and te represent an active frame, this states that the signal dOut is stable and outputs the constant value default dOut in the interval from ts+3 to ta+5. In the interval ta+5 to te+3, the bytes of the successful cells are output. Which cells are successful is dependent on the routeing bytes (that is, the data input at time ta). The actual bytes to be output at a time t in the interval are those input at time t-2, due to the delay through the element. The functional behaviour of the element is dependent on the arbitration process. We specied this process as a function on the cell routeing bytes and state. Given this information, the function describes the arbitration decision which will be made. The acknowledgement signals, data to be output and new state are specied in terms of this function. The arbitration for each output is independent of the others. This is done in several stages. First the inputs requesting the output under consideration are determined. They are then ltered on the basis of their priorities and round-robin arbitration is performed on the result.
Each module in the design was formally veried separately. The proofs were roughly of two kinds. The simplest were for the low level modules. Their specications were in the form of an equation stating that the outputs at some time were a function of the inputs at earlier times. The specication for the module ARB XEL given below is a simple example of this kind.
ARB XEL SPEC ((reqA, y, reqB, reqC), xjk) = 8t. xjk t = ((y t) _ (reqA t))^((reqB t) _ (reqC t)) The proofs for such modules were generally straightforward. Most of each proof could be done automatically with manual intervention required just at the end, for example, to call on specic lemmas about words.
A second kind of proof involved modules with specications based on timing diagrams over the period of a frame such as that for the full element outlined earlier. A separate proof was performed for each output and state variable. Each of these proofs was split into separate proofs for inactive frames and for each interval within active frames. The proofs for inactive frames were virtually identical to the proofs for the start of the interval of an active frame. These proofs normally involved considering a typical point within the interval, and showing that the output in question had the value specied at that time. The start of an interval was normally treated separately, because at that point a change of behaviour occurred. For example, the frame start signal might trigger a change in behaviour at the start of the interval putting the module into a dierent state. Once in that state it might remain there as long as no active signal occurs. The reasoning required in the two situations is dierent so they were proved separately.
As with proofs about equational specications, the proofs of interval specications involved an initial, largely automatic, part. It was concerned with expanding denitions and rewriting the values of output signals using the specications of the sub-modules. This was followed by a user-guided part, which involved proving that two expressions on the input values were the same. These proofs were more tricky, due to the more complex notions being reasoned about. For example, modules involved with arbitration require reasoning about Time taken to verify the 4x4 fabric modules round-robin arbitration. Many errors were found in the specications by the proof process. For example, the timing of many modules was incorrectly specied. Such errors resulted in goals such as ts=ts+1 so were generally easy to detect and correct. A more signicant error concerned the grant signal which encodes the successful input for an output as a two bit word. It was assumed that the two bits were sampled at the same time. However, they are actually sampled on consecutive cycles. This resulted in a goal in which the value of the grant signal at one time was needed, but it was only known to have the required value at a dierent time.
All the proofs were done under self imposed time pressure. Thus, little time was spent developing general purpose tools to automate the proofs or trying out new techniques. The aim was to determine the time required using standard tools and techniques. 39 persondays were spent performing the proof. Figure 6 shows the cumulative time taken as each module was veried. The time (5 days) spent proving general purpose theorems about machine words and signals is not included. Nor is the three days spent at the end, combining the separate proofs for each module into a single proof for the whole design. Approximately half the remaining time was spent verifying just two of the upper modules of the element. The proofs of these modules were more time-consuming partly because their behaviour was more complex than the lower modules. The times for all the upper modules were slowed to some extent because of this. However, the slow-down for the two modules in question was much more dramatic than is explained by this alone. The main reason was that there were a large number of errors in the formal behavioural specications of these modules due to their increased complexity: understanding and correcting the errors was very time consuming. The plateau in the graph for module DMUX2B4CAll similarly corresponded to a major error in the structural specication (two wires had been inadvertently swapped).
No detailed record of the time spent designing the element was recorded. In fact, it evolved from earlier designs. However, the designer estimated that had it been designed from scratch the initial design and implementation time would have been in the order of several months. Thus the time spent to formally specify and verify the design was not unreasonable. Had it been performed as an integral part of the design, it is unlikely that it would have unduly slowed the design cycle. The formal specication and verication would have been much quicker if done as the element was designed, for the reasons given earlier. Much of the time was spent attempting to understand the design. An error was discovered after the testing process had been completed when the fabric was in use. It is likely that this error would have been discovered by the formal verication if it had been performed prior to fabrication. We did not attempt to verify the faulty design, however.
VARIATIONS ON THE DESIGN
Several modications were made to the element for the 16x16 fabric. This resulted in two new designs, both of which were fabricated: one for the front elements and one for the back elements.
An extra 5 cycle delay was placed on the frame start line on entry to the front elements and an 8 cycle delay was used for the back elements. This allows the port controllers more time to process the data. The longer delay is required for the back element to allow the routeing byte to pass through the front element. The data is delayed by 5 cycles in the port controllers. Thus the change ensures that the data and frame start signal still arrive at the same time relative to each other. A faulty version of the back element which had only a 5 cycle delay was originally fabricated. The error was only discovered when the fabricated fabric was tested. This was prior to the verication attempt. Initially the verier was both unaware that the 5 cycle delay design was faulty and that the 8 cycle delay design existed.
For the 16x16 fabric the routeing byte is split in two. The front elements read only the rst nibble of the routeing byte. This is the same as for the 4x4 fabric. However, the back elements read the second nibble, so their design was changed accordingly. This involved changing the wiring in the routeing byte decoding circuitry. The need for dierent behaviour on the top and bottom boards
The fabric as a whole strips o the routeing byte as it passes through the element since it is not needed by the output port controllers. This is done by the original element and the back elements of the 16x16 fabric. The front elements must forward the routeing byte, however, since the back elements must receive it. This is achieved by adding an extra delay on the data path of the front elements. With the delay, outputs are enabled in time for the routeing byte to be output. Without it, they are enabled one cycle too late, so it is discarded.
One further change was made to the front elements. The full fabric was implemented on two boards. It was desired that an identical board be used to implement the top and bottom halves of the fabric (each holding two front and two back elements). According to the documentation this was to \keep the design simple". However, the two halves are mirror images of each other. Dierent outputs from the front element need to go o the board in the two halves. For the top half, the data bytes routed to outputs 0 and 1 need to go to the back elements on the same board, whereas those for outputs 2 and 3 need to go to the elements on the other board. The opposite is required for the bottom half. This can be seen from Figure 7 . To overcome this an extra single bit input was added to the element which, when set, makes the decoder swap the meanings of the route eld in the route byte. Requests for outputs 0 and 1 are sent to outputs 2 and 3 respectively, and vice versa.
We adapted the implementation, specication and proofs of the original 4x4 element to the new 4x4 designs, including the erroneous back element. In the process, we also veried four further versions, in which only some of the changes had been made. The front element eectively consists of two dierent designs one for the top element and one for the bottom element with a ag to switch between them. We thus veried these two designs (with no ag input) as designs in their own right. Two other designs veried were versions of the front fabric which removed the routeing byte as the cell passed through. Verifying the designs separately allowed us to evaluate the time taken to make each change. In fact the two designs which removed the byte resulted from a mistake: the verier initially did not realize that the extra delay had been inserted into the design.
The rst new design veried was the erroneous back element. This diers from the original in that the second nibble of the routeing byte is accessed rather than the rst. Also a 5 cycle delay occurs on the frame start data path. This design was successfully veried! This was because the specication was reverse engineered from the implementation. Thus the specication erroneously required a 5 cycle delay. This highlights how bugs can become features if the specication is produced from the implementation rather than the other way round. The error was discovered when an attempt was made to verify the full 16x16 fabric constructed from the faulty elements. It was found because the active signal needed to be dened over one interval for the back elements, but the front elements specied its value over a dierent interval.
The faulty element took three person-days to verify. This was longer than expected because the new design invalidated an assumption which had been made in the original. It had been assumed that a frame start signal did not occur on the very rst cycle after a power up. This was to ensure that the element reset properly. However, in the new design, the signal of interest was on an internal signal|the output of the new delay. Thus its value could not be guaranteed. It had not occurred to the designer that this might cause a problem. On closer inspection, it was found that the assumption was actually stronger than required, and that on the rst real frame start signal from outside the chip, the element did reset itself. The element could be dened as well-behaved irrespective of the behaviour up until this reset took eect. Previously we had required that it have specic behaviour from the start. Changing this assumption involved changing the specications of modules other than those whose implementation had been changed, notably the timing circuitry. In particular the modules, TIMING, OUTDIS and all modules dependent on them had to be reveried to account for the new assumption (see Figure 4) . Despite this it still only took a few days to complete the verication. We reveried a total of seven modules due to changes having been made either to their structural or behavioural specications. We also added two new modules.
After the verication attempt on the 16x16 fabric had exposed the error in the original back element, the correct version of the back element was veried. We reveried a total of 8 modules. This took less than two hours 8 Paul Curzon to complete. It involved adding 3 to various time osets in the specications, goals and proofs of the original back element proof to account for the change in the delay from 5 to 8 cycles. It would have been better in the long term to make the proof generic with respect to this delay. Then a single proof would cover both designs as well as any future designs with dierent delays. This would have taken slightly longer however, so was not done since our aim was to complete the verication as quickly as possible.
The next design veried was the version of the front fabric that strips o the routeing byte, delays the frame start signal, but interprets the route information normally. It is the same as the original element except for the delay on the frame start signal. The proof of the back element was modied to obtain the new proof. Changes were made to three modules. This took about a quarter of a person-day. Had the problem with the assumption not occurred, the verication of the back element would have taken little more than this.
We then veried the version of the front element that strips o the routeing byte, delays the frame start signal and interprets the route information dierently. The previous proof was modied. This involved adding an extra module above DECODE in the hierarchy and changing the proofs of all modules dependent on it. Six modules were modied and one new module added. This took three-quarters of a person-day.
We next veried the front element that does not strip o the routeing byte but delays the frame start. One new module was added above PAUSE DATASWITCH to include the extra delay. The specications and proofs for three others were modied. This took half a person-day. The next version veried was the front element that does not strip o the routeing byte, delays the frame start and reinterprets the route information. Three modules were reveried. This took a quarter of a person-day.
Finally, the fabricated front element was veried. It has an input which switches its behaviour between that of the previous two versions. Seven modules were reveried. This took a day and a half. This was longer than for the previous versions of the front element, because rather than just making small changes to the earlier specications, their structure was radically changed. The new specication consisted of a case split between two specications of the previous form. This meant that for the main lemmas new proofs had to be created. The new proofs were far simpler than those they replaced, but creating them took more time than making modications to an existing proof.
The cumulative time taken to verify the new designs is shown in Figure 8 . The modules that were reveried were the top-level ones which had originally taken the most time to verify. However, they were reveried at a rate corresponding to the lowest level modules in the original verication. This is shown in Figure 9 Time taken to verify the modied designs which combines the two previous graphs. The original fabricated back element was veried in three days, despite the new design invalidating an assumption in the original proof. The fabricated front element was veried in just over three days, despite several other designs being veried unnecessarily on the way. It should also be stressed that these times include the time taken to understand, formally specify and verify the new designs as well as to combine the proofs for the separate modules back into a proof for the whole design. The original times in Figure 6 only include the verication time and should be roughly doubled to give a comparable time. Comparable times were not recorded due to the fact that in the original proofs, all the specication was done prior to the verication attempt, whereas for the modied designs specication and verication proceeded hand in hand. The reverication was quicker for several reasons. The most obvious reason was that the design was modular. Only modules that were actually aected needed to be reveried. This does not account for all the improvement, however, as the aected modules were veried far more quickly than originally. This can be seen from Figure 9 . One reason these proofs were quicker was because they were split into a series of lemmas. Many lemmas did not need to be changed and so their proofs were not aected. Furthermore, most proofs that did need to be changed only needed to be changed in small ways. Thus the scripts could be rerun with only a few modications. Also, the reason why the design was correct Comparison of original and modied proofs was well-understood by the verier. Finally, and perhaps most importantly, the new specications did not contain errors because they were produced by making small changes to specications that were error-free (in the sense that the structural and behavioural specications satised the correctness statement). Working with error-free specications can save a signicant amount of time, because understanding and correcting errors and redoing proofs accordingly can be very time consuming, especially when multiple errors interact. It accounted for much of the time spent verifying the top-level modules of the original element.
DISCUSSION
We have investigated the reuse of proofs to track changes to a hardware design. Lincoln and Rushby (1994) have reused proofs in a similar way. They note that if proof scripts can be quickly modied to account for changing assumptions and designs, the proof process can be used to experiment with such changes, determining their consequences. The ability to quickly perform formal proofs by reusing old proof scripts is thus of great importance if formal proofs are to be used in a commercial environment. Currently proof creation is the main concern of tool developers. Proof tools and methods need to be developed to aid this proof reengineering. This has been addressed in the KIV system (Reif and Stenzel 1993) . If a proof fails due to an error in the design, the system automatically uses the failed proof script to help generate new scripts for corrected designs. This approach has also been used at Philips in the validation of telecommunications software.
An alternative to repeatedly modifying the specications and proofs to track design changes is to give generic specications, with associated general proofs. Thus the original proof would serve to verify all designs covered by the generic specications. The specications and correctness theorems would simply need to be instantiated for any particular concrete instance of the design with minimal additional proof eort. Where practical this is obviously a better approach than modifying the scripts. The designs we veried dier in only small ways, so it would be possible for a generic version to be veried which covers several, if not all, of them. However, each modication would have required the design to be made generic in a dierent way. The verier would therefore have needed to anticipate future changes. It is thus important that whenever possible the verier is aware of the kind of design changes that are likely, since this means that generic specications can be written from the outset. It is easy to see that the delay on the frame start signal could be made generic. In the long term this would have saved time. However, in the short term it would have been slower. In a commercial setting, this is a problem that is likely to arise frequently. If a design is being veried under time pressure, there will be a strong temptation to do the minimum required to verify that design, even if it means modications will take longer to verify.
We validated completed implementations. This is harder than if formal methods are integrated into the design process for several reasons. (i) Why the design is believed to be correct must be at least partially rediscovered. (ii) If the implementors work to a formal specication, the specication and implementation are more likely to agree and less time will be wasted correcting specication errors. (iii) Since it involves analysing the design in great detail, the specication and verication process can identify changes to the implementation that simplify the verication task. Such changes do not necessarily compromise other design aims such as eciency. (iv) Reverse engineering a specication from the implementation is a very time consuming process. (v) Finally, a hardware description language amenable to verication can be used, thus avoiding translation problems. The above problems were exacerbated further for this case study by the fact that little documentation of the implementations had been produced. A signicant amount of reverse engineering was required.
The study highlighted a problem when modifying proofs to track design changes. The two versions of the front fabric that removed the routeing byte resulted from a mistake. The verier forgot that the extra delay had been added. It was only after the verication of the two versions was completed that this was noticed. This problem arose because two separate descriptions of the implementation were being used: Qudos HDL and HOL. The structural specication of the original design was obtained by editing the actual HDL from which the design was implemented. Thus, there was little opportunity for errors of this kind to be introduced. However, in the modied designs, the formal structural specications were obtained by editing the formal descriptions of the original design rather than the sources since this was quicker. Thus it was easy to miss some of the changes. The verication was still \successfully" completed because the behavioural specications were written from the implementation. The errors became \features". The faulty design of the back element was initially veried rather than the correct one for similar reasons. It was only when the specications were used in the proof of a higher level of the design hierarchy that the errors were highlighted by the proof attempt. Using specications for proofs of higher levels of the design is a good way to validate them. However, we are always dependent on the top level specication being correct. The problem would not have arisen if the original designs had been written in HOL rather than Qudos HDL, or if the designs had been implemented from formal behavioural specications. Formal methods should be an integral part of the design process, even if the verication is not attempted until after the designs have been completed.
If the specication or implementation are erroneous, the verication time will be longer. A reason that the modied switching element designs were veried more quickly than the original was that the specications were error-free before the verication commenced. Formal proof should only be used to nd the most obscure bugs. Faster techniques such as animation of specications and model checking should be used to nd as many errors as possible prior to formal proof.
CONCLUSIONS
We have demonstrated that a fully machine-checked formal verication of a real piece of communications hardware can be completed in a time scale roughly comparable to that required for its original design, implementation and informal testing. This was despite the formal specication and verication being done after the design had been implemented, the documentation being sketchy, and the verier having little previous knowledge of the design or its application. The formal verication of communications hardware has been performed before. For example, a network interface chip has also previously been veried (Herbert and Gordon 1986) initially using LCF-LSM and later the HOL system. In unpublished work from 1991, Carreño veried a simplied version of the Fairisle fabric. The main contribution of our paper is not that we have veried a particular piece of hardware. Rather it is that we have demonstrated that real changes made to a real design can be quickly tracked. It took several months to specify and formally verify the original design. Modied designs could be specied and veried in a matter of hours or days. This was despite the fact that it was the upper level modules of the design, which took the most time to verify originally, that needed to be reveried. Thus, the eort invested in verifying a design need not be wasted if the design is subsequently changed. It seems probable that these results hold in general rather than to the specic case study considered. However, further studies must be performed to demonstrate this conclusively.
