Synchronous Equivalence for Embedded Systems: A Tool for Design Exploration

Harry Hsieh*, Felice Balarin, Alberto Sangiovanni-Vincentelli, Luciano Lavagno

Department of Electrical Engineering and Computer Sciences, University of California, Berkeley ({hahsieh,alberto}@eecs.berkeley.edu)
Cadence Berkeley Laboratories, Cadence Design Systems ({felice,lavagno}@cadence.com)

Abstract

Design exploration consists of analyzing several alternative implementations of the “same” function to determine the most desirable one. A fundamental question is whether an “implementation” is consistent with the high-level specification, or whether two implementations are “equivalent”. In this paper, we define synchronous equivalence for embedded systems, which strongly resembles the concept of functional equivalence for sequential circuits. We then present equivalence analysis algorithms of low polynomial complexity. We show an application of the algorithms to a real-life design (a shock absorber controller) and demonstrate that synchronous equivalence opens design exploration avenues uncharted before.

1 Introduction

Current embedded system design practice is quite informal and application specific. Designers often start with a requirement written in plain English, use “intuition” to pick a particular interpretation of this requirement, and write a so-called reference (or golden) model in VHDL, Verilog, or C. The golden model is executed on a computer to investigate whether it satisfies a set of requirements, including a match with the original informal specification. A (candidate) implementation¹ is then generated through a combination of manual labor and often poorly connected tools. The correctness and optimality of the candidate implementations are assessed with filtered simulation traces obtained from the reference model and from the candidate implementation.
This contorted and highly informal design flow is very error-prone and does not promote efficient design space exploration, since the set of “correct” implementations cannot be precisely identified. A fundamental step toward improving the design methodology is a formal definition of correctness. We advocate the principle of “separation of concerns” in verification: functional correctness and timing are verified independently. This principle is the basis of the synchronous design methodology for sequential circuits [1], where latches decompose the circuit into combinational islands. Signals are propagated from island to island when an enabling input (clock) is given to the latches. Any design of the combinational islands that ensures the combinational circuits stabilize before the enabling signal arrives at the latches can be verified for equivalence by paying attention only to the Boolean functions computed by the circuits, irrespective of propagation time. Timing can then be verified independently by performing a worst-case timing analysis and making sure that this bound is within the clock cycle. This powerful approach can be extended to higher levels of abstraction, as demonstrated by synchronous languages [2]. Synchronous languages describe complex systems consisting of interconnected components, each represented by a Finite-State Machine model. Both communication and computation take zero time to perform. While very powerful, synchronous languages support a model of computation that restricts the design space considerably because of the synchronous communication hypothesis.

* This author is supported by SRC contract DC-324-028.
¹ An “implementation” may only be considered a candidate because it may not be correct. The implementation in this context is not generated through formal refinement; some ad hoc manual procedures are involved.
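The separation of functional and timing verification described above can be made concrete. The following Python example is added here and is not code from the paper: it models a combinational island between two latches as a small gate netlist, checks the functional equivalence of two candidate islands exhaustively (looking only at the Boolean function each computes, as the synchronous methodology allows), and separately performs a worst-case path-delay analysis against a clock period. The netlists (two structurally different XOR implementations and one deliberately wrong candidate), the gate delays and the clock periods are constructed for illustration and are not taken from the paper.

```python
"""Separation of concerns for a combinational island: Boolean equivalence
first, worst-case timing second. Added illustration, not the paper's code."""
from itertools import product

# Gate operations: each maps a tuple of input bits to one output bit.
OPS = {
    "NOT": lambda x: 1 - x[0],
    "AND": lambda x: int(all(x)),
    "OR":  lambda x: int(any(x)),
}

# A combinational island is a dict: gate_name -> (op, input_names, delay).
# Any name that is not a gate is a primary input (a latch output feeding the island).
# Constructed netlists: two implementations of XOR(a, b) with different structure
# and different (arbitrary, illustrative) gate delays.
XOR_SOP = {                      # (a AND NOT b) OR (NOT a AND b)
    "na": ("NOT", ("a",), 1),
    "nb": ("NOT", ("b",), 1),
    "t1": ("AND", ("a", "nb"), 2),
    "t2": ("AND", ("na", "b"), 2),
    "y":  ("OR",  ("t1", "t2"), 2),
}
XOR_POS = {                      # (a OR b) AND NOT (a AND b)
    "o":  ("OR",  ("a", "b"), 2),
    "n":  ("AND", ("a", "b"), 3),
    "nn": ("NOT", ("n",), 1),
    "y":  ("AND", ("o", "nn"), 2),
}
OR_ONLY = {                      # deliberately wrong candidate: a OR b
    "y": ("OR", ("a", "b"), 2),
}


def primary_inputs(net):
    """Names referenced as gate inputs that are not themselves gates."""
    names = set()
    for _, ins, _ in net.values():
        names.update(i for i in ins if i not in net)
    return sorted(names)


def evaluate(net, assignment, signal, _memo=None):
    """Value of `signal` under `assignment`, zero-delay (stabilised) semantics."""
    memo = {} if _memo is None else _memo
    if signal in assignment:
        return assignment[signal]
    if signal not in memo:
        op, ins, _ = net[signal]
        memo[signal] = OPS[op](tuple(evaluate(net, assignment, i, memo) for i in ins))
    return memo[signal]


def boolean_counterexample(net1, net2, output="y"):
    """Exhaustive functional comparison of two islands on the same output.
    Returns an input assignment on which they differ, or None if equivalent."""
    inputs = sorted(set(primary_inputs(net1)) | set(primary_inputs(net2)))
    for bits in product((0, 1), repeat=len(inputs)):
        asg = dict(zip(inputs, bits))
        if evaluate(net1, asg, output) != evaluate(net2, asg, output):
            return asg
    return None


def worst_case_delay(net, signal, _memo=None):
    """Static timing analysis: longest input-to-signal path as a sum of gate delays."""
    memo = {} if _memo is None else _memo
    if signal not in net:          # primary input: available at the clock edge
        return 0
    if signal not in memo:
        _, ins, d = net[signal]
        memo[signal] = d + max(worst_case_delay(net, i, memo) for i in ins)
    return memo[signal]


def synchronous_equivalent(net1, net2, clock_period, output="y"):
    """Two islands are interchangeable in a synchronous design iff they compute
    the same Boolean function AND each stabilises within one clock period.
    The two checks are independent, which is the point of the methodology."""
    if boolean_counterexample(net1, net2, output) is not None:
        return False
    return all(worst_case_delay(n, output) <= clock_period for n in (net1, net2))


if __name__ == "__main__":
    print("SOP vs POS counterexample:", boolean_counterexample(XOR_SOP, XOR_POS))
    print("SOP vs OR  counterexample:", boolean_counterexample(XOR_SOP, OR_ONLY))
    print("worst-case delays:", worst_case_delay(XOR_SOP, "y"), worst_case_delay(XOR_POS, "y"))
    print("equivalent at period 6:", synchronous_equivalent(XOR_SOP, XOR_POS, 6))
    print("equivalent at period 5:", synchronous_equivalent(XOR_SOP, XOR_POS, 5))
```

The two XOR netlists pass the functional check and differ only in their longest path (5 versus 6 delay units), so they are interchangeable at a clock period of 6 but not at 5; the OR-only candidate fails the functional check regardless of timing. Exhaustive enumeration is exponential in the number of primary inputs and is used here only because the islands are tiny; production equivalence checkers reason about the Boolean functions symbolically (BDDs or SAT) rather than by enumeration.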
In this paper, we relax the “synchronous hypothesis” by adopting a more general model of computation (the one supported by Co-design Finite State Machines (CFSMs) [3]), while retaining the fundamental idea of separation between timing and functionality. We establish synchronous equivalence, a “functional” equivalence among a set of candidate implementations of embedded system specifications. Equivalence analysis can be done precisely through reachable state methods (e.g. formal verification tools [4, 5]), or conservatively (but more efficiently) through structural methods. We derive efficient structural algorithms for synchronous equivalence analysis that can be used to explore the design space effectively.

In the next section, we briefly review a formal model for control-dominated embedded system design, CFSMs, that provides a convenient representation of the design space. In section 3, we present the synchronous equivalence relation. In section 4, we show how synchronous equivalence can be checked by structural methods. In section 5, we show some results of applying this methodology to a real-life industrial example. In section 6, we discuss future directions.

2 Network of CFSMs

Embedded systems can be represented as networks of interacting Codesign Finite State Machines [3]. CFSMs extend Finite State Machines with side-effect-free computation on the transition edge. The communication entities between CFSMs are events, which may or may not carry values. A CFSM can transition only

0-7803-5832-X /99/$10.00 ©1999 IEEE.