Formal hardware verification methodology and its application to a network interface chip

We describe how the functional correctness of a circuit design can be verified by machine checked formal proof. The proof system used is LCF_LSM, a version of Milner´s LCF with a different logical calculus called LSM. We give a tutorial introduction to LSM in the paper. Our main example is the ECL chip of the Cambridge fast ring (CFR). Although the ECL chip is quite simple (about 360 gates) it is nevertheless real. Minor errors were discovered as we performed the formal proof, but when the corrected design was eventually fabricated it was functionally correct first time. The main steps in the verification were: (a) writing a high-level behavioural specification in the LSM notation, (b) translating the circuit design from its modula-2 representation in the Cambridge design automation system to LSM, (c) using the LCF_LSM theorem-proving system to generate mechanically a proof that the behaviour determined by the design is equivalent to the specified behaviour. To accomplish the second of these steps, an interface between the Cambridge design automation system, and the LCF_LSM system was constructed