Page 1: [IEEE Comput. Soc. Press Twentieth Euromicro Conference. System Architecture and Integration - Liverpool, UK (5-8 Sept. 1994)] Proceedings of Twentieth Euromicro Conference. System

A Theory of Engineering Design

Keynote Speaker: C.A.R. Hoare
Oxford University Computing Laboratory
Wolfson Building, Parks Road
Oxford OX1 3QD, England
e-mail: carh@comlab.ox.ac.uk

Introduction

Boolean algebra is the mathematical theory which forms the basis of Computing Science and Information Engineering. It is applicable at all levels, from the collection and analysis of requirements for computer applications, through the specification and development of reliable computer programs, to the gates and wires that implement, in hardware, the logic of the executing mechanism. Based on my experience in the study of computing, I suggest that Boolean algebra has an even wider role as the basis for a general methodology of engineering. For this lecture, my examples are drawn from simple theories of electronic hardware design.

Specification, Implementation, Correctness

Any serious engineering project begins with a careful exploration of the requirements of the user of the eventual product. Requirements are captured as predicates, describing the observable properties and behaviour of the product in the environment of its use. Requirements formulated separately are collected together by the Boolean connective "and" (conjunction). Their consequences are explored by the Boolean relationship of implication. Disjunction ("or") keeps open options for later decision by the implementor; and negation ("not") describes most clearly any dangers that must be avoided. The full power of Boolean algebra, as well as the concepts of any relevant branch of mathematics, must be exploited to ensure that only the true requirements are described, and not, by oversight, something other than that.

An engineering product is usually constructed by careful assembly from more primitive components. Each component has a specification describing its observable properties and behaviour. This includes its potential interactions with other components when linked in an assembly. Any uncertain or uncontrollable aspects of behaviour can be described by a disjunction of all physically possible alternatives. The behaviour of an assembly is described by a conjunction of predicates describing the behaviour of all its components. Their interactions, which are not observable in the delivered product, can be concealed by existential quantification, that is, the least upper bound in the Boolean algebra. Product description uses all the Boolean connectives except negation; and there is a good reason for that.

331

A product meets its specification if every observation of its actual behaviour satisfies the predicate describing its desired behaviour. This is guaranteed only if the predicate describing the product logically implies the specification. The engineering concept of correctness is nothing but the familiar Boolean concept of implication, the same concept that forms the basis of all reasoning in science and mathematics.

Engineering Design Method

A significant engineering project usually passes through several design phases. A transition between phases is marked by delivery of a design document. This, too, may be interpreted directly or indirectly as a description of the behaviour of any product built in accordance with the design. The design is correct if it logically implies the specification; the product is correct if it logically implies the design. The fact that the end product also satisfies the specification follows from the fundamental law of Boolean algebra that implication is transitive. This is the simple principle which justifies the widespread engineering practice of stepwise design.

Stepwise design is even more effective if it is accompanied by decomposition. The design is expressed as the conjunction of the descriptions of two or more subassemblies, which together are proved to imply the specification. The implementation of each subassembly may then be delegated to separate teams working independently, perhaps even using different technologies. Their products may then be assembled and delivered to meet the original specification. The need for integration testing, and the risk of errors in the interface between components and between technologies, have been averted by a proof that was conducted even before design of the subassemblies began. The practice of stepwise decomposition is justified by the basic law of Boolean algebra that conjunction is monotonic, in the sense that it respects the implication ordering.

Efficient engineering depends on widespread reuse of previously designed assemblies and components. The remaining task is to implement the minimal new design to adapt the existing assembly to a new purpose. The most general specification for the new part of the design can be directly calculated from the original specification and the description of the reused components. The calculation uses only the Boolean operators of negation and disjunction. There is no need to postulate a new design by intuition or guesswork, and prove its correctness afterwards. Whenever possible, mathematical theory should replace intuition by routine calculation; this frees the engineer to apply his human insight and invention to the parts of the design that mathematics cannot reach.
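The three laws appealed to above (correctness is implication, implication is transitive, conjunction is monotonic) and the calculation of the most general specification for a new part can all be checked mechanically when the observation space is finite. The following is an added example written for this page, not code from the keynote: specifications and component descriptions are Python predicates over a dictionary of Boolean wire values, implication is decided by enumerating every observation, and the worked instance (an AND gate assembled from a reused NAND on an internal wire m and one part still to be designed) is my own construction.

```python
"""Boolean design calculus over finitely many wires.

Added example, not from Hoare's paper: a specification or a component
description is a predicate over an observation (a dict wire -> bool).
Because the wire set is finite, implication is decided by enumerating
every observation, so the laws the text appeals to can be checked directly.
"""
from itertools import product

WIRES = ("a", "b", "m", "y")  # the whole observation space of the instance


def observations(wires=WIRES):
    """Every observation: one assignment of True/False to each wire."""
    for bits in product((False, True), repeat=len(wires)):
        yield dict(zip(wires, bits))


def implies(p, q, wires=WIRES):
    """Correctness: P meets Q iff P => Q holds for every observation."""
    return all((not p(o)) or q(o) for o in observations(wires))


def conj(p, q):
    """Assembly of two components: both descriptions hold."""
    return lambda o: p(o) and q(o)


def disj(p, q):
    return lambda o: p(o) or q(o)


def neg(p):
    return lambda o: not p(o)


def exists(wire, p):
    """Hide an internal wire: the least upper bound over its two values."""
    return lambda o: any(p({**o, wire: v}) for v in (False, True))


def weakest_component(reused, spec):
    """Most general X with  reused and X => spec,  namely  not reused or spec.
    Only negation and disjunction are needed, as the text says."""
    return disj(neg(reused), spec)


# Worked instance (constructed): an AND gate assembled from a reused NAND
# and one new part.
def spec_and(o):            # requirement: y = a and b
    return o["y"] == (o["a"] and o["b"])

def reused_nand(o):         # reused component, output on internal wire m
    return o["m"] == (not (o["a"] and o["b"]))

def inverter(o):            # candidate new part
    return o["y"] == (not o["m"])

def wire_through(o):        # wrong candidate: forgets to invert
    return o["y"] == o["m"]

# Calculated, not guessed: the specification of the part still to be built.
new_part_spec = weakest_component(reused_nand, spec_and)


def check_design():
    """The correctness facts of the text, as a dict of Booleans."""
    return {
        # stepwise design: inverter => new_part_spec, and
        # reused_nand and new_part_spec => spec_and, so the assembly is correct
        "inverter_meets_new_part_spec": implies(inverter, new_part_spec),
        "calculated_design_meets_spec": implies(conj(reused_nand, new_part_spec), spec_and),
        "assembly_meets_spec": implies(conj(reused_nand, inverter), spec_and),
        # hiding m does not disturb correctness: spec_and never mentions m
        "hidden_assembly_meets_spec": implies(exists("m", conj(reused_nand, inverter)), spec_and),
        # the wrong part is rejected before anything is assembled
        "wire_through_meets_new_part_spec": implies(wire_through, new_part_spec),
    }


def transitivity_holds(p, d, s):
    """(P => D) and (D => S)  entails  (P => S): the law behind stepwise design."""
    return not (implies(p, d) and implies(d, s)) or implies(p, s)


def conjunction_monotonic(p1, d1, p2, d2):
    """(P1 => D1) and (P2 => D2)  entails  (P1 and P2 => D1 and D2):
    the law behind independent implementation of subassemblies."""
    premise = implies(p1, d1) and implies(p2, d2)
    return not premise or implies(conj(p1, p2), conj(d1, d2))


if __name__ == "__main__":
    for fact, holds in check_design().items():
        print(f"{fact}: {holds}")
```

The point of `weakest_component` is the one made in the text: the candidate part is judged against a specification that was calculated from the requirement and the reused NAND, so the mistaken `wire_through` is rejected by a check on the part alone, before any assembly or integration test.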

Abstraction

In the taming of complexity, the most powerful tool available to the human intellect is abstraction. In physical science, the same material objects may in principle be described at many levels of granularity and detail. The ultimate constituents of matter are described by particle physics using the terminology of quantum mechanics; at the level of atoms, a different language is used to describe completely different aspects of observable behaviour; and for molecules, yet another language is found most useful. At each level, scientists have developed separate free-standing theories, simple enough for practical calculations of phenomena described at a single homogeneous level of abstraction. But the real achievement of modern science is to show, by mathematical calculation and proof, that each of its theories is logically derivable, possibly as an approximation, from the theory at the next lower level of granularity. Atomic theory is firmly based in quantum theory and therefore, indirectly, so is molecular dynamics. A standard technique in crossing adjacent levels of abstraction is to describe, as accurately as is reasonable, the relationships between the observations that might be recorded of the same system at both the levels simultaneously. In mathematics this is often called a change of coordinates, and in software design it has been called a simulation, an abstraction, or a data representation. The transformation is applied to the lower level description to yield a description of the corresponding observations at the higher level of abstraction.

The concepts and techniques of abstraction are equally important in engineering design. Requirements and specifications are usually expressed in terms of what can be controlled or observed in the external world by the eventual user of the product. At each stage of design, the conceptual level changes to include more detail of the structure of the product and the interactions among its components. Each level of design may have its own theory and methods for reasoning about correctness and efficiency. But the real risks of subtle and dangerous errors arise at the interfaces between the levels of abstraction. Fortunately, they can be averted by rigorous application of the same transformation method which establishes the structure of physical science. What is more, the abstraction relation can also be applied in the direction appropriate for design, namely from the top-level specification down to the more detailed level of design. It is possible to ask and answer the question: "What is the most general low-level description of the product which will ensure that it meets its specification, given as a description at the higher level of abstraction?"

C-mos Transistors

The philosophy of the previous sections is illustrated by somewhat simplified examples drawn from the realm of hardware design. At the lowest level, we have a switching model of the behaviour of networks of C-mos transistors. This is described in terms of voltages measurable on each named wire of the network. The observation is made only when the network has reached stability, at the end of a typical cycle of operation. The observable states of each wire are:

connected only to power

connected only to ground

connected to neither

connected to both

The last state leads to a short-circuit or oscillation, which must be avoided. To prove their absence, one needs a theory which explicitly models such error states.

A transistor acts like a switch, which either disconnects or connects its source with its drain. The choice is made by the wire at its gate. A P-transistor transmits connection to power when its gate is connected to ground. An N-transistor is complementary: it transmits connection to ground when its gate is connected to power. For each transistor there is a predicate describing the stable relationships among the wires connected to its gate, its source, and its drain.

A transistor network, by definition, is stable only when all its component transistors are stable. An observation taken at that time will satisfy the conjunction of the predicates describing the stable states of its component transistors. The state of internal wires can be hidden by existential quantification. This simple model gives a reasonable analysis of several standard and non-standard designs.

Combinational Circuits

The purpose of a transistor network is often to implement a logic gate. The wires connected to a logic gate are classified as either input wires or output wires. At the end of each cycle, each wire can take only one of two states, either connected to power or connected to ground. The behaviour of a logic gate is described as a conjunction of one or more equations, each of which defines the value of an output wire as a Boolean function of the values of its input wires. Each output wire appears exactly once on the left hand side of one of the equations. When gates are combined into combinational circuits, the behaviour of the circuit is described by the conjunction of all the equations describing the individual gates. But there is one restriction: it must be possible to sort the equations into an order such that each output wire is defined before it is used. This restriction may also be described as a ban on cycles in the standard picture of the circuit. This vital property is preserved by existential quantification of local wires. In crossing the abstraction levels between transistor networks and combinational circuits, the main requirement is to prove the absence of the two unwanted values, floating and short-circuit. For each gate, it is assumed that the input wires are two-valued, and the proof shows that the two-valued property is transmitted to the output wires. This is why the acyclic property is so essential when joining combinational gates and circuits.
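The switching model of the two preceding sections, and the proof obligation that a two-valued input yields a two-valued output, can be made concrete for small networks. The following is an added example written for this page, not code from the keynote: each wire carries the pair (connected to power, connected to ground), the P- and N-transistor rules of the text are iterated to a stable state, and the step up to the gate level enumerates every two-valued input assignment and rejects any output that is floating or short-circuited. The rail names `vdd` and `gnd`, the wire names, and the two deliberately faulty networks are my own constructions; the inverter and NAND are the standard designs.

```python
"""A switching model of C-mos transistor networks, and the step up to gates.

Added example, not code from Hoare's paper.  A wire's stable state is the
pair (connected to power, connected to ground), giving the four states of
the text: POWER, GROUND, FLOATING (neither) and SHORT (both).  A P-transistor
transmits connection to power when its gate is connected to ground; an
N-transistor transmits connection to ground when its gate is connected to
power.  Both rules only ever add connections, so iterating them from
"connected to nothing" reaches the least stable state of the network.
"""
from itertools import product

POWER, GROUND = (True, False), (False, True)
FLOATING, SHORT = (False, False), (True, True)
NAME = {POWER: "power", GROUND: "ground", FLOATING: "floating", SHORT: "short"}


def stable_states(transistors, inputs):
    """Stable state of every wire, as a dict wire -> (power, ground).

    transistors: list of (kind, gate, source, drain) with kind "p" or "n";
    'vdd' and 'gnd' are the fixed rails (assumed names).  inputs: wire ->
    POWER or GROUND, the two-valued assumption on the gate's input wires.
    """
    state = {"vdd": POWER, "gnd": GROUND, **inputs}
    for _, g, s, d in transistors:
        for w in (g, s, d):
            state.setdefault(w, FLOATING)
    changed = True
    while changed:
        changed = False
        for kind, g, s, d in transistors:
            gate_power, gate_ground = state[g]
            if kind == "p" and gate_ground:
                idx = 0  # transmit 'connected to power'
            elif kind == "n" and gate_power:
                idx = 1  # transmit 'connected to ground'
            else:
                continue  # switch open (a floating gate opens both kinds)
            merged = state[s][idx] or state[d][idx]
            for w in (s, d):
                if state[w][idx] != merged:
                    new = list(state[w])
                    new[idx] = merged
                    state[w] = tuple(new)
                    changed = True
    return state


def gate_function(transistors, input_wires, output_wire):
    """Cross the abstraction boundary.  For every two-valued assignment to the
    inputs, require the output to be two-valued and read it as a Boolean.
    Returns (truth_table, None), or (None, (inputs, bad_state)) on failure."""
    table = {}
    for bits in product((False, True), repeat=len(input_wires)):
        inputs = {w: POWER if b else GROUND for w, b in zip(input_wires, bits)}
        out = stable_states(transistors, inputs)[output_wire]
        if out not in (POWER, GROUND):
            return None, (bits, NAME[out])
        table[bits] = out == POWER
    return table, None


# Standard designs.  The NAND's internal wire 'm' between the series
# N-transistors is hidden simply by not being reported.
INVERTER = [("p", "a", "vdd", "y"), ("n", "a", "gnd", "y")]
NAND = [("p", "a", "vdd", "y"), ("p", "b", "vdd", "y"),
        ("n", "a", "y", "m"), ("n", "b", "m", "gnd")]
# Constructed non-standard designs the model rejects: an N-transistor asked
# to pass power leaves the output floating, and a P-transistor with its gate
# tied to ground fights the pull-down, shorting the output when a is power.
NMOS_BUFFER = [("n", "a", "vdd", "y")]
ALWAYS_ON_PULLUP = [("p", "gnd", "vdd", "y"), ("n", "a", "gnd", "y")]


if __name__ == "__main__":
    for name, net, ins in (("inverter", INVERTER, ["a"]), ("nand", NAND, ["a", "b"]),
                           ("nmos buffer", NMOS_BUFFER, ["a"]),
                           ("always-on pull-up", ALWAYS_ON_PULLUP, ["a"])):
        print(name, gate_function(net, ins, "y"))
```

For a network with n input wires, `gate_function` performs the proof the text describes by exhaustion over the 2^n two-valued inputs; it is the error states carried explicitly in the model, not the Boolean truth table, that let it reject the two faulty networks.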

Sequential Circuits

A sequential circuit is one whose behaviour during any cycle of operation may depend on the state that it achieved at the end of the immediately preceding cycle of operation. The voltage on each wire must therefore be recorded as a subscripted variable, where the subscript is an integer identifying which cycle is being recorded.

As in the case of combinational circuits, the behaviour is described by an acyclic conjunction of equations, one for each output wire. All variables are subscripted by the same subscript t, with only one exception: the variable defined on the left of an equation may also appear with subscript (t-1) on the right of the same or any other equation, and on such references there is no ban on cycles. The value of a wire at cycle "minus one" is non-deterministic, and no reliance can be placed upon it. The basic components of sequential circuits are delays and latches. They are built from transistor networks, using the fact that floating wires tend to retain the same voltage that they had at the end of the previous cycle of operation. The tendency can be reinforced by introduction of electronic feedback. These facts form the basis of the abstraction relation which transforms between these two levels of abstraction.
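The two rules of the preceding sections on systems of equations (same-cycle references must admit a definition-before-use ordering; references to cycle t-1 are free, but cycle minus one is arbitrary) can be checked and exercised directly. The following is an added example written for this page, not code from the keynote: equations are represented as functions over the current and previous cycle, a topological sort rejects combinational loops, and the simulation runs from every possible initial state so that a design which relies on the value at cycle minus one is exposed. The toggle-bit circuits, the wire names and the input trace are my own constructions.

```python
"""Gate equations with cycle subscripts: combinational and sequential circuits.

Added example, not from Hoare's paper.  A circuit is a dict
    output wire -> (function, wires read at cycle t, wires read at cycle t-1)
and the function is called as fn(current, previous) on two dicts of values.
Same-cycle references must be acyclic (definition before use); references
to cycle t-1 are unrestricted.  Values at cycle -1 are arbitrary, so the
simulation is run from every possible initial state of the t-1 wires.
"""
from itertools import product


def definition_order(equations):
    """Sort outputs so each is defined before it is used within a cycle.
    Returns None when the same-cycle dependencies contain a cycle."""
    remaining = dict(equations)
    order = []
    while remaining:
        ready = [w for w, (_, now, _) in remaining.items()
                 if not any(d in remaining for d in now)]
        if not ready:
            return None  # a combinational loop: no valid ordering exists
        for w in sorted(ready):
            order.append(w)
            del remaining[w]
    return order


def simulate(equations, input_trace):
    """Run the circuit over input_trace from every cycle -1 state.
    Returns the set of distinct output traces (one tuple per cycle)."""
    order = definition_order(equations)
    if order is None:
        raise ValueError("not acyclic within a cycle")
    outputs = list(equations)
    prev_wires = sorted({w for _, _, prev in equations.values() for w in prev})
    traces = set()
    for init in product((False, True), repeat=len(prev_wires)):
        prev = dict(zip(prev_wires, init))  # cycle -1: no reliance allowed
        trace = []
        for inputs in input_trace:
            cur = dict(inputs)
            for w in order:
                cur[w] = equations[w][0](cur, prev)
            trace.append(tuple(cur[w] for w in outputs))
            prev = cur
        traces.add(tuple(trace))
    return traces


def settled_traces(traces, cycles):
    """Drop the first `cycles` cycles: a single remaining trace means the
    design no longer depends on the arbitrary initial state."""
    return {t[cycles:] for t in traces}


# Constructed design: a toggle bit q with synchronous reset, a one-cycle
# delay d of q, and a rising-edge detector.  'rise' reads q and d at the
# same cycle, so the ordering must place it after them.
def toggle_with_reset():
    return {
        "q": (lambda c, p: (not c["reset"]) and (p["q"] != c["toggle"]),
              ["reset", "toggle"], ["q"]),
        "d": (lambda c, p: p["q"], [], ["q"]),
        "rise": (lambda c, p: c["q"] and not c["d"], ["q", "d"], []),
    }


def toggle_without_reset():
    eqs = toggle_with_reset()
    eqs["q"] = (lambda c, p: p["q"] != c["toggle"], ["toggle"], ["q"])
    return eqs


# Two equations each reading the other at cycle t: banned.
COMBINATIONAL_LOOP = {
    "x": (lambda c, p: not c["y"], ["y"], []),
    "y": (lambda c, p: c["x"], ["x"], []),
}

# Constructed input trace: reset in cycle 0, then toggle on alternate cycles.
TRACE = [{"reset": True, "toggle": False}, {"reset": False, "toggle": True},
         {"reset": False, "toggle": False}, {"reset": False, "toggle": True}]


if __name__ == "__main__":
    print(definition_order(toggle_with_reset()))
    print(definition_order(COMBINATIONAL_LOOP))
    for name, eqs in (("with reset", toggle_with_reset()),
                      ("without reset", toggle_without_reset())):
        print(name, len(settled_traces(simulate(eqs, TRACE), 1)), "trace(s) after cycle 0")
```

With the reset asserted in cycle 0, the two possible cycle minus one values of q still produce two different traces (the delay d copies the arbitrary value in cycle 0), but they agree from cycle 1 onwards; without the reset the two traces never agree, which is exactly the reliance on cycle minus one that the text forbids.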


Conclusion

The only purpose of my example theories of hardware design is to illustrate the principles of engineering methods based on Boolean algebra. The theories have been grossly oversimplified, and ignore many sources of error that in all prudence should be taken into account. Simplification is an indispensable aid to introduction of new ideas, both in talks like this and in general education. But I think it is more important than that. Science can progress only by postulating simple theories, and controlling their inaccuracies by meticulous design and the conduct of experiments. Sometimes a systematic deviation from expectation is observed; and it is only then that a deeper understanding is obtained of the underlying factors on which a new and more sophisticated theory is based. Even then, the simpler theory retains its value as a practical approximation for general use.

The engineer takes similar advantage of a simple theory in the early stages of design, in the reasonable expectation that inaccuracies can be compensated for at a later stage. Again, the real challenge for the theorist is to clarify the links between simple and more complex theories; and to use this understanding to formulate conditions and design rules that will allow the engineer to continue to safely use the simplest possible theory for its appropriate purpose.

This theory of engineering design has been derived from my study of computing science, and I would most like to see the results of its wider application in the same area. The need is great. We need a connected structure of theories to deal with all the levels of abstraction. We need a range of theories specialised to the collection and analysis of requirements in all their primary areas of application. We also need theories for the specification, design and implementation of computer software in a variety of programming paradigms, or combinations of them: procedural, functional, logical, parallel and more. In all this, we gain ideas, insight and encouragement from the simple example of Boolean algebra, and the excellent contribution that it makes to the well-established disciplines of hardware engineering.
