Open side-bar Menu
 Real Talk
Graham Bell
Graham Bell
Graham is VP of Marketing at Real Intent. He has over 20 years experience in the design automation industry. He has founded startups, brought Nassda to an IPO and previously was Sales and Marketing Director at Internet Business Systems, a web portal company. Graham has a Bachelor of Computer … More »

Fundamentals of Clock Domain Crossing Verification: Part One

July 10th, 2014 by Graham Bell

The increase in SOC designs is leading to the extensive use of asynchronous clock domains. The clock-domain-crossing (CDC) interfaces are required to follow strict design principles for reliable operation. Also, verification of proper CDC design is not possible using standard simulation and static timing-analysis (STA) techniques. As a result, CDC-verification tools have become essential in design flows.

A good understanding of the CDC problem requires an understanding of metastability and the associated design challenge.


When the input signal to a data latch changes within the setup-and-hold window around the transition of the latching clock, the latch output can become metastable at an intermediate voltage between logical zero and one. Figure 1 shows a simplified latch implementation. The metastable state is a very high-energy state as shown in Figure 2. Because of noise in the chip environment, this metastable voltage gets disturbed and eventually resolves to a logical value. The resolution time is dependent upon the load on the latch output and the gain through the feedback loop. It is impossible, however, to predict this logical value. Also, there is an inherent delay in the resolution of the metastable output as shown in the timing diagram of Figure 3. This logical and timing uncertainty introduces unreliable behavior in the design and, without proper protection, can cause it to fail in unpredictable ways.

Figure 1. A simplified latch.

Figure 2. The metastability energy curve.
Figure 3. Metastability timing diagram.

For synchronous clock designs, timing closure with static timing analysis ensures that all paths meet timing specifications; metastability is avoided and the designs operate reliably.

Limitations of functional verification

The prevalent functional-verification methodology is based upon functional simulation. A simplified view of the simulation model is that the design behavior is evaluated using zero-delay evaluation for logic, unit-delay for flops and ideal clock behavior. Also, formal analysis makes use of the same evaluation assumptions. But both of these techniques have an inherent limitation because they only analyze the steady-state behavior of the design.

Functional verification makes a fundamental assumption that static timing analysis will account for the uncertainty in clock behavior caused by jitter and skews, and ensure that all hazards in the design subside before the clock event (timing closure). This is the default timing rule. Functional verification will be invalidated if this assumption is violated. Static timing analysis lets users specify exceptions to the default timing rules. These exceptions invalidate the functional-verification and default-timing assumptions. It is imperative that these exceptions be properly verified using timing-closure verification (TCV) for a robust design methodology. Because static timing of CDC interfaces is not possible and requires timing exceptions, CDC verification is a unique and essential component of TCV.

CDC terminology

A clock domain is defined as the set of all flops that are clocked by the associated clock. A clock-domain crossing (CDC) is defined as a flop-to-flop path where the transmitting flop is triggered by a clock that is asynchronous to the receiving flop clock. These two clock domains are considered to be relatively asynchronous. Figure 4 describes the CDC terminology used in this article. The receiving flops are referred to as CDC flops. The signals feeding the CDC flops are referred to as CDC signals.

Figure 4. Defining CDC terminology.

Unavoidable metastability and the CDC problem

Asynchronous clocks operate without any mutual frequency and phase relationships. As a result, it is impossible to guarantee timing on CDC paths because the launch- and capture-clock edges can be arbitrarily close, and metastability is unavoidable for CDC designs. This invalidates the assumptions of both functional simulation and formal verification, and robust design behavior cannot be assured using simulation and static timing analysis. Without proper design, CDC errors can cause random and unpredictable failures in a chip that are impossible to debug.

Metastability introduces the following failure modes in the design:

  • Loss of correlation (error E1). This happens when two or more correlated CDC flops become metastable as shown in Figures 5a and 5b. Figure 6 shows the timing diagram where these flops resolve to arbitrary logical values and lose correlation, leading to a bad design state.
  • Hazard (glitch) capture (error E2). A hazard on a CDC path can get captured in the CDC flop leading to bad design state as shown in Figure 7.
  • Loss of signal (error E3). CDC signals that are stable for less than one clock cycle of the receiving clock may not get captured in the receiving domain because of clock network uncertainties, clock alignment and metastability. Figure 8 shows the situation where functional verification view concludes signal transmission. However, the signal transmission can actually fail, leading to a bad state in the design.
  • Metastability propagation (error E4). Metastability may propagate to the next level of flops in the design if it is not resolved in a timely manner. The resolution time is dependent upon the load on the flop. Propagation of metastability may lead to a cascading of errors E1-E3.
Figure 5a. Loss of correlation.
Figure 5b. Loss of correlation.
Figure 6. Loss of correlation timing diagram.
Figure 7. Glitch capture.
Figure 8. Loss of signal.

Next posting, we will look at CDC design principles.

Related posts:

Tags: , , , ,

4 Responses to “Fundamentals of Clock Domain Crossing Verification: Part One”

  1. Nora says:

    Could you post the images?

  2. Graham Bell Graham Bell says:

    The images are now back!

  3. […] Last time we looked at how metastability is unavoidable and the nature of the clock domain crossing (CDC) problem.   This time we will look at design principles. […]

  4. […] Fundamentals of Clock Domain Crossing Verification: (a four part series) […]

Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

CST Webinar Series

Internet Business Systems © 2016 Internet Business Systems, Inc.
595 Millich Dr., Suite 216, Campbell, CA 95008
+1 (408)-337-6870 — Contact Us, or visit our other sites:
TechJobsCafe - Technical Jobs and Resumes EDACafe - Electronic Design Automation GISCafe - Geographical Information Services  MCADCafe - Mechanical Design and Engineering ShareCG - Share Computer Graphic (CG) Animation, 3D Art and 3D Models
  Privacy Policy