Graham is VP of Marketing at Real Intent. He has over 20 years experience in the design automation industry. He has founded startups, brought Nassda to an IPO and previously was Sales and Marketing Director at Internet Business Systems, a web portal company. Graham has a Bachelor of Computer Science degree from Carleton University, Ottawa, Canada. « Less
Graham is VP of Marketing at Real Intent. He has over 20 years experience in the design automation industry. He has founded startups, brought Nassda to an IPO and previously was Sales and Marketing Director at Internet Business Systems, a web portal company. Graham has a Bachelor of Computer … More »
Fundamentals of Clock Domain Crossing Verification: Part One
July 10th, 2014 by Graham Bell
The increase in SOC designs is leading to the extensive use of asynchronous clock domains. The clock-domain-crossing (CDC) interfaces are required to follow strict design principles for reliable operation. Also, verification of proper CDC design is not possible using standard simulation and static timing-analysis (STA) techniques. As a result, CDC-verification tools have become essential in design flows.
A good understanding of the CDC problem requires an understanding of metastability and the associated design challenge.
When the input signal to a data latch changes within the setup-and-hold window around the transition of the latching clock, the latch output can become metastable at an intermediate voltage between logical zero and one. Figure 1 shows a simplified latch implementation. The metastable state is a very high-energy state as shown in Figure 2. Because of noise in the chip environment, this metastable voltage gets disturbed and eventually resolves to a logical value. The resolution time is dependent upon the load on the latch output and the gain through the feedback loop. It is impossible, however, to predict this logical value. Also, there is an inherent delay in the resolution of the metastable output as shown in the timing diagram of Figure 3. This logical and timing uncertainty introduces unreliable behavior in the design and, without proper protection, can cause it to fail in unpredictable ways.
For synchronous clock designs, timing closure with static timing analysis ensures that all paths meet timing specifications; metastability is avoided and the designs operate reliably.
Limitations of functional verification
The prevalent functional-verification methodology is based upon functional simulation. A simplified view of the simulation model is that the design behavior is evaluated using zero-delay evaluation for logic, unit-delay for flops and ideal clock behavior. Also, formal analysis makes use of the same evaluation assumptions. But both of these techniques have an inherent limitation because they only analyze the steady-state behavior of the design.
Functional verification makes a fundamental assumption that static timing analysis will account for the uncertainty in clock behavior caused by jitter and skews, and ensure that all hazards in the design subside before the clock event (timing closure). This is the default timing rule. Functional verification will be invalidated if this assumption is violated. Static timing analysis lets users specify exceptions to the default timing rules. These exceptions invalidate the functional-verification and default-timing assumptions. It is imperative that these exceptions be properly verified using timing-closure verification (TCV) for a robust design methodology. Because static timing of CDC interfaces is not possible and requires timing exceptions, CDC verification is a unique and essential component of TCV.
A clock domain is defined as the set of all flops that are clocked by the associated clock. A clock-domain crossing (CDC) is defined as a flop-to-flop path where the transmitting flop is triggered by a clock that is asynchronous to the receiving flop clock. These two clock domains are considered to be relatively asynchronous. Figure 4 describes the CDC terminology used in this article. The receiving flops are referred to as CDC flops. The signals feeding the CDC flops are referred to as CDC signals.
Unavoidable metastability and the CDC problem
Asynchronous clocks operate without any mutual frequency and phase relationships. As a result, it is impossible to guarantee timing on CDC paths because the launch- and capture-clock edges can be arbitrarily close, and metastability is unavoidable for CDC designs. This invalidates the assumptions of both functional simulation and formal verification, and robust design behavior cannot be assured using simulation and static timing analysis. Without proper design, CDC errors can cause random and unpredictable failures in a chip that are impossible to debug.
Metastability introduces the following failure modes in the design:
Next posting, we will look at CDC design principles.
4 Responses to “Fundamentals of Clock Domain Crossing Verification: Part One”