Abstract – Moore's law has been motivating the semiconductor industry to churn out multi-clock (mostly unrelated) complex system-on-chip (SoC) designs. Data/signals that cross such unrelated or asynchronous clock domains are more likely to be sampled before they are stable, and can cause issues like metastability. Such clock domain crossing (CDC) signals must be synchronized between the domains using a valid synchronizer, and must be verified exhaustively in some way before quality sign-off. If not verified appropriately, or if detected late in the design cycle, these crossings will result in chip re-spins and prove too costly, as sometimes the product itself will be out of market. The typical challenge in flat netlist-based CDC verification checks is huge run time, memory consumption and millions of violation counts to debug. In this paper, therefore, a hierarchical CDC verification methodology has been implemented for system-on-chip integrated circuits. This hierarchical approach improves the CDC verification for SoC in terms of memory consumption and time taken for sign-off without compromising quality.

Keywords: SoC; metastability; clock domain crossing; synchronization; reset domain crossing; glitch.

I. INTRODUCTION

Earlier ASIC/custom chip designs used to have only one or two clocks that drove the entire chip. Following the road-map of Moore's law, the attempt to put more transistors on the same silicon size is continuing. By putting more on a single chip, one is putting together more unrelated things driven by different clocks, which leads to data crossing clock domains, which is now a very common scenario. Data crossing the clock domains further leads to different issues like metastability, data loss and glitch etc., which can be clubbed and termed as the clock domain crossing (CDC) issue [1]. This CDC problem continues to increase in modern system-on-chip (SoC) as one is making more complex systems. Therefore, solutions are needed to scale down the problem as design complexity grows with the increase in complexity of current system-on-chips. The traditional register transfer level (RTL) verification techniques like functional simulation, timing analysis, and many other complex formal techniques cannot guarantee fabricated chips free of CDC and reset domain crossing (RDC) errors, and glitches. Some of the CDC and RDC related faults responsible for chip re-spins if not verified are as follows [1], [2].

- Metastability due to setup and hold-time violations in CDC path.
- Metastability due to asynchronous RDC.
- Glitch propagation due to convergence and divergences of crossover paths.
- Clock jitter.

For a complex design like an SoC, it is very common to have multiple independent clock domains, and so there exists a huge number of CDC crossing paths in the design where the data can face CDC issues like metastability, data loss, data incoherency etc. Data crossing the clock domains is vulnerable to CDC issues and can cause functional failure of the chip. It is very hard or impossible to detect such CDC issues at simulation level [3]. There is no way one can be sure that this issue can be prevented by this method or that method. But one can try to reduce the detrimental effects of such issues on chips with the help of synchronizers. Different synchronizers are proposed for different scenarios of data crossing the clock domains, and thus it becomes very crucial to verify the correctness of the synchronizer [4]. Several design automation tools are available which aid in finding missing synchronizers, reconvergence of synchronized signals, divergences in the crossover, etc. [5], [6]. Besides, research works are available that report SystemVerilog Assertions (SVA) for finding CDC faults in simulation [7], [8]. CDC verification of SoC has multidimensional challenges like huge run time, memory consumption and millions of violation counts. Considering all challenges, one should try to improve the CDC verification techniques for SoCs.

An attempt has been made in this paper to understand CDC concept together with its issues of
JEEE, Volume 14, Number 2, October 2021
For any pair of sequential elements, i.e., flip-flop to flip-flop, flip-flop to latch, latch to flip-flop, etc., that have different launching and capturing clocks, the designer does not know exactly how much edge difference exists between the clocks. Even in cases wherein the phase is known, the design engineer cannot do setup/hold or max./min. checks, because the phase relation is not constant. Such scenarios are termed Clock Domain Crossing (CDC). In these scenarios, it is very difficult to avoid metastability or to stop a glitch from propagating in the design, and it finally leads to chip failure. A simple CDC case is shown in Figure 1. Input data 'Din' is launched by the 'CLK1' (TX-flop) clock domain and should be captured properly by the 'CLK2' (RX-flop) clock domain. Depending on the clock relationships between 'CLK1' and 'CLK2', one might get different problems when input data travels from the input of TX-flop to the output of RX-flop. If data at the input of RX-flop changes within the setup-hold window of RX-flop, then it may lead to metastability. Hence, one needs special CDC checks to ensure that the data at the input of RX-flop never lands in the setup and hold window of RX-flop. This is the fundamental and the only check required for CDC sign-off [1], [9], [10].

So, in cases when the designer does not have a relationship between 'CLK1' and 'CLK2', metastability can occur. However, there are many different ways of avoiding this metastability or enabling synchronization. For synchronization, one can take advantage of the design architecture or different clock relationships. Therefore, the designer must be aware of the design architecture and clock relationships to effectively perform CDC checks.

When the CDC tools were designed, it was not common to have a design where there were more than one or two resets in a block. So, during the development of the tool, it was assumed that if TX-flop has its asynchronous reset asserted, then every RX-flop would be in reset. So, while considering CDC checks with a tool, the tool checks for the clock events in sequential elements, and never checks for the reset events. Hence, the RDC check came into existence when designs were made more complex.

The design engineer would never want a signal at the output of the RX-flop element to be metastable. The possible case when the signal at the output of the capturing sequential element can go into the metastable state is based on the clock event at TX-flop and RX-flop. But that is not the only possibility; it can also go to a metastable state based on asynchronous reset events at TX-flop, which CDC tools never check. For any pair of sequential elements, if TX-flop has an asynchronous reset, then the event at the output of TX-flop is not only based on the activity of 'CLK1', but is also dictated by the activity of 'RST1' (asynchronous reset). If the output of TX-flop changes based on the clock event, then the crossing checks that are done for that fall under CDC checks. If the output of TX-flop changes asynchronously because of the reset, then the crossing checks that are done for that come under RDC checks [11], [12].

A simple RDC case is shown in Figure 2. The TX-flop and RX-flop have resets 'RST1' and 'RST2' respectively. 'RST1' and 'RST2' are not the same and do not have any defined relationship. Assume a scenario when 'RST1' is asynchronously asserted, but 'RST2' is not in reset. Besides, also assume 'CLK2' is active so that RX-flop will be sampling the output of TX-flop. So, when an asynchronous assertion is active on 'RST1', regardless of the state of clock 'CLK1', the output of TX-flop will change. In that case, if the change at the output of TX-flop falls within the setup-hold window of 'CLK2', it can make the output of RX-flop go into a metastable state. So, in an RDC check, one checks whether the resets of TX-flop and RX-flop are not the same, or whether both have an asynchronous relationship with each other and with the clocks.
Fig. 2 Simple design with RDC
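The CDC and RDC checks described in this section can be written as a small structural classifier over TX-flop to RX-flop paths. This is an added example, not code from the paper or from any CDC tool; the clock and reset group tables, the flop names and the `covered` field (which crossing kinds a recognized synchronizer on the path handles) are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flop:
    name: str
    clk: str
    arst: Optional[str] = None  # asynchronous reset net; None means no reset pin

# Constructed constraints (hypothetical names): nets in the same group have a
# defined relationship; nets in different groups are asynchronous to each other.
CLOCK_GROUP = {"CLK1": "cg1", "CLK1_DIV2": "cg1", "CLK2": "cg2"}
RESET_GROUP = {"RST1": "rg1", "RST2": "rg2"}

def crossings(tx: Flop, rx: Flop) -> set:
    """Classify the path tx.Q -> rx.D as CDC, RDC, both, or neither."""
    kinds = set()
    # CDC: launch and capture clocks have no constant phase relationship.
    if CLOCK_GROUP[tx.clk] != CLOCK_GROUP[rx.clk]:
        kinds.add("CDC")
    # RDC: tx.Q can change on an asynchronous reset while rx keeps sampling.
    # Independent of the clocks, and rx does not need a reset pin to be hit.
    if tx.arst is not None:
        rx_group = RESET_GROUP[rx.arst] if rx.arst is not None else None
        if rx_group != RESET_GROUP[tx.arst]:
            kinds.add("RDC")
    return kinds

def violations(paths):
    """paths: (tx, rx, covered) tuples, where covered is the set of crossing
    kinds a recognized synchronizer on that path handles (an assumption here).
    Returns the crossings that remain unsynchronized."""
    out = []
    for tx, rx, covered in paths:
        for kind in sorted(crossings(tx, rx) - covered):
            out.append((tx.name, rx.name, kind))
    return out

# Constructed sample netlist.
TX = Flop("tx", "CLK1", "RST1")
PATHS = [
    (TX, Flop("rx_a", "CLK2", "RST2"), {"CDC"}),           # CDC synchronized, RDC not
    (TX, Flop("rx_b", "CLK1", None), set()),               # same clock, RX has no reset pin
    (TX, Flop("rx_c", "CLK1_DIV2", "RST1"), set()),        # related clock, same reset
    (Flop("tx_nr", "CLK1"), Flop("rx_d", "CLK2"), set()),  # no resets, asynchronous clocks
]

if __name__ == "__main__":
    for v in violations(PATHS):
        print(v)
```

The `rx_a` and `rx_b` paths are reported as RDC even though one has its CDC synchronized and the other has no clock crossing at all.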
It checks whether the output of TX-flop, when it changes with active reset regardless of 'CLK1' and falls within the setup-hold window of RX-flop (which can cause the output to be metastable), is synchronized or not, to ensure the output is reliable. Thus, RDC is still a CDC problem, but due to tool limitations, the industries conduct RDC checks separately.

A few important points about RDC checks are as follows.

- Even if RX-flop has no reset pin, the check is still a valid check, because if there is a free-running clock at RX-flop, then an asynchronous reset on TX-flop can still lead to metastability at the output of RX-flop if the output from TX-flop changes within the setup-hold window of RX-flop. So, one must do RDC checks based on the activity of the asynchronous reset at TX-flop regardless of whether a reset is present at RX-flop or not.
- Even if 'CLK1' and 'CLK2' are equal or synchronous, the RDC problem still exists, because the problem is not based on the clock event. One can have a synchronous system that has multiple asynchronous resets coming in. So, if the reset on TX-flop is asserted but the reset on RX-flop is not active, then, while clocks are actively running, metastability can still be injected. So, RDC is still a problem even if CDC is not a problem.
- There are many ways to solve RDC. A number of synchronization methods exist. There is not one particular solution to the problem. As synchronization occurs in different ways, tools also need to understand the way synchronization has occurred.

Multiple efforts have been made for performing CDC verification for a design in the VLSI industry. In literature resources, important works on verification of CDC issues exist [13], [14]. The authors therein describe two methods for verifying CDC interfaces. In one, a rule-based model checker is applied for verifying the protocol specification based on rules generated through Property Specification Language (PSL) properties from the Signal Transition Graph (STG). In the second method, the correctness of data transfers, and duplicate data or missing data, is verified. Another important work is reported, wherein the authors have proposed a novel SAT-based method to verify CDC protocols [15]. The focus here is on modeling multiple clocks by assigning a state variable for each clock which takes the value 0 or 1 at each verification tick. The assumption here is that setup and hold time are zero for any sequential flip-flop.

Modern SoCs have many clock domains at different interfaces, so they use different synchronizers. A solution has been described in one of the research works for preventing synchronization delay by overlapping it with computational cycles [16]. In this paper, the correctness of the method has been validated through a field-programmable gate array (FPGA) implementation and applying it to several synthesized benchmarking circuits. The outcome of this method shows an average saving of 135% and 204% in area and about 100% in power costs as compared to other existing speculative methods discussed in the paper. In another work, a novel approach has been devised for analyzing the behavior and performance of synchronizers [17]. In this, the time to voltage gain of a synchronizer has been formulated and the results have proven that the gain increases exponentially in the synchronizer circuit as a function of time from the regenerative feedback.

A number of factors have been identified affecting the performance measure of a synchronizer, like process technology, operating conditions, and circuit design [18]. The authors in this paper have made an attempt to prove that such global constraints apply to the entire integrated circuit, whereas other factors can be tuned for an individual synchronizer in the design. Furthermore, a method has been proposed in the paper for improving the synchronizers, i.e., selection of minimum size flip-flop cells, avoiding scan and reset, minimizing routing, choosing a high performance flavor and minimum threshold voltage (VTH), and reducing jitter in coherent clock domain crossings. The literature also contains a SAL model based checker being used for verifying the correctness of a simple CDC interfacing circuit [19]. In this paper, the CDC interface is modelled with a SAL based model. The paper also provides a proof verifying the compliance of the circuit with the basic invariant. Besides this, some other works in literature have suggested use of the SMV model checker for verification of multiple clock designs [20], [21].

If data/signal crossing the clock domain is not properly synchronized, then it may lead to one of the many CDC issues depending on the architecture of the design. A few common CDC issues are discussed in the following sub-sections.

A. Metastability

Metastability in electronics is the ability of a digital electronic system to persist for an unbounded time or bounded time in an unstable equilibrium or metastable state [22-25]. The circuit may be unable to settle into a stable '0' or '1' logic level within the time required for proper circuit operation. In digital design, if anything other than logic 0 or logic 1, say 0.8VDD, 0.5VDD, or 0.2VDD, is not resolved to logic '0' or logic '1' in the time that one is supposed to sample, then the operation of that system becomes unstable/unpredictable. As shown in Figure 3, CLK1=C1 and CLK2=C2 are asynchronous clocks and A is the output of TX-flop. Here, signal 'A' changes very close to the active edge of C2, and it falls within the setup-hold window of RX-flop, which causes the output of RX-flop to be unstable for an indefinite period of time or output of RX-flop is in
metastable state. After indefinite time, output will settle to logic '1' or logic '0' based on how the unstable state is resolved.

clock. Both have same phase. In Figure 4 (b), 0101111 sequence is the output of TX-flop at the active edge of 'C1', and that is sampled by RX-flop. The output of RX-flop will be '0011'. Here the transition from 0 to 1 which was there on third active edge of source clock 'C1' is not captured by the destination flop and hence data is lost.
TABLE 1. Comparison of Flat CDC with Hierarchical CDC

                              Methodology for CDC verification
Parameter                     Flat CDC      Hierarchical CDC      % Improvement
No. of abstracted IP/Block    N.A.          20                    N.A.
Setup violation               X (K)         X/2 (K)               ~ 50%
CDC verify violation          ~ Y Lacs      ~ Y/32 Lacs           ~ 96%
Glitch check                  Z (K)         Z/4 (K)               25%
Memory                        P (GB)        P/2 (GB)              50%
Run time                      Q (hrs.)      Q/6 (hrs.)            ~ 83%

VI. CONCLUSIONS AND FUTURE SCOPE

In this paper, the focus has been on improving verification of the clock domain crossing issue appearing in modern complex SoC designs. Implementation of the hierarchical CDC flow has shown an improved result in comparison to the flat CDC flow in terms of run time, memory utilization, and violation count. This hierarchical method shall help design engineers with on-time delivery of the design to the next stage of the design cycle.

In the presented flow, abstract information for each IP has been used in the SoC/subsystem. In future, one can focus on CDC analysis for large complex SoCs which have more than a hundred subsystem instances, which makes CDC analysis more complex. By dividing the entire SoC into logical partitions, top level CDC analysis can then be performed at each logical partition, generating partition abstracts that are consumed at the SoC level. It shall have the advantage of reducing the run time by performing the CDC analysis in parallel at different portion levels.

REFERENCES

[1] N. Karimi and K. Chakrabarty, "Detection, Diagnosis, and Recovery from Clock-Domain Crossing Failures in Multi clock SoCs", IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 32, no. 9, pp. 1395-1408, September 2013.
[2] Y. Feng, Z. Zhou, D. Tong, X. Cheng, "Clock domain crossing fault model and coverage metric for validation of SoC design", Proc. Design, Automation & Test in Eur. Conf. & Exhibition, Nice, France, pp. 1-6, 2007.
[3] P. Ashar and V. Viswanath, "Closing the Verification Gap with Static Sign-off", International Symposium on Quality Electronic Design, CA, USA, pp. 343-347, 2019.
[4] C. Szàsz, and R. Şinca, "The Nontrivial Problem of Matching in Redundant Digital Systems", Journal of Electrical and Electronics Engineering, vol. 12, no. 1, pp. 51-56, May 2019.
[5] S. Yang and M. Greenstreet, "Computing Synchronizer Failure Probabilities", Proc. Design, Automation & Test in Europe Conf. & Exhibition, Nice, France, pp. 1-6, 2007.
[6] I.W. Jones, S. Yang, and M. Greenstreet, "Synchronizer Behavior and Analysis", Int'l Symp. on Asynchronous Circuits and Systems, NC, USA, pp. 117-126, 2009.
[7] K. R. Talupuru and S. Athi, "Achieving Glitch-Free Clock Domain Crossing Signals Using Formal Verification, Static Timing Analysis, and Sequential Equivalence Checking", 12th Intl. Workshop on Microprocessor Test and Verification, Austin, pp. 5-9, 2011.
[8] Y. Peng, I.W. Jones and M. Greenstreet, "Finding Glitches Using Formal Methods", Intl. Symp. on Asynchronous Circuits and Systems, pp. 45-46, 2016.
[9] S. Verma, A. Dabare, "Understanding clock domain crossing issues", SoC Designline, EE Times, 2007.
[10] G. Plassan, H. Peter, K. Morin-Allory, F. Rahim, S. Sarwary, and D. Borrione, "Conclusively verifying clock-domain crossings in very large hardware designs", Intl. Conf. on Very Large-Scale Integration (VLSI-SoC), Tallin, Estonia, pp. 1-6, 2016.
[11] C. Cummings, D. Mills, S. Golson, "Asynchronous & Synchronous Reset Design Techniques–Part Deux", SNUG Boston, Rev. 1.3, pp. 1-38, 2003.
[12] C. Cummings, and D. Mills, "Synchronous Resets? Asynchronous Resets? I am so confused! How will I ever know which to use?", SNUG San Jose, pp. 1-31, 2002.
[13] T. Kapschitz and R. Ginosar, "Formal verification of synchronizers", Proc. 13th IFIP Correct Hardware Design and Verification Methods, Germany, pp. 359-362, Oct. 2005.
[14] R. Dobkin, T. Kapshitz, S. Flur and R. Ginosar, "Assertion Based Verification of Multiple-Clock GALS Systems", Proc. IFIP/IEEE Int. Conference on Very Large-Scale Integration (VLSI-SoC), Greece, pp. 1-6, Oct. 2008.
[15] E. Clarke, D. Kroening, and K. Yorav, "Specifying and Verifying Systems with Multiple clocks", Proc. Intl. Conf. on Computer Design, CA, USA, pp. 48-55, 2003.
[16] G. Tarawneh, A. Yakovlev, and T. Mak, "Eliminating Synchronization Latency Using Sequenced Latching", IEEE Transactions on Very Large-Scale Integration Systems, vol. 22, no. 2, pp. 408–419, 2014.
[17] S. Beer, J. Cox, R. Ginosar, T. Chaney, and D. M. Zar, "Variability in Multistage Synchronizers", IEEE Transactions on Very Large Scale Integration Systems, vol. 23, no. 12, pp. 2957–2969, 2015.
[18] S. Beer and R. Ginosar, "Eleven Ways to Boost Your Synchronizer", IEEE Transactions on Very Large Scale Integration Systems, vol. 23, no. 6, pp. 1040–1049, 2015.
[19] G. M. Brown, "Verification of a Data Synchronization Circuit for All Time", Intl. Conf. on Application of Concurrency to Sys. Design, Finland, pp. 217-228, 2006.
[20] A. Smrcka, V. Rehak, T. Vojnar, D. Safranek, P. Matousek, and Z. Rehak, "Verifying VHDL Design with Multiple Clocks in SMV", FMICS, pp. 148-164, 2007.
[21] A. Smrcka, "Verification of Asynchronous and Parametrized Hardware Designs", Information Sciences and Technologies Bulletin of the ACM Slovakia, vol. 2, no. 2, pp. 60-69, 2010.
[22] R. Ginosar, "Metastability and Synchronizer: A Tutorial", IEEE Design and Test of Computers, pp. 23-35, Oct. 2011.
[23] C. Portmann, and T. Meng, "Metastability in CMOS library elements in reduced supply and technology scaled applications", IEEE Journal of Solid-State Circuits, vol. 30, no. 1, pp. 39-46, 1995.
[24] J. Reiher, M. Greenstreet, I. W. Jones, "Explaining Metastability in Real Synchronizers", Intl. Symp. on Asynchronous Circuits and Systems, Austria, pp. 59-67, 2018.
[25] M. Thakur, B. B. Soni, P. Gaur and P. Yadav, "Analysis of metastability performance in digital circuits on flip-flop", International Conference on Communication and Network Technologies, Sivakasi, India, pp. 265-269, 2014.