Methodologies for Reliable Design Implementation

12004 MAPLD VHDL Synthesis Introduction

Methodologies for Reliable Design Implementation

Melanie Berg

NASA Office of Logic Design

2004 MAPLD International Conference

September 8-10, 2004

Washington, D.C.


Overview

• This session will present methodologies for reliable design implementation

• Designs that are covered will first be explained. Following the design description, the corresponding VHDL will be presented

• Topics that will be covered:– Counters: Ripple vs. Synchronous– Triple Mode Redundancy (TMR)– Asynchronous Clock domain crossing– FIFO Memories– State Machines and Mitigation


Common VHDL/Synthesis Misperceptions

• VHDL and its synthesis tools produce unexpected results

• VHDL does not produce efficient circuitry• The synthesis tool will not produce what is

desired• VHDL is for software folks


VHDL and Design

• One should not start writing VHDL code until the design is well understood and analyzed

• Anyone can pick up a VHDL book and learn syntax

• Anyone can pick up a synthesis manual and learn directives

• But how do we create reliable circuits?


Key Ingredients for Successful and Reliable Designs: VHDL through Synthesis

• Remember … the goal is to design reliable hardware.• VHDL – looks like software, however, the designer must understand proper

hardware design techniques including the electrical characteristics of the employed technology

• VHDL RTL must functionally match gate level (post synthesis) for simulation purposes. This requires enforcing strict coding rules

• Designer must be familiar with the synthesis tools and their interpretation of VHDL code

– Combinatorial circuits vs. Sequential– Clock structures and potential skew– Proper State machine implementation– Arithmetic circuitry– Clock domain crossings– Reset logic– Mitigation– When to use specific Synthesis directives– Etc…

• VHDL Coding Style is very important


What is the Importance of VHDL Coding Styles.

• No Synthesis tool can be as efficient as proper Coding Style

• ASICS and FPGAs will be smaller and faster.• Proper VHDL Coding Style is easier to verify• We would like to shorten the Design Cycle.

Coding Style will affect– Quality of Synthesis: drive to tool to better results, – FPGA mapping or design: can take advantage of the technology– Place and Route: designs that are well thought out will have a

clean route


Coding Style Specifics - Think “Hardware”

• Architect with comprehension of your target’s features (ASIC and FPGA)

• Separate Combinational and Registered blocks• Watch out for inferred latches• Pay attention to large fan-out nets• Consider how you code state machines• Be careful with designing long paths of logic• Be aware of when you are able to use Resource

sharing


Code Restructuring

If (Aflag=‘1’) outdata <= Adata;elsif (Bflag=‘1’) outdata <= Bdata;elsif (Cflag=‘1’) outdata <= Cdata;else outdata <= ‘0’;

• What circuit structure does this code produce?• Which line of code is likely to be in the critical

path?


Answer:

If (Aflag = ‘1’) outdata <= Adata;elsif (Bflag = ‘1’) outdata <= Bdata;elsif (Cflag = ‘1’) outdata <= Cdata;else outdata <= ‘0’;

Cdata

0

Cflag BflagAflag

BdataAdata

outdata


Code for Late-Arriving Signalif (cflag=‘1’ and aflag=‘0’ and bflag=‘0’)

outdata <= Cflag;elsif (aflag=‘1’)

outdata <= Aflag;elsif (bflag=‘1’)

outdata <= Bflag;else outdata <= ‘0’;

muxmux

mux

Cdata

0

Cflag

BflagAflag

Bdata Adata outdata

and


Duplicating Logic to Improve Speed• Most synthesis tools have a fanout control

– Be careful, the tools don’t always pick the best implementation creating a more difficult design to place and route

• Better to explicitly duplicate logic in code– you may need to use the syn_keep option for

combinational logic

• Good Examples to duplicate:– Address and control lines to large RAM– Clock enables – Synchronous reset signal– Other high fanout nets


Pipelining Logic to Improve Speed

• Pipelining is most efficient for critical paths which can not be fixed by special coding schemes.

• Some may think that it will increase area. However, with very long paths, synthesis may be duplicating logic in order to meet timing. Pipelining can reduce the replication.

• It also will help while in Place and route


Synthesis Tools

• Synthesis Optimization Algorithms are geared towards synchronous designs.– Unexpected synthesis gate level output can occur if the design is

extremely asynchronous – tool gets confused

• The major parameters within the optimization algorithm are Timing and area– Timing is measured from a starting DFF (or input) through a

combinatorial path to the next DFF (or output). Timing can only accurately be measured (during optimization) when the DFFs are connected to the same clock

– Redundancy within VHDL code is usually synthesized away (area optimization). The designer must place synthesis directives (attributes) on the nets that are part of the redundant path


Synthesis Tools

• Designers should beware of push-button mitigation within synthesis.– Mitigation must be glitch-free

– Safe directive for state machines is not effective … false sense of safety

– When logic is added after VHDL-RTL phase, it is generally difficult/tedious to verify. Remember, reliable circuits must be verified

– Companies are aware and are working on some of these issues

• Synthesis output can be trusted if proper synchronous design techniques (including cleanly written VHDL) are followed. However, Formal Verifiers are needed! This will increase our test coverage.– Companies are also aware of this… but … where is it?


Reliability

• Design can be verified to work under worse case conditions

• Aerospace specifics includes verifiable mitigation techniques under worse case conditions

• Circuit has predictable behavior• Circuit has a definable reset state• Bottom line is to Use the following Techniques:

– Design for Verification (DFV)

– Design for Test (DFV)

– Design for Reliability (DFR)


Example: Reliability…Assumes a Technology with no Built-in TMR


Unreliable Circuit Design Example: Ripple Counters

Q

QSET

CLR

D

N MHz

Q

QSET

CLR

D

Q

QSET

CLR

D

Q

QSET

CLR

D

SEU Hits Bit 0 as output of Bit 1 changes. Bit 1 can go metastable. Bit 1 output can Oscillate. Clock pin to Bit 2 will Oscillate: Will violate DFF specifications -

can damage the FPGA As the input clock frequency increases, the probability of this

event occurring grows exponentially

Bottom line: DFF clock pins need to be protected.

0 1 2 3

reset


VHDL Example of a Data output feeding a Clock input: Avoid for Reliability

Process (sysclk,reset)

Begin

if reset = ‘0’ then

dff0 <= ‘0’;

elsif rising_edge(sysclk) then

dff0 <= not dff0;

end if;

End process;

Process (dff0,reset)

Begin

if reset = ‘0’ then

dff1 <= ‘0’;

elsif rising_edge(dff0) then

dff1 <= not dff1;

end if;

End process;


Adding TMR to Circuitry

• It is up to the designer to pick the strategic places that TMR will be inserted.

• TMR must be glitch free• TMR must be verifiable• Synthesis directives (attributes) generally need

to be used in order to not optimize away the Mitigation


Shared TMR Logic

• In this scheme – The designer must triple the number of DFF’s.

• The DFFs feed 1 TMR block

• If the technology is susceptible to transients, this method will not be efficient

Q

QSET

CLR

D

Q

QSET

CLR

D

Q

QSET

CLR

D

TMRCombinatoriallogic

Combinatoriallogic

Combinatoriallogic


Distributed TMR

• In this scheme – The designer must triple the number of DFF’s and triple the number of inserted TMR blocks.

• Although more area extensive, this method adds a level of reliability, If the technology is susceptible to transients

Q

QSET

CLR

D

Q

QSET

CLR

D

Q

QSET

CLR

D

TMRCombinatorial

logic

TMR

TMR

Combinatoriallogic

Combinatoriallogic


More Reliable Ripple Counter – Distributed TMR: Picture Depicts bit 0 and bit 1

Q

QSET

CLR

D

N MHz

Q

QSET

CLR

D

reset

TMRglitchfree

Q

QSET

CLR

D

Q

QSET

CLR

D

reset

TMRglitchfree

Q

QSET

CLR

D

Q

QSET

CLR

D

reset

TMRglitchfree

Path A

Path B

Path C

One line can oscillate -but the voting logic will

override


More Reliable Ripple Counter – Still a Potential Problem

• Paths delays due to routing differences are never exact• What happens if (referencing paths A, B, and C) A, B,

and C are all logic 0 and are expected to go to a logic 1:– Path A comes in first– Path B comes in second (TMR logic will go to logic 1)– Path B gets hit by a SEU – path C has not come in yet – TMR logic will

go to logic 0 … start of GLITCH!– Path C comes in – TMR now turns on once again

• Probability can be very small to negligible – depends on clock speed, and routing delay differences

• The glitch will have a relatively small period – will probably violate device specifications and can damage the device

• Also adds a major level of complexity within verification


Synchronous Reliable Solution

• Instead of a ripple counter, use a synchronous counter – Without Mitigation Case (no SEUs):

• Assumes a reset will clear any SEU hits that cause incorrect counting

– With mitigation (glitch free TMR for example).• Assumes counter must always be correct for Single Event Upsets

• Clock tree feeds the clock pin – Assuming a hardened clock tree (SET – free), SEU hits should not create DFF clock oscillations

• Data feeds data pins• Although the SEU is Asynchronous, the glitch free TMR circuit will

override the possible metastable oscillation on the data pin.• The following example shares TMR circuitry per stage (unlike the

other example where each path has separate TMR logic per stage). This design choice assumes a technology that will not have (or has an extremely low probability of) internal transient glitches or SETs.


VHDL Synchronous Counter without Mitigation

Counter <= counter_in;Counter_plus_1 <= counter_in + 1 ; -- need special library for this statement

Process (sysclk,reset)Begin

if reset = ‘0’ then -- counter is resetable to a constant valuecounter_in <= (others=> ‘0’);

elsif rising_edge(sysclk) then -- clock pin is connected to system clockcounter_in <= counter_plus_1;

end if;End process;


Post Synthesis RTL View without TMR (non-technology dependent)


VHDL Synchronous Counter with Mitigation

----------------------------------------------------------------------------------------------------------------------- signal declarations: For this circuit we will use 3 counters that feed into TMR voting logic.-- the output of the TMR will be fed into a combinatorial logic for the counter.-- the output of the combinatorial logic of the counter will be fed back into counter register---------------------------------------------------------------------------------------------------------------------

signal counter_plus_1 : std_logic_vector(3 downto 0);

signal counter0_in : std_logic_vector(3 downto 0);signal counter1_in : std_logic_vector(3 downto 0);signal counter2_in : std_logic_vector(3 downto 0);signal counter_tmr : std_logic_vector(3 downto 0);

----------------------------------------------------------------------------------------------------------------------- attributes used as synthesis directives: Important so that mitigation logic will not get optimized away---------------------------------------------------------------------------------------------------------------------

attribute syn_preserve : boolean;

attribute syn_preserve of counter0_in : signal is true;attribute syn_preserve of counter1_in : signal is true; attribute syn_preserve of counter2_in : signal is true;


VHDL Synchronous Counter with Mitigation

-- generate TMR logic for each bit of counter … works across the 3 counters-- TMR is a compiled entity in the work directory-- TMR_OUT <= (a and b) or (a and c) or (b and c)-- This TMR entity is written bit-wise, however, the designer can make a more

robust entity that will accept vector inputs

counter_string_tmr: for i in 3 downto 0 generatebeginucount_bit : entity work.TMRport map(

A => counter0_in(i),B => counter1_in(i),C => counter2_in(i),TMR_OUT => counter_tmr(i));

end generate;


VHDL Synchronous Counter with Mitigationcounter_plus_1 <= counter_tmr + 1; -- Output of TMR circuitrycounter <= counter_TMR;


if reset = '0' then -- counter is resetable to a constant valuecounter0_in <= (others=> '0');

elsif rising_edge(sysclk) then -- clock pin is connected to system clockcounter0_in <= counter_plus_1;

end if;End process;




end if;End process;




end if;End process;


Post Synthesis RTL View with TMR (non-technology dependent)


VHDL Synchronous Counter with Mitigation Analysis

• No SEUs:– After static timing analysis has been verified and all paths meet timing

with slack, all data is considered to be stable at each clock edge – no concerns for metastability or incorrect data capture

• SEU Hit– If an SEU hits a DFF, then the glitch free TMR will override any one

DFF input change (output of TMR is stable), thus, data is still considered to be stable near a clock edge - no concerns for metastability or incorrect data capture

• Synchronous Advantage Meets Reliability Requirements – Easily verifiable in the RTL domain if static timing is met and gate level

is functionally equivalent to RTL– Mitigation and general functional behavior is predictable under worse

case conditions– TMR circuitry is verifiable (due to it being within the RTL vs being

inserted in synthesis)– A Definable reset state exists


Asynchronous Clock Domain Crossing


Asynchronous Clock Domain Crossing

• Most common problem within designs.• Why?

– Designers usually don’t design for all corner cases – i.e. data must be synchronized to capturing clock domain before usage

– Multiple clock domains add an extra level of complexity to the synthesis optimization algorithm.

• The major optimization parameters for the synthesis algorithm are timing and area

• Timing is measured for each synchronous path (DFFs connected to the same clock tree)

• Generally, extra timing constraints are necessary when crossing clock domains


Design Example

• Implement a serial asynchronous input port that receives: DCLK, DATA, and DENV. Skew relative to DCLK will be less than 10 ns

• Input speed can range from 5Khz to 10Mhz.• DATA and DENV will change at the rising edge of the

DCLK signal (thus will be stable at the falling edge).• Input Data is in the form of 16 bit words MSB first.• DENV is active high• Technology has glitch-free hardened by design

mitigation within the silicon (attached to DFFs)


Determine FPGA System Clock speed

• Limiting factor is the 10MHZ input – new data can come every 100 ns

• Data is asynchronous – need a metastability filter …

Q

QSET

CLR

D

Q

QSET

CLR

DAsynchronousInput

Clock

Reset fro

mclock tree

No otherconnection tothese points

Edge detectioncan be placed

at this point


Need an Edge Detection for the Input signal

• Remember – there is a difference between the input clock and the FPGA system clock (asynchronous)

• Goal: Capture data while data is stable (avoid metastability)

• We want to detect an edge of the input control (DCLK), then look at the envelope (DENV) - see if it is active, then grab the data.

• Why the edge and not the level …We only want to sample input data once per input clock period …at a stable place in the clock period …

• Which edge should we use (falling or rising)?…


Analysis

• Most people will want to capture at the falling edge because data is known to be stable there.

• However, once you detect the stable edge you only have half an input clock period minus overhead … minus data to clock skew …

• Therefore – you will be required to implement a much faster system clock


Data1 Data2 Data3

Positive Edge ClockTransition - Data changes

CLOCK Input

Data Input

Negative Edge ClockTransition - Data stable

If we implement a detection scheme thatlooks for the falling edge of the clock - weonly have half a clock to do the detection

and capture data - thus designer must usea fast clock relative to the input clock - may

be impossible to implement!!!!!!

If we implement a detection scheme that looksfor the rising edge of the clock - we have moretime (approx. 1 clock cycle) to do the detectionand capture data - This enable the designer to

use a slower clock - great for power!!!!

100 nsclock

period


Data1 Data2 Data3

CLOCK Input

Data Input

Delay

from

cloc

k

dete

ction

Gra

b da

ta

Data1 Data2 Data3Data Input

Delay

from

cloc

k

dete

ction

Grab data

Rising Edge Detection Example

Falling Edge Detection Example

CLOCK Input

Data is valid after the delay forclock detection is complete!

Now we have plenty of time tograb the new data

Not too much time left to grab data - needFAST internal FPGA clock


Best Choice

• Look for the rising edge of the input clock. Although data is changing here… by the time you actually detect the clock – data will be valid!

• Remember – because the DCLK is asynchronous to your FPGA, it must go through a metastability filter before you can sample – THIS TAKES TIME … how much?…


Q

QSET

CLR

DSynchronousSignal

Clock

Reset fro

mclo

ck tree

Synchronous signal —want to edge detect

Synchronous signal —1 cycle delay: DFF output

Output of edgedetection

FPGA system clock

Rising Edge Detect Circuit

One c

ycle

wid

e e

dge

det

ect

If signal=’1' and signal_d1 = ‘0’ thenedge_det <= ‘1


Metastability Filter uses DFFs … data only gets passed at a clock edge

Q

QSET

CLR

D

Clock

Reset fro

m

clock tre

e

Q

QSET

CLR

D

Q

QSET

CLR

DSignal fromother clock domain

0 1 2

Edge detectonly performedafter 2nd Meta

DFF


Design Decision…• Envelope will be captured by one DFF (no metastability filter)

and will be “anded” with the clock edge detect in order to enable data capture …’

• I.e. if the clock edge is detected and the envelope is valid then capture data. Thus the data does not go through a metastability filter either!!! Saves gates and is safe – we only look at data (and envelope when they are stable – the input clock edge tells all)

• We can use only one DFF because the enable is guaranteed to be stable by the time the clock edge is detected …clock edge detection has to take at least 2 system clock cycles – by then envelope is clean.

• Why not send the DENV signal through a metastability filter too??


Q

QSET

CLR

D

Q

QSET

CLR

DAsynchronousclock Input

Clock

Rese

t from

clock tre

e

Q

QSET

CLR

D

Q

QSET

CLR

DAsynchronousEnvelope Input

Rese

t from

clock tree

Do not send both the Clock and Envelope Asynchronous Signal through aMetastability Filter

Evn_d2

Clock_d2

Clock Input

Clock_d2

Rising edge detect

Env

Env_d2

Watch Out!!!!!!!Data is captured at therising edge of the clock

detection … but env_d2 isnot valid Yet!!!! We willmiss the first piece of

DATA!!!!!!!!!!!!!

Env_d2 not valid yet

Skew < 10 ns


Q

QSET

CLR

D

Clock

Reset from

clock tree

Q

QSET

CLR

D

Q

QSET

CLR

DInput Clock Signal

0 1 2

Rising Edge detect onlyperformed after 2nd Meta

DFF

FPGA systemclock

Input Clock

Input clock Missed this edge Data capture happens inapproximately 3 clock cycles

DFF0

DFF1

DATA CaptureDFF

Q

QSET

CLR

D

Data InputE

DFF2

Dat

a is sta

ble

here

for ca

ptur

e

Rising_edge_detect

D0

D0DATA Input

Rising edge is detected becauseDFF1= ‘1’ and DFF2 = ‘0’ during

this clock cylce


FPGA systemclock

Input Clock

Input clock Captured at this edge: Data Capturehappens with in 2 system clock cycles

DFF0

DFF1

DATA CaptureDFF

DFF2


Metastability Filter Recap:• Choose only one signal (control signal) to send through the

metastability filter – avoid skew of asynchronous input signal near clock edge problems

• Determine where the signals are stable relative to the incoming control signal

• Sample and grab data• Do a complete timing analysis: watch out for skew, setup & hold,

input clock frequency vs. system clock frequency.

• Watchout!!!! For large Fan-out of output of metastability filter – Synthesis tool may duplicate the filter. This will cause data to possibly be out of sync within different portions of the circuit – use a don’t_replicate attribute on the filter output


Metastability Filter Recap:

• Remember – Our example’s timing analysis applies to capturing the data relative to the same edge of the input clock that the input data changes – we can do this because we have a delay due to the metastability filter and this delay is larger than the 10 ns skew (between the clock, data, and envelope) listed in the spec.

• We chose to capture data relative to the same clock edge that the input data changes so that we can choose a slower clock – slower clock means less power and easier design implementation requirements.


Metastability Filter Recap:

• The designer could make the decision to capture data relative to the edge that the input clock is changing – however, that would require a much faster FPGA system clock for proper implementation -- see timing analysis.

• The designer could also choose to send the DENV and DDATA lines though metastability filters (not a good choice – unnecessary extra logic). However, this can only be done if you detect the input clock where data and envelope are stable …and capture there– otherwise (due to skew) incorrect results can occur


Based on the two previous Cases…Best and Worse

• Upon the worse case – we see that we will need at least 3 FPGA system clock cycles to capture the data… however we also need some overhead (20%) due to variations in environment (voltage, temperature, clock skew, process…)

• Clock needs to be…3x < 100 ns - .20x –10 ns

X becomes about 28.125 ns … or 36MHZFor ease …Lets choose a 40 MHZ FPGA system clock (25 ns clock period

… definitely fast enough)


Rule of Thumb: Asynchronous Data Capture

• Use a system clock that is 4 times faster than input clock… if possible…

• Otherwise you might be able to use both edges of the clock – can be tricky

• Or… use an asynchronous FIFO to capture the input data and then extract the data with the system clock … great choice if input clock and data rates are too fast!


Rule of Thumb: Asynchronous Data Capture (cont…)

• Only send one signal – a control signal – through a metastability filter. Otherwise, signal skew can cause data to be incorrectly captured.

• Determine where to sample the control signal such that data is stable (under all conditions)

• Use an edge detection circuit on your control signal (after the metastability filter) because your clock domain will be faster than your input clock domain.

• Use this one-cycle edge detection output to control data capture and other necessary functions – avoids multiple samples or counts per clock/data input pair


Next…Now that we figured out the FPGA System Clock Frequency … Let’s Construct the Input Block

• We need to shift the data into a shift register• Count how many bits we have shifted in – this will need 4

bits in order to count to 16• Once we have captured 16 data bits… store the shift

register into a Dout (data out) register and raise a ready flag.

• For our design, ready flag will only be valid for one system clock cycle

• Dout will only change once a full 16 bits have been captured into the shift register.

• Let’s check out the VHDL code


How Does VHDL Tie Into This?

• We need to create DFF’s and we need to create combinatorial logic.

• DFF’s store information and can only change at a clock edge.– Counters– Delay elements (I.e. an edge detection delay)– Flags– Shift registers


How Do We Create a DFF in VHDL ?

• Our job is to direct the synthesis tool to do exactly what we want… its difficult to get precisely what you want if you do not take the time to understand how the tool works.

• The synthesis tool looks for:process(sysclk,reset) -- sensitivity list for clock and resetbegin

if reset = '0' then -- connect the reset to the DFFDFF <= ‘0’; -- DFF gets a constant at reset

Elsif rising_edge(sysclk) then -- clock connectionDFF <= data; -- at clock edge DFF gets new data

end if;End process;


Using a DFF Enable connection

process(sysclk,reset) -- sensitivity list for clock and reset

begin

if reset = '0' then -- connect the reset to the DFF

DFF <= ‘0’; -- DFF gets a 0 at reset

Elsif rising_edge(sysclk) then

if enable = ‘0’ then -- if statement creates an enable condition

DFF <= data; -- at clock edge and enable DFF gets data

end if;

end if;

End process;


Using an Enable Connection

• In our case, we only want to capture data, and then count up (we’re counting how many bits we have), once per clock/data input pair.

• This input is generated at a slower rate than our FPGA internal clock. So it sits around for several of our clock periods.

• Thus we will use an enable that is only valid for one clock cycle in order to capture data and count it.

• This enable (as described earlier) will be active if we have detected a rising_clock_edge and an active envelope signal


Data1 Data2 Data3

DCLK (Clock Input)

DDATA (Data Input)

FPGA CLOCK

FPGA CLOCK is faster than CLOCK/DATA Input

DENV (Envelope)

Rising_clock : occurs 2FPGA clock edges afterDCLK transition occursbecause of metastability

filter

Env_reg ==DENV delayedby one cycle

Enable for capturingand counting data =>rising_clock is ‘1’ and

env_reg is ‘1’


Q

QSET

CLR

D

E

CLOCK

rising_edge_detect

ENV_reg

elsif rising_edge(sysclk) then -- clock connection

if rising_clk = '1' and env_reg = '1' then -- enable connection

counter <= counter+1; -- 4 DFF’s created here

data_shft <= data_shft(14 downto 0) & DDATA -- 16 DFF’s created here

end if;

Notice we are connecting to the enable ofthe DFF by using an if statement inside thesequential process

This enable has beendesigned to only beactive for one FPGAclock signal

From Metastability Filter and edge detection ofinput clock edge: DCLK

Using an If statement in VHDL cancreate a direct connection to a DFFEnable pin - This depends on the

Technology being targeted


Synchronous Shift Register: Shifts at eachclock edge - Can also use an enable

(VHDL if statement to selectively shift)

Q

QSET

CLR

D

Q

QSET

CLR

D

Q

QSET

CLR

D

d1

Q

QSET

CLR

D

...d11 d2 d0

9 8 7 6 5 4 3 2 1 0 D_in0

11 10 9 8 7 6 5 4 3 2 1 0

10

Shifting : shft_reg <= shft_reg(10 downto 0) & data_in

Bi t 11gets lost

Assuming shft_reg is defined as 12 bits it is the same as:shft_reg(11 downto 0) <= shft_reg(10 downto 0) & data_in

Bit positions (11 downto 1) Bit position 0

D_in

9 8 7 6 5 4 3 2 1 0 D_in0

11 10 9 8 7 6 5 4 3 2 1 0

7 6 5 4 3 2 1 0 D_in2

9 8 7 6 5 4 3 2 1 0 D_in1D_in0

D_in0 D_in18

10

Sysclk n

Sysclk n+1

Sysclk n+2

Sysclk n+3


Metastability Filter Implementation within a Device without built in Mitigation

• A tradeoff analysis between mitigation techniques should be performed based off of:– clock speed

– transient pulse width and probability of occurrence

– additional area due to of an increase of logic gates

• Example: Distributed TMR with asynchronous inputs incurs a larger fanout (vs. shared TMR) on the DFF that can go metastable – this increases the probability of metastability on the second DFF of the metastability filter. However, with a slow enough clock speed, this may not be an issue.


FIFO Memory Control


FIFO Memories

• Definition: First in – First out memory• Simultaneous write and read access to memory

(dual port)• Data written into a FIFO is sequentially read out

in a pipelined manner – such that the first written will be the first read


General Package

FIFOMEMORY

WR_CLK

DATA_IN

RD_CLK

DATA_OUT

FIFO_FULL

FIFO_EMPTY


FIFO Memory Ports

• Input port: write• Output port: read• Each port has an associated pointer (I.e. counter,

address)• No random access• Write operation will increment the write pointer• Read operation will increment the read pointer


0

1

2

3

4

N-3

N-2

N-1

N

5

Write Pointer

Read Pointer

Read Pointer = 1Write Pointer = 4

The contents of memory location 1 is available on the data output pins

If a read is invoked the contents of address location 2 is on the output data pins

If a write occurs then the input data bus is written to address location 4


Clock Domains

• READ enable and READ pointer is synchronous to the read domain (rd_clk)

• WRITE enable and WRITE pointer is synchronous to wr_clk

• Rd_clk and wr_clk do not have to be synchronous!!!!!… Asynchronous FIFO


0 0 0 0 0 0 1 1 0 1

0 0 0 0 0 0 1 1 1 1

1

1

Read Pointer = 25

Write Pointer = 31

Each of these bits are DFFs

Q

QSET

CLR

DRd_clk

1

Q

QSET

CLR

DWR_clk

1


0

1

2

3

4

N-3

N-2

N-1

N

5

Write Pointer Read Pointer

Are we full or empty?


New Package

FIFOMEMORY

WR_CLK

DATA_IN

RD_CLK

DATA_OUT

FIFO_FULL

FIFO_EMPTY

WR_EN RD_EN


FIFO Full and Empty

• FIFO full when both pointers are equal• FIFO empty when both pointers are equal• Use an extra bit (MSB of counter) as a flag

– If MSB’s are equal : Both pointers have wrapped around the memory an equal amount of time: EMPTY

– If MSB’s are not equal: Write pointer has wrapped around one more cycle than the read - FULL


Pointer Compare

• How do we compare two pointers (counters) that are located in two different clock domains?


0 0 0 0 0 0 1 1 0 1

0 0 0 0 0 0 1 1 1 1

1

1

Read Pointer = 25

Write Pointer = 31

Each of these bits are DFFs

Q

QSET

CLR

DRd_clk

1

Q

QSET

CLR

DWR_clk

1

COMPARE


Synchronization

• We need to synchronize the pointers before we do a compare (test for empty or full)

• Full Test:– Can not write another item if full!– As soon as write pointer reaches the read pointer set full flag– Synchronize the read pointer to the write clk before doing

compare


Synchronization

• Empty Test:– Can not read another item if empty!– As soon as read pointer reaches the write pointer set empty flag– Synchronize the write pointer to the rd_clk before doing compare


0 1 1 1

Q

QSET

CLR

DRd_clk

1

Q

QSET

CLR

DWR_clk

1

Q

QSET

CLR

D

0 1 1 1

T0

WT0

Synchronizing the Rdcounter to the wr_clk

Desired Synchronization: Each DFF (BIT) will gothrough a metastability synchronizing filter:


0 1 1 1

Q

QSET

CLR

DRd_clk

1

Q

QSET

CLR

DWR_clk

1

1 0 0 0

Q

QSET

CLR

D

0 1 1 1

T0 T1

WT0

? ? ? ?WT1

Synchronizing the Rdcounter to the wr_clk

Desired Synchronization: Each DFF (BIT) will gothrough a metastability synchronizing filter:

Every bit of the read counter has changed in theRd_clk domain - that’s ok for the rd_clk domain

but...

What happens if a rd_clkhappens at a wr_clk edge!

Every bit is changing - maycatch it in the wr_clk domain -

may not!


Synchronization Solution

• Use Gray Code Counter• Only 1 bit changes per clock period.• Will not end up with a non deterministic value• May still miss the bit as it changes, but will catch it by the next cycle• Algorithm:

– Convert the binary counters to Gray– Send the Gray encoded counter through a metastability filter in the other clock

domain– The other clock domain will convert the Gray encoded counter (output of

metastability filter) back to binary– The other clock domain will use the newly converted binary encoded counter to

make a comparison with its counter


Gray Code Counters

• Very easy to implement … only 1 bit changes per transition0000000100110010011001110101010011001101111111101010101110011000


FIFO VHDL CODE

• Please see handout


State Machines


Definition of Fault Tolerance

• Masking or recovering from erroneous conditions in a system once they have been detected

• The degree of fault tolerance implementation is defined by your system level requirements… I.e. what actually is acceptable behavior upon error

• Questions that must be answered within the system requirements documentation:– Does your system only need to detect an error?– How quickly must the system respond to an error?– Must your system also correct the error?– Is the system susceptible to more than one error per clock cycle?


Synchronous State Machines

• A Finite State Machine (FSM) is designed to deterministically transition through a pattern of defined states

• A synchronous FSM transitions according to a clock edge and only accepts inputs that have been synchronized to the same clock

• Generally FSMs are utilized as control mechanisms

• Concern: – If an SEU occurs within a FSM, the entire system can lock up

into an unreachable state


Synchronous State Machines

• The structure consists of four major parts:– Inputs

– Current State Register

– Next State Logic

– Output logic

Next State

Curren

t State

Outputs

Inputs

Clock


Encoding Schemes

• Each state of a FSM must be mapped into some type of encoding (pattern of bits)

• Once the state is mapped, it is then considered a defined (legal) state

• Unmapped bit patterns are illegal states

IDLE

GetData

ProcessData

SendData

BadData

Start=0

Start=1

Example:Five states need to be mapped.There is only one input: Start


Encoding Schemes

1 1 0

STATES (5):

IDLE :000GET_DATA :001PROCESS_DATA:010BAD_DATA :011SEND_DATA :100

1 0 0

Registers: binaryencoding

Good state : SEND_DATA

Bad state: unmapped

1 0 0

0 0 0

Registers: OneHot encoding

1

1

Good state : SEND_DATA

Bad state: unmapped

STATES (5):

IDLE :00001GET_DATA :00010PROCESS_DATA:00100BAD_DATA :01000SEND_DATA :10000

0

0


Safe State Machines???• A “Safe” State Machine has been defined as one that:

– Has a set of defined states

– Can jump to a defined state if an illegal state has been reached (due to a SEU).

• Precision and Leonardo Synthesis tools offer a “Safe” option:TYPE states IS ( IDLE, GET_DATA, PROCESS_DATA, SEND_DATA, BAD_DATA );

SIGNAL current_state, next_state : states;

attribute SAFE_FSM: Boolean;

attribute SAFE_FSM of states: type is true;

• Designers Beware!!!!!!!– If using a CASE statement to implement the state machine: The others (or

default) clause in your HDL is ignored by the synthesis tools. This logic will not get synthesized unless you explicitly attribute your FSM as “Safe”

– Some versions of synthesis tools will not synthesize a “Safe” One-Hot


Binary Encoding: How Safe is the “Safe” Attribute?

• If a Binary encoded FSM flips into an illegal (unmapped) state, the safe option will return the FSM into a known state that is defined by the others or default clause

• If a Binary encoded FSM flips into a good state, this error will go undetected. – If the FSM is controlling a critical output, this phenomena can be

very detrimental!– How safe is this?


Safe State Machines???

1 1 0STATES (5):

IDLE :000TURNON_A :001TURNOFF_A :010TURNON_B :011TURNOFF_B :100

1 0 0

Using the “Safe” attribute will transition the user toa specified legal state upon an SEU

Good State

Illegal State:unmapped

0 0 1

Using the “Safe” attribute will not detect the SEU:This could cause detrimental behavior

Good State:TURNON_A

0 1 1

legal State: TURNON_B

State(1) Flips upon SEU:

012

012


One-Hot vs. Binary

• There used to be a consensus suggesting that Binary is “safer” than One-Hot– Based on the idea that One-Hot requires more DFFs to

implement a FSM thus has a higher probability of incurring an error

• This theory has been changed!– The community now understands that although One-Hot

requires more registers, it has the built-in detection that is necessary for safe design

– Binary encoding can lead to a very “un-safe” design


One-Hot vs. Binary Analysis

• One-Hot– Synthesis “Safe” directive will generally not work – FSM becomes too large– Each state in a One-Hot encoding has a hamming distance of two.– Error Detection:

• During normal operation, only one bit is turned on, thus It inherently has SEU error detection• SEU Error detection can be accomplished using combinational logic• SEUs occurring near a clock edge will always be detected

• Binary– Synthesis “Safe” directive generally will not meet requirements – can flip into a good

state undetected– Binary Encoding has a hamming distance of One– Error Detection:

• It needs extra DFFs in order to implement error detection• Utilizing an extra DFF can cause a SEU to go undetected due to glitches and routing

differences between combinational logic and DFFs.


Conclusion of One-Hot vs. Binary

• Within a reliable architecture, it is best for the designer to use a one-hot state machine. True Error detection can be accomplished.

• However, if your system needs error correction, a more complex encoding scheme is required


FSM SEU: Error Correction : Using Companion States

• There exists many publications on Error Correction theory.

• None directly address how to correctly implement FSM fault correction while using current day synthesis tools.– Glitch control: Generally synthesis tools will produce “glitchy”

logic– Synthesis “optimization” algorithms will erase the necessary

redundancy for EDAC– The user must sometimes hand instantiate logic– The user must place the necessary attributes to avoid

redundant logic erasure.


Error Correction within One Cycle: Using Companion States

STATEAOusig=’1'

STATEBOutsig = ‘0’

STATECOutsig=’0'

STATEDOutsig=’0'

Intrans=’1'

Intrans=’0'Original FSM



• 1. Find an encoding such that the states have a hamming distance of 3 (at least 3 bits must be different from state to state)...

00000 (state-A), 11100(state-B), 01111(state-C), 10011(state-D).

• Five bits are necessary to encode a four-state machine in order to achieve the required hamming distance of three.


Error Correction within One Cycle: Hamming 3 Encoding …Using

Companion States• For each encoding, calculate the companion

encodings such that the hamming distance is one… for example:– Companion encoding for state A (00000) is:

• 00001,00010,00100,01000,10000

– Companion encoding for state B (11100) is:• 11101,11110,11001,10100,01100



• When implementing the state machine, state A is encoded as 00000 and then (theoretically) “OR-ed” with all of its companion encodings. This covers all possible SEUs

• Do the same for all other states

• Use the output of the “OR-ed” states to determine next state logic.

– Thus if a bit flips… the companion state will catch it and the FSM will be able to correctly determine the next state

• Be careful! The “OR” logic is more complex than simply using a string of “OR” gates.


Error Correction within One Cycle: Glitch Control

• One major issue that is extremely overlooked is SEUs are asynchronous and can occur near clock edges

• If this occurs, your error checking logic may cause a glitch

• Due to routing timing differences, this can cause incorrect values to be latched into the current state registers.

• Refer to a Karnaugh Map for glitch-less implementation

• The designer may have to hand instantiate the logic if the synthesis tool does not adhere to the VHDL as expected


Error Correction within One Cycle: Glitch ControlState(0)

State(3)

State(1)

State(2)

00 01 11 10

00

01

11

10

1 1 1

1

StateA companion states SOP (including State(4) dimension):

State(0)State(1)State(2)State(3) + State(0)State(1)State(2)State(4) +

State(0)State(1)State(3)State(4) + State(0)State(2)State(3)State(4) +

State(1)State(2)State(3)State(4)

1


Error Correction within One Cycle: Glitch Control

• The designer will have to include the synthesis directives:– Preserve_driver– Preserve_signal

• Always check the gate level output of the synthesis tool.

Documents

Methodologies for Reliable Design Implementation