Case Study Overview
This case study covers Nvidia’s advanced sign-off methodology for clock domain crossing (CDC) handshakes. The methodology ensures that unsafe scenarios are consistently identified within Real Intent Meridian CDC’s full violation report, minimizing the additional engineering effort required to complete full CDC sign-off.
Problem Statement
Complex SoCs can have more than 100 asynchronous clock domains, and millions of clock domain crossing paths.
Designers add “handshake” mechanisms (CDC interfaces) for common design patterns, to safeguard those paths. The interfaces must be fully reviewed as part of CDC sign-off to avoid missing out on CDC issues that may lead to silicon failure.
CDC sign-off tools identify all issues that could impact reliable data transfer across domains; given that all CDC sign-off tools have some noise, the tools classify the paths into “safe” and “unsafe” paths, to improve the efficiency of the review effort.
Goal
Ensure that Nvidia’s CDC sign-off methodology with Meridian CDC would minimize the violation review effort, while leveraging the CDC handshake information to ensure that all unsafe paths associated with the CDC handshake mechanisms were categorized properly.
CDC Structural Sign-Off – Current Methodology Limitations
Clock domain crossing tools do structural verification, where they analyze design connections and then, to minimize the follow-on engineering effort, classify each path as safe or unsafe. Many CDC flows rely on this type of structural sign-off method.
Unfortunately, analyzing and classifying the paths based entirely upon design connections is not foolproof. In complex handshake scenarios, unsafe paths can mistakenly be classified as safe.
For example, classification based on structural connection principles alone can incorrectly classify as safe an interface that contains unintended drivers or unintended feedback.
Missed unsafe path during structural-only CDC analysis: Unintended driver in interface
CDC Analysis using Formal Methods
Limitations of CDC Sign-Off using Formal Methods
Formal verification works using mathematical proofs, so when it calls something “safe” it is guaranteed to be safe, which adds strength to structural-only CDC analysis. This method can be applied to further analyze the violations reported by the CDC tool.
However, signing off with formal verification requires an enormous engineering effort. Further, it does not scale to the full chip level. Even verifying a subsystem or block can take weeks to sign off.
Requirements for New Advanced CDC Handshake Sign-Off Methodology
Nvidia wanted to improve their existing CDC methodology to meet the following criteria:
1. Build on top of their current structural sign-off flow
2. Properly categorize all unsafe paths in the tool reports
3. Not require a tremendous increase in designer effort
4. Be portable across multiple designs
5. Be easily implemented into existing flow
New Advanced CDC Handshake Sign-Off Methodology
Nvidia collaborated closely with Real Intent to develop the following advanced CDC handshake solution:
- The companies looked across all Nvidia designs and identified handshake schemes which designers usually use.
- It was identified that there were only a few specific handshake schemes that were used across all designs.
- The identified schemes were classified as “library interfaces” (e.g. pulse synchronizer and FIFO).
- A set of flows & scripts were developed that would automatically detect the presence of these components.
- Whenever these library interfaces are present in the design, a Meridian CDC tool-specific command called “create_association” is automatically enabled.
- Complete structural and formal verification is done at the library level for all the identified library handshakes.
When Nvidia has an interface instantiated at SoC level or subsystem level, Meridian CDC now verifies that it has been instantiated as per library specifications.
Interface instantiated as per library specification
Unintended driver region as specified by interface library
Nvidia’s CDC Handshake Advanced Methodology Results
This new methodology avoids the limitations currently associated with structural analysis. Following the tool analysis:
- If unintended drivers or feedback are present, the interface will now be classified as an unsafe interface.
- If the interface is instantiated correctly, it will be classified as a safe interface.
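A simplified model of the difference described above, as an added example that is not Nvidia's or Real Intent's code and does not use Meridian CDC: it represents a netlist as a driver map and compares a deliberately naive connection-only rule with a check against a library specification. The net names, the spec format and both classifier functions are assumptions made for illustration.

```python
# Simplified model (assumption): `drivers` maps each net to the set of nets
# driving it. All net names and the spec below are constructed.

def fanin(drivers, net):
    """Return every net that transitively drives `net` (cycle-safe)."""
    seen, stack = set(), [net]
    while stack:
        for d in drivers.get(stack.pop(), ()):
            if d not in seen:
                seen.add(d)
                stack.append(d)
    return seen

def structural_classify(drivers, dst, sync_cells):
    """Naive connection-only rule: safe if a synchronizer feeds `dst`."""
    return "safe" if fanin(drivers, dst) & sync_cells else "unsafe"

def library_classify(drivers, spec, iface_in, iface_out):
    """Compare an instance against the drivers its library spec allows."""
    findings = []
    for pin, allowed in spec.items():
        extra = drivers.get(pin, set()) - allowed
        if extra:
            findings.append(("unintended_driver", pin, sorted(extra)))
    if iface_out in fanin(drivers, iface_in):
        findings.append(("unintended_feedback", iface_in, [iface_out]))
    return ("unsafe" if findings else "safe"), findings

# Constructed pulse-synchronizer interface: allowed drivers per protected pin.
SPEC = {"sync_in": {"src_pulse_flop"}, "dst_pulse": {"sync_out"}}
SYNC_CELLS = {"sync_out"}

GOOD = {"sync_in": {"src_pulse_flop"}, "sync_out": {"sync_in"},
        "dst_pulse": {"sync_out"}}
# Extra source-domain signal merged in after the synchronizer.
BAD_DRIVER = {**GOOD, "dst_pulse": {"sync_out", "src_debug_sel"}}
# Interface output looped back into the logic that drives its input.
BAD_FEEDBACK = {**GOOD, "src_pulse_flop": {"dst_pulse"}}

if __name__ == "__main__":
    for name, nl in [("good", GOOD), ("bad_driver", BAD_DRIVER),
                     ("bad_feedback", BAD_FEEDBACK)]:
        print(name, structural_classify(nl, "dst_pulse", SYNC_CELLS),
              library_classify(nl, SPEC, "sync_in", "dst_pulse"))
```

In this model the naive rule reports all three instances as safe because a synchronizer is present on the path, while the library comparison flags the two modified instances.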
Nvidia’s initial results showed that a very high percentage (> 85%) of the handshake schemes in smaller IPs were part of the library interfaces.
Continued effort: The two companies are exploring those IPs and adding more library components to further improve the coverage.
Nvidia’s overall result was that the flow requires only an incremental effort over structural-only CDC analysis, while eliminating the weeks of effort that would have been required by formal methods.