Completing Clock Domain Crossing Verification
Nvidia wanted a methodology for complete clock domain crossing verification that used CDC static sign-off along with simulation to verify their protocols and static sign-off design constraint assumptions, as well as mitigate metastability issues.
This article covers highlights of NVIDIA’s successful evaluation of Real Intent Meridian CDC with Simportal to link CDC static sign-off and simulation for this purpose.
To see the original case study, please visit: https://www.realintent.com/clock-domain-crossing-verification-completing-sign-off-by-linking-static-dynamic-verification/
Nvidia’s CDC Verification Workflow
Nvidia’s clock domain crossing verification workflow for this was divided into two primary parts.
- They ran Meridian CDC static sign-off based on their RTL design and design constraints – resolving all identified errors and setting waivers for unintended behavior. The Meridian CDC Simportal feature automatically created a checker file.
- Nvidia plugged the Simportal checkers file into their simulation environment, along with their RTL and their SystemVerilog test bench. Simportal’s checkers let them catch functional issues by verifying that the protocols and constraint assumptions from CDC static sign-off were reflected in their simulation testbench.
Simportal’s checker files contain protocol checks and intent checks.
- Protocol checks. The protocol checks assess if their design protocols were met – ensuring the design will work in certain conditions. They cover two CDC analysis path types: data crossings (data stability checks and metastability injection) and control crossings (testability injection, pulse width checks, and gray code checks for FIFO synchronizers).
- Intent Checks. Nvidia used Meridian CDC Simportal’s intent checks to cross-verify that their CDC static sign-off constraint assumptions held true during dynamic CDC verification.
- Protocol checks. The protocol checks assess if their design protocols were met – ensuring the design will work in certain conditions. They cover two CDC analysis path types: data crossings (data stability checks and metastability injection) and control crossings (testability injection, pulse width checks, and gray code checks for FIFO synchronizers).
Full simulation coverage with low noise
After getting full coverage during CDC static sign-off, Nvidia wanted to also ensure coverage during dynamic CDC verification. To achieve this, their engineering teams collaborated to ensure that the simulation testbench had the correct test vectors to simulate/trigger the checkers during functional verification.
Simportal writes out checkers for every constraint and every design scenario. During simulation, the thousands of test vectors may trigger conditions which are not possible and can produce false violations.
Nvidia collaborated with Real Intent on how to reduce this noise, and Real Intent added a mechanism for engineers to specify waivers to suppress Simportal from writing out checkers for simulation on a certain path or for check types they know are safe. Nvidia’s approach was to first run the analysis without any waivers; then the CDC static sign-off owner and dynamic functional verification engineers would review the violations and collaborate on waivers for later runs.
Errors Found by Meridian CDC Simportal
Below are errors Nvidia was able to catch during their CDC verification case study with Real Intent.
- Pulse width failure. Nvidia’s protocol is that the width of the pulse should be held stable for at least 1.5 times the clock period of the received clock. The width of the data coming into the flop’s D pin input was less than one clock cycle, so this particular pulse at the output of the flop would not have been registered. This meant there was an error, either in their test vectors or in the design itself.
- Constant Failure. The signal was set to the constant value 0 in static CDC sign-off but had a constant value 1 in simulation at the given timestamp.
- Simulation Environment Error. Simportal’s metastability injection library artificially introduced metastability and showed the signal was not protected; the delay was increased and exceeded tolerance.
Conclusion
Nvidia’s clock domain crossing verification methodology includes data sharing and collaboration between different domains, which is key to a complete clock domain crossing sign-off process. In this way, they avoid a single point of failure that results from either a design error or different assumptions between the teams.
The engineers verify that their design is bug free, that the design is being tested under the correct conditions, and that their constraint assumptions hold from one domain to another domain.