A flexible approach to RDC verification allows skip-depth to be defined on a per-path basis, with different Tx resets and Rx clocks.
As system-on-chip (SoC) designs evolve, they aren’t just getting bigger — they’re becoming more intricate. One of the trickiest challenges in this evolution lies in handling resets. Today’s architectures often juggle multiple asynchronous reset sources alongside sequential elements such as non-resettable registers (NRRs), which operate without dedicated reset pins. When a signal crosses from an asynchronous reset domain to an NRR within the same clock domain, it is known as a reset domain crossing (RDC). If these crossings are overlooked, the consequences can be serious — ranging from metastability issues to functional failures. This is why static RDC verification tools play such a crucial role: they not only flag potential vulnerabilities but also ensure that signals transition smoothly and safely across reset domains.
Figure 1 illustrates that the RDC from flip-flop Tx to flip-flop NRR is safe, as the flip-flop F1 exists after the NRR flip-flop and has the same reset as Tx, provided the reset signal Rst1 is long enough to suppress metastability.
Fig. 1: RDC from Tx to NRR flip-flop.
Existing tools perform safe fanout analysis to determine whether the fanout elements of an NRR are safe; i.e., whether they are unconnected, share the same reset domain as the source/transmitter (Tx), or follow an ordered reset relationship. However, they struggle with scenarios involving complex combinational reset logic and overlapping reset domains and thereby report both safe and unsafe RDC paths without the necessary granularity to distinguish between them. This occurs due to inefficient fanout analysis and insufficient optimization of reset assertion sequences. As a result, designers are often faced with large volumes of verification data, much of which is irrelevant or non-critical, turning the process into a time-consuming task and heightening the risk of critical problems slipping through unnoticed. These current tools rely on global preferences — like the specification of the number of NRRs to skip (often termed skip-depth) to determine if a crossing is safe — that are not configurable at finer granularities, such as specific design boundaries or combinations of reset/clock domains.
This article proposes a flexible approach that allows the skip-depth to be defined on a per-path basis, with different Tx resets and Rx clocks. In addition, it introduces an intelligent filtering methodology that enhances the static RDC verification process by allowing context-aware filtering of safe RDCs to NRRs. By incorporating proactive functional analysis of reset assertion sequences, especially for complex combinational reset logic, this approach enables precise identification and elimination of safe crossings, reducing false positives and significantly easing the verification burden for designers. The following approaches are explored and discussed in detail: path-specific skip-depth configuration for N clock cycle stability and intelligent RDC filtering using Rx fanout reset dependency.
In existing RDC analysis flows for NRRs, tools typically depend on global preferences, such as a fixed skip-depth value that defines how many NRRs can be skipped for the safe fanout analysis. If functionally a particular asynchronous reset remains asserted for N clock cycles of the slowest clock, it will ensure that N NRRs in the design will also receive the RESET value. While useful in some cases, these global settings lack the flexibility to handle specific design boundaries or combinations of Tx reset and Rx clock domains.
For instance, consider the crossings to NRRs shown in Figure 2 and Figure 3. If the user globally sets a skip-depth value of 3, both illustrated crossings would be treated as safe by verification tools. In Figure 2, after skipping the delays introduced by Nrr1 and Nrr2, the fanout F1 effectively receives the same reset domain as Tx1. Similarly, in Figure 3, when the delays caused by Nrr3, Nrr4, and Nrr5 are skipped, the fanout F2 inherits the same reset domain as Tx2. As a result, both crossings are automatically filtered out as safe, regardless of their individual reset or clock domain context. However, if the intent is to mark only one of them as safe based on its unique reset and clock configuration, the global setting falls short.
Fig. 2: RDC from Tx1 to Nrr1 flip-flop.
Fig. 3: RDC from Tx2 to Nrr3 flip-flop.
To address this, a more granular approach is necessary, where the skip-depth can be configured on a per-path basis, taking into account the specific Tx reset and Rx clock for each crossing. This ensures that only crossings matching the defined context are considered safe, as the specified asynchronous reset is asserted for a defined number of clock cycles on a particular clock. This approach significantly enhances the accuracy of the verification process.
As reset architectures grow more complex, RDC tools often report an overwhelming number of violations, particularly involving NRRs, many of which are false positives. Traditional static analysis tools struggle to keep pace with intricate reset logic, especially when dealing with multiple reset domains combining to form combinational resets. To ensure meaningful results, RDC verification must strike a balance between detecting critical issues and minimizing noise through smarter, context-aware analysis.
Figure 4 illustrates a scenario where multiple asynchronous reset signals interact within the same design segment, potentially introducing metastability at the output register. In this setup, register F1 is controlled by two independent resets, Rst1 and Rst2. These two reset signals are not inherently synchronized or grouped under a unified reset domain unless explicitly constrained by the designer. Due to the lack of such specialized constraints or significant design-level adjustments to align these resets, verification tools interpret the reset domains of Tx and F1 as distinct. As a result, the RDC from flip-flop Tx to flip-flop NRR can cause metastability and hence is considered an unsafe crossing.
Fig. 4: RDC from Tx to NRR flip-flop, with multiple overlapping asynchronous resets.
Let us work with different reset sequences and figure out the presence of RDC issue here. Based on the schematic in Figure 4, listed in Table 1 are four reset assertion scenarios involving two primary asynchronous resets: Rst1 and Rst2. In the first two scenarios, reset Rst1 is asserted, thereby resetting both the transmitter and receiver. In this case, there is no possibility of an RDC issue as when Rst1 is asserted (low) it changes the state of F1 to the reset state regardless of the state of the other reset. The third and fourth scenarios trigger no RDC due to Tx not going into the reset state, and therefore there is no metastability at the crossing of Tx to NRR.
Table 1: Reset assertion combinations in RDC analysis.
| Combination No. | Rst1 | Rst2 | Result |
| 1 | 1 -> 0 | 1 -> 0 | No RDC issue |
| 2 | 1 -> 0 | 1 | No RDC issue |
| 3 | 1 | 1 -> 0 | No reset assertion at Tx, hence no RDC issue |
| 4 | 1 | 1 | No reset assertion at Tx, hence no RDC issue |
The above scenario highlights how multiple reset dependencies and combinational logic can give rise to false RDC to NRR violations. In cases where reset grouping isn’t explicitly defined, tools must step in and “read between the lines,” smartly analyzing reset behavior to distinguish real risks from harmless crossings.
To demonstrate the effectiveness of incorporating proactive functional analysis of reset assertion sequences, particularly for complex combinational reset logic, we applied our proposed methodology to multiple SoC-based designs with a skip-depth value of 3. As summarized in Table 2, this approach allowed for the accurate identification and filtering of functionally safe RDCs to NRRs, thereby reducing the number of false positives typically flagged by conventional verification tools. As a result, there was a significant decrease in the number of reported unsynchronized RDCs to NRRs across the tested designs. Key improvements included the accurate detection of safe crossings that do not pose a metastability risk and an overall reduction in the manual effort required to analyze and debug RDC issues.
Table 2: Reduction in RDC violations using intelligent Rx fanout reset dependency analysis.
| Designs | Count of Unsafe RDCs to NRR Using Existing Solutions | Count of Unsafe RDCs to NRRs Using Proposed Methodology (Fanout Reset Dependency Analysis) | Percentage Reduction in Unsafe RDCs Compared to Existing Solutions |
| Design 1 | 17982 | 16887 | 6.08 % |
| Design 2 | 30125 | 26430 | 12.26 % |
| Design 3 | 98231 | 70486 | 28.24 % |
The integration of functional reset analysis into static RDC verification flows has proven to be a valuable enhancement for handling complex reset scenarios in modern SoC designs. By intelligently distinguishing between safe and unsafe crossings, involving NRRs, this methodology not only improves the accuracy of reported results but also significantly lightens the verification burden for design teams. Designers are now better equipped to focus on actual violations, which improves productivity and accelerates the path to closure. Furthermore, the need for path-specific filtering, especially for crossings involving varied Tx reset and Rx clock combinations, highlights the limitations of relying solely on global skip-depth. Together, these innovations mark a substantial step forward in RDC verification, offering a smarter, more scalable approach for today’s increasingly intricate reset environments.
To learn more, kindly download the full paper: No reset, no risk: Smart handling of reset domain crossings to non-resettable flip-flops.
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
Leave a Reply