And how it affects your DO-254 project
Part of the Planning Process in DO-254 is knowing the appropriate FPGA tools and capabilities that you need and intend to use for your FPGA design. This is particularly important if your FPGA device operates with multiple asynchronous clocks, which necessitates using advanced verification techniques that target anomalies related to clock domain crossings (CDCs).
Typical electronic design automation (EDA) tools for functional simulation and static timing analysis are insufficient to uncover CDC effects, leaving systems at risk of failure without further specialized analysis. EDA tools typically concentrate on implementing and verifying functional requirements efficiently, but since CDCs are non-functional, they often elude traditional approaches.
What does RTCA/DO-254 guidance say about CDCs? The quick answer is nothing. The guidance does not mention clock domain crossings at all.
But does that mean you don’t have to worry about it? No, it certainly does not.
Keep in mind that DO-254 is a design assurance guidance. “Design Assurance” as defined in RTCA/DO-254 Appendix C, Page C-3 is as follows:
“All of those planned and systematic actions used to substantiate, at an adequate level of confidence, that design errors have been identified and corrected such that the hardware satisfies the application certification basis.”
So as a designer of an FPGA device that will be installed on commuter aircraft with people’s lives at stake, you carry a tremendous responsibility to ensure that you have eliminated all of the potential design errors at an adequate level of confidence. If your FPGA design has multiple asynchronous clocks, you should worry about the effects of CDCs and perform the appropriate mitigation strategies. When it comes to FPGA designs with multiple asynchronous clocks, certification authorities will most likely ask you three main questions (see below).
In this blog, I thought I’d help you learn some important CDC concepts and provide an overview of the bad effects of CDCs on your FPGA design.
Figure 1: Example of metastability, courtesy Altera
Effects of CDCs
Inevitably, CDCs appear in large FPGA designs. When logic spans a boundary between two separately clocked asynchronous domains, the result can be unpredictable. If clocks happen to align properly, all is well. When they misalign for even a brief moment, two probabilistic effects become major concerns.
CDCs are a non-functional phenomenon, resulting from how logic maps into an FPGA. Two issues are associated with unmitigated CDCs: metastability and data incoherence.
Metastability
The cause of metastability is a violation of register setup and hold times, based on when a clock signal arrives at a register relative to a change on its input. Depending on semiconductor processes and operating conditions, a register presented with a violation may enter an unstable state that is neither binary high nor low, and may then settle to an incorrect state. As shown in Figure 1, an input signal is transitioning just as the clock arrives. Instead of clocking in a firm logic 1 as intended from the input, the output waffles indecisively. In case A, it eventually recovers to the post-clock logic 1 after a clock-to-output delay. In case B, it reverts to the logic 0 seen prior to the clock. Before a metastable register returns to stability at either a correct or incorrect level, the interpretation of that output by receiving logic – which may see the same unstable level differently in various destinations – can propagate a bad result across an FPGA quickly. Unpredictability in one signal leads to safety risk.
Figure 2 – Example of data incoherence, courtesy Virginia Tech
Data Incoherence
FPGA logic often combines several signals. Data incoherence can occur when multiple signals, even ones individually synchronized, from one or more source domains change simultaneously. In the destination domain, some bits are captured on one clock edge and the remainder on the next. In the simple example in Figure 2, Sig[1] and Sig[2] are each captured properly, and Sig[0] is missed.
The result can be an invalid control state that can avalanche into a system-wide failure.
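As an added illustration (not code from this blog or the white paper it links to), the Python model below mimics the Figure 2 scenario: each bit of a 3-bit bus independently settles before or after the destination clock edge, so a plain binary bus can be captured as a value that was never present on the source side, while a Gray-coded bus (an assumed mitigation here, valid only for values that step by one, such as counters) can only be observed as its old or its new value.

```python
from itertools import product

WIDTH = 3  # three-bit bus, like Sig[2:0] in Figure 2 (constructed example)

def to_gray(n):
    """Binary -> reflected Gray code."""
    return n ^ (n >> 1)

def from_gray(g):
    """Reflected Gray code -> binary."""
    n = 0
    while g:
        n ^= g
        g >>= 1
    return n

def capture_bus(old, new, settled, width=WIDTH):
    """Model one destination-clock edge that lands while the bus is changing.

    settled[i] is True if bit i has already reached its new value when the
    destination register samples it, False if it still shows the old value.
    Routing skew and per-bit synchronizers make this independent per bit.
    """
    captured = 0
    for i in range(width):
        src = new if settled[i] else old
        captured |= ((src >> i) & 1) << i
    return captured

def possible_captures(old, new, width=WIDTH):
    """Every value the destination could observe for the transition old -> new."""
    return {capture_bus(old, new, s, width)
            for s in product((False, True), repeat=width)}

def binary_crossing(old, new):
    """Raw binary bus: every bit that differs may land on either side of the edge."""
    return possible_captures(old, new)

def gray_crossing(old, new):
    """Gray-coded bus (valid only for +/-1 steps): exactly one bit differs, so the
    destination decodes either the old or the new value, never a third one."""
    return {from_gray(v) for v in possible_captures(to_gray(old), to_gray(new))}

if __name__ == "__main__":
    # Figure 2 scenario: Sig[1] and Sig[2] captured, Sig[0] still at its old value
    print(capture_bus(0b011, 0b100, (False, True, True)))  # 0b101 == 5: neither 3 nor 4
    print(sorted(binary_crossing(3, 4)))  # 011 -> 100 flips all bits: all 8 values possible
    print(sorted(gray_crossing(3, 4)))    # only [3, 4]
```

A CDC tool flags the binary case because the three bits are independently synchronized; the model shows why that is a data-coherence problem even though each bit individually is clean.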
Metastability and data incoherence are the two main effects of CDCs, and both often lead to corrupted data propagating into the rest of your design. The cost of not finding defects in avionics systems can be massive, even up to failures with fatalities. To help reduce that possibility, RTCA/DO-254, Design Assurance Guidance for Airborne Electronic Hardware, calls for thorough verification and validation of designs.
So prior to starting your DO-254 Planning Process for an FPGA project with multiple asynchronous clocks, I highly encourage you to read this white paper on CDCs and how to properly mitigate them: Finding CDC Issues Before They Find You: Advanced CDC Verification for DO-254 Compliance.