1. Pre-Tape-Out CDC Verification
Before committing to silicon, CDC must be verified comprehensively:
Phase 1: RTL Design (Weeks 1-2)
- CDC lint daily: Run Conformal/SpyGlass, fix violations immediately
- CDC expert review: Early design review with CDC specialist
- Documentation: Start CDC map, list all synchronizers
Phase 2: Functional Verification (Weeks 3-5)
- Testbenches: Write CDC-aware tests (metastability injection)
- Coverage: Target 95%+ on CDC modules
- PVT simulation: All corners (SS, FF, TT, SF, FS)
- Formal verification: Run OneSpin or JasperGold on critical paths
Phase 3: Pre-Synthesis (Week 6)
- Final CDC lint pass: MUST have zero high-severity warnings
- CDC expert sign-off: Written approval from CDC lead
- Documentation complete: CDC map, MTBF targets, constraints, test results
Phase 4: Post-Synthesis (Week 7)
- Formal equivalence: Verify synthesis didn't break CDC (Conformal)
- Timing closure: STA pass on CDC constraints
- Review netlist: Check CDC synchronizers still in place (no optimization removed them)
Phase 5: Post-Implementation (Week 8)
- Final timing verification: All CDC paths meet timing
- Layout review: CDC synchronizers properly placed (close together, no long routes)
- Final sign-off by project lead and CDC expert
2. Sign-Off Criteria
Design can tape-out only if ALL of these are true:
- ✅ CDC lint: Zero high-severity violations (low-severity with justification acceptable)
- ✅ CDC expert review: Formal sign-off document
- ✅ Simulation coverage: ≥95% on all CDC modules
- ✅ PVT testing: All corners passed (especially slow-slow)
- ✅ Formal verification: MTBF bounds proven (or formal-verified infeasible and simulation adequate)
- ✅ Setup/hold timing: Met everywhere except intentional metastable windows
- ✅ Equivalence check: Synthesis didn't change CDC logic (Conformal passes)
- ✅ Documentation: CDC map, synchronizer list, MTBF targets, test results, constraints
- ✅ Design review: Project lead approval (aware of CDC status, risks, mitigations)
3. Required CDC Documentation
1. Clock Domain Diagram
ASCII or diagram showing:
- All clock domains (names, frequencies, relationships)
- Data flows between domains
- Synchronizer locations (2FF, Gray, FIFO, pulse)
- Reset synchronization
2. CDC Crossing Map**
| From Domain | To Domain | Signal Name | Type | Synchronizer Type | MTBF Target |
|---|---|---|---|---|---|
| clk_core | clk_usb | config_data[31:0] | Data | Gray FIFO | > 1M years |
| clk_usb | clk_core | int_req | Pulse | Pulse sync | > 100M years |
3. Synchronizer Inventory**
- For each synchronizer: module name, instantiation location, parameters
- For each: expected MTBF, formal verification status
4. MTBF Analysis Report**
- MTBF targets by application (consumer, datacenter, automotive)
- Achieved MTBF for each CDC crossing
- Sensitivity analysis (how MTBF changes with frequency, voltage, temp)
5. Timing Constraint Report**
- False paths (CDC crossings allowed to violate setup/hold)
- Recovery/removal constraints for reset synchronizers
- Justification for each constraint
6. Test Results Summary**
- Coverage metrics (line, branch, CDC-specific)
- PVT test results (all corners passed)
- Metastability injection test results
- Frequency stress test results
7. Formal Verification Report**
- Properties verified (MTBF, deadlock-free, no data loss)
- Tool used, time to proof
- Any assumptions or restrictions
4. Post-Silicon Validation Strategy
Even with comprehensive pre-silicon verification, post-silicon testing is critical:
Phase 1: Bring-Up (Day 1-3)
- Basic clock domain functionality (clocks present, domains operational)
- Reset propagation verified (all domains reset correctly)
- Basic data crossing (simple writes and reads through CDC)
Phase 2: Stress Testing (Days 4-7)
- Frequency sweep (test at all specified frequencies)
- Temperature sweep (cold to hot, check for temp-dependent failures)
- Voltage margin testing (check MTBF at low voltage)
- Burst traffic (max frequency crossing, all domains simultaneous)
Phase 3: Long-Term Testing (Week 2+)
- Extended burn-in (weeks at temperature, looking for rare failures)
- Rotation through PVT corners (simulate customer usage patterns)
- Collect failure data (any CDC-related failures recorded)
5. Production Risk Mitigation
High-Risk Designs**
- Automotive (AEC-Q100): Stricter MTBF requirements, more formal verification
- Aerospace (AS9100): Complete traceability, exhaustive testing
- Medical (IEC 60601): Safety-critical, extensive documentation
Mitigation Strategies**
- Triple-FF synchronizers for safety-critical signals (triple redundancy)
- Separate CDC review board (independent expert review)
- Extended post-silicon validation (months of stress testing)
- Field telemetry (collect failure data from deployed devices)
- Field updates (ability to push fixes if CDC issue discovered)
6. Common Pre-Tape-Out Mistakes
- ❌ Mistake: Scheduling tape-out before CDC verification complete
- ✓ Fix: Buffer time (2-3 weeks) for CDC sign-off before planned date
- ❌ Mistake: CDC expert not involved until very late
- ✓ Fix: CDC expert reviews design from day 1
- ❌ Mistake: Assuming simulation proves all CDC bugs caught
- ✓ Fix: Use formal verification for high-risk crossings
- ❌ Mistake: Documentation as afterthought
- ✓ Fix: Document continuously throughout design
7. Final Verification Checklist (Pre-Tape-Out)
- ✅ CDC lint: Zero high-sev violations
- ✅ CDC lint detailed report: All findings justified
- ✅ Simulation: ≥95% coverage on CDC modules
- ✅ Metastability injection: Tested with random clock skew
- ✅ PVT corners: All passed (SS, FF, TT, SF, FS)
- ✅ Formal verification: MTBF bounds proven (or decision doc on why not used)
- ✅ Equivalence check: Synthesis didn't break CDC
- ✅ Timing closure: All CDC paths meet timing
- ✅ CDC expert sign-off: Written approval
- ✅ Documentation complete: All 7 documents present
- ✅ Design review meeting: Project lead aware and approved
- ✅ Post-silicon plan: Test strategy documented
8. Post-Tape-Out Responsibilities
CDC Expert (Weeks 1-8 of Silicon Bring-Up)
- Available for emergency CDC issues
- Review any failures that might be CDC-related
- Approve workarounds if CDC bug discovered
Design Team (Ongoing)
- Collect CDC-related failure data
- Verify pre-silicon MTBF predictions against real data
- Document lessons learned for next design
9. Post-Production Handoff Checklist**
- ✅ Documentation package: All CDC docs in shared repository
- ✅ RTL with CDC markers: Clear comments on synchronizer locations
- ✅ Verification collateral: Testbenches, test results
- ✅ Constraint files: CDC constraints saved (for future respin)
- ✅ Formal results: Proof certificates (OneSpin, JasperGold)
- ✅ Lessons learned: Document any issues found, how resolved
10. 15-Day Course Completion Checklist
You now understand:
- ✅ Days 1-5: Metastability physics, synchronizer design (2FF, Gray, pulse, FIFO)
- ✅ Days 6-8: Testing, formal verification, metastability simulation
- ✅ Days 9-10: Reset sync, multi-domain architecture
- ✅ Days 11-12: FPGA CDC, tools & EDA integration
- ✅ Days 13-15: Design patterns, debugging, production sign-off
You can now:
- ✅ Design safe CDC synchronizers from first principles
- ✅ Verify CDC designs comprehensively (simulation + formal)
- ✅ Debug CDC issues systematically
- ✅ Lead CDC sign-off for production chips
- ✅ Mentor others on CDC best practices
Congratulations on completing the Clock Domain Crossing Enhanced Course!