12004 MAPLDVHDL Synthesis Introduction Methodologies for Reliable Design Implementation Melanie Berg NASA Office of Logic Design 2004 MAPLD International Conference September 8-10, 2004 Washington, D.C.
22004 MAPLDVHDL Synthesis Introduction Overview This session will present methodologies for reliable design implementation Designs that are covered will first be explained. Following the design description, the corresponding VHDL will be presented Topics that will be covered: –Counters: Ripple vs. Synchronous –Triple Mode Redundancy (TMR) –Asynchronous Clock domain crossing –FIFO Memories –State Machines and Mitigation
32004 MAPLDVHDL Synthesis Introduction Common VHDL/Synthesis Misperceptions VHDL and its synthesis tools produce unexpected results VHDL does not produce efficient circuitry The synthesis tool will not produce what is desired VHDL is for software folks
42004 MAPLDVHDL Synthesis Introduction VHDL and Design One should not start writing VHDL code until the design is well understood and analyzed Anyone can pick up a VHDL book and learn syntax Anyone can pick up a synthesis manual and learn directives But how do we create reliable circuits?
52004 MAPLDVHDL Synthesis Introduction Key Ingredients for Successful and Reliable Designs: VHDL through Synthesis Remember … the goal is to design reliable hardware. VHDL – looks like software, however, the designer must understand proper hardware design techniques including the electrical characteristics of the employed technology VHDL RTL must functionally match gate level (post synthesis) for simulation purposes. This requires enforcing strict coding rules Designer must be familiar with the synthesis tools and their interpretation of VHDL code –Combinatorial circuits vs. Sequential –Clock structures and potential skew –Proper State machine implementation –Arithmetic circuitry –Clock domain crossings –Reset logic –Mitigation –When to use specific Synthesis directives –Etc… VHDL Coding Style is very important
62004 MAPLDVHDL Synthesis Introduction What is the Importance of VHDL Coding Styles. No Synthesis tool can be as efficient as proper Coding Style ASICS and FPGAs will be smaller and faster. Proper VHDL Coding Style is easier to verify We would like to shorten the Design Cycle. Coding Style will affect –Quality of Synthesis: drive to tool to better results, –FPGA mapping or design: can take advantage of the technology –Place and Route: designs that are well thought out will have a clean route
72004 MAPLDVHDL Synthesis Introduction Coding Style Specifics - Think “Hardware” Architect with comprehension of your target’s features (ASIC and FPGA) Separate Combinational and Registered blocks Watch out for inferred latches Pay attention to large fan-out nets Consider how you code state machines Be careful with designing long paths of logic Be aware of when you are able to use Resource sharing
82004 MAPLDVHDL Synthesis Introduction Code Restructuring If (Aflag=‘1’) outdata <= Adata; elsif (Bflag=‘1’) outdata <= Bdata; elsif (Cflag=‘1’) outdata <= Cdata; else outdata <= ‘0’; What circuit structure does this code produce? Which line of code is likely to be in the critical path?
92004 MAPLDVHDL Synthesis Introduction Answer: If (Aflag = ‘1’) outdata <= Adata; elsif (Bflag = ‘1’) outdata <= Bdata; elsif (Cflag = ‘1’) outdata <= Cdata; else outdata <= ‘0’; Cdata 0 CflagBflag Aflag Bdata Adata outdata
MAPLDVHDL Synthesis Introduction Code for Late-Arriving Signal if (cflag=‘1’ and aflag=‘0’ and bflag=‘0’) outdata <= Cflag; elsif (aflag=‘1’) outdata <= Aflag; elsif (bflag=‘1’) outdata <= Bflag; else outdata <= ‘0’; mux Cdata 0 Cflag Bflag Aflag Bdata Adata outdata and
MAPLDVHDL Synthesis Introduction Duplicating Logic to Improve Speed Most synthesis tools have a fanout control –Be careful, the tools don’t always pick the best implementation creating a more difficult design to place and route Better to explicitly duplicate logic in code –you may need to use the syn_keep option for combinational logic Good Examples to duplicate: –Address and control lines to large RAM –Clock enables –Synchronous reset signal –Other high fanout nets
MAPLDVHDL Synthesis Introduction Pipelining Logic to Improve Speed Pipelining is most efficient for critical paths which can not be fixed by special coding schemes. Some may think that it will increase area. However, with very long paths, synthesis may be duplicating logic in order to meet timing. Pipelining can reduce the replication. It also will help while in Place and route
MAPLDVHDL Synthesis Introduction Synthesis Tools Synthesis Optimization Algorithms are geared towards synchronous designs. –Unexpected synthesis gate level output can occur if the design is extremely asynchronous – tool gets confused The major parameters within the optimization algorithm are Timing and area –Timing is measured from a starting DFF (or input) through a combinatorial path to the next DFF (or output). Timing can only accurately be measured (during optimization) when the DFFs are connected to the same clock –Redundancy within VHDL code is usually synthesized away (area optimization). The designer must place synthesis directives (attributes) on the nets that are part of the redundant path
MAPLDVHDL Synthesis Introduction Synthesis Tools Designers should beware of push-button mitigation within synthesis. –Mitigation must be glitch-free –Safe directive for state machines is not effective … false sense of safety –When logic is added after VHDL-RTL phase, it is generally difficult/tedious to verify. Remember, reliable circuits must be verified –Companies are aware and are working on some of these issues Synthesis output can be trusted if proper synchronous design techniques (including cleanly written VHDL) are followed. However, Formal Verifiers are needed! This will increase our test coverage. –Companies are also aware of this… but … where is it?
MAPLDVHDL Synthesis Introduction Reliability Design can be verified to work under worse case conditions Aerospace specifics includes verifiable mitigation techniques under worse case conditions Circuit has predictable behavior Circuit has a definable reset state Bottom line is to Use the following Techniques: –Design for Verification (DFV) –Design for Test (DFV) –Design for Reliability (DFR)
MAPLDVHDL Synthesis Introduction Example: Reliability…Assumes a Technology with no Built-in TMR
MAPLDVHDL Synthesis Introduction Unreliable Circuit Design Example: Ripple Counters
MAPLDVHDL Synthesis Introduction VHDL Example of a Data output feeding a Clock input: Avoid for Reliability Process (sysclk,reset) Begin if reset = ‘0’ then dff0 <= ‘0’; elsif rising_edge(sysclk) then dff0 <= not dff0; end if; End process; Process (dff0,reset) Begin if reset = ‘0’ then dff1 <= ‘0’; elsif rising_edge(dff0) then dff1 <= not dff1; end if; End process;
MAPLDVHDL Synthesis Introduction Adding TMR to Circuitry It is up to the designer to pick the strategic places that TMR will be inserted. TMR must be glitch free TMR must be verifiable Synthesis directives (attributes) generally need to be used in order to not optimize away the Mitigation
MAPLDVHDL Synthesis Introduction Shared TMR Logic In this scheme – The designer must triple the number of DFF’s. The DFFs feed 1 TMR block If the technology is susceptible to transients, this method will not be efficient
MAPLDVHDL Synthesis Introduction Distributed TMR In this scheme – The designer must triple the number of DFF’s and triple the number of inserted TMR blocks. Although more area extensive, this method adds a level of reliability, If the technology is susceptible to transients
MAPLDVHDL Synthesis Introduction More Reliable Ripple Counter – Distributed TMR: Picture Depicts bit 0 and bit 1
MAPLDVHDL Synthesis Introduction More Reliable Ripple Counter – Still a Potential Problem Paths delays due to routing differences are never exact What happens if (referencing paths A, B, and C) A, B, and C are all logic 0 and are expected to go to a logic 1: –Path A comes in first –Path B comes in second (TMR logic will go to logic 1) –Path B gets hit by a SEU – path C has not come in yet – TMR logic will go to logic 0 … start of GLITCH! –Path C comes in – TMR now turns on once again Probability can be very small to negligible – depends on clock speed, and routing delay differences The glitch will have a relatively small period – will probably violate device specifications and can damage the device Also adds a major level of complexity within verification
MAPLDVHDL Synthesis Introduction Synchronous Reliable Solution Instead of a ripple counter, use a synchronous counter –Without Mitigation Case (no SEUs): Assumes a reset will clear any SEU hits that cause incorrect counting –With mitigation (glitch free TMR for example). Assumes counter must always be correct for Single Event Upsets Clock tree feeds the clock pin – Assuming a hardened clock tree (SET – free), SEU hits should not create DFF clock oscillations Data feeds data pins Although the SEU is Asynchronous, the glitch free TMR circuit will override the possible metastable oscillation on the data pin. The following example shares TMR circuitry per stage (unlike the other example where each path has separate TMR logic per stage). This design choice assumes a technology that will not have (or has an extremely low probability of) internal transient glitches or SETs.
MAPLDVHDL Synthesis Introduction VHDL Synchronous Counter without Mitigation Counter <= counter_in; Counter_plus_1 <= counter_in + 1;-- need special library for this statement Process (sysclk,reset) Begin if reset = ‘0’ then-- counter is resetable to a constant value counter_in ‘0’); elsif rising_edge(sysclk) then-- clock pin is connected to system clock counter_in <= counter_plus_1; end if; End process;
MAPLDVHDL Synthesis Introduction Post Synthesis RTL View without TMR (non-technology dependent)
MAPLDVHDL Synthesis Introduction VHDL Synchronous Counter with Mitigation signal declarations: For this circuit we will use 3 counters that feed into TMR voting logic. -- the output of the TMR will be fed into a combinatorial logic for the counter. -- the output of the combinatorial logic of the counter will be fed back into counter register signal counter_plus_1: std_logic_vector(3 downto 0); signal counter0_in: std_logic_vector(3 downto 0); signal counter1_in: std_logic_vector(3 downto 0); signal counter2_in: std_logic_vector(3 downto 0); signal counter_tmr: std_logic_vector(3 downto 0); attributes used as synthesis directives: Important so that mitigation logic will not get optimized away attribute syn_preserve : boolean; attribute syn_preserve of counter0_in : signal is true; attribute syn_preserve of counter1_in : signal is true; attribute syn_preserve of counter2_in : signal is true;
MAPLDVHDL Synthesis Introduction VHDL Synchronous Counter with Mitigation -- generate TMR logic for each bit of counter … works across the 3 counters -- TMR is a compiled entity in the work directory -- TMR_OUT <= (a and b) or (a and c) or (b and c) -- This TMR entity is written bit-wise, however, the designer can make a more robust entity that will accept vector inputs counter_string_tmr: for i in 3 downto 0 generate begin ucount_bit: entity work.TMR port map( A=> counter0_in(i), B=> counter1_in(i), C=> counter2_in(i), TMR_OUT=> counter_tmr(i) ); end generate;
MAPLDVHDL Synthesis Introduction VHDL Synchronous Counter with Mitigation counter_plus_1 <= counter_tmr + 1;-- Output of TMR circuitry counter <= counter_TMR; Process (sysclk,reset) Begin if reset = '0' then-- counter is resetable to a constant value counter0_in '0'); elsif rising_edge(sysclk) then-- clock pin is connected to system clock counter0_in <= counter_plus_1; end if; End process; Process (sysclk,reset) Begin if reset = '0' then-- counter is resetable to a constant value counter1_in '0'); elsif rising_edge(sysclk) then-- clock pin is connected to system clock counter1_in <= counter_plus_1; end if; End process; Process (sysclk,reset) Begin if reset = '0' then-- counter is resetable to a constant value counter2_in '0'); elsif rising_edge(sysclk) then-- clock pin is connected to system clock counter2_in <= counter_plus_1; end if; End process;
MAPLDVHDL Synthesis Introduction Post Synthesis RTL View with TMR (non- technology dependent)
MAPLDVHDL Synthesis Introduction VHDL Synchronous Counter with Mitigation Analysis No SEUs: –After static timing analysis has been verified and all paths meet timing with slack, all data is considered to be stable at each clock edge – no concerns for metastability or incorrect data capture SEU Hit –If an SEU hits a DFF, then the glitch free TMR will override any one DFF input change (output of TMR is stable), thus, data is still considered to be stable near a clock edge - no concerns for metastability or incorrect data capture Synchronous Advantage Meets Reliability Requirements –Easily verifiable in the RTL domain if static timing is met and gate level is functionally equivalent to RTL –Mitigation and general functional behavior is predictable under worse case conditions –TMR circuitry is verifiable (due to it being within the RTL vs being inserted in synthesis) –A Definable reset state exists
MAPLDVHDL Synthesis Introduction Asynchronous Clock Domain Crossing
MAPLDVHDL Synthesis Introduction Asynchronous Clock Domain Crossing Most common problem within designs. Why? –Designers usually don’t design for all corner cases – i.e. data must be synchronized to capturing clock domain before usage –Multiple clock domains add an extra level of complexity to the synthesis optimization algorithm. The major optimization parameters for the synthesis algorithm are timing and area Timing is measured for each synchronous path (DFFs connected to the same clock tree) Generally, extra timing constraints are necessary when crossing clock domains
MAPLDVHDL Synthesis Introduction Design Example Implement a serial asynchronous input port that receives: DCLK, DATA, and DENV. Skew relative to DCLK will be less than 10 ns Input speed can range from 5Khz to 10Mhz. DATA and DENV will change at the rising edge of the DCLK signal (thus will be stable at the falling edge). Input Data is in the form of 16 bit words MSB first. DENV is active high Technology has glitch-free hardened by design mitigation within the silicon (attached to DFFs)
MAPLDVHDL Synthesis Introduction Determine FPGA System Clock speed Limiting factor is the 10MHZ input – new data can come every 100 ns Data is asynchronous – need a metastability filter …
MAPLDVHDL Synthesis Introduction Need an Edge Detection for the Input signal Remember – there is a difference between the input clock and the FPGA system clock (asynchronous) Goal: Capture data while data is stable (avoid metastability) We want to detect an edge of the input control (DCLK), then look at the envelope (DENV) - see if it is active, then grab the data. Why the edge and not the level …We only want to sample input data once per input clock period …at a stable place in the clock period … Which edge should we use (falling or rising)?…
MAPLDVHDL Synthesis Introduction Analysis Most people will want to capture at the falling edge because data is known to be stable there. However, once you detect the stable edge you only have half an input clock period minus overhead … minus data to clock skew … Therefore – you will be required to implement a much faster system clock
MAPLDVHDL Synthesis Introduction
MAPLDVHDL Synthesis Introduction
MAPLDVHDL Synthesis Introduction Best Choice Look for the rising edge of the input clock. Although data is changing here… by the time you actually detect the clock – data will be valid! Remember – because the DCLK is asynchronous to your FPGA, it must go through a metastability filter before you can sample – THIS TAKES TIME … how much?…
MAPLDVHDL Synthesis Introduction
MAPLDVHDL Synthesis Introduction Metastability Filter uses DFFs … data only gets passed at a clock edge
MAPLDVHDL Synthesis Introduction Design Decision… Envelope will be captured by one DFF (no metastability filter) and will be “anded” with the clock edge detect in order to enable data capture …’ I.e. if the clock edge is detected and the envelope is valid then capture data. Thus the data does not go through a metastability filter either!!! Saves gates and is safe – we only look at data (and envelope when they are stable – the input clock edge tells all ) We can use only one DFF because the enable is guaranteed to be stable by the time the clock edge is detected …clock edge detection has to take at least 2 system clock cycles – by then envelope is clean. Why not send the DENV signal through a metastability filter too??
MAPLDVHDL Synthesis Introduction
MAPLDVHDL Synthesis Introduction
MAPLDVHDL Synthesis Introduction
MAPLDVHDL Synthesis Introduction Metastability Filter Recap: Choose only one signal (control signal) to send through the metastability filter – avoid skew of asynchronous input signal near clock edge problems Determine where the signals are stable relative to the incoming control signal Sample and grab data Do a complete timing analysis: watch out for skew, setup & hold, input clock frequency vs. system clock frequency. Watchout!!!! For large Fan-out of output of metastability filter – Synthesis tool may duplicate the filter. This will cause data to possibly be out of sync within different portions of the circuit – use a don’t_replicate attribute on the filter output
MAPLDVHDL Synthesis Introduction Metastability Filter Recap: Remember – Our example’s timing analysis applies to capturing the data relative to the same edge of the input clock that the input data changes – we can do this because we have a delay due to the metastability filter and this delay is larger than the 10 ns skew (between the clock, data, and envelope) listed in the spec. We chose to capture data relative to the same clock edge that the input data changes so that we can choose a slower clock – slower clock means less power and easier design implementation requirements.
MAPLDVHDL Synthesis Introduction Metastability Filter Recap: The designer could make the decision to capture data relative to the edge that the input clock is changing – however, that would require a much faster FPGA system clock for proper implementation -- see timing analysis. The designer could also choose to send the DENV and DDATA lines though metastability filters (not a good choice – unnecessary extra logic). However, this can only be done if you detect the input clock where data and envelope are stable …and capture there– otherwise (due to skew) incorrect results can occur
MAPLDVHDL Synthesis Introduction Based on the two previous Cases…Best and Worse Upon the worse case – we see that we will need at least 3 FPGA system clock cycles to capture the data… however we also need some overhead (20%) due to variations in environment (voltage, temperature, clock skew, process…) Clock needs to be… 3x < 100 ns -.20x –10 ns X becomes about ns … or 36MHZ For ease …Lets choose a 40 MHZ FPGA system clock (25 ns clock period … definitely fast enough)
MAPLDVHDL Synthesis Introduction Rule of Thumb: Asynchronous Data Capture Use a system clock that is 4 times faster than input clock… if possible… Otherwise you might be able to use both edges of the clock – can be tricky Or… use an asynchronous FIFO to capture the input data and then extract the data with the system clock … great choice if input clock and data rates are too fast!
MAPLDVHDL Synthesis Introduction Rule of Thumb: Asynchronous Data Capture (cont…) Only send one signal – a control signal – through a metastability filter. Otherwise, signal skew can cause data to be incorrectly captured. Determine where to sample the control signal such that data is stable (under all conditions) Use an edge detection circuit on your control signal (after the metastability filter) because your clock domain will be faster than your input clock domain. Use this one-cycle edge detection output to control data capture and other necessary functions – avoids multiple samples or counts per clock/data input pair
MAPLDVHDL Synthesis Introduction Next…Now that we figured out the FPGA System Clock Frequency … Let’s Construct the Input Block We need to shift the data into a shift register Count how many bits we have shifted in – this will need 4 bits in order to count to 16 Once we have captured 16 data bits… store the shift register into a Dout (data out) register and raise a ready flag. For our design, ready flag will only be valid for one system clock cycle Dout will only change once a full 16 bits have been captured into the shift register. Let’s check out the VHDL code
MAPLDVHDL Synthesis Introduction How Does VHDL Tie Into This? We need to create DFF’s and we need to create combinatorial logic. DFF’s store information and can only change at a clock edge. –Counters –Delay elements (I.e. an edge detection delay) –Flags –Shift registers
MAPLDVHDL Synthesis Introduction How Do We Create a DFF in VHDL ? Our job is to direct the synthesis tool to do exactly what we want… its difficult to get precisely what you want if you do not take the time to understand how the tool works. The synthesis tool looks for: process(sysclk,reset) -- sensitivity list for clock and reset begin if reset = '0' then-- connect the reset to the DFF DFF <= ‘0’;-- DFF gets a constant at reset Elsif rising_edge(sysclk) then-- clock connection DFF <= data;-- at clock edge DFF gets new data end if; End process;
MAPLDVHDL Synthesis Introduction Using a DFF Enable connection process(sysclk,reset) -- sensitivity list for clock and reset begin if reset = '0' then-- connect the reset to the DFF DFF <= ‘0’;-- DFF gets a 0 at reset Elsif rising_edge(sysclk) then if enable = ‘0’ then -- if statement creates an enable condition DFF <= data; -- at clock edge and enable DFF gets data end if; End process;
MAPLDVHDL Synthesis Introduction Using an Enable Connection In our case, we only want to capture data, and then count up (we’re counting how many bits we have), once per clock/data input pair. This input is generated at a slower rate than our FPGA internal clock. So it sits around for several of our clock periods. Thus we will use an enable that is only valid for one clock cycle in order to capture data and count it. This enable (as described earlier) will be active if we have detected a rising_clock_edge and an active envelope signal
MAPLDVHDL Synthesis Introduction
MAPLDVHDL Synthesis Introduction
MAPLDVHDL Synthesis Introduction
MAPLDVHDL Synthesis Introduction Metastability Filter Implementation within a Device without built in Mitigation A tradeoff analysis between mitigation techniques should be performed based off of: –clock speed –transient pulse width and probability of occurrence –additional area due to of an increase of logic gates Example: Distributed TMR with asynchronous inputs incurs a larger fanout (vs. shared TMR) on the DFF that can go metastable – this increases the probability of metastability on the second DFF of the metastability filter. However, with a slow enough clock speed, this may not be an issue.
MAPLDVHDL Synthesis Introduction FIFO Memory Control
MAPLDVHDL Synthesis Introduction FIFO Memories Definition: First in – First out memory Simultaneous write and read access to memory (dual port) Data written into a FIFO is sequentially read out in a pipelined manner – such that the first written will be the first read
MAPLDVHDL Synthesis Introduction General Package
MAPLDVHDL Synthesis Introduction FIFO Memory Ports Input port: write Output port: read Each port has an associated pointer (I.e. counter, address) No random access Write operation will increment the write pointer Read operation will increment the read pointer
MAPLDVHDL Synthesis Introduction
MAPLDVHDL Synthesis Introduction Clock Domains READ enable and READ pointer is synchronous to the read domain (rd_clk) WRITE enable and WRITE pointer is synchronous to wr_clk Rd_clk and wr_clk do not have to be synchronous!!!!!… Asynchronous FIFO
MAPLDVHDL Synthesis Introduction
MAPLDVHDL Synthesis Introduction
MAPLDVHDL Synthesis Introduction New Package
MAPLDVHDL Synthesis Introduction FIFO Full and Empty FIFO full when both pointers are equal FIFO empty when both pointers are equal Use an extra bit (MSB of counter) as a flag –If MSB’s are equal : Both pointers have wrapped around the memory an equal amount of time: EMPTY –If MSB’s are not equal: Write pointer has wrapped around one more cycle than the read - FULL
MAPLDVHDL Synthesis Introduction Pointer Compare How do we compare two pointers (counters) that are located in two different clock domains?
MAPLDVHDL Synthesis Introduction
MAPLDVHDL Synthesis Introduction Synchronization We need to synchronize the pointers before we do a compare (test for empty or full) Full Test: –Can not write another item if full! –As soon as write pointer reaches the read pointer set full flag –Synchronize the read pointer to the write clk before doing compare
MAPLDVHDL Synthesis Introduction Synchronization Empty Test: –Can not read another item if empty! –As soon as read pointer reaches the write pointer set empty flag –Synchronize the write pointer to the rd_clk before doing compare
MAPLDVHDL Synthesis Introduction
MAPLDVHDL Synthesis Introduction
MAPLDVHDL Synthesis Introduction Synchronization Solution Use Gray Code Counter Only 1 bit changes per clock period. Will not end up with a non deterministic value May still miss the bit as it changes, but will catch it by the next cycle Algorithm: –Convert the binary counters to Gray –Send the Gray encoded counter through a metastability filter in the other clock domain –The other clock domain will convert the Gray encoded counter (output of metastability filter) back to binary –The other clock domain will use the newly converted binary encoded counter to make a comparison with its counter
MAPLDVHDL Synthesis Introduction Gray Code Counters Very easy to implement … only 1 bit changes per transition
MAPLDVHDL Synthesis Introduction FIFO VHDL CODE Please see handout
MAPLDVHDL Synthesis Introduction State Machines
MAPLDVHDL Synthesis Introduction Definition of Fault Tolerance Masking or recovering from erroneous conditions in a system once they have been detected The degree of fault tolerance implementation is defined by your system level requirements… I.e. what actually is acceptable behavior upon error Questions that must be answered within the system requirements documentation: –Does your system only need to detect an error? –How quickly must the system respond to an error? –Must your system also correct the error? –Is the system susceptible to more than one error per clock cycle?
MAPLDVHDL Synthesis Introduction Synchronous State Machines A Finite State Machine (FSM) is designed to deterministically transition through a pattern of defined states A synchronous FSM transitions according to a clock edge and only accepts inputs that have been synchronized to the same clock Generally FSMs are utilized as control mechanisms Concern: –If an SEU occurs within a FSM, the entire system can lock up into an unreachable state
MAPLDVHDL Synthesis Introduction Synchronous State Machines The structure consists of four major parts: –Inputs –Current State Register –Next State Logic –Output logic
MAPLDVHDL Synthesis Introduction Encoding Schemes Each state of a FSM must be mapped into some type of encoding (pattern of bits) Once the state is mapped, it is then considered a defined (legal) state Unmapped bit patterns are illegal states
MAPLDVHDL Synthesis Introduction Encoding Schemes
MAPLDVHDL Synthesis Introduction Safe State Machines??? A “Safe” State Machine has been defined as one that: –Has a set of defined states –Can jump to a defined state if an illegal state has been reached (due to a SEU). Precision and Leonardo Synthesis tools offer a “Safe” option: TYPE states IS ( IDLE, GET_DATA, PROCESS_DATA, SEND_DATA, BAD_DATA ); SIGNAL current_state, next_state : states; attribute SAFE_FSM: Boolean; attribute SAFE_FSM of states: type is true; Designers Beware!!!!!!! –If using a CASE statement to implement the state machine: The others (or default) clause in your HDL is ignored by the synthesis tools. This logic will not get synthesized unless you explicitly attribute your FSM as “Safe” –Some versions of synthesis tools will not synthesize a “Safe” One-Hot
MAPLDVHDL Synthesis Introduction Binary Encoding: How Safe is the “Safe” Attribute? If a Binary encoded FSM flips into an illegal (unmapped) state, the safe option will return the FSM into a known state that is defined by the others or default clause If a Binary encoded FSM flips into a good state, this error will go undetected. –If the FSM is controlling a critical output, this phenomena can be very detrimental! –How safe is this?
MAPLDVHDL Synthesis Introduction Safe State Machines???
MAPLDVHDL Synthesis Introduction One-Hot vs. Binary There used to be a consensus suggesting that Binary is “safer” than One-Hot –Based on the idea that One-Hot requires more DFFs to implement a FSM thus has a higher probability of incurring an error This theory has been changed! –The community now understands that although One-Hot requires more registers, it has the built-in detection that is necessary for safe design –Binary encoding can lead to a very “un-safe” design
MAPLDVHDL Synthesis Introduction One-Hot vs. Binary Analysis One-Hot –Synthesis “Safe” directive will generally not work – FSM becomes too large –Each state in a One-Hot encoding has a hamming distance of two. –Error Detection: During normal operation, only one bit is turned on, thus It inherently has SEU error detection SEU Error detection can be accomplished using combinational logic SEUs occurring near a clock edge will always be detected Binary –Synthesis “Safe” directive generally will not meet requirements – can flip into a good state undetected –Binary Encoding has a hamming distance of One –Error Detection: It needs extra DFFs in order to implement error detection Utilizing an extra DFF can cause a SEU to go undetected due to glitches and routing differences between combinational logic and DFFs.
MAPLDVHDL Synthesis Introduction Conclusion of One-Hot vs. Binary Within a reliable architecture, it is best for the designer to use a one-hot state machine. True Error detection can be accomplished. However, if your system needs error correction, a more complex encoding scheme is required
MAPLDVHDL Synthesis Introduction FSM SEU: Error Correction : Using Companion States There exists many publications on Error Correction theory. None directly address how to correctly implement FSM fault correction while using current day synthesis tools. –Glitch control: Generally synthesis tools will produce “glitchy” logic –Synthesis “optimization” algorithms will erase the necessary redundancy for EDAC –The user must sometimes hand instantiate logic –The user must place the necessary attributes to avoid redundant logic erasure.
MAPLDVHDL Synthesis Introduction Error Correction within One Cycle: Using Companion States
MAPLDVHDL Synthesis Introduction Error Correction within One Cycle: Using Companion States 1. Find an encoding such that the states have a hamming distance of 3 (at least 3 bits must be different from state to state) (state-A), 11100(state-B), 01111(state-C), 10011(state-D). Five bits are necessary to encode a four-state machine in order to achieve the required hamming distance of three.
MAPLDVHDL Synthesis Introduction Error Correction within One Cycle: Hamming 3 Encoding …Using Companion States For each encoding, calculate the companion encodings such that the hamming distance is one… for example: –Companion encoding for state A (00000) is: 00001,00010,00100,01000,10000 –Companion encoding for state B (11100) is: 11101,11110,11001,10100,01100
MAPLDVHDL Synthesis Introduction Error Correction within One Cycle: Using Companion States When implementing the state machine, state A is encoded as and then (theoretically) “ OR-ed ” with all of its companion encodings. This covers all possible SEUs Do the same for all other states Use the output of the “ OR-ed ” states to determine next state logic. – Thus if a bit flips … the companion state will catch it and the FSM will be able to correctly determine the next state Be careful! The “ OR ” logic is more complex than simply using a string of “ OR ” gates.
MAPLDVHDL Synthesis Introduction Error Correction within One Cycle: Glitch Control One major issue that is extremely overlooked is SEUs are asynchronous and can occur near clock edges If this occurs, your error checking logic may cause a glitch Due to routing timing differences, this can cause incorrect values to be latched into the current state registers. Refer to a Karnaugh Map for glitch-less implementation The designer may have to hand instantiate the logic if the synthesis tool does not adhere to the VHDL as expected
MAPLDVHDL Synthesis Introduction Error Correction within One Cycle: Glitch Control
MAPLDVHDL Synthesis Introduction Error Correction within One Cycle: Glitch Control The designer will have to include the synthesis directives: –Preserve_driver –Preserve_signal Always check the gate level output of the synthesis tool.