White Paper

Automating Clock-Domain Crossing Verification for DO-254 (and other Safety-Critical) Designs

For the sake of safety and design assurance, CDC verification should be employed on every airborne design with multiple asynchronous clock domains.


DO-254 methodologies must ensure that a device behaves as specified and that everything possible is done to catch bugs before the device operates in flight. DO-254 projects should use an automated solution designed specifically for CDC verification, such as Questa CDC, to bridge the knowledge gap between design and verification teams and to ensure that every crossing between asynchronous clock domains is found and protected against metastability.

The metastability challenge in safety-critical designs

Metastability is the term for what happens in a digital circuit when the clock and data inputs of a flip-flop change at approximately the same time. In a single-clock design this is prevented by static timing analysis, which guarantees that setup and hold are met on every path. On a path that carries data between asynchronous clock domains, however, the timing relationship between the launching and capturing clock edges is unknown, so the data will eventually change inside the setup/hold window. When it does, the flip-flop output can hover at an intermediate level for an unbounded time before settling to an unpredictable value.

In this case the output of the flip-flop is said to have gone metastable, and the result is incorrect design functionality, such as data loss or data corruption on CDC paths. The situation arises in every design containing multiple asynchronous clocks, which is the case any time two or more discrete systems communicate.

Metastability is a serious problem in safety-critical designs, frequently causing chips to exhibit intermittent bugs that may not be caught until an in-flight failure. Traditional RTL simulation models flip-flops as ideal elements that never produce a metastable value, so it cannot expose these bugs, and finding every crossing by inspection is a manual, error-prone process. This paper describes the automated clock-domain-crossing verification solution DO-254 projects need, along with tips for assessing tools.
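The following is an added example, not code from the paper or from Questa CDC, showing the kind of structural rule an automated CDC tool applies to a netlist: any flip-flop whose D pin is driven, directly or through logic, by a flip-flop in a different clock domain is a crossing, and the crossing is accepted only when the destination is a two-flop synchronizer with no combinational logic in front of its first stage. The netlist format, the toy design, the clock names and all signal names are constructed for the illustration; a production tool also checks reconvergence, multi-bit buses, handshakes and FIFOs, which this example does not.

```python
# Added example (not Questa CDC's code or algorithm): a minimal structural
# CDC check over a toy gate-level netlist. The netlist format, the design and
# all names are constructed for this illustration.
from dataclasses import dataclass


@dataclass
class Flop:
    name: str
    clock: str   # name of the clock driving this register
    d: str       # net feeding the D pin: a flop name, a gate name or a primary input


@dataclass
class Gate:
    name: str
    inputs: list  # combinational gate; its output net takes the gate's name


class Netlist:
    def __init__(self, flops, gates):
        self.flops = {f.name: f for f in flops}
        self.gates = {g.name: g for g in gates}

    def driving_flops(self, net):
        """Trace a net backwards through combinational gates to the flops that
        drive it. Returns (sorted flop names, whether any gate was crossed).
        Nets that are neither flops nor gates are primary inputs and ignored."""
        if net in self.flops:
            return [net], False
        if net not in self.gates:
            return [], False
        found = set()
        for i in self.gates[net].inputs:
            names, _ = self.driving_flops(i)
            found.update(names)
        return sorted(found), True

    def loads(self, net):
        """Everything (flops and gates) that consumes this net."""
        return ([f for f in self.flops.values() if f.d == net]
                + [g for g in self.gates.values() if net in g.inputs])


NO_SECOND_STAGE = "no second synchronizer stage in destination domain"
LOGIC_BEFORE_SYNC = "combinational logic before first synchronizer stage"


def check_cdc(netlist):
    """Classify every path between flops in different clock domains.

    A crossing passes only if the destination flop is fed directly by the
    source flop (no logic that could glitch) and its sole load is a second
    flop in the same destination domain, i.e. a two-flop synchronizer.
    Returns (passed, violations) as lists of (src, dst) / (src, dst, reason)."""
    passed, violations = [], []
    for dst in netlist.flops.values():
        srcs, through_logic = netlist.driving_flops(dst.d)
        for s in srcs:
            src = netlist.flops[s]
            if src.clock == dst.clock:
                continue  # same domain: an ordinary path that STA times
            if through_logic:
                violations.append((src.name, dst.name, LOGIC_BEFORE_SYNC))
                continue
            loads = netlist.loads(dst.name)
            is_two_flop_sync = (len(loads) == 1 and isinstance(loads[0], Flop)
                                and loads[0].clock == dst.clock)
            if is_two_flop_sync:
                passed.append((src.name, dst.name))
            else:
                violations.append((src.name, dst.name, NO_SECOND_STAGE))
    return passed, violations


# Constructed design: clk_a and clk_b are asynchronous to each other.
SAMPLE = Netlist(
    flops=[
        Flop("req_a", "clk_a", "req_in"),
        Flop("data_a", "clk_a", "data_in"),
        Flop("sync1_b", "clk_b", "req_a"),     # stage 1 of a good synchronizer
        Flop("sync2_b", "clk_b", "sync1_b"),   # stage 2
        Flop("use_b", "clk_b", "and_b"),
        Flop("bad_b", "clk_b", "data_a"),      # single flop that fans out to logic
        Flop("cons_b", "clk_b", "logic_b"),
        Flop("glitch_b", "clk_b", "comb_a"),   # logic from clk_a drives D directly
    ],
    gates=[
        Gate("and_b", ["sync2_b", "en_b"]),
        Gate("logic_b", ["bad_b", "en_b"]),
        Gate("comb_a", ["req_a", "data_a"]),
    ],
)

if __name__ == "__main__":
    ok, bad = check_cdc(SAMPLE)
    for src, dst in ok:
        print(f"OK        {src} -> {dst}")
    for src, dst, why in bad:
        print(f"VIOLATION {src} -> {dst}: {why}")
```

On the constructed design the check accepts req_a -> sync1_b and reports three violations: data_a -> bad_b has no second stage, and both req_a and data_a reach glitch_b through the AND gate comb_a, where a glitch on the gate output can be captured as a spurious value before the synchronizer ever sees a stable input. Note that the check is purely structural: it says nothing about whether the data being crossed is stable long enough to be sampled, which is why multi-bit crossings need a handshake or FIFO rather than per-bit synchronizers.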
