12004 mapld/1002??? when should you and when should you not use vhdl? richard b. katz nasa office of...
TRANSCRIPT
12004 MAPLD/1002 ???
When Should You and When Should You Not Use VHDL?
Richard B. Katz
NASA Office of Logic Design
2004 MAPLD International Conference
September 8-10, 2004
Washington, D.C.
22004 MAPLD/1002 ???
Abstract
Many designers will design all of their ASIC and FPGA logic circuits in VHDL or some other HDL.
Is that the correct approach for “critical” applications of digital logic?
When should you and when should you not design with VHDL in critical military and aerospace applications?
32004 MAPLD/1002 ???
Sample Applications to Discuss(Some Real, Some Hypothetical)
• Critical Timing Circuit in a Scientific Instrument– Timing unit with < 400 ps resolution
• Controller for a Crane in an Industrial Environment.– Moving a Space Shuttle Orbiter
• Initiation Circuit for Explosives and Rockets– Warhead Fuzes
– Self-Destruct Charges on a Solid Rocket Booster (manned)
– Rocket Motor On Fighter Aircraft Missile
42004 MAPLD/1002 ???
Critical Timing Circuit in a Scientific InstrumentTiming unit with < 400 ps resolution
• Don’t have to like it, you just have to do it.
• Requires hand placement of many critical modules– Minimize Delays
– Match Delays• Aid in calibration
• Try to cancel temperature coefficients for tPD
– Assume on order of 100 modules must be hand placed.
• Schematic:– Straightforward to identify modules and place them. Names in the
design match the names in the back end tool.
• VHDL:– Munges names, names constant from run to run? Effects on timing
constraint/analysis tools?
52004 MAPLD/1002 ???
Skew and Clocks
62004 MAPLD/1002 ???
Quick Review of Clock Skew
Early FF1:CLK
Late FF2:CLK
D
E
Note: used min, best case for prop delays and max, worst-case for clock path to FF2.
72004 MAPLD/1002 ???
An Excerpt from OLD News #13
The findings below are accurate at the time of this posting and is the manufacturer's current guidance.
• Minimum delay numbers calculated by the timing analysis tools are not guaranteed. They are not bound and actuals may be less then the reported values. This is true for Designer's TIMER as well as files containing extracted delays such as .sdf files.
• For an arbitrary flip-flop pair, with a common edge (either rising or falling), when clocked by a global routed array clock:
– There is no guarantee that it will be correct by construction under all conditions and placements.
– There is no certified technique to prove adequate margin by analysis with the current tool set.
– Skew-tolerant design techniques are recommended.
Reference: http://www.klabs.org/richcontent/old_news/old_news_13/
82004 MAPLD/1002 ???
A Schematic Approach to Skew-Tolerant Circuits
92004 MAPLD/1002 ???
A VHDL Approach to Skew Tolerant Circuits
DTCountIntNEProc:Process ( Clock, Reset )Begin if Reset = ActiveReset then DTCountIntNE <= "00000000"; elsif Falling_Edge ( Clock ) then if ReadPulse = '1' then DTCountIntNE <= DTCountInt + 1; end if; end if; End Process DTCountIntNEProc;
DTCountIntProc:Process ( Clock )Begin if Rising_Edge ( Clock ) then DTCountInt <= DTCountIntNE; end if; End Process DTCountIntProc;
102004 MAPLD/1002 ???
Verification
• Is functional level simulation adequate?
• Examine circuit level result of the VHDL synthesis process. Is this practical?– Labor Intensive– Redo for each synthesizer revision?– Redo for each synthesis run?
112004 MAPLD/1002 ???
Functional level simulation adequate?
Original
“Optimized”
The two circuits are logically equivalent when analyzed with Boolean logic equations with the lower, CAE-optimized circuit, permitting higher device speeds. An SEU analysis shows the addition of a second state variable with an upset resulting in the "optimized" circuit containing a state where Q = QN, violating the system equations and causing a failure.
122004 MAPLD/1002 ???
Critical DelaysOK, not a VHDL slide, but shows the need for examination of circuits
An old slide but the principle resurfaces many times. In a recent examination of a military safety-critical system, it was found that the designer was making delays with gates, the back end software was removing them, and he was unaware since he did not understand either the software he was using or the actual design as implemented.
132004 MAPLD/1002 ???
VHDL Code and Synthesizer AnalysisCase Study - Hardened Clock Generator
• The VHDL synthesizer, unknown to the designer, generated a poor circuit for a TMR voter– Used 3 C-Cells for a voter
– Slowed the circuit down
• The implementation of the voter is hidden from the user– Synthesizer generated a static hazard
– An SEU can result in a glitch on the "hardened" clock signal.
• Designer did not examine the synthesizer’s output.
142004 MAPLD/1002 ???
VHDL Code and Synthesizer AnalysisCase Study - Hardened Clock Generator
-- Divide 25 MHz (40 ns) clock by 4-- to produce 6.25 MHz clock (160 ns)-- This clock should be placed on-- an internal global buffer
clkint1: clkintPort Map ( A => clk_div_cnt(1), Y => clk_div4 );
clkdiv: Process (reset_n, clk)Begin If reset_n = '0' Then clk_div_cnt <= "00"; Elsif clk = '1' And clk'EVENT Then clk_div_cnt <= clk_div_cnt + 1; End If;End Process clkdiv;
152004 MAPLD/1002 ???
VHDL Code and Synthesizer AnalysisCase Study - Hardened Clock Generator
Most significant bit of the counter. 3 C-Cells are used for the voter.
25MHz
CLK_DIV4
162004 MAPLD/1002 ???
How Do You Verify Circuit Correctness for Safety Critical
Applications?