When Should You and When Should You Not Use VHDL?

1
When Should You and When Should You Not Use VHDL?

• Richard B. Katz
• NASA Office of Logic Design
• 2004 MAPLD International Conference
• September 8-10, 2004
• Washington, D.C.

2
Abstract
Many designers will design all of their ASIC and
FPGA logic circuits in VHDL or some other
HDL. Is that the correct approach for critical
applications of digital logic? When should you
and when should you not design with VHDL in
critical military and aerospace applications?
3
Sample Applications to Discuss(Some Real, Some
Hypothetical)

• Critical Timing Circuit in a Scientific
  Instrument
• Timing unit with lt 400 ps resolution
• Controller for a Crane in an Industrial
  Environment.
• Moving a Space Shuttle Orbiter
• Initiation Circuit for Explosives and Rockets
• Warhead Fuzes
• Self-Destruct Charges on a Solid Rocket Booster
  (manned)
• Rocket Motor On Fighter Aircraft Missile

4
Critical Timing Circuit in a Scientific
InstrumentTiming unit with lt 400 ps resolution

• Dont have to like it, you just have to do it.
• Requires hand placement of many critical modules
• Minimize Delays
• Match Delays
• Aid in calibration
• Try to cancel temperature coefficients for tPD
• Assume on order of 100 modules must be hand
  placed.
• Schematic
• Straightforward to identify modules and place
  them. Names in the design match the names in the
  back end tool.
• VHDL
• Munges names, names constant from run to run?
  Effects on timing constraint/analysis tools?

5
Skew and Clocks
6
Quick Review of Clock Skew
Early FF1CLK
D
E
Late FF2CLK
Note used min, best case for prop delays and
max, worst-case for clock path to FF2.
7
An Excerpt from OLD News 13

• The findings below are accurate at the time of
  this posting and is the manufacturer's current
  guidance.
• Minimum delay numbers calculated by the timing
  analysis tools are not guaranteed. They are not
  bound and actuals may be less then the reported
  values. This is true for Designer's TIMER as well
  as files containing extracted delays such as .sdf
  files.
• For an arbitrary flip-flop pair, with a common
  edge (either rising or falling), when clocked by
  a global routed array clock
• There is no guarantee that it will be correct by
  construction under all conditions and placements.
  
• There is no certified technique to prove adequate
  margin by analysis with the current tool set.
• Skew-tolerant design techniques are recommended.

Reference http//www.klabs.org/richcontent/old_ne
ws/old_news_13/
8
A Schematic Approach to Skew-Tolerant Circuits
9
A VHDL Approach to Skew Tolerant Circuits
DTCountIntNEProcProcess ( Clock, Reset
)Begin  if Reset ActiveReset then   
DTCountIntNE lt "00000000"     elsif
Falling_Edge ( Clock ) then      if ReadPulse
'1' then        DTCountIntNE lt DTCountInt
1        end if    end if End Process
DTCountIntNEProcDTCountIntProcProcess (
Clock )Begin  if Rising_Edge ( Clock ) then   
DTCountInt lt DTCountIntNE    end if End
Process DTCountIntProc
10
Verification

• Is functional level simulation adequate?
• Examine circuit level result of the VHDL
  synthesis process. Is this practical?
• Labor Intensive
• Redo for each synthesizer revision?
• Redo for each synthesis run?

11
Functional level simulation adequate?
Original
Optimized
The two circuits are logically equivalent when
analyzed with Boolean logic equations with the
lower, CAE-optimized circuit, permitting higher
device speeds. An SEU analysis shows the
addition of a second state variable with an upset
resulting in the "optimized" circuit containing a
state where Q  QN, violating the system
equations and causing a failure.
12
Critical DelaysOK, not a VHDL slide, but shows
the need for examination of circuits
An old slide but the principle resurfaces many
times. In a recent examination of a military
safety-critical system, it was found that the
designer was making delays with gates, the back
end software was removing them, and he was
unaware since he did not understand either the
software he was using or the actual design as
implemented.
13
VHDL Code and Synthesizer AnalysisCase Study -
Hardened Clock Generator

• The VHDL synthesizer, unknown to the designer,
  generated a poor circuit for a TMR voter
• Used 3 C-Cells for a voter
• Slowed the circuit down
• The implementation of the voter is hidden from
  the user
• Synthesizer generated a static hazard
• An SEU can result in a glitch on the "hardened"
  clock signal.
• Designer did not examine the synthesizers
  output.

14
VHDL Code and Synthesizer AnalysisCase Study -
Hardened Clock Generator
-- Divide 25 MHz (40 ns) clock by 4 -- to
produce 6.25 MHz clock (160 ns) -- This clock
should be placed on -- an internal global
buffer clkint1 clkint Port Map ( A gt
clk_div_cnt(1), Y gt clk_div4
) clkdiv Process (reset_n, clk) Begin If
reset_n '0' Then clk_div_cnt lt "00"
Elsif clk '1' And clk'EVENT Then
clk_div_cnt lt clk_div_cnt 1 End If End
Process clkdiv
15
VHDL Code and Synthesizer AnalysisCase Study -
Hardened Clock Generator
25MHz
CLK_DIV4
Most significant bit of the counter. 3 C-Cells
are used for the voter.
16
How Do You Verify Circuit Correctness for Safety
Critical Applications?