Industry Article

How Automated CDC Protocol Verification Accelerates Testing Processes

November 14, 2019 by Kurt Takara, Mentor

This article describes a methodology that automates set up, constraints, and results analysis as designs move from static CDC analysis to formal verification to simulation and avoid manual scripting efforts, thus reducing setup effort and errors.

Design teams realize that clock domain crossing (CDC) verification is a critical verification task, but many design teams only statically verify CDC synchronization structures. CDC synchronization structures alone will not prevent CDC errors, since incorrect synchronizer usage will result in data loss, data corruption or, in the worst case, metastability.

CDC protocol verification using assertions will prevent incorrect synchronizer usage, but traditional protocol verification is difficult and time-consuming. An automated methodology is required to avoid the traditional protocol verification challenges that create a very complex task for design and verification engineers.

Here are challenges encountered with traditional CDC protocol verification methodologies:

  • Significant effort and time is required to set up the design and assertions for formal and simulation
  • Complex and involved effort to integrate between structural analysis, formal verification, and simulation tools
  • Considerable effort required to review and debug firings in formal and simulation

In this article, we describe a methodology that automates set up, constraints, and results analysis as a design moves from static CDC analysis to formal verification to simulation. The automation provided by this methodology avoids manual scripting efforts and thus reduces setup effort and setup errors. This methodology also improves designer debug productivity by addressing the important issue of correlating structural analysis, formal verification, and simulation results. 


What Are CDC Protocols and Why Are They Needed?

Today’s complex designs include multiple asynchronous clocks. The signals crossing between asynchronous clock domains may result in functional errors. When a signal from one asynchronous clock domain is sampled by a register on a different asynchronous clock domain, the setup/hold timing requirement will inevitably be violated on the destination register and this register will become metastable. When designers add synchronization logic to prevent this propagation of metastable events, designers should implement and verify the correct CDC protocol associated with the logic structure. Without a correctly implemented protocol, a CDC structure will not function correctly and, thus, lose or corrupt data or propagate metastability. 

Although CDC synchronization structures are required to prevent metastability on CDC paths, designers often overlook the fact that a good logic structure alone is not sufficient to avoid CDC errors. If a CDC synchronizer is not used correctly, the CDC path may experience data loss or data corruption or, in the worst case, metastability. The rules that define the correct usage of a CDC synchronizer are called CDC protocols.

In the simplest protocol case, a 2DFF synchronizer requires a stability protocol where the transmit data must be held stable for at least two receive clock cycles in order for the RX register to reliably capture the TX data and prevent data loss or data corruption. In a more complex protocol case, a data-mux (DMUX) synchronizer requires that the TX data must be stable when the mux-enable is active and allows the RX register to sample the TX data. If the DMUX synchronizer protocol is violated, the RX register will become metastable even though a correct DMUX structure was implemented.


DMUX protocol rules

Figure 1. DMUX protocol rules


CDC protocol errors must be identified and addressed early in the design cycle, otherwise they can lead to functional failures in later stages. These functional failures can further result in increased iterations and even silicon re-spins. To ensure such issues are not missed, design and verification engineers verify synchronizer protocols by generating assertions for synchronizer protocols and verifying them using formal model checking and simulation techniques.


CDC Protocol Verification Challenges

Protocol verification is critical for avoiding CDC errors, but often project teams do not utilize protocol verification due to the multitude of deployment challenges. The common challenges for deployment include protocol verification set up, constraints set up, and difficulty in reviewing and debugging protocol results.


Protocol Assertion Generation and Verification Set Up Challenges

CDC structural analysis identifies the CDC synchronization structures, then CDC utilities automatically generate protocol assertions for the CDC synchronization structures. The CDC utilities generate assertion instantiations that connect the TX register, RX register, TX clock, RX clock, TX reset, and RX reset to the appropriate protocol assertion. 

After CDC protocol assertions are generated, it can be difficult for designers to incorporate these assertions into formal verification and simulation environments. For designers unfamiliar with formal analysis, it is challenging to generate formal compilation and analysis run scripts. For complex simulation environments, it is challenging to incorporate the protocol assertions into simulation regressions.


Formal Constraints Generation Challenges

The formal environment requires designers to specify formal setup constraints that include design configuration information, clock information, and input port information. The formal design configuration information includes constants specified for configuration ports and registers. The formal clock information includes the specification of the design clocks and the clock frequencies. The formal port information includes the specification of the primary input ports and their related clock domain information. For engineers unfamiliar with formal analysis, this specification can be a daunting task.


CDC Protocol Assertion Debug Challenges

In traditional CDC protocol methods, the protocol verification review and debug are isolated from the CDC structural analysis. This makes it more difficult for designers to correlate protocol assertion violations in the simulation or formal environment to the associated CDC synchronization structure. This lack of correlation between structural and protocol verification causes more time and effort to be spent by designers for review and debug of protocol verification results.


An Automated CDC Protocol Methodology

In response to these challenges and needs, we developed an automated methodology that not only helps overcome the common challenges of traditional protocol verification methods, but also better integrates formal model checking and simulation technologies to improve protocol verification results.


Automated protocol verification flow

Figure 2. Automated protocol verification flow


Automated Methodology Workflow

This automated methodology has a workflow consisting of four steps.


Static CDC Analysis

Static CDC analysis performs static CDC analysis on the design to ensure that all the relevant CDC paths are synchronized using proper synchronizers. In addition, it automatically generates protocol assertions, generates formal verification constraints, and generates formal verification and simulation setups.

  • Automatic Protocol Assertion Generation: Based on static CDC analysis, the CDC protocol generation utility generates protocol assertions specific to each CDC synchronizer type (Figure 3).


CDC protocol assertion instantiation

Figure 3. CDC protocol assertion instantiation


  • Automatic Formal Verification Constraints Generation: The CDC protocol generation utility converts the CDC constraints information for constant, stable, and gray-code signals into SVA assumptions for formal verification. In addition, input and output port clock domain information are converted into formal constraints to improve the accuracy of formal counter-examples.
  • Automatic Formal Verification and Simulation Set Up: The CDC protocol generation utility generates formal model checking run scripts. The utility also generates a simulation arguments file to be added to the designer’s existing simulation environment, so designers can easily add protocol assertions and avoid manually adding multiple assertion and bind module files to their simulation.


Formal Analysis

Formal analysis runs formal model checking compile and run scripts to verify the auto-generated synchronizer protocol assertions using the generated formal verification setup. The automated formal setup significantly reduces the effort required to set up the design for formal analysis and also avoids the debug effort to resolve incomplete or incorrect setup issues.

A formal proof for any protocol assertion indicates that the protocol can never be violated for the associated CDC synchronization structure, so the structure is safe from data loss, data corruption, and the propagation of metastability. For designers without formal model checking expertise, it is difficult to debug and/or resolve fired and inconclusive assertions, so instead of debugging these difficult cases, designers will promote these assertions to simulation.



Simulation verifies the non-proven protocol assertions by adding the auto-generated setup files to the existing simulation environment. The CDC protocol generation utility generates simulation arguments files for compilation and simulation. 

During the formal analysis, the formal analysis script automatically updates the simulation setup files to remove the proven assertions from the list of assertions for simulation. Removing the proven assertions from simulation will reduce the simulation runtime and reduce the effort of reviewing simulation results for proven assertions that cannot be violated in simulation.

Any simulation assertion firings indicate a violation of the CDC synchronizer protocol that would result in data loss, data corruption, or metastability propagation on the associated CDC path. Designers must debug simulation firings and fix the CDC logic to adhere to the synchronizer protocol rules.


Review and Debug CDC Protocol Results

Review and debug CDC protocol results by first reviewing the aggregated structural CDC analysis, formal verification, and simulation results. The correlation between the multiple technologies (static CDC analysis, formal model checking, and simulation) enables designers to more quickly and easily debug and resolve protocol errors. This correlation enables designers to find the CDC structure associated with a protocol failure, then quickly diagnose the cause of the protocol error. This improved review and debug ensures that bugs are correctly analyzed and that protocols errors for CDC synchronizers are not missed or incorrectly analyzed.


Real-World Results

The deployment of the automated protocol verification methodology on actual designs has provided evidence of reduced design and verification effort and faster design closure.

When the automated methodology was performed on a set of designs, ranging from 1 to 30 million gates, the following improvements were realized (see Tables 1 and 2):

  • Significant reduction in formal set up time. Due to the automation of setup generation and the reduction of incremental debug iterations for incomplete and incorrect setups, the overall formal set up time was reduced by 3-5x.
  • Reduction in set up time for simulation. Due to the automation of set up generation and the reduction of incremental debug iterations for incomplete and incorrect setups, the overall simulation set up time was reduced by 6-17x.
  • Reduction in false firings in formal analysis. The automated setup generation and the import of CDC design constraints into formal analysis reduced the formal setup errors and caused a reduction in false firings. The formal assertion firings were reduced by 59%-68%.
  • Increased formal coverage. The improved formal setup and constraints resulted in less inconclusive assertions and more proofs and firings.
  • Increased simulation coverage. Removing proven assertions from simulation resulted in a higher percentage of fired and covered simulation assertions. Since the proven assertions were not simulated in the proposed methodology, the proven assertions were considered covered in order to maintain simulation coverage consistency between the traditional and proposed methodologies.
  • Reduction in simulation verification time and effort. There was a reduction in the number of assertions passed to simulation due to exclusion of formally proven assertions thereby reducing the verification effort required for reviewing proven assertions in simulation. The correlation of structural CDC analysis, formal verification, and simulation results improved debug productivity and led to easier correlation of protocol errors with their associated CDC paths. The time and effort for reviewing and debugging simulation results was not measured for these design case studies.

During the verification, the following were unaffected:

  • Minimal change in simulation runtime. The reduction in the number of assertions run in simulation due to the exclusion of formally proven assertions did not significantly change the simulation runtime.


Table 1. Results Using Traditional Protocol Verification Methodology

Table 1. Results Using Traditional Protocol Verification Methodology


Table 2. Results Using Proposed Protocol Verification Methodology

Table 2. Results using proposed protocol verification methodology


Conclusions Regarding Automated CDC Protocol Verification

This automated CDC protocol verification methodology is a systematic and repeatable solution for achieving closure on CDC protocol verification. The automated setup process reduces set up errors and the debug iterations required to resolve set up issues. Automated conversion of CDC constraints into formal model checking constraints improves the accuracy of formal analysis and reduces false formal firings. Finally, the integrated CDC structural analysis, formal verification, and simulation results enable an easier to use debug environment that allows designers to debug and fix protocol errors more quickly and with less effort.

This article was co-authored by Sukriti Bisht and Sulabh Kumar Khare, both of Mentor, a Siemens Business. 



  1. Mark Litterick, “Pragmatic Simulation-Based Verification of Clock Domain Crossing Signals and Jitter using System Verilog Assertions”, Verilab.
  2. William K. Lam, “Hardware Design Verification: Simulation and Formal Method-Based Approaches”, Prentice-Hall, Mar 3, 2005.
  3. Sulabh K. Khare, Ashish Hari, “Systematic Speedup Techniques for Functional CDC Verification Closure”, Mentor Graphics, advanced verification white paper.
  4. Ping Yeung, “Five Steps to Quality CDC Verification,” Mentor Graphics, advanced verification white paper.
  5. Sukriti Bisht, Sulabh K. Khare, Ashish Hari, “A Systematic Take on Addressing Dynamic CDC Verification Challenges”, DVCon US, 2019.

Industry Articles are a form of content that allows industry partners to share useful news, messages, and technology with All About Circuits readers in a way editorial content is not well suited to. All Industry Articles are subject to strict editorial guidelines with the intention of offering readers useful news, technical expertise, or stories. The viewpoints and opinions expressed in Industry Articles are those of the partner and not necessarily those of All About Circuits or its writers.