The following figure shows a typical multistage synchronizer. The N synchronizer stages are all clocked from the right-hand clock (fc), but data transitions produced in the left-hand clock domain (fd) may violate the setup and hold constraints of the first synchronizer flip-flop. These violations can result in metastable behavior of each of the N stages, but each added flip-flop reduces the width of the synchronizer’s window of vulnerability. Data transitions within that narrow window can cause serious mischief in the right-hand domain since the outputs from logic blocks L1 and L2 can then be inconsistent and lead to an unknown state. N must be chosen so that the chance of a data transition falling within the narrow window of vulnerability is extremely rare and the resulting MTBF is exceedingly long.
Today, two-stage (N=2) synchronizers are routine and three and four stages are becoming more common. However, the calculation of MTBF for these multistage devices is not straightforward. In fact, our recent paper, “MTBF bounds for multistage synchronizers” makes it clear that published MTBF models give widely varying results: the MTBF calculated at a single process corner and at a single operating condition gave results that varied over five orders of magnitude among the existing models. When compared with complete circuit simulation, our model gave consistently accurate results as shown in the following figure.
As one can see, calculated results can accurately predict simulated MTBF values. Some noteworthy comments about this result:
- Only four parameters are required to predict MTBF over a wide range of clock periods and number of stages.
- These four parameters can be obtained from a few circuit simulations at a single clock frequency.
- As discussed in Part 1. the clock duty cycle must be known to calculate an effective settling time-constant.
- Also as discussed in Part 1, parameters from both Sam and Ian must be known to determine the multistage MTBF.
For the above figure, it is clear that at a 1 GHz clock rate, a 200 MHz data transition rate and the SS corner, this 90 nm single-stage, master-slave circuit was clearly unreliable for synchronizer service. A two-stage circuit has an MTBF of less than a year and even a three-stage circuit had an MTBF of less than 1000 years (considering you may have hundreds or even thousands of them in an ASIC, that’s still unreliable).
Risk of failure increases substantially at 45 nm and below, at lower supply voltages and at lower operating temperatures. Clearly, multistage synchronizers will find increasing use, particularly in multi-synchronous, custom silicon that goes into mission critical applications. Such applications include, for example, automotive engine control modules, lithium battery charger circuits, implantable medical devices, certain avionics products and industrial control systems. These designs should all have a critical sign-off covering all CDC MTBF specifications. The fact that it is not happening today is troubling.