NASA Office of Logic Design

A scientific study of the problems of digital engineering for space flight systems,
with a view to their practical solution.


Please e-mail comments and suggestions for these guidelines and criteria.

Design Guidelines and Criteria for Space Flight Digital Electronics

IX. Timing Analysis

A. Introduction

Timing analysis of digital systems can be summarized quite simply: ensure that every parameter on the data sheet is met for all elements of the design.  In practice it can be a significant effort and care must be taken to ensure that the calculations are performed correctly.  A circuit properly designed and analyzed will work properly for all combinations of components over the entire specified operating environment.  Every time.

It is tempting to simply use Computer Aided Engineering (CAE) software tools and "push the button."  This does not work in the general case.  Typically, if the design style and circuits fit the model that the CAE tool vendor desires, then a lot of analysis can be done accurately and rapidly.  However, this doesn't work for all analyses and not all legitimate circuits fit the tool vendor's model, as we often have stringent requirements in power, area, functionality, etc.  CAE tools are not the answer.

B. Basics of Timing Analysis

The basis of all timing analysis is the clock and the flip-flop.

The clock, which is covered in detail in a previous section, must be well understood parametrically and must be glitch-free.  Thus, the timing analysis must ensure that any clocks that are generated by the logic are clean, are of bounded period and duty cycle, and are of a known phase relationship to other clock signals of interest.  Using voting circuits, for example, to generate clocks may result in problems if the voter is not hazard-free.  Logic synthesizers are capable of and have generated logic hazards in clock generation circuits.

The flip-flop (or latch) is the basis of this section.  Quite simply, one must prove that all of the flip-flop's parameters are always met.  The only exception to this is when synchronizers are used to synchronize asynchronous signals, the topic of another section of these guidelines.

The clock must, for both high and low phases, meet the minimum pulse width requirements.  Certain circuits, such as PLLs, may have other requirements such as maximum jitter.  As the clock speeds increase, jitter becomes an increasingly important parameter.  For clocks that are close to the device's specifications, note how the high and low times are measured and the characteristics of the clock, as the threshold voltage may differ between the clock specification and the input device's.  Also, the transition time of the clock signal, affected by loading and the environmental factors, can degrade the available pulse width.  Failure to maintain a proper pulse width can result in the flip-flop going "metastable."

For asynchronous presets and clears, there are two basic parameters that must be met.  Obviously, there is a pulse width requirement that must be guaranteed.   However, removing the preset or clear from a device asynchronously to the clock may result in metastable states in the sequential circuit.  This parameter is frequently called the removal time and is denoted as tREM.  Unfortunately, many data sheets do not specify the removal time.  That does not mean that it is not a requirement.

For data (or J, K, T, EN, synchronous clear, etc.) inputs, show that all setup and hold times are met for the earliest/latest arrival times for the clock.  Setup times are generally calculated by designers and suitable margins can be demonstrated under test.  Hold times, however, are frequently not calculated by designers and CAE tools sometimes calculate this incorrectly, use inaccurate databases, or some combination of the two.  One of the leading causes of digital logic malfunction is hold time violations.  For FPGAs, check the device specification carefully to see if the manufacturer will guarantee that hold times will always be met when using the global clocks.  This is not always the case.

When "passing" data from one clock edge to the other, ensure that the worst-case duty cycle is used for the calculation.  A frequent source of error is the analyst assuming that every clock will have a 50% duty cycle.

When passing data from one clock domain to another, ensure either that there are known phase relationships which will guarantee meeting setup and hold times or that the circuits are properly synchronized.

If you are relying on measured values to "screen" the parts for meeting the worst-case analysis, ensure that the parts' testing is done for both the best and the worst case access times.  For example:

C. Environmental Effects

For robust circuits, designs must be tolerant of various environmental effects.  These include:

  1. Temperature

  2. Voltage

  3. Life time

  4. Radiation

  5. Process, Speed Grade, and Programming

In general, analysts will do an extreme value analysis (EVA) based on the widest possible corners of each environmental factor, simultaneously.  This will result in a system with very wide margins and tolerance of unforeseen, off-nominal conditions.  However, this process will also in many cases needlessly limit performance, increase resource consumption, or force more complex architectures and analysis.  For example, for two flip-flops located on the same die just a few microns apart, one flip-flop will not be at -55 °C while its neighbor is at +125 °C.  In this case, it would be reasonable to "sharpen the pencil."  Assuming 100% tracking is not valid either for this parameter; for others, no tracking can be assumed.  Often the designer/analyst will be limited by the data and/or models available and will not be able to determine how much tracking will occur.  In this case, the least amount of tracking will have to be assumed, a conservative approach.

The temperatures and voltages used will be a function of each particular mission and the location of the electronics.  Ensure that worst-case values are used plus margin, as specified in the project's reliability plan, and not the more optimistic expected values.  There have been many missions where the actual values were outside the bounds of the expected values.

Components do age and their characteristics change.  However, one can not assume that all propagation delays, as an example, will track and that the relative delays will remain unchanged.  For example, for certain FPGAs, several studies of life test data showed that not only will the delays not track, but that they may not even have the same sign, with devices sampled from a single manufacturing lot.  Hence, one can not demonstrate hold time margin by test.  In general, most programs will specify ±10% for propagation delay change over the mission lifetime.

The approach for radiation is similar to life, above.  One can not assume perfect tracking.  Again, ±10% for propagation delay change over the mission is generally used.

Typical timing analysis programs will allow one to select a setting for process, typically best, typical and worst.  To effectively use these settings, note that this is not a predictor of circuit speed but a bound for circuit speed.  Many engineers and analysts assume that this will predict speed or prove that two circuits can not lose a race.  This is not the case.  For example, no two transistors will be processed identically, although often it will be fairly close.  There are lot to lot variations, wafer to wafer variations within a lot, die to die variations on a wafer, and transistor to transistor variation on a die.  Hence, one must treat these values as bounds and not as actual values.  There will be a certain degree of tracking.  How much you can use in an analysis depends on the data available and algorithms available in the CAE tools. 

The speed grade setting can often be misleading for timing analyses.   For the worst or slowest case, the speed grade, as stamped on the part, is the correct setting to use.  For the best or fastest case, using the grade on the case can give you an incorrect answer.  For example, some FPGAs are binned by measuring the speed of a special test circuit and ensuring that the speed is less than some threshold value.  This is a one-sided relation and parts that would pass a faster speed grade will be binned and stamped with the lower one; otherwise the parts can not be shipped, since the part number would be wrong.  So, for the best or fastest case, use the fastest speed grade the tool supplies, unless you have specific knowledge.  This may come from a specification or from read and record data from the vendor.

For antifuse based FPGAs, the amount of "tracking" that can be assumed in an analysis will be less than is often found in other device types.  While the transistors on a die will track to a certain degree, as they are fabricated together, the distribution of programmed antifuse resistance will resemble a random variable.

Taken together, this means that if you wish to guarantee that signal A always arrives before signal B by T nanoseconds, running a dynamic simulation with all values set to the worst-case will give an incorrect answer as there is no guarantee that all paths will be the worst.  In reality, they will not.  That is why min-max or extreme value analysis is required for accurate timing analysis.
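The min-max analysis described above, worked for a single flip-flop to flip-flop path, as an added example that is not part of the original guidelines. All delay values are constructed, the function and field names are hypothetical, and the ±10% drift from the life and radiation paragraphs is applied with no tracking assumed between paths.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Delay:
    """A propagation delay in ns, treated as a bound [lo, hi], not a prediction."""
    lo: float
    hi: float

    def derate(self, frac):
        # Widen both bounds: delays may drift either way and need not track.
        return Delay(self.lo * (1 - frac), self.hi * (1 + frac))

def min_max_slack(period, clk_launch, clk_capture, clk_to_q, logic,
                  t_su, t_h, drift=0.10):
    """Extreme value analysis of one same-edge flip-flop to flip-flop path."""
    cl, cc, cq, lg = (d.derate(drift)
                      for d in (clk_launch, clk_capture, clk_to_q, logic))
    # Setup: latest data against the earliest capturing clock, one period on.
    setup = period + cc.lo - (cl.hi + cq.hi + lg.hi) - t_su
    # Hold: earliest data against the latest capturing clock, same edge.
    hold = (cl.lo + cq.lo + lg.lo) - cc.hi - t_h
    return setup, hold

def single_corner_slack(period, clk_launch, clk_capture, clk_to_q, logic,
                        t_su, t_h, corner):
    """What a run with every delay pinned to one corner ('lo' or 'hi') reports."""
    cl, cc, cq, lg = (getattr(d, corner)
                      for d in (clk_launch, clk_capture, clk_to_q, logic))
    setup = period + cc - (cl + cq + lg) - t_su
    hold = (cl + cq + lg) - cc - t_h
    return setup, hold

# Constructed numbers (ns) for a hypothetical path; not from any data sheet.
PATH = dict(
    period=25.0,
    clk_launch=Delay(2.0, 4.0),    # clock arrival at the launching flip-flop
    clk_capture=Delay(2.0, 4.0),   # clock arrival at the capturing flip-flop
    clk_to_q=Delay(0.5, 3.0),
    logic=Delay(0.4, 12.0),
    t_su=1.0,
    t_h=0.5,
)

if __name__ == "__main__":
    for corner in ("lo", "hi"):
        print(corner, single_corner_slack(corner=corner, **PATH))
    print("min-max", min_max_slack(**PATH))
```

Both single-corner runs report positive hold slack because the two clock branches move together in them; the min-max result exposes the hold violation that appears when the launch clock is early and the capture clock is late.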

References, Notes, and Related Documents

  1. Digital Timing Analysis Tools and Techniques

  2. Root-Sum-Square (RSS) Calculations of Digital Timing Delays

  3. NSCAT Digital Subsystem Design Documentation and Analyses

  4. Galileo AACSE: Worst Case Analyses (WCA) Description and Criteria

  5. "Propagation Delay and Aging," OLD News #4, August 3, 2002.

  6. "Minimum Delays and Clock Skew in SX-A and SX-S FPGAs," OLD News #13, July 15, 2003.

  7. "Logic Design: Clocking, Timing Analysis, Finite State Machines, and Verification," Presented at the 2002 MAPLD International Conference, Laurel, MD, September 9, 2002.

  8. Timing Analysis of Asynchronous Signals

  9. Discussion of Metastable States.

  10. Signal integrity of the clocks is important, not only for ensuring that the propagation delays are calculated correctly, but that the devices function properly.  Often the clock inputs must meet more stringent requirements than typical signals, with fast transition times specified as well as lower values for VIL and higher values for VIH.

  11. "RT54SX72S: Propagation Delay vs. Life," June 6, 2004.

Last Revised: February 03, 2010
Digital Engineering Institute
Web Grunt: Richard Katz