Hello, In the past, Altera recommended (in an older version of the Quartus handbook) to always explicitly specify the default state of state machines, to ensure that whenever a state machine jumps into some illegal state (as a result of a timing glitch or a SEU), it will at least return to a valid state quickly. In VHDL, it translates to (assume the machine has only two valid states): case (my_state) is when state_1 => -- do stuff when state_2 => -- do other stuff when others => my_staet <= state_1; end case; The key here is the transition in "others", which isn't strictly required because the case covers all the real cases. However, this is important in "safe state machine" design. But now I've seen other recommendations in the Quartus handbook. The latest edition says that Quartus will ignore such explicit transitions. Instead, one has to use the "safe" attribute for state machines (or set them globally in the analysis settings). I hope I'm wrong, but have Altera really changed the policy just like that? Why can't Quartus just preserve the "others" logic whenever I specify it explicitly? Isn't it simpler for the designer to specify his state machines like this, than explicitly setting attributes? What have been your experiences with the safe encoding, manual and automatic? Thanks in advance

I didn't know about this new change you mentioned but I don't see how quartus will then compile old VHDL programs, it doesn't make sense to ignore the "when others" but must stay as an option. I always use reset as safety feature and wouldn't bother much about when others. when others is needed if you don't have reset and the circuit powers up in illegal state(even if you think you covered all legal states). I don't know of this problem occuring during normal running of design but only at power-up.

My unerstanding was that, the "others" case might be redundant in the VHDL simulation as you've covered every value of the enumerated state type; but this enumerated type is converted to a binary encoding during synthesis. This encoding might therefore not cover all states unless you have included the "others". The Quartus handbook that I have isn't entirely clear but seems to back up what you're saying, eliben: --- Quote Start --- "...synthesis tools detect if state machine logic is unreachable and minimize or remove the logic." --- Quote End --- I think that this is saying that the synthesis tools might / will remove any logic associated with the "others" if it thinks it can optimise it. If you're using third party synthesis tools then I'd check what they say. The manual doesn't explicitly say what Quartus does either - it seems a comment on synthesis tools generally - but I guess the implication is that Quartus will ignore the "others". Also: --- Quote Start --- "If the state machine is implemented as safe, the recovery logic forces its transition from an illegal state to the reset state." --- Quote End --- I guess it's something that Altera could do with clarifying - why ignore the "others" part of the case statement? It just seems a bit daft to me to explicitly ignore a piece of code.

The fact that the statement refers to reset state possibly means the discussion is in the context of having reset in the FSM. Therefore the reset will ensure that no unreachable state occurs at power up and thus any "when others" can be removed. If and due to an operational timing glitch an unreachable state occured then it is the fault of timing, the remedy is to not have timing problem in the first place. I know many designs(fpga or asic) that depend entirely on the startup value of a signal and don't care about operational glitches - not very healthy but in practice it works in a good design.

--- Quote Start --- I didn't know about this new change you mentioned but I don't see how quartus will then compile old VHDL programs, it doesn't make sense to ignore the "when others" but must stay as an option. I always use reset as safety feature and wouldn't bother much about when others. when others is needed if you don't have reset and the circuit powers up in illegal state(even if you think you covered all legal states). I don't know of this problem occuring during normal running of design but only at power-up. --- Quote End --- I think I was misunderstood. I didn't mean the reset state at all, but rather the "unreachable" states (holes in the encoding) that can be reached because of timing or SEU (radiation) glitches. The "safe" setting ensures that logic is generated to transfer the machine into its reset state if such an "illegal" state is reached. Previously, Altera said it's ok to just specify "when others" even when all the states have been covered in the case statements. Now, they've changed it, saying that Quartus will optimize away such code, and one should use the safe setting instead. This is what bothers me.

--- Quote Start --- I hope I'm wrong, but have Altera really changed the policy just like that? --- Quote End --- --- Quote Start --- Previously, Altera said it's ok to just specify "when others" even when all the states have been covered in the case statements. Now, they've changed it, saying that Quartus will optimize away such code, and one should use the safe setting instead. --- Quote End --- I haven't looked into how it works myself, but I do know that Altera had a change for safe state machines in Quartus integrated synthesis a few Quartus versions back. It's not a policy change--the tool changed.

safe state machines | Altera Community

32 Replies

Altera_Forum
Honored Contributor
17 years ago
It seems we are still learning from this interesting post.

I am surprised to conclude two points:
- managing illegal states needs a lot of logic(a bucket of logic) and so most tools abandoned it
- safety critical applications demand it and so some tools have this safety option

The following excerpt from the link below explains it well:
http://klabs.org/mapld04/papers/d/d219_berg_p.doc

State

Most designers believe that they are implementing a bucket-approach to fault tolerance when using the default clause (VHDL- when others) within a CASE statement. However, the synthesis tools ignore these statements when synthesizing state machines. Most designers are not aware that these statements (that suggest “bucketing” unused states and supplying a transition out of a fault condition) have no bearing on the actual gates being created. The reasoning behind this is that if the synthesis tool were to implement all unused states, the required area would be excessive.

Synthesis tools have a directive that the designer can use called “safe”. When applying this directive to a state machine, the tool can produce a bucket of illegal states. However, the designer must be forewarned that using the “safe” directive has many flaws:

1. It generally creates more gates than desired, i.e. buckets of illegal states can become very large.
2. Synplify will implement a “safe” one-hot but Leonardo and Precision will only implement a sequential state machine (binary or Gray encoding) while using the “safe” directive.
how Safe

Recently, there has been a surge of designers using the “safe” options offered by several different synthesis tools. They have defined a safe state machine as one that will always transition to a known state - i.e., if an SEU occurs and an illegal or unmapped state is reached, one will recover to a known state.

Synthesis tools offer a “safe” option (demand from the Aerospace industry):TYPE states IS ( IDLE, GET_DATA, PROCESS_DATA, SEND_DATA, BAD_DATA );

[/INDENT]SIGNAL current_state, next_state : states;

[/INDENT]attribute SAFE_FSM: Boolean;

[/INDENT]attribute SAFE_FSM of states: type is true;

[/INDENT]Although this scheme may appear to be “fool-proof”, it is not. The “safe” option will not always transition to a reliable (or known) state. Some have defined the word “known” as mapped. However, the idea is to be deterministic. The idea is to always flip into some “ERROR” or “IDLE” state upon getting an SEU. Flipping into a mapped state, in which the rest of the system may not know the state machine is there, is not deterministic. It is not good enough to transition to a mapped state:
The machine can get stuck waiting for an input that will never occur (rest of the system doesn’t know that you have flipped into this mapped state).
Unexpected signals can turn on (or off).
And many more reasons…
Altera_Forum
Honored Contributor
17 years ago
Good post. It doesn't usually add a ton of logic, but it's more than the decode of the other states(especially one-hot encoded machines, which have 2^n-n unencoded states). For one-hot, probably the best thing to do is not look for an unencoded state, but OR together something that looks for all the available states, and if it's a 0 then we're in no-man's land.

For safety critical, this is definitely an improvement, but my personal feeling is that it is far from safe. A safe state-machine with binary encoding will most likely jump to a known state, which often suffers from that previous problem of waiting for a signal that will never come because the rest of the system thinks it's in another state. And even if state-machines could be truly safe, everything in the design that has a feedback path will need checks. If a counter jumps to a different count value it may never recover from that(yes it could flip, but if the incrementer is dependent on some value decode, i.e. it counts different values based on it's current state) then it might be in an out of bounds value. It's just really, really difficult to be sure, and the people who really need it usually resort to redundant systems and polling, or stuff like that.
I'm not saying safe encoding is not important, just that most users don't really know how much it helps their system reliability, as it is not the only consideration. And I've seen users argue they need it for stuff that probably really doesn't, like a video game.
Altera_Forum
Honored Contributor
17 years ago
If a designer is concerned about this because of the risk of single event upset (http://en.wikipedia.org/wiki/single_event_upset), then maybe that design should use a device family like Stratix III that has particular support for mitigating that risk.
Altera_Forum
Honored Contributor
17 years ago
An Altera page about SEU is at http://www.altera.com/support/devices/reliability/seu/seu-index.html.
Altera_Forum
Honored Contributor
17 years ago
To refer to the initial discussion theme, Rysc summarized the Quartus 5.1 Handbook statements regarding safe FSM correctly. It clarifies, that OTHERS doesn't implement safe behaviour respectively, that Quartus didn't have a means to implement safe FSM behaviour. By using a binary state coding without unused states, a similar behaviour could be achieved anyway, if necessary for some reason.

The most common reasons for geting stuck in illegal states are violations of timing requirements, either with asynchronous inputs to a FSM or the clock itself, e. g. if the clock is supplied from an unsafe source, that can show glitches in some situations.
While the first problem can be easily avoided, the latter to my opinion contains a residual risk and may be a reason to use safe FSM. Although I basically agree with kaz, that safe behaviour must be achieved for the design as a whole, not only for an individual FSM, I think, that safe FSM in fact can help to make machines recover automatically from accidental states.
Altera_Forum
Honored Contributor
17 years ago
Excellent discussion chaps - very useful informative and demonstrative of what the forum is here for.

Good form.
Altera_Forum
Honored Contributor
17 years ago
I apologize that this comes late, but I've finally found the printed Altera booklet where this information appears. It's named "qil51006-5.0.0" and dated May 2005. In chapter 5 ("Design Recommendations for Altera Devices"), in the "State Machines" sections, the second bullet says:

--- Quote Start ---
Assign a default clause or statement to direct the state machine if it accidentally reaches an unused state.
--- Quote End ---

It doesn't say anything about minimizing such clauses automatically in this section, and nothing about the safe state machine option.
Altera_Forum
Honored Contributor
17 years ago
Safe state machine option wasn't yet available with Quartus V5, so it can't play a role in the said document.

I don't have the May 2005 version of the Quartus Handbook, but I found the same statement in the previous December 2004 edition. In October 2005, (with Quartus V5.1) the chapter was completely edited. Particularly the limited effect of a default statement had been clarified:

--- Quote Start ---
Synthesis tools remove any logic generated by a default state if it is not reachable by normal state machine operation.
--- Quote End ---

According to a more recent revision history, your May 2005 version is reflecting Quartus V5.0 functionality. I doubt however, that Quartus V5.0 is behaving different regarding default state.
Altera_Forum
Honored Contributor
17 years ago
It's a shame that we were misleaded by this particular version of the handbook.

As far as I understand, it's hard to check what Quartus really implements there? Can I see if it has actually minimized the states without digging in the netlist file?
Altera_Forum
Honored Contributor
17 years ago
Quartus is not minimizing the states rather than the connecting logic, with the result, that some illegal state codings may be non-escapable. You can check this with the Quartus FSM template design. In default one-state-hot coding, it uses four state variables. The FFs (with the input signal as clock enable) are simply connected to a chain with two inverters.
You can immediately identify two illegal state codings "1000" and "0111" that are non-escapable, cause they have an identical successor.

P.S.: I apologize for the picture quality. Unfortunately good quality gif files are resampled to bad quality jpg by the forum software.

Forum Discussion

safe state machines

32 Replies

Recent Discussions

Automatically added negative node for TDS output doesn't work with Agilex 5

Design Space Explorer - *** Fatal Error: Access Violation at 0X000000001E19EB30

Tensor block usage

Error (169008): Can't turn on open-drain option for differential I/O pin HPS_DDR3_DQS_N[1]

Highlight similar instances of a selected word fails when scrolling