Reset Synchronizers: How Hardware Releases Reset Without Causing Metastability

2026-06-03

You already know power-on reset gets the chip into a known state. But there's a subtle problem nobody warns software engineers about: asserting reset is easy, releasing it is hard. If reset deasserts asynchronously to your clock, every flip-flop in the design races to exit reset, and any one of them can land in metastability if reset's falling edge happens too close to a clock edge.

The fix is the reset synchronizer: a tiny circuit that lets reset assert immediately (asynchronously) but releases it synchronously to the clock. The canonical design is two cascaded flip-flops.

When external reset asserts, both flip-flops clear instantly — reset propagates without waiting for a clock. When reset deasserts, the first flop samples a 1 (may go metastable), the second flop samples the first flop's output one clock later. By the time the signal reaches the rest of the chip, it's resolved. This is asynchronous assert, synchronous deassert, and it's the standard pattern in every serious ASIC and FPGA design.

Real example: Xilinx explicitly recommends this pattern for UltraScale FPGAs in UG949. Their tools won't infer it from a plain always @(posedge clk or posedge rst) block — you must instantiate it. Skip it, and you'll see a chip that boots fine 999 times then hangs on power cycle #1000 because two flip-flops came out of reset on opposite clock edges and the FSM landed in an illegal state.

Rule of thumb for MTBF: Use the standard metastability formula MTBF = exp(t_r / τ) / (f_clk × f_data × T₀). For a 200 MHz clock with τ = 20 ps and T₀ = 1 ns, a single-flop synchronizer gives MTBF on the order of seconds — unusable. Two flops in series multiply the resolution time and push MTBF past 10⁹ years. Three flops are common in high-reliability designs (automotive, aerospace).

One more subtlety: every clock domain needs its own reset synchronizer fed from the master reset. A single synchronized reset distributed to multiple clock domains recreates the original problem in every domain that isn't the source clock.
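The circuit described above, with one instance per clock domain, written out as an added Verilog example (not code from the original newsletter or from any vendor guide). The module, port and parameter names are assumptions chosen for illustration, as is the choice of an active-high master reset with active-low synchronized outputs.

```verilog
// Added example: asynchronous-assert, synchronous-deassert reset synchronizer.
// All names here (reset_sync, rst_async, rst_n_sync, STAGES) are illustrative.
module reset_sync #(
    parameter integer STAGES = 2   // 2 is the canonical depth, 3 for high-reliability designs
) (
    input  wire clk,         // clock of the domain this reset feeds
    input  wire rst_async,   // active-high master reset, asynchronous to clk
    output wire rst_n_sync   // active-low reset, released synchronously to clk
);
    // ASYNC_REG is a Xilinx Vivado attribute that marks these flops as a
    // synchronizer chain; other tools ignore it.
    (* ASYNC_REG = "TRUE" *) reg [STAGES-1:0] sync_ff;

    always @(posedge clk or posedge rst_async) begin
        if (rst_async)
            sync_ff <= {STAGES{1'b0}};               // assert: every stage clears with no clock needed
        else
            sync_ff <= {sync_ff[STAGES-2:0], 1'b1};  // deassert: a constant 1 shifts through the chain
    end

    // Only the last stage drives the design, so a metastable first stage
    // has a full clock period to resolve before anything else sees it.
    assign rst_n_sync = sync_ff[STAGES-1];
endmodule

// One synchronizer per clock domain, each fed from the same master reset.
module two_domain_reset (
    input  wire clk_a,
    input  wire clk_b,
    input  wire rst_async,
    output wire rst_n_a,     // use only on flops clocked by clk_a
    output wire rst_n_b      // use only on flops clocked by clk_b
);
    reset_sync #(.STAGES(2)) u_sync_a (
        .clk(clk_a), .rst_async(rst_async), .rst_n_sync(rst_n_a)
    );
    reset_sync #(.STAGES(2)) u_sync_b (
        .clk(clk_b), .rst_async(rst_async), .rst_n_sync(rst_n_b)
    );
endmodule
```

Downstream logic in each domain then resets with always @(posedge clk_a or negedge rst_n_a), so assertion stays asynchronous while release is aligned to that domain's clock.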

See it in action: Check out Reset Methodology by Altera to see this theory applied.
Key Takeaway: Assert reset asynchronously so the chip stops instantly, but always deassert it through a two-flop synchronizer per clock domain — otherwise reset release itself becomes a metastability source.
