The correct behaviour of storage elements like flip-flops or latches depends on a clock (or latch enable signal, as the corresponding signal is named in the case of a latch) being reliably provided at their respective clock input terminal. A failure to provide a valid clock, or a compromised clock signal, may result in invalid behaviour of the flip-flop, e.g. unintended overwriting of its value, storing an incorrect value or no storage at all. This may cause faults in subsequent logic components relying on the output of the flip-flop in question, thus putting the system at risk of device failures. Therefore, especially for safety critical applications, it is desirable to monitor the provision of clock signals to flip-flops in order to identify possible clock or storage issues. In many cases, clock monitors are employed that observe the related clock signals (which is only possible for the common clock path between the observed storage element(s) and the observer element), but they do not check that the main feature of those storage elements, i.e. the storage function, has not been compromised.
FIG. 9 schematically depicts the viewpoint of a safety specification on the left hand side. On the right hand side of FIG. 9, a more realistic physical implementation within a semiconductor device is depicted by way of example. A safety specification usually reflects the intention that the complete wire from the clock source 1001 to the flip-flop 1002 being part of a safety function is observed using an observer 1005. However, the reality implemented within a semiconductor device is impacted by the need to distribute the clock signal from its single source 1001 to multiple (sometimes several thousand) flip-flops 1002; this requires several levels of clock buffers 1007 (together referred to as the “clock tree”) to provide the required drive strength to the clock ports of all those flip-flops, since each clock buffer can only drive a limited number of subsequent elements. Furthermore, the required routing of the corresponding clock wires 1003 over the semiconductor device means that only a portion of the clock wires can be observed, namely the common portion 1004 of the path from the clock source to the observed flip-flop 1002 and to the clock observer 1005. A possibly very large portion 1006 of the remaining path may not be observed at all.
Furthermore, many safety applications observe the recorded value within those storage elements to identify failures due to an inadvertent change of such a value (which might be caused by environmental effects, e.g. alpha or beta particles or gamma rays) and try to at least detect and sometimes even correct such failures. A prominent example of such functionality is the Triple Voting Flop (TVP): three redundant flip-flops with subsequent voting logic that selects the final value based on a majority vote, thus having the capability to provide the correct value despite any single inadvertent change to one of its flip-flops that might have occurred.
Providing the capability to detect (or even correct) such incidents while also detecting failures of a storage element caused by a compromised clock avoids the need for traditional clock observers and provides a higher coverage of the involved clock signals, because the complete sub-tree of the clock tree feeding the storage element is covered. It also enables a significantly increased coverage of the clock driving this clock tree, as well as the detection of incidents caused by a compromised clock.
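The following Python model is an added illustration and is not part of this specification or of any implementation it describes; the class names, the single-event upset and the stuck sub-tree scenario are constructed assumptions. It shows the gap described above: majority voting masks a single corrupted flip-flop, but when the unobserved portion 1006 of the clock tree stops delivering edges, all three flip-flops keep a stale value unanimously, so neither the voter nor a clock observer on the common portion 1004 reports anything wrong.

```python
# Added example (not the specification's own code): behavioural model of a
# triple voting flop plus a clock observer that only sees the common clock path.
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class DFlipFlop:
    """Positive-edge-triggered D flip-flop; q is the stored bit."""
    q: int = 0
    prev_clk: int = 0

    def step(self, d: int, clk: int) -> int:
        # A value is stored only when a rising edge actually reaches the
        # clock port; without an edge the flop simply keeps its old value.
        if clk == 1 and self.prev_clk == 0:
            self.q = d
        self.prev_clk = clk
        return self.q


def majority(a: int, b: int, c: int) -> int:
    """Majority vote of three bits (the voting logic of a triple voting flop)."""
    return 1 if a + b + c >= 2 else 0


@dataclass
class TripleVotingFlop:
    """Three redundant flops sharing one D input, combined by majority vote."""
    flops: List[DFlipFlop] = field(
        default_factory=lambda: [DFlipFlop() for _ in range(3)])

    def step(self, d: int, clk_at_ports: int) -> int:
        # clk_at_ports is the clock level as it arrives at the three clock
        # ports (assumed identical: all three hang off the same sub-tree).
        outs = [f.step(d, clk_at_ports) for f in self.flops]
        return majority(*outs)

    def stored(self) -> List[int]:
        return [f.q for f in self.flops]

    def upset(self, index: int) -> None:
        # Constructed fault: a single-event upset flips one stored bit.
        self.flops[index].q ^= 1


class CommonPathClockObserver:
    """Counts rising edges on the common clock portion it is wired to."""

    def __init__(self) -> None:
        self.prev = 0
        self.edges = 0

    def observe(self, clk: int) -> None:
        if clk == 1 and self.prev == 0:
            self.edges += 1
        self.prev = clk

    def healthy(self, expected_edges: int) -> bool:
        return self.edges == expected_edges


def run_upset_scenario() -> Tuple[int, List[int]]:
    """One flop is corrupted after capture; the voter masks the error."""
    tvf = TripleVotingFlop()
    tvf.step(1, 0)
    tvf.step(1, 1)          # rising edge: all three flops capture 1
    tvf.upset(1)            # middle flop flips to 0
    return majority(*tvf.stored()), tvf.stored()


def run_stuck_subtree_scenario(cycles: int = 3) -> Tuple[List[int], List[int], bool]:
    """The source clock keeps toggling on the observed common portion, but the
    unobserved sub-tree feeding the flops is stuck low: D=1 is never stored."""
    tvf = TripleVotingFlop()
    observer = CommonPathClockObserver()
    tvf.step(0, 0)
    observer.observe(0)
    tvf.step(0, 1)          # one good edge before the fault: flops capture 0
    observer.observe(1)
    voted = []
    for _ in range(cycles):
        observer.observe(0)  # common portion toggles normally ...
        observer.observe(1)
        tvf.step(1, 0)       # ... but no edge reaches the clock ports
        voted.append(tvf.step(1, 0))
    # The voter returns the stale 0 unanimously and the observer counts every
    # expected edge, so the storage failure goes undetected by both.
    return voted, tvf.stored(), observer.healthy(1 + cycles)


if __name__ == "__main__":
    print("upset scenario (voted, stored):", run_upset_scenario())
    print("stuck sub-tree (voted, stored, observer ok):", run_stuck_subtree_scenario())
```

The second scenario is the point of the preceding paragraphs: a check of the storage function itself (did the flops capture D after the expected edge?) is needed, because disagreement among redundant flops and an observer on the common path are each blind to a clock that fails only in the unobserved sub-tree.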
The document WO 87/07793 A1 discloses a standard triple modular redundancy scheme based on a majority vote to reduce the impact of clock faults.
The document U.S. Pat. No. 7,594,150 B2 discloses a method for operating a flip-flop that is tolerant to crosstalk faults by sampling the input data multiple times before and after the active clock edge. The final stored value at the flip-flop is determined by the resolution of a counter circuit residing in the flip-flop, which is activated on a change of the sampled input data.
The document U.S. Pat. No. 7,428,694 B2 discloses a logic circuit comprising a logic module comprising a functional synchronous flip-flop receiving a functional result comprising several bits in parallel, and supplying a synchronous result. A module for checking the integrity of the functional flip-flop includes a first coding block receiving the functional result and supplying a first code, a second coding block receiving the synchronous result and supplying a second code, a checking synchronous flip-flop receiving the first code and supplying a third code, and a comparator for comparing the second code with the third code and for supplying a first error signal.
There is, however, a need for improved solutions that are not only able to preserve data integrity of a storage element by redundant processing of the data, but are also able to verify the correct storage function of the storage element in combination with observing the involved clock tree.