Schematically shown in FIG. 1 is a plot of an idealized clock signal 100. The clock signal 100 is presented, by way of example, as an electrical voltage V varying as a function of time t. More generally, the clock signal is the time-dependence of a physical quantity. For example, the clock signal could be provided optically by a variation of an intensity of light. The signal V(t) shown here is a regular succession of low and high values, V0 and V1, respectively. The low values last a time T0, the high values last a time T1. In the example shown, T0 and T1 are equal, but other ratios are also commonly used in the art. Transitions from the low value V0 to the high value V1 are referred to as rising edges. In the example, rising edges occur at equidistant times t1, t3, and t5. Transitions from the high value V1 to the low value V0 are termed falling edges. In the example, falling edges occur at equidistant times t0, t2, and t4. Rising edges and falling edges are summarily referred to as clock edges.
A synchronous circuit generally relies on the presence of a clock signal similar to the one illustrated in the Figure. Operations to be performed by the components of the circuit are triggered by clock edges, for example, only by rising edges, or only by falling edges, or by both falling and rising edges. After an operation has been performed, the component waits for the next edge before executing the next operation. The various components can thus be synchronized. This is necessary because an operation to be executed by a component requires time during which the data put into the component must not change. Synchronization is used, for example, in state-of-the-art systems to keep input values of components unchanged until the components have computed the corresponding output values. In the art, the term “synchronous circuit” is used for this. Any component thus controlled by the clock signal is said to be clocked by the clock signal. In this application, those edges which during standard operation trigger an operation of the synchronous circuit are referred to as triggering edges. In most synchronous circuits, the triggering edges are either rising edges or falling edges. However, in the case of a synchronous circuit operating at double data rate both rising and falling edges are triggering edges. More complicated schemes, in which only certain rising edges and/or only certain falling edges are triggering edges, may also be devised. Throughout this application, the time between two correctly timed consecutive triggering edges is referred to as the trigger period. In a double data rate scheme each clock period comprises two trigger periods. A synchronous circuit generally comprises flip-flops, or other digital components, which are interconnected by so-called paths.
The paths typically comprise signal lines and combinatorial logical components which implement an operation (function) to be performed within one trigger period or, in the case of so-called multicycle paths, within multiple trigger periods. In a circuit containing multicycle paths, certain operations can last more than one cycle. The paths may have different lengths, corresponding to different propagation times. The longest single-cycle paths are typically referred to as critical paths. The critical paths define a shortest acceptable trigger period of the circuit.
A problem may arise if an edge in the clock signal is generated early, late, or unexpectedly. Less critical are cases where the interval between two subsequent triggering edges is longer than usual, for example, due to a stall of the device generating the clock signal. In contrast, functional errors may occur if either T0 or T1 (or both) are shorter than expected. These are typical examples of clock glitches. Clock glitches can be caused by, for example, crosstalk, electromagnetic interference, or particle impact. In the event of a clock glitch, components of the synchronous circuit may still be busy with an operation when receiving a triggering edge and therefore that triggering edge will either not trigger an action or trigger a faulty action. In FIG. 2, the time T0″ is shorter than expected. In FIG. 3, the time T1′ is shorter than expected. The dashed lines in FIG. 2 illustrate an example of an “insertion glitch”, where an additional falling edge (at time t6″) and an additional rising edge (at time t7″) occur without affecting the clock signal at later times, i.e., without causing a phase shift in the clock signal.
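As an added illustration (not part of the original application text), the following Python models the clock of FIG. 1 as a recorded sequence of (time, edge kind) pairs and checks it for the shortened low/high phases of FIGS. 2 and 3 and for an insertion glitch, using the triggering-edge and trigger-period definitions given above; the record format, timing values and tolerance are assumptions.

```python
# Added example: offline check of a recorded clock-edge sequence for glitches.
# Edge records are (time, kind) pairs; times are in arbitrary units.

RISING, FALLING = "rising", "falling"

# Constructed records modelled on FIG. 1 (T0 = T1 = 5), on FIG. 2 (one low phase
# T0'' shortened to 2) and on an insertion glitch (extra falling/rising pair at
# 7 and 8 that leaves the later edges at 10 and 15 on their nominal times).
NOMINAL_EDGES = [(0, FALLING), (5, RISING), (10, FALLING), (15, RISING),
                 (20, FALLING), (25, RISING)]
SHORT_T0_EDGES = [(0, FALLING), (5, RISING), (10, FALLING), (12, RISING),
                  (17, FALLING), (22, RISING)]
INSERTION_EDGES = [(0, FALLING), (5, RISING), (7, FALLING), (8, RISING),
                   (10, FALLING), (15, RISING)]


def phase_violations(edges, t0, t1, tolerance=0.1):
    """Report low phases shorter than T0 and high phases shorter than T1.

    A falling edge followed by a rising edge bounds a low phase (T0); a rising
    edge followed by a falling edge bounds a high phase (T1). Longer-than-usual
    phases (e.g. a stalled clock source) are not flagged, only shortened ones.
    """
    found = []
    for (t_a, kind_a), (t_b, kind_b) in zip(edges, edges[1:]):
        if (kind_a, kind_b) == (FALLING, RISING):
            phase, expected = "T0", t0
        elif (kind_a, kind_b) == (RISING, FALLING):
            phase, expected = "T1", t1
        else:
            continue  # two equal edge kinds in a row: not a phase
        duration = t_b - t_a
        if duration < expected * (1 - tolerance):
            found.append({"phase": phase, "start": t_a, "end": t_b,
                          "duration": duration})
    return found


def trigger_periods(edges, triggering):
    """Intervals between consecutive triggering edges.

    `triggering` is {RISING}, {FALLING}, or {RISING, FALLING} for double data rate.
    """
    times = [t for t, kind in edges if kind in triggering]
    return [b - a for a, b in zip(times, times[1:])]


def trigger_period_violations(edges, triggering, min_period):
    """Trigger periods shorter than the minimum set by the critical paths."""
    return [p for p in trigger_periods(edges, triggering) if p < min_period]
```

For the insertion record, both rising-only and falling-only checks flag two short trigger periods, while the double-data-rate check flags three, matching the observation that each clock period then holds two trigger periods.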
In order to achieve a high ratio of detected faults versus occurring faults, safety related systems often employ redundancy, e.g. by replicating a part of their hardware and comparing the results of the copies. In order to save costs, newer approaches usually no longer replicate the hardware in several packages or dies but on a single chip. An example of this is the MPC564xL project, which replicates the CPU core, interrupt controller, bus, memory controllers, and some other components in two so-called lakes within its so-called sphere of replication (SoR). A problem with replication on a single chip is the existence of common cause failures (CCF), where one fault within the system can influence all replicas. This defeats the approach of replicated hardware. Since the copies behave identically in the case of a CCF, such failures in general cannot be detected by comparing the results of different replicas. Glitches on the clock network are an example of such CCFs. One glitch, caused by e.g. electromagnetic interference or neutron impact, can propagate into both lakes and cause wrong results there due to violation of setup and/or hold times or by not allowing the logic function to be correctly completed before the next edge arrives.
Clock glitches are a prominent root cause for many functional errors of an electronic device. For safety related applications, detecting clock glitches is of special importance, since many CCFs are either generated by clock glitches or will also result in clock glitches. Detection allows taking measures to prevent further propagation of fault effects which could lead to more dangerous system failures.