For manufacturers and suppliers of equipment, the International Electrotechnical Commission has established the IEC61508 standard, “Functional safety of electrical/electronic/programmable electronic safety-related systems”, as the international functional safety standard.
For functional safety systems in specific industrial applications, derivative standards adapted to those applications have been established. For example, for safety instrumentation systems, the process application standard IEC61511 has been established for designers, integrators, and users of such systems.
These standards assess safety over the life cycle of a system, from design through maintenance to disposal, and establish the Safety Integrity Level (SIL), the required level of risk reduction, as a quantitative assessment measure.
Against this background, safety instrumentation systems call for clock diagnosis in order to improve the safety and reliability of the system. That is, to prevent the system from entering an abnormal state caused by the malfunction of a clock-driven circuit, such as a CPU or an FPGA used in a controller, the clock in use needs to be diagnosed.
A clock malfunction is caused by a random failure of the clock oscillator circuit, a voltage variation in the power source that supplies the clock circuit, a change in the ambient temperature of the clock circuit, and so on. For this reason, it is necessary to monitor the clock during system operation and detect an abnormal clock.
Two methods are generally known: one detects a clock malfunction by comparing two clock signals (see, for example, JP, P2008-191924A), and the other delays a clock signal by one clock cycle and compares the waveform of the clock signal at the preceding clock cycle with the waveform of the present clock signal (see, for example, JP, P1998-240374A).
In the above-described JP, P2008-191924A, the clocks in two redundant systems are diagnosed by comparing the clocks of the two systems with each other. Because this method requires two clocks, it cannot be applied to a system in which only a single clock signal is used.
In the above-described JP, P1998-240374A, a clock signal is delayed by one clock cycle, and the waveform of the clock signal at the preceding clock cycle is compared with the waveform of the present clock signal. A malfunction can therefore be detected if the variation in the clock cycle and clock pulse width is large during two consecutive clock cycles. However, this method cannot detect a slow variation that occurs with a period of not less than two clock cycles.
For example, when the variation between adjacent clock cycles is slight and accumulates gradually, it is difficult to detect such a malfunction. Here, such a malfunction is called “a cumulative variation in a clock”.
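The blind spot described above, as an added simulation that is not taken from the original text or the cited publications: a comparator that checks each cycle only against the preceding one flags an abrupt period jump, but stays silent while a small per-cycle drift accumulates to many times the tolerance. The nominal period, the tolerance, and both fault traces are constructed assumptions.

```python
# Added illustration; all numbers are constructed assumptions, in picoseconds.
NOMINAL_PS = 100_000    # assumed nominal clock period (10 MHz)
TOLERANCE_PS = 2_000    # assumed tolerance of the adjacent-cycle comparator


def adjacent_cycle_alarms(periods, tol=TOLERANCE_PS):
    """Model of the one-cycle-delay comparison: return the indices of cycles
    whose period differs from the preceding cycle by more than tol."""
    return [i for i in range(1, len(periods))
            if abs(periods[i] - periods[i - 1]) > tol]


def accumulated_deviation(periods):
    """Total change in period between the first and the last observed cycle."""
    return periods[-1] - periods[0]


def abrupt_fault(n=200, at=100, jump=10_000):
    """Constructed trace: the period jumps by `jump` ps at cycle `at`."""
    return [NOMINAL_PS + (jump if i >= at else 0) for i in range(n)]


def cumulative_fault(n=200, step=100):
    """Constructed trace: the period grows by `step` ps on every cycle."""
    return [NOMINAL_PS + i * step for i in range(n)]


def report(name, periods):
    """Print and return the comparator alarms and the accumulated deviation."""
    alarms = adjacent_cycle_alarms(periods)
    drift = accumulated_deviation(periods)
    print(f"{name:<11} alarms={alarms} accumulated={drift} ps "
          f"({drift / TOLERANCE_PS:.1f}x tolerance)")
    return alarms, drift


if __name__ == "__main__":
    report("abrupt", abrupt_fault())          # one alarm at the jump
    report("cumulative", cumulative_fault())  # no alarm despite larger drift
```

In the cumulative trace every adjacent pair differs by only 100 ps, well inside the assumed 2,000 ps tolerance, yet the period ends up further from its starting value than in the abrupt trace that does raise an alarm.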