US20170053710A1 - Storage element with storage and clock tree monitoring circuit and methods therefor - Google Patents

Publication number
US20170053710A1
Authority
US
United States
Prior art keywords
storage element
state information
data
information storage
clock
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
US15/104,809
Other versions
US9589637B1 (en
Inventor
Michael Rohleder
Thomas Koch
Harald Luepken
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
NXP USA Inc
Original Assignee
NXP BV
NXP USA Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by NXP BV, NXP USA Inc
Assigned to FREESCALE SEMICONDUCTOR, INC. reassignment FREESCALE SEMICONDUCTOR, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: KOCH, THOMAS, LUEPKEN, Harald, ROHLEDER, MICHAEL
Assigned to NXP, B.V., F/K/A FREESCALE SEMICONDUCTOR, INC. reassignment NXP, B.V., F/K/A FREESCALE SEMICONDUCTOR, INC. RELEASE BY SECURED PARTY (SEE DOCUMENT FOR DETAILS). Assignors: MORGAN STANLEY SENIOR FUNDING, INC.
Assigned to NXP B.V. reassignment NXP B.V. RELEASE BY SECURED PARTY (SEE DOCUMENT FOR DETAILS). Assignors: MORGAN STANLEY SENIOR FUNDING, INC.
Assigned to NXP USA, INC. reassignment NXP USA, INC. CHANGE OF NAME (SEE DOCUMENT FOR DETAILS). Assignors: FREESCALE SEMICONDUCTOR INC.
Assigned to NXP USA, INC. reassignment NXP USA, INC. CORRECTIVE ASSIGNMENT TO CORRECT THE NATURE OF CONVEYANCE PREVIOUSLY RECORDED AT REEL: 040626 FRAME: 0683. ASSIGNOR(S) HEREBY CONFIRMS THE MERGER AND CHANGE OF NAME EFFECTIVE NOVEMBER 7, 2016. Assignors: NXP SEMICONDUCTORS USA, INC. (MERGED INTO), FREESCALE SEMICONDUCTOR, INC. (UNDER)
Publication of US20170053710A1
Publication of US9589637B1
Application granted
Assigned to NXP B.V. reassignment NXP B.V. CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE APPLICATION 11759915 AND REPLACE IT WITH APPLICATION 11759935 PREVIOUSLY RECORDED ON REEL 040928 FRAME 0001. ASSIGNOR(S) HEREBY CONFIRMS THE RELEASE OF SECURITY INTEREST. Assignors: MORGAN STANLEY SENIOR FUNDING, INC.
Assigned to NXP, B.V. F/K/A FREESCALE SEMICONDUCTOR, INC. reassignment NXP, B.V. F/K/A FREESCALE SEMICONDUCTOR, INC. CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE APPLICATION 11759915 AND REPLACE IT WITH APPLICATION 11759935 PREVIOUSLY RECORDED ON REEL 040925 FRAME 0001. ASSIGNOR(S) HEREBY CONFIRMS THE RELEASE OF SECURITY INTEREST. Assignors: MORGAN STANLEY SENIOR FUNDING, INC.
Expired - Fee Related
Anticipated expiration

Classifications

    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11CSTATIC STORES
    • G11C14/00Digital stores characterised by arrangements of cells having volatile and non-volatile storage properties for back-up when the power is down
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F1/00Details not covered by groups G06F3/00 - G06F13/00 and G06F21/00
    • G06F1/04Generating or distributing clock signals or signals derived directly therefrom
    • G06F1/10Distribution of clock signals, e.g. skew
    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11CSTATIC STORES
    • G11C29/00Checking stores for correct operation ; Subsequent repair; Testing stores during standby or offline operation
    • G11C29/02Detection or location of defective auxiliary circuits, e.g. defective refresh counters
    • G11C29/023Detection or location of defective auxiliary circuits, e.g. defective refresh counters in clock generator or timing circuitry
    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11CSTATIC STORES
    • G11C29/00Checking stores for correct operation ; Subsequent repair; Testing stores during standby or offline operation
    • G11C29/04Detection or location of defective memory elements, e.g. cell construction details, timing of test signals
    • G11C29/08Functional testing, e.g. testing during refresh, power-on self testing [POST] or distributed testing
    • G11C29/12Built-in arrangements for testing, e.g. built-in self testing [BIST] or interconnection details
    • G11C29/1201Built-in arrangements for testing, e.g. built-in self testing [BIST] or interconnection details comprising I/O circuitry
    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11CSTATIC STORES
    • G11C29/00Checking stores for correct operation ; Subsequent repair; Testing stores during standby or offline operation
    • G11C29/04Detection or location of defective memory elements, e.g. cell construction details, timing of test signals
    • G11C29/08Functional testing, e.g. testing during refresh, power-on self testing [POST] or distributed testing
    • G11C29/12Built-in arrangements for testing, e.g. built-in self testing [BIST] or interconnection details
    • G11C29/12015Built-in arrangements for testing, e.g. built-in self testing [BIST] or interconnection details comprising clock generation or timing circuitry
    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11CSTATIC STORES
    • G11C29/00Checking stores for correct operation ; Subsequent repair; Testing stores during standby or offline operation
    • G11C29/04Detection or location of defective memory elements, e.g. cell construction details, timing of test signals
    • G11C29/08Functional testing, e.g. testing during refresh, power-on self testing [POST] or distributed testing
    • G11C29/12Built-in arrangements for testing, e.g. built-in self testing [BIST] or interconnection details
    • G11C29/44Indication or identification of errors, e.g. for repair
    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11CSTATIC STORES
    • G11C29/00Checking stores for correct operation ; Subsequent repair; Testing stores during standby or offline operation
    • G11C29/04Detection or location of defective memory elements, e.g. cell construction details, timing of test signals
    • G11C29/50Marginal testing, e.g. race, voltage or current testing
    • G11C29/50012Marginal testing, e.g. race, voltage or current testing of timing
    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11CSTATIC STORES
    • G11C7/00Arrangements for writing information into, or reading information out from, a digital store
    • G11C7/10Input/output [I/O] data interface arrangements, e.g. I/O data control circuits, I/O data buffers
    • HELECTRICITY
    • H03ELECTRONIC CIRCUITRY
    • H03KPULSE TECHNIQUE
    • H03K3/00Circuits for generating electric pulses; Monostable, bistable or multistable circuits
    • H03K3/02Generators characterised by the type of circuit or by the means used for producing pulses
    • H03K3/027Generators characterised by the type of circuit or by the means used for producing pulses by the use of logic circuits, with internal or external positive feedback
    • H03K3/037Bistable circuits
    • H03K3/0375Bistable circuits provided with means for increasing reliability; for protection; for ensuring a predetermined initial state when the supply voltage has been applied; for storing the actual state when the supply voltage fails
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F30/00Computer-aided design [CAD]
    • G06F30/30Circuit design
    • G06F30/39Circuit design at the physical level
    • G06F30/396Clock trees
    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11CSTATIC STORES
    • G11C29/00Checking stores for correct operation ; Subsequent repair; Testing stores during standby or offline operation
    • G11C29/04Detection or location of defective memory elements, e.g. cell construction details, timing of test signals
    • G11C29/08Functional testing, e.g. testing during refresh, power-on self testing [POST] or distributed testing
    • G11C29/12Built-in arrangements for testing, e.g. built-in self testing [BIST] or interconnection details
    • G11C2029/4402Internal storage of test result, quality data, chip identification, repair information
    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11CSTATIC STORES
    • G11C29/00Checking stores for correct operation ; Subsequent repair; Testing stores during standby or offline operation
    • G11C29/70Masking faults in memories by using spares or by reconfiguring
    • G11C29/74Masking faults in memories by using spares or by reconfiguring using duplex memories, i.e. using dual copies

Definitions

  • This invention relates to a storage element with a storage and clock tree monitoring circuit and methods therefor, in particular for monitoring flip-flops or latches.
  • clock monitors are employed that observe the related clock signals (which is only possible for the common clock path between the observed storage element(s) and the observer element), but do not check that the main feature of those storage elements, i.e. the storage function, has not been compromised.
  • FIG. 9 schematically depicts the viewpoint of a safety specification on the left hand side.
  • a safety specification usually reflects the intention that the complete wire from the clock source 1001 to the flip-flop 1002 being part of a safety function is being observed using an observer 1005 .
  • the reality implemented within a semiconductor device is impacted by the need to distribute the clock signal from its single source 1001 to multiple (sometimes several thousands) flip-flops 1002 ; this requires several levels of clock buffers 1007 (which are named “clock tree”) to provide the required drive strength to the clock ports of all those flip-flops.
  • the clock buffers used can only drive a limited amount of subsequent elements.
  • the required routing of the corresponding clock wires 1003 over the semiconductor device results in the ability to only observe a portion of the clock wires (the common portion 1004 of the path from the clock source to the observed flip-flop 1002 and a clock observer 1005 ). A possibly very large portion 1006 of the remaining path may not be observed at all.
  • TVP Triple Voting Flop
  • Providing the capability to detect (or even correct) such incidents while also detecting failures of a storage element with respect to a compromised clock avoids the need for traditional clock observers and provides a higher coverage of the involved clock signals, due to the complete coverage of the involved sub-tree of the clock tree. It also enables a significantly increased coverage of the clock driving this clock tree, as well as the detection of incidents caused by a compromised clock.
  • WO 87/07793 A1 discloses a standard triple modular redundancy scheme based on a majority vote to reduce the impact of clock faults.
  • U.S. Pat. No. 7,428,694 B2 discloses a logic circuit comprising a logic module comprising a functional synchronous flip-flop receiving a functional result comprising several bits in parallel, and supplying a synchronous result.
  • a module for checking the integrity of the functional flip-flop includes a first coding block receiving the functional result and supplying a first code, a second coding block receiving the synchronous result and supplying a second code, a checking synchronous flip-flop receiving the first code and supplying a third code, and a comparator for comparing the second code with the third code and for supplying a first error signal.
  • the present invention provides a storage element with clock tree and storage monitoring circuit, a method for monitoring a storage element and a method for monitoring the related clock tree as described in the accompanying claims.
  • the correct functioning of a state information storage element is monitored by observing the data at the data input interface and the data at the output terminal in order to check whether the monitored state information storage element should have performed a state change, by recording the previous state of the monitored state information storage element, and by observing the data at the output terminal of the monitored state information storage element and the recorded previous state of the monitored state information storage element in order to determine whether the result of this observation is in line with whether the state should have changed or not.
  • the phrase “in line with” may be understood in that the state change of the state information (recorded in the state information storage element) and the state change of the previous state information (recorded in the previous state information storage element) corresponds to each other with respect to one clock period and one storage cycle, respectively.
  • the previous state information storage element is provided to record the previous state information of the state information storage element when new state information is recorded in the state information storage element.
  • FIG. 1 schematically shows an exemplary embodiment of a storage element with monitoring circuit.
  • FIG. 2 schematically shows another exemplary embodiment of a storage element with monitoring circuit.
  • FIG. 3 schematically shows yet another exemplary embodiment of a storage element with monitoring circuit.
  • FIG. 4 schematically shows yet another exemplary embodiment of a storage element with monitoring circuit.
  • FIG. 5 schematically illustrates an exemplary clock tree.
  • FIG. 5 a schematically illustrates some subtrees of an exemplary clock tree.
  • FIG. 6 schematically illustrates an exemplary clock tree with storage elements distributed among its subtrees.
  • FIG. 7 schematically shows an exemplary embodiment of a method for monitoring a storage element.
  • FIG. 8 schematically shows an exemplary embodiment of a method for detecting a failure in a clock tree.
  • FIG. 9 schematically depicts an environment of a monitored clock tree with storage elements.
  • FIG. 1 schematically illustrates a storage element with monitoring circuit 10 .
  • the circuit 10 comprises a data input interface DIN, a data output interface DOUT, a clock signal input interface CLK, and a storage fault indicator interface SF.
  • data items d are input to a state information storage element Q 0 under monitoring.
  • the state information storage element Q 0 is fed with a clock c from the clock signal input interface CLK at a respective clock input terminal coupled to the clock signal input interface CLK.
  • a data input terminal of the state information storage element Q 0 is coupled to the data input interface DIN.
  • Data processed by the state information storage element Q 0 is output at a data output terminal as data output d 0 .
  • the data output d 0 is input to a data input terminal of a state information storage element Q 2 that is configured to record the previous state of the monitored state information storage element Q 0 . Since the state information storage element Q 2 has a clock input terminal coupled to the clock signal input interface CLK and being clocked with the same clock c as the state information storage element Q 0 , the data output d 2 at an output terminal of the previous state information storage element Q 2 resembles the state of the state information storage element Q 0 delayed by one clock period or storage cycle.
  • a state change indication unit CIU which has a clock input terminal coupled to the clock signal input interface CLK and being clocked with the same clock c as the state information storage element Q 0 and the state information storage element Q 2 , observes the data input d and the data output d 0 of the state information storage element Q 0 and compares the two detected states.
  • the state change indication unit CIU is configured to generate a state change indicator x 0 indicative of whether the monitored state information storage element Q 0 shall have performed a state change.
  • the state change indicator x 0 is fed to an input terminal of a state change confirmation unit CCU coupled to the state change indication unit CIU.
  • the state change confirmation unit CCU observes the data d 0 at the output terminal of the monitored state information storage element Q 0 and the data d 2 at the output terminal of the previous state information storage element Q 2 .
  • the state change confirmation unit CCU is configured to generate a storage fault indicator x 3 at the storage fault indicator interface SF.
  • the storage element with monitoring circuit 10 may further comprise a data fault unit DFU that includes a clock input terminal coupled to the clock signal input interface CLK, a first data input terminal coupled to the data input interface DIN, and a second data input terminal coupled to the data output terminal of the monitored state information storage element Q 0 .
  • the data fault unit DFU is configured to generate a data fault indicator x 2 at a data fault indicator interface DF when the data recorded by the monitored state information storage element Q 0 does not match a redundant copy of this data within the data fault unit DFU.
  • the data fault detection and correction unit DFCU may be implemented instead of the data fault unit DFU, the data fault detection and correction unit DFCU having a clock input terminal coupled to the clock signal input interface CLK, a first data input terminal coupled to the data input interface DIN, and a second data input terminal coupled to the data output terminal of the monitored state information storage element Q 0 .
  • the data fault detection and correction unit DFCU may further receive the storage fault indicator x 3 at a third input terminal connected to the storage fault indicator interface SF.
  • the data fault detection and correction unit DFCU may be configured to generate a data fault indicator x 2 at the data fault indicator interface DF when the data recorded by the monitored state information storage element Q 0 does not match a redundant copy of this data within the data fault detection and correction unit DFCU.
  • the data fault detection and correction unit DFCU may select an appropriately corrected data output to be output at the data output interface DOUT either from the data output terminal of the monitored state information storage element Q 0 or a redundant copy of this data. For example, if neither the storage fault indicator x 3 nor the data fault indicator x 2 indicates a failure, or if only the data fault indicator x 2 indicates a failure, the actual output of the monitored state information storage element Q 0 may be selected for output at the data output interface DOUT.
  • the data fault detection and correction unit DFCU may select the output of the redundant copy of the data d input at the monitored state information storage element Q 0 as data output instead.
  • FIG. 3 schematically illustrates a more detailed diagram of the storage element with monitoring circuit 10 according to an exemplary variant of FIG. 1 or 2 .
  • the state change indication unit CIU may comprise a first comparison element C 0 that has a first input terminal coupled to the data input interface DIN and a second input terminal coupled to the data output terminal of the monitored state information storage element Q 0 .
  • a state change indication is input to a change indicator storage element Q 3 that is clocked by the clock c at its clock input terminal which is coupled to the clock signal input interface CLK.
  • the output terminal of the change indicator storage element Q 3 may issue the state change indicator x 0 at its output terminal in sync with the clock c.
  • the state change confirmation unit CCU may for example comprise a second comparison element C 1 with a first input terminal coupled to the data output terminal of the monitored state information storage element Q 0 , and a second input terminal coupled to the data output terminal of the previous state information storage element Q 2 . Similar to the operation of the first comparison element C 0 , the second comparison element C 1 compares the recorded state information of the monitored state information storage element Q 0 and the recorded state information at the previous state information storage element Q 2 in order to generate an output x 1 indicative of whether the monitored state information storage element Q 0 has changed its state.
  • a storage check unit C 3 is coupled to the output of the second comparison element C 1 and the change indicator storage element Q 3 of the state change indication unit CIU in order to generate a storage fault indicator SF dependent on the state change indicator x 0 and the output x 1 of the second comparison element C 1 .
  • the state change indicator x 0 indicates whether a state change shall have occurred at the monitored state information storage element Q 0 .
  • the output x 1 of the second comparison element C 1 indicates whether the monitored state information storage element Q 0 has performed a state change. If these indications are equivalent, this means that the monitored state information storage element Q 0 has correctly stored data d provided at its data input terminal.
  • the storage check unit C 3 is able to issue a storage fault indicator x 3 at the storage fault indicator interface SF which is indicative of whether or not the monitored state information storage element Q 0 correctly stored data provided at its data input terminal.
  • FIG. 3 shows a storage element with monitoring circuit 10 according to FIG. 2 where a data fault unit DFU is implemented.
  • the data fault unit DFU of FIG. 3 includes a redundant state information storage element Q 1 that is clocked with the clock c at a clock input terminal coupled to the clock input signal interface CLK.
  • the redundant state information storage element Q 1 has further a data input terminal coupled to the data input interface DIN so that the redundant state information storage element Q 1 may provide a redundant copy d 1 of the data recorded by the monitored state information storage element Q 0 .
  • a third comparison element C 2 is configured to compare the data output d 0 of the monitored state information storage element Q 0 with the data output d 1 of the redundant state information storage element Q 1 .
  • FIG. 4 schematically illustrates another variant of the storage element with monitoring circuit 10 with a data fault detection and correction unit DFCU being embodied.
  • the circuit 10 of FIG. 4 differs from the circuit 10 of FIG. 3 mainly in that the data fault detection and correction unit DFCU further comprises a data selection unit DSU connected to the outputs of the monitored state information storage element Q 0 and the redundant state information storage element Q 1 .
  • the data selection unit DSU may be configured to select the appropriate output of one of the storage elements Q 0 and Q 1 depending on whether and what kind of fault has been detected.
  • the data selection unit DSU may select one of the original data output d 0 of the monitored state information storage element Q 0 and the data output d 1 output by the redundant state information storage element Q 1 , dependent on the storage fault indicator x 3 and the data fault indicator x 2 . This may for example be done in a two-step selection stage which firstly considers whether a storage fault has occurred in a first selection unit S 1 and secondly considers whether a data fault has occurred in a second selection unit S 2 .
  • the selection units S 1 and S 2 are exemplarily illustrated as multiplexers, however, any similar logic or selectors may be chosen as well.
  • the original data output d 0 of the monitored state information storage element Q 0 may be output at the data output interface DOUT. In all other cases, it is relied upon the data output of the redundant state information storage element Q 1 as being the correct data output.
  • each of the storage elements Q 0 , Q 1 , Q 2 and Q 3 is implemented as flip-flop and described in relationship to the behaviour of flip-flops with clock inputs. Anybody skilled in the art will recognize that the same functionality can also be implemented with other storage elements, e.g. latches, which will show a slightly different behaviour with respect to their latch enable input.
  • the circuits 10 as illustrated and explained in FIGS. 1 to 4 may be implemented within an integrated circuit.
  • Such an integrated circuit may comprise at least one of the afore-mentioned circuits 10 .
  • such an integrated circuit may include at least one clock root CR that is driving the clock input terminal of multiple clock subtrees CS 1 to CSn.
  • Each clock subtree may comprise a chain of one or more buffer elements B, Bi, Bij, . . . that route the clock from the clock root through the branches of the clock tree CT to at least one of the storage elements FFi.
  • the buffers B, B 1 , and B 12 are driving the clock input terminal of FF 1 .
  • any of the clock subtrees CSi may itself be considered a clock tree CTi, with the corresponding driving buffer B being the clock root CR of this clock tree CTi.
  • these clock subtrees are recursively defined as (CSi, CSi+1, . . . , CSk), with the buffer driving the clock subtree CSi being itself the clock root of the clock subtrees CSi+1, with this definition recursively applied to all its clock subtrees until the final set of clock subtrees CSk.
  • Storage elements FF 1 and FFn may be considered as being placed in one of the clock subtrees, if the clock provided to the storage elements is routed through the respective clock subtree CS 1 and CSn.
  • the clock subtree CS 1 originates from the root buffer B 1
  • the clock subtree CSn originates from the root buffer Bn.
  • the number of clock subtrees n is generally not limited.
  • each of the clock subtrees may be hierarchically divided into further sub-subtrees, not explicitly shown in FIG. 5 for reasons of clarity.
  • FIG. 5 a illustrates this recursive definition on the example of two different clock subtrees (CS 1 , CS 3 , CS 2 ) and (CSn) for two storage elements, FFj and FFk respectively.
  • a set of storage elements comprising at least the monitored state information storage element Q 0 , the change indicator storage element Q 3 and the previous state information storage element Q 2 of a first one of the circuits 10 of the integrated circuit may be either directly or indirectly driven by the clock root CR. As illustrated in FIG. 6 , the set of storage elements may be divided according to a predetermined arrangement with respect to the clock subtrees.
  • the change indicator storage element Q 3 of the first one of the circuits 10 is arranged in a different clock subtree (CSn) than the clock subtree (CS 1 , CS 2 ) driving the clock input terminal of the monitored state information storage element Q 0 of the first one of the circuits 10 .
  • the previous state information storage element Q 2 of the first one of circuits 10 is arranged in a different clock signal subtree (CS 1 , CS 4 ) than the clock signal subtree driving the clock input terminal of the respective change indicator storage element Q 3 .
  • the clock root (CS 1 ) for both storage elements Q 0 and Q 2 differs from the clock root (CSn) for the storage element Q 3
  • the clock tree for the storage elements Q 0 and Q 2 differs not with respect to its clock root CS 1 , but with respect to its subtrees driven by different clock roots (CS 1 , CS 2 ) and (CS 1 , CS 4 ).
  • the monitored state information storage element Q 0 and the previous state information storage element Q 2 may be implemented in the clock subtree CS 1 , whereas the change indicator storage element Q 3 may be implemented in the clock subtree CSn.
  • the redundant state information storage element Q 1 may be implemented in a clock subtree different to the clock signal subtree driving the clock input terminal of the monitored state information storage element Q 0 and/or the previous state information storage element Q 2 , for example in the clock subtree of the change indicator storage element Q 3 .
  • the failure may be located at the previous state information storage element Q 2 or the change indicator storage element Q 3 , depending on the state of the change indicator storage element Q 3 . This way, a whole clock tree CT may be monitored for clock failures with the circuit 10 in operation.
  • FIG. 7 schematically illustrates a method M 0 for monitoring a storage element with its monitoring circuits with respect to a clock signal c; for example by describing the operations before and after the clock active edge as well as the operations triggered by the clock edge.
  • a positive clock edge is assumed to trigger the storage of information.
  • the method M 0 comprises at M 01 feeding a monitored state information storage element Q 0 with state information d from a data input interface DIN clocked with a clock signal CLK, at M 02 a , detecting whether the current state information d 0 of the monitored state information storage element Q 0 is different from the state information d, followed by, at M 02 b , feeding the indicator for this difference to the change indicator storage element Q 3 and thus generating a state change indicator x 0 based on the detection result.
  • a previous state information storage element Q 2 is fed with state information output d 0 from the monitored state information storage element Q 0 .
  • the method M 0 comprises, at M 04 a , detecting whether the current state information d 0 of the monitored state information storage element Q 0 is different from the previous state information d 2 from the previous state information storage element Q 2 , followed by, at M 04 b , generating a storage fault indicator SF based on comparison of the detection result and the state change indicator x 0 .
  • the current state information d 0 of the monitored state information storage element Q 0 is compared with the current state information d 1 of the redundant state information storage element Q 1 .
  • a data fault indicator DF may optionally be generated, if the data output d 0 of the monitored state information storage element Q 0 and the data output d 1 of the redundant state information storage element Q 1 are not equivalent.
  • FIG. 8 schematically illustrates a method M 1 for detecting a clock failure in a clock tree, for example the clock tree CT in FIGS. 5 and 6 used within an integrated circuit having a storage element with monitoring circuit as shown and explained in conjunction with FIGS. 1 to 4 .
  • the method M 1 comprises at M 11 a determination if a failure is present in the monitored state information storage element Q 0 .
  • at M 12 it may be determined whether a failure is present in the previous state information storage element Q 2 .
  • at M 13 it is determined whether a failure is present in the change indicator storage element Q 3 .
  • the determined failure indications of M 11 to M 13 may then be used at M 14 to determine a faulty clock signal of the clock tree CT depending on a combination of the determined failure indications.
  • connections may be a type of connection suitable to transfer signals from or to the respective nodes, units or devices, for example via intermediate devices. Accordingly, unless implied or stated otherwise the connections may for example be direct connections or indirect connections.
  • assert or “set” and “negate” (or “deassert” or “clear”) are used herein when referring to the rendering of a signal, status bit, or similar apparatus into its logically true or logically false state, respectively. If the logically true state is a logic level one, the logically false state is a logic level zero. Conversely, if the logically true state is a logic level zero, the logically false state is a logic level one. It will be apparent to the skilled person in the field that the exemplarily depicted logic components and units in the figures may equally be implemented by inverse logic components and units being fed with respectively inverse logic signals or status bits.
  • any two components herein combined to achieve a particular functionality can be seen as “associated with” each other such that the desired functionality is achieved, irrespective of architectures or intermediate components.
  • any two components so associated can also be viewed as being “operably connected,” or “operably coupled,” to each other to achieve the desired functionality.
  • the invention is not limited to physical devices or units implemented in non-programmable hardware but can also be applied in programmable devices or units able to perform the desired device functions by operating in accordance with suitable program code.
  • the devices may be physically distributed over a number of apparatuses, while functionally operating as a single device.
  • Devices functionally forming separate devices may be integrated in a single physical device.

Abstract

A storage element with monitoring circuit, comprising a previous state information storage element configured to record a previous state of a monitored state information storage element, a state change indication unit having a clock input terminal coupled to the clock signal input interface, a state change indication unit being configured to generate a state change indication signal indicative of whether the monitored state information storage element shall have performed a state change by observing the data at a data input interface and a data output terminal, and a state change confirmation unit configured to generate a storage fault indicator by observing the data output terminal of the monitored state information storage element and the data output of the previous state information storage element and checking whether the result of this observation is in line with the state change indicator.

Description

    FIELD OF THE INVENTION
  • This invention relates to a storage element with a storage and clock tree monitoring circuit and methods therefor, in particular for monitoring flip-flops or latches.
    BACKGROUND OF THE INVENTION
  • The correct behaviour of storage elements like flip-flops or latches depends on a clock (or latch enable signal as the corresponding signal is named in case of a latch) being reliably provided at their respective clock input terminal. A failure to provide a valid clock or a compromised clock signal may result in invalid behaviour of the flip-flop, e.g. unintended overwriting of its value, storing an incorrect value or no storage at all. This may cause faults in subsequent logic components relying on the output of the flip-flop in question, thus putting the system at risk of device failures. Therefore, especially for safety critical applications, it is desirable to monitor the provision of clock signals to flip-flops in order to identify possible clock or storage issues. In many cases, clock monitors are employed that observe the related clock signals (which is only possible for the common clock path between the observed storage element(s) and the observer element), but do not check that the main feature of those storage elements, i.e. the storage function, has not been compromised.
  • FIG. 9 schematically depicts the viewpoint of a safety specification on the left hand side. On the right hand side of FIG. 9, a more realistic physical implementation within a semiconductor device is exemplarily depicted. A safety specification usually reflects the intention that the complete wire from the clock source 1001 to the flip-flop 1002 being part of a safety function is being observed using an observer 1005. However, the reality implemented within a semiconductor device is impacted by the need to distribute the clock signal from its single source 1001 to multiple (sometimes several thousands) flip-flops 1002; this requires several levels of clock buffers 1007 (which are named “clock tree”) to provide the required drive strength to the clock ports of all those flip-flops. This is due to the fact that the clock buffers used can only drive a limited amount of subsequent elements. Furthermore the required routing of the corresponding clock wires 1003 over the semiconductor device results in the ability to only observe a portion of the clock wires (the common portion 1004 of the path from the clock source to the observed flip-flop 1002 and a clock observer 1005). A possibly very large portion 1006 of the remaining path may not be observed at all.
  • Furthermore, many safety applications observe the recorded value within those storage elements to identify failures due to an inadvertent change of such a value (which might be caused by environmental effects, e.g. alpha or beta particles or gamma rays) and try to at least detect and sometimes even correct such failures. A prominent example for such a functionality is the Triple Voting Flop (TVP): three redundant flip-flops with a subsequent voting logic that selects the final value based on a majority vote, thus having the capability to provide the correct value despite any single inadvertent change to one of its flip-flops that might have occurred.
  • Providing the capability to detect (or even correct) such incidents while also detecting failures of a storage element with respect to a compromised clock avoids the need for traditional clock observers and provides a higher coverage of the involved clock signals, due to the complete coverage of the involved sub-tree of the clock tree. It also enables a significantly increased coverage of the clock driving this clock tree, as well as the detection of incidents caused by a compromised clock.
  • The document WO 87/07793 A1 discloses a standard triple modular redundancy scheme based on a majority vote to reduce the impact of clock faults.
  • The document U.S. Pat. No. 7,594,150 B2 discloses a method for operating a flip-flop that is tolerant to crosstalk faults by sampling the input data multiple times before and after the active clock edge. The final stored value at the flip-flop is determined by the resolution of a counter circuit residing in the flip-flop, which is activated at the change of the sampled input data.
  • The document U.S. Pat. No. 7,428,694 B2 discloses a logic circuit comprising a logic module comprising a functional synchronous flip-flop receiving a functional result comprising several bits in parallel, and supplying a synchronous result. A module for checking the integrity of the functional flip-flop includes a first coding block receiving the functional result and supplying a first code, a second coding block receiving the synchronous result and supplying a second code, a checking synchronous flip-flop receiving the first code and supplying a third code, and a comparator for comparing the second code with the third code and for supplying a first error signal.
  • There is, however, a need for improved solutions that are not only able to preserve data integrity of a storage element by redundant processing of the data, but are also able to verify the correct storage function of the storage element in combination with observing the involved clock tree.
    SUMMARY OF THE INVENTION
  • The present invention provides a storage element with clock tree and storage monitoring circuit, a method for monitoring a storage element and a method for monitoring the related clock tree as described in the accompanying claims.
  • According to an aspect of the present invention the correct functioning of a state information storage element is monitored by observing the data at the data input interface and the data at the output terminal in order to check whether the monitored state information storage element should have performed a state change, by recording the previous state of the monitored state information storage element, and by observing the data at the output terminal of the monitored state information storage element and the recorded previous state of the monitored state information storage element in order to determine whether the result of this observation is in line with whether the state should have changed or not. By properly distributing the elements of the storage element with monitoring circuit within a clock tree it is possible to further monitor the proper distribution of the clock signal from the clock source to the flip-flops.
  • It should be noted that the phrase “in line with” may be understood to mean that the state change of the state information (recorded in the state information storage element) and the state change of the previous state information (recorded in the previous state information storage element) correspond to each other with respect to one clock period and one storage cycle, respectively. The previous state information storage element is provided to record the previous state information of the state information storage element when new state information is recorded in the state information storage element.
  • Specific embodiments of the invention are set forth in the dependent claims.
  • These and other aspects of the invention will be apparent from and elucidated with reference to the embodiments described hereinafter.
    BRIEF DESCRIPTION OF THE DRAWINGS
  • Further details, aspects and embodiments of the invention will be described, by way of example only, with reference to the drawings. Elements in the figures are illustrated for simplicity and clarity and have not necessarily been drawn to scale.
  • FIG. 1 schematically shows an exemplary embodiment of a storage element with monitoring circuit.
  • FIG. 2 schematically shows another exemplary embodiment of a storage element with monitoring circuit.
  • FIG. 3 schematically shows yet another exemplary embodiment of a storage element with monitoring circuit.
  • FIG. 4 schematically shows yet another exemplary embodiment of a storage element with monitoring circuit.
  • FIG. 5 schematically illustrates an exemplary clock tree.
  • FIG. 5a schematically illustrates some subtrees of an exemplary clock tree.
  • FIG. 6 schematically illustrates an exemplary clock tree with storage elements distributed among its subtrees.
  • FIG. 7 schematically shows an exemplary embodiment of a method for monitoring a storage element.
  • FIG. 8 schematically shows an exemplary embodiment of a method for detecting a failure in a clock tree.
  • FIG. 9 schematically depicts an environment of a monitored clock tree with storage elements.
    DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
  • FIG. 1 schematically illustrates a storage element with monitoring circuit 10. The circuit 10 comprises a data input interface DIN, a data output interface DOUT, a clock signal input interface CLK, and a storage fault indicator interface SF. At the data input interface DIN, data items d are input to a state information storage element Q0 under monitoring. The state information storage element Q0 is fed with a clock c from the clock signal input interface CLK at a respective clock input terminal coupled to the clock signal input interface CLK. A data input terminal of the state information storage element Q0 is coupled to the data input interface DIN. Data processed by the state information storage element Q0 is output at a data output terminal as data output d0.
  • The data output d0 is input to a data input terminal of a state information storage element Q2 that is configured to record the previous state of the monitored state information storage element Q0. Since the state information storage element Q2 has a clock input terminal coupled to the clock signal input interface CLK and is clocked with the same clock c as the state information storage element Q0, the data output d2 at an output terminal of the previous state information storage element Q2 resembles the state of the state information storage element Q0 delayed by one clock period or storage cycle.
  • A state change indication unit CIU, which has a clock input terminal coupled to the clock signal input interface CLK and is clocked with the same clock c as the state information storage element Q0 and the state information storage element Q2, observes the data input d and the data output d0 of the state information storage element Q0 and compares the two detected states. When the data input d and the data output d0 are different, i.e. not equivalent, the state change indication unit CIU is configured to generate a state change indicator x0 indicative of whether the monitored state information storage element Q0 shall have performed a state change. The state change indicator x0 is fed to an input terminal of a state change confirmation unit CCU coupled to the state change indication unit CIU. The state change confirmation unit CCU observes the data d0 at the output terminal of the monitored state information storage element Q0 and the data d2 at the output terminal of the previous state information storage element Q2. When the result of this observation is not in line with the state change indicator x0, i.e. when there is no difference between the output d0 of the monitored state information storage element Q0 and the previous state information d2 provided by the storage element Q2 although the state change indicator x0 indicated that the monitored state information storage element Q0 should have performed a state change, the state change confirmation unit CCU is configured to generate a storage fault indicator x3 at the storage fault indicator interface SF.
  • As schematically illustrated in FIG. 3 the storage element with monitoring circuit 10 may further comprise a data fault unit DFU that includes a clock input terminal coupled to the clock signal input interface CLK, a first data input terminal coupled to the data input interface DIN, and a second data input terminal coupled to the data output terminal of the monitored state information storage element Q0. The data fault unit DFU is configured to generate a data fault indicator x2 at a data fault indicator interface DF when the data recorded by the monitored state information storage element Q0 does not match a redundant copy of this data within the data fault unit DFU.
  • Alternatively, it may be possible to implement a data fault detection and correction unit DFCU instead of the data fault unit DFU, the data fault detection and correction unit DFCU having a clock input terminal coupled to the clock signal input interface CLK, a first data input terminal coupled to the data input interface DIN, and a second data input terminal coupled to the data output terminal of the monitored state information storage element Q0. The data fault detection and correction unit DFCU may further receive the storage fault indicator x3 at a third input terminal connected to the storage fault indicator interface SF. The data fault detection and correction unit DFCU may be configured to generate a data fault indicator x2 at the data fault indicator interface DF when the data recorded by the monitored state information storage element Q0 does not match a redundant copy of this data within the data fault detection and correction unit DFCU. Depending on the matching result, the data fault detection and correction unit DFCU may select an appropriately corrected data output to be output at the data output interface DOUT either from the data output terminal of the monitored state information storage element Q0 or a redundant copy of this data. For example, if neither the storage fault indicator x3 nor the data fault indicator x2 indicates a failure, or if only the data fault indicator x2 indicates a failure, the actual output of the monitored state information storage element Q0 may be selected for output at the data output interface DOUT. However, if the storage fault indicator x3 alone, or both the storage fault indicator x3 and the data fault indicator x2, indicate that the state information recorded by the monitored state information storage element Q0 is erroneous, the data fault detection and correction unit DFCU may instead select the redundant copy of the data d input at the monitored state information storage element Q0 as data output.
  • FIG. 3 schematically illustrates a more detailed diagram of the storage element with monitoring circuit 10 according to an exemplary variant of FIG. 1 or 2. For example, the state change indication unit CIU may comprise a first comparison element C0 that has a first input terminal coupled to the data input interface DIN and a second input terminal coupled to the data output terminal of the monitored state information storage element Q0. At an output terminal thereof, a state change indication is input to a change indicator storage element Q3 that is clocked by the clock c at its clock input terminal which is coupled to the clock signal input interface CLK. The change indicator storage element Q3 may issue the state change indicator x0 at its output terminal in sync with the clock c.
  • The state change confirmation unit CCU may for example comprise a second comparison element C1 with a first input terminal coupled to the data output terminal of the monitored state information storage element Q0, and a second input terminal coupled to the data output terminal of the previous state information storage element Q2. Similar to the operation of the first comparison element C0, the second comparison element C1 compares the recorded state information of the monitored state information storage element Q0 and the recorded state information at the previous state information storage element Q2 in order to generate an output x1 indicative of whether the monitored state information storage element Q0 has changed its state. A storage check unit C3 is coupled to the output of the second comparison element C1 and the change indicator storage element Q3 of the state change indication unit CIU in order to generate a storage fault indicator SF dependent on the state change indicator x0 and the output x1 of the second comparison element C1. The state change indicator x0 indicates whether a state change shall have occurred at the monitored state information storage element Q0. The output x1 of the second comparison element C1, on the other hand, indicates whether the monitored state information storage element Q0 has performed a state change. If these indications are equivalent, this means that the monitored state information storage element Q0 has correctly stored data d provided at its data input terminal. However, if these indications are not equivalent, it may be assumed that the monitored state information storage element Q0 failed to correctly store the data d input to its data input terminal; hence, the storage check unit C3 is able to issue a storage fault indicator x3 at the storage fault indicator interface SF which is indicative of whether or not the monitored state information storage element Q0 correctly stored data provided at its data input terminal.
  • The exemplary variant of FIG. 3 shows a storage element with monitoring circuit 10 according to FIG. 2 where a data fault unit DFU is implemented. The data fault unit DFU of FIG. 3 includes a redundant state information storage element Q1 that is clocked with the clock c at a clock input terminal coupled to the clock input signal interface CLK. The redundant state information storage element Q1 has further a data input terminal coupled to the data input interface DIN so that the redundant state information storage element Q1 may provide a redundant copy d1 of the data recorded by the monitored state information storage element Q0. In order to check for data faults, a third comparison element Q2 is configured to compare the data output d0 of the monitored state information storage element Q0 with the data output d1 of the redundant state information storage element Q1. If the data output d0 of the monitored state information storage element Q0 and the data output d1 of the redundant state information storage element Q1 are not equivalent, it may be assumed that a data fault occurred at the monitored state information storage element Q0. In this case, a data fault indicator x2 is issued at the data fault indicator interface DF.
  • FIG. 4 schematically illustrates another variant of the storage element with monitoring circuit 10 with a data fault detection and correction unit DFCU being embodied. The circuit 10 of FIG. 4 differs from the circuit 10 of FIG. 3 mainly in that the data fault detection and correction unit DFCU further comprises a data selection unit DSU connected to the outputs of the monitored state information storage element Q0 and the redundant state information storage element Q1. The data selection unit DSU may be configured to select the appropriate output of one of the storage elements Q0 and Q1 depending on whether and what kind of fault has been detected. The data selection unit DSU may select one of the original data output d0 of the monitored state information storage element Q0 and the data output d1 output by the redundant state information storage element Q1, dependent on the storage fault indicator x3 and the data fault indicator x2. This may for example be done in a two-step selection stage which firstly considers whether a storage fault has occurred in a first selection unit S1 and secondly considers whether a data fault has occurred in a second selection unit S2. The selection units S1 and S2 are exemplarily illustrated as multiplexers; however, any similar logic or selectors may be chosen as well. Only if the combination of those faults indicates no error in the monitored state information storage element Q0 may the original data output d0 of the monitored state information storage element Q0 be output at the data output interface DOUT. In all other cases, the data output of the redundant state information storage element Q1 is relied upon as being the correct data output.
  • In the shown embodiment, each of the storage elements Q0, Q1, Q2 and Q3 is implemented as flip-flop and described in relationship to the behaviour of flip-flops with clock inputs. Anybody skilled in the art will recognize that the same functionality can also be implemented with other storage elements, e.g. latches, which will show a slightly different behaviour with respect to their latch enable input.
  • The circuits 10 as illustrated and explained in FIGS. 1 to 4 may be implemented within an integrated circuit. Such an integrated circuit may comprise at least one of the afore-mentioned circuits 10. As exemplarily illustrated in FIG. 5, such an integrated circuit may include at least one clock root CR that is driving the clock input terminal of multiple clock subtrees CS1 to CSn. Each clock subtree may comprise a chain of one or more buffer elements B, Bi, Bij, . . . that route the clock from the clock root through the branches of the clock tree CT to at least one of the storage elements FFi. In the example of FIG. 5 the buffers B, B1, and B12 are driving the clock input terminal of FF1.
  • It is worth noting that any of the clock subtrees CSi may itself be considered a clock tree CTi, with the corresponding driving buffer B being the clock root CR of this clock tree CTi. As such these clock subtrees are recursively defined as (CSi, CSi+1, . . . , CSk), with the buffer driving the clock subtree CSi being itself the clock root of the clock subtrees CSi+1, with this definition recursively applied to all its clock subtrees until the final set of clock subtrees CSk.
  • Storage elements FF1 and FFn may be considered as being placed in one of the clock subtrees, if the clock provided to the storage elements is routed through the respective clock subtree CS1 and CSn. The clock subtree CS1 originates from the root buffer B1, whereas the clock subtree CSn originates from the root buffer Bn. It should be noted that the number of clock subtrees n is generally not limited. Moreover, each of the clock subtrees may be hierarchically divided into further sub-subtrees, not explicitly shown in FIG. 5 due to reasons of clarity and lucidity. FIG. 5a illustrates this recursive definition using the example of two different clock subtrees (CS1, CS3, CS2) and (CSn) for two storage elements, FFj and FFk respectively.
  • A set of storage elements comprising at least the monitored state information storage element Q0, the change indicator storage element Q3 and the previous state information storage element Q2 of a first one of the circuits 10 of the integrated circuit may be either directly or indirectly driven by the clock root CR. As illustrated in FIG. 6, the set of storage elements may be divided according to a predetermined arrangement with respect to the clock subtrees. The change indicator storage element Q3 of the first one of the circuits 10 is arranged in a different clock subtree (CSn) than the clock subtree (CS1, CS2) driving the clock input terminal of the monitored state information storage element Q0 of the first one of the circuits 10. Similarly, the previous state information storage element Q2 of the first one of circuits 10 is arranged in a different clock signal subtree (CS1, CS4) than the clock signal subtree driving the clock input terminal of the respective change indicator storage element Q3. It is worth noting that the clock root (CS1) for both storage elements Q0 and Q2 differs from the clock root (CSn) for the storage element Q3; however, the clock tree for the storage elements Q0 and Q2 differs not with respect to its clock root CS1, but with respect to its subtrees driven by different clock roots (CS1, CS2) and (CS1, CS4).
  • In the example of FIG. 6, the monitored state information storage element Q0 and the previous state information storage element Q2 may be implemented in the clock subtree CS1, whereas the change indicator storage element Q3 may be implemented in the clock subtree CSn. Additionally, the redundant state information storage element Q1 may be implemented in a clock subtree different to the clock signal subtree driving the clock input terminal of the monitored state information storage element Q0 and/or the previous state information storage element Q2, for example in the clock subtree of the change indicator storage element Q3.
  • With the distribution of the storage elements Q0, Q2 and Q3 (and possibly Q1) among the different subtrees CS1 to CSn it becomes possible to determine whether a clock failure might have occurred. By combining the information from multiple storage elements with monitoring circuits 10 it might be even possible to determine the subtree in which a clock failure has occurred. If both a storage fault and a data fault are determined, the clock failure was present at the monitored state information storage element Q0, hence in the first clock subtree CS1. If only a data fault is determined, the clock failure was present at the redundant state information storage element Q1. If only a storage fault is determined, the failure may be located at the previous state information storage element Q2 or the change indicator storage element Q3, depending on the state of the change indicator storage element Q3. This way, a whole clock tree CT may be monitored for clock failures with the circuit 10 in operation.
  • FIG. 7 schematically illustrates a method M0 for monitoring a storage element with its monitoring circuits with respect to a clock signal c; for example by describing the operations before and after the clock active edge as well as the operations triggered by the clock edge. In this example, a positive clock edge is assumed to trigger the storage of information.
  • The method M0 comprises at M01 feeding a monitored state information storage element Q0 with state information d from a data input interface DIN clocked with a clock signal CLK, at M02a, detecting whether the current state information d0 of the monitored state information storage element Q0 is different from the state information d, followed by, at M02b, feeding the indicator for this difference to the change indicator storage element Q3 and thus generating a state change indicator x0 based on the detection result.
  • At M03, a previous state information storage element Q2 is fed with state information output d0 from the monitored state information storage element Q0.
  • In parallel to the above operations M01, M02a, M02b and M03, it may optionally be possible at M05a to feed a redundant state information storage element Q1 with state information d of the data input interface DIN.
  • Any of the above operations are performed before the edge CE of the clock signal CLK. With this edge CE the fed information is taken over by the respective storage elements.
  • After the clock edge CE, the method M0 comprises, at M04a, detecting whether the current state information d0 of the monitored state information storage element Q0 is different from the previous state information d2 from the previous state information storage element Q2, followed by, at M04b, generating a storage fault indicator SF based on comparison of the detection result and the state change indicator x0.
  • In parallel to M04a and M04b, at M05b the current state information d0 of the monitored state information storage element Q0 is compared with the current state information d1 of the redundant state information storage element Q1. At M05c a data fault indicator DF may optionally be generated, if the data output d0 of the monitored state information storage element Q0 and the data output d1 of the redundant state information storage element Q1 are not equivalent.
  • Additionally, after executing M04b and M05c it may be possible to select one of the data outputs of the monitored state information storage element Q0 and the redundant state information storage element Q1 as a corrected data output dependent on the evaluation of the storage fault indicator SF in combination with the data fault indicator DF at M06.
  • FIG. 8 schematically illustrates a method M1 for detecting a clock failure in a clock tree, for example the clock tree CT in FIGS. 5 and 6 used within an integrated circuit having a storage element with monitoring circuit as shown and explained in conjunction with FIGS. 1 to 4. The method M1 comprises at M11 a determination if a failure is present in the monitored state information storage element Q0. At M12, it may be determined, whether a failure is present in the previous state information storage element Q2. Similarly, at M13 it is determined, if a failure is present in the change indicator storage element Q3. The determined failure indications of M11 to M13 may then be used at M14 to determine a faulty clock signal of the clock tree CT depending on a combination of the determined failure indications.
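The following Python model is an added example, not part of the patent: it steps the flip-flops Q0 to Q3 of FIG. 3 and the output selection of FIG. 4 through the pre-edge and post-edge operations of method M0, and applies the fault combinations given in the FIG. 6 discussion to name the suspected element. The class and function names, the single-bit data path, the `no_clock` fault injection (an element that misses one clock edge) and the data stream are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Mapping, NamedTuple, Optional


class Observation(NamedTuple):
    d0: int                 # output of the monitored flip-flop Q0
    sf: int                 # storage fault indicator x3
    df: int                 # data fault indicator x2
    dout: int               # output chosen by the FIG. 4 data selection
    suspect: Optional[str]  # element(s) whose clock is suspected, if any


def locate(sf: int, df: int) -> Optional[str]:
    """Fault combinations as stated in the FIG. 6 discussion."""
    if sf and df:
        return "Q0"
    if df:
        return "Q1"
    if sf:
        return "Q2 or Q3"   # the text does not separate these two further
    return None


@dataclass
class MonitoredCell:
    q0: int = 0  # monitored state (d0)
    q1: int = 0  # redundant copy (d1)
    q2: int = 0  # previous state of Q0 (d2)
    q3: int = 0  # state change indicator (x0)

    def clock(self, d: int, no_clock: FrozenSet[str] = frozenset()) -> Observation:
        # Before the edge (M01, M02a/b, M03, M05a): values at the D inputs.
        # C0 compares d with the current d0 and feeds the result to Q3.
        d_in = {"q0": d, "q1": d, "q2": self.q0, "q3": int(d != self.q0)}
        # Clock edge: an element named in no_clock keeps its old content.
        for name, value in d_in.items():
            if name.upper() not in no_clock:
                setattr(self, name, value)
        # After the edge (M04a/b, M05b/c, M06).
        x1 = int(self.q0 != self.q2)       # C1: did Q0 actually change?
        sf = int(self.q3 != x1)            # C3: expected vs. observed change
        df = int(self.q0 != self.q1)       # third comparison: Q0 vs. Q1
        dout = self.q1 if sf else self.q0  # storage fault -> use redundant copy
        return Observation(self.q0, sf, df, dout, locate(sf, df))


def run(stream: Iterable[int],
        faults: Optional[Mapping[int, Iterable[str]]] = None) -> List[Observation]:
    """Clock a fresh cell once per data bit; faults maps cycle -> elements
    that miss the clock edge in that cycle."""
    cell = MonitoredCell()
    faults = faults or {}
    return [cell.clock(d, frozenset(faults.get(i, ())))
            for i, d in enumerate(stream)]


STREAM = [1, 0, 0, 1, 1, 0]  # constructed input data, one bit per clock cycle

if __name__ == "__main__":
    scenarios = [("no fault", {}), ("Q0 misses edge 3", {3: {"Q0"}}),
                 ("Q1 misses edge 3", {3: {"Q1"}}), ("Q2 misses edge 2", {2: {"Q2"}}),
                 ("Q3 misses edge 2", {2: {"Q3"}}), ("Q0 misses edge 2", {2: {"Q0"}})]
    for label, faults in scenarios:
        print(label)
        for i, o in enumerate(run(STREAM, faults)):
            print(f"  cycle {i}: d={STREAM[i]} d0={o.d0} SF={o.sf} DF={o.df} "
                  f"DOUT={o.dout} suspect={o.suspect}")
```

A missed edge is only observable when the element should have changed: dropping the clock of Q0 in cycle 2, where d already equals d0, raises neither indicator.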
  • In the foregoing specification, the invention has been described with reference to specific examples of embodiments of the invention. It will, however, be evident that various modifications and changes may be made therein without departing from the broader spirit and scope of the invention as set forth in the appended claims. For example, the connections may be a type of connection suitable to transfer signals from or to the respective nodes, units or devices, for example via intermediate devices. Accordingly, unless implied or stated otherwise the connections may for example be direct connections or indirect connections.
  • The terms “assert” or “set” and “negate” (or “deassert” or “clear”) are used herein when referring to the rendering of a signal, status bit, or similar apparatus into its logically true or logically false state, respectively. If the logically true state is a logic level one, the logically false state is a logic level zero. Conversely, if the logically true state is a logic level zero, the logically false state is a logic level one. It will be apparent to the skilled person in the field that the exemplarily depicted logic components and units in the figures may equally be implemented by inverse logic components and units being fed with respectively inverse logic signals or status bits.
  • Because the apparatus implementing the present invention is, for the most part, composed of electronic components and circuits known to those skilled in the art, details of the circuitry and its components will not be explained in any greater extent than that considered necessary as illustrated above, for the understanding and appreciation of the underlying concepts of the present invention and in order not to obfuscate or distract from the teachings of the present invention.
  • Some of the above embodiments, as applicable, may be implemented using a variety of different circuitry components. For example, the exemplary topology in the figures and the discussion thereof is presented merely to provide a useful reference in discussing various aspects of the invention. It should be understood by those skilled in the art that the description of the topology has been simplified for purposes of discussion, and it is just one of many different types of appropriate topologies that may be used in accordance with the invention. Those skilled in the art will recognize that the boundaries between logic blocks are merely illustrative and that alternative embodiments may merge logic blocks or circuit elements or impose an alternate decomposition of functionality upon various logic blocks or circuit elements.
  • Thus, it is to be understood that the architectures depicted herein are merely exemplary, and that in fact many other architectures can be implemented which achieve the same functionality. In an abstract, but still definite sense, any arrangement of components to achieve the same functionality is effectively “associated” such that the desired functionality is achieved. Hence, any two components herein combined to achieve a particular functionality can be seen as “associated with” each other such that the desired functionality is achieved, irrespective of architectures or intermediate components. Likewise, any two components so associated can also be viewed as being “operably connected,” or “operably coupled,” to each other to achieve the desired functionality.
  • Also, the invention is not limited to physical devices or units implemented in non-programmable hardware but can also be applied in programmable devices or units able to perform the desired device functions by operating in accordance with suitable program code. Furthermore, the devices may be physically distributed over a number of apparatuses, while functionally operating as a single device. Devices functionally forming separate devices may be integrated in a single physical device.
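
The monitoring described above (storage fault indicator SF, data fault indicator DF and the selection at M06) can be exercised in a behavioural model. This Python sketch is an added example, not part of the patent text; the fault-injection arguments `flip` and `missed`, the helper `run`, and the selection rule in `corrected_output` are assumptions of the sketch.

```python
"""Behavioural model of the monitored storage element (added example).

Q0 (monitored), Q1 (redundant), Q2 (previous state) and Q3 (change
indicator) follow the description; the fault-injection hooks and the
selection rule in corrected_output() are assumptions of this sketch.
"""
from dataclasses import dataclass


@dataclass
class MonitoredCell:
    q0: int = 0  # monitored state information storage element
    q1: int = 0  # redundant state information storage element
    q2: int = 0  # previous state information storage element
    q3: int = 0  # change indicator storage element

    def clock(self, d, flip=None, missed=()):
        """Apply one clock edge with data input d and return (SF, DF).

        flip   -- name of one element whose stored bit is inverted after
                  the edge (constructed single-bit upset), or None
        missed -- names of elements that do not see this clock edge
                  (constructed clock-subtree failure)
        """
        nxt = {
            "q0": d,            # Q0 captures the data input
            "q1": d,            # Q1 captures the same data redundantly
            "q2": self.q0,      # Q2 records the previous state of Q0
            "q3": d ^ self.q0,  # first comparison: should Q0 change?
        }
        for name, value in nxt.items():
            if name not in missed:
                setattr(self, name, value)
        if flip is not None:
            setattr(self, flip, getattr(self, flip) ^ 1)
        return self.indicators()

    def indicators(self):
        """Evaluate SF and DF from the stored values after the edge."""
        changed = self.q0 ^ self.q2  # second comparison: did Q0 change?
        sf = changed ^ self.q3       # observation disagrees with indicator
        df = self.q0 ^ self.q1       # Q0 and Q1 are not equivalent
        return sf, df

    def corrected_output(self):
        """Assumed rule: SF and DF together implicate Q0, so use Q1."""
        sf, df = self.indicators()
        return self.q1 if (sf and df) else self.q0


def run(stream, fault_at=None, **fault):
    """Clock a bit stream through a fresh cell.

    Returns one (SF, DF, corrected output) tuple per cycle; the fault
    keyword arguments are applied only in cycle fault_at.
    """
    cell, trace = MonitoredCell(), []
    for i, d in enumerate(stream):
        sf, df = cell.clock(d, **(fault if i == fault_at else {}))
        trace.append((sf, df, cell.corrected_output()))
    return trace


if __name__ == "__main__":
    bits = [1, 0, 0, 1]  # constructed input stream
    for label, kw in [("no fault", {}),
                      ("Q0 upset", {"fault_at": 1, "flip": "q0"}),
                      ("Q0 missed clock", {"fault_at": 1, "missed": ("q0",)})]:
        print(label, run(bits, **kw))
```

In this model a clock edge missed by Q0 alone raises SF only when a state change was due, and an edge missed by all four elements at once raises neither indicator.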

Claims (15)

1. A storage element with monitoring circuit, comprising:
a data input interface providing data;
a data output interface;
a clock signal input interface providing a clock;
a storage fault indicator interface;
a monitored state information storage element having a clock input terminal coupled to the clock signal input interface, a data input terminal coupled to the data input interface and a data output terminal;
a previous state information storage element having a clock input terminal coupled to the clock signal input interface, and a data input terminal coupled to the data output terminal of the monitored state information storage element, the previous state information storage element being configured to record the previous state of the monitored state information storage element;
a state change indication unit having a clock input terminal coupled to the clock signal input interface, the state change indication unit being configured to generate a state change indicator indicative of whether the monitored state information storage element shall have performed a state change by observing the data at the data input interface and the data at the output terminal of the monitored state information storage element; and
a state change confirmation unit coupled to the state change indication unit, the state change confirmation unit being configured to generate a storage fault indicator by observing the data at the output terminal of the monitored state information storage element and the data at the output of the previous state information storage element and checking whether the result of this observation is in line with the state change indicator.
2. The storage element with monitoring circuit of claim 1, wherein the state change indication unit comprises:
a first comparison element having a first input terminal coupled to the data input interface, a second input terminal coupled to the data output terminal of the monitored state information storage element and an output terminal; and
a change indicator storage element having a clock input terminal coupled to the clock signal input interface, and a data input terminal coupled to the output terminal of the comparison element, and an output terminal; the change indicator storage element being configured to issue the state change indicator at its output terminal.
3. The storage element with monitoring circuit of claim 1, wherein the state change confirmation unit comprises:
a second comparison element having a first input terminal coupled to the data output terminal of the monitored state information storage element, and a second input terminal coupled to the data output terminal of the previous state information storage element; and
a storage check unit configured to generate the storage fault indicator from the state change indicator and the output of the second comparison element, the storage fault indicator being indicative of whether or not the monitored state information storage element correctly stored data provided at its data input terminal.
4. The storage element with monitoring circuit of claim 1, further comprising:
a data fault unit, including a clock input terminal coupled to the clock signal input interface, a first data input terminal coupled to the data input interface, and a second data input terminal coupled to the data output terminal of the monitored state information storage element, wherein the data fault unit is configured to generate a data fault indicator when the data recorded by the monitored state information storage element does not match a redundant copy of this data within the data fault unit.
5. The storage element with monitoring circuit of claim 4, wherein the data fault unit comprises:
a redundant state information storage element having a clock input terminal coupled to the clock input signal interface and a data input terminal coupled to the data input interface, the redundant state information storage element being configured to provide a redundant copy of the data recorded by the monitored state information storage element; and
a third comparison element configured to compare the data output of the monitored state information storage element with the data output of the redundant state information storage element and configured to generate a data fault indicator, when the data output of the monitored state information storage element and the data output of the redundant state information storage element are not equivalent.
6. The storage element with monitoring circuit of claim 1, further comprising:
a data fault detection and correction unit, having a clock input terminal coupled to the clock signal input interface, a first data input terminal coupled to the data input interface, and a second data input terminal coupled to the data output terminal of the monitored state information storage element, and a third input terminal connected to the storage fault indicator interface,
the data fault detection and correction unit being configured to generate a data fault indicator when the data recorded by the monitored state information storage element does not match a redundant copy of this data within the data fault detection and correction unit, and to generate a corrected data output selected from the data output terminal of the monitored state information storage element and the redundant copy of this data depending on the storage fault indicator and the data fault indicator.
7. The storage element with monitoring circuit of claim 6, the data fault detection and correction unit further comprising:
a redundant state information storage element having a clock input terminal coupled to the clock input signal interface and a data input terminal coupled to the data input interface, the redundant state information storage element being configured to provide a redundant copy of the data recorded by the monitored state information storage element;
a third comparison element configured to compare the data output of the monitored state information storage element with the data output of the redundant state information storage element and configured to generate a data fault indicator, when the data output of the monitored state information storage element and the data output of the redundant state information storage element are not equivalent; and
a data selection unit configured to select one of the original data output of the monitored state information storage element or data output by the redundant state information storage element dependent on the storage fault indicator and the data fault indicator and to provide the selected data at the data output interface.
8. An integrated circuit, comprising at least one storage element with monitoring circuit of claim 1.
9. The integrated circuit of claim 8, comprising at least one clock root that is driving the clock input terminal of a set of storage elements either directly or indirectly, the set of storage elements comprising at least the monitored state information storage element, the change indicator storage element and the previous state information storage element of a first one of the storage elements with monitoring circuit.
10. The integrated circuit of claim 9, wherein the change indicator storage element of the first one of the storage elements with monitoring circuit is arranged in a different clock signal subtree than the clock signal subtree driving the clock input terminal of the monitored state information storage element of the first one of the storage elements with monitoring circuit.
11. The integrated circuit of claim 8, wherein the previous state information storage element of the first one of the storage elements with monitoring circuit is arranged in a different clock signal subtree than the clock signal subtree driving the clock input terminal of the change indicator storage element of the first one of the storage elements with monitoring circuit.
12. A method for monitoring a state information storage element, the method comprising:
feeding a monitored state information storage element with state information from a data input interface clocked with a clock signal;
detecting whether the current state information of the monitored state information storage element is different from the state information fed in the next clock period and generating a state change indicator with the clock signal CLK based on the detection result;
feeding a previous state information storage element with state information output from the monitored state information storage element clocked with the clock signal; and
detecting after the clock signal whether the current state information of the monitored state information storage element is different from the previous state information from the previous state information storage element and generating a storage fault indicator based on comparison of the detection result and the state change indicator.
13. The method of claim 12, further comprising:
feeding a redundant state information storage element with state information of the data input interface clocked with the clock signal in parallel to the monitored state information storage element; and
comparing after the clock signal the data output of the monitored state information storage element with the data output of the redundant state information storage element and generating a data fault indicator, if the data output of the monitored state information storage element and the data output of the redundant state information storage element are not equivalent.
14. The method of claim 13, further comprising:
selecting one of the data outputs of the monitored state information storage element and the redundant state information storage element as a corrected data output dependent on the evaluation of the storage fault indicator in combination with the data fault indicator.
15. The method of claim 12, further comprising:
detecting a clock failure in a clock tree including:
determining, if a failure is present in a monitored state information storage element;
determining, if a failure is present in a previous state information storage element;
determining, if a failure is present in a change indicator storage element; and
determining a faulty clock signal subtree depending on a combination of the determined failure.
US15/104,809 2013-12-18 2013-12-18 Storage element with storage and clock tree monitoring circuit and methods therefor Expired - Fee Related US9589637B1 (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/IB2013/061100 WO2015092487A1 (en) 2013-12-18 2013-12-18 Storage element with storage and clock tree monitoring circuit and methods therefor

Publications (2)

Publication Number Publication Date
US20170053710A1 (en) 2017-02-23
US9589637B1 (en) 2017-03-07

Family

ID=53402184

Family Applications (1)

Application Number Title Priority Date Filing Date
US15/104,809 Expired - Fee Related US9589637B1 (en) 2013-12-18 2013-12-18 Storage element with storage and clock tree monitoring circuit and methods therefor

Country Status (3)

Country Link
US (1) US9589637B1 (en)
EP (1) EP3084648B1 (en)
WO (1) WO2015092487A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10379927B2 (en) * 2016-11-01 2019-08-13 Xilinx, Inc. Programmable clock monitor

Family Cites Families (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPS5198006A (en) 1975-02-21 1976-08-28
WO1987007793A1 (en) 1986-06-13 1987-12-17 Valtion Teknillinen Tutkimuskeskus Method for realizing a fault-tolerant electronic system and a corresponding system
US5159279A (en) 1990-11-27 1992-10-27 Dsc Communications Corporation Apparatus and method for detecting out-of-lock condition in a phase lock loop
US5343301A (en) 1992-11-05 1994-08-30 Ampex Systems Corporation Input clock presence detector for a digital video input
US5471488A (en) 1994-04-05 1995-11-28 International Business Machines Corporation Clock fault detection circuit
US6078193A (en) 1998-04-06 2000-06-20 Graychip, Inc. Apparatus and method for providing a static mode for dynamic logic circuits
US6343096B1 (en) 1998-07-16 2002-01-29 Telefonaktiebolaget Lm Ericsson Clock pulse degradation detector
US6222413B1 (en) * 1999-03-16 2001-04-24 International Business Machines Corporation Receiver assisted net driver circuit
US6362675B1 (en) 1999-07-12 2002-03-26 Ramtron International Corporation Nonvolatile octal latch and D-type register
US7627029B2 (en) 2003-05-20 2009-12-01 Rambus Inc. Margin test methods and circuits
US7428694B2 (en) 2004-03-02 2008-09-23 Stmicroelectronics S.A. Device for protection against error injection into a synchronous flip-flop of an elementary logic module
US7594150B2 (en) 2006-05-10 2009-09-22 Alcatel-Lucent Usa Inc. Fault-tolerant architecture of flip-flops for transient pulses and signal delays
US7679404B2 (en) 2006-06-23 2010-03-16 Intel Corporation Missing clock pulse detector
EP1950577A3 (en) * 2007-01-29 2012-01-11 Stmicroelectronics Sa Method for verifying the integrity of a clock tree
US7646224B2 (en) 2007-05-04 2010-01-12 Exar Corporation Means to detect a missing pulse and reduce the associated PLL phase bump
DE602008003051D1 (en) 2007-05-18 2010-12-02 St Microelectronics Rousset Detection of a state fault of a bistable toggle switch of an electronic circuit
EP2193444A2 (en) 2007-09-03 2010-06-09 Nxp B.V. Clock supervision unit
US8334707B2 (en) * 2008-12-29 2012-12-18 Infineon Technologies Ag Storage circuit with fault detection and method for operating the same
TWI347752B (en) 2009-04-30 2011-08-21 Nat Chip Implementation Ct Nat Applied Res Lab Edge-missing detector structure

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180329780A1 (en) * 2017-05-15 2018-11-15 The Boeing Company High Data Integrity Processing System
US10740186B2 (en) * 2017-05-15 2020-08-11 The Boeing Company High data integrity processing system
US20210278815A1 (en) * 2018-08-21 2021-09-09 Pilz Gmbh & Co. Kg Automation System For Monitoring A Safety-Critical Process
CN112685424A (en) * 2021-01-04 2021-04-20 潍柴动力股份有限公司 Processing method and device for engine fault storage

Also Published As

Publication number Publication date
EP3084648A4 (en) 2017-08-09
EP3084648B1 (en) 2019-06-12
US9589637B1 (en) 2017-03-07
WO2015092487A1 (en) 2015-06-25
EP3084648A1 (en) 2016-10-26

Legal Events

Date Code Title Description
AS Assignment

Owner name: FREESCALE SEMICONDUCTOR, INC., TEXAS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:ROHLEDER, MICHAEL;KOCH, THOMAS;LUEPKEN, HARALD;REEL/FRAME:038921/0457

Effective date: 20140108

AS Assignment

Owner name: NXP, B.V., F/K/A FREESCALE SEMICONDUCTOR, INC., NETHERLANDS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:MORGAN STANLEY SENIOR FUNDING, INC.;REEL/FRAME:040925/0001

Effective date: 20160912

AS Assignment

Owner name: NXP B.V., NETHERLANDS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:MORGAN STANLEY SENIOR FUNDING, INC.;REEL/FRAME:040928/0001

Effective date: 20160622

AS Assignment

Owner name: NXP USA, INC., TEXAS

Free format text: CHANGE OF NAME;ASSIGNOR:FREESCALE SEMICONDUCTOR INC.;REEL/FRAME:040626/0683

Effective date: 20161107

AS Assignment

Owner name: NXP USA, INC., TEXAS

Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE NATURE OF CONVEYANCE PREVIOUSLY RECORDED AT REEL: 040626 FRAME: 0683. ASSIGNOR(S) HEREBY CONFIRMS THE MERGER AND CHANGE OF NAME;ASSIGNOR:FREESCALE SEMICONDUCTOR INC.;REEL/FRAME:041414/0883

Effective date: 20161107

Owner name: NXP USA, INC., TEXAS

Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE NATURE OF CONVEYANCE PREVIOUSLY RECORDED AT REEL: 040626 FRAME: 0683. ASSIGNOR(S) HEREBY CONFIRMS THE MERGER AND CHANGE OF NAME EFFECTIVE NOVEMBER 7, 2016;ASSIGNORS:NXP SEMICONDUCTORS USA, INC. (MERGED INTO);FREESCALE SEMICONDUCTOR, INC. (UNDER);SIGNING DATES FROM 20161104 TO 20161107;REEL/FRAME:041414/0883

STCF Information on status: patent grant

Free format text: PATENTED CASE

AS Assignment

Owner name: NXP B.V., NETHERLANDS

Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE APPLICATION 11759915 AND REPLACE IT WITH APPLICATION 11759935 PREVIOUSLY RECORDED ON REEL 040928 FRAME 0001. ASSIGNOR(S) HEREBY CONFIRMS THE RELEASE OF SECURITY INTEREST;ASSIGNOR:MORGAN STANLEY SENIOR FUNDING, INC.;REEL/FRAME:052915/0001

Effective date: 20160622

AS Assignment

Owner name: NXP, B.V. F/K/A FREESCALE SEMICONDUCTOR, INC., NETHERLANDS

Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE APPLICATION 11759915 AND REPLACE IT WITH APPLICATION 11759935 PREVIOUSLY RECORDED ON REEL 040925 FRAME 0001. ASSIGNOR(S) HEREBY CONFIRMS THE RELEASE OF SECURITY INTEREST;ASSIGNOR:MORGAN STANLEY SENIOR FUNDING, INC.;REEL/FRAME:052917/0001

Effective date: 20160912

FEPP Fee payment procedure

Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

LAPS Lapse for failure to pay maintenance fees

Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

STCH Information on status: patent discontinuation

Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362

FP Lapsed due to failure to pay maintenance fee

Effective date: 20210307