Mission-critical MCU-based systems operating under severe electrical conditions can malfunction because of disturbances in the clock path. An MCU-based system left without a clock loses its controllability in high-current output, and glitch-clock injection may destroy the state values of flip-flops. In this paper, we propose automatic clock failure detection and protection by implementing a fully synthesizable edge detector, noise canceller logic and glitch-free clock changer circuit. To determine the noise-vulnerable data/clock paths, we propose a presimulation framework that reconstructs the clock noise propagation path from the entire circuit netlist. We successfully increased the noise immunity by allocating the detector units to efficient locations.
Introduction
Software-powered embedded system design based on microcontrollers (MCUs) is becoming one of the popular approaches to implementing fully standalone embedded systems. Traditionally, ordinary MCUs, which are widely used in home appliance applications, are known to be insufficient to guarantee the reliability specification of system operations in industrial applications. Therefore, there has been demand for highly reliable MCUs that still run on-chip software to invoke the embedded hardware [1]. SoC-based MCUs are applied to mission-critical applications [2] that require highly reliable system operation in severely noisy environments.
To protect the designed system from external disturbances, embedded system integrators using an MCU as the main controller first analyze the path of noise injection by emulating the system operations at runtime. Then, they iteratively try to make up for the weak points by adding protection, such as shielding, and by making the ground/power lines thick, which is considered an ad-hoc iteration method at the engineering level [3].
The unexpected exception cases, which cannot be handled by the preinstalled recovery routines to resolve errors, may cause unknown system malfunction [4]. The complex functions based on on-chip software in MCUs have the possibility to cause abnormal operations of the target systems, which were not covered in the system validation time.
Fig. 2. System malfunctions by external noise
In the case of typical consumer applications, such as mobile devices and home appliances, system malfunctions can be easily resolved by a simple user-activated reset or a hardware watchdog timer [5] in cases where the system is stuck in an endless loop, including the persistent execution of unexpected functions.
The clock input pin is directly connected to the first input of the amplifier in an analog circuit, on the assumption that the system integrator protects the clock pin from noise. As shown in Figure 1 (a), when noise of an ambiguous frequency is injected into the clock pins, the clock generation unit seamlessly passes the oscillation pulses into the internal area of the system. Unprotected injection of harmful clock oscillation causes data hazards in the registers because the short pulse duty leaves a shortage of setup/hold margin, and small fractions of errors are gradually propagated into the entire system.
The propagation of noise injected from the clock pins through the clock tree network is too fast for the hazards to be contained over the entire system. A simple restriction policy for clocks in an unwanted frequency range may halt the system operation temporarily, which causes an unsafe situation by putting the system into an unhandled state. As shown in Figure 1 (b), smart clock protection that guarantees safe system operation over a wider range of the noise injection spectrum is a very important issue in applying conventional MCUs to mission-critical applications.
This paper is organized as follows. In Section 2, our research motivation and related work are discussed. Section 3 describes the details of the proposed architecture. The implementation and experimental results are presented in Section 4. Finally, we conclude the paper by summarizing our contributions in Section 5.
Figure 2 (b) describes a case in which small errors may propagate into the entire system by executing the software on weak hardware. Software-driven hardware systems are too complex to cover all cases of operations in runtime to inspect dynamic fault coverage [6]. A weak point of hardware, which is passed in the test time, causes small errors randomly through an unsafe software code. The unexpected errors in hardware or software are recursively propagated into adjacent hardware and status registers in runtime [7]. These mechanisms are why error protection in initial design time is difficult and, in addition, it is not easy to reproduce the error situation in the debugging time to analyze the hidden root of the exposed errors [8].
In conventional approaches, physical protection that filters out noise in a specific frequency band at the clock pin can be integrated using statically installed R-C low pass filters or band pass filters. However, these approaches fundamentally remove the unwanted clock frequency, causing a system halt during periods when the clock is absent. In mission-critical applications, a system halt means stopping all kinds of routines, including the important tasks that manage system safety. Therefore, active operation of the system in the absence of the clock is preferred to guarantee the minimum safety of the plant.
In this paper, we propose a clock protection unit that supports seamless operation of MCU-based systems when the clock pin is exposed to an unsafe, noisy environment. The proposed data-path in the clock generation unit enables a clock switching mechanism through an internally activated backup clock instead of simple removal of the unwanted clock frequency. By using the proposed clock changer, the main clock source, which has an extremely low or high frequency injected from the clock pin, is safely replaced with the internally generated low-power clock source. The proposed clock switcher finishes detecting the clock's invalid status and switching to the safe clock source within several clock pulses.
The unwanted clock noise injection affects the victim cells, and the faulty meta-status propagates into the connected adjacent cells recursively. The effectiveness of the proposed protection unit depends on its proper location and on using multiple units rather than a single unit. The previous work [9] showed that the efficiency of multiple glitch detector locations depends on the initial location of the fault injection and on the dynamic propagation result. We extended this concept to determine where the protection unit is properly inserted, and we visualized how the fault is propagated, in order to obtain full fault detection coverage according to the fault propagation simulation model under the pre-designed circuit and its corresponding layout.
Fig. 4. Hardware data-path of proposed glitch-free backup clock changer
Proposed Architecture
Overall system architecture
The designed on-chip glitch-free backup clock changer architecture is summarized in Figure 3 (a). The system comprises a noise canceller (NC) and an edge detector (ED), which detect the abnormal state of the clock input caused by external electric noise, and a glitch-free clock changer (GFCC), which switches to the safe backup clock. Figure 3 (b) describes the whole operation of this system. If external electric noise that causes various MCU malfunctions is injected into the OSC pin, which is the input source of the system clock, the proposed clock input path redirects the clock into the input of the NC block to cancel out the unknown high frequency components.
The output signal refined by the NC circuit is directly connected to the input of the ED circuit to extract the abnormal low frequency or temporary clockless state of the input clock. By connecting the output of the ED circuit to the clock input of a D-FF (flip-flop), the "Backup Enable" signal is activated to run the GFCC circuit when a low frequency is detected. Finally, the GFCC circuit starts the clock changing operation to switch the main clock source from the external OSC clock to the internal backup clock for a stable clock supply. This circuit makes the stable high duty of the clock source and generates the glitch-less clock changed output. Through these hardware-driven processes, the proposed system automatically detects clock failure situations and replaces the distorted clock with a safe clock to guarantee the safe operation of the MCU against electric interference.
Noise canceller
The noise canceller circuit is placed at the first input of the on-chip glitch-free backup clock changer circuit to filter out high frequency noise on the original input clock, such as glitches generated by an external electric shock.
This circuit is composed of a delay chain, OR and NAND gates, and an SR latch. Figure 4(a) shows the block diagram of the noise canceller. First, the input clock signal is passed through the delay chain, and then the set and reset signals of the SR latch are generated by the NAND and OR gating of the delay chain output and the input clock signal.
Finally, an input clock pulse whose period is shorter than the delay value of the delay chain is considered noise and is cancelled out by the operation of the SR latch. Figure 4(b) shows the detailed operation of the noise canceller by displaying the waveform of the input/output signal of each circuit.
Edge detector
Although the abnormal high frequency noise is removed by the noise canceller, there are still risks from low frequency conditions, such as a period much longer than the original period of the input clock or a temporary oscillation stop. To solve this problem, we adopt the edge detector circuit and one D-F/F circuit.
These circuits monitor the abnormal low frequency condition of the clock and activate the "Backup Enable" signal, which controls the operation of the glitch-free backup clock changer circuit.
The block diagram of the edge detector circuit is shown in Figure 4 (c). The circuit is composed of two delay circuits and a combination of AND/OR/NOT gates with D-F/Fs, in which each delay circuit has a different delay value. Similar to the high frequency filtering concept, it identifies the abnormal low frequency. As the timing diagram of Figure 4(d) shows, the "IN" signal is passed through the delay chain and generates the "IN delay" signal.
This "IN delay" signal makes a rising/falling edge signal, which is generated by a combination of the AND/NOT gate and the delay buffer. The edge signals are used as a source clock of two D-F/F to sense the high/low state of the "IN" signal. If low frequency is detected, the edge detector (ED) "OUT" signal will rise from low to high. By connecting the ED output to the clock pin of D-F/F, this circuit will be automatically turned on and then the on-chip glitch-free backup clock changer circuit will be activated.
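The noise canceller and edge detector described above can be modelled behaviourally, which also shows why the NC must sit in front of the ED: narrow noise pulses on a stopped clock line keep resetting an unfiltered detector. This is an added example, not the paper's Verilog. The active-low SR latch inputs, the sample-based timing, the run-length form of the edge detector, and all function names and waveforms are assumptions constructed for illustration.

```python
# Behavioural model of NC -> ED (assumed polarities, constructed waveforms).

def clock(half_period, cycles):
    """Constructed square wave, one entry per time step, starting low."""
    return ([0] * half_period + [1] * half_period) * cycles

def inject(samples, start, width):
    """Copy of `samples` with `width` steps inverted from `start` (a glitch)."""
    out = list(samples)
    for t in range(start, start + width):
        out[t] ^= 1
    return out

def noise_canceller(samples, delay, q0=0):
    """Delay chain + NAND/OR driving an SR latch (active-low inputs assumed).
    Pulses no wider than `delay` never overlap their delayed copy, so the
    latch never sees them; clean edges come out `delay` steps late."""
    q, out = q0, []
    for t, x in enumerate(samples):
        d = samples[t - delay] if t >= delay else q0  # delay chain output
        set_n = 0 if (x and d) else 1    # NAND(in, delayed): both high -> set
        reset_n = 1 if (x or d) else 0   # OR(in, delayed): both low -> reset
        if set_n == 0:
            q = 1
        elif reset_n == 0:
            q = 0
        out.append(q)                    # in != delayed: latch holds
    return out

def edge_detector(samples, timeout):
    """Step at which "Backup Enable" latches (no edge seen for `timeout`
    steps, i.e. low frequency or clockless state), or None if it never does."""
    run = 0
    for t in range(1, len(samples)):
        run = run + 1 if samples[t] == samples[t - 1] else 0
        if run >= timeout:
            return t
    return None

def masked_failure_demo(delay=4, timeout=24):
    """Clock stops at step 64; 2-step noise pulses keep hitting the dead pin."""
    dead = clock(16, 2) + [0] * 60
    for start in (70, 80, 90, 100, 110):
        dead = inject(dead, start, 2)
    raw = edge_detector(dead, timeout)                        # ED alone
    filtered = edge_detector(noise_canceller(dead, delay), timeout)
    return raw, filtered

if __name__ == "__main__":
    print(masked_failure_demo())
```
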
Glitch-free backup clock changer
When the backup clock is enabled by the edge detector, the system has to switch the clock source automatically from the original external clock to the internal backup clock to guarantee a stable supply of the system clock without any glitch. For this, we implement the glitch-free clock changer (GFCC) circuit. The proposed GFCC is designed using two D flip-flop circuits, which operate in synchronization with different clocks, and a combination of AND and OR gates, as shown in Figure 4 (e). Figure 4 (f) specifies the functional timing diagram of the GFCC. The GFCC selects one of the two clock sources by the "Backup-Enable" signal, which is determined by monitoring the original main clock for failure. Even when the "Backup-Enable" signal is activated, the clock changing operation is not activated immediately, because a glitch could occur.
Two AND clock gating signals, which are generated by a separated clock source, make stable high duty of the clock source and hold the clock without glitches. After that, they generate the glitch-less clock changed output. The internal backup clock only holds the active status until the external clock is recovered into the safe status.
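A behavioural comparison of a plain clock multiplexer with a two-flip-flop gated changer of the kind described above, as an added example that is not the paper's circuit. The falling-edge flip-flops, the cross-coupled enables, the clock periods and the switch time are assumptions taken from the common glitch-free multiplexer structure, chosen so that the plain multiplexer emits a runt pulse.

```python
# Constructed timing: main clock period 20, backup period 14, and
# "Backup-Enable" rising at step 23 while the main clock is high.

def clk(t, period):
    """Ideal square wave: high for the first half of each period."""
    return 1 if t % period < period // 2 else 0

def naive_mux(n, p_main, p_backup, t_enable):
    """Plain 2:1 multiplexer: the select line changes the output at once."""
    return [clk(t, p_backup) if t >= t_enable else clk(t, p_main)
            for t in range(n)]

def gfcc(n, p_main, p_backup, t_enable):
    """Two enable flip-flops, each clocked by the falling edge of its own
    clock (assumed), gate the clocks through AND gates into one OR gate."""
    en_main, en_backup, out = 1, 0, []
    for t in range(n):
        sel = 1 if t >= t_enable else 0          # "Backup-Enable"
        a, b = clk(t, p_main), clk(t, p_backup)
        fall_a = t > 0 and clk(t - 1, p_main) == 1 and a == 0
        fall_b = t > 0 and clk(t - 1, p_backup) == 1 and b == 0
        # Each path is granted only while the other path is released, and an
        # enable only changes while its own clock is low. In this model the
        # main path is released on a falling edge of the main clock.
        nxt_main = ((1 - sel) & (1 - en_backup)) if fall_a else en_main
        nxt_backup = (sel & (1 - en_main)) if fall_b else en_backup
        en_main, en_backup = nxt_main, nxt_backup
        out.append((a & en_main) | (b & en_backup))
    return out

def high_pulse_widths(trace):
    """Widths of completed high pulses; a pulse cut off by the end of the
    trace is not counted."""
    widths, run = [], 0
    for v in trace:
        if v:
            run += 1
        elif run:
            widths.append(run)
            run = 0
    return widths

def shortest_pulses(n=100, p_main=20, p_backup=14, t_enable=23):
    """(plain mux, gated changer) shortest high pulse for the same stimulus."""
    return (min(high_pulse_widths(naive_mux(n, p_main, p_backup, t_enable))),
            min(high_pulse_widths(gfcc(n, p_main, p_backup, t_enable))))

if __name__ == "__main__":
    print(shortest_pulses())
```
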
Experimentation
The proposed method was implemented by using a dedicated hardware circuit to detect the abnormal frequency range of the external system clock and to switch the system clock with the internal OSC clock. Figure 5 illustrates the schematic view of each circuit, which is designed by using the Cadence Virtuoso™ schematic editor.
The circuit-based simulation was performed to verify the operation of each circuit in the Verilog and SPICE simulation environment. The functional simulation results could be easily monitored by using the fully synthesizable hardware design code of the proposed data-path, shown in Figure 6 .
The MagnaChip 0.18um process library was used for the size estimation of the chip control part, and the implementation was performed by using only about 1200 NAND logic gates and a stable internal clock source. Most of the hardware overhead is caused by the delay-chain to obtain a timer effect, so the logic circuit for the synchronizer required little overhead. For the elaborate system operation, it may be necessary to use the internal dedicated clock generator to guarantee the accurate clock frequency. But in this system, a backup clock only needs to keep the oscillation until the external clock is recovered, so we just adopt a circuit of simple RC-OSC type and its size is negligible. The proposed method includes a combinational logic circuit, which is based on an asynchronous delay timer operation to determine the presence or absence of a normal system clock. When switching to the internal clock, the synchronization matching circuit based on the clock edge is also required to remove the glitch of the clock. Most of the additional hardware circuits are delay chain in order to perform the timer operation, and the remaining circuit has been devised as a simple circuit, which operates within a few clocks.
Because an RC-based circuit is used, the clock failure judgment is expected to vary with the power supply voltage and temperature; these variations are not considered here in order to reduce the size of the delay chain. In the next research study, verification against the effect of the power supply voltage and temperature variations has to be considered.
The Synopsys Nanosim(C) was used to perform the circuit-level simulation of the whole system operation built into the MCU. We ran the SPICE simulation of the clock generation circuit to describe the malfunctioning of the input clock under external noise injection through the power supply, as shown in Figure 7.
We adopted agent-based cell modeling, which describes the meta-state propagation, to describe the internal and external transitions in Figure 8(a). The initial Normal state of each cell agent, which is a DEVS atomic model, is never changed by itself, and changes to the Fault state after receiving an input glitch ($X_{glitch}$) and fault signals ($X_{fault}$) that are delivered from neighbors in the Fault state. When a cell receives the $X_{glitch}$ and $X_{fault}$ at a certain time in the operation, the duty cycle of a glitch can guarantee the required time constraints and the fault input might not affect the internal states or output signals. To reflect these stochastic features, the transition considers the state transition probabilities, which can be defined based on the complexity of the target cells and IO simulation results, as shown in Figure 8
The simulation framework is described as shown in Figure 8(c). The $X_{glitch}$ is delivered from the experimental frame to check clock networks. The cell agents are grouped as much as the number of cores and computed
The unknown noise increases the probability of faulty, broken data in the logic state. However, the fault propagation under the physical placement of circuits is more severe than the fault itself.
In practice, the fault propagation from noise injection eventually results in system malfunction, so we evaluate the weakness of the fabricated ICs under specific clock noise, and the noise-protection performance of the proposed clock switch technique, using the IC-level field test. However, this method limits the range of evaluation because of the lack of methods and locations for injecting noise inside the chip. Figure 9 (a) shows our custom-designed simulation of unsafe system operation under noise injection, together with the visualization framework used to evaluate the fault propagation effect. First, explicit noise is injected, and then the protection unit filters out the disturbance. By using this special framework, we could iteratively determine the effective location for prohibiting the faults caused by the noise injection. For the case in which the protection unit is absent, Figure 9 (b) shows the weakness of safe system operation under unknown noise injection.
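The cell-agent propagation model and the search for an effective protection location can be sketched as a Monte Carlo run over a netlist graph. This is an added example, not the authors' DEVS framework: the five-cell netlist, the transition probabilities, and the rule that a protected cell never enters the Fault state are constructed assumptions.

```python
import random

# Constructed netlist (cell -> fan-out cells) and per-cell Normal->Fault
# transition probabilities; illustrative assumptions, not values from the paper.
NETLIST = {"clk_buf": ["ff1", "ff2"], "ff1": ["alu"], "ff2": ["alu"],
           "alu": ["status_reg"], "status_reg": []}
P_FAULT = {"clk_buf": 0.9, "ff1": 0.6, "ff2": 0.6, "alu": 0.7,
           "status_reg": 0.8}

def propagate(netlist, p_fault, glitch_cells, protected, rng):
    """One run. Every cell starts Normal and changes only on an input event;
    each event flips the receiving cell to Fault with its own probability."""
    fault, frontier = set(), []
    for cell in glitch_cells:                  # X_glitch from the test frame
        if cell not in protected and rng.random() < p_fault[cell]:
            fault.add(cell)
            frontier.append(cell)
    while frontier:
        src = frontier.pop()
        for dst in netlist[src]:               # X_fault sent to each neighbour
            if dst in fault or dst in protected:
                continue                       # assumed: protection blocks it
            if rng.random() < p_fault[dst]:
                fault.add(dst)
                frontier.append(dst)
    return fault

def hit_rate(netlist, p_fault, glitch_cells, sink, protected=(),
             runs=2000, seed=1):
    """Fraction of runs in which the fault reaches `sink`."""
    rng = random.Random(seed)                  # seeded so runs are repeatable
    hits = sum(sink in propagate(netlist, p_fault, glitch_cells, protected, rng)
               for _ in range(runs))
    return hits / runs

def rank_locations(netlist, p_fault, glitch_cells, sink):
    """Try one protection unit at each cell; the lowest hit rate sorts first."""
    candidates = [c for c in netlist if c != sink]
    return sorted((hit_rate(netlist, p_fault, glitch_cells, sink, (c,)), c)
                  for c in candidates)

if __name__ == "__main__":
    print(hit_rate(NETLIST, P_FAULT, ["clk_buf"], "status_reg"))
    for rate, cell in rank_locations(NETLIST, P_FAULT, ["clk_buf"], "status_reg"):
        print(f"{cell:10s} {rate:.3f}")
```

On this constructed netlist a unit on one flip-flop of the reconvergent pair leaves the other path open, while a unit at the clock buffer or at the reconvergence point stops the fault before it reaches the status register.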
The performance test against the real noise environment was completed by using a fabricated MCU chip, which is designed in the 0.18um CMOS process and to which the proposed method is applied. Figure 10 describes the performance test environment and test mechanism. For more realistic test conditions, we set up a noisy environment in which noise is injected directly into the clock generation path through the power supply pin, as shown in Figure 10(a). By using the test evaluation board shown in Figure 10(b), the abnormal noise is injected into the test board through the VDD pin. This noise path is illustrated in Figure 10(d).
Fig. 11. Performance evaluation and IC fabrication
We implemented MCU firmware that controls the LED on/off signal of the MCU output, so that LED flashing can be verified during normal operation. In order to compare the performance of a conventional MCU with that of an MCU to which the proposed control algorithm and hardware design technique are applied, we forced noise such as that in Figure 10 (b) onto an external clock pin of the target MCU. Figure 11(a), presented as a spectrum, shows how much the internal system clock is affected. An external injection noise, such as that in Figure 10(b), changes depending on the frequency range and amplitude of the clock signal. At this time, the surge that is input to the MCU I/O pin by the amplitude transition of the clock signal may be ignored by the internal ESC circuit, and the impact of internal noise according to the difference of the clock period is shown in Figure 7.
The result of Figure 11 (a) 1 represents the typical case, in which there is no signal processing. By recognizing the defined frequency range and then passing, blocking and changing to the backup clock, the proposed method achieved the most desired effect against unexpected signal suppression, as shown in Figure 11 (a) 4. Figure 11 (a) 2 and 3 show the result of the circuit that adopts only the general RC type of filter to stabilize the clock signal.
The proposed GFCC is integrated with the base circuits of the clock oscillation unit. Figure 11(b) shows a case of our implementation using the proposed system architecture. The additional hardware can be located near the PAD layout for area optimization. Figure 11 (c) summarizes the overall features of the proposed clock protection unit in the fabricated MCU. The protected clock frequency range is from 128KHz to 16MHz.
The power consumption of hardware that adopts the proposed method may be less than that of the conventional one, because the proposed clock changing method is activated only at the pre-defined condition of clock frequency and duty. MCUs equipped with the proposed method prevent temporary pauses of system operation by using the low-speed backup clock in unusual circumstances, but it is difficult to measure the power consumption of the target device, so a dedicated test scheme to measure the power consumption needs to be added in the next research study.
Conclusion
The clock source is the main factor in the system operation of embedded microcontrollers, which are operated by logic gates synchronized to the clock pulse. In this paper, we proposed an architectural clock protection method and a fully synthesizable hardware data-path for the custom-designed glitch-free clock changer, based on the noise canceller and edge detector, to protect the system from abnormal clock failure in all ranges of clock frequency. The automatic on-chip glitch-free backup clock switch technique enables seamless operation of software-driven MCU-based systems by monitoring the input clock in real time and changing the source clock to a safe backup clock. The proposed method has been successfully implemented using only a small number of logic gates and an additional internal clock source.
