For applications that need to comply with safety standards, the prevention and detection of errors is an important concern. Many of these applications use semiconductor devices, for example Microcontroller Units (MCUs) and sensors. Most semiconductor devices possess configuration or control registers, which often hold information critical to the correct functioning of such devices.
For a given application, incorrect setting of these registers can have a severe impact upon safety and so it is important to ensure that the settings of the configuration registers are accurate. Often, the configuration registers are initialised once by a Central Processing Unit (CPU) or an MCU, for example during a setup phase, and thereafter the practical application is reliant upon the integrity of the configuration registers. For some applications, the configuration registers within an MCU may be initially programmed by the CPU. For other applications, configuration registers of, for example, a sensor can be programmed by an MCU.
However, the configuration registers are sometimes at risk of being unintentionally programmed by software, and so known measures can be employed to prevent such unintentional programming. For example, it is known to protect configuration registers by register locking or by use of a Memory Protection Unit (MPU). Whilst these measures give the configuration registers a degree of protection, they do not protect the configuration registers against so-called soft errors, which may be caused by unintentional environmental influences such as alpha particles, neutrons, electromagnetic interference or electrical signal noise. A soft error may change the information stored by a configuration register.
One known prevention measure is implemented where a configurable module is used by, for example, an Automotive Safety Integrity Level (ASIL) application. A Cyclic Redundancy Check (CRC) checksum of the configuration registers of the configurable module is calculated in software and compared with an expected CRC value at least once every Fault Tolerant Time Interval (FTTI) in order to verify whether the configuration of the configurable module is correct. However, while this prevention measure incurs no overhead in hardware, it incurs a significant amount of software overhead in terms of creation of the software, consumption of CPU capacity and/or bus bandwidth. Additionally, the detection of an unintentional change to one or more of the configuration registers can be late with respect to when the change occurred. Additionally or alternatively, an unintentional change to one or more of the configuration registers can lead to an encumbrance that prevents detection of or reaction to errors. As a result of these problems, the unintentionally modified value may be used by, for example, the configurable module and may thus cause further errors, and the possibility of deploying countermeasures becomes limited.
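The software check described above can be sketched in C as follows. This is an added example, not code from the original document; the CRC-32 polynomial, the function names and the sample register image are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bitwise CRC-32 (reflected, poly 0xEDB88320). The polynomial is an assumption. */
uint32_t cfg_crc32(const volatile uint32_t *regs, size_t count) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < count; i++) {
        uint32_t word = regs[i];   /* one bus read per register, every cycle */
        for (int byte = 0; byte < 4; byte++) {
            crc ^= (word >> (8 * byte)) & 0xFFu;
            for (int bit = 0; bit < 8; bit++)
                crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
        }
    }
    return crc ^ 0xFFFFFFFFu;
}

typedef struct {
    const volatile uint32_t *regs;
    size_t count;
    uint32_t expected_crc;   /* reference value captured right after setup */
} cfg_monitor_t;

void cfg_monitor_arm(cfg_monitor_t *m, const volatile uint32_t *regs, size_t count) {
    m->regs = regs; m->count = count;
    m->expected_crc = cfg_crc32(regs, count);
}

/* Call at least once per FTTI; false means the registers no longer match. */
bool cfg_monitor_check(const cfg_monitor_t *m) {
    return cfg_crc32(m->regs, m->count) == m->expected_crc;
}

/* Constructed demo: flip one bit, as a soft error would, then re-check. */
bool cfg_demo_flip_detected(unsigned reg, unsigned bit) {
    volatile uint32_t image[4] = {0x1u, 0xA5F0u, 0x80000000u, 0x0u}; /* constructed */
    cfg_monitor_t m;
    cfg_monitor_arm(&m, image, 4);
    if (!cfg_monitor_check(&m)) return false;   /* clean right after setup */
    image[reg % 4u] ^= (uint32_t)1u << (bit % 32u);
    return !cfg_monitor_check(&m);
}

int main(void) {
    printf("bit flip detected: %d\n", cfg_demo_flip_detected(1, 17));
    return 0;
}
```

Every call to `cfg_monitor_check` re-reads all registers, which is the CPU and bus cost the text refers to, and a flipped bit is only noticed at the next call.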
Another known prevention measure is the use of Triple-Voting Flip-flops (TVFs) to protect certain configuration registers identified as critical to operation. Sometimes, it is known for remaining configuration registers to be protected by the CRC-based technique described above. However, a significant hardware overhead is incurred by implementing the TVFs in respect of the critical configuration registers and a significant software overhead is incurred to protect the less-critical configuration registers.
In relation to the detection of soft errors, U.S. Pat. No. 6,975,238 relates to a circuit for detecting such errors, e.g. those caused by cosmic radiation, occurring in so-called concatenated latches. A circuit is described that generates and stores a parity bit for a number of latches, each comprising a fuse. However, such a circuit is inflexible, because it cannot address intentional changes of state of data that require supervision, and the circuit is single-use in nature, so once a configuration change is necessary the circuit requires replacement.