1. Field of the Invention
The present invention relates to a semiconductor integrated circuit and more particularly to a semiconductor integrated circuit equipped with a plurality of storage elements for storing and holding an input signal and a majority circuit that outputs a result of a majority decision of outputs from these storage elements.
2. Description of Related Art
Functional safety standard IEC 61508 (functional safety of electrical, electronic, and programmable electronic safety-related systems) was established in 2000. In Europe, it is obligated to obtain a functional safety certification on an ECU level with regard to a motor vehicle, inter alia, before obtaining a certification as the motor vehicle. This is for the purpose that a government is to verify in advance the conformity of a motor vehicle, inter alia, to the standard.
In the context as above, an MCU (Memory Control Unit) that performs control and management of a memory within a CPU (Central Processing Unit) is also required to support IEC 61508. Correspondingly, in order to fulfill the reliability enhancement and functional safety of registers provided in peripheral circuits in the MCU, there is a demand for enhancing the reliability of a signal that is used in a digital circuit using a majority circuit, inter alia.
One of the causes inducing a digital circuit malfunction is a soft error. When radiant rays (for example, alpha rays, neutron rays, etc.) intrude into a semiconductor integrated circuit, a reaction between a semiconductor substrate and the radiant rays generates charges and the thus generated charges building up in an output element of a logic circuit give rise to logic inversion; this kind of disorder is called the soft error. Unlike a hard error due to a physical fault such as a stuck-at fault in a circuit, the soft error is temporary and recovery to a normal state is possible by rewriting.
A technique for making an automatic rectification of this soft error is disclosed in Japanese Application Publication No. 2004-38468. FIG. 9 is a block diagram showing a configuration of a memory system with an automatic soft error rectification function.
The memory system with an automatic soft error rectification function of Japanese Application Publication No. 2004-38468, as shown in FIG. 9, comprises: a control device 90 equipped with a memory device 80 storing and holding computer programs and data, a CPU 35 that accesses the memory device 80 and performs processing such as calculation, arithmetic operation, and control, a radio I/F (Interface) 40 coupled to the CPU 35, and a wired I/F 50 coupled to the CPU 35; and a server 60 that is an formation processing device holding computer programs and data and having a function capable of delivering any of these computer programs and data by request.
The memory device 80 provided in the control device 90 comprises a set of three memories 10 (10-1, 10-2, 10-3) that store and hold computer programs and data, wherein these programs and data can be read from and written into the memories 10, and an error detection control circuit 20 that reads data from and writes data into the memories 10 and performs detection and rectification of a fault such as a soft error occurred in the memories 10.
FIG. 10 is a detailed block diagram showing an example of the memory device 80 in FIG. 9. In FIG. 10, components corresponding to those shown in FIG. 9 are assigned the same reference numbers or symbols.
In FIG. 10, first, each of the three memories 10 in the set is partitioned into a user data area 11 (11-1, 11-2, 11-3) and a redundant data area 12 (12-1, 12-2, 12-3). The user data area 11 is freely accessible to a user who uses the present memory device 80 and data can freely be read from and written into this area under control of the CPU 35. Depending on usage of the present memory device 80, data may be read and written in arbitrary units: for example, in units of bytes, words, or records (a unit of storage comprising a plurality of bytes or a plurality of words).
Then, as for the memory system with an automatic soft error rectification function shown in FIGS. 9 and 10, how it operates is stated explicitly below.
When writing data from a user who uses the memory device 80 into the memories 10, the CPU 35 of the control device 90 sends the memory device 80 a write request to write the data into a specified address in the memories 10. The write request may be issued to write data in arbitrary units of bytes, words, or records, depending on usage of the present memory device 80. The memory device 80 is adapted to generate redundant data in units of bytes in response to a write request for data in units of bytes, generate redundant data in units of words in response to a write request for data in units of words, and generate redundant data in units of words in response to a write request for data in units of records.
The memory device 80, once having received the write request for data, sends the write request to a memory write unit 21 of the error detection control circuit 20. The memory write unit 21 writes the write requested data into the specified address within the user data area 11-1 of the memory 10-1 and, moreover, automatically generates redundant data for the data and writes and stores the redundant data into a location corresponding to the specified address in the redundant data area 12-1. Then, it copies the data and the redundant data to locations corresponding the specified address in other two memories 10-2, 10-3, thus overwriting the previous data in these locations. Upon completion of writing the data into the three memories 10 (10-1, 10-2, 10-3), the memory write unit 21 makes sure of the consistency of the data stored and held in the three memories 10 and sends a data write complete notification to the CPU 35.
The CPU 35, once having received the data write complete notification, if next data to be written into the memories 10 exists, sends a write request for the next data to the memory device 80. Thereby, the memory device 80 performs the same operation as described above and stores and holds the same data in the three memories 10 (10-1, 10-2, 10-3).
Next, when reading data from the memories 10, the CPU 35 sends the memory device 80 a read request for data whose address in the memories 10 is specified.
The memory device 80, once having received the read request for the data, sends the read request to a memory read unit 22 of the error detection control circuit. The memory read unit 22 reads the read requested data from the specified address within the user data area 11-1 of the memory 10-1 and, moreover, reads redundant data for the data from a location corresponding to the specified address in the redundant data area 12-1. Then, it checks from the data and the redundant data whet her or not a fault such as a soft error occurs in the data.
As a result of the check, if a fault such as a soft error is not detected in the data, the data read unit sends this data with a read complete notification to the CPU 35, because the data is free of error.
As a result of the check by the memory read unit 22, if a fault such as a soft error is detected in the data, the memory read unit 22 notifies an error rectification unit 23 of the address of the data.
The error rectification unit 23 reads the addressed data from the specified address within the user data area 11-2 of the memory 10-2, not the memory 10-1 from which the data has already been read, and, moreover, reads redundant data for the data from a location corresponding to the specified address in the redundant data area 12-2. Then, it checks from the data and the redundant data whether or not a fault such as a soft error occurs in the data. As a result of the check, if a fault is not detected in the data, the error rectification unit 23 sends the data, that is, the data read from the memory 10-2 to the memory read unit 22. The memory read unit 22 sends that data with a read complete notification to the CPU 35. Further, the error rectification unit 23 rectifies the data in error in the memory 10-1 by writing again the data and the redundant data read from the memory 10-2 into the user data area 11-1 and the redundant data area 12-1 of the memory 10-1.
If an error is detected from the memory 10-2 as well, when the error rectification unit 23 reads the memory 10-2, the error rectification unit 23 reads the addressed data from the specified address within the user data area 11-3 of the memory 10-3, not the memories 10-1, 10-2 from which the data has already been read, and, moreover, reads redundant data for the data from a location corresponding to the specified address in the redundant data area 12-3. Then, it checks from the data and the redundant data whether or not a fault such as a soft error occurs in the data. As a result of the check, if a fault is not detected in the data, the error rectification unit 23 sends the data, that is, the data read from the memory 10-3 to the memory read unit 22. The memory read unit 22 sends that data with a read complete notification to the CPU 35. Further, the error rectification unit 23 rectifies the data in error in the memories 10-1, 10-2 by writing again the data and the redundant data read from the memory 10-3 into the user data areas 11-1, 11-2 and the redundant data areas 12-1, 12-2 of the memories 10-1, 10-2.
If the error rectification unit 23 has detected an error from both the memory 10-2 and the memory 10-3, it notifies the memory read unit 22 that the error is not rectifiable, because it is impossible for the error rectification unit 23 to rectify the error. The memory read unit 22 sends the CPU 35 a notification that the error is not rectifiable with the address of data in error.
In a case that the CPU 35 has received the read complete notification from the memory read unit 22, the CPU 35 executes required processing using the data sent with the read complete notification, that is, the error-free data.
In a case that the CPU 35 has received the notification that the error is not rectifiable from the memory read unit the CPU 35 activates the wired I/F 50 and instructs it to transmit address information of the data in error to the server 60. The wired I/F 50 transmits this information to the server 60 via a wired network 55. The server 60 stores and logs the error occurred at the address in a history file and retrieves the addressed data from its own storage device that it maintains. The server 60 delivers this addressed data via the wired network 55 and transmits it to the wired I/F 50. The wired I/F 50 sends the data delivered from the server 60 to the CPU 35.
From the wired I/F 50, once having received the data delivered from the server 60, the CPU 35 sends the memory device 80 a write request to write again the data into the specified address in the memories 10. The memory device 80 performs the same operation as it received a write request as normal, described above, and writes the data into the specified address in the memories 10 (three memories 10-1, 10-2, 10-3). Thereby, the addressed data will be rectified to error-free data as it was originally. Besides, it is possible further enhance the reliability of data rectification by sending again a query about the data rewritten into memories 10 under control of the CPU 35 to the server 60 via the wired I/F 50, requesting the server 60 to deliver the data again, and checking the validity of the data.