Consider an integrated circuit (IC) that provides, for instance, a sensing functionality. A data processing unit in the IC receives the sensor output signal and processes it further. To carry out the data processing, the data processing unit works together with one or more peripheral devices, such as an analog-to-digital converter (ADC) in which the analog sensor output signal is sampled, digital filters that receive the digital representation of the analog sensor output signal, a timer unit that provides a time base for the digital filters and supervises the data processing flow, etc. These peripheral devices are usually connected to the data processing unit through ports. The data processing unit reads data from and writes data to these ports via a data bus.
In harsh environments, as encountered for instance in the automotive industry, several disturbances, e.g. voltage peaks on the car battery supply line or electrostatic discharge (ESD) and electromagnetic compatibility (EMC) disturbances, may corrupt the data held in these ports. Furthermore, latent defects in the integrated circuit itself may lead to inconsistent data as well. All of these effects result in a loss of data integrity.
In view of the functional safety requirements imposed by ISO 26262, such effects must be covered in safety-relevant applications. A loss of data integrity must be flagged during operation of the integrated circuit by an error signal to a higher-level system or device. In this description, data integrity means consistency of the data with respect to some checking means. The checking means can for example be a redundant register, parity information stored with the register itself, or a comparator that checks whether the data lies within a predefined range. If the data is found to be inconsistent, an error signal is generated. When such an error occurs, the higher-level system must take adequate measures to keep the overall system in safe operation. The error signal may also be used to drive the integrated circuit into a safe state.
Hence, there is a need for such a higher-level verification unit capable of supervising the proper behaviour of the various system components. In the state of the art, several solutions have been proposed.
A simple way to provide supervision is the use of redundant components: a given port is implemented twice for the same function in the system. By comparing the data in the two ports, failing data in one register flags an error condition, which can then be handled by a higher-level unit. As an integrated circuit can have several hundred ports, each one byte (8 bits) wide, duplicating all of these ports leads to a large silicon area and high system cost.
A well-known solution to ensure port data integrity is to exploit parity. This implies the use of one or more additional bits at byte or double-byte (word) level that represent the parity of the data in the port. A single parity bit guarantees that any single static (stuck-at) bit fault in the data is detected at reasonable cost; it does not, however, detect an even number of flipped bits, nor a fault that leaves data and parity consistent with each other.
Furthermore, the peripheral devices are connected to ports that are accessed by a central processing unit (CPU), acting as the master device, sometimes very frequently (e.g. when reading a sensor signal via an ADC) and sometimes very rarely (e.g. when writing a calibration register for an oscillator).
The CPU (master) performs read and write operations on the ports at a rate that is known only to the application. However, a loss of data integrity in a port may affect the system behaviour immediately, regardless of when the port is next accessed: if the data in a port controlling an oscillator changes, the oscillator frequency changes as well and the system may run in an undefined state.
An illustration of the use of one or more parity bits is given in FIG. 1, taking as example a reset of the ports, in which the ports are initialized with predefined data by carrying out a sequence of instructions. In the prior art, a reset is mostly described as an asynchronous routine triggered by a reset signal. On the left-hand side of FIG. 1, a port is initialized during a classic reset sequence with certain initialization data (Di) by means of the reset signal. The parity bit(s) is (are) initialized with Pi, matching this initialization data. During a subsequent write operation, new data (Dn) with new parity bit(s) (Pn) is written. If everything goes correctly, data and parity match and the verification unit confirms the correct operation of this sequence. The right-hand side of FIG. 1 describes an error case. During a reset sequence, the port is again initialized with the initialization data (Di) and the matching parity bit(s) Pi. Suppose now that the reset signal is in a so-called "stuck at" condition: the reset signal, as a control signal, remains tied to its active level due to a latent fault in the integrated circuit, caused for instance by a leakage current. The reset signal is then permanently asserted and continuously forces the port to its predefined initialization data. During the next write operation, the new data (Dn) with its new parity bit(s) (Pn) never arrives in the port. This is an error. The verification unit does not detect this error condition, because the previous initialization data (Di) in the port and its matching parity bit(s) (Pi) are still consistent with each other: the parity check verifies only that the stored data and the stored parity agree, not that the port holds the value the master last wrote.
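The following C model, added here as an illustration and not taken from the patent or from FIG. 1, makes the three cases concrete: a normal reset-then-write, a single static bit fault that parity does catch, and the stuck-at reset that parity cannot catch. The port structure, the even-parity convention, the initialization value `INIT_DATA`, the `reset_stuck` flag and the fault-injection helper are all assumptions of this example; a real port would be a hardware register, not a struct.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of one 8-bit IC port with a single even-parity bit.
 * Hypothetical: the fields and the reset modelling only illustrate the text. */
typedef struct {
    uint8_t data;        /* Di after reset, Dn after a successful write */
    uint8_t parity;      /* Pi / Pn: even parity of data */
    bool    reset_stuck; /* latent fault: reset line tied to its active level */
} port_t;

#define INIT_DATA 0x00u  /* Di: predefined initialization data (assumed) */

/* Even parity of an 8-bit value: 1 if the number of set bits is odd. */
uint8_t even_parity(uint8_t v) {
    v ^= v >> 4;
    v ^= v >> 2;
    v ^= v >> 1;
    return v & 1u;
}

/* Reset: the port is forced to Di together with the matching parity Pi. */
void port_reset(port_t *p) {
    p->data   = INIT_DATA;
    p->parity = even_parity(INIT_DATA);
}

/* Master write: data and parity are written together.
 * If the reset line is stuck active, the new value never lands in the port. */
void port_write(port_t *p, uint8_t dn) {
    if (p->reset_stuck) {
        port_reset(p);       /* write is lost, port stays at Di/Pi */
        return;
    }
    p->data   = dn;
    p->parity = even_parity(dn);
}

/* Verification unit as described in the text: it only checks that the stored
 * data and the stored parity are consistent. Returns true if an error is flagged. */
bool port_parity_error(const port_t *p) {
    return even_parity(p->data) != p->parity;
}

/* Inject a single static fault: flip one data bit without touching the parity. */
void inject_bit_flip(port_t *p, unsigned bit) {
    p->data ^= (uint8_t)(1u << (bit & 7u));
}

/* Case 1 (left side of FIG. 1): reset, then write. Parity check passes
 * and the port really holds Dn. */
bool scenario_normal_write(uint8_t dn) {
    port_t p = {0};
    port_reset(&p);
    port_write(&p, dn);
    return !port_parity_error(&p) && p.data == dn;
}

/* Case 2: a single static bit fault after the write. Parity flags it. */
bool scenario_single_fault_detected(uint8_t dn, unsigned bit) {
    port_t p = {0};
    port_reset(&p);
    port_write(&p, dn);
    inject_bit_flip(&p, bit);
    return port_parity_error(&p);
}

/* Case 3 (right side of FIG. 1): reset stuck at active. The write is lost,
 * the port still holds Di/Pi, and the parity check stays silent.
 * Returns true when the error escapes detection. */
bool scenario_stuck_reset_undetected(uint8_t dn) {
    port_t p = {0};
    port_reset(&p);
    p.reset_stuck = true;
    port_write(&p, dn);
    bool write_lost = (p.data != dn);
    bool flagged    = port_parity_error(&p);
    return write_lost && !flagged;
}

int main(void) {
    printf("normal write consistent:      %d\n", scenario_normal_write(0xA5));
    printf("single bit fault detected:    %d\n", scenario_single_fault_detected(0xA5, 3));
    printf("stuck reset escapes parity:   %d\n", scenario_stuck_reset_undetected(0xA5));
    return 0;
}
```

The third case is the one the rest of this description is concerned with: the check is local to the port and has no knowledge of what the master intended to write, so a control-signal fault that keeps data and parity jointly consistent is invisible to it. Note that `scenario_stuck_reset_undetected` only reports an escaped error when `dn` differs from `INIT_DATA`; writing the initialization value itself is indistinguishable from a lost write.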
Implementing the parity monitoring and/or the checking function inside each port also increases the silicon area, as this mechanism would typically have to be implemented in each of the several hundred IC ports. Furthermore, the master's read and write accesses must be correlated with the data integrity check, which increases the complexity and, hence, again the silicon area.
U.S. Pat. No. 5,784,393 describes an apparatus that provides a fault detection mechanism on a bus when one or more connected users do not have fault detection capability of their own, allowing a fault on the communication bus to be detected. It also describes an apparatus for performing fault detection on a bus when the bus width is insufficient to accommodate the required number of parity bits.
U.S. Pat. No. 7,774,690B2 describes a process completion interrupt and a parity error interrupt. It is concerned with errors in control signals while maintaining synchronization between the parity computation and the parity checking. The parity is only checked during an access to the peripheral function. Such an approach therefore still leaves room for undetected errors, as in the above-mentioned example of an oscillator connected to a port whose data changes between accesses.
Hence, there is a need for a verification unit capable of supervising safety, and in particular port data integrity. Moreover, there is a need for a way to deal with errors caused by "stuck at" conditions on control signals, as illustrated above.