The present invention relates to a failure detection technique of an interrupt signal system configured to give an instruction to interrupt a central processing unit on the basis of an interrupt request, and relates to, for example, a technique effective when being applied to failure detection of a safety-related interrupt signal system in a microcomputer used for onboard control equipped with a fail-safe function.
As regulations on hardware and software of a microcomputer used for onboard control equipped with a fail-safe function, for example, there are functional safety standards, such as ISO 26262 and IEC 61508, because the microcomputer is used in an electronic control device strongly related to human life. As means to implement the fail-safe function, the lock-step architecture is applied widely. For example, the core of the central processing unit is dualized and each of the cores is caused to execute the same software in parallel, and a failure of the system is detected quickly by determining whether or not a discrepancy occurs between the operation results. Such a lock-step architecture considerably increases the scale of the hardware. As an example of a literature that describes the lock-step operation in the onboard microcomputer, there is Japanese Patent Laid-Open No. 2010-262432 (Patent Literature 1).
In the onboard microcomputer, a very large number of functional safety-related interrupt requests are generated. In the improvement of the fail-safe function in the onboard microcomputer, it becomes necessary to enable detection of a failure in the interrupt controller and interrupt signal system configured to perform interrupt control on the central processing unit by performing processing in accordance with the priority level and interrupt mask on such interrupt requests. As the techniques to detect a failure and malfunction of the interrupt control function, there are descriptions in, for example, Japanese Patent Laid-Open No. 1997-198280 (Patent Literature 2), Japanese Patent Laid-Open No. 2000-347880 (Patent Literature 3), and Japanese Patent Laid-Open No. 1991-109644 (Patent Literature 4).
Patent Literature 2 describes the technique to enable detection of a failure and malfunction related to generation of a real-time processing request coupled to the interrupt request input terminal of the interrupt controller by using the watchdog timer monitoring function.
Patent Literature 3 discloses the technique to solve trouble in the case where, after the interrupt controller having received an interrupt request signal outputs an interrupt signal to the CPU, the interrupt request signal is invalidated during the time until the CPU returns a response signal corresponding thereto. In other words, the technique cancels the state where the CPU cannot read the vector address for a long time, by the fact that the interrupt controller monitors such a state and notifies the CPU of that.
Patent Literature 4 describes that in the case where the interrupt controller is tested using a tester, it is not easy to create a test pattern due to the relationship with the operation of the CPU and the test takes time, and thus the internal data and vector of the interrupt controller are output directly to the outside of the LSI or it is made possible to supply necessary data to the interrupt controller through the internal bus.