It is known to provide fault detection capabilities in integrated circuits so that faults can be detected “in the field”, i.e. when the integrated circuit is employed in an application. Such a facility is of particular, but not exclusive, benefit in the automotive industry, where it is desirable to detect a fault that can have safety implications with respect to the application of the integrated circuit, for example in a vehicle. Corrective or preventative action can then hopefully be taken as a result of detection of the fault.
In this respect, the International Organisation for Standardisation (ISO) provides the ISO 26262 standard, which is a functional safety standard for road vehicles intended to prevent a hazardous situation arising as a result of malfunctions of automotive electronic and electrical safety-related systems. As such, a system operating in accordance with the ISO 26262 standard should assess the risk of a hazardous operational situation and execute one or more safety measures to detect and mitigate the effects of random hardware faults. In such circumstances, the system may be put into a so-called “safe state”, where, for example, a slower, reliable clock may be used for system clocking. Where a system is placed into the safe state, use of logic is limited so that operation in the safe state does not itself generate a fault. The clock speed is also limited. As such, only very limited or no debug capabilities are provided to diagnose the cause of the condition that has caused the system to enter the safe state. The requirement of the system, from a safety perspective, is to enter the safe state reliably, but not to debug the cause.
For non-safety applications, it is known to provide systems with a diagnostic data logging capability. The “Keystone” series of processors available from Texas Instruments, Inc. comprises a so-called “embedded trace buffer” for the purpose of monitoring application code execution, timing, and data accesses in order to detect bugs and analyse performance of the processors. The embedded trace buffer is an on-chip circular memory buffer for storing compressed trace information. Another known fault monitoring apparatus is the advanced communication controller unit, as described in International Patent publication no. WO 2011/058389, for recording protocol events in FlexRay communications networks for fault analysis purposes.
However, known fault detection apparatus in safety systems have as their primary objective triggering a transition of a system to a safe state and, for the reasons stated above, such apparatus are not designed to diagnose or debug the cause of a fault. Whilst the embedded trace buffers described above do provide a data recording capability, only data associated with a single instance of a failure is recorded, and detailed data relating to the context of the failure is not recorded.
Such measures do not help the manufacturer of an integrated circuit to determine the cause of a fault. Indeed, the fault may not be the result of a random hardware failure but of, for example, an overly sensitive sensor or a systematic hardware or software failure. Similarly, another example of a cause of the fault can be improper use of the integrated circuit, such as operating the integrated circuit outside the specification defined by the manufacturer. It is, of course, desirable to identify the true cause of the fault, and the existing fault detection apparatus do not always enable the manufacturer of the integrated circuit to achieve this aim.