1. Field of the Invention
The invention generally relates to emulation of random failures within an integrated circuit (IC) and more particularly to detection and validation thereof.
2. Prior Art
Failure detection and correction mechanisms that are integrated within an integrated circuit (IC) aim to deal with malfunctions that randomly appear during the IC life cycle. Since such failures occur randomly, there is no direct way to test that those embedded mechanisms work as expected on silicon. It would therefore be advantageous to provide a solution to overcome this problem.
Various techniques may be used to provide the fault or error detection, depending on the function of the IC and its application. In some cases, a duplicate circuit may be incorporated on chip, with a comparison of the outputs or intermediate results showing the occurrence of an error or fault. In other cases, errors or faults may be detected by an irregularity in the results provided by the IC, such as by exceeding a maximum allowed incremental change between successive outputs. In still other cases, error detection and correction codes may be used. In practice, in any one IC, a number of different techniques for error detection may be incorporated, as use of any one technique generally does not preclude use of another technique on the same chip. Various specific techniques that may be used on chip are well known, and not the subject of the present invention, other than at least one such technique be present on chip.
Another test technique is to incorporate what is commonly referred to as scan chains, wherein registers in the IC can be temporarily coupled in series by on-chip switches so that the registers may be tested by clocking various test data patterns through the chain and comparing the output of the chain with its input. Such a technique will quickly show a bad flip-flop and, using a variety of test data patterns, will also show any cross-talk between flip-flops. This technique does not, however, test the function of the error detection, or error detection and correction, logic provided on chip.
The subject matter that is regarded as the invention is particularly pointed out and distinctly claimed in the claims at the conclusion of the specification. The foregoing and other objects, features and advantages of the invention will be apparent from the following detailed description taken in conjunction with the accompanying drawings.
It is important to note that the embodiments disclosed by the invention are only examples of the many advantageous uses of the innovative teachings herein. In general, statements made in the specification of the present application do not necessarily limit any of the various claims. Moreover, some statements may apply to some inventive features but not to others. In general, unless otherwise indicated, singular elements may be in plural and vice versa with no loss of generality. In the drawings, like numerals refer to like parts through several views.
The present invention is used to demonstrate and/or improve the safety of ICs embedded in domains such as automotive or avionics, where compliance of the electronics with safety norms (such as ISO26262 for automotive or DO254 for avionics) is increasingly requested by end customers. According to the invention, a failure injection is enabled, and the detection of the failure allows demonstration of the safety feature embedded in the IC and of the compatibility of the IC with a safety standard. Other applications may include space vehicles and medical applications, wherein an undetected failure of the IC may risk the success of the mission or the death of a patient, particularly if the failure is not detected either before the critical use or during use of the IC.
The apparatus and methods allow random hardware failure emulation of an integrated circuit (IC) by emulation of potential defects, to enable evaluation of the behavior of the rest of the design in such a situation. This emulation can non-intrusively address multiple points of failure. The emulation is performed in a pseudo-functional mode in order to evaluate the IC behavior in its standard functional mode. The system allows creation of a failure, and tracking of both the detection of this failure and the time required for this detection. The system further allows generation of a failure at different points of the IC, using either single-point or multipoint failure approaches. Failure detection and correction mechanisms for a product life cycle are therefore provided. In an embodiment the system checks the conformity of the safety function of an IC, and makes sure the safety control logic behaves as expected in case of data corruption in any register.
A failure emulation system on register apparatus 200 is configured to turn part of the overall scan chains 103 of the system to scan mode while the rest of the system works in functional mode, which includes its error detection capability. The apparatus 200 takes control of the scan enable signals 102 and propagates dummy values (one or more corrupted values in otherwise functional data) along the corresponding scan chain, such as the scan chain 104 that is part of the overall scan chains 103, in order to corrupt the functional data that is stored, for example, in register 106. Failure detection system (FDS) 107, which is embedded in the system 100 and is outside of the scope of the invention, detects the data corruption according to well-known principles of operation. Thus individual scan chains may be enabled while the registers associated with the other scan chains remain in their respective functional mode.
The system 200 allows the scan chains which are candidates for corruption to be used in shift mode while the rest of the design remains in functional mode. The system 200 may include a detection timer 202. Detection timer 202 may measure the time between the start of corruption and its detection through the FDS 107. Detection timer 202 has an interface 216 with DCM 300. The detection timer 202 is implemented as a counter running with respect to a reference clock. Interface 216 enables the counter to be initialized when the corruption starts, and the data corruption to be stopped when the failure emulation is detected. A dedicated signal 212 of the FDSI 211 indicates to the system when the emulated fault has been detected. The time elapsed between the fault emulation and its detection can then be read back through the Setup Interface 213.
The principles of the invention are implemented as hardware or as a combination of hardware, firmware, and software in any combination. With respect to firmware and software, these are preferably implemented as an application program tangibly embodied on a program storage unit or computer readable medium. The application program may be uploaded to, and executed by, a machine comprising any suitable architecture. Preferably, the machine is implemented on a computer platform having hardware such as one or more central processing units (“CPUs”), a memory, and input/output interfaces. The computer platform may also include an operating system and microinstruction code. The various processes and functions described herein may be either part of the microinstruction code or part of the application program, or any combination thereof, which may be executed by a CPU, whether or not such computer or processor is explicitly shown. In addition, various other peripheral units may be connected to the computer platform, such as an additional data storage unit and a printing unit and/or display unit. An IC also includes, without limitation, a system on chip (SoC). The IC may be implemented as a monolithic semiconductor device.
Thus the present invention uses existing test features (SCAN or BIST) to improve the safety of an IC in functional mode by injecting a fault (corrupted data) to validate that the safety mechanism is able to detect it, and to measure when it is detected relative to the time at which the fault was emulated. As an example, the prior art section mentioned that some ICs include redundancy for safety purposes, that is, they embed the same function twice, such as in the case of a processor, to allow the application to compare the results obtained and so detect a failure in the system. Using the present invention, the output of some registers of one of the two processors may be modified, which will emulate a failure in the given processor. This will produce a wrong result that has to be detected. By injecting a fault, the user is able to check that the safety feature is working. This can be used to validate the safety procedures in an initialization phase (e.g. in an aircraft application, before the plane departs, the pilot can check the safety features to ensure failure detection during the flight). The delay between the fault injection and the error detection may also be important, both as an indication of which fault detection mechanism caught the error, and to indicate whether unsatisfactory consequences can result from such an error before automatically switching to a backup or a manual system.
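The following behavioural model, added here and not part of the patent, ties together the scan-chain corruption and detection timer of apparatus 200 with the duplicated-processor example just given. The four-stage lockstep pipeline, the spare register outside the data path, the XOR corruption masks and the output-only compare used as the FDS are all constructed for the illustration; it shows that the measured detection latency depends on where in the chain the corruption lands, and that a register the FDS does not cover yields no detection at all.

```python
"""Behavioural model of scan-chain fault emulation with a detection timer.

Added example, not the patent's own design: the four-stage lockstep pipeline,
the spare register and the output-compare FDS are constructed here so that
the measurement (detected or not, and after how many clocks) can be seen.
"""

STAGES = 4              # pipeline registers r0..r3; r3 is the stage the FDS compares
CHAIN_LEN = STAGES + 1  # plus one spare register r4 that is not on the data path

def functional_clock(regs, data_in):
    """One functional-mode clock: data advances one pipeline stage per cycle."""
    nxt = [data_in] + [(regs[i - 1] + i) & 0xFF for i in range(1, STAGES)]
    return nxt + [regs[STAGES]]  # the spare register simply holds its value

def scan_shift(regs, scan_in):
    """Shift-mode clocks: scan-in enters r0 and every other register takes its
    predecessor's value; shifting len(regs) values reloads the whole chain."""
    for v in scan_in:
        regs = [v] + regs[:-1]
    return regs

def fds_mismatch(lane_a, lane_b):
    """Failure detection system: lockstep compare of the output stage only."""
    return lane_a[STAGES - 1] != lane_b[STAGES - 1]

def emulate_failure(corruptions, max_cycles=20):
    """Run two lanes in lockstep, put lane A's chain into shift mode, reload it
    with its own functional data except for the registers in `corruptions`
    ({index: xor_mask}), return to functional mode and count clocks until the
    FDS fires.  Returns the detection-timer value, or None if never detected."""
    lane_a = lane_b = [0] * CHAIN_LEN
    for cyc in range(STAGES):                 # warm-up: fill both pipelines
        lane_a = functional_clock(lane_a, cyc)
        lane_b = functional_clock(lane_b, cyc)
    wanted = list(lane_a)
    for idx, mask in corruptions.items():
        wanted[idx] ^= mask                   # one or more corrupted values
    lane_a = scan_shift(lane_a, reversed(wanted))  # last value in lands in r0
    timer = 0                                 # starts with the corruption
    for cyc in range(max_cycles):
        if fds_mismatch(lane_a, lane_b):
            return timer                      # FDSI signal stops the timer
        lane_a = functional_clock(lane_a, STAGES + cyc)
        lane_b = functional_clock(lane_b, STAGES + cyc)
        timer += 1
    return None
```

Corrupting the compared output register is caught at timer 0, a corruption in r1 needs two clocks to reach the compare, and a corruption in the spare register r4 is never reported, which is exactly the coverage gap the measured delay is meant to expose.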
All examples and conditional language recited herein are intended for pedagogical purposes to aid the reader in understanding the principles of the invention and the concepts contributed by the inventor to furthering the art, and are to be construed as being without limitation to such specifically recited examples and conditions. Moreover, all statements herein reciting principles, aspects, and embodiments of the invention, as well as specific examples thereof, are intended to encompass both structural and functional equivalents thereof. Additionally, it is intended that such equivalents include both currently known equivalents as well as equivalents developed in the future, i.e., any elements developed that perform the same function, regardless of structure.