In a semiconductor device according to the related art, unfortunately, a non-safety unit mounted on the same device as a safety unit is modified with low flexibility. According to one embodiment, a first semiconductor chip and a second semiconductor chip each have space domain separation hardware for limiting access to hardware resources in a functional safety system. Safety unit software and space domain and time domain separation software are executed in a time sharing manner. Based on a timer installed on the semiconductor chip, the space domain and time domain separation software performs separation for intermittently executing the safety unit software in a predetermined cycle, self-diagnosis for examining an operation of the safety unit software, and mutual diagnosis made between the first semiconductor chip and the second semiconductor chip to mutually diagnose the operation of the space domain and time domain separation software for performing the separation and the self-diagnosis.

In a semiconductor device according to the related art, unfortunately, a non-safety unit mounted on the same device as a safety unit is modified with low flexibility. According to one embodiment, a first semiconductor chip and a second semiconductor chip each have space domain separation hardware for limiting access to hardware resources in a functional safety system. Safety unit software and space domain and time domain separation software are executed in a time sharing manner. Based on a timer installed on the semiconductor chip, the space domain and time domain separation software performs separation for intermittently executing the safety unit software in a predetermined cycle, self-diagnosis for examining an operation of the safety unit software, and mutual diagnosis made between the first semiconductor chip and the second semiconductor chip to mutually diagnose the operation of the space domain and time domain separation software for performing the separation and the self-diagnosis.