SEMICONDUCTOR CHIP AND SECURITY CIRCUIT ASSEMBLY COMPRISING SUCH A SEMICONDUCTOR CHIP

20230305913 · 2023-09-28

    Abstract

    A semiconductor chip with functions implemented thereon in circuitry has a first region, in which a first group of safety-relevant base functions are implemented in circuitry, and a second region, which is separated from the first region using technological safety measures and in which a first group of monitoring functions that monitor the base functions are implemented in circuitry. It also contains a third region, which is formed on the semiconductor chip and is separated from the other regions using technological safety measures and in which a second group of monitoring functions that monitor the base functions are implemented in circuitry.

    Claims

    1-5. (canceled)

    6. A semiconductor chip with functions that are implemented thereon in circuitry, the semiconductor chip comprising: a first region in which a first group of safety-relevant base functions are implemented in circuitry; a second region being separated from said first region using technological safety measures and in which a first group of monitoring functions that monitor the safety-relevant base functions are implemented in circuitry; and a third region, formed on the semiconductor chip and being separated from said first and second regions using the technological safety measures and in which a second group of monitoring functions that monitor the safety-relevant base functions are implemented in circuitry.

    7. The semiconductor chip according to claim 6, wherein said first group of safety-relevant base functions contains a number of voltage regulators.

    8. The semiconductor chip according to claim 6, wherein said first and the second groups of monitoring functions each have a fail-safe pre-driver and/or a fail-safe machine and/or a watchdog circuit and/or a voltage monitoring circuit.

    9. The semiconductor chip according to claim 6, wherein the technological safety measures include a separation of an energy supply or a layout and/or an electrical insulation and/or voltage robustness and/or a decoupling of a redundant shut-off path.

    10. The semiconductor chip according to claim 8, wherein said watchdog circuit performs watchdog and voltage monitoring functions.

    11. A safety circuit configuration, comprising: a semiconductor chip, containing: a first region in which a first group of safety-relevant base functions are implemented in circuitry; a second region being separated from said first region using technological safety measures and in which a first group of monitoring functions that monitor the safety-relevant base functions are implemented in circuitry; and a third region, formed on said semiconductor chip and being separated from said first and second regions using the technological safety measures and in which a second group of monitoring functions that monitor the safety-relevant base functions are implemented in circuitry; at least one safety switch connected to said semiconductor chip; and an apparatus, selected from the group consisting of a switch and an actuator, connected to said at least one safety switch, wherein the safety circuit configuration is configured to activate or deactivate said apparatus by means of said at least one safety switch, said at least one safety switch being connected to both said first and second groups of monitoring functions.

    12. The safety circuit configuration according to claim 11, wherein said first group of safety-relevant base functions contains a number of voltage regulators.

    13. The safety circuit configuration according to claim 11, wherein said first and said second groups of monitoring functions each have a fail-safe pre-driver and/or a fail-safe machine and/or a watchdog circuit and/or a voltage monitoring circuit.

    14. The safety circuit configuration according to claim 11, wherein said technological safety measures include a separation of an energy supply or a layout and/or an electrical insulation and/or voltage robustness and/or a decoupling of a redundant shut-off path.

    15. The safety circuit configuration according to claim 13, wherein said watchdog circuit performs watchdog and voltage monitoring functions.

    Description

    [0025] The invention is explained in more detail below on the basis of an exemplary embodiment with the aid of a FIGURE, in which:

    [0026] FIG. 1 shows a semiconductor chip 1 having a first region 2, in which a first group 3 of safety-relevant base functions is implemented in circuitry. These base functions in the illustrated exemplary embodiment are in particular linear regulators LDO1 to LDO6, which are used to generate different supply voltages in the range of, for example, 3 volts to 5 volts, in particular from a vehicle battery voltage (main battery). These supply voltages can be used in the illustrated example of FIG. 1 to supply a microprocessor 11 or sensors 12. The safety-relevant base functions can include additional functions such as a sensor interface or an SPI interface.

    [0027] In particular, a microprocessor 11 requires a stable supply voltage in order to work properly. The function of a microprocessor 11 is usually monitored via a watchdog function, which in the illustrated exemplary embodiment is also realized on the semiconductor chip 1 in a second region 4 in a first group 5 of monitoring functions. However, it can still happen that a malfunction of the microprocessor is detected but the output of incorrect control signals can no longer be prevented. To handle this case, safety switches 9 are provided, which can either prevent the forwarding of these control signals or deactivate the receiver modules, such as a communication module 10.

    [0028] The second region 4 is also implemented on the semiconductor chip 1; however, it is protected by means of safety measures such as a separation of the energy supply or the layout, and/or an electrical insulation and/or voltage robustness and/or a decoupling of a redundant shut-off path. The essential aim of this is to prevent faults that occur in the circuits of the first region 2 from having a direct effect in the second region 4.

    [0029] However, it can still happen that an error that affects one of the linear regulators LDO1 to LDO6 also propagates through to the second region 4 and negatively affects the local monitoring functions of the first group of monitoring functions 5 or at least parts thereof, so that the safety switch 9 can no longer be actuated in a timely manner.

    [0030] Therefore, according to the invention a third region 6 is provided on the semiconductor chip 1, which is also separated from the other two regions 3, 4 by suitable safety measures and in which a second group of monitoring functions 7 is implemented in circuitry. The monitoring functions of the second group of monitoring functions 7 can perform the same function or task as the monitoring functions of the first group of monitoring functions 5; the redundant design is only intended to significantly reduce the probability that an error in the first region 2 within the first group of safety-relevant base functions 3 will affect the monitoring functions.

    [0031] For this purpose, the circuits of the second group of monitoring functions 7 are also connected to the corresponding safety switches 9, so that in the event of a failure of one of the two groups of monitoring functions 5, 7 there is a high probability that at least the other group will remain functional and able to activate the safety switches 9, in order, for example, to prevent communication devices 10 from forwarding incorrect control signals of a defective microprocessor 11.
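
The following behavioural model is an added example, not part of the patent text: it shows why connecting both groups of monitoring functions 5 and 7 to safety switch 9 matters when a regulator fault also disables group 5. The struct and function names, voltage window and watchdog timeout are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Observable state of the base functions in region 2 (constructed values). */
typedef struct {
    uint32_t supply_mv;      /* LDO output feeding microprocessor 11 */
    uint32_t ms_since_kick;  /* time since the microprocessor served the watchdog */
} base_state_t;

/* One group of monitoring functions (group 5 in region 4, group 7 in region 6). */
typedef struct {
    bool     functional;     /* false: a fault from region 2 reached this group */
    uint32_t uv_mv, ov_mv;   /* voltage monitoring window (assumed) */
    uint32_t wd_timeout_ms;  /* watchdog window (assumed) */
} monitor_group_t;

/* A group hit by a propagated fault can no longer actuate the switch. */
static bool demands_shutoff(const monitor_group_t *g, const base_state_t *s)
{
    if (!g->functional)
        return false;
    return s->supply_mv < g->uv_mv || s->supply_mv > g->ov_mv ||
           s->ms_since_kick > g->wd_timeout_ms;
}

/* Safety switch 9 forwards control signals only while no connected group objects. */
bool switch_forwards(const monitor_group_t *groups, size_t n, const base_state_t *s)
{
    for (size_t i = 0; i < n; i++)
        if (demands_shutoff(&groups[i], s))
            return false;
    return true;
}

/* Constructed scenario: an LDO overvoltage that also disables group 5.
   n_groups = 1 models a chip without region 6, n_groups = 2 the redundant design. */
bool forwards_after_ldo_fault(size_t n_groups)
{
    monitor_group_t groups[2] = {
        { .functional = false, .uv_mv = 3000, .ov_mv = 3600, .wd_timeout_ms = 50 },
        { .functional = true,  .uv_mv = 3000, .ov_mv = 3600, .wd_timeout_ms = 50 },
    };
    base_state_t s = { .supply_mv = 5200, .ms_since_kick = 10 };
    return switch_forwards(groups, n_groups, &s);
}

int main(void) { return (forwards_after_ldo_fault(1) && !forwards_after_ldo_fault(2)) ? 0 : 1; }
```

With only group 5 connected, the switch keeps forwarding despite the overvoltage; with group 7 also connected, it opens.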

    [0032] The integration according to the invention of two groups of monitoring functions on only one semiconductor chip 1 achieves a high level of safety with only a low space requirement and thus also meets the requirements of up to ASIL D of ISO 26262.