1. Patent Search
  2. Details

PROCESSING SYSTEM, RELATED INTEGRATED CIRCUIT, DEVICE AND METHOD

20220318109 · 2022-10-06

    Inventors

    Cpc classification

    International classification

    Abstract

    A processing system includes a processing core including a microprocessor, a memory controller configured to read software instructions for execution by the processing core, a plurality of safety monitoring circuits configured to generate a plurality of error signals by monitoring operation of the processing core and the memory controller, a fault collection and error management circuit implemented as a hardware circuit, and a connectivity test circuit. The fault collection and error management circuit is configured to receive the plurality of error signals from the plurality of safety monitoring circuits and generate one or more reaction signals as a function of the plurality of error signals. The connectivity test circuit is configured to, during a diagnostic phase executed by the processing system after executing a reset phase and before executing a software runtime phase, test connectivity between the plurality of safety monitoring circuits and the fault collection and error management circuit.

    Claims

    1. A processing system comprising: a processing core comprising a microprocessor; a memory controller configured to read software instructions for execution by the processing core; a plurality of safety monitoring circuits configured to generate a plurality of error signals by monitoring operation of the processing core and the memory controller; a fault collection and error management circuit implemented as a hardware circuit, the fault collection and error management circuit being configured to: receive the plurality of error signals from the plurality of safety monitoring circuits, and generate one or more reaction signals as a function of the plurality of error signals; and a connectivity test circuit configured to, during a diagnostic phase executed by the processing system after executing a reset phase and before executing a software runtime phase, test connectivity between the plurality of safety monitoring circuits and the fault collection and error management circuit.

    2. The processing system according to claim 1, wherein the connectivity test circuit comprises for each error signal, a circuit configured to selectively assert or de-assert the error signal generated by a corresponding safety monitoring circuit using a corresponding selection signal, and a control circuit configured to: determine whether the error signals of a first subset received by the fault collection and error management circuit are de-asserted, determine whether the error signals of a second subset received by the fault collection and error management circuit are asserted, and in response to determining that at least one of the error signals of the first subset is not de-asserted or at least one of the error signals of the second subset is not asserted, set a status signal to a value indicating an error of the connectivity test.

    3. The processing system according to claim 2, wherein each circuit corresponding to each error signal comprises: a first combinational logic gate configured to selectively assert the respective error signal as a function of a first bit of the respective selection signal; and a second combinational logic gate configured to selectively de-assert the respective error signal as a function of a second bit of the respective selection signal.

    4. The processing system according to claim 2, wherein the control circuit comprises: one or more registers configured to provide the selection signals; and a state machine configured to control the operation of the one or more registers in order to set the selection signals in order to de-assert the first subset of the error signals and assert the second subset of the error signals.

    5. The processing system according to claim 1, wherein the connectivity test circuit is configured to de-assert all of the plurality of error signals, and to determine whether each error signal received by the fault collection and error management circuit is de-asserted.

    6. A processing system comprising: a digital processing core comprising a microprocessor programmable via software instructions; a memory controller configured to read the software instructions from a non-volatile memory; a communication system connecting the processing core to the memory controller and a resource; a plurality of safety monitoring circuits configured to generate a plurality of error signals by monitoring the operation of the processing core, the memory controller, or the resource; a fault collection and error management circuit configured to: receive the plurality of error signals from the plurality of safety monitoring circuits, and generate one or more reaction signals as a function of the plurality of error signals; a reset circuit configured to selectively reset the processing system; a diagnostic circuit configured to selectively execute one or more tests of the processing system; wherein, in response to switching on the processing system, the processing system is configured to execute the following phases in sequence: a reset phase, wherein the reset circuit executes a reset of the processing system, a diagnostic phase, wherein the diagnostic circuit executes the one or more tests of the processing system, and a software runtime phase, wherein the microprocessor is started and executes software instructions; and wherein the processing system comprises a hardware connectivity test circuit configured to test, during the diagnostic phase, the connectivity between the plurality of safety monitoring circuits and the fault collection and error management circuit, wherein the hardware connectivity test circuit comprises, for each error signal, a circuit configured to selectively assert or de-assert the respective error signal generated by a respective safety monitoring circuit as a function of a respective selection signal, and a control circuit configured to: set the selection signals in order to de-assert a first subset of the error signals via the circuit, determine whether the respective error signals of the first subset received by the fault collection and error management circuit are de-asserted, set the selection signals in order to assert a second subset of the error signals via the circuit, determine whether the respective error signals of the second subset received by the fault collection and error management circuit are asserted, and in response to determining that at least one of the error signals of the first subset received by the fault collection and error management circuit is not de-asserted or at least one of the error signals of the second subset received by the fault collection and error management circuit is not asserted, set a status signal to a value indicating an error of the connectivity test.

    7. The processing system according to claim 6, wherein the first subset of the error signals comprises all error signals, and wherein the control circuit is configured to: set the selection signals in order to de-assert all error signals via the circuit, and determine whether all error signals received by the fault collection and error management circuit are de-asserted.

    8. The processing system according to claim 6, wherein the second subset of the error signals comprises a single error signal, and wherein the control circuit is configured to: set the selection signals in order to selectively assert the single error signal via the circuit, and determine whether the respective single error signal received by the fault collection and error management circuit is asserted.

    9. The processing system according to claim 8, wherein the control circuit is configured to sequentially assert different single error signals.

    10. The processing system according to claim 6, wherein the processing system comprises a plurality of connectivity test circuits configured to test, during the diagnostic phase, the connectivity between respective subsets of the safety monitoring circuits and the fault collection and error management circuit.

    11. The processing system according to claim 6, wherein each safety monitoring circuit is configured to monitor one or more signals of the processing core, the memory controller or the resource and perform at least one of: a combinational analysis of one or more monitored digital signals; a sequential analysis of one or more digital monitored signals; and an analysis of one or more monitored analog signals.

    12. The processing system according to claim 6, wherein each circuit comprises: a first combinational logic gate configured to selectively assert the respective error signal as a function of a first bit of the selection signal; and a second combinational logic gate configured to selectively de-assert the respective error signal as a function of a second bit of the selection signal.

    13. The processing system according to claim 6, wherein the control circuit comprises: one or more registers configured to provide the selection signals; and a state machine configured to control the operation of the one or more registers in order to set the selection signals in order to de-assert the first subset of the error signals and assert the second subset of the error signals.

    14. The processing system according to claim 13, wherein the one or more registers are shift registers.

    15. The processing system according to claim 13, comprising: one or more further registers connected to the communication system and programmable via software instructions executed by the microprocessor; and a combinational logic circuit configured to generate the selection signals by combining the signals provided by the one or more registers and the one or more further registers.

    16. The processing system according to claim 6, wherein the fault collection and error management circuit is arranged at a respective position within the processing system, wherein each safety monitoring circuit is arranged at a respective position within the processing system, wherein each circuit is arranged at a respective position within the processing system, and wherein, for each circuit, the distance between the positions of the circuit and the respective safety monitoring circuit is smaller than the distance between the positions of the circuit and the fault collection and error management circuit.

    17. The processing system according to claim 6, wherein the fault collection and error management circuit is configured to generate, as a function of the plurality of error signals, at least one of: an interrupt signal provided to the microprocessor; a reset request signal provided to the reset circuit; a first digital signal provided to a terminal of the processing system; and a second digital signal used to set the output level of one or more safety critical terminals of the processing system.

    18. The processing system according to claim 6, wherein the processing system is implemented as an integrated circuit.

    19. A device comprising a plurality of the processing systems according to claim 6, wherein the plurality of processing systems are connected via a further communication system.

    20. A method of operating a processing system comprising a control circuit, a fault collection and error management circuit, and a plurality of safety monitoring circuits, the method comprising: in response to the processing system being powered on, sequentially executing a reset phase, a diagnostic phase, and a software runtime phase; and executing, by a control circuit of the processing system, the following operations during the diagnostic phase to perform a connectivity test to test connectivity between the plurality of safety monitoring circuits and the fault collection and error management circuit: setting selection signals to de-assert a first subset of error signals generated by the plurality of safety monitoring circuits, determining whether the error signals of the first subset received by the fault collection and error management circuit are de-asserted, setting the selection signals in order to assert a second subset of the error signals, determining whether the error signals of the second subset received by the fault collection and error management circuit are asserted, and in response to determining that at least one of the error signals of the first subset is not de-asserted or at least one of the error signals of the second subset is not asserted, setting a status signal to a value indicating an error of the connectivity test.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0064] Embodiments of the present disclosure will now be described with reference to the annexed drawings, which are provided purely by way of non-limiting example and in which:

    [0065] FIG. 1 shows an example of an electronic system comprising a plurality of processing systems;

    [0066] FIGS. 2 and 3 show examples of processing systems;

    [0067] FIG. 4 shows an example of a processing system comprising a fault collection and error management circuit;

    [0068] FIG. 5 shows an example of the fault collection and error management circuit of FIG. 4;

    [0069] FIG. 6 shows an example of the connection between a plurality of safety monitoring circuits and the fault collection and error management circuit;

    [0070] FIG. 7 shows an embodiment of a processing system according to the present disclosure, wherein the processing system comprises a fault collection and error management circuit and a diagnostic circuit;

    [0071] FIG. 8 is a flow-chart showing an embodiment of the operation of the processing system of FIG. 7;

    [0072] FIG. 9 shows a first embodiment of a fault collection and error management circuit and a respective control circuit adapted to be used in the processing system of FIG. 7;

    [0073] FIG. 10 shows a second embodiment of a fault collection and error management circuit and a respective control circuit adapted to be used in the processing system of FIG. 7;

    [0074] FIG. 11 is a flow-chart showing an embodiment of the operation of the control circuits of FIGS. 9 and 10; and

    [0075] FIG. 12 shows an embodiment of the control circuits of FIGS. 9 and 10.

    DETAILED DESCRIPTION OF ILLUSTRATIVE EMBODIMENTS

    [0076] In the following description, numerous specific details are given to provide a thorough understanding of embodiments. The embodiments can be practiced without one or several specific details, or with other methods, components, materials, etc. In other instances, well-known structures, materials, or operations are not shown or described in detail to avoid obscuring aspects of the embodiments.

    [0077] Reference throughout this specification to “one embodiment” or “an embodiment” means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment. Thus, the appearances of the phrases “in one embodiment” or “in an embodiment” in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.

    [0078] The headings provided herein are for convenience only and do not interpret the scope or meaning of the embodiments.

    [0079] In the following FIGS. 7 to 12 parts, elements or components which have already been described with reference to FIGS. 1 to 6 are denoted by the same references previously used in such Figure; the description of such previously described elements will not be repeated in the following in order not to overburden the present detailed description.

    [0080] FIG. 7 shows an embodiment of a processing system 10a according to the present description.

    [0081] In the embodiment considered, the underlying architecture of the processing system 10a corresponds to the processing system described with respect to FIGS. 1 to 6, and the respective description applies in their entirety. Thus, also in this case, the processing system 10a, such as an integrated circuit, comprises: at least one circuit configured to generate an error signal ERR, such as a processing core 102 comprising a microprocessor 1020, a memory controller 100 configured to be connected to a (internal or external) non-volatile memory 104 and/or a volatile memory 104b, and/or a resource/peripheral 106; and a fault collection and error management circuit 120a.

    [0082] Specifically, in various embodiments, the processing system 10a comprises also: a reset management circuit 116; and a diagnostic circuit 118.

    [0083] In various embodiments, the processing system may also comprise a hardware configuration circuit 108. For example, in line with the description of European Patent Application No. EP 3 413 194 A1, the configuration data CD may be written into specific areas of the non-volatile memory 104 and retrieved when the processing system 10a is powered on. Preferably, the non-volatile memory 104 is integrated in the integrated circuit and may also be used to store the firmware of the processing core(s) 102. However, the firmware may also be stored in a separate non-volatile memory 104. For example, the non-volatile program memory may be used, in case the program memory is integrated in the integrated circuit. Conversely, an additional internal non-volatile memory 104 may be used in case the program memory is an external memory. Accordingly, in various embodiments, the configuration data CD are stored in a non-volatile memory of the integrated circuit comprising the blocks requiring configuration data, such as the processing unit 102, one or more of the hardware resources 106, the fault collection and error management circuit 120a, the reset management circuit 116 and/or the diagnostic circuit 118.

    [0084] For example, the configuration data CD may comprise calibration data used to guarantee that the hardware behavior is uniform, thereby compensating possible production process tolerances. For example, this applies often to the calibration of analog components of the processing system, such as a temperature sensor, analog-to-digital converter, voltage reference, etc. For example, a voltage monitor threshold level of an analog comparator could be “trimmed” to the exact intended value by adjusting some levels with configuration/calibration data, which are written by the producer of the hardware of the processing systems, e.g., the micro-controller producer. Moreover, the configuration data CD may also be used to customize the behavior of the hardware.

    [0085] In various embodiments, the hardware configuration module 108 may be configured to read the configuration data CD from the non-volatile memory 104 by sending read requests to the memory controller 100 via the communication system 114. Additionally or alternatively, the hardware configuration module 108 may also be connected directly to the memory controller 100 or be configured to read directly the data from the memory 104.

    [0086] Similarly, the hardware configuration module 108 may be configured to send the configuration data CD to the various circuits by sending write requests via the communication system 114. However, the hardware configuration module 108 may also use a separate communication channel for the configuration data CD.

    [0087] For example, in line with the description of document EP 3 413 194 A1, each circuit requiring configuration data may have associated one or more configuration data client, which may also be integrated in the respective circuit. For example, the configuration module 108 and the configuration data clients may be connected via the communication system 114 or an additional bus, and each configuration data clients may have associated a respective target address. Accordingly, each configuration data client may be configured to receive the configuration data from the module 108, store them into the internal register, e.g., store them into one or more internal flip-flops or latches. The data stored in the register may then be used to generate one or more signals, which influence the behavior of one or more associated circuits.

    [0088] Accordingly, in line with the description of document EP 3 413 194 A1, the configuration circuit 108 may comprise: a data read module configured to read the configuration data CD from the memory 104, a dispatch module configured to transmit the configuration data to the configuration data clients, and a state control module configured to manage the various configuration phases of the processing system 10a.

    [0089] For example, the communication between the dispatch module and the configuration data clients may be based on data frames in accordance with a given format, called Device Configuration Format (DCF). For example, each data frame may comprise two fields: the payload (i.e., the real data), called DCF Format payload, and possible additional data attributes used to identify the receiver of the data, called DCF Format attributes, wherein the receiver is one of the configuration data clients representing a DCF client. For example, the data attributes may consist in 16 or 32 bits, wherein a given number of bits specifies the address of one of the configuration data clients, and the payload may consist in 16 or 32 bits. For example, in this case, the data read module of the configuration circuit 108 may be configured to read blocks of 64 bits from the memory 104, wherein the first 32 bits contain the data attributes (including the address of a configuration data client) and the second 32 bits contain the configuration data to be transmitted to the address specified in the data attributes. As mentioned before, the address may correspond to a physical address of the communication system 114 or of a separate communication bus.

    [0090] For example, as shown in FIG. 7, in various embodiments, once the processing system 10a is switched-on, the reset module 116 of the processing system 10a may generate a reset signal RESET, which is used to perform a reset of the various components of the processing system 10a. For example, the processing circuit 10a may comprise for this purpose a power supply monitoring circuit 115 configured to generate a trigger in a reset request signal IR.sub.1, when the supply voltage applied to terminals VDD and GND increase above a given threshold value. For example, the power supply monitoring circuit 115 may comprise for this purpose a comparator, e.g., a comparator with hysteresis, i.e., a Schmitt trigger. Accordingly, in this way, the processing system 10a is reset when the processing system 10 is switched on. For example, the reset signal RESET may correspond to a reset pulse of a given number of clock cycles, provided to the circuits of the processing system 10a.

    [0091] Similarly, in response to a reset, the reset circuit 116 may activate the state control module of the configuration circuit 108, thereby activating the configuration phase.

    [0092] As disclosed in European Patent Application No. EP 3 719 636 A1, and which is incorporated herein by reference for this purpose, indeed two types of resets may be used in conventional processing systems. The first reset corresponds to a “simple” reset as described essentially in the foregoing, where some kind of reset event activates the internal reset stage 116 in order to perform a reset of the processing system. The second type of reset corresponds to a complex reset wherein further operations may be executed.

    [0093] FIG. 8 schematically shows an embodiment of the operation of the reset circuit 116.

    [0094] At a step 3000 the reset circuit 116 is activated and a reset is performed at a step 3002. For example, the reset module 116 may set the signal RESET at the step 3002. Accordingly, in response to the reset requested at the step 3002, the various latches/registers of the processing system 10a are reset (e.g., the processing core(s) 102 and the resources 106).

    [0095] Next, in case the configuration circuit 108 is used, the reset module 116 starts at a step 3004 the configuration phase, e.g., by setting a signal SCP, which is provided to the state control module of the configuration circuit 108. In response to the signal SCP, the configuration circuit 108 reads and distributes the configuration data CD. Generally, the signal SCP is optional because the configuration phase could be started automatically when the reset signal RESET is de-asserted.

    [0096] At the end of the configuration phase, the configuration circuit 108 may set a signal ECP in order to indicate that the configuration phase is completed.

    [0097] Accordingly, as shown in FIG. 8, the reset circuit 116 may proceed from the step 3004 to a verification step 3006, where the reset module 116 waits until the signal ECP is set by the configuration circuit 108 (output “N” of the verification step 3006). Once the signal ECP is set (output “Y” of the verification step 3006), the processing system 10a is configured. Accordingly, the steps 3004 and 3006 implement a configuration phase CP1 of the processing system 10a. As mentioned before, due to the fact that the configuration circuit 108 is optional, the configuration phase CP1 is also optional.

    [0098] Accordingly, in general, after the verification step 3006, the processing core(s) 102 may be started at a step 3022 and the reset procedure may terminate at a step 3024. Accordingly, at the step 3022 is started a software runtime phase SW.

    [0099] Substantially, the reset phase 3002 and the configuration phase CP1 implement a reset stage, where the various circuits of the processing system are reset and then the configuration data CD are distributed, thereby storing given values to the registers and/or internal flip-flops of the processing system 10a prior to starting the processing core(s) 102.

    [0100] However, as shown in FIG. 8, the processing system 10a may also be configured to run a diagnostic phase DP where the processing system 10a executes one or more optional system diagnostic operations, i.e., the processing system 10a executes a Built-In Self-Test (BIST). For example, in the embodiment shown in FIG. 7, the processing system 10a comprises a hardware diagnostic circuit 118, which is activated via a signal SDP.

    [0101] Accordingly, in various embodiments, once the signal ECP is set (output “Y” of the verification step 3006), the reset circuit 116 may set the signal SDP at a step 3010, thereby starting the diagnostic circuit 118. Next, the reset module 116 may wait at a step 3012 until the diagnostic operations have been executed, i.e., the self-test has been completed. For example, as shown in FIG. 7, the diagnostic circuit 118 may set a signal EDP once the diagnostic operations have been executed.

    [0102] Accordingly, as shown in FIG. 8, the reset circuit 116 may proceed from the step 3010 to a verification step 3012, where the reset module 116 waits until the signal EDP is set by the diagnostic circuit 118 (output “N” of the verification step 3012). Once the signal EDP is set (output “Y” of the verification step 3012), the diagnostic phase DP (steps 3010 and 3012) has been completed.

    [0103] In various embodiments, the self-test operations executed by the diagnostic circuit 118 may test one or more registers of the processing system 10a, which usually involves write and/or read operations, thereby modifying the content of such registers or internal flip-flops.

    [0104] Accordingly, in various embodiments, once having executed the diagnostic phase DP, the reset module 116 may execute a further reset of the processing system 10a at a step 3014. For example, the reset circuit 116 may set again the signal RESET at the step 3014.

    [0105] Generally, the reset executed at the step 3002, representing a first reset, and the reset executed at the step 3016, representing a second reset, may be different, e.g., with respect to the registers and/or circuits which are reset by the reset circuit 116. For example, this is schematically shown in FIG. 7, where the reset circuit 116 generates also a reset mode signal RM, which is set to a first logic level at the step 3002 and a second logic level at the step 3014. However, the reset circuit could also set a first reset signal RESET1 at the step 3002 (used to reset a first sub-set of circuits) and a second reset signal RESET2 at the step 3014 (used to reset a second sub-set of circuits).

    [0106] In various embodiments, the diagnostic circuit 118 may also test the registers of one or more of the configuration data clients used to distribute the configuration data CD. Accordingly, in this case, it is also useful to read again the configuration data CD at a second configuration phase CP2. As mentioned before, due to the fact that the configuration circuit 108 is optional, the configuration phase CP2 is also optional.

    [0107] Accordingly, in various embodiments, the reset module 116 may proceed from the step 3014 to a step 3016, where the reset circuit 116 starts again a configuration phase, e.g., by setting a signal SCP, which is provided to the state control module 1084. In response to the signal SCP, the configuration circuit 108 reads and distributes the configuration data CD. At the end of the configuration phase, the configuration circuit 108 sets again the signal ECP in order to indicate that the configuration phase is completed.

    [0108] Accordingly, the reset circuit 116 may proceed from the step 3016 to a verification step 3018, where the reset module 116 waits until the signal ECP is set by the configuration circuit 108 (output “N” of the verification step 3018). Once the signal ECP is set (output “Y” of the verification step 3018), the processing circuit may thus proceed to the step 3022 for starting the processing core(s) 102.

    [0109] Substantially, the reset phase 3014 and the configuration phase CP2 implement a further reset stage, where the various circuits of the processing system are again reset and then the configuration data CD are distributed.

    [0110] As mentioned before, the reset circuit 116 may be configured to optionally start the diagnostic phase DP after the configuration phase CP1. This configuration may be hardwired or programmable. Specifically, as mentioned before, in various embodiments, the optional configuration data CD are already distributed at the end of the configuration phase CP1. Accordingly, the configuration data CD may also include data which indicate whether the self-test function should be activated or not, possibly also including data specifying which self-test should be executed. For example, these data may be provided to the reset circuit 116 and/or the diagnostic circuit by associating respective configuration data clients with these circuits.

    [0111] According, at the end of the step 3006, the reset circuit 116 may indeed proceed to a verification step 3008. Specifically, when the execution of the diagnostic phase DP is enabled (output “Y” of the verification step 3008), the reset module 116 proceeds to the step 3010. Conversely, when the execution of the self-test is disabled (output “N” of the verification step 3008), the procedure may directly proceed to the step 3022 in order to start the normal-operation mode of the processing system.

    [0112] Thus, essentially, a simple reset implements only a single reset (step 3002) and the optional configuration phase CP1. Conversely, a complex reset implements also the diagnostic phase DP and optionally the further reset at the step 3014 and optionally the further configuration phase CP2. Generally, as mentioned before, the processing system 10a may also support both types of resets, wherein a complex reset is executed in response to a first set of events and a simple reset is executed in response to a second set of events (e.g., verified at the step 3008). For example, a complex reset may be executed in response to a start-up of the processing system 10a or in response to given (critical) errors, while a simple reset may be executed in response to a reset request by the processing unit 102. For example, as shown in FIG. 7, the fault collection and error management circuit 120a may provide for this purpose one or more reset request signals IR.sub.2 to the reset management circuit 116. Generally, the type of reset to be triggered in response to a given reset request signal IR.sub.2 may be static/hardwired or may be configurable.

    [0113] Typically, the first reset at the step 3002 is called “destructive reset” DR, because usually all registers of the processing system 10a are reset to a reset value, while the second reset at the step 3014 is usually identified as a functional reset FR, because not necessarily all registers of the processing system are reset, such as registers of one or more of the resources 106. For example, the registers of the reset module 116 cannot be reset at the step 3016, because otherwise the reset module 116 would lose the information whether already a first reset at the step 3002 had been performed. Generally, in case the BIST does not test the registers of the configuration data clients 112, the functional reset at the step 3014 may also be a so called “Short Functional Reset”, where the processing system 10a is reset but the configuration circuit 108 does not read again the configuration data CD, i.e., the configuration phase CP2 may be omitted also in case the configuration circuit 108 is used.

    [0114] As described in the foregoing, given reset request signals (such as the signal IR.sub.1 indicating a power-on of the processing system 10a) may trigger the complex reset procedure shown in FIG. 7 (starting at a destructive reset 3002), while other reset request signals (e.g., a reset requested by a resource 106 or the error management circuit 120a) may trigger only a functional reset, i.e., start immediately the step 3014. Moreover, further reset request signals (e.g., a reset requested by a processing unit 102) may trigger only a short functional reset. Typically, the reset requests are classified as functional, short functional or destructive at design time, and/or may be configured via configuration data CD. Similarly, as mentioned before, the execution of the BIST may be set at design time, and/or may be configured via configuration data CD, possibly for each trigger associated with a destructive reset.

    [0115] Accordingly, in various embodiments, when executing a complex or simple reset, i.e., between the steps 3002 and 3020, the processing core(s) 102 are not running, i.e., the processing core(s) 102 do not execute any software. For example, this may be obtained by keeping the processing core(s) 102 under reset. Conversely, other circuits of the processing system 10a may be operative, e.g., the reset circuit 116, the diagnostic circuit 118, the hardware configuration circuit 108, the non-volatile memory 104, one or more of the resources 106, etc. In this respect, the reset circuit 116 and/or the state control module of the configuration circuit 108 may also implement further steps, such as an initialization phase, where the reset circuit 116 and/or the state control module, e.g., wait that the non-volatile memory 104 completes its initialization, thereby ensuring that the data read circuit of the configuration circuit 108 may read the configuration data CD from the non-volatile memory 104.

    [0116] As shown in FIG. 7, in various embodiments, the reset circuit 116 may be configured to reset the processing system 10a in response to a reset request signal ER received via a reset terminal RP of the processing system 10a, such as a pad of a respective integrated circuit die or a pin of a respective packaged integrated circuit. In this case, the reset circuit 116 may be configured to verify whether the signal ER applied to the reset terminal RP is asserted/has a first logic level, e.g., is low. For example, in this case, the processing system 10a may be configured to start a complex reset at the step 3000 when the signal applied to the reset terminal RP has the first logic value, e.g., low. Next the reset circuit executes the steps 3002 to 3018, and the processing system 10a remains at a step 3020 while the signal applied to the reset terminal RP is asserted/has the first logic level (output “Y” of the verification step 3020), i.e., the processing system 10a proceeds from the step 3020 to the step 3022 (output “N” of the verification step 3020) when the logic level of the signal applied to the reset terminal RP is de-asserted/has a second logic level, e.g., high. Accordingly, in the embodiment considered, the processing core(s) are only started at the step 3022 when the signal applied to the reset terminal RP is de-asserted/has the second logic level.

    [0117] Generally, while FIG. 7 shows an embodiment where the various reset phases are managed by the reset circuit 116, these phases could also be managed by the state control circuit of the configuration circuit 108 or another state machine. Thus, in general the operation shown in FIG. 7 may be implemented in any suitable manner by the processing system 10a.

    [0118] As mentioned in the foregoing, in various embodiments, the processing system 10a is configured to also test the fault collection and error management circuit 120a. For example, as mentioned before, in various embodiments, also the connection between the safety monitoring circuits SM (which are usually located near the respective circuit to be monitored) and the fault collection and error management circuit 120a (which is usually centralized for the processing system 10a) should be verified.

    [0119] Generally, the behavior of the safety monitor circuits SM and the fault collection and error management circuit 120a could be verified via software instructions executed by a processing core 102. For example, for this purpose, the processing core 102 may send requests via the communication system 10a to each safety monitor circuit SM (or the respective associated circuit), wherein the request corresponds to an instruction to simulate a given error event. Accordingly, by monitoring the error bits EB of the fault collection and error management circuit 120a, e.g., by sending respective read requests via the communication system 114, a processing core may verify the correct transmission of the error signals ERR. Similarly, the processing core 102 may enable one or more interrupts IRQ generated by the fault collection and error management circuit 120a, e.g., by programming the bits IE.

    [0120] Accordingly, the testing of the safety monitor circuits SM, the fault collection and error management circuit 120a and the connection between these circuits may be controlled via software instructions executed via a processing core 102, wherein the software instructions perform write and read requests to various registers of the safety monitor circuits SM (or the respective associated circuits) and the fault collection and error management circuit 120a.

    [0121] However, when increasing the number of circuits and/or functionalities to be monitored, also the number of the safety monitor circuits SM or at least the number of error signals ERR generated by these safety monitor circuits SM increases, which may render such a software-based solution rather inefficient in terms of software complexity and execution time.

    [0122] In fact, increasing the complexity of software implies investing in resources and scheduling within the project significant time to develop the corresponding software routines (for example each safety monitor may have a different mode to inject a fault via software).

    [0123] Moreover, due to the fact that the test routines should be executed at least during the start-up of the processing system 10a, the software test routines have to be included in the firmware of the final application. On the one hand, this implies that memory area has to be allocated to these routines, thereby increasing the cost of the processing system. On the other hand, a significant time may be dedicated to these tests during the initialization of the processing system. However, the overall boot time may be constrained, thus not permitting the execution of all software test routines.

    [0124] Accordingly, in various embodiments, the diagnostic circuit 118 and the fault collection and error management circuit 120a may be configured to execute one or more self-test operations during the diagnostic phase DP. For example, this is shown in FIG. 7, where the diagnostic circuit 118 provides a diagnostic request signal SFD to the fault collection and error management circuit 120a and the fault collection and error management circuit 120a returns one or more diagnostic status signals STATE to the diagnostic circuit 118.

    [0125] Accordingly, in various embodiments, a hardware solution is used to test the connections between the safety monitor circuits SM and the fault collection and error management circuit 120a. In this way, the connectivity test may be executed in HW during the initialization phase of the processing system 10a, in particular during the diagnostic phase DP as part of the “built-in self-test” architecture. Accordingly, when the initialization phase is completed and the software is started at the step 3022, connectivity has already been tested and the software can rely on the fact that an error is not lost because of a broken connection between a safety monitor circuit SM and the fault collection and error management circuit 120a.

    [0126] Specifically, a fault collection and error management circuit 120a is a dedicated hardware circuit configured to collect the error signals ERR of the processing system 10a. Here, each of these signals may be asserted, e.g., set to high, when a given failure occurs in the processing system 10a. These error signals ERR are generated by several safety monitor circuits SM distributed within the processing system 10a. For example, the safety monitor circuit SM.sub.102 of a processing core 102, in particular the respective microprocessor 1020 is located near (or is integrated in) the processing core 102, i.e., the distance between the safety monitor circuit SM and the respective circuit to be monitored is usually smaller than the distance between the safety monitor circuit SM and the fault collection and error management circuit 120a. As mentioned before, in addition to monitoring given circuits, the safety monitor circuit SM may also monitor other conditions, such as a detection of a supply voltage, a temperature, or a clock frequency being out-of-range. Moreover, the fault collection and error management circuit 120a is a hardware circuit generating given internal (e.g., a reset or an interrupt) and/or external reactions (driving of the pin EP or setting the safety level of a pin SCP) for the error signals ERR.

    [0127] As mentioned before, preferably these reactions are programmable for one or more of the error signals ERR. For example, in various embodiments, the fault collection and error management circuit 120a is connected to the communication system 114 and comprises a register interface.

    [0128] For example, in order to control the internal reaction, this register interface may comprise for each error signal ERR a respective interrupt enable flag (bits IE in FIG. 5) and/or respective reset enable flag. Thus, as shown in FIG. 7, in case a given error signal ERR is asserted, the fault collection and error management circuit 120a may be configured to: when the respective interrupt enable flag is set, set an interrupt signal IRQ; and when the respective reset enable flag is set, set an internal reset request signal IR.sub.2, which is provided to the reset circuit 116.

    [0129] For example, the interrupt signal IRQ may be provided to a processing core 102, which may be configured to start a given software error handling routine in response to the interrupt. Generally, the fault collection and error management circuit 120a may also be configured to generate a plurality of interrupt signals IRQ. For example, in this case, the interrupt enable flag may be provided for each error signal. For example, this may be useful in order to handle different errors in a different manner (without having the need to read the error bits EB in order to understand the type of error) and/or in case of multi-core processing systems 10a, wherein one or more interrupt signals IRQ may be provided to each processing core 102.

    [0130] As mentioned before, the reset management circuit 116 may be programmable, e.g., in order to specify which type of reset (e.g., destructive, functional or simple functional) should be executed in response to the signal IR.sub.2. However, also in this case, the fault collection and error management circuit 120a may be configured to generate a plurality of reset request signals, which are associated with given reset types, i.e., the type of reset to be executed may be programmed by programming the fault collection and error management circuit 120a rather than the reset management circuit 116.

    [0131] An external reaction is usually accomplished by a change, done in hardware, of the level of one or more error pins EP, thereby signaling the error event to an external circuit, and/or by setting the level of a safety-critical pin SCP. For example, in response to a change of the logic level of a pin EP, the external circuit may be configured to shut-down/switch-off the processing system 10a and optionally activate a second processing system, which may be a redundant processing system 10a, or a processing system implementing only a reduced set of back-up functionality. For example, this may be the case for an electromechanics braking systems.

    [0132] As mentioned before, preferably these reactions are again programmable for one or more of the error signals ERR. Generally, in addition to or as alternative to the use of a register interface programmable via software instructions executed by a processing core 102, one or more of the reactions may also be programmable via the configuration data CD, i.e., the fault collection and error management circuit 120a may have associated a configuration data client, and the fault collection and error management circuit 120a may be configured by storing the respective configuration data together with the address of the respective configuration data client to the configuration data CD, which may thus be read during the optional configuration phase CP1, which in any case is prior to the diagnostic phase DP.

    [0133] FIG. 9 shows an embodiment of a fault collection and error management circuit 120a according to the present disclosure.

    [0134] Specifically, in FIG. 9 are shown three blocks: a first block 1208 corresponding to an overwrite circuit configured to selectively overwrite the error signals ERR.sub.1, . . . , ERR.sub.n generated by the safety monitoring circuits SM; a block 1206 corresponding the portion of the circuit 120a handling the fault collection and error management; and a block 1210 corresponding to a control circuit, configured to perform the testing operations.

    [0135] Specifically, the first block 1208 shows that with each error signal ERR may be associated a respective set circuit SL in the form of a combinational logic circuit, such as set circuits SL.sub.1, . . . , SL.sub.m, and a respective clear circuit CL in the form of a combinational logic circuit, such as clear circuits CL.sub.1, . . . , CL.sub.m. Specifically, the set circuits SL and the clear circuits CL are provided at the output of the respective safety monitor circuit SM and may also be integrated within the respective safety monitoring circuit SM. Accordingly, the circuits SL and CL may be used to generate a modified error signal ERR′, i.e., modified error signals ERR′.sub.1, . . . , ERR′.sub.m, by selectively overwriting the original error signal ERR. Specifically, by setting for each set circuit SL a respective set signal SE, i.e., signals SE.sub.1, . . . , SE.sub.m (schematically shown in vector form SE[m:1]), and for each clear circuit CL a respective clear signal CE, i.e., signals CE.sub.1, . . . , CE.sub.m (schematically shown in vector form CE[m:1]), the modified error signal ERR′ may: correspond to the original error signal ERR, e.g., in case the respective set signal SE and the respective clear signal CE are de-asserted, e.g., set to low; be asserted (via the circuit SL), e.g., in case the respective set signal SE is asserted, e.g., set to high, and the respective clear signal CE is de-asserted, e.g., set to low; be de-asserted (via the circuit CL), e.g., in case the respective clear signal CE is asserted, e.g., set to high.

    [0136] For example, in the embodiment considered, the clear signal CE has priority, i.e., the modified error signal ERR′ is de-asserted when the respective clear signal CE is asserted (irrespective of the value of the respective error signal ERR and optionally the value of the respective set signal SE). For example, this permits to de-assert the modified error signal ERR′, even in case an actual error is signaled via the error signal ERR.

    [0137] Specifically, the modified error signal ERR′ is generated prior to the transmission via the lines within the integrated circuit, i.e., the distance between the circuit SL (and similarly the circuit CL) and the respective safety monitoring circuit SM is smaller than the distance between the circuit SL (and similarly the circuit CL) and the circuit 1206 indeed handling the fault collection and error management.

    [0138] For example, assuming that an error signal ERR is asserted when the respective logic level is high: the respective set circuit SL may be configured to selectively set the signal ERR′ to high, e.g., by using a logic OR gate receiving at a first input terminal the respective original error signal ERR and at a second input terminal the respective set signal SE; and the respective clear circuit CL may be configured to selectively set the signal ERR′ to low, e.g., by using a logic AND gate receiving at a first input terminal the signal at the output of the respective set circuit SL and at a second input terminal the inverted version of the respective clear signal CE.

    [0139] Those of skill in the art will appreciate that also other combinational logic circuits may be used to selectively assert or de-assert the signal ERR′ as a function of the signals SE and CE. For example, substantially the set and clear circuits SL and CL implement a selection/overwrite circuit 1208, which permits selection, for a given modified error signal ERR′: the logic value of the respective original error signal ERR, the logic level indicating that the error signal is asserted (e.g., high), or the logic level indicating that the error signal is de-asserted (e.g., low).

    [0140] For this reason, the signals SE and CE essentially represent a selection signal, which possibly may also use a different encoding in order to select the above values for the modified error signal ERR′.

    [0141] Accordingly, in the embodiment considered, the modified error signal ERR′ is transmitted within the integrated circuit and is received by the fault collection and error management circuit 1206. Accordingly, in the embodiment considered, the fault collection and error management circuit 1206 is configured to receive the modified error signals ERR′ (instead of the original error signals ERR).

    [0142] For example, in the embodiment considered, the fault collection and error management circuit 1206 comprises, again for each error signal ERR′, a respective register EB (i.e., registers EB.sub.1, . . . , EB.sub.m), such as a flip-flop or latch, for storing the logic level of the respective error signal ERR′. As mentioned before, these registers EB are optional.

    [0143] Accordingly, in the embodiment considered, the control circuit 1210 is configured to: generate the selection signal (e.g., the signals SE and CE), monitor the signals provided by the registers EB (schematically shown again in vector form EB[m:1]) or directly the modified error signal ERR′ received by the circuit 1206, determine whether the monitored signals are congruent with the selection signal (e.g., the signals SE and CE), and set a status signal STATE in order to indicate a connectivity error when the monitored signals are not congruent with the signals SE and CE or with the selection signal).

    [0144] Specifically, the term congruent indicates that: when the selection signal is set in order to assert a given modified error signal ERR′ prior to transmission (e.g., the signal SE is asserted and the signal CE is de-asserted), also the respective registers EB (or the respective modified error signal ERR′ received by the circuit 1206) has to be asserted; and when the selection signal is set in order to de-assert a given modified error signal ERR′ prior to transmission (e.g., the signal SE is de-asserted and the signal CE is asserted), also the respective registers EB (or the respective modified error signal ERR′ received by the circuit 1206) has to be de-asserted.

    [0145] As shown in FIG. 9, the control circuit 1210 may then provide the state signal STATE to the diagnostic circuit 118.

    [0146] Specifically, as mentioned before, the test of the connectivity of the fault collection and error management circuit 120a should be performed during the diagnostic phase DP. For example, for this purpose, the control circuit 1210 may also receive the start signal SFD indicating a request to start the connectivity test. For example, the diagnostic circuit 118 may be configured to set the signal SFD during the diagnostic phase DP. Accordingly, in response to determining that the signal SFD is set, the control circuit 1210 may generate the selection signal (e.g., the signals SE and CE) and generate the state signal STATE as a function of the monitored signals provided by the registers EB or directly the modified error signal ERR′ received by the circuit 1206.

    [0147] Specifically, independently from the implementation of the selection circuit (e.g., circuits SL and CL), and the encoding of the selection signal (e.g., signals SE and CE), in various embodiments, the control circuit 1210 is configured to set the selection signal (e.g., signals SE and CE) in order to: assert each modified error signal ERR′ for a first time period; and de-assert each modified error signal ERR′ for a second time period.

    [0148] In general, the control circuit 1210 may be configured to vary contemporaneously plural modified error signals ERR′ (e.g., by varying plural selection signals, such as plural signals SE and CE), or preferably, vary only one modified error signal ERR′ at each instant. In fact, this permits determining possible short-circuits between the modified error signals ERR′ at the input of the fault collection and error management circuit 1206.

    [0149] In various embodiments, once the connectivity test has been completed, the control circuit 1210 may also set a signal EFD indicating the end of the connectivity test to the diagnostic circuit 118. Generally, the signal EFD is optional, because the end of the connectivity test could also be signaled directly via the state signal STATE.

    [0150] In line with the description of FIG. 5, the error bits EB (or directly the modified error signals received by the circuit 1206) may be provided to a fault reaction circuit 1202 configured to generate one or more signals indicating an internal reaction, such as the generation of a reset request signal IR.sub.2 and/or an interrupt signal IRQ, and/or a fault reaction circuit 1204 configured to generate a one or more signals indicating an external reaction, such as the signal ET and/or the signal SET.

    [0151] Moreover, in line with the description of FIG. 5, in various embodiments, each reaction may be enabled separately for each bit EB. For example, this is schematically shown in FIG. 9, via enable flags EN, i.e., enable flags EN.sub.1, . . . , EN.sub.m for the bits EB.sub.1, . . . , EB.sub.m. For example, the enable flags EN may correspond to the previously mentioned flags for selectively enabling the generation of the reset request signal IR.sub.2, the interrupt signal IRQ, the signal ET and/or the signal SET. Generally, the flag EN may also be a global enable flag for a given signal and the specific enable flags for enabling a given reaction may be implemented within the circuits 1202 and/or 1204. For example, in this case, the enable flags EN may be configured via the configuration data CD, while the specific reaction enable flags may be programmed via software instructions.

    [0152] As shown in FIG. 9, in various embodiments, the control circuit 1210 may be configured to selectively disable the reaction circuit 1202 and/or the reaction circuit 1204. For example, for this reason, the fault collection and error management circuit 1206 may comprise for each bit EB a respective masking circuit EL (i.e., masking circuits EL.sub.1, . . . , EL.sub.m) in the form of a combinational logic circuit, such as an AND gate, configured to mask the respective bit EB provided to the reaction circuit 1202 and/or the reaction circuit 1204.

    [0153] For example, in the embodiment considered, the control circuit 1210 is configured to generate a signal BIST_ON when the connectivity test is executed by the control circuit 1210 (e.g., between the instant when the signal SFD is set by the diagnostic circuit 118 and the instant when the signal EFD is set by the control circuit 1210). Accordingly, when the signal BIST_ON is set, each masking circuit EL disables the reaction by the reaction circuits 1202 and/or 1204.

    [0154] Accordingly, in the embodiment considered, the control circuit 1210 is essentially a hardware finite state machine and may be implemented with a sequential logic circuit.

    [0155] Accordingly, the control circuit 1210 and the selection circuits SL and CL permit to temporarily overwrite the error signal ERR. However, this implies that a possible error signaled by a safety monitor circuit SM before the connectivity test is executed may be lost. This may be avoided by running the connectivity test as a first test.

    [0156] However, some components may already be running before the diagnostic phase DP is started, such as the memory 104 and the configuration circuit 108. Accordingly, these circuits may already set an error signal, e.g., in response to determining that at least part of the configuration data CD read from the memory 104 contain errors.

    [0157] Accordingly, as shown in FIG. 10, in various embodiments, the processing system 10a comprises a storage element 1212 between a safety monitor circuit SM and the respective selection circuit (e.g., circuits SL and CL), wherein the storage element 1212 is configured to maintain the value of the respective error signal ERR while the connectivity test is running. For example, the storage element 1212 may be implemented with a latch or flip-flop driven as a function of the signal BIST_ON.

    [0158] Due to the fact that the connectivity test is run during the initialization phase, usually only a limited number of errors may occur. Accordingly, it is not necessary to store all error signals ERR, but only the error signals ERR possibly signaling an error before the connectivity test is run. For example, this is schematically shown in FIG. 10, where only the safety monitoring circuit SM.sub.n has associated a storage circuit 1212.sub.m configured to maintain the value of the error signal ERR.sub.m.

    [0159] FIG. 11 shows in more detail a possible embodiment of the operation of the control circuit 1210. As mentioned before, the connectivity test may be started in response to the start signal SFD received from the diagnostic circuit 118.

    [0160] After a start step 4000, the control circuit 1210 sets at a step 4002 the selection signal (e.g., signals SE and CE) in order to de-assert all modified error signals ERR′, e.g., by setting all clear signals CE to high and optionally all set signals SE to low. Next, the control circuit 1210 waits at a wait step 4004 for a given number of clock cycles in order to permit that the modified error signals ERR′ are transmitted to the fault collection and error management circuit 1206. Generally, the minimum number of clock cycles depends on the maximum propagation delay for the transmission of the modified error signals ERR′ and the clock frequency of the clock signal provided to the control circuit 1210, and may range, e.g., from a single clock cycle to several clock cycles.

    [0161] At a following verification step 4006, the control circuit 1210 reads the values of the error bits EB (or directly the modified error signals ERR′ received by the fault collection and error management circuit 1206).

    [0162] In case at least one of the monitored signals (EB or ERR′) is asserted (output “N” of the verification step 4006), e.g., set to high, the control circuit 1210 proceeds to an error step 4024, where the control circuit 1210 sets the signal STATE to a value being indicative of a connectivity error, e.g., sets the signal STATE to a first logic level, e.g., high. Next, the control circuit 1210 may set at a step 4028 the signal EFD in order to indicate that the connectivity test has been completed and the procedure terminates at a stop step 4030.

    [0163] Conversely, in case all monitored signals (EB or ERR′) are de-asserted (output “Y” of the verification step 4006), e.g., set to low, the control circuit 1210 sets at a step 4008 the selection signal (e.g., signals SE and CE) in order to assert a given modified error signal ERR′[i], e.g., by setting the respective clear signal CE[i] to low and the respective set signal SE[i] to high. Next, the control circuit 1210 may wait at a wait step 4010 again for a given number of clock cycles in order to permit that the modified error signal ERR′[i] is transmitted to the fault collection and error management circuit 1206.

    [0164] At a following verification step 4012, the control circuit 1210 may thus read the value of the error bit EB[i] (or directly the modified error signal ERR′[i] received by the fault collection and error management circuit 1206). In case the monitored signal (EB[i] or ERR′[i]) is de-asserted (output “N” of the verification step 4010), e.g., set to low, the control circuit 1210 proceeds to the error step 4024, where the control circuit 1210 sets the signal STATE to the value being indicative of a connectivity error.

    [0165] Conversely, in case the monitored signal (EB[i] or ERR′[i]) is asserted (output “Y” of the verification step 4010), e.g., set to high, the control circuit 1210 sets at a step 4014 the selection signal (e.g., signals SE and CE) in order to de-assert the given modified error signal ERR′[i], e.g., by setting the respective clear signal CE[i] to high and optionally the respective set signal SE[i] to low. Next, the control circuit 1210 may wait at a wait step 4016 again for a given number of clock cycles in order to permit that the modified error signal ERR′[i] is transmitted to the fault collection and error management circuit 1206.

    [0166] At a following optional verification step 4018, the control circuit 1210 may again read the value of the error bit EB[i] (or directly the modified error signal ERR′[i] received by the fault collection and error management circuit 1206). In case the monitored signal (EB[i] or ERR′[i]) is asserted (output “N” of the verification step 4018), e.g., set to high, the control circuit 1210 may proceed to the error step 4024, where the control circuit 1210 sets the signal STATE to the value being indicative of a connectivity error. Conversely, in case the monitored signal (EB[i] or ERR′[i]) is de-asserted (output “Y” of the verification step 4018), e.g., set to low, the control circuit 1210 may proceed to a verification step 4020. In case the verification step 4018 is omitted, the control circuit 1210 may also directly proceed to the verification step 4020.

    [0167] Specifically, at the verification step 4020, the control circuit 1210 verifies whether the current given modified error signal ERR′[i] was the last modified error signal ERR′[i], e.g., i=n. In case the given modified error signal ERR′[i] was not the last modified error signal ERR′[n](output “N” of the verification step 4010), e.g., i<n, the control circuit 1210 selects at a step 4022 the next modified error signal ERR′[i], e.g., increases the index i, and proceeds to the step 4008 for verifying the connectivity of the next modified error signal ERR′[i].

    [0168] Conversely, in case the given modified error signal ERR′[i] was the last modified error signal ERR′[n] (output “Y” of the verification step 4010), e.g., i=n, the control circuit 1210 proceeds to a step 4026, where the control circuit 1210 sets the signal STATE to a value being indicative of a correct connectivity, e.g., sets the signal STATE to a second logic level, e.g., low. Next, the control circuit 1210 may set at the step 4028 the signal EFD in order to indicate that the connectivity test has been completed and the procedure terminates at the stop step 4030.

    [0169] Accordingly, in the embodiment considered, the control circuit 1210 is configured to selectively assert in sequence the error signals ERR′, each time asserting only a single error signal ERR′.

    [0170] Generally, when using a binary signal STATE, one of the steps 4024 or 4026 may also be omitted, because the signal STATE could simply maintain a default value in this case.

    [0171] Moreover, instead of using separate steps 4014 and 4016, these steps may also be combined in the steps 4010 and 4012. For example, at the step 4014, the control circuit 1210 may: set the set signal SE[i] to high and the clear signal CE[i] to low; and set all other clear signals CE to high and optionally all other set signals SE to low.

    [0172] Moreover, in various embodiments, instead of verifying at the step 4012 a single signal EB[i] or ERR′[i], the control circuit 1210 may verify plural (and possible all) signals EB or ERR′, and determine whether only the signal EB[i] or ERR′[i] is asserted. Similarly, the control circuit 1210 may be configured to verify at the step 4018 (when used) whether plural (and possibly all) signals EB or ERR′ are de-asserted.

    [0173] FIG. 12 shows a possible hardware implementation of the control circuit 1210.

    [0174] In FIG. 12 a generic safety monitoring circuit SM[i] is also shown, wherein the selection circuit used to overwrite the error signal generated by the safety monitoring circuit SM[i] is directly integrated in the safety monitoring circuit SM[i], i.e., the safety monitoring circuit SM[i] provides directly the signal ERR′.

    [0175] Specifically, in the embodiment considered, the control circuit 1210 comprises: a register 1218 configured to store the values of the set signals SE[n:1]; a register 1220 configured to store the values of the clear signals CE[n:1]; a combinational logic circuit 1216 configured to provide one or more control signals to the registers 1218 and 1220; and a state machine 1214 in the form of a sequential logic circuit 1214 configured to monitor the start signal SFD and the error bits EB[n:1] of the fault collection and error management circuit 1206 (or the error signals ERR′[n:1] received by the fault collection and error management circuit 1206) and generate one or more control signals for the combinational logic circuit 1216.

    [0176] For example, in line with the description of FIG. 11, in response to determining that the start signal SFD is set, the state machine 1214 may set the control signal(s) provided to the circuit 1216 to a first value indicating a clear phase. Specifically, in various embodiments, when the control signal(s) have the first value, the combinational logic circuit 1216 is configured to set the bits of the register 1218 to “0” and the bits of the register 1220 to “1”, thereby implementing the step 4002.

    [0177] Next, the state machine 1214 may set the control signal(s) provided to the circuit 1216 to a second value indicating an initialization phase. Specifically, in various embodiments, the combinational logic circuit 1216 is configured to: set the first bit of the register 1218 to “1” and all other bits of the register 1218 to “0”; and set the first bits of the register 1220 to “0” and all other bits of the register 1220 to “1”.

    [0178] Accordingly, in this way is asserted the first error signal ERR[1], thereby implementing the step 4010 for the first error signal ERR[1].

    [0179] Next, the state machine 1214 may control the value of the signal EB[1] (or ERR′[1]) and either: terminate the connectivity test by setting the state signal STATE to the error state and optionally setting the end signal EFD, thereby implementing the steps 4024 and 4028; or setting the control signal(s) provided to the circuit 1216 to a third value indicating a run phase.

    [0180] Specifically, in various embodiments, during the run phase, the combinational logic circuit 1216 is configured to drive the registers 1218 and 1220 as shift registers, while applying to the serial input of the register 1218 a “0” and to the serial input of the register 1220 a “1”. Thus, essentially, during the run phase, the register 1218 shifts the logic value “1” and the register 1220 shift the logic value “0”, i.e., each time only a single error signal ERR′ is asserted and the other error signals ERR′ are de-asserted.

    [0181] Accordingly, the state machine 1214 may control the values of the signals EB (or ERR′), and verify whether the error signal ERR′[i] for with the selection signal SE[i] is set to “1” and the clear signal CE[i] is set to “0” is asserted, while the other error signal ERR′ are de-asserted.

    [0182] Accordingly, the state machine 1214 may end the procedure by either: when an error is detected, setting the state signal STATE to the error state and optionally setting the end signal EFD; or when the last error signal ERR′[n] has been tested, setting the state signal STATE in order to indicate that the connectivity is working correctly and optionally setting the end signal EFD.

    [0183] Specifically, in the embodiment considered, once the connectivity test is terminated, the content of the registers 1218 and 1220 is reset, e.g., as a function of the signal EFD.

    [0184] Generally, instead of using shift registers 1218 and 1220, the state machine 1214 could also provide a count value, wherein the count value is increased until the count value corresponds to the number n of error signals ERR. For example, in this case, the combinational logic circuit 1216 may act as a decoder providing, for each count value, respective bit sequences to the registers 1218 and 1220. For example, in this case, the registers 1218 and 1220 may also be omitted. However, by using shift registers 1218 and 1220, the control circuit 1210 has a significantly reduced complexity.

    [0185] In various embodiments, the control circuit 1210 comprises also further registers 1222 and 1224. In various embodiments, these registers 1222 and 1224 are connected to the communication system 114 and are programmable via software instructions executed by a processing core 102. Specifically, these registers 1222 and 1224 may be used to set via software instructions the values of the set signals SE and the clear signals CE (or the values of similar selection signals). For example, for this purpose, the set signals SE may be generated by combining the logic values of the registers 1218 and 1222, e.g., via logic OR gates 1226, and the clear signals CE may be generated by combining the logic values of the registers 1220 and 1224, e.g., via logic OR gates 1226.

    [0186] Accordingly, by using a hardware solution, the connectivity test between the safety monitors SM and the fault controller 1206 may be executed in just a few clock cycles. This reduces also the complexity and cost associated with the development of complicated software to test the safety monitor connections.

    [0187] Conversely, the registers 1222 and 1224 permit that a processing core 102 may assert or de-assert one or more of the error signals ERR′ via software instructions. For example, in this way, the firmware may still be used to execute a complete connectivity test via software, or the processing core 102 may selectively test signal error signals ERR′, e.g., in case an error is signaled via the fault collection and error management circuit 120a.

    [0188] Generally, while the selection circuits, e.g., the gates SL and CL, are configured to assert or de-assert a respective error signal ERR′ by overwriting the original error signal ERR generated by the respective safety monitoring circuit SM, in general, the selection signal may also be provided to the safety monitoring circuit and/or the circuit monitored by the safety monitoring circuit in order to indirectly assert or de-assert the error signal ERR generated by the safety monitoring circuit SM. This may also include that the safety monitoring circuit SM or the circuit monitored by the safety monitoring circuit simulates an abnormal behavior.

    [0189] For example, in various embodiments, one or more safety monitor circuits SM are configured to not only signal a binary error signal ERR but also an additional error information signal identifying in detail the error. For example, in this case, the fault collection and error management circuit 120 or a separate circuit may be configured as logging circuit configured to store a log/table of these error information signals. For example, a safety monitor circuit associate with a memory may also provide with the error information signal data identifying the memory address of the read or write request. Similarly, a safety monitor signal associate with a communication interface may provide data concerning the communication having generated an error.

    [0190] In various embodiments, such a logging circuit operates with a clock signal having a frequency, which is lower than the clock frequency of the monitored circuit. In fact, a memory or a communication interface may operate at a rather high frequency, while a (safe) low-speed clock signal is preferably used for the logging circuit. Accordingly, in this case, the safety monitor circuit SM may comprise a FIFO memory for storing the error information signal, thereby using a buffer for the transmission of the error information signal to the logging circuit.

    [0191] In general, such a FIFO memory comprises a given number N of locations, which usually should not be too high, because such FIFO memories occupy space. However, this implies that the FIFO memory may be filled in case a plurality of consecutive errors are generated, e.g., in case of consecutive read operations to damaged areas of a memory.

    [0192] Accordingly, also the full state of such a FIFO memory may correspond to an error condition, e.g., because some error conditions would not be logged. In this case, the FIFO full flag of the FIFO memory may be used as an additional error signal. Accordingly, in order to test the connectivity of such an error signal, the test circuit 1208 may comprise: a selection circuit used to overwrite the error signal; or a circuit used to selectively fill the FIFO memory.

    [0193] For example, the FIFO may be filled by asserting a write enable signal of the FIFO memory, e.g., the set signal SE may be used to selectively assert the write enable signal of the FIFO memory. Accordingly, by maintaining the write enable signal asserted for N clock cycles, the full flag of the FIFO memory will be asserted, whereby the respective error signal is asserted. Conversely, the error signal may be de-asserted, e.g., by resetting the FIFO memory, e.g., the clear signal CE may be used to selectively reset the FIFO memory.

    [0194] Moreover, by splitting the control circuit 1210 into plural control circuits, each control circuit 1210 could also test only a subset of the error signals, thus permitting that a parallel solution is used, thereby further reducing the execution time.

    [0195] Accordingly, the features described in the foregoing have one or more of the following advantages: independence from the clock speed of the various circuits to be monitored and/or the safety monitoring circuits, because the overwrite function of the error signals ERR may be implemented via combinational logic circuits 1208, and the control circuit 1210 may either use a low-speed clock signal or wait one or more clock cycles until the error signals ERR′ are propagated to the fault collection and error management circuit 1206; the control circuit 1210 may be configured to: a) sequentially test single error signals ERR′, thereby implementing a reliable test of the connectivity between each safety monitoring circuit SM and the fault collection and error management circuit 120a, and/or b) assert and/or de-assert (possibly during the runtime of the processing core(s) 102) all error signals ERR′, thereby implementing a fast connectivity test, e.g., in order to detect whether an error signal ERR′ is stuck to high or low; and/or c) perform the above operations in parallel for different subsets of error signals ERR′, e.g., first de-assert the error signals ERR′ of each subset and then sequentially test the error signals ERR′ of each subset, wherein these operations are executed in parallel for the various subsets; and the selection circuits 1208 and the control circuit 1210 may implemented with low complexity circuits.

    [0196] Generally, the diagnostic circuit 118 and/or the control circuit 1210 may also signal an error of the connectivity test (as indicated via the signal STATE) to the fault collection and error management circuit 1206, e.g., by generating a further error signal ERR, which may then be used to generate one or more of the signals IRQ, IR.sub.2, ET and SET.

    [0197] Of course, without prejudice to the principle of the invention, the details of construction and the embodiments may vary widely with respect to what has been described and illustrated herein purely by way of example, without thereby departing from the scope of the present invention, as defined by the ensuing claims.