In devices used for controlling machines or processes, it is vitally important to ensure the integrity of the data these devices access in order to execute their control tasks. Errors in these data, whether attributable to a technical fault in the device itself or to unauthorized access by a third party, must be detected with certainty, so that every function whose operational reliability is no longer ensured can be blocked.
It has long been known to ensure the integrity of data in a data-processing device by storing the data in encoded form and then using them only when they represent a valid code word of the code in use. In the simplest case, the encoding consists of adding a parity bit or a checksum.
The significant advantage of these codes is their simplicity, which makes it possible to check whether a data word read from memory is a valid code word in real time, or even independently of a read access to the code word in question. Microcomputers are known, for example, which, for every eight memory components that store the individual bits of a data byte, have a ninth memory component for a parity bit, and which have a control circuit that calculates the parity bit for every byte read from the eight memory components, compares it to the bit stored in the ninth memory component and, if they do not agree, signals a fault.
With this method it is possible to detect errors in the stored data, but not to correct them. A control process that attempts to access faulty data can therefore, at best, be terminated; no provision is made for continuing the process on the basis of corrected data. This is not a satisfactory approach for applications in which terminating a process can pose a safety risk just as much as continuing it with faulty data.
In the field of motor-vehicle control units, it is known to avoid these problems by storing safety-critical data multiple times, so that, if a data value to be accessed is identified as faulty, a copy is available that can be used in its place.
This procedure typically requires a substantial amount of memory, since at least two copies of each safety-critical datum must be stored, and, in addition, redundant information must be available to discern whether the datum to be accessed is faulty or not.
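As an added illustration that is not part of this text, the following Python models the parity-protected byte memory described above (eight data bits plus a ninth parity bit, detection only) beside the mirrored variant used in vehicle control units, and computes the memory cost of each; all class and function names are assumed, and the injected faults are constructed for the demonstration.

```python
class IntegrityError(Exception):
    """Raised when a read finds no valid code word (the function must be blocked)."""


def parity_bit(value: int) -> int:
    """Even parity: 1 if the byte has an odd number of set bits, else 0."""
    return bin(value & 0xFF).count("1") & 1


class ParityStore:
    """Eight data bits plus a ninth parity bit per address (assumed model)."""

    def __init__(self, size: int) -> None:
        self.cells = [0] * size    # the eight data-bit components
        self.parity = [0] * size   # the ninth component per byte

    def write(self, addr: int, value: int) -> None:
        self.cells[addr] = value & 0xFF
        self.parity[addr] = parity_bit(value)

    def check(self, addr: int) -> bool:
        """Recompute the parity of the stored byte and compare with the ninth bit."""
        return parity_bit(self.cells[addr]) == self.parity[addr]

    def read(self, addr: int) -> int:
        if not self.check(addr):
            raise IntegrityError(f"parity mismatch at address {addr}")
        return self.cells[addr]

    def flip_bit(self, addr: int, bit: int) -> None:
        """Constructed single-bit fault in a data cell, for demonstration only."""
        self.cells[addr] ^= 1 << bit


class MirroredStore:
    """Two parity-protected copies; a read falls back to the intact copy."""

    def __init__(self, size: int) -> None:
        self.copies = (ParityStore(size), ParityStore(size))

    def write(self, addr: int, value: int) -> None:
        for copy in self.copies:
            copy.write(addr, value)

    def read(self, addr: int) -> int:
        for copy in self.copies:
            if copy.check(addr):
                return copy.cells[addr]
        raise IntegrityError(f"all copies faulty at address {addr}")


def safe_read(store, addr: int):
    """Return the datum, or None when integrity cannot be ensured."""
    try:
        return store.read(addr)
    except IntegrityError:
        return None


def memory_bits(size: int, copies: int) -> int:
    """Bits consumed by `size` bytes stored `copies` times with one parity bit each."""
    return size * 9 * copies
```

Parity alone detects a single flipped bit but cannot say which one, so the plain store can only refuse the read; the mirrored store doubles the memory to keep the process running from the surviving copy.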