The present invention relates to a method of operating a microprocessor system provided with safety functions which comprises two or more processor cores on a joint chip carrier; to a microprocessor system for at least partly safety-critical regulations, comprising at least two processor cores which are connected to periphery elements (5,6,7,8,9,10) by way of at least two bus systems associated with the cores, and at least two bus driver circuits able to transmit bus information from one bus to the other bus; and to a motor vehicle control/regulation system comprising such a microprocessor system.
EP 0 843 853 A1 discloses a microprocessor system for safety-critical control systems comprising two synchronously operated central units or CPU cores which can have access to periphery elements integrated on the same chip such as memory and input/output components by way of two separate bus systems. The microprocessor system described is especially used for safety-critical control and regulation systems in vehicles, for example, for the active control, or a control activated by the brake function, of the brake pressure applied to the wheels, such as in yaw rate control systems (ESP, TCS), lock control or anti-lock systems (ABS) and traction slip control systems (TCS, etc.). By doubling the processor core, the bus system and at least partly also the periphery elements it is possible to monitor processing errors in one of the two processors either by the respectively second processor or by a device checking whether the result of a working step is identical in both processors. This method permits a drastic increase of the error detection rate because errors that occur simultaneously in both processor branches are comparatively unlikely. Once an error is detected, appropriate measures can be taken such as deactivation of the control system or implementation of an emergency program (trap/interrupt) or a reset, thereby enhancing the reliability of operation of a brake system.
The periphery elements, which are connected to the two bus systems, generally comprise permanent stores (ROM, OTP, Flash), read-write memories (RAM), and input and output units or further bus systems connected by way of bus driver circuits. The bus systems are connected or coupled to each other by drive stages so that each processor core can also write data into, or read data from, the respectively other bus system. The design of the microprocessor system described in EP 0 843 853 A1 is not fully redundant with respect to the memory. At least part of the memory, which is connected to one of the two buses, is reproduced virtually by a hardware comparator. The reproduced memory in this case does not contain the same data word as the first memory at the same address, but parity information linked to the complete data word, calculated or produced from the data word written into the storage. The advantage hereby achieved is that a major part of the memory that exists for redundancy reasons can be saved practically without any loss of safety.
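The following C model, added here as an illustration and not taken from the patent or from EP 0 843 853 A1, shows the two mechanisms just described working together: a lockstep comparator that checks that both processor cores issue identical bus transactions, and a "virtual" second memory that stores only a parity bit per data word instead of a full copy. The structure names, the 16-word memory size and the single-bit even parity are assumptions chosen for the example; a real implementation would use whatever parity or checksum width the hardware comparator provides. On a mismatch the model records the error and sets a shutdown flag, standing in for the trap, reset or deactivation the text mentions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of one redundant memory region (assumed size). */
#define MEM_WORDS 16

/* One transaction as it appears on a core's bus. */
typedef struct {
    uint32_t addr;
    uint32_t data;   /* data to write; ignored for reads */
    bool     write;
} bus_txn_t;

/* Bus A carries the real RAM; bus B carries only parity per word. */
typedef struct {
    uint32_t ram_a[MEM_WORDS];
    uint8_t  parity_b[MEM_WORDS];
    unsigned error_count;
    bool     shutdown;   /* set when an error is detected (trap/reset stand-in) */
} system_t;

static void system_init(system_t *s) { memset(s, 0, sizeof *s); }

/* Even parity of a 32-bit word (assumed parity function for the example). */
static uint8_t word_parity(uint32_t w) {
    w ^= w >> 16; w ^= w >> 8; w ^= w >> 4; w ^= w >> 2; w ^= w >> 1;
    return (uint8_t)(w & 1u);
}

static void flag_error(system_t *s) { s->error_count++; s->shutdown = true; }

/* One lockstep cycle: both cores present their transaction; the comparator
 * requires them to be identical, then the memory side is checked. Returns true
 * when the cycle completed without a detected error. */
static bool lockstep_step(system_t *s, bus_txn_t a, bus_txn_t b, uint32_t *out) {
    if (s->shutdown) return false;                      /* already halted */
    if (a.addr != b.addr || a.data != b.data || a.write != b.write) {
        flag_error(s);                                  /* core divergence */
        return false;
    }
    if (a.addr >= MEM_WORDS) { flag_error(s); return false; }
    if (a.write) {
        s->ram_a[a.addr]    = a.data;                   /* full word on bus A */
        s->parity_b[a.addr] = word_parity(a.data);      /* parity only on bus B */
        return true;
    }
    /* Read: the word comes from bus A; bus B's stored parity must agree. */
    uint32_t d = s->ram_a[a.addr];
    if (word_parity(d) != s->parity_b[a.addr]) { flag_error(s); return false; }
    if (out) *out = d;
    return true;
}

/* Scenario 1: identical cores, consistent write then read. Returns 1 on success. */
static int demo_consistent_write_read(void) {
    system_t s; system_init(&s);
    bus_txn_t w = { 3, 0x12345678u, true }, r = { 3, 0, false };
    uint32_t v = 0;
    bool ok = lockstep_step(&s, w, w, NULL) && lockstep_step(&s, r, r, &v);
    return (ok && v == 0x12345678u && s.error_count == 0) ? 1 : 0;
}

/* Scenario 2: a single-bit fault in RAM A is caught by the parity on bus B. */
static int demo_detect_memory_fault(void) {
    system_t s; system_init(&s);
    bus_txn_t w = { 5, 0xCAFEBABEu, true }, r = { 5, 0, false };
    lockstep_step(&s, w, w, NULL);
    s.ram_a[5] ^= 0x00000100u;             /* constructed bit flip in stored word */
    bool ok = lockstep_step(&s, r, r, NULL);
    return (!ok && s.error_count == 1 && s.shutdown) ? 1 : 0;
}

/* Scenario 3: the two cores disagree on the data word; the comparator halts. */
static int demo_detect_core_divergence(void) {
    system_t s; system_init(&s);
    bus_txn_t a = { 7, 0x00000001u, true }, b = { 7, 0x00000003u, true };
    bool ok = lockstep_step(&s, a, b, NULL);
    return (!ok && s.error_count == 1 && s.shutdown) ? 1 : 0;
}

int main(void) {
    printf("consistent write/read : %s\n", demo_consistent_write_read() ? "ok" : "FAIL");
    printf("memory fault detected : %s\n", demo_detect_memory_fault() ? "ok" : "FAIL");
    printf("core divergence caught: %s\n", demo_detect_core_divergence() ? "ok" : "FAIL");
    return 0;
}
```

The model makes the trade-off in the text concrete: the parity side needs one bit per word instead of 32, yet any single-bit corruption of a stored word, and any divergence between the two cores, is still detected before the affected value is used. It also shows the limit of single-bit parity, which is why a real design chooses its parity or checksum width against the fault model it must cover: an even number of flipped bits in one word would pass the check.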
An object of the present invention is to further improve upon the above-mentioned microprocessor system in such a way that a distinction can be made between data and/or programs which are uncritical with respect to safety and data and/or programs which are critical.
Another objective of the invention is to provide a microprocessor system which, as before, reaches a rate of error detection as high as that of prior-art systems with respect to the critical data and/or programs, so that the reliability of operation mandatory for safety-critical applications is complied with, and which additionally offers the opportunity of executing programs that do not meet the high safety requirements of the safety-critical programs without such additional programs disturbing the run of the safety-critical programs. In addition, it is desired that the microprocessor system involve comparatively low effort in manufacture.