The present invention relates to a microcomputer system, for example, for use in a regulator for internal combustion engines in controlling and regulating the fuel injection and other functions in a motor vehicle in dependence on operating magnitudes of various parameters. Exemplary parameters are engine revolutions, charging pressure, gas pedal position, etc., which are determined with the aid of measuring value sensors. Sensor signal lines are connected with the microcomputer system. Outputs of the microcomputer to include drive circuits, are connected with servo members, signal displays or the like. The microcomputer system includes at least two microcomputers. The function of each system is distributed over the individual microcomputers, and a parameter storer (memory) is provided, for example, for data specific to the motor and the vehicle.
Microcomputer systems are used in many fields and in consequence of the steadily growing demands in respect to the rapid processing of much data. The systems are becoming more and more complex, and in most cases, increased demands are also placed to achieve low error rate and high reliability. In the following, this set of problems is discussed with the example of a regulator for diesel motors, but similar problems arise in many other areas, for example, in the field of medical apparatus.
Many parameters may be controlled with the aid of a regulator. For example, in diesel motors, the amount of injected fuel, the injection time point, the gas feedback, etc., are controlled in dependence on various sensed parameters. Drive circuits, for example, through a stepping motor, operate the setting rod of the injection pump. From various sensors, operating data are fed to the microcomputer system, such as, for example, the engine revolutions, the water temperature, the charging pressure, the fuel temperature, etc.
A regulator for a diesel engine requires much greater reliability than those previously employed for gasoline engines. An unloaded diesel motor can be destroyed with even a very small amount of excess injected fuel leading to excessive engine revolutions or a runaway. In the case of faulty behavior of the regulators, however, serious accidents are possible even before the diesel motor reaches a turning speed that leads to its destruction. Safety arrangements that have hitherto become known, which in parallel to the regulator electronic system proper, provide for the stopping of the motor on exceeding of a limit speed, do not suffice. It is desirable to enhance protection against engine runaway. As is known, one could have two computers operate in parallel and compare the result. Such a use of computers, however, is highly uneconomical, and the comparison only indicates that the result is erroneous. In general, a comparison of two computers does not say which of the two computers is operating faultily and which is correct.
One of the specific problems in use of microcomputers in motor vehicles lies in electrical interference, which can often lead to a faulty behavior of the system or a total program failure. The regulators that have hitherto become known, operate with a single microcomputer and mostly with external program memory (EPROM).
These so-called "multi-chip microcomputer systems" are those in which the address and data buses are led out as in a microprocessor. As a result of these external buses, the multi-chip microcomputer systems are extremely susceptible to electrical interferences. Data communication on address and data buses occur very rapidly at low signal levels, rendering the communication susceptible to interference. Any relatively great interference peak can lead to a program or data falsification, or to a total collapse of program, or crash.
Known watchdog circuits can be employed to restart a microcomputer after detecting a potential crash. Essentially, the watchdog circuits are counters with a certain counting capacity which are reset again and again on the starting value by a resetting signal generated with software from the microcomputer. In a crash, one hopes that the resetting signal in the software ceases, so that the counter finally overflows. As a result, the microcomputer is reset at its reset input and begins the program entirely from the beginning. Unfortunately, this method is not certain, for watchdog circuits are not triggered by all faults.
Any microcomputer has a finite number of input and output ports. The ports required for the control of external components, such as, for example, program storers, are lost for the input/output lines of the microcomputer. It is often desirable to recover ports by adding so-called port-extension components with increased expenditures of costs and space and usually less performance. Port-extension components lead to a larger current supply and possibly to a larger microcomputer housing to include cooling ribs. For example, to connect an external 4K program storer, there are needed first of all 13 address lines and eight data lines, whereby altogether there are lost 21 terminals (ports) for the control of the apparatus proper. Most usual commercial microcomputers have only 32 terminals total, so that only 11 terminals remain for the control inputs and outputs.
It is a further known practice to connect several processors to common buses with common storers. It is also a known practice to connect one-chip microcomputers with one another. Serial interfaces are often provided on the chip for such interconnection. Insofar as parameter values are contained in separate storers, these are driven over the buses present. More frequently, the parameter values and the program are contained in the same storer.
A regulator for internal combustion engines that has become known from European EP-A-127,789, contains exactly two microprocessors, over which there are distributed the various assignments. Between the two processors, there is provided a bus system. A "Personality Prom" in this system, contains motor-specific or vehicle-specific data and communicates over an additional bus with the first microprocessor. Therefore, only the first microprocessor can directly access the parameter storer. The second microprocessor must communicate with the program storer through the first microcomputer. As a result, the first microprocessor is additionally burdened and, the access times to the parameter storer become longer.
In "Electronik" (1982), No. 4, pages 55-62, there are described various multi-microprocessor systems. A common storer (FIG. 6 of the literature reference) communicates with individual microprocessors over a common bus. The common bus like a computer-internal bus, carries the entire data and address traffic, i.e., also the program information. Unfortunately, this externalization of the internal bus is very susceptible to interference as discussed above.