The present invention relates to a microprocessor system for safety-critical control systems, including two synchronously operated central units or CPUs which receive the same input data and process the same program, equipped with read-only memories (ROM) and random-access memories (RAM), and memory locations for test data and test data generators, and also including comparators which check the output data of the central units and issue disconnecting signals in the event of non-correlation.
Safety-critical control systems are, for example, automotive vehicle control systems which intervene into braking operations. Among these control systems, especially wheel-lock control systems or anti-lock systems (ABS) and traction slip control systems (TCS, etc.) are very important and available on the market in many versions. Driving stability control systems (DSC, ASMS), suspension control systems, etc., are also critical in terms of safety because they are based on brake management, and their malfunction may impair the driving stability of the vehicle in other ways. Therefore, it is imperative to constantly monitor the operability of such systems in order to disconnect the control when an error occurs, or to switch the control over in a condition which jeopardizes safety less.
German patent No. 32 34 637 discloses an example of a circuit arrangement or a microprocessor system for controlling and monitoring an anti-lock vehicle brake system. In this patent, the input data are sent in parallel to two identically programmed microcomputers where they are processed synchronously. The output signals and intermediate signals of the two microcomputers are checked for correlation by redundant comparators. In the event of non-correlation of the signals, disconnection of the control is effected by a circuit which also has a redundant design. In this known circuit, one of the two microcomputers is used to produce braking pressure control signals, while the other one is used to produce the test signals. Thus, two complete microcomputers, including the associated read-only memories and random-access memories, are required in the symmetrically designed microprocessor system.
In another prior art system, based on which the circuit described in German patent application No. 41 37 124 is configured, the input data are also sent in parallel to two microcomputers, only one of which, however, performs the complete complicated signal processing operation. The second microcomputer is mainly used for monitoring, so that the input signals, after being conditioned and time derivatives being produced, etc., can be further processed by way of simplified control algorithms and a simplified control philosophy. The simplified data processing is sufficient to produce signals which permit indications of the proper operation of the system by comparison with the signals processed in the more sophisticated microcomputer. The use of a test microcomputer of a reduced capacity permits diminishing the expenditure in manufacture compared to a system having two complete, sophisticated microcomputers of identical capacity.
German patent application No. 43 41 082 also discloses a microprocessor system of the previously mentioned type. However, the system is especially intended for use in the control system of an anti-lock brake system. The prior art microprocessor system, which can be mounted on one single chip, includes two central units, or CPUs, in which the input data are processed in parallel. The read-only memories and the random-access memories, to which both central units are connected, comprise additional memory locations for test data, each having a generator to produce test data. The output signals of one of the two central units are further processed for producing the control signals, and the other central unit, i.e. the `passive` one, is only used to monitor the `active` central unit. The expenditure in manufacture is considerably reduced, without deteriorating the error detection ability, by eliminating the need for a double provision of the memories in this system and by accepting a relatively small extension of the memories to store the test data.
Also, an object of the present invention is to develop a microprocessor system which detects and signals malfunctions of the system with the extremely high degree of probability and reliability which is required for safety-critical applications. Additionally, a comparatively low expenditure in manufacture should be sufficient for a microprocessor system of this type.