The invention relates to a single-processor system for carrying out a required system function, the system having both a single processor unit carrying out the system function and fault reaction means which monitor the system for system faults occurring and, if a fault is discovered, react by putting the system into a predetermined fault reaction state.
A single-processor system is understood here to mean a system having only one processor unit for carrying out a particular system function, in contrast to multiprocessor systems, such as described in laid-open specifications EP 0 086 601 A2, EP 0 635 784 A1 and DE 35 02 721 A1, in which a plurality of processor units operate in parallel on a particular system task. To carry out further functions, the present single-processor system can, of course, also have further processor units.
In comparison to multiprocessor systems, the use of only one processor unit to carry out a particular system function has the advantage of lower implementational complexity, because multiprocessor systems require additional processor units and measures for collision-free parallel operation of the plurality of processor units. One difficulty in single-processor systems, however, is that, in the event of partial or complete failure of the processor unit, the system function may no longer be carried out and the system can reach an undefined state. This is particularly undesirable in safety-critical applications, such as use in motor-vehicle engineering for performing a safety-critical control function.
A known measure for eliminating this difficulty comprises a redundant system design in which at least two parallel processor units form a multiprocessor system which ensures that, even if one processor unit fails, the required system function is carried out by the other, still operable processor unit. This is again associated with a corresponding implementational complexity, however.
Hence, it is also already known practice to monitor a single processor unit using a so-called watchdog unit, which can be implemented in hardware or software and monitors the program execution performed by the processor unit for any fault which may occur. This is achieved by having the processor unit call, i.e. drive, the watchdog unit at predetermined points in its program execution. If this call does not take place correctly, e.g. not within a time period counted off by a timer in the watchdog unit, the watchdog unit outputs a reset command to the processor unit and thus puts the latter into a defined initial state. Particularly for safety-critical applications, however, this measure is still not always satisfactory: if the watchdog unit itself fails, the protection is no longer assured, and in some fault cases it may be desirable not only to reset the processor unit but also to implement at least one further fault reaction measure. Thus, if a safety-critical actuator is driven by the processor unit, for example, it may be desirable, when a fault occurs, not only to reset the processor unit to its defined initial state but also to put the actuator into a defined safety state.
The invention is therefore based on the technical problem of providing a single-processor system of the type mentioned in the introduction which contains fault reaction means which can be implemented with relatively little complexity, are able to put the system into a predetermined fault reaction state when a fault is discovered and which operate in a fail-safe manner to a certain extent.
The invention solves this problem by providing a single-processor system having the features of Claim 1. In this system, the fault reaction means allocated to the single processor unit contain at least two mutually independent watchdog units which are allocated to the processor unit to monitor faults and which, if a system fault is discovered, cause the processor system to be put into the predetermined fault reaction state, for example a noncritical safety state.
This system according to the invention avoids the complexity of multiprocessor systems and yet affords a certain level of security against failure, as a result of the two parallel watchdog units, especially with respect to operational failure of one of these watchdog units. In their fundamental principle, the latter can be designed as conventional watchdog units, and additional functional features can be implemented depending on the application. In the present case, the fact that the two watchdog units are independent of one another is intended to mean that one and the same system fault does not cause them both to fail, so that, in this regard, the desired reliability-increasing watchdog redundancy is provided.
A single-processor system developed according to Claim 2 comprises an actuator driven by the processor unit. In this case, the watchdog units are designed such that they put the actuator into a predetermined state when a fault which has occurred is recognized, where said predetermined state can, in the case of an actuator operating in a safety-critical area, be a noncritical safety state, in particular. In addition, provision may be made for the watchdog units to reset the processor unit to its defined initial state when a fault is recognized. In a further refinement of this measure, Claim 3 provides that the watchdog unit which recognizes the fault keeps the actuator in the predetermined state until said watchdog unit obtains enable information from the processor unit, after receipt of which the watchdog unit enables the actuator again for normal operation.
In a single-processor system developed according to Claim 4, the watchdog units are called at one or more defined points in the program execution performed by the processor unit, and each watchdog call can carry information about which program execution point is initiating it. The watchdog units contain suitable execution checking means which evaluate the calls and thus recognize whether the processor unit is executing the program correctly or whether there is a system fault. An appropriately intelligent design of the watchdog units can, in particular, allow recognition of faults in which the processor unit is running only part of the complete program cyclically. If this program part and the remaining program part each contain a call to an intelligent watchdog unit of this type, then, although the watchdog unit is driven at sufficiently short time intervals, it nevertheless recognizes the fault on account of the missing call from the rest of the program, which is no longer being processed.
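The following is an added illustration and is not part of the patent text nor the applicant's own design: a C model of two independent watchdog units of the kind described for Claims 2 to 4, each with its own timer and its own program-flow check, jointly gating an actuator. The three program points, the tick-based timing limits and all function names are assumptions made for this example. It shows the fault singled out in the last paragraph, a processor unit that cyclically runs only one part of its program while still calling the watchdogs often enough to satisfy a plain timeout check, the survival of the reaction when one watchdog unit has itself failed, and the hold-until-enable behaviour of Claim 3.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Program points reported to the watchdogs (names and three-part program are assumed here). */
enum checkpoint { CP_READ_SENSORS = 0, CP_CONTROL_LAW = 1, CP_DRIVE_ACTUATOR = 2, CP_COUNT = 3 };
#define CP_ALL_MASK ((1u << CP_COUNT) - 1u)
enum actuator_state { ACT_NORMAL = 0, ACT_SAFE = 1 };

/* One watchdog unit: classic call timeout plus a program-flow check over all points. */
struct watchdog {
    uint32_t timeout, cycle_period;  /* max ticks between calls; max ticks per complete pass */
    uint32_t last_call, cycle_start; /* tick of the last call; tick the current pass began */
    uint32_t seen_mask;              /* program points reported in the current pass */
    bool fault;                      /* latched: the actuator is held in the safe state */
    bool alive;                      /* false models operational failure of this unit */
};

/* Watchdog call issued by the processor unit at program point `cp`. */
static void wd_call(struct watchdog *wd, uint32_t now, enum checkpoint cp)
{
    if (!wd->alive) return;
    wd->last_call = now;
    wd->seen_mask |= 1u << cp;
    if (wd->seen_mask == CP_ALL_MASK) { wd->seen_mask = 0; wd->cycle_start = now; } /* pass done */
}

/* Run from the unit's own timer, independent of the processor; a fault stays latched. */
static bool wd_check(struct watchdog *wd, uint32_t now)
{
    if (!wd->alive) return false;
    if (now - wd->last_call > wd->timeout) wd->fault = true;        /* no call at all */
    if (now - wd->cycle_start > wd->cycle_period) wd->fault = true; /* some point never reached */
    return wd->fault;
}

/* Enable information from the reset and restarted processor unit releases the latch. */
static void wd_enable(struct watchdog *wd, uint32_t now)
{
    wd->fault = false; wd->seen_mask = 0;
    wd->last_call = wd->cycle_start = now;
}

struct system { struct watchdog wd[2]; uint32_t now; };
/* Two units with separate timers and limits, so one fault cannot silence both. */
static void sys_init(struct system *s)
{
    s->now = 0;
    s->wd[0] = (struct watchdog){ .timeout = 10, .cycle_period = 40, .alive = true };
    s->wd[1] = (struct watchdog){ .timeout = 12, .cycle_period = 50, .alive = true };
}
static void sys_call(struct system *s, enum checkpoint cp)
{
    wd_call(&s->wd[0], s->now, cp); wd_call(&s->wd[1], s->now, cp);
}
/* Either watchdog alone is enough to force the actuator into the safe state. */
static enum actuator_state sys_actuator(struct system *s)
{
    bool f0 = wd_check(&s->wd[0], s->now), f1 = wd_check(&s->wd[1], s->now);
    return (f0 || f1) ? ACT_SAFE : ACT_NORMAL;
}

/* Correct cyclic program, one point per tick: ACT_NORMAL, or -1 on a false alarm. */
int scenario_normal(void)
{
    struct system s; sys_init(&s);
    for (int i = 0; i < 100; i++) {
        s.now++; sys_call(&s, (enum checkpoint)(i % CP_COUNT));
        if (sys_actuator(&s) == ACT_SAFE) return -1;
    }
    return ACT_NORMAL;
}

/* Fault: the processor loops over the control-law part only but still calls every tick,
   so the timeout never fires. Returns the tick at which the actuator was forced safe. */
int scenario_partial_loop(bool wd0_dead)
{
    struct system s; sys_init(&s); s.wd[0].alive = !wd0_dead; /* wd0_dead: first unit failed */
    for (int i = 0; i < 100; i++) {
        s.now++; sys_call(&s, CP_CONTROL_LAW);
        if (sys_actuator(&s) == ACT_SAFE) return (int)s.now;
    }
    return -1;
}

/* After a fault the actuator stays safe even when correct calls resume; only enable releases it. */
bool scenario_recover(void)
{
    struct system s; sys_init(&s);
    for (int i = 0; i < 60; i++) { s.now++; sys_call(&s, CP_CONTROL_LAW); sys_actuator(&s); }
    bool held_safe = sys_actuator(&s) == ACT_SAFE;
    for (int i = 0; i < 30; i++) { s.now++; sys_call(&s, (enum checkpoint)(i % CP_COUNT)); }
    bool still_safe = sys_actuator(&s) == ACT_SAFE;
    wd_enable(&s.wd[0], s.now); wd_enable(&s.wd[1], s.now);
    for (int i = 0; i < 30; i++) { s.now++; sys_call(&s, (enum checkpoint)(i % CP_COUNT)); }
    return held_safe && still_safe && sys_actuator(&s) == ACT_NORMAL;
}

int main(void)
{
    printf("%d %d %d %d\n", scenario_normal(), scenario_partial_loop(false), scenario_partial_loop(true), (int)scenario_recover());
}
```

With these assumed limits the correct program never trips either unit, the partial loop is recognized at tick 41 by the first unit through its program-flow check alone (the timeout check is satisfied the whole time), the same fault is still recognized at tick 51 by the second unit when the first has failed, and after a fault the actuator stays in the safe state through 30 ticks of correct calls until both units receive the enable information. The processor reset itself is not modelled; only the enable that follows a restart is.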