The present invention relates to an integrated circuit arrangement and its use in electronic brake systems for motor vehicles or in electronic control systems for governing the driving dynamics of motor vehicles or for controlling electronically controlled parking brakes or for controlling vehicle restraint systems such as airbag controls. The integrated circuit arrangement is for safety-critical applications, for regulating and controlling tasks in an electronic brake system for motor vehicles. The arrangement has a plurality of electronic, cooperating functional groups interconnected by electric lines (30). There are functional groups of a first type and a second type, with the functional groups of the first type comprising at least the functional group redundant microprocessor system (1) such as the functional group input/output devices (19), and the functional groups of the second type comprising at least the functional groups actuator drivers (11, 15, 24, 35) and safety circuits (5, 5′, 7, 7′). The functional groups of the first type and the second type are grouped on a joint chip or chip support member (23).
Microprocessor systems for safety-critical regulations are disclosed in DE 197 16 197 A1, for example. The microprocessor systems disclosed therein include redundant data processing in order to be appropriate for safety-critical applications such as in ABS or ESP control units. To achieve redundancy, the microprocessor system comprises duplicated functional groups which comprise in each case central units (CPUs), bus systems, and additional functional groups such as memories and input/output components (I/O). Special comparators and bypasses, which perform comparisons of the data, the output data or output signals of the central units, are used to check the proper function of the functional groups.
Among the safety-critical control systems according to the invention are e.g. the control systems which intervene in the brake function of a motor vehicle, which are on the market in large quantities and great varieties. Examples of these systems are anti-lock systems (ABS), traction slip control systems (TCS), driving stability control systems (ESP, TCS, DDC, ASMS), chassis control systems, and also control units for parking brakes and restraint systems, etc. For example, failure of an ESP control system would jeopardize the driving stability of the vehicle. For this reason, the operability of the systems is constantly monitored in order to disable the control when a fault occurs (‘fault silent’) or to switch it over to a condition less dangerous for safety (‘fault tolerant’).
Monitoring the proper function of integrated circuits is even more important when they are used in brake systems or motor vehicle control systems where it is not possible to switch over to a mechanical or hydraulic system when the electronics fail. This concerns current brake system concepts such as ‘brake-by-wire’. The brake function in such systems depends on an intact electronic circuit, so that microprocessor systems equipped with a fault-tolerant redundancy concept (‘fault tolerant’) are especially significant for these brake systems.
Another example of a circuit arrangement or a microprocessor system for controlling and monitoring an anti-lock vehicle brake system is disclosed in DE 32 34 637 C2. According to this specification, the input data is sent in parallel to two identically programmed microcomputers and processed synchronously therein. The output signals and intermediate signals of the two microcomputers are checked for concurrence by means of redundant comparators. When the signals differ from each other, the control will be disabled using a circuit which is also designed redundantly. In this prior art circuit arrangement, one of the two microcomputers is used to produce the brake pressure control signals, while the other microcomputer provides the test signals. This means two complete microcomputers, including the associated read-only memories and write-read memories, are required in this symmetrically designed microprocessor system.
According to another system known from the art, on which the circuit described in DE 41 37 124 A1 is based, the input data is also sent in parallel to two microcomputers, of which, however, only one performs the complete, sophisticated signal processing. The second microcomputer is mainly used for monitoring purposes, for which reason the input signals, after having been conditioned, after the formation of time derivatives, etc., can be processed further with the aid of simplified control algorithms and a simplified control philosophy. The simplified data processing is sufficient to produce signals which allow conclusions to be drawn about the proper operation of the system by way of comparison with the signals processed in the more sophisticated microcomputer. The use of a test microcomputer of reduced efficiency allows the manufacturing effort to be reduced compared to a system having two complete sophisticated microcomputers of equal output.
DE 43 41 082 A1 discloses a microprocessor system which is provided in particular for the control system of an anti-lock brake system. This prior art system, which may be accommodated on one single chip, comprises two central units in which the input data is processed in parallel. The read-only memories and the write-read memories connected to the two central units comprise additional storage locations for test information and in each case one generator for generating test information. The output signals of one of the two central units are further processed to produce the control signals, while the other central unit, being the passive one, is only used to monitor the active central unit.
Thus, the necessary safety in the prior art systems mentioned hereinabove is in principle achieved by redundancy of data processing. In the first case (DE 32 34 637 C2) the system is based on the use of two processors with identical software, which experts refer to as symmetrical redundancy. In the second case (DE 41 37 124 A1), two processors with different software are used (so-called unsymmetrical redundancy). In principle, it is also possible to employ one single processor processing the input data based on different algorithms, in which case additional test algorithms are used in order to identify fault-free operations.
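The two comparison schemes summarized above, as an added C illustration that is not taken from any of the cited specifications: a symmetrical check requires bit-exact agreement between two identical channels, while an unsymmetrical check compares the full channel against a simplified monitor within a tolerance band. The function names, the slip-based control law, the tolerance of 48 and the input values are all assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical names, control law and tolerance; constructed for illustration. */
typedef enum { CTRL_ACTIVE, CTRL_DISABLED } ctrl_state_t;

/* Full channel: pressure-reduction command (0..255) from slip in 0.1 % steps. */
static uint8_t full_channel(uint16_t wheel_mm_s, uint16_t ref_mm_s) {
    if (ref_mm_s == 0 || wheel_mm_s >= ref_mm_s) return 0;
    uint32_t slip = (uint32_t)(ref_mm_s - wheel_mm_s) * 1000u / ref_mm_s;
    if (slip <= 100u) return 0;                  /* below 10 % slip: no action */
    return (uint8_t)((slip - 100u) * 255u / 900u); /* 10..100 % maps to 0..255 */
}

/* Simplified monitor channel: coarse three-step estimate of the same command. */
static uint8_t monitor_channel(uint16_t wheel_mm_s, uint16_t ref_mm_s) {
    if (ref_mm_s == 0 || wheel_mm_s >= ref_mm_s) return 0;
    uint32_t slip_pct = (uint32_t)(ref_mm_s - wheel_mm_s) * 100u / ref_mm_s;
    if (slip_pct <= 10u) return 0;
    return slip_pct < 40u ? 40 : (slip_pct < 70u ? 125 : 210);
}

/* Symmetrical redundancy: identical software, outputs must agree exactly. */
static ctrl_state_t check_symmetrical(uint8_t a, uint8_t b) {
    return a == b ? CTRL_ACTIVE : CTRL_DISABLED;
}

/* Unsymmetrical redundancy: outputs must agree within a plausibility band. */
static ctrl_state_t check_unsymmetrical(uint8_t full, uint8_t mon, int tol) {
    return abs((int)full - (int)mon) <= tol ? CTRL_ACTIVE : CTRL_DISABLED;
}

/* One control cycle. fault_mask simulates a bit error in channel A's output;
 * a mismatch disables the control ('fault silent'). */
ctrl_state_t cycle(uint16_t wheel, uint16_t ref, uint8_t fault_mask, int symmetrical) {
    uint8_t a = (uint8_t)(full_channel(wheel, ref) ^ fault_mask);
    if (symmetrical)
        return check_symmetrical(a, full_channel(wheel, ref));
    return check_unsymmetrical(a, monitor_channel(wheel, ref), 48);
}

int main(void) {
    /* Constructed inputs: wheel at 5.0 m/s, vehicle reference at 10.0 m/s. */
    return cycle(5000, 10000, 0x00, 1) == CTRL_ACTIVE ? 0 : 1;
}
```

With these constructed inputs, a single low-order bit error in the full channel trips the symmetrical check but stays inside the plausibility band of the unsymmetrical check, which only catches the high-order bit error.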
Finally, DE 195 29 434 A1 (P 7959) discloses a system of the type mentioned hereinabove which is also referred to as a system with core redundancy. In this prior art microprocessor system, two synchronously operated central units are provided on one chip or on several chips which receive identical input information and execute the same program. The two central units are connected by way of separate bus systems to the read-only memories and the write-read memories as well as to input and output units. The bus systems are interconnected by driver stages or bypasses allowing the two central units to jointly read and process the available data, including test data and commands. The system permits saving storage locations. Only one of the two central units is connected (directly) to a high-value read-only memory and a write-read memory, while the storage capacity of the second processor is limited to storage locations for test data (parity monitoring) in connection with a test data generator. There is access to all data by way of the bypasses. This makes the two central units capable of executing the full program in each case.
The above-described highly integrated and complex safety-critical microprocessor systems have so far not been grouped on a joint chip or chip support member with the components which are active in actuating energy-dissipating consumers such as valve coils for the hydraulic brake pressure control. For this reason, it has previously been necessary to accommodate several integrated circuits (e.g. ICs or separately housed chips, respectively) on one or more conducting path carriers in the electronic controllers for electronic brake systems. Only in this way was it possible to realize the failsafe assemblies required for the actual electrohydraulic function (e.g. actuator control, redundant final stages, drivers) as well as for the operation of the microprocessor. In this two-chip system, the first chip comprises the redundant microprocessor system, while the second chip comprises both digital and analog circuit parts (mixed signal) with subassemblies for signal conditioning, actuator control, and for handling the failsafe functionality (e.g. watchdog).