The present invention relates to a method of monitoring a data processing circuit which includes two or a plurality of data processing systems such as microprocessors, microcomputers, or the like, which are mounted on a joint chip and connected by data lines. Circuitries for implementing the method are also comprised by the present invention.
The proper, fail-free operation of data processing circuits, comprising microprocessors, microcomputers and other programmed circuit systems, must be monitored, as is known in the art. This applies especially when the circuits form part of safety-critical control systems. One example of a safety-critical application is the controlling intervention in the brake system of an automotive vehicle, for example, for anti-lock control purposes, for traction slip control or driving stability control. When a malfunction of the data processing circuit is detected, the control is deactivated or changed over to a mode of operation which is still possible despite the error occurred, and is less critical in safety respects.
It is important for such monitoring actions that the malfunction is detected quickly and with a high degree of reliability. To achieve this object, in a control circuit disclosed in German patent No. 32 34 637 (P 5248), the input data produced in wheel sensors are processed in two parallel, identically designed and identically programmed microcontrollers which are independent of each other. The output signals of the two microcontrollers are then checked for correlation. When differences indicative of a malfunction arise, the electronic control is disabled, and brake functioning is thereby maintained. Thus, the prior art control circuit is based on redundant data processing in two complete systems, and the sole purpose of the redundance is to identify occurring errors with a high degree of reliability so that the control system can be disabled in this case. The monitoring circuit for identifying and evaluating arising differences and the deactivation electronics also have a virtually redundant design. Thus, greater complexity must be tolerated for saftey reasons.
Further, German patent application No. 41 37 124 discloses a circuitry wherein the input signals are processed in two parallel microcontrollers which have a different design and program, however. Only one of the two microcontrollers performs the complete, complicated signal processing operation. The second microcontroller is mainly used for monitoring, for what purpose the input signals, after being conditioned and after time derivatives are produced, are further processed on the basis of simplified control algorithms and a simplified control philosophy. In comparison to the above mentioned prior art circuit, the complexity is reduced by the simplified data processing operation in the monitoring microcontroller.
Nowadays, it is in principle also possible to accommodate a plurality of complete data processing systems, for example, two microcomputers, on one single chip, to furnish both microcomputers with the same input data and to compare the data processing results of both systems for checking the proper operation of the systems. However, when the electronic systems are constructively linked in this fashion, it cannot be ruled out with a sufficiently high degree of reliability that, with defined circuit defects or a malfunction having equal effect on both systems, a correct monitoring signal will be produced even if an error exists.
A sufficiently reliable detection of malfunctions cannot be expected at all in a circuit based on one single data processing system in connection with a monitoring operation of the conventional type.
Finally, German patent application No. 40 04 782 discloses an anti-lock system having two microcontrollers which both generate a monitoring signal that represents an alternating signal with a predetermined frequency and a predetermined variation. A safety circuit compares the alternating signals with a time standard derived from a clock generator which is independent of the working clock of the microcontroller. A variation of the alternating signal as well as failure of the time standard leads to a deactivation of the anti-lock control. The control is disabled when the pulses drop from the predetermined time window. This circuit is also based on using two microcontrollers of redundant operation.
An object of the present invention is to monitor a data processing circuit comprising two or a plurality of processors mounted on one single chip, or other data processing systems and to achieve that malfunctions are detected and signalled with a high degree of safety and reliability. Further, the expenditure required to achieve the present method and the corresponding circuit should be minimized.