The present invention relates to a monitoring device for a microprocessor, designed to operate within a microprocessor-equipped system in which safety is an important parameter. It also relates to a system comprising at least one microprocessor and equipped with such a monitoring device, this system being able to function as a circuit breaker for an electric installation. Finally, it relates to a method for monitoring a microprocessor that enables a diagnosis of the operating state of the microprocessor to be established.
It is common practice to equip a device comprising a microprocessor with a time-based monitoring device, also called a watchdog. The function of such a monitoring device is to detect a possible sequencing anomaly of the microprocessor in order to trigger a safety intervention, such as a reset of the microprocessor or switching of the device to a safety configuration. The function of the watchdog is therefore to respond to certain malfunctions of the microprocessor which could lead to a dangerous, unsafe situation.
But such a device proves insufficient when a higher functional safety level is necessary, in particular when it is necessary to check the functional integrity of the microprocessor in performing safety functions. A first solution consists in using a second microprocessor dedicated to monitoring the main microprocessor, the latter generally being unable to perform self-testing with sufficient test coverage. However, such a solution is costly in both product manufacturing cost and development cost, and cumbersome as it requires a large amount of space on the printed circuit board to accommodate the additional microprocessor. Due to its complexity, such a solution further makes the product less dependable.
French patent document FR2602618 illustrates a solution in which a watchdog monitors the periodic performance of data processing controlled by a microprocessor for a circuit breaker of an electric installation. Such a microprocessor performs a certain number of digital processing operations on the electric signals of the installation, and generates a circuit breaker tripping order when certain predefined thresholds are reached. The microprocessor thus performs an essential safety function for the system, and a malfunction of the microprocessor would lead to a very risky situation for the monitored electric installation. To minimize the consequences of such a malfunction, the watchdog monitors any disturbances that may occur, which it detects as delays in a periodic cycle of an operation the microprocessor has to perform. The watchdog can thus detect malfunctions of the microprocessor: in such a situation, it transmits a re-initialization order to the microprocessor, and if this intervention does not solve the problem and is not followed by a normal restart of the periodic cycle managed by the microprocessor, the watchdog then transmits a circuit breaker tripping order to place the electric installation in a safety configuration, because its circuit breaker is faulty. However, such a solution does not enable all malfunctions of the microprocessor to be detected, since certain malfunctions of the microprocessor may have no repercussion on the periodic cycle being monitored. This approach can therefore be improved.
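The two-stage behaviour described above (a late periodic cycle first earns the microprocessor a reset order, and a cycle that does not resume after the reset earns a tripping order) can be written as a small time-stamped state machine. The following is an added illustration, not code from FR2602618 or from the present invention; the period, tolerance and restart-window values, and the `wd_kick`/`wd_poll` names, are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Orders the monitor can issue, and the monitor's own state. */
enum wd_action { WD_NONE, WD_RESET, WD_TRIP };
enum wd_state  { WD_RUNNING, WD_AWAIT_RESTART, WD_TRIPPED };

typedef struct {
    uint32_t period_ms;     /* expected length of the periodic cycle */
    uint32_t tolerance_ms;  /* lateness accepted before a reset order */
    uint32_t restart_ms;    /* time allowed for the cycle to resume after reset */
    uint32_t last_kick_ms;  /* time-stamp of the last completed cycle */
    uint32_t reset_at_ms;   /* time-stamp of the reset order */
    enum wd_state state;
} watchdog_t;

void wd_init(watchdog_t *wd, uint32_t period, uint32_t tol,
             uint32_t restart, uint32_t now) {
    wd->period_ms = period; wd->tolerance_ms = tol; wd->restart_ms = restart;
    wd->last_kick_ms = now; wd->reset_at_ms = 0; wd->state = WD_RUNNING;
}

/* Called by the microprocessor at the end of each periodic cycle.
 * A kick after a reset order means the cycle has resumed normally;
 * once tripped, the installation stays in its safety configuration. */
void wd_kick(watchdog_t *wd, uint32_t now) {
    wd->last_kick_ms = now;
    if (wd->state == WD_AWAIT_RESTART) wd->state = WD_RUNNING;
}

/* Called from the monitor's own clock; returns the order to issue, if any.
 * Subtractions on uint32_t stay correct across a counter wrap-around. */
enum wd_action wd_poll(watchdog_t *wd, uint32_t now) {
    if (wd->state == WD_RUNNING &&
        now - wd->last_kick_ms > wd->period_ms + wd->tolerance_ms) {
        wd->state = WD_AWAIT_RESTART;   /* stage 1: cycle is late */
        wd->reset_at_ms = now;
        return WD_RESET;
    }
    if (wd->state == WD_AWAIT_RESTART && now - wd->reset_at_ms > wd->restart_ms) {
        wd->state = WD_TRIPPED;         /* stage 2: reset did not help */
        return WD_TRIP;
    }
    return WD_NONE;
}

int main(void) {
    watchdog_t wd; wd_init(&wd, 10, 2, 30, 0);
    wd_kick(&wd, 10);                             /* one healthy cycle ... */
    printf("t=12 -> %d\n", wd_poll(&wd, 12));     /* then the cycle stalls */
    printf("t=23 -> %d\n", wd_poll(&wd, 23));     /* WD_RESET (1) */
    printf("t=54 -> %d\n", wd_poll(&wd, 54));     /* WD_TRIP  (2) */
    return 0;
}
```

Note that a fault which corrupts the threshold computation but leaves the cycle timing intact never changes `last_kick_ms`, which is exactly the blind spot the text points out.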