Electronic data processing systems comprising a number of functional units are known. These functional units may, for instance, be implemented in semiconductor devices comprising integrated circuits that are adapted to perform the corresponding functions. Microcontroller or microprocessor systems are, for instance, known which comprise one or a plurality of (central) control or processing units (CPU). The CPU or the CPUs may, in combination with one or a plurality of memory means, e.g., a program and a data memory means, perform various objects or programs or fulfill various functions, respectively.
System integrity and the possibility of detecting a system that operates incorrectly or faultily is important in many fields of use of electronic data processing systems. A reliable operating mode is particularly important with electronic data processing systems that control or monitor, for instance, life-supporting functions or fulfill observing tasks. Such systems therefore have safety functions that are executed on occurrence of a malfunction by the system with the object of achieving or maintaining a safe system state.
Detecting systems that operate incorrectly or faultily, and possibly activating safety functions, is as a rule done by implementing redundancy, which makes it possible to test the operability of the system or to detect a malfunction of it. In the instant context, redundancy means that the system performs the same function multiple times, so that a misconduct or malfunction of the corresponding functional units of the system may be detected by comparing the corresponding functional products.
Three classes of redundancy may be differentiated. The first class of redundancy that is adapted to be used for testing the operability or for detecting a malfunction of the system is temporal redundancy. When temporal redundancy is used, a function is performed at different points in time, as a rule on the same implementation, and the resulting functional behaviors of the system are compared with one another. This may, for instance, be the performance of a function during the development time of a system, which is compared with the performance of the same function under normal operating conditions or in the field, which is also referred to as a test routine.
The second class of redundancy that is adapted to be used for testing the operability or for detecting a malfunction of the system is local redundancy. To apply local redundancy, a system resource is, for instance, implemented multiple times at different places, so that the same implementation is present several times. Thus, it is possible to perform the same function of the system on several resources and to compare the functional behavior of the system. In this way it is, for instance, possible to test the operability of synchronized dual-processor systems in vehicle dynamics control systems.
Local redundancy may, for instance, be installed such that two or more resources or functional units of a system perform the same function and their functional products are compared with one another. If the functional products delivered by the functional units concur, a correct function of the system may be concluded; if the functional products delivered by the functional units deviate from one another, a malfunction of the system may be concluded.
The third class of redundancy that is adapted to be used for testing the operability or for detecting a malfunction of the system is functional redundancy. When functional redundancy is applied, a system function is implemented multiple times, each time in a different manner. For error detection, these functionally similar implementations are compared with one another, either showing a behavior that is harmonious or concurrent with respect to each other, or showing a deviating behavior.
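As an added illustration of the temporal and functional redundancy classes described above (this is example code, not from the patent), the following C program computes one function, a CRC-8 over a constructed sample frame, twice and compares the two functional products: for temporal redundancy the same implementation is run again, for functional redundancy a differently built implementation (table driven instead of bitwise) is run. A fault mask models a malfunction of the second resource so that the deviation case can be exercised; the frame contents, the CRC polynomial and the function names are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed sample input standing in for a sensor frame; not from the patent text. */
static const uint8_t sample_frame[8] = {0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0};

/* Implementation A: bitwise CRC-8 (polynomial 0x07, initial value 0). */
static uint8_t crc8_bitwise(const uint8_t *d, size_t n) {
    uint8_t crc = 0;
    for (size_t i = 0; i < n; i++) {
        crc ^= d[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x80) ? (uint8_t)((crc << 1) ^ 0x07) : (uint8_t)(crc << 1);
    }
    return crc;
}

/* Implementation B: the same function built in a different manner (table driven).
   A systematic error in one implementation is unlikely to be mirrored in the other,
   which is what functional redundancy relies on. */
static uint8_t crc8_table(const uint8_t *d, size_t n) {
    uint8_t tbl[256];
    for (int v = 0; v < 256; v++) {
        uint8_t c = (uint8_t)v;
        for (int b = 0; b < 8; b++)
            c = (c & 0x80) ? (uint8_t)((c << 1) ^ 0x07) : (uint8_t)(c << 1);
        tbl[v] = c;
    }
    uint8_t crc = 0;
    for (size_t i = 0; i < n; i++) crc = tbl[crc ^ d[i]];
    return crc;
}

enum redundancy { TEMPORAL, FUNCTIONAL };

/* Produces two functional products according to the redundancy class and compares
   them. fault_mask is XORed into the second product to model a malfunction of the
   second resource (0 = no fault). Returns true on concurrence (correct function) and
   false on deviation (malfunction detected); the first product is exported for use. */
bool redundant_check(enum redundancy cls, uint8_t fault_mask, uint8_t *product) {
    uint8_t r1 = crc8_bitwise(sample_frame, sizeof sample_frame);
    /* TEMPORAL: the same implementation is run again at a later point in time.
       FUNCTIONAL: a different implementation of the same function is run. */
    uint8_t r2 = (cls == TEMPORAL) ? crc8_bitwise(sample_frame, sizeof sample_frame)
                                   : crc8_table(sample_frame, sizeof sample_frame);
    r2 ^= fault_mask;
    if (product) *product = r1;
    return r1 == r2;
}
```

Local redundancy on two physical processors cannot be shown in a single-process program; in a lockstep dual-core system the same comparison would be made by a hardware comparator on the two cores' outputs.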
Each of these three redundancy classes causes additional resource effort in the electronic system, e.g., processor performance, digital gates, additional bandwidth, or other additional capacity. Since the redundancies required in a system strongly depend on the application of the electronic system, application-specific developments may entail the following problems.
On the one hand, an application-specific development may, owing to its reduced complexity vis-à-vis an application-comprehensive development, reduce the number of systematic and random errors. However, an application-comprehensive development, being used in a plurality of different fields, may offer greater statistical reliability than an application-specific development for detecting systematic errors and taking adequate measures to avoid them. On the other hand, many such application-specific developments may increase the development time and the costs of development and operation.
Multiple locally redundant devices usually operate pursuant to the same synchronously performed programs and algorithms, and with the same initial values. In so doing, however, they basically operate independently of each other, e.g., as MIMD (“Multiple Instruction, Multiple Data”). To increase functionality, redundant systems are frequently established in which the system function may be distributed or provided statically or dynamically to the redundant resources. Such redundant systems either operate independently and on an equal footing, e.g., as MIMD, or sequentially and hierarchically, e.g., in the manner of coprocessors.
A strategy for safeguarding electronic data processing systems has so far been to implement the resources redundantly and, in part, to implement them multiple times. Thus, German Patent publication DE 19800311 A1 and Korean Patent publication KR 2002033254, for instance, describe the multiple implementation of the substantial digital control means. Here, the principles of local redundancy (dual processor core) and of functional redundancy (parity or “ECC” error-correcting memory redundancy) may also be applied.
Redundant systems that enable switching of locally redundant resources between two different configurations are known. U.S. Pat. No. 6,772,368, for instance, discloses a system in which two locally redundant systems operate in a completely self-sustaining manner in one configuration and in a completely parallel-synchronized manner in another configuration. The possibility of mutually replacing the resources (so-called “Hot Swap”), or of mixing different redundancy classes, especially functional redundancy with local redundancy, does, however, not exist.
Further, redundant systems are known whose redundant resources are capable of mutually replacing one another in the case of a system failure. The object in this case is to increase the availability of the system. Thus, European Patent publication EP 0185704, for instance, describes a system in which redundant processors perform algorithms and programs independently of each other (MIMD: “Multiple Instruction, Multiple Data”). If some of the functional units or processors of the system fail, the functional units or processors that are still capable of operating additionally assume the tasks of the failed functional units or processors. This transfer of functions is also referred to as configurability. However, the configurability does not permit any operation of the system in which configurable errors are detected or alternative functions are promoted.