Highly available or failsafe vehicle systems, such as are required for applications in automated driving, place increased demands on the availability and fault-free interaction of the electronic components of the individual motor vehicle systems, and here specifically on the respective microcontroller which runs the underlying software of the vehicle system it operates. These vehicle systems therefore aim for the lowest possible failure probability. An example of a high-availability or failsafe vehicle system is the brake system of a motor vehicle. Failure of such a system would pose a risk to road users, for which reason the functional capability of this system has to be monitored continuously in order, for example, to activate a fallback level when a fault occurs. Fault-tolerant redundancy concepts are particularly significant for motor vehicle systems which have exclusively electronic fallback levels.
In order to increase fail-safety, it is known from DE 32 34 637 C2 to operate two processors running identical software, which can also be referred to as symmetrical redundancy. DE 41 37 124 A1 describes a microprocessor system with asymmetrical redundancy, in which two processors are operated with different software.
A further system with core redundancy is described in DE 195 29 434 A1, in which two synchronously operating processor cores are provided on one or more chips, receive the same input information and process the same program. The two processor cores are connected to the read-only and random access memories as well as to input and output units via separate bus systems. The bus systems are connected to one another by driver stages or bypasses which permit the two processor cores to read and process the available data in common, including the check data and commands. Only one of the two processor cores is connected (directly) to a fully fledged read-only and random access memory, while the memory of the second processor core is limited to memory locations for check data (parity monitoring), in conjunction with a check data generator. Access to all the data takes place via the bypasses. As a result, each of the two processor cores is capable of processing the entire program.
EP 1 673 667 B1 describes a microcontroller system with core redundancy for safety-critical applications, in which the digital circuit components and the analogue circuit components for actuating high-power consumers are accommodated on a common chip or chip carrier and protected from one another by isolation regions.
Microcontrollers (MCUs) known per se for safety-critical motor vehicle systems are, from the point of view of the programming model, single-core systems, although frequently a plurality of processor cores is physically present in order to execute software in parallel. Resources such as memory resources and/or peripheral resources are, however, frequently not implemented multiple times but are shared by the processor cores. In contrast, multi-chip microcontrollers provide all resources multiple times. In this description, a chip is understood to be an integrated circuit accommodated on a separate semiconductor substrate.
A significant disadvantage of the shared resources of multi-core microcontrollers is their susceptibility to faults, e.g. random hardware faults, since all cores sharing these resources are always affected together. The independence of the multiple subsystems (cores) present therefore applies only to faults within the subsystems themselves. The failure probability of a multi-core microcontroller is therefore determined essentially by faults in the shared resources, which account, for example, for an order of magnitude of 40% of the overall failure rate.
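A small reliability calculation, added here as an illustration and not part of the original text, makes this argument concrete. It assumes a constant-failure-rate (exponential) model in which a fraction f of the chip's total failure rate is attributable to the shared resources (the 40% mentioned above) and a core fault is tolerated by the redundancy; the failure rate and mission time are constructed sample values.

```python
import math


def p_fail_multicore(lam: float, t: float, f: float, n_cores: int = 2) -> float:
    """Failure probability over mission time t of an n-core MCU with shared
    resources.  Modelling assumptions of this example (not from the text):
    constant failure rates; a fraction f of the chip's total failure rate lam
    is attributable to the shared resources (memory, peripherals) and the
    remainder is split evenly over the core subsystems; a core fault is
    detected and tolerated by the redundancy, so the system survives while
    the shared resources and at least one core are intact."""
    lam_shared = f * lam
    lam_core = (1.0 - f) * lam / n_cores
    p_shared_ok = math.exp(-lam_shared * t)
    p_core_fail = 1.0 - math.exp(-lam_core * t)
    # Shared resources are a common-cause element: every core is lost with them.
    return 1.0 - p_shared_ok * (1.0 - p_core_fail ** n_cores)


def p_fail_multichip(lam: float, t: float, n_chips: int = 2) -> float:
    """Same model for n separate chips that each carry the full resource set:
    nothing is shared, so the system fails only when every chip has failed."""
    p_chip_fail = 1.0 - math.exp(-lam * t)
    return p_chip_fail ** n_chips


def shared_resource_floor(lam: float, t: float, f: float) -> float:
    """Lower bound on the multi-core failure probability: the shared
    resources alone, however many cores are added."""
    return 1.0 - math.exp(-f * lam * t)


if __name__ == "__main__":
    # Constructed sample values: 100 FIT total chip failure rate (1e-7 per
    # hour), 10,000 h mission time, 40 % of the rate in shared resources.
    lam, t, f = 1e-7, 10_000.0, 0.4
    print(f"multi-core, 2 cores  : {p_fail_multicore(lam, t, f):.3e}")
    print(f"multi-core, 8 cores  : {p_fail_multicore(lam, t, f, 8):.3e}")
    print(f"shared-resource floor: {shared_resource_floor(lam, t, f):.3e}")
    print(f"multi-chip, 2 chips  : {p_fail_multichip(lam, t):.3e}")
```

With these values the multi-core failure probability stays pinned near the shared-resource floor no matter how many cores are added, while the two-chip variant is several hundred times lower.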
Owing to this multiple implementation, multi-chip systems are, however, more expensive than multi-core systems, particularly with regard to program and data memories that are large by present-day standards, for example read-only memories larger than 4 MB and main memories larger than 256 kB. The use of a plurality of chips for high-availability systems therefore constitutes a significant increase in costs, to which in particular the larger number of integrated circuits and the increased complexity of the underlying circuit carrier contribute.
Due to the large production volumes of integrated circuits, there is enormous cost pressure on all components. However, their functionalities, which are designed in particular for safety, must not be restricted by cost-reducing measures.