Safety-critical control operations of this type include, among others, control systems which intervene in the braking function of an automotive vehicle. These control systems are widely marketed and available in many different designs. Examples are anti-lock systems (ABS), traction slip control systems (TCS), driving stability control systems (DSC, ASMS), suspension control systems, etc. Failure of such control systems may jeopardize the driving stability of the vehicle. Therefore, the operability of the systems is continuously monitored in order to deactivate the control when a malfunction occurs, or to switch it to a condition which offers maximum stability under the circumstances. Matters are even more critical for brake systems or automotive vehicle control systems where a switch-over to a mechanical or hydraulic system is not possible upon failure of the electronics. Among those systems are brake system concepts such as "brake-by-wire" which are likely to gain in significance in the future. The braking function in such systems depends strongly on intact electronics.
German patent No. 32 34 637 discloses one example of a microprocessor system for controlling and monitoring an anti-lock vehicle brake system. In this patent, the input data are sent in parallel to two identically programmed microcomputers where they are processed synchronously. The output signals and intermediate signals of the two microcomputers are compared for correlation. In the event of non-correlation of the signals, the control is disconnected.
In another prior art system, the circuit described in German patent application No. 41 37 124, the input data are also sent in parallel to two microcomputers; however, only one of them executes the complete, sophisticated signal processing operation. The main purpose of the second microcomputer is to monitor the input signals and to produce time derivatives which can be processed further by way of simplified control algorithms and a simplified control philosophy. The simplified data processing is sufficient to generate signals which, by comparison with the signals processed in the more sophisticated microcomputer, indicate the proper operation of the system.
German patent application No. 43 41 082 discloses a microprocessor system which is provided especially for the control system of an anti-lock brake system. The system known from the art which can be incorporated on one single chip comprises two central units in which the input data are processed in parallel. The read-only and the random-access memories which are connected to the two central units have additional memory locations for test information, each comprising a generator to produce the test information. The output signals of one of the two central units are further processed to produce the control signals, while the other central unit, being a passive central unit, is only used to monitor the active central unit.
Finally, a system of the above-mentioned type is known from German patent application No. 195 29 434 wherein two synchronously operated central units are provided on one chip or on several chips which receive the same input information and execute the same program. The two central units are connected to the read-only and the random-access memories, as well as to input and output units, by way of separate bus systems. The bus systems are interconnected by drivers or bypasses, respectively, which enable both central units to jointly read and execute the data and commands available. The system renders it possible to economize on memory locations. Only one of the two central units is connected (directly) to a complete read-only and random-access memory, while the memory capacity of the second processor is limited to memory locations for test data (parity monitoring) in connection with a test data generator. Access to all data is possible by way of the bypasses. This makes it possible for both central units to execute the complete program.
All above-mentioned systems are principally based on the comparison of redundantly processed data and the generation of an error signal when differences appear. The control can be deactivated upon the occurrence of an error or malfunction of a system. An emergency operation mode, i.e., continuing the control after the occurrence of the error, is in no case possible. Basically, such an emergency operation mode would be possible only by doubling the systems in connection with an identification and elimination of the source of errors.
An object of the present invention is to configure a microprocessor system of the above-mentioned type, with little if any additional effort, so that an emergency operation mode becomes possible upon the occurrence of an error.
The system of the present invention includes at least three central units with at least double the memory capacity of a non-redundant system. The central units are extended by redundant periphery units to provide at least two complete control signal circuits and are interconnected in such a manner that, upon failure of a central unit and/or associated components, or upon the occurrence of an error in one of the data processing systems, the faulty central unit can be identified by a majority decision in an identification unit. A change-over to an emergency operation mode is then effected in which at least one control signal circuit with full memory capacity is available and the output of output signals or control signals derived from the faulty central unit is prevented.
According to the present invention, redundancy, i.e. maintaining the redundant data processing, is dispensed with in certain rare cases in favor of a particularly simple controller design, because the occurrence of another error during a short emergency operation period is extremely unlikely, and because disconnection of the control is out of the question or would increase the safety risk. Instead, upon the occurrence of an error, the effects of the error are eliminated and the control and/or regulation is continued on the basis of the faultless systems and signals, once the error source or the intact systems have been identified.
In a preferred aspect of the present invention, three central units are provided, each with one bus system, and the memory locations in the three central units are distributed such that, upon failure of one central unit, the other two central units have at their disposal at least the full read-only and random-access memory capacity. All central units are connected to the memory locations in the write and read directions, and to all input and output units, by way of the bypasses.
It has been found to be particularly expedient that one central unit has the full (100%) memory capacity and the other two have respectively at least 50% of the read-only and random-access memory capacity required for a non-redundant system.
Thus, the present invention builds upon the above-mentioned system known from German patent application No. 195 29 434, which is principally composed of one complete and one incomplete data processing system, and extends this system by an additional complete data processing system with the associated periphery units. Two complete control signal circuits or control signal processing systems are thereby achieved, which are interconnected to provide a total system that permits an emergency operation mode and ensures that the control is maintained even upon failure of a processor and identification of the error source. This means that the interconnection of the individual systems or components according to the present invention permits continuing the control and regulation upon failure of one processor by utilizing the intact circuits.
The total number of memory locations needed, which generally determines the price of the microprocessor system, is merely doubled compared to processing in a non-redundant system, and the distribution and allocation of the memory locations to the individual processors is variable within wide limits. It must be ensured that each individual processor or each individual processor unit can execute the full program.
The configuration of the microprocessor system according to the present invention permits accommodating all or the main components, especially all central units, memories, comparators and bypasses as well as, if necessary, the input and output units, on one single chip.
The three central units, along with the memories, the input and output units and the periphery units, including the voltage supply, etc., form two complete and one incomplete data processing systems in total. The memory locations required for a complete program run are distributed among two data processing systems. Favorably, each of the data processing systems comprises at least one central unit, one bus system, as well as read-only and random-access memories, and the memory locations are distributed among the individual data processing systems so that, upon the occurrence of an error and change-over to the emergency operation mode, the intact systems have a sufficient number of memory locations for the complete data processing and execute the complete program.
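The majority decision, the change-over to emergency operation and the memory distribution described above, as an added illustrative model that is not the patent's circuit: three central units each deliver a control word, the identification unit votes, a dissenting unit is excluded, and control continues on the intact units only while their combined memory shares still cover the full program. The names ctrl_system_t, control_cycle and identify_faulty, and the percent shares, are this example's own assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#define NUM_CPU 3
#define NO_FAULT (-1)
#define NO_MAJORITY (-2)

/* Hypothetical model, not the patent's circuit: three central units, each
 * holding a share (in % of a non-redundant system) of the program memory. */
typedef struct {
    int mem_percent[NUM_CPU];
    bool healthy[NUM_CPU];   /* false once a unit has been excluded */
} ctrl_system_t;

void ctrl_init(ctrl_system_t *s, int m0, int m1, int m2) {
    s->mem_percent[0] = m0; s->mem_percent[1] = m1; s->mem_percent[2] = m2;
    for (int i = 0; i < NUM_CPU; i++) s->healthy[i] = true;
}

/* Majority decision of the identification unit: the unit whose control
 * word disagrees with the two others (which agree) is the faulty one. */
int identify_faulty(const uint32_t out[NUM_CPU]) {
    if (out[0] == out[1] && out[1] == out[2]) return NO_FAULT;
    if (out[0] == out[1]) return 2;
    if (out[0] == out[2]) return 1;
    if (out[1] == out[2]) return 0;
    return NO_MAJORITY;
}

/* The intact units together must still hold the full program (>= 100%). */
bool intact_memory_sufficient(const ctrl_system_t *s) {
    int total = 0;
    for (int i = 0; i < NUM_CPU; i++)
        if (s->healthy[i]) total += s->mem_percent[i];
    return total >= 100;
}

/* One control cycle: vote on the three redundant control words, exclude a
 * faulty unit, and emit an intact unit's word; false = deactivate control. */
bool control_cycle(ctrl_system_t *s, const uint32_t out[NUM_CPU], uint32_t *ctrl) {
    if (s->healthy[0] && s->healthy[1] && s->healthy[2]) {  /* redundant mode */
        int f = identify_faulty(out);
        if (f == NO_MAJORITY) return false;  /* intact units not identifiable */
        if (f != NO_FAULT) s->healthy[f] = false;  /* change-over to emergency */
        if (!intact_memory_sufficient(s)) return false;
    }
    /* Emergency mode: no further error is assumed; the faulty unit's output
     * is blocked and the first intact unit's control word is used. */
    for (int i = 0; i < NUM_CPU; i++)
        if (s->healthy[i]) { *ctrl = out[i]; return true; }
    return false;
}
```

With the preferred 100/50/50 split any single failure leaves at least 100% of the program memory reachable, whereas a 100/30/30 split forces deactivation when the fully equipped unit fails.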
In another aspect of the present invention, the system is configured for a plurality of, or a combination of, automotive vehicle control systems such as brake-by-wire, ABS, TCS, ASMS, etc., and the emergency operation mode either covers maintaining the operation of all control systems, or only maintaining selected control functions, for example, functions which are especially critical in terms of safety.