In many applications of integrated circuits, particularly in call-processing systems, increased fault protection is demanded for security reasons. This is done by self-monitoring and fault detection within the integrated circuit. In many cases, an integrated circuit includes both clocked primary components, which are actuated by a common external or internally produced clock, and components which are independent of this clock. The latter components are referred to as asynchronous components. One example among many is a PCI module (‘Personal Computer Interface’), which includes as an asynchronous component the PCI circuit for controlling a PCI bus.
A known practice for self-monitoring in integrated circuits is based on tests implemented by means of software. These software tests are invoked regularly, e.g. by means of a test loop. This solution requires the user to implement a suitable test program which reliably checks all the functions needing to be checked. Such a software test also consumes a considerable share of the time that would otherwise be available for the application tasks. In addition, a fault state is detected only at the time of a test pass. The known BIST solution (for ‘Built-In Self-Test’) implements a self-test on an integrated circuit using hardware. However, the BIST self-test normally has an execution time of 2-10 ms or even more, and in this case too a fault is not detected until the time of the test pass.
Another approach to achieving fault protection involves duplicating the fundamental hardware parts within the integrated circuit. The circuit thus includes at least two similar implementations of its primary components. Such a duplicated circuit operates, by way of example, in one of two ways: either one of the primary components, as the active component, performs the tasks of the circuit while the other primary component is passive and operates in idle mode; or both primary components operate microsynchronously in parallel in a “tandem mode”.
WO 94/08292 describes a duplicated processor control unit comprising two identical, interconnected control units which each have a processor unit, a RAM data store and peripheral circuits. Each processor unit is set up to establish whether it is active or in standby mode. The active processor unit performs the write cycles to the RAM store synchronously in both duplicated RAM stores or in one of the two RAM stores. The standby unit remains in standby until it is invoked on account of a fault in the active unit, in order to replace the unit which has been active up to then. The activities of the two processor units based on WO 94/08292 are thus fundamentally asymmetrical; peripheral components, including the main memory, are, in principle, accessed only by the active processor unit. If there is no comparison with a second processor unit running in parallel, for example, any malfunction in the active processor unit therefore results in the main memory being written incorrectly or in incorrect states in the peripheral area, which then need to be corrected after changeover to the previous standby unit.
In addition, each of the two processor units in WO 94/08292 is equipped with two microprocessors operating in microsynchronized mode. The microsynchronism of the two microprocessors is monitored by means of a comparator block which at all times checks the identity of the two processors' address, data and control signals. Any discrepancy is interpreted as a fault in the processor unit in question. A fault in the microsynchronous operation of the microprocessor pair thus results in an interrupt signal or reset for the entire processor unit. Duplication of the microprocessors within a processor unit results in a “tandem unit” fed by a standard clock signal. However, WO 94/08292 does not reveal how to operate asynchronous components, namely components running independently of the clock for the duplicated microprocessors.
Since, even in a microsynchronous mode, the components involved still operate with a residual clock error, there is the risk when processing asynchronous input signals, particularly if they change in the region of such a clock error, that these input signals will be interpreted differently by the various microsynchronous components. This would thus result in a rapid loss of microsynchronism and would trigger a fault state.
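The hazard described above can be reproduced in a small simulation, given here as an added example that is not part of the original text. The clock period, the skew, the transition times and the counter used as unit state are all constructed assumptions; the divergence it shows comes from sampling alone, not from a defect in either unit.

```python
# Added illustration (not from the original text). All timing values are
# constructed; times are integer picoseconds to avoid rounding effects.

def level_at(transitions, t, initial=0):
    """Level of an asynchronous input at time t; it toggles at each listed time."""
    level = initial
    for edge in transitions:
        if edge <= t:
            level ^= 1
    return level

def comparator_mismatches(transitions, period, skew, cycles):
    """Run two nominally microsynchronous units for `cycles` clock cycles.

    Unit B's clock edge lags unit A's by `skew` (the residual clock error).
    Each unit latches the asynchronous input at its own edge and adds it to
    an internal counter, a stand-in for any state the input influences.
    Returns the cycles in which a comparator sees the two states differ.
    """
    state_a = state_b = 0
    flagged = []
    for n in range(cycles):
        edge_a = n * period
        edge_b = edge_a + skew
        state_a += level_at(transitions, edge_a)
        state_b += level_at(transitions, edge_b)
        if state_a != state_b:
            flagged.append(n)
    return flagged

PERIOD_PS = 10_000  # constructed: 100 MHz clock
SKEW_PS = 200       # constructed: residual clock error between the units

# Input changes mid-cycle, far from both edges: both units latch the same value.
SAFE = comparator_mismatches([23_500], PERIOD_PS, SKEW_PS, cycles=6)
# Input changes between A's edge (30 000 ps) and B's edge (30 200 ps):
# A latches the old level, B the new one, and the states never re-converge.
HAZARD = comparator_mismatches([30_100], PERIOD_PS, SKEW_PS, cycles=6)

if __name__ == "__main__":
    print("transition at 23.5 ns ->", SAFE)
    print("transition at 30.1 ns ->", HAZARD)
```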