In the field of embedded systems, for example in automotive engineering or automation engineering, there are applications where an error in the μC hardware can potentially have safety-critical consequences. To avoid these consequences or minimize their effect, monitoring measures for detecting errors are employed. There are applications where such monitoring is required on a virtually permanent basis; in other applications, monitoring functions regularly check (i.e., periodically) or in response to specific prompts, whether the computer or other components as well are still functioning correctly. The present invention is directed to such applications.
The monitoring functions in these applications include the execution of a check routine, for example, to check whether a specific component is still functional. This can involve calculating a part of the real functional algorithm using default input values and then comparing the result, which is known in advance, with a stored reference value. This stored reference value can be calculated in advance because the default input values and the algorithm are both already known at the time the software is set up.
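The check routine described above, as an added illustration that is not part of the patent text: a hypothetical fixed-point low-pass filter stands in for the "real functional algorithm", the default input vector and the stored reference value are constructed sample data, and a deliberately corrupted variant stands in for a faulty core so that the comparison visibly fails.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical "real functional algorithm" (not from the patent): one pass of a
 * fixed-point low-pass filter, y[n] = y[n-1] + (x[n] - y[n-1]) / 4, returning
 * the final filter state. In a real system this would be part of the
 * application algorithm whose operability is being monitored. */
static int32_t lowpass_run(const int32_t *x, size_t n)
{
    int32_t y = 0;
    for (size_t i = 0; i < n; i++) {
        y += (x[i] - y) / 4; /* C integer division truncates toward zero */
    }
    return y;
}

/* Default input values, fixed at build time (constructed sample data). */
static const int32_t kDefaultInput[] = { 400, 400, 400, 400, 0, 0, 0, 0 };
#define DEFAULT_INPUT_LEN (sizeof kDefaultInput / sizeof kDefaultInput[0])

/* Stored reference value: the result of lowpass_run() on kDefaultInput,
 * precomputed when the software was set up and kept in non-volatile storage. */
static const int32_t kReference = 87;

typedef enum { CHECK_OK = 0, CHECK_FAILED = 1 } check_result_t;

/* The check routine: run (part of) the functional algorithm on the default
 * inputs and compare with the stored reference. Note that this exercises only
 * the default context, not the input range currently seen in operation. */
check_result_t run_check_routine(int32_t (*algo)(const int32_t *, size_t))
{
    int32_t result = algo(kDefaultInput, DEFAULT_INPUT_LEN);
    return (result == kReference) ? CHECK_OK : CHECK_FAILED;
}

/* Stand-in for a faulty arithmetic unit: the shift amount is wrong, so the
 * filter divides by 2 instead of 4 and the known-answer comparison fails. */
static int32_t lowpass_faulty(const int32_t *x, size_t n)
{
    int32_t y = 0;
    for (size_t i = 0; i < n; i++) {
        y += (x[i] - y) / 2;
    }
    return y;
}

int main(void)
{
    printf("healthy core: %s\n", run_check_routine(lowpass_run) == CHECK_OK ? "OK" : "FAILED");
    printf("faulty core:  %s\n", run_check_routine(lowpass_faulty) == CHECK_OK ? "OK" : "FAILED");
    return 0;
}
```

In a periodic monitoring scheme the caller would invoke run_check_routine() from the scheduler and escalate a CHECK_FAILED result to the safety reaction defined for the application.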
Another type of monitoring function is implemented by selectively loading output channels. This is potentially combined with a process of reading back sensor values which should then reside within a specific range. There are also a multiplicity of other variations.
All of these monitoring methods have in common that they are executed and controlled by software (possibly with the aid of a μC-external hardware module) and that they check the operability of the system.
In the case of the test measures under consideration, great care should be taken to ensure that an error in the μC core, which, after all, influences all of the software, does not cause the monitoring routine itself to malfunction. Particularly with regard to verifiability, it should be ensured when assessing a measure that the core itself and the check software running on it are operating correctly. Only under this condition can it be verified that the check routines themselves are also running correctly. Overall, therefore, substantial effort is expended both to check the core itself and to check that the other check routines are independent of core errors.
In automation technology, it is customary to speak of what are known as security functions. These functions are to be uniquely identified and documented in the overall application and typically need to meet the requirements of a standard (for example, IEC 61508). Even if no standard applies, rigorous demands in terms of fault detection are made of these security functions, and it is not always possible to execute a monitoring function on the object to be monitored.
Moreover, when operability is tested using the conventional test measures, the test is often directed only to operability in one specific context. This means that it is often not the operability in every context, or in the context currently valid, that is monitored; rather, only the operability in a single default context is checked.