In the field of embedded systems, for example in automotive engineering or automation engineering, an error in the μC hardware can potentially have safety-critical consequences in some applications. To avoid these consequences or minimize their effect, monitoring measures for detecting errors are employed. There are applications where such monitoring is required on a virtually permanent basis; in other applications, monitoring functions regularly check (i.e., periodically) or in response to specific prompts, whether the computer or other components as well are still functioning correctly.
German Published Patent Application No. 103 32 700 describes a method and a device for switching between two operating modes of a processor unit. The processor unit has at least two execution units, and the purpose of the different operating modes is to allow the processor unit to be operated at least in what is known as a performance mode, as well as in what is known as a comparison mode (CM). In the performance mode, various programs are executed on two execution units, for example. On the other hand, in the comparison mode, identical programs are executed on both execution units; the results generated by the two executions units are compared to one another; and, in the event of a discrepancy, an error signal is triggered.
From the standpoint of computing capacity, it is generally advantageous to allow as many tasks as possible to run in the most efficient mode possible (performance mode). On the other hand, in safety-critical applications in particular, virtually all tasks should be computed at a high level of error detection. Under the conventional arrangements, it is thus difficult or impossible to utilize a substantial share of the computing capacity of a performance mode for such applications.
Some applications have relatively complex error detection requirements. In numerous control engineering applications, a fault that is only active for a short duration, for example, is tolerated by the application itself; thus, in many situations, there is no error detection requirement for transient errors. However, there is such a requirement for permanent errors. Nevertheless, conventional arrangements do not provide any generally usable options for optimally resolving these conflicting requirements in terms of cost.
The time required for switching between the different operating modes (performance mode, comparison mode) is considerable. It is important that this overhead be taken into consideration when working with very frequent switchover operations. To allow for optimal strategies in the case of a scheduling problem, the application software requires that a more frequent changing of tasks be initiated, even in the short term.