The invention relates to a method and apparatus for synchronizing and checking at least one processor and at least one associated monitoring circuit according to the preambles to the claims.
DE 35 39 407 A1 discloses a computer system with two processors in which, during normal operation, the computing workload is distributed evenly between the two processors and, if one of the processors malfunctions, the other processor switches into a corresponding emergency function. In order to detect malfunctions, each processor is associated with exactly one monitoring circuit. Neither a synchronization of the monitoring circuit with the processor nor the association of several monitoring circuits with one processor is provided.
This kind of monitoring circuit, also referred to as a watchdog, is known in many variants in the prior art, e.g. also from DE 40 23 700 A1. There, a watchdog signal transmitted by the processor at regular time intervals is received in the monitoring circuit. If the frequency of the signal sequence formed by the individual watchdog signals lies outside a particular applicable frequency window, the watchdog sends a reset signal to the processor on the assumption that an error has occurred. Neither a test of the watchdog nor its synchronization with the processor is provided, nor the association of several monitoring circuits with one processor.
DE 36 38 947 C2, by contrast, discloses a method for synchronizing the computers of a multicomputer system, and a multicomputer system, particularly for safety devices in motor vehicles such as an antilock brake system, seatbelt-tightening systems, or airbags. The multicomputer system is intended for the rapid processing of large quantities of data by distributing them over a number of processors. Each computer contains its own timing generator, and the computers are connected to one another by data and/or control lines. After the computers are started or reset, each produces a starting signal, which is transmitted to the other computers and is received and evaluated by them. After the last starting signal arrives, the timing generators simultaneously begin to generate time markers. As a function of these time markers, the computers generate synchronization signals, which are received by the other computers. Each computer compares the received synchronization signals with its own time markers and, if they have shifted relative to one another, changes the time marker sequence of its timing generator. The exchange of synchronization signals among the processors of the multicomputer system thus provides mutual function monitoring, so that no monitoring circuit is provided. The simultaneous use of several watchdogs per processor and the synchronization of the processors with the associated watchdogs are not disclosed.
Where multicomputer systems or direct connections between individual processors are dispensed with for cost reasons, or in systems that must be self-sufficient for safety reasons, such as control units and peripherals in vehicle safety devices, in particular an airbag, the monitoring must be carried out by a monitoring circuit.
When separate control units or computer peripherals are used, a number of interface components, for example application-specific integrated circuits (so-called ASICs), are connected to one processor. If each of these contains a monitoring circuit, as is standard, then a failure of the processor to service such a circuit would lead to errors.
The use of several independent watchdogs per processor or per microcontroller has the advantage, on the one hand, of a higher level of safety through redundancy; on the other hand, standard components can be used to control separate computer or control unit peripherals, e.g. front and side airbags, each by means of its own ASIC.
In order to use several independent watchdogs per microcontroller without malfunction, they must be synchronized. If independent watchdogs are not synchronized, the system with the microcontroller can freeze during the HW reset: the watchdogs trigger their reset or pulse reset in a staggered fashion, so that at least one watchdog issues a pulse reset while the microcontroller is still in its startup phase, the power-on reset. The method according to the invention ensures that this does not occur. Carrying out the synchronization step so soon after the power-on reset that no pulse reset of a watchdog can in turn trigger a reset synchronizes the time bases of the individual ASICs or watchdogs and promotes their simultaneous start. Furthermore, with synchronization, components can be used that have larger component-specific tolerances affecting their time base, which permits a cost reduction.
If a single synchronization signal or pulse were used, it could arrive at a time at which the watchdog treats it as a valid watchdog signal, so that no synchronization would be carried out. The preferred use of a double pulse, i.e. two pulses in quick succession, as the synchronization signal sent by the processor therefore has the advantage over the prior art that an incorrect synchronization or the absence of a synchronization is prevented.
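The following C simulation is an added illustration and is not part of the patent text or of any document cited above. It models the frequency-window monitoring described for the watchdog (a pulse interval that is too short or too long triggers a reset) together with the double-pulse synchronization of several watchdogs shortly after the power-on reset. All values are constructed assumptions: an 8 to 12 ms pulse window, a 0.2 ms gap that defines the double pulse, three watchdogs that leave their power-on reset 0, 3 and 6 ms apart with clock tolerances of up to 2 %, and a processor that, when unsynchronized, is taken to be stuck in its hardware reset. The handling of a lone pulse (judged by the window check only once the double-pulse gap has passed without a partner) is likewise an assumption of the model, not a feature stated in the text.

```c
/* Added simulation, not code from the patent or any cited document: several
 * watchdogs with individual time bases, the frequency-window check on the
 * processor's pulses, and a double-pulse synchronization of all time bases.
 * Every timing value and tolerance below is a constructed assumption. */
#include <stdbool.h>
#include <stdio.h>

#define WD_MIN_INTERVAL_US  8000   /* constructed window: pulses 8..12 ms apart */
#define WD_MAX_INTERVAL_US 12000
#define SYNC_GAP_US          200   /* two pulses this close form a double pulse */
#define N_WATCHDOGS            3
#define STEP_US              100   /* simulation time step */

typedef struct {
    long   start_us;        /* end of this watchdog's own power-on reset */
    double rate;            /* time-base tolerance: 1.02 runs 2 % fast, 0.98 2 % slow */
    long   window_open_us;  /* global time at which the current interval began */
    long   pending_us;      /* first pulse of a possible double pulse, or -1 */
    long   first_reset_us;  /* time of this watchdog's first reset, or -1 */
    int    resets, syncs;
} watchdog_t;

/* Elapsed interval as measured by this watchdog's own (imperfect) clock. */
static long local_elapsed(const watchdog_t *w, long at_us) {
    return (long)((at_us - w->window_open_us) * w->rate);
}

/* Frequency-window check: an interval that is too short or too long fails. */
bool interval_in_window(long interval_us) {
    return interval_us >= WD_MIN_INTERVAL_US && interval_us <= WD_MAX_INTERVAL_US;
}

static void issue_reset(watchdog_t *w, long now_us) {
    w->resets++;
    if (w->first_reset_us < 0) w->first_reset_us = now_us;
    w->window_open_us = now_us;            /* the interval restarts with the reset */
}

/* Bring the watchdog up to now_us. A lone pulse is judged by the window check only
 * once SYNC_GAP_US has passed without a partner; a missing pulse is a timeout. */
void watchdog_advance(watchdog_t *w, long now_us) {
    if (now_us < w->start_us) return;      /* still in its own power-on reset */
    if (w->pending_us >= 0) {
        if (now_us - w->pending_us <= SYNC_GAP_US) return;   /* partner may follow */
        if (interval_in_window(local_elapsed(w, w->pending_us)))
            w->window_open_us = w->pending_us;
        else
            issue_reset(w, w->pending_us);
        w->pending_us = -1;
    }
    if (local_elapsed(w, now_us) > WD_MAX_INTERVAL_US) issue_reset(w, now_us);
}

/* A pulse on the processor's watchdog line. A second pulse within SYNC_GAP_US
 * completes the double pulse: the time base restarts here with no interval check. */
void watchdog_pulse(watchdog_t *w, long now_us) {
    watchdog_advance(w, now_us);
    if (w->pending_us >= 0) {
        w->window_open_us = now_us;
        w->pending_us = -1;
        w->syncs++;
    } else {
        w->pending_us = now_us;
    }
}

/* Constructed processor behaviour: unsynchronized, it is assumed stuck in its hardware
 * reset and sends nothing; synchronized, it sends the double pulse at 7.0 and 7.1 ms
 * and then one watchdog pulse every 10 ms. */
static bool processor_pulses(bool with_sync, long t_us) {
    if (!with_sync) return false;
    if (t_us == 7000 || t_us == 7100) return true;
    return t_us >= 17100 && (t_us - 17100) % 10000 == 0;
}

static watchdog_t wd[N_WATCHDOGS];   /* state left by the most recent run_startup() */

/* Three watchdogs leave power-on reset 0/3/6 ms apart with +-2 % clock tolerance
 * (constructed). Returns the total number of resets issued up to t_end_us. */
int run_startup(bool with_sync, long t_end_us) {
    const watchdog_t init[N_WATCHDOGS] = {
        { .start_us = 0,    .rate = 1.00, .window_open_us = 0,    .pending_us = -1, .first_reset_us = -1 },
        { .start_us = 3000, .rate = 1.02, .window_open_us = 3000, .pending_us = -1, .first_reset_us = -1 },
        { .start_us = 6000, .rate = 0.98, .window_open_us = 6000, .pending_us = -1, .first_reset_us = -1 },
    };
    int total = 0;
    for (int i = 0; i < N_WATCHDOGS; i++) wd[i] = init[i];
    for (long t = 0; t <= t_end_us; t += STEP_US)
        for (int i = 0; i < N_WATCHDOGS; i++) {
            watchdog_advance(&wd[i], t);
            if (processor_pulses(with_sync, t)) watchdog_pulse(&wd[i], t);
        }
    for (int i = 0; i < N_WATCHDOGS; i++) total += wd[i].resets;
    return total;
}

/* First reset time of watchdog idx in the most recent run, or -1 if it never reset. */
long first_reset_time(int idx) { return wd[idx].first_reset_us; }

int main(void) {
    int n = run_startup(false, 20000);
    printf("unsynchronized: %d resets, first at %ld/%ld/%ld us\n", n, first_reset_time(0), first_reset_time(1), first_reset_time(2));
    printf("double-pulse synchronized: %d resets\n", run_startup(true, 20000));
    return 0;
}
```

Run unsynchronized, the three watchdogs issue their first resets at 12.1, 14.8 and 18.3 ms, staggered over more than 6 ms, which is the situation the method is designed to prevent. With the double pulse at 7.0 and 7.1 ms, all three time bases restart together and the regular 10 ms pulse train keeps every watchdog inside its window despite the 2 % clock differences, so no reset occurs. A lone pulse at 7.0 ms would instead have been judged by the window check like any other watchdog signal, which is why the second pulse is needed to make the synchronization unambiguous.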