This invention relates to microprocessor modules, and particularly but not exclusively to such modules in distributed multi-processor systems.
Distributed multi-processor systems (having a system bus and a number of distributed processors at nodes of the bus) are increasingly used in the automobile industry for providing distributed functions within a vehicle. Many applications of such a system (for example an Electro-Mechanical Braking (EMB) System or ‘Brake-by-Wire’) are safety critical and a high level of dependency is typically designed into the nodes of the system bus.
One example of this dependency is an arrangement where processors of each node redundantly perform tasks which mirror tasks of the other nodes' processors, and then cross-check with the other processors via the system bus. If a processor is faulty, it will in some instances recognise the fault due to the cross-checking with the other processors, and then perform corrective actions to partially or completely recover from the fault.
However, a problem exists in instances when the faulty processor does not recognise that it has been identified by the other processors as faulty, either due to an internal error or an error relating to the communication with the system bus. Even if such an error is detected, in some instances the faulty processor is not able to perform corrective actions under software control.
In either of these cases the processor and hence the node may suffer from reduced or incorrect operation, which in a safety critical application could have fatal results. This invention seeks to provide a microprocessor module and method which mitigate the above mentioned disadvantages.
According to a first aspect of the present invention there is provided a microprocessor module arranged to be coupled to a communications network having a plurality of distributed modules, the distributed modules being arranged to transmit status signals pertaining to the perceived status of the module, the module comprising: a reset arrangement coupled to the network and arranged for providing a reset signal to reset the module in dependence upon a reset condition, wherein the reset condition is determined by a voting scheme applied to the status signals received from the plurality of modules.
According to a second aspect of the present invention there is provided a method of resetting a microprocessor module, the module arranged to be coupled to a communications network having a plurality of distributed modules, the method comprising: receiving status signals from the distributed modules pertaining to the perceived status of the module; applying a voting scheme to the received status information to determine whether a reset condition is met; and, providing a reset signal to reset the module in dependence upon the reset condition being met.
Preferably the status information comprises indications from the plurality of modules as to whether the microprocessor module appears to be faulty. The voting scheme preferably comprises a summation of the indications and a comparison of the summed indications with a threshold value in order to determine whether the reset condition is met.
The reset arrangement is preferably further arranged to provide an interrupt request signal to the microcontroller in dependence upon an interrupt request condition. Preferably the interrupt request condition is determined according to the voting scheme. Preferably the reset condition is determined in dependence upon a predetermined number of interrupt request conditions being met.
The interrupt request is preferably non-maskable. The module or method is preferably further arranged to provide status signals to the communications network indicating the perceived status of the plurality of modules.
In this way a microprocessor module and method are provided in which a faulty module can be reset remotely, based on ‘votes’ cast by other modules of the system, even though the module itself may not be able to rectify the fault.
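The voting scheme and escalation described above (summing the fault indications, comparing the sum with a threshold, raising a non-maskable interrupt request, then resetting after a predetermined number of interrupt request conditions) can be sketched as follows; this is an added example, not code from the patent. The type and function names, the treatment of missing status signals as abstentions, and clearing the count after a round below the threshold are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* One peer's status signal about this module (all names are hypothetical). */
enum vote { VOTE_ABSENT = 0, VOTE_OK = 1, VOTE_FAULTY = 2 };
enum action { ACT_NONE = 0, ACT_NMI = 1, ACT_RESET = 2 };

struct reset_arrangement {
    unsigned vote_threshold; /* summed fault indications needed per round */
    unsigned irq_limit;      /* interrupt request conditions before reset */
    unsigned irq_count;      /* interrupt request conditions seen so far  */
};

/* Apply the voting scheme to one round of received status signals. */
enum action evaluate_round(struct reset_arrangement *ra,
                           const enum vote *votes, size_t n)
{
    unsigned sum = 0;
    for (size_t i = 0; i < n; i++)
        if (votes[i] == VOTE_FAULTY)   /* absent or garbled signals abstain */
            sum++;
    /* A zero threshold is treated as misconfiguration and never fires. */
    if (ra->vote_threshold == 0 || sum < ra->vote_threshold) {
        ra->irq_count = 0;             /* assumption: a clean round clears the count */
        return ACT_NONE;
    }
    if (++ra->irq_count >= ra->irq_limit) {
        ra->irq_count = 0;             /* module restarts with a clean history */
        return ACT_RESET;
    }
    return ACT_NMI;                    /* non-maskable interrupt request */
}

int main(void)
{
    /* Constructed sample: three peers, 2-of-3 vote, reset on the 2nd condition. */
    struct reset_arrangement ra = { 2, 2, 0 };
    const enum vote rounds[][3] = {
        { VOTE_FAULTY, VOTE_OK, VOTE_ABSENT },     /* 1 vote: below threshold   */
        { VOTE_FAULTY, VOTE_FAULTY, VOTE_OK },     /* 2 votes: first condition  */
        { VOTE_FAULTY, VOTE_FAULTY, VOTE_FAULTY }, /* 3 votes: second condition */
    };
    for (size_t r = 0; r < 3; r++)
        printf("round %zu: action %d\n", r, (int)evaluate_round(&ra, rounds[r], 3));
    return 0;
}
```

With a threshold of at least two, a single faulty voter cannot on its own produce the interrupt request or the reset.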