As digital processors, and especially microprocessors, are applied to a wide variety of tasks, it has become apparent that the processors are subject to failure. Desirably, auxiliary apparatus is arranged to restart the processor in the face of such a failure on the assumption that the condition causing the failure was temporary, and that, if restarted, the processor will continue to run. The use of such techniques and the associated apparatus reduces the burden on maintenance personnel.
However, it is also apparent that it may sometimes be necessary to determine or verify that the processor is actually executing the steps which are expected of it. In this way, we can verify that the appearance of appropriate functioning that it gives to the outside world actually corresponds to the steps carried out internal to the processor. Thus, it is not sufficient for the processor merely to give the appearance of working; what is desired is some verification that the processor is actually functioning correctly.
Prior art solutions have included what is sometimes termed a watchdog timer or the like. This solution provides, external to the processor, a timer which is set to time out a predetermined period; that period might be several seconds, or it might even be less than a second, for example 200 milliseconds. The program included in the processor is arranged to output a pulse at a rate which is more frequent than the period being timed by the timer. Additional external apparatus is arranged, responsive to the output pulse, to reset the timer each time the output pulse is present. So long as the processor is functioning correctly, the program causes the processor to output the necessary pulse to reset the timer, the timer begins timing out a new period, and before the new period expires it is again reset, and so forth. See U.S. Pat. Nos. 4,363,092; 4,072,852 and 3,795,800, for example.
Unfortunately, experience has shown that this method is far from foolproof. If for some reason the processor falls into a loop which causes the pulse to which the timer is responsive to be output at a sufficiently rapid rate to maintain the timer reset, the timer gives the appearance that the processor is functioning correctly. In reality, however, this may merely be due to the processor's faulty operation coincidentally providing the output necessary to hold off the reset. Admittedly, this is an unlikely condition, but its probability is sufficiently great that the watchdog timer by itself is inadequate to provide sufficient evidence of proper processor functioning.
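To make this blind spot concrete, the following is an added discrete-time model (not part of the patent text) of an external watchdog with the 200 millisecond period mentioned above, driven by three constructed processor behaviours: a correctly pulsing program, a processor that halts, and a runaway loop that happens to keep emitting the pulse. The behaviour names, tick size and pulse timings are assumptions made for illustration.

```python
from typing import Callable, Optional

WATCHDOG_PERIOD_MS = 200   # timeout period; the 200 ms figure from the text
TICK_MS = 10               # simulation time step (assumed)

class Watchdog:
    """External timer: counts down, restarted by a processor pulse, trips on expiry."""
    def __init__(self, period_ms: int) -> None:
        self.period_ms = period_ms
        self.remaining_ms = period_ms
        self.tripped = False

    def pulse(self) -> None:
        # The processor's output pulse restarts the full timeout period.
        self.remaining_ms = self.period_ms

    def tick(self, dt_ms: int) -> None:
        # Advance time; once the period expires the timer trips and stays tripped.
        if not self.tripped:
            self.remaining_ms -= dt_ms
            if self.remaining_ms <= 0:
                self.tripped = True

def run(processor: Callable[[int], bool], duration_ms: int,
        period_ms: int = WATCHDOG_PERIOD_MS) -> Optional[int]:
    """Drive processor(t) once per tick; it returns True when it emits a pulse.
    Returns the simulated time (ms) at which the watchdog tripped, or None."""
    wd = Watchdog(period_ms)
    for t in range(0, duration_ms, TICK_MS):
        if processor(t):
            wd.pulse()
        wd.tick(TICK_MS)
        if wd.tripped:
            return t + TICK_MS
    return None

# Three hypothetical processor behaviours; each pulses when it returns True.
def healthy(t: int) -> bool:
    # Correct program: pulses every 100 ms, well inside the 200 ms period.
    return t % 100 == 0

def hung(t: int) -> bool:
    # Processor halts at 250 ms; no further pulses, so the watchdog trips.
    return t % 100 == 0 and t < 250

def runaway_loop(t: int) -> bool:
    # Fault: stuck in a tight loop that happens to contain the pulse output.
    # The watchdog is held reset although no useful work is done, so it
    # reports this faulty processor exactly as it reports a healthy one.
    return True
```

The halted processor is caught 200 ms after its last pulse, but the runaway loop is indistinguishable from the healthy program as far as the timer can tell, which is the gap the apparatus described below is meant to close.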
Another technique which has also been employed is providing redundant processors, both operating with the same program and on the same data. Periodically, data or controls from both processors are compared (in apparatus which may be external to both processors), the system being arranged on the assumption that if the comparison is an equality, then no failures have occurred. This prior art arrangement has at least two defects: in the first place, the assumption that an equal comparison indicates a lack of failures may be overly optimistic; in the second place, the checking function incurs a more than 100% increase in overhead.
It is therefore an object of the present invention to provide apparatus for tracking program execution so as to decrease the probability that improper processor functioning can give the appearance of appropriate operation. It is another object of the present invention to so decrease the probability of failing to detect improper processor operation without requiring either complicated apparatus external to the processor or the execution, internal to the processor, of complicated processing dedicated solely to proving appropriate operation. It is thus a further object of the invention to provide relatively simple apparatus for verifying appropriate program execution which is nevertheless capable of significantly decreasing the probability of failing to detect improper program execution.