The design and function of programmable units such as microprocessors, microcontrollers and signal processors, etc., are known and require no further explanation.
One known problem with programmable units is that they can operate incorrectly for widely differing reasons. This is a major problem, particularly when using programmable units in safety-critical systems, for example when using programmable units for controlling an antilock braking system (ABS) or for controlling an airbag. Programmable units which are used in systems such as these have to operate correctly in all circumstances or, at least, it has to be possible to ensure that the system changes to a defined state when a fault occurs.
By far the most widely used option for this purpose is to design such systems to be redundant, that is to say to contain two or more specific components such as programmable units or parts of them, memory devices, etc.
If the redundantly provided components are operated in parallel, that is to say they carry out the same actions at the same time, then a comparison of specific results, states or events makes it possible to determine whether, and if appropriate which, of the redundantly provided components is or are operating incorrectly, and to automatically replace a component which is operating incorrectly with a correctly operating component, or to change the system to a defined state.
However, only those faults which do not occur at the same time in the redundantly provided components can be identified in this way. For example, the same fault can occur at the same time in two or more components in the event of brief drops in the supply voltage. In order to make it possible to identify faults such as these, it is possible to provide for the redundantly provided components to operate with a certain time offset. Faults which occur at the same time in redundantly provided components then have different effects, and it is possible to compare the results, states or events in order to determine whether and, if appropriate, which of the redundantly provided components is or are operating incorrectly.
However, this type of fault identification does not always work. In particular, faults which occur while the redundantly provided components are in the sleep mode cannot be identified. The fact that faults which occur in the sleep mode are not identified may at first glance appear to be insignificant. However, if these faults result in the same remaining (that is, persistent) change in the redundantly provided components, this is actually of major importance, because faults such as these cannot be identified after the redundantly provided components wake up. The system then appears to be operating correctly even though this is in reality not the case.
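The two comparison scenarios described above (parallel operation with and without a time offset) and the sleep-mode gap are illustrated by the following toy simulation. It is an added example, not code from the patent text: the instruction stream, the accumulator model and the fault model (a supply dip that zeroes whatever operand a unit is processing at that instant, or a persistent state value while the unit sleeps) are constructed assumptions.

```python
# Added example (not from the patent text): a toy simulation of two redundant
# units checked against each other by a comparator, showing why a time offset
# exposes a simultaneous transient fault and why a fault during sleep mode
# escapes the comparison entirely.

def execute(program, offset, fault_cycle, state):
    """Run one unit whose execution lags the reference unit by `offset` cycles.

    `program` is a list of operands added to an accumulator; `state` is a
    persistent value (e.g. a calibration constant) the unit keeps across sleep.
    Constructed fault model: at global cycle `fault_cycle` a supply-voltage dip
    zeroes whatever operand the unit is processing at that instant.
    Returns the per-step accumulator values that are fed to the comparator.
    """
    results, acc = [], state
    for step, operand in enumerate(program):
        if step + offset == fault_cycle:
            operand = 0
        acc += operand
        results.append(acc)
    return results

def first_mismatch(a, b):
    """Index of the first step where the two units disagree, or None."""
    for step, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return step
    return None

def lockstep(program, offset, fault_cycle, state_a=10, state_b=10):
    """Compare a reference unit (offset 0) against a unit delayed by `offset`."""
    return first_mismatch(execute(program, 0, fault_cycle, state_a),
                          execute(program, offset, fault_cycle, state_b))

def sleep_then_run(program, offset, sleep_cycles, fault_cycle, state=10):
    """Both units sleep for `sleep_cycles`, then run `program`.

    A fault landing in the sleep window (constructed model) leaves the same
    remaining change in the persistent state of both units: nothing is being
    executed, so the time offset has nothing to shift, and after wake-up both
    units compute identical (wrong) results that the comparator accepts."""
    if 0 <= fault_cycle < sleep_cycles:
        state = 0  # identical persistent corruption in both units
    return lockstep(program, offset, fault_cycle - sleep_cycles, state, state)

PROGRAM = [3, 5, 7, 11]  # constructed instruction stream

if __name__ == "__main__":
    print(lockstep(PROGRAM, 0, 2))           # None: same fault, same time, unseen
    print(lockstep(PROGRAM, 1, 2))           # 1: the offset turns it into a mismatch
    print(sleep_then_run(PROGRAM, 1, 4, 2))  # None: fault during sleep is missed
```

Only the third case is the sleep-mode problem the text describes: the comparator is blind to it because both units resume from the same corrupted persistent state.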