1. Field of The Invention
The present invention relates generally to a circuit and method for detecting a failure of a microcomputer.
2. Description of The Background Art
Methods for detecting a failure in a microcomputer or a microprocessor (both are hereinafter referred to as a microcomputer) include the following four techniques.
First, failure in the microcomputer can be detected in hardware using redundant coding, e.g., a parity checking method. This method needs to be applied according to the object to be checked, from the viewpoint of fault tolerance. When it includes error correction, this method is referred to as ECC (Error Correcting Code) and is described in a Japanese magazine titled "Microcomputer Architecture" (Ohm Sha, page 209).
Second, a self-checking function is incorporated into the circuit itself so that the circuit performs the error check operation by itself. This is exemplified by a Japanese paper, "Electronic Information and Communication Society, Vol. 73, No. 9" (page 991 to page 999). In this case, a perfect check is possible for the failure model that the circuit construction presupposes, such as a uni-regenerate model, i.e., a single node fixed to 0 or 1.
Third, for example, three microcomputers are provided which carry out multiple time division transmission with each other and apply majority logic. This yields a functionally reasonable system architecture and can be used in a large-scale system such as a non-stop computer or aircraft running control.
Fourth, a monitoring function such as a watch-dog timer is added to the microcomputer, as exemplified by a Japanese book called "Microcomputer Handbook" on page 751. As disclosed in the Japanese book, the watch-dog timer is externally attached to the microcomputer.
In more detail, a counter installed in the watch-dog timer is reset in response to an instruction in a program of the microcomputer. When the program runs in an abnormal loop, the counter overflows and outputs an error signal. The error signal is used as a reset signal or interrupt signal to reset the microcomputer, to resume the series of processing tasks assigned to the microcomputer, or to exchange the microcomputer with a back-up microcomputer. In such failure detection by means of the watch-dog timer, no failure model is presupposed. Therefore, the hardware failure is not limited to the uni-regenerate model failure, and detection of failure by means of the watch-dog timer has the advantage that it can also detect software bugs, circuit design errors, and software errors in memories and/or gates.
However, with the first and second techniques described above, it is difficult to detect all failures. For example, the ECC method, which is limited to a restricted hardware resource, can detect and correct only a limited number of bits, and as the number of errors increases, error correction and detection can no longer be performed.
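The limit on ECC described above can be seen in a small model. The following is an added example, not part of the original document: it uses a Hamming(7,4) code, chosen here as an assumption because the text names no particular code, and the bit layout and function names are constructed for illustration. It counts how often the decoder returns wrong data for one, two and three flipped bits.

```c
#include <stdint.h>
#include <stdio.h>

/* Codeword layout (constructed for this example): positions 1..7 live in
   bits 0..6; positions 1, 2, 4 are parity, positions 3, 5, 6, 7 are data. */
uint8_t hamming74_encode(uint8_t d)
{
    uint8_t d0 = d & 1, d1 = (d >> 1) & 1, d2 = (d >> 2) & 1, d3 = (d >> 3) & 1;
    uint8_t p1 = d0 ^ d1 ^ d3, p2 = d0 ^ d2 ^ d3, p4 = d1 ^ d2 ^ d3;
    return (uint8_t)(p1 | (p2 << 1) | (d0 << 2) | (p4 << 3) |
                     (d1 << 4) | (d2 << 5) | (d3 << 6));
}

/* Syndrome = XOR of the positions of all set bits; 0 means "looks valid". */
int hamming74_syndrome(uint8_t cw)
{
    int s = 0;
    for (int pos = 1; pos <= 7; pos++)
        if ((cw >> (pos - 1)) & 1) s ^= pos;
    return s;
}

/* The decoder assumes at most one flipped bit and repairs the position
   named by the syndrome, then extracts the four data bits. */
uint8_t hamming74_decode(uint8_t cw)
{
    int s = hamming74_syndrome(cw);
    if (s) cw ^= (uint8_t)(1u << (s - 1));
    return (uint8_t)(((cw >> 2) & 1) | (((cw >> 4) & 1) << 1) |
                     (((cw >> 5) & 1) << 2) | (((cw >> 6) & 1) << 3));
}

static int popcount7(unsigned m) { int n = 0; for (; m; m >>= 1) n += m & 1; return n; }

/* Over all 16 data values and every error mask with `nflips` bits set,
   count the cases where the decoder returns the wrong data. */
int count_wrong(int nflips)
{
    int wrong = 0;
    for (unsigned d = 0; d < 16; d++)
        for (unsigned mask = 1; mask < 128; mask++)
            if (popcount7(mask) == nflips &&
                hamming74_decode((uint8_t)(hamming74_encode((uint8_t)d) ^ mask)) != d)
                wrong++;
    return wrong;
}

int main(void)
{
    for (int n = 1; n <= 3; n++)
        printf("%d flipped bit(s): %d wrong decodes\n", n, count_wrong(n));
    return 0;
}
```

Every single-bit error is repaired, every double-bit error is "repaired" into a different valid codeword, and some triple-bit errors produce a zero syndrome and pass as error-free.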
In addition, with the self-checking function, it is difficult to cope with a multiplex regenerate failure, a failure in which a transistor conducts in an intermediate state between turn-on and turn-off, or a gate software failure such as a gate circuit software error caused by α-ray irradiation of the gate circuit. In a microcomputer that carries out real-time processing, processing speed is a major problem. Therefore, a large-scale circuit structure incorporating such a sign check or self-checking function as described above undesirably increases the number of gate circuits and the delays.
In the third technique, the hardware structure grows tremendously, so that it is not practical to apply to a small or middle-sized computer system.
In the fourth technique, although the failure model is not limited, the source of errors cannot be located. Furthermore, it takes a long time to detect the failure, and the error may propagate over the whole system before it is detected.
To cope with the problems described above for each technique, a combination can be considered in which a microcomputer having the parity check function or an ECC structure is externally fitted with the watch-dog timer. However, this combination makes the whole structure complex and reduces the processing speed of the microcomputer.