The background description provided herein is for the purpose of generally presenting the context of the disclosure. Work of the presently named inventors, to the extent it is described in this background section, as well as aspects of the description that may not otherwise qualify as prior art at the time of filing, are neither expressly nor impliedly admitted as prior art against the present disclosure.
Referring now to FIG. 1A, a functional block diagram of a processor system according to the prior art is presented. A processor 100 executes instructions and reads and stores data. The data may be stored in a memory 104. In various implementations, the processor 100 may execute instructions from the memory 104 or from another memory (not shown), which may include flash memory or read only memory.
When the processor 100 writes safety-critical variables to the memory 104, the processor 100 uses a dual store module 108. Safety-critical variables may include throttle position, for example. If the stored value of the desired throttle position is erroneously increased, an increase in torque that the driver was not expecting may occur. The dual store module 108 therefore stores two copies of safety-critical variables from the processor 100 into the memory 104. These copies can be compared to detect inadvertent changes to one or the other of the copies.
A direct memory access (DMA) module 112 communicates with the memory 104. In various implementations, the DMA module 112 may be located on the bus between the dual store module 108 and the memory 104. The DMA module 112 transfers data to and from the memory 104 on behalf of peripherals 116. The DMA module 112 allows for memory transfers without burdening the processor 100.
Referring now to FIG. 1B, a functional block diagram of the memory 104 is shown. The dual store module 108 may store copies of the safety-critical variables into two memory blocks. For example, a first variable may be stored at 120-1 and at 120-2. This dual storage may also be performed for variable 2, variable 3, and so on.
When the processor 100 requests a read of one of the safety-critical variables, the dual store module 108 compares the two values read from the memory 104. A difference between the two values will signal an error condition. For example, a discrepancy between values of a desired throttle position may cause the processor 100 to choose the lower of the two throttle positions.
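The dual store and compare-on-read behavior described above can be modeled in software. The following C code is an added example, not part of the disclosure or of any implementation it describes. The names `dual_store_write`, `dual_store_read`, `corrupt_first_copy`, and `NUM_VARS`, the 16-bit variable width, and the sample values are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_VARS 3 /* assumed count of safety-critical variables */
enum ds_status { DS_OK, DS_MISMATCH, DS_BAD_INDEX };

/* Two separate memory blocks, standing in for locations 120-1 and 120-2. */
static volatile uint16_t block_a[NUM_VARS];
static volatile uint16_t block_b[NUM_VARS];

/* Store both copies of variable idx. */
enum ds_status dual_store_write(size_t idx, uint16_t value)
{
    if (idx >= NUM_VARS) return DS_BAD_INDEX;
    block_a[idx] = value;
    block_b[idx] = value;
    return DS_OK;
}

/* Read both copies and compare. On a mismatch, flag the error and hand back
 * the lower value, the choice the text gives for desired throttle position. */
enum ds_status dual_store_read(size_t idx, uint16_t *out)
{
    if (idx >= NUM_VARS || out == NULL) return DS_BAD_INDEX;
    uint16_t a = block_a[idx], b = block_b[idx];
    *out = (a < b) ? a : b;
    return (a == b) ? DS_OK : DS_MISMATCH;
}

/* Constructed fault: change only the first copy, standing in for an
 * inadvertent write into one block. */
void corrupt_first_copy(size_t idx, uint16_t value)
{
    if (idx < NUM_VARS) block_a[idx] = value;
}

int main(void)
{
    uint16_t throttle = 0;
    dual_store_write(0, 300);           /* constructed sample value */
    corrupt_first_copy(0, 900);         /* one copy erroneously increased */
    enum ds_status st = dual_store_read(0, &throttle);
    printf("status=%d throttle=%u\n", (int)st, (unsigned)throttle);
    return st == DS_MISMATCH ? 0 : 1;
}
```

The comparison detects that the copies differ but cannot tell which copy changed; selecting the lower value only biases the result away from an unexpected torque increase.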