The present invention discloses a method and device for checking an error control unit in a circuit.
In many digital circuits it is highly important that their serviceability can be checked reliably. The operational reliability of such digital circuits must be established beyond doubt when they are used in safety-related circuits, for example in the construction of automobiles. For this reason, digital circuits frequently include error control units that observe the performance of the digital circuits and generate an error signal when a state indicating an error occurs. Thus, for example, it can be determined whether redundant components run synchronously, and an error signal would be generated if the data in the redundant components were not the same. In the same way, signals can be picked up at individual points in the circuit and queried about non-permissible states or similar conditions. The error control unit can also monitor signals on interconnecting cables, e.g. on a system bus, and generate an error signal when a state indicating an error occurs.
A process for automatically controlling the execution of a sequence of orders in a microprocessor is described in the journal Electronique, issue no. 24, January 1993, pp. 53-59. In this process the time period for executing a sequence of orders is specified and compared to a preset reference time. An external circuit WD which receives a pulse for the reset is provided for defining the time period for executing the sequence of orders. If the time needed for carrying out the orders is too long or too short, if the reset pulse is generated not at all, too early or too late, then the executing time will deviate from the reference time and the occurrence of an error can be indicated immediately. In addition, a test routine is described for this process, by means of which the operational reliability of the circuits can be checked. For this purpose, software is applied to suppress reset pulses to the circuit WD, causing the duration of the program run to be extended in a non-permissible way. Then it is checked whether an error can be detected. In order to ensure that this “intentional” error is not interpreted as an actual error from outside, the method provides, on the one hand, for a reset pulse to be emitted again and, on the other hand, for a filtering process to be carried out with the aid of a filtering device, so that an error signal is generated only on the basis of an error that is recognized as a relevant error.
Since errors occur relatively seldom in digital circuits, corresponding error control units become active comparatively seldom. Hence, it cannot be proven definitively whether the error control unit is working properly.
The object of the present invention is a method and device for checking an error control unit, wherein these have a simple design and can detect different error conditions.
Before individual embodiments of the invention are described on the basis of the drawings, the terminology used in this application will be explained so as to avoid any misunderstandings. The above-mentioned safety-related circuit whose operational reliability is to be checked is referred to as “circuit” or “digital circuit”. When it does not work properly, this is referred to as an “error”. The circuit is monitored by an “error control (unit)”. When an error occurs, the error control unit emits an “error signal”. According to the present invention, a “method for checking” or a “device for checking” the proper functioning of the error signal or the error control unit generating the signal is applied. It should be noted that the monitored circuit on the one hand and the error control unit on the other hand do not necessarily have to be set up discretely, i.e. separately; for example, they can be components of a microprocessor and may not be distinguishable physically. The error control unit emits the above-mentioned error signal when a state indicating an error in the circuit occurs, with the error control unit being checked according to the present invention. If the check of the error control unit according to the present invention shows that the error control unit itself is defective (since it does not emit the error signal at all or not correctly), the checking device according to the present invention or the checking method according to the present invention generates an “alarm signal”.
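The following added example, which is not part of the original text or of the claimed device, models the watchdog test routine from the Electronique paragraph together with the error signal and alarm signal terminology defined above. The type and function names, the `stuck` flag and the 10 to 20 tick window are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical window watchdog standing in for the error control unit.
   The reset pulse must arrive t_min..t_max ticks after the previous one.
   "stuck" models a defective unit that never emits its error signal. */
typedef struct { unsigned t_min, t_max; bool stuck; } watchdog_t;

/* Constructed sample units, not values from the page. */
static const watchdog_t WD_OK    = { 10, 20, false };
static const watchdog_t WD_STUCK = { 10, 20, true  };

/* Error signal: pulse missing, too early, or too late. */
static bool wd_error_signal(const watchdog_t *wd, bool pulse, unsigned elapsed)
{
    if (wd->stuck)
        return false;
    if (!pulse)
        return true;
    return elapsed < wd->t_min || elapsed > wd->t_max;
}

typedef struct { bool error_out; bool alarm; } check_result_t;

/* One monitoring step. In self-test the reset pulse is suppressed on
   purpose; the resulting error signal is filtered (not forwarded as a
   real error), and its absence raises the alarm signal instead. */
static check_result_t step(const watchdog_t *wd, bool pulse,
                           unsigned elapsed, bool self_test)
{
    check_result_t r = { false, false };
    bool err = wd_error_signal(wd, self_test ? false : pulse, elapsed);
    if (self_test)
        r.alarm = !err;      /* injected fault went undetected */
    else
        r.error_out = err;   /* genuine error, passed to the outside */
    return r;
}

int main(void)
{
    check_result_t a = step(&WD_OK, true, 25, false);    /* late pulse */
    check_result_t b = step(&WD_OK, true, 15, true);     /* self-test, healthy */
    check_result_t c = step(&WD_STUCK, true, 15, true);  /* self-test, defective */
    printf("late: error=%d  test ok: error=%d alarm=%d  test stuck: alarm=%d\n",
           a.error_out, b.error_out, b.alarm, c.alarm);
    return 0;
}
```

Without the self-test, the defective unit is indistinguishable from a healthy one monitoring a fault-free circuit, because both stay silent.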