A microcontroller (hereinafter, also simply abbreviated as MCU) is a semiconductor integrated circuit that is embedded in equipment such as a home electric appliance, audio-visual equipment, mobile phone, automobile, industrial machine, or the like and carries out processings in accordance with a program stored in a memory, thereby controlling corresponding equipment.
In an automobile, a failure of a control unit may lead to an accident; therefore, parts including the MCU are required to have high reliability and are designed to have a safety function detecting a failure upon occurrence of the failure to avoid a dangerous state of the automobile. The MCU is not only required to diagnose sensors and actuators and detect failures thereof, but also required to detect failures of the MCU per se.
There are various methods for the MCU failure detection. One of them duplexes CPUs, causes them to carry out the same processings, and always compares bus values thereof and this method is often used. “IEEE MICRO December 1984” journal, “Fault Tolerance Achieved in VLSI” (Non-Patent Document 1) describes a method in which a master CPU and a checker CPU execute the same processing at the same time, and results are compared with each other by a comparison circuit.
A method capable of causing two CPUs to carry out switching therebetween and execute parallel operations and dual (redundant) comparing operations is proposed in the collection of papers “International Conference on Dependable Systems and Networks 2006”, pages 45 to 54, paper “A Reconfigurable Generic Dual-Core Architecture” (Non-Patent Document 2). When the CPU fetches a special instruction called “mode switching instruction”, the CPU stops operating and becomes a standby state for mode switching. When the two CPUs fetch the mode switching command instruction and become the standby state for mode switching, the CPUs start operating in a new mode. Performance is improved in a performance mode (parallel operation); and, in a safety mode (master/checker operation), a failure of the CPU can be detected by comparing outputs of the CPUs by a comparator, and safety is thus improved.