US Patent specification 2009/0164826 describes a data processor unit having at least two integrated execution units. Such a data processor unit is known as dual core or multi-core architecture and may be used in a computer system for applications critical with regard to safety, such as certain vehicle control applications, in a configuration in which the execution units redundantly process the same program elements in close synchronization in an error detection mode. Such a processor unit may also be used in a computer system for applications which are less critical with regard to safety in a performance mode in a configuration in which the two execution units or cores process different programs or tasks allowing enhanced performance, faster than the capacity of a single execution unit, since the execution units run in parallel. The processor unit described is capable of switching between an error detection mode and a performance mode.
Lock-step processing is an error detection mode of operation of a processor unit having redundant execution units, in which the redundant execution units run the same set of operations at the same time. Full lock-step operation requires synchronous processing of each of the operations and step-by-step comparison of the results of each operation from the different execution units. A device capable of both lock-step processing and parallel independent processing has to balance the two modes, which often results in a suboptimal implementation of either mode.
FIG. 1 shows such a lock-step architecture. The execution unit subsystems 101 and 102 run in lock-step mode. The subsystems 101 and 102 exchange data with each other and with memories 103 and peripherals 104 as shown by arrows 105, 106 and 107, respectively. Redundancy Control Checker Units (RCCUs) 108 compare all output data of the subsystems and produce error data to alarm the system if the output data from the different subsystems differ. Many additional connections are required to connect the RCCUs 108 to all data coming from the subsystems 101 and 102, especially because these connections and the RCCUs have to be redundant as well to reduce common cause failure possibilities.
Lock-step operation, like any redundant execution, approximately halves the available performance because two cores execute the work of one. Decoupled parallel operation provides the full performance of a dual-core system but suffers a greater risk of undetected errors unless software-synchronized replication of safety-relevant software is used. A hybrid system is possible which executes safety-relevant software in lock-step mode and non-safety-relevant software in decoupled mode.
In the lock-step process described in US Patent specification 2009/0164826, operation of one CPU is delayed relative to the operation of the other CPU, and the output of the other CPU is delayed by the same delay before comparison with the output of the delayed CPU, so as to restore synchronization for the comparison. This is typically called “delayed lock-step”. In this way certain errors having common causes can be detected if they affect the two CPUs at different stages of execution. But this does not avoid the reduction in the performance due to redundant execution.
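The effect of the delay on common-cause faults can be seen in a small simulation. The following C code is an added example, not taken from the cited patent specifications; the toy execution unit `step`, the fault model (the same XOR mask applied to the state of both cores in the same clock cycle) and all names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define N_INSTR 16 /* length of the constructed instruction stream */

/* Toy execution unit (assumption): one instruction folds an input word into the state. */
static uint32_t step(uint32_t state, uint32_t in) { return state * 31u + in; }

/*
 * Two redundant cores process the same inputs. Core B runs `delay` cycles
 * behind core A, and core A's outputs are held in out_a[] until core B has
 * produced the result of the same instruction, which restores alignment
 * for the comparison. A common-cause transient XORs fault_mask into the
 * state of every core that is executing during clock cycle fault_cycle.
 * Returns the cycle at which the comparator first sees a mismatch, or -1.
 */
int lockstep_run(int delay, int fault_cycle, uint32_t fault_mask)
{
    uint32_t in[N_INSTR], out_a[N_INSTR];
    uint32_t sa = 1, sb = 1;

    if (delay < 0) delay = 0;
    for (int i = 0; i < N_INSTR; i++) in[i] = 0x1000u + (uint32_t)i; /* constructed inputs */

    for (int cycle = 0; cycle < N_INSTR + delay; cycle++) {
        int ia = cycle, ib = cycle - delay; /* instruction index per core */
        int hit = (cycle == fault_cycle);
        if (ia < N_INSTR) {
            sa = step(sa, in[ia]);
            if (hit) sa ^= fault_mask;
            out_a[ia] = sa;                 /* delayed output of core A */
        }
        if (ib >= 0) {
            sb = step(sb, in[ib]);
            if (hit) sb ^= fault_mask;
            if (out_a[ib] != sb) return cycle; /* comparator raises the error */
        }
    }
    return -1;
}

int main(void)
{
    printf("no delay, common fault at cycle 5: detected at %d\n", lockstep_run(0, 5, 0x4u));
    printf("delay 2,  common fault at cycle 5: detected at %d\n", lockstep_run(2, 5, 0x4u));
    return 0;
}
```

With no delay both cores are corrupted identically at the same instruction and the comparator stays silent; with a delay of two cycles the same disturbance hits the cores at different instructions and is flagged in the cycle in which it occurs.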
US Patent Specification 2008/0244305 also describes a method for delayed lock-step comparison of central processor unit (‘CPU’) outputs of a micro controller having a dual CPU architecture.
Our international Patent Application WO/2008/146091 describes a data processing system having components which are operable in a synchronized mode and a non-synchronized mode with respect to each other. A configuration control system may be arranged to enable, depending on the configuration, communication of data to the respective component via one or more selected data paths and to inhibit communication via the data paths that are not selected. The use of resources, such as data processing capacity, memory use, bandwidth, and/or power consumption, may be adjusted in the non-synchronized mode to the specific requirements of the application. Thereby, a more efficient use of the resources may be obtained. However, the speed of operation in the synchronized mode is not increased. This system performs explicit switching between the synchronized lock-step mode and the non-synchronized decoupled parallel mode. However, the switching process is complex and time-consuming, as it flushes out buffers and synchronizes the internal states of both cores. Also, switching between the two modes involves disabling interrupts, which is normally acceptable only for very short time spans.
European Patent specification EP 1496435 describes a data processing system stated to reduce software and hardware complexity using a fault tolerant processing unit for validation of operation of a CPU. However, the proposal requires pre-characterization of the software.