The typical application fields of embedded processing systems and Electronic Control Units (ECUs) covered by the proposed invention span the major embedded systems market segments:
    1. Automotive ECUs, Multi-Media Units, Telematics-Units
    2. Industrial Control Units (machinery tool control, manufacturing-line control units)
    3. Home-Appliance Electronic Control Units
    4. Commercial and Industrial Diagnostics Equipment tools.
The term “embedded system” is to be understood as any computing system or computing device that performs at least one dedicated function or is designed for use with a specific software application, and which forms part of a larger technical context “embedding” or surrounding said system, i.e., any technical unit, technical device, technical system or technical plant, e.g. a car, an aircraft, an industrial production line, etc. As the electronic systems built into (embedded in) modern automobiles are characterized by significant rates of growth, the present invention is of significant value to this emerging market, directs a specific focus thereto, and is distinguished from the prior art of this application field below.
In recent years, the amount of embedded electronics in automobiles has increased dramatically. Due to this increased relevance of the embedded electronics of modern automobiles, the invention is advantageous to this industry sector. The aggregated value of the electronics installed in today's high-end vehicle already represents 20% to 30% of the value of the entire vehicle. This change in the ‘nature’ of today's automobiles has various consequences.
Previously, in keeping with the mechanical nature of automobiles, potential vehicle defects were normally dominated by mechanical wear-out and associated malfunctions. Due to the described increase in electronics complexity and electronic component volume, the nature of vehicle failures is changing. As documented in vehicle breakdown statistics, vehicle defects throughout the vehicle lifecycle are already dominated by electronic system failures.
Thus, in order to meet future requirements of this industry sector, the general requirements particularly relevant for future automotive embedded systems are the following:
    1. Improved electronics reliability,
    2. Cost effectiveness of the electronic components,
    3. Fault tolerance for all safety related electronic systems and mechanical systems,
    4. Autonomic system behavior for the major vehicle electronic subsystems,
    5. Advanced diagnostic and maintenance capabilities,
    6. System ‘upgrade’ and EC change capability (embedded software and firmware update).
Before discussing the disadvantages of prior art vehicle embedded systems, their basic structure and function will be described with reference to FIGS. 1 and 2 next below.
Prior art embedded automotive systems comprise a communication ECU 10 connecting the vehicle to external systems (WAN) via an interface to a wireless network, such as GSM. Further, a plurality of real-time ECUs 12, 14, 16 is provided, each ECU being dedicated to performing a specific function in the vehicle. Examples are opening/closing the doors and the windows, controlling the lights, etc. They have specific I/O subsystems connecting to a variety of real-time buses 13, such as CAN1, CAN2, CAN3, VAN, J1850, and the like. Further, a multimedia (MM) ECU 18 is provided, offering the human/machine interface (HMI) and thus audio and video (multimedia, abbreviated herein as MM) capabilities to people using the vehicle. The multimedia ECU head unit 18 is thus provided with a specific multimedia supporting I/O bus 19, e.g. a MOST bus. The functional elements of the communication ECU 10, real-time ECU 12 and multimedia head unit 18, each shown in a respective broken-line frame, are often combined in the prior art into a single functional unit, referred to herein as the “automotive telematics ECU”. The before-mentioned single ECUs are connected via an inter-ECU bus having reference sign 11.
With further reference to FIG. 2 the before-mentioned automotive telematics ECU is described in more detail.
The real-time ECU 12 comprises a real-time processor (CPU (1)) 20, connected to a respective storage subsystem 24 and to a specific I/O subsystem 26 connecting to various sensor devices and to the before-mentioned real-time bus 13, e.g. CAN. An instruction sequence is processed in a processing branch 1, i.e. a processing element or processing subsystem having reference sign 22.
The before-mentioned multimedia ECU 18 comprises a respective, high performing main processor (CPU (2)) 28, connected to a respective storage subsystem 32 and to respective I/O subsystems 34 for providing multicolour display, voice driven system input, etc. The multimedia ECU is connected to the multimedia bus 19. Both ECU functions 12 and 18 are provided within a single housing, which plays, however, a minor role in the context of the present invention.
It should be noted that the real-time processor 20, herein referred to also as CPU (1), has less performance but should be able to quickly handle any necessary interrupts, and the storage subsystem 24 of the real-time ECU is considerably smaller than that of the multimedia ECU 18, for example 512 KB in relation to 64 MB. The two internal processing branches cooperate in a loosely coupled multiprocessing way. The typical functional services of processing branch 1, reference sign 22, are real-time related. Functions such as unlocking the vehicle doors, starting the engine, controlling the lights, etc. are processed. Typically, this processing branch requires a performance equivalent of 20 MIPS and a storage footprint of 500 KB. The processing branch 2, reference sign 30, is run by a respective high-performing multimedia processor 28, also referred to herein as main CPU (2), which represents the main processing system of the multimedia ECU 18 and is provided with the major processing performance and a respective large system storage, as mentioned above. Typical functions of the main multimedia processor are, for example, driver authentication, driver speech recognition, and HMI facilities in the field of audio, video and haptic capabilities.
A system fault handler 36 of the prior art system monitors the functionality of the components described above and detects error status situations of single functional units. If an error status is detected, the fault handler 36 switches to a redundantly provided “shadow system”, depicted with reference sign 39, which continues operation after a respective reboot procedure.
In case of a CPU failure, the entire processing-branch related functionality will be lost, and in case of a storage subsystem failure, the entire processing-branch-related functionality will be lost.
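The fail-over behaviour of the prior-art fault handler 36 and shadow system 39, modelled as an added example (not code from the original document). All type and function names are hypothetical, and the model assumes, as stated above, that a CPU or storage fault takes down the whole processing branch.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of one prior-art processing branch; names are hypothetical. */
enum component { CPU, STORAGE, N_COMPONENTS };
enum branch_state { RUNNING_PRIMARY, RUNNING_SHADOW, LOST };

struct unit { bool ok[N_COMPONENTS]; };   /* one CPU plus its storage subsystem */
struct branch {
    struct unit primary;
    struct unit shadow;                   /* full redundant copy ("shadow system" 39) */
    enum branch_state state;
    unsigned reboots;                     /* each switch-over costs a reboot */
};

static bool unit_healthy(const struct unit *u) {
    for (int i = 0; i < N_COMPONENTS; i++)
        if (!u->ok[i]) return false;      /* one failed part fails the whole unit */
    return true;
}

/* Fault handler (ref. 36): check the active unit, fail over to the shadow if needed. */
enum branch_state fault_handler_poll(struct branch *b) {
    if (b->state == RUNNING_PRIMARY && !unit_healthy(&b->primary)) {
        b->state = RUNNING_SHADOW;        /* the whole branch moves, not one part */
        b->reboots++;
    }
    if (b->state == RUNNING_SHADOW && !unit_healthy(&b->shadow))
        b->state = LOST;                  /* no redundancy left: functions are lost */
    return b->state;
}

struct branch new_branch(void) {
    struct branch b = { {{true, true}}, {{true, true}}, RUNNING_PRIMARY, 0 };
    return b;
}

/* Constructed scenario: storage fault in the primary, then CPU fault in the shadow. */
enum branch_state run_scenario(unsigned *reboots_out) {
    struct branch rt = new_branch();
    rt.primary.ok[STORAGE] = false;
    fault_handler_poll(&rt);              /* switches to the shadow after a reboot */
    rt.shadow.ok[CPU] = false;
    enum branch_state s = fault_handler_poll(&rt);
    *reboots_out = rt.reboots;
    return s;
}

int main(void) {
    unsigned reboots = 0;
    enum branch_state s = run_scenario(&reboots);
    printf("final state=%d reboots=%u\n", (int)s, reboots);
    return 0;
}
```

The model makes the cost visible: tolerating a single component fault requires duplicating the entire unit, and a second fault in the duplicate still loses every function of the branch.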
Typical solutions to provide fault tolerance and increased reliability are realized by applying massively redundant systems and subsystems. The drawbacks of this redundancy are: high system costs; increased physical dimensions in size and mass; increased power dissipation; and increased electronic volume, and therefore increased potential for subsequent failures.
It is thus an objective of the present invention to provide an improved embedded system, and a method to operate it, which require fewer redundant components.