The invention relates to an integrated microprocessor system for safety-critical control systems, which microprocessor system executes at least one main program and one monitoring program, and to the use thereof in motor vehicles.
It is known to use, as a central control unit for safety-critical control systems, two complete microprocessor systems which are connected to one another, a first of which executes a main program and a second of which executes a monitoring program. Although this ensures separation between the main program and the monitoring program and substantially prevents the two programs from undesirably influencing one another, the use of two complete microprocessor systems is relatively complicated and costly, for example, in terms of the chip area, the expenditure on connections, the connection of the two microprocessor systems to one another, the separate operating systems and the power supply.
Document DE 195 29 434 A1, which is incorporated by reference, describes a microprocessor system with core redundancy for safety-critical control applications. In this known microprocessor system, two synchronously operated processor cores are provided on one or more chips which receive the same input information and execute the same program. The two processor cores are connected here by separate bus systems to the read-only memory (ROM) and to the read/write memory (RAM) as well as to input units and output units. The bus systems are connected to one another by means of driver stages or bypasses which permit the two processor cores to carry out joint reading and execution of the available data, including the checkdata and commands. The system permits a saving in terms of memory space. Only one of the two processor cores is (directly) connected to a fully-fledged read-only memory and read/write memory, while the memory capacity of the second processor core is restricted to memory locations for checkdata in conjunction with a checkdata generator. All the data can be accessed via the bypasses. As a result, the two processor cores are capable of respectively executing the entire program. This microprocessor system can also respectively execute a main program and a monitoring program in the two processor cores. However, the two programs may possibly undesirably influence one another in such a case, as a result of which in particular the reliability of the monitoring program for particularly safety-critical control operations is not sufficient.
Document WO 02/093287 A2, which is incorporated by reference, proposes a microprocessor system comprising two processor cores, to each of which in particular a read/write memory and two read-only memories are assigned, and an address comparator which compares the addresses of a processor core with fixed address areas which are assigned to a program for safety-critical functions and to a program for comfort functions.