Error detection/correction and fault detection/recovery – Data processing system error or fault handling – Reliability and availability
Reexamination Certificate
2001-10-22
2004-11-16
Bonzo, Bryce P. (Department: 2114)
C713S340000
Reexamination Certificate
active
06820220
ABSTRACT:
FIELD OF THE INVENTION
The present invention relates to a control unit for controlling safety-critical applications, having a microcomputer (MC), a monitoring unit (check unit, CU), and peripheral circuits (input output, IO). Furthermore, the present invention relates to a method for checking a microcomputer (MC) of a control unit for controlling safety-critical applications, the control unit having a microcomputer (MC), a monitoring unit (check unit, CU), and peripheral circuits (input output, IO).
BACKGROUND INFORMATION
In control units that control or regulate applications or functions that are critical with regard to safety, errors of the microcomputer (MC) or of a processor of the microcomputer may be detected by monitoring. Such control units having safety tasks are used, for example, for anti-lock braking systems, for traction control systems, and/or for electronic stability programs. The safety-critical applications controlled by the control unit are connected to the control unit via the peripheral circuits. In the case of single-computer control units, methods having a self-test, plausibility check, and watchdog may be available.
For testing CMOS chips (integrated circuits, IC) at the manufacturer, methods and measuring devices for measuring the quiescent current are used. The background of the so-called quiescent current test is that in a digital CMOS chip in purely static logic, it is believed that almost the entire power loss during the switching operations occurs in its interior. In the rest state, the current flow is restricted to tiny leakage currents as well as to currents through pullup resistors or pulldown resistors at the inputs and through external loads at the output drivers.
It is believed that various production-dependent errors may lead to increased conductivity between the positive and negative supply voltage, and that activating such defective regions (point defects) of the circuit causes the current consumption to increase abruptly. Such defects may be ascertained by a highly exact measurement of the current consumption during the test operation and a comparison to corresponding setpoint values. As already stated, such a quiescent current measurement may be used in the manufacture of CMOS chips to sort out the defective chips after the manufacturing process.
The quiescent current test method, which is believed to be available for use in the manufacturing of computer modules for the control units (as referred to above), may also be used to test the computer modules during their normal operation, detecting what may be the most frequent defects in the computer modules, in particular in the microcomputer (MC), e.g. lock-up errors (stuck-at), bridge errors (bridging), and/or interrupt errors (stuck-open).
An available approach for increasing reliability in the case of control units (as referred to above) involves providing two MCs, which reciprocally test one another by parallel computing and/or plausibility checks. However, cost considerations may suggest using only one MC for such control units.
SUMMARY OF THE INVENTION
An object of an exemplary method and/or exemplary embodiment of the present invention is to provide a control unit in which the reliability of the error detection is improved, and the detection is expanded to additional types of errors.
In an exemplary embodiment of the present invention, the monitoring unit (CU) has a first apparatus, arrangement or structure for measuring the quiescent current of the microcomputer (MC), at least one handshake line for controlling the measurement of the quiescent current runs between the first apparatus, arrangement or structure of the CU and the MC, the CU has a second apparatus, arrangement or structure for applying a test data input signal to the MC to process the test data input signal and compare the corresponding test data output signal of the MC to the corresponding test data output signal of the CU, and at least one test data signal transmission line runs between the second apparatus, arrangement or structure of the CU and the MC.
In accordance with the exemplary embodiment and/or exemplary method of the present invention, the reliability of the error detection can be increased by using two different test methods that supplement one another. In this manner, it is believed that a significantly greater number of different error types of the computer modules of the MC can be detected.
The control unit according to the exemplary embodiment of the present invention can also have a plurality of MCs and a plurality of CUs. However, the following assumes that the control unit has one MC and one CU. The CU of the control unit according to the exemplary embodiment of the present invention has a first apparatus, arrangement or structure for measuring the quiescent current of the MC.
At least one handshake line for controlling the measurement of the quiescent current runs between the first apparatus, arrangement or structure of the CU and the MC. The handshake line can, for example, be a bidirectional line.
After the control unit is switched on, the quiescent current is measured for a set number (typically 8 to 16) of selected commands within the framework of a test program. For example, 14 selected commands containing an internal machine cycle are processed for microcomputer TMS470.
To supplement the quiescent current measurement, the CU of the control unit according to the exemplary embodiment of the present invention has a second apparatus, arrangement or structure. At least one transmission line for test data signals runs between the second apparatus, arrangement or structure of the CU and the MC.
The second apparatus, arrangement or structure applies a test data signal to the MC. The MC calculates a test data output signal, which is dependent upon the test data input signal and the states inside the MC. Defective states result in a changed test data output signal of the MC.
In the second apparatus, arrangement or structure of the CU, the test data input signal is also processed to form a test data output signal that is used as a reference signal for checking the test data output signal of the MC. When calculating the test data output signal, the CU assumes an error-free, functioning MC. The completed calculation may have a “very simple” design.
The microcomputer does not have a double design, and the same computation is not carried out by the CU as by the MC, as is the case for parallel computer systems. Rather, starting from the input data of a predefined test function, the MC calculates the output data whose results are checked by the CU using the reference signal calculated by it. The test function used for calculating the output data may be “very simple” in its implementation. The calculation only requires minimal computing time. However, complex tests and results from the application programs can also be included in this test function.
Finally, the test data output signal of the CU is compared to the test data output signal of the MC. If they deviate from one another, or if the deviation exceeds a predetermined threshold value, the CU recognizes an error of the MC. The test result can be displayed by a display device, and/or it can be provided that, upon occurrence of an error, the system controlled and/or regulated by the control unit is switched off.
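The test-data check described in the preceding paragraphs can be sketched as follows; this is an added example, not code from the patent. The test function `test_fn`, the stuck-at fault model `mc_model`, and the sample inputs are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical "very simple" test function, known to both MC and CU. */
static uint16_t test_fn(uint16_t in) {
    return (uint16_t)((in * 3u) ^ 0x5A5Au);
}

/* Constructed MC model: stuck-at faults force output bits to 0 or to 1. */
typedef struct { uint16_t stuck0; uint16_t stuck1; } mc_model;

static uint16_t mc_respond(const mc_model *mc, uint16_t in) {
    uint16_t out = test_fn(in);          /* what a fault-free MC would compute */
    out &= (uint16_t)~mc->stuck0;        /* bits stuck at 0 */
    out |= mc->stuck1;                   /* bits stuck at 1 */
    return out;
}

/* CU side: reference computed assuming an error-free MC, then compared.
 * Returns 1 if the deviation exceeds the threshold (MC error recognized). */
static int cu_check(uint16_t in, uint16_t mc_out, uint16_t threshold) {
    uint16_t ref = test_fn(in);
    uint16_t dev = (uint16_t)(ref > mc_out ? ref - mc_out : mc_out - ref);
    return dev > threshold;
}

/* Apply every test input; returns how many of them exposed an MC error. */
static int cu_run(const mc_model *mc, const uint16_t *in, int n, uint16_t threshold) {
    int errors = 0;
    for (int i = 0; i < n; i++)
        errors += cu_check(in[i], mc_respond(mc, in[i]), threshold);
    return errors;
}

/* Constructed test data input signals. */
static const uint16_t TEST_INPUTS[] = {0x0000, 0x0001, 0x00FF, 0x1234};

int main(void) {
    mc_model ok = {0, 0}, s0 = {0x0008, 0};   /* s0: bit 3 stuck at 0 */
    printf("fault-free, threshold 0: %d errors\n", cu_run(&ok, TEST_INPUTS, 4, 0));
    printf("stuck-at-0, threshold 0: %d errors\n", cu_run(&s0, TEST_INPUTS, 4, 0));
    printf("stuck-at-0, threshold 8: %d errors\n", cu_run(&s0, TEST_INPUTS, 4, 8));
    return 0;
}
```

A stuck-at fault is only exposed by inputs whose fault-free output drives the affected bit to the opposite value, so the CU needs several test inputs; a nonzero threshold can also mask a fault in a low-order bit.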
According to another exemplary embodiment of the present invention, the first apparatus, arrangement or structure includes an IDDQ measuring circuit, a voltage supply, an IDDQ measuring run control (MAS), and a control system of the CU, and the connection between the first apparatus, arrangement or structure and the MC includes two handshake lines that run from the IDDQ-MAS to the MC and at least one voltage supply line that runs from the voltage supply to the MC, at least one of the voltage supply lines running through {or across} the IDDQ measuring circuit. In semiconductors, IDD designates the positive supply current. IDDQ designates the quiescent current. The handshake lines are, for example, configured as START and END handshak
Dominke Peter
Harter Werner
Lindenkreuz Thomas
Pfeiffer Wolfgang
Bonzo Bryce P.
Kenyon and Kenyon
Robert & Bosch GmbH