CN101048746A

CN101048746A - Method and device for switching over in a computer system having at least two execution units

Info

Publication number: CN101048746A
Application number: CN 200580036442
Authority: CN
Inventors: R·魏贝尔勒; B·米勒; Y·科拉尼; R·格梅利希; E·贝尔
Original assignee: Robert Bosch GmbH
Current assignee: Robert Bosch GmbH
Priority date: 2004-10-25
Filing date: 2005-10-25
Publication date: 2007-10-03
Also published as: CN101048756A; DE102004051937A1; CN100561424C; CN101048753A; CN101069153A; CN101048760A

Abstract

The invention relates to a method and a device for evaluating a signal of a computer system comprising at least two execution units. It is possible to switch between at least two operating modes in said computer system, a first operating mode corresponding to a comparison mode and a second operating mode corresponding to a performance mode. The invention is characterised in that a mode signal indicating the current operating mode and/or changes in the mode signal can be generated in the computer system, and at least changes in the mode signal and/or the mode signal itself can be used for evaluation outside the computer system.

Description

Be used to estimate the method and apparatus of the signal of computer system with at least two performance elements

Background technology

Become the problem of integrated semiconductor circuit day by day by α particle or the caused transient fault of cosmic radiation.Increase owing to the voltage of the structure width that reduces, decline and the clock frequency of Geng Gao with lower probability, promptly in integrated circuit, make the logical value distortion by α particle or the caused voltage peak of cosmic radiation.The possibility of result is wrong result of calculation.Therefore, in the important system of security, especially in automobile, this fault must be detected reliably.Must detect reliably therein in the important system's (such as ABS regulating system in the automobile) of the security of function error of electronic equipment, redundance is used to Fault Identification usually in the control corresponding device of this system.Therefore, for example in known ABS system, complete microcontroller doubles respectively, calculates all ABS functions wherein redundantly, and consistance is checked.If the result's is inconsistent, then the ABS system is disconnected.

On the one hand, the basic module of microcontroller is memory module (for example RAM, ROM, high-speed cache), core and input/output interface, so-called peripherals (for example A/D converter, CAN interface).Because memory element can utilize check code (odd even or ECC) monitored effectively, and peripherals is exclusively monitored as the part of sensor or executive component signal path usually, so there is other redundancy scheme when doubling the core of microcontroller uniquely.

This microcontroller with two integrated cores is also referred to as dual-core architecture.Identical program segment is carried out on two core redundancy ground and clock synchronization ground (step lock (Lockstep) pattern), and the result of two cores is compared, so and when consistance was compared, fault was identified.This configuration of double-core system is also referred to as comparison pattern.

In other application, dual-core architecture also is used to raise the efficiency, and also promptly is used to improve performance.Two cores are carried out different program, program segment and instruction, can improve by implementation efficiency thus, so this configuration of double-core system can be called as performance mode.This system is also referred to as symmetric multiprocessor system (SMP).

The expansion of this system be by means of to the visit of particular address and special-purpose hardware device by the conversion of software between these two kinds of patterns.In comparison pattern, the output signal of core is compared mutually.In performance mode, two cores are worked as symmetric multiprocessor system (SMP), and carry out different programs, program segment or instruction.

Use therein in the automotive system of this computer system, answer test mode in order to ensure.Therefore, task of the present invention provide can evaluation model information method and apparatus.

Summary of the invention

Advantageously, use a kind of method that is used to estimate the signal of computer system with at least two performance elements, wherein, in this computer system, between at least two mode of operations, change, and first mode of operation is corresponding with comparison pattern, and second mode of operation is corresponding with performance mode, it is characterized in that, in computer system, produce the variation of mode signal and/or mode signal, this mode signal shows just residing mode of operation, and variation and/or this mode signal itself of the signal that supplies a pattern at least outside this computer system are used to estimate.

Advantageously, use a kind of method, the wherein variation of evaluation model signal and/or mode signal in the assembly of computer system outside.

Advantageously, use a kind of method, the wherein variation of evaluation model signal and/or mode signal in security component, especially watchdog timer.

Advantageously, use a kind of method, the wherein variation of evaluation model signal and/or mode signal in processing unit, especially second computer system.

Advantageously, use a kind of method, wherein following the evaluation, promptly only within mode of operation that can be scheduled according to the variation of mode signal and/or mode signal discharge can be scheduled operation.

Advantageously, use a kind of method, wherein following the evaluation only discharges the scheduled function of energy of external module according to the variation of mode signal and/or mode signal within mode of operation that can be scheduled.

Advantageously, use a kind of method, wherein external module monitors the conversion of comparison pattern.

Advantageously, use a kind of method, external module Be Controlled under mode of operation that can be scheduled only wherein, and this variation according to mode signal and/or mode signal is monitored.

Advantageously, use a kind of method, wherein external module comprises information, these information explanations, and by which switching signal, the especially conversion of look-at-me realization mode of operation, and this variation according to mode signal and/or mode signal is monitored.

Advantageously, use a kind of method, wherein carry out Fault Identification by carrying out question and answer communication as estimating.

Advantageously, use a kind of method, wherein carry out Fault Identification like this, make the variation of mode signal and/or mode signal and predetermined information are compared, and departing from or identifying fault when consistent as estimating.

Advantageously, use a kind of method, wherein carry out Fault Identification like this, make the information that will constitute and predetermined information compare, and departing from or identifying fault when consistent according to the variation of mode signal and/or mode signal as estimating.

Advantageously, use a kind of method, wherein according to the variation of mode signal and/or mode signal by monitor the conversion of mode of operation at the assembly of computer system outside.

Advantageously, use a kind of method, wherein the variation of mode signal and/or mode signal ensures by at least one additional information.

Advantageously, use a kind of method, wherein the variation of mode signal and/or mode signal ensures in the following manner, promptly doubles the variation of mode signal and/or mode signal at least.

Advantageously, use a kind of method, wherein the variation of mode signal and/or mode signal ensures as the double track signal.

Advantageously, use a kind of method, the mode of operation more than two wherein is set, between these mode of operations, change.

Advantageously, use a kind of method, wherein mode of operation sign in order to show that corresponding work mode setting can be configured.

Advantageously, use a kind of method, wherein pointer variable in order to show that corresponding work mode setting can be configured.

Advantageously, use a kind of method, wherein carry out Fault Identification, wherein in the scope of Fault Identification, produce at least one fault-signal according to the variation of mode signal and/or mode signal.

Advantageously, use a kind of method, wherein applicating counter in the assembly externally.

Advantageously, use a kind of method, wherein mode signal is many-valued in this wise, makes to represent pattern more than two by mode signal.

Advantageously, use a kind of equipment that is used to estimate the signal of computer system with at least two performance elements, wherein, in this computer system, between at least two mode of operations, change, and first mode of operation is corresponding with comparison pattern, and second mode of operation is corresponding with performance mode, it is characterized in that, comprise device in computer system, these devices are configured like this, make these install the variation that produces mode signals and/or mode signal, this mode signal shows just residing mode of operation, and variation and/or this mode signal itself of the signal that supplies a pattern at least outside this computer system are used to estimate.

Advantageously, use a kind of equipment, wherein the assembly in the computing machine outside is comprised in this equipment, the variation of this appraisal of equipment mode signal and/or mode signal.

Advantageously, use a kind of equipment, wherein external module is security component, particularly watchdog timer.

Advantageously, use a kind of equipment, wherein watchdog timer is the watchdog timer that successively decreases.

Advantageously, use a kind of equipment, wherein external module is executive component or executive component Control Component.

Advantageously, use a kind of equipment, wherein produce mode signal in this wise, make and to represent pattern more than two by this mode signal.

Other advantage and favourable improvement project are drawn by the feature and the instructions of claim.

Description of drawings

Figure 1 illustrates a kind of multicomputer system G60, it has two performance element G10a, G10b, comparing unit G20, converting unit G50 and conversion hope recognition unit G40.

Figure 2 illustrates a kind of multicomputer system G60, combined type comparison and converting unit G70 and conversion hope recognition unit G40 that it has two performance element G10a, G10b, is made up of comparing unit G20 and converting unit G50.

Figure 3 illustrates a kind of multicomputer system G60, the identification of combined type conversion hope, comparison and converting unit G80 that it has two performance element G10a, G10b, is made up of comparing unit G20 and converting unit G50 and conversion hope recognition unit G40.

Figure 4 illustrates a kind of multicomputer system G200 with two performance element G210a, G210b and conversion and comparing unit G260.

Show a kind of method in Fig. 5 in a flowchart, described method makes specific undefined bit pattern and NOP or other neutral bit pattern exchange in specific pipeline stages G230a, G230b.

A kind of multicomputer system H200 shown in Figure 6 with two performance element H210a, H210b and conversion and comparing unit H260.

Show a kind of method in Fig. 7 in a flowchart, how described method explanation can come separable programming stream by means of unit ID when comparison pattern is transformed into performance mode in the multicomputer system with two performance elements.

Figure 8 illustrates a kind of in multicomputer system with three performance elements in the possible method that how can come separable programming stream when comparison pattern is transformed into performance mode by means of unit ID.

Show a kind of method in Fig. 9 in a flowchart, described method makes performance element synchronous when performance mode is transformed into comparison pattern.

Figure 10 illustrates a kind of state automata, it is illustrated in the conversion between performance mode and the comparison pattern.

Figure 11 illustrates a kind of multicomputer system G400, it has interruptable controller G420a, the G420b and different interrupt source G440a to G440n of interrupt mask register G430a, G430b that two performance elements and two comprise wherein being contained.

A kind of two performance elements, conversion and comparing units and multicomputer system of comprising shown in Figure 12 with interruptable controller of three registers group.

Figure 13 illustrates the simple form of comparing unit.

Figure 14 illustrates the comparing unit with the unit that is used for the compensation of phase skew.

Figure 15 illustrates the principle features of preferred assembly M700 (conversion and comparing unit) in comparison pattern.

Figure 16 illustrates the principle features of preferred assembly M700 (conversion and comparing unit) in performance mode.

Figure 17 illustrates the form of implementation of conversion and comparing unit.

Figure 18 illustrates another form of implementation of conversion and comparing unit.

Figure 19 illustrates the conversion and the comparing unit that produce mode signal.

Figure 20 illustrates the general expression of conversion and comparing unit.

Figure 21 illustrates and produces general modfel and the conversion of generic failure signal and the general expression of comparing unit.

Figure 22 illustrates with the question and answer of external unit and communicate by letter.

Figure 23 illustrates and the communicating by letter of intelligent executive component.

Embodiment

Below, not only processor, core, CPU but also FPU (floating point unit), DSP (digital signal processor), coprocessor or ALU (ALU) can be called as performance element.

The present invention relates at the multicomputer system G60 shown in Fig. 1, Fig. 2, Fig. 3, described multicomputer system G60 has at least two performance element G10a, G10b, comparing unit G20, converting unit G50 and conversion hope recognition unit G40.Converting unit G50 has at least two output terminals at least two system interface G30a, G30b.Register, storer and as the peripherals of digital output terminal, D/A converter, communication controler can be via these interface Be Controlled.This multicomputer system can be with at least two kinds of mode of operations, be the operation of comparison pattern (VW) and performance mode (PM).

Under performance mode, different instructions, program segment or program be parallel enforcement in different performance elements.Under this mode of operation, comparing unit G20 is by deactivation.Under this mode of operation, converting unit G50 so is configured, so that each performance element G10a, G10b are connected with system interface G30a, G30b.At this, performance element G10a is connected with system interface G30a, and performance element G10b is connected with system interface G30b.

Under comparison pattern, identical or similar instruction, program segment or program are performed in two performance element G10a, G10b.Advantageously, these instructions are performed in the mode of clock synchronization, but the execution with asynchronism or defined clock jitter also can be imagined.The output signal of performance element G10a, G10b is compared in comparing unit G20.Not not simultaneously, identify fault, and can take appropriate measures.These measures can trigger fault-signal, introduce fault handling, and split and put line operate into, or the combination of these measures and other measure that can imagine.In a kind of flexible program, converting unit G50 so is configured, and makes to have only a signal to be connected to system interface G30a, G30b.In another kind configuration, that converting unit only causes compare and so identical signal be connected on system interface G30a, the G30b.

The effective patterns just in time of not relying on conversion hope recognition unit G40 detects the hope to another mode switch.

As shown in FIG. 2, in the form of implementation of above-mentioned fact of case, converting unit G50 and comparing unit G20 can be combined into common conversion and comparing unit (UVE) G70.So this common assembly G70 takes over the task of single component G50, G20.The enforcement flexible program of UVE G70 has been shown in Figure 15, Figure 16, Figure 17, Figure 18 and Figure 19.

As shown in FIG. 3, in another form of implementation, conversion hope recognition unit G40, comparing unit G20 and converting unit G50 can be combined among the common assembly G80.In another (not shown) form of implementation, conversion hope recognition unit G40 and comparing unit G20 can be combined in the common assembly.Conversion hope recognition unit G40 and converting unit G50 be combined in the common assembly can imagine equally.

Hereinafter, if there is not other explanation, then starting point is to have conversion hope recognition unit G40 and combined type conversion and comparing unit G70.

Also, figure 20 illustrates the generalized case of conversion and comparing component at application more than two performance elements.N signal N140 ..., N14n leads to conversion and comparing component N100 from n performance element to be considered.This conversion and comparing component N100 can by the generations of these input signals until n output signal N160 ..., N16n.Under the simplest situation (i.e. " pure performance mode "), all signal N14i are introduced to corresponding output signal N16i.The opposition border condition (i.e. " pure comparison pattern ") under, all signal N140 ..., N14n only be introduced among the output signal N16i just what a.

Can illustrate how to form the different patterns of imagining by this figure.For this reason, the logic module that comprises switching logic N110 in the figure.This assembly needn't exist as distinctive assembly.Conclusive is described function in the realization system.Switching logic N110 at first is determined to the end for what output signals.This switching logic further determines, which in the output signal in the input signal which help.At this, an input signal can just in time help an output signal.Differently explain just to define with minor function by switching logic with mathematical form, this function will gather N160 ..., and the element of N16n} distribute to set N140 ..., each element of N14n}.

So processing logic N120 determines at each that export among the N16i: input helps this output signal with which kind of form.This assembly also needn't exist as distinctive assembly.Conclusive is again described function in the realization system.In order exemplarily to describe different modification possibilities, suppose not limiting under the general situation, output N160 by signal N141 ..., N14m produces.If m=1, then simply corresponding to the connection of signal, if m=2, then signal N141, N142 are as for example being compared described in the comparing unit among Figure 13, Figure 14 for this.This relatively can synchronously or asynchronously be performed, can be bit by bit or only to important position or also bring execution with tolerance.

If then there is multiple possibility in m＞=3.

First kind of possibility is relatively all signals, and detects fault when having at least two different values, can signal described fault alternatively.

Second kind of possibility is to select k (k＞m/2) from m.This can realize by using comparing unit.If one in the signal is identified as difference, then generate fault-signal alternatively.If all three signals are all different, then may can be generated by the fault-signal different with this fault-signal.

The third possibility is these values are flowed to a kind of algorithm.This for example can be the formation of mean value, intermediate value or the application of tolerant fail algorithm (FTA).This FTA based on: leave out the extreme value of input value and the mode that remaining value is averaged.Can be to the whole set of remaining value or preferably the subclass that can form is easily carried out this averaging in HW (hardware).In this case, always do not need in fact value to be compared.In mean value constitutes, for example must an addition and be divided by, FTM, FTA or intermediate value require classification partly.Here also can under the situation of enough big extreme value, export fault-signal alternatively in case of necessity.

With a plurality of signal Processing is that these different described possibilities of a signal are called as compare operation for the sake of simplicity.Therefore, thus the task of processing logic be for each output signal and also determine the accurate form of compare operation for affiliated input signal.The combination of the information of switching logic N110 (also being above-mentioned function) and processing logic (that is to say each output signal, be the determining of compare operation of each functional value) is a pattern information, and this pattern information deterministic model.That yes in the ordinary course of things is many-valued for this information, also promptly can not only represent by a logical bit.The not all pattern that can imagine in theory all be significant in the given enforcement, preferably will limit the quantity of the pattern that is allowed.Be stressed that whole information can be condensed to only logical bit under the situation of two performance elements that only have a comparison pattern only.

Conversion from the performance mode to the comparison pattern characterizes in the ordinary course of things in the following manner, promptly shines upon according to identical output under comparison pattern at the performance element according to different output mappings under the performance mode.Preferably, this realizes in the following manner, the subsystem that promptly has performance element, in described subsystem, all input signal N14i that will consider in subsystem directly are transformed into corresponding output signal N16i under performance mode, and these input signals N14i all shine upon according to an output under comparison pattern.Replacedly, this conversion also can realize by changing pairing.This illustrates in the following manner, though promptly in given formation of the present invention, can limit the quantity of the pattern that is allowed like this, thus this is this situation, can not refer to performance mode and comparison pattern in the ordinary course of things.But can always refer to the conversion of from the performance mode to the comparison pattern (with opposite).

When work, can under by the situation of software control, between these patterns, dynamically change.At this, by carry out specific conversion instruction, specific instruction sequence, clearly sign instruction or trigger this conversion by at least one the visit in the performance element of multicomputer system to some address.

Maloperation (Fehlerschaltung) logic N130 collects for example by the fault-signal that comparing unit generated, and can switch output N16i alternatively in the following manner passively, and promptly this maloperation logic is for example via these output of switch interrupts N16i.

But following Example concentrates on the situation of two performance elements mostly, can describe the great majority design more simply by this situation.

Conversion between the pattern can be encoded by diverse ways.Can use special conversion instruction in a kind of possible method, described conversion instruction is detected by conversion hope recognition unit G40.The possible method of another that is used for conversion is encoded is to define by the visit to the specific memory district, and described visit is detected by conversion hope recognition unit G40 again.Other method is estimated the external signal of signaling conversion in conversion hope recognition unit G40.Method in the unemployed bit pattern of existing instruction pooled applications of processor is described below.The special benefits of this method is can continue to use existing development environment (assembly routine, compiler, connector, debugger).

Figure 4 illustrates a kind of multicomputer system G200, it has two performance element G210a, G210b and conversion and comparing unit G260.In order to change (otherwise with) between comparison pattern and performance mode, the bit pattern that is not defined in assembly routine of at least two performance element G210a, G210b is used.In the explanation of instruction set, be defined as all undefined or illegal bit patterns and all be appreciated that be not defined or undefined bit pattern on this meaning.This for example is illegal operand, disable instruction, illegal operation.The general sign of these undefined bit patterns is: normal performance element produces fault-signal or demonstrates the characteristic that is not defined when carrying out this bit pattern.Therefore, these bit patterns do not need to be used to indicate the semanteme of habitual program.

Therefore, can be used to software development as the development environment so far that for single processor system, exists.This for example can realize by defmacro " SWITCH MODE TO PM (translative mode is to PM) " and grand " SWITCH MODE TO VM (translative mode is to VM) ", described grand corresponding on above-mentioned meaning undefined bit pattern insert suitable position in the code.

So it is grand that the application of this combination can be defined as general " SWITCH (conversion) ".Cause depending on of the conversion of present pattern so this is grand to other respectively pattern.If in system, have different mode, then must have more this combination, so preferably can a this combination be used to carry out conversion identification at every kind of pattern in order to use this method more than two kinds.

According to the present invention, the conversion hope is by the incompatible coding of the hyte that is not defined in instruction set.Described combination does not allow to handle in common mode in performance element G210a, G210b.Owing to this reason, pipeline stages (REPLACE level) G230a, G230b that suggestion is additional, it is discerned corresponding bit pattern and handles so that continue by neutral these corresponding bit patterns of the incompatible replacement of hyte.For this reason, advantageously use " NOP " (not having operation) instruction.NOP instructs and is characterised in that, except instruction pointer, and the internal state of this NOP instruction change performance element.At this, REPLACE level G230a, G230b are inserted in the common first order (being FETCH level G220a, G220b) afterwards and before remaining pipeline stages G240a, G240b, and the bit pattern that is not defined in assembly routine here is combined in the unit.

According to the present invention, if the corresponding bit pattern that is used to change is identified, then as the conversion hope recognition unit G40 of specific pipeline stages G230a, G230b among pipelined units G215a, the G215b here shown in embodiment will produce additional signals G250a, G250b, described additional signals G250a, G250b signal independently converting unit and comparing unit G260: should carry out the conversion of tupe.

REP level G230a, G230b preferably are disposed between the pipelined units G215a of performance element G210a, G210b, FET G220a, the G220b and remaining pipeline stages G240a, G240b among the G215b.At this, REP level G230a, G230b discern corresponding bit pattern, and the NOP instruction are transmitted to remaining level G240a, G240b in this case.Simultaneously, corresponding signal G250a or G250b are activated.At all under other the situation, REP level G230a, G230b show neutral, also are about to all other instruction and pass to remaining level G240a, G240b without change.

Show a kind of method in Fig. 5 in a flowchart, described method makes specific undefined bit pattern and NOP or other neutral bit pattern exchange in specific pipeline stages G230a, G230b.In FETCH level G300, instruction (also being bit pattern) is removed from storer.After this distinguish in piece G310, whether the bit pattern of being taken out is corresponding to the specific undefined bit pattern that conversion is encoded.If situation is not so, then in next step G320, bit pattern is submitted to remaining pipeline stages G340 under unaltered situation, handle so that continue.If the specific bit pattern that conversion is encoded is identified in step G310, then by the incompatible replacement of NOP hyte, and this NOP bit pattern is submitted to other pipeline stages G340 then in step G330 in this bit pattern, handles so that continue.In favourable form of implementation, piece G310, G320, G330 represent that wherein these pieces also can comprise other function according to the function of REPLACE level G230a of the present invention, G230b.

Figure 6 illustrates a kind of multicomputer system H200, it has two performance element H210a, H210b and conversion and comparing unit H260.Assembly H220a, H220b, H240a, H240b have and G220a, G220b, meaning that G240a, G240b are identical.Here in the interchangeable embodiment by the described conversion hope of specific pipeline stages H230a, H230b recognition unit G40, described conversion hope recognition unit G40 also has other signal except signal H250a, H250b with the conversion signaled.In order to make performance element H210a, H210b synchronous when performance mode is transformed into comparison pattern, the pipelined units H215a of performance element H210a, H210b, H215b have signal input H280a, a H280b respectively, utilize this signal input H280a, H280b can stop to handle.Thereby this signal is provided with for that pipelined units H215a or the H215b that at first identifies conversion instruction and activated signal H250a or H250b by exchange and comparing unit H260.Have only two pipelined units H215a, H215b as performance element H210a, H210b to identify conversion instruction and made its internal state synchronous by software or other hardware measure, described signal H280a, H280b just are cancelled again.When being transformed into performance mode, comparison pattern do not needing H280a, H280b, because do not need synchronously.

The prerequisite of suggestion described here is such unit (being called as the ID unit) or method, and by this unit or method, each performance element can both be determined number or the unit ID that it is independent.In the system with two performance elements, for example a performance element self can be determined number 0, and another performance element can be determined number 1.In the system that has more than two performance element, number correspondingly is assigned with or determines.This ID does not distinguish between comparison pattern and performance mode, but represents a performance element uniquely.This ID unit can be contained in the corresponding performance element, for example be implemented as position or bit pattern in the processor status register, perhaps be implemented as distinctive register or single position or provide the unit of corresponding ID according to inquiry in the performance element outside.

After performance element has been carried out the conversion of performance mode according to the conversion hope, though comparing unit no longer is that effectively performance element is always also carried out identical instruction.This reason is that instruction pointer is not influenced by conversion, and described instruction pointer characterizes the position that execution work is worked or worked at present in next step in program.Can carry out different software modules subsequently for performance element, the program circuit of performance element must be separated.Therefore according to this situation, instruction pointer has different values usually in performance mode, because according to the present invention, independently instruction, program segment or program are processed.By definite corresponding performance element number realize the separating of program circuit in the described suggestion here.Have which ID according to performance element, this performance element is carried out certain software module.Because each performance element all has independent number or ID, so the program flow of the performance element that is participated in can be separated thus reliably.

Show a kind of method in Fig. 7 in a flowchart, described method shows in the multicomputer system with two performance elements and how can program flow separated by means of unit ID when comparison pattern is transformed into performance mode.After the conversion G500 that carries out from the comparison pattern to the performance mode, carry out the inquiry G510 of unit ID or performance element number by two performance elements.At this, according to the present invention, performance element 0 will obtain performance element number 0, and performance element 1 will obtain performance element number 1.In G510, carry out the comparison of determined performance element number and number 0.If these numbers are identical, then in step G520, proceed the coding of performance element 0 for its this more successful performance element.Relatively there is not the performance element of success in G530, to proceed comparison with number 1 for its this.If should be relatively more successful, then in G540, proceed the coding of performance element 1.If this is not success relatively, then therefore determine to be not equal to 0 and 1 performance element number for corresponding performance element.This is the fault situation, and proceeds G550.

The possible method that is used for three performance elements has been described in Fig. 8.After the conversion H500 that carries out from the comparison pattern to the performance mode, carry out the inquiry H510 of unit ID or performance element number by performance element.At this, according to the present invention, for example performance element 0 will obtain performance element number 0, and performance element 1 will obtain performance element number 1, and performance element 2 will obtain performance element number 2.In H510, carry out the comparison of determined performance element number and number 0.If these numbers are identical, then in step H520, proceed the coding of performance element 0 for its this more successful performance element.Relatively there is not the performance element of success in H530, to proceed comparison with number 1 for its this.In this more successful performance element, in H540, proceed the coding of performance element 1.Relatively there is not the comparing unit of success in H535, to proceed comparison with number 2 for its this.To in H536, proceed the coding of performance element 2 for the performance element that its this comparison is successful.If this is not success relatively, then therefore determined to be not equal to 0,1 and 2 performance element number for corresponding performance element.This is the fault situation, and proceeds H550.The comparison of replacement and number, determined performance element number also can directly be used as the index in the transfer table.

According to this explanation, this method also can be used to have the multicomputer system more than three performance element.

If be transformed into comparison pattern, then must be noted that multiple situation from performance mode.Is same at the internal state that must guarantee performance element when performance mode is transformed into comparison pattern after conversion, and different else if initial states causes different output, then may identify fault under comparison pattern.This can be by hardware, by software, carry out by firmware or with all threes' array configuration.Its prerequisite is that all performance elements are carried out identical or same instruction, program or program segment after being transformed into comparison pattern.Described a kind of method for synchronous in addition, handled identical instruction and the comparison that accurately puts in place, then can use described method for synchronous if comparison pattern is characterised in that.

A kind of method is shown in Fig. 9 in a flowchart, and described method makes performance element synchronous when performance mode is transformed into comparison pattern.In step G600, all interruptions preferably are under an embargo.This is not only important, because interruptable controller must correspondingly be reprogrammed for comparison pattern.The internal state that also should adapt to performance element by software.But,, then no longer may adapt under the situation of other cost not having if during preparing to be transformed into comparison pattern, interrupt being triggered.

Step G610: if two performance elements have independently high-speed cache, then also must before conversion, the content of high-speed cache be adapted, so that prevent from cache hit (Cache-hit) under comparison pattern, for the address of a performance element, to occur, and cache-miss (Cache-miss) for another performance element, occurs.If this is not to be carried out independently by cache hardware, then this for example can be by being labeled as invalid the realization with all cache line (Cacheline).Must wait for always, invalid fully up to this high-speed cache (perhaps a plurality of high-speed cache).This can be when needed by in the program code etc. to be recycled the assurance.This can realize that also conclusive is that high-speed cache is in identical state after this step by alternate manner.

At step G620, the write buffer of performance element is cleared, so that the activation of performance element does not take place after conversion, described activation still do as one likes can pattern cause.

At step G630, the state of the pipeline stages of performance element is by synchronously.For this reason, for example before conversion sequence/conversion instruction, carry out NOP (the not having operation) instruction of right quantity.The quantity of NOP instruction depends on the quantity of pipeline stages, thereby and depends on corresponding structure.Which instruction is suitable for depends on structure equally as NOP instruction.If performance element has instruction cache, should guarantee at this that then this instruction sequence is aimed at the border (Alignment) of cache line.Because it is invalid that instruction cache had been marked as before carrying out this NOP, so this NOP must at first be loaded in the high-speed cache.If this instruction sequence begins at the cache line boundary, then the data that finished before realizing the instruction that is used to change from storer (for example RAM/ROM/ flash memory) to high-speed cache transmit.This also must be considered when the quantity of necessity of determining NOP.

At step G640, be used to be transformed into actual being performed of instruction step of comparison pattern.

At step G650, the content of the relevant register file of each performance element is adapted.For this reason, the conversion before or afterwards, register can be loaded identical content.In this case importantly: thus before content of registers was compared to the outside transmission and by comparing unit, the content of the register in the performance element was identical after conversion.

At step G660, interruptable controller is reprogrammed, so that outside look-at-me triggers identical interruption in the performance element of all interconnection.

At step G670, interrupt being released once more.

If should when be transformed into from program circuit is not clear and definite the switch mode, then the conversion of being planned must be notified to the performance element that is participated in.For this reason, preferably in belonging to the interruptable controller of corresponding performance element, for example start interruption by software.So impelling, Interrupt Process carries out the above-mentioned sequence that is used to interconnect.

Figure 10 illustrates state automata, it illustrates the conversion of (with opposite) between performance and the comparison pattern.By " start (Power On) " or reset (software or hardware) when causing system start-up, system is placed in state G700 via transition G800.What generally be suitable for is that system always starts working at state G700 after can triggering the undefined incident that resets.Can to trigger the exemplary event that resets be the problem of external signal, power supply or make the no longer significant internal fault incident that works on.Therefore, conversion and comparing unit G70 and the state G700 that is operated in the multicomputer system G60 under the performance mode are the default conditions of system.Taking to take default conditions G700 under all situations of common undefined state.This default adjustment of state G700 guarantees by hardware measure at this.The state of system state or conversion and comparing unit G60 for example can be in register, in the position of register, be encoded by the bit pattern in the register or by trigger.

So guarantee by hardware, after resetting or starting shooting, always take state G700.This guarantees that in the following manner promptly for example reset signal or " start " signal are directed into the RESET input of trigger or register or are provided with on the input end.

In state G700, system works is at performance mode.Therefore, performance element G10a, G10b carry out different instruction, program or program block.For example can carry out specific conversion instruction and discern the conversion hope by performance element G10a, G10b.Other possibility is by to the visit of specific memory device address, by internal signal or also discern by external signal.Only otherwise have the conversion hope, multicomputer system G60 just rests on state G700, thereby and conversion and comparing unit G70 also rest on state G700.In addition, the identification of switch condition is called as the conversion hope, and described switch condition is as being characterized characterizing the conversion hope in this particular system.

Represent to rest on state G700 by transition G810.If the conversion hope is identified by performance element G10a, then conversion and comparing unit G70 are switched to state G710 via transition G820.Therefore state G710 represents following situation, and promptly performance element G10a has identified conversion hope and wait, till performance element G10b identifies this conversion hope equally.As long as situation is not so, conversion and comparing unit G70 just rest on state G710, and this represents with transition G830.

If performance element G10b identifies the conversion hope equally at state G710, then transition G840 takes place.Therefore, conversion and comparing unit G70 take state G730.This state representation two performance element G10a, G10b have identified the situation of conversion hope.In state G730, carry out method for synchronous, utilize described method for synchronous to make two performance element G10a, G10b synchronized with each other, so that subsequently in comparison pattern work.During this process, conversion and comparing unit G70 rest on state G730, and this represents with transition G890.

If at first identify the conversion hope, then be transformed into state G720 via transition G860 by performance element G10b at state G700.Therefore state G720 represents following situation, and promptly performance element G10b has identified conversion hope and wait, till performance element G10a identifies the conversion hope equally.As long as situation is not so, conversion and comparing unit G70 just rest on state G720, and this represents with transition G870.If performance element G10a identifies the conversion hope equally at state G720, then transition G880 takes place.Therefore, conversion and comparing unit are taked state G730.

If identify the conversion hope simultaneously at state G700 these two performance element G10a, G10b, then carry out the transition to immediately among the state G730.This situation is represented transition G850.

If conversion and comparing unit G70 are in state G730, then two performance element G10a, G10b have identified the conversion hope.At this state, the internal state of performance element G10a, G10b is by synchronously, so as after to finish this synchronizing process in comparison pattern work.Transition G900 takes place along with the end of this synchronous working.This transition shows synchronous end.At state G740, performance element G10a, G10b work under comparison pattern.The end of synchronous working can oneself be signaled by performance element G10a, G10b.This means that if two performance element G10a, G10b signal: they prepare to work, and then transition G900 takes place under comparison pattern.This end also can be notified with signal in the time of adjusting regularly.This means in conversion and comparing unit G70, how long encode regularly to stopping at state G730.This time so is adjusted, so that two performance element G10a, G10b its synchronous working that has been through with reliably.So after this time of process, transition G900 is activated.In another flexible program, its synchronous working if two performance element G10a, G10b have been through with is then changed and comparing unit G70 can monitor and oneself discerns the state of performance element G10a, G10b.So, after identification, import transition G900.

Short of conversion hope is identified, and multicomputer system G60 just rests on comparison pattern, and this represents by transition G910.If identified in state G740 conversion hope, then conversion and comparing unit are placed in state G700 via transition G920.As already described, system works under performance mode at state G700.So, when state G740 carries out the transition to state G700, program flow separately can as described in be performed in the method.

Figure 11 illustrates a kind of multicomputer system G400, it has two performance element G410a, G410b and comprises wherein two interruptable controller G420a, the G420b and different interrupt source G440a-G440n of the interrupt mask register G430a, the G430b that are comprised.Show conversion and comparing unit G450 in addition with special interrupt mask register G460.

Advantageously, each performance element G410a, G410b have its oneself interruptable controller G420a, G420b, so that can handle two interruptions simultaneously under performance mode.This is to be favourable in the system of bottleneck of system performance in Interrupt Process especially.At this, interrupt source G440a-G440n advantageously is connected to two interruptable controller G420a, G420b respectively in the same manner.This connected mode causes not having to trigger identical interruption under the situation of other measure on two performance element G410a, G410b.Under performance mode, interruptable controller G420a, G420b so are programmed, so that corresponding interrupt source G440a-G440n suitably is assigned to different performance element G410a, G410b according to using.This realizes by means of the suitable programming to interrupt mask register G430a, G430b.Mask register all is provided with a position for each interrupt source G440a-G440n in register.If this position is set up, then interrupt being under an embargo, also the performance element G410a, the G410b that are not connected of i.e. this interruption by handing to.Under performance mode, given interrupt source G440a-G440n is advantageously by just what a performance element G410a or G410b handle.This advantageously is applicable in the interrupt source some at least.Therefore, can realize, under the situation that interrupt nesting (Interrupt Process interrupts being interrupted by second) or interruption pending (second processing of interrupting is postponed, till first processing of interrupting finishes) do not taken place, a plurality of interrupt source G440a-G440n can be simultaneously processed.

Under comparison pattern, must guarantee that interruptable controller G420a, G420b trigger identical interruption simultaneously on all performance element G410a, G410b, otherwise will identify fault according to comparison pattern.This means, in synchronous phase, must guarantee that when performance mode is transformed into comparison pattern interrupt mask register G430a, G430b are identical.Thisly in Fig. 9, be described synchronously at step G660.Thisly can carry out with the following methods by software synchronously, promptly two interrupt mask register G430a, G430b correspondingly are programmed with identical value.The register G460 of suggestion application specific is so that quicken transfer process.In a kind of form of implementation, this register G460 is disposed among conversion and the comparing unit G460, but also can be contained in conversion hope recognition unit G40, combined type conversion hope recognition unit, comparing unit, converting unit G80 and all combinations.What it is contemplated that equally is that this register is disposed in another suitable position outside these three assemblies.Register G460 comprises the interrupt mask that be suitable under comparison pattern.Conversion and comparing unit G450 obtain to be used for being transformed into from performance mode the signal of comparison pattern from conversion hope recognition unit G40.May be after step G600 be under an embargo in interruption, interrupt mask register G430a, the G430b of interruptable controller G420a, G420b are reprogrammed.This is carried out by conversion and comparing unit G450 and remaining synchronizing step by hardware after obtained and interruptable controller G420a, G420b have been under an embargo in switching signal now concurrently.Advantageously, not individually interrupt mask register G430a, G430b to be carried out reprogramming under comparison pattern, and always central register G460 is carried out reprogramming.So this central register G460 synchronously is transferred on two interrupt mask register G430a, the G430b by hardware.Here all interrupt status registers that can migrate in interruptable controller in an identical manner to be arranged at the described method of interrupt mask register.Certainly, also it is contemplated that the storage medium that replaces register G460 and use other, can transfer to as far as possible apace on interrupt mask register G430a, the G430b from described storage medium.

A kind of multicomputer system G1000 of suggestion in Figure 12, it comprises two performance element G1010a, G1010b, conversion and comparing unit G1020 and the interruptable controller G1030 with three different registers group G1040a, G1040b, G1050.As shown in Figure 12, as the alternative of above-mentioned solution, advise a kind of interruptable controller G1030 of special use.This interruptable controller G1030 is used among the multicomputer system G1000, and this multicomputer system G1000 is shown as in this example has two performance element G1010a, G1010b and the conversion that can change and comparing unit G1020 between comparison pattern and performance mode.

At this, application register group G1040a, G1040b under performance mode.In this case, interruptable controller G1030 and two interruptable controller G420a, G420b work just the samely.This characteristic is shown and described in Figure 11.At this, registers group G1040a is assigned to performance element G1010a, and registers group G1040b is assigned to performance element G1010b.Interrupt source G1060a-G1060n suitably is assigned to performance element G1010a, G1010b by shielding.When performance mode is transformed into comparison pattern, conversion and comparing unit G1020 generation signal G1070.This signal is signaled interruptable controller G1030: be switched to comparison pattern or system and work under comparison pattern constantly from this.After this, interruptable controller G1030 application register group G1050.Therefore guarantee on two performance element G1010a, G1010b, to form identical look-at-me.Conversion and comparing unit G1020 signal the conversion from the comparison pattern to the performance mode to interruptable controller G1030 by signal G1070 again, along with described conversion from the comparison pattern to the performance mode is transformed into registers group G1040a, G1040b again.Therefore; also can advantageously realize protection in the following manner to corresponding registers group; promptly allow the writing of registers group G1040a, G1040b, and suppress writing for registers group G1050 that comparison pattern kept by hardware following of performance mode.Same on other direction, also can allow the writing of registers group G1050 following of comparison pattern, and inhibition writing registers group G1040a, G1040b.

Figure 13 illustrates the simple form of comparing unit M500, G20.The basic module that has among the multicomputer system G60 of at least two performance element G10a, G10b that change between performance mode and comparison pattern is comparing unit M500.In Figure 13, show this comparing unit M500 with the simplest form.Comparing component M500 can receive two input signal M510 and M511.Then, the consistance of two input signals relatively on consistent by turn meaning preferably in this comparing component M500 context shown here.Under the situation of unanimity, the value of input signal M510, M511 is given output signal M520, and fault-signal M530 is not activated, and also is that fault-signal M530 signals " good " state.If comparing component detects inconsistency, then fault-signal M530 is activated.So signal M520 can be alternatively by deactivation.This has the following advantages, and promptly must not be out of order from corresponding system (" mistake suppresses (faultcontainment) ").That is to say that other assembly that is positioned at outside the performance element can not be damaged owing to potential vicious signal.Also have such system, signal M520 needn't be by deactivation in these systems.If only require fail silent (Fail-silence) on system level, then for example situation is like this.So fault-signal can for example be drawn towards the outside.

Can imagine multiple form of implementation from this basic system.Assembly M500 at first may be implemented as so-called TSC (totally self-checking (totally self checking)) assembly.In this case, fault-signal M530 is drawn towards the outside at least two circuits (" double track "), and guarantees by the design and the fault discovery measure of inside: correctly exist under every kind of comparing component possible failure condition or can have this signal with discerning improperly.At this, the double track signal preferably so provides binary signal by two circuits, so that two circuits are reverse mutually under trouble-free situation.Preferred variant when using system of the present invention is to use this TSC comparing unit.

The second class form of implementation can be as the differentiation of getting off, and promptly which kind of synchronization extent two inputs M510, M511 (or M610, M611) must have.A kind of possible form of implementation also is that the comparison of data can be performed in a clock by pursuing characterizing synchronously of clock.

Slight variation forms in the following manner, application of synchronized delay element when promptly between input fixing phase deviation being arranged, this synchronization delay element make corresponding signal for example postpone a plurality of halves (halbzahlig) clock period or an integer clock period.This phase deviation helps avoid the general character cause trouble, and also promptly avoiding can be simultaneously or similarly influence this failure cause of a plurality of processing units.

Therefore, Figure 14 describes another form of implementation.Assembly and signal M600, M610, M611, M620, M630 have with Figure 13 in corresponding assembly and signal M500, M510, M511, M520, meaning that M530 is identical.Therefore, also inserted assembly M640 in Figure 14 except these assemblies, this assembly M640 makes in time the described phase deviation of input delay of morning.Preferably, this delay element is positioned in the comparing unit, so that only use this delay element in comparison pattern.Replacedly or replenish ground, intermediate buffer M650, M651 can be placed the input chain, so that can tolerate the clock that is not pure or this asynchronism of phase deviation equally.Preferably, this intermediate buffer is designed to FIFO (first in first out) storer.Sort memory has an input end and an output terminal, and can store a plurality of memory words.The memory word that arrives is being moved aspect its position when new memory word arrives.In last position (buffer depth) afterwards, described memory word " from storer " is moved out of.If there is the sort buffer device, then also can tolerate asynchronism until the depth capacity of impact damper.In this case, if impact damper overflows, then fault-signal also must be output.

In addition, can distinguish form of implementation according to how generating signal M520 (perhaps M620) at comparing unit.Preferred form of implementation is that input signal M510, M511 (or M610, M611) are placed on the output terminal, and makes that passing through switch can interrupt connecting.The special benefits of this form of implementation is, in order to change between performance mode and the possible different comparison patterns, can use identical switch.Replacedly, signal also can be generated by the intermediate store of comparing unit inside.

Last class form of implementation can promptly exist what inputs and comparing unit how to react at comparing unit as the differentiation of getting off.Under the situation of three inputs, can carry out majority voting, all three signals relatively or have only the comparison of two signals.Under the situation of four or more inputs, correspondingly can imagine multiple form of implementation.The detailed description of possible form of implementation is comprised in the description of Figure 20.

The accurate selection of form of implementation preferably should combine with the different mode of operation of total system.That is to say that if having a plurality of different performances or comparison pattern, then these pattern optimum selection ground combine with the corresponding pattern of comparing unit.

In places more of the present invention, deactivation comparing unit or general voting/processing/minute class component (the following comparing unit that always is called for simplicity) or to make these unit invalid be necessary or favourable.There is multiple possibility for this reason.On the one hand, signal can be guided into this comparing unit, utilize this comparing unit of this signal activation or deactivation.For this reason, should insert additional logic in comparing unit, this can be carried out by described additional logic.Another possibility is that the data delivery that will not compare is given comparing unit.The 3rd possibility is to ignore the fault-signal of comparing unit on system level.In addition, also can own outage signal.The common ground of all possibilities is, be compared potentially two or more multidata be different, this is inessential in system.In this case, and then comparing unit is considered to passive or deactivation.

In addition, investigate the embodiment of the converting unit (also promptly changing and comparing unit G70) that is connected with comparing unit.If should conversion and comparing unit be implemented in a chip with performance element G10a, G10b, then this embodiment is particularly advantageous.

When in a chip, implementing, only form very little hardware spending by combine component (being comparing unit and converting unit).Therefore, the preferred variation scheme of this embodiment is that these two parts are combined in the assembly.This is the assembly with described at least input signal (output performance element 1, output performance element 2), described at least output signal (output 1, output 2), logic output signal " total output " (physically can with output 1 or export 2 consistent) and comparing unit.This assembly has following ability, i.e. translative mode allows all signals to pass through under performance mode, and under comparison pattern more a plurality of signals and allow a signal to pass through in case of necessity.In addition, other input and output signal also is favourable: be used to signal detected fault fault-signal, be used to signal the mode signal of the present pattern of described assembly and the control signal of travelling to and fro between assembly.

In a preferred embodiment, two or more performance elements are connected to the bus of processor inside as main frame under performance mode.Comparing unit is by deactivation, perhaps the fault-signal conductively-closed that is produced down at one of the comparison pattern that can imagine under the situation of the different qualities of performance element.This means that conversion and comparing unit are transparent for software.In the comparison pattern of being investigated, physics performance element to be compared is treated as the logical execution units on the bus, the main frame on the bus also promptly only occurs.The fault-signal of comparing unit is activated.For this reason, conversion makes all performance elements except a performance element separate with the bus of processor inside by switch with comparing unit, and the input of logical execution units is doubled, and these inputs are offered the performance element that all participate in comparison pattern.When writing on bus, output is compared in comparing unit, and these data are write via the existing inlet to bus when unanimity.

The principle features of preferred assembly M700 (conversion and comparing unit are corresponding to G70) has been described in Figure 15 and Figure 16.For simplicity, only draw this figure at two performance elements.At this, Figure 15 is illustrated in the state of the assembly under the comparison pattern, and Figure 16 is illustrated in the state of the assembly under the performance mode.The different position of the switch under these patterns is realized by control device M760 by M700.If as shown in Figure 16 such switch M750 and M751 closure, then two performance element M730, M731 at first can write on data and address bus M710 under performance mode.To be possible write conflict solve by bus protocol or by other unillustrated assembly prerequisite.Under comparison pattern, this characteristic is another kind of characteristic from the angle of logic at least.As shown in Figure 15, switch M750, M751 are opened subsequently, and therefore direct visit possibility is interrupted.But different with Figure 16, switch M752, M753 closure subsequently in Figure 15.Signal M740, the M741 of performance element M730, M731 are drawn towards comparing component M720.This comparing component M720 being configured like that at least as shown in Figure 13, but also can comprise as in expansion illustrated in fig. 14.But, in Figure 15 and Figure 16, given up fault-signal or other signal of representing comparing component M720.If two signal unanimities, one of then switch M754 closure, and the signal of two unanimities is handed on the address/data bus M710 subsequently.In a word, what this was necessary is that conversion and comparing unit M700 can influence switch M750-M754.Pattern and Fault Identification are depended in the corresponding position of the switch.To this, also contain the always closed and flexible program that suitable system response produces by fault-signal of switch M754.

Figure 17 illustrates the flexible program of conversion and comparing unit.The multiple flexible program that for the single system that only has two performance element G10a, G10b, has also had the enforcement of conversion and comparing unit.Figure 17 illustrates another kind of flexible program, if can not use impact damper in comparing unit, then described another kind of flexible program is particularly advantageous.As among Figure 15, Figure 16, there be signal M840, the M841 of performance element.Described performance element is not illustrated in the figure.In assembly M800 of the present invention, there is mode logic M810, the pattern of the pre-locking assembly of this mode logic M810.Under performance mode, this mode logic Closing Switch M831, under comparison pattern, this mode logic is opened this switch M831.In addition, this mode logic gives comparing unit M820 with mode signal.This comparing unit M820 always compares in this embodiment, but utilizes result relatively and this mode signal to come gauge tap M830.Under performance mode, switch is always closed, under comparison pattern, and if there is no fault, then switch is always closed.If fault once was determined, then switch also can continue to keep being opened certainly, till the corresponding arrival that resets.

Figure 18 illustrates another form of implementation of conversion and comparing unit.Though this alternative has a plurality of switches, make comparing unit is unactivated under performance mode for this reason, and therefore also can tackle asynchronism more easily.Two signal M940, M941 having performance element again.Described performance element is not illustrated again in the figure.In assembly M900 of the present invention, there is mode logic M910, the pattern of its pre-locking assembly.Under performance mode, this mode logic Closing Switch M931, and open switch M932, M933.Therefore, under this pattern, do not give comparing component M920 supply data.This allows longer surge time or allow lower buffer depth when implementing when asynchronous.Under performance mode, switch M930 is closed all the time.Under comparison pattern, assembly M910 Closing Switch M932, M933, and interrupt direct visit to bus by opening switch M931.Alternatively, mode logic M910 can also be notified to pattern comparing unit M920.Under comparison pattern, switch M930 is closed under trouble-free situation.Under failure condition, comparing component M920 comes the forwarding of look-at-me M940 on the bus by opening switch M930.

In described accompanying drawing, do not having under the situation about spending to outside bootmode or fault-signal.In addition, especially in order to generate inner mode state, other signal can arrive assembly without doubt.

Therefore, the preferred embodiment of this assembly is characterised in that in a word: have a plurality of processing units, it can be write output signal on the bus (for example address/data bus).Importantly this assembly can be handled and (for example compare, but also may decide by vote or classify) in the output signal of performance element at least two, and this assembly can influence at least one switch, wherein utilizes described at least one switch to interrupt in the direct bus access at least one.If performance element is a computer core, then this is useful especially.In addition advantageously, the mode of operation of the state representation computing unit of the switch that can be affected.

If this assembly can place signal on the address data bus, then system performance, especially possible comparison pattern are converted particularly well.Advantageously, this signal is the connection of one of the output signal of one of performance element.Replacedly, this can be formed by the processing to the different output signals of different performance elements.

As for example becoming significantly in to Figure 17,18 description, can be in system and (according to the division of assembly) also recognition mode information in one of assembly.This pattern information is according to embodiment even can be present in the sub-component to dominance.In a kind of embodiment preferred, this signal also can be drawn from this assembly, and is provided for other parts of system.

In the ordinary course of things, can illustrate according to characteristic of the present invention by Figure 21.Signal has and meaning identical in Figure 20 with component N 100, N110, N120, N130, N140, N141, N142, N143, N14n, N160, N161, N162, N163, N16n.In addition, drawn in the figure mode signal N150 and fault-signal N170.Optionally fault-signal is generated by the maloperation logic N130 that collects fault-signal, and is gathering of the direct forwarding of single fault-signal or the failure message that wherein comprised.Mode signal N150 is optionally, but its many places that are applied in outside described assembly can be favourable.The combination of the information of switching logic N110 (also promptly at the function described in the description of Figure 20) and processing logic (also be each output signal, be the determining of compare operation of each functional value) is a pattern information, and this pattern information deterministic model.Certainly this information is many-valued in the ordinary course of things, also promptly can not only represent by a logical bit.The not all pattern that can imagine in theory all is significant in given embodiment, preferably limits the quantity of the pattern that is allowed.Mode signal is outwards relayed important pattern information.The hardware embodiment is preferably so represented, makes that externally visible mode signal can be configured.Preferably, processing logic and switching logic are same constitutes configurablely.Preferably, these configurations are coordinated with each other.Replacedly, also can be only or the variation of the signal that outwards supplies a pattern with replenishing.This especially has advantage in the binary configuration.

Preferably, this mode signal is protected.The embodiment of scale-of-two (Zweiersystem) for example is shown based on the embodiment shown in Figure 17 in Figure 19.There, signal M850 is drawn from conversion and comparing unit.In scale-of-two, this information logically can be represented by the position.So guarantee can preferably be represented by the double track signal.In the ordinary course of things equally can be by doubling to ensure signal, described doubling reversed alternatively.Replacedly, also can generate parity checking or use CRC (cyclic redundancy check (CRC)) or ECC (error correcting code), described parity checking preferably is generated in the inherently safe mode in inside.

Mode signal can be employed outside assembly.At first, described mode signal can be used to operating system is carried out from monitoring.Described mode signal is seen responsible conversion from the software angle, and should always know which kind of pattern is system be under, and also makes described system be in this pattern.Therefore, the check to this signal can be used to ensure.This at first can directly realize.But another interchangeable possibility also is to make the inquiry at operating system place reasonable via timer or the described signal of other " independently " unit by using.

Usually, described signal also can be used in other data sink of μ C (perhaps general-purpose computations unit) alternatively.For example MPU (storage protection unit) can so be programmed, and makes this MPU only allow (some performance element) some memory access under some pattern.At this, MPU is a kind of unit, and this unit only can guarantee to carry out the visit to data/address bus that is allowed in the following manner, and visit to some address space is forbidden at some program part in promptly for example described unit.By mode signal being guided into MPU, this MPU being carried out corresponding configuration and programming and evaluation configuration data and mode signal, can realize the guarantee that adds.If mode signal has been the sufficient information that is used to test, then this is sometimes even simplify programming.So, enough in μ C initialization quasistatic programming constantly.Content corresponding goes for peripheral cell.Here also there is such application, in these are used, only under some pattern, just allows visit corresponding peripheral cell.By mode signal being guided into peripheral cell, peripheral cell being carried out corresponding configuration and programming and evaluation configuration data and mode signal, can realize the guarantee that adds.If mode signal has been the sufficient information that is used to test, then this is sometimes even simplify programming.So it is enough in μ C initialization quasistatic programming constantly.Similarly, the evaluation to described signal also can be employed at the interruptable controller place.So this monitoring can constitute the basis or the element of security scheme.Also can in the application of being investigated, set up security scheme by suitable enforcement and software configurationization at whole failure classes according to this mode signal.If this mode signal is an inherently safe with aforesaid appropriate format, then this is especially favourable.In this case, send the open circuit possibility in path of fault-signal or manipulation if the assembly of being investigated detects to have under mode signal and the situation to the inconsistency between the visit of himself at it, then this is further favourable.

Another important use purpose is an evaluation model signal outside computing unit.Directly application is the evaluation in the watchdog timer that successively decreases (Watchdog).This " watchdog timer " comprises at least one (counter) register, should can be set to round values by microprocessor by (counter) register.After this register is set, should " watchdog timer " with successively decrease the independently value of register of fixed cycle.If the value of register is zero or occurs overflowing, then should " watchdog timer " produce fault-signal.If this fault-signal should not produced, then microprocessor must be in time the value of reseting register again.Therefore can (in the border) check, correctly whether microprocessor executive software.If not correct ground of microprocessor executive software is supposed that then " watchdog timer " also no longer correctly operated in this case, and is therefore produced fault-signal by " watchdog timer ".The integrality of hardware and data structure can be verified under comparison pattern reliably, but must guarantee that for this reason microprocessor is converted back to this comparison pattern termly again.Therefore, the task of " watchdog timer " as described herein is, not only when described watchdog timer no longer is reset, produce fault-signal in the defined time interval, and when microprocessor no longer is converted back to defined comparison pattern in the defined time interval, also produce fault-signal.For example have only when mode signal shows the defined comparison pattern of computing unit, " watchdog timer " just is reset.Therefore guarantee that computing unit is converted back to this pattern termly.Replacedly or replenish ground, has only when in microprocessor, triggering some interruption the value in the register of just successively decrease " watchdog timer ".For this reason, also the external interrupt signal of μ C must be coupled on the watchdog timer.Store in watchdog timer: which interrupts is transformed into defined comparison pattern with μ C." foundation " watchdog timer, in case this interruption arrives, described watchdog timer is with regard to owing to existing correct mode signal to be reset.

Fully usually, advantageously, especially when being applied to security scheme, evaluation model signal in the source of μ C outside.As described in the present invention, the main point that ensures software true(-)running on computers is the correct conversion between the different patterns that is allowed.At first should oneself check transfer capability, preferably yet check correct conversion.As mentioned above, also may be interested in the specific pattern that adopts termly.If mode signal itself is configured in the inherently safe mode, then this method is always particularly advantageous.

A kind of possibility is to guide mode signal into ASIC or another μ C.Described ASIC or another μ C can be what time following at least via timer and the check under the situation of using this signal of simple logic:

Does computing unit (for example per at the latest 1000 μ s) enough continually enter one or more defined pattern?

When being transformed into a kind of pattern, always export a certain signal?

Does computing unit come out from a kind of pattern termly?

Is the simple pattern of certain of the order of pattern effective?

Is general time pattern effective (for example at pattern 1 average＜70% and in pattern 2＜50%)?

The logic of mode signal, any one of time response combination replenish by using additional signals in case of necessity.

At this, the basic configuration of suggestion has in addition been described in Figure 22.This partner ASIC or μ C and investigated have a specific question-and-answer game of execution between the computing unit of the present invention.N300 is the computing unit that can send this mode signal.This for example can be μ C, another part that it has a plurality of performance elements and can generate this mode signal.For example described another assembly can be as being implemented among Figure 19 or Figure 21.N300 offers partner (for example other computing unit, other μ C or ASIC) N330 with this signal N310.This partner can ask a question to N300 by signal N320, and N300 must answer this problem via N321.This problem can be a calculation task, and the correct result of this calculation task should be provided in the defined time interval by N300 via N321.N330 can be independent of the correctness that N300 checks this result.For example this result is stored among the N330, and perhaps N330 can oneself calculate this result.When detecting incorrect value, identify fault.The characteristics of the question and answer communication of being advised are, investigate mode signal concurrently with replying.Preferably, can so ask a question, so that in order to reply the pattern that must adopt these to determine by N300.Therefore can check reliably, all mode switch all are (funktionsfaehig) that can move, and set mode switch also is performed in program circuit.Especially when system initialization, but also can be in when work, this can be as the element of security scheme.

The Another Application of this design is an evaluation model signal in the executive component control device.In many application in automotive field, current trends are so-called intelligent executive components.This is the executive component with minimum electronic circuit scale, and this electronic circuit scale is enough to receive executive component regulating command and so subsequently control actuating component, makes this regulating command also be performed subsequently.

Figure 23 illustrates basic design.Have computing unit N400 of the present invention and provide regulating command to (intelligence) executive component or executive component control device N430 via connecting N420.This computing unit provides mode signal via connecting N410 to this executive component concurrently.Executive component N430 checks according to this mode signal whether control device is allowed to and returns malfunction by signal N440 alternatively.Under the out of order situation of control device, executive component adopts fail silent state not crucial in system.

Claims

1. method that is used to estimate the signal of computer system with at least two performance elements, wherein, in this computer system, between at least two mode of operations, change, and first mode of operation is corresponding with comparison pattern, and second mode of operation is corresponding with performance mode, it is characterized in that, in computer system, produce the variation of mode signal and/or mode signal, this mode signal shows just residing mode of operation, and variation and/or this mode signal itself of the signal that supplies a pattern at least outside this computer system are used to estimate.

2. method according to claim 1 is characterized in that, the variation of evaluation model signal and/or mode signal in the assembly of computer system outside.

3. method according to claim 2 is characterized in that, the variation of evaluation model signal and/or mode signal in security component, especially watchdog timer.

4. method according to claim 1 is characterized in that, the variation of evaluation model signal and/or mode signal in processing unit, especially second computer system.

5. method according to claim 1 is characterized in that, the following evaluation, promptly only within mode of operation that can be scheduled according to the variation of mode signal and/or mode signal discharge can be scheduled operation.

6. method according to claim 2 is characterized in that, the following evaluation only discharges the scheduled function of energy of external module according to the variation of mode signal and/or mode signal within mode of operation that can be scheduled.

7. method according to claim 2 is characterized in that described external module monitors the conversion of comparison pattern.

8. method according to claim 2 is characterized in that, described external module is Be Controlled under mode of operation that can be scheduled only, and this variation according to mode signal and/or mode signal is monitored.

9. method according to claim 2, it is characterized in that described external module comprises information, described information explanation, by which switching signal, the especially conversion of look-at-me realization mode of operation, and this variation according to mode signal and/or mode signal is monitored.

10. method according to claim 2 is characterized in that, described external module is Be Controlled under mode of operation that can be scheduled only, and this variation according to mode signal and/or mode signal is monitored.

11. method according to claim 2, it is characterized in that described external module comprises information, described information explanation, by which switching signal, the especially conversion of look-at-me realization mode of operation, and this variation according to mode signal and/or mode signal is monitored.

12. method according to claim 1 is characterized in that, carries out Fault Identification as estimating by carrying out question and answer communication.

13. method according to claim 1 is characterized in that, carries out Fault Identification like this as estimating, and makes the variation of mode signal and/or mode signal and predetermined information are compared, and is departing from or identifying fault when consistent.

14. method according to claim 1, it is characterized in that, carry out Fault Identification like this as estimating, make the information that will constitute and predetermined information compare, and departing from or identifying fault when consistent according to the variation of mode signal and/or mode signal.

15. method according to claim 1 is characterized in that, according to the variation of mode signal and/or mode signal by monitor the conversion of mode of operation at the assembly of computer system outside.

16. method according to claim 1 is characterized in that, the variation of mode signal and/or mode signal ensures by at least one additional information.

17. method according to claim 1 is characterized in that, the variation of mode signal and/or mode signal ensures in the following manner, promptly doubles the variation of mode signal and/or mode signal at least.

18. method according to claim 1 is characterized in that, the variation of mode signal and/or mode signal ensures as the double track signal.

19. method according to claim 1 is characterized in that, the mode of operation more than two is set, and changes between described mode of operation.

20. according to claim 1 or 19 described methods, it is characterized in that, for the mode of operation sign that shows that corresponding work mode setting can be configured.

21., it is characterized in that, for the pointer variable that shows that corresponding work mode setting can be configured according to claim 1 or 19 described methods.

22. method according to claim 1 is characterized in that, carries out Fault Identification according to the variation of mode signal and/or mode signal, wherein produces at least one fault-signal in the scope of Fault Identification.

23., it is characterized in that applicating counter in described external module according to claim 2,3,4,6,7,8,9,10, one of 11 described methods.

24. one of require described method according to aforesaid right, it is characterized in that described mode signal is many-valued in this wise, make and can represent pattern more than two by mode signal.

25. equipment that is used to estimate the signal of computer system with at least two performance elements, wherein, in this computer system, between at least two mode of operations, change, and first mode of operation is corresponding with comparison pattern, and second mode of operation is corresponding with performance mode, it is characterized in that, in computer system, comprise device, described device is configured like this, make described device produce the variation of mode signal and/or mode signal, this mode signal shows just residing mode of operation, and variation and/or this mode signal itself of the signal that supplies a pattern at least outside this computer system are used to estimate.

26. equipment according to claim 25 is characterized in that, the assembly in the computing machine outside is comprised in this equipment, the variation of this appraisal of equipment mode signal and/or mode signal.

27. equipment according to claim 25 is characterized in that, external module is security component, particularly watchdog timer.

28. equipment according to claim 27 is characterized in that, described watchdog timer is the watchdog timer that successively decreases.

29. equipment according to claim 25 is characterized in that, described external module is executive component or executive component Control Component.

30. equipment according to claim 25 is characterized in that, produces mode signal like this, makes to represent pattern more than two by this mode signal.