EP2550598A1 - Commande à deux processeurs redondante et procédé de commande - Google Patents

Commande à deux processeurs redondante et procédé de commande

Info

Publication number
EP2550598A1
EP2550598A1 EP11711799A EP11711799A EP2550598A1 EP 2550598 A1 EP2550598 A1 EP 2550598A1 EP 11711799 A EP11711799 A EP 11711799A EP 11711799 A EP11711799 A EP 11711799A EP 2550598 A1 EP2550598 A1 EP 2550598A1
Authority
EP
European Patent Office
Prior art keywords
processor
processors
multiplexer
unit
redundant
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
EP11711799A
Other languages
German (de)
English (en)
Inventor
Adrian Traskov
Thorsten Ehrenberg
Lukusa Didier Kabulepa
Felix Wolf
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Continental Teves AG and Co OHG
Original Assignee
Continental Teves AG and Co OHG
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Continental Teves AG and Co OHG filed Critical Continental Teves AG and Co OHG
Publication of EP2550598A1 publication Critical patent/EP2550598A1/fr
Ceased legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16Error detection or correction of the data by redundancy in hardware
    • G06F11/1629Error detection by comparing the output of redundant processing systems
    • G06F11/165Error detection by comparing the output of redundant processing systems with continued operation after detection of the error
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16Error detection or correction of the data by redundancy in hardware
    • G06F11/1629Error detection by comparing the output of redundant processing systems
    • G06F11/1641Error detection by comparing the output of redundant processing systems where the comparison is not performed by the redundant processing components
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16Error detection or correction of the data by redundancy in hardware
    • G06F11/1629Error detection by comparing the output of redundant processing systems
    • G06F11/1641Error detection by comparing the output of redundant processing systems where the comparison is not performed by the redundant processing components
    • G06F11/1645Error detection by comparing the output of redundant processing systems where the comparison is not performed by the redundant processing components and the comparison itself uses redundant hardware

Definitions

  • the following invention relates to a redundant two-processor controller and a control method.
  • Known fault-tolerant system architectures include at least three processor cores with shared or shared memory.
  • the lockstep operation of the processors is always by monitoring
  • DC step operation also referred to as synchronous execution of a program or program parts by the processors.
  • Figures 7 and 8 show conventional security architectures.
  • TMR triple redundancy
  • Parity bits provided and compared. After detection of a parity error on a page without occurrence of a
  • Step error is very desirable.
  • the parity check may be incorrect
  • a redundant two-processor controller includes a first processor and a second processor for synchronously executing a control program, at least one first multiplexer for selectively connecting at least one
  • control device comprises a
  • a recovery control unit configured to monitor the execution of at least one test program by the two processors upon the occurrence of a synchronization error and to evaluate the test results, and further configured to include at least the first multiplexer
  • the processors monitored. This can be done by comparing the execution of the control program "line by line” with each other, whereby the same results must be available at the same time.
  • active processor is meant here the processor that actually drives the peripheral unit.
  • passive processor is the one that only runs synchronously, i. it receives the same data and processes the same program steps as the active processor.
  • Synchronization error (lockstep error) is basically a complete shutdown and the system can only be reset externally. It should be noted that the mere resetting of a system for
  • Lock step error (lockstep error). On the other hand, if a processor was rated as faulty, the control device is controlled by the
  • Reconfigured recovery control unit in such a way that the outputs of the faulty processor are ignored from now on and ensures that the peripheral unit can now be controlled only by the error-free processor, but not by the faulty processor. Typically, this is done by reconfiguration of the first multiplexer, so that a data flow only between
  • peripheral unit and error-free processor is possible.
  • the reconfiguration causes the
  • Control device can, however, an error signal
  • Control device with means for controlling a
  • Synchronization error can be in any
  • safety-relevant systems are used.
  • One example is brake applications in the automotive sector. It is based on only two redundant processors Control device designed so that it maintains the existing security level and allows high availability of the system.
  • Actuators input / output units and sensors.
  • any errors that have occurred are analyzed to find out where the error may have occurred or by which component it was caused. On this basis, a suitable test program is then selected, wherein the test programs and the expected test results are stored in advance, for example in the recovery control unit. If the error, i. the difference between the two
  • the recovery control unit is configured to configure the first multiplexer based on the test result.
  • the multiplexer and generally the controller, is thus configured depending on the test result. It is possible that the function of the multiplexer is taken over by a bus matrix.
  • the control device further comprises at least a second
  • Multiplexer for selectively connecting at least one
  • Recovery control unit is configurable. The control device thus also allows the optional
  • control device further comprises at least a second one
  • Comparison unit for monitoring the synchronization state of the two processors and for detecting a
  • the controller includes a first bus matrix connecting the first processor to the first multiplexer and a second bus matrix connecting the second processor to the second multiplexer.
  • the first peripheral unit is a common unit that can be selectively driven by one of the two processors.
  • the control device has at least two further peripheral units, wherein the one of the two peripheral units only the first processor and the other of the two peripheral units only the second
  • a common peripheral unit or component is here understood to mean a unit which is redundant
  • control is optionally carried out by one of the two processors, the other is used for comparison.
  • a private unit is only controlled by one of the two processors. The other one
  • the two further peripheral units are redundant units, i. they are physically identical and serve to perform the same function.
  • the first and / or the second comparison unit is set up, a synchronization error signal when a
  • Synchronization error signal may be an interrupt, for example.
  • a control method comprises the synchronous execution of a control program by a first and a second processor, which are connected via a multiplexer to at least one peripheral unit to be controlled, wherein only one of the two processors controls the peripheral unit at a certain time.
  • the synchronous execution of the control program is monitored by a comparison unit.
  • a synchronization error signal is output when the two processors are desynchronized.
  • the execution of the control program is first interrupted by the two processors. Then, a test is made to check if one of the two processors is faulty. If both processors are error free, the synchronous execution of the control program will be through the two
  • Processors continued. On the other hand, if one of the two processors has been identified as faulty, the multiplexer and the compare unit are configured such that there is no further communication with the faulty processor and no further monitoring by the compare unit and that the healthy processor drives the peripheral unit. The processing of the control program is continued by the error-free processor. If both processors are faulty, the controller is shut down.
  • the test comprises the simultaneous execution of at least one
  • the processor does not have the test program within
  • the processor has not gone into the idle state after the first time period Tl for a second period of time T2. This is to ensure that not only the correct or incorrect processing is taken into account, but also whether the processors have completed the test within a predetermined time. Hibernate scanning is used to determine if a processor is still outputting data while it is not processing any instructions. This also indicates a faulty processor.
  • the synchronization error is evaluated and an error type
  • At least one test program depending on the error type is selected for checking the processors. This can be one or more if necessary
  • FIG. 1 shows a control device according to an embodiment in normal operation
  • Control device in case of failure of a processor.
  • FIG. 3 shows a control device according to one embodiment.
  • FIG. 4 shows a control device according to one embodiment.
  • FIG. 5 shows a control device according to an embodiment.
  • FIG. 6 shows the sequence of a control program according to an embodiment.
  • FIG. 7 shows an architecture with two processors.
  • FIG 8 shows an architecture with a division of peripheral modules into two groups A and B.
  • Figure 1 shows a schematic control device with a first and a second processor 1, 2 and a first and second multiplexer 91, 92.
  • Each of the multiplexers 91, 92 forms a unit with one each
  • Comparison device which is referred to in the figures as a comparator.
  • Each of the multiplexers 91, 92 is connected to a peripheral unit 95, 96, respectively, and allows optional access of the processors 1, 2 to the peripheral units 95, 96.
  • a recovery control unit 44 is operable both with the two processors 1, 2 and
  • the processors 1, 2 may also be
  • Processor 1 communicates with and controls peripheral unit 95 and processor 2 communicates with and controls peripheral unit 2.
  • Processor 1 communicates with and controls peripheral unit 95 and processor 2 communicates with and controls peripheral unit 2.
  • Multiplexer / comparator 91 and peripheral unit 95 form a branch A
  • processor 2 multiplexer / comparator 92 and peripheral unit 96 form a branch B.
  • processor A there are crosswise communication paths on the one hand between processor 2 and multiplexer / comparator 91 and on the other hand, between processor A and multiplexer / comparator 92.
  • the comparators 91, 92 respectively compare whether the processors are in sync with each other, i. whether you
  • Comparators 91, 92 output no further error signals.
  • peripheral unit control program 95 and peripheral unit 96 the execution of the control program including peripheral unit control program 95 and peripheral unit 96, to be resumed. This increases the availability of the system.
  • the architecture shown in Figures 1 and 2 comprises a division of peripheral modules into two groups A and B.
  • Each group comprises at least one processor 1, 2, a bus switch not shown here (bus matrix, bus crossbar) and to be controlled peripheral modules 95, 96.
  • Memory modules can be implemented in one group or in both groups.
  • the page A is actually (ie physically) always driven by the processor 1 (processor A).
  • Page B is actually always from the processor 2 (processor B)
  • Data of the peripheral modules 95 may be passed across to the side B across the multiplexers 91, 92.
  • the processor 1 may similarly read out data from peripheral modules 96.
  • FIG. 3 shows an embodiment in which a peripheral unit 22, which is referred to therein as peripheral modules, is redundantly driven by two processors 1 and 2, wherein at a given time actually only one of the two processors, the unit 22 drives. This is done via a multiplexer 21.
  • Another peripheral unit 5, which may be a common internal peripheral unit, for example a memory 5, is over one Multiplexer 20 connected to the two processors 1, 2.
  • the processors 1, 2 themselves are each connected to the multiplexers 20, 21 via a bus matrix 3, 4. Also in this
  • the multiplexers 20, 21, which are in unit with respective comparison units (comparators), may be suitably configured in case of failure to keep the control available.
  • Each processor 1, 2 are assigned private components or units that are only controlled by it.
  • the private components in FIG. 4, the two peripheral units 61, 62) are
  • peripheral units can be any of the two redundant ones
  • Locking step error (lockstep error) triggers a
  • autonomous hardware monitoring module in the figures the recovery control unit 44, drop.
  • test programs can be derived from the error context. For example, the error that has occurred is classified and assigned to an error type and this
  • Control program which was interrupted due to the interrupt, want to continue again. This should be prevented and the processors 1, 2 should instead in a
  • each processor should have its own
  • Hardware Monitoring Module (Restore Control Unit 44) readable registers. The duration is measured by a timer of the autonomous hardware monitoring module.
  • Time window T2 compares the
  • Recovery control unit 44 the test results of the two processors 1, 2 with the values pre-programmed in hardware. If the test results of a processor do not match the default values, the
  • Processors 1, 2 may be suitable for recovery. in the
  • Restore control unit 44 by means of an interrupt bring a return to the lockstep operation. If only one processor has completed all tests successfully, it will drive its associated peripheral modules and all shared components.
  • FIG. 4 shows a further embodiment, which is based on that of FIG.
  • the architecture of the controller is divided into two private areas 30 and 31, referred to as areas A and B, and a common area 40 divided up.
  • the private areas contain modules or
  • the recovery control unit 44 in the form of a hardware module is used for the safe recovery of the synchronization after a lock step error or lockstep error.
  • Restore control unit 44 all accesses
  • these units are the common periphery 72 and, for example, the redundant peripheral units 61 and 63. These are connected via respective peripheral bridges 60, 71, and 62.
  • the lock step error triggers an interrupt of the program flow.
  • each processor 1, 2 can only access modules that are located in its assigned private area and do not perform any security-relevant subfunctions. Furthermore, access to non-safety-relevant components 41, 42 can be made possible in multiplex mode. Such components 41, 42 are
  • Multiplexer a controller and a comparator, and the memory 52, which is designed here as RAM.
  • the interrupt routine serves to improve the integrity of the Architecture and especially the processors to consider. At the end of the interrupt processing, the processors should
  • the interrupt routine consists of test programs, whereby each test program should deliver the correct result within a certain time interval. After a predetermined
  • the recovery control unit 44 checks the correctness of the results stored by the processors. The recovery of the lockstep operation assumes that all the results to be checked by the recovery control unit 44 are correct. Otherwise, only the processor that has correct results will remain active for the running application.
  • the module 50 is configured to both
  • Processors 1, 2 can access the program memory 51 in multiplex mode.
  • FIG. 5 shows an embodiment in extension of FIGS. 1 and 2
  • Recovery control unit 44 is similar to FIG. 4. If a processor 1, 2 does not provide correct results for the recovery of lockstep operation, the
  • Peripheral controller 91 or 92 which here form the multiplexers and comparators, configure so that the underlying peripheral modules or units 95, 96 are controlled by the other processor.
  • the architecture in FIG. 4 also has two redundant RAM modules 80, 81. If the lockstep error was caused by an error in RAM, the erroneous RAM address is stored. This address is checked in the interrupt routine. If the RAM error is uncorrectable, the
  • Restore control unit 44 does not reintegrate the affected side A or B (ie processor and RAM) into the active control. Subsequently, the
  • Restore control unit 44 to ensure that the peripheral modules, so far from the now faulty
  • FIG. 6 schematically shows the sequence of a
  • the program execution 300, 500 is interrupted by the respective processors by means of an interrupt (LOLI, Lockstep loss interrupt) and the respective state (initial content) in 321, 521 stored.
  • the interrupt simultaneously activates the
  • the recovery control unit starts a timer 400.
  • the processors then execute the tests specified by the recovery control unit in step 322, 522, forcing an interrupt-free return to 323, 523 after completion of the tests (RFI, Return from
  • the recovery control unit checks whether the tests have been executed within the time period T1 (325, 525) and whether the processors have entered the idle state (401). After a predetermined period of time T2, the recovery control unit checks in 402, 326, 526 whether the processors are still idle.
  • Test results are error-free, that the respective processor until the expiration of the period Tl in the idle state
  • FIG. 7 shows a conventional architecture with two processors 1 and 2, the processor 2 serving for monitoring by the processor 1. The entire control of
  • Peripheral modules and all memory accesses are via the processor 1. This architecture is unsuitable for mastering lockstep failures resulting from the loss of synchronization.
  • FIG 8 shows a conventional architecture with a division of peripheral modules into two groups A and B.
  • Each group comprises at least one processor 1,2, a bus switch (bus matrix, bus crossbar) 3,4 and I / O modules 6,7.
  • Memory modules 5 can be implemented in a group or in both groups and via a
  • the invention is not on the present

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Hardware Redundancy (AREA)

Abstract

L'invention concerne un équipement de commande à deux processeurs redondant. L'équipement de commande comprend un premier processeur (1) et un second processeur (2) pour la réalisation synchrone d'un programme de commande ; au moins un premier multiplexeur (70, 91) pour relier comme on le souhaite au moins une première unité périphérique (72, 95) à commander avec l'un des deux processeurs (1, 2) ; au moins une première unité de comparaison (70, 91) pour le contrôle de l'état de synchronisation des deux processeurs (1, 2) et pour le dépistage d'un défaut de synchronisation, dès lors que les deux processeurs (1, 2) sont désynchronisés ; et une unité de contrôle de restauration (44) qui sert à contrôler la réalisation d'au moins un programme d'essai par les deux processeurs (1, 2) après l'apparition d'un défaut de synchronisation et à évaluer les résultats de l'essai, et qui sert à configurer au moins le premier multiplexeur (70, 91).
EP11711799A 2010-03-23 2011-03-18 Commande à deux processeurs redondante et procédé de commande Ceased EP2550598A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102010003161 2010-03-23
PCT/EP2011/054143 WO2011117155A1 (fr) 2010-03-23 2011-03-18 Commande à deux processeurs redondante et procédé de commande

Publications (1)

Publication Number Publication Date
EP2550598A1 true EP2550598A1 (fr) 2013-01-30

Family

ID=44064800

Family Applications (1)

Application Number Title Priority Date Filing Date
EP11711799A Ceased EP2550598A1 (fr) 2010-03-23 2011-03-18 Commande à deux processeurs redondante et procédé de commande

Country Status (3)

Country Link
US (1) US8959392B2 (fr)
EP (1) EP2550598A1 (fr)
WO (1) WO2011117155A1 (fr)

Families Citing this family (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
AT515454A3 (de) * 2013-03-14 2018-07-15 Fts Computertechnik Gmbh Verfahren zur Behandlung von Fehlern in einem zentralen Steuergerät sowie Steuergerät
DE102013214013A1 (de) 2013-07-17 2015-01-22 Continental Teves Ag & Co. Ohg Verfahren zur Erhöhung der Verfügbarkeit eines Mikroprozessorsystems
JP6312550B2 (ja) 2014-08-01 2018-04-18 ルネサスエレクトロニクス株式会社 半導体装置
JP6360387B2 (ja) 2014-08-19 2018-07-18 ルネサスエレクトロニクス株式会社 プロセッサシステム、エンジン制御システム及び制御方法
US9734006B2 (en) 2015-09-18 2017-08-15 Nxp Usa, Inc. System and method for error detection in a critical system
JP6083480B1 (ja) * 2016-02-18 2017-02-22 日本電気株式会社 監視装置、フォールトトレラントシステムおよび方法
CN106094629B (zh) * 2016-06-28 2019-06-21 北京安控科技股份有限公司 一种二取一架构的功能安全控制器
JP6394727B1 (ja) * 2017-03-22 2018-09-26 日本電気株式会社 制御装置、制御方法、及び、フォールトトレラント装置
US10474619B2 (en) 2017-05-19 2019-11-12 General Electric Company Methods for managing communications involving a lockstep processing system
US10628274B2 (en) * 2017-12-05 2020-04-21 Qualcomm Incorporated Self-test during idle cycles for shader core of GPU
US11094392B2 (en) 2018-10-15 2021-08-17 Texas Instruments Incorporated Testing of fault detection circuit
CA3157095A1 (fr) 2019-12-09 2021-06-17 Alon Green Procede et systeme de supervision de trafic de bus can a integrite elevee dans une application critique de securite
US20220209550A1 (en) * 2020-12-30 2022-06-30 Loon Llc Redundant power distribution and monitoring for LTA vehicles
DE102021206379A1 (de) 2021-06-22 2022-12-22 Continental Autonomous Mobility Germany GmbH Steuereinrichtung sowie Assistenzsystem für ein Fahrzeug
EP4134875A1 (fr) 2021-08-10 2023-02-15 Continental Autonomous Mobility Germany GmbH Procédé et appareil pour couverture de diagnostic pour accélérateurs matériels d'ia
EP4134874A1 (fr) 2021-08-10 2023-02-15 Continental Autonomous Mobility Germany GmbH Appareil et procédé de couverture de diagnostic d'un accélérateur de réseau de neurones artificiels

Family Cites Families (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US3444528A (en) 1966-11-17 1969-05-13 Martin Marietta Corp Redundant computer systems
US3864670A (en) 1970-09-30 1975-02-04 Yokogawa Electric Works Ltd Dual computer system with signal exchange system
EP0496506B1 (fr) 1991-01-25 2000-09-20 Hitachi, Ltd. Système d'ordinateur tolérant aux fautes incorporant des unités de traitement avec au moins trois processeurs
US5249188A (en) 1991-08-26 1993-09-28 Ag Communication Systems Corporation Synchronizing two processors as an integral part of fault detection
US5812757A (en) * 1993-10-08 1998-09-22 Mitsubishi Denki Kabushiki Kaisha Processing board, a computer, and a fault recovery method for the computer
FR2721122B1 (fr) * 1994-06-14 1996-07-12 Commissariat Energie Atomique Unité de calcul à pluralité de calculateurs redondants.
US5915082A (en) 1996-06-07 1999-06-22 Lockheed Martin Corporation Error detection and fault isolation for lockstep processor systems
SE511114C2 (sv) * 1997-12-10 1999-08-09 Ericsson Telefon Ab L M Metod vid processor, samt processor anpassad att verka enligt metoden
US6148348A (en) * 1998-06-15 2000-11-14 Sun Microsystems, Inc. Bridge interfacing two processing sets operating in a lockstep mode and having a posted write buffer storing write operations upon detection of a lockstep error
US7085959B2 (en) * 2002-07-03 2006-08-01 Hewlett-Packard Development Company, L.P. Method and apparatus for recovery from loss of lock step
JP2004046599A (ja) 2002-07-12 2004-02-12 Nec Corp フォルトトレラントコンピュータ装置、その再同期化方法及び再同期化プログラム
JP4155088B2 (ja) * 2003-04-18 2008-09-24 日本電気株式会社 情報処理装置
US20050240806A1 (en) * 2004-03-30 2005-10-27 Hewlett-Packard Development Company, L.P. Diagnostic memory dump method in a redundant processor
US7366948B2 (en) 2004-10-25 2008-04-29 Hewlett-Packard Development Company, L.P. System and method for maintaining in a multi-processor system a spare processor that is in lockstep for use in recovering from loss of lockstep for another processor
JP4411602B2 (ja) * 2004-12-16 2010-02-10 日本電気株式会社 フォールトトレラント・コンピュータシステム
US7496786B2 (en) * 2006-01-10 2009-02-24 Stratus Technologies Bermuda Ltd. Systems and methods for maintaining lock step operation
DE102009000045A1 (de) 2009-01-07 2010-07-08 Robert Bosch Gmbh Verfahren und Vorrichtung zum Betreiben eines Steuergerätes
JP2011123545A (ja) * 2009-12-08 2011-06-23 Toshiba Corp 比較冗長型情報処理装置

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO2011117155A1 *

Also Published As

Publication number Publication date
US20130007513A1 (en) 2013-01-03
US8959392B2 (en) 2015-02-17
WO2011117155A1 (fr) 2011-09-29

Similar Documents

Publication Publication Date Title
EP2550599B1 (fr) Système d'ordinateur de commande, procédé de commande d'un système d'ordinateur de commande, et utilisation d'un système d'ordinateur de commande
EP2550598A1 (fr) Commande à deux processeurs redondante et procédé de commande
EP0238841B1 (fr) Multiprocesseur de commande protégé contre les erreurs et à grande disponibilité, dans un système de commutation, et méthode pour l'exploitation de configuration de la mémoire de cette commande centrale
EP0236803B1 (fr) Méthode pour l'exploitation d'une unité de commande centrale à multiprocesseurs à protection contre les erreurs et à haute disponibilité pour un système de commutation
DE102011086530A1 (de) Mikroprozessorsystem mit fehlertoleranter Architektur
DE102016107015A1 (de) Architektur für eine skalierbare Störungstoleranz in Systemen mit integrierter Ruhigstellung bei Ausfall und Funktionsfähigkeit bei Ausfall
EP2466466A1 (fr) Procédé de détection d'erreurs lors de l'équipement d'un système de fonctionnement en temps réel
EP1149295B1 (fr) Dispositif de commande pour commander des applications cruciales pour la securite
EP2513796A1 (fr) Procédé permettant de faire fonctionner une unité de calcul
WO2018134023A1 (fr) Architecture redondante de processeur
DE102008004205A1 (de) Schaltungsanordnung und Verfahren zur Fehlerbehandlung in Echtzeitsystemen
EP3475824A1 (fr) Procédé et dispositif de traitement de données redondant
DE19847986C2 (de) Einzelprozessorsystem
DE4113959A1 (de) Ueberwachungseinrichtung
DE10302456A1 (de) Vorrichtung für sicherheitskritische Anwendungen und sichere Elektronik-Architektur
DE102010041437B4 (de) Überprüfung von Funktionen eines Steuersystems mit Komponenten
EP1359485B1 (fr) Système de commande et surveillance
EP2228723B1 (fr) Procédé de gestion des erreurs d'un système de calcul
DE10312553B3 (de) Kraftfahrzeug
DE102013021231A1 (de) Verfahren zum Betrieb eines Assistenzsystems eines Fahrzeugs und Fahrzeugsteuergerät
DE102011007467A1 (de) Mehrkernige integrierte Mikroprozessorschaltung mit Prüfeinrichtung, Prüfverfahren und Verwendung
DE102004033263B4 (de) Steuer-und Regeleinheit
EP3557356A1 (fr) Procédé et système d'automatisation permettant le fonctionnement automatique sûr d'une machine ou d'un véhicule
DE102004051991A1 (de) Verfahren, Betriebssystem und Rechengerät zum Abarbeiten eines Computerprogramms
EP1924914B1 (fr) Systeme de traitement de donnees et procede pour l'exploiter

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20121023

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

DAX Request for extension of the european patent (deleted)
17Q First examination report despatched

Effective date: 20150528

REG Reference to a national code

Ref country code: DE

Ref legal event code: R003

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN REFUSED

18R Application refused

Effective date: 20161123