EP1915691A1 - Dispositif et procede pour commander un systeme informatique - Google Patents

Dispositif et procede pour commander un systeme informatique

Info

Publication number
EP1915691A1
EP1915691A1 EP06792539A EP06792539A EP1915691A1 EP 1915691 A1 EP1915691 A1 EP 1915691A1 EP 06792539 A EP06792539 A EP 06792539A EP 06792539 A EP06792539 A EP 06792539A EP 1915691 A1 EP1915691 A1 EP 1915691A1
Authority
EP
European Patent Office
Prior art keywords
computer system
functional units
error
faulty
functional
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
EP06792539A
Other languages
German (de)
English (en)
Inventor
Reinhard Weiberle
Bernd Mueller
Eberhard Boehl
Yorck Collani
Rainer Gmehlich
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Robert Bosch GmbH
Original Assignee
Robert Bosch GmbH
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Robert Bosch GmbH filed Critical Robert Bosch GmbH
Publication of EP1915691A1 publication Critical patent/EP1915691A1/fr
Ceased legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/006Identification
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16Error detection or correction of the data by redundancy in hardware
    • G06F11/18Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16Error detection or correction of the data by redundancy in hardware
    • G06F11/20Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16Error detection or correction of the data by redundancy in hardware
    • G06F11/1629Error detection by comparing the output of redundant processing systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2201/00Indexing scheme relating to error detection, to error correction, and to monitoring
    • G06F2201/845Systems in which the redundancy can be transformed in increased performance

Definitions

  • ECC error correcting code
  • check bits are also stored with this. The check bits are such that, if only one bit (or a known maximum number of bits) is corrupted, the error is caused by a
  • Error in execution units is not a realistic, cost-effective concept for tolerating permanent errors known.
  • a first object of the invention to improve the yield in the manufacturing process of .mu.C or of the semiconductor components, in particular by enabling use even for components with defective functional units.
  • a second object of the invention is to increase the availability of components in operation. For this purpose, means are to be made available which make it possible to identify faulty execution units (eg cores, ALUs, processors) in a component, and the "graceful degradation" or run-flat operation of a system using this component. enable.
  • a semiconductor circuit for example a ⁇ C, which contains at least two identical or similar functional units.
  • potential faulty functional units are identified by means of a test program.
  • a switching and comparison function for example in a switching and comparison unit, which compares the output signals of a functional unit with the output signals of at least one further functional unit and / or with further reference values. It is stored in a memory element, which functional units are faulty.
  • These functional units are used, e.g. deactivated by the switching and comparison unit or via an interrupt device. The device, while containing faulty functional units, is still usable and functional.
  • a method for controlling a computer system having at least two identical or similar functional units is described, wherein an activation and / or deactivation of functional units is performed.
  • a method is described, characterized in that an activation and / or deactivation of functional units takes place as a function of the results of at least a first method step for detecting an error in the computer system and / or at least a second method step for identifying a defective functional unit.
  • a method is described, characterized in that the computer system contains at least two identical or similar functional units and that is switched between at least two operating modes of the at least two identical or similar functional units of the computer system and a first operating mode a comparison mode and a second operating mode a performance mode speaks.
  • a method is described, characterized in that errors in the output signals of the functional units to be compared are detected in the comparison mode and the comparison mode corresponds to a first method step for detecting an error in the computer system
  • a method is described, characterized in that selected functional units of the computer system are switched to an operating mode in which an identification of faulty functional units by comparing the output signals of these functional units with reference values is possible and this
  • Operating mode corresponds to a second method step for identifying a faulty functional unit in the computer system
  • a method is described, characterized in that the reference values are stored in a memory device of the computer system and are read out from the memory device when switching to the operating mode for error identification.
  • a method is described, characterized in that a switchover tion between at least two operating modes during operation of the computer system cyclically or on request.
  • a method is described, characterized in that the switching between at least two operating modes for the purpose of detecting errors and / or the identification of faulty functional units is carried out.
  • a method is described, wherein a configuration status and / or error status is formed for at least the functional units of the computer system identified as faulty.
  • a method is described, characterized in that a deactivation of a functional unit takes place in that information about the configuration status or the error status of this functional unit are stored in a memory device such that they can be read during the initialization and / or operation of the semiconductor system and the stored information is processed in such a way that it is not possible to use the units designated as deactivated in operation.
  • a method is described, characterized in that a configuration status and / or an error status is formed for all activatable and / or deactivatable functional units of the computer system.
  • a method is described, characterized in that information about the configuration status and / or the error status of the activatable and / or deactivatable functional units are stored in a memory device.
  • a method is described, characterized in that the computer system contains at least two identical or similar functional units and that at least one of the same or similar functional units in the computer system is deactivated by default.
  • a method is described, characterized in that at least one information about the configuration status of the deactivated functional unit is stored in a memory device.
  • a method is described, characterized in that during or after the identification of a faulty functional unit, a reconfiguration of the computer system takes place in that at least the functional unit identified as faulty is deactivated.
  • a method is described, characterized in that in the case of deactivation of a functional unit due to an error information about the configuration status and / or an error status of this functional unit is written in a memory device.
  • a method is described, characterized in that during or after the identification of a faulty functional unit, a reconfiguration of the computer system takes place, whereby the functional unit identified as faulty is deactivated and a standard deactivated but not faulty functional unit is activated.
  • the first method step for the detection of an error corresponds to the intended operation of the at least two identical or similar functional units of the computer system in one
  • a method is described, characterized in that the second method step for identifying a faulty unit corresponds to the execution of an error detection routine on at least one functional unit and a comparison of the results of the error detection routine with reference values.
  • a method is described, characterized in that before or to the implementation of the method step for identifying a faulty unit ne ne reconfiguration of the computer system is performed, which allows the execution of different functions, commands, program segments or programs on the same or similar functional units ,
  • a method is described, characterized in that during or after the identification of a faulty functional unit, a reconfiguration of the computer system takes place, whereby at least the functional unit identified as faulty is deactivated.
  • a method is described, characterized in that in case of deactivation of a functional unit due to an error, a configuration status and an error status of this functional unit are written to a memory device.
  • a method is described, characterized in that at least part of the functions, commands, program segments or programs that are intended for processing in a first operating mode before reconfiguration of the computer system are executed after a reconfiguration of the computer system in a second operating mode ,
  • the first operating mode corresponds to a comparison mode and the second operating mode corresponds to a performance mode or an error mode with only one active functional unit.
  • a method is described, characterized in that the deactivation of functional units takes place irreversibly by interrupting electrical connections to or between functional units of the computer system.
  • a method is described, characterized in that an interruption of electrical connections in the computer system is achieved by electrical action on at least a part of the connections.
  • a method is described, characterized in that an activation and / or deactivation of functional units takes place during operation of the computer system and using devices which are part of the computer system or which are permanently connected to the computer system.
  • a device for controlling a computer system with at least two identical or similar functional units is described, characterized in that means are provided which enable activation and / or deactivation of functional units of the computer system depending on predefinable conditions.
  • a device is included, characterized in that means are provided to enable error detection in the computer system and / or identification of faulty functional units.
  • a device wherein the device contains switching means which enables a switchover between at least two operating modes of the at least two identical or similar functional units of the computer system and a first operating mode corresponds to a comparison mode and a second operating mode corresponds to a performance mode.
  • a device is included, characterized in that the device
  • a device is advantageously included, characterized in that the device comprises comparison means for comparing output signals of functional units with output signals of at least one further functional unit or with reference values and generating error information in the event of a discrepancy.
  • a device is included, characterized in that the device comprises memory means in which reference values for the output signals of functional units are stored and further comprises means for supplying reference values from the memory device to a comparison device.
  • a device is included, characterized in that means are provided to form a configuration status and / or an error status for all activatable and / or deactivatable functional units of the computer system.
  • a device is advantageously included, characterized in that the device contains means for storing data in which at least information about the configuration status or the error status of the activatable and / or deactivatable functional units is stored.
  • a device wherein the means for storing data are non-volatile storage means.
  • a device is advantageously included, characterized in that means are present which read out the configuration statuses and / or error statuses of the functional units stored in a memory device during initialization and / or operation of the computer system and activate them depending on the data read and an error signal from the comparison device and / or deactivation of functional units.
  • a device is included, wherein means are provided which can perform a deactivation of functional units irreversibly.
  • a device is included, that means are present, which interrupts at least one electrical connection to this or in these functional units for the irreversible deactivation of functional units.
  • a device in which means are provided which can bring about an interruption of electrical connections to or in functional units by electrical action on at least a part of these connections.
  • a device is advantageously included, characterized in that the means for error detection, for activation and / or deactivation of functional units are part of the computer system or are permanently connected to the computer system.
  • Figure 1 describes a general switching component with a switching logic and processing logic
  • FIG. 2 describes the connection of the switching component with a memory element
  • FIG. 3 describes a basic process for increasing the yield using a storage element
  • FIG. 4 describes a principle method for increasing availability, graceful degradation and emergency operation.
  • FIG. 5 describes the connection of the switching component with an influencing component
  • FIG. 6 describes a principle method for increasing the yield using an influencing component
  • FIG. 7 describes the structure of a possible memory element
  • An execution unit may in the following designate both a processor / core / CPU and an FPU (floating point unit), a DSP (digital signal processor), a coprocessor or an ALU (arithmetic logical unit).
  • FPU floating point unit
  • DSP digital signal processor
  • ALU arithmetic logical unit
  • FIG. 1 a general case of the switching and comparison unit is first shown, also for the use of more than two execution units.
  • n signals N 140,..., N14n go to the switching and comparison component N100. This can generate up to n output signals N160, ..., N16n from these input signals.
  • the "pure performance” In the opposite limit case, the "pure comparison mode", all the signals N140,..., N14n are only routed to exactly one of the output signals N16i.
  • switching logic N10 the logical component of a switching logic N10 is included in N100. It is first task of the switching logic to determine which inputs are switched to no output, i. which inputs are ignored, have no consequences or are inactive. This function of the switching logic is often referred to below as the first function of the switching logic. Furthermore, switching logic NI 10 determines how many output signals there are and which of the input signals contribute to which of the output signals. An input signal can contribute at most to exactly one output signal. This function of the switching logic is often referred to below as the second function of the switching logic.
  • a function is defined which assigns to each element of the set ⁇ N140, ..., N14n ⁇ an element of the set ⁇ N160, ..., N16n ⁇ .
  • a function is more generally defined by the switching logic which assigns to each element of a fixed subset of ⁇ N140, ..., N14n ⁇ (the unlocked signals) an element of the set ⁇ N160, ..., N16n assigns ⁇ .
  • the processing logic N 120 determines to each of the outputs N16i how the inputs contribute to that output signal.
  • execution units run in lockstep mode (ie same instructions at the same clock rate).
  • a first possibility is to compare all signals and to detect an error in the presence of at least two different values, which can be optionally signaled.
  • a second possibility is to make a k out of m selection (k> m / 2). This can be realized by using comparators.
  • an error signal can be generated if one of the signals is detected as deviating.
  • a possibly different error signal can be generated if all three
  • a third option is to apply these values to an algorithm.
  • This can be, for example, the formation of an average value, a median value, or the use of a fault-tolerant algorithm (FTA).
  • FTA fault-tolerant algorithm
  • Such an FTA is based on eliminating extreme values of the input values and performing a kind of averaging over the remaining values. This averaging can be done over the entire set of residual values, or preferably over a subset that is easy to form in HW. In this case, it is not always necessary to actually compare the values. For example, averaging only adds and divides, FTM, FTA, or median require partial sorting. If necessary, an error signal can optionally also be output at sufficiently large extreme values.
  • comparison operations For the sake of brevity.
  • the task of the processing logic is thus to determine the exact shape of the comparison operation for each output signal - and thus also for the associated input signals. This is referred to below as the second function of the processing logic.
  • the possible identification of faulty execution units, which is usually possible as a result of this, is referred to below as the first function of the processing logic.
  • the combination of the information of the switching logic NI10 (ie the above-mentioned function) and the processing logic (ie the determination of the comparison operation per output signal, ie per function value) is the mode information and this sets the mode.
  • this information is multivalued, ie not representable only via a logical bit. Not all the theoretically conceivable modes are useful in a given implementation, it is preferable to restrict the number of modes allowed. It should be emphasized that in the case of only two execution units, where there is only one compare mode, all the information can be condensed to only one logical bit.
  • Switching from a performance mode to a comparison mode is characterized in the general case by the fact that execution units that are displayed in the performance mode on different outputs are mapped in the compare mode to the same output. This is preferably realized in that there is a subsystem of execution units in which in the performance mode, all input signals N14i to be considered in the subsystem are switched directly to corresponding output signals N16i, while in comparison mode they are all switched to on
  • the processing logic N120 makes it possible to compare signals of different execution units. By a suitable comparison one can identify faulty execution units. This is possible if you use a sufficiently bug-covering test program. Optionally, you can also use external means of identification with.
  • fault tolerance can increase the yield, as well as faulty components can be used as long as the number of still correctly working execution units is large enough. This depends on the application.
  • switching and comparison unit One possible logical form of the switching and comparison unit is described above. While it is advantageous for the application of the invention described herein, it is not necessary that the component exist as such and that the named sub-components switching and processing logic exist.
  • a preferred option is to have all execution units execute the same program in parallel. Preferably, but not necessarily, this can be realized by operating the execution units in a lockstep mode or else with a fixed clock or phase offset.
  • a majority decision can be used to identify a potentially present defective component.
  • the results of this program can additionally be compared with the previously known results by an external unit (watchdog, other ⁇ C, test device, ASIC) during a production, initialization or band test.
  • an external unit watchdog, other ⁇ C, test device, ASIC
  • This is particularly advantageous if there are only two execution units, since in this case a third information for identifying the faulty execution unit is necessary when a difference occurs between the two execution units.
  • such a comparison can also be implemented in such a way that it is performed only in pairs or on subsets, until a clear identification of potentially erroneous execution units is possible.
  • the processing logic must thus identify the faulty components as a result of this first function.
  • the test program must be designed in such a way that an error is most likely to have an effect.
  • an error model eg, stuck-at model
  • a portion of the application code may be run, or a complete command test.
  • this may correspond to a test program today, which is based on the is limited. But you can also link this with a common today band test and test only those components with this program, which have already failed by the first band end test.
  • This last procedure has the particular advantage that only components are subjected to an additional process step, which otherwise belong to the committee. Each component gained through this last "rescue step" directly increases the yield of the manufacturing process.
  • a non-volatile storage element is preferably used. This then stores which execution units are inactive.
  • FIG. 2 shows the function of this memory element.
  • N520, N54i, N56i of the switching and comparing unit N500 in Fig. 2 have the same functions as the elements N10, N120, N14i, N16i of the switching and comparing unit N100 in Fig. 1.
  • a memory element N530 is shown.
  • the processing logic N520 sends the information about the execution units identified as faulty to the memory element N530. On this can the switching logic
  • N510 and perform the first function of the switching logic so that the elements marked as inactive by N530 actually become inactive.
  • the memory element can be located inside the switching and comparison unit, but it can also be outside, even outside the component.
  • an external element is conceivable because then a more extensive test using the periphery may possibly be used.
  • a first step N600 identification step
  • an identification of erroneous execution units takes place.
  • the identification uses the first function of the processing logic N520 and thus the test program.
  • the second step N610 storage step
  • the error information is stored.
  • the corresponding Information is given by the processing logic N520 to the memory element N530.
  • the switching logic N510 uses the information from N530 and uses the first function of the switching logic to configure the outputs of the execution units according to the required activity and passivity. It should be emphasized that although this can optionally be done by SW, in a preferred application the configuration is not exercised by SW control here.
  • test expires not only at the end of the tape but during operation (for example, in an initialization phase or even during normal operation), it is possible that faults which do not arise during operation but during operation are detected.
  • the second function of the switching logic to link the active execution units together in operation
  • the second function of the processing logic to make a comparison for the signals connected to an output
  • error-free execution units are marked as inactive, it is possible to exchange a unit identified as faulty for a faultless but inactive unit when an error occurs during operation.
  • information is preferably stored in the memory element N530 as to whether the execution unit is only inactive or whether it is also faulty.
  • FIG. 7 shows a possible structure of a memory element 0100 (corresponds to FIG.
  • N530 It contains a first memory area Ol 10, in which there are, preferably in accordance with the number of execution units, memory locations O120, ..., O12n. Each memory location is preferably realized via at least one bit. The number or address of the memory location O12i is indicated by the number or identification of an uniquely linked. For example, a bit in 0120 that is set to 0 indicates that the associated execution unit is active. If set to 1, the associated execution unit should be inactive. This information can be fault tolerant or linked to other information in the memory locations O120, ..., O12n, the basic information content, based on this application remains the same.
  • a second memory area 0140 in which there are memory locations 0130,..., O13n, preferably corresponding to the number of execution units.
  • Each memory location is preferably realized via at least one bit. The number or
  • Address of the memory location O13i is uniquely linked to the number or identification of an execution unit. For example, a bit in 0130 that is set to 0 indicates that the associated execution unit is healthy. If it is set to 1, it means that the associated execution unit is faulty. This information may be error tolerant or associated with additional information in the memory locations
  • this memory area can not be described or only under special circumstances or in a special way, so that it is ensured that an execution unit once marked as defective is not erroneously marked as error-free.
  • Another way to use the invention is to enable graceful degradation and limp home modes.
  • step N700 error detection
  • error detection can be done, for example, by using a test program.
  • the system is in a compare mode, such as can be set via the second functions of the processing logic and circuitry, there is one
  • the application software acts as a test program. This is particularly advantageous for two reasons: on the one hand, you do not need a dedicated test program, on the other hand, all errors of the execution units that have any effect are discovered in this way.
  • step N705 it is checked whether a faulty execution unit can already be identified by the existing configuration of switching and processing logic. If so, steps N710 (Fault Detection Configuration) and N720 (Identification Step) are already completed, and it goes directly to Step N730. This is the case, for example, when the error occurs in a subsystem in which the signals from 3 execution units are compared. If not (in step N705)
  • a configuration must be selected in step N710 that allows error identification.
  • the easiest way to do this is, for example, by combining the "suspected candidates" (ie all execution units involved in the subsystem that generated an error) with a sufficient number of other execution units together through the switching logic N510 to an output signal.
  • the SW part which has disclosed the error is reused as the test program, but a dedicated test program can also be used
  • the first function of the processing logic then makes it possible to execute step N720 and to identify the erroneous execution unit Alternatively, however, another method of identification may be chosen: for example, one of the suspected candidates is accepted and coupled with another error-free execution unit.
  • a fundamentally different possibility of using the idea of this invention is to dispense with the memory element and to use other means for deactivating potentially defective execution units in such a way that they are reliably and irreversibly deactivated. This can be done by influencing (for example separation or connection) of lines in the component.
  • FIG. 5 shows the function of this influencing component.
  • the elements N810, N820, N84i, N86i of the switching and comparing unit N800 in Fig. 5 have the same functions as the elements N10, N120, N14i, N16i of the switching and comparing unit N100 in Fig. 1.
  • an influencing component is N830 shown.
  • the processing logic N820 sends the information about the execution units identified as faulty to the influencing component N830. This has means, as enumerated above, to influence lines or functional groups in the component so that execution units are deactivated.
  • N830 may be a component within the device, controller, or system, but N830 may also be a machine in the manufacturing process or a human operator of such a machine. It is also possible that this component is used in maintenance. Optionally, the corresponding information can still be given to the switching logic so that it performs the first function in such a way that the elements marked as inactive by N830 actually become inactive.
  • a first step N900 identification step an identification of faulty execution units takes place.
  • Identification uses the first function of the processing logic N820 and thus the test program.
  • the error information is given by the processing logic N820 to the influencing component N830.
  • the influencing component N830 uses this information in order to use the means at its disposal to influence the lines or functional groups in the component in such a way that the faulty components are inactive.
  • the switching logic N810 uses the information and uses the first function of the switching logic to configure the outputs of the execution units according to the required activity and passivity.
  • an influencing component can also be used in operation. All the advantages that apply when using a memory element are also applicable here, since the effect on the system is the same. But then it is advantageous if the influencing component is present as HW component in the system.
  • the advantageous methods and devices can also be applied to further components of a semiconductor circuit, such as e.g. Analog / digital converters, timer modules, intrinsic controllers, communication controllers or control units are used.
  • a semiconductor circuit such as e.g. Analog / digital converters, timer modules, intrinsic controllers, communication controllers or control units are used.
  • the invention described herein is used with ECC protection for other memory elements.
  • ECC protection for other memory elements.
  • a highly available component is created in which both memory and execution units are made fault-tolerant and thus make it possible to maximize both the yield and to ensure optimal availability during operation.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Hardware Redundancy (AREA)
  • Control By Computers (AREA)
  • Multi Processors (AREA)
  • Debugging And Monitoring (AREA)

Abstract

La présente invention concerne un dispositif et un procédé pour commander un système informatique, comprenant au moins deux unités fonctionnelles identiques ou analogues, une activation et/ou désactivation d'unités fonctionnelles ayant lieu indépendamment de conditions pouvant être prédéterminées.
EP06792539A 2005-08-08 2006-07-21 Dispositif et procede pour commander un systeme informatique Ceased EP1915691A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102005037262A DE102005037262A1 (de) 2005-08-08 2005-08-08 Vorrichtung und Verfahren zur Steuerung eines Rechnersystems
PCT/EP2006/064490 WO2007017359A1 (fr) 2005-08-08 2006-07-21 Dispositif et procede pour commander un systeme informatique

Publications (1)

Publication Number Publication Date
EP1915691A1 true EP1915691A1 (fr) 2008-04-30

Family

ID=37478820

Family Applications (1)

Application Number Title Priority Date Filing Date
EP06792539A Ceased EP1915691A1 (fr) 2005-08-08 2006-07-21 Dispositif et procede pour commander un systeme informatique

Country Status (7)

Country Link
EP (1) EP1915691A1 (fr)
JP (1) JP2009506406A (fr)
KR (1) KR20080032167A (fr)
CN (1) CN101238449A (fr)
DE (1) DE102005037262A1 (fr)
TW (1) TW200732907A (fr)
WO (1) WO2007017359A1 (fr)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102017204691B3 (de) * 2017-03-21 2018-06-28 Audi Ag Steuervorrichtung zum redundanten Ausführen einer Betriebsfunktion sowie Kraftfahrzeug

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US3783250A (en) * 1972-02-25 1974-01-01 Nasa Adaptive voting computer system
US4342083A (en) * 1980-02-05 1982-07-27 The Bendix Corporation Communication system for a multiple-computer system
US4327437A (en) * 1980-07-30 1982-04-27 Nasa Reconfiguring redundancy management

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO2007017359A1 *

Also Published As

Publication number Publication date
CN101238449A (zh) 2008-08-06
DE102005037262A1 (de) 2007-02-15
KR20080032167A (ko) 2008-04-14
JP2009506406A (ja) 2009-02-12
WO2007017359A1 (fr) 2007-02-15
TW200732907A (en) 2007-09-01

Similar Documents

Publication Publication Date Title
EP2550599B1 (fr) Système d'ordinateur de commande, procédé de commande d'un système d'ordinateur de commande, et utilisation d'un système d'ordinateur de commande
EP2641176B1 (fr) Système ä microprocesseurs a architecture tolérante aux fautes
EP1917592B1 (fr) Systeme informatique comprenant au moins deux unites d'execution et une unite de comparaison et son procede de commande
DE102007045398A1 (de) Integriertes Mikroprozessorsystem für sicherheitskritische Regelungen
EP2550598A1 (fr) Commande à deux processeurs redondante et procédé de commande
DE19509150C2 (de) Verfahren zum Steuern und Regeln von Fahrzeug-Bremsanlagen sowie Fahrzeug-Bremsanlage
DE102013001627A1 (de) System und Verfahren zur Berechnung mittels Signaturanalyse
EP3428748B1 (fr) Procédé pour augmenter la fiabilité de deux systèmes redondants en détectant le système entaché d'un défaut
EP1358554B1 (fr) Mise en marche automatique d'un systeme a configuration en grappe apres une erreur reparable
DE102008024193A1 (de) System mit konfigurierbaren Funktionseinheiten und Verfahren
DE102005037213A1 (de) Verfahren und Vorrichtung zur Umschaltung zwischen Betriebsmodi eines Multiprozessorsystems durch wenigstens ein externes Signal
EP1807760B1 (fr) Systeme de traitement de donnees a frequence d'horloge variable
WO2007017399A1 (fr) Dispositif et procede pour configurer un circuit a semi-conducteur
EP2228723B1 (fr) Procédé de gestion des erreurs d'un système de calcul
WO2010049339A1 (fr) Dispositif et procédé pour générer des codes machine redondants mais différents à partir d’un code source de vérification pour un système essentiel pour la sécurité
EP1359485B1 (fr) Système de commande et surveillance
DE102008004206A1 (de) Anordnung und Verfahren zur Fehlererkennung und -behandlung in einem Steuergerät in einem Kraftfahrzeug
DE10302456A1 (de) Vorrichtung für sicherheitskritische Anwendungen und sichere Elektronik-Architektur
EP1915691A1 (fr) Dispositif et procede pour commander un systeme informatique
DE102011007467A1 (de) Mehrkernige integrierte Mikroprozessorschaltung mit Prüfeinrichtung, Prüfverfahren und Verwendung
DE102004051991A1 (de) Verfahren, Betriebssystem und Rechengerät zum Abarbeiten eines Computerprogramms
DE102016205109A1 (de) Mikroprozessor, insbesondere für ein Kraftfahrzeug
WO2007017372A1 (fr) Procede et dispositif pour piloter un systeme de calcul comprenant au moins deux unites d'execution
WO2022263416A1 (fr) Système de commande pour au moins un dispositif de réception dans des applications critiques en termes de sécurité
DE102021204460A1 (de) Verfahren und Hardwarevorrichtung für diverse Redundanz aus nicht diversem Software-Quellcode

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20080310

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU LV MC NL PL PT RO SE SI SK TR

17Q First examination report despatched

Effective date: 20080826

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN REFUSED

18R Application refused

Effective date: 20090821