Microcontroller system and method for safety-critical motor vehicle systems and the use thereof

[0028] in figure 1 In the description of the embodiments and the embodiments, only the components important for the understanding of the present invention are discussed.

[0029] figure 1 An embodiment of the microcontroller system according to the present invention is shown, which is implemented as a combination of a multi-core (multi-core) and a multi-chip system on a single chip or silicon substrate. The microcontroller system here includes subsystem A and subsystem B, which can be implemented as single-core or multi-core systems, respectively, and-in addition to coupling based on a common silicon substrate-are physically separated and have separate voltage sources A11 , B11 and system clock supply devices A12, B12. In order to improve functional safety, the two subsystems A and B, for example, implement a two-channel safety architecture, including redundant cores 1A, 2A, 1B, 2B, and storage buses A13-1, A13-2, B13-1, B13-2 , RAM memories A14-1, A14-2, B14-1, B14-2 and comparison units A15-1, A15-2, B15-1, B15-2. In addition, each of the subsystems A and B includes at least one troubleshooting module A9, B9, at least one non-volatile memory A18, B18, peripheral interfaces A17-1, AI7-2, B17-1, B17-2, and Peripheral bus A16-1, A16-2, B16-1, B16-2 used to connect the peripheral interfaces A17-1, AI7-2, Bl7-1, Bl7-2.

[0030] In the physical realization (placement & wiring), the subsystems A and B are designed as if they were independent circuits. Subsystems A and B are each and additionally jointly surrounded by electrical barriers A10, B10, AB10, which are formed in a particularly high-resistance manner compared to the surrounding substrate and serve as isolation against interference, such as overvoltage, Electrostatic voltage (ESD) and/or overload. The interference occurring in one of the subsystems is therefore restricted to the local area and does not extend to other subsystems or the interference of other functional components not shown on the chip 1 does not extend to subsystems A and B. Especially in the area between the subsystems A and B, instead of two separate barriers A10, B10, only one barrier can be provided. The electrical wires for communication between subsystems A and B are led out through barriers A10 and B10. In order to avoid safety restrictions, the restrictions can be generated by these wires, with buffers A24, B24 and/or ESD protection structures. . The signals used to communicate with other components on the chip 1 as sub-systems can also be guided via such on-chip drivers, as implemented for example for the chip internal interfaces A27, B27 and buffers A24, B24 described below.

[0031] According to this embodiment, three different operating modes of the microcontroller system are provided. The first operating mode realizes multi-chip operation, in which two mutually independent subsystems A and B are activated and communicate with each other through dedicated in-chip interfaces A27 and B27. In order to monitor subsystems A and B, especially in this first operating mode, each of the subsystems has a multi-chip monitoring mechanism A29, B29 ("Watchdog").

[0032] According to the second operating mode, there is a multi-core operation using non-local storage and peripheral resources. For example, A subsystem accesses another subsystem such as B's storage resources A14-1, A14-2, A18, B14-1, B14-2 , B18 and/or peripheral resources A16-1, A16-2, B16-1, B16-2. The access here is preferably implemented via the corresponding storage buses A13-1, A13-2, B13-1, B13-2 and peripheral buses A16-1, A16-2, B16-1, and B16-2 of the subsystem B. Especially for memory access alternatively, for example, a memory with double access can also be provided. The resource-providing subsystem (subsystem B according to this embodiment) must be able to execute the software itself—just no resources for application extensions—or be inactive.

[0033] Therefore, in the case of interference in one subsystem, no feedback to the other subsystem is generated. In the second operating mode, the storage expansion units A25 and B25 are used to provide subsystem A with additional storage resources of subsystem B and therefore expand subsystem B to the local memories A14-1, A14-2, and A18 of subsystem A. Part or all of the storage resources B14-1, B14-2, B18. Compared with the local memory, there is a longer access time due to the larger physical line length to the additional memory module. This state is considered in the software partition (the difference between small and large storage access latency).

[0034] In the second operating mode, the peripheral expansion units A26 and B26 are used to provide the subsystem A with additional peripheral resources of the subsystem B and thus expand the range on the peripheral interface. Due to the large physical line length to the additional peripheral module, the access time is slow compared to the locally available peripheral resources. The peripheral expansion unit A26 of the subsystem A here combines the corresponding peripheral interfaces A17-1 and A17-2 to the address area of ​​the subsystem A, so that these peripheral interfaces can operate on the software side as a local peripheral interface. The second operating mode here also includes the opposite situation, that is, subsystem B accesses the storage resources and/or peripheral resources of subsystem A.

[0035] Because subsystems A and B use independent system clock providers A12 and B12-then there are different system clock domains on subsystems A and B-then in the second operating mode, in particular, a subsystem must be used The corresponding synchronization of these signals (cross-clock domain) is implemented in the transition to another subsystem. For this purpose, synchronization units A28, B28 are provided in the communication path of the storage A25, B25 and peripheral expansion units A26, B26.

[0036] The third operating mode represents multi-core operation, in which, for example, only subsystem A is active and uses local—that is, set on the subsystem—storage and peripheral resource operation. Subsystem B is in the dormant state or deactivated according to the mode.

[0037] In addition, each sub-system A, B respectively includes an energy source or voltage source A30, B30 for monitoring its energy source or voltage source, wherein, when the deviation from the rated value is greater than one or more predetermined critical values, the corresponding sub-system is converted to safety status. Each of the subsystems A and B also includes mechanisms A31, B31 for monitoring the system clock, wherein, when the deviation from the reference value is greater than one or more predetermined critical values, the corresponding subsystem is also changed to Safe state.