MICROCONTROLLER SYSTEM AND METHOD FOR SAFETY-CRITICAL MOTOR VEHICLE SYSTEMS AND THE USE THEREOF

20170217443 · 2017-08-03

Abstract

A microcontroller system for safety-critical motor vehicle systems is provided. The microcontroller system includes a plurality of subsystems arranged on a common chip. At least one of the subsystems has more than one channel, and the system is designed to carry out a plurality of operating modes. In a first operating mode, the subsystems are operated independently of each other and communicate with each other via an on-chip interface. In a second operating mode, at least one of the subsystems is operated by data transmission means using non-local resources of at least one further subsystem, and/or at least one of the subsystems is operating while at least one further subsystem is inactive. A method for operating such a microcontroller system and the use thereof are also provided.

Claims

1. A microcontroller system for safety-critical motor vehicle systems, the microcontroller system comprising a plurality of subsystems arranged on a common chip, at least one subsystem of the plurality of subsystems is of a multi-channel design, the microcontroller system is configured to carry out a plurality of operating modes, in a first operating mode the subsystems are operated independently of one another and communicate with one another by a chip-internal interface, and in a second operating mode at least one of the subsystems is operated by data transmission means additionally using non-local resources of at least one of the further subsystems and/or at least one of the subsystems is operational and at least a further one of the subsystems is inactive.

2. The microcontroller system of claim 1, wherein the subsystems have separate voltage supplies and/or system clock supplies which are respectively assigned thereto.

3. The microcontroller system of claim 1, wherein the additionally used non-local resources are memory resources and/or peripheral resources of the at least one further subsystem, wherein these resources are integrated into an address region of the at least one subsystem which additionally uses the non-local resources.

4. The microcontroller system of claim 1, wherein the subsystems are isolated from one another by electrical barriers.

5. The microcontroller system of claim 1, wherein the subsystems have different system clock domains, wherein during communication with the non-local resources, one subsystem is synchronized with another using synchronization units.

6. A method for operating a microcontroller system for safety-critical motor vehicle systems, wherein the microcontroller system has a plurality of subsystems which are arranged on a common chip, and at least one of the subsystems is operated in a multi-channel fashion, the subsystems are operated independently of one another in a first operating mode, and communicate with one another by a chip-internal interface, and in a second operating mode at least one of the subsystems is operated additionally using non-local resources of at least one of the further subsystems, and/or at least one of the subsystems is operational and at least a further one of the subsystems is inactive.

7. The method of claim 6, wherein the subsystems are operated by separate voltage supplies and/or system clock supplies which are respectively assigned thereto.

8. The method of claim 6, wherein in order to additionally use the non-local resources of one of the further subsystems, the non-local resources are integrated into an address region of the at least one of the subsystems which additionally uses the non-local resources.

9. The method of claim 6, wherein different access times to the non-local resources of at least one of the further subsystems are taken into account in software partitioning.

10. A method of using a microcontroller system in a safety-critical motor vehicle brake system, wherein the microcontroller system comprises a plurality of subsystems arranged on a common chip, at least one subsystem of the plurality of subsystems is of a multi-channel design, the microcontroller system configured to carry out a plurality of operating modes, in a first operating mode the subsystems are operated independently of one another and communicate with one another by a chip-internal interface, and in a second operating mode at least one of the subsystems is operated by data transmission means additionally using non-local resources of at least one of the further subsystems and/or at least one of the subsystems is operational and at least a further one of the subsystems is inactive.

Description

DESCRIPTION OF DRAWINGS

[0026] FIG. 1 shows an exemplary microcontroller system.

[0027] In FIG. 1 and the associated description, only those components are detailed which are essential to understanding the disclosure.

[0028] Like reference symbols in the various drawings indicate like elements.

DETAILED DESCRIPTION

[0029] FIG. 1 shows an exemplary microcontroller system according to the disclosure, implemented as a combination of a multi-core system and a multi-chip system on a single chip or silicon substrate. The chip includes a subsystem A and a subsystem B, each of which can be implemented as a single-core or multi-core system. Apart from the coupling through the common silicon substrate, the two subsystems are physically separated and have separate voltage supplies A11, B11 and system clock supplies A12, B12. To improve functional safety, the two subsystems A and B implement, for example, two-channel safety architectures with redundant cores 1A, 2A and 1B, 2B, memory buses A13-1, A13-2, B13-1, B13-2, RAM memories A14-1, A14-2, B14-1, B14-2 and comparator units A15-1, A15-2, B15-1, B15-2. Furthermore, each of the subsystems A and B includes at least one debug module A9, B9, at least one non-volatile memory A18, B18, peripheral interfaces A17-1, A17-2, B17-1, B17-2 and peripheral buses A16-1, A16-2, B16-1, B16-2 for connecting the peripheral interfaces.

[0030] In the physical implementation (placement and routing), the subsystems A and B are designed as if they were stand-alone circuits. In addition, the subsystems A and B are each surrounded by an electrical barrier A10, B10, and jointly by a further barrier AB10; these barriers are, in particular, of high impedance compared with the surrounding substrate and serve as means of isolation against disruption such as, for example, overvoltage, electrostatic discharge (ESD) and/or overloading. A disruption occurring in one of the subsystems is therefore confined locally and cannot propagate to the other subsystem; likewise, a disruption in other functional assemblies (not illustrated) on the chip 1 cannot propagate into the subsystems A, B. In some examples, a single barrier can be provided in the region between the subsystems A and B instead of the two separate barriers A10, B10. Electrical leads which implement the communication between the subsystems A, B are routed across the barriers A10, B10; in order to avoid the safety restrictions that such leads could otherwise introduce, buffers A24, B24 and/or ESD protective structures are provided on them. Signals by which the subsystems communicate with other components on the chip 1 can likewise be routed via such chip-internal drivers, as is done, for example, for the chip-internal interface A27, B27 and the buffers A24, B24 described further below.

[0031] In some implementations, three different operating modes of the microcontroller system are provided (claim 1 folds the third of these into its second operating mode, as the case in which one subsystem is operational and a further one is inactive). The first operating mode implements multi-chip operation: the two mutually independent subsystems A and B are both active and communicate with one another via the dedicated chip-internal interface A27, B27. In order to monitor the subsystems A and B, in particular in this first operating mode, each of the subsystems has a multi-chip monitoring device A29, B29 ("watchdog").

[0032] The second operating mode is a multi-core operation using non-local memory resources and peripheral resources: a subsystem, e.g., A, uses not only its local memory resources A14-1, A14-2, A18 but also the memory resources B14-1, B14-2, B18 and/or the peripheral resources B17-1, B17-2 of the other subsystem, e.g., B. In some examples, the access takes place via the memory buses A13-1, A13-2, B13-1, B13-2 and the peripheral buses A16-1, A16-2, B16-1, B16-2 of the two subsystems. For memory accesses, dual-port memories can alternatively be provided, for example. The subsystem whose resources are made available (subsystem B in this example) can then either continue to execute its own software, without using the shared resources, or be inactive.

[0033] A disruption in one subsystem therefore has no effect on the other. The memory-expansion units A25 and B25 serve, in the second operating mode, to make additional memory resources of the subsystem B available to the subsystem A, and thus to expand the local memories A14-1, A14-2, A18 of the subsystem A by part or all of the memory resources B14-1, B14-2, B18 of the subsystem B. Owing to the relatively long physical lead length to these additional memory modules, their access time is slower than that of the local memories. This is taken into account in the software partitioning (distinction between small and large memory access latency). Note that the isolation provided by the barriers is electrical; in the second operating mode a subsystem that uses non-local resources additionally depends on those resources of the other subsystem remaining available, so the independence argument of the first operating mode does not carry over to it unchanged.

[0034] The peripheral expansion units A26 and B26 serve, in the second operating mode, to make additional peripheral resources of the subsystem B available to the subsystem A, and thus to expand the set of peripheral interfaces. Owing to the relatively long physical lead length to these additional peripheral modules, their access time is slower than that of locally available peripheral resources. The peripheral expansion unit A26 of the subsystem A integrates the peripheral interfaces B17-1, B17-2 of the subsystem B into the address region of the subsystem A, so that, in terms of software, they can be operated like local peripheral interfaces. The second operating mode also includes the inverse case, in which the subsystem B accesses memory resources and/or peripheral resources of the subsystem A.
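As an added illustration of paragraphs [0032] to [0034], not code from the patent, the following C model shows how an access gate in the expansion path could enforce the current operating mode and report the differing access latencies that the software partitioning has to budget for. The mode numbering follows the description; the address map, the latency figures and the names check_access and sequence_fits are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Operating modes as numbered in the description. All addresses and latency
 * figures below are assumptions made for this example, not from the patent. */
typedef enum { MODE_MULTI_CHIP = 1,   /* both subsystems independent            */
               MODE_MULTI_CORE = 2,   /* one subsystem uses the other's resources */
               MODE_SINGLE     = 3 }  /* one subsystem active, local resources only */
        op_mode_t;

typedef enum { SUB_A = 0, SUB_B = 1 } subsystem_t;
typedef enum { RES_RAM, RES_NVM, RES_PERIPH } res_kind_t;

typedef struct {
    uint32_t    base, size;
    subsystem_t owner;
    res_kind_t  kind;
    uint32_t    latency;   /* access cycles; longer on the expansion paths */
} region_t;

/* Assumed address map as seen from subsystem A. Subsystem B's RAM, flash and
 * peripherals appear in A's address region through the expansion units A25
 * (memory) and A26 (peripherals) and carry the longer lead latency. */
static const region_t map[] = {
    { 0x10000000u, 0x00010000u, SUB_A, RES_RAM,    1 }, /* A14-1, A14-2          */
    { 0x20000000u, 0x00100000u, SUB_A, RES_NVM,    2 }, /* A18                   */
    { 0x40000000u, 0x00010000u, SUB_A, RES_PERIPH, 2 }, /* A17-x via A16-x       */
    { 0x50000000u, 0x00010000u, SUB_B, RES_RAM,    6 }, /* B14-1, B14-2 via A25  */
    { 0x60000000u, 0x00100000u, SUB_B, RES_NVM,    8 }, /* B18 via A25           */
    { 0x70000000u, 0x00010000u, SUB_B, RES_PERIPH, 7 }, /* B17-x via A26         */
};

typedef struct {
    op_mode_t mode;
    bool      running[2];   /* are the cores of A / B executing software? */
} chip_state_t;

typedef enum { ACC_OK, ACC_UNMAPPED, ACC_REQUESTER_IDLE, ACC_MODE_FORBIDS } access_t;

static const region_t *lookup(uint32_t addr)
{
    for (size_t i = 0; i < sizeof map / sizeof map[0]; i++)
        if (addr >= map[i].base && addr - map[i].base < map[i].size)
            return &map[i];
    return NULL;
}

/* Decide whether subsystem 'req' may access 'addr' in the current mode and
 * report the latency the software partitioning must budget for.
 * Mode 1: the subsystems are independent, so a non-local address is refused
 *         (their only coupling is the chip-internal interface, not modeled).
 * Mode 2: non-local resources are mapped in through the expansion units; the
 *         owning subsystem may be running (without using them) or inactive.
 * Mode 3: only the active subsystem's local resources are reachable. */
access_t check_access(const chip_state_t *st, subsystem_t req, uint32_t addr,
                      uint32_t *latency)
{
    const region_t *r = lookup(addr);
    if (r == NULL)          return ACC_UNMAPPED;
    if (!st->running[req])  return ACC_REQUESTER_IDLE;
    if (r->owner != req && st->mode != MODE_MULTI_CORE)
        return ACC_MODE_FORBIDS;
    if (latency) *latency = r->latency;
    return ACC_OK;
}

/* Software partitioning check: sum the access latencies of a planned access
 * sequence and compare with the task's cycle budget. Fails if any access is
 * refused or the remote-path latency exceeds the budget. */
bool sequence_fits(const chip_state_t *st, subsystem_t req,
                   const uint32_t *addrs, size_t n, uint32_t budget,
                   uint32_t *used)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t lat;
        if (check_access(st, req, addrs[i], &lat) != ACC_OK) return false;
        total += lat;
    }
    if (used) *used = total;
    return total <= budget;
}

int main(void)
{
    chip_state_t st = { MODE_MULTI_CORE, { true, false } }; /* A runs, B at rest */
    uint32_t lat = 0;
    access_t r = check_access(&st, SUB_A, 0x50000000u, &lat);
    printf("A -> B RAM in mode %d: %s, %u cycles\n", (int)st.mode,
           r == ACC_OK ? "OK" : "refused", lat);
    return 0;
}
```

The gate is deliberately mode-driven rather than owner-driven: the same address that is legal in the second operating mode is refused in the first and third, which is what keeps the independence claim of the first mode checkable in software. The latency returned alongside the decision is what the partitioning step in claim 9 consumes.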

[0035] Since the subsystems A, B use independent system clock supplies A12, B12, and different system clock domains are therefore present in the subsystems A and B, the signals must be synchronized accordingly, in particular in the second operating mode, at the transition from one subsystem to the other ("clock domain crossing"). For this purpose, synchronization units A28, B28 are provided in the communication paths of the memory-expansion units A25, B25 and of the peripheral expansion units A26, B26.
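The need for the synchronization units A28, B28 can be made concrete with a cycle-level simulation of a toggle handshake between two clock domains, added here as an example that is not part of the patent. Metastability itself cannot be shown in a C model; what the simulation shows is why the receiver must capture the data word only after the request has passed through the synchronizer stages, and why the sender must hold the word until the synchronized acknowledge returns. The clock periods, the lead delays (with deliberately exaggerated per-bit skew) and the function name simulate are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Two clock domains, in picoseconds. All figures are assumptions. */
#define PERIOD_A    8000u   /* sender domain, e.g. subsystem A clocked by A12   */
#define PERIOD_B    5500u   /* receiver domain, e.g. subsystem B clocked by B12 */
#define PHASE_B     3000u   /* time of the first B edge                         */
#define REQ_DELAY    200u   /* lead delay of the request and acknowledge lines  */
#define DATA_DELAY(bit) (400u + 1000u * (unsigned)(bit)) /* exaggerated lane skew */
#define WRITE_TIME  8000u   /* A edge at which the word and request are launched */
#define OLD_WORD    0x00u
#define NEW_WORD    0xA5u

/* What the receiver sees on the data lanes at absolute time t: each bit flips
 * only once its own lead delay has elapsed since the write. */
static uint8_t data_on_wire(uint32_t t)
{
    uint8_t v = 0;
    for (int b = 0; b < 8; b++) {
        bool arrived = t >= WRITE_TIME + DATA_DELAY(b);
        uint8_t bit = (uint8_t)(((arrived ? NEW_WORD : OLD_WORD) >> b) & 1u);
        v |= (uint8_t)(bit << b);
    }
    return v;
}
static bool req_on_wire(uint32_t t) { return t >= WRITE_TIME + REQ_DELAY; }

typedef struct {
    uint8_t  word;        /* data word captured by the receiver            */
    uint32_t capture_t;   /* B edge at which it was captured               */
    uint32_t ack_seen_t;  /* A edge at which the sender saw the synced ack */
} xfer_t;

/* Transfer one word with a toggle handshake. The receiver runs the request
 * through 'stages' flops before acting on it; the sender runs the acknowledge
 * through two flops. Flops update on their own clock edge from the values
 * present just before that edge. */
xfer_t simulate(int stages)
{
    xfer_t r = { 0, 0, 0 };
    if (stages < 1) stages = 1;
    if (stages > 4) stages = 4;
    bool req_ff[4] = { false, false, false, false }; /* B-domain synchronizer */
    bool req_prev = false;                            /* last synced request   */
    bool ack_s1 = false, ack_s2 = false;              /* A-domain synchronizer */
    uint32_t ack_toggle_t = 0;                        /* when B toggled ack    */

    for (uint32_t t = 0; t <= 100000u && r.ack_seen_t == 0; t += 100) {
        if (t >= PHASE_B && (t - PHASE_B) % PERIOD_B == 0) {     /* B edge */
            bool req_sync = req_ff[stages - 1];
            if (req_sync != req_prev) {      /* request toggled: capture, ack */
                r.word = data_on_wire(t);
                r.capture_t = t;
                ack_toggle_t = t;
            }
            req_prev = req_sync;
            for (int i = stages - 1; i > 0; i--) req_ff[i] = req_ff[i - 1];
            req_ff[0] = req_on_wire(t);
        }
        if (t > 0 && t % PERIOD_A == 0) {                        /* A edge */
            if (t > WRITE_TIME && ack_s2)  /* synced ack now matches request */
                r.ack_seen_t = t;
            ack_s2 = ack_s1;
            ack_s1 = ack_toggle_t != 0 && t >= ack_toggle_t + REQ_DELAY;
        }
    }
    return r;
}

int main(void)
{
    for (int s = 1; s <= 2; s++) {
        xfer_t x = simulate(s);
        printf("%d-stage sync: captured 0x%02X at %u ps, sender saw ack at %u ps\n",
               s, x.word, x.capture_t, x.ack_seen_t);
    }
    return 0;
}
```

With the assumed skew (the slowest lane settles 7400 ps after the write, more than one receiver period), a single synchronizer flop lets the receiver capture a torn word (0x25 instead of 0xA5), while two flops guarantee at least two receiver periods between request arrival and capture and the word comes across intact. The price is latency: the sender learns of completion one A-domain period later in the two-stage case, which is the same effect the description attributes to the longer access time through the expansion units.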

[0036] The third operating mode represents a multi-core operation in which, for example, only the subsystem A is active and uses only local memory resources and peripheral resources, that is to say resources arranged within the subsystem A. In this mode the subsystem B is at rest or deactivated.

[0037] Furthermore, each subsystem A, B includes a device A30, B30 for monitoring its energy supply or voltage supply; if the supply deviates from a setpoint value by more than one or more predefined limiting values, the respective subsystem is changed to a safe state. Each of the subsystems A and B additionally includes a device A31, B31 for monitoring the system clock; if the clock deviates from a reference value by more than one or more predefined limiting values, the respective subsystem is likewise changed to a safe state.
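The supervision described in [0037] can be modeled in software as follows; this is an added example, not code from the patent. It assumes that a limiting value is applied as a band around the setpoint with separate lower and upper margins, that a trip requires several consecutive out-of-band samples so that a single noisy reading does not force the safe state, and that the safe state is latched until reset with the first cause retained; the names limit_monitor_t, monitor_sample and supervise and all numeric values are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One monitor as in A30/A31: a setpoint or reference value, a permitted
 * deviation band (asymmetric: undervoltage is usually tighter than
 * overvoltage), and a debounce count. Values are assumptions. */
typedef struct {
    int32_t setpoint;     /* nominal value, e.g. 3300 mV or 100000 kHz        */
    int32_t lo_limit;     /* permitted deviation below the setpoint            */
    int32_t hi_limit;     /* permitted deviation above the setpoint            */
    uint8_t trip_after;   /* consecutive out-of-band samples needed to trip   */
    uint8_t bad_count;    /* current run of out-of-band samples               */
} limit_monitor_t;

typedef enum { SUB_RUN, SUB_SAFE_STATE } sub_state_t;
typedef enum { FAULT_NONE = 0, FAULT_SUPPLY = 1, FAULT_CLOCK = 2 } fault_t;

typedef struct {
    limit_monitor_t supply;   /* device A30 / B30 */
    limit_monitor_t clock;    /* device A31 / B31 */
    sub_state_t     state;
    fault_t         fault;    /* first cause, latched with the safe state */
} subsystem_t;

/* Feed one measurement; returns true when the monitor trips. The run count
 * resets on any in-band sample, so a trip needs trip_after consecutive
 * outliers, not trip_after outliers in total. */
bool monitor_sample(limit_monitor_t *m, int32_t value)
{
    int32_t dev = value - m->setpoint;
    bool bad = dev < -m->lo_limit || dev > m->hi_limit;
    if (!bad) { m->bad_count = 0; return false; }
    if (m->bad_count < 0xFF) m->bad_count++;
    return m->bad_count >= m->trip_after;
}

/* Enter the safe state: one-way until reset, first cause preserved. */
static void enter_safe_state(subsystem_t *s, fault_t cause)
{
    if (s->state != SUB_SAFE_STATE) { s->state = SUB_SAFE_STATE; s->fault = cause; }
}

/* One supervision tick of a single subsystem with fresh measurements from
 * its own supply and clock monitors; returns the state after the tick. The
 * other subsystem has its own instance and is not touched here. */
sub_state_t supervise(subsystem_t *s, int32_t supply_mv, int32_t clock_khz)
{
    if (s->state == SUB_SAFE_STATE) return s->state;   /* latched */
    if (monitor_sample(&s->supply, supply_mv)) enter_safe_state(s, FAULT_SUPPLY);
    if (monitor_sample(&s->clock, clock_khz))  enter_safe_state(s, FAULT_CLOCK);
    return s->state;
}

/* Assumed configuration: 3.3 V supply with -200/+300 mV band, three strikes;
 * 100 MHz clock with +/-2 MHz band, two strikes. */
subsystem_t make_subsystem(void)
{
    subsystem_t s = {
        .supply = { .setpoint = 3300,   .lo_limit = 200,  .hi_limit = 300,  .trip_after = 3, .bad_count = 0 },
        .clock  = { .setpoint = 100000, .lo_limit = 2000, .hi_limit = 2000, .trip_after = 2, .bad_count = 0 },
        .state = SUB_RUN, .fault = FAULT_NONE,
    };
    return s;
}

int main(void)
{
    subsystem_t a = make_subsystem();
    /* Constructed sample sequence: a dip, recovery, then three strikes. */
    const int32_t supply_mv[] = { 3300, 3050, 3300, 3050, 3650, 2900, 3300 };
    for (size_t i = 0; i < sizeof supply_mv / sizeof supply_mv[0]; i++) {
        sub_state_t st = supervise(&a, supply_mv[i], 100000);
        printf("supply %4d mV -> %s\n", (int)supply_mv[i],
               st == SUB_RUN ? "run" : "SAFE STATE");
    }
    return 0;
}
```

Two choices matter for a safety monitor of this kind: the debounce must be short enough that a genuine brown-out still reaches the safe state within the fault-tolerant time interval, and the latch must not be clearable by the supervised software itself, otherwise a subsystem running on a faulty supply could talk itself back into operation.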

[0038] A number of implementations have been described. Nevertheless, it will be understood that various modifications may be made without departing from the spirit and scope of the disclosure. Accordingly, other implementations are within the scope of the following claims.