METHOD AND DEVICE FOR CHECKING CALCULATION RESULTS IN A SYSTEM HAVING MULTIPLE PROCESSING UNITS

20170091053 · 2017-03-30

    Abstract

    A method for checking calculation results in a system including multiple processing units including receiving a data frame from one of the processing units, the data frame includes an application identification and a number of comparison values of the processing unit, the comparison values of the processing unit are sorted into a buffer memory on the basis of the application identification, it is checked whether the buffer memory under the application identification contains the comparison values of all processing units, and if the comparison values are completely present, the comparison values are compared.

    Claims

    1. A method for checking calculation results in a system having multiple processing units, the method comprising: receiving a data frame from one of the processing units, the data frame including an application identification and a number of comparison values of the processing unit; sorting the comparison values of the processing unit into a buffer memory on the basis of the application identification; checking whether the buffer memory under the application identification contains the comparison values of all processing units; and when the comparison values are completely present, comparing the comparison values.

    2. The method as recited in claim 1, wherein the data frame further includes a type specification, and the method further comprises: prior to the comparison, checking based on the type specification whether the comparison values represent hash values or a content; when the comparison values represent the content, checking after the comparison whether the content of all processing units coincides; and when the content coincides, transmitting the content.

    3. The method as recited in claim 2, wherein the data frame further includes an alive counter and a checksum of the comparison values, and the method further comprises: comparing the alive counter and the checksum to the content.

    4. The method as recited in claim 1, further comprising: when the comparison values are present only incompletely, checking a time overrun; and when the time overrun occurs, detecting an error.

    5. The method as recited in claim 1, further comprising: when the comparison values of the processing unit deviate from coinciding comparison values of a second processing unit and a third processing unit among the processing units, discarding the comparison values of the processing unit.

    6. The method as recited in claim 1, wherein an error counter is associated with the application identification, and the method further comprises: when the comparison values deviate, incrementing the error counter; when the comparison values coincide, decrementing the error counter; and when the error counter reaches a configurable threshold, triggering a configurable error reaction.

    7. The method as recited in claim 6, wherein in the case of a cyclic self-test, the error counter associated with a dummy application identification is incremented by deviating comparison register contents and decremented by coinciding comparison register contents.

    8. A non-transitory machine-readable storage medium on which is stored a computer program for checking calculation results in a system having multiple processing units, the computer program, when executed by a processor, causing the processor to perform: receiving a data frame from one of the processing units, the data frame including an application identification and a number of comparison values of the processing unit; sorting the comparison values of the processing unit into a buffer memory on the basis of the application identification; checking whether the buffer memory under the application identification contains the comparison values of all processing units; and when the comparison values are completely present, comparing the comparison values.

    9. A device for checking calculation results in a system having multiple processing units, the device designed to: receive a data frame from one of the processing units, the data frame including an application identification and a number of comparison values of the processing unit; sort the comparison values of the processing unit into a buffer memory on the basis of the application identification; check whether the buffer memory under the application identification contains the comparison values of all processing units; and when the comparison values are completely present, compare the comparison values.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0013] Exemplary embodiments of the present invention are shown in the figures and are explained in greater detail below.

    [0014] FIG. 1 shows a software sequence according to the invention in the comparator.

    [0015] FIG. 2 shows the data sorting of the comparator.

    [0016] FIG. 3 shows a typical data frame.

    [0017] FIG. 4 shows a system architecture including triple modular redundancy.

    [0018] FIG. 5 shows a self-test of the comparator.

    [0019] FIG. 6 schematically shows a control unit according to one specific embodiment of the present invention.

    DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS

    [0020] A system according to one specific embodiment includes two or more processing units, of which at least one processing unit carries out safety-relevant functions, which communicate via a standard Ethernet communication bus. According to one alternative, other bus systems are used which enable the transmission of a data packet.

    [0021] One or multiple processing units run in so-called software lockstep and carry out the redundant calculation of the safety-relevant functions. One processing unit having at least two separate cores may also carry out the redundant calculation of the safety-relevant functions in software lockstep. One processing unit forms the so-called comparator for the software lockstep, which checks the results of the redundant calculation.

    [0022] FIG. 1 illustrates the sequence of such a check: the results of a safety-relevant function or a sequence of functions are summarized after the execution in a data packet and transmitted to the comparator 11.

    [0023] The comparator sorts 12 the incoming results, as shown in detail in FIG. 2, for example according to the transmitting processing unit 30, 31, 32 or a unique application identification 43 (ID). If the results from all processing units are present 14, they are compared 15, 16. On the basis of a type specification 38 in the data frame, the comparator differentiates between results 16 which are only to be compared and results 15 which are to be transmitted 22 to a vehicle bus after the comparison 15. In the case of results which are to be sent 22, the contents and some of the values described hereafter are compared 15 for end-to-end (E2E) security of the data frame 42.

    [0024] The results of a safety-relevant function may include, for example, output data, internal functional states, memories occupied by the function, data which are to be sent to another control unit or an actuator, or values for continuously securing the data frame, such as a so-called alive counter or a checksum. To reduce the quantity of data to be compared 16, a hash value is formed over the overall results. If the result is a data packet 15 which is to be sent 22, its content is sent unchanged in the data frame 22.

    [0025] In standard data frame 42 shown in FIG. 3, one or multiple comparison values 33 are transmitted to the comparator. Data frame 42 additionally also contains application identification 43, type specification 38, number 39 of included comparison values 33, a timestamp 41, an alive counter 40, and a checksum 34 for securing data frame 42, which may be based, for example, on a cyclic redundancy check (CRC) or a cryptographic hash function.

    [0026] An error counter is associated with each application identification 43 for error handling. In the event of an error, the particular counter 40 is incremented; in the event of a correct comparison, it is decremented. If an error counter reaches a configured threshold, an error reaction is triggered, for example by putting the system into a safe state. The error reaction may be configured as a function of application identification 43.

    [0027] In a system including three or more processing units 30, 31, 32, the comparator may also carry out a 2-of-3 comparison in order to achieve a higher level of availability of the system (FIG. 4). The comparator is additionally checked cyclically by a self-test, as illustrated in FIG. 5. The test checks that the comparator and the error logic function. The self-test uses a dummy application identification 43.
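The comparator sequence of paragraphs [0022] to [0027] (sorting by application identification, comparing once all processing units have reported, the 2-of-3 vote, the per-identification error counter with its threshold, and the time overrun of claim 4), as an added worked example that is not the patent's own implementation. The frame field names, the tick-based deadline and the error-reaction callback are assumptions made for the example.

```python
from collections import Counter, defaultdict
# Constructed example of the comparator sequence the text describes (sort by
# app ID, compare once all units reported, 2-of-3 vote, per-ID error counter,
# time overrun). Field names, tick deadline and callback are assumptions.

class Comparator:
    def __init__(self, units, threshold=3, timeout=10, on_error=None):
        self.units = frozenset(units)            # expected processing units
        self.threshold = threshold               # configurable error threshold
        self.timeout = timeout                   # time overrun in clock ticks
        self.on_error = on_error or (lambda app: None)  # error reaction
        self.buffer = defaultdict(dict)          # app_id -> {unit: frame}
        self.deadline = {}                       # app_id -> overrun tick
        self.errors = defaultdict(int)           # error counter per app_id
        self.sent = []                           # content handed to the bus

    def receive(self, frame, now):
        # Sort the frame under its application ID; compare once complete.
        app = frame["app_id"]
        self.buffer[app][frame["unit"]] = frame
        self.deadline.setdefault(app, now + self.timeout)
        if self.units <= set(self.buffer[app]):
            return self._compare(app)
        return None                              # set still incomplete

    def tick(self, now):
        # Time overrun: an incomplete set past its deadline is an error.
        for app, due in list(self.deadline.items()):
            if now > due:
                self._finish(app, ok=False)

    def _compare(self, app):
        frames = self.buffer[app]
        votes = Counter(tuple(f["values"]) for f in frames.values())
        majority, n = votes.most_common(1)[0]
        if 2 * n <= len(frames):                 # no majority: discard all
            self._finish(app, ok=False)
            return None
        if next(iter(frames.values()))["type"] == "content":
            self.sent.append((app, majority))    # only content goes to the bus
        # Deviating units are discarded but still count against the counter.
        self._finish(app, ok=(n == len(frames)))
        return majority

    def _finish(self, app, ok):
        for table in (self.buffer, self.deadline):
            table.pop(app, None)
        self.errors[app] = max(0, self.errors[app] - 1) if ok else self.errors[app] + 1
        if self.errors[app] >= self.threshold:
            self.on_error(app)                   # configurable error reaction
```

Hash-type frames are only compared, content-type frames are additionally recorded as transmitted, and a unit that deviates from the other two is outvoted without stopping the application while its deviation is still charged to the error counter.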

    [0028] This method 10 may be implemented, for example, in software or hardware or in a mixed form of software and hardware, for example, in a control unit 50, as illustrated in the schematic illustration of FIG. 6.