US20080263409A1 - Self-Test System - Google Patents

Publication number
US20080263409A1
Authority
US
United States
Prior art keywords
fault
electronic system
processor
monitoring
signal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US12/109,649
Inventor
Peter John Miller
Andrew Charles Osborne Smith
Michael John Lindsey
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual
Priority to US12/109,649
Publication of US20080263409A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14 Error detection or correction of the data by redundancy in operation
    • G06F11/1402 Saving, restoring, recovering or retrying
    • G06F11/1415 Saving, restoring, recovering or retrying at system level
    • G06F11/1441 Resetting or repowering
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/22 Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing
    • G06F11/26 Functional testing
    • G06F11/267 Reconfiguring circuits for testing, e.g. LSSD, partitioning
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/0703 Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
    • G06F11/0751 Error or fault detection not based on redundancy
    • G06F11/0754 Error or fault detection not based on redundancy by exceeding limits
    • G06F11/0757 Error or fault detection not based on redundancy by exceeding limits by exceeding a time limit, i.e. time-out, e.g. watchdogs

Definitions

  • The system then runs the self-test routine as discussed above, i.e. monitors ( 403 ) to see whether the watchdog application outputs a fault flag and/or whether the voltage detector outputs the fault flag. If a fault signal is output from the fault-monitoring device, then a record of the fault signal is stored ( 404 ) in non-volatile memory. In either case, the processor then shuts down all operations ( 405 ).
  • The processor checks ( 407 ) whether a record is stored in the non-volatile memory for the self-test that was carried out on shut-down. If no such record is present in the non-volatile memory, then an alarm signal is generated ( 408 ). This alarm signal or message indicates that the associated fault detection component is not operating properly. In response, the processor would usually shut down until the fault is cleared. However, if the non-volatile memory does include a record for the associated fault detection component, the electronic system can continue to operate as normal ( 409 ).
  • The processor may, before step 409 , check for the existence of a record indicating that the level detector 4 detected an under-voltage situation on the previous start-up of the processor. If no such record is detected, an alarm signal may be generated ( 408 ).
  • The processor may run another sub-routine after step 409 in which the processor shuts itself down and starts itself up again to run the under-voltage routine. This additional stop/start routine will result in a small delay in starting of the processor for normal operation but is unlikely to be noticeable to a user.
  • The invention thus aims to reduce the risk of a fault in a fault-monitoring system going undetected, by testing the fault-monitoring systems.
  • The fault-monitoring systems are tested every time the monitored system is shut down and restarted (e.g. in the case of a vehicle such as a car this will happen before and after every journey).

Abstract

An electronic system comprising a system to be monitored (2) and a plurality of fault-monitoring systems (4, 6) each of which is adapted to output a fault signal when an input indicates that the electronic system is in a fault condition associated with the fault-monitoring system. The fault-monitoring systems are arranged in a cascade fashion such that a fault signal output from one fault-monitoring system (4) is provided as an input to a subsequent fault-monitoring system (6) in the cascade of fault-monitoring systems to simulate a fault condition associated with the subsequent fault-monitoring system. The output of the final fault-monitoring system in the cascade gives an indication of whether there is a fault with any of the fault-monitoring systems.

Description

  • This invention relates to a self-test process and apparatus that has inherent self-testing capabilities, for use with control systems, in particular but not exclusively for use in vehicles.
  • Electronic systems that are used in systems where a failure may have serious consequences need various fault monitoring systems to ensure such faults are detected and suitable corrective action taken. Many such fault monitoring systems are known (for example a comparator can be used to compare a supply voltage with a fixed reference voltage, generating an error whenever the supply voltage is under (or over) the reference). Given that failures are a rare event, it is possible for faults to develop in the fault monitoring systems before the faults they are designed to detect occur. If these faults go undetected, it is then possible that when a more serious fault occurs (one that the fault monitoring system was designed to detect) this will go undetected with serious consequences.
  • Based on the foregoing there is clearly a need for a way of monitoring the fault-monitoring systems themselves.
  • The invention will now be described, by way of example only, with reference to the accompanying drawings, in which like reference numerals refer to similar elements and in which:
  • FIG. 1 shows a functional diagram of components of an electronic system incorporating a first embodiment of a self-test system;
  • FIG. 2 is a circuit diagram illustrating an embodiment of the self-test system of FIG. 1;
  • FIG. 3 shows a functional diagram of components of an electronic system incorporating a second embodiment of a self-test system; and
  • FIG. 4 is a flow diagram illustrating the operation of the self-test system of FIG. 3.
  • A method and apparatus for self-testing an electronic system is described. In the following description, for the purposes of explanation, numerous specific details are set forth to provide a thorough understanding of the present invention. It will be apparent to a person skilled in the art that the present invention may be practised without these specific details. In other instances, well-known structures and devices are shown in block diagram form to avoid unnecessarily obscuring the present invention.
  • The needs identified above and other needs and objects that will become apparent from the following description are achieved in the present invention which comprises, in one aspect, an electronic system comprising a system to be monitored and a plurality of fault-monitoring systems. Each of the fault-monitoring systems is adapted to output a fault signal when an input indicates that the electronic system is in a fault condition associated with the fault-monitoring system. The fault-monitoring systems are arranged in a cascade fashion such that a fault signal output from one fault-monitoring system is provided as an input to a subsequent fault-monitoring system in the cascade of fault-monitoring systems to simulate a fault condition associated with the subsequent fault-monitoring system. The output of the final fault-monitoring system in the cascade gives an indication of whether there is a fault with any of the fault-monitoring systems. Alternatively the outputs of each of the individual fault-monitoring systems may be monitored to indicate whether there is a fault with any of the fault-monitoring systems.
  • In other aspects, the invention encompasses a method and a computer-readable medium for carrying out the foregoing steps.
  • The electronic system to be described is part of the electronic system used in a vehicle such as a car but the method is applicable to other electronic systems which include fault-monitoring systems.
  • FIG. 1 shows an embodiment of a self-testing fault monitoring system. The electronic system incorporates the system to be monitored 2 (which will typically contain a microprocessor), a first fault detection device 4 (which may for example take the form of a watchdog for the processor) and a second (and in this case final) fault detection device 6 (which may for example take the form of a voltage level detector, monitoring the power rails of the processor). A system 8 provides the required action on detection of a fault (for example to switch off the system 2) and non-volatile memory 10 allows storage of a record of the success or failure of the self testing process.
  • In either of the above fault detection situations, the fault action system 8 is activated either directly, via fault-monitoring system 6, or indirectly, by fault-monitoring system 4 simulating a fault in monitor 6 which then causes the action.
  • The fault-monitoring systems 4, 6 are designed to monitor for fault conditions. However, the electronic system in which these components are implemented has no way of knowing whether the fault condition detectors are operating properly or not. The embodiment shown in the figures allows an electronic system to monitor the fault-monitoring systems. Preferably, a self-test is carried out each time the system is shut down.
  • Thus when the electronic system is to be shut down, the system 2 being monitored changes its function so as to cause fault detector 4 to detect a fault. If the fault detector circuit 4 is operating properly, then it will generate an output which will cause fault detector 6 to see a fault. A record of this event is stored in the non-volatile memory 10, as well as causing the fault response activator 8 to carry out a response to a fault condition (typically to shut down the system 2). When the system 2 next receives a signal to start up, it checks for the record in the non-volatile memory. If, on start up, such a record is not in the non-volatile memory then the system 2 registers that the fault-monitoring systems did not function correctly and therefore one of the fault-monitoring systems 4, 6 is faulty. The system then takes the appropriate action e.g. shutting itself down after generating an appropriate fault message. If the system 2 determines that the test of the fault detectors was successful, then the record in the non-volatile memory is cleared, ready for the next self-test.
  • In a further aspect of the invention a partial self-test is also carried out on start up. On switch on, the supply voltage Vsupp ramps up to the required level. Therefore a self-test of an under-voltage detector (e.g. fault-monitoring system 6) may also be carried out on start up to test whether the under-voltage detector 6 is correctly detecting an under-voltage situation. Thus, on starting operation of the system, a start-up monitor 12 can check that the under-voltage fault-monitoring system 6 initially detects a fault (when the supply voltage is low) and then detects no fault (when the supply is within specification). This fault-monitoring system can inform the electronic system being monitored 2 of its result, and/or activate the fault-response activator 8, and/or store a record in the non-volatile memory 10.
  • FIG. 2 shows an embodiment of the fault detection system, comprising under- and over-voltage detectors for two power supply lines (5V and 2.6V). The actual detection of under/over voltage is performed by the 4 comparators (30, 32, 34, 36). A signal A indicates an input to the first fault-monitoring device comprising comparators 30, 32. Transistor T1 allows the system to induce a fault into the first comparator 30 which via T2 induces a fault in the second comparator 32. The fault signal B output from the comparator 32 then induces a fault in the next fault-monitoring device comprising comparators 34, 36. Thus fault signal B output from the comparator 32 induces a fault in the next comparator 34 via D1 and in turn comparator 34 induces a fault in the last comparator 36 via D2. The fault signal C output from the second fault-monitoring system (comprising comparators 34, 36) is then used to trigger the fault response activator 8.
  • In an implementation as shown in this first embodiment described with reference to FIGS. 1 and 2, there are two fault-monitoring devices: at the beginning of the cascade of fault-monitoring devices there is a watchdog system 4 (or similar) connected to a microprocessor, while at the far end of the cascade a fault output signal from the second fault monitoring system 6 turns the system off (or resets the microprocessor).
  • In a further development, when the electronic system is placed into a fault condition for which the first fault-monitoring device is monitoring, a flag or value (e.g. 1) is stored in the non-volatile memory 10. If the microprocessor of the electronic system 2 is still running after a given period of time (i.e. the microprocessor has not shut down), then the cascade is triggered. The processor then writes a different value (e.g. 2) to the non-volatile memory 10 and switches off. On start up, by examining the non-volatile memory, the reason for the stop can be found. The value should be erased after reading so that a real fault can be distinguished from a “test” fault.
  • Although FIGS. 1 and 2 show embodiments in which only two fault-monitoring systems (4 and 6) are provided, it will be apparent that further fault-monitoring systems may be provided. In this case, the output of a first fault-monitoring system may be provided as the input to a second, the output of the second may be input to a third, and so on.
  • FIG. 3 shows a second embodiment of a self test system. The electronic system incorporates a system to be monitored 2 (typically including at least one processor), a first fault-monitoring device in the form of a voltage level detector 4 and a second fault-monitoring device in the form of a watchdog circuit 6. A second processor 8 may also be provided to monitor the operation of the first processor 2. Non-volatile memory 10 may be provided to store fault history records.
  • The voltage level detector 4 includes an op-amp, a first (non-inverting) input of which is connected to the supply voltage Vsupp and the second, inverting, input of which is connected to a reference voltage Vref. In use, the supply voltage of the electronic system is likely to change. For instance, when the electronic system is powered up, the voltage will increase from nominally 0V to a voltage in the region of that required by the electronic system e.g. 3V. During this ramp-up stage, the voltage may overshoot the required supply voltage. This results in a so-called over-voltage situation. As this over-voltage may result from some fault with the power supply of the electronic system, this is deemed to be a fault situation.
  • When the magnitude of the supply voltage is greater than the magnitude of the reference voltage, the op-amp produces an output signal and hence the voltage level detector 4 outputs a fault signal.
  • The watchdog circuit 6 receives as an input a signal from the processor 2 to indicate that the processor is operating correctly. In normal conditions, the signal is output from the processor 2 in a periodic manner. If the watchdog circuit does not receive the signal when it is expecting a signal, the processor is determined to be in an abnormal state and the watchdog circuit 6 outputs a fault signal in the form of a reset signal.
  • In either of these fault detection situations, the processor is reset i.e. the operation of the processor is stopped and re-started.
  • The level detector 4 and the watchdog circuit 6 are designed to monitor for fault conditions. However the electronic system in which these components are implemented has no way of knowing whether the fault condition detectors are operating properly or not. Thus, a self-test is carried out each time the microprocessor is shut down, either because of a reset or because the associated system has been turned off.
  • Thus, according to a first aspect, when the electronic system is to be shut down, the processor monitors for the detection of an over voltage condition. If the level detector circuit 4 is operating properly, then the level detector circuit 4 should output an over voltage reset signal on shut down. Thus, when the system, in particular the processor of the electronic system, is shut down, the processor monitors for an over voltage signal at the output from the level detector 4. When an over voltage current occurs on stopping of the operation of the processor 2, a record to this effect is stored in non-volatile memory 10. When the processor 2 next receives a signal to start up, the processor looks for the record in the non-volatile memory. If, on start up, such a record is not in the non-volatile memory then the processor 2 registers that the over voltage monitoring circuit 4 has not detected the over voltage situation on shut down and that therefore the over voltage detection device 4 is faulty. The processor then takes the appropriate action e.g. shutting itself down after generating an appropriate fault message. The record in the non-volatile memory is preferably cleared when this fault message is generated.
  • An additional or alternative self test may be carried out. This relates to the self testing of the watchdog circuit 6. This self test is done automatically on shut down of the processor 2. When a signal is sent to the processor to cease operation, the processor in response ceases sending the periodic signal to the watchdog circuit 6. The watchdog circuit 6 then detects that it is not receiving the usual periodic signals from the microprocessor 2 and thus generates a reset signal. This is received by the processor 2 and a record of this reset signal is stored in the non-volatile memory 10. The processor 2 then shuts down.
  • On subsequent commencement of operation of the processor 2, the processor carries out a check to see if the non-volatile memory 10 includes a record of the reset signal generated by the watchdog device 6. When the non-volatile memory does not include such a record, a fault message is then generated and the processor shut down.
  • Preferably a self test is carried out on shut-down for both the level detector 4 and the watchdog circuit 6. The watchdog self-test may be carried out first, by ceasing the periodic signal from the processor 2 to the watchdog circuit 6, and monitoring for a fault signal from the watchdog circuit. This may then be followed by the level detector self-test.
  • A self-test may also be carried out on start up. As explained above, the supply voltage Vsupp ramps up to the required level on start up. Therefore a self-test of the level detector 4 is also carried out on start up to test that the level detector 4 is correctly monitoring an under-voltage situation. Thus on starting operation of the processor, the self-test routine monitors for the generation of a fault signal from the level detector 4. On generation of a fault signal from the fault-monitoring device on starting of the operation of the processor, a record to this effect is stored in the non-volatile memory 10. On subsequent receipt of a message to stop operation of the processor, the processor checks whether the non-volatile memory 10 includes a record of a fault signal and when the non-volatile memory does not include a record of such a fault signal, an alarm signal is generated.
  • FIG. 4 is a flow diagram showing the operation of the self test program. This routine is run on start up or shut down (e.g. when the ignition of a vehicle is started or on or after a reset or any other reason). In the first step (401) the processor receives a command to enter a fault condition for a first fault-monitoring system e.g. to switch off the processor 2. This may be due to a reset from the watch dog application or the voltage detector (or another fault detection device). The processor then enters the fault condition (402) e.g. the processor initiates cessation of operation, which is intended to generate a fault condition.
  • The system then runs the self test routine as discussed above i.e. monitors (403) to see whether the watch dog application outputs a fault flag and/or whether the voltage detector outputs the fault flag. If a fault signal is output from the fault-monitoring device, then a record of the fault signal is stored (404) in non-volatile memory. In either case, the processor then shuts down all operations (405).
  • On subsequent reversion (406) of the system into a non-fault condition e.g. start-up of the processor (406) (either as a result of a reset signal or because the system is powered up by a user), the processor checks (407) whether a record is stored in the non-volatile memory for the self-test that was carried out on shut-down. If no such record is present in the non-volatile memory, then an alarm signal is generated (408). This alarm signal or message indicates that the associated fault detection component is not operating properly. In response, the processor would usually shut down until the fault is cleared. However if the non-volatile memory does include a record for the associated fault detection component, the electronic system can continue to operate as normal (409).
  • If an under-voltage self-test is also to be carried out, the processor may, before step 409, check for the existence of a record indicating that the level detector 4 detected an under-voltage situation on the previous start-up of the processor. If no such record is detected, an alarm signal may be generated (408). Alternatively the processor may run another sub-routine after step 409 in which the processor shuts itself down and starts itself up again to run the under-voltage routine. This additional stop/start routine will result in a small delay in starting of the processor for normal operation but is unlikely to be noticeable to a user.
  • The invention thus aims to reduce the risk of a fault in a fault-monitoring system going undetected by testing the fault-monitoring systems. Preferably the fault-monitoring systems are tested every time the monitored system is shut down and restarted (e.g. in the case of a vehicle such as a car this will happen before and after every journey).
  • In the foregoing specification, the invention has been described with reference to specific embodiments thereof. It will however be evident that various modifications and changes may be made thereto without departing from the broader spirit and scope of the invention. The description and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense.
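The shut-down and start-up self-test of FIG. 4, modelled as a small C simulation. This is an added example, not code from the patent: the struct, function and constant names are hypothetical, and the watchdog circuit 6, level detector 4 and non-volatile memory 10 are simulated in software.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed simulation; every name here is hypothetical. */
enum { REC_WATCHDOG = 1u << 0, REC_OVERVOLT = 1u << 1,
       REC_ALL = REC_WATCHDOG | REC_OVERVOLT };

typedef struct {
    bool    watchdog_ok;   /* simulated health of watchdog circuit 6 */
    bool    level_det_ok;  /* simulated health of level detector 4   */
    uint8_t nvm;           /* simulated non-volatile memory 10       */
} ecu_t;

/* A healthy watchdog raises a reset once the periodic signal stops. */
static bool watchdog_reset_seen(const ecu_t *e, bool kicking)
{
    return e->watchdog_ok && !kicking;
}

/* A healthy level detector raises an over-voltage reset on shut down. */
static bool overvoltage_seen(const ecu_t *e)
{
    return e->level_det_ok;
}

/* Steps 401-405: enter the fault condition, record each fault signal seen. */
void ecu_shutdown(ecu_t *e)
{
    bool kicking = false;                 /* stop the periodic signal */
    if (watchdog_reset_seen(e, kicking))
        e->nvm |= REC_WATCHDOG;
    if (overvoltage_seen(e))
        e->nvm |= REC_OVERVOLT;
    /* the processor halts here in either case (405) */
}

/* Steps 406-409: return a bitmask of monitors with no record (alarm, 408);
 * 0 means continue as normal (409). clear_record models the "preferably
 * cleared" option: without it a stale record hides a later failure. */
uint8_t ecu_startup(ecu_t *e, bool clear_record)
{
    uint8_t missing = (uint8_t)(REC_ALL & ~e->nvm);
    if (clear_record)
        e->nvm = 0;
    return missing;
}

int main(void)
{
    ecu_t e = { true, true, 0 };
    ecu_shutdown(&e);
    printf("healthy cycle alarms: 0x%x\n", ecu_startup(&e, true));
    e.watchdog_ok = false;                /* watchdog dies between cycles */
    ecu_shutdown(&e);
    printf("dead watchdog alarms: 0x%x\n", ecu_startup(&e, true));
    return 0;
}
```

In this model a start-up with empty non-volatile memory (for example the very first power-up) also raises the alarm, because no shut-down record exists yet.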

Claims (14)

1-18. (canceled)
19. An electronic system comprising at least one fault-monitoring system, the electronic system being arranged to:
place the electronic system into a first fault condition and monitor for a generation of a first fault signal from a first fault-monitoring device,
on the generation of a first fault signal from the first fault-monitoring device after placing the electronic system into a first fault condition, store a record to this effect in non-volatile memory,
on subsequent reversion of the electronic system to a non-fault condition, check whether the non-volatile memory includes a record of a first fault signal and when the non-volatile memory does not include a record of such a first fault signal on subsequent reversion, generate an alarm signal.
20. An electronic system according to claim 19 wherein:
placing of the electronic system into a first fault condition comprises stopping operation of a processor; and
subsequent reversion of the electronic system to a non-fault condition comprises subsequent commencement of operation of the processor.
21. An electronic system according to claim 19 wherein the fault monitoring device comprises a voltage detector which generates a fault signal when an over-voltage occurs.
22. An electronic system according to claim 19 wherein the fault-monitoring device comprises a device for monitoring the operation of a processor and generating a fault signal when a fault with the operation of the processor is detected.
23. An electronic system according to any of claims 19 further arranged to clear the non-volatile memory of the record once it has been determined whether or not the non-volatile memory includes a record of a fault signal.
24. An electronic system according to any of claims 19 further comprising a plurality of fault-monitoring systems, a fault signal output of a first fault-monitoring system being provided as an input to a second fault-monitoring system, such that an input to the second fault-monitoring system simulates a second fault condition.
25. An electronic system according to claim 24 wherein the output of a final fault-monitoring system is used as an indicator of an overall fault in one of the fault-monitoring systems.
26. A self-test method for an electronic system, the method comprising:
placing the electronic system into a first fault condition and monitoring for a generation of a first fault signal from a fault-monitoring device,
on the generation of a first fault signal from the fault-monitoring device after placing the electronic system into a first fault condition, storing a record to this effect in non-volatile memory,
on subsequent reversion of the electronic system to a non-fault condition, checking whether the non-volatile memory includes a record of a first fault signal and when the non-volatile memory does not include a record of such a first fault signal on subsequent commencement, generating an alarm signal.
27. A self-test method according to claim 26 wherein the electronic system includes a processor, wherein:
the placing of the electronic system into a first fault condition comprises stopping operation of the processor; and
subsequent reversion of the electronic system to a non-fault condition comprises subsequent commencement of operation of the processor.
28. A self-test method according to claim 26 wherein the electronic system includes a processor, wherein:
the placing of the electronic system into a first fault condition comprises starting operation of the processor; and
subsequent reversion of the electronic system to a non-fault condition comprises subsequent cessation of operation of the processor.
29. A self-test method according to claim 28 wherein the fault-monitoring device comprises a voltage detector which generates a fault signal when an over-voltage occurs.
30. A self-test method according to claim 28 wherein the fault-monitoring device comprises a device for monitoring the operation of a processor and generating a fault signal on detection of a fault with the operation of the processor.
31. A self-test method according to claim 28 further comprising clearing the non-volatile memory of the record once it has been determined whether or not the non-volatile memory includes a record.
US12/109,649 2002-07-18 2008-04-25 Self-Test System Abandoned US20080263409A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US12/109,649 US20080263409A1 (en) 2002-07-18 2008-04-25 Self-Test System

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
GB0216742.7 2002-07-18
GBGB0216742.7A GB0216742D0 (en) 2002-07-18 2002-07-18 Self-testing watch dog system
PCT/GB2003/003141 WO2004010299A2 (en) 2002-07-18 2003-07-18 Self-test system
US10/522,440 US7707458B2 (en) 2002-07-18 2003-07-18 Self-test system
US12/109,649 US20080263409A1 (en) 2002-07-18 2008-04-25 Self-Test System

Related Parent Applications (2)

Application Number Title Priority Date Filing Date
PCT/GB2003/003141 Division WO2004010299A2 (en) 2002-07-18 2003-07-18 Self-test system
US10/522,440 Division US7707458B2 (en) 2002-07-18 2003-07-18 Self-test system

Publications (1)

Publication Number Publication Date
US20080263409A1 (en) 2008-10-23

Family

ID=9940732

Family Applications (2)

Application Number Title Priority Date Filing Date
US10/522,440 Expired - Fee Related US7707458B2 (en) 2002-07-18 2003-07-18 Self-test system
US12/109,649 Abandoned US20080263409A1 (en) 2002-07-18 2008-04-25 Self-Test System

Country Status (5)

Country Link
US (2) US7707458B2 (en)
AU (1) AU2003281577A1 (en)
DE (1) DE10392916T5 (en)
GB (2) GB0216742D0 (en)
WO (1) WO2004010299A2 (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7337368B2 (en) * 2004-06-07 2008-02-26 Dell Products L.P. System and method for shutdown memory testing
JP5049132B2 (en) * 2004-11-15 2012-10-17 コーニンクレッカ フィリップス エレクトロニクス エヌ ヴィ Mobile medical telemetry device with voice indicator
EP2306634A3 (en) * 2005-06-30 2015-04-29 Continental Automotive Systems US, Inc. Control system for electric drives
DE102006003740B4 (en) * 2006-01-20 2011-06-30 Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V., 80686 Method and system for operating a high temperature fuel cell
JP4836732B2 (en) * 2006-09-27 2011-12-14 富士通株式会社 Information processing device
US7900093B2 (en) * 2007-02-13 2011-03-01 Siemens Aktiengesellschaft Electronic data processing system and method for monitoring the functionality thereof
US9046581B2 (en) * 2011-12-27 2015-06-02 Ford Global Technologies, Llc Supervisor monitoring system
US10018673B2 (en) * 2015-03-13 2018-07-10 Toshiba Memory Corporation Semiconductor device and current control method of semiconductor device
DE102019135553A1 (en) 2019-12-20 2021-06-24 Airbus Defence and Space GmbH System with self-checking function and method for verifying the self-checking function of a system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4586179A (en) * 1983-12-09 1986-04-29 Zenith Electronics Corporation Microprocessor reset with power level detection and watchdog timer
US4956842A (en) * 1988-11-16 1990-09-11 Sundstrand Corporation Diagnostic system for a watchdog timer
US4999837A (en) * 1989-03-20 1991-03-12 International Business Machines Corporation Programmable channel error injection
US5001712A (en) * 1988-10-17 1991-03-19 Unisys Corporation Diagnostic error injection for a synchronous bus system
US5522040A (en) * 1990-12-10 1996-05-28 Robert Bosch Gmbh Arrangement for testing a watchdog circuit

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
HU178550B (en) * 1978-04-22 1982-05-28 Girling Ltd Non-skid brake mechanism for multiple-axle wheeled vehicles
DE68905509T2 (en) * 1988-02-23 1993-07-01 Valeo Equip Electr Moteur MULTI-FUNCTIONAL CONTROL DEVICE WITH CLOCK SYNCHRONOUS ALTERNATOR.
US4943919A (en) * 1988-10-17 1990-07-24 The Boeing Company Central maintenance computer system and fault data handling method
SU1619279A1 (en) * 1989-02-28 1991-01-07 Ульяновский Научно-Производственный Комплекс "Центр Применения Микроэлектроники И Автоматизации В Машиностроении" Device for simulating faults
US5151854A (en) * 1990-07-20 1992-09-29 Honeywell Inc. Integrated low voltage detect and watchdog circuit
US6208955B1 (en) * 1998-06-12 2001-03-27 Rockwell Science Center, Llc Distributed maintenance system based on causal networks
US7035834B2 (en) * 2002-05-15 2006-04-25 Caterpillar Inc. Engine control system using a cascaded neural network

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080275828A1 (en) * 2007-05-03 2008-11-06 Payton David W Method and system for independently observing and modifying the activity of an actor processor
US7877347B2 (en) * 2007-05-03 2011-01-25 Payton David W Method and system for independently observing and modifying the activity of an actor processor
US20120065823A1 (en) * 2010-09-13 2012-03-15 Denso Corporation Electronic control unit for vehicles

Also Published As

Publication number Publication date
GB0503432D0 (en) 2005-03-30
AU2003281577A8 (en) 2004-02-09
GB0216742D0 (en) 2002-08-28
US7707458B2 (en) 2010-04-27
AU2003281577A1 (en) 2004-02-09
GB2407442B (en) 2006-02-22
WO2004010299A2 (en) 2004-01-29
DE10392916T5 (en) 2005-08-18
WO2004010299A3 (en) 2004-09-23
GB2407442A (en) 2005-04-27
US20060150016A1 (en) 2006-07-06

Legal Events

Date Code Title Description
STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION