1. Field of the Invention
The invention relates to a circuit configuration for protecting the operation of a computer-controlled control unit, by means of which a signal is placed at the reset input of the computer and as a result the computer is restarted, in the event of a malfunction. Such circuit configurations are important, for instance, for monitoring motor vehicle control units where reliable operation is indispensable, such as in transmission, engine, injection and ignition controls.
2. Description of the Related Art
Many versions of monitoring and reset circuits for microcomputers are known, such as from the publication Electronic Design 2, Jan. 18, 1977, pages 90 and 92; and German Published, Non-Prosecuted Application DE 34 21 584 A1, corresponding to U.S. Pat. No. 4,696,002. A microcomputer or microcontroller is monitored for correct program execution by an additional component, which is sometimes called a watchdog. The microcomputer must furnish defined signal pulses to the watchdog. An absence of the pulses or a deviation from the defined course makes the watchdog circuit send an electrical reset signal to the microcomputer, causing the latter to jump to a defined address in its program memory and begin again to execute routines. That prevents the control unit from outputting uncontrolled signals in the event of errors in executing the control unit program. The routine for generating the signal pulses is configured in such a way that the pulses are fed to the watchdog only if program execution is perfect. Such a monitoring has the disadvantage of requiring an additional external component. Moreover, it cannot be entirely precluded that the aforementioned routine will continue to generate signal pulses even if program execution is defective.
The monitoring circuit can also be disposed on the same chip as the microprocessor, in which case it is known as an on-chip watchdog that has to be turned on first by the control unit program. That means that errors in which the control unit program does not even run, cannot be eliminated. That is disadvantageous especially if the monitoring circuit is intended not only to trip a computer reset but also to influence the controlled equipment, such as the actuators or final control elements in a transmission control system, in such a way that the equipment assumes a passive state for safety reasons.
It is accordingly an object of the invention to provide a circuit configuration for protecting the operation of a computer-controlled apparatus, which overcomes the hereinafore-mentioned disadvantages of the heretofore-known devices of this general type and which assures the greatest possible safety in the operation of a computer-controlled control unit.