The present invention relates to a method for data protection of fixed and learned control parameters of duplicated, program-controlled computers, in which the parameters are stored in an EEPROM. The parameter storage area in the EEPROM is available for storing the control parameters and associated test data and is subdivided into at least two discrete subareas, which are assigned, respectively, to the one and to the other computer.
FIG. 1 shows a control system known in the related art, which functions, for example, to control an engine of a motor vehicle and for this purpose contains two redundantly arranged microcontrollers 1 and 2 (μC1, μC2). An electrically programmable and erasable read-only memory 3, abbreviated EEPROM, is assigned to both microcontrollers or computers 1 and 2. Its area for fixed parameters and for learned (self-learning) variables is divided, in a ratio of 1:1, into two areas I and II, each assigned to one of the microcontrollers 1 and 2. For each microcontroller 1 and 2, the same information is in principle stored in each of the storage areas I and II of EEPROM memory 3. In this context, in the related art all data are additionally stored along with a complement of themselves.
This data storage in electrically erasable and programmable EEPROMs is used to flexibly manipulate control units and to program into the control unit the most varied parameters for various customer requirements in the final stage of production during the final testing or even at the place of installation. In this way, changes in the software and in customer-dependent software versions are minimized.
For this reason, it is a goal to store in one EEPROM the greatest possible amount of data with the greatest possible security and accessibility.
FIG. 2 depicts in detail a data organization that is customary in the related art for an EEPROM 3 of this type.
In a first subarea assigned to first microcontroller 1, there are stored, for example, the fixed parameters assigned to this microcontroller 1 and the learned variables of this microcontroller 1 (self-learned variables) as datum 1 through datum 64 together with their respective complements 1-64, in cascade, in cells 1-128.
In a second subarea II, assigned to second microcontroller 2, there are stored the fixed parameters assigned to this second microcontroller 2 and the variables learned from it (self-learned variables), respectively, as datum 1 through datum 64 together with their respective complements 1-64, in cascade, in cells 129-256.
In this way, the effectively usable size of the entire EEPROM area is reduced to a fourth of its overall size.
To assure the consistency of the important control unit parameters in EEPROM 3, the following monitoring and corrective steps are provided in the related art.
According to a first step, complement storage for all data is provided. If the complement does not match the datum, then the EEPROM is declared defective if the datum is a fixed parameter, and the datum is declared implausible if it is a self-learned variable. A data correction may be possible on the basis of data redundancy.
According to a second step, a monitoring of permissible values for self-learned variables is performed. If the datum exceeds the relevant permissible limit value, it is declared implausible. A data correction may be possible on the basis of data redundancy.
According to a third step, redundant data storage in the two separated storage areas I and II is provided, in order to correct the implausible data discovered in the previous two steps. In this context, the following corrective steps are carried out. If the datum and the complement are correct and identical in both microcontrollers 1 and 2, then the data are valid. If the datum and its complement are correct but different in both microcontrollers 1 and 2, then the datum and its complement from microcontroller 2 are programmed using the datum and its complement from microcontroller 1, and thus complete redundancy is reestablished. If the datum or its complement from microcontroller 1 is implausible, then the datum and its complement from microcontroller 1 are programmed using the datum and its complement from microcontroller 2, and thus complete redundancy is reestablished. If the data or complements from both microcontrollers are implausible, then the default values are accepted and the EEPROM is declared defective.
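The three related-art steps above can be followed for one self-learned variable in the C sketch below. It is an added example, not code from the patent; the type and function names, the use of the limit as an upper bound, and the handling of the case where only the area II copy is implausible (treated symmetrically) are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* One stored entry in the related-art layout: datum plus its complement. */
typedef struct { uint8_t datum; uint8_t complement; } entry_t;

typedef enum {
    RES_VALID,          /* both copies plausible and identical */
    RES_COPIED_1_TO_2,  /* area II reprogrammed from area I */
    RES_COPIED_2_TO_1,  /* area I reprogrammed from area II */
    RES_DEFAULT_DEFECT  /* both implausible: default used, EEPROM defective */
} result_t;

/* Steps 1 and 2: the complement must match and the value must not exceed
 * the permissible limit (limit modelled as an upper bound: assumption). */
static bool plausible(const entry_t *e, uint8_t limit)
{
    return (uint8_t)~e->datum == e->complement && e->datum <= limit;
}

/* Step 3: use the redundant copy in the other area to repair an entry.
 * *value receives the datum the control program should use. */
result_t reconcile(entry_t *area1, entry_t *area2, uint8_t limit,
                   uint8_t dflt, uint8_t *value)
{
    bool ok1 = plausible(area1, limit);
    bool ok2 = plausible(area2, limit);

    if (!ok1 && !ok2) {            /* nothing trustworthy left */
        *value = dflt;
        return RES_DEFAULT_DEFECT;
    }
    if (!ok1) {                    /* area I implausible: restore from II */
        *area1 = *area2;
        *value = area1->datum;
        return RES_COPIED_2_TO_1;
    }
    *value = area1->datum;
    if (ok2 && area1->datum == area2->datum)
        return RES_VALID;
    /* Both plausible but different: area I wins, as the text states.
     * Only area II implausible: same repair, by symmetry (assumption). */
    *area2 = *area1;
    return RES_COPIED_1_TO_2;
}
```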
It is an objective of the present invention to store as many parameters as possible in an electrically erasable and programmable memory (EEPROM) that is used in common by two redundantly arranged microcontrollers or computers of a control system, without, in this context, dispensing with the assurance of the data consistency in the event of errors.
The above-mentioned objective is achieved in a method according to the present invention, in that provision is made for a step for memory management, by subdividing the parameter storage area in the EEPROM into three discrete subareas. A first subarea functions to store common, fixed parameters accessible to both computers, without their complements, and additionally a running digital sum (check sum) for all fixed parameters. A second subarea, which is accessible to only one of the two computers, functions to store learned (self-learned) variables of this computer, without their complements, and a check sum for all these learned variables. A third subarea, which is accessible only to the other of the two computers, functions to store learned (self-learned) variables of this computer, without their complements, and a check sum for all these learned variables.
According to the method of the present invention, the memory available in the EEPROM is divided into three areas. Each memory area is monitored using a check sum. Only the self-learned variables are maintained redundantly. Thus the method according to the present invention makes it possible to store more data than before in the EEPROM, with the same data security and the same accessibility, and thus offers more flexible solutions with respect to various customer requirements.
The above objective, in addition, is achieved according to the present invention by a system for carrying out the method, the system being characterized in that in each of the two computers provision is made for a memory management means, which subdivides the parameter storage area in the EEPROM into three discrete subareas. According to this arrangement, each subarea plays a certain role. A first subarea is assigned in common to the two computers and functions to store fixed parameters in common to both computers, without their complements, and a check sum for all fixed parameters. A second subarea is assigned to only one of the computers and functions to store learned variables of this computer, without their complements, and a check sum of all these learned variables. A third subarea is assigned only to the other of the two computers and functions to store learned variables of the other computer, without their complements, and a check sum of all these learned variables.
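The three-subarea division with one check sum per subarea can be sketched in C as follows. This is an added example, not code from the patent: the 256-cell size is taken from FIG. 2, while the split of 20 learned variables per computer, the 8-bit additive check sum, and all names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define EEPROM_CELLS 256u   /* cell count as in FIG. 2 */
#define N_LEARNED    20u    /* learned variables per computer (assumed) */
#define N_FIXED      (EEPROM_CELLS - 1u - 2u * (N_LEARNED + 1u))

typedef enum { AREA_FIXED, AREA_LEARNED_1, AREA_LEARNED_2 } area_t;

/* A subarea is len data cells followed by one check sum cell. */
typedef struct { size_t start, len; } span_t;

span_t area_span(area_t a)
{
    span_t s = { 0, N_FIXED };
    if (a != AREA_FIXED) {
        s.start = N_FIXED + 1u + (a == AREA_LEARNED_2 ? N_LEARNED + 1u : 0u);
        s.len = N_LEARNED;
    }
    return s;
}

/* Fixed parameters are common; each learned subarea belongs to one computer. */
bool may_access(int computer, area_t a)
{
    return a == AREA_FIXED || (computer == 1 && a == AREA_LEARNED_1)
                           || (computer == 2 && a == AREA_LEARNED_2);
}

/* 8-bit additive sum over the data cells (check sum algorithm: assumption). */
uint8_t area_sum(const uint8_t *ee, area_t a)
{
    span_t s = area_span(a);
    uint8_t sum = 0;
    for (size_t i = 0; i < s.len; i++)
        sum = (uint8_t)(sum + ee[s.start + i]);
    return sum;
}

/* Store the check sum after the data cells have been programmed. */
void area_seal(uint8_t *ee, area_t a)
{
    span_t s = area_span(a);
    ee[s.start + s.len] = area_sum(ee, a);
}

/* Monitoring: a subarea is consistent if its stored check sum still matches. */
bool area_ok(const uint8_t *ee, area_t a)
{
    span_t s = area_span(a);
    return ee[s.start + s.len] == area_sum(ee, a);
}
```

With this assumed split the same 256 cells hold 213 fixed parameters plus 20 learned variables per computer, compared with 64 data in the related-art layout of FIG. 2.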