In motor vehicle control units, for example, locating the program code of a computer program for a computing unit, in particular for a microprocessor or for a CPU (central processing unit), and for any existing coprocessors, in accordance with an address mapping valid for the particular control unit and storing the code in a program memory of the control unit is available. Locating is understood as the assignment of specific parts of the computer program, referred to as program segments, to specific memory areas of the program memory.
The program code is located and stored in the program memory according to predefinable rules, which take the following facts into consideration, in particular:
Program segments which are frequently called are located in memory areas which allow rapid program execution, i.e., rapid execution of the program segments on the microprocessor or the CPU. These program segments (for example, the program code of rapid time grids) may be stored in an internal flash memory of the control unit.
The access possibilities to the program memory in the event of specific system states as a function of the hardware. Thus, for example, the internal flash memory may not be accessible in the event of undervoltage. In order to allow for this system state, the program segments which are to be reliably accessed in spite of undervoltage are located in an external flash memory and stored there.
The flash area which is located inside the CPU housing is referred to as an internal flash memory. In contrast, a separate IC (integrated circuit) component which may be accessed by the CPU via an external bus is referred to as an external flash memory.
Locating is performed after assembling, compiling, and linking the program code and before the computer program is stored in the program memory of the control unit. Overall, the method of storing a computer program in a program memory of a control unit results in program segments being distributed to different, non-contiguous address areas of the program memory.
During execution of the computer program stored in the program memory on a computing unit, in particular on a microprocessor or a CPU, it may occur for various reasons that the computer program jumps into unused memory areas of the program memory, in which no program code is stored. No defined program code is stored in the unused memory areas. After a jump into the unused memory area of the program memory, this undefined program code is therefore executed. In this way, the control unit may reach an undefined and therefore irregular state.
Causes for a jump of the computer program into the unused memory area of the program memory may be internal and external influences, for example, bit inversion in the flash memory or in a RAM (random access memory), the effects of excess EMC (electromagnetic compatibility) radiation, or latent programming errors.
Furthermore, various mechanisms may be used for recognizing an irregular state of the control unit and first transferring the system into a safe state and second ensuring the functionality of the control unit again. These available mechanisms may include, for example:                an internal controller watchdog;        monitoring of time grids;        a two-computer concept;        monitoring of the program execution for plausibility;        a check sum test.        
Through the exemplary mechanisms listed, the attempt is made to recognize, directly or indirectly, bit inversions in the flash memory or in the RAM, influences by electromagnetic radiation (EMC), or implausible states such as latent programming errors (e.g., jumps via miscalculated pointers), to transfer the control unit into a safe state, and to restore the functionality of the control unit. The robustness of the system is to be enhanced through the early recognition of irregular or undefined states of the control unit. The availability of the system is to be improved by rapidly restoring the functionality of the control unit.
Not transferring a monitoring system for a measurement and control device into a safe state immediately upon the occurrence of a malfunction of the measurement and control device, but only after multiple occurrences of a malfunction, is referred to in German Patent Application No. 100 18 859. Upon each occurrence of a malfunction, the count of a counter is increased. If the count exceeds a predefinable limit value, the monitoring system enters the safe state.