To control the functional units of a motor vehicle, control units that execute functional programs for controlling the unit concerned are used. To ensure proper functioning, it is necessary to check for error-free sequence of the functional program. Safety programs that are executed in the control units serve this purpose. In order to offer additional safety, even these safety programs are normally monitored. Monitoring modules that monitor these safety programs typically serve this purpose.
In electronic control units, single-processor concepts are often used these days. Monitoring methods that facilitate safe operation even in the event of an error exist for these single-processor concepts. In this regard, the functional program is controlled with the help of the safety program. This basically takes place by comparing the input variable of the control unit representing the driver's request with the manipulated variables that determine performance. Like the functional program, the safety program runs in the function processor contained in the control unit. The correct program sequence of the safety program is ensured through special software structures and through a suitable communication sequence between the function processor and the monitoring module. Variations in time and value of the safety software are recognized by the monitoring module. In case of an error, the manipulated variables that determine performance are deactivated and/or a reset of the function processor is triggered.
A method and a device for controlling the drive unit of a vehicle is described in published German patent document DE 44 38 714. The method described serves to control a drive unit of a vehicle, in which the performance of the drive unit as a function of preset values is controlled at least in one operating state of the vehicle. Functions for performance control, as well as for monitoring the proper functioning of the power control, are also implemented. Only a single computing element, which implements the control as well as the monitoring, is provided for power control. At least two levels independent of one another, at least outside of the fault scenario, are provided in the computing element, the first level implementing the control and the second level implementing the monitoring. A third level may additionally be provided, which examines the computer's mode of operation by monitoring the level implementing the monitoring. The monitoring of the mode of operation of the first computing element is implemented by comparing the driver's request with the position of the element influencing the air beforehand.
Published German patent document DE 41 14 999 discloses a system for controlling a motor vehicle having a first device for determining the control data required for controlling the motor vehicle and a second device for monitoring the first device. Starting from a first data, the first device determines a second data in accordance with a test function, and starting from the first data, the second device determines a third data in accordance with the test function. The first and/or the second device, by way of comparing the second and third data, recognizes a safety-relevant fault status. The two devices consequently process signal values in a question-and-answer interaction, the second device inferring the correct or erroneous work of the microcomputer by comparing the results of this process.
The disadvantage of the above-described known methods is that the entire safety program has to be revised when the functional program is modified even slightly.