This application claims the priority of German patent document 100 06 206.7, filed Feb. 11, 2000, the disclosure of which is expressly incorporated by reference herein.
The invention relates to an electronic control system having a plurality of mutually networked or communicating control units, in which safeguards are provided to avoid incorrect response of a second control unit during the transmission of a safety-related signal from a first control unit to the second control unit.
Modern motor vehicles typically include complicated control systems which, in some circumstances, have many control units for actuating subsystems of the motor vehicle.
In distributed control systems used in known vehicle drive control systems, a first control unit calculates a desired variable in a higher-level control function. The desired variable is then transmitted via a data bus to a third control unit, which uses a lower-level control function to control a device based on the desired variable, such that the desired variable is optimally set. The third control unit transmits an acknowledgment signal to the first control unit via a data bus.
For example, the control system can comprise an electronic engine controller and an electronic gearbox controller. In the event of a gear change, the gearbox controller transmits a signal to the engine controller indicating a set point for the torque of the engine and, if appropriate, further set points for further parameters, for example the engine speed. This enables the engine controller to adapt operation of the engine to the gear change.
Control systems of this type must be secured against the generation and transmission of false signals in order to avoid the risk of serious malfunctions.
On the one hand, it is known in this context from International patent document WO 98/53374 to generate signals redundantly and, in the event of deviations between the redundantly determined results, to generate an error signal which has the effect of switching off the signal processing unit. On the other hand, WO 98/53374 also indicates a possibility of switching the control system to emergency operation upon detection of errors, so that the vehicle still remains ready for operation, although possibly at a reduced level of comfort.
One object of the present invention is to ensure particularly high operational reliability in a control system of the type mentioned previously.
This and other objects and advantages are achieved by the control system in which, according to the invention, during transmission of a safety-relevant transmitted signal from the first control unit to the second control unit,
    the first control unit generates the transmitted signal and a second signal complementary thereto on different paths (that is, in different modules), and sends them to a memory, together with two additional signals which are indicative of the paths;
    a third control unit reads out the transmitted signal and the second signal from the memory, and checks them, and, upon detection of an error, switches off the first control unit or, given correct signals, generates different types of test or safety signals and conducts them to a memory; and
    the first control unit reads out the test or safety signals from the last-named memory and checks them and, upon detection of an error, switches itself off, or, given correct test or safety signals, feeds the transmitted signal and at least one prescribed selection of the test or safety signals to the second control unit.
The invention is based on the general idea that, before transmitting a safety-relevant signal to a second control unit, the first control unit cooperates with a third control unit for the purpose of checking the signal to be transmitted. The third control unit initially checks the function of the first control unit and, subsequently, the first control unit checks the function of the third control unit before the transmitted signal can be relayed to the second control unit. During this mutual checking, both the first and the third control units operate asymmetrically in a redundant fashion, the paths of the redundant signal generation also being checked.
Because the signals exchanged between the first and second control units are buffered in a memory, a delay which excludes undesired or parasitic instances of feedback between these control units occurs between the sending of a signal by one control unit and the reception of the signal at the other control unit.
In accordance with a particularly preferred embodiment of the invention, it is provided, furthermore, that the second control unit pays heed to the transmitted signal fed to it only when it has recognized the test or safety signals fed to it along with that signal as error free.
In addition or as an alternative, the safety of the system can be further increased by providing that the second control unit returns the received transmitted signal as acknowledgment to the first control unit. In this manner, the function of the second control unit is also necessarily checked by another control unit, so that, upon detection of an error, undesired control functions cannot be triggered. Alternatively, it is possible to transfer to an emergency operating mode or standby operating mode of the control system.
Moreover, it can be provided that, when transmitting the signals to the second control unit, the first control unit reads back the signals to be transmitted, which were first input in a buffer, such that an additional signal comparison is provided here and the first control unit can be switched off again upon detection of an error.
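The handshake set out above, modelled in software as an added illustration that is not part of the patent. The shared-memory keys, the 8-bit signal width, the bitwise complement standing in for the "complementary" second signal, the XOR constants that distinguish the two test-signal types, and the named fault cases are all assumptions made for the model.

```python
# Added model of the three-unit check (not the patent's own code); the memory
# keys, 8-bit width, complement rule, test constants and faults are assumptions.
MASK = 0xFF          # assumed signal width
T1, T2 = 0x5A, 0xA5  # assumed constants distinguishing the two test-signal types

def first_unit_send(setpoint, mem, fault=None):
    """First unit: signal on path 1, complement on path 2, plus path indicators."""
    sig = setpoint & MASK            # path 1
    comp = (~setpoint) & MASK        # path 2 (independent module)
    if fault == "path_stuck":        # simulated fault: path 2 mirrored path 1
        comp = sig
    mem.update(sig=sig, comp=comp, path_sig=1, path_comp=2)

def third_unit_check(mem, fault=None):
    """Third unit: verify pair and paths; False means 'switch off first unit'."""
    if mem["path_sig"] == mem["path_comp"] or mem["sig"] ^ mem["comp"] != MASK:
        return False
    mem["test1"] = mem["sig"] ^ T1   # two different test/safety signal types
    mem["test2"] = mem["comp"] ^ T2
    if fault == "bad_test":          # simulated fault inside the third unit
        mem["test2"] = 0
    return True

def first_unit_forward(mem, fault=None):
    """First unit: check test signals, buffer, read back; None means 'switch off'."""
    if mem["test1"] != mem["sig"] ^ T1 or mem["test2"] != mem["comp"] ^ T2:
        return None
    out = {"sig": mem["sig"], "test": mem["test1"]}   # prescribed selection: test1
    mem["buffer"] = dict(out)
    if fault == "buffer_corrupt":    # simulated fault in the output buffer
        mem["buffer"]["sig"] ^= 0x01
    return out if mem["buffer"] == out else None      # read-back comparison

def second_unit_receive(payload):
    """Second unit: heed the signal only if the forwarded test signal is error free."""
    if payload["test"] != payload["sig"] ^ T1:
        return None
    return payload["sig"]            # acknowledgement: echo the received signal

def run(setpoint, fault=None):
    mem = {}                         # memory shared by the first and third units
    first_unit_send(setpoint, mem, fault)
    if not third_unit_check(mem, fault):
        return ("first unit switched off by third unit", None)
    payload = first_unit_forward(mem, fault)
    if payload is None:
        return ("first unit switched itself off", None)
    ack = second_unit_receive(payload)
    return ("ok", ack) if ack == setpoint & MASK else ("acknowledgement mismatch", ack)
```

Each fault name selects one injected defect so the model shows which unit detects it and which unit is switched off.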
Other objects, advantages and novel features of the present invention will become apparent from the following detailed description of the invention when considered in conjunction with the accompanying drawings.