German Published Patent Application No. 44 38 714 A1 describes an intrinsically safe control unit, e.g., in combination with control systems for controlling the drive unit of a motor vehicle. Intrinsically safe here means that when an error occurs, the error state remains limited to the system in which it occurred, and the system always remains in a secure state with respect to the outside. For example, individual errors must not lead to an increase in power at the drive unit. The watchdog concept described in German Published Patent Application No. 44 38 714 A1 is a double-redundant structure, i.e., all safety-relevant paths are secured by redundant channels. This is also true of the safety-relevant portions of the operative software, i.e., for example, the software for fulfilling the function of the control unit. This software implementing the controller functions is monitored in a second program level by redundant software which quantitatively checks the correct formation of the control signal quantities by the operative software. In other words, the software of the second level implements the watchdog functions of the first software level. The sequence and the functionality of the second software level are monitored by communication with an external watchdog module as part of an inquiry/response communication. In concrete terms, the first software level in the conventional embodiment contains the operative software for implementing the control function as well as system-specific watchdog functions of the input quantities and the output stages. The second level has the watchdog functions. In the watchdog functions, the correct formation of the output quantities, for example the performance-determining quantities, is monitored by redundant functions.
In addition, the programs of the second level formulate the response to a selected inquiry relayed by the watchdog module as part of a debugging function, with the help of which the correct calculation of the watchdog functions is checked, and they perform computer monitoring by testing the watchdog functions with simulation data. Finally, the third level contains the inquiry/response communication (based on the inquiry relayed and the response formulated) together with the watchdog module, with the help of which the functioning of the programs of the second level is monitored. Furthermore, watchdog functions are allocated to this level for checking the components of the function computer, such as the memory, analog/digital converter, etc.
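The three-level structure described above, reduced to one monitoring cycle, as an added illustration that is not code from the patent or from any control unit it describes. All names, the pedal-to-torque characteristic, the tolerance and the expected-response table are assumptions constructed for this example; the point is that the released output can never exceed the operative value and falls to the safe value whenever the redundant check or the inquiry/response check fails.

```c
#include <stdint.h>
#include <stdbool.h>

#define TORQUE_TOLERANCE 5   /* N*m, assumed tolerance of the redundant check */

/* Level 1: operative software forms the performance-determining quantity
 * (a torque demand in N*m) from the pedal position in percent. */
int level1_torque(int pedal_percent) {
    return pedal_percent * 3;             /* constructed characteristic */
}

/* Level 2: a separately coded function re-forms the same quantity. */
static int level2_redundant_torque(int pedal_percent) {
    return (pedal_percent * 6) / 2;       /* same result, different path */
}

/* Level 2 watchdog function: the operative result may not exceed the
 * redundantly formed one by more than the tolerance (no power increase). */
bool level2_output_ok(int pedal_percent, int operative_torque) {
    return operative_torque <= level2_redundant_torque(pedal_percent) + TORQUE_TOLERANCE;
}

/* Level 2 debugging function: answer the inquiry relayed by the watchdog
 * module by running the redundant function on simulation data selected by
 * the question, so a corrupted level-2 computation yields a wrong answer. */
uint8_t level2_response(uint8_t question) {
    int sim_pedal = (question & 0x03) * 25;   /* constructed simulation input */
    int t = level2_redundant_torque(sim_pedal);
    return (uint8_t)((t ^ (question * 37)) & 0xFF);
}

/* Level 3: the external watchdog module keeps a fixed table of expected
 * responses (pre-computed for this example) and compares the answer. */
bool level3_response_ok(uint8_t question, uint8_t response) {
    static const uint8_t expected[4] = {0, 110, 220, 142};
    return response == expected[question & 0x03];
}

/* One monitoring cycle. The operative torque is released to the output stage
 * only if both the redundant check and the inquiry/response check pass;
 * otherwise the intrinsically safe value 0 is released, so a single error
 * cannot raise the power at the drive unit. */
int released_torque(int pedal_percent, int operative_torque,
                    uint8_t question, uint8_t response) {
    if (!level2_output_ok(pedal_percent, operative_torque)) return 0;
    if (!level3_response_ok(question, response)) return 0;
    return operative_torque;
}
```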
Modern control systems generally use multiple control units which are separate components or are structurally combined in one device. Thus, for example, modern vehicle control systems use controllers for controlling the drive unit, for controlling driving performance (ABS, ASC, ESP), for controlling an automatic transmission, for controlling the wheel brakes, etc.
Redundancies are usually provided in a safety system of a multiple controller concept. Thus, for example, individual components which supply data for further processing in the controllers or control units are usually connected directly to all the control units which require or further process the data supplied by the components in such a safety concept. These may be sensors, for example, as well as actuators which supply an acknowledging message regarding operating states.