The invention relates to a control system with a control device including a processor and a control program as well as to a method for monitoring a control program of a control system with a control device including a processor and a control program.
The invention relates to an arrangement and a method for error monitoring of the control device wherein in particular the correct procedure of the control method implemented in the control device is monitored. As the result of the monitoring an output signal is generated with the aid of which an error treatment measure, for example through an accessory control, can be initiated. The invention is in particular directed toward the monitoring of sequences in digital computers or processors or microprocessors. It is here irrelevant whether or not the fault in the sequence is to be traced back to an error in the software, the hardware or also an error function due to absent or false input signals or due to a failure of the power supply of the control.
A comparable task is resolved in prior art (DE 3728561 C2) by installing a program stored in a microprocessor such that at regular intervals a signal is output which resets a counter. If one of the otherwise regularly output signals is output later than at a previously defined time, an error signal is generated through an external circuit which measures the length of time by means of a counter.
In such an arrangement it is however not possible to determine whether or not the program stored in the microprocessor is executed in the correct order. Thus program loops, which contain a corresponding check point for a signal output, can be cycled through an infinite number of times or the program steps with the associated check points can be passed through in the entirely false order without the monitoring unit 12 realizing such and being able to generate an error signal therefrom.
An important application in which especially high operational security is demanded is the use of control systems for the control of equipment assemblies in motor vehicles. Herein the steering arrangement, for example, plays an especially important role.
FIG. 1 depicts a schematic layout of a steering arrangement 129 with power-assist booster, which corresponds substantially to prior art. It is inter alia comprised of a steering wheel 120, a steering column 121, the steering gearing 122 and the two tie rods 124. The tie rods 124 are driven by a toothed steering rack 123. The power steering booster 127 formed of components, to be not further denoted here, serves for the power-assist booster. The steering arrangement 129 further includes a superposition device 100 for rotational speed superposition. Both devices are driven by a servomotor which is preferably electrically driven. The intention of the driver, customarily a rotational angle impressed by the driver onto the steering wheel and an impressed torque, is here fed as a signal 281 into a control device 10 through the steering wheel 120 via a (not shown) sensor circuitry. Preferred are individual or several further parameters, such as for example, but not limited to: travel speed, yaw rate, side-wind speed, state of loading of motor vehicle, roughness of the road, inclination of the motor vehicle as well as: angular position of the servomotor, measured current and voltage values, measured at the power supply of the servomotors and supplied as a signal into the control device 10. Depending on the embodiment, signals 280 are furthermore also supplied from the motor vehicle control system into the control device 10. In the control device 10 from the correspondingly supplied signal the corresponding control voltage 282 for the electromotor of the power steering booster 127 and the control voltage 282 of the drive for the rotational speed superposition device 100 is determined and output to the power steering booster 127 or the rotational speed superposition device 100. Herein a sensitive and fast regulation is required which permits a rigid steering system causing low inertia and intrinsic oscillation. For such systems a highly rigorous measure of failure security is necessary. Extremely small error functions in the control device can already lead to false steering angle deviations and therewith to accidents.
The error functions can herein be traceable to various causes. First, simply a failure of the on-board voltage, for example due to line or contact break, can lead to an abrupt interruption of the control function. In this case the superposition gearing of the rotational speed superposition device 100 must be bridged by means of a forced coupling and the steering interventions must be transferred from the steering wheel 120 directly onto the horizontal angular deviation of the wheels. A sensor error or sensor failure, further, can lead to erroneous calculation results in the control device and therewith to erroneous control signals for one or both servomotors. Such cases can also be intercepted through relatively simple sensor monitoring devices such that in the control device an appropriate emergency program can be triggered. The emergency measures can also simply consist merely in the output of an acoustic or optical signal as a warning to the driver.
A problem especially difficult of solution, however, consists in rapidly detecting error sequences in the control process of the control device 10 in order for appropriate error treatment measures, such as for example the forced bridging of the rotational speed superposition device 100 already mentioned above, is initiated. Error sequences in the system can be due to software as well as to hardware. An important problem represents also the temperature problem which can lead to function faults in parts, such as for example in the electronic processor circuits of the steering mechanism.