Microprocessors are generally characterized by high operating reliability. However, this high reliability can no longer be warranted if the microprocessors operate in an environment subjected to heavy electrical interference. This is the case, for example, when microprocessors are used in automotive vehicles. Upon a malfunction or failure of the system controlling the fuel metering apparatus in automotive vehicles, a safe operating condition of the vehicle is no longer ensured. In such an event, an emergency mode of operation of the fuel metering apparatus and thus of the automotive vehicle must be ensured to enable the vehicle to continue driving at least temporarily. A vehicle that stalls on a malfunction of the controlling microprocessor is in almost any case likely to involve high cost for the user and possible subsequent damage. An example for this is the use of the microprocessor in combination with a tractor drive and the occurrence of a malfunction on a difficult terrain. Another example is the failure of a microprocessor controlling the internal combustion engine of a passenger vehicle that is just about to pass another vehicle on a narrow road. In either case, safety reasons demand that the vehicle be able to drive on, at least temporarily, and also to reach the nearest service station, for example.
From U.S. Pat. No. 4,287,565, a monitoring system for program-controlled apparatus is known wherein during each program run at least one check pulse can be obtained and, in the absence of a check pulse, a new program run is released. This known monitoring system detects whether the errors occurring in the program run are caused by temporary disturbances or by system failure, thus providing a criterion for the activation of an emergency control system. A faulty program run or a program that was stopped by a temporary fault is properly resumed by resetting it to program start. The user of the system may then decide whether or not an emergency mode of operation of the program-controlled apparatus is to be activated. In the known system, however, an automatic control of an emergency mode of operation is not provided.
Further, from German published patent application DE-OS No. 31 30 094 (corresponding to U.S. Pat. No. 4,534,328) an emergency control system for a diesel engine is known wherein a signal processing unit and/or the position controller are assigned emergency control arrangements which are switched in automatically or manually. With the emergency control system, the signal indicative of the accelerator pedal position can be transmitted to the signal processing unit directly or indirectly. The prerequisite in this system is, however, that the microcomputer itself is still intact while the one or the other sensor provided for the control of the microcomputer may be defective.