The invention relates to a method and a device for handling errors of software modules for redundantly designed systems in vehicles.
Safety-related systems in vehicles, such as “steer by wire” systems in which no permanent mechanical or hydraulic connection exists between the steering wheel and the steerable vehicle wheels, or “ESP (Electronic Stability System)” systems in which the driving behavior of the vehicle is adjusted within a driving dynamic limit, must be especially protected against failure due to errors. To increase fault tolerance, these systems are designed redundantly, so that if one control device fails, for instance, the system can switch to a redundant control device. In addition, great importance is attached to error handling in these systems. Since the goal of such safety-related systems must be to remain operable as long as possible (under certain circumstances even by means of an emergency function implemented in the system), the term quality management is also frequently used. An error then corresponds to reduced quality, since the system can still operate, for instance by means of the emergency function, even though an error is present.
German Laid Open Application DE 196 31 309 A1 discloses a microprocessor arrangement for a vehicle control system having a plurality of redundantly designed microprocessor systems that are interconnected by bus systems. The data processing in the microprocessors serves for control systems, such as antilock and/or traction control, as well as for input signal processing. The symmetrically redundant data processing output and/or intermediate results are compared. In case of deviations, the corresponding system is turned off. In addition, data processing running in these microprocessor systems is checked, respectively, against the results of simplified data processing and for plausibility. If there are discrepancies and the data is functionally important but not “safety-critical,” the control system may be temporarily maintained.
European Application EP 415 545 A2 discloses a method for error handling in data processing systems in which the software error is detected. The origin of the error is determined, and measures are taken to correct the error as a function of the origin of the error. This method does not take into consideration problems and advantages resulting from redundant systems.
International Patent WO 00/18613 discloses a method for detecting microprocessor errors in control devices of a motor vehicle in which a control device can transmit and receive data by means of a data bus. The signals output by the microprocessor of the control device are compared with predefined signal patterns. An error is detected if the signals output by the microprocessor do not match one of the predefined signal patterns. The method, however, does not provide for any additional steps for error correction.
The object of the present invention is to improve the initially described method in order to optimize error handling in redundantly designed systems in vehicles in which errors are detected and error handling measures are initiated. In addition, error handling is designed in such a way that it can be used for a plurality of software-controlled applications that run on a control device. Furthermore, a device for performing the method is provided.
This object is attained according to the invention in which direct and/or indirect redundant input data is used to determine adjusted input data for the software modules.
The software modules run on control devices and thus correspond to software-controlled applications, e.g., those used in a vehicle, for instance “steer-by-wire” or “ESP” system applications. Preferably, the software modules run in a control device. It is also feasible, however, for a software-controlled application to be distributed over a plurality of control devices.
The direct input data is identical to the input variable expected by the software module. The indirect input data is correlated with the input variable expected by the software module based on characteristics and/or tables and/or physical state equations, so that knowing the indirect input variables makes it possible to calculate and provide an evaluation regarding the plausibility or the quality of the direct input data.
The adjusted input data is determined by means of a plausibility check, which on the one hand is based on the predefined value range of the direct input data, and on the other hand on the physical relationship between direct and indirect input data.
The state of the system is determined by assigning data quality attributes and, based thereon, software module quality attributes, which contain information about the actual quality of the data or the software modules. With the aid of this quality attribute information, quality management measures can then be initiated, such as activating emergency functions, deactivating software modules, or activating redundant software modules.
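The following is an added illustration, not code from the patent or from any vehicle supplier, of the mechanism described in the three preceding paragraphs: a direct input (a yaw-rate reading) is first checked against its predefined value range and then against an estimate derived from indirect inputs (vehicle speed and steering angle) through a physical relationship; the result is stored as a data quality attribute in a shared memory structure, a software module quality attribute is derived from it, and a quality management measure (normal operation, emergency function, or switch to a redundant module) is selected. The wheelbase, value range, tolerance, module names and sample readings are all constructed assumptions, and the kinematic single-track relation is only one possible choice of "physical state equation".

```python
"""Constructed example of plausibility-based input adjustment and quality
attributes for redundantly designed vehicle software modules.
All parameters, names and sample readings are assumptions for illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Quality(Enum):
    OK = 0         # in range and consistent with indirect data
    DEGRADED = 1   # usable, but plausibility reduced (emergency function)
    INVALID = 2    # no trustworthy value (deactivate / switch to redundant module)


@dataclass
class DataQuality:
    """Data quality attribute stored for one input variable."""
    value: Optional[float]
    quality: Quality
    reason: str


# Assumed parameters (constructed, not taken from any real vehicle).
WHEELBASE_M = 2.7
YAW_RATE_RANGE = (-2.0, 2.0)   # predefined value range of the direct input, rad/s
YAW_RATE_TOL = 0.10            # allowed deviation from the indirect estimate, rad/s


def yaw_rate_from_indirect(speed_mps: float, steer_rad: float) -> float:
    """Indirect input: kinematic single-track relation yaw_rate ~ v*delta/L,
    used here as the physical state equation correlating indirect input data
    with the input variable the module expects (an assumed model)."""
    return speed_mps * steer_rad / WHEELBASE_M


def adjusted_yaw_rate(direct, speed_mps, steer_rad) -> DataQuality:
    """Plausibility check: value range of the direct input first, then the
    physical relationship to the indirect inputs. Returns adjusted data."""
    lo, hi = YAW_RATE_RANGE
    in_range = direct is not None and lo <= direct <= hi
    estimate = None
    if speed_mps is not None and steer_rad is not None:
        estimate = yaw_rate_from_indirect(speed_mps, steer_rad)
    if in_range and estimate is not None:
        if abs(direct - estimate) <= YAW_RATE_TOL:
            return DataQuality(direct, Quality.OK, "range and physical check passed")
        return DataQuality(direct, Quality.DEGRADED,
                           "in range, but inconsistent with indirect estimate")
    if in_range:
        return DataQuality(direct, Quality.DEGRADED, "no indirect data to confirm")
    if estimate is not None and lo <= estimate <= hi:
        return DataQuality(estimate, Quality.DEGRADED,
                           "direct input out of range, substituted indirect estimate")
    return DataQuality(None, Quality.INVALID, "neither direct nor indirect data usable")


def module_quality(inputs: Dict[str, DataQuality]) -> Quality:
    """Software module quality attribute: the worst quality among its inputs."""
    return max((d.quality for d in inputs.values()),
               key=lambda q: q.value, default=Quality.OK)


def quality_management(module: str, q: Quality, redundant: Optional[str]) -> List[str]:
    """Measures derived from the module quality attribute."""
    if q is Quality.OK:
        return [f"run {module}"]
    if q is Quality.DEGRADED:
        return [f"run {module} with emergency function"]
    actions = [f"deactivate {module}"]
    if redundant is not None:
        actions.append(f"activate redundant {redundant}")
    return actions


def process_cycle(shared_memory: dict, sample: dict, module: str = "yaw_control",
                  redundant: Optional[str] = "yaw_control_b") -> List[str]:
    """One control cycle: adjust the input, store data and module quality
    attributes in the shared memory the modules read, return the measures."""
    dq = adjusted_yaw_rate(sample.get("yaw_rate"), sample.get("speed"), sample.get("steer"))
    shared_memory.setdefault("data", {})["yaw_rate"] = dq
    mq = module_quality({"yaw_rate": dq})
    shared_memory.setdefault("modules", {})[module] = mq
    return quality_management(module, mq, redundant)


if __name__ == "__main__":
    mem = {}
    # Constructed sample cycles: consistent, inconsistent, out of range, missing.
    for s in ({"yaw_rate": 0.5, "speed": 20.0, "steer": 0.0675},
              {"yaw_rate": 0.5, "speed": 20.0, "steer": 0.0},
              {"yaw_rate": 5.0, "speed": 20.0, "steer": 0.0675},
              {}):
        print(process_cycle(mem, s), mem["data"]["yaw_rate"])
```

The point of the structure is the one the text makes: the software module itself only reads `shared_memory["data"]` and never performs the range or plausibility checks, so the same `adjusted_yaw_rate` and `quality_management` logic can serve any module that consumes the yaw rate, and a second, independently developed module can be added without touching the error handling.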
The determination of the adjusted input data, the assignment of data and software module quality attributes, and the error handling measures are all performed outside the software modules. Furthermore, the corresponding data is stored in a memory means that is accessible to the software modules involved, so that software-controlled applications or software modules can be developed independently of the error handling. This is a significant advantage, since error handling modules are generally developed for a specific software-controlled application and can be adapted only at great cost to other applications running, e.g., on the same control device.
Separating error handling from the actual software-controlled applications makes it possible to achieve increased transparency in error handling. This is the case particularly if the software-controlled applications implicitly depend on one another.
Other objects, advantages and novel features of the present invention will become apparent from the following detailed description of the invention when considered in conjunction with the accompanying drawings.
One embodiment of the inventive method and a corresponding device are depicted in the drawing.