The term system according to the exemplary embodiment of the present invention is understood to refer to any desired control device, for example, in particular an automotive control device. This system is configured, for example, as a control device for electric battery management (EBM). It includes subsystems configured as a computer unit, an ASIC (Application Specific Integrated Circuit) or as a current sensor, for example. In addition, this system includes units configured as an EBM algorithm or as a battery simulation, for example, and parts which include calculation of an alternator voltage setpoint or any desired mathematical or trigonometric functions, for example. The EBM control device is part of a higher-level system in the form of a motor vehicle. In addition to the EBM control device, a plurality of other systems, e.g., an engine control device and a transmission control device, are also provided in the motor vehicle.
To guarantee correct functioning of a system, it is referred to in other prior systems to rely on monitoring of input signals, output signals and function units of the system. German Published Patent Application No. 41 14 999 discusses a method of monitoring the functioning of an automotive control device. The intended function of the control device is executed in a microprocessor of the control device. In parallel with that, the same intended function is executed at least partially in a monitoring device. The output signals of the microcomputer and the monitoring device are compared and, depending on the result of this comparison, a determination is made as to whether or not the control device is functioning correctly. If faulty functioning of the control device is detected, appropriate substitute measures are instituted. The monitoring method discussed in this publication is based strongly on the hardware of the system to be monitored and is highly inflexible. The monitoring method discussed in the publication is not easily implemented in another control device having a different intended function. In addition, the monitoring method occurring in the monitoring device will also have to be revised completely and adapted to the revised function of the other control device. This may also include structural revision of the monitoring method.
German Published Patent Application No. 44 38 714 discusses a method of monitoring the functioning of a control device. A microcomputer of the control device is subdivided into a function level, a monitoring level and a check level. The intended function of the control device is executed in the function level. In the monitoring level, the function executed is checked, for example, by a threshold comparison or a plausibility check. In the monitoring level, the (total) intended function of the control device is therefore not executed, and instead only specific monitoring functions are executed. To nevertheless be able to detect faulty functioning of the system with adequate reliability, the additional check level is provided in which a check of the components of the system implemented in the hardware (e.g. memory elements or the microprocessor) is performed, and correct functioning of the microprocessor may be checked by using a question-answer communication. In the monitoring method discussed in this publication, it may be disadvantageous that the structure of the method is based on the hardware of the system to be monitored and is very inflexible. To be able to apply the monitoring method to a different control device having a different intended function, it is believed that the monitoring method discussed in this publication will first have to be revised completely and adapted to the new hardware and software conditions. However, this may be complicated and expensive.
It is believed that the structure of the method of monitoring the functioning of a system referred to in these two publications is based exclusively on the hardware of the system and is independent of the complexity of the function executed by the system to be monitored. If the monitoring method discussed in these publications is used to monitor functions having a high complexity, then the method would theoretically be structured exactly as indicated in these publications. However, due to the increasing complexity of the function executed as intended by the system to be monitored, it is believed that the structure of the monitoring method is also becoming more complex and increasingly difficult to understand. It is also believed that the monitoring concepts discussed in these publications may be unsuitable for complex functions. In particular in the case of the monitoring concepts, the fault occurring in the event of a fault may not be assignable to a specific function of the system. It is believed that this makes both fault diagnosis and selection of a suitable substitute function much more difficult.