A method and an arrangement for monitoring a computing element in a motor vehicle is known from U.S. Pat. No. 5,880,568. The program structure of this computing element has at least three levels. Those programs are assigned to a first level which execute the control function, for example, the control of the power of the drive unit. Programs are assigned to a second level which serve to monitor the operation of the first level. For this purpose, a permissible value for an operating variable to be adjusted is compared to a measured or determined actual value of this variable in an illustrated embodiment of a power control for a drive unit. Programs or program parts are allocated to a third level which serve to control the sequence of the monitoring programs allocated to the second level. The sequence control takes place in the context of an inquiry-response communication with a safety component (monitoring module), which checks the correct execution of the programs of the second level on the basis of the results of the inquiry-response communication (process control). If at least one fault condition is detected via the programs of the second level and/or via the monitoring module, fault reaction measures are initiated which comprise the switch-off of the supply of the operating means or other, operation-limiting measures in the example of the control of a drive unit.
According to U.S. Pat. No. 6,125,322, a command test is executed in addition to or as an alternative to the execution control to improve the monitoring of the operability of the programs of the second level. In the context of this command test, selected programs or program parts are computed with pregiven test data and the computation result(s) are checked in the monitoring module bit-for-bit to detect errors.
What is essential in the known solutions is that the programs of the first and second levels as well as the execution control and the command test are executed in a single computing element. The monitoring of the executing programs of the second level should operate with input signals which are redundant to the input signals to be processed by the programs of the first level. This measure leads to the doubling of the sensor means. Only a small number of the input signals is available for monitoring in order to avoid the use of additional sensors because of the different extent of sensors in different vehicles. The quality of the monitoring becomes ever poorer with an increasing extent of function, especially, with an increasing extent of function of power-determining functions of a drive unit such as for control systems for engines having gasoline direct injection. An example of a function which can affect the quality of the monitoring is the learning of the stops of the accelerator pedal position transducer. If, for example, the offset of the accelerator pedal position signal is changed by this learning function, this is to be considered in the monitoring via the consideration of maximum tolerances of the end stops. This relatively large tolerance range can lead to a negative effect on the quality of monitoring.