The present invention relates to a device and method for controlling operational sequences, in particular in a motor vehicle, in which a functional unit is connected to a bus system, the functional unit and/or the bus system being monitored by a monitoring unit, and, in a reliability case (that is, in a case that may be critical to operational reliability), the monitoring unit disconnects the connection from the functional unit to the bus system in an access operation.
A circuit configuration for decoupling an electronic device from a data line in a motor vehicle is discussed in European Patent Application No. 0 983 905. The electronic device and at least one additional electrical system exchange information via the data line during operation. In the case of the circuit configuration where vehicle operation can be maintained despite a malfunction of an electronic device connected to the data line, the electronic device is connected to a fault detection device. In response to the fault detection device ascertaining a fault of the electronic device, the electronic device is decoupled from the data line by the circuit configuration, the serviceability of the electrical system being maintained.
Moreover, the VDI-Bericht (VDI Report) No. 687, 1988 "Antriebsschlupfregelung—Realisierung bei Audi" (Traction Control—Implementation at Audi) at pages 219-222, apparently shows electronic equipment having two microprocessors that monitor one another, in which one of the microprocessors controls an output stage. In this context, in the case of an error, every processor can activate a protective circuit, which then activates the reset lines of the microprocessors and provides for defined software processing. After being reported back to the processor, a defect potentially occurring in the output stage can be intercepted by deactivating the output stage control, or, if this is not effective, the primary relay in the protective circuit is actuated by both processors.
In these systems, it is believed that there is no provision for recoupling the electronic device to the electrical system or for preventing the separation in certain situations. Particularly in the case of remedied errors, it is believed that it would be desirable to be able to easily reconnect the electronic device to the electrical system or to be able to prevent an immediate separation.
Moreover, a reliability case that results in a protective circuit isolating the electronic unit from the electrical system can be unproblematic or even desired in certain operating modes and/or operating states. The mandatory separation in the related art would then be unfavorable. These situations could be easily handled by simply recoupling the electronic device to the electrical system, or by preventing separation for these operating states. Unlike other systems, the reliability case would then not lead to a separation for these states, since the causes for the reliability case in these states are not critical with regard to stability.
Therefore, the present invention is intended to produce a method and a device that optimize functionality when controlling operational sequences with regard to separation in a reliability case, in accordance with the above explanations.
In this context, an exemplary method and/or exemplary embodiment of the present invention is directed to a method and/or a device for controlling operational sequences, in particular in a motor vehicle, in which a functional unit is connected to a bus system, and the functional unit and/or bus system is monitored by a monitoring device. In this context, the monitoring device, in an access operation, disconnects the connection of the functional unit to the bus system in a reliability case. Advantageously, it is believed that this access operation of the monitoring device is then configurable by the functional unit. As a result, the functional unit being separated from the bus system can be prevented in certain situations. In the same way, as a result, the functional unit, which is potentially already isolated in a situation or an operational state, can be recoupled in another situation or in another operational state.
In this context, it is believed that the access operation is advantageously configured in such a manner that the functional unit, which is connected to a storage area or includes a storage area, writes at least one configuration value into this storage area or deletes it therefrom, the monitoring unit's access (or operation) only being possible in the case of a written-in configuration value.
In another exemplary embodiment, in different operating modes and/or operating states, the monitoring unit's access (or operation) is allowed or is blocked as a function of the different configuration values, which are tested.
In this context, different operational modes in one system, including at least the functional unit or the control unit and the monitoring unit, are effectively differentiated, the monitoring unit's access (or operation) then being configured as a function of the operational modes.
In this context, it is believed that the following operational modes may be advantageously differentiated, and the access operation is configured as a function of at least two of these operational modes: system operation, system after-run (follow-up or tracking), system enabling run (forward run or running out), system programming, and system simulation and/or system application.
In an exemplary embodiment of the present invention, the monitoring device, a connecting device for connecting to a bus system, particularly as a bus driver, and a configuration apparatus, arrangement or structure, in particular as a storage apparatus, arrangement or structure or storage area or register, for configuring the monitoring device's access (or operation) are combined as a spatially integrated modular unit or are integrated as a circuit, as an IC.
Thus, in an advantageous manner, it is believed that no potentially false or undesired CAN values can be transmitted in a reliability case during system operation, thereby producing intrinsically stable individual systems in the network group.
It is believed that it is also advantageously ensured that, for example, for the control unit test or control unit programming and, in some instances, in the after-run or other operational modes, the function computing device or the functional unit can enable itself using a suitable procedure. For this purpose, the configuration value, for example, may then be deleted in a specific embodiment by the function computing device, so that the function computing device may continue to send CAN messages even if the monitoring module or monitoring unit is responding.
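The gating described above can be modeled in a few lines of C. This is an added illustration, not code from the patent: the register layout, the type and function names, and the choice that only normal system operation writes the configuration value are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names throughout; the text defines no register layout. */
#define CFG_MONITOR_ARMED 0x01u   /* the "written-in" configuration value */

typedef enum { MODE_OPERATION, MODE_AFTER_RUN, MODE_ENABLING_RUN,
               MODE_PROGRAMMING, MODE_SIMULATION } sys_mode_t;

typedef struct {
    uint8_t cfg_reg;        /* storage area owned by the functional unit */
    bool    fault_latched;  /* monitoring unit has seen a reliability case */
} bus_guard_t;

/* Functional unit side: write or delete the configuration value per mode.
 * Assumption: only normal system operation arms the monitor's access. */
void guard_configure(bus_guard_t *g, sys_mode_t mode) {
    g->cfg_reg = (mode == MODE_OPERATION) ? CFG_MONITOR_ARMED : 0u;
}

/* Monitoring unit side: latch or clear a reliability case. */
void guard_set_fault(bus_guard_t *g, bool fault) {
    g->fault_latched = fault;
}

/* Bus driver enable: the connection is cut only when a reliability case
 * is present AND the configuration value is written in. */
bool guard_bus_connected(const bus_guard_t *g) {
    bool access_allowed = (g->cfg_reg & CFG_MONITOR_ARMED) != 0u;
    return !(g->fault_latched && access_allowed);
}

int main(void) {
    bus_guard_t g = { 0u, false };
    guard_configure(&g, MODE_OPERATION);
    guard_set_fault(&g, true);               /* fault during operation */
    printf("operation+fault:   %d\n", guard_bus_connected(&g));
    guard_configure(&g, MODE_PROGRAMMING);   /* value deleted: recoupled */
    printf("programming+fault: %d\n", guard_bus_connected(&g));
    guard_configure(&g, MODE_OPERATION);     /* re-armed, fault still set */
    printf("operation+fault:   %d\n", guard_bus_connected(&g));
    return 0;
}
```

The model makes one property of the scheme visible: the reliability case stays latched while the configuration value is deleted, so re-entering system operation without the fault being cleared disconnects the unit again.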