Field of the Invention
The present invention relates to an apparatus for monitoring the proper operation of components of an electrical system that carry out the same or mutually corresponding actions.
Systems which have a plurality of components that carry out the same or mutually corresponding actions are, in particular, failsafe systems or fault-tolerant systems.
The system components that carry out the same or mutually corresponding actions (in the simplest case identically constructed and identically operated system components, for example identical microprocessors or microcontrollers operated in the same way) make it possible to detect faults which occur in one of the system components and to react to them in such a way that the system either continues to operate without faults or is deactivated.
The check as to whether a fault has occurred in one of the plurality of system components that carry out the same or mutually corresponding actions is generally performed by checking whether these system components supply identical or mutually corresponding results or intermediate results.
This check can be carried out
with monitoring devices integrated into the system components to be checked; or
with a common monitoring device for all the system components, whereby the common device is provided outside the system components to be checked.
When one of the monitoring devices determines that the data to be compared with one another (selected results or intermediate results from the system components to be monitored, or data representing these) differ from one another or do not correspond with one another,
the faulty system component is deactivated and, if appropriate, replaced by one of the other system components (in the case of fault-tolerant systems); or
the entire system is deactivated (in the case of failsafe systems).
As a result, it is possible to avoid a fault in one of the system components leading to a failure of the system and/or threatening the safety of the system.
However, experience shows that this is not ensured reliably under all conditions.
The object of the present invention is to provide an apparatus for monitoring the proper functioning of the components of an electrical system which overcomes the above-noted deficiencies and disadvantages of the prior art devices and methods of this general kind, and which enables reliable detection, under all circumstances, of whether and, if appropriate, which system component is operating in a faulty manner.
With the above and other objects in view there is provided, in accordance with the invention, in an electrical system with a plurality of system components carrying out the same or mutually corresponding actions, an apparatus for monitoring a proper operation of the plurality of components of the electrical system. The apparatus comprises a plurality of dedicated monitoring devices each assigned to a respective one of the system components to be monitored, each of the dedicated monitoring devices being operable independently of the respective system component to be monitored.
In other words, the apparatus according to the invention is distinguished by the fact that each of the system components to be monitored is assigned at least one dedicated monitoring device that can be operated independently of the system components to be monitored.
The fact that a plurality of monitoring devices is provided to monitor the system components to be monitored means that, as distinct from the provision of only a single, common monitoring device for all system components, it cannot occur, or at least not automatically, that a malfunction of one monitoring device results in complete failure of the system or of the monitoring.
The fact that the monitoring devices can be operated independently of the system components to be monitored means that, as distinct from the integration of the monitoring devices into the system components to be monitored, it cannot occur, or in any case not automatically, that a fault in a system component to be monitored simultaneously results in a malfunction of the associated monitoring device.
In accordance with an added feature of the invention, the monitoring devices are connected to receive monitoring data from the respectively associated system component and are configured to compare the monitoring data received from that system component with monitoring data received from other system components or from other monitoring devices, in order to determine whether or not the respectively associated system component is operating properly.
In accordance with an additional feature of the invention, the monitoring devices examine the monitoring data received from the system components and decide whether the monitoring data meet predefined conditions.
In accordance with another feature of the invention, the monitoring devices check whether the monitoring data received from the system components to be monitored and/or from the monitoring devices associated therewith agree or correspond to one another.
In accordance with a further feature of the invention, the monitoring devices check whether the monitoring data received from the system components to be monitored and/or from the monitoring devices associated therewith are in a predetermined ratio or a predetermined relationship with one another.
In accordance with again an added feature of the invention, the monitoring devices check whether the monitoring data received from the system components to be monitored and/or from the monitoring devices associated therewith are predetermined data.
In accordance with again an additional feature of the invention, if a given monitoring device concludes that the monitoring data from one of the system components do not meet the predefined condition, the relevant system component is made to stop operating. In accordance with again another feature of the invention, the respective monitoring device is configured to stop an operation of the relevant system component.
In accordance with a specific embodiment of the invention, the system components to be monitored are constructed and operated to only process a given task when an enable signal is present. That is, the system components to be monitored are constructed and operated in such a way that they only fulfill or continue the task which they are actually obliged to carry out when an enable signal is fed to them.
In accordance with a preferred embodiment of the invention, the enable signal is generated by the monitoring device associated with the system component to be monitored.
In accordance with again a further feature of the invention, the enable signal is formed by a logical combination of control signals which are generated and output by the monitoring devices associated with a respective system component depending on whether the monitoring data output by the system component meet the predefined conditions or not.
In accordance with yet an added feature of the invention, the system components to be monitored are program-controlled units.
In accordance with yet an additional feature of the invention, the system components to be monitored are a constituent part of various bus units of a bus system. Specifically, the monitoring devices are a constituent part of the communications controllers of the bus units, by means of which data to be transmitted to other bus units are output on the bus, and by means of which data transmitted to the relevant bus unit via the bus are accepted.
In accordance with yet again an additional feature of the invention, the bus units containing the system components to be monitored are connected to one another via a plurality of buses. In accordance with a specific feature of the invention, the bus units contain a number of communications controllers corresponding to the number of buses via which they are connected to one another, each communications controller being connected to a different bus.
In accordance with a concomitant feature of the invention, a monitoring device is provided in each of the communications controllers.
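The following simulation is an added illustration of the features described above (comparison of monitoring data between components, control signals from per-component monitors combined into an enable signal, and one monitoring device per communications controller and bus); it is not an implementation taken from the patent. The component task `_unit`, the fault injections, the strict-majority comparison rule, the AND combination of control signals and the `min_active` fail-safe threshold are all assumptions chosen for the example. It shows three behaviours a practitioner would want to confirm: a faulty component is deactivated while the remaining ones keep the system running; a failure of one monitoring device costs only its own component, not the whole system; and a two-component (fail-safe) system shuts down on a disagreement it cannot arbitrate.

```python
"""Redundant components, each gated by its own independently operating
monitors; enable = logical AND of those monitors' control signals.
Added illustration, not the patent's own implementation."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Result = Optional[int]  # None: component deactivated, no monitoring data

@dataclass
class Component:
    """Program-controlled unit that carries out its task only while enabled."""
    name: str
    compute: Callable[[int], int]
    fault: Optional[Callable[[int], int]] = None  # constructed fault injection
    enable: bool = True

    def step(self, x: int) -> Result:
        if not self.enable:
            return None
        return self.fault(self.compute(x)) if self.fault else self.compute(x)

@dataclass
class Monitor:
    """Dedicated monitor, separate from its component; `broken` models a
    failure of the monitor itself rather than of the component."""
    owner: str
    broken: bool = False

    def control_signal(self, own: Result, others: List[Result]) -> bool:
        """Assumed predefined condition: owner's result equals the strict-majority value."""
        if self.broken or own is None:
            return False
        active = [own] + [o for o in others if o is not None]
        majority = max(set(active), key=active.count)
        if active.count(majority) * 2 <= len(active):
            return False  # no strict majority (e.g. 1 vs 1): cannot vouch for owner
        return own == majority

class RedundantSystem:
    """One monitor per component per bus; fail-safe shutdown below `min_active`."""

    def __init__(self, components: List[Component],
                 monitors_per_component: int = 2, min_active: int = 2):
        self.components = components
        self.monitors: Dict[str, List[Monitor]] = {
            c.name: [Monitor(c.name) for _ in range(monitors_per_component)]
            for c in components}
        self.min_active = min_active
        self.system_active = True
        self.log: List[str] = []

    def cycle(self, x: int) -> Result:
        """One step: compute, exchange results, vote per component, gate."""
        results = {c.name: c.step(x) for c in self.components}
        if not self.system_active:
            return None
        for c in self.components:
            others = [r for n, r in results.items() if n != c.name]
            signals = [m.control_signal(results[c.name], others)
                       for m in self.monitors[c.name]]
            enable = all(signals)  # logical combination of the control signals
            if c.enable and not enable:
                self.log.append(f"{c.name} deactivated, control signals {signals}")
            c.enable = enable
        agreed = [results[c.name] for c in self.components if c.enable]
        if len(agreed) < self.min_active:
            self.system_active = False
            self.log.append("system deactivated (fail-safe)")
            for c in self.components: c.enable = False
            return None
        return max(set(agreed), key=agreed.count)

    def report(self, outputs: List[Result]) -> dict:
        return {"outputs": outputs, "system_active": self.system_active,
                "enabled": [c.name for c in self.components if c.enable],
                "log": self.log}

def _unit(x: int) -> int:
    """Constructed stand-in for the task all components perform."""
    return (x * 7 + 3) & 0xFF

def scenario_faulty_component() -> dict:
    """Three identical units; B's result has a stuck high bit. B is dropped."""
    comps = [Component("A", _unit),
             Component("B", _unit, fault=lambda r: r | 0x80),
             Component("C", _unit)]
    sysm = RedundantSystem(comps)
    return sysm.report([sysm.cycle(x) for x in (1, 2, 3)])

def scenario_faulty_monitor() -> dict:
    """Healthy units; one of C's two monitors fails. Only C is lost."""
    comps = [Component(n, _unit) for n in "ABC"]
    sysm = RedundantSystem(comps)
    sysm.monitors["C"][1].broken = True
    return sysm.report([sysm.cycle(x) for x in (1, 2)])

def scenario_failsafe_pair() -> dict:
    """Two units: a 1-vs-1 disagreement cannot be arbitrated; system shuts down."""
    comps = [Component("A", _unit), Component("B", _unit, fault=lambda r: r ^ 1)]
    sysm = RedundantSystem(comps, monitors_per_component=1, min_active=1)
    return sysm.report([sysm.cycle(x) for x in (1, 2)])
```

Each `Monitor` is a separate object from the `Component` it guards, which is the point of the independence requirement: injecting a fault into a component (the `fault` hook) cannot alter the monitor's decision, and a failed monitor (`broken`) only withdraws its own control signal. Because a component that has lost its enable signal supplies no monitoring data on later cycles, the deactivation latches without any extra state, and the fail-safe path deactivates all components rather than letting an unarbitrated survivor continue.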
In summary, with the novel apparatus it is therefore possible to detect reliably, under all circumstances, whether and, if appropriate, which of the system components to be monitored is operating in a faulty manner.
Other features which are considered as characteristic for the invention are set forth in the appended claims.
Although the invention is illustrated and described herein as embodied in an arrangement for monitoring the proper operation of components of an electrical system that carry out the same or mutually corresponding actions, it is nevertheless not intended to be limited to the details shown, since various modifications and structural changes may be made therein without departing from the spirit of the invention and within the scope and range of equivalents of the claims.
The construction and method of operation of the invention, however, together with additional objects and advantages thereof will be best understood from the following description of specific embodiments when read in connection with the accompanying drawings.