The present invention relates to an improved method for treating errors in electronic control units, especially in motor vehicles.
The electronic devices contained in modern motor vehicles, such as electronic engine controllers, anti brake-lock systems, stability controls, etc., relate to applications that are critical to safety. This means that the vehicle can be exposed to dangerous situations in the event of a malfunction of the control unit or of the components associated therewith.
The control units must therefore function reliably and must be continuously monitored for fault-free operation. Such monitoring must cover both the control unit itself and the associated peripherals, such as connected sensors, actuators and solenoid valves as well as the cabling thereof.
In modern electronics equipped with microcontrollers, such monitoring is largely ensured by self-tests.
In the case of anti brake-lock systems (ABS), for example, tests known as static tests are performed for cable breaks and short circuits as soon as the ignition is turned on. When the vehicle starts to move, all wheel-speed sensors are then checked for functional capability and compliance with limit values. During driving, further tests are initiated by the microcontrollers contained in the electronics.
By this conventional self-diagnosis, the control units of the various systems installed in the vehicle are capable of recognizing errors and reacting appropriately to them. The detected errors are also stored in memory together with information such as error type, error frequency and boundary conditions, such as the temperature prevailing at the time. Subsequently, these data can be retrieved using a tester connected to the vehicle bus, thus greatly facilitating error elimination and repair.
Simple errors may also be indicated directly inside the vehicle by means of an error light.
Technical features of self-diagnosis of electronic control units in motor vehicles are described in “Self-diagnosis of electronic control units in motor vehicles” [in German], VDI-Berichte No. 612, 1986, pages 361 to 373.
If an error is detected by the foregoing tests during driving, the control unit may react to it in various ways.
For example, an emergency-operation program that permits limited functioning of the faulty unit may be started.
Critical errors are generally indicated directly to the operator by a warning light. In this way the driver is prompted to have the error repaired as soon as possible.
In response to these critical errors, the control unit may even disable part of its own operation as an emergency measure, for example by disconnecting an output stage, in order to prevent incorrect reactions that may be dangerous for the vehicle.
It is also important to ascertain whether the error is of static or sporadic nature. Static errors can be newly recognized by the electronic check at the start of every trip. In contrast, sporadic errors occur only now and then. They can be caused, for example, by an intermittent contact. Both types of errors are stored in the error memory mentioned hereinabove.
If, after a single occurrence or prolonged sporadic occurrence, an error is no longer detectable for a relatively long time, the error in question can also be deleted from the error memory. Under these circumstances, it is assumed that, for example, an intermittent contact is no longer present, or that a different error has since been repaired but has inadvertently not been deleted from the error memory.
DE 4118692 C2 describes the use of an error-time counting device to store the respective time interval in which an error is present. Such an error is then permanently input into an error memory when it is present over more test-time intervals than specified for that error.
An existing error is newly recognized by the error test described in DE 4118692 C2 whenever the vehicle ignition is turned on. Each time, therefore, the electronics assume that the vehicle is error-free. In contrast, no record is kept of whether a static error already present in the error memory will always be newly recognized over a prolonged time period. This is the case if, after an error has occurred or after the error light has turned on, the vehicle operator does not seek to repair the error as soon as possible, even though the operator is actually presumed to have done so.
Unfortunately, such behavior by the vehicle operator leads to increasing problems. Thus multiple errors, whose effects on the vehicle are difficult to foresee, can develop over time. Furthermore, if the poorly maintained electronics in question fail to function in emergencies, the vehicle manufacturer can be exposed to product liability risks. Under these circumstances, it is then difficult for the vehicle manufacturer to prove that the failure of its electronics to function is merely the consequence of lack of maintenance.