The present invention relates to a method and a system with means for monitoring the functions of, and increasing the operational reliability of, a complex safety-relevant control system, e.g. a motor vehicle control system such as ABS, TCS, ESP, a ‘brake-by-wire’ system (EHB, EMB) or a ‘steering-by-wire’ system, and for detecting and evaluating system errors.
Safety-relevant systems, among them the motor vehicle control systems mentioned above, require measures that secure a defined mode of operation even when system errors are detected. During normal operation it is often not possible to attribute a detected error directly to one system component. Errors of this type, also referred to as group errors, usually carry only the information that a defined physical quantity in the system could not be maintained. Only the execution of special tests, also referred to as error localization, makes it possible to identify the faulty system component (that is, to convert the group error into an individual error) and to respond to the error appropriately (by a suitable system degradation).
Until error localization has been completed successfully (in some cases this is delayed, or localization is not possible at all, because e.g. undervoltage prevails or because an earlier error precludes the use of the system components that are needed to perform the tests), the system is in an undefined condition: it has taken note of an error condition but is not able to respond to it appropriately.
Today, solutions to this problem are sought in various error analysis methods, which yield, as the result of a first error consideration, a decision matrix (‘error -> system effect’) by means of which the effects of the errors on the functions of the system can be determined. In this respect, group errors are among the most difficult cases to analyse, because they can be caused by errors in many system components simultaneously. For this reason it is often impossible to evaluate the effects of a group error and to find a satisfactory global system degradation stage for it. The other disadvantage of this approach is that the transition from the global to the individual error effect is possible only after error localization has been completed successfully. When localization is delayed by temporary events, or even prevented by errors that occurred earlier, the global, and usually severe, comprehensive system degradation remains in force continuously. This in turn has adverse effects on system availability and system safety.
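To make the disadvantage described above concrete, the following added example (constructed for this text, not code from the patent or any product) models a prior-art ‘error -> system effect’ decision matrix for a brake system: a group error carries only a set of candidate components, so before localization the system must apply the worst degradation stage of all candidates, and it stays there whenever localization is blocked by undervoltage or by an earlier error in a component the test needs. Component names, stages and the voltage threshold are assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum

class Stage(IntEnum):
    """System degradation stages, ordered from mild to severe (constructed)."""
    FULL = 0        # all functions available
    REDUCED = 1     # e.g. ESP switched off, ABS and basic braking kept
    FALLBACK = 2    # comprehensive degradation, hydraulic fallback only

# Decision matrix 'error -> system effect' for individual (component) errors.
COMPONENT_EFFECT = {
    "pump_motor": Stage.FALLBACK,
    "valve_block": Stage.FALLBACK,
    "pressure_sensor": Stage.REDUCED,
}

# A group error only says that a physical quantity could not be maintained;
# these are the components that could be responsible (constructed).
GROUP_ERROR_CANDIDATES = {
    "pressure_not_reached": {"pump_motor", "valve_block", "pressure_sensor"},
}

# Localization tests: which other components each candidate's test relies on.
TEST_REQUIRES = {
    "pump_motor": {"valve_block", "pressure_sensor"},
    "valve_block": {"pressure_sensor"},
    "pressure_sensor": set(),
}
MIN_TEST_VOLTAGE = 10.5  # assumed threshold below which no test is performed

@dataclass
class SystemState:
    supply_voltage: float
    known_faulty: frozenset  # components identified by earlier individual errors

def global_effect(group_error):
    """Before localization, the worst stage of all candidates must be applied."""
    return max(COMPONENT_EFFECT[c] for c in GROUP_ERROR_CANDIDATES[group_error])

def localize(group_error, state, test_failed):
    """Convert a group error into an individual error; return None when
    localization cannot be completed (undervoltage, or a needed part is faulty)."""
    if state.supply_voltage < MIN_TEST_VOLTAGE:
        return None
    for comp in sorted(GROUP_ERROR_CANDIDATES[group_error]):
        if TEST_REQUIRES[comp] & state.known_faulty:
            return None          # test cannot be run, localization is blocked
        if test_failed(comp):    # test_failed(comp) is the constructed test result
            return comp
    return None

def degradation(group_error, state, test_failed):
    """Individual effect after localization, otherwise the global effect remains."""
    comp = localize(group_error, state, test_failed)
    return COMPONENT_EFFECT[comp] if comp else global_effect(group_error)
```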