When functions are integrated into an electronic controller, the corresponding demands on availability and safety must be satisfied. One criterion for this is the degree of diagnosis and defect tolerance. If two different functions are integrated in a controller, for example an automotive braking system and a comfort system, the integrated systems must achieve at least the same performance as separate systems provide. This means that, in the simplest case, the redundancies and error monitoring processes of both systems must be effective.
In an example of a prior art system, both the braking system and the comfort system each have two microcontrollers, four units in total. However, this is associated with substantial space requirements. Furthermore, the development risk increases due to the complexity of the arrangement. The costs for this arrangement are also comparatively high.
A controller known from DE 198 00 311 A1 includes two microcontrollers between which a synchronous comparison of the data takes place. On recognition of an inconsistency in one of the microcontrollers, the defect is recognised by the system and the total system is put into a safe state or is shut down.
So-called master-slave concepts are known from DE 10 2005 030 770 A1, for example. In these concepts, a check is carried out with diverse redundancy. On an inconsistency, the system response is likewise moved to a safe state (e.g. prevented) or is shut down.
It is disadvantageous in these previously known systems that, on the recognition of a defect, the complete system is shut down, so that functions free of defects are also no longer functional.
In an alternative system, a controller is known from DE 10 2004 032 405 A1 which can be used in space applications and in which three or more microcontrollers are used. A majority decision is taken in this controller. However, the system is made up of a number of components and is not suitable for application in motor vehicles due to its complex design. The high system costs also stand in the way of its application in motor vehicles.
It is therefore the object of the present invention to provide a controller with a defect-free system which has a less complicated design than prior art systems and which does not result in the complete shutdown of the total system when a defect is recognised.
It is additionally the object of the present invention to provide a method for the integrative control of a plurality of functions in a defect-free system which is less complex and/or expensive in comparison with the prior art.