In certain control units and also in motor vehicles, computing devices which are designed as microcontrollers or microprocessors may be used for controlling arbitrary functions in open or closed loop. The functions to be controlled in open/closed loop in a motor vehicle may include, for example, the internal combustion engine, an air conditioning system, or functions which are critical with regard to safety such as an electronic steering (steer-by-wire), an electronic accelerator, an anti-lock braking system (ABS), or a passenger restraint system (airbag, belt tightener, rebound-damping head restraint, etc.)
It is believed that microprocessors may contain only an arithmetic-logic unit, whereas microcontrollers may also include memory devices such as random-access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), or flash memory, as well as peripheral functions such as a digital-to-analog converter or an analog-to-digital converter. It is also believed that microcontrollers can show malfunctions which can be caused by external influences such as electromagnetic irradiation or static discharge. Further causes of malfunctions may include faults due to software errors in a specific operating mode.
To be able to detect such malfunctions of a microcontroller, modern control units possess more or less complex hardware-monitoring circuits, so-called “watchdogs”. A watchdog may be implemented, for example, on an application-specific integrated circuit (ASIC). The microcontroller may control or trigger the watchdog according to a specific temporal pattern, for example, at fixed time intervals. If the watchdog fails to be controlled, it assumes a malfunction of the microcontroller and causes a reset of the microcontroller.
Subsequently, the microcontroller is started up from the reset mode into a working mode again. The resetting of the microcontroller includes a reset of all peripheral functions and an initialization of the microprocessor. When starting up the microcontroller from the reset mode, functional performance tests are carried out to be able to detect and, if possible, also to diagnose a malfunction of the microcontroller. In contrast to the resetting and starting up of the microcontroller following a powering on and off of the microcontroller, the supply voltage is uninterruptedly applied to the microcontroller when the microcontroller is reset and started up subsequent to a reset instruction of the watchdog so that the data contents of the memory devices of the microcontroller are retained.
The watchdog can be controlled by the microcontroller in different ways, for example, by a simple digital signal via an electrical connection. It is also possible, however, to control the watchdog by a temporal sequence of signals via several electrical connections. The signals have to be transmitted from the microcontroller to the watchdog according to a specific temporal pattern. A simple watchdog has to be controlled, for example, at regular time intervals before a specific time span elapses. A window watchdog has to be controlled regularly withing a fixed time window. A window watchdog causes a reset of the microcontroller both if the watchdog is controlled too early (before the beginning of the time window) and too late (after the end of the time window).
In German Published Patent Application No. 40 23 700 is discussed a watchdog monitoring circuit which is controlled by a microcontroller at regular time intervals via a watchdog signal. If the frequency of the signal sequence resulting from the individual watchdog signals is outside a specific valid frequency window, the watchdog detects a malfunction of the microcontroller.
A “watchdog” may possess devices for generating watchdog times, the devices being independent of the microcontroller. A watchdog can be set to a fixed temporal pattern, for example to a fixed time interval until a new control, independently of a microcontroller. In case of the more stringent requirement of a window watchdog, the beginning and the end of the time window can be fixedly set independently of a microcontroller. Thus, the temporal pattern according to which the watchdog must be controlled can vary without being recognizable from outside from the watchdog or from the used microcontroller.
At least some microcontrollers may be manufactured with freely programmable program memory, for example, in the flash technology. The flash technology makes it possible for a microcontroller type to be programmed in different applications with application-specific software. The programming can be carried out already at the semiconductor manufacturer's place or only locally at the user's place. For programming, the microcontroller can be inserted in a separated programming unit.
The programming, however, may be carried out or performed at the user's place with the microcontroller being inserted in target hardware such as the control unit of a safety device for a motor vehicle. The programming in the target hardware may be controlled via serial communication between an external computer and an auxiliary program which is executable on the microcontroller. The auxiliary program is also referred to as bootloader and contains the programming algorithms and the data handling. The programming can be carried out, for example, on the manufacturing line of the control unit manufacturer or else directly in a motor vehicle. In a motor vehicle, the serial communication may take place via a so-called “K line” or via a controller area network (CAN) bus.
Different applications of the microcontroller have as a consequence that a microcontroller type may be controlled at different processor clock-pulse rates and the watchdogs may be controlled with different temporal patterns. This may present a great problem, in particular during the programming of the microcontroller with the assistance of the bootloader since, prior to the programming, the microcontroller may not or cannot know the temporal pattern according to which the watchdog is to be controlled.
As understood, individual bootloader software must exist for a specific processor clock-pulse rate and for a specific temporal pattern for controlling the watchdog, respectively, to ensure that the watchdog is controlled. This may be, however, memory-intensive, expensive, and may require too much effort.
A bootloader may prescribe different fixed temporal patterns for controlling the watchdog. The temporal pattern can be configured, for example, via microcontroller ports or internal non-volatile memory cells, which may result in a small flexibility of the bootloaders. Besides the strongly limited flexibility of such bootloaders, it is believed that a further disadvantage of such bootloaders is the relatively large outlay of hardware and software.