Distributed computer systems having a plurality of components for an electronic brake system (brake-by-wire) in a motor vehicle are described in German Patent Application No. 198 26 130, German Patent Application No. 198 26 131, German Patent Application No. 198 26 132, and German Patent Application No. 198 61 144. However, uses of such computer systems and methods of mutual monitoring of components of such computer systems are not limited to motor vehicles. Instead, they may be used for any safety-relevant applications, for example in land vehicles, rail vehicles or aircraft. Safety-relevant applications are applications in which fault-free output of at least one variable is absolutely essential.
In addition to an electronic brake system, it is also possible to use such computer systems in electronic steering systems (steer-by-wire) or other x-by-wire systems, where the function of a mechanical connection is taken over exclusively by electric and electronic components. Another typical application for the computer system of the aforementioned type in a motor vehicle is use in an engine controller for camshaft-free actuation of intake and exhaust valves.
The electronic brake system described in the applications cited above has wheel brakes having an electromechanical actuation. A central control unit is used to provide setpoint values for the individual wheel brakes. To permit reliable operation of the control unit and secure monitoring of the components, the control unit is equipped with a redundant computing element and an additional monitoring unit, in addition to the actual computing element for calculation of the setpoint values. This circuit implementation, together with a mutual monitoring strategy of the computing elements contained in the control unit based on a question-response communication, provides a reliable means of supplying setpoint variables for activation of the wheel brakes.
The central control unit delivers the setpoint variables via at least one communication system to electronic control units, which are distributed control units located on site in the vicinity of the wheel brakes. The control units cause actuation of the brake shoes by electric motors and tightening of the brake disks on the individual wheels as a function of the setpoints. Reliable triggering of the electric motors is achieved by an additional monitoring module provided on each control unit, which detects potential faults in the monitored control unit on the basis of a coordinated question-response communication and actuates a shutdown path if necessary.
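The question-response monitoring with a shutdown path described above can be sketched as follows; this is an added illustration, not code from the cited applications. The answer function, the LFSR question sequence, the fault limit, the response deadline and all names are assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stdint.h>

#define FAULT_LIMIT 3u   /* assumed: consecutive bad answers before shutdown */
#define DEADLINE_MS 10u  /* assumed: answer must arrive within this window */
typedef struct {
    uint8_t question;    /* question currently outstanding */
    uint8_t faults;      /* consecutive wrong or late answers */
    bool shutdown;       /* latched once the shutdown path is actuated */
} monitor_t;

/* Assumed answer function; each side computes it on its own hardware. */
static uint8_t expected_answer(uint8_t q) {
    uint8_t x = (uint8_t)(q ^ 0xA5u);
    x = (uint8_t)((x << 3) | (x >> 5));          /* rotate left by 3 */
    return (uint8_t)(x + 0x3Cu);
}

/* 8-bit Galois LFSR: questions keep changing, so a stuck answer cannot pass. */
static uint8_t next_question(uint8_t q) {
    uint8_t lsb = q & 1u;
    q >>= 1;
    return lsb ? (uint8_t)(q ^ 0xB8u) : q;
}

/* Monitoring module: judge one answer, then issue the next question. */
static bool monitor_check(monitor_t *m, uint8_t answer, uint32_t elapsed_ms) {
    if (m->shutdown) return false;               /* stays off until reset */
    bool ok = answer == expected_answer(m->question) && elapsed_ms <= DEADLINE_MS;
    m->faults = ok ? 0 : (uint8_t)(m->faults + 1u);
    if (m->faults >= FAULT_LIMIT) m->shutdown = true;
    m->question = next_question(m->question);
    return ok;
}

/* Constructed scenario; returns the cycle at which shutdown occurs, or -1. */
static int run_cycles(int healthy, int faulty) {
    monitor_t m = { 0x5Au, 0, false };
    for (int i = 0; i < healthy + faulty; i++) {
        uint8_t ans = expected_answer(m.question);   /* monitored unit's answer */
        if (i >= healthy) ans ^= 0x10u;              /* simulated computing fault */
        monitor_check(&m, ans, 2u);
        if (m.shutdown) return i;
    }
    return -1;
}

int main(void) { return run_cycles(5, 10) == 7 ? 0 : 1; }
```

A late but correct answer counts as a fault in the same way as a wrong one, so a monitored unit that hangs is caught as well as one that miscomputes.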
In addition, self-test routines are implemented in the control units, permitting fault recognition to a certain extent. These self-test routines may be referred to as internal monitoring functions which detect faults in the monitored control unit. To ensure the operating functionality of the control units, two independent power sources are provided to supply power to the individual electric components. Individual electric components are supplied with power either from both power sources or from only one power source at a time to maintain at least partial operation of the electric brake system in the event of failure of one power source.
A disadvantage of the conventional computer systems and of the conventional method of mutual monitoring of their components has proven to be that relatively high complexity is required in terms of hardware and software to meet the high reliability requirements. On the other hand, for understandable reasons, the safety requirements of safety-relevant applications cannot simply be lowered.