A method and an arrangement for the mutual monitoring of control units is disclosed in U.S. Pat. No. 5,880,568. There, an intrinsically safe control unit is described, for example in combination with control systems for controlling the drive unit of a vehicle. Intrinsically safe means that, if a fault occurs, the fault condition remains confined to the system in which the fault has occurred and that system remains in a safe state with respect to the outside. For example, individual faults may not lead to an increase in the power output of the drive unit. The monitoring concept described in U.S. Pat. No. 5,880,568 is structured in two channels, that is, all safety-relevant paths are secured by redundant channels. This applies also to the safety-relevant components of the operative software (for example, the software for carrying out the task of the control unit). This operative software is monitored, in the context of a second program level, by redundant software which quantitatively checks the correct formation of the control signal quantities by the operative software. The sequence and the functionality of the software of this second level are in turn monitored by question-answer communication with an external monitoring module.
Specifically, the first software level in the known embodiment contains the operative software for executing the control function as well as system-specific monitoring functions of the input quantities and the output stages. The second level comprises the function monitoring.
In the function monitoring, the correct formation of the output quantities, and especially of the power-determining quantities, is monitored by means of redundant functions. Furthermore, the programs of the second level form the answers to selected questions which are transmitted from the monitoring module in the context of a sequence control. With the aid of these questions, the correct computation of the monitoring functions is checked, and the programs carry out a computer monitoring by testing the monitoring functions with simulation data. The third level includes the question-answer communication with the monitoring module (on the basis of the transmitted question and the formed answer), with the aid of which the functionality of the programs of the second level is monitored. Furthermore, monitoring functions are assigned to this level which check the components of the function computer, such as memories, analog/digital converters, et cetera. A procedure of this kind is known from the above-mentioned state of the art.
In modern control systems, several control units are usually employed, which are either separate components or are structurally combined in one apparatus. Accordingly, in a modern vehicle control, for example, control apparatuses are present for controlling the drive unit, the driving dynamics (ABS, ASR, ESP), an automatic transmission, the wheel brakes, et cetera. For intrinsic safety of these individual control apparatuses, each individual control apparatus would have to be monitored in the sense of the above-mentioned state of the art. This entails considerable complexity. The same applies to at least two control units (for example, computers) combined in one apparatus which execute these functions.
It is an object of the invention to provide measures for an improved monitoring of at least two control units (control apparatuses, computers, et cetera) which operate together as a composite system.
The method of the invention is for mutual monitoring of at least first and second control units, the first and second control units each having first, second and third program levels (I, II, III). The method includes the steps of: allocating a first program to the first program level (I) of each control unit for computing control functions; allocating a second program to the second program level (II) of each control unit for monitoring the operability of the first program of the first program level (I); allocating a third program to the third program level (III) of each control unit for monitoring the operability of the second program; the third program of the third program level (III) forming an answer to a pregiven question with the aid of the second program in the context of a sequence control; and, causing one of the control units to receive the question of the other control unit and to output the answer to that other control unit.
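The following Python simulation is an added illustration written for this page and is not code from the patent or from U.S. Pat. No. 5,880,568. It models two control units, each with the three program levels of the method just described: level I forms a torque request, level II redundantly forms the permissible torque (the function monitoring and simulation-data test described above), and level III exchanges questions and answers with the partner unit in place of the external monitoring module. The torque map, the question table, the fault models (`level1_fault`, `level2_fault`, `level3_fault`), the tolerance and the error-counter limit are all assumptions of this example.

```python
"""Mutual monitoring of two control units by question-answer communication.

Added illustration of the three-level scheme; not code from the patent. All
values, the question table, the fault models and the limits are assumptions.
"""
from dataclasses import dataclass


def permissible_torque(pedal_pct: float, rpm: float) -> float:
    """Level-II monitoring function: redundant formation of the permissible
    (power-determining) torque. Assumed simple map; real units use calibrations."""
    torque = 3.0 * pedal_pct                # 0..300 Nm for pedal 0..100 %
    if rpm > 5000.0:                        # derate at high engine speed
        torque *= 0.8
    return round(torque, 1)


# Pre-given questions: simulation data fed to the level-II function. The expected
# answers are fixed at development time and stand in for the question/answer table
# that the external monitoring module of the state of the art holds (constructed).
QUESTIONS = {1: (25.0, 2000.0), 2: (60.0, 5500.0), 3: (100.0, 3000.0), 4: (0.0, 800.0)}
EXPECTED = {q: permissible_torque(*data) for q, data in QUESTIONS.items()}


@dataclass
class ControlUnit:
    name: str
    level1_fault: bool = False   # injected: operative software demands extra torque
    level2_fault: bool = False   # injected: monitoring function computes wrongly
    level3_fault: bool = False   # injected: sequence control answers the wrong question
    next_q: int = 1
    errors: int = 0
    safe_state: bool = False     # this unit limited its own power (local detection)
    peer_faulty: bool = False    # this unit found the partner faulty (mutual detection)

    # Level I: operative software forms the control signal quantity.
    def level1_control(self, pedal_pct, rpm):
        torque = 3.0 * pedal_pct * (0.8 if rpm > 5000.0 else 1.0)
        return torque + 50.0 if self.level1_fault else torque

    # Level II: redundant check of the quantity formed by level I.
    def level2_permissible(self, pedal_pct, rpm):
        torque = permissible_torque(pedal_pct, rpm)
        return torque + 1.0 if self.level2_fault else torque

    def level2_check(self, pedal_pct, rpm, torque):
        ok = torque <= self.level2_permissible(pedal_pct, rpm) + 0.5
        if not ok:                        # keep the fault inside this unit
            self.safe_state = True
        return ok

    # Level III: question-answer communication with the other control unit.
    def ask(self):
        q = self.next_q                   # sequence control cycles the question set
        self.next_q = q % len(QUESTIONS) + 1
        return q

    def answer(self, q):
        """Receive the partner's question; form the answer with the level-II program."""
        if self.level3_fault:
            q = 1                         # stale/wrong question id in the reply
        return (q, self.level2_permissible(*QUESTIONS[q]))

    def verify(self, asked_q, reply, tolerance=0.01, limit=2):
        q, value = reply
        ok = q == asked_q and abs(value - EXPECTED[asked_q]) <= tolerance
        self.errors = 0 if ok else self.errors + 1
        if self.errors >= limit:          # tolerate a single corrupted exchange
            self.peer_faulty = True
        return ok


def run_cycles(a, b, cycles, pedal_pct=40.0, rpm=3000.0):
    """One computing cycle: each unit runs levels I/II locally, then both units
    exchange a question and verify the partner's answer. Returns the final state."""
    for _ in range(cycles):
        for unit in (a, b):
            unit.level2_check(pedal_pct, rpm, unit.level1_control(pedal_pct, rpm))
        q_to_b, q_to_a = a.ask(), b.ask()
        a.verify(q_to_b, b.answer(q_to_b))
        b.verify(q_to_a, a.answer(q_to_a))
    return {u.name: (u.safe_state, u.peer_faulty) for u in (a, b)}


if __name__ == "__main__":
    print(run_cycles(ControlUnit("A"), ControlUnit("B"), 8))
    print(run_cycles(ControlUnit("A"), ControlUnit("B", level2_fault=True), 8))
```

Two points of the design are worth noting. The asking unit checks the answer against a fixed table rather than against its own level-II computation, so a common fault in both copies of the monitoring function does not mask itself, and a corrupted level II in the asking unit does not corrupt its verdict on the partner. The error counter in `verify` debounces a single disturbed exchange, while a wrong answer (level-II fault) and an answer to the wrong question (sequence fault in level III) are both reported after the second consecutive failure.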
The procedure described below permits the mutual monitoring of at least two control units which are connected to each other in an interconnected system (for example, a system of several control apparatuses). In this system, several control functions are carried out, with the control units influencing each other. It is especially advantageous that the monitoring is carried out with the usual reliability but with less complexity than an intrinsically safe individual monitoring of each control unit would require. This is because the monitoring module, which is known from the state of the art for the monitoring of an individual computer, becomes superfluous as a result of the mutual monitoring of the control units. The consequence is a considerable savings potential in the development of intrinsically safe control units.
It is especially advantageous to use the reliable and tested procedure known from the state of the art for the mutual monitoring of the control units. This permits the safety and availability of the control system to be guaranteed in the usual manner, without the need for additional complexity with respect to the monitoring of the control units.