1. Field of the Invention
The present invention relates to a method for monitoring a functional capacity of a controller running on a system having a plurality of execution units.
2. Description of Related Art
In the area of embedded systems, in particular in automotive engineering or automation technology, there are many applications or application programs in which an error in the hardware has consequences that are potentially safety-relevant. In order to avoid these consequences or to reduce their effects, monitoring measures are therefore used to detect such errors. There are applications in which such monitoring is required almost permanently. In other applications, monitoring functions are used that monitor regularly, for example periodically, or that check whether the data processing system or other hardware components are still functioning correctly in response to a particular request.
FIG. 1 shows the structure of a conventional monitoring method in an engine controller. In an engine controller, an injection system is used to inject fuel into a combustion chamber. From the point of view of safety, this exemplary application of an engine controller is structured in three levels E1, E2, E3. The application programs of the injection controller form a base level E1 that contains the actual functions that are to be carried out. The injection controller indicates how much fuel is to be injected into the combustion chamber at precisely what time. If there is a failure of the injection controller, the injection controller may inject too much fuel into the combustion chamber, or may inject fuel constantly into the combustion chamber, so that the motor vehicle accelerates very rapidly, possibly causing an accident. Therefore, in a conventional system a monitoring level E2 is provided that monitors whether the injection controller is operating without error on level E1. Monitoring level E2 is formed by additional programs or an additional software code that accesses additional sensors if warranted. In a conventional engine controller, monitoring level E2 is as a rule formed by a continuous torque monitoring system that monitors whether the torque currently produced by the engine exceeds a determined threshold value. In a conventional engine controller, the programs of injection control level E1 and monitoring level E2 run on the same hardware, or on the same execution units. Because the application programs of the injection controller in level E1 and the application programs of the torque monitoring system in level E2 run on the same execution unit or CPU, a hardware error in the execution unit can have the result that the injection controller and the torque monitoring system fail simultaneously. 
Therefore, in conventional engine controllers for safety reasons another safety level E3 is provided that monitors whether monitoring level E2 is functioning correctly. Safety level E3 carries out a query-response communication of the execution unit with an external hardware component, for example an ASIC, fundamentally monitoring the functional capacity of the execution unit or of the microcontroller, in particular the functioning of the application programs within monitoring level E2. The application programs of monitoring level E2 carry out a plausibility test. For example, the monitoring programs of monitoring level E2 read in an angular position α of the gas pedal. If the quantity of fuel indicated by the application programs of injection controller level E1 exceeds a particular threshold value that is a function of the gas pedal position monitored by sensors, the monitoring program running on level E2 recognizes that an error has occurred in the injection controller, and as a rule then causes the engine to switch off for safety reasons. Monitoring level E2 for example also contains a torque monitoring program that monitors the torque produced on the engine, and that shuts off the engine if a threshold value is exceeded. For the implementation of the monitoring function, the code of the monitoring programs is stored in duplicate form as E2′. The algorithm or program of E2′ is run using default data or test data. The program of safety level E3, which runs for example on an ASIC, i.e. a user-specific integrated circuit, supplies a particular bit pattern as a query to the execution unit or CPU, which executes the monitoring program, present as a copy, according to level E2′ using this default value, and outputs a response bit pattern to the safety program of level E3 in the user-specific integrated circuit ASIC. 
The safety program compares the response bit pattern with a reference bit pattern in order to determine whether the monitoring program is still functioning without error in the CPU. The safety program within the user-specific integrated circuit runs on different hardware, namely on the ASIC, than does the monitoring program, which runs on an execution unit or CPU. Therefore, this conventional procedure provides a certain degree of safety against hardware errors within the CPU.
However, as shown in FIG. 1, a disadvantage of the conventional safety design is that the monitoring programs have to be present in duplicate so that the command test can execute them using default or test values. Memory space is therefore required on monitoring level E2′ for storing the duplicate program commands.
Another disadvantage of the conventional command test, in which default or test data are used as input data for the duplicate E2′ of the monitoring program, is that errors that are a function of the operand are not detected.
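The following added example (constructed here, not code from the patent or from any engine-controller product) simulates the three-level design described above: an E2 plausibility test comparing fuel quantity against a pedal-dependent threshold, its duplicate E2′ answering query bit patterns from E3 against a reference table, and an assumed operand-dependent CPU fault that illustrates why the command test with fixed default data does not detect it. The threshold model, the query encoding (fuel in the high byte, pedal angle in the low byte) and the fault model are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed fault model (not from the page): the CPU misreads an operand as zero
 * whenever the operand has bit 7 set. 0 = healthy CPU, 0x80 = faulty CPU. */
static uint32_t fault_mask = 0;

/* Constructed linear threshold: fuel limit as a function of pedal angle alpha. */
static uint32_t threshold_for_pedal(uint32_t alpha_deg) { return 2 + alpha_deg * 3; }

/* E2 plausibility test: true when the fuel quantity requested by E1 exceeds the
 * limit derived from the sensor-monitored pedal position (engine shut-off). */
static bool e2_fuel_exceeds(uint32_t fuel, uint32_t alpha_deg) {
    uint32_t seen = (fuel & fault_mask) ? 0 : fuel;   /* simulated operand fault */
    return seen > threshold_for_pedal(alpha_deg);
}

/* E2': duplicate of the monitor executed on the default data carried in the
 * E3 query; response bit pattern is a single bit here (1 = limit exceeded). */
static uint16_t e2_prime_response(uint16_t query) {
    return e2_fuel_exceeds(query >> 8, query & 0xff) ? 1 : 0;
}

/* E3 reference table, assumed to be computed offline on healthy hardware. */
struct e3_vector { uint16_t query; uint16_t reference; };
static const struct e3_vector e3_table[] = {
    {0x0A0A, 0},   /* fuel 10, alpha 10: limit 32, not exceeded */
    {0x5005, 1},   /* fuel 80, alpha 5:  limit 17, exceeded     */
    {0x2014, 0},   /* fuel 32, alpha 20: limit 62, not exceeded */
};

/* E3 query-response check: every response must match its reference pattern. */
static bool e3_command_test(void) {
    for (size_t i = 0; i < sizeof e3_table / sizeof e3_table[0]; i++)
        if (e2_prime_response(e3_table[i].query) != e3_table[i].reference)
            return false;
    return true;
}

/* The limitation described in the text: the fault only affects operands with
 * bit 7 set, the default data never do, so E3 passes while the live E2
 * decision for fuel 200 at alpha 10 (limit 32) is wrong. */
static bool fault_escapes_e3(void) {
    fault_mask = 0x80;
    bool e3_passes = e3_command_test();
    bool live_shutdown = e2_fuel_exceeds(200, 10);
    fault_mask = 0;
    return e3_passes && !live_shutdown;
}
```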