There are various concepts for designing a functional unit—e.g., a control device with a semiconductor circuit—for use in a motor vehicle in such a manner that the control device is single-fault safe, i.e., intrinsically safe. Monitoring according to the three-layer concept is one possibility of achieving an intrinsically safe control device.
A method and a device for controlling a drive unit of a vehicle are known from DE 44 38 714 A1, wherein the control device for power control has only a single microcontroller. The microcontroller performs both control and monitoring. Operational reliability and service quality are guaranteed by providing at least two mutually independent layers for control and monitoring in the single microcontroller: the functions for power control are determined in a first layer, and said functions, and thus the operability of the microcontroller itself, are monitored in a second layer, particularly in cooperation with a monitoring module.
Furthermore, DE 44 38 714 A1 describes a third layer, which performs a program flow check of the second layer. This monitoring by the third layer considerably enhances the reliability and service quality of the control device. In particular, the program flow check of the second layer is performed in the monitoring module in the form of dialog communication.
The three-layer monitoring concept (E-Gas concept) is usually used in engine control devices of vehicles to monitor electronic engine control systems, wherein the engine control device essentially consists of the so-called functional computer and the monitoring computer. The functional computer and the monitoring computer communicate with each other by means of a dialog procedure and have separate switch-off paths.
Layer 1 comprises the actual functional module for the functional control of the drive unit of the vehicle and is therefore also referred to as functional layer. It includes engine control functions, inter alia for the conversion of the requested engine torques, component monitoring, the diagnosis of the input and output quantities, and the control of the system reactions when an error has been detected. Layer 1 is executed on the functional computer.
Layer 2 is also referred to as the function monitoring layer. It comprises the safety module and is likewise executed on the functional computer. It detects faulty execution of the monitoring-relevant portion of the functional module of Layer 1, inter alia by monitoring the calculated torques or the vehicle acceleration. In the event of an error, system reactions will be triggered. Layer 2 is executed in a functional-computer hardware area that is secured by Layer 3.
Layer 3 is also referred to as computer monitoring layer. It comprises the monitoring module on an independent monitoring unit (ASIC or μC) with instruction set test, program flow check, ADC test as well as cyclic and complete memory tests of Layer 2. The monitoring unit, which is independent of the functional computer, tests the proper processing of the program instructions of the functional computer, said test being a dialog procedure. In the event of an error, system reactions will be triggered independently of the functional computer.
In present-day electronic engine control systems, the entire functional and monitoring software is integrated in a control device. The monitoring concept may also be realized in other vehicle control devices, in particular in transmission control devices.
In this safety concept, in the event of an error in the second layer the actuators will usually be put in a currentless state by means of the power-determining output stages of the control device. In the event of an error in the third layer, the actuators will be put in a currentless state by means of the power-determining output stages of the control device in a first step, whereafter the functional computer is reset by the monitoring unit (third layer) in a second step. This currentless state is usually the safe state of the complete controlled system, particularly of the automatic transmission.
For a transmission whose clutch is held open by a mechanical elastic force in the pressureless state, this specifically means the following: in case of emergency, when the power-determining output stages are disabled and the hydraulic system for actuating the clutch can no longer be used, the intended emergency state is nevertheless reached, because the clutch is permanently kept open by the mechanical elastic force and thus no torque can be transmitted from the engine to the driving wheels.
However, there are transmission types where the clutch is closed against a mechanical elastic force in the currentless or pressureless state (referred to as normally closed clutches). The monitoring concept discussed herein cannot be applied to them in the manner described above.
The third layer may be an ASIC or a separate microcontroller that primarily serves to monitor the functional computer. The data exchange for the dialog procedure is usually performed via a customary computer interface, e.g., SPI (Serial Peripheral Interface).
If the third layer is realized on an ASIC functioning as a monitoring unit, the actuators can only be put in one state in the event of an error occurring in the dialog procedure, i.e., the power-determining output stages will usually be switched to a currentless state. It is impossible to accomplish any switching sequences or controlled actuation sequences, where an actuation sequence may consist of determining the position of an actuator by means of an appropriate sensor signal and changing or controlling it when required. That is because the ASIC can only output a switching signal, which influences the electronic system accordingly. Moreover, the ASIC cannot process a sensor signal and thus cannot output a control signal, either.
If the third layer is realized on an additional computer (μC), it will be impossible—in the event of an error occurring in the dialog procedure—to ascertain beyond all doubt which of the two computers (the “interrogator” or the “responder”) really operates defectively. Therefore, in the event of an error, both computers will have to establish the safe system state (currentless output stages) and be reset, which means that it will be impossible to accomplish—even if a second computer is used in the third layer—any switching sequences or controlled actuation sequences any more in the event of an error.
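The following is an added, constructed model of the Layer 3 dialog procedure (question from the monitoring unit, answer from the functional computer, two-step reaction on error) outlined above; it is not code from DE 44 38 714 A1 or from any product. The question/answer transform, the fault tolerance of three rounds and the time-window flag are assumptions made for illustration.

```c
/* Constructed model of the Layer-3 dialog procedure between a monitoring
 * unit and the functional computer. Question/answer format, thresholds and
 * error counting are assumptions for illustration, not the cited design. */
#include <stdint.h>
#include <stdbool.h>

#define MAX_FAULTS 3   /* assumed: consecutive bad rounds before the switch-off path is used */

typedef struct {
    uint8_t faults;          /* consecutive dialog errors seen by the monitor */
    bool    outputs_enabled; /* power-determining output stages energised */
    bool    reset_request;   /* monitor asserts reset of the functional computer */
} monitor_t;

/* Reference answer the monitoring unit expects for a given question (assumed
 * transform). A stuck, skipped or corrupted instruction sequence on the
 * functional computer is unlikely to return this value by accident. */
uint16_t expected_answer(uint16_t question) {
    uint16_t x = question;
    for (int i = 0; i < 8; i++)
        x = (uint16_t)((x << 1) ^ ((x & 0x8000) ? 0x1021u : 0u));
    return (uint16_t)(x ^ 0x5A5Au);
}

/* Functional computer side: exercises the instruction sequence that the
 * monitor checks (instruction-set and program-flow check of Layer 2). */
uint16_t functional_computer_answer(uint16_t question) {
    return expected_answer(question);
}

void monitor_init(monitor_t *m) {
    m->faults = 0; m->outputs_enabled = true; m->reset_request = false;
}

/* Monitoring unit side: evaluates one dialog round. A wrong answer or a
 * correct answer outside its time window both count as a dialog error.
 * Returns true while the output stages may remain energised. */
bool monitor_evaluate(monitor_t *m, uint16_t question, uint16_t answer, bool in_time) {
    if (in_time && answer == expected_answer(question)) {
        m->faults = 0;
        return m->outputs_enabled;
    }
    if (m->faults < 255) m->faults++;
    if (m->faults >= MAX_FAULTS) {
        /* Step 1: output stages currentless; step 2: reset the functional
         * computer. This is the two-step reaction described in the text. */
        m->outputs_enabled = false;
        m->reset_request = true;
    }
    return m->outputs_enabled;
}
```

Because the monitor can only open the switch-off path and request a reset, the model also shows why no controlled actuation sequence is possible once the dialog has failed.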
In both cases, an additional disadvantage consists in the fact that the only state in which the vehicle can be immediately put is a state in which it cannot be driven (engine switched off, drive train open = breakdown), and it is impossible to operate in an emergency running mode (engine switched on, restricted transmission of torque = limp home mode) because no control functions are available.