The self-test of a core is also referred to as a “built-in self-test” (BIST). Various self-test processes are known, for example from German Patent Application No. DE 43 05 288 and the article “The Fail-Stop Controller AE 11” by Böhl, E. et al., International Test Conference, Paper 24.1, pp. 567 to 577, 0-7803-4209-7/97, 1997 IEEE. Reference is made explicitly to these publications.
The concept “intended running of a computer program on the microprocessor or microcontroller” means that, for example, a control program is run on a microprocessor or microcontroller of a controller, without which the microprocessor or the controller is unable to carry out its control functions. The core of a microprocessor or microcontroller is also referred to as the central processing unit (CPU).
In the field of motor vehicle controllers it is known, for checking the operation of a core during the intended operation of the controller, to provide two computers of equal computing power. This is also described as the redundant computer concept. The open-loop or closed-loop control algorithm runs on both computers. The results of the open-loop or closed-loop control algorithms of the two computers are constantly compared. If there are significant discrepancies between the two sets of results, it is assumed that there is an error in one of the two computers and the whole system is shut down in order to prevent the issuing of erroneous open-loop or closed-loop instructions.
However, a disadvantage of this method for checking the correct operation of a microprocessor or microcontroller core, known from the related art, is that errors which occur only during the intended operation of the controller, i.e., during the processing of an open-loop or closed-loop control program, results in shutdown of the controller at a moment when its open-loop or closed-loop control function is particularly important. For example, in the case of a stability control system, the control function becomes active when the vehicle is in danger of swerving. If an error in the controller core is detected in such a situation and the controller is shut down, this may result in dangerous situations, including, at worst, the vehicle swerving.
In order to counter such disadvantages, a diversitary computer concept has been developed and is known, for example, from German Patent Application No. DE 195 00 188, in which the first computer, known as the algorithm computer, has greater processing power than the second one, known as the monitor computer. The actual open-loop or closed-loop control algorithm, as well as a check computation, runs on the algorithm computer. The check computation is carried out on the same microprocessor or microcontroller as the open-loop or closed-loop control algorithm but in different time segments. Each time the check computation is called up, a certain area, i.e., certain gates, of the core are checked for correct operation. By means of the check computation, errors in the algorithm computer's core can be detected even if this computer is not being operated as intended, in other words if no open-loop or closed-loop control program is being processed. The check computation may be described as a type of self-test.
The same check computation runs on the monitor computer. The results of the check computations are compared, and in the event of significant discrepancies, it is assumed that there is an error in the algorithm computer's core, which is then shut down in order to avoid erroneous open-loop or closed-loop control. The check computation makes it possible to check between 80% and 85% of all the gates in the algorithm computer's core. The remaining 15% to 20% of the gates in the algorithm computer's core still have to be checked by modeling the open-loop or closed-loop control algorithm on the monitor computer and by comparing the modeled results with the actual results from the algorithm computer, thereby checking for correct operation. For these 15% to 20% of the gates in the core, the problem described above still exists, namely that errors do not occur and cannot be detected until a moment when the algorithm is being operated as intended, or in other words, for example, when an open-loop or closed-loop control program is being processed. In addition, modeling of the open-loop or closed-loop control algorithm in the monitor computer means that if there is a change in the open-loop or closed-loop control algorithm, the model also has to be changed. Consequently, two groups of developers are constantly busy developing not only the actual open-loop or closed-loop control algorithm but also the model. This results in a considerable manpower and monetary expenditure.