The invention relates to a method for computer-aided detection of errors during the execution of one or more software-based programs in a system of components, in particular in a motor vehicle.
In many industrial sectors, and in particular in automotive engineering, an ever larger share of the functions to be executed in the corresponding technical system, in particular the motor vehicle, is implemented in software, and that software is becoming increasingly complex. Normally the software programs are executed in a distributed system composed of a plurality of components. Here and in the following, the term “component” is defined broadly and can include any unit with one or more functionalities during the program run. In particular, a component is a technical component with technical functions, or more specifically a technical device such as a control unit with corresponding software, or a part of such a device. Similarly, the components can also be functions or objects in the sense of a programming language, which execute portions of a program within the system. A component can also be, in particular, a software component in the sense of the known AUTOSAR standard.
Software errors occur at runtime and often only sporadically. Furthermore, the cause of such an error and its observable effect are often not related in time. This makes it much harder to correct software errors when they occur, because the errors cannot be reproduced, the conditions under which they occurred cannot be reconstructed, and in general it is not clear where to look for the cause.
In the field of vehicle diagnostics, the current approach is to store the detected errors in the form of so-called DTCs (diagnostic trouble codes) in the corresponding technical components, i.e., the control devices. However, there is no functional link between the error entries that are generated by this method, and the errors can be correlated only by way of the time of their occurrence.
Therefore, the object of the invention is to detect errors during the execution of a software program in a suitable manner so that thereafter the detected errors can be subjected to an improved diagnosis in order to find the reason for the error.
This and other objects are achieved in accordance with the methods, systems, and diagnostic devices disclosed herein.
In the method according to the invention, each component of the system is assigned an identification, and a respective running program is specified by a program identity. During the execution of the respective program, a component executes its assigned portion of the program, and, furthermore, the components call each other, at least to some extent, during the program run.
The method according to the invention provides that, when a component is called by another component, a program identity and an error parameter are transmitted from the other component to the component. The error parameter indicates whether an error has been identified beforehand during the execution of the program. If a component identifies an error during the execution of its assigned program portion, the component stores an active error entry that contains the program identity, the identification of the component, and an error status that indicates whether the identified error is the first error during the execution of the program. Hence, an active error entry records an error that occurred in the very component in which the entry is stored.
If, in the method according to the invention, a component that has called another component receives the identification of the other component from the other component, the component stores a passive error entry that contains the program identity, the identification of the component, and the identification of the other component. A passive error entry thus indicates that the error according to the error entry occurred in a component other than the one in which the error entry is stored. At the same time the passive error entry indicates that an error has occurred beforehand in the call chain of the program. Storing the identification of the other component makes it possible to backtrack the call chain in which the error occurred.
According to the invention, a component, which stores one or more active or passive error entries during the execution of the program, returns the program identity and the identification of the component, at least once during the execution of the program, to the component, which has called the component. In this way the propagation of the error entries for the purpose of backtracking them during the program run is guaranteed.
The method according to the invention is characterized by the fact that the correspondingly generated active and passive error entries, together with the transmission of suitable information when the components call each other, make it possible to trace software errors and also to detect whether a given software error is the first error in the program run or a potential sequence error that may result from the first error.
In a preferred variant of the invention the individual components are control units and/or parts of control units, which communicate with each other by way of corresponding interfaces, so that the active and passive error entries are stored in predefined memory locations of the control units. In this case a preferred application is the execution of a software program in networked control units in a motor vehicle or in a plurality of motor vehicles that communicate with each other.
In an additional preferred variant of the invention the program identity includes an identification of an initiating component, at which the program is started, as well as a corresponding start time of the program.
Another embodiment of the method according to the invention provides that, when no error occurs in the program portions executed after the program portion of a component, the component that was called by this component returns the program identity together with a parameter to it. This parameter indicates that the subsequently executed program portions are error free, and upon receipt of the parameter no passive error entry is stored in the calling component.
This feature provides the respective component with feedback that no errors occurred after the execution of its assigned program portion, so that no passive error entry has to be stored in it. Hence, the parameter takes the place of the identification of the called component that is returned when an error occurs.
Another variant of the method according to the invention provides that, when a component is called, a call entry is stored in the component, at least during part of the execution of the program. This approach also allows call chains that have run without errors to be detected in a program run. Preferably, a call entry in the component contains the identification of the component that called it. In this way the call chains of correctly running program portions can also be reconstructed. In this context it is possible to store the call entries in the respective components only after the occurrence of the first error during the execution of the program. If desired, it is also possible to store call entries during the entire execution of the program.
In an additional, especially preferred embodiment of the method according to the invention, a respective error entry (that is, an active or passive error entry) in a component is described by a field having a plurality of values. The program identity is specified in the field, and, furthermore, the field includes a first value that specifies the identification of the component which stores the error entry, a second value that specifies the component in which the error occurred (which, in the case of an active error entry, is the component that stores the error entry), and a third value that indicates whether the error entry is a passive error entry or an active error entry. In the case of an active error entry, the third value also specifies whether the error is the first error during the execution of the program. The terms “first value,” “second value,” and “third value” specify only corresponding types of values and do not automatically indicate where the corresponding value may be found in the field.
In the variant of the inventive method, in which the program identity is established by the identification of the initiating component and the start time, the field for describing the error entry contains two values for specifying the program identity. In this case one of the values represents the identification of the initiating component, and the other of the values, the start time.
Building on the above described method for detecting errors, the invention also relates to a method for processing the errors identified with this method. In this case the stored active and passive error entries are read out, and for each program identity a fault tree is generated from the associated active and passive error entries and output. The fault tree contains at least those call chains of components called one after the other that contain at least one component with an active error entry. In the fault tree, the components are characterized as to whether no error, the first error, or a potential sequence error occurred in the respective component during the execution of the program. This information lends itself well to backtracking the relationships between the individual errors in the fault tree. The errors that occur after the first error represent potential sequence errors, and the fault tree makes it possible to identify, in particular, the original error and/or the other potential sequence errors from which a given sequence error could have resulted. Furthermore, if the above described call entries are also stored in the course of detecting errors, then the fault tree may also contain, if desired, those call chains in which all of the components correctly executed their portion of the program.
An additional variant of the method for reconstructing the fault tree is based on the detection of errors by use of the error entries that are specified by the above described fields. In this case the fault tree is generated such that, proceeding from each component with an active error entry, the respective call chains of the components called one after the other are determined step by step by means of the first and second values of the fields of the error entries: the second value of a passive entry names the called component in which the error was reported, and the first value names the calling component that stored the entry, so following first values upward reconstructs the chain back to the initiating component.
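The following simulation is an added example written for this page; it is not code from the patent or from any AUTOSAR implementation. It models the detection method of the preceding paragraphs (program identity and error parameter passed on each call, active and passive error entries with the first/second/third field values, the identification or an error-free parameter returned to the caller) and the fault-tree reconstruction that follows first and second values upward from each active entry. The component identifiers, the `OK` encoding of the error-free parameter, the step list used as a program portion, and the call sequence in `build_sample` are all constructed assumptions for illustration.

```python
"""Simulation of active/passive error entries and fault-tree reconstruction (added example)."""
from dataclasses import dataclass, field
from enum import Enum

OK = "OK"   # assumed encoding of the error-free parameter returned instead of an identification


class Kind(Enum):
    """Third field value: entry type, and for active entries whether it is the first error."""
    ACTIVE_FIRST = "active, first error"
    ACTIVE_SEQ = "active, potential sequence error"
    PASSIVE = "passive"


@dataclass(frozen=True)
class ErrorEntry:
    program: tuple      # program identity = (initiating component, start time)
    stored_in: str      # first value: component holding the entry
    occurred_in: str    # second value: component in which the error occurred
    kind: Kind          # third value


@dataclass
class Component:
    cid: str
    steps: list         # assumed program portion: "fail" or ("call", <component id>)
    error_entries: list = field(default_factory=list)
    call_entries: list = field(default_factory=list)   # (program identity, caller id)


def run(system, cid, caller, program, error_seen):
    """Execute the portion of `program` assigned to `cid`.

    `error_seen` is the error parameter transmitted by the caller. Returns
    (program, cid) if this component stored any error entry, else (program, OK).
    """
    comp = system[cid]
    if caller is not None:
        comp.call_entries.append((program, caller))
    stored = False
    for step in comp.steps:
        if step == "fail":
            # active entry: first error unless an error was already reported in the chain
            kind = Kind.ACTIVE_SEQ if error_seen else Kind.ACTIVE_FIRST
            comp.error_entries.append(ErrorEntry(program, cid, cid, kind))
            stored = error_seen = True
        else:
            _, callee = step
            _, result = run(system, callee, cid, program, error_seen)
            if result != OK:
                # callee returned its identification: store a passive entry pointing at it
                comp.error_entries.append(ErrorEntry(program, cid, result, Kind.PASSIVE))
                stored = error_seen = True
    return program, (cid if stored else OK)


def start(system, initiator, start_time):
    """Start a program at `initiator`; the program identity is (initiator, start_time)."""
    program = (initiator, start_time)
    run(system, initiator, None, program, False)
    return program


def fault_tree(system, program):
    """Rebuild the call chains ending in an active error and label each component."""
    entries = [e for c in system.values() for e in c.error_entries if e.program == program]
    passive = [e for e in entries if e.kind is Kind.PASSIVE]
    active = [e for e in entries if e.kind is not Kind.PASSIVE]

    def chains_to(cid, seen):
        # callers of `cid` are the first values of passive entries whose second value is `cid`
        callers = sorted({p.stored_in for p in passive
                          if p.occurred_in == cid and p.stored_in not in seen})
        if not callers:
            return [[cid]]
        return [chain + [cid] for c in callers for chain in chains_to(c, seen | {cid})]

    chains = []
    for e in active:
        for chain in chains_to(e.occurred_in, frozenset()):
            if chain not in chains:
                chains.append(chain)
    chains.sort()
    status = {}
    for chain in chains:
        for c in chain:
            status.setdefault(c, "no error")
    for e in active:
        status[e.occurred_in] = ("first error" if e.kind is Kind.ACTIVE_FIRST
                                 else "potential sequence error")
    return chains, status


def build_sample():
    """Constructed scenario: A calls B then C; B calls D which fails first; C calls E then fails."""
    comps = [
        Component("A", [("call", "B"), ("call", "C")]),
        Component("B", [("call", "D")]),
        Component("C", [("call", "E"), "fail"]),
        Component("D", ["fail"]),
        Component("E", []),
    ]
    return {c.cid: c for c in comps}


if __name__ == "__main__":
    system = build_sample()
    program = start(system, "A", 1000)
    chains, status = fault_tree(system, program)
    for chain in chains:
        print(" -> ".join(f"{c} [{status[c]}]" for c in chain))
```

Running the sample prints two chains, `A -> B -> D` with D marked as the first error and `A -> C` with C marked as a potential sequence error, while E, which ran error-free and returned the `OK` parameter, holds only a call entry and no error entry. Note that C's failure is classified as a sequence error solely because the error parameter it received from A was already set by D's earlier failure; the classification depends on the call order, not on any causal analysis.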
In addition to the described method, the invention also relates to a system of components, especially in a motor vehicle, wherein the system is configured such that during the execution of one or more software based programs the errors are identified with the above described method for detecting errors. Moreover, the invention relates to a motor vehicle, which comprises such a system.
Furthermore, the invention relates to a diagnostic device for processing the errors detected with the above described method. In this context the diagnostic device is configured such that the device can carry out the above described method for processing the errors that are detected accordingly.
Other objects, advantages and novel features of the present invention will become apparent from the following detailed description of one or more preferred embodiments when considered in conjunction with the accompanying drawings.