There are various concepts for designing a control device with a computing element for the use in a motor vehicle in such a manner that the control device is free of single defects or inherently safe. Monitoring in the three-layer concept is one possibility of achieving an inherently safe control device.
A method and a device for controlling a drive unit of a vehicle are known from DE 44 38 714 A1, which is incorporated by reference, wherein the control device for power control has a single computing element only. The computing element performs both switch-off path control and monitoring, wherein operational reliability and service quality are guaranteed by at least two layers for control and monitoring being provided in a single computing element, said layers being independent of each other, wherein the functions for power control are determined in a first layer and said functions, and thus the operatability of the computing element itself, are monitored in a second layer, particularly in cooperation with a monitoring module.
Furthermore, DE 44 38 714 A1 describes a third layer that performs a program flow check of the second layer. This monitoring by the third layer considerably enhances the reliability and service quality of the control device. In particular, the program flow check in the monitoring module is performed in the form of dialog communication.
The three-layer monitoring concept (E-Gas concept) is preferably used in engine control devices of vehicles to monitor electronic engine control systems, wherein the engine control device consists of the so-called functional computer and the monitoring computer. The functional computer and the monitoring computer communicate by means of a dialog method and have separate switch-off paths.
Layer 1 comprises the actual functional module for the functional control of the drive unit of the vehicle and is therefore also referred to as “functional layer”. It includes engine control functions, inter alia for the conversion of the requested engine torques, component monitoring, the diagnosis of the input and output quantities, and the control of the system reactions when an error has been detected. Layer 1 is executed on the functional computer.
Layer 2 is also referred to as “function monitoring layer”. It comprises the safety module and is also executed on the functional computer. It detects the defective execution of a monitoring-relevant extent of the functional module of Layer 1, inter alia by monitoring the calculated torques or the vehicle acceleration. In the event of an error, system reactions are triggered, e.g., safety-relevant output stages are disabled.
Layer 2 is executed in a functional-computer hardware area that is secured by Layer 3. Layer 3 is also referred to as “computer monitoring layer”. It comprises the monitoring module on an independent functional computer with instruction set test, program flow check, ADC test as well as cyclic and complete memory tests of Layer 2. The monitoring module is executed on a functional computer. The monitoring computer that is independent of the functional computer tests the proper processing of the program instructions of the functional computer, said test being a dialog method. In the event of an error, system reactions are triggered independently of the functional computer.
In present-day electronic engine control systems, the entire functional and monitoring software is integrated in a control device. The monitoring concept may also be realized in other vehicle control devices, in particular in gear control devices.
Monitoring concepts in which a monitoring computer performs more than one program flow check in the functional computer by means of a single monitoring unit are known from the state of the art, wherein said single monitoring unit has to synchronize the individual responses from the individual program flow checks as well as to merge the individual responses into an overall response, wherein errors may occur both in the synchronizing operation and in the response merger operation.