1. Field of the Invention
The invention relates to a method, to the use thereof and to a computer program product for ensuring or maintaining the function of a complex safety-critical overall system.
2. Description of the Related Art
WO 2004/005096 A1 discloses a method for safeguarding or maintaining the operation of a complex safety-critical overall system, such as a motor vehicle regulatory system, e.g. an electrical, electrohydraulic or electromechanical braking system (Brake-by-Wire), an electronic steering system (Steering-by-Wire), etc., in the event of the occurrence of errors or malfunctions.
Safety-related systems having a multiplicity of different subsystems, some of which build upon one another, require measures which safeguard a defined manner of operation even in the event of operational errors and in the event of failure of individual system components (e.g. ESP, ABS, TCS, etc.). Without a safety concept, even a relatively insignificant error results in total failure of a subsystem or even of the overall regulation.
A simple error-source analysis based on the processing of particular stored error patterns works only in a transparent system with a small number of single errors. In a complex overall system there are so many combinations of errors that, with the error-pattern handling method, only the most probable error patterns can be taken into account. In all other cases, the overall system is completely immobilized for safety reasons. This is unacceptable, however, if the overall system is a controller for electrical steering (without a mechanical fallback level).
The method known from WO 2004/005096 A1, which method relates to an integrated overall system (the overall system performs only a primary task, that is to say the control/regulation of a braking system, for example), therefore performs error splitting for each individual system component (e.g. pressure sensor, wheel speed sensor on the front-left wheel, etc.). In addition, individual emergency operation modes are defined for each system component. A selection system is then defined which is used to establish what modes of operation are admissible for all system components on the basis of the recognized single error.
The initial error analysis performed by the above method provides the following results:
the system is split into mutually independent system components;
the modes of operation are defined for each individual system component (besides “available/unavailable”, various emergency operation modes can be defined);
a selection system, e.g. in the form of a decision matrix, is formed which is used to establish what modes of operation are admissible for all system components on the basis of the recognized “single error”.
In line with the known method, all sources of error are analyzed permanently (in each loop). When an error occurs, the affected system components are denied all correlated modes of operation. This achieves system-wide component degradation. From the modes of operation which are still available for the system components on the basis of the error analysis, stipulations of a mode selection system are finally taken as a basis for selecting and using those modes of operation which guarantee the optimum behavior of the overall system under the given conditions.
Although the method above basically achieves the primary object of suitability for multiple errors in an error handling method, the method disadvantageously evaluates exclusively system errors and faults. It does not matter whether the component availability is influenced on the basis of a system error or system fault or on the basis of configuration measures or special system states (diagnosis and the like).
In addition, the known error handling method presupposes that it occupies a centralized position in the overall vehicle regulatory and/or control system and that all the system components are covered by and available within its range of action. Because of this requirement, the method cannot be used in overall regulatory and/or control systems that are distributed over the motor vehicle.
A further drawback of the known system is that many input signals in the aforementioned mode-of-operation computation system (such as final errors, online configuration signals, etc.) have a quasi-steady nature, i.e. they change their state no more than once during an operating cycle. The evaluation of these signals, which is performed afresh in each computation step, is very computation intensive.
Finally, the known method is also disadvantageous in that, in each computation step, the modes of operation to be used need to be ascertained even if the modes of operation which are still available for the system components have not changed. Not least because of the high computational cost, it does not appear sensible to reselect the modes of operation to be used in every step.
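The following Python program is an added illustration, not code from the patent or from WO 2004/005096 A1. It models the known method described above: the overall system is split into independent components, each component has ordered modes of operation, a decision matrix maps each recognized single error to the modes that remain admissible, and a mode selection system picks the most capable overall function the remaining modes still support. It also counts how often the selection is recomputed over a sequence of loops against how often the availability actually changed, which is the quasi-steady-input drawback the last two paragraphs describe. All component, error and function names are constructed, and the matrix and function table are hypothetical.

```python
"""Added illustration (not from the patent): single-error splitting, component
degradation and mode selection with a decision matrix, run once per loop.
All component, error and function names are constructed."""

# Independent system components of a hypothetical braking controller.
# Modes are ordered from best to worst; every admissible set below keeps
# "unavailable", so the intersection in degrade() is never empty.
MODES = {
    "pressure_sensor": ("full", "estimated", "unavailable"),
    "wheel_speed_fl": ("full", "plausibility_only", "unavailable"),
    "wheel_speed_fr": ("full", "plausibility_only", "unavailable"),
    "yaw_rate_sensor": ("full", "unavailable"),
}

# Decision matrix (hypothetical): for each recognized single error, the modes
# that stay admissible for the affected components. Unlisted components keep
# all their modes.
DECISION_MATRIX = {
    "pressure_offset": {"pressure_sensor": {"estimated", "unavailable"}},
    "pressure_open_circuit": {"pressure_sensor": {"unavailable"}},
    "wheel_fl_dropout": {"wheel_speed_fl": {"plausibility_only", "unavailable"}},
    "yaw_implausible": {"yaw_rate_sensor": {"unavailable"}},
}

# Overall-system functions from most to least capable, each with the
# component modes it tolerates. The first one still supported is selected.
FUNCTIONS = (
    ("ESP", {"pressure_sensor": {"full"}, "wheel_speed_fl": {"full"},
             "wheel_speed_fr": {"full"}, "yaw_rate_sensor": {"full"}}),
    ("ABS", {"pressure_sensor": {"full", "estimated"},
             "wheel_speed_fl": {"full"}, "wheel_speed_fr": {"full"}}),
    ("base_braking", {"pressure_sensor": {"full", "estimated"}}),
)


def degrade(active_errors):
    """Error analysis: deny each affected component every mode that is not
    admissible under some active single error (system-wide degradation)."""
    available = {comp: set(order) for comp, order in MODES.items()}
    for err in active_errors:
        if err not in DECISION_MATRIX:
            raise ValueError(f"error pattern not covered by the matrix: {err}")
        for comp, admissible in DECISION_MATRIX[err].items():
            available[comp] &= admissible
    return available


def select_modes(available):
    """Mode selection: the most capable function whose requirements the
    remaining modes satisfy, plus the best admissible mode per component.
    With no function left, the overall system is immobilized."""
    for name, requirements in FUNCTIONS:
        if all(available[comp] & modes for comp, modes in requirements.items()):
            chosen = {}
            for comp, order in MODES.items():
                tolerated = requirements.get(comp, set(order))
                chosen[comp] = next((m for m in order
                                     if m in available[comp] and m in tolerated),
                                    "unavailable")
            return name, chosen
    return "immobilized", {comp: "unavailable" for comp in MODES}


def run_cycle(active_errors):
    """One computation step of the known method: full analysis and selection."""
    return select_modes(degrade(active_errors))


def count_recomputations(error_schedule):
    """Run the known method over a sequence of loops and return how many
    selections were performed versus how many distinct availability states
    occurred; the difference is the work spent on unchanged quasi-steady inputs."""
    selections = 0
    seen_states = set()
    for active_errors in error_schedule:
        available = degrade(active_errors)
        select_modes(available)
        selections += 1
        seen_states.add(tuple(sorted((c, tuple(sorted(m)))
                                     for c, m in available.items())))
    return selections, len(seen_states)


if __name__ == "__main__":
    print(run_cycle(set()))
    print(run_cycle({"pressure_offset"}))
    print(run_cycle({"pressure_offset", "wheel_fl_dropout"}))
    print(run_cycle({"pressure_open_circuit"}))
    # A quasi-steady error appears once and stays; the known method still
    # re-evaluates and reselects in every one of the ten loops.
    print(count_recomputations([set()] * 5 + [{"pressure_offset"}] * 5))
```

With no error every component runs "full" and ESP is selected; a pressure offset alone degrades the pressure sensor to "estimated", which ESP does not tolerate but ABS does; adding a front-left wheel speed dropout leaves only base braking; an open circuit on the pressure sensor satisfies no function and the system is immobilized. The ten-loop schedule performs ten selections although only two distinct availability states ever occur.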