The present invention generally relates to a method and an apparatus for monitoring the control of operational sequences in a vehicle, and more particularly relates to a method and an apparatus for monitoring the program sequence of safety-critical functions by redundant hardware.
In the context of safety-critical real-time applications of the control of operational sequences in a vehicle, it may be desirable for the underlying hardware to be monitored during operation. Complete discovery of all static and dynamic hardware faults may not be possible with acceptable effort, so that the software which implements the actual functioning of the operation is monitored along its safety-critical data flows and control flows. This may occur on the one hand via hardware-proximate monitoring and on the other hand by monitoring at the functional level.
Hardware-proximate monitoring may be accomplished by monitoring the processor using hardware-proximate testing and by the use of redundant hardware.
Monitoring at the functional level may be accomplished by monitoring those regions of the volatile memory (e.g. RAM) that represent the internal state of the function, and by monitoring those regions of the nonvolatile memory (e.g. ROM) that contain the actual program code of safety-critical functions (memory test). In addition to the aforesaid memory test of the volatile and nonvolatile memories, monitoring at the functional level may be accomplished by redundant execution of safety-critical functions, and by monitoring the correct program sequence of safety-critical functions using redundant hardware.
Only when all these items have been complied with may it be assumed that the software will be correctly executed on the processor during vehicle operation. Individual safety concepts related thereto may be discussed in Draft Standard IEC 1508, Part 7, Appendix C.9.3, "Logical monitoring of program sequence."
German Published Patent Document No. 198 26 131 discusses a program sequence monitor or program sequence monitoring system that may operate synchronously with a defined monitoring framework. On the basis of a test word or test datum (hereinafter called a "query") that is transferred from the redundant hardware, the program sequence monitoring system may calculate a subresponse which may be combined with the subresponse of the command test that monitors the processor in hardware-proximate fashion to yield a complete response to the redundant hardware. The response may then be checked by the redundant hardware (hereinafter called the "monitoring module"). In the event of a fault, the fault debounce system may be activated; after it has executed, a fault reaction may be triggered. Therefore, in the event of a correct subresponse, the program sequence monitoring system may ensure that individual subfunctions are all invoked at the stipulated frequency and are all terminated. However, a guarantee may not be provided that the functions are invoked in the correct order in terms of the control flow, i.e. their sequence with respect to the run time. Program execution may thus be only incompletely monitored by the processor.
The same is true of German Published Patent Document No. 41 11 499, which describes a control system for a vehicle having a microcomputer and a monitoring module that may be embodied as a gate array. The monitoring module may perform an execution check of the microcomputer; both of them process signal values in the context of a query-response interaction in a defined monitoring framework synchronously with the timing framework of the program sequence monitor, and by comparison of the results of that processing, the monitoring module may draw conclusions as to correct or faulty operation of the microcomputer.
German Published Patent Document No. 44 38 714 also describes a method and an apparatus for controlling a drive unit of a vehicle, in which, for performance control, only one microcomputer may be provided for the execution of control functions and monitoring functions. At least two mutually independent planes may be defined in the microcomputer, a first plane executing the control functions and a second plane executing the monitoring functions. An active watchdog that performs the sequence monitoring may be used as a query-response interaction.
In the disclosed safety concepts, communication between the monitoring module and the processor may be accomplished in a fixed timing framework synchronously with the program sequence monitor. This may mean that the existing methods and associated apparatuses may synchronize to a specific, defined monitoring framework. As a result, for example, it may not be possible for safety-critical functions that are activated at a point in time or in a timing framework (sequence of equidistant points in time) that is asynchronous with the monitoring framework to be incorporated into the program sequence monitoring system or program sequence monitor. In particular, sporadically activated safety-critical functions, in particular sporadic safety-relevant control functions, may not be monitored in this fashion. Thus, existing methods and associated apparatuses may not consistently yield complete, uninterrupted monitoring of the program sequence of the control functions.
Achieving continuous, complete, and uninterrupted monitoring of all safety-critical functions may be desirable.
In order to allow mutual time-related monitoring, according to the present invention, communication between the monitoring module and the processor may be based on independent time references. In addition, a method according to the present invention and an associated apparatus may be asynchronous with a defined monitoring framework or the timing framework of the program sequence monitor, thus permitting continuous, complete, uninterrupted time-related and functional monitoring of all safety-critical functions. Even sporadically activated safety-critical functions, in particular, may thus be monitored. In this context, a function is called "sporadic" if an upper and a lower time limit for activation of the function may be indicated.
This may result in a method and an apparatus for monitoring the control of operational sequences in a vehicle, in which control functions are executed in a control unit and monitoring functions that monitor the control functions are also executed. The following steps may be performed: a monitoring module transfers at least one query to the control unit; a first monitoring function, in particular a sequence monitor, provided in the control unit calculates a subresponse to the query in a second definable timing framework; the control unit creates, from at least one subresponse, a response to the monitoring module, creation of the response being activated in a definable first timing framework; the control unit transfers the response to the monitoring module; and the monitoring module, as a function of the response, detects faults regarding execution of the control functions. The first and the second timing frameworks are asynchronous with one another.
The result may be complete and continuous monitoring of safety-critical functions in the context of the asynchronous correlation, according to the present invention, between the monitoring framework and response creation. Defined fault latency times may be complied with via the asynchronicity between program sequence monitoring and response creation.
Because of the independence of the two timing frameworks, i.e. the asynchronicity of the method according to the present invention, represented by the order of the response creation activation times with respect to the monitoring framework or the program sequence monitor timing framework, response creation may be activated in a permanently predefined first timing framework, in which context the query may be transferred in event-controlled fashion, for example initiated by function calls or controlled by the end of a function processing action, or in a third timing framework that is independent of the first and/or second timing framework.
As a result, and because of the independence of the time references, the method and the apparatus may allow the incorporation of a quasi-random test word, as a query, into the calculation of the program sequence monitoring system's subresponse. In this way a changing program sequence monitoring system subresponse may be generated, and actual processing of the monitored functions, in particular of the control functions, may be ensured. Without incorporation of a changing test word, i.e. a query, a processor fault that leaves the subresponse at a constant value may disable the program sequence monitoring system; this may be prevented by a method according to the present invention, by incorporation of the query and by looping through the fault state, in which the incorrect subresponse is transferred as the initial value into the next subresponse calculation.
The control functions may be executed in a first functional plane of the control unit and the monitoring functions in a second and a third functional plane of the control unit, at least the first and the second functional planes being independent of one another as long as no faults are detected. Redundant data paths may be thereby made available.
At least one monitoring region may be created from the control functions of the first functional plane, in such a manner that selectable functions which form a sequence that is constant with respect to the run time of the control of the operational sequences are combined in the at least one monitoring region. Subresponses are created using the monitoring regions. The method may thus additionally monitor the monitoring regions in time-related fashion via their subresponse based on the test datum or query, since they may be activated at least once within the monitoring framework. In the event of a system overload, the subresponse therefore may not be created at the proper time, and the incorrect response resulting therefrom may be detected by the monitoring module as a fault or fault state.
The response may be created in the third functional plane from subresponses of different monitoring functions of the control unit. The corresponding monitoring functions which create individual subresponses may be contained in any functional planes.
According to the present invention, the correctness of the program sequence may thus be ensured in functional terms as follows: the frequency of function calls may be monitored; the order of the function calls as a sequence may be monitored; and correct execution of the function and/or functions, with correct starting and termination thereof, may be ensured.
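As an added illustration, not code from the patent, the following Python simulation collapses the query/response exchange, the chained subresponse that latches a fault state, and the order and frequency checks of one monitoring region into a single loop. The hash-based subresponse, the `mark` entry hook, the linear-congruential query source and the sample call traces are all assumptions constructed here, since the text does not specify how a subresponse is computed.

```python
import hashlib
from itertools import count


class SequenceMonitor:
    """Control-unit side (second timing framework): records the order in which
    the functions of one monitoring region are entered and folds that trace,
    the current query and the previous subresponse into the next subresponse.
    Chaining the previous value in is what carries a fault into later cycles."""

    def __init__(self):
        self.trace = []      # function ids entered since the last subresponse
        self.state = 0       # last subresponse, initial value for the next one

    def mark(self, fid):     # hypothetical hook at the entry of each monitored function
        self.trace.append(fid)

    def subresponse(self, query):
        data = bytes([query]) + self.state.to_bytes(4, "big") + bytes(self.trace)
        self.trace = []
        self.state = int.from_bytes(hashlib.sha256(data).digest()[:4], "big")
        return self.state


class MonitoringModule:
    """Redundant hardware: issues a changing query and checks the response against
    a reference model that replays the expected call order with the same query."""

    def __init__(self, expected, seed=7):
        self.expected = list(expected)
        self.ref = SequenceMonitor()
        self.counter = count(seed)

    def next_query(self):                        # toy stand-in for a quasi-random test word
        return (17 * next(self.counter) + 3) % 256

    def check(self, query, response):
        for fid in self.expected:
            self.ref.mark(fid)
        return response == self.ref.subresponse(query)


def run_cycles(observed_orders, expected=(1, 2, 3), stuck=None):
    """One monitoring cycle per entry of observed_orders (constructed call traces).
    Returns True (correct response) or False (fault) per cycle. If `stuck` is given,
    the control unit answers that constant instead of a fresh subresponse, modelling
    a processor fault that freezes the subresponse."""
    mm, sm, results = MonitoringModule(expected), SequenceMonitor(), []
    for order in observed_orders:
        q = mm.next_query()                      # query transferred to the control unit
        for fid in order:                        # control functions run in their own framework
            sm.mark(fid)
        resp = sm.subresponse(q) if stuck is None else stuck
        results.append(mm.check(q, resp))        # response transferred back and checked
    return results
```

A wrong call order, a missed activation within a monitoring cycle, or a frozen constant response each yields False, and because the previous subresponse seeds the next one, the fault stays visible in later cycles until the module is reset.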