The present invention relates to a method of error detection of microprocessors in control units of an automotive vehicle.
Methods of this type have already become known to the applicant wherein a microprocessor and/or a data bus are monitored by means of a watchdog circuit. It is monitored cyclically by a watchdog circuit to determine if signal pulses appear, i.e., whether data are sent. In the absence of signal pulses, an error is detected. Further, it is known in the art to furnish control units with two microprocessors which process in parallel determined controlling or regulating tasks. A comparison of the results produced by the two microprocessors will also permit detection of an error in case of discrepancies in the results.
Compared thereto, an object of the present invention is to improve a monitoring system by rendering it possible that this monitoring system requires as few component parts as possible and, additionally, provides maximum reliable results in error detection.
According to the present invention, this object is achieved because the watchdog circuit compares the signals output by the microprocessor with predetermined signal patterns, and an error is detected when the signals output by the microprocessor are not concurrent with one of the predetermined signal patterns.
Compared to the use of a watchdog circuit in the prior art, it is favorable in this invention in that not only a check is made as to whether signals are sent at all, but that it is also checked whether the signals indicate a possible error. This is because a comparison of the prevailing to a plausibility test. Advantageously, it is possible to detect an error with signals still being sent.
Further, in the method according to the present invention, the data necessary for performing at least part of the controlling or regulating task of a control unit are sent from this first control unit by way of the data bus to the at least one further control unit. Corresponding to the controlling or regulating method in the first control unit, the data to be determined and, if necessary, output by the first control unit are reproduced by the at least one further control unit, and an error is detected when the data determined in the first control unit differ from the data determined in the at least one further control unit.
This method permits an especially adequate test for possible errors by parallel checking at least part of the processing of the first control unit. The effort needed for sending data to the at least one further control unit is limited in as far as data are not supplied to the control unit directly by the sensors. Instead, the data are relayed from the first control unit via the data bus which is already provided. Also, the number of components required in this method is minimized because it is not necessary to provide another microprocessor, which does not have other functions, for checking the function of one microprocessor. Rather, a function test can be performed by a microprocessor having its main task in the control or regulation of another quantity. It is possible to have the controlling or regulating task parallel processed on a second microprocessor in full, with the second microprocessor""s main function including the control or regulation of another quantity so that this microprocessor is arranged in another control unit, or to have only safety-relevant parts of the controlling or regulating task operate in parallel for checking purposes.
In a preferred embodiment, the data necessary for performing at least part of the controlling or regulating task of the first control unit are also supplied to at least one further control unit. Corresponding to the method with respect to controlling or regulating in the first control unit, the data to be determined and, if necessary, output by the first control unit are reproduced by the at least one further control unit, and an error is detected when the data determined in the first control unit differ from the data determined in the at least one further control unit.
This method differs from the other preferred methods in that the data are directly sent to the at least one further control unit. Admittedly, this increases wiring efforts and structure but also improves the scope of performance. For example, it is also possible to find out processing errors which are due to a faulty connection between e.g. a sensor and the control unit. The cause of such a faulty connection may be a wrong wiring connection or also corroded contacting, for example. Further advantages are achieved when the defective control unit shall be deactivated and said""s controlling or regulating task shall be taken over by the at least one further control unit. When the at least one further control unit receives the data from the first control unit, these data are no longer available after deactivation of the first control unit.
In a preferred embodiment, the data to be output by the first control unit are sent from the first control unit to the at least one further control unit by way of the data bus.
Checking and comparing the data is then performed in the at least one further control unit.
Also disclosed is a method for outputting the data by the first control unit and transmitting this data by way of the data bus from the at least one further control unit to the first control unit.
Checking and comparing the data is then performed in the first control unit. Preferably, the data being output are combined as check sums.
Advantageously, the quantity of data which must be transmitted by way of the data bus is reduced by producing these check sums from the data (e.g. by producing sums of digit, or the like). This is especially important in a great number of control units which perform mutual tests. The determined data are subjected to a plausibility test.
When a discrepancy in the data determined by two control units is detected, it may under certain circumstances be found out by way of a plausibility test which one of the control units has a malfunction. For example, a plausibility test may include that defined limit values are predetermined for defined quantities, and these quantities must range within these limits.
Preferably, the data to be determined by the first control unit are checked by at least two further control units. In this check, that control unit is identified as having a malfunction whose determined data differ from the determined data of the other control units, provided these determined data are concurrent.
When the data of several control units are concurrent, there is an extraordinary likelihood that the control units operate without malfunctions. In case of need, this criterion may still be linked to a plausibility test. Upon detection of an error, the control unit is deactivated. Favorably, the output of wrong control variables can thereby be avoided.
Preferably, the controlling or regulating task of the deactivated control unit is taken over by at least one further control unit. Advantageously, this maintains the function. The defective control unit may be overhauled during the next workshop service.