DE 10 2004 036 087 A1 describes such a control system. This control system provides different operating modes to enable a specific adaptation of the functional components to a respective known operating situation. The operating modes include an inclement weather mode, an off-road mode, a mountain mode, and a freeway mode. The valid operating mode is transmitted with a data bus protocol without directly addressing a receiver. The operating modes are thereby independent of the configuration of different vehicle models. For this reason, the components that transmit the operating mode are not aware of the number and type of receiving components. The settings of the functional components corresponding to each operating mode are stored in the control units. The control system thereby enables an adaptation of the functionality to external conditions that are detected by sensors and represented by sensor data. A problem is that the detected sensor data may be faulty. This control system is not concerned with the recognition of faulty sensor data or other system errors.
The so-called Safety Requirement Steps of IEC 61508, also known as Safety Integrity Levels (SIL), are intended for evaluating the reliability of safety functions of electrical and programmable electronic systems. Derived standards such as ISO 26262 use the abbreviation ASIL for the automotive field. The safety integrity level represents a measure of the functional safety of a system as a function of the risk and danger that may result from system operation. Functions or processes with lower risk are designed with a safety margin having a lower safety integrity level than processes with higher risk.
The overall approach of conventional safety concepts in the case of a relevant fault or malfunction is to switch to a safer state. This means that at least some safety-critical receivers of sensor data lose their entire functionality. The absence of a degradation concept is detrimental here. Instead, in a situation where the functional safety is no longer sufficient for a specific data receiver, the functions and/or receivers connected to the sensor should not be shut off immediately.
Up to now, safety concepts for an electronic sensor have, in the case of a detected error that may impair the highest safety integrity level specified for an overall function, inhibited the usability of the sensor information, for example by a radical shutdown of the sensor. As a result, other functions that depend on the same sensor information also cease to work, because information about the remaining safety integrity level of the delivered sensor information is missing. Without this information, the proven, standard-conforming safety integrity level is reduced to null and safety-critical applications have to at least partially discontinue their operation. Valuable availability is thereby lost.
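The contrast between a radical sensor shutdown and a degradation concept can be made concrete in code. The following is an added illustration, not the method of the patent or of DE 10 2004 036 087 A1: a sensor frame is broadcast without addressing a receiver and carries the integrity level the sensor can still vouch for after its self-diagnostics, and each receiver compares that level with its own requirement. The ASIL ordering follows ISO 26262, but the fault-to-level mapping, the receiver names and their required levels are constructed assumptions for the example.

```python
"""Constructed illustration: a sensor frame that carries its remaining safety
integrity level, and receivers that degrade individually instead of all losing
function when the sensor is shut down on the first detected fault."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional


class Asil(IntEnum):
    """ISO 26262 ASIL ordering, used here only for comparison (QM = no ASIL requirement)."""
    QM = 0
    A = 1
    B = 2
    C = 3
    D = 4


@dataclass(frozen=True)
class SensorFrame:
    """Bus frame broadcast without addressing a receiver."""
    value: float
    integrity: Asil          # remaining integrity level the sensor can vouch for
    faults: tuple = ()       # diagnostic findings that led to the downgrade


# Constructed mapping: which self-diagnostic finding caps the frame's integrity.
# The levels are illustrative assumptions, not values taken from any standard.
FAULT_CAP = {
    "crc_mismatch": Asil.QM,               # payload cannot be trusted at all
    "redundant_channel_disagree": Asil.A,
    "plausibility_out_of_range": Asil.B,
    "temperature_drift_warning": Asil.C,
}


def assess_frame(raw_value: float, findings: List[str], rated: Asil = Asil.D) -> SensorFrame:
    """Downgrade the sensor's rated integrity to the lowest cap among the detected faults."""
    integrity = rated
    for finding in findings:
        # An unknown finding is treated conservatively: trust nothing.
        integrity = min(integrity, FAULT_CAP.get(finding, Asil.QM))
    return SensorFrame(value=raw_value, integrity=integrity, faults=tuple(findings))


@dataclass
class Receiver:
    """A consumer function with its own required integrity level and safe state."""
    name: str
    required: Asil
    value: Optional[float] = None
    state: str = "running"

    def consume(self, frame: Optional[SensorFrame]) -> None:
        if frame is None or frame.integrity < self.required:
            # Integrity insufficient for this function: only this function goes to its safe state.
            self.value = None
            self.state = "safe_state"
        else:
            self.value = frame.value
            self.state = "running"


def conventional_dispatch(frame: SensorFrame, receivers: List[Receiver]) -> Dict[str, str]:
    """Prior approach: any detected fault inhibits the sensor information for every receiver."""
    delivered = None if frame.faults else frame
    for receiver in receivers:
        receiver.consume(delivered)
    return {r.name: r.state for r in receivers}


def graded_dispatch(frame: SensorFrame, receivers: List[Receiver]) -> Dict[str, str]:
    """Degradation concept: each receiver decides from the frame's remaining integrity level."""
    for receiver in receivers:
        receiver.consume(frame)
    return {r.name: r.state for r in receivers}


def make_receivers() -> List[Receiver]:
    """Constructed consumers of one sensor signal with differing integrity requirements."""
    return [
        Receiver("emergency_braking", Asil.D),
        Receiver("stability_control", Asil.C),
        Receiver("adaptive_cruise", Asil.B),
        Receiver("trip_computer", Asil.QM),
    ]


if __name__ == "__main__":
    frame = assess_frame(42.0, ["plausibility_out_of_range"])
    print("frame integrity:", frame.integrity.name)
    print("conventional:", conventional_dispatch(frame, make_receivers()))
    print("graded:      ", graded_dispatch(frame, make_receivers()))
```

With a plausibility fault that caps the frame at ASIL B, the conventional dispatch puts all four functions into their safe state, whereas the graded dispatch keeps the two functions whose requirement is B or lower running and degrades only the two that need C or D. The receivers never need to be addressed by the sensor; the decision is made locally from the level carried in the frame.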