The invention pertains to a method for controlling an internal combustion engine, to a switchover device for use in controlling an internal combustion engine, to an arrangement for controlling an internal combustion engine, and to an internal combustion engine.
Methods and arrangements of the type considered here are known. An engine control unit is provided, which generates at least one control signal to actuate at least one function of the internal combustion engine, typically many or even all of the functions of the internal combustion engine. If, however, a malfunction occurs in the engine control unit, in the sensors functionally connected to the engine control unit, or in the wiring, namely, a malfunction which endangers the proper operation of the internal combustion engine, such a situation cannot be dealt with or at least not dealt with seamlessly or not with the desired reliability.
Especially in the case of internal combustion engines configured as common-rail engines, in particular as common-rail diesel engines, the manner in which they are built leads to the problem that only a single set of actuators can be installed for the required automatic control circuits, such as the circuits for automatic rpm or speed control and/or for automatic high-pressure control for the high-pressure accumulator and especially for the rail of the injection system; that is, a redundant set of actuators cannot be provided. If, therefore, automatic controllers or engine control units offering redundancy to each other are to be provided to deal with a malfunction or a failure of a controller, all of these controllers or control units must be connected to a single set of actuators, namely, to a single actuator system, but they do not have the ability to influence each other. In addition, when responsibility for control is transferred from a first controller to a second controller, the interruption which occurs in the activation of the actuators must not exceed a very short period of time, such as approximately 100 ms, which is the maximum length of time that the internal combustion engine can still operate even under full load without significant speed undershoot and at the same time without an excessive increase in the high-pressure level to the point at which a pressure-relief valve would be triggered. At the same time, it should be possible to install the complete automatic control system with the redundant engine control units on the internal combustion engine itself; that is, it should be engine-mountable.
A switching arrangement for an automatic motor vehicle control system, especially a system for automatic brake control, is known from European Patent EP 0 979 189 B1. The arrangement comprises two redundant microprocessor systems, wherein all of the input data are sent to each microprocessor system directly via communications units, which connect the individual microprocessor systems to each other. When one of the microprocessor systems fails, an emergency function is implemented in such a way that an actuator activation system is connected to the independent microprocessor system. For this purpose, the defective microprocessor system sends an error signal in the event of a malfunction. This is disadvantageous, because a complete failure of the microprocessor system can lead to the situation that not even the error signal itself can be sent. In this case, the malfunction remains unnoticed and cannot be dealt with.
A method for operating a network and a network are known from European Patent EP 2 418 580 B1, wherein two redundant control units are provided. One of the control units functions as a primary control unit, and the other control unit serves as backup. The primary control unit transmits synchronization signals at regular intervals to the backup control unit. In addition, it sends activity signals at regular intervals to an actuated peripheral device. If a malfunction occurs, the primary control unit stops sending synchronization signals, as a result of which the backup control unit, which is now no longer receiving synchronization signals, checks to see whether the peripheral device has received an activity signal from the control unit within another predetermined period of time. If this is not the case, it is concluded that the primary control unit has failed, whereupon the backup control unit takes over the control responsibility. The disadvantage here is that the backup control unit must carry out a two-stage check: in a first step, it must determine that no more synchronization signals are being received; in a second step, the peripheral device is checked to determine whether it is still receiving the activity signal from the primary control unit. This procedure is comparatively complicated and is also too slow.
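The two-stage check described above can be stepped through in a small simulation to see how the two waiting periods add up against the approximately 100 ms interruption limit. This is an added example, not code from either cited patent or from the invention; the timing values and the assumption that synchronization and activity signals share one period are constructed for illustration.

```c
#include <stdio.h>

#define BUDGET_MS 100  /* actuator interruption limit stated on the page */

/* Constructed timing values: the page gives none for the prior-art scheme. */
typedef struct {
    int period_ms;          /* primary emits sync + activity signals */
    int sync_timeout_ms;    /* stage 1: tolerated silence on the sync line */
    int activity_window_ms; /* stage 2: further wait for an activity signal */
} timing_t;

/* Steps the backup unit in 1 ms ticks. Sync signals stop at sync_stop_ms and
   activity signals at act_stop_ms. Returns the ms from act_stop_ms to
   takeover, or -1 if the backup never takes over before horizon_ms. */
int takeover_latency_ms(timing_t t, int sync_stop_ms, int act_stop_ms,
                        int horizon_ms)
{
    int checking = 0;  /* 0 = stage 1 (watch sync), 1 = stage 2 (ask peripheral) */
    int last_sync = 0, last_activity = 0, stage2_start = 0;

    for (int now = 0; now < horizon_ms; now++) {
        if (now % t.period_ms == 0) {
            if (now < sync_stop_ms) last_sync = now;     /* seen by backup */
            if (now < act_stop_ms) last_activity = now;  /* seen by peripheral */
        }
        if (!checking) {
            if (now - last_sync > t.sync_timeout_ms) {
                checking = 1;
                stage2_start = now;
            }
        } else if (last_activity >= stage2_start) {
            checking = 0;              /* primary alive, only sync was lost */
        } else if (now - stage2_start >= t.activity_window_ms) {
            return now - act_stop_ms;  /* primary judged failed: take over */
        }
    }
    return -1;
}

int main(void)
{
    timing_t fast = {10, 25, 50}, slow = {20, 50, 60};
    int a = takeover_latency_ms(fast, 1001, 1001, 5000);
    int b = takeover_latency_ms(slow, 1001, 1001, 5000);
    int c = takeover_latency_ms(fast, 1001, 9999, 5000);
    printf("fast: %d ms, slow: %d ms (budget %d ms), sync-only loss: %d\n",
           a, b, BUDGET_MS, c);
    return 0;
}
```

The takeover delay is the sum of the stage-1 timeout and the stage-2 window, so with the slower constructed timing the backup acts only after the limit has passed, while a loss of the synchronization line alone never triggers a takeover.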