A restraint system of a motor vehicle, for example an airbag, evaluates acceleration signals from sensors in a control unit during a collision or crash, in order to trigger a restraint device such as the airbag in a suitable manner. The control unit furthermore supports various monitoring devices in order to prevent the risk of improper triggering. This is accomplished by a “plausibilization” by way of a redundant hardware section constituting a detection device, so that a triggering decision cannot be taken solely by the control unit's software.
This redundant hardware section can be embodied in a variety of versions. The range of possibilities extends from a simple reed contact (Hamlin sensor), which enables triggering of the airbag only once a specific acceleration value has been exceeded, to a complex hardware logic that evaluates sensor acceleration values in a manner similar to crash detection by a software algorithm. This ensures that triggering is enabled only if a collision is detected and plausibilized by the hardware section, i.e. the redundant detection device.
A further element of the safety concept is a monitoring device for the program sequence in the microcontroller of the control unit, known as a “watchdog.” It is intended to detect a fault condition of the microcontroller as promptly as possible, in order to prevent uncontrolled actions by the control unit. The watchdog's hardware must be operated regularly, in a predefined fixed timing pattern, by the program executing on the microcontroller. If that does not happen, interception actions are initiated, for example inhibition of the airbag triggering sections or a reset of the microcontroller.
In the motor vehicle's normal driving mode, it is predominantly “background programs” that run on the microcontroller of the control unit. In this phase, the software algorithm in the control unit requires little calculation time for crash detection. Upon the occurrence of a collision and for the duration of that crash, the calculation time for the software in the control unit increases significantly as a result of the crash detection and evaluation. With a conventionally designed monitoring device, i.e. watchdog, the timing pattern, which constitutes a threshold value, must be set so that even during the collision and for its duration the watchdog can be operated at the correct time by the program executing on the microcontroller, allowing crash evaluation processing to proceed without interference.
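The timing constraint described above, as an added C simulation that is not part of the original text: a watchdog with a fixed threshold is run against a short normal-driving program cycle and a longer crash-evaluation cycle. The cycle times, the thresholds and all names (`simulate`, `watchdog_t`, `wd_service`, `wd_tick`) are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed cycle times in ms (assumptions, not values from the text). */
enum { NORMAL_LOOP_MS = 1, CRASH_LOOP_MS = 4 };

typedef struct {
    uint32_t timeout_ms;  /* fixed threshold of the timing pattern */
    uint32_t elapsed_ms;  /* time since the program last serviced it */
    bool inhibited;       /* interception action: firing stages blocked */
} watchdog_t;

/* Program side: servicing restarts the window unless already latched. */
static void wd_service(watchdog_t *wd) {
    if (!wd->inhibited) wd->elapsed_ms = 0;
}

/* Hardware side: 1 ms passes; latch the interception action on expiry. */
static void wd_tick(watchdog_t *wd) {
    if (++wd->elapsed_ms > wd->timeout_ms) wd->inhibited = true;
}

/* Run `loops` program cycles of `loop_ms` each, servicing the watchdog at
 * the end of every cycle. If hang_at >= 0 the program stops servicing from
 * that cycle on (simulated microcontroller fault). Returns the time in ms
 * at which the watchdog intervenes, or -1 if it never does. */
int simulate(uint32_t timeout_ms, uint32_t loop_ms, int loops, int hang_at) {
    watchdog_t wd = { timeout_ms, 0, false };
    int now = 0;
    for (int i = 0; i < loops; i++) {
        for (uint32_t t = 0; t < loop_ms; t++) {
            wd_tick(&wd);
            now++;
            if (wd.inhibited) return now;
        }
        if (hang_at < 0 || i < hang_at) wd_service(&wd);
    }
    return -1;
}

int main(void) {
    printf("tight threshold, normal driving: %d\n", simulate(2, NORMAL_LOOP_MS, 100, -1));
    printf("tight threshold, crash load:     %d\n", simulate(2, CRASH_LOOP_MS, 100, -1));
    printf("crash-sized threshold, crash:    %d\n", simulate(5, CRASH_LOOP_MS, 100, -1));
    printf("crash-sized threshold, hang:     %d\n", simulate(5, NORMAL_LOOP_MS, 100, 10));
    return 0;
}
```

In this model a threshold sized for the normal-driving cycle inhibits triggering in the middle of crash evaluation, while a threshold sized for the crash cycle lets evaluation run and still catches a program that stops operating the watchdog.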