Different concepts for designing a control unit to be safe against individual errors or to be intrinsically safe are known. Known ESP/ABS control units, for example, perform monitoring using the two-computer method, the functional software being computed simultaneously on a second, mostly identical computer and the results of both computers being compared. This method is known to be intrinsically safe. It is, however, expensive, due to the use of two computers.
German Patent Application No. DE 44 38 714 describes a method and a device for controlling a propulsion unit of a vehicle. Only one computing element is used here for performance control, this element performing both control functions and monitoring functions. At least two independent levels are defined in the computing element for this purpose, a first level performing the control function and a second level performing the monitoring function.
Another known, advantageous possibility to achieve intrinsic safety of a control unit is monitoring using the three-level method. In this method the second computer is replaced by a more advantageous monitoring module.
Today's engine control units monitor ETC/EGAS systems according to the three-level method. The engine control unit here includes a function computer and a monitoring module, known as a watchdog. The function computer and the monitoring module communicate via question-answer communication and have separate shut-off paths. In the three-level method, level 1 is the actual function software, which is required for operating the engine. Level 1 is executed on the function computer. On level 2, which is also executed on the function computer, a permissible torque is compared with an actual engine torque based on a simplified engine model. Level 2 is executed in a hardware area secured by level 3. Components of level 3 include the instruction test, the program sequence control, the A/D converter test, as well as cyclic and complete memory tests. In current ETC/EGAS systems, the entire function and monitoring software is located in a single control unit.
It must be taken into account that, with the increasing number of control units in the vehicle, the need for trans-controller software for smart, overall regulation of different systems increases.