German Published Patent Application No. 198 26 131 discusses a distributed safety-related system as an electric brake system of a motor vehicle. Components of this system are configured as the brakes of the motor vehicle, i.e., more precisely, as actuators for triggering the brakes. Such a system is extremely safety-related, because faulty triggering of the components, i.e., faulty actuation of the brakes, may result in an unforeseeable safety risk. For this reason, the possibility of faulty triggering of the components must be ruled out reliably.
Features of the conventional brake system include a pedal module for central determination of the driver's intent, four wheel modules for wheel-individualized regulation of the brake actuators, and a processing module for calculating higher-level brake functions. Communication among individual modules may occur through a communication system. FIG. 2 of the present patent application shows the internal structure of a wheel module including various logic levels as an example. Logic level L1 includes at least the calculation of the control and regulating functions for the wheel brakes, while logic levels L2 through L4 include different functions for computer monitoring and function testing of L1.
Triggering of the brakes, i.e., the electric motors for actuating the brake shoes, includes the following steps for each wheel module equally:
a) Determining at least one triggering signal (f_1) for the brake by a first microcomputer system (R_1A) as a function of at least one input signal (a_R2, a_R3, a_R4; a_V,ref; s_R2, s_R3, s_R4; Δs_V,ref; v_F; n_1; d_1; F_1i; a_R1; s_R1). The input signals are made available to the microcomputer system (R_1A) via a communication system (K_1), e.g., a bus system.
b) Determining at least one logic triggering signal (e_1H). The logic triggering signal (e_1H) is determined at least partially by a monitoring unit (R_1B), which is independent of the first microcomputer system (R_1A), as a function of the at least one input signal.
c) Comparing the at least one triggering signal (f_1) with the at least one logic triggering signal (e_1H) in a power electronics unit (LE_1K).
d) Determining at least one enabling signal (within the power electronics LE) as a function of the result of the comparison of the triggering signal (f_1) and the logic triggering signal (e_1H); and
e) Relaying the at least one triggering signal (f_1) or a signal (i_1K) which depends on the triggering signal (f_1) to the brake, i.e., to an actuator Akt_1 for the brake shoes if the at least one enabling signal has a preselectable value.
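Steps a) through e) above, as an added example that is not part of the patent text: a C model of one wheel module in which the actuator is driven only when the independently derived signal agrees with the computed one. The input structure, the proportional law in r1a_trigger, the boolean form of e_1H, the activity comparison and the zero output when not enabled are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed input: one demand value standing in for the input signals
 * delivered over K_1 (assumption, not the patent's signal set). */
typedef struct { int16_t decel_demand; } inputs_t;

/* Step a: R_1A computes triggering signal f_1 (assumed proportional law).
 * stuck_fault models a faulty R_1A that commands braking regardless. */
int16_t r1a_trigger(const inputs_t *in, bool stuck_fault)
{
    if (stuck_fault)
        return 1000;
    return (int16_t)(in->decel_demand * 10);
}

/* Step b: R_1B derives e_1H independently from the same input
 * (assumed form: true when any braking is plausible). */
bool r1b_logic_trigger(const inputs_t *in)
{
    return in->decel_demand > 0;
}

/* Steps c and d: LE_1K compares f_1 with e_1H and derives the enable.
 * Assumed comparison: "f_1 is active" must match e_1H. */
bool le_enable(int16_t f_1, bool e_1H)
{
    return (f_1 != 0) == e_1H;
}

/* Step e: relay f_1 only if the enable has the preselected value (true);
 * otherwise the actuator is not driven (assumed as 0). */
int16_t wheel_module_step(const inputs_t *in, bool r1a_fault)
{
    int16_t f_1 = r1a_trigger(in, r1a_fault);
    bool e_1H = r1b_logic_trigger(in);
    return le_enable(f_1, e_1H) ? f_1 : 0;
}

int main(void)
{
    inputs_t braking = { 50 }, idle = { 0 };
    printf("normal braking: %d\n", wheel_module_step(&braking, false));
    printf("idle, R_1A ok:  %d\n", wheel_module_step(&idle, false));
    printf("idle, R_1A bad: %d\n", wheel_module_step(&idle, true));
    return 0;
}
```

The activity-only comparison assumed here blocks an unrequested actuation but would not catch a wrong magnitude while braking is legitimately demanded.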
The monitoring unit (R_1B) detects systematic (common mode) faults. One example of such a fault is a fault in the power supply. With the conventional brake system, the monitoring unit (R_1B) is configured as an independent microcomputer system. As an alternative, however, the monitoring unit (R_1B) may also be configured as a hardware module without its own processor, so that it is capable of executing concrete logic functions or, if it includes a register, it may even execute switching functions. Examples of such a hardware module are an ASIC (application-specific integrated circuit), an FPGA (field-programmable gate array) or a monitoring circuit (watchdog).
Other systems provide that logic level L4 is always implemented in a separate component, which must also be provided multiple times within the distributed safety-related system—e.g., in wheel modules of an electric brake system.
It is an object of the present invention to simplify the configuration of a distributed safety-related system while at the same time at least retaining the safety that is achievable on enabling the components.
To achieve this object, the present invention describes, starting with the method of the type defined in the preamble, that the functions of the monitoring unit be fulfilled by the communications controller.