Monitoring the reliability-relevant characteristics of systems, for example internal combustion engines, is today guaranteed by a level structure, which is mapped to the reliability-relevant scope of functions of the system in the control device. An example is the EGAS (electronic gas pedal) monitoring concept according to the recommendations of the EGAS-AK of the VDA (Association of the German Automotive Industry).
Such a purely level-oriented concept is complicated both in the case of software structures, the provision of which is distributed among different software suppliers, and in the case of distributed hardware structures, for example in the case of parallel or redundant structures, in which parts of the reliability-relevant functions are carried out in each case. In addition, the EGAS monitoring concept makes provision for independent hardware for monitoring the processor functions of the computer performing the functions. If different functions are carried out by different control devices, an independent hardware mechanism must be provided for monitoring each of these control devices, which results in considerably higher costs being incurred.
In the case of software structures, it has not yet been possible to satisfactorily resolve the synchronization and enabling or implementation of know-how problems, for example interface definitions for defining the monitoring structure. Distributed hardware structures are not yet being used widely, but will become increasingly important in the course of the so-called AUTOSAR initiative (Automotive Open System Architecture).
The grouping of functions, for example, ignition or injection, is at present undertaken in so-called units. In this way, it is for example possible to group together, in an organized manner, into one group called the DRRQ (driver request), the entire functionality concerned with the capture and the diagnosis of the driver's request via the accelerator pedal. This group also comprises the diagnosis of the gas pedal components. Because the function of capturing the driver's request is a reliability-relevant function, there has thus far been one module in a monitoring functional group concerned with the protection of the functions in the DRRQ unit. If the DRRQ functions are now supplied by another manufacturer as a product (black box) or if these functions are carried out in another control device (e.g. carbody controller), the technical and organizational synchronization of monitoring becomes difficult, if not completely impossible, because there are requirements with respect to time, for example real-time criteria, that may be damaged by an exchange of data between the control devices.
The object underlying the present invention is to find a new way in which to synchronize reliability-relevant structures in the face of restrictions on the side of the manufacturer or product-specific restrictions in the case of software development and hardware platforms.
This object is achieved by the inventions by means of the features of the independent claims. Advantageous embodiments of the inventions are described in the subclaims. The wording of all claims is herewith drafted with reference to the content of this description.
According to the invention, a control facility is proposed for a system of an internal combustion engine in particular. The control facility may consist of a plurality of microprocessors, a plurality of individual control devices or a single control device. As a rule it will be referred to below as the “control device”.
The control device comprises a plurality of functional units. Every reliability-relevant functional unit comprises at least one functional module and at least one monitoring module. The monitoring module is separate from the functional module and monitors the functioning of the functional module. The control device also comprises a higher-order monitoring functional group. The monitoring module has an entry point for communication with the higher-order monitoring functional group.
The modules can be implemented in hardware or software, perhaps as individual microcontrollers. An entry point can for example form or consist of an interface or program class, which is for example suitable for a parameter transfer or transfer in the sense of a transmission path.
The result is that intrinsically-safe structures are defined in accordance with the structure described above. The greater part of the monitoring is self-implemented by modules in the functional units. These monitoring modules communicate with the higher-order monitoring functional group.
The advantages of the inventive structure lie in the fact that a function as product is now always equipped with the monitoring structures associated therewith. Therefore, it is also possible for a provider of a function to keep secret a great deal of know-how, because said provider defines the monitoring structures himself. It is ensured, that the monitoring function (higher-order monitoring functional group) and the corresponding functions or functional units (e.g. DRRQ) are always synchronized with each other.
Even in the case of distributed hardware, the reliability-relevant functions and the monitoring associated therewith is consistently incorporated in the same hardware. This results in short signal paths between function and monitoring. This makes a rapid response behavior possible, i.e. short latency and high transmission reliability. In addition, should monitoring access to the hardware become necessary, for example an A/D converter or a timer, this is directly possible. This results in significant advantages in the real-time behavior.
The definition of intrinsically-safe functions allows these to be used optimally as far as organizational and technical aspects are concerned. In other words, adaptation losses during the development and hidden interpretation gaps are in particular already avoided in interface definitions, which are connected with the necessary know-how transfer in the case of conventional approaches.
In addition to the initiation of a central error processing or error reaction and its handling in the higher-order monitoring functional group, provision can also be made for the implementation of a structure of distributed error reactions. Thus far, when errors were identified in the engine control device, the error reaction for this facility was initiated globally, for example by switching off output-determining stages resulting in a switched-off engine or driving mechanism. Provision has been made in an advantageous manner that, on the occurrence of an error in one of the distributed control devices, for example in the gas pedal control device, the error information in the higher-order monitoring functional group or in the monitoring module can be evaluated in such a way with the DRRQ function, that only the specific faulty signal, for example, the pedal value, is set at a specific value, for example zero, and that the facility can otherwise be used with the remaining availability.
Furthermore, the reliability-relevant signals, in particular in the case of distributed control devices, can be transmitted in such a way that, for example, initially a transmitter and a receiver are defined for the transmission path between the specific monitoring module and the higher-order monitoring functional group. In addition, a reliable transmission can be defined in such a way that the sending control device for example always takes the responsibility for the reliability of the content of a message, a time stamp, or a measured value. Accordingly, the definition may determine that the receiving control device must in principle protect or check the plausibility of the transmission path. Therefore, the independent DRRQ unit, which for example sends the data content, is subsequently responsible for or authorizes the correctness of the content, for example by a suitable codification or an integrity check. The higher-order monitoring functional group is responsible for the operation of the transmission link, for example, for supplying an internal or an external data bus connection, for the signaling, for adhering to a transmission sequence, a time behavior or for similar functionalities.
Through the definition of intrinsically-safe functions according to the invention, it becomes possible to manufacture reliable functions or software as product in the sense of the Product Liability Act as well as support distributed hardware cells with reliable characteristics, also in the sense of a reliable product.
In addition, the definition of intrinsically-safe functions for example makes it possible to not only place or move a function together with its monitoring structures flexibly within a system, but also to keep these dynamically-relocatable in cross-linked systems even across so-called hardware boundaries, i.e. an engine control functionality can be moved into the transmission control functionality according to, for example, load-dynamic criteria of a network topology, with resources distributed across different areas.
The invention also allows a synchronized and a reliable development for an arrangement with reliability-relevant functions. The time to maturity is reduced and the costs are decreased.
An example of an embodiment of the present invention shows the essential, relevant functional groups of an EGAS engine control and its monitoring on the basis of the definition of intrinsically-safe functions.
The control facility can be structured in a very flexible manner. Provision can be made, in particular, for at least two reliability-relevant functional units, which can be regarded as stand-alone hardware components in each case. This means complete units or only individual functions, including their monitoring modules can be shifted across hardware boundaries. In this way, a distributed control facility is obtained.
The object of the invention is also achieved by a method. The individual procedural steps are described in detail below. The steps need not necessarily be carried out in the given order and the method can also have additional steps which have not been mentioned.
First of all a plurality of functional units are embodied to control the system, in which case the functional units are embodied in such a way that every functional unit contains a functional module and a monitoring module. The functional units are embodied in such a way that the monitoring module is separate from the functional module. A higher-order monitoring functional group is also embodied. The monitoring module has an entry point for communication with the higher-order monitoring functional group. The monitoring module monitors errors of the functional module. The monitoring module signals a detected error to the higher-order monitoring module using the entry point.
The scope of the invention moreover includes a computer program that, when run on a computer or on a plurality of computers of a computer network, executes the method according to the invention in one of its embodiments.
The scope of the invention furthermore includes a computer program with program code means in order to execute the method according to the invention in one of its embodiments when the program is run on a computer or on a plurality of computers of a computer network. The program code means can be stored, in particular, on a data carrier that can be read by a computer.
The scope of the invention in addition includes a data carrier on which a data structure has been stored, which after loading into a working memory and/or main memory of a computer or a plurality of computers of a computer network, can execute the method according to the invention in one of its embodiments.
The scope of the invention also includes a computer program product with program code means stored on a carrier that can be read by a machine in order to carry out the method according to the invention in one of its embodiments when the program is run on a computer or on a plurality of computers of a computer network.
In this case, a computer program product means the program as a tradable product. In principle, it can be provided in any form, in this way for example on paper or a data carrier that can be read by a computer and can be distributed in particular over a data transmission network.
Finally, the scope of the invention includes a modulated data signal, which comprises instructions that can be carried out by a computer system or by a plurality of computers of a computer network in order to execute the method according to the invention in one of its embodiments. Both a stand-alone computer and a network of computers are considered as a computer system, for example, an in-house, closed network or also computers that are connected with one another via the Internet. The computer system can also be realized via a client-server constellation, in which case parts of the invention run on the server and others on a client.
Further details and features of the invention emerge from the following description of preferred exemplary examples together with the subclaims. In this case, the specific features can be implemented on their own or as a number of features in combination with one another. The invention is not limited to the exemplary embodiments.
The exemplary embodiments are specified in the schematic diagrams. In the individual figures, the same reference characters refer to the same or functionally comparable elements and/or elements that correspond with one another with regard to their functions. The figures show:
The microcontroller 114 with its components implements its functions on the basis of the program stored in the OTP block 116. After the signals from the sensors and the set point devices 102, 104 have been processed in the microcontroller 114, the further signals flow from the microcontroller 114 via the connections 128, 130, 132, 134 and through the input/output ports 136, 138, 140, 142 to the different actuators 144 (e.g. ignition coils and spark plugs), 146 (e.g. throttle valve actuators), 148 (e.g. injection valves) and 150 (e.g. main relay, tachometer, fuel pump relay, lambda probe heating, camshaft control, tank ventilation, intake pipe changeover, secondary air, recycling of exhaust gases).
Because of an increase in the number of their input and output variables, these control functions in motor vehicles are very complex, so that in order to implement these tasks, modern control systems based on the microcontrollers 114 are used.
Because different sensors, of which the measurement data must be taken into account in a timely manner, are increasingly being used in modern motor vehicles, the number of input/output ports 106, 108, 136, 138, 140, 142 of an engine control 100 have continued to increase. That is why microcontrollers 114 with a very high computing power are increasingly being used in which case the functionalities of the control device software can be modified, so that they can be adapted to the specific needs of the different users in an effective manner.
The level model 10 features a layer 20, namely the monitoring functional group, which performs monitoring functions. On the monitoring layer 20, building upwards, provision has been made for a functional layer 40, which comprises additional modules or units and connects the two aforementioned layers 20 and 40 using entry points such as for example the entry point 60. In this case the entry point 60 can for example represent or comprise an interface or a class of a programming language, which is for example suitable for a parameter transfer or a transfer in the sense of a transmission path. A plurality of transmission paths can be embodied as a channel bundle or a network connection on which the transmission protocols can be applied.
The functional layer 40 carries as a device reliability-relevant functions, which in the embodiment according to the invention for example are a DRRQ unit 80 and a plurality of additional units, in particular a first unit, namely, (AGGR_2) 151 as well as the additional units AGGR_x 152, AGGR_y 153 and AGGR_z 160.
Provision has been made for a plurality of modules in the monitoring layer 20 (shown by of a broken line), for example, a module 180. In this case, the layer 20 carries or comprises the relevant monitoring functions of the DRRQ unit 80 or the other units 151, 152, 153 and 160.
The DRRQ unit 220 and the plurality of other units further exhibit the special characteristic that at the level of the specific monitoring function there is an entry point in each case, with the entry point 520 have been taken here as an example, by means of which the specific monitoring function of the DRRQ unit 220 or the AGGR_2 unit 240 (using the entry point 540) is fed to the higher-order monitoring functional group 600. In addition, the monitoring functions 360 are coupled to the higher-order monitoring functional group 600 at a few precisely defined points 520, 540.
On an example transmission path 700 formed between the entry point 520 and the higher-order monitoring functional group 600, which can also be provided as a bidirectional path, functional commands and return signals for monitoring the processor functions can be transmitted in addition to the transmission of e.g. error information or secured output values. For this reason, individual protection hardware that carries out the reliability-relevant function is not required in an advantageous manner.
Number | Date | Country | Kind |
---|---|---|---|
10 2005 003 916.2 | Jan 2005 | DE | national |
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/EP05/57189 | 12/28/2005 | WO | 00 | 7/17/2007 |