System and method for distributing and executing program code in a control unit network

Abstract
A system and a method for distributing and executing program code in a control unit network, in which at least one of the units is able to detect a defect in its hardware and is able to transmit its code to at least one other control unit in the network, the transmitted code being executable on the target control unit.
Description

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1a shows a schematic illustration of two intact control units, which are connected to each other via a network.

FIG. 1b shows the configuration of FIG. 1a in which the function of a defective control unit is portrayed by the other control unit.

DETAILED DESCRIPTION

FIG. 1a shows a schematic representation of two intact control units SG1 and SG2 that are connected to each other via a network 10. Network 10 is designed as a data bus and a program bus via which control units SG1 and SG2 are able to exchange data portions and program software portions. Control unit SG1, for instance, is responsible for the operation of an antilock system and unit SG2 for engine control.


The functioning of these applications is represented by program code P1 and P2, which are executed on units SG1 and SG2, respectively. If a hardware defect is now detected in control unit SG1, computing resources that are still free in unit SG2 are reserved, and program code P1 of unit SG1 is transmitted via network 10 and brought to execution on unit SG2.


FIG. 1b shows the configuration of FIG. 1a, in which the function of a defective control unit SG1 is portrayed by the other control unit SG2. In this context, program code P1 of unit SG1 was transmitted to unit SG2 and brought to execution alongside code P2. In principle, control unit SG1 can also transmit only reduced programs, so as not to impair the programs on unit SG2. Furthermore, programs or program portions that have a comparatively low priority can be shut down on target control unit SG2, and the programs having a high safety relevance can be activated.


Because of that, even when there are hardware defects in the especially safety-relevant control unit SG1, a residual function of the antilock system can be represented, which considerably increases its failure tolerance, and therewith its operating safety. Because of shifting code P1 from defective unit SG1 to intact unit SG2, no redundant memory portions have to be held in reserve, whereby costs can be reduced. The method according to the present invention builds upon known communications mechanisms in networks and is simple to implement, easy to maintain and cost-effective.
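
The decision the target unit SG2 has to make in the description above can be sketched as follows. This is an added example, not code from the patent: the load percentages, the numeric safety ranks, the "comfort" program and all function names are assumptions chosen for illustration.

```c
#include <stddef.h>

/* Assumed model: load = percent of CPU budget, safety = rank (higher is more relevant). */
typedef struct { const char *name; int load, safety, running; } Program;
typedef struct { int capacity; Program progs[8]; size_t n; } Unit;
enum Result { REJECTED, RAN_FULL, RAN_REDUCED, RAN_REDUCED_AFTER_SHED };

static int free_load(const Unit *u) {
    int used = 0;
    for (size_t i = 0; i < u->n; i++)
        if (u->progs[i].running) used += u->progs[i].load;
    return u->capacity - used;
}

/* Reserve resources on the target and start the transmitted program. */
static enum Result start(Unit *u, const char *name, int load, int safety, enum Result r) {
    u->progs[u->n++] = (Program){ name, load, safety, 1 };
    return r;
}

/* Runs on the target once the source has reported a hardware defect. */
enum Result migrate(Unit *t, const char *name, int full, int reduced, int safety) {
    if (t->n >= 8) return REJECTED;
    if (free_load(t) >= full) return start(t, name, full, safety, RAN_FULL);
    if (free_load(t) >= reduced) return start(t, name, reduced, safety, RAN_REDUCED);
    /* Check feasibility first so nothing is shut down for a transfer that cannot fit. */
    int sheddable = 0;
    for (size_t i = 0; i < t->n; i++)
        if (t->progs[i].running && t->progs[i].safety < safety) sheddable += t->progs[i].load;
    if (free_load(t) + sheddable < reduced) return REJECTED;
    while (free_load(t) < reduced) {           /* shed the lowest-ranked program first */
        Program *v = NULL;
        for (size_t i = 0; i < t->n; i++)
            if (t->progs[i].running && t->progs[i].safety < safety &&
                (!v || t->progs[i].safety < v->safety)) v = &t->progs[i];
        v->running = 0;
    }
    return start(t, name, reduced, safety, RAN_REDUCED_AFTER_SHED);
}

/* Constructed sample: SG2 running P2 plus a hypothetical low-priority program. */
Unit sample_sg2(void) {
    return (Unit){ 100, { { "P2", 70, 5, 1 }, { "comfort", 20, 1, 1 } }, 2 };
}

int main(void) {
    Unit sg2 = sample_sg2();
    return migrate(&sg2, "P1", 50, 25, 9) == RAN_REDUCED_AFTER_SHED ? 0 : 1;
}
```

With the constructed values, P1 does not fit in full, so SG2 stops the low-priority program, keeps P2 running and executes the reduced P1. A transfer ranked below everything already running is rejected without shutting anything down.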

Claims
  • 1. A system for distributing and executing program code in a control unit network, comprising: a source control unit and a target control unit, the source control unit being adapted to detect a defect in its hardware and to transmit its code to the target control unit in the network, the target control unit being adapted to execute the transmitted code.
  • 2. The system according to claim 1, wherein the source control unit has a high safety relevance compared to the target control unit in the network.
  • 3. The system according to claim 1, wherein the source control unit transmits a reduced program to the target control unit.
  • 4. The system according to claim 1, wherein the target control unit shuts down at least one of (a) programs and (b) program portions having comparatively low safety relevance.
  • 5. A method for distributing and executing program code in a control unit network, the method comprising: if a hardware defect is detected in a source control unit, transmitting its code to a target control unit in the network; and executing the transmitted code in the target control unit.
  • 6. The method according to claim 5, further comprising: determining whether the target control unit has free resources for executing the program code; and if this is the case, reserving the free resources for executing the transmitted code.
  • 7. The method according to claim 5, further comprising transmitting a program reduced in comparison to its full functional scope from the source control unit to the target control unit.
  • 8. The method according to claim 5, further comprising shutting down at least one of (a) programs and (b) program portions having comparatively low safety relevance on the target control unit.
Priority Claims (1)
Number Date Country Kind
102006045153.8 Sep 2006 DE national