Reexamination Certificate
2002-06-10
2003-06-17
Camby, Richard M. (Department: 3661)
Data processing: vehicles, navigation, and relative location
Vehicle control, guidance, operation, or indication
C701S036000, C701S104000
active
06580974
ABSTRACT:
FIELD OF THE INVENTION
The present invention generally relates to a method and an apparatus for monitoring the control of operational sequences in a vehicle, and more particularly relates to a method and an apparatus for monitoring the program sequence of safety-critical functions by redundant hardware.
BACKGROUND INFORMATION
In the context of safety-critical real-time applications of the control of operational sequences in a vehicle, it may be desirable for the underlying hardware to be monitored during operation. Complete discovery of all static and dynamic hardware faults may not be possible with acceptable effort, so that the software which implements the actual functioning of the operation is monitored along its safety-critical data flows and control flows. This may occur on the one hand via hardware-proximate monitoring and on the other hand by monitoring at the functional level.
Hardware-proximate monitoring may be accomplished by monitoring the processor using hardware-proximate testing and by the use of redundant hardware.
Monitoring at the functional level may be accomplished by monitoring those regions of the volatile memory (e.g. RAM) that represent the internal state of the function, and by monitoring those regions of the nonvolatile memory (e.g. ROM) that contain the actual program code of safety-critical functions (memory test). In addition to the aforesaid memory test of the volatile and nonvolatile memories, monitoring at the functional level may be accomplished by redundant execution of safety-critical functions, and by monitoring the correct program sequence of safety-critical functions using redundant hardware.
Only when all these items have been complied with may it be assumed that the software will be correctly executed on the processor during vehicle operation. Individual safety concepts related thereto may be discussed in Standard IEC1508, Draft Standard, part 7, Appendix C.9.3. “Logical monitoring of program sequence.”
German Published Patent Document No. 198 26 131 discusses a program sequence monitor or program sequence monitoring system that may operate synchronously with a defined monitoring framework. On the basis of a test word or test datum (hereinafter called a “query”) that is transferred from the redundant hardware, the program sequence monitoring system may calculate a subresponse which may be combined with the subresponse of the command test that monitors the processor in hardware-proximate fashion to yield a complete response to the redundant hardware. The response may then be checked by the redundant hardware (hereinafter called the “monitoring module”). In the event of a fault, the fault debounce system may be activated; after it has executed, a fault reaction may be triggered. Therefore, in the event of a correct subresponse, the program sequence monitoring system may ensure that individual subfunctions are all invoked at the stipulated frequency and are all terminated. However, a guarantee may not be provided that the functions are invoked in the correct order in terms of the control flow, i.e. their sequence with respect to the run time. Program execution may thus be only incompletely monitored by the processor.
The same is true of German Published Patent Document No. 41 11 499, which describes a control system for a vehicle having a microcomputer and a monitoring module that may be embodied as a gate array. The monitoring module may perform an execution check of the microcomputer; both of them process signal values in the context of a query-response interaction in a defined monitoring framework synchronously with the timing framework of the program sequence monitor, and by comparison of the results of that processing, the monitoring module may draw conclusions as to correct or faulty operation of the microcomputer.
German Published Patent Document No. 44 38 714 also describes a method and an apparatus for controlling a drive unit of a vehicle, in which for performance control, only one microcomputer may be provided for the execution of control functions and monitoring functions. At least two mutually independent planes may be defined in the microcomputer, a first plane executing the control functions and second plane executing the monitoring functions. An active watchdog that performs the sequence monitoring may be used as a query-response interaction.
In the disclosed safety concepts, communication between the monitoring module and the processor may be accomplished in a fixed timing framework synchronously with the program sequence monitor. This may mean that the existing methods and associated apparatuses may synchronize to a specific, defined monitoring framework. As a result, for example, it may not be possible for safety-critical functions that are activated at a point in time or in a timing framework (sequence of equidistant points in time) that is asynchronous with the monitoring framework to be incorporated into the program sequence monitoring system or program sequence monitor. In particular, sporadically activated safety-critical functions, in particular sporadic safety-relevant control functions, may not be monitored in this fashion. Thus, existing methods and associated apparatuses may not consistently yield complete, uninterrupted monitoring of the program sequence of the control functions.
Achieving continuous, complete, and uninterrupted monitoring of all safety-critical functions may be desirable.
SUMMARY OF THE INVENTION
In order to allow mutual time-related monitoring, according to the present invention, communication between the monitoring module and the processor may be based on independent time references. In addition, a method according to the present invention and an associated apparatus may be asynchronous with a defined monitoring framework or the timing framework of the program sequence monitor, thus permitting continuous, complete, uninterrupted time-related and functional monitoring of all safety-critical functions. Even sporadically activated safety-critical functions, in particular, may thus be monitored. In this context, a function is called “sporadic” if an upper and lower time limit for activation of the function may be indicated.
This may result in a method and an apparatus for monitoring the control of operational sequences in a vehicle, in which context control functions are executed in a control unit, and monitoring functions that monitor the control functions are also executed. The following steps may be performed: a monitoring module transfers at least one query to the control unit; a first monitoring function, in particular a sequence monitor, is provided in the control unit and calculates a subresponse to the query in a second definable timing framework; the control unit creates a response to the monitoring module from at least one subresponse, creation of the response being activated in a definable first timing framework; the control unit transfers the response to the monitoring module; the monitoring module, as a function of the response, detects faults regarding execution of the control functions; and the first and the second timing frameworks are asynchronous with one another.
The result may be complete and continuous monitoring of safety-critical functions in the context of the asynchronous correlation, according to the present invention, between the monitoring framework and response creation. Defined fault latency times may be complied with via the asynchronicity between program sequence monitoring and response creation.
Because of the independence of the two timing frameworks, i.e. the asynchronicity of the method according to the present invention, represented by the order of the response creation activation times with respect to the monitoring framework or the program sequence monitor timing framework, response creation may be activated in a permanently predefined first timing framework, in which context the query may be transferred in event-controlled fashion, for example initiated by function calls or controlled by the end of a function processing action, or
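The query-response interaction described in the background (a query from the monitoring module, a sequence-monitor subresponse combined with the command-test subresponse, a check by the monitoring module, a fault debounce and a fault reaction) and the asynchronous timing frameworks of the summary can be seen together in a small discrete-time simulation. The following Python is an added illustration and is not the patent's text or the assignee's implementation; the function names, the three periods, the hash chaining used for the subresponse, the constructed command-test arithmetic, the fault latency and the debounce limit are all assumptions chosen for the example.

```python
"""Query/response program-sequence monitoring with asynchronous timing frameworks.
Added simulation for illustration; all names, periods, hash construction, latency and
debounce values below are assumptions, not taken from the patent."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional

STIPULATED_SEQUENCE = ("read_pedal", "compute_torque", "check_limits", "set_throttle")  # constructed
CONTROL_PERIOD_MS = 5     # cycle of the control functions themselves (assumed)
RESPONSE_PERIOD_MS = 7    # first timing framework: response creation (assumed)
QUERY_PERIOD_MS = 25      # second timing framework: queries from the monitoring module (assumed)
FAULT_LATENCY_MS = 20     # a response must arrive within this many ms of its query (assumed)
DEBOUNCE_LIMIT = 2        # consecutive faults before the fault reaction fires (assumed)


def fold(value: bytes, fn_name: str) -> bytes:
    """Sequence-monitor step: chain each terminated function into the running value,
    so a skipped, extra or reordered function changes the subresponse."""
    return hashlib.sha256(value + fn_name.encode()).digest()


def expected_chain(query: int, cycles: int) -> bytes:
    """Value a correct program sequence yields after `cycles` complete passes."""
    v = query.to_bytes(4, "big")
    for _ in range(cycles):
        for fn in STIPULATED_SEQUENCE:
            v = fold(v, fn)
    return v


def command_test_subresponse(query: int) -> int:
    """Stand-in for the hardware-proximate command test (constructed arithmetic)."""
    return (query * 0x9E3779B1 + 0x7F4A7C15) & 0xFFFFFFFF


def combine(chain: bytes, query: int) -> int:
    """Complete response: sequence subresponse combined with the command-test subresponse."""
    return int.from_bytes(chain[:4], "big") ^ command_test_subresponse(query)


@dataclass
class ControlUnit:
    query: Optional[int] = None
    chain: bytes = b""
    cycles: int = 0

    def receive_query(self, query: int) -> None:
        self.query, self.chain, self.cycles = query, query.to_bytes(4, "big"), 0

    def run_cycle(self, order) -> None:
        """One pass of the control functions; the sequence monitor folds each one in."""
        if self.query is None:
            return
        for fn in order:
            self.chain = fold(self.chain, fn)
        self.cycles += 1

    def create_response(self):
        """Activated in the first timing framework, independent of when the query arrived."""
        if self.query is None:
            return None
        resp = (self.query, self.cycles, combine(self.chain, self.query))
        self.query = None
        return resp


@dataclass
class MonitoringModule:
    outstanding: dict = field(default_factory=dict)  # query -> time issued
    next_query: int = 0x1000
    faults: int = 0
    consecutive: int = 0
    fault_reaction: bool = False

    def _fault(self) -> None:
        self.faults += 1
        self.consecutive += 1
        if self.consecutive >= DEBOUNCE_LIMIT:  # debounce elapsed: trigger the reaction
            self.fault_reaction = True

    def issue_query(self, now: int) -> int:
        q, self.next_query = self.next_query, self.next_query + 1
        self.outstanding[q] = now
        return q

    def expire(self, now: int) -> None:
        """A query still unanswered after the fault latency is itself a fault."""
        for q, issued in list(self.outstanding.items()):
            if now - issued > FAULT_LATENCY_MS:
                del self.outstanding[q]
                self._fault()

    def check(self, now: int, resp) -> None:
        q, cycles, value = resp
        issued = self.outstanding.pop(q, None)
        ok = (issued is not None and now - issued <= FAULT_LATENCY_MS
              and value == combine(expected_chain(q, cycles), q))
        if ok:
            self.consecutive = 0
        else:
            self._fault()


def simulate(order=STIPULATED_SEQUENCE, responding: bool = True, end_ms: int = 200) -> dict:
    """Discrete-time run in 1 ms ticks; the three periods are mutually asynchronous."""
    cu, mm = ControlUnit(), MonitoringModule()
    for now in range(end_ms):
        mm.expire(now)
        if now % QUERY_PERIOD_MS == 0:
            cu.receive_query(mm.issue_query(now))
        if now % CONTROL_PERIOD_MS == 0:
            cu.run_cycle(order)
        if responding and now % RESPONSE_PERIOD_MS == 3:  # phase offset: never aligned with queries
            resp = cu.create_response()
            if resp is not None:
                mm.check(now, resp)
    return {"faults": mm.faults, "fault_reaction": mm.fault_reaction}
```

Running `simulate()` with the stipulated order yields no faults even though response creation (every 7 ms, offset by 3) never lines up with the query framework (every 25 ms): each response is checked against the latency budget of its own query rather than against a shared frame. Passing a reordered or shortened `order` makes every chained subresponse mismatch, and `responding=False` lets the fault latency expire; in both cases the debounce counter reaches its limit and the fault reaction is raised.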
Fischer Joerg
Haag Wolfgang
Camby Richard M.
Kenyon & Kenyon
Robert Bosch GmbH