METHOD FOR OPERATING A CONTROL UNIT OF A MOTOR VEHICLE

Abstract

A method for operating a control unit of a motor vehicle including a function unit and a monitoring unit which have a communication connection to one another. In a first check, the function unit is checked for errors, an error of the function unit being inferred if an error counter reaches a threshold value, and the monitoring unit and the function unit exchange first data with one another. In the event of a correct exchange of the first data, a positive change of the error counter is carried out. Otherwise, a negative change of the error counter is carried out. In a second check, the monitoring unit and the function unit exchange second data with one another. In the event of an incorrect exchange of the second data, a negative change of the error counter and a negative change of the threshold value are carried out.

Claims

1-16. (canceled)

17. A method for operating a control unit of a motor vehicle including a function unit and a monitoring unit, which have a communication connection to one another, the method comprising: in a first check, checking the function unit for errors, an error of the function unit is inferred if an error counter reaches a threshold value, and in the first check, the monitoring unit and the function unit exchanging first data with one another, wherein in the event of a correct exchange of the first data, a positive change of the error counter is carried out, and in the event of an incorrect exchange of the first data, a negative change of the error counter is carried out; and in a second check, the monitoring unit and the function unit exchanging second data with one another, wherein in the event of an incorrect exchange of the second data, the negative change of the error counter and a negative change of the threshold value are carried out.

18. The method as recited in claim 17, wherein, in the event of the correct exchange of at least one of the first data and the second data, the positive change of the error counter and the positive change of the threshold value are carried out.

19. The method as recited in claim 18, wherein the positive change of the threshold value is carried out only if the threshold value has not yet reached a threshold starting value.

20. The method as recited in claim 17, wherein the monitoring unit and the function unit exchange the first data with one another in that the monitoring unit transmits questions to the function unit and the function unit thereupon transmits answers to the monitoring unit

21. The method as recited in claim 20, wherein at least one of: (i) the exchange of the first data is incorrect if the function unit at least one of: transmits incorrect answers, and transmits answers at incorrect points in time, and (b) the exchange of the first data is correct if the function unit transmits correct answers at correct points in time.

22. The method as recited in claim 17, wherein the monitoring unit and the function unit exchange the second data with one another in that the monitoring unit transmits questions to the function unit and the function unit thereupon transmits answers to the monitoring unit.

23. The method as recited in claim 22, wherein the exchange of the second data is incorrect if the function unit transmits one of incorrect answers, and answers at incorrect points in time.

24. The method as recited in claim 17, wherein at least one of the error counter and the threshold value are decremented by one or multiple decrements, in the course of the positive change.

25. The method as recited in claim 16, wherein at least one of the error counter and the threshold value are incremented by one or multiple increments in the course of the negative change.

26. The method as recited in claim 17, wherein the function unit determines when first data are exchanged and when second data are exchanged.

27. The method as recited in claim 17, wherein the monitoring unit specifies a fixed time window, using which points in time of the received data are checked for plausibility.

28. The method as recited in claim 17, wherein the function unit provides information to the monitoring unit of whether the negative change of the threshold value has to be carried out.

29. The method as recited in claim 17, wherein the function unit specifies a specific threshold value to the monitoring unit.

30. A processing unit, which is configured to operate a control unit of a motor vehicle including a function unit and a monitoring unit, which have a communication connection to one another, the processing unit configured to: in a first check, check the function unit for errors, an error of the function unit is inferred if an error counter reaches a threshold value, and in the first check, the monitoring unit and the function unit exchange first data with one another, wherein in the event of a correct exchange of the first data, a positive change of the error counter is carried out, and in the event of an incorrect exchange of the first data, a negative change of the error counter is carried out; and in a second check, the monitoring unit and the function unit exchange second data with one another, wherein in the event of an incorrect exchange of the second data, the negative change of the error counter and a negative change of the threshold value are carried out.

31. A non-transitory machine-readable storage on which is stored a computer program for operating a control unit of a motor vehicle including a function unit and a monitoring unit, which have a communication connection to one another, the computer program, when executed by a processor, causing the processor to perform: in a first check, checking the function unit for errors, an error of the function unit is inferred if an error counter reaches a threshold value, and in the first check, the monitoring unit and the function unit exchanging first data with one another, wherein in the event of a correct exchange of the first data, a positive change of the error counter is carried out, and in the event of an incorrect exchange of the first data, a negative change of the error counter is carried out; and in a second check, the monitoring unit and the function unit exchanging second data with one another, wherein in the event of an incorrect exchange of the second data, the negative change of the error counter and a negative change of the threshold value are carried out.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

[0028] FIG. 1 schematically shows one preferred embodiment of a control unit according to the present invention of a motor vehicle, which is configured to carry out one preferred specific embodiment of a method according to the present invention.

[0029] FIG. 2 schematically shows diagrams of an error counter and a threshold value plotted against time which may be determined in the course of one preferred specific embodiment of a method according to the present invention.

DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS

[0030] FIG. 1 schematically shows a control unit 100 of a motor vehicle, for example, an engine control unit. Control unit 100 includes a function unit 110, for example, a so-called function computer, and a monitoring unit 120, for example, a so-called monitoring module. Control unit 100 is configured, in particular by programming, to carry out one preferred specific embodiment of a method according to the present invention.

[0031] Function unit 110 is configured, for example, in the course of an engine control, to carry out computing operations, for example, the determination of injection quantities and times (inter alia) and to activate connected components, for example, injectors, accordingly. Monitoring unit 120 is configured to check function unit 110 for errors. Function unit 110 and monitoring unit 120 have a communication connection for this purpose, for example, via an MSC connection 130.

[0032] In the course of a first check, the check of function unit 110, function unit 110 and monitoring unit 120 exchange first data with one another. For this purpose, monitoring unit 120 transmits questions to function unit 110. If function unit 110 operates correctly, it transmits a correct answer to the question at a correct point in time to monitoring unit 120. Function unit 110 and monitoring unit 120 therefore carry out a correct exchange of the first data.

[0033] In the event of an incorrect answer or also in the event of a correct answer at an incorrect point in time, function unit 110 and monitoring unit 120 exchange the first data incorrectly. In this case, an error counter is changed by monitoring unit 120, by incrementing the error counter by the value one. This increment of the error counter represents a negative change of the error counter.

[0034] If the following question is correctly answered again, the error counter is decremented by the value one again. This decrement of the error counter represents a positive change of the error counter. In the event of a correct exchange of the data, the error counter is decremented by the value one in each case until it has reached the value zero. The error counter may in particular not be set to values less than zero.

[0035] An error of function unit 110 is inferred if the error counter reaches a predefined and/or externally predefinable threshold value, for example, three. As a result, for example, the monitoring unit may shut down the power output stages of the function unit in the control unit and thus ensure the safety of the vehicle. Moreover, the possibility exists of resetting the function unit at another threshold value.

[0036] In the course of a second check, a so-called plausibility check, function unit 110 may carry out a check of monitoring unit 120. In the course thereof, function unit 110 and monitoring unit 120 exchange second data with one another. In particular, the data exchange of these second data takes place by function unit 110 intentionally transmitting an incorrect answer and/or an answer at an incorrect point in time to a question of monitoring unit 120 within the framework of the exchange of the first data. The exchange of second data is therefore characterized in that function unit 110 intentionally answers incorrectly. Due to this incorrect data exchange, the error counter is incremented by one or multiple increments, the increment being able to be equal in each case (for example, one) or dependent on the error (two in the case of delayed message, otherwise one). This increment of the error counter is expected in the course of the plausibility check. Function unit 110 thereupon checks whether monitoring unit 120 correctly increments the error counter. If the error counter is not correctly incremented, an error of monitoring unit 120 is inferred. As a result, for example, the function unit may shut down the power output stages in the control unit and thus ensure the safety of the vehicle. In addition, the function unit may resynchronize the communication with the monitoring unit in individual cases of error.

[0037] However, to avoid the error counter reaching the threshold value due to the exchange of second data and an error of the function unit incorrectly being assumed, or the present distance between error counter and threshold value being changed at all in the course of an intentional error, the threshold value is dynamically adapted and changed as a function of changes of the error counter in response to the exchange of the second data, as explained hereafter on the basis of FIG. 2.

[0038] In the example shown, the monitoring unit is configured to reduce the threshold value by the value one in each case in the event of a correct exchange of data, until it reaches a predefined or predefinable minimal value, for example, the value three. In this case, a differentiation is not made between first and second data in the event of a correct answer.

[0039] Two diagrams are schematically shown in FIG. 2, in each of which the error counter and the threshold value are plotted against time t. Graphs 210a and 210b each represent the error counter, graphs 220a and 220b each represent the threshold value. FIG. 2a shows a case in which monitoring unit 120 and function unit 110 function correctly. FIG. 2b shows a case in which function unit 110 does not function correctly.

[0040] In the correct case according to FIG. 2a, at a point in time t.sub.0 the threshold value has the value three and the error counter has the value zero. A question is transmitted from monitoring unit 120 to function unit 110, which thereupon transmits a correct answer at the correct point in time to monitoring unit 120 at point in time t.sub.0. The error counter would now actually be decremented by the value one, but since it is already zero, it may not be reduced further in this case. The threshold value would now actually also be reduced by the value one, but since it is already three, it may not be reduced further in this case.

[0041] Upon a further question of monitoring unit 120, function unit 110 transmits a correct answer in the course of the plausibility check, but intentionally at an excessively early point in time t.sub.1 (and/or alternatively an incorrect answer). The error counter is thereupon incremented to the value one.

[0042] However, function unit 110 simultaneously reports to monitoring unit 120 that the incorrect answer was intentional. Thus, this involves the exchange of second data, so that the monitoring unit also increases the threshold value by one to the value four. It is therefore ensured that after a change of the error counter in response to the exchange of second data, the same distance prevails between error counter and threshold value before and after the change.

[0043] At a point in time t.sub.2, function unit 110 again transmits a correct answer at the correct point in time upon a renewed question in the course of the first check. The error counter is again decremented by the value one. Similarly, the threshold value is also reduced by the value one to the value three.

[0044] Upon a further question of monitoring unit 120, function unit 110 again intentionally answers incorrectly in the course of the plausibility check. For example, an incorrect answer is transmitted at an excessively late point in time t.sub.3. It may be provided that this double error results in an increment of the error counter by the value two to the value two. However, function unit 110 simultaneously reports to monitoring unit 120 that the incorrect answer was intentional. Thus, this involves the exchange of second data, so that monitoring unit also increases the threshold value by two to the value five.

[0045] At points in time t.sub.4 and t.sub.5, function unit 110 again answers correctly to questions of monitoring unit 120 in the course of the first check, whereupon at points in time t.sub.4 and t.sub.5, error counter and therefore also the threshold value are each decremented/reduced by one as expected.

[0046] At point in time t.sub.6, function unit 110 intentionally answers with an incorrect answer at the correct point in time in the course of the plausibility check, whereupon the error counter is increased by one. Similarly, the threshold value is increased by one. At point in time t.sub.7, function unit 110 again answers correctly, whereupon error counter and threshold value are again decremented/reduced by one.

[0047] According to the case of FIG. 2b, function unit 110 still operates correctly at first at a point in time t.sub.10. The threshold value has the value three at point in time t.sub.10, similarly to point in time t.sub.0, and the error counter has the value zero. Function unit 110 answers correctly to a question of monitoring unit 120. At a point in time t.sub.11, function unit 110 intentionally answers excessively early to a question, similarly to point in time t.sub.1. Error counter and threshold value are thereupon incremented/increased by the value one.

[0048] At a point in time t.sub.12, a defect or error of function unit 110 occurs. Function unit 110 unintentionally answers at point in time t.sub.12 with an incorrect answer. Accordingly, function unit 110 also does not report to monitoring unit 120 that the incorrect answer was intentional. The error counter is therefore incremented by the value one upon the incorrect answer. However, the threshold value is not changed and remains at the value four.

[0049] At a point in time t.sub.13, function unit 110 again unintentionally answers with an incorrect answer to a question of monitoring unit 120. The error counter is again incremented by one and the threshold value still remains at the value four.

[0050] Function unit 110 also answers unintentionally with an incorrect answer to a question at a point in time t.sub.14 and the error counter is incremented by one and the threshold value still remains at the value four. The error counter now has the value four and has reached the threshold value. An error of function unit 110 is inferred and an error response may be carried out. For example, a so-called WDA line may be activated and a torque-relevant output stage may be shut down as an error response.

[0051] It may be ensured by the method that an error of function unit 110 is recognized, for example, after three successive incorrect answers. In conventional control units, in which a constant threshold value is often selected, this may not be ensured. For example, a constant threshold value of five may be reached more slowly or quickly in the event of an error of function unit 110, depending on which value the error counter was changed to by the plausibility check. If the error counter has the value two due to the plausibility check upon the occurrence of an error of function unit 110, for example, this error will also be recognized after three successive incorrect answers. However, if the error counter has the value zero upon the occurrence of the error, for example, this error will only be recognized after five successive incorrect answers. In contrast thereto, the quickest possible recognition of an error of function unit 110 is enabled by the method.