DE102018203359A1 - Method and device for monitoring a control system - Google Patents

Abstract

The invention relates to a method of monitoring a control system (10) comprising a plurality of interconnected modules (100) which receive one or more inputs at an input and provide an output based on these inputs at an output. The control system (10) comprises a plurality of monitoring units (200) and each module (100) is associated with a monitoring unit (200), wherein all the monitoring units (200) use a common timestamp synchronized time base by the associated monitoring unit (200) from the module (100) a first time stamp is assigned to the received inputs, a second time stamp is assigned to the provided outputs by the assigned monitoring unit (200), at least one time stamp is also transferred when an output is transferred as an input to an input of a downstream module (100) and wherein the monitoring units (200) respectively generate a state score for the module (100) associated with that monitoring unit (200), wherein a time difference between the second time stamp of the output and the first time stamps of the at least one input upon which that output is based , beware is needed.
Further aspects of the invention relate to a device for monitoring a control system (10), which is set up to carry out the method.

Description

State of the art

The invention relates to a method of monitoring a control system comprising a plurality of interconnected modules which receive one or more inputs at an input and provide output based on these inputs at an output. Furthermore, the invention relates to a device for monitoring a control system.

Modern vehicles are increasingly equipped with driver assistance systems that should assist a driver in making various driving maneuvers. Furthermore, developments are known from the prior art with which vehicles are operated partially or completely automatically or autonomously, with no interventions by a driver in the control of the vehicle being required. Such driver assistance systems include, for example, parking systems, which independently detect parking spaces and can lead the vehicle into the parking space. Furthermore, driver assistance systems are known in which a driver leaves his vehicle at a delivery point, the vehicle, if necessary supported by existing infrastructure assigned a parking position and controls this parking position independently. Furthermore, systems are already being developed in which vehicles receive information about the vehicle from satellites or from other vehicles.

In order to fulfill their tasks, the driver assistance systems require reliable data which are detected by sensors of the vehicle and / or transmitted to the vehicle by infrastructure components. Furthermore, the function of all components of the control system involved in the guidance of the vehicle must be ensured. Therefore, constant monitoring of all aspects of the control system is required.

DE 10 2015 209 116 A1 describes a method for securely updating an embedded controller. In doing so, an update gateway requests an update request determined by a hardware security module for the destination controller. The update gateway establishes a communication channel based on a cryptographic identity of the update gateway to a backend that sends an update ticket in addition to the update data. After validating the update data and the update ticket, the destination controller is updated with the update data.

DE 10 2014 219 540 A1 describes a system for on-demand wireless module update. To do this, a processor is configured to receive technician-forwarded instructions for installing a software update. Also, the processor is configured to contact the technician with an acknowledgment of the processed software update upon completion of the update. Received software packages for forwarding to the vehicle computing system include a digital signature.

DE 10 2013 107 962 B4 describes a method for monitoring components of a system that includes cooperative vehicle driver assistance systems and infrastructure facilities. To monitor the system, a diagnostic server is provided which is in contact with the infrastructure via multiple communication links. The diagnosis server itself can be designed as a distributed system, so that there is redundancy. The vehicles can transmit diagnostic data directly to other vehicles or alternatively to the diagnostic server. If an accumulation of detected malfunctions or a suspected malfunction is registered for a particular vehicle, an alert message may be sent to a user of the vehicle.

A disadvantage of the known method for monitoring a control system is that they each only monitor certain aspects, such as the safe updating of a software component. A comprehensive monitoring of all functions of a control system, which allows a continuous evaluation (in defined time units) of the performance of the control system is not possible with the known methods.

Disclosure of the invention

A method is proposed for monitoring a control system comprising a plurality of interconnected modules. The modules accept one or more inputs on at least one input and provide an output based on these inputs at an output. It is further provided that the control system comprises a plurality of monitoring units and each module is assigned a monitoring unit. The monitoring units use a common timestamp for timestamps, wherein a first timestamp is assigned by the module associated with the monitoring unit received from the module inputs and the assigned monitoring unit is assigned to the provided outputs, a second timestamp. When passing an output as input to a At least one time stamp is transferred to the input of a downstream module, wherein a status evaluation for the module assigned to the respective monitoring unit is created by each of the monitoring units, wherein a time difference between the second time stamp of the output and the first time stamp of the at least one input on which this Output is taken into account.

This time difference identifies the amount of time the respective module requires after receiving the at least one input to provide the output based thereon. An increase in this time difference indicates problems or malfunctions within the module in question. For example, necessary error correction actions or repeated attempts to perform an action may increase the time required to provide the output. Furthermore, a maximum period of time that the respective module may need for providing the output can be defined. If no second time stamp is assigned after the lapse of this maximum period of time, then this is preferably also taken into account when the condition evaluation is created.

In addition to an increase in the time difference, a large variance of the time difference can also indicate problems or errors in the respective module. With proper and optimal operation of a module, the time required to provide an output should be approximately constant and not subject to significant fluctuations.

When detected fluctuations, especially with larger fluctuations, preferably causes of the fluctuations are determined. For example, temperature fluctuations can lead to deviating signal propagation times. When receiving data via satellite, runtime differences can be affected by changing conditions such as the current weather or magnetizations in the stratosphere. If the cause is known, appropriate correction mechanisms are preferably activated, which use, for example, weather data or temperature measurements for a correction.

The basis for the assignment of the time stamps is a synchronized time base, which the participating monitoring units use. For this purpose, the monitoring units have a clock which is synchronized with the other clocks of the other monitoring units. For this purpose, for example, one of the clocks can be selected as a master and the other clocks are adjusted to the time of the master. Furthermore, all the clocks of the control system can be synchronized to an external time source, such as a radio clock. The synchronization may, for example, be performed once at the beginning of the monitoring of the control system and / or carried out periodically recurring. A path difference of the synchronized clocks of the monitoring units with respect to an external time reference, such as the coordinated world time, is not critical to the performance of the method. Gap differences between the synchronized clocks of the monitoring units are preferably kept as low as possible by the synchronization with each other.

Furthermore, for the condition evaluation, diagnostic data which are provided by the respective module are preferably taken into account. In particular, error messages of the module can be taken into account when creating the condition evaluation.

The condition evaluation can be transmitted, for example, to a diagnostic or monitoring system. The diagnostic or monitoring system can then in particular decide whether the control system is able to fulfill its task. If it is determined that the control system can no longer safely perform its tasks, certain actions can be initiated which are selected from issuing an error message, deactivating the control system, repeating the data transmission or data processing, switching to another data flow, activating correction mechanisms, and Combinations of at least two of these actions. The diagnostic or monitoring system may be, for example, a guard unit.

In particular, the control system can be a control system for controlling a vehicle, which can perform driving maneuvers automatically or autonomously without the intervention of a driver. The modules of the control system can be completely assigned to the vehicle or split up between the vehicle and infrastructure components.

Preferably, the number of monitoring units is identical to the number of modules of the control system, so that each module is assigned its own monitoring unit. With a smaller number of monitoring units, several modules share a monitoring unit. To provide redundancy, more monitoring units than modules may be provided, in which case at least one module is assigned two or more monitoring units.

Preferably, a downstream module is given the second time stamp assigned to an output and / or the first time stamps on which this output is based are transferred.

Preferably, the condition score is either also passed along with an output. Alternatively, the status evaluation together with a corresponding time stamp is provided to downstream modules or their monitoring units. In this way, the status evaluations can also be evaluated according to their time sequence and taking into account deviations in time.

If a first module transfers data in the form of an output as an input to a downstream second module, different error situations can be monitored by the time stamp transferred together with the data.

A second time stamp of the first module transmitted together with the data can be used together with the first time stamp assigned to this data by the second module to determine the time required for the transport of the data or the output of the first module to the input of the first module second module was required. An extension of this time difference from the first timestamp of the second module and the second timestamp of the upstream first module indicates problems in data transport, such as required error correction measures and retransmission of the data due to data loss may occur.

A determination of the quality of the connection between a module and one or more upstream modules and / or downstream modules determined in this way preferably also enters into the status evaluation of the respective module.

Preferably, at least a first module and a second module communicate wirelessly with each other, wherein an output of the first module is input to the second module and a state of the wireless connection using the second time stamp of the output of the first module and the first time stamp Input of the second module is determined.

Especially with wireless connections, the quality of the connection can be subject to strong fluctuations. Data can be lost during transmission due to interference, so they must be retransmitted. Furthermore, in particular, the transmission rate depends on the present conditions. The proposed evaluation of the time stamps can determine the time period required for the transmission, which is referred to as latency, as well as a variance of the latency, which is referred to as jitter. For an evaluation of the function of the control system or of the relevant modules, the latency and / or the jitter are preferably compared with predetermined limit values.

Preferably, timestamps received from a module in association with an input from an upstream module are forwarded to downstream modules, wherein a relayed timestamp is assigned to that output based on the respective inputs. In this way, once assigned first timestamp and / or second timestamps are permanently connected to data as they pass through the control system from module to module. Derived data, which is an output of one or more inputs, are thus associated with all timestamps of those inputs on which the particular output is based.

Preferably, a module communicates with a plurality of different upstream modules, each providing its outputs along with associated first timestamps, second timestamps, and / or passed timestamps as inputs to the module, the module providing the order for processing the inputs based on respectively assigned first timestamp, the second timestamp and / or the passed timestamp determines. Particularly preferably, the earliest time stamp is used.

The timestamps provided by the monitoring units allow a module to place the inputs in a correct chronological order, even if the respective inputs are subject to different delays in processing or in transmission, for example. For example, in the case of sensor data as inputs, the earliest timestamp may be used as an indicator to process the sensor data in the order of their origin. The time stamps thus ensure a temporal integrity of the data. Furthermore, a comparison of the earliest and the most recent time stamp allows an estimate of the time previously required for processing data by the control system. In turn, it can be evaluated regarding the performance of a module, parts of the control system or the entire control system, whether the sensor data or inputs in real time, ie within a predetermined maximum period, are processed or not.

Preferably, at least one module of the control system is a sensor module, wherein incoming Raw data from a sensor is input as input to the sensor module and processed measurement data is output as outputs, and the output is assigned a confidence value that indicates the reliability of the processed measurement data.

Preferably, this confidence value is assigned permanently to this output and to expenses derived therefrom. That is, a module that receives as input the output with an associated confidence value associates this confidence value with outputs based thereon.

The confidence value can be influenced, for example, by the current environmental conditions and / or by the current state of the corresponding sensor and represents an indicator of the instantaneous performance of the sensor and the quality of the corresponding processed measurement data. In this way, a monitoring unit can evaluate performance of the control system also include the instantaneous performance of the sensors involved.

The monitoring unit assigned to a module preferably monitors its function and provides availability information which characterizes at least one of availability, temporary non-availability or permanent non-availability.

With the indication "Available", the availability information indicates that the respective module is working within defined parameters and is currently available to the control system. The indication "temporarily unavailable" indicates that due to current circumstances which are not permanent, the corresponding module is not available to the control system. Examples include sensor modules whose associated sensors can not provide reliable measurement data due to current environmental conditions. Other examples include transient communication disturbances, such as a temporary lack of line of sight to a navigation satellite or temporary non-availability of a communication network. The indication "permanently non-available" indicates that the corresponding module is permanently not available for the control system due to an error.

The availability information can be taken into account, in particular when assessing the performance of the control system.

Preferably, in a module associated with a plurality of redundant upstream modules that provide their respective output with associated parameters selected from the condition score, availability information, confidence value, timestamp, and combinations of at least two of these parameters as inputs to the module a choice is made between the redundant inputs based on the condition evaluation of the upstream module, the availability information of the upstream module, the time stamps, the confidence values or a combination of several of these parameters. Preferably, the redundancy and the asymmetry of the control system design, as known by the design of the control system, are used as a criterion for selection between the inputs.

It is thus preferable, in addition to the output itself as well as the time stamps and / or confidence values assigned to this output, also to transmit the status indication and / or the status evaluation of the respective module to downstream modules.

Downstream modules can use the information transferred to select inputs for which an evaluation gives the highest reliability, given that there are multiple redundant inputs for creating an output. This score may take into account one or more parameters associated with the output received as input. If, for example, several redundant sensor modules are provided, one of which, for example, delivers measured data with a lower confidence value than the other one, then the one with the higher confidence value is selected as the input.

This gives the control system improved reliability, since modules can automatically detect errors in upstream modules based on the information provided by the monitoring units and select from provided by several redundant upstream modules inputs according to their rating. Alternatively or additionally, correction mechanisms can be activated and / or a repetition of the data transmission or calculation of the data can be requested.

Preferably, the control system further comprises at least one guard unit, which communicates with at least one of the monitoring units and wherein the at least one monitoring unit parameters selected from the condition assessment, the availability indication, confidence values and combinations of at least two of these parameters are transmitted to the guard unit, and wherein the Guard unit depending on one or more of these parameters performs an action selected from activating a module, disabling a module, restarting a module, switching to a spare module, outputting an error message, enabling correction mechanisms, and combining several of these actions.

Preferably, the at least one guard unit also has a clock, which is synchronized with the clocks of the monitoring units, so that all monitoring units and the at least one guard unit use a common time base.

Preferably, an instantaneous performance is determined by the guard unit for at least part of the control system based on one or more of the transmitted parameters. Particularly preferably, an instantaneous performance is determined for the entire control system. Furthermore, it is conceivable to create a prognosis for future performance for the entire control system or for parts of the control system on the basis of the transmitted parameters and / or the temporal development of the transmitted parameters.

Preferably, the guard unit compares the determined performance of the control system or part of the control system with a predetermined minimum requirement. If the predetermined minimum requirement is not met, the guard unit can perform an action, for example, selected from outputting an error message, deactivating the control system or the relevant part of the control system, switching to redundancies, activating correction mechanisms and a combination of at least two of these actions. In a deactivation can be provided to previously put the control system in a defined safe state.

Preferably, at least one module of the control system is an actuator module and based on the output of this actuator module, an actuator is driven.

The actuator module is preferably connected to the guard unit, which receives parameters from the monitoring module which is assigned to the actuator module. If a plurality of redundant actuator modules are provided in the control system, the guard unit, upon detection of a non-availability of an actuator module, can cause a module upstream of the respective actuator module to switch over to another of the redundant actuator modules.

In addition to monitoring using the described timestamps, the method preferably provides for ensuring the integrity of the inputs when transmitting from a module to a downstream module using checksums or hashing techniques. Furthermore, it is preferable to secure the origin of the data from a particular module using cryptographic techniques. It is also preferred to encrypt the data transmission between two modules of the control system.

Another aspect of the invention relates to an apparatus for monitoring a control system comprising a plurality of interconnected modules. The device comprises a multiplicity of monitoring units, wherein in each case one module of the control system is assigned to a monitoring unit. The device preferably comprises at least one guard unit.

The device is designed and / or set up to carry out one of the methods described herein. Accordingly, features described within the scope of the method also apply to the device and, conversely, features described within the scope of the device also apply to the methods.

The apparatus and method each provide a virtual time synchronized monitoring mechanism operating in parallel with the modules of the control system.

The described methods and the described device are in particular designed and / or set up for monitoring control systems of vehicles. In this case, the control system and the device can be completely assigned to a vehicle in one embodiment. In a further embodiment, the control system and the device are split between a vehicle and one or more infrastructure components that communicate with each other, for example via a wireless connection.

The individual modules of the control system, as well as the monitoring units and optionally the at least one guard unit of the device can each be designed as separate separate hardware components. Furthermore, two or more of the modules, monitoring units, and / or at least one guard unit may be implemented together in one hardware component. A hardware component may be embodied, for example, in the form of controllers, microcontrollers, system-on-chip modules and application-specific integrated circuits (ASIC).

Preferably, the proposed method and apparatus are used to monitor control systems that are configured to control an automatic or autonomous driving function of a vehicle. The monitoring preferably extends to all functions of the control system, which in addition to the operation of the vehicle also includes a secure updating of software, which is assigned to the control system or the individual modules.

Advantages of the invention

The proposed methods as well as the proposed device allow comprehensive monitoring of the operation of a control system, whereby a variety of potential errors can be detected. In particular, not only errors of individual modules, but also errors in the connection between two modules can be revealed. Advantageously, the monitoring is not restricted to specific, previously specified error images. Instead, the function of the control system is continuously monitored and the current performance of the control system is continuously evaluated. Likewise, an instantaneous performance as well as a performance capability of the control system can be monitored.

In addition to the usual safeguarding of a data transfer with checksums, the provision of the time stamp also allows to ensure a temporal integrity of data. The correct chronological order can advantageously be related not only to the respective last step, but, for example, in the case of sensor data, the respective time of the measurement can be taken into account.

Due to the information and parameters transmitted in addition to an input, a module can independently detect errors in upstream modules and select from redundant inputs those with the highest reliability.

The monitoring is also not limited to specific operating states of the control system and thus extends in addition to a normal operation in particular to maintenance conditions such as the safe updating software of the control system.

From the determined status evaluations of the individual monitoring units, it is also possible to check for the entire control system or for a part of the control system whether the current capacity meets a predetermined minimum requirement. In this way, the security of the control system is continuously ensured.

list of figures

• Die Figur zeigt schematisch ein Steuerungssystem mit einer erfindungsgemäßen Vorrichtung zur Überwachung eines Steuerungssystems.

An embodiment of the invention is illustrated in the drawing and explained in more detail in the following description.

• The figure shows schematically a control system with a device according to the invention for monitoring a control system.

Embodiments of the invention

The figure shows schematically a control system 10 with a variety of modules 100 which communicate with each other. In the example shown in the figure are a first sensor module 131 and a second sensor module 132 shown, wherein the first sensor module 131 with a first sensor 111 and the second sensor module 132 with a second sensor 112 connected is. Arrows each indicate that the sensors 111 . 112 Raw data to the sensor modules 131 . 132 transfer.

Each of the sensor modules 131 . 132 is with two logic modules 141 . 142 connected, so that a first logic module 141 Inputs from both the first sensor module 131 as well as the second sensor module 132 can receive and according to a second logic module 142 Inputs from both the first sensor module 131 as well as the second sensor module 132 can receive. Each of the logic modules 141 . 142 again stands with two actuator modules 151 . 152 in connection. The first actuator module 151 can input from both the first logic module 141 as well as from the second logic module 142 receive. The second actuator module 152 can also input from both the first logic module 141 as well as from the second logic module 142 receive.

The first actuator module 151 stands with a first actor 161 in connection and the second actuator module 152 stands with a second actor 162 in connection. Arrows indicate again that an output of one of the actuator modules 151 . 152 the corresponding actuator 161 . 162 controls.

Each of the modules 100 is each a monitoring unit 200 associated with the function of that module 100 monitored and evaluated. There is also a guard unit 300 provided with each of the monitoring units 200 communicates.

In a first example situation is the control system 10 completely assigned to a vehicle, that is, all components shown in the figure are arranged on or in the vehicle.

At the first sensor 111 In the first example, this is a first radar sensor and the second sensor 112 it is, for example, a second radar sensor. The sensors 111 . 112 as well as the sensor modules 131 . 132 are redundant. The respective sensor raw data are passed through the sensor modules 131 . 132 processed, wherein upon receipt of Sensorrohdaten this by the respective monitoring unit 200 a first timestamp is assigned. After the sensor raw data has been processed into measured data, it is transmitted by the monitoring unit 200 assigned a second timestamp. Furthermore, the measurement data is assigned a confidence value. The sensor modules 131 . 132 associated monitoring units 200 determine a difference between the first and second timestamps. From this difference and the confidence value a conditional evaluation is calculated which is sent to the guard unit 300 is transmitted.

The processed measurement data of the first sensor module 131 and the second sensor module 132 are each as inputs to the first logic module 141 and the second logic module 142 transmitted. In this case, by the respectively assigned monitoring unit 200 based on by the monitoring unit 200 of the respective sensor module 131 . 132 assigned first time stamp ensures the correct chronological order in the processing of the inputs. Furthermore, it is checked whether the assigned confidence value is above a predetermined limit value. From the redundant sensor data those inputs are selected which have been classified as reliable. Unreliable inputs are discarded. Based on the inputs create the first logic module 141 and the second logic module 142 an output which serves to control the vehicle.

The guard unit 300 receives continuously from all monitoring units 200 Availability information. For example, is the first actor 161 defective, so can the first actuator module 151 incorrectly respond to input, which is due to the associated monitoring unit 200 discovered and sent to the guard unit 300 is reported. This then reports to the logic modules 141 . 142 in that the first actuator module 151 is not available and therefore the second actuator module 152 to use.

In this example, the second actuator module is replaced 152 two inputs which are independent from the first logic module 141 and the second logic module 142 be provided as expenses. The inputs are made by the second actuator module 152 compared to each other. If the redundantly created inputs deviate from one another, the second actuator module can 152 Using the accompanying associated information, select the input with the higher reliability and based on the second actuator 162 drive. Would be instead of the first actuator module 151 the second actuator module 152 not available, so would the first actuator module accordingly 151 the inputs of the logic modules 141 . 142 receive.

In a second example, the first sensor is 111 a sensor associated with an infrastructure component. Also the first sensor module 131 is assigned to this infrastructure component and has a wireless connection to the logic modules 141 . 142 in connection. The other hardware components of the control system 10 , in particular the second sensor 112 and the second sensor module 132 are assigned to a vehicle and arranged in or on this.

In this second example, the logic modules use 141 . 142 the earliest timestamp associated with an input to that from the sensor modules 131 . 132 in a correct chronological order. In this way, the measurement data of the sensors 111 . 112 in the order of their creation and not in the order of arrival in the logic modules 141 . 142 are processed. Furthermore they monitor the logic modules 141 . 142 associated monitoring units 200 the transmission quality of the wireless connection to the first sensor module 131 , This transmission quality flows into a condition evaluation which is sent to the guard unit 300 is transmitted. The guard unit 300 can then for the control system 10 determine an instantaneous performance. This instantaneous performance can be compared to a predetermined minimum requirement. If the specified minimum requirement is exceeded, countermeasures such as the transfer of the control system 10 in a safe state and then deactivating the control system 10 be made.

The invention is not limited to the embodiments described herein and the aspects highlighted therein. Rather, within the scope given by the claims a variety of modifications are possible, which are within the scope of expert action.

QUOTES INCLUDE IN THE DESCRIPTION

This list of the documents listed by the applicant has been generated automatically and is included solely for the better information of the reader. The list is not part of the German patent or utility model application. The DPMA assumes no liability for any errors or omissions.

Cited patent literature

• DE 102015209116 A1 [0004]
• DE 102014219540 A1 [0005]
• DE 102013107962 B4 [0006]

Claims (12)

A method of monitoring a control system (10) comprising a plurality of interconnected modules (100) which receive one or more inputs at at least one input and provide output based on these inputs at an output, characterized in that the control system (100) 10) comprises a plurality of monitoring units (200) and each module (100) is assigned a monitoring unit (200), wherein all monitoring units (200) use a common synchronized time base for time stamps, by the associated monitoring unit (200) from the module (100). is assigned a first timestamp by the associated monitoring unit (200), the outputs (100) provided by the module (100), wherein at a transfer of an output as input to an input of a downstream module (100) at least one timestamp with pass wi and wherein each of the monitoring units (200) generates a state score for the respective module (100) associated with the respective monitoring unit (200), wherein a time difference between the second time stamp of the output and the first time stamp of the at least one input on the this issue is based, is considered. Method according to Claim 1 , Characterized in that a downstream module (100) of the associated output of a second time stamp is transferred to and / or that the first time stamp is passed from inputs on which this output is based. Method according to Claim 1 or 2 characterized in that at least a first module (100) and a second module (100) are wirelessly in communication with one another, wherein an output of the first module (100) is provided as input to the second module (100) and a state of wireless Connection using the second timestamp of the output of the first module (100) and the first timestamp of the input of the second module (100) is determined. Method according to one of Claims 1 to 3 characterized in that timestamps received from a module (100) in association with an input from an upstream module (100) are forwarded to downstream modules (100), a handover timestamp being assigned to that output based on the respective inputs. Method according to one of Claims 1 to 4 characterized in that a module (100) communicates with a plurality of different upstream modules (100) each providing their outputs along with associated first timestamps, second timestamps, and / or handed-over timestamps as inputs to the module (100), wherein the module (100) determines the order for processing the inputs based on the respectively associated first timestamps, the second timestamps and / or the passed-on timestamps. Method according to one of Claims 1 to 5 characterized in that at least one module (100) is a sensor module (131, 132), incoming raw data from a sensor (111, 112) being input to the sensor module (131, 132) and processed measurement data being output as outputs, and the output is assigned a confidence value that indicates the reliability of the processed measurement data. Method according to one of Claims 1 to 6 characterized in that the monitoring unit (200) associated with a module (100) monitors its function and provides availability indications indicating at least one of availability, temporary non-availability or permanent non-availability. Method according to one of Claims 1 to 7 characterized in that a module (100) is in communication with a plurality of redundant upstream modules (100) which select their respective output with associated parameters selected from condition evaluation, availability information, confidence value, timestamping, and combinations of at least two of these parameters as inputs Module, wherein a selection between the redundant inputs based on the condition assessment of the upstream module, the availability information of the upstream module, the timestamps, the confidence values or a combination of several of these parameters. Method according to one of Claims 1 to 8th characterized in that the control system (10) further comprises at least one guard unit (300) in communication with at least one of the monitoring units (200), and wherein at least one monitoring unit (200) selects parameters selected from condition evaluation, availability information, the confidence value and combinations of at least two of these parameters are transmitted to the guard unit (300), and wherein the guard unit (300) performs an action selected from activating one or more of these parameters a module (100), disabling a module (100), restarting a module (100), switching to a spare module, activating correction mechanisms, outputting an error message, and combinations of several of these actions. Method according to Claim 9 characterized in that the guard unit (300) determines a current performance for at least a portion of the control system (10) based on one or more of the communicated parameters. Method according to one of Claims 1 to 10 , characterized in that at least one module (100) is an actuator module (151, 152), and based on the output of an actuator (161, 162) is driven. Apparatus for monitoring a control system (10) comprising a plurality of interconnected modules (100), characterized in that the apparatus comprises a plurality of monitoring units (200), one module (100) each being associated with a monitoring unit (200) and wherein the control system (10) is arranged, one of the methods according to one of Claims 1 to 11 perform.

Images