DE10330695B4 - Fail-safe program - Google Patents

Abstract

The method for controlling components of a transport means, whereby a program loaded in a control unit controls the components based on a sensor or input signal. When the control unit boots-up initialization data is loaded which includes limiting conditions for controlling the components. Once the control unit is booted up the initialization data are periodically loaded from a work memory of the control unit microcomputer so that the data are automatically cyclically reset to their correct values, even if an unforeseen program crash has taken place.

Description

The The invention relates to a method for controlling components of a Means of transport, wherein a program implemented on a controller polls an input signal from a sensor or input means and drives one or more components based on the input signal when booting the controller initialization data such as Variables, interrupts and / or parameters from a storage means loaded into a working memory of a microcomputer of the control unit be to the for the control of the components necessary boundary conditions for the program and in which the input signal is polled cyclically by the program or repeatedly provided to the program.

From WO 96/41273 a method for controlling components of a means of transport is known. Via a data bus within the means of transport, a plurality of control units are networked with each other and each control unit is electrically connected via connecting lines directly to various actuators, sensors or input means. As there in particular in 5 can be transmitted via a keyboard, mouse or trackball or via audio media such as a CD-ROM input signals to a control unit. The control unit controls components of the means of transport, such as a display, the telephone or a video camera, based on the input data.

The control unit has a microcomputer with memory and a storage means which in the de-energized state initialization data, such as variables, Restores interrupts and / or parameters. This initialization data is necessary when booting up the controller, around the running on the microcomputer programs with the necessary Conditions to ensure a proper program flow to guarantee. The initialization data include characteristics or maps, which include, for example, engine control data, or belong to it Parameters such as speed values or speed values that a Trigger switching of the automatic gearbox. In terms of a video camera can be a zero position over Parameter defined and related to a seat electronics within of a means of transport a basic setting of the seat and the end positions of the individual adjustable seat elements over the parameters are set. The initialization data are by definition those data that the program needs to start the program to run properly.

such on control units implemented software programs often use a polling method, to query input signals. These are the sensors or Input means, such as switches, buttons, a mouse or a touch screen, coming Input signals via Transfer analog lines to the controller and there converted analog / digital. The digital value, the switch-on or switch-off indicates is at a designated space in the storage means of the control unit stored. The program can then cyclically store this storage means Queries, d. H. through a cyclic polling procedure. As a result, the program is aware of the switch position every cycle.

To Problems arise with such programs in means of transport due to EMC interference (Electromagnetic Compatibility). This EMC interference caused by induced voltages on lines inside the transport are coupled. This will cause input signals falsified or whole data areas in the storage means with respect to the stored ones Data destroyed. In the simplest case, the program then reads incorrect data from the main memory and the program is executed incorrectly. More problematic are such Error if the complete program sequence is interrupted due to the EMC interference and the program can not be continued. Especially at such polling method The problem is that even fault detection routines often go through strong EMC interference falsified become. As a result, it happens that, for example, the display and driver information system due to the EMC interference no longer recognize the input by sensors or input means can because the program has crashed. Such serious bugs can often only be done by rebooting of the means of transport. Until this happens, often follow errors in program execution, so that such bugs can reproduce and over the Data bus also neighboring control devices in the execution of their Disturb function can.

The DE 199 63 214 A1 discloses a method for a control unit, which is restarted at low voltage, eg. When starting the engine. In order not to have to repeat the entire initialization process when restarting, a time memory is carried along and the restart of the vehicle is then started after the startup of the microcomputer where it was canceled. A procedure that detects information before resetting a microcomputer is also shown by the DE 195 13 939 A1 ,

It is an object of the present invention to develop a method of the type mentioned in such a way that implemented on ECUs software programs ensure a fail-safe program flow without the transport must be restarted in program flow disturbances.

These The object is achieved by the Characteristics of claim 1 solved. In the process, the initialization data loaded when the control unit starts up after starting up the control unit additionally cyclically from the storage means loaded into the memory of the microcomputer and the program is put into a defined initial state, so that the program even after an unforeseen crash after the cyclical Loading the initialization data automatically from the defined initial state continues, the Control components of the means of transport.

According to the invention is recognized been that the program cyclically in. After a period of time an initial state can be offset and from this initial state can restart. This is a second cycle with a cycle time for example, from 1 to 30 seconds during which both the initialization data into the main memory of the Microcomputers are loaded, the program is re-stored in memory is loaded and the program starting from the defined initial state starts to interrogate the input signals of the sensor or the input means. Since the program always expires after the second cycle all initialization data is restarted, it plays no Whether in the meantime a program failure took place Has.

For example related to a seat control or the driver information system can be control units with their programs put back into an executable state and the seat adjustments or the reading of telephone book data is also still possible, after a program crash has taken place. By the cyclic restart of the program with all initialization data let yourself after a short disturbance phase, mostly not noticed by the vehicle operator, adjust the seat again, or be in the driver information system the right data is displayed. Restarting the program allows also a proper fault diagnosis and error handling by other software programs by the program could not have completed the error routine.

The Input signals of the sensors and input means are within one polled cyclically. The duration of the first cycle may be, for example a few milliseconds. The Sitzverstellschalter is, for example queried by the program within a cycle of 10 milliseconds. The second cycle for restarting the program takes a few seconds or a few minutes. As a result, the second cycle is longer than the first cycle for Query of the input signals. This allows for a certain period of time an undisturbed execution the program on the controller, until then the second cycle has expired and the program restarts becomes. The program restart is designed so that a possible short duration to reload the initialization data and start of the program is provided by a defined initial state. By the overlay the first cycle with the second cycle to restart the program a very high failure safety (fail-safe functionality) is possible.

The Input signal of the sensors or input means is in an input storage means in the control unit cached and gets off the program with the first cycle each queried. The program goes through the polling routine a program loop cyclically and continuously to the input signal query. The input signals can but also about a so-called interrupt mode the microcomputer provided with the microcomputer interrupting the program to make the change store in the input signal in the main memory and this at the program execution to take into account. The query of the input signals by interrupt is only suitable for very high-priority input data, because every time the program flow is interrupted.

at a development of the invention is in addition to the program and the Microcomputer, especially during the operation of the means of transport, cyclically in an initial state added. For this example, the reset pin of the microcomputer automatically populated with a reset signal, allowing the microcomputer goes into its reset state and starts from this, where the initialization data and all other data as at startup of the entire control unit be reloaded. This procedure ensures that next to the failed Program also all further on the control unit existing programs are restarted and so a secure function allows is. It can now be provided that with a second cycle a program start is performed cyclically and with a third Cycle, for example after half an hour of the microcomputer is transferred to the reset state, so that on the one hand cyclically a program start takes place and on the other hand Cyclically the microcomputer itself is restarted.

In another embodiment of the invention, a so-called cold start of the control device may be provided by the microcomputer de-energized for a short time and restarting after the transient condition over the reset state. In this way even serious software errors within the data bus system in a means of transport can be remedied.

at monitored a particularly advantageous embodiment of the invention a watchdog the second cycle to start the program. The watchdog is a routine that checks if that Program was put into the defined initial state, and the can additionally check whether the initialization data has been reloaded. The watchdog signals in the absence of the defined program start an error to to start an error routine. The watchdog is mostly a software routine executed however, it can also be implemented in hardware using logic gates.

Of the Watchdog brings significant error security for the controller of the components, since an error signal is generated when the program is not restarted cyclically. In this way a program failure is detected immediately after the second cycle has expired. The watchdog checks if the Initialization data, such as variables, interrupts and Parameters are reset after the second cycle has elapsed. Of the Watchdog can also check if the microcomputer has been reset. In addition to reviewing the second cycle, the watchdog or a separately arranged therefrom Watchdog check if the input signals in the input memory means after expiration of the first Cycle were rewritten. The watchdog can also change edges, d. H. from high to low edge or vice versa, detect and fail such an edge change in the input signal report an error. Of the Watchdog prefers to check whether the program is going through a particular command line. For example, the watchdog checks whether the command line "Go to the reset start address "(Beg the program).

Prefers the watchdog is independent from the microcomputer of the controller, on which the program runs, provided so that when a program crash the watchdog continues. In addition to the watchdog are various error handling programs present on the microcomputer, which is a plausibility check of the perform data in memory and detect errors that occur not by the program itself, but by a failed sensor originate.

The Input storage means may be rewritten, for example Memory can be provided, which is also in the de-energized state of the microcomputer retains its last saved information. For example, here a flash memory may be provided. In the input memory means can then in each case also the last and penultimate input signal in digital Form restored so that when the program is restarted, the last state of the Input means is known. For example, in the event of a program failure back in the input memory means stored that the driver had switched on the seat heater, before the program has failed or before the program is in its by default cyclic Process has been restarted. In this way it is possible one Restart the program and, if necessary, the microcomputer without that the driver of the means of transport through the program restart or the Error disturbed or charged.

It are now different ways to design the teaching of the present invention in an advantageous manner. On the one hand to the subordinate claims and on the other hand, to the following explanation of the method according to the invention to refer.

In The drawing is a flow chart of the method according to the invention shown for controlling components of a means of transport.

The method for controlling components in a means of transport is particularly suitable for seat control including seat adjustment, cooling, seat heating and seat massage functions, as well as the vehicle display for retrieving input data relating to audio and video functions. If the means of transport is opened, for example, via an electronic vehicle key or via a mechanical vehicle key, the control units arranged on the interior data bus of the means of transport travel in the first method step 1 high. From a read-only memory then the initialization data in step 2 loaded from a read-only memory in the main memory of the respective control unit. Parallel to this or later, the program will be added 3 started and starts to execute the implemented functions. One of these functions is the polling of the input signals from the sensors and input means 4 , Is thereby by a sensor or an input means, such as a switch, at 5 receive a new input signal, the program usually changes the control 6 of the components. Without an input signal, the changed control will normally occur 6 the components omitted and the components are still controlled in the previous way.

As long as the second cycle time has not expired 7 , the input signals are included 4 cyclically with a first cycle time from the input memory tel queried. At the end of the second cycle time, the program enters the program loop 9 and initially the initialization data is included 2 reloaded and the program is reloaded, and at 3 the program will be restarted. The second cycle 9 is not controlled by the program itself, but initiated by an independent component, so that the second cycle 9 even with crashed program works. The initialization data and the program itself are loaded by a first watchdog 10 monitored during the program even by a second watchdog 11 is monitored.

With the method according to the invention for controlling components of a means of transport, programs for the cyclic retrieval of input signals can prevent a crash of the interrogation routine from crippling the entire data bus system. In an alternative embodiment, after the second cycle time has elapsed, the entire control unit can also be used 1 be started up and thereby cyclically a ECU or microcomputer reset can be performed. This ensures that after the second cycle time has elapsed, the program will reboot every time. The monitoring by the two watchdogs ensured that the program was started. This creates a particularly fail-safe program routine for querying input signals of components of a means of transport.

Claims (5)

Method for controlling components of a means of transport, wherein a program implemented on a control unit receives an input signal ( 4 ) from a sensor or an input means and, based on the input signal, one or more components ( 6 ), at which at startup ( 1 ) of the control unit initialization data such as variables, interrupts and / or parameters are loaded from a storage means in a working memory of a microcomputer of the control unit to set the necessary conditions for the control of the components boundary conditions for the program, and wherein at startup ( 1 ) of the control device loaded initialization data after the startup of the control unit in addition after a predetermined period of time from the storage means in the main memory of the microcomputer ( 2 . 9 ) and the input signal ( 4 ) is polled cyclically by the program in a first cycle, characterized in that a second cycle ( 9 ) during which both the initialization data and the program are newly loaded into the working memory of the microcomputer, and that the program is in a defined initial state ( 14 ), so that even after an unforeseen program crash after the cyclic loading of the initialization data, the program automatically moves from the defined initial state ( 14 ) continues to control the components of the means of transport and that a watchdog ( 10 . 11 ) the second cycle ( 9 ) and in the absence of the defined program start ( 3 ) signals an error to start an error routine. Method according to claim 1, characterized in that in a second cycle ( 9 ) the program from the defined initial state ( 3 ) and that the second cycle ( 9 ) lasts longer than the first cycle ( 8th ). Method according to Claim 1 or 2, characterized in that the input signal is buffer-stored in an input memory means and, with the first cycle ( 8th ) is queried by the program. A method according to claim 1, characterized in that the microcomputer during operation of the means of transport cyclically in the initial state ( 9 ). Method according to claim 1, characterized in that the initial state is a reset state ( 3 ) is in which the microcomputer is briefly de-energized and resumes from the reset state.