WO2013164224A2 - Method and device for monitoring functions of a computer system, preferably an engine control system of a motor vehicle - Google Patents
Method and device for monitoring functions of a computer system, preferably an engine control system of a motor vehicle
- Publication number
- WO2013164224A2 (application PCT/EP2013/058382, EP2013058382W)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- monitoring
- level
- safe mode
- program
- operated
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/16—Error detection or correction of the data by redundancy in hardware
- G06F11/1629—Error detection by comparing the output of redundant processing systems
- G06F11/1641—Error detection by comparing the output of redundant processing systems where the comparison is not performed by the redundant processing components
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/0703—Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
- G06F11/0706—Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation the processing taking place on a specific hardware platform or in a specific software environment
- G06F11/0736—Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation the processing taking place on a specific hardware platform or in a specific software environment in functional embedded systems, i.e. in a data processing system designed as a combination of hardware and software dedicated to performing a certain function
- G06F11/0739—Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation the processing taking place on a specific hardware platform or in a specific software environment in functional embedded systems, i.e. in a data processing system designed as a combination of hardware and software dedicated to performing a certain function in a data processing system embedded in automotive or aircraft systems
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/0703—Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
- G06F11/0751—Error or fault detection not based on redundancy
- G06F11/0754—Error or fault detection not based on redundancy by exceeding limits
- G06F11/076—Error or fault detection not based on redundancy by exceeding limits by exceeding a count or rate limit, e.g. word- or bit count limit
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/0703—Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
- G06F11/0793—Remedial or corrective actions
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/0796—Safety measures, i.e. ensuring safe condition in the event of error, e.g. for controlling element
Definitions
- Method and device for monitoring functions of a computer system, preferably an engine control system of a motor vehicle
- The invention relates to a method for monitoring functions of a computer system, preferably an engine control system of a motor vehicle, which has at least two arithmetic units, at least one first arithmetic unit being operated in a safe mode.
- In safety-related applications, in particular in motor vehicles, it is customary to monitor functions of the computer program that have safety-relevant properties. Specially provided monitoring functions are used for this purpose. These monitoring functions either validate the results of the functions to be monitored or check critical resources. The monitoring function itself is often classified as particularly important and worthy of protection. Therefore the monitoring functions are themselves monitored, as in the three-level concept used for engine control in automobiles.
- A method for monitoring functions of a computer system having at least two execution units, in which the execution units are switched between at least two operating modes: a first operating mode corresponds to a comparison mode, in which the two execution units execute identical or similar commands, program segments or programs and the output signals of the two execution units are compared with each other; a second operating mode corresponds to a performance mode, in which the execution units execute different commands, program segments or programs in parallel. A first function is monitored by a second, monitoring function.
- In this method the monitoring function is executed in comparison mode on at least two execution units, which further safeguards the monitoring.
- However, this method is not feasible on all computer architectures, since it requires switching between the operating modes.
- The invention is therefore based on the object of specifying a method for monitoring functions of a computer system in which the independence between the monitored function and the monitoring is given and which can be executed on general computer architectures.
- This object is achieved by running a monitoring level of a computer program executed on the computer system, which monitors an application level of the computer program, on the first arithmetic unit operated in the safe mode.
- This has the advantage that the monitoring level is processed on a different arithmetic unit than the function to be monitored, in the form of the application level.
- The method is multi-core capable: it makes optimal use of the selected computer architectures without being limited to them.
- The secured mode is realized by lockstep operation or fault-redundant operation.
- This method can be executed on a general type of computer architecture, since the monitoring level is always processed on a secured arithmetic unit and there is at least one further arithmetic unit, which does not necessarily have to be secured, on which, for example, the functions of the application level are processed. Because the monitoring level is secured, it can be considered more trustworthy than other parts of the computer program.
- The computer program is divided into computational program parts belonging to the monitoring level and computational program parts not belonging to the monitoring level; in particular, the computational program parts are checked for affiliation to the monitoring level, and once affiliation is confirmed these computational program parts are assigned for processing to the arithmetic unit operated in the safe mode.
- Further computational program parts belonging to the application level and/or to a security level that monitors the monitoring level are also processed by the arithmetic unit operated in the safe mode.
- This is particularly advantageous whenever the arithmetic unit operated in the safe mode is not fully utilized by the functions of the monitoring level.
- Safety-relevant computational program parts of the application level and of the security level, which monitors the monitoring level, can thus also be processed on the first arithmetic unit.
- The computational program parts that do not belong to the monitoring level are further subdivided according to whether or not they are monitored by the monitoring level; the computational program parts that are not monitored by the monitoring level are supplied for processing to the second arithmetic unit, which does not have a safe mode.
- This allows a clean separation of monitored and unmonitored functions, since they are processed on different arithmetic units. Spatial independence is achieved by the distribution to different arithmetic units, because the monitoring is performed by a different hardware element than the execution of the monitored functions.
- The computational program parts belonging to the monitoring level, or the safety-relevant computational program parts belonging to the application level and/or the security level, are combined into at least one security object, preferably a runtime object, which is managed by an operating system. This grouping allows the security objects to be run via the operating system on the first arithmetic unit operated in the safe mode.
- With a suitable operating system strategy, for example a time-controlled strategy, temporal independence between the monitoring and the monitored object can also be represented very well.
- The at least one security object accesses a defined memory area of the first arithmetic unit operated in the safe mode which is provided exclusively for the security object.
- The security objects have their own memory area, which only they can access. Such a memory limit further increases the independence between the monitoring and the monitored object.
- The memory area provided for the security object is protected by a memory protection unit, whereby it is preferably ensured that no computer program being processed on the second arithmetic unit accesses the memory area.
- At least one element of a monitoring periphery of the computer system directly accesses only the first arithmetic unit operated in the safe mode.
- The influence of the second arithmetic unit on the first arithmetic unit, or on the elements of the monitoring periphery controlled by it, is further suppressed, in particular whenever they are connected to the first arithmetic unit in such a way that they are configured and read out or controlled by the first arithmetic unit.
- A development of the invention relates to a device for monitoring functions of a computer system, preferably an engine control system of a motor vehicle, which has at least two arithmetic units, at least one first arithmetic unit being operated in a safe mode.
- In a device in which the independence of the monitored function and the monitoring, and the proof of that independence, are given, means are provided which run a monitoring level of a computer program processed on the computer system, which monitors an application level of the computer program, on the first arithmetic unit operated in the safe mode.
- This has the advantage that the monitoring level is processed on a different arithmetic unit than the function to be monitored, in the form of the application level, whereby the independence between monitored function and monitoring function is given. This separation is independent of the computer architecture used.
- In the safe mode the first arithmetic unit forms a lockstep pair with a third arithmetic unit, the first and third arithmetic units processing the same program sequences, whose output signals are evaluated for error monitoring in a comparator.
- This embodiment allows a structurally simple monitoring of the monitoring level.
- The invention allows numerous embodiments. One of them is explained in more detail with reference to the figures in the drawing, which show:
- Figure 1: an embodiment of the device according to the invention
- Figure 2: a safety concept for an engine control system of a motor vehicle
- Figure 3: a flow chart for the method according to the invention
- Figure 1 shows a computer architecture as used in an engine control unit of a motor vehicle.
- The computer architecture is designed as a microprocessor 1 and contains three arithmetic units 2, 3, 4, designated as computer cores.
- The arithmetic unit 2 is connected directly to a system bus 5, while the arithmetic units 3 and 4 are connected to the system bus 5 via a comparator 6. In this arrangement, the arithmetic unit 3 is monitored by the arithmetic unit 4.
- The arithmetic units 3 and 4 form a so-called lockstep pair.
- The three-level concept shown in Figure 2 has all the application functionalities of the engine control in a first application level 11.
- In the monitoring level 12, the application functionalities of the application level 11 are monitored by monitoring functions, while the security level 13 in turn monitors the functions of the monitoring level 12.
- In the application level 11, which includes the application functionalities, the calculation of the torque to be set by the engine takes place as a particularly safety-relevant part. This torque affects the acceleration of the vehicle. In the simplest safety case, only an excessively high torque is to be classified as critical, and this can be detected by the second, monitoring level 12 by means of the monitoring functions. In somewhat more complex cases, for example, too small a torque may already be classified as safety-relevant and must then also be determined by the monitoring level 12.
- In the monitoring level 12, the monitoring of this torque takes place. This can be carried out, for example, by the monitoring level 12 likewise calculating a torque, or an upper and/or lower limit for the torque, and then checking whether the torque calculated by the application level 11 coincides with the torque calculated in the monitoring level 12 or lies within tolerated limits. Another possibility is to check the plausibility of the torque calculated by the application level 11 against other sensor signals, e.g. the driver-request acquisition. A limit determined from a map can also be used. If the monitoring functions of the monitoring level 12 determine that the torque calculated by the application level 11 is wrong in a safety-relevant manner, they can initiate suitable countermeasures for establishing a safe state. Such countermeasures include, for example, shutdown, triggering a reset, or limiting the torque.
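As an added illustration of the torque check described above (example code written for this page, not taken from the patent), the following C routine plays the role of the monitoring level 12: it recomputes an expected torque from the driver request and a constructed engine-speed map, derives an upper and, optionally, a lower limit, and selects one of the countermeasures the text names. The map values, the 20 Nm tolerance, the pedal-based plausibility model and the escalation policy (clamp first, then reset or shutdown after three consecutive faults) are assumptions, not figures from the patent.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Countermeasures named on the page: limit the torque, trigger a reset, shut down. */
typedef enum {
    ACTION_NONE = 0,
    ACTION_LIMIT_TORQUE,
    ACTION_RESET,
    ACTION_SHUTDOWN
} countermeasure_t;

typedef struct {
    int32_t torque_nm;          /* torque the monitoring level lets through */
    countermeasure_t action;
    uint8_t fault_count;        /* consecutive implausible values (debounce) */
} monitor_result_t;

/* Constructed map (assumption): maximum permissible torque in Nm over engine speed in rpm */
static const int32_t MAP_RPM[]    = {1000, 2000, 3000, 4000, 5000, 6000};
static const int32_t MAP_MAX_NM[] = { 150,  220,  260,  250,  220,  180};
#define MAP_N (sizeof(MAP_RPM) / sizeof(MAP_RPM[0]))

#define TOL_NM         20   /* tolerated deviation between the two torque calculations (assumption) */
#define FAULT_DEBOUNCE  3   /* consecutive faults before escalating to reset/shutdown (assumption) */

/* Limit taken from the map: linear interpolation between breakpoints, clamped at the ends */
int32_t map_max_torque(int32_t rpm)
{
    if (rpm <= MAP_RPM[0]) return MAP_MAX_NM[0];
    for (size_t i = 1; i < MAP_N; i++) {
        if (rpm <= MAP_RPM[i]) {
            int32_t d_rpm = MAP_RPM[i] - MAP_RPM[i - 1];
            int32_t d_nm  = MAP_MAX_NM[i] - MAP_MAX_NM[i - 1];
            return MAP_MAX_NM[i - 1] + d_nm * (rpm - MAP_RPM[i - 1]) / d_rpm;
        }
    }
    return MAP_MAX_NM[MAP_N - 1];
}

/* Monitoring-level check of the torque computed by the application level.
 * The monitor recomputes an expected torque from the driver request (pedal position)
 * and the map, forms an upper and optionally a lower limit, and escalates after
 * FAULT_DEBOUNCE consecutive violations. The escalation policy is an assumption. */
monitor_result_t monitor_torque(int32_t app_torque_nm, int32_t pedal_pct, int32_t rpm,
                                bool check_lower, uint8_t prev_faults)
{
    monitor_result_t r = { app_torque_nm, ACTION_NONE, 0 };
    int32_t map_max  = map_max_torque(rpm);
    int32_t expected = map_max * pedal_pct / 100;   /* independent recalculation */
    int32_t upper = expected + TOL_NM;
    int32_t lower = expected - TOL_NM;
    if (upper > map_max) upper = map_max;           /* the map is a hard ceiling */
    if (lower < 0) lower = 0;

    bool too_high = app_torque_nm > upper;
    bool too_low  = check_lower && app_torque_nm < lower;
    if (!too_high && !too_low)
        return r;                                   /* plausible: fault counter resets */

    r.fault_count = (uint8_t)(prev_faults + 1);
    if (r.fault_count >= FAULT_DEBOUNCE) {
        /* persistent fault: safe state (too high -> shutdown, too low -> reset) */
        r.action    = too_high ? ACTION_SHUTDOWN : ACTION_RESET;
        r.torque_nm = 0;
    } else if (too_high) {
        r.action    = ACTION_LIMIT_TORQUE;          /* clamp to the permitted limit */
        r.torque_nm = upper;
    }
    /* a transient too-low value is only counted: the monitor never raises torque */
    return r;
}

int main(void)
{
    uint8_t faults = 0;
    /* constructed sequence: the application level keeps requesting 250 Nm at 80 % pedal, 2500 rpm */
    for (int cycle = 0; cycle < 4; cycle++) {
        monitor_result_t r = monitor_torque(250, 80, 2500, false, faults);
        printf("cycle %d: torque %d Nm, action %d, faults %u\n",
               cycle, r.torque_nm, r.action, r.fault_count);
        faults = r.fault_count;
    }
    return 0;
}
```

The point of the structure is that the monitor's own torque estimate and its limits come from inputs (pedal position, engine speed, map) and code that the application level does not touch; on the architecture of Figure 1 this routine would be one of the program parts placed on the lockstep pair 3, 4.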
- The security level 13 is intended to monitor the functionality and the actual functioning of the monitoring level 12. Only if it is ensured that the monitoring level 12 actually works can it be assumed that the monitoring implemented by the monitoring level 12 actually prevents a safety-critical state. The correct and error-free functioning of the monitoring level 12 is therefore of great importance for such a safety concept. For this reason, the monitoring functions of the monitoring level 12 are processed on the lockstep pair consisting of the arithmetic units 3, 4. The software thereby sees the two arithmetic units 3, 4, which work in a safe mode, only as a single computer core.
- The assignment of the software, stored as a computer program, to the arithmetic units 2, 3, 4 for processing can then be made according to the following flow chart.
- The computer program running on the microprocessor 1 is divided into the three known levels 11, 12, 13.
- A predetermined computer program part is checked as to whether it belongs to the monitoring level 12 of the safety concept of the motor vehicle. If so, then in block 9 this computer program part is assigned to the lockstep pair 3, 4 for processing. If the examined computer program part does not belong to the monitoring level 12, there is no fixed assignment of the computer program part to be processed to an arithmetic unit 2 or 3 (block 10).
- With a suitable operating system strategy, for example a timed strategy, temporal independence between the monitoring and the monitored object can thus also be presented and argued very well.
- The individual functions, regardless of their affiliation to the levels 11, 12, 13, are divided into intervals of 5 ms, 10 ms, etc. This is particularly advantageous when functional interrupts are not executed on the monitored arithmetic unit 3.
- This also allows the functions of the computer program to be divided not only along temporal differences but also along their safety-related relevance.
- A particular advantage is obtained if, in block 7, the computer program is decomposed not only into functions of the monitoring level 12 and functions not belonging to the monitoring level 12, but the computational program parts not belonging to the monitoring level 12 are further decomposed according to whether or not a given computational program part is monitored by the monitoring level 12. If independence between the monitoring and the monitored functions is to be demonstrated, for example in the form of a "freedom from interference" argument as required by the ISO 26262 standard, then it is advantageous to run the monitored functions, in this case the functions that do not belong to the computer program part of the monitoring level 12, on the independent second arithmetic unit 2. This spatial independence through the distribution to several arithmetic units 2, 3 is an additional argument, since the monitoring is performed by a different hardware element than the processing of the monitored functions.
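The flow chart just described (blocks 7, 9 and 10), together with the freedom-from-interference variant and the division into 5 ms / 10 ms time slices, can be written down as a small assignment routine. The C code below is an added example for this page, not the patent's own code; the table of program parts, their attributes, the placement rule for safety-relevant parts of levels 11 and 13, and the 5 ms base tick are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The three levels of the safety concept, numbered as in Figure 2 */
typedef enum { LEVEL_APPLICATION = 11, LEVEL_MONITORING = 12, LEVEL_SECURITY = 13 } level_t;

/* Where a computational program part is processed */
typedef enum {
    CORE_2_UNSECURED,   /* arithmetic unit 2, directly on the system bus, no safe mode */
    CORE_LOCKSTEP_3_4,  /* arithmetic units 3 and 4, seen by the software as one core */
    CORE_ANY            /* block 10: no fixed assignment */
} core_assignment_t;

typedef struct {
    const char *name;
    level_t     level;
    bool        safety_relevant;  /* e.g. the torque calculation of level 11 */
    bool        monitored;        /* monitored by the monitoring level 12 */
    uint16_t    period_ms;        /* time slice (5 ms, 10 ms, ...) the part runs in */
} program_part_t;

/* Assignment following the flow chart (blocks 7, 9, 10) and its extensions.
 * require_independence selects the freedom-from-interference variant, in which
 * monitored functions are forced onto the independent arithmetic unit 2. */
core_assignment_t assign_core(const program_part_t *p, bool require_independence)
{
    if (p->level == LEVEL_MONITORING)
        return CORE_LOCKSTEP_3_4;                                    /* block 9 */
    if (p->monitored)
        return require_independence ? CORE_2_UNSECURED : CORE_ANY;   /* block 10 */
    if (p->safety_relevant)
        return CORE_LOCKSTEP_3_4;   /* safety-relevant parts of level 11/13 on the safe unit (assumed rule) */
    return CORE_2_UNSECURED;        /* unmonitored and not safety-relevant */
}

/* Temporal view: does this part run in the time slice starting at tick_ms?
 * Assumes a fixed 5 ms base tick; periods are multiples of it. */
bool runs_in_slice(const program_part_t *p, uint32_t tick_ms)
{
    return p->period_ms != 0 && (tick_ms % p->period_ms) == 0;
}

/* Constructed table of program parts (assumption, not from the page) */
const program_part_t PARTS[] = {
    { "torque_calc",         LEVEL_APPLICATION, true,  true,  10  },
    { "idle_speed_ctrl",     LEVEL_APPLICATION, false, false, 10  },
    { "diagnostics_log",     LEVEL_APPLICATION, false, false, 100 },
    { "torque_monitor",      LEVEL_MONITORING,  true,  false, 10  },
    { "sensor_plausibility", LEVEL_MONITORING,  true,  false, 5   },
    { "monitor_self_test",   LEVEL_SECURITY,    true,  false, 100 },
};
#define PARTS_N (sizeof(PARTS) / sizeof(PARTS[0]))

/* Number of parts that land on a given core under the chosen variant */
size_t count_assigned(const program_part_t *parts, size_t n, bool require_independence,
                      core_assignment_t core)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (assign_core(&parts[i], require_independence) == core) count++;
    return count;
}

/* Number of parts scheduled on a given core in the slice starting at tick_ms */
size_t count_in_slice(const program_part_t *parts, size_t n, bool require_independence,
                      core_assignment_t core, uint32_t tick_ms)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (assign_core(&parts[i], require_independence) == core &&
            runs_in_slice(&parts[i], tick_ms))
            count++;
    return count;
}

int main(void)
{
    static const char *core_name[] = { "core 2", "lockstep 3/4", "any" };
    for (size_t i = 0; i < PARTS_N; i++)
        printf("%-20s level %d -> %s\n", PARTS[i].name, (int)PARTS[i].level,
               core_name[assign_core(&PARTS[i], true)]);
    return 0;
}
```

With the independence variant enabled, the monitored torque calculation lands on arithmetic unit 2 and the two monitoring functions plus the security-level self-test land on the lockstep pair, which is exactly the separation the "freedom from interference" argument relies on; with it disabled, the torque calculation falls into the "no fixed assignment" bucket of block 10.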
- A further possibility for expanding the considered method consists in the targeted additional use of a memory protection unit in the form of an MPU (Memory Protection Unit).
- A two-stage MPU, which can be realized via an additional safety MPU on the system bus 5 or on a slave side of the microprocessor 1, is used. If the security objects have their own memory area (for example in a flash, RAM or ROM) which only these security objects are allowed to access, then this memory limit can be enforced by programming the memory protection unit in the microprocessor 1. This can be improved even further by realizing it via the second layer of the MPU, the safety MPU.
- The independence between the monitoring and the monitored function can also be further improved if a monitoring periphery, for example in the form of special sensors, is connected directly to the arithmetic unit 3, so that these sensors are configured and read out or controlled by the arithmetic unit 3 without the arithmetic unit 2 having any influence on them.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Quality & Reliability (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Debugging And Monitoring (AREA)
- Combined Controls Of Internal Combustion Engines (AREA)
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| DE201210207215 DE102012207215A1 (de) | 2012-04-30 | 2012-04-30 | Method and device for monitoring functions of a computer system, preferably an engine control system of a motor vehicle |
| DE102012207215.2 | 2012-04-30 | | |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| WO2013164224A2 true WO2013164224A2 (fr) | 2013-11-07 |
| WO2013164224A3 WO2013164224A3 (fr) | 2013-12-27 |
Family
ID=48190954
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/EP2013/058382 Ceased WO2013164224A2 (fr) | 2012-04-30 | 2013-04-23 | Method and device for monitoring functions of a computer system, preferably an engine control system of a motor vehicle |
Country Status (2)
| Country | Link |
|---|---|
| DE (1) | DE102012207215A1 (fr) |
| WO (1) | WO2013164224A2 (fr) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105765541A (zh) * | 2013-12-03 | 2016-07-13 | 罗伯特·博世有限公司 | Control unit for a motor vehicle |
| FR3129005A1 (fr) | 2021-11-10 | 2023-05-12 | Vitesco Technologies | Method and device for monitoring and controlling a vehicle engine |
Families Citing this family (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR101721814B1 (ko) | 2013-06-26 | 2017-03-30 | 미쓰비시덴키 가부시키가이샤 | Remote unit and abnormality determination method for a remote unit |
| DE102014004004A1 (de) | 2014-03-20 | 2015-09-24 | Audi Ag | Control unit in a motor vehicle, motor vehicle and method for operating a control unit |
| DE102016214243A1 (de) | 2016-08-02 | 2018-02-08 | Zf Friedrichshafen Ag | Monitoring of a field-oriented control of an asynchronous machine |
| DE102016217762A1 (de) * | 2016-09-16 | 2018-04-12 | Continental Automotive Gmbh | Monitoring of safety-relevant functions by a non-safe arithmetic unit |
| DE102016223879A1 (de) | 2016-12-01 | 2018-06-07 | Zf Friedrichshafen Ag | Monitoring of a field-oriented control of an asynchronous machine |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| DE102005037230A1 (de) | 2005-08-08 | 2007-02-15 | Robert Bosch Gmbh | Method and device for monitoring functions of a computer system |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| DE102006048169A1 (de) * | 2006-10-10 | 2008-04-17 | Robert Bosch Gmbh | Method for monitoring the operability of a controller |
| US20090183035A1 (en) * | 2008-01-10 | 2009-07-16 | Butler Michael G | Processor including hybrid redundancy for logic error protection |
| DE102010042574B4 (de) * | 2010-10-18 | 2017-11-16 | Continental Automotive Gmbh | Method for operating a microcontroller for an automobile, and microcontroller |
- 2012-04-30 DE DE201210207215 (DE102012207215A1) not_active Withdrawn
- 2013-04-23 WO PCT/EP2013/058382 (WO2013164224A2) not_active Ceased
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| DE102005037230A1 (de) | 2005-08-08 | 2007-02-15 | Robert Bosch Gmbh | Method and device for monitoring functions of a computer system |
Cited By (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105765541A (zh) * | 2013-12-03 | 2016-07-13 | 罗伯特·博世有限公司 | Control unit for a motor vehicle |
| CN105765541B (zh) * | 2013-12-03 | 2018-12-14 | 罗伯特·博世有限公司 | Control unit for a motor vehicle |
| TWI651652B (zh) * | 2013-12-03 | 2019-02-21 | 羅伯特博斯奇股份有限公司 | Control device for a motor vehicle |
| FR3129005A1 (fr) | 2021-11-10 | 2023-05-12 | Vitesco Technologies | Method and device for monitoring and controlling a vehicle engine |
| WO2023083703A1 (fr) | 2021-11-10 | 2023-05-19 | Vitesco Technologies GmbH | Method and device for monitoring and controlling a vehicle engine |
| US20240375669A1 (en) * | 2021-11-10 | 2024-11-14 | Vitesco Technologies GmbH | Method and device for monitoring and controlling a vehicle engine |
| US12606183B2 (en) * | 2021-11-10 | 2026-04-21 | Vitesco Technologies GmbH | Method and device for monitoring and controlling a vehicle engine |
Also Published As
| Publication number | Publication date |
|---|---|
| WO2013164224A3 (fr) | 2013-12-27 |
| DE102012207215A1 (de) | 2013-10-31 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| EP2823430B1 (fr) | | Electronic control system |
| WO2013164224A2 (fr) | | Method and device for monitoring functions of a computer system, preferably an engine control system of a motor vehicle |
| EP2641176B1 (fr) | | Microprocessor system with a fault-tolerant architecture |
| DE102007045398A1 (de) | | Integrated microprocessor system for safety-critical control |
| DE10223880A1 (de) | | Method for mutual monitoring of components of a decentrally distributed computer system |
| EP2099667B1 (fr) | | Method for ensuring or maintaining the function of a complex, safety-critical overall system |
| DE102018212879A1 (de) | | Control device and control method |
| EP4359933A1 (fr) | | Control device and assistance system for a vehicle |
| WO2002074596A1 (fr) | | Method for booting a component of a distributed safety system |
| WO2014056794A1 (fr) | | Method for controlling a separated execution of linked program blocks, and control unit |
| DE102015202326A1 (de) | | Method for operating a data processing unit of a driver assistance system, and data processing unit |
| DE102013214398A1 (de) | | Monitoring of redundant components |
| DE102013021231A1 (de) | | Method for operating an assistance system of a vehicle, and vehicle control unit |
| EP3341843B1 (fr) | | Method and device for monitoring a state of an electronic control unit of a vehicle |
| DE102008004206A1 (de) | | Arrangement and method for fault detection and handling in a control unit in a motor vehicle |
| DE102013221098B4 (de) | | Vehicle control unit |
| DE102019218074B4 (de) | | Control of a driver assistance system of a motor vehicle |
| DE102021208459B4 (de) | | Method for authentic data transmission between control units of a vehicle, arrangement with control units, computer program and vehicle |
| EP3893113B1 (fr) | | Monitoring of a component of a control system for a means of transport |
| DE102013202961A1 (de) | | Method for monitoring a stack memory in an operating system of a control unit of a motor vehicle |
| WO2008128710A1 (fr) | | Control device for vehicles |
| DE102017219195A1 (de) | | Method for ensuring the operation of a computer |
| WO2009077271A1 (fr) | | Method for identifying the mutual influence of software components |
| DE10233879B4 (de) | | Method for controlling and monitoring a safety-critical installation, in particular a traffic signal installation, and device for carrying out the method |
| DE112018002612T5 (de) | | Vehicle control device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 13719078; Country of ref document: EP; Kind code of ref document: A2 |
| | 122 | Ep: pct app. not ent. europ. phase | Ref document number: 13719078; Country of ref document: EP; Kind code of ref document: A2 |