E-gas Monitoring Concept - 3 level monitoring concept

Introduction

This is the core concept of EGAS monitoring concept: 3-level monitoring concept.
Quite old, but still useful. They are confine this concept to  drive by wire systems for gasoline and diesel engines, nevertheless, it is tremendous monitoring reference for all kinds of ECUs.

System overview

You need to know this before read this post: the black letter is from EGAS monitoring concept document

Level 1

It is referred to as the functional level.

Level 1 contains the engine control functions, i.a. implementation of the requested engine torque, component monitoring, input/output variable diagnostic and to control the system reactions if a fault shall be detected.

As you know, diagnostic function in hardware level and in software level are included. OBDs also are included in this level.

Level 2

It is referred to as function monitoring level

Level 2 detects the defective process of level 1 functional software, e.g., by monitoring the calculated torque values or the vehicle acceleration. In case of fault, system reactions are triggered.

When I work , many persons have misunderstood of this level. Level 2 monitoring gets same input with level 1 and calculate another way differ from level 1 way. And level 2 monitoring receives level 1 result, and then compare between two values. This is not back up, but many people think level 2 monitoring is a backup function. This is why you must let software engineers know level 1 functions. Or, you can't implement level 2 monitoring.   

Level 3

It is designated controller monitoring level
The monitoring module shall be an independent part of the function controller, which tests the correctly executed program during the question-answer process.


This concept also can be misunderstood. level 3 monitoring contain external monitoring module and memory test level 2. Test section will be in MCU, only monitor module is out of MCU. Pay attention to diagram.


Level 2 and level 3 can shutdown actuators if they detect fatal failure(look "Enable" up)
With lockstep core, you will reduce main core's task load. I am using the system that MCU is AURIX TC2xx made by Infineon.

Reference

As you read previous topics, General part 2, you might guess the 3 level monitoring concept. So I am posting 3 level monitoring concept in detail. most information is from

Standardized E-GAS monitoring concept for gasoline and diesel engine control units 

If you want to read original document, googling this document, please.

Also, feel free to fix my misunderstood and wrong

Thank you.