CN111007713A - Heterogeneous redundant vehicle control unit conforming to functional safety - Google Patents
Heterogeneous redundant vehicle control unit conforming to functional safety Download PDFInfo
- Publication number
- CN111007713A CN111007713A CN201910619027.1A CN201910619027A CN111007713A CN 111007713 A CN111007713 A CN 111007713A CN 201910619027 A CN201910619027 A CN 201910619027A CN 111007713 A CN111007713 A CN 111007713A
- Authority
- CN
- China
- Prior art keywords
- vehicle
- power
- voltage
- signal
- control unit
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 claims abstract description 61
- 238000013461 design Methods 0.000 claims abstract description 46
- 230000008569 process Effects 0.000 claims abstract description 40
- 238000005516 engineering process Methods 0.000 claims abstract description 21
- 230000002829 reductive effect Effects 0.000 claims abstract description 5
- 238000013459 approach Methods 0.000 claims abstract 2
- 238000000053 physical method Methods 0.000 claims abstract 2
- 230000006870 function Effects 0.000 claims description 57
- 238000012545 processing Methods 0.000 claims description 38
- 238000004891 communication Methods 0.000 claims description 27
- 238000011217 control strategy Methods 0.000 claims description 24
- 238000003745 diagnosis Methods 0.000 claims description 21
- 238000012360 testing method Methods 0.000 claims description 20
- 238000011161 development Methods 0.000 claims description 18
- 239000000306 component Substances 0.000 claims description 9
- 238000003860 storage Methods 0.000 claims description 8
- 230000000670 limiting effect Effects 0.000 claims description 6
- 238000012795 verification Methods 0.000 claims description 6
- 238000004364 calculation method Methods 0.000 claims description 5
- 238000009826 distribution Methods 0.000 claims description 4
- 238000011084 recovery Methods 0.000 claims description 4
- 238000005096 rolling process Methods 0.000 claims description 4
- 238000004458 analytical method Methods 0.000 claims description 3
- 206010010144 Completed suicide Diseases 0.000 claims description 2
- 230000001133 acceleration Effects 0.000 claims description 2
- 239000008358 core component Substances 0.000 claims description 2
- 230000000994 depressogenic effect Effects 0.000 claims description 2
- 230000002452 interceptive effect Effects 0.000 claims description 2
- 238000012502 risk assessment Methods 0.000 claims description 2
- 238000004573 interface analysis Methods 0.000 claims 1
- 230000009347 mechanical transmission Effects 0.000 claims 1
- 238000005457 optimization Methods 0.000 claims 1
- 239000003990 capacitor Substances 0.000 description 28
- 239000000047 product Substances 0.000 description 26
- 238000012544 monitoring process Methods 0.000 description 14
- 238000001514 detection method Methods 0.000 description 12
- 238000010586 diagram Methods 0.000 description 10
- 230000007246 mechanism Effects 0.000 description 9
- 238000001914 filtration Methods 0.000 description 8
- 238000004146 energy storage Methods 0.000 description 5
- 238000004519 manufacturing process Methods 0.000 description 5
- 239000003381 stabilizer Substances 0.000 description 5
- 230000008859 change Effects 0.000 description 4
- 230000001360 synchronised effect Effects 0.000 description 4
- 238000006243 chemical reaction Methods 0.000 description 3
- 238000007667 floating Methods 0.000 description 3
- 230000010354 integration Effects 0.000 description 3
- 230000002093 peripheral effect Effects 0.000 description 3
- 230000002265 prevention Effects 0.000 description 3
- 230000002441 reversible effect Effects 0.000 description 3
- 230000001052 transient effect Effects 0.000 description 3
- 239000011324 bead Substances 0.000 description 2
- 230000006399 behavior Effects 0.000 description 2
- 230000033228 biological regulation Effects 0.000 description 2
- 230000005540 biological transmission Effects 0.000 description 2
- 230000009977 dual effect Effects 0.000 description 2
- 230000000694 effects Effects 0.000 description 2
- 238000011156 evaluation Methods 0.000 description 2
- 230000000737 periodic effect Effects 0.000 description 2
- 238000011160 research Methods 0.000 description 2
- 238000012827 research and development Methods 0.000 description 2
- 238000004092 self-diagnosis Methods 0.000 description 2
- HEZMWWAKWCSUCB-PHDIDXHHSA-N (3R,4R)-3,4-dihydroxycyclohexa-1,5-diene-1-carboxylic acid Chemical compound O[C@@H]1C=CC(C(O)=O)=C[C@H]1O HEZMWWAKWCSUCB-PHDIDXHHSA-N 0.000 description 1
- 244000186140 Asperula odorata Species 0.000 description 1
- 102100024452 DNA-directed RNA polymerase III subunit RPC1 Human genes 0.000 description 1
- 235000008526 Galium odoratum Nutrition 0.000 description 1
- 101000689002 Homo sapiens DNA-directed RNA polymerase III subunit RPC1 Proteins 0.000 description 1
- 230000002159 abnormal effect Effects 0.000 description 1
- 230000004888 barrier function Effects 0.000 description 1
- 230000015556 catabolic process Effects 0.000 description 1
- 230000001143 conditioned effect Effects 0.000 description 1
- 230000003750 conditioning effect Effects 0.000 description 1
- 230000009193 crawling Effects 0.000 description 1
- 239000013078 crystal Substances 0.000 description 1
- 238000006731 degradation reaction Methods 0.000 description 1
- 230000003111 delayed effect Effects 0.000 description 1
- 230000005611 electricity Effects 0.000 description 1
- 230000005669 field effect Effects 0.000 description 1
- 230000004927 fusion Effects 0.000 description 1
- 230000005484 gravity Effects 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 238000002955 isolation Methods 0.000 description 1
- PWPJGUXAGUPAHP-UHFFFAOYSA-N lufenuron Chemical compound C1=C(Cl)C(OC(F)(F)C(C(F)(F)F)F)=CC(Cl)=C1NC(=O)NC(=O)C1=C(F)C=CC=C1F PWPJGUXAGUPAHP-UHFFFAOYSA-N 0.000 description 1
- 230000036961 partial effect Effects 0.000 description 1
- 238000011056 performance test Methods 0.000 description 1
- 239000012466 permeate Substances 0.000 description 1
- 238000003825 pressing Methods 0.000 description 1
- 238000004904 shortening Methods 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 230000001629 suppression Effects 0.000 description 1
- 230000009897 systematic effect Effects 0.000 description 1
- 238000003466 welding Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B9/00—Safety arrangements
- G05B9/02—Safety arrangements electric
- G05B9/03—Safety arrangements electric with multiple-channel loop, i.e. redundant control systems
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B19/00—Programme-control systems
- G05B19/02—Programme-control systems electric
- G05B19/04—Programme control other than numerical control, i.e. in sequence controllers or logic controllers
- G05B19/042—Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B19/00—Programme-control systems
- G05B19/02—Programme-control systems electric
- G05B19/04—Programme control other than numerical control, i.e. in sequence controllers or logic controllers
- G05B19/042—Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
- G05B19/0421—Multiprocessor system
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B19/00—Programme-control systems
- G05B19/02—Programme-control systems electric
- G05B19/04—Programme control other than numerical control, i.e. in sequence controllers or logic controllers
- G05B19/042—Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
- G05B19/0428—Safety, monitoring
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B2219/00—Program-control systems
- G05B2219/20—Pc systems
- G05B2219/22—Pc multi processor system
- G05B2219/2231—Master slave
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B2219/00—Program-control systems
- G05B2219/20—Pc systems
- G05B2219/24—Pc safety
- G05B2219/24015—Monitoring
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B2219/00—Program-control systems
- G05B2219/20—Pc systems
- G05B2219/24—Pc safety
- G05B2219/24054—Self diagnostic
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B2219/00—Program-control systems
- G05B2219/20—Pc systems
- G05B2219/25—Pc structure of the system
- G05B2219/25252—Microprocessor
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B2219/00—Program-control systems
- G05B2219/20—Pc systems
- G05B2219/25—Pc structure of the system
- G05B2219/25257—Microcontroller
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B2219/00—Program-control systems
- G05B2219/20—Pc systems
- G05B2219/26—Pc applications
- G05B2219/2637—Vehicle, car, auto, wheelchair
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02P—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
- Y02P90/00—Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
- Y02P90/02—Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]
Abstract
The invention relates to a heterogeneous redundant vehicle control unit which accords with functional safety and is based on a heterogeneous redundancy design technology; in order to reduce the common cause failure problem among multiple channels in a redundant structure, a heterogeneous design idea is adopted, and the physical independence and the design diversity of different channels are ensured as much as possible; the diversity design technology requires that a required function is realized by different methods, and different physical methods or different design approaches can be adopted; the heterogeneous redundancy design technology can ensure that the whole system has higher reliability as long as one subsystem runs reliably, the subsystem with high reliability can be intelligently selected to process tasks when the system runs safely, when the reliability of a certain subsystem is reduced sharply, the reliability of the whole system is not changed greatly, and the reliability of the system has certain stability.
Description
Technical Field
The invention relates to the technical field of new energy automobiles, in particular to a heterogeneous redundant whole vehicle controller which accords with functional safety.
Background
The software architecture of the whole vehicle controller tends to be standardized, and the cooperation among the whole vehicle plants is continuously deepened, so that the unified standard is established for the whole architecture of the whole vehicle controller. The architecture of the AUTOSAR automobile development system is developed on the background, the unified standard is convenient for engineering personnel to shorten the development time, the compatibility and reliability of the software of each company are improved, and the industry barrier is broken.
Disclosure of Invention
The invention aims to develop a heterogeneous redundant vehicle control unit which meets the functional safety, and a vehicle control unit product which meets the functional safety requirement and is platform-based. The development process of the vehicle controller follows an ISO26262 development process, a double-V-shaped process is realized on hardware and software, the hardware architecture meets the requirements of ASIL-D, and the software passes links such as module testing, system testing, hardware-in-the-loop testing and the like, so that the occurrence of logic faults and failure faults of products after mass production is avoided.
In order to achieve the purpose, the invention adopts the technical scheme that:
compared with the prior art, the invention has the advantages that:
(1) the functional safety requirement is met;
functional safety is generally adopted as a method for systematic design, evaluation and safety verification, and permeates the automobile industry from important industrial fields such as nuclear power, petrochemical industry and the like. Colloquially, first, functional safety products are highly reliable. Secondly, even if the product fails, the product is required to be degraded to operate, safely shut down and stop on the premise of ensuring that equipment, vehicles and people do not have serious damage.
(2) A graphical programming method;
generally, the whole vehicle designers do not understand computer programming language, the detail of the algorithm at statement level is not the key point of interest, and the designers hope to put the center of gravity of the design on the research and test of the high-level algorithm. The graphical programming method can enable a designer of the whole vehicle to program and debug on a computer like drawing, and the debugged program is downloaded to hardware of the whole vehicle controller to be executed.
(3) Platform development;
the graphical programming needs a corresponding software tool to ensure the programming and debugging of the program, the generation and downloading of the computer executable code, and simultaneously needs a corresponding basic primitive library, a corresponding functional module library and a corresponding typical algorithm library to support, and also needs to enable a user to develop a high-level algorithm to enrich the algorithm library. The functions are converged together to form a platform development environment.
(4) In order to ensure the reliability of the vehicle control unit system, an effective heterogeneous redundant fault-tolerant control technology needs to be adopted,
the method mainly solves the problems of failure analysis and safety evaluation of the heterogeneous redundant system of the vehicle controller system.
With the increasing and sophisticated nature of automotive electronic systems, software and mechatronic applications are increasing, and the risks from system failures and random hardware failures are increasing. According to the advanced hardware technology at home and abroad, the design technology and the manufacturing process are greatly improved compared with the prior art, compared with software, the hardware detection technology is mature, and the probability of hardware design errors is very low. Therefore, the main purpose of adopting hardware is to effectively prevent the problems caused by transient or accidental faults. A software fault is a deviation of a value or condition calculated, observed, measured, or otherwise calculated, by the software or a portion of the software, from an actual, specified, or theoretical value or condition. Without taking heterogeneous redundancy into account, a software failure can result in a failure, i.e., a loss of the functional unit's ability to perform its function.
(5) The invention adopts a task-level synchronization technology of system call to carry out double-MCU synchronization work, realizes heterogeneous redundant fault-tolerant control technology of hardware and software of the vehicle controller under the environment with high safety requirement, and realizes the safe operation of the vehicle controller.
(6) The method can realize detection failure, diagnosis results and error reporting based on a self-test program of the system, realize safety processing under dangerous conditions, and complete unit self-diagnosis technology of each component of the heterogeneous redundant whole vehicle controller.
(7) Each task module in the vehicle controller system is executed according to given scheduling time, execution sequence and the like, the control is realized by a task scheduling technology, and management software of the whole system is realized by adopting the same algorithm. The system adopts the realization of double-MCU fault tolerance, which is based on the synchronization of double MCUs. If the double MCUs cannot be well synchronized and respectively process respective tasks, the double-computer fault tolerance under the mode has no difference from the single-computer fault tolerance. Therefore, in the control processes of coordinately finishing judgment of the multi-module fault-tolerant system, isolation of fault modules, degradation and the like, the synchronization technology is the core of the whole vehicle controller system. The invention adopts task-level synchronization to make the double MCUs execute the same algorithm, and carries out synchronous comparison when the calculation is completed. The fault detection of the system is monitored by adopting a cross comparison method. And when the double MCUs are inconsistent, starting respective self-test programs to perform autonomous fault detection. Stopping cross comparison when the self-test program can locate the fault, shielding the output of the fault MCU by the system, and switching the output to the MCU which normally works; when the self-test program fails to locate the fault, the last output is maintained or switched to a safe output.
Drawings
Fig. 1 is a diagram of a vehicle control unit system software architecture according to the present invention.
Fig. 2 is a hardware block diagram of the vehicle control unit according to the present invention.
Fig. 3 is a diagram of a dual MCU work machine.
Fig. 4 is a block diagram of the operation of the power supply unit.
Fig. 5 is a schematic diagram of a power supply circuit for an external sensor.
Fig. 6 is a schematic diagram of a frequency signal input circuit.
Fig. 7 is a circuit diagram of a frequency output.
Fig. 8 stores a processing unit circuit diagram.
Detailed Description
The invention is further described below with reference to the accompanying figures 1 to 8 of the specification.
A heterogeneous redundant vehicle control unit conforming to functional safety is used for managing a whole power system and coordinating the work of a BMS, a motor controller, an AMT and other parts; determining the on and off of the high-voltage contactor; the whole vehicle controller is used as a core control module of the power system, and the control of the whole vehicle mainly realizes the control of torque; the actions of starting, stopping, accelerating, decelerating, advancing, retreating and the like are realized through torque control. The vehicle controller needs to calculate the torque required by the vehicle and control the vehicle to run according to the current state and efficiency of the parts. The software of the vehicle control unit can distribute a multi-energy management strategy and an auxiliary function module according to the functional division. The multi-energy management strategy comprises a whole vehicle required torque calculation part, a mode scheduling part, a torque distribution part and the like, and is a core part of software. The auxiliary function module comprises a signal processing and driving module, a communication and calibration module, a fault diagnosis module, a high-voltage safety management module, a startup and shutdown module and the like.
Low-voltage power management, including power-on strategies, power-off strategies, low-voltage power supply diagnosis, charging management and the like of each controller;
high-voltage power management, including fault diagnosis, power-on management and power-off management of a high-voltage power system on the whole vehicle level, and a whole vehicle safety control strategy (such as high-voltage power safety and high-voltage part safety in the driving process) of the high-voltage power system;
the fault diagnosis and failure control strategy combined with hardware self-diagnosis forms a complete fault diagnosis system through independent diagnosis and interactive diagnosis of information of each sensor, thereby preventing the damage of parts and simultaneously preventing the driving safety problem caused by faults;
the driving force and dynamic coordination control strategy calculates the driving force demand in real time according to the driving information and meets the driving force demand of the vehicle under the steady and dynamic working conditions;
and the energy management and SOC balance control strategy realizes the functions of braking energy recovery and the like.
The system integrates the whole vehicle control functions, such as vehicle awakening, driving control and braking control, vehicle cruise control, vehicle acceleration and deceleration control, vehicle overspeed limitation and the like;
and a calibration strategy is adopted, a CCP protocol is designed, the dynamic calibration of the whole vehicle is realized, the operating parameters of the controller and the operating parameters of each part of the vehicle and the power system are provided, and the aim of efficiently and accurately optimizing the system is fulfilled.
The system software design of the vehicle control unit comprises a bottom layer interface design, an algorithm design and a communication interface design (CAN bus). Designing a task scheduling model, and dividing the functions of the gearbox controller into a time task scheduling module, a CAN receiving module, a10 millisecond period task, a 20 millisecond period task, a 50 millisecond period task, a 100 millisecond period task, a1 second period task, a CAN message communication interface variable name, a software functional module framework and interface variables among all software modules. And the task scheduling module comprises a control strategy of the whole vehicle. The method comprises the following steps: the method comprises the steps of a whole vehicle power-on and power-off process, gear control, a charging process, a gear shifting strategy, a vehicle driving control strategy and the like. Namely, the overall task scheduling module of the vehicle control unit based on MATLAB modular design.
(1) Power-on process of vehicle control unit
After the Key door is screwed to Key On, the power supply management chip of the whole vehicle controller is waken up by the On power supply, and then the main chip is waken up
Chip and other ICs, and the whole vehicle controller performs power-on self-test;
after initialization and self-checking are finished, reporting to other devices of the whole vehicle controller through a CAN bus, and carrying out power-on self-checking on controllers such as a BMS (battery management system), an MCU (microprogrammed control unit) and the like;
after the Key door is screwed to Key Start for 1 second, and no 2 stages exist between no charging interlock signal and BMS and MCU
And under the condition of upper fault, the vehicle control unit enters a waiting high-voltage state, the vehicle control unit sends a BMS high-voltage power-on command, the BMS closes the total negative and pre-charging relay, the BMS state is completed by detecting the pre-charging process within the specified time, then the total positive relay is closed, and the pre-charging relay is disconnected.
(2) Current range of vehicle control unit
After the Key door is closed by Key On, the vehicle control unit changes the output torque of the driving motor into 0Nm, and the vehicle control unit sends a BMS high-voltage power-down command;
after the BMS detects the power-off command, the BMS enters a power-off state, and a total positive relay and a total negative relay are disconnected to complete a power-off high-voltage process;
after the high-voltage power-down process is finished, the vehicle control unit cuts off the main relay, and the BMS and other controllers enter the low-voltage power-down process;
then, after delaying for 10s, the vehicle controller performs suicide power-off through an internal power management chip;
if the Key door is screwed to Key On in the low-voltage and delay waiting process, the vehicle controller considers that the driver expects to reenter the power-On mode, and the vehicle controller is matched with the BMS and the Inverter to complete the power-On process.
(3) IO volume input interface module
Carrying out anti-shake processing on the digital signal to filter out noise in the signal;
when the digital signal has instantaneous faults, determining whether the signal has problems through multiple judgments, and after the digital signal faults are confirmed, processing the faults after the digital signal values after anti-shake processing are equal to default values;
the digital input signal should have a calibratable rewrite function for subsequent test verification.
(4) CAN signal input interface module
Whether each frame of the received CAN message is valid or not and whether the frame is overtime or not needs to be judged, whether the frame contains a checksum or a rolling counter or not needs to be detected, and whether the checksum and the rolling counter are correct or not needs to be detected;
converting a raw value (raw value) of a signal into an engineering quantity with actual physical significance;
the CAN input signal needs anti-shake processing, and when the CAN input signal has instantaneous faults, whether the signal has problems is determined through multiple judgments; when the CAN input signal fault is confirmed, the CAN input signal value after anti-shake processing is equal to a default value, and then the fault is processed;
the CAN input signal has the function of calibration rewriting so as to facilitate the subsequent test verification.
(5) Accelerator pedal signal processing module
The whole vehicle adopts an electronic accelerator pedal assembly. In order to prevent the interference of power supply fluctuation, two independent power supplies are needed for supplying power.
The power supply voltage of an accelerator pedal is 5V, and the feedback voltage and the pedal angle are in a direct proportion relation according to the feedback voltage of two paths of accelerator pedal signals collected by the vehicle controller;
when the accelerator pedal feedback voltage 1 is below 0.75V or above 3.84V, the pedal signal is considered invalid;
when the accelerator pedal feedback voltage 2 is below 0.35V or above 1.92V, the pedal signal is considered invalid;
after multiplying the accelerator pedal feedback voltage 2 by 2, carrying out safety check on the accelerator pedal feedback voltage 1, and if the difference value is greater than a preset value, considering that the pedal signal is invalid;
in the D gear or the R gear, when a driver steps on an accelerator pedal, the vehicle control unit enables the motor to enter a torque control mode, and the torque output linearly changes along with the stepping on of the pedal.
(6) Brake pedal signal processing module
The whole vehicle adopts an electronic brake pedal assembly. The brake pedal signal is an analog signal output by 0.5-4.5V.
The voltage of a signal acquired by a brake pedal is too low to exceed 3s (<0.1V), a three-level fault analog quantity brake signal is reported to be too low, the output torque of the whole vehicle is set to be 0, and the vehicle is stopped at a high voltage continuously; when the voltage of a signal acquired by the brake pedal is over 3s (>4.8V), a first-stage fault is reported, and the value of the brake pedal is over high;
the brake pedal value is too low, and the brake depth is 0; the brake pedal value is too high, and the brake depth is 100%.
The depth of the brake pedal is calibrated according to the voltage-depth characteristic curve of the brake pedal.
If the time that the accelerator and the brake have signals simultaneously is more than 1s, the first-level fault is reported that the brake pedal and the accelerator pedal have signals simultaneously, but the calculation of the pedal depth is not influenced.
The effective initial value of the braking signal is set to 0.88V by the vehicle control unit
(7) Shift logic control strategy module
The gear signal is judged through a digital input port of a VCU connector;
all three RND gears are digital input low-effective, the judgment is carried out by adopting a truth table, and other states except D, R gears are N gears through permutation and combination;
under the R gear, the working rotating speed of the motor is reversed, so that the reversing light can be driven;
in the N gear, slowly changing the target torque of the motor to 0 Nm;
and under the D gear, the working rotating speed of the motor is made to be positive rotation.
(8) Vehicle drive control strategy module
Under the condition of a D gear or an R gear, a driver steps on an accelerator, and then the vehicle enters a vehicle driving mode;
in the drive mode, the torque output is achieved primarily by a look-up table,
under different pedal depths, the torque output is different, and a user can realize different driving feelings by adjusting the torque MAP;
the whole vehicle energy management is also realized by optimally distributing the power or torque output of high-voltage components such as a main driving motor, a battery and the like in a vehicle driving mode according to the information of BMS SOP on the premise of meeting the driving requirement to realize the optimal management of energy, and when the total current of a battery pack is greater than a specified value in the SOP, limiting the torque output;
in the case where the brake pedal and the accelerator pedal are simultaneously depressed, the torque calculated by the brake pedal is preferentially executed.
The application of the electric automobile control system is the inevitable trend of high and new technology development in the automobile industry at present, and four main control units of the electric automobile control system are an electric automobile whole control system, a motor control system, a charger control system and a battery management system. The whole electric vehicle control system is composed of a whole vehicle controller, a communication system, a part controller and a driver operation system, and has the main function of selecting a working mode and an energy distribution proportion which are optimized as far as possible on the premise of ensuring safety and dynamic property according to the operation of a driver and the current working conditions of the whole vehicle and parts so as to achieve the best economy, dynamic property and reliability.
The vehicle control unit mainly aims at the matched vehicle types of pure electric vehicles and hybrid vehicles, is used as a main control unit of the whole vehicle to coordinate the work of each sub-controller, functionally realizes the function of the new energy vehicle control unit, has the expansibility of later re-research and development, meets the hardware requirements of EMS and TCU, has sufficient interfaces as a platform product, and is convenient for users to re-develop other types of products. The method takes improvement of the safety level of the whole vehicle controller as a design target, carries out hazard analysis and risk assessment on the hardware design of the whole vehicle controller, and adds a heterogeneous redundant double controller with fault detection and fault redundancy functions through the design of a corresponding safety mechanism; and the software part realizes the functions of fault detection and fault redundancy of the double controllers, and tests show that the double microcontrollers can realize mutual fault monitoring and can replace one microcontroller to work under the condition that the other microcontroller fails. The design of the heterogeneous redundant system enables the vehicle control unit to meet the ASIL grade requirement specified in ISO26262, which is of great significance for improving the functional safety grade of the vehicle control unit.
The functional block diagram of the vehicle control unit system is shown in fig. 2.
The vehicle controller is a core component of a vehicle control system of the electric vehicle, collects signals of a motor control system, signals of an accelerator pedal, signals of a brake pedal and other component signals, comprehensively analyzes and makes corresponding judgment according to driving intention of a driver, and then monitors the work of each unit of the vehicle. In the hardware design, the vehicle control unit is based on modularization as a design concept and mainly comprises a microcontroller unit, an advanced power management unit, an input signal processing unit, an output signal processing unit, a communication processing unit, a storage management power supply and a fault processing unit.
(1) Microcontroller unit
The microcontroller is a core device of the vehicle controller and is responsible for collecting and processing vehicle data and performing logical operation of the system, so as to improve the safety of the vehicle controller. The core of safety design in the vehicle control unit system lies in heterogeneous redundancy technology. The invention is realized by adopting a heterogeneous redundant dual-processor architecture with higher diagnosis coverage rate and increasing the number of functional circuits, and the overall redundancy reaches more than 60 percent.
AURIX with British flying adopted as main control microcontrollerTMThe TC275 tri-core processor. AURIXTMThe multi-core architecture is developed and designed by adopting the process certified by ISO26262, and can efficiently meet the requirements of ASIL-D level application. Abundant communication interfaces such as CAN, SPI, LIN, CAN _ FD, Flexray and Ethernet CAN meet the requirements of the communication interfaces of the automobile power assembly system in the next 10 years. The power management adopts an integrated safety solution, conforms to the design standard of ISO26262 ASIL-D, and has the functions of 1.3V, 3.3V and 5V voltage regulators. The power supply unit stabilizes the 24V voltage of the external storage battery to 5V or 3.3V and supplies power to the single chip microcomputer. Besides, the system also comprises a crystal oscillator, a debugging interface, a basic configuration pin and the like. A CAN bus transceiving function, a voltage monitoring function and an off-chip watchdog function; the scheme of double watchdog inside and outside the chip guarantees the safety of software and hardware systems to the maximum extent, and the integrated safe power management chip reduces the number of components on the PCB, reduces the complexity of the system and improves the reliability of the product.
The TC275 has interleaved voltage monitoring mechanisms with a primary and a redundant secondary monitor on each power rail. The start-up power supply is tested each time the power supply is slowly ramped up. When the basic elements of bandgap and internal clock are running, bandgap BI ST, internal clock check and power supply test are needed. If the test is successful, EVR13 and EVR33 are enabled, configured via SMU pins. When power failure occurs and the lowest operation threshold value cannot be reached, the main monitoring ensures that the micro controller can enter a cold power-on reset state. The brown-out main monitor is applicable to the VEXT power supply, the 3.3V VDDP3 power supply rail and the 1.3V VDD power supply rail. Additional comparators are also used to monitor the VEXT and VEVRSB power rails to ensure proper standby mode function execution. Once the SMU is alarmed by overvoltage and undervoltage, the function of the auxiliary monitor is equivalent to safety monitoring. The auxiliary monitoring ensures that each time the embedded regulator output or power rail is monitored by an independent monitoring mechanism through a minimum common cause failure. The auxiliary brown-out monitoring monitors the external VEXT power supply, the 3.3V VDDP3 power supply rail, and the 1.3V VDD power supply rail. The auxiliary overvoltage monitor monitors the external VEXT power supply, the 3.3V VDDP3 power supply rail, and the 1.3VVDD power supply rail. When the external power supply is supplied, the EVR power supply is higher than the lowest main reset threshold value, and the PROST cold reset state is released. The firmware begins to execute and the user software configures and activates the over-voltage and under-voltage auxiliary monitors.
The auxiliary MCU uses a low-cost MCU, and adopts a 16-bit MC9S12 series singlechip of NXP. The chip is widely used in automobiles and aeromodelling and has strong anti-electromagnetic interference capability; from the viewpoint of chip resources, the running requirement of a simple electric vehicle CAN be met, the internal memory is 384KB, the dominant frequency is 50Mhz at most, the CAN, the SPI, the I2C and the SCI communication interfaces are complete, the chip belongs to an ultrahigh-reliability automobile-grade chip, and the chip CAN run under severe conditions.
Under normal conditions, a 32-bit main core of the main microcontroller TC275 collects an input signal of the whole vehicle and outputs a corresponding control instruction to a controlled mechanism according to a control logic strategy to control the running of the whole vehicle; a whole vehicle control strategy with 32-bit slave core running and main core running in parallel realizes the safe redundant design of system hardware and software; the 8-bit kernel is responsible for task arbitration and fault detection of the system.
The task arbitration mainly monitors data, and the monitoring of the 8-bit kernel to the master kernel and the slave kernel in the system is mainly embodied in the following aspects: monitoring a periodic self-checking signal; detecting the signal relative to the change gradient of the last period; and detecting the difference value of the master kernel signal and the slave kernel signal. In most cases, the fault signature of the core was compared to Min county. The periodic self-checking signal is an important index for normal operation of the kernel, and the normal state of the heartbeat indicates the integrity of the system software function. For most signals, there is also a clear upper limit requirement for the instantaneous signal change gradient, and if there is an excess, it is clear that the group of data errors is present. Under the normal state of self-checking, synchronization and gradient change, if the difference value of the transmission signals is within the range of the allowed threshold value, the main kernel and the slave kernel are considered to work normally; if the signal difference exceeds the threshold value, starting an alarm, setting a state feedback signal as a fault, enabling the system to enter a preset safe mode state, and simultaneously operating a data validity arbitration program; if the channel is in permanent failure, setting the state feedback signal as a single kernel, and indicating the system to enter a single kernel operation mode.
And fault detection is monitored by adopting a cross comparison method. And when the master core and the kernel are inconsistent, starting respective self-test programs to carry out self-contained fault detection. Stopping cross comparison when the self-test program can locate a fault, shielding the output of the fault kernel by the system, and switching the output to the kernel which normally works; when the self-test program fails to locate the fault, the last output is maintained or switched to a safe output.
System monitoring and fault detection between the dual MCUs are also achieved by the 8-bit core of the main microcontroller. The monitoring between the two MCUs is mainly embodied as the following aspects: under the normal operating mode, supplementary microcontroller MC9S12X is mainly responsible for the operating condition who monitors main control unit, do not participate in any external control work, the operating condition of auxiliary control unit through "heartbeat" signal monitoring main microcontroller, main microcontroller and auxiliary control unit communicate based on the CAN bus of SAEJ1939 agreement, be responsible for the signal collection and carry out data processing by main microcontroller, then export corresponding control command to the controlled mechanism according to the control logic strategy, accomplish the function of vehicle control unit, guarantee vehicle control unit safe and reliable' S operation. The software design of the auxiliary microcontroller is the same as that of the main controller in the heterogeneous redundancy working mode, and the auxiliary microcontroller is in a double-MCU synchronous state. When the main microcontroller fails, the auxiliary microcontroller replaces the main microcontroller to work, and the auxiliary microcontroller analyzes the operation intention of the driver by receiving various input signals and CAN bus signals so as to continuously complete the control function of the whole vehicle.
The specific operating conditions were analyzed as follows: under the condition that the main microcontroller breaks down, the auxiliary microcontroller continues to collect key signals such as an accelerator pedal, a brake pedal, gears, a collision switch and the like, under the condition that the safety of the vehicle is ensured, a CAN transmitting and receiving bus of the main microcontroller is closed to carry out communication with each node of a finished vehicle CAN network under the safety state, the main microcontroller is replaced to control the normal operation of a fan, a high-pressure air pump, an oil pump and other relays, and finally the basic safe running function of the vehicle under the fault state is ensured. On the contrary, when the auxiliary microcontroller fails, the main microcontroller can perform fault monitoring and fault redundancy processing through the internal 8-bit kernel, and finally complete system data processing and control instruction output, thereby ensuring safe and reliable operation of the whole vehicle.
(2) The advanced power management unit: a proper power supply is provided for the singlechip module, the input module, the output module and the communication module;
the number of electronic control units in the automobile is large, and the whole automobile is in a complex electronic environment. The environment in which the automobile runs is very strict on the body control unit. The circuit of the 24V power supply system is required to work normally in a voltage range of 9-32V. But also the requirements of satisfying electrical performance tests including overvoltage, slow drop and slow rise of supply voltage, reverse voltage, transient change of supply voltage and the like; meanwhile, the vehicle controller is the most sensitive device on the vehicle which is most likely to receive electromagnetic interference, so the electromagnetic interference problem is an important index for considering the performance of the vehicle controller. For a finished automobile control unit, low power consumption is an important performance index for measuring a finished automobile controller. The power supply part circuit designed by the invention meets the requirements of the whole vehicle controller on low power consumption and electromagnetic interference resistance.
TriCore AURIXTMFamily series products require only a single power supply chip to generate all internal voltages. TLF35584 for TriCore AURIXTMThe family of systems for multiple voltage outputs integrates power chips, also ASIL-D class chips. The enabling control end of the chip is an ignition switch signal and a wake-up signal, and the high level is effective. The uC load current of 600mA can be realized, the output voltage VLDO _ QUC is 5.0V or 3.3V through a front voltage stabilizer of step-down and step-up and a LDO rear-end voltage stabilizer, and the regulation precision is +/-2%; the communication unit load current of 200mA can be realized, the output voltage is VLDO _ QCO of 5.0V and the regulation precision is +/-2% through a buck-boost front voltage stabilizer and an LDO rear voltage stabilizer; for ADC load current up to 150mA, outputting accurate special reference voltage with VREF _ QVR of 5.0V to ADC with accuracy of +/-1%; in addition, the power supply chip can output two paths of 5.0V voltage with the precision of +/-1 percent and supplies power for the sensor. TLF35584 can output a system standby voltage VLDO _ QST of 5.0V or 3.3V with an accuracy of + -2% and support a standby current of 20 muA to 10 mA. Thus, in practice, they are combined for use and permanently connected to VBAT. In addition, one can also be connected to the output of the front-end voltage stabilizerAn additional switch-mode back-end regulator, such that an external 1.3V core supply voltage can be achieved using TLF 35584.
The power module part realizes the heterogeneous redundancy design of a hardware circuit, meets the requirement of multi-path voltage output, supplies power to different functional modules, ensures that each functional module can work normally and safely and stably, and cannot influence the normal operation of other functional modules due to abnormal single-path voltage output.
The main power supply is powered by a normal power KL _30, the KL _30 flows out of the cathode of the diode D2 through the anode of a reverse connection prevention protection diode D2, and the diode D2 has a reverse connection prevention protection function; the ignition key signal KL _15 flows out from the cathode of the diode D1 through the anode of the diode D1, and the diode D1 has an anti-reverse protection function; the VD1 is a TVS transient suppression diode at the power inlet, the negative electrode of the VD1 is connected with the TR1, and the positive electrode of the VD1 is connected with the KL _31, so that the effect of preventing heavy current surge at the power inlet is achieved, current spikes are absorbed, and a back-end circuit is protected; the capacitors C10 and C9 are common-mode filter capacitors; l3 is a common mode filter connected in series with the power inlet, the P1 pin and the P4 pin are connected in series with the power line, the P2 pin and the P3 pin are connected in series with the ground line, and L3 plays a role of common mode filtering at the power inlet. The capacitors C10, C9, L3, C8 and C7 form a pi-type filter circuit; the capacitor C7 is a power supply inlet energy storage capacitor, the L1 is a filter inductor, the D3 is connected in series in the circuit, the D3 is a freewheeling diode, and the negative electrode of the D3 is connected with the 45 pin and the 44 pin of the U1 to supply power to the chip U1; the capacitor E2 is a front-section energy storage capacitor of the BUCK circuit; the capacitor C6 functions as a power supply filter. The resistor R6 is a current-limiting resistor and the LED1 is a power indicator of the power source VS; the field effect transistor Q1 and the resistors RSen1, RSen2 constitute a current detection circuit for detecting the rear-end PREREG circuit current. If V _ PREREG is not used, then no welding of Q1, RSen1, RSen2 is required. The P46 pin of U1 is suspended, P47 is connected with GND, P1 and P48 are connected with GND; the P2 of U1 is connected with P44 to supply power to the chip; p3 of U1 is an enable signal pin, and the high level is effective; p4 of U1 is the wake-up pin, high level is active; p17 of U1 is a reset signal pin, and the reset is effective when the level is low; the P18 of U1 is the interrupt signal pin, the low pulse signal interrupt signal is valid; p15 of U1 is a chip selection signal of SPI, and a pull-up resistor R13 is required to be connected in series to a 5V power supply; p14 of U1 is a clock signal of SPI; p12 of U1 is a data input pin of SPI, and a pull-up resistor R17 is required to be connected in series to a 5V power supply; p13 of U1 is an SPI data output pin and needs to be connected with a pull-up resistor R19 to a 5V power supply in series; the P16 of U1 is a watchdog input trigger signal, inputs the trigger signal, connects the trigger signal output pin of the main control microprocessor, if not used, it is suspended;
p20 of U1 is a fault input pin, which connects the "error signal output" microprocessor from the master microprocessor security management unit (SMU, internal input error signal microprocessor fault detection) to P20; p10 of U1 is safety state output signal 2, setting the application to a safety state. If the signal is delayed for SS1, the delay may be adjusted by the SPI command. The resistor R22 is a current-limiting resistor, and the LED2 is a safety state indicator light; p11 of U1 is a safe state output signal 1, through which the state of the pin can set the application to a safe state. The resistor R23 is a current-limiting protection resistor, the shop owner R94 is a pin pair pull-down resistor, the level state of P11 can be ensured, and the system is in a stable working state; p8 and P9 of U1 are analog ground pins of U1 and are connected with GND; the P27 non-customer-use pin of U1 is directly connected with GND; p22 of U1;
the device can be used for debugging and programming purposes of a single chip microcomputer, and R25 is a pin series resistor and is directly connected with GND; p6, P7, P28 and P29 of U1 are analog ground pins of U1 and are directly connected with an external board GND; p5 of U1 is a spare 5V LDO output pin; r1 is a 0R resistor and is connected in series in the output circuit, so that the debugging is convenient; capacitors C1, C2, FB1, C4 and C5 form a pi-type filter circuit, C3 is a filter capacitor, and E1 is an output energy storage capacitor; the P24 of U1 connects the pin to GND in the low frequency range, and the resistor R78 is 0R resistor, and is connected in series in the circuit for convenient debugging; if the pre-regulator is not used, the P25 of the U1 is directly connected to GND, and the resistor R83 is a 0R resistor and is connected in series in the circuit to facilitate debugging; the P42 of U1 is connected with P43 and is Buck switch output pin, L2 is Buck output energy storage inductor; r7 is a 0R resistor and is connected in series in the output circuit, so that the debugging is convenient; the capacitors C13, C11, FB2, C14 and C15 form a pi-type filter circuit; c12 is a filter capacitor; the electrolytic capacitor E14 is an output energy storage capacitor; p40 and P41 of U1 are directly connected with GND of a Bcuk output circuit; p34, P35, P36, P37 and P38 of U1 are connected with the anode of an electrolytic capacitor E4 and are output voltage feedback ends of Buck; p19 of U1 is a synchronous output signal, since no external voltage regulator is used, the pin is floating; p21 of U1 enables an external post regulator for the core supply, the pin is floating since no external voltage regulator is used; p23 of U1 is connected to GND through a series resistor R87; p26 of U1 is an input pin for selecting the output voltage of an external voltage regulator, which pin is floating because the external voltage regulator is not used; p30 of U1 is an LDO output pin for supplying power to the MCU; p31 of U1 is the LDO output pin that the communication unit powers; p32 and P33 of U1 are LDO output pins for supplying power to an external sensor; p19 of U1 is a reference voltage output pin;
A5V power supply circuit of a peripheral sensor is additionally designed in the power supply part, a British flying power chip TLS115 is adopted, load current up to 150mA can be achieved, 5.0V voltage output is achieved through a linear voltage stabilizer, and the external sensor can work. Through the design of the partial circuit, the heterogeneous redundancy design of the power supply part is realized.
BUCK _ OUT provides power supply for the power supply chip TLS115, and the input signal 5V0_ EN2 is an enable signal, so that high level enable is effective, and the power supply chip works stably. At a low level, the power supply chip cannot work; one end of a resistor R224 is a 0R resistor, is connected with VCC _5V0 to provide reference voltage for the chip, and the other end of the resistor R is connected with an ADJ pin of the IC 4; the P1 of the IC4 is an output pin of the power supply chip, and stable output of 150mA can be realized. C157 and C158 are filter capacitors at the output end of the chip; the diode VD10 is an anti-static diode, so that the output end of the power supply chip is guaranteed to be interfered by static electricity. The circuit of the department realizes the heterogeneous redundancy design of the power supply part and ensures the reliability of the power supply of the external sensor.
(3) An input signal processing module:
the input signals of the vehicle control unit comprise a switching signal, an analog signal and a pulse quantity signal. In order to protect the singlechip from being damaged by interference signals, a protection circuit and a filter circuit must be added to a conditioning circuit of an interface of analog quantity, switching signals and pulse quantity signals, and the functions of signal filtering and safety protection are effectively achieved.
The switching value signal comprises two types of high-side input effective and low-side input effective. The switch signals mainly come from fan feedback signals, dryer signals, air conditioner switch signals, PTC switch signals, hand brake signals, starting signals and ON gear awakening and charging signals. The digital quantity is collected through a special switching quantity collection chip, and the I/O collection of the TC275 of the single chip microcomputer is met; the digital quantity acquisition chip adopts an MCD1030 of Feichalcar. Digital quantity acquisition realizes that the high/low level of each path of acquisition circuit hardware can be configured, and the acquisition circuit has a filtering function and can shield high-frequency interference; the MCD1030 can also realize AD acquisition and can select through an internal channel, namely, the function multiplexing of an AD channel and a DI channel is realized; the DI collection wet current may be configured by software. The input analog quantity is conditioned to meet the requirement of the single chip microcomputer TC275 on the AD voltage conversion range;
the analog quantity acquisition realizes voltage type and resistance type acquisition, and the voltage type and resistance type acquisition can be configured through hardware; analog input signals in the whole vehicle controller mainly come from an accelerator pedal and a brake pedal; and analog voltage signals of peripheral sensors such as a gear shifting position and the like range from 0V to 5V. After the signal filtering, in order to increase the driving capability, a voltage follower is generally used to send the signal to an AD port of a singlechip for A/D conversion. The design of the invention uses an integrated operational amplifier OPA2348 (comprising two operational amplifiers) of an integrated high-end component, TI. An ESD protection diode is adopted at a port in the AD signal input circuit, so that the signals are ensured to resist electrostatic interference; the OPA2348 and the multiple resistors form a voltage follower, and the voltage signal is guaranteed to be stable.
The pulse quantity input signal adopts the following circuit diagram to realize pulse quantity acquisition, wherein the pulse quantity acquisition is a vehicle speed sensor signal.
The PWMIN4 pulse input signal is processed by magnetic bead FB16 and then is subjected to signal filtering. One end of a capacitor C185 is connected with a magnetic bead FB16, the other end of the capacitor C185 is connected with a shell ground EARTH, a resistor R282, a resistor R28, a triode Q34, a resistor R282, a triode Q36 and a resistor R283 form a constant current circuit, a diode D91 is an anti-reverse connection diode, a VD15 is an overvoltage protection diode, and the resistors R284 and R288 divide voltage to ensure that the triode is stably conducted; the resistor R281 is a current limiting resistor at the output end of the triode; PWMIN04 is input frequency pulse signal, and enters the main control microcontroller;
(4) output signal processing module
The output signal processing module mainly comprises a high-side drive output circuit, a low-side drive output circuit and a frequency output circuit.
What adopt in this design is 16 passageway low limit intelligence switch chips TLE6240G, realizes fan enable relay output, air conditioner enable output, brake lamp output. The main control MCU and the auxiliary MCU realize data connection through an SPI serial bus; the driving current output can reach 1A current, and if higher power output requirements exist, higher power output can be realized through parallel connection of pins; the high-side driving output chip adopts a double-chip 4-channel high-side intelligent switch chip BTS724G to realize PTC enabling output, reversing light control, high-pressure air pump oil pump control and battery motor power supply register control. The power driving output chip has the protection functions of over-temperature, over-voltage, short-circuit fault and the like.
The online diagnosis technology based on the hardware logic of the output module and the programmable control technology judges failure behavior by detecting the normal operation behavior of the operation part, reduces faults caused by random failure of hardware, reports the error state of the system, realizes safe parking under dangerous conditions, and ensures the integrity and the availability of data in the data processing process. The specific working mechanism is as follows: and the fault of each port transmits information to the double MCUs through the SPI, and the double MCUs store fault codes and respond simultaneously. The high-side driver generates a fault code to the double MCUs through a level and drives an alarm signal through the double MCUs; when the main control MCU and the auxiliary MCU detect that fault information occurs mutually, under the condition of ensuring the safety of the vehicle, the CAN transceiving bus of the MCU with the problem is closed to carry out communication under a safety state with each node of a whole vehicle CAN network, and the MCU with the problem is replaced to control the normal operation of relays such as a fan, a high-pressure air pump and an oil pump, so that the basic safe running function of the vehicle under the fault state is finally ensured. On the contrary, when the auxiliary MCU fails, the main controller completes the basic safe driving function of the vehicle.
The invention comprises a 4-path pulse quantity output circuit.
The PWM _ C1 signal input enters a base electrode of Q20 through a current limiting resistor R249, and a capacitor C175 plays a role in filtering; the resistor R252 ensures the Q20 to work stably, and the triode Q20, the Q22, the resistor R253 and the capacitor C176 form a constant current circuit; one end of the resistor R241 is connected with VCC _ ON, and the other end of the resistor R241 is connected with the anode of the diode D82, so that the current limiting function is realized; the diode D82 is a power supply anti-reverse diode; the resistor R246 is an output current limiting resistor; the capacitor C174 is a signal output port protection capacitor.
(5) Communication processing module
Because the main control MCU and the auxiliary MCU in the system are both provided with CAN controllers, each MCU respectively drives two paths of CAN interface chips, and the chips adopt TJA1051 of NXP. The communication module adopts an independent 5V power supply to supply power, so that the stability and the reliability of a power supply system are ensured, in order to enhance the anti-interference capability of the CAN bus node, the communication circuit is added with a common-mode inductor to remove common-mode interference, a filter capacitor to remove differential-mode interference, and ESD (electro-static discharge) anti-interference and clamping 5V voltage are increased. CAN communication data are distributed to the auxiliary MCU by the main control MCU, and high-speed operation of the CAN data is realized by arbitrating the communication data.
(6) Storage processing unit
The storage processing unit adopts an automobile-level storage chip M95M01-DWMN3TP, the chip can realize 1Mbit communication speed, communication is realized through the SPI and the MCU, and the MCU completes reading and writing with the storage unit through the SPI.
The P5 of the chip IC6 is connected to the power supply VDD _ IO through a pull-up resistor R184; the data input signal SPI0_ SIN is connected to P5 through a port protection resistor R191. A decoupling capacitor C189 is connected to the ground, so that a filtering effect is achieved; the P2 of the chip IC6 is connected to the power supply VDD _ IO through a pull-up resistor R192; the data output signal SPI0_ SOUT is connected to pin P2 of IC6 through a port protection resistor R192; the P6 of the chip IC6 is connected to a power supply VDD _ IO through a pull-up resistor R188, and is connected with a decoupling capacitor C160 to the ground to play a role in filtering; the P1 of the chip IC6 is connected to the power supply VDD _ IO through the pull-up resistor R186, and the chip selection signal SPI0_ CS0 is connected to the P1; the P3 of the chip IC6 is pulled down to GND through a resistor R195, and the effective level of a chip selection signal SPI0_ CS1 is ensured; p8 of the chip IC6 is a power supply pin of the chip and is connected to a power supply VDD _ IO; the P7 of the chip IC6 is connected to a power supply VDD _ IO, the high level is effective, and the capacitor C191 is a decoupling capacitor and is connected to GND; p4 of chip IC6 is the GND pin of the chip.
The main microcontroller of the whole vehicle controller adopts Tricore AURIXTMThe TC275 series of (a), fusing numerous security mechanisms against ISO 26262. The fusion of check core (checker core) or lockstep core (lockstep core) mechanism and SMU (Security management Unit) mechanism, HSM (hardware Security Module), ECC (error checking and correcting), etc. all improve AURIXTMThe security of (2) is an ASIL-D grade chip. Yingfei ling single-chip machine AURIXTMThe three-core system framework just forms a mutually redundant hardware system, so that the safety risk of complete failure of the single chip microcomputer is greatly reduced. AURIXTMThe large internal storage (4MB Flash) of the serial single-chip microcomputer also provides development conditions for the safety redundancy design of software.
The auxiliary MCU uses a low-cost MCU, and adopts a 16-bit MC9S12 series singlechip of NXP. The chip is widely used in automobiles and aeromodelling and has strong anti-electromagnetic interference capability; from the viewpoint of chip resources, the running requirement of a simple electric vehicle CAN be met, the internal memory is 384KB, the dominant frequency is 50Mhz at most, the CAN, the SPI, the I2C and the SCI communication interfaces are complete, the chip belongs to an ultrahigh-reliability automobile-grade chip, and the chip CAN run under severe conditions.
Description of the invention:
firstly, researching a function safety technology of the vehicle controller, and developing hardware and embedded software of the vehicle controller;
the development process of the vehicle controller follows an ISO26262 development process, a double-V-shaped process is realized on hardware and software, the hardware architecture meets the requirements of ASIL-D, and the software passes links such as module testing, system testing, hardware-in-the-loop testing and the like, so that the occurrence of logic faults and failure faults of products after mass production is avoided.
The whole vehicle controller adopts a model-based (MBD) development mode, the programming environment adopts MATLAB/Simulink, and the software development adopts a graphical and modular interface, so that developers can understand and modify the interface easily; the chip bottom layer driver library meets the requirements of MISRA-C safety standard, so that the risk in the product application process can be reduced, and the reliability is improved; product Simulink library reference Woodward Mototron and Dspace Targetlink; and connecting the codes generated by the Matlab/Embedded Coder with a Codewarrior compiling environment through a COM (component object model) interface, and automatically loading bottom layer and application layer C codes in the Codewarrior to realize one-key code generation.
CAN calibration function; the CCP function accords with an ASAP standard protocol CCP 2.1, a VECTOR CANape tool can be directly used for calibrating VCU products, and the basic instruction meets the following list;
TABLE 1 CANape base instruction List
| Basic commands | Extending optional commands |
| CONNECT | UNLOCK |
| GET_CCP_VERSION | DNLOAD_6 |
| EXCHANG_ID | SHORT UP |
| SET_MTA | SHORT_SELECT_CAL_PAGE |
| DNLOAD | GET_ACTIVE_CAL_PAGE |
| UPLOAD | SET_S_STATUS |
| GET_DAQ_SIZE | GET_S_STATUS |
| SET_DAQ_PTR | BUILD_CHKSUM |
| WRITE_DAQ | CLEAR_MEMORY |
| START_Stop | PROGRAM |
| DISCONNECT | PROGRAM_6 |
| DIAG SERVICE | |
| ACTION_SERVICE |
The CCP bottom layer driver is compiled by Matlab S-Function, and state and instruction management is carried out through Stateflow;
the A2L file is realized in the post-compiling process, the A2L file is generated for the first time in the code generating process of the EmbededdCoder, and after the Codewarrior compiles the complete project, the original A2L file is merged with the MAP file to generate the A2L file which can be called by the CANape.
UDS functionality complies with the definition of the unified diagnostic Specification in ISO14229 and ISO15765
The service is as follows, and the diagnostic service can be performed using LAUNCH or other general diagnostic equipment:
table 2 UDS function list
| Service ID | Description of the invention |
| 0x09 | Requesting vehicle information |
| 0x10 | Specific diagnostic service control |
| 0x11 | ECU reset |
| 0x14 | Clearing fault code |
| 0x19 | Reading fault code information |
| 0x22 | Reading information by ID |
| 0x28 | Communication control |
| 0x2E | Writing information according to ID |
| 0x2F | Controlling input and output according to ID |
| 0x3E | Diagnostic instrument connection |
The UDS product is developed by adopting Simulink/Stateflow, the basic framework of the diagnosis service is the same, and the UDS product can be adjusted according to the requirements of the diagnosis specification of the whole vehicle factory;
information such as DTC codes, Freeze frames and the like is stored in a special IC to ensure the reliability of data;
the entire vehicle VIN code is written through the EOL device, the VIN write session is initiated by the 0x10 service, then the product VIN code is written through the 0x2E service, and then the 0x22 service verifies that the writing is correct.
Researching a graphical programming method and developing programming tool software;
developing a graphical and modular programming environment: development of TriCore AURIX of England flying based on software platform of Matlab/SimulinkTMThe TC275 framework bottom layer drive of the multi-core safety chip, modules in the aspects of mathematical algorithm, logic, condition judgment and the like are developed by combining with a C language compiling environment specific to an EmbedModer, and a module library file specific to the whole vehicle controller is formed by combining with a bottom layer drive module, so that the C language is not used for programming in the product research and development process, a higher-level and more understandable graphical programming environment is adopted, and the development work is to convert ideas into various functional modules for connection so as to realize the required control logic and functions;
D2P development mode is realized: design To Product, Design thinking is directly converted into a mass production Product, in order To achieve the goal of D2P, the hardware Design of the vehicle controller Product needs To meet the high-reliability automobile level, a strict DVP test is formulated, and the Product passes through the harsh test requirement To meet the Product applicability under all-geography and all-weather conditions. The software design of the vehicle control unit product adopts a graphical model design language, automatically converts the graphical model design language into a C language code meeting the high-security-level MISRA C2012 standard in the compiling process, and generates a chip hardware executable code through a compiler meeting the ISO26262 requirement, thereby realizing the combination of software and hardware.
Researching a control algorithm of the whole vehicle controller and developing an algorithm library;
the method is characterized by researching a whole vehicle control strategy and developing a control algorithm with functions of constant-speed cruising, gear management, vehicle running mode control, vehicle drive control, vehicle crawling control, sliding energy recovery, braking energy recovery, high-voltage power-on and power-off control, charging control, torque coordination control, slope-sliding prevention control, DCDC control and the like.
The vehicle driving mode, the vehicle running mode and the whole vehicle control strategy of each type of new energy vehicle are analyzed, technical research is conducted from the aspects of rapid identification of control system parameters, accurate identification of complex working condition parameters and the like, and a typical control algorithm library of the whole vehicle controller is established.
Developing a platform integration technology and developing an integration toolkit;
the hardware platform integration technology of the vehicle control unit is developed according to similar subsystem functions, the same performance, the same communication interface and the same production process flow. The functions of different product lines, such as a transmission controller, a battery management system, an engine controller, a gateway, a motor controller and other products, are expanded, only a slave module of the same packaged chip needs to be replaced on hardware, a master control module and the slave module use a standard SPI (serial peripheral interface), and the whole vehicle controller can expand the functions of other multiple product lines on the premise of changing hardware and software a little, thereby realizing the development concept of chip-serialization, realizing the multiplexing of software and hardware, shortening the development period and reducing the development risk.
The integrated toolkit is developed, a code generating function is realized by one key, and the method can be realized by only pressing Ctrl + B one key from a graphical model design language to a chip recognizable machine code. The function of generating codes by one key needs to design a tool chain to automatically call functions in Matlab/Simulink to realize conversion from a model to C language, then connect corresponding library function files, optimize and check the C language, and call a compiler to compile through a COM interface, thereby realizing all software on the Matlab/Simulink integrated tool chain. The background calling mode avoids the error probability in the middle process and improves the working efficiency. During field debugging, the problem can be solved more timely and effectively.
Claims (6)
1. The utility model provides a accord with safe heterogeneous redundant vehicle control unit of function which characterized in that:
(1) heterogeneous redundancy design;
in order to reduce the common cause failure problem among multiple channels in a redundant structure, a heterogeneous design is adopted, and the physical independence and design diversity of different channels are ensured as much as possible; the diversity technology requires different methods to realize a required function, and different physical methods or different design approaches can be adopted; the heterogeneous redundancy design technology can ensure that the whole system has higher reliability as long as one subsystem runs reliably, the subsystem with high reliability can be intelligently selected to process tasks when the system runs safely, when the reliability of one subsystem is reduced sharply, the reliability of the whole system is not changed greatly, and the reliability of the system has certain stability;
(2) heterogeneous software and hardware safety design of the safety life cycle;
in the development of software and hardware of the finished automobile controller, independent safety design and verification work is carried out, and the safety and reliability of software and hardware of two sets of subsystems are ensured by using methods of interface analysis, traceability analysis and risk analysis;
(3) online diagnosis of hardware logic and programmable control techniques;
the failure behavior is judged by detecting the normal operation behavior of the operation component, so that the faults caused by the random failure of hardware are reduced, the error state of the system is reported, the safe parking under the dangerous condition is realized, and the data integrity and the usability in the data processing process are ensured.
2. The functionally-safe heterogeneous redundant vehicle control unit according to claim 1, wherein:
the whole vehicle controller is responsible for managing the whole power system and coordinating the work of a BMS, a motor controller and an AMT (automated mechanical transmission) plurality of parts; determining the on and off of the high-voltage contactor; the whole vehicle controller is used as a core control module of the power system, and the control of the whole vehicle mainly realizes the control of torque; the relative actions of starting, stopping, accelerating, decelerating, advancing and retreating are realized through torque control; the vehicle controller needs to calculate the torque required by the vehicle and control the vehicle to run according to the current state and efficiency of the parts;
the software of the vehicle control unit can distribute a multi-energy management strategy and an auxiliary function module according to the functional division; the core is that the multi-energy management strategy comprises a whole vehicle demand torque calculation part, a mode scheduling part and a torque distribution part; the auxiliary function module comprises a signal processing and driving module, a communication and calibration module, a fault diagnosis module, a high-voltage safety management module and a startup and shutdown module.
3. The functionally-safe heterogeneous redundant vehicle control unit according to claim 1, wherein:
the control strategy of the vehicle control unit mainly comprises low-voltage power management, high-voltage power management, fault diagnosis and failure control strategy, driving force and dynamic coordination control strategy, energy management and SOC balance control strategy, calibration strategy, power-on strategy and power-off strategy of each controller, low-voltage power diagnosis and charging management;
the high-voltage power supply management comprises fault diagnosis, power-on management and power-off management of a high-voltage power system on the whole vehicle level and a whole vehicle safety control strategy of the high-voltage power system;
the fault diagnosis and failure control strategy forms a complete fault diagnosis system by independent diagnosis and interactive diagnosis of information of each sensor, thereby not only preventing parts from being damaged, but also preventing the driving safety problem caused by faults;
the driving force and dynamic coordination control strategy calculates the driving force demand in real time according to the driving information, and meets the driving force demand of the vehicle under the steady-state and dynamic working conditions;
the energy management and SOC balance control strategy realizes the recovery of braking capacity;
the control strategy of the vehicle controller integrates the vehicle control function, which comprises a series of functions of vehicle awakening, driving drive control and brake control, vehicle cruise control, vehicle acceleration and deceleration control and vehicle overspeed limitation; the calibration strategy adopts CCP protocol to realize the dynamic calibration of the whole vehicle and provide the operation parameters of the controller and the operation parameters of each part of the vehicle and the power system, thus realizing the high-efficiency accurate optimization system.
4. The functionally-safe heterogeneous redundant vehicle control unit according to claim 1, wherein:
the method comprises the steps that a task scheduling model is designed through system software of the vehicle control unit, and the functions of a gearbox controller are divided into a time task scheduling module, a CAN receiving module, a10 millisecond cycle task, a 20 millisecond cycle task, a 50 millisecond cycle task, a 100 millisecond cycle task, a1 second cycle task, a CAN message communication interface variable name, a software function module framework and interface variables among all software modules;
the task scheduling module comprises a control strategy of the whole vehicle; the method comprises the following steps: the method comprises the steps of a whole vehicle power-on and power-off process, gear control, a charging process, a gear shifting strategy and a vehicle driving control strategy.
5. The functionally-safe heterogeneous redundant vehicle control unit according to claim 1, wherein:
the specific working process is as follows:
(1) a vehicle control unit power-on process;
after the Key door is screwed to Key On, the power supply On wakes up a power management chip of the whole vehicle controller so as to wake up a main chip and an IC chip, and the whole vehicle controller carries out power-On self-test;
after initialization and self-checking are finished, reporting to controllers such as a whole vehicle controller, a BMS (battery management system), an MCU (microprogrammed control unit) and the like through a CAN (controller area network) bus for power-on self-checking;
after a Key door is screwed to Key Start for 1 second, and under the condition that no charging interlocking signal exists and no fault exists in more than 2 levels in the BMS and the MCU, the whole vehicle controller enters a waiting high-voltage state, the whole vehicle controller sends a BMS high-voltage power-on instruction, the BMS closes a total negative relay and a pre-charging relay, and the BMS state is completed by detecting the pre-charging process within a specified time, the total positive relay is closed, and the pre-charging relay is opened;
(2) a power-off process of the whole vehicle controller;
after the Key door is closed by Key On, the vehicle control unit changes the output torque of the driving motor into 0Nm, and the vehicle control unit sends a BMS high-voltage power-down command;
after the BMS detects the power-off command, the BMS enters a power-off state, and a total positive relay and a total negative relay are disconnected to complete a power-off high-voltage process; after the high-voltage power-down process is finished, the vehicle control unit cuts off the main relay, and the BMS and other controllers enter the low-voltage power-down process; then, after delaying for 10s, the vehicle controller performs suicide power-off through an internal power management chip;
if the Key door is screwed to Key On in the low-voltage and delay waiting process, the vehicle controller considers that the driver expects to enter the power-On mode again, and the vehicle controller is matched with the BMS and the Inverter to complete the power-On process;
(3) an IO amount input interface module;
carrying out anti-shake processing on the digital signal to filter out noise in the signal;
when the digital signal has instantaneous faults, determining whether the signal has problems through multiple judgments, and after the digital signal faults are confirmed, processing the faults after the digital signal values after anti-shake processing are equal to default values; the digital input signal has a calibratable rewriting function so as to facilitate subsequent test verification;
(4) a CAN signal input interface module;
whether each frame of the received CAN message is valid or not and whether the frame is overtime or not needs to be judged, whether the frame contains a checksum or a rolling counter or not needs to be detected, and whether the checksum and the rolling counter are correct or not needs to be detected; converting the original value of the signal into engineering quantity with actual physical significance;
the CAN input signal needs anti-shake processing, and when the CAN input signal has instantaneous faults, whether the signal has problems is determined through multiple judgments; when the CAN input signal fault is confirmed, the CAN input signal value after anti-shake processing is equal to a default value, and then the fault is processed; the CAN input signal has a calibratable rewriting function so as to facilitate subsequent test verification;
(5) an accelerator pedal signal processing module;
an electronic accelerator pedal assembly is adopted; in order to prevent the interference of power supply fluctuation, two independent power supplies supply power;
the power supply voltage of an accelerator pedal is 5V, and the feedback voltage and the pedal angle are in a direct proportion relation according to the feedback voltage of two paths of accelerator pedal signals collected by the vehicle controller;
when the accelerator pedal feedback voltage is below 0.75V or above 3.84V, the pedal signal is considered invalid;
when the accelerator pedal feedback voltage II is below 0.35V or above 1.92V, the pedal signal is considered invalid;
after multiplying the accelerator pedal feedback voltage II by 2, carrying out safety check on the accelerator pedal feedback voltage II and the accelerator pedal feedback voltage I, and if the difference value is greater than a preset value, determining that the pedal signal is invalid;
in the D gear or the R gear, when a driver steps on an accelerator pedal, the vehicle control unit enables the motor to enter a torque control mode, and the torque output linearly changes along with the stepping on of the pedal;
(6) a brake pedal signal processing module;
an electronic brake pedal assembly is adopted; the brake pedal signal is an analog signal output by 0.5-4.5V;
the voltage of a signal collected by a brake pedal is too low and exceeds 3 s; when the voltage is less than 0.1V, the three-level fault analog quantity braking signal is over low, the output torque of the whole vehicle is set to 0, and the vehicle is stopped at a constant high voltage; the voltage of a signal collected by the brake pedal exceeds 3s, the voltage is greater than 4.8V, and the brake pedal value is over high when a first-level fault is reported;
the brake pedal value is too low, and the brake depth is 0; the brake pedal value is too high, and the brake depth is 100 percent;
the depth of the brake pedal is calibrated according to a voltage-depth characteristic curve of the brake pedal;
if the time that the accelerator and the brake have signals simultaneously is more than 1s, reporting that the brake pedal and the accelerator pedal have signals simultaneously when the first-level fault occurs, but not influencing the calculation of the pedal depth; the vehicle control unit judges that the effective initial value of the braking signal is set to 0.88V;
(7) a shift logic control strategy module;
the gear signal is judged through a digital input port of a VCU connector;
r, N, D, all three gears are digital input low and effective, a truth table is adopted for judgment, and except for D, R gears, other states are N gears through permutation and combination;
under the R gear, the working rotating speed of the motor is reversed, so that the reversing light can be driven;
in the N gear, slowly changing the target torque of the motor to 0 Nm;
under the D gear, the working rotating speed of the motor is made to be positive rotation;
(8) a vehicle drive control strategy module;
under the condition of a D gear or an R gear, a driver steps on an accelerator, and then the vehicle enters a vehicle driving mode;
in the driving mode, the torque output is mainly realized by a table look-up method;
under different pedal depths, the torque output is different, and a user can realize different driving feelings by adjusting the torque MAP;
the whole vehicle energy management is also realized mainly by optimally distributing the power or torque output of a main driving motor and a battery high-voltage component according to the information of BMS SOP in a vehicle driving mode on the premise of meeting the driving requirement, so as to realize the optimal management of energy, and when the total current of a battery pack is greater than a specified value in the SOP, limiting the torque output; in the case where the brake pedal and the accelerator pedal are simultaneously depressed, the torque calculated by the brake pedal is preferentially executed.
6. The functionally-safe heterogeneous redundant vehicle control unit according to claim 1, wherein:
the four main control units of the electric automobile control system are an electric automobile whole vehicle control system, a motor control system, a charger control system and a battery management system;
the whole electric vehicle control system consists of a whole vehicle controller, a communication system, a part controller and a driver operation system, and has the main functions of selecting a working mode and an energy distribution proportion which are optimized as much as possible on the premise of ensuring safety and dynamic property according to the operation of a driver and the current working conditions of the whole vehicle and parts so as to achieve the optimal economy, dynamic property and reliability;
the whole vehicle controller is a core component of a whole vehicle control system of the electric vehicle, collects signals of a motor control system, signals of an accelerator pedal, signals of a brake pedal and other component signals, comprehensively analyzes and makes corresponding judgment according to the driving intention of a driver, and then monitors the work of each unit of the whole vehicle; in the hardware design, the vehicle control unit is based on modularization as a design concept and mainly comprises a microcontroller unit, an advanced power management unit, an input signal processing unit, an output signal processing unit, a communication processing unit, a storage management power supply and a fault processing unit.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910619027.1A CN111007713A (en) | 2019-07-10 | 2019-07-10 | Heterogeneous redundant vehicle control unit conforming to functional safety |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910619027.1A CN111007713A (en) | 2019-07-10 | 2019-07-10 | Heterogeneous redundant vehicle control unit conforming to functional safety |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN111007713A true CN111007713A (en) | 2020-04-14 |
Family
ID=70111468
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910619027.1A Pending CN111007713A (en) | 2019-07-10 | 2019-07-10 | Heterogeneous redundant vehicle control unit conforming to functional safety |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111007713A (en) |
Cited By (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112099412A (en) * | 2020-09-22 | 2020-12-18 | 郑州嘉晨电器有限公司 | Safety redundancy architecture of micro control unit |
| CN112526961A (en) * | 2020-08-18 | 2021-03-19 | 中国汽车技术研究中心有限公司 | New energy automobile function fault tolerance testing device and testing method |
| CN112947043A (en) * | 2021-03-19 | 2021-06-11 | 恒大恒驰新能源汽车研究院(上海)有限公司 | Vehicle redundancy control system, control method thereof and vehicle |
| CN113282031A (en) * | 2021-05-10 | 2021-08-20 | 常州易控汽车电子股份有限公司 | Power input comprehensive processing circuit of automobile engine controller |
| CN113415166A (en) * | 2021-07-09 | 2021-09-21 | 山东元齐新动力科技有限公司 | Power-on and power-off control method and system for extended range hybrid electric vehicle |
| CN113511260A (en) * | 2021-07-06 | 2021-10-19 | 中汽创智科技有限公司 | Control circuit, control method and storage medium of electric control steering system |
| CN113541672A (en) * | 2021-07-02 | 2021-10-22 | 浙江中控技术股份有限公司 | Risk degradation device and risk degradation method |
| CN113799761A (en) * | 2020-06-15 | 2021-12-17 | 卓品智能科技无锡有限公司 | Extended-range type new energy coordination controller control system |
| CN113895451A (en) * | 2021-10-27 | 2022-01-07 | 东风汽车集团股份有限公司 | Safety redundancy and fault diagnosis system and method based on automatic driving system |
| CN114201332A (en) * | 2022-02-21 | 2022-03-18 | 岚图汽车科技有限公司 | Redundancy control method, device, chip and storage medium |
| CN117590789A (en) * | 2024-01-17 | 2024-02-23 | 合肥工业大学 | Three-layer monitoring architecture for whole vehicle controller |
| CN113541672B (en) * | 2021-07-02 | 2024-04-23 | 浙江中控技术股份有限公司 | Risk degradation device and risk degradation method |
Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101549707A (en) * | 2009-05-15 | 2009-10-07 | 奇瑞汽车股份有限公司 | Automobile steering-by-wire redundancy and fault tolerance system and control method |
| CN103010123A (en) * | 2012-12-10 | 2013-04-03 | 南昌大学 | Vehicle control unit for pure electric vehicle |
| GB201713458D0 (en) * | 2017-08-22 | 2017-10-04 | Daimler Ag | A modular safety software architecture for electrified-powertrain control systems |
| CN107992382A (en) * | 2017-10-24 | 2018-05-04 | 北京全路通信信号研究设计院集团有限公司 | A kind of computer interlock system and its redundancy switching method |
| CN108205279A (en) * | 2017-12-08 | 2018-06-26 | 联创汽车电子有限公司 | Isomery multi-chip intelligent driving controller |
| CN108920409A (en) * | 2018-06-22 | 2018-11-30 | 阜阳师范学院 | A kind of heterogeneous multi-nucleus processor institutional framework for realizing fault tolerance |
| CN109541987A (en) * | 2018-10-17 | 2019-03-29 | 同济大学 | A kind of plug and play type intelligent automobile domain controller and method with redundancy structure |
| CN109660462A (en) * | 2018-12-13 | 2019-04-19 | 中国北方车辆研究所 | Information self-adapting transmission method in vehicle isomery interference networks |
| CN109917779A (en) * | 2019-03-26 | 2019-06-21 | 中国第一汽车股份有限公司 | Redundancy control system towards L3 automatic Pilot |
| CN109910790A (en) * | 2019-03-05 | 2019-06-21 | 同济大学 | A kind of ADAS domain controller |
-
2019
- 2019-07-10 CN CN201910619027.1A patent/CN111007713A/en active Pending
Patent Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101549707A (en) * | 2009-05-15 | 2009-10-07 | 奇瑞汽车股份有限公司 | Automobile steering-by-wire redundancy and fault tolerance system and control method |
| CN103010123A (en) * | 2012-12-10 | 2013-04-03 | 南昌大学 | Vehicle control unit for pure electric vehicle |
| GB201713458D0 (en) * | 2017-08-22 | 2017-10-04 | Daimler Ag | A modular safety software architecture for electrified-powertrain control systems |
| CN107992382A (en) * | 2017-10-24 | 2018-05-04 | 北京全路通信信号研究设计院集团有限公司 | A kind of computer interlock system and its redundancy switching method |
| CN108205279A (en) * | 2017-12-08 | 2018-06-26 | 联创汽车电子有限公司 | Isomery multi-chip intelligent driving controller |
| CN108920409A (en) * | 2018-06-22 | 2018-11-30 | 阜阳师范学院 | A kind of heterogeneous multi-nucleus processor institutional framework for realizing fault tolerance |
| CN109541987A (en) * | 2018-10-17 | 2019-03-29 | 同济大学 | A kind of plug and play type intelligent automobile domain controller and method with redundancy structure |
| CN109660462A (en) * | 2018-12-13 | 2019-04-19 | 中国北方车辆研究所 | Information self-adapting transmission method in vehicle isomery interference networks |
| CN109910790A (en) * | 2019-03-05 | 2019-06-21 | 同济大学 | A kind of ADAS domain controller |
| CN109917779A (en) * | 2019-03-26 | 2019-06-21 | 中国第一汽车股份有限公司 | Redundancy control system towards L3 automatic Pilot |
Non-Patent Citations (4)
| Title |
|---|
| 张戟 等: "整车控制器功能安全设计和研究" * |
| 戴能红 等: "纯电动客车整车控制策略设计与验证" * |
| 杜德清: "电动汽车VCU故障诊断系统开发与测试" * |
| 芦文峰: "满足ISO26262标准的EV整车控制单元开发研究" * |
Cited By (17)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113799761A (en) * | 2020-06-15 | 2021-12-17 | 卓品智能科技无锡有限公司 | Extended-range type new energy coordination controller control system |
| CN112526961B (en) * | 2020-08-18 | 2021-08-27 | 中国汽车技术研究中心有限公司 | New energy automobile function fault tolerance testing device and testing method |
| CN112526961A (en) * | 2020-08-18 | 2021-03-19 | 中国汽车技术研究中心有限公司 | New energy automobile function fault tolerance testing device and testing method |
| CN112099412A (en) * | 2020-09-22 | 2020-12-18 | 郑州嘉晨电器有限公司 | Safety redundancy architecture of micro control unit |
| CN112099412B (en) * | 2020-09-22 | 2022-02-25 | 河南嘉晨智能控制股份有限公司 | Safety redundancy architecture of micro control unit |
| CN112947043B (en) * | 2021-03-19 | 2023-09-08 | 恒大恒驰新能源汽车研究院(上海)有限公司 | Vehicle redundancy control system, control method thereof and vehicle |
| CN112947043A (en) * | 2021-03-19 | 2021-06-11 | 恒大恒驰新能源汽车研究院(上海)有限公司 | Vehicle redundancy control system, control method thereof and vehicle |
| CN113282031A (en) * | 2021-05-10 | 2021-08-20 | 常州易控汽车电子股份有限公司 | Power input comprehensive processing circuit of automobile engine controller |
| CN113282031B (en) * | 2021-05-10 | 2022-12-02 | 常州易控汽车电子股份有限公司 | Power input comprehensive processing circuit of automobile engine controller |
| CN113541672A (en) * | 2021-07-02 | 2021-10-22 | 浙江中控技术股份有限公司 | Risk degradation device and risk degradation method |
| CN113541672B (en) * | 2021-07-02 | 2024-04-23 | 浙江中控技术股份有限公司 | Risk degradation device and risk degradation method |
| CN113511260A (en) * | 2021-07-06 | 2021-10-19 | 中汽创智科技有限公司 | Control circuit, control method and storage medium of electric control steering system |
| CN113415166A (en) * | 2021-07-09 | 2021-09-21 | 山东元齐新动力科技有限公司 | Power-on and power-off control method and system for extended range hybrid electric vehicle |
| CN113895451A (en) * | 2021-10-27 | 2022-01-07 | 东风汽车集团股份有限公司 | Safety redundancy and fault diagnosis system and method based on automatic driving system |
| CN113895451B (en) * | 2021-10-27 | 2023-07-18 | 东风汽车集团股份有限公司 | Safety redundancy and fault diagnosis system and method based on automatic driving system |
| CN114201332A (en) * | 2022-02-21 | 2022-03-18 | 岚图汽车科技有限公司 | Redundancy control method, device, chip and storage medium |
| CN117590789A (en) * | 2024-01-17 | 2024-02-23 | 合肥工业大学 | Three-layer monitoring architecture for whole vehicle controller |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111007713A (en) | Heterogeneous redundant vehicle control unit conforming to functional safety | |
| CN100570519C (en) | Safety cut-off method of exporting in the three-mould redundancy safety computer and device | |
| CN104512422B (en) | Hybrid electric vehicle fault handling method and its fault processing system | |
| CN105242608B (en) | Entire car controller and its control method | |
| CN109696903B (en) | Functional safety circuit for automobile controller | |
| CN105711520A (en) | Power management circuit of vehicle control unit and control method thereof | |
| CN109541457A (en) | Power battery high-voltage relay control circuit and method for diagnosing faults | |
| CN104423374B (en) | Controller for automobile and the automobile with it, monitoring method | |
| CN108255123A (en) | Train LCU control devices based on the voting of two from three software and hardware | |
| CN207780132U (en) | A kind of signal processing module of intelligent network connection automobile | |
| CN214450872U (en) | Redundant braking system, automatic driving system and vehicle | |
| CN113253700A (en) | Hardware-in-loop closed-loop test method and system for battery management system | |
| CN116788173A (en) | Service type regional controller for vehicle | |
| CN203224778U (en) | High-safety-performance ECU architecture for electric car | |
| CN112648084B (en) | Dual-fuel engine controller based on function safety | |
| CN216134479U (en) | Communication sharing device based on RS485 | |
| KR20150046652A (en) | Method and apparatus for supplying electricity power for load of vehicle | |
| CN211335593U (en) | High-voltage interlocking detection circuit of motor controller | |
| CN219904274U (en) | Intelligent power distribution unit of automobile | |
| CN112653321A (en) | Cross overvoltage comparison circuit and EPS power module | |
| Grießnig et al. | A CPLD-based safety concept for industrial applications | |
| CN103427606B (en) | The distributed control means of multi-channel switch power phase cross-over parallel connection and method | |
| CN105298665B (en) | Aviation piston type engine redundance type ECU | |
| CN109324596A (en) | A kind of electric machine controller high-voltage interlocking detection circuit and detection method | |
| Liu et al. | Functional Safety Development of Bi-Directional On-Board Charger for New Energy Vehicles |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| WD01 | Invention patent application deemed withdrawn after publication | ||
| WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20200414 |