CN116382060A - CAN communication vehicle-mounted domain controller system with uninterrupted faults - Google Patents

Publication number
CN116382060A
Authority
CN
China
Prior art keywords
communication
control chip
signal
monitoring
path
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310103023.4A
Other languages
Chinese (zh)
Inventor
胡艳青
姜辛
宋艳红
杭璋俊
章健勇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huixi Intelligent Technology Shanghai Co ltd
Original Assignee
Huixi Intelligent Technology Shanghai Co ltd
Application filed by Huixi Intelligent Technology Shanghai Co ltd
Priority to CN202310103023.4A
Publication of CN116382060A

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B9/00 Safety arrangements
    • G05B9/02 Safety arrangements electric
    • G05B9/03 Safety arrangements electric with multiple-channel loop, i.e. redundant control systems
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Hardware Redundancy (AREA)

Abstract

The invention relates to a fault uninterrupted CAN communication vehicle-mounted domain controller system, which comprises a main control chip, a monitoring and backup control chip, an A-path CAN communication channel and a B-path CAN communication channel. The main control chip and the monitoring and backup control chip execute the same task software program, and the monitoring and backup control chip additionally executes a system monitoring software program, which monitors faults of the main control chip, controls the switching of CAN communication command signals, monitors faults of the A-path and B-path CAN communication channels, and controls the switching of the CAN communication channel. Through inter-core information synchronization and mutual checking of the CAN messages to be sent, the main control chip and the monitoring and backup control chip allow the task software program to keep communicating externally over CAN, continuously and without interruption, when any control chip or any CAN communication channel fails. The system has the advantages of continuous external control communication, no control gap, no inconsistent control instructions, strong robustness and high reliability.

Description

CAN communication vehicle-mounted domain controller system with uninterrupted faults
[ field of technology ]
The invention relates to the technical field of automobile electronics, in particular to a fault uninterrupted CAN communication vehicle-mounted domain controller system.
[ background Art ]
The invention addresses failure scenarios of a vehicle-mounted controller, in particular failures of the controller chip and of the communication transceiver chip. The goal is uninterrupted CAN communication, i.e. very low latency, imperceptible switching, improved reliability, and a shorter interruption of control when a fault occurs.
The electrification and networking of automobiles, and automatic driving in particular, are putting more and more electronic control units (ECUs) into vehicles, while the communication links between controllers are increasingly required to be highly reliable and robust. Highly reliable communication between automotive electronic controllers that meets the functional safety standard ISO 26262 (the international standard for road vehicle functional safety) has become a firm technical requirement that must be carried into the design.
FIG. 1 is a structural frame diagram of a typical automotive control system. As shown in FIG. 1, a typical vehicle domain controller (for example an autopilot, power, chassis, body or intelligent cockpit domain controller) performs its control function and usually outputs its control commands over a CAN communication network. CAN is the abbreviation of Controller Area Network, an ISO-standardized serial communication protocol. In the automotive industry, various electronic control systems have been developed for safety, comfort, convenience, low pollution and low cost. The automotive CAN communication protocol was developed in 1986 by the German electrical supplier Bosch. CAN was subsequently standardized in ISO 11898 and ISO 11519, and is now a standard protocol for automotive networks in Europe.
FIG. 2 is a schematic diagram of a typical CAN communication controller architecture based on a system on chip (SoC). FIG. 2 is an abstract view of a CAN communication control system; the microcontroller part usually uses a system on chip (SoC) or a microcontroller chip (MCU), referred to here simply as the SoC chip.
The controller processes the input signal streams from external sensors and the like in real time, computes real-time control commands with its control algorithm, and sends them to the actuator units at a fixed period through the CAN communication interface. The SoC chip or the CAN communication interface inside the controller may suffer a random hardware failure, or may malfunction because of external signal interference, so that the function of the controller can no longer be maintained.
A controller system with higher reliability, that is, one whose control function continues when the SoC control chip or the CAN communication interface fails, needs a new design. Existing controller designs have difficulty meeting the following requirements for highly reliable, imperceptible control:
1) The hardware must be highly reliable and able to cope with random hardware faults (SoC or communication interface faults);
2) When a hardware fault occurs in the key control chip or the communication interface of the system, the external CAN communication control of the system must be maintained;
3) The continuity and consistency of the control instructions sent externally must be ensured.
The invention improves the CAN communication system of the vehicle-mounted domain controller.
[ invention ]
The invention aims to provide a CAN communication vehicle-mounted domain controller system with continuous external control communication, no control gap, no inconsistent control instructions, strong robustness and high reliability.
To achieve this purpose, the technical scheme adopted by the invention is a fault uninterrupted CAN communication vehicle-mounted domain controller system comprising a main control chip, a monitoring and backup control chip, an A-path CAN communication channel and a B-path CAN communication channel. The main control chip and the monitoring and backup control chip execute the same task software program, and the monitoring and backup control chip additionally executes a system monitoring software program, which monitors faults of the main control chip, controls the switching of CAN communication command signals, monitors faults of the A-path and B-path CAN communication channels, and controls the switching of the CAN communication channel. Through inter-core information synchronization and mutual checking of the CAN messages to be sent, the main control chip and the monitoring and backup control chip allow the task software program to keep communicating externally over CAN, continuously and without interruption, when any control chip or any CAN communication channel fails.
Preferably, the fault uninterrupted CAN communication vehicle-mounted domain controller system further comprises an input signal interface and a signal copying module. The input signal interface receives the input signal for system control, and the signal copying module copies that input signal in parallel and transmits it synchronously to the main control chip and the monitoring and backup control chip. The main control chip receives the input signal for system control, executes the task software program to implement the complete control logic, and outputs a main CAN communication command signal. The monitoring and backup control chip receives the input signal for system control, executes the task software program to implement the complete control logic, and outputs a backup CAN communication command signal. The A-path CAN communication channel comprises a signal selection module and an A-path CAN communication transceiver: according to the channel selection signal issued by the system monitoring software program running on the monitoring and backup control chip, the signal selection module selects either the main or the backup CAN communication command signal and outputs it to the A-path CAN communication transceiver, which is connected to the CAN communication bus. The B-path CAN communication channel comprises a B-path CAN communication transceiver; the backup CAN communication command signal is output to the B-path CAN communication transceiver, which is connected to the CAN communication bus.
Preferably, the main control chip and the monitoring and backup control chip achieve inter-core information synchronization through inter-chip communication signals, heartbeat signals and synchronization signals. The inter-chip communication signal carries inter-chip communication data packets in both directions between the two control chips; each packet contains the current task number, the next task number and the CAN communication command data of the current task. The heartbeat signal is a square wave pulse signal that the main control chip sends periodically to the monitoring and backup control chip to indicate that the main control chip is working normally. The synchronization signal is a square wave pulse signal that the monitoring and backup control chip sends to the main control chip to synchronize computation and operation between the two control chips.
Preferably, the heartbeat signal is a 1 kHz square wave with a 50% duty cycle. The synchronization signal starts at low level, rises to high level for a certain time and then falls back to low level; the main control chip captures the synchronization signal by interrupt, and the duration of the synchronization signal is kept as short as possible to reduce the time overhead of that interrupt capture on the main control chip.
Preferably, the monitoring and backup control chip controls the switching of the A-path CAN communication channel through a channel selection signal acting on the signal selection module and an A-path CAN communication transceiver enabling signal acting on the A-path CAN communication transceiver; the monitoring and backup control chip controls the switching of the B-path CAN communication channel through a B-path CAN communication transceiver enabling signal acting on the B-path CAN communication transceiver.
Preferably, when the channel selection signal is at low level the signal selection module selects the main CAN communication command signal as output, and when it is at high level the module selects the backup CAN communication command signal as output. When the A-path or B-path CAN communication transceiver enable signal is at low level, the corresponding transceiver does not work; when the enable signal is at high level, the corresponding transceiver works normally.
Preferably, the preparation process after the system is powered on is as follows:
Z1, the main control chip and the monitoring and backup control chip perform a power-on self-check, and the A-path and B-path CAN communication transceivers do not work;
Z2, the main control chip prepares the heartbeat signal, sends it to the monitoring and backup control chip, and keeps sending it from then on;
Z3, the input signals for system control are copied in real time and transmitted to the main control chip and the monitoring and backup control chip, so that the input information of the two control chips is consistent;
Z4, the monitoring and backup control chip sends a synchronization signal to the main control chip to drive the two control chips to run the task software program and execute the pre-numbered tasks together;
Z5, after receiving the synchronization signal, the main control chip executes the first numbered task while the monitoring and backup control chip executes the same first numbered task; the main control chip sends an inter-chip communication data packet to the monitoring and backup control chip, which receives and compares it;
Z6, the monitoring and backup control chip causes the main CAN communication command signal to be output to the CAN communication bus through the A-path CAN communication channel.
Preferably, the task execution flow in the normal working mode of the system is as follows:
C1, the main control chip keeps sending the heartbeat signal to the monitoring and backup control chip to indicate that the main control chip is in a normal working state;
C2, the monitoring and backup control chip, being in a normal working state, sends a synchronization signal to the main control chip to tell it to execute the task given by the next task number in the inter-chip communication data packet, and at the same time the monitoring and backup control chip executes the task with the same number;
C3, driven by the synchronization signal and by the inter-chip communication data packets carried on the inter-chip communication signal, the main control chip and the monitoring and backup control chip execute the same-numbered tasks synchronously and in sequence, and the inter-chip communication data packets are compared.
Preferably, the imperceptible switchover on a fault of the main control chip proceeds as follows:
Q1, the monitoring and backup control chip detects that the heartbeat signal sent by the main control chip does not match the expected period or waveform, or finds an error when comparing inter-chip communication data packets, and determines that the main control chip has failed;
Q2, the monitoring and backup control chip uses the channel selection signal to make the signal selection module output the backup CAN communication command signal;
Q3, the monitoring and backup control chip resets the main control chip; after the reset the main control chip resumes sending heartbeat signals, the monitoring and backup control chip informs it of the current system state and task number through an inter-chip communication data packet, and the main control chip resumes executing tasks.
Preferably, the imperceptible switchover on a fault of the A-path CAN communication transceiver or of the B-path CAN communication transceiver proceeds as follows:
J1, the monitoring and backup control chip detects a fault of the A-path CAN communication transceiver or the B-path CAN communication transceiver;
J2, using the A-path and B-path CAN communication transceiver enable signals, the monitoring and backup control chip makes the B-path CAN communication transceiver or, respectively, the A-path CAN communication transceiver output the CAN communication signals to the CAN communication bus.
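The switchover rules of steps Q1 to Q3 and J1 to J2, with the signal levels stated above, written as a small monitor in C. This is an added example, not code from the patent; the struct and function names, the 50 µs heartbeat tolerance, keeping the B-path transceiver disabled while the A path is healthy, disabling both transceivers when both report faults, and latching the backup selection after a main-chip fault are all assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define HBS_PERIOD_US 1000u   /* 1 kHz heartbeat, from the text */
#define HBS_TOL_US      50u   /* assumed tolerance, not from the text */

typedef struct {
    uint32_t last_rise_us;    /* time of the last heartbeat rising edge */
    bool     have_edge;       /* at least one edge seen since init */
    bool     main_fault;      /* latched once detected (assumption) */
    bool     reset_main;      /* one-shot request to reset the main chip (Q3) */
    uint8_t  ssc;             /* channel selection: 0 = main signal, 1 = backup */
    uint8_t  ce_a;            /* A-path transceiver enable: 1 = working */
    uint8_t  ce_b;            /* B-path transceiver enable: 1 = working */
} monitor;

/* State after step Z6: main command signal goes out through the A path. */
static void monitor_init(monitor *m, uint32_t now_us)
{
    m->last_rise_us = now_us;
    m->have_edge = false;
    m->main_fault = false;
    m->reset_main = false;
    m->ssc = 0;
    m->ce_a = 1;
    m->ce_b = 0;
}

/* Q1, first condition: the heartbeat period does not match expectation.
 * Only the period is checked here; a duty-cycle check would need the
 * falling edge as well. Unsigned subtraction survives timer wrap-around. */
static void monitor_on_hbs_rise(monitor *m, uint32_t now_us)
{
    if (m->have_edge) {
        uint32_t period = now_us - m->last_rise_us;
        if (period < HBS_PERIOD_US - HBS_TOL_US ||
            period > HBS_PERIOD_US + HBS_TOL_US)
            m->main_fault = true;
    }
    m->last_rise_us = now_us;
    m->have_edge = true;
}

/* Q1, second condition: the inter-chip packet compare found an error. */
static void monitor_on_ipc_compare(monitor *m, bool match)
{
    if (!match)
        m->main_fault = true;
}

/* Periodic evaluation; drives SSC, CE_A and CE_B. */
static void monitor_poll(monitor *m, uint32_t now_us,
                         bool can_a_fault, bool can_b_fault)
{
    /* A heartbeat that has stopped produces no edges at all, so a period
     * check alone never fires; detect silence by timeout. */
    if (now_us - m->last_rise_us > HBS_PERIOD_US + HBS_TOL_US)
        m->main_fault = true;

    m->reset_main = false;
    if (m->main_fault && m->ssc == 0) {
        m->ssc = 1;              /* Q2: select the backup command signal */
        m->reset_main = true;    /* Q3: request a reset of the main chip */
    }

    if (can_a_fault && can_b_fault) {
        m->ce_a = 0; m->ce_b = 0;   /* case not covered by the text */
    } else if (can_a_fault) {
        m->ce_a = 0; m->ce_b = 1;   /* J2: B path carries the backup signal */
    } else {
        m->ce_a = 1; m->ce_b = 0;   /* A path in use */
    }
}

int main(void)
{
    monitor m;
    monitor_init(&m, 0);
    monitor_on_hbs_rise(&m, 100);      /* constructed edge times in microseconds */
    monitor_on_hbs_rise(&m, 1100);
    monitor_poll(&m, 1500, false, false);
    printf("healthy:   SSC=%u CE_A=%u CE_B=%u\n", m.ssc, m.ce_a, m.ce_b);
    monitor_poll(&m, 2300, false, false);          /* heartbeat went silent */
    printf("HBS lost:  SSC=%u CE_A=%u CE_B=%u reset=%d\n",
           m.ssc, m.ce_a, m.ce_b, (int)m.reset_main);
    monitor_poll(&m, 2400, true, false);           /* A transceiver fault */
    printf("A faulted: SSC=%u CE_A=%u CE_B=%u\n", m.ssc, m.ce_a, m.ce_b);
    return 0;
}
```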
The fault uninterrupted CAN communication vehicle-mounted domain controller system has the following beneficial effects: 1. It establishes a highly robust control system scheme in which a fault of any microcontroller chip or CAN communication interface chip triggers real-time switchover to the backup, and the faulty device can be hot-recovered or restarted, which greatly improves the availability of the control system. 2. The system can switch to the backup control chip or communication chip in real time without interrupting the control signal, and because operation is synchronized, the external control instructions output by the controller remain continuous and consistent during the fault switchover. 3. Signal synchronization keeps the task execution and the control CAN message output of the two controllers synchronized in real time, and an integrity check is computed over the sent messages; comparing the output instructions of the two microcontrollers in real time greatly improves the reliability of the control instructions and achieves highly reliable system control.
[ description of the drawings ]
FIG. 1 is a structural frame diagram of a typical automotive control system.
Fig. 2 is a schematic diagram of a typical SoC system-on-chip based CAN communication controller architecture.
Fig. 3 is a schematic structural diagram of the fault uninterrupted CAN communication vehicle-mounted domain controller system.
Fig. 4 is a schematic diagram of the storage format of task output data in the IPC data packet of the fault uninterrupted CAN communication vehicle-mounted domain controller system.
Fig. 5 is a schematic diagram of uC_A periodically sending the HBS signal in the fault uninterrupted CAN communication vehicle-mounted domain controller system.
Fig. 6 is a schematic diagram of the task control timing between uC_A and uC_B in the normal working mode of the fault uninterrupted CAN communication vehicle-mounted domain controller system.
[ detailed description ] of the invention
Features and exemplary embodiments of various aspects of the invention are described in detail below. In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced without some of these specific details. The following description of the embodiments is merely intended to provide a better understanding of the invention by showing examples of the invention. The present invention is in no way limited to any particular configuration and algorithm set forth below, but covers any modification, substitution, and improvement of elements, components, and algorithms without departing from the spirit of the invention. In the drawings and the following description, well-known structures and techniques have not been shown in order to avoid unnecessarily obscuring the present invention.
Examples
This embodiment implements a fault uninterrupted CAN communication vehicle-mounted domain controller system and its method. It concerns seamless switching of the microcontroller or main control system, and suits applications such as the main domain controllers of an automobile that require high reliability and imperceptible fault handling under fault conditions.
The embodiment mainly achieves highly reliable, uninterrupted CAN communication when the main control microprocessor chip or a CAN communication transceiver chip in the vehicle-mounted domain controller fails. It addresses the following technical problems:
1. For a control system based on microcontroller chips and CAN communication, uninterrupted hot switching of the control instruction communication signal is ensured and communication continuity is kept;
2. Interruption of the control signal (a control gap) is avoided, as is inconsistency of control instructions caused by starting the redundant and backup channel;
3. The system is highly robust: it can hot-recover or restart after a fault of any microcontroller chip or CAN communication interface chip, achieving imperceptible recovery and greatly improving control availability;
4. Through signal synchronization, the task execution of the two controllers and their control CAN message output are synchronized, an integrity check is computed over the sent messages, and the output instructions of the two microcontrollers are compared in real time, giving a highly reliable control system.
By designing dual master microcontrollers (typically MCU/SoC chips), a dual CAN communication channel, inter-core (that is, inter-controller) information synchronization and a mutual checking mechanism for the CAN messages to be sent, the embodiment keeps external control continuous and uninterrupted when any microcontroller or CAN communication channel fails, achieving highly reliable and highly available system control and CAN communication.
1. System architecture design of the present embodiment
Fig. 3 is a schematic structural diagram of the fault uninterrupted CAN communication vehicle-mounted domain controller system. As shown in Fig. 3, the system of this embodiment comprises the following main units:
(1) input signal interface
The input signal interface is used for receiving input signals for system control, such as sensor input, communication interface input and the like.
(2) Signal replication module
The module is used for copying the control input signal flow in parallel and synchronously transmitting the control input signal flow to the microcontroller chip uC_A and the microcontroller chip uC_B.
(3) Microcontroller chip uC_A
A microcontroller chip of the kind commonly used in vehicle controller systems, such as an MCU or SoC chip. It receives the system input signals, implements the complete control logic, and outputs external control instructions through the CAN communication interface.
By default, the master control output of the system of this embodiment is produced by the uC_A microcontroller chip.
(4) Microcontroller chip uC_B
A microcontroller chip of the kind commonly used in vehicle controller systems, such as an MCU or SoC chip. It receives the system input signals, implements the complete control logic, and outputs external control instructions through the CAN communication interface.
In the system of this embodiment, the uC_B microcontroller chip performs, in addition to the basic control functions above, the fault management and communication switching control of the system, which are described in detail later.
(5) Signal selection module
The module is used for selecting whether the control instruction of uC_A or uC_B is output to the CAN communication transceiver CAN_A according to the channel selection instruction of the microcontroller chip uC_B.
(6) CAN communication transceiver CAN_A
The module is a physical CAN transceiver (PHY) chip. It converts CAN messages from the microcontroller chip into differential voltage signals on the CAN communication harness, and converts received differential voltage signals into digital CAN message signals that the microcontroller chip can recognize.
(7) CAN communication transceiver CAN_B
The module is the same as CAN communication transceiver CAN_A: a physical CAN transceiver (PHY) chip that converts CAN messages from the microcontroller chip into differential voltage signals on the CAN communication harness, and converts received differential voltage signals into digital CAN message signals that the microcontroller chip can recognize.
2. Description of the main control signals of the system of the embodiment
As indicated by the dashed line in fig. 3, the main control signals in the system of this embodiment are as follows:
1) CAN communication signal of uC_A: the communication signal generated by the microcontroller chip uC_A and sent for CAN communication. It is a digital square wave signal that meets the signal requirements of the corresponding international CAN standard, and the controller sends it to a CAN transceiver, which converts it into the differential voltage signal of CAN communication on the wire harness.
2) CAN communication signal of uC_B: the communication signal generated by the microcontroller chip uC_B and sent for CAN communication. It is a digital square wave signal that meets the signal requirements of the corresponding international CAN standard, and the controller sends it to a CAN transceiver, which converts it into the differential voltage signal of CAN communication on the wire harness.
3) Inter-chip communication (IPC, inter-processor communication) signal: transfers information between the two microcontroller chips.
4) Heartbeat signal (HBS, heartbeat signal): a square wave pulse signal that the microcontroller uC_A sends periodically to uC_B to indicate that uC_A is operating normally.
5) Synchronization signal (SyncS, synchronous signal): a square wave pulse signal that the microcontroller uC_B sends to uC_A to synchronize computation and operation between the two microcontrollers.
6) Channel selection instruction (SSC, signal selection command): a control signal sent by the microcontroller uC_B to the signal selection module (5) that selects whether the CAN communication signal of uC_A or that of uC_B is connected through module (6) to the CAN bus and sent out.
The channel selection instruction is simple and acts like a selector switch: by default the SSC signal is at low level (0b) and the CAN communication signal of uC_A is selected as output; if the SSC signal is at high level (1b), the CAN communication signal of uC_B is selected as output.
7) CAN transceiver enable instruction A (CE_A): a control signal sent by the microcontroller uC_B that enables or disables CAN transceiver chip A.
When the CAN transceiver enable signal is at low level (0b), the corresponding transceiver chip is not enabled: the transceiver does not work and cannot send or receive CAN messages on the bus. When the signal is at high level (1b), the transceiver works normally.
8) CAN transceiver enable instruction B (CE_B): a control signal sent by the microcontroller uC_B that enables or disables CAN transceiver chip B.
When the CAN transceiver enable signal is at low level (0b), the corresponding transceiver chip is not enabled: the transceiver does not work and cannot send or receive CAN messages on the bus. When the signal is at high level (1b), the transceiver works normally.
3. Working principle of the system of the embodiment
Software setting of the application layer of the system of the embodiment:
1) The application tasks of the whole control system are numbered and grouped in the program in advance, and each task has a unique task_ID, for example numbered from 001 to 255;
2) uC_A and uC_B store the same task software and use the same task numbering;
3) uC_B additionally carries function software for control system monitoring and for dynamic switching of uC_A and of CAN transceivers A and B.
The content of one communication record of the inter-chip communication (IPC) signal in this embodiment is as follows:
[Figure BDA0004073822340000111: layout of one IPC communication record; image not reproduced]
the cyclic counter ID occupies 1 byte, and the numerical value is cyclically reciprocated from 0 to 255, and is used for identifying the number of the current IPC communication item so as to check the communication.
The data length (without CRC) is the number of bytes of valid data (including cycle counter ID, data length, current and next task ID, current task output data segment) of the IPC single communication record, and the value is from 5-65535.
The current task ID refers to a task ID corresponding to task output data of the IPC communication interaction.
The next task ID refers to the task ID number to which the next task jumps, and will exist as the current task ID at the time of the next IPC communication.
Regarding inter-chip communication: inter-chip communication refers to direct communication between SoC chips, and adopts a form of fixed-format data packets. The inter-chip communication data packet format is unique.
The inter-chip communication is bi-directional, and both SoC chips can send and receive. In practice, the communication between the chips is only different from the initiator, and the active sender is divided into two cases:
1) The normal operation is sent by uC_A to uC_B for uC_B monitoring use.
2) When uC_A fails to reset, uC_B is required to be sent to a communication data packet among uC_A slices, information such as which task the current system performs is contained in the communication data packet, and the format of the communication data packet is consistent with that of the data packet 1) so as to help uC_A resume execution.
Fig. 4 is a schematic diagram of the task output data storage format of the IPC data packet in the fault uninterrupted CAN communication vehicle-mounted domain controller system. As shown in fig. 4, the current task output data field stores the output data of the task byte by byte: variables shorter than one byte are stored in the order in which the task finally outputs them, and multi-byte variables are stored in sequence.
CRC stands for Cyclic Redundancy Check. CRC is the oldest checking algorithm in current use and was proposed by W. Wesley Peterson in 1961. CRC is a hash function (a hash converts an input of any length into a fixed-length digest through a hash algorithm; the result is the hash value, which according to the hash algorithm is one-way and irreversible) used mainly to detect or check errors that may occur after data transmission or storage. The check value is calculated before transmission or storage and appended to the data, and the recipient then checks it to determine whether the data has changed.
The final CRC32 check code in the IPC communication is the checksum calculated over the data from the cyclic counter ID through the current task output data; the algorithm used is CRC32. The corresponding polynomial is:
$$X^{32}+X^{26}+X^{23}+X^{22}+X^{16}+X^{12}+X^{11}+X^{10}+X^{8}+X^{7}+X^{5}+X^{4}+X^{2}+X+1$$
Its hexadecimal representation is 0x04C11DB7.
3.2 System preparation process after power-on
After the system is powered on, the microcontroller chip uC_A acts as the main control chip by default, and uC_B acts as the monitoring and backup control chip. The system preparation steps after power-on are as follows:
1) After power-on, uC_A and uC_B perform a power-on self-check, and CE_A and CE_B are disabled by default, so that no control instruction is sent before the system is ready.
2) uC_A prepares the heartbeat signal and starts sending it to uC_B as a square wave of a fixed frequency (typically a 1 kHz square wave with a 50% duty cycle); the HBS signal then stays on throughout system operation (unless a uC_A malfunction disturbs the signal).
3) The signals of the external input interface are duplicated in real time and transmitted to the two microcontrollers uC_A and uC_B, so that the input information of the two microcontrollers is consistent.
4) uC_B sends a synchronization signal SyncS to uC_A. SyncS is typically a pulse that gives uC_A a synchronization point, driving the two microcontrollers to execute the preset numbered tasks together. A typical single-pulse synchronization signal starts at a low level, goes high for a certain time, and then falls back to the low level. The pulse must be capturable by interrupt on the uC_A interface, and its duration must be as short as possible, to reduce the time overhead of capturing the synchronization signal.
5) After receiving the synchronization signal, uC_A executes the first numbered task, task ID 001, according to the preset control program. At the same time, uC_B starts executing the same program task. After uC_A completes the current task, it prepares an IPC data packet and sends the result of the current task to uC_B over the IPC in the IPC data packet format. After receiving the IPC packet, uC_B checks the computed task and result and compares them with its own result for the same task. From this point on, the two microcontrollers, driven by the synchronization signal, execute the same tasks and compare the results sequentially and synchronously.
6) Of the CAN message transceiver chips CAN_A and CAN_B, the CAN_A chip is enabled and the CAN_B chip is disabled by default. That is, the control system connects to the external CAN bus through the CAN_A chip to receive and transmit data.
3.2 Task execution flow in normal working mode
Fig. 5 is a schematic diagram of uC_A periodically sending HBS signals in the fault uninterrupted CAN communication vehicle-mounted domain controller system. As shown in fig. 5, in the normal operation mode of the system of this embodiment, uC_A continuously and periodically transmits the HBS signal to indicate that it is working normally.
Meanwhile, after uC_B normally receives the HBS signal sent by uC_A, it judges whether system preparation is complete. Once preparation is complete and both uC_A and the system are normal, the task execution state is entered: uC_B sends the first SyncS signal to tell uC_A to start executing tasks cyclically according to the task list, and uC_B starts executing the same task synchronously. After uC_A completes the task, it sends the first task-result IPC packet to uC_B. uC_B compares the current task ID sent by uC_A, the next task ID to be executed, and the current task execution result data together with its CRC result, and from these judges comprehensively whether the task ID is correct.
Fig. 6 is a schematic diagram of the task control timing between uC_A and uC_B in the normal operation mode of the fault uninterrupted CAN communication vehicle-mounted domain controller system. As shown in fig. 6, if the result meets expectations, uC_B determines that the system is normal and sends the next synchronization signal SyncS to uC_A. After receiving the synchronization signal, uC_A continues with the next task in the task list, and uC_B starts executing the same task. When the task is complete, uC_A sends the second IPC packet with the data result to uC_B, which checks it and judges the system state. The process repeats in this way, and the tasks are executed in sequence.
3.3 Seamless switching in the fault state
1) uC_A controller chip failure
If the HBS signal sent by uC_A does not conform to the expected period and waveform, or uC_B's check of the IPC packet data results that uC_A feeds back after executing tasks finds errors more than 2 times, the uC_A controller chip is considered faulty.
Fault handling operations:
uC_B sends the channel selection instruction SSC, and the CAN control message output channel is switched to the output of uC_B, so that the external output of uC_A is cut off. That is, the system switches to uC_B, which takes over the system control tasks.
Recovery is attempted by resetting uC_A. After uC_A is reset, it resumes sending the HBS signal, and uC_B informs uC_A of the current system state and task ID through IPC packets, so that uC_A can resume executing tasks.
2) CAN transceiver A failure or CAN transceiver B failure
uC_B selectively enables CE_A or CE_B depending on whether the A or the B transceiver is malfunctioning. That is, it ensures that at any given moment one normal CAN transceiver is enabled and the other remains disabled, so that a node on the CAN bus remains connected to the bus on behalf of the controller.
Through this fault switching operation, the system keeps its external control function uninterrupted, and the fault is handled almost imperceptibly from the point of view of the controlled object.
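The IPC packet check that uC_B runs on each packet from uC_A, together with the "more than 2 errors" fault criterion, is shown below as an added example; it is not code from the patent. The field widths, big-endian byte order, the CRC initial value and final XOR, the cumulative error count and all function names are assumptions; only the field order, the polynomial 0x04C11DB7 and the error threshold come from the text.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed layout (field widths and big-endian order are assumptions):
 * [0] cyclic counter ID | [1..2] data length, CRC excluded | [3] current task ID
 * [4] next task ID | [5..] task output data | last 4 bytes: CRC32 */
#define IPC_HDR 5u
#define IPC_CRC 4u
#define FAULT_LIMIT 2u /* page: uC_A is faulty after more than 2 check errors */
typedef enum { IPC_OK, IPC_E_LEN, IPC_E_CRC, IPC_E_COUNTER, IPC_E_TASK, IPC_E_DATA } ipc_result_t;
typedef struct { uint8_t counter, task; unsigned errors; } monitor_t;

/* CRC32, polynomial 0x04C11DB7 (from the page), MSB first. Initial value
 * 0xFFFFFFFF and no final XOR (CRC-32/MPEG-2 parameters) are assumptions. */
static uint32_t crc32_msb(const uint8_t *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    while (n--) {
        crc ^= (uint32_t)*p++ << 24;
        for (int i = 0; i < 8; i++)
            crc = (crc & 0x80000000u) ? (crc << 1) ^ 0x04C11DB7u : crc << 1;
    }
    return crc;
}

/* uC_A side: serialise one task result; returns total bytes, 0 on error. */
size_t ipc_build(uint8_t *buf, size_t cap, uint8_t counter, uint8_t cur,
                 uint8_t next, const uint8_t *data, size_t dlen) {
    size_t len = IPC_HDR + dlen;
    if (dlen > 65535u - IPC_HDR || cap < len + IPC_CRC) return 0;
    buf[0] = counter; buf[1] = (uint8_t)(len >> 8); buf[2] = (uint8_t)len;
    buf[3] = cur; buf[4] = next;
    if (dlen) memcpy(buf + IPC_HDR, data, dlen);
    uint32_t crc = crc32_msb(buf, len);
    for (int i = 0; i < 4; i++) buf[len + i] = (uint8_t)(crc >> (24 - 8 * i));
    return len + IPC_CRC;
}

/* uC_B side: check a packet against uC_B's own result for the same task. */
ipc_result_t monitor_check(monitor_t *m, const uint8_t *pkt, size_t n,
                           uint8_t local_next, const uint8_t *local, size_t llen) {
    ipc_result_t r = IPC_OK;
    size_t len = n >= IPC_HDR + IPC_CRC ? ((size_t)pkt[1] << 8 | pkt[2]) : 0;
    uint32_t rx = 0;
    if (len < IPC_HDR || len + IPC_CRC != n) r = IPC_E_LEN;
    else {
        for (int i = 0; i < 4; i++) rx = rx << 8 | pkt[len + i];
        if (crc32_msb(pkt, len) != rx) r = IPC_E_CRC;
        else if (pkt[0] != m->counter) r = IPC_E_COUNTER;
        else if (pkt[3] != m->task || pkt[4] != local_next) r = IPC_E_TASK;
        else if (len - IPC_HDR != llen || (llen && memcmp(pkt + IPC_HDR, local, llen)))
            r = IPC_E_DATA;
    }
    if (r != IPC_OK) { m->errors++; return r; }
    m->counter = (uint8_t)(pkt[0] + 1u); /* wraps from 255 back to 0 */
    m->task = local_next;
    return IPC_OK;
}

int monitor_faulted(const monitor_t *m) { return m->errors > FAULT_LIMIT; }

/* Constructed run: one good packet, then `bad` packets with a flipped data bit. */
int demo_faulted_after(unsigned bad) {
    monitor_t m = { 0, 1, 0 };
    const uint8_t out[2] = { 0x12, 0x34 }; /* constructed task output */
    uint8_t pkt[16];
    size_t n = ipc_build(pkt, sizeof pkt, 0, 1, 2, out, sizeof out);
    if (monitor_check(&m, pkt, n, 2, out, sizeof out) != IPC_OK) return -1;
    n = ipc_build(pkt, sizeof pkt, 1, 2, 3, out, sizeof out);
    pkt[IPC_HDR] ^= 0x01; /* corruption in transit */
    while (bad--)
        if (monitor_check(&m, pkt, n, 3, out, sizeof out) != IPC_E_CRC) return -1;
    return monitor_faulted(&m);
}
int main(void) { return demo_faulted_after(3) == 1 ? 0 : 1; }
```

CRC32 here only catches accidental corruption on the IPC link; it carries no key, so it does not authenticate which chip sent a packet.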
The beneficial effects of the system of this embodiment are:
1) A highly robust control system scheme is established: real-time backup switching can be carried out on a fault of any microcontroller chip or CAN communication interface chip, and hot recovery or restart recovery can be applied to the faulty device, which greatly improves the availability of the control system;
2) The system can switch to the backup control chip or communication chip in real time without interrupting the control signal, and because operation is synchronized, the external control instructions output by the controller remain consistent during fault switching;
3) The task execution of the two controllers and the control CAN message output are synchronized in real time through the signal synchronization operation, and an integrity check is calculated over the sent message, so that real-time comparison of the output instructions of the two microcontrollers greatly improves the reliability of the control instructions and achieves highly reliable system control.
It will be appreciated by those of ordinary skill in the art that all or part of the steps of the above embodiments may be implemented by hardware, or by a program instructing the related hardware, where the program may be stored in a computer-readable storage medium such as a magnetic disk, an optical disc, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The foregoing is merely a preferred embodiment of the present invention. It should be noted that those skilled in the art may make modifications and additions without departing from the principles of the present invention, and such modifications and additions are also to be considered within the scope of the present invention.

Claims (10)

1. A fault uninterrupted CAN communication vehicle-mounted domain controller system, characterized in that: the system comprises a main control chip, a monitoring and backup control chip, an A-path CAN communication channel and a B-path CAN communication channel; the main control chip and the monitoring and backup control chip execute the same task software program, and the monitoring and backup control chip additionally executes a system monitoring software program, which is used for monitoring faults of the main control chip, controlling the switching of CAN communication command signals, monitoring faults of the A-path CAN communication channel and of the B-path CAN communication channel, and controlling the switching of the CAN communication channels; the main control chip and the monitoring and backup control chip send messages to each other through inter-core information synchronization and CAN (controller area network) transmission, so that the task software program can communicate continuously and without interruption with the external CAN when any control chip or any CAN communication channel fails.
2. The fault uninterrupted CAN communication vehicle-mounted domain controller system of claim 1, wherein: the system also comprises an input signal interface and a signal copying module; the input signal interface is used for receiving an input signal for system control, and the signal copying module is used for copying the input signal for system control in parallel and transmitting it synchronously to the main control chip and the monitoring and backup control chip; the main control chip receives the input signal for system control, executes the task software program to realize control logic with complete functions, and externally outputs a main CAN communication command signal; the monitoring and backup control chip receives the input signal for system control, executes the task software program to realize control logic with complete functions, and externally outputs a backup CAN communication command signal; the A-path CAN communication channel comprises a signal selection module and an A-path CAN communication transceiver, wherein the signal selection module is used for selecting the main CAN communication command signal or the backup CAN communication command signal according to a channel selection signal sent by the system monitoring software program executed by the monitoring and backup control chip, and outputting the selected signal to the A-path CAN communication transceiver, and the A-path CAN communication transceiver is connected with a CAN communication bus; the B-path CAN communication channel comprises a B-path CAN communication transceiver, the backup CAN communication command signal is output to the B-path CAN communication transceiver, and the B-path CAN communication transceiver is connected with the CAN communication bus.
3. The fault uninterrupted CAN communication vehicle-mounted domain controller system of claim 2, wherein: the main control chip and the monitoring and backup control chip realize the inter-core information synchronization through inter-chip communication signals, heartbeat signals and synchronization signals; the inter-chip communication signal is used for bidirectionally transmitting an inter-chip communication data packet between the two control chips, and the inter-chip communication data packet comprises a current task number, a next task number and current task CAN communication command data; the heartbeat signal is a square wave pulse signal that the main control chip periodically sends to the monitoring and backup control chip to indicate that the main control chip is working normally, and the synchronization signal is a square wave pulse signal that the monitoring and backup control chip sends to the main control chip to synchronize calculation and operation between the two control chips.
4. The fault uninterrupted CAN communication vehicle-mounted domain controller system of claim 3, wherein: the heartbeat signal is a 1 kHz square wave with a 50% duty cycle; the synchronization signal starts from a low level, goes high for a certain time, and then falls back to the low level; the main control chip can capture the synchronization signal by interrupt, and the duration of the synchronization signal is as short as possible, so as to reduce the time overhead caused by the main control chip's interrupt capture of the synchronization signal.
5. The fault uninterrupted CAN communication vehicle-mounted domain controller system of claim 3, wherein: the monitoring and backup control chip controls the switching of the A-path CAN communication channel through a channel selection signal acting on the signal selection module and an A-path CAN communication transceiver enable signal acting on the A-path CAN communication transceiver; the monitoring and backup control chip controls the switching of the B-path CAN communication channel through a B-path CAN communication transceiver enable signal acting on the B-path CAN communication transceiver.
6. The fault uninterrupted CAN communication vehicle-mounted domain controller system of claim 5, wherein: when the channel selection signal is at a low level, the signal selection module selects the main CAN communication command signal as output, and when the channel selection signal is at a high level, the signal selection module selects the backup CAN communication command signal as output; when the A-path CAN communication transceiver enable signal or the B-path CAN communication transceiver enable signal is at a low level, the A-path CAN communication transceiver or the B-path CAN communication transceiver does not work, and when the A-path CAN communication transceiver enable signal or the B-path CAN communication transceiver enable signal is at a high level, the A-path CAN communication transceiver or the B-path CAN communication transceiver works normally.
7. The fault uninterrupted CAN communication vehicle-mounted domain controller system of claim 5, wherein the system preparation process after power-on is as follows:
Z1, the main control chip and the monitoring and backup control chip perform a power-on self-check, and the A-path CAN communication transceiver and the B-path CAN communication transceiver do not work;
Z2, the main control chip prepares a heartbeat signal, sends the heartbeat signal to the monitoring and backup control chip and keeps sending it continuously;
Z3, the input signals for system control are copied in real time and transmitted to the main control chip and the monitoring and backup control chip, so that the input information of the two control chips is consistent;
Z4, the monitoring and backup control chip sends a synchronization signal to the main control chip so as to drive the two control chips to run the task software program and execute the preset numbered tasks together;
Z5, after receiving the synchronization signal, the main control chip executes the first numbered task, and at the same time the monitoring and backup control chip executes the first numbered task; the main control chip sends an inter-chip communication data packet to the monitoring and backup control chip, and the monitoring and backup control chip receives and compares the inter-chip communication data packet;
Z6, the monitoring and backup control chip controls the main CAN communication command signal to be output to the CAN communication bus through the A-path CAN communication channel.
8. The fault uninterrupted CAN communication vehicle-mounted domain controller system of claim 7, wherein the task execution flow in the normal operation mode of the system is as follows:
C1, the main control chip sends a heartbeat signal to the monitoring and backup control chip and keeps sending it to indicate that the main control chip is in a normal working state;
C2, the monitoring and backup control chip, being in a normal working state, sends a synchronization signal to the main control chip to tell it to execute the task with the next task number given in the inter-chip communication data packet, and at the same time the monitoring and backup control chip executes the task with the same number;
C3, driven by the synchronization signal and by the inter-chip communication data packets transmitted over the inter-chip communication signal, the main control chip and the monitoring and backup control chip sequentially and synchronously execute the tasks with the same number and compare the inter-chip communication data packets.
9. The fault uninterrupted CAN communication vehicle-mounted domain controller system of claim 8, wherein the seamless switching process on a main control chip fault is as follows:
Q1, the monitoring and backup control chip detects that the heartbeat signal sent by the main control chip does not conform to the expected period or waveform, or finds errors when comparing inter-chip communication data packets, and determines that the main control chip is faulty;
Q2, the monitoring and backup control chip controls the signal selection module through the channel selection signal to output the backup CAN communication command signal;
Q3, the monitoring and backup control chip resets the main control chip; after the reset, the main control chip resumes sending heartbeat signals, the monitoring and backup control chip informs the main control chip of the current system state and task number through an inter-chip communication data packet, and the main control chip resumes executing tasks.
10. The fault uninterrupted CAN communication vehicle-mounted domain controller system according to claim 9, wherein the seamless switching process on an A-path CAN communication transceiver fault or a B-path CAN communication transceiver fault is as follows:
J1, the monitoring and backup control chip detects a fault of the A-path CAN communication transceiver or of the B-path CAN communication transceiver;
J2, the monitoring and backup control chip, through the A-path CAN communication transceiver enable signal and the B-path CAN communication transceiver enable signal, controls the B-path CAN communication transceiver or the A-path CAN communication transceiver to output CAN communication signals to the CAN communication bus.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310103023.4A CN116382060A (en) 2023-02-13 2023-02-13 CAN communication vehicle-mounted domain controller system with uninterrupted faults

Publications (1)

Publication Number Publication Date
CN116382060A true CN116382060A (en) 2023-07-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination