CN116700224A - Method and device for detecting faults of functional safety mechanism of vehicle - Google Patents

Info

Publication number
CN116700224A
Authority
CN
China
Prior art keywords
microprocessor
failure
fault
current
preset
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310881009.7A
Other languages
Chinese (zh)
Inventor
陈苏敏
盛旺
高天龙
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Blue Automobile Nanjing Research Institute Co ltd
Original Assignee
Shenzhen Blue Automobile Nanjing Research Institute Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B23/00 Testing or monitoring of control systems or parts thereof
    • G05B23/02 Electric testing or monitoring
    • G05B23/0205 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
    • G05B23/0208 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterized by the configuration of the monitoring system
    • G05B23/0213 Modular or universal configuration of the monitoring system, e.g. monitoring system having modules that may be combined to build monitoring program; monitoring system that can be applied to legacy systems; adaptable monitoring system; using different communication protocols
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00 Program-control systems
    • G05B2219/20 Pc systems
    • G05B2219/24 Pc safety
    • G05B2219/24065 Real time diagnostics

Abstract

The application relates to a method and a device for detecting a functional safety mechanism fault of a vehicle, wherein the method comprises the following steps: detecting the current running stage of the microprocessor; if the current running stage is an initialization monitoring stage, performing BIST (built-in self-test) verification on the microprocessor, and when the verification result is that the microprocessor fails, verifying the verification result by using a preset failure reconfirmation strategy, and obtaining fault information of the microprocessor based on the verification result; interrupting the current running process of the microprocessor based on the fault information, identifying the current fault type of the microprocessor, and matching the corresponding fault processing strategy based on the current fault type so as to execute the fault processing strategy on the microprocessor. The embodiment of the application can apply differentiated monitoring to the running stages of the microprocessor and match corresponding fault processing strategies, so as to reduce the risk of power interruption while the vehicle is running and improve the running safety of the vehicle.

Description

Method and device for detecting faults of functional safety mechanism of vehicle
Technical Field
The application relates to the technical field of vehicles, in particular to a method and a device for detecting faults of a functional safety mechanism of a vehicle.
Background
The functional safety fault diagnosis of a controller can be divided into two categories: controller-level fault diagnosis and microprocessor-level fault diagnosis. Controller-level fault diagnosis can be summarized as function-level diagnosis; the detection and management of such faults is well established at present, and the DEM module in the AUTOSAR model defines the operation of this part in detail. Microprocessor-level fault diagnosis mainly refers to latent fault detection for the microprocessor hardware, including common mechanisms such as CPU (Central Processing Unit) core lockstep monitoring, BIST (Built-In Self-Test) self-checking, ECC (Error Checking and Correcting) checking, clock monitoring, and the like.
In the related art, for example CN113043969a, a method and a system for monitoring the safety of vehicle functions, the running state of the vehicle functions is monitored and a fault notification is reported to a fault debounce module when a fault occurs; the fault debounce module confirms the fault type; the fault management module starts a timeout timer to track the fault processing flow and notifies the corresponding application software layer to perform fault preprocessing according to the corresponding entry of the fault table; after preprocessing is finished, the fault management module stops the timeout timer, triggers the fault state notification module to notify the corresponding module of the fault handling result, and carries out the functional safety handling flow.
However, the related art only involves controller-level fault diagnosis and covers little fault diagnosis and handling at the microprocessor level, and its fault handling carries a certain safety hazard, for example the risk of a power interruption when the microprocessor is reset, so improvement is needed.
Disclosure of Invention
The application provides a method and a device for detecting faults of a functional safety mechanism of a vehicle, which are used for solving the technical problems that in the related art microprocessor-level fault diagnosis and handling is scarcely covered, certain potential safety hazards exist during fault handling, and the running safety of the vehicle is not guaranteed.
An embodiment of a first aspect of the present application provides a method for detecting a failure of a functional safety mechanism of a vehicle, including the steps of: detecting the current running stage of the microprocessor; if the current running stage is an initialization monitoring stage, performing built-in self-test (BIST) verification on the microprocessor, and when the verification result is that the microprocessor fails, verifying the verification result by using a preset failure reconfirmation strategy, and obtaining fault information of the microprocessor based on the verification result; interrupting the current running process of the microprocessor based on the fault information, identifying the current fault type of the microprocessor, and matching a corresponding fault processing strategy based on the current fault type so as to execute the fault processing strategy on the microprocessor.
According to the technical means, the embodiment of the application can carry out differential monitoring aiming at the initialization monitoring stage of the microprocessor and match with the corresponding fault processing strategy so as to reduce the risk of power interruption in the running process of the vehicle and improve the running safety of the vehicle.
Optionally, in one embodiment of the present application, the verifying the verification result using a preset failure reconfirmation policy includes: determining the failure type of the microprocessor according to the verification result; under the condition that the failure type is a logic self-test failure type, injecting a preset fault into the microprocessor, and obtaining an injection result of the preset fault according to the state of the register after injection; and under the condition that the failure type is a memory self-test failure type, reading a failure memory block corresponding to the built-in self-test BIST, determining whether the failure of the failure memory block is a permanent failure, and recording failure data of the failure memory block when the failure of the failure memory block is the permanent failure.
According to the technical means, the embodiment of the application can ensure the accuracy of the verification result through failure reconfirmation.
Optionally, in one embodiment of the present application, after acquiring the current running phase of the microprocessor, the method further includes: if the current running stage is an execution monitoring stage, detecting whether the microprocessor meets a preset random hardware failure condition and/or a preset systematic software failure condition; and if the microprocessor meets the preset random hardware failure condition and/or the preset systematic software failure condition, generating failure information corresponding to the microprocessor so as to interrupt the current running process of the microprocessor based on the failure information.
According to the technical means, the embodiment of the application can carry out differential monitoring aiming at the execution monitoring stage of the microprocessor and match with the corresponding fault processing strategy so as to reduce the risk of power interruption in the running process of the vehicle and improve the running safety of the vehicle.
Optionally, in one embodiment of the present application, after acquiring the current running phase of the microprocessor, the method further includes: and if the current running stage is a power-down monitoring stage, closing a timer of the microprocessor so as to inhibit interrupting the data storage action of the microprocessor in the power-down monitoring stage.
According to the technical means, the embodiment of the application can close the timer aiming at the power-down monitoring stage, avoid unexpected timer faults caused by the data storage process, and ensure the normal execution of the program.
Optionally, in one embodiment of the present application, the obtaining, while interrupting the current running process of the microprocessor based on the fault information, the current fault type of the microprocessor includes: and based on the interrupt time of the microprocessor and the fault information, obtaining a frozen frame and a corresponding fault code when the microprocessor is interrupted, and storing the frozen frame and the fault code to generate a fault record table.
According to the technical means, the embodiment of the application can store the frozen frame and the fault code to generate the fault record table so as to enable technicians to quickly locate the fault cause.
Optionally, in one embodiment of the present application, the matching the corresponding fault handling policy based on the current fault type includes: pushing a risk early warning signal to a driver under the condition that the current fault type meets a preset reminding condition; and under the condition that the current fault type does not meet the preset reminding condition, sending a take-over signal to an auxiliary microprocessor so as to control the vehicle to execute a preset safety strategy by using the auxiliary microprocessor to replace the microprocessor.
According to the technical means, different fault treatment strategies can be determined based on different fault risks, so that the power interruption probability is reduced, and the normal running of the vehicle is ensured.
An embodiment of a second aspect of the present application provides a device for detecting a malfunction of a functional safety mechanism of a vehicle, including: the detection module is used for detecting the current running stage of the microprocessor; the verification module is used for carrying out built-in self-test (BIST) verification on the microprocessor when the current operation stage is an initialization monitoring stage, verifying the verification result by utilizing a preset failure reconfirmation strategy when the verification result is that the microprocessor fails, and obtaining fault information of the microprocessor based on the verification result; the processing module is used for interrupting the current running process of the microprocessor based on the fault information, identifying the current fault type of the microprocessor, and matching the corresponding fault processing strategy based on the current fault type so as to execute the fault processing strategy on the microprocessor.
Optionally, in one embodiment of the present application, the verification module includes: the determining unit is used for determining the failure type of the microprocessor according to the verification result; the injection unit is used for injecting a preset fault into the microprocessor under the condition that the failure type is a logic self-test failure type, and obtaining an injection result of the preset fault according to the state of the register after the injection; the recording unit is used for reading the failure memory block corresponding to the built-in self-test BIST under the condition that the failure type is the memory self-test failure type, determining whether the failure of the failure memory block is a permanent failure or not, and recording the failure data of the failure memory block when the failure of the failure memory block is the permanent failure.
Optionally, in one embodiment of the present application, the device further includes: a second detection module, used for detecting whether the microprocessor meets a preset random hardware failure condition and/or a preset systematic software failure condition when the current running stage is an execution monitoring stage; and a generating module, used for generating fault information corresponding to the microprocessor when the microprocessor meets the preset random hardware failure condition and/or the preset systematic software failure condition, so as to interrupt the current running process of the microprocessor based on the fault information.
Optionally, in one embodiment of the present application, the device further includes: a closing module, used for closing the timer of the microprocessor when the current running stage is the power-down monitoring stage, so as to prevent the data storage action of the microprocessor from being interrupted in the power-down monitoring stage.
Optionally, in one embodiment of the present application, the processing module includes: and the storage unit is used for obtaining a frozen frame and a corresponding fault code when the microprocessor is interrupted based on the interruption time of the microprocessor and the fault information, and storing the frozen frame and the fault code to generate a fault record table.
Optionally, in one embodiment of the present application, the processing module includes: the reminding unit is used for pushing a risk early warning signal to a driver under the condition that the current fault type meets the preset reminding condition; and the auxiliary unit is used for sending a take-over signal to an auxiliary microprocessor under the condition that the current fault type does not meet the preset reminding condition so as to control the vehicle to execute the preset safety strategy by using the auxiliary microprocessor to replace the microprocessor.
An embodiment of a third aspect of the present application provides a vehicle including: the system comprises a memory, a processor and a computer program stored in the memory and capable of running on the processor, wherein the processor executes the program to realize the detection method of the failure of the functional safety mechanism of the vehicle according to the embodiment.
A fourth aspect of the present application provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the method of detecting a malfunction of a functional safety mechanism of a vehicle as above.
The embodiment of the application has the beneficial effects that:
(1) The embodiment of the application can apply differentiated monitoring across the running phases of the microprocessor, ensuring the monitoring coverage without affecting the normal running of the program.
(2) The embodiment of the application can generate the fault record table by utilizing the frozen frame and the fault code, so that technicians can quickly locate the fault cause.
(3) According to the embodiment of the application, different fault treatment strategies can be determined based on different fault risks, so that the power interruption probability is reduced, the normal running of the vehicle is ensured, and dangerous situations such as power interruption and the like caused by resetting are avoided through the added auxiliary microprocessor.
Additional aspects and advantages of the application will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the application.
Drawings
The foregoing and/or additional aspects and advantages of the application will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings, in which:
Fig. 1 is a flowchart of a method for detecting a failure of a functional safety mechanism of a vehicle according to an embodiment of the present application;
FIG. 2 is a schematic diagram of a method for detecting a malfunction of a functional safety mechanism of a vehicle according to one embodiment of the present application;
FIG. 3 is a schematic diagram of a method for detecting a malfunction of a functional safety mechanism of a vehicle according to another embodiment of the present application;
FIG. 4 is a schematic diagram of a method for detecting a malfunction of a functional safety mechanism of a vehicle according to still another embodiment of the present application;
fig. 5 is a schematic structural diagram of a device for detecting a failure of a functional safety mechanism of a vehicle according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of a vehicle according to an embodiment of the present application.
Reference numerals: 10 - device for detecting faults of the functional safety mechanism of a vehicle; 100 - detection module; 200 - verification module; 300 - processing module; 601 - memory; 602 - processor; 603 - communication interface.
Detailed Description
Embodiments of the present application are described in detail below, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to like or similar elements or elements having like or similar functions throughout. The embodiments described below by referring to the drawings are illustrative and intended to explain the present application and should not be construed as limiting the application.
The following describes a method and an apparatus for detecting a malfunction of a functional safety mechanism of a vehicle according to embodiments of the present application with reference to the accompanying drawings. Aiming at the technical problems mentioned in the background art, namely that the related technology covers little microprocessor-level fault diagnosis and handling, that certain potential safety hazards exist during fault handling, and that the running safety of the vehicle is not guaranteed, the application provides a method for detecting a fault of a functional safety mechanism of the vehicle, so that these technical problems are solved.
Specifically, fig. 1 is a flow chart of a method for detecting a failure of a functional safety mechanism of a vehicle according to an embodiment of the present application.
As shown in fig. 1, the method for detecting the failure of the functional safety mechanism of the vehicle is applied to a model construction stage, wherein the method comprises the following steps:
in step S101, the current operating phase of the microprocessor is detected.
In the actual execution process, the embodiment of the application can detect the current operation stage of the microprocessor, so that differential monitoring is carried out according to different operation stages, the monitoring range is ensured, and the normal operation of a program is not influenced, wherein the current operation stage of the microprocessor can comprise an initialization monitoring stage, an execution monitoring stage and a power-down monitoring stage.
In step S102, if the current operation stage is the initialization monitoring stage, the built-in self-test BIST is performed on the microprocessor, and when the verification result is that the microprocessor fails, the verification result is verified by using the preset failure reconfirming strategy, and the fault information of the microprocessor is obtained based on the verification result.
As a possible implementation, when the current running stage of the microprocessor is the initialization monitoring stage, the embodiment of the application can use the BIST module of the microprocessor to complete preliminary monitoring and diagnosis of the microprocessor. After the verification is completed, the BIST register is used to judge the verification result: if the result is normal, the failure reconfirmation step is skipped; otherwise the failure reconfirmation step is entered, so that the corresponding functional safety mechanism and the accuracy and reliability of the memory are reconfirmed.
It should be noted that, because some functions of the microprocessor may affect program execution while being tested, in this stage the embodiment of the present application may test only some of the functional modules, such as a watchdog monitoring test, and some of the memory storage areas, such as flash and RAM, so as to avoid potential faults.
Optionally, in one embodiment of the present application, verifying the verification result using the preset failure reconfirmation policy includes: determining the failure type of the microprocessor according to the verification result; under the condition that the failure type is a logic self-test failure type, injecting a preset fault into the microprocessor, and obtaining an injection result of the preset fault according to the state of the register after the injection; and under the condition that the failure type is the self-test failure type of the memory, reading the failure memory block corresponding to the built-in self-test BIST, determining whether the failure of the failure memory block is a permanent failure, and recording the failure data of the failure memory block when the failure of the failure memory block is the permanent failure.
It will be appreciated that BIST, including LBIST (Logic BIST) and MBIST (Memory BIST), allows systematic and more complete verification of the functional safety mechanism blocks in the microprocessor.
As shown in fig. 2, the embodiment of the present application may determine from the BIST check result register whether the failure is an LBIST or an MBIST failure. If it is an LBIST failure, a safety mechanism has detected a fault; fault injection (typically including watchdog fault injection and the like) must then be passed, and whether the fault injection succeeded is determined from the register state after injection. If all safety mechanisms pass this detection, the safety mechanisms are reliable and the next step may be entered.
If it is an MBIST failure, a memory block detection error exists; the corresponding failed memory block of the BIST is read, it is confirmed whether the failed memory block has a temporary failure or a permanent failure, and if a permanent failure is confirmed, the failure is recorded.
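The failure reconfirmation branch just described, written out as an added example (not code from the patent or its assignee): the BIST result register selects the LBIST or MBIST path, the LBIST path judges an injected watchdog fault from the status register afterwards, and the MBIST path re-reads the failed block to separate a transient from a permanent failure and records the latter. The register bit layout, the `mcu_sim` abstraction and the `sim_*` hardware doubles are constructed assumptions, not any real MCU's registers.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed bit layout for a BIST result register (assumption; no real MCU
   register map is implied by the patent text). */
#define BIST_LBIST_FAIL (1u << 0)
#define BIST_MBIST_FAIL (1u << 1)

/* Constructed watchdog status bit, set when an injected watchdog fault was caught. */
#define WDG_INJECT_DETECTED (1u << 0)

enum reconfirm_result {
    RECONFIRM_PASS,           /* BIST passed: reconfirmation step is skipped */
    RECONFIRM_MECHANISM_OK,   /* LBIST failed, injected fault was caught: mechanism reliable */
    RECONFIRM_MECHANISM_BAD,  /* LBIST failed, injected fault not caught: mechanism unreliable */
    RECONFIRM_MEM_TRANSIENT,  /* MBIST failed, re-read of the block passed */
    RECONFIRM_MEM_PERMANENT   /* MBIST failed, re-read failed again: recorded as permanent */
};

struct mem_failure_record {
    bool valid;
    uint32_t block_addr;
    uint32_t expected;
    uint32_t observed;
};

/* Hardware is abstracted behind function pointers so the decision logic can run
   on a host; the simulators further down are constructed test doubles. */
struct mcu_sim {
    uint32_t bist_result;        /* BIST result register */
    uint32_t failed_block_addr;  /* block address reported by MBIST */
    uint32_t (*inject_watchdog_fault)(void);
    bool (*retest_block)(uint32_t addr, uint32_t *expected, uint32_t *observed);
};

enum reconfirm_result reconfirm_bist_failure(const struct mcu_sim *mcu,
                                             struct mem_failure_record *rec)
{
    memset(rec, 0, sizeof(*rec));
    if ((mcu->bist_result & (BIST_LBIST_FAIL | BIST_MBIST_FAIL)) == 0)
        return RECONFIRM_PASS;

    if (mcu->bist_result & BIST_LBIST_FAIL) {
        /* Logic self-test failure: inject a known watchdog fault and judge the
           outcome from the status register after injection. */
        uint32_t status = mcu->inject_watchdog_fault();
        return (status & WDG_INJECT_DETECTED) ? RECONFIRM_MECHANISM_OK
                                              : RECONFIRM_MECHANISM_BAD;
    }

    /* Memory self-test failure: read the failed block again. A repeat failure
       is treated as permanent and its data recorded; a pass as transient. */
    uint32_t expected = 0, observed = 0;
    if (mcu->retest_block(mcu->failed_block_addr, &expected, &observed))
        return RECONFIRM_MEM_TRANSIENT;
    rec->valid = true;
    rec->block_addr = mcu->failed_block_addr;
    rec->expected = expected;
    rec->observed = observed;
    return RECONFIRM_MEM_PERMANENT;
}

/* Constructed simulators standing in for real hardware. */
static uint32_t sim_wdg_catches_fault(void) { return WDG_INJECT_DETECTED; }
static uint32_t sim_wdg_misses_fault(void)  { return 0; }
static bool sim_block_ok(uint32_t addr, uint32_t *exp, uint32_t *obs)
{
    (void)addr; *exp = *obs = 0xA5A5A5A5u; return true;
}
/* Stuck-at-0 on bit 3: every re-read disagrees with the expected pattern. */
static bool sim_block_stuck(uint32_t addr, uint32_t *exp, uint32_t *obs)
{
    (void)addr; *exp = 0xA5A5A5A5u; *obs = 0xA5A5A5A5u & ~(1u << 3); return false;
}

int main(void)
{
    struct mem_failure_record rec;
    struct mcu_sim mbist_fail = { BIST_MBIST_FAIL, 0x00012000u,
                                  sim_wdg_catches_fault, sim_block_stuck };
    enum reconfirm_result r = reconfirm_bist_failure(&mbist_fail, &rec);
    printf("mbist: result=%d permanent=%d addr=0x%08x expected=0x%08x observed=0x%08x\n",
           (int)r, (int)rec.valid, (unsigned)rec.block_addr,
           (unsigned)rec.expected, (unsigned)rec.observed);
    struct mcu_sim lbist_fail = { BIST_LBIST_FAIL, 0, sim_wdg_misses_fault, sim_block_ok };
    printf("lbist: result=%d\n", (int)reconfirm_bist_failure(&lbist_fail, &rec));
    return 0;
}
```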
Optionally, in one embodiment of the present application, after acquiring the current running phase of the microprocessor, the method further includes: if the current running stage is an execution monitoring stage, detecting whether the microprocessor meets a preset random hardware failure condition and/or a preset systematic software failure condition; if the microprocessor meets the preset random hardware failure condition and/or the preset systematic software failure condition, generating failure information corresponding to the microprocessor so as to interrupt the current running process of the microprocessor based on the failure information.
In some embodiments, in the execution monitoring stage the monitoring mainly covers whether the microprocessor has a random hardware failure or a systematic software failure. In implementation, the embodiment of the application can perform real-time monitoring through mechanisms such as enabling lockstep core verification, clock verification, power supply monitoring, memory ECC verification, interrupt protection, and software and hardware watchdogs, and associate the monitoring results with an ECM module (fault control module); for the modules that are not associated with the ECM, periodic read-back monitoring is adopted, so that real-time monitoring is ensured.
Further, the embodiment of the application can detect whether the microprocessor meets the preset random hardware failure condition and/or the preset systematic software failure condition and determine whether the random hardware failure and the systematic software failure occur or not when monitoring, thereby generating corresponding failure information when determining that the random hardware failure and the systematic software failure occur and interrupting the current running process of the microprocessor after confirming the failure.
The preset random hardware failure condition and/or the preset systematic software failure condition may be set by those skilled in the art according to actual situations, which is not limited herein.
Optionally, in one embodiment of the present application, after acquiring the current running phase of the microprocessor, the method further includes: if the current running stage is the power-down monitoring stage, the timer of the microprocessor is closed to prohibit interrupting the data storage action of the microprocessor in the power-down monitoring stage.
In other embodiments, during the power-down monitoring phase, in order to avoid unexpected timer faults (such as software or hardware watchdog faults) being generated during the data storage process, the timers are turned off while data is being stored, so as to ensure normal execution of the program.
In step S103, the current running process of the microprocessor is interrupted based on the fault information, the current fault type of the microprocessor is identified, and the corresponding fault handling policy is matched based on the current fault type to execute the fault handling policy on the microprocessor.
In the actual execution process, the embodiment of the application can interrupt the current running process of the microprocessor based on the fault information, so that the fault is triggered and recorded through the interrupt, while some faults can additionally be handled through periodic judgment. All modules that can be associated with the ECM (fault control module) uniformly enter interrupt processing after a fault occurs, and the fault is confirmed and recorded in the interrupt; for the modules that are not associated with the ECM, periodic judgment is used to confirm and record the fault.
The embodiment of the application can also identify the current fault type and determine the severity of the fault, so that the corresponding fault processing strategy is matched based on the current fault type.
Optionally, in one embodiment of the present application, obtaining the current fault type of the microprocessor while interrupting the current running process of the microprocessor based on the fault information includes: based on the interrupt time and fault information of the microprocessor, a frozen frame and a corresponding fault code when the microprocessor is interrupted are obtained, and the frozen frame and the fault code are stored to generate a fault record table.
For example, the design of fault codes in embodiments of the present application refers to the 14229-1 format, and the storage and clearing of faults follow the relevant specifications of UDS and OBD (On-Board Diagnostics).
In the design of the frozen frame, the embodiment of the application can design the content according to the fault classification. For example, for faults related to memory ECC, the frozen frame needs to contain the specific erroring address when the ECC error occurs; for task timeout faults, the frozen frame needs to contain the task name of the timed-out task; and so on. Designing the frozen frame according to the fault classification helps personnel quickly locate the cause of the problem when an error occurs.
In addition, to make locating the cause of a problem easier, besides storing the fault codes and frozen frames, an attached table of fault codes is added; the fault records in the attached table are recorded in order of occurrence, and the system time of each fault is recorded.
Optionally, in one embodiment of the present application, matching the corresponding fault handling policy based on the current fault type includes: pushing a risk early warning signal to a driver under the condition that the current fault type meets the preset reminding condition; and under the condition that the current fault type does not meet the preset reminding condition, sending a take-over signal to the auxiliary microprocessor so as to control the vehicle to execute the preset safety strategy by using the auxiliary microprocessor instead of the microprocessor.
As a possible implementation, the embodiment of the present application may determine the current fault type, where the current fault type may be classified by severity into a severe fault type, a general fault type and a slight fault type. A severe fault is one in which the microprocessor cannot work normally and situations such as a reset may occur; a general fault is one in which a certain risk is indicated but the microprocessor can still maintain basic operation; a slight fault is one in which the microprocessor can still operate normally but the driver is reminded that the fault carries a risk.
When the current fault type is a general fault type or a slight fault type, the embodiment of the application can judge that the current fault type meets the preset reminding condition, so that a risk early warning signal is sent to a driver to remind the driver to carry out risk treatment.
When the current fault type is a serious fault type, the embodiment of the application can judge that the current fault type does not meet the preset reminding condition, so that the principle of cross processing among important fault cores is maintained for enhancing the reliability and the robustness of the reported fault, namely, the fault is processed by the core 1 (CPU 1) at the moment, the fault is processed by the core 0 (CPU 0) at the moment, and the fault is processed by the core 1 (CPU 1) at the moment. The embodiment of the application CAN be as shown in fig. 3, and in the hardware design, a microprocessor redundancy design is performed, a low-cost auxiliary microprocessor is added besides a main microprocessor, the auxiliary microprocessor and the main microprocessor are communicated with each other through CAN (Controller Area Network, controller area network bus) to perform real-time information interaction, and the functional safety output pin of the main microprocessor is connected to the auxiliary microprocessor.
Therefore, when serious faults occur, in order to avoid the situation that the controller is unexpected, the auxiliary microprocessor takes over the main work of the main microprocessor at the moment, ensures the basic functions, and when general faults and slight faults occur, the main work is reported to the application layer, and the application layer uniformly performs fault power reduction control.
The working principle of the method for detecting a malfunction of a functional safety mechanism of a vehicle according to an embodiment of the present application will be described in detail with reference to fig. 2 to 4.
The embodiment of the application can comprise a microprocessor monitoring part and a fault processing part in the actual execution process.
1. In the microprocessor monitoring part, the embodiment of the application can monitor faults differentially according to the operating stage:
1. In the initialization monitoring stage, the main concern is whether the microprocessor has a random hardware failure and whether the functional safety mechanisms are reliable. On one hand, the built-in self-test (BIST) module of the microprocessor is used to complete preliminary monitoring and diagnosis; on the other hand, modules whose testing could disturb program execution are tested at this stage so that latent faults are avoided, for example the watchdog monitoring test and the tests of part of the flash, RAM and other memory areas.
As shown in fig. 2, the following steps may be included:
Step S201: BIST (built-in self-test) verification is performed after power-on reset of the microprocessor. The BIST comprises LBIST (logic BIST) and MBIST (memory BIST), and the functional safety mechanism modules in the microprocessor can thereby be verified systematically and completely.
Step S202: after verification is complete, the BIST register is used to judge the verification result; if the result is normal, the failure reconfirmation step is skipped, otherwise the failure reconfirmation step must be entered.
Step S203: the failure reconfirmation step mainly reconfirms the accuracy and credibility of the corresponding functional safety mechanisms and of the memory.
Step S204: based on the BIST result register, confirm whether it is LBIST (logic BIST) or MBIST (memory BIST) that failed.
Step S205: if LBIST failed, a fault has been detected in a safety mechanism, and fault injection is required (typically including watchdog fault injection, etc.).
Step S206: judge from the register state after fault injection whether the injection result is successful; if all safety mechanisms pass the detection, the safety mechanisms are reliable, and the next step is entered.
Step S207: if MBIST failed, a memory block detection error exists.
Step S208: read the failed memory block corresponding to the BIST result, confirm whether the failed memory block has a temporary fault or a permanent fault, and record the fault if it is permanent.
Step S209: fault recording and processing.
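The decision logic of steps S202 to S208, written out as an added example (it is not code from the patent or from the applicant). The BIST result register layout, the safety-mechanism status bits and the two hardware hooks are constructed assumptions so the logic can run on a host; on a real MCU the hooks would wrap the vendor's fault-injection and memory re-test routines.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the BIST result register (not a real register map):
 * bit 0 = LBIST failed, bit 1 = MBIST failed, bits 8..15 = failed block index. */
#define BIST_LBIST_FAIL        (1u << 0)
#define BIST_MBIST_FAIL        (1u << 1)
#define BIST_MBIST_BLOCK(reg)  (((reg) >> 8) & 0xFFu)

/* Constructed stand-in for the status register written by the fault-injection
 * test: one bit per safety mechanism that correctly caught its injected fault. */
#define SM_WATCHDOG    (1u << 0)
#define SM_CLOCK       (1u << 1)
#define SM_LOCKSTEP    (1u << 2)
#define SM_ALL_PASSED  (SM_WATCHDOG | SM_CLOCK | SM_LOCKSTEP)

typedef enum {
    RECONFIRM_OK,                   /* normal, or mechanisms reconfirmed reliable */
    RECONFIRM_LBIST_SM_UNRELIABLE,  /* an injected fault was not caught */
    RECONFIRM_MBIST_TRANSIENT,      /* block failed in BIST but passed the re-test */
    RECONFIRM_MBIST_PERMANENT       /* block failed again: must be recorded */
} reconfirm_result_t;

typedef struct {
    reconfirm_result_t result;
    uint8_t failed_block;           /* meaningful only for the MBIST results */
} reconfirm_report_t;

/* Hypothetical hardware hooks, passed as function pointers so the decision
 * logic can be exercised without the MCU. */
typedef struct {
    uint32_t (*inject_faults_and_read_sm_status)(void);  /* steps S205/S206 */
    bool (*retest_memory_block)(uint8_t block);          /* step S208: true = passes */
} hw_hooks_t;

/* Steps S202..S208 as a pure function of the BIST result and the hooks. */
reconfirm_report_t reconfirm_bist(uint32_t bist_reg, const hw_hooks_t *hw)
{
    reconfirm_report_t rep = { RECONFIRM_OK, 0 };

    /* S202: verification normal, skip reconfirmation. */
    if ((bist_reg & (BIST_LBIST_FAIL | BIST_MBIST_FAIL)) == 0)
        return rep;

    if (bist_reg & BIST_LBIST_FAIL) {
        /* S205/S206: a logic failure may mean a safety mechanism is broken.
         * Inject faults and require every mechanism to report its fault. */
        uint32_t sm = hw->inject_faults_and_read_sm_status();
        if ((sm & SM_ALL_PASSED) != SM_ALL_PASSED) {
            rep.result = RECONFIRM_LBIST_SM_UNRELIABLE;
            return rep;
        }
    }

    if (bist_reg & BIST_MBIST_FAIL) {
        /* S207/S208: read the failed block and separate a transient error
         * from a permanent one by re-testing it. */
        rep.failed_block = (uint8_t)BIST_MBIST_BLOCK(bist_reg);
        rep.result = hw->retest_memory_block(rep.failed_block)
                         ? RECONFIRM_MBIST_TRANSIENT
                         : RECONFIRM_MBIST_PERMANENT;
    }
    return rep;
}

/* Constructed host-side simulations of the hooks. */
static uint32_t sim_sm_all_pass(void)        { return SM_ALL_PASSED; }
static uint32_t sim_sm_watchdog_missed(void) { return SM_CLOCK | SM_LOCKSTEP; }
static bool sim_block_retest_pass(uint8_t b) { (void)b; return true; }
static bool sim_block_retest_fail(uint8_t b) { return b != 3; }  /* block 3 stays broken */

/* Runs one scenario against the simulations. */
reconfirm_report_t run_scenario(uint32_t bist_reg, bool mechanisms_ok, bool block_ok)
{
    hw_hooks_t hw = {
        mechanisms_ok ? sim_sm_all_pass : sim_sm_watchdog_missed,
        block_ok ? sim_block_retest_pass : sim_block_retest_fail,
    };
    return reconfirm_bist(bist_reg, &hw);
}

int main(void)
{
    reconfirm_report_t r = run_scenario(BIST_MBIST_FAIL | (3u << 8), true, false);
    printf("result=%d failed_block=%u\n", (int)r.result, r.failed_block);
    return 0;
}
```

The point of the re-test in the MBIST branch is that a single failed pattern may be a soft error; only a block that fails again is written to the fault record, which keeps the record free of one-off events while still catching a genuinely damaged block.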
2. In the execution monitoring stage, the monitoring checks whether the microprocessor has a random hardware failure or a systematic software failure. During execution, real-time monitoring is carried out by enabling mechanisms such as lockstep check, clock check, power supply monitoring, memory ECC check, interrupt protection, and software and hardware watchdogs, and the monitoring results are associated with the ECM (fault control module); for the modules that are not associated with the ECM, periodic read-back monitoring is adopted to ensure the timeliness of monitoring.
3. In the power-down monitoring stage, to avoid unexpected timer events such as software or hardware watchdog faults during the data storage process, the software and hardware watchdogs are closed during data storage, so that normal execution of the program is ensured.
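Two of the stage-specific mechanisms above, as an added example that is not the patent's or the applicant's code: the periodic read-back used for modules that are not wired to the ECM, and the power-down storage sequence with the watchdog closed. The register set, golden values, watchdog timeout and the byte-per-tick store cost are constructed assumptions; the second scenario shows what goes wrong when the store is started with the watchdog still running.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed shadow of configuration registers of safety modules that are not
 * wired to the ECM and therefore must be checked by periodic read-back. */
enum { REG_ECC_CTRL, REG_CLOCK_MON_CTRL, REG_LOCKSTEP_CTRL, REG_COUNT };
static volatile uint32_t sim_regs[REG_COUNT];

typedef struct { uint8_t reg; uint32_t mask; uint32_t expected; } readback_entry_t;

/* Golden values as written during initialization (constructed values). */
static const readback_entry_t readback_table[] = {
    { REG_ECC_CTRL,       0x00000001u, 0x00000001u },  /* ECC enable bit */
    { REG_CLOCK_MON_CTRL, 0x000000FFu, 0x000000A5u },  /* clock monitor window */
    { REG_LOCKSTEP_CTRL,  0x00000003u, 0x00000003u },  /* lockstep enable + compare */
};
#define READBACK_ENTRIES (sizeof readback_table / sizeof readback_table[0])

void sim_init_regs(void)
{
    for (size_t i = 0; i < READBACK_ENTRIES; i++)
        sim_regs[readback_table[i].reg] = readback_table[i].expected;
}

/* Simulates a bit flip or an errant write to a configuration register. */
void sim_corrupt_reg(uint8_t reg, uint32_t value) { sim_regs[reg] = value; }

/* One periodic read-back pass (the periodic path of step S403). Returns a
 * bitmask with bit i set for each table entry whose register no longer matches
 * its golden value under the mask; 0 means the pass was clean. */
uint32_t readback_monitor_period(void)
{
    uint32_t mismatches = 0;
    for (size_t i = 0; i < READBACK_ENTRIES; i++) {
        const readback_entry_t *e = &readback_table[i];
        if ((sim_regs[e->reg] & e->mask) != (e->expected & e->mask))
            mismatches |= 1u << i;
    }
    return mismatches;
}

/* Power-down stage. A simulated watchdog that fires when too many ticks pass
 * without a kick, and a simulated slow store that costs one tick per byte. */
typedef struct { bool enabled; uint32_t timeout_ticks; uint32_t ticks; bool reset_fired; } sim_watchdog_t;
typedef struct { uint8_t data[64]; uint32_t len; } sim_nvm_t;

static bool sim_store_byte(sim_watchdog_t *wdg, sim_nvm_t *nvm, uint8_t b)
{
    if (wdg->enabled && ++wdg->ticks > wdg->timeout_ticks) {
        wdg->reset_fired = true;   /* unexpected reset mid-store: record lost */
        return false;
    }
    nvm->data[nvm->len++] = b;
    return true;
}

/* Stores the fault records at power-down. close_watchdog == true is the
 * sequence the text describes; false models the unsafe order. Returns the
 * bytes actually stored; a short count means the watchdog cut the store short. */
uint32_t powerdown_store(sim_watchdog_t *wdg, bool close_watchdog,
                         const uint8_t *records, uint32_t len, sim_nvm_t *nvm)
{
    if (close_watchdog) wdg->enabled = false;   /* close the watchdog first */
    nvm->len = 0;
    for (uint32_t i = 0; i < len && i < sizeof nvm->data; i++)
        if (!sim_store_byte(wdg, nvm, records[i])) break;
    return nvm->len;
}

/* Constructed scenario: 40 record bytes against a 16-tick watchdog. */
uint32_t demo_powerdown(bool close_watchdog)
{
    sim_watchdog_t wdg = { true, 16, 0, false };
    sim_nvm_t nvm = { {0}, 0 };
    uint8_t records[40];
    for (int i = 0; i < 40; i++) records[i] = (uint8_t)i;
    return powerdown_store(&wdg, close_watchdog, records, 40, &nvm);
}

int main(void)
{
    sim_init_regs();
    sim_corrupt_reg(REG_ECC_CTRL, 0);
    printf("readback mismatches=0x%X\n", readback_monitor_period());
    printf("stored with watchdog running=%u, closed=%u\n",
           demo_powerdown(false), demo_powerdown(true));
    return 0;
}
```

The mask in the read-back table matters: bits outside the mask (status or reserved bits) change legitimately, and comparing the whole word would produce false faults every period.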
2. In the failure handling section, as shown in fig. 4, the following steps may be included:
Step S401: judge whether the fault is associated with the ECM. For fault confirmation and recording, the embodiment of the application can trigger fault recording through an interrupt, while part of the faults are handled by periodic judgement.
Step S402: after a fault occurs, all modules that can be associated with the ECM (fault control module) are handled uniformly by interrupt, and the fault is confirmed and recorded in the interrupt.
Step S403: for the modules that are not associated with the ECM, periodic judgement is used to confirm and record the fault.
Step S404: fault recording. The frozen frame is designed according to the fault classification: for a fault related to memory ECC, the frozen frame needs to include the specific address at which the ECC error occurred; for a task-timeout fault, it needs to include the name of the task that overran; and so on. Designing the frozen frame per fault classification helps personnel locate the cause of a problem quickly when an error occurs.
In addition, to make locating the cause of a problem easier, an attached table of fault codes is added alongside the stored fault codes and frozen frames; the fault records in this table are kept in order of occurrence, and the system time of each fault is recorded.
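The fault record of step S404, and of the earlier frozen-frame discussion, as an added example that is not the patent's or the applicant's code: a frozen frame whose contents depend on the fault class (error address for ECC, task name for a timeout), stored together with the fault code, an occurrence sequence number and the system time. Fault codes, addresses, task names and the table size are constructed values; the eviction rule for a full table is a design choice of this example, not something the text specifies.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fault classes whose frozen frames need different contents (constructed set). */
typedef enum { FAULT_MEM_ECC = 1, FAULT_TASK_TIMEOUT = 2 } fault_class_t;

typedef struct {
    fault_class_t cls;
    union {
        struct { uint32_t error_addr; uint8_t corrected; } ecc;    /* ECC: faulting address */
        struct { char task_name[16]; uint32_t overrun_us; } task;  /* timeout: task name */
    } ff;
} freeze_frame_t;

/* One row of the fault record table: fault code, frozen frame, and the
 * "attached table" data (occurrence sequence and system time). */
typedef struct {
    uint16_t fault_code;
    uint32_t seq;           /* occurrence order, never reused */
    uint32_t sys_time_ms;   /* system time at the moment of the interrupt */
    freeze_frame_t frame;
} fault_record_t;

#define FAULT_TABLE_SIZE 8

typedef struct {
    fault_record_t rows[FAULT_TABLE_SIZE];
    uint32_t count;      /* rows in use */
    uint32_t next_seq;   /* keeps counting after eviction so gaps stay visible */
} fault_table_t;

void fault_table_init(fault_table_t *t) { memset(t, 0, sizeof *t); }

/* Called from the fault interrupt. When the table is full the oldest row is
 * evicted so the most recent faults are the ones that survive to power-down. */
void fault_record(fault_table_t *t, uint16_t code, uint32_t now_ms,
                  const freeze_frame_t *ff)
{
    if (t->count == FAULT_TABLE_SIZE) {
        memmove(&t->rows[0], &t->rows[1], (FAULT_TABLE_SIZE - 1) * sizeof t->rows[0]);
        t->count--;
    }
    fault_record_t *r = &t->rows[t->count++];
    r->fault_code  = code;
    r->seq         = t->next_seq++;
    r->sys_time_ms = now_ms;
    r->frame       = *ff;
}

/* Frozen-frame builders, one per class, so each fault stores exactly what is
 * needed to locate its cause. */
freeze_frame_t ff_ecc(uint32_t addr, uint8_t corrected)
{
    freeze_frame_t f;
    memset(&f, 0, sizeof f);
    f.cls = FAULT_MEM_ECC;
    f.ff.ecc.error_addr = addr;
    f.ff.ecc.corrected  = corrected;
    return f;
}

freeze_frame_t ff_task_timeout(const char *name, uint32_t overrun_us)
{
    freeze_frame_t f;
    memset(&f, 0, sizeof f);
    f.cls = FAULT_TASK_TIMEOUT;
    strncpy(f.ff.task.task_name, name, sizeof f.ff.task.task_name - 1);
    f.ff.task.overrun_us = overrun_us;
    return f;
}

/* Constructed demo: one ECC error, one task overrun, then extra_faults further
 * ECC events to show eviction. All codes, addresses and times are constructed. */
fault_table_t *demo_table(int extra_faults)
{
    static fault_table_t t;
    fault_table_init(&t);
    freeze_frame_t f1 = ff_ecc(0x70001234u, 0);
    fault_record(&t, 0xE001, 1000, &f1);
    freeze_frame_t f2 = ff_task_timeout("Task_10ms", 2500);
    fault_record(&t, 0xE102, 1250, &f2);
    for (int i = 0; i < extra_faults; i++) {
        freeze_frame_t f = ff_ecc(0x70002000u + 4u * (uint32_t)i, 1);
        fault_record(&t, 0xE002, 1300 + 10u * (uint32_t)i, &f);
    }
    return &t;
}

int main(void)
{
    const fault_table_t *t = demo_table(0);
    for (uint32_t i = 0; i < t->count; i++)
        printf("#%u t=%u ms code=0x%04X class=%d\n", t->rows[i].seq,
               t->rows[i].sys_time_ms, t->rows[i].fault_code, (int)t->rows[i].frame.cls);
    return 0;
}
```

Keeping the sequence counter separate from the row index is what makes the attached table useful after eviction: a reader of the stored table can see that faults 0 to 3 happened before the surviving rows even though their frames are gone.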
Step S405: judge the current fault type, i.e. confirm whether the fault is severe. The embodiment of the application can determine the current fault type, which can be divided by severity into a severe fault type, a general fault type and a slight fault type. A severe fault is one in which the microprocessor can no longer work normally and situations such as a reset may occur; a general fault is one that indicates a certain risk but under which the microprocessor can still maintain basic operation; a slight fault is one under which the microprocessor can still operate normally, but the reported fault nevertheless indicates a risk.
Step S406: when the current fault type is a severe fault type, the embodiment of the application judges that the current fault type does not meet the preset reminding condition. To enhance the reliability and robustness of fault reporting, the principle of cross-processing of faults between cores is maintained for important faults: that is, a fault on core 0 (CPU 0) is processed by core 1 (CPU 1), and a fault on core 1 (CPU 1) is processed by core 0 (CPU 0). As shown in fig. 3, the embodiment of the application applies a microprocessor redundancy design in hardware: in addition to the main microprocessor, a low-cost auxiliary microprocessor is added; the auxiliary microprocessor and the main microprocessor exchange information in real time through CAN communication, and the functional safety output pin of the main microprocessor is connected to the auxiliary microprocessor.
Therefore, when a severe fault occurs, the auxiliary microprocessor takes over the main work of the main microprocessor and ensures the basic functions, so that unexpected controller behaviour is avoided; when a general or slight fault occurs, the fault is reported to the application layer, which performs reduced-power fault handling in a unified way.
Step S407: pushing prompt information to the driver to prompt the driver to stop the vehicle immediately.
Step S408: when the current fault type is a general or slight fault type, the embodiment of the application judges that the current fault type meets the preset reminding condition, and a risk early-warning signal is therefore sent to the driver to prompt the driver to handle the risk.
Step S409: a reduced power limp mode is entered.
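The fault handling policy of steps S405 to S409 (and of the earlier "preset reminding condition" discussion), as an added example that is not the patent's or the applicant's code: severity decides whether the driver is warned and limp mode entered, or whether a take-over message goes to the auxiliary microprocessor, and the cross-core rule picks the core that processes the record. The CAN identifier, payload layout and checksum are constructed for this example and are not the patent's or any product's message definition.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { FAULT_SEVERE, FAULT_GENERAL, FAULT_SLIGHT } fault_severity_t;

/* Actions named in steps S406..S409. */
typedef enum {
    ACT_AUX_TAKEOVER,   /* S406/S407: auxiliary MCU takes over, driver told to stop */
    ACT_WARN_AND_LIMP   /* S408/S409: driver warned, reduced-power limp mode */
} policy_action_t;

/* The "preset reminding condition": general and slight faults are reported to
 * the driver via the application layer; a severe fault is not, because the
 * main MCU may no longer run the application layer reliably. */
bool meets_reminding_condition(fault_severity_t s)
{
    return s == FAULT_GENERAL || s == FAULT_SLIGHT;
}

policy_action_t match_policy(fault_severity_t s)
{
    return meets_reminding_condition(s) ? ACT_WARN_AND_LIMP : ACT_AUX_TAKEOVER;
}

/* Cross-core principle: a fault raised on one core is processed by the other
 * core, so a core that may itself be damaged never reports on itself. */
uint8_t handling_core(uint8_t faulting_core) { return faulting_core == 0 ? 1 : 0; }

/* Minimal CAN frame model; identifier and layout are constructed. */
typedef struct { uint32_t id; uint8_t dlc; uint8_t data[8]; } can_frame_t;
#define CAN_ID_TAKEOVER  0x7E0u   /* hypothetical */
#define CMD_TAKEOVER     0x01u

static uint8_t xor_checksum(const uint8_t *p, size_t n)
{
    uint8_t c = 0;
    for (size_t i = 0; i < n; i++) c ^= p[i];
    return c;
}

/* Take-over message: command, fault code, faulting core, handling core and a
 * checksum so the auxiliary MCU can reject a corrupted frame. */
can_frame_t build_takeover_frame(uint16_t fault_code, uint8_t faulting_core)
{
    can_frame_t f;
    memset(&f, 0, sizeof f);
    f.id  = CAN_ID_TAKEOVER;
    f.dlc = 8;
    f.data[0] = CMD_TAKEOVER;
    f.data[1] = (uint8_t)(fault_code >> 8);
    f.data[2] = (uint8_t)(fault_code & 0xFFu);
    f.data[3] = faulting_core;
    f.data[4] = handling_core(faulting_core);
    f.data[7] = xor_checksum(f.data, 7);
    return f;
}

/* Receiver-side check the auxiliary MCU would run before acting on a frame. */
bool takeover_frame_valid(can_frame_t f)
{
    return f.id == CAN_ID_TAKEOVER && f.dlc == 8 && f.data[0] == CMD_TAKEOVER &&
           f.data[7] == xor_checksum(f.data, 7);
}

uint8_t frame_byte(can_frame_t f, int i) { return f.data[i]; }

/* Result of dispatching one recorded fault (steps S405..S409). */
typedef struct {
    policy_action_t action;
    uint8_t processed_on_core;
    can_frame_t to_aux;          /* id == 0 when nothing is sent */
} dispatch_result_t;

dispatch_result_t dispatch_fault(fault_severity_t s, uint16_t code, uint8_t faulting_core)
{
    dispatch_result_t r;
    memset(&r, 0, sizeof r);
    r.action = match_policy(s);
    r.processed_on_core = handling_core(faulting_core);
    if (r.action == ACT_AUX_TAKEOVER)
        r.to_aux = build_takeover_frame(code, faulting_core);   /* S406; S407 prompt follows */
    /* S408/S409: warning and limp mode go through the application layer, so
     * nothing is sent to the auxiliary MCU for general and slight faults. */
    return r;
}

int main(void)
{
    dispatch_result_t r = dispatch_fault(FAULT_SEVERE, 0xE001, 0);
    printf("action=%d core=%u can_id=0x%03X valid=%d\n", (int)r.action,
           r.processed_on_core, r.to_aux.id, (int)takeover_frame_valid(r.to_aux));
    return 0;
}
```

The checksum is deliberately computed over the handling-core byte as well: if the auxiliary MCU sees a frame claiming that core 0 is both the faulting and the handling core, the cross-core rule was violated somewhere upstream and the frame should be treated as untrustworthy.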
According to the method for detecting a fault of the functional safety mechanism of a vehicle provided by the embodiment of the application, functional safety mechanism monitoring is performed according to the current running stage of the microprocessor. When the current running stage is the initialization monitoring stage, BIST verification is performed on the microprocessor and the verification result is checked with the preset failure reconfirmation strategy to obtain the fault information of the microprocessor; the current running process of the microprocessor is then interrupted according to the fault information, and a fault handling strategy is matched according to the current fault type, so that fault handling is more targeted and the power of the vehicle is not interrupted while the microprocessor fault is handled. Differentiated monitoring for each running stage and the matching of a corresponding fault handling strategy improve the driving safety of the vehicle. This solves the technical problems of the related art, in which fault diagnosis and handling at the microprocessor level cover few faults, fault handling carries certain safety hazards, and the driving safety of the vehicle is not guaranteed.
Next, a detection device for a malfunction of a functional safety mechanism of a vehicle according to an embodiment of the present application will be described with reference to the accompanying drawings.
Fig. 5 is a block schematic diagram of a detection device for malfunction of a functional safety mechanism of a vehicle according to an embodiment of the present application.
As shown in fig. 5, the detection device 10 for a malfunction of a functional safety mechanism of a vehicle includes: the device comprises a detection module 100, a verification module 200 and a processing module 300.
Specifically, the detection module 100 is configured to detect a current operation stage of the microprocessor.
The verification module 200 is used for performing built-in self-test (BIST) verification on the microprocessor when the current operation stage is the initialization monitoring stage, checking the verification result with the preset failure reconfirmation strategy when the verification result is that the microprocessor has failed, and obtaining the fault information of the microprocessor based on the check result.
The processing module 300 is configured to interrupt a current running process of the microprocessor based on the fault information, identify a current fault type of the microprocessor, and match a corresponding fault handling policy based on the current fault type to execute the fault handling policy on the microprocessor.
Optionally, in one embodiment of the present application, the verification module 200 includes: a determination unit, an injection unit and a recording unit.
The determining unit is used for determining the failure type of the microprocessor according to the verification result.
The injection unit is used for injecting a preset fault into the microprocessor when the failure type is the logic self-test failure type, and obtaining the injection result of the preset fault according to the state of the register after the injection.
The recording unit is used for reading the failure memory block corresponding to the built-in self-test BIST under the condition that the failure type is the memory self-test failure type, determining whether the failure of the failure memory block is a permanent failure or not, and recording the failure data of the failure memory block when the failure of the failure memory block is the permanent failure.
Optionally, in one embodiment of the present application, the detecting device 10 for a malfunction of a functional safety mechanism of a vehicle further includes: the second detection module and the generation module.
The second detection module is used for detecting whether the microprocessor meets the preset random hardware failure condition and/or the preset systematic software failure condition when the current operation stage is the execution monitoring stage.
The generating module is used for generating fault information corresponding to the microprocessor when the microprocessor meets the preset random hardware failure condition and/or the preset systematic software failure condition, so as to interrupt the current running process of the microprocessor based on the fault information.
Optionally, in one embodiment of the present application, the detection device 10 for a malfunction of a functional safety mechanism of a vehicle further includes a closing module.
The closing module is used for closing the timer of the microprocessor when the current running stage is the power-down monitoring stage, so that the data storage action of the microprocessor is not interrupted in the power-down monitoring stage.
Optionally, in one embodiment of the present application, the processing module 300 includes a storage unit.
The storage unit is used for obtaining a frozen frame and a corresponding fault code when the microprocessor is interrupted based on the interruption time and fault information of the microprocessor, and storing the frozen frame and the fault code to generate a fault record table.
Optionally, in one embodiment of the present application, the processing module 300 includes: a reminding unit and an auxiliary unit.
The reminding unit is used for pushing the risk early warning signal to the driver under the condition that the current fault type meets the preset reminding condition.
The auxiliary unit is used for sending a take-over signal to the auxiliary microprocessor when the current fault type does not meet the preset reminding condition, so that the auxiliary microprocessor, instead of the main microprocessor, controls the vehicle to execute the preset safety strategy.
It should be noted that the explanation of the foregoing embodiment of the method for detecting a failure of a functional safety mechanism of a vehicle is also applicable to the device for detecting a failure of a functional safety mechanism of a vehicle in this embodiment, and will not be repeated here.
According to the detection device for a fault of the functional safety mechanism of a vehicle provided by the embodiment of the application, functional safety mechanism monitoring is performed according to the current operation stage of the microprocessor. When the current operation stage is the initialization monitoring stage, BIST verification is performed on the microprocessor and the verification result is checked with the preset failure reconfirmation strategy to obtain the fault information of the microprocessor; the current operation process of the microprocessor is then interrupted according to the fault information, and a fault handling strategy is matched according to the current fault type, so that fault handling is more targeted and the power of the vehicle is not interrupted while the microprocessor fault is handled. Differentiated monitoring for each operation stage and the matching of a corresponding fault handling strategy improve the driving safety of the vehicle. This solves the technical problems of the related art, in which fault diagnosis and handling at the microprocessor level cover few faults, fault handling carries certain safety hazards, and the driving safety of the vehicle is not guaranteed.
Fig. 6 is a schematic structural diagram of a vehicle according to an embodiment of the present application. The vehicle may include:
a memory 601, a processor 602, and a computer program stored on the memory 601 and executable on the processor 602.
The processor 602 implements the method for detecting a malfunction of the functional safety mechanism of the vehicle provided in the above-described embodiment when executing the program.
Further, the vehicle further includes:
a communication interface 603 for communication between the memory 601 and the processor 602.
A memory 601 for storing a computer program executable on the processor 602.
The memory 601 may comprise a high-speed RAM, and may further comprise a non-volatile memory, such as at least one disk memory.
If the memory 601, the processor 602 and the communication interface 603 are implemented independently, the communication interface 603, the memory 601 and the processor 602 may be connected to each other through a bus and communicate with each other. The bus may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, or an Extended Industry Standard Architecture (EISA) bus, among others. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in fig. 6, but this does not mean that there is only one bus or only one type of bus.
Alternatively, in a specific implementation, if the memory 601, the processor 602, and the communication interface 603 are integrated on a chip, the memory 601, the processor 602, and the communication interface 603 may perform communication with each other through internal interfaces.
The processor 602 may be a central processing unit (Central Processing Unit, abbreviated as CPU) or an application specific integrated circuit (Application Specific Integrated Circuit, abbreviated as ASIC) or one or more integrated circuits configured to implement embodiments of the present application.
The present embodiment also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the method of detecting a malfunction of a functional safety mechanism of a vehicle as described above.
In the description of the present specification, a description referring to the terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present application. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or N embodiments or examples. Furthermore, the different embodiments or examples described in this specification, and the features of the different embodiments or examples, may be combined by those skilled in the art without contradiction.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature. In the description of the present application, "N" means at least two, for example, two, three, etc., unless specifically defined otherwise.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and additional implementations are included within the scope of the preferred embodiment of the present application in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order from that shown or discussed, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the embodiments of the present application.
Logic and/or steps represented in the flowcharts or otherwise described herein, e.g., an ordered listing of executable instructions for implementing logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, a processor-containing system, or another system that can fetch the instructions from the instruction execution system, apparatus, or device and execute them. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. More specific examples (a non-exhaustive list) of the computer-readable medium include the following: an electrical connection (electronic device) having one or N wires, a portable computer cartridge (magnetic device), a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). In addition, the computer-readable medium may even be paper or another suitable medium on which the program is printed, since the program can be captured electronically, for example by optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.
It is to be understood that portions of the present application may be implemented in hardware, software, firmware, or a combination thereof. In the above-described embodiments, the N steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. As in the other embodiments, if implemented in hardware, they may be implemented using any one or a combination of the following techniques, which are well known in the art: discrete logic circuits having logic gates for implementing logic functions on data signals, application-specific integrated circuits having suitable combinational logic gates, programmable gate arrays (PGAs), field-programmable gate arrays (FPGAs), and the like.
Those of ordinary skill in the art will appreciate that all or a portion of the steps carried out in the method of the above-described embodiments may be implemented by a program to instruct related hardware, where the program may be stored in a computer readable storage medium, and where the program, when executed, includes one or a combination of the steps of the method embodiments.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing module, or each unit may exist alone physically, or two or more units may be integrated in one module. The integrated modules may be implemented in hardware or in software functional modules. The integrated modules may also be stored in a computer readable storage medium if implemented in the form of software functional modules and sold or used as a stand-alone product.
The above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, or the like. While embodiments of the present application have been shown and described above, it will be understood that the above embodiments are illustrative and not to be construed as limiting the application, and that variations, modifications, alternatives and variations may be made to the above embodiments by one of ordinary skill in the art within the scope of the application.

Claims (10)

1. A method for detecting a malfunction of a functional safety mechanism of a vehicle, comprising the steps of:
detecting the current running stage of the microprocessor;
if the current running stage is an initialization monitoring stage, performing built-in self-test (BIST) verification on the microprocessor, and when the verification result is that the microprocessor fails, verifying the verification result by using a preset failure reconfirmation strategy, and obtaining fault information of the microprocessor based on the verification result;
interrupting the current running process of the microprocessor based on the fault information, identifying the current fault type of the microprocessor, and matching a corresponding fault processing strategy based on the current fault type so as to execute the fault processing strategy on the microprocessor.
2. The method of claim 1, wherein verifying the verification result using a preset failure reconfirmation strategy comprises:
determining the failure type of the microprocessor according to the verification result;
under the condition that the failure type is a logic self-test failure type, injecting a preset fault into the microprocessor, and obtaining an injection result of the preset fault according to the state of the register after injection;
and under the condition that the failure type is a memory self-test failure type, reading a failure memory block corresponding to the built-in self-test BIST, determining whether the failure of the failure memory block is a permanent failure, and recording failure data of the failure memory block when the failure of the failure memory block is the permanent failure.
3. The method of claim 1, further comprising, after the current running stage of the microprocessor is detected:
if the current running stage is an execution monitoring stage, detecting whether the microprocessor meets a preset random hardware failure condition and/or a preset systematic software failure condition;
and if the microprocessor meets the preset random hardware failure condition and/or the preset systematic software failure condition, generating failure information corresponding to the microprocessor so as to interrupt the current running process of the microprocessor based on the failure information.
4. The method of claim 1, further comprising, after the current running stage of the microprocessor is detected:
and if the current running stage is a power-down monitoring stage, closing a timer of the microprocessor so as to inhibit interrupting the data storage action of the microprocessor in the power-down monitoring stage.
5. The method of claim 1, wherein obtaining the current fault type of the microprocessor while interrupting the current running process of the microprocessor based on the fault information comprises:
and based on the interrupt time of the microprocessor and the fault information, obtaining a frozen frame and a corresponding fault code when the microprocessor is interrupted, and storing the frozen frame and the fault code to generate a fault record table.
6. The method of claim 1, wherein the matching the corresponding fault handling policy based on the current fault type comprises:
pushing a risk early warning signal to a driver under the condition that the current fault type meets a preset reminding condition;
and under the condition that the current fault type does not meet the preset reminding condition, sending a take-over signal to an auxiliary microprocessor so as to control the vehicle to execute a preset safety strategy by using the auxiliary microprocessor to replace the microprocessor.
7. A detection apparatus for a malfunction of a functional safety mechanism of a vehicle, comprising:
the detection module is used for detecting the current running stage of the microprocessor;
the verification module is used for carrying out built-in self-test (BIST) verification on the microprocessor when the current operation stage is an initialization monitoring stage, verifying the verification result by utilizing a preset failure reconfirmation strategy when the verification result is that the microprocessor fails, and obtaining fault information of the microprocessor based on the verification result;
the processing module is used for interrupting the current running process of the microprocessor based on the fault information, identifying the current fault type of the microprocessor, and matching the corresponding fault processing strategy based on the current fault type so as to execute the fault processing strategy on the microprocessor.
8. The apparatus of claim 7, wherein the verification module comprises:
the determining unit is used for determining the failure type of the microprocessor according to the verification result;
the injection unit is used for injecting a preset fault into the microprocessor under the condition that the failure type is a logic self-test failure type, and obtaining an injection result of the preset fault according to the state of the register after the injection;
the recording unit is used for reading the failure memory block corresponding to the built-in self-test BIST under the condition that the failure type is the memory self-test failure type, determining whether the failure of the failure memory block is a permanent failure or not, and recording the failure data of the failure memory block when the failure of the failure memory block is the permanent failure.
9. A vehicle, characterized by comprising: a memory, a processor and a computer program stored on the memory and executable on the processor, the processor executing the program to implement the method of detecting a functional safety mechanism failure of a vehicle as claimed in any one of claims 1 to 6.
10. A computer-readable storage medium, on which a computer program is stored, characterized in that the program is executed by a processor for implementing a method of detecting a malfunction of a functional safety mechanism of a vehicle according to any one of claims 1 to 6.
Application CN202310881009.7A (priority date 2023-07-18, filing date 2023-07-18): Method and device for detecting faults of functional safety mechanism of vehicle.
Publication CN116700224A (en), published 2023-09-05; legal status: pending.
Family ID 87824098; country status: CN.

Similar Documents

Publication Publication Date Title
CN102822807B (en) Computer for controlling system and control method thereof and use
CN110650878B (en) Abnormality determination device, abnormality determination method, and computer-readable storage medium
CN111527477B (en) Determining reliability of vehicle control commands using voting mechanisms
KR101744226B1 (en) System and method for providing diagnostic fault information
US9728276B2 (en) Integrated circuits with built-in self test mechanism
TW201015293A (en) Micro controller unit including an error indicator module
CN101349905A (en) Dual core architecture of a control module of an engine
JPH09230929A (en) Method and device for diagnosing fault of on-vehicle controller
GB2497636A (en) Vehicle fault diagnosis system
CN113917385A (en) Self-detection method and system for electric energy meter
CN116700224A (en) Method and device for detecting faults of functional safety mechanism of vehicle
US20230177894A1 (en) Information processing apparatus and information processing method
US11726853B2 (en) Electronic control device
JP2019168835A (en) Electronic control device
JP4041216B2 (en) Abnormality detection method and abnormality detection device
Beckschulze et al. Fault handling approaches on dual-core microcontrollers in safety-critical automotive applications
CN105335177A (en) Test method, test device and test system of embedded system
EP0811194B1 (en) Diagnostic method and apparatus with pre-assembly fault recording lock-out
JP2002047998A (en) Controller for vehicle
JP2009282849A (en) Microcomputer
EP2273329A1 (en) Microcontroller protection method and apparatus comprising an on-circuit debugging module
JP2001243082A (en) Electronic controller and recording medium
US8108740B2 (en) Method for operating a memory device
JP4639920B2 (en) Electronic control unit
CN116394959A (en) Automobile body control domain and control method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination