CN117008575A - Redundant control system diagnosis information control method and system and electronic parking brake system - Google Patents

Info

Publication number: CN117008575A
Authority: CN (China)
Prior art keywords: main chip, control, control main, chip, main
Legal status: Pending
Application number: CN202310960424.1A
Other languages: Chinese (zh)
Inventors: 陈箭, 祁富伟, 常城, 朱鹏昊, 陈学涛
Current Assignee: Suzhou Sake Automobile Technology Co ltd
Original Assignee: Suzhou Sake Automobile Technology Co ltd
Application filed by: Suzhou Sake Automobile Technology Co ltd
Priority to: CN202310960424.1A

Classifications

    • G: PHYSICS
    • G05: CONTROLLING; REGULATING
    • G05B: CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B23/00: Testing or monitoring of control systems or parts thereof
    • G05B23/02: Electric testing or monitoring
    • G05B23/0205: Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
    • G05B23/0208: Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterized by the configuration of the monitoring system
    • G05B23/0213: Modular or universal configuration of the monitoring system, e.g. monitoring system having modules that may be combined to build monitoring program; monitoring system that can be applied to legacy systems; adaptable monitoring system; using different communication protocols
    • B: PERFORMING OPERATIONS; TRANSPORTING
    • B60: VEHICLES IN GENERAL
    • B60T: VEHICLE BRAKE CONTROL SYSTEMS OR PARTS THEREOF; BRAKE CONTROL SYSTEMS OR PARTS THEREOF, IN GENERAL; ARRANGEMENT OF BRAKING ELEMENTS ON VEHICLES IN GENERAL; PORTABLE DEVICES FOR PREVENTING UNWANTED MOVEMENT OF VEHICLES; VEHICLE MODIFICATIONS TO FACILITATE COOLING OF BRAKES
    • B60T13/00: Transmitting braking action from initiating means to ultimate brake actuator with power assistance or drive; Brake systems incorporating such transmitting means, e.g. air-pressure brake systems
    • B60T13/74: Transmitting braking action from initiating means to ultimate brake actuator with power assistance or drive; Brake systems incorporating such transmitting means, e.g. air-pressure brake systems with electrical assistance or drive
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00: Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02: Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Automation & Control Theory (AREA)
  • Transportation (AREA)
  • Mechanical Engineering (AREA)
  • Hardware Redundancy (AREA)

Abstract

The application discloses a diagnosis information control method and system for a redundant control system, and an electronic parking brake system. The method is applied to a redundant control system with a completely equivalent main control unit and auxiliary control unit, wherein the main control unit contains a main control main chip and the auxiliary control unit contains an auxiliary control main chip. The scheme uses one diagnosis ID to receive and respond to the diagnosis instructions for both main chips in the control system, shortens the takeover and response time, presets the replacement period, and reduces the maintenance and replacement frequency.

Description

Redundant control system diagnosis information control method and system and electronic parking brake system
Technical Field
The application relates to the field of automobile control systems, in particular to a redundant control system diagnosis information control method and system and an electronic parking brake system.
Background
The global automobile industry is transforming and upgrading towards the deep integration of electrification, intelligence, networking and sharing. With intelligent driving, intelligent cabins, domain control and other technologies, automobiles are changing from traditional mechanical products into intelligent mobile terminals, and the driving experience and the ways functions are implemented are becoming more and more diversified. At the same time, the safety requirements on automobiles are becoming higher and higher. Especially for automatic driving automobiles of level L3 and above, the driving subject is even changing from the driver to the vehicle system, so redundancy technology is becoming more and more essential to ensure the safety state of the automobile and to meet increasingly strict regulatory requirements. Redundancy technology, as the name implies, adds a set of spare working elements or system components capable of realizing the same function to the parts of the system that play a key role in realizing a function, so that when the main working unit fails and cannot work normally, the spare unit can immediately take over and ensure that the system still works within an acceptable range, thereby improving the overall reliability and safety of the system.
Currently, the redundancy range of high-level automatic driving mainly comprises sensing redundancy for monitoring the environment, actuator redundancy, communication redundancy, power redundancy and control system redundancy. The control system can be called the 'brain' of each functional component of an automobile, and the main chip can be called the 'brain' of the control system, so its redundancy design is important. A common redundancy scheme is that a control unit comprises two main chips, MCU_A and MCU_B, whose circuits are completely equivalent and which are divided into a main control mode and an auxiliary control mode. When the main chip MCU_A is in the working state, MCU_B is in a monitoring and waiting state; when MCU_A breaks down, MCU_B immediately takes over the work. The control unit can thus control the corresponding systems and meet the function requirements in both working modes.
However, this solution faces the problem of diagnosing two main chips. The system uses two identical main chips that back each other up, and each main chip has its own independent monitoring and diagnosis logic, so theoretically two diagnosis IDs are required. This would lead to two operations at diagnosis time and increase the difficulty of developing peripheral diagnosis devices. For an electronic control unit, however, only one diagnosis ID is required in actual diagnosis even though two main chips are used, and the external response of each diagnosis should meet the ISO 14229 standard, consistent with a non-redundant system.
In existing safety redundant systems, usually only one main chip communicates with the external diagnostic instrument in normal operation. When that main chip fails, the process in which the other main chip takes over the control right and communicates with the external diagnostic instrument takes a long time to respond. Especially in control systems related to driving safety, such as an electronic parking brake system, the failure takeover process needs to be completed in a shorter time.
Disclosure of Invention
Therefore, in order to solve the above problems, the present application provides a redundant control system diagnostic information control method, system and electronic parking brake system.
The application is realized by the following technical scheme:
The diagnosis information control method of the redundant control system is applied to a redundant control system with a completely equivalent main control unit and auxiliary control unit, wherein the main control unit contains a main control main chip and the auxiliary control unit contains an auxiliary control main chip, and the method comprises the following steps:
the main control main chip and the auxiliary control main chip simultaneously receive a diagnosis instruction sent by an external diagnostic instrument;
the main control main chip and the auxiliary control main chip simultaneously judge whether the main control main chip has a fault;
when neither the main control main chip nor the auxiliary control main chip has a fault, the main control main chip responds to the external diagnostic instrument through external communication and, at the same time, transmits the corresponding fault status bit information to the auxiliary control main chip through internal communication, and the auxiliary control main chip sets the corresponding fault status bits;
when the main control main chip fails, the auxiliary control main chip takes over control rights and responds to an external diagnostic instrument through external communication, and the auxiliary control main chip generates main control main chip failure information according to the main control main chip failure state;
when the auxiliary control main chip fails, the main control main chip still responds to the external diagnostic instrument through external communication, and the main control main chip generates auxiliary control main chip failure information according to the auxiliary control main chip failure state.
Preferably, the "when the master control main chip fails, the slave control main chip takes over the control right and responds to the external diagnostic apparatus through external communication, and the slave control main chip generates master control main chip failure information according to the master control main chip failure state" includes:
when the main control main chip fails and still can communicate, the main control main chip sends a control right enabling signal and a main control main chip failure signal to the auxiliary control main chip through internal communication, and the auxiliary control main chip directly takes over the system and responds to an external diagnostic instrument through external communication, and meanwhile generates main control main chip failure information;
when the main control main chip is completely paralyzed, the auxiliary control main chip, after detecting through internal communication that the main control heartbeat signal has stopped, automatically enables the control right signal and takes over the system, responds to the external diagnostic instrument through external communication, and generates main control main chip fault information.
Preferably, the "when the auxiliary control main chip fails, the main control main chip still responds to the external diagnostic apparatus through external communication, and the main control main chip generates the auxiliary control main chip failure information according to the auxiliary control main chip failure state" includes:
when the auxiliary control main chip still can communicate, the main control main chip responds to the external diagnostic instrument through external communication, meanwhile, the auxiliary control main chip feeds back an auxiliary control main chip fault signal to the main control main chip through internal communication, and the main control main chip generates auxiliary control main chip fault information according to the received auxiliary control main chip fault signal;
when the auxiliary control main chip is completely paralyzed, the main control main chip responds to the external diagnostic instrument through external communication; at the same time, the main control main chip detects through internal communication that the heartbeat signal of the auxiliary control main chip has stopped, and automatically generates auxiliary control main chip fault information.
Preferably, the diagnostic instruction sent by the external diagnostic apparatus further includes a special diagnostic instruction, where the special diagnostic instruction includes a security access instruction, and if the main control main chip and the auxiliary control main chip have no faults, the external diagnostic apparatus sends the security access instruction, including the following steps:
the main control main chip and the auxiliary control main chip both receive a seed request instruction sent by the external diagnostic instrument;
the auxiliary control main chip keeps silent, and the main control main chip generates a seed and returns it to the external diagnostic instrument through external communication;
the external diagnostic instrument calculates a key after receiving the seed and sends the key to the main control main chip through external communication;
the main control main chip verifies the key; if the verification succeeds, it responds positively to the external diagnostic instrument through external communication and transmits the positive state to the auxiliary control main chip through internal communication; if the verification fails, it responds negatively to the diagnostic instrument through external communication and transmits the negative state to the auxiliary control main chip through internal communication;
the auxiliary control main chip sets its safety check flag according to the state transmitted by the main control main chip through internal communication: if the state is positive, the flag is set to 1, indicating that the safety check has been passed; if the state is negative, the flag is set to 0, indicating that the safety check has not been passed; the initial value is 0.
Preferably, the diagnostic instruction sent by the external diagnostic apparatus further includes a special diagnostic instruction, where the special diagnostic instruction includes a routine control instruction, and if the main control chip and the auxiliary control chip are both fault-free, the external diagnostic apparatus sends the routine control instruction, including the following steps:
the main control main chip and the auxiliary control main chip both receive routine control requests sent by an external diagnostic instrument;
the main control main chip independently outputs a control instruction to the peripheral circuit;
the peripheral circuit receives the control instruction and responds, and the main control main chip monitors the response state and whether routine control is completed;
and the main control main chip responds to the external diagnostic instrument after receiving the peripheral control result.
Preferably, the diagnostic instruction sent by the external diagnostic apparatus further includes a special diagnostic instruction, where the special diagnostic instruction includes a control unit writing information instruction, and if the main control chip and the auxiliary control chip are both fault-free, the external diagnostic apparatus sends the control unit writing information instruction, and the method includes the following steps:
the main control main chip and the auxiliary control main chip both receive a request for writing information into a control unit sent by an external diagnostic instrument;
the main control main chip and the auxiliary control main chip are both written with data sent by the diagnostic instrument;
after the writing is finished, the auxiliary control main chip feeds back the writing state to the main control main chip through internal communication, the main control main chip combines the self state to verify, if the main control main chip and the auxiliary control main chip are successfully written, the external diagnostic instrument is positively responded through external communication, and otherwise, the external diagnostic instrument is negatively responded.
Preferably, the diagnostic instructions sent by the external diagnostic apparatus further include special diagnostic instructions, the special diagnostic instructions include a control unit software download instruction, and if the main control chip and the auxiliary control chip are fault-free, the external diagnostic apparatus sends the control unit software download instruction, including the following steps:
the main control main chip and the auxiliary control main chip both receive a control unit software downloading request sent by an external diagnostic instrument;
the main control main chip and the auxiliary control main chip both download the program transmitted by the diagnostic instrument;
after the downloading is finished, the auxiliary control main chip feeds back the state to the main control main chip through internal communication, the main control main chip combines the state of the main control main chip to verify, if the main control main chip and the auxiliary control main chip are downloaded successfully, the external diagnostic instrument is positively responded through external communication, and otherwise, the external diagnostic instrument is negatively responded.
Preferably, the diagnostic instruction sent by the external diagnostic apparatus further includes a special diagnostic instruction, where the special diagnostic instruction includes a fault code reading instruction, and if the main control chip and the auxiliary control chip are both fault-free, the external diagnostic apparatus sends out a fault code reading instruction, including the following steps:
the main control main chip and the auxiliary control main chip both receive a fault code reading request sent by an external diagnostic instrument;
the auxiliary control main chip sends the fault code and the fault state information of the auxiliary control unit to the main control main chip through internal communication;
the main control main chip receives fault codes sent by the auxiliary control main chip and fault state information of the auxiliary control unit, compares the fault state information of the auxiliary control unit with the fault state information of the main control unit, uniformly reports all fault information to an external diagnostic instrument through external communication if faults are not coincident, accumulates the occurrence times of the faults if the faults are coincident, and uniformly reports the fault information to the external diagnostic instrument through the external communication.
The redundant control system applies the diagnostic information control method of the redundant control system as described above.
The electronic parking brake system applies the redundant control system diagnosis information control method.
The technical scheme of the application has the beneficial effects that:
1. For a redundant control system with dual main chips, one diagnosis ID can be used to receive and respond to diagnosis instructions for both main chips in the control system. This avoids the complex operation and the high development difficulty of external diagnosis equipment that result from using two diagnosis IDs to control the two main chips separately, and also reduces the development workload of other systems and of the diagnosis modules of the whole vehicle.
2. For a redundant control system with dual main chips, the external response of each diagnosis must meet the ISO 14229 standard and be consistent with a non-redundant system. Different internal processing modes are provided for certain special diagnosis instructions that the external diagnostic instrument sends to the two internal main chips, so that the external diagnosis response of the control unit meets the standard requirements.
3. The two main chips simultaneously receive the diagnosis instruction sent by the external diagnostic instrument. When one main chip fails, the other main chip can immediately take over the control right and receive the failure information of the failed main chip, which shortens the takeover and response time. In particular, for an electronic parking brake system related to driving safety, this improves safety and avoids traffic accidents caused by an untimely response.
Drawings
FIG. 1 is a schematic diagram of a control state of diagnostic information when there is no failure in both a master control master chip and a slave control master chip in a redundant control system;
FIG. 2 is a schematic diagram of the information control state under a secure access command in a redundant control system;
FIG. 3 is a schematic diagram of information control states under routine control instructions in a redundant control system;
FIG. 4 is a schematic diagram of the information control state in the redundant control system under the instruction of writing information to the control unit;
FIG. 5 is a schematic diagram of the information control state under the control unit software download instruction in the redundant control system;
FIG. 6 is a schematic diagram of the information control state under the diagnostic command 19 in the redundant control system;
FIG. 7 is a flow chart of a method for processing a redundant control system diagnostic information control method at a master failure;
FIG. 8 is a flow chart of a method for processing a redundant control system diagnostic information control method at the time of a secondary control failure.
Detailed Description
So that the objects, advantages and features of the present application can be more clearly and specifically set forth, a more particular description of the preferred embodiments will be rendered by the following non-limiting description thereof. The embodiment is only a typical example of the technical scheme of the application, and all technical schemes formed by adopting equivalent substitution or equivalent transformation fall within the scope of the application.
It is also stated that, in the description of the aspects, it should be noted that the directions or positional relationships indicated by the terms "center", "upper", "lower", "left", "right", "front", "rear", "inner", "outer", etc. are based on the directions or positional relationships shown in the drawings, are merely for convenience of description and simplification of description, and do not indicate or imply that the devices or elements referred to must have a specific orientation, be configured and operated in a specific orientation, and thus should not be construed as limiting the present application.
Furthermore, the terms "first," "second," and the like in this description are used for descriptive purposes only and are not to be construed as indicating or implying a ranking of importance, or as implicitly indicating the number of technical features shown. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more such feature. In the present application, the meaning of "plurality" means two or more, unless specifically defined otherwise.
The application discloses a diagnosis information control method of a redundant control system. As shown in FIG. 1, FIG. 7 and FIG. 8, the method is applied to a redundant control system with a completely equivalent main control unit and auxiliary control unit, wherein the main control unit contains a main control main chip and the auxiliary control unit contains an auxiliary control main chip, and the method comprises the following steps:
the main control main chip and the auxiliary control main chip simultaneously receive a diagnosis instruction sent by an external diagnostic instrument;
the main control main chip and the auxiliary control main chip simultaneously judge whether the main control main chip has a fault;
when neither the main control main chip nor the auxiliary control main chip has a fault, the main control main chip responds to the external diagnostic instrument through external communication and, at the same time, transmits the corresponding fault status bit information to the auxiliary control main chip through internal communication, and the auxiliary control main chip sets the corresponding fault status bits;
when the main control main chip fails, the auxiliary control main chip takes over control rights and responds to an external diagnostic instrument through external communication, and the auxiliary control main chip generates main control main chip failure information according to the main control main chip failure state;
when the auxiliary control main chip fails, the main control main chip still responds to the external diagnostic instrument through external communication, and the main control main chip generates auxiliary control main chip failure information according to the auxiliary control main chip failure state.
The external communication between the external diagnostic instrument and the main control main chip/auxiliary control main chip, and the internal communication between the main control main chip and the auxiliary control main chip inside the control system, all use the CAN communication protocol. In some embodiments, the CAN communication protocol may include but is not limited to CAN 2.0A, CAN 2.0B and CAN-FD (CAN flexible data-rate). Control units with higher transmission rate requirements may also communicate over other communication networks, including but not limited to FlexRay, Ethernet, radio access network (RAN), wireless local area network (WLAN), etc. It should be noted that any communication protocol is only a communication carrier for the dual-main-chip diagnostic mechanism of the present application and has no influence on the core content of the diagnostic mechanism. Implementations in which a person skilled in the art realizes the functions of the present application with a different communication protocol, without departing from the spirit and scope of the present application, are therefore still covered by the claims of the present application. The principles and formats of the different communication protocols belong to the standardized content of the automotive industry and are not described in detail here.
In some embodiments, the "when the master main chip fails, the slave main chip takes over the control right and responds to the external diagnostic apparatus through external communication, and the slave main chip generates master main chip failure information according to the master main chip failure state" includes:
when the main control main chip fails and still can communicate, the main control main chip sends a control right enabling signal and a main control main chip failure signal to the auxiliary control main chip through internal communication, and the auxiliary control main chip directly takes over the system and responds to an external diagnostic instrument through external communication, and meanwhile generates main control main chip failure information;
when the main control main chip is completely paralyzed, the auxiliary control main chip, after detecting through internal communication that the main control heartbeat signal has stopped, automatically enables the control right signal and takes over the system, responds to the external diagnostic instrument through external communication, and generates main control main chip fault information.
In some embodiments, the "when the auxiliary control main chip fails, the main control main chip still responds to the external diagnostic apparatus through external communication, and the main control main chip generates the auxiliary control main chip failure information according to the auxiliary control main chip failure state" includes:
when the auxiliary control main chip still can communicate, the main control main chip responds to the external diagnostic instrument through external communication, meanwhile, the auxiliary control main chip feeds back an auxiliary control main chip fault signal to the main control main chip through internal communication, and the main control main chip generates auxiliary control main chip fault information according to the received auxiliary control main chip fault signal;
when the auxiliary control main chip is completely paralyzed, the main control main chip responds to the external diagnostic instrument through external communication; at the same time, the main control main chip detects through internal communication that the heartbeat signal of the auxiliary control main chip has stopped, and automatically generates auxiliary control main chip fault information.
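The takeover rules above, written as a small simulation. This is an added example, not code from the patent: the 10 ms task cycle, the 30 ms heartbeat timeout and all identifiers are assumptions. It checks that at most one chip ever answers on the single diagnosis ID and measures how long nobody answers when the main control main chip is paralyzed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed timing, not taken from the patent. */
#define CYCLE_MS      10u   /* task period of each chip */
#define HB_TIMEOUT_MS 30u   /* peer declared paralysed after this silence */

typedef enum { CHIP_OK, CHIP_FAULT_COMM, CHIP_DEAD } health_t;
typedef enum { ROLE_MASTER, ROLE_SLAVE } role_t;

/* Frame a chip puts on the internal bus each cycle. */
typedef struct { bool heartbeat, fault_signal, control_enable; } frame_t;

typedef struct {
    role_t   role;
    health_t self;            /* result of the chip's own self-diagnosis */
    bool     has_control;     /* true: this chip answers the tester */
    bool     peer_fault_info; /* fault information generated about the peer */
    uint32_t last_peer_hb_ms;
} chip_t;

typedef struct {
    int      responder;       /* 0 master, 1 slave, -1 nobody (end of run) */
    int      max_responders;  /* one diagnosis ID: must never exceed 1 */
    uint32_t gap_ms;          /* time during which nobody would answer */
    bool     master_fault_info, slave_fault_info;
} result_t;

static frame_t chip_emit(const chip_t *c)
{
    frame_t f = { false, false, false };
    if (c->self == CHIP_DEAD) return f;              /* paralysed: silence */
    f.heartbeat = true;
    if (c->self == CHIP_FAULT_COMM) {
        f.fault_signal = true;                       /* report own fault */
        f.control_enable = (c->role == ROLE_MASTER); /* master hands over */
    }
    return f;
}

static void chip_step(chip_t *c, frame_t rx, uint32_t now_ms)
{
    if (c->self == CHIP_DEAD) { c->has_control = false; return; }
    if (rx.heartbeat) c->last_peer_hb_ms = now_ms;
    bool peer_silent = (now_ms - c->last_peer_hb_ms) > HB_TIMEOUT_MS;
    if (rx.fault_signal || peer_silent) c->peer_fault_info = true;
    if (c->role == ROLE_MASTER)
        c->has_control = (c->self == CHIP_OK);
    else if (rx.control_enable || peer_silent)
        c->has_control = true;                       /* latched: no hand-back */
}

/* Run 200 ms; at fault_at_ms the chips switch to the given health states. */
result_t simulate(health_t master_after, health_t slave_after, uint32_t fault_at_ms)
{
    chip_t m = { ROLE_MASTER, CHIP_OK, true,  false, 0 };
    chip_t s = { ROLE_SLAVE,  CHIP_OK, false, false, 0 };
    result_t r = { -1, 0, 0, false, false };
    for (uint32_t t = 0; t <= 200; t += CYCLE_MS) {
        if (t == fault_at_ms) { m.self = master_after; s.self = slave_after; }
        frame_t from_m = chip_emit(&m), from_s = chip_emit(&s);
        chip_step(&m, from_s, t);
        chip_step(&s, from_m, t);
        int n = (int)m.has_control + (int)s.has_control;
        if (n > r.max_responders) r.max_responders = n;
        if (n == 0) r.gap_ms += CYCLE_MS;
    }
    r.responder = m.has_control ? 0 : (s.has_control ? 1 : -1);
    r.master_fault_info = s.peer_fault_info;  /* recorded by the slave */
    r.slave_fault_info  = m.peer_fault_info;  /* recorded by the master */
    return r;
}

int main(void)
{
    const char *name[] = { "master faulty, can talk", "master paralysed",
                           "slave faulty, can talk",  "slave paralysed" };
    health_t mh[] = { CHIP_FAULT_COMM, CHIP_DEAD, CHIP_OK, CHIP_OK };
    health_t sh[] = { CHIP_OK, CHIP_OK, CHIP_FAULT_COMM, CHIP_DEAD };
    for (int i = 0; i < 4; i++) {
        result_t r = simulate(mh[i], sh[i], 50);
        printf("%-24s responder=%d gap=%ums max=%d\n", name[i], r.responder,
               (unsigned)r.gap_ms, r.max_responders);
    }
    return 0;
}
```

In the paralyzed case the no-responder gap is set by the heartbeat timeout, so that timeout has to be budgeted against the response timeout of the diagnostic instrument.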
In some embodiments, the "diagnostic instructions issued by the external diagnostic apparatus" further includes special diagnostic instructions including the following embodiments:
Example 1:
As shown in FIG. 2, the special diagnostic instruction includes a security access instruction, and if neither the main control main chip nor the auxiliary control main chip has a fault, the handling of a security access instruction issued by the external diagnostic instrument includes the following steps:
the main control main chip and the auxiliary control main chip both receive a seed request instruction sent by the external diagnostic instrument;
the auxiliary control main chip keeps silent, and the main control main chip generates a seed and returns it to the external diagnostic instrument through external communication;
the external diagnostic instrument calculates a key after receiving the seed and sends the key to the main control main chip through external communication;
the main control main chip verifies the key; if the verification succeeds, it responds positively to the external diagnostic instrument through external communication and transmits the positive state to the auxiliary control main chip through internal communication; if the verification fails, it responds negatively to the diagnostic instrument through external communication and transmits the negative state to the auxiliary control main chip through internal communication;
the auxiliary control main chip sets its safety check flag according to the state transmitted by the main control main chip through internal communication: if the state is positive, the flag is set to 1, indicating that the safety check has been passed; if the state is negative, the flag is set to 0, indicating that the safety check has not been passed; the initial value is 0.
In some embodiments, the diagnosis of the secure access instruction when the master chip fails comprises the steps of:
when the main control main chip fails and still can communicate:
the main control main chip and the auxiliary control main chip simultaneously receive a seed requesting instruction sent by an external diagnostic instrument;
the master control main chip sends a control right enabling signal and a master control main chip fault signal to the auxiliary control main chip through internal communication, and the auxiliary control main chip receives the control right enabling signal and the master control main chip fault signal and takes over the control right to generate master control main chip fault information;
the auxiliary control main chip generates seeds and then responds to an external diagnostic instrument through external communication;
the external diagnostic instrument calculates a secret key after receiving the seeds and sends the secret key to the auxiliary control main chip through external communication;
the auxiliary control main chip verifies the secret key; if verification succeeds, it responds positively to the external diagnostic instrument through external communication and transmits the positive state to the main control main chip through internal communication; if verification fails, it responds negatively to the diagnostic instrument through external communication and transmits the negative state to the main control main chip through internal communication;
the auxiliary control main chip sets the security check flag according to the state transmitted through the internal communication of the main control main chip: if the state is positive, the flag is set to 1, meaning the security check has passed; if the state is negative, the flag is set to 0, meaning the security check has not passed; the initial value is 0.
When the main control main chip is completely paralyzed:
the auxiliary control main chip receives a seed requesting instruction sent by an external diagnostic instrument;
the auxiliary control main chip monitors the main control heartbeat signal to stop, the auxiliary control main chip automatically enables the control right signal, and meanwhile takes over the system and generates fault information of the main control main chip;
the auxiliary control main chip generates seeds and then responds to an external diagnostic instrument through external communication;
the external diagnostic instrument calculates a secret key after receiving the seeds and sends the secret key to the auxiliary control main chip through external communication;
and if the auxiliary control main chip fails to verify the secret key, it responds negatively to the diagnostic instrument through external communication.
In some embodiments, the diagnosis of the security access instruction when the secondary control primary chip fails comprises the steps of:
when the auxiliary control main chip fails and still can communicate:
the procedure is the same as in Example 1 above.
When the auxiliary control main chip is completely paralyzed:
the main control main chip receives a seed-requesting instruction sent by an external diagnostic instrument;
the main control main chip monitors the heartbeat signal of the auxiliary control main chip to stop;
the master control main chip generates seeds and then responds to an external diagnostic instrument through external communication;
the external diagnostic instrument calculates a secret key after receiving the seeds and sends the secret key to the main control main chip through external communication;
and the master control main chip verifies the secret key, if the verification is successful, the external diagnostic instrument is positively responded through external communication, and if the master control main chip fails to verify the secret key, the diagnostic instrument is negatively responded through external communication.
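The seed/key arbitration of Example 1 and its failover cases, modelled as an added example (not code from the patent): exactly one chip answers the tester, the verification result is mirrored to a peer that can still communicate, and a seed is accepted once and only by the chip that issued it. The type names, the `derive_key` transform, `DEMO_SECRET`, the single-use seed rule and the no-response behaviour when both chips are faulty are assumptions; the page does not specify a key algorithm.

```c
#include <stdint.h>
#include <stdio.h>

/* All names below are assumptions made for this example. */
typedef enum { CHIP_OK, CHIP_FAULT_COMM, CHIP_DEAD } chip_state_t;

typedef struct {
    chip_state_t state;
    uint8_t  sec_flag;   /* security check flag, initial value 0 */
    uint32_t seed;       /* outstanding seed, 0 = none issued */
    uint32_t rng;        /* stand-in for a hardware random source */
} chip_t;

typedef struct {
    chip_t master, aux;
    int master_fault_logged;  /* set when the auxiliary chip takes over */
} ecu_pair_t;

#define DEMO_SECRET 0x5EC0DE42u  /* constructed value shared by both chips */

/* Placeholder seed-to-key transform; the page does not define one. */
static uint32_t derive_key(uint32_t seed)
{
    uint32_t k = seed ^ DEMO_SECRET;
    k = (k << 7) | (k >> 25);
    return k * 2654435761u + DEMO_SECRET;
}

/* Exactly one chip answers the tester. The master answers while it is
 * fault-free; otherwise a fault-free auxiliary chip takes over and records
 * the master failure. Both chips faulty is not covered by the page, so
 * this sketch gives no response (NULL) in that case. */
static chip_t *select_responder(ecu_pair_t *p)
{
    if (p->master.state == CHIP_OK)
        return &p->master;
    if (p->aux.state == CHIP_OK) {
        p->master_fault_logged = 1;
        return &p->aux;
    }
    return NULL;
}

/* Request-seed step: returns the seed, or 0 if no chip can respond. */
static uint32_t request_seed(ecu_pair_t *p)
{
    chip_t *r = select_responder(p);
    if (r == NULL)
        return 0;
    r->rng = r->rng * 1664525u + 1013904223u;  /* LCG, demo only */
    r->seed = r->rng | 1u;                     /* never 0 */
    return r->seed;
}

/* Send-key step: 1 = positive response, 0 = negative, -1 = no response. */
static int send_key(ecu_pair_t *p, uint32_t key)
{
    chip_t *r = select_responder(p);
    chip_t *peer;
    int ok;

    if (r == NULL)
        return -1;
    peer = (r == &p->master) ? &p->aux : &p->master;

    /* Only the chip that issued the seed can accept a key for it. */
    ok = (r->seed != 0) && (key == derive_key(r->seed));
    r->seed = 0;                    /* a seed is valid for one attempt */
    r->sec_flag = (uint8_t)ok;
    if (peer->state != CHIP_DEAD)   /* mirrored over internal communication */
        peer->sec_flag = (uint8_t)ok;
    return ok;
}

int main(void)
{
    ecu_pair_t p = { { CHIP_OK, 0, 0, 0x1234u }, { CHIP_OK, 0, 0, 0x9ABCu }, 0 };
    uint32_t s = request_seed(&p);
    printf("both healthy:   %d\n", send_key(&p, derive_key(s)));
    printf("replayed key:   %d\n", send_key(&p, derive_key(s)));

    s = request_seed(&p);
    p.master.state = CHIP_DEAD;     /* heartbeat stops mid-handshake */
    printf("after failover: %d\n", send_key(&p, derive_key(s)));
    s = request_seed(&p);           /* auxiliary chip issues its own seed */
    printf("fresh seed:     %d\n", send_key(&p, derive_key(s)));
    return 0;
}
```

Because the seed lives only on the issuing chip, a takeover between the seed request and the key forces a new handshake instead of letting the new responder accept a key it never challenged.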
Example 2:
as shown in fig. 3, the special diagnostic instruction includes a routine control instruction, and if the main control chip and the auxiliary control chip have no fault, the external diagnostic apparatus sends the routine control instruction, including the following steps:
the main control main chip and the auxiliary control main chip both receive routine control requests sent by an external diagnostic instrument;
the main control main chip independently outputs a control instruction to the peripheral circuit;
the peripheral circuit receives the control instruction and responds, and the main control main chip monitors the response state and whether routine control is completed;
and the main control main chip responds to the external diagnostic instrument after receiving the peripheral control result.
In some embodiments, when the master chip fails, the diagnosis of the routine control instructions includes the steps of:
when the main control main chip fails and still can communicate:
the main control main chip and the auxiliary control main chip both receive routine control requests sent by an external diagnostic instrument;
the master control main chip feeds back a control right enabling signal and a master control main chip fault signal to the auxiliary control main chip through internal communication, and the auxiliary control main chip takes over the control right and generates master control main chip fault information after receiving the control right enabling signal and the master control main chip fault signal;
the auxiliary control main chip independently outputs a control instruction to the peripheral circuit;
the peripheral circuit receives the control instruction and responds, and the auxiliary control main chip monitors the response state and whether routine control is completed;
and the auxiliary control main chip responds to the external diagnostic instrument after receiving the peripheral control result.
When the main control main chip is completely paralyzed:
the auxiliary control main chip receives a routine control request sent by an external diagnostic instrument;
the auxiliary control main chip detects that the main control heartbeat signal has stopped, automatically enables the control right signal and takes over the system, and at the same time generates fault information of the main control main chip;
the auxiliary control main chip independently outputs a control instruction to the peripheral circuit;
the peripheral circuit receives the control instruction and responds, and the auxiliary control main chip monitors the response state and whether routine control is completed;
and the auxiliary control main chip responds to the external diagnostic instrument after receiving the peripheral control result.
In other embodiments, when the auxiliary control main chip fails, the diagnostic steps of the routine control instruction are the same as those described in Example 2 above.
Example 3:
as shown in fig. 4, the special diagnostic instruction includes a control unit writing information instruction, which is written into a data service through a data identifier DID, and if the main control chip and the auxiliary control chip are both fault-free, the external diagnostic apparatus issues the control unit writing information instruction, which includes the following steps:
the main control main chip and the auxiliary control main chip both receive a request for writing information into a control unit sent by an external diagnostic instrument;
the main control main chip and the auxiliary control main chip are both written with data sent by the diagnostic instrument;
after the writing is finished, the auxiliary control main chip feeds back the writing state to the main control main chip through internal communication, the main control main chip combines the self state to verify, if the main control main chip and the auxiliary control main chip are successfully written, the external diagnostic instrument is positively responded through external communication, and otherwise, the external diagnostic instrument is negatively responded.
In other embodiments, when the main control main chip or the auxiliary control main chip fails, a negative response is made if either main chip fails to write.
Example 4:
as shown in fig. 5, the special diagnostic instruction includes a control unit software download instruction, and if the main control chip and the auxiliary control chip are both fault-free, the external diagnostic apparatus sends the control unit software download instruction, which includes the following steps:
the main control main chip and the auxiliary control main chip both receive a control unit software downloading request sent by an external diagnostic instrument;
the main control main chip and the auxiliary control main chip both download the program transmitted by the diagnostic instrument;
after the downloading is finished, the auxiliary control main chip feeds back the state to the main control main chip through internal communication, the main control main chip combines the state of the main control main chip to verify, if the main control main chip and the auxiliary control main chip are downloaded successfully, the external diagnostic instrument is positively responded through external communication, and otherwise, the external diagnostic instrument is negatively responded.
In other embodiments, when the main control main chip or the auxiliary control main chip fails, a negative response is made if either main chip fails to download.
Example 5:
as shown in fig. 6, the special diagnostic instruction includes a fault code reading instruction, and if the main control chip and the auxiliary control chip have no fault, the external diagnostic apparatus sends out the fault code reading instruction, including the following steps:
the main control main chip and the auxiliary control main chip both receive a fault code reading request sent by an external diagnostic instrument;
the auxiliary control main chip sends the fault code of the auxiliary control unit and the fault state information of the auxiliary control unit to the main control main chip through internal communication;
the main control main chip receives the fault code of the auxiliary control unit and the fault state information of the auxiliary control unit, which are sent by the auxiliary control main chip, compares the fault state information of the auxiliary control unit with the fault state information of the main control unit, uniformly reports all fault information to an external diagnostic instrument through external communication if the faults are not coincident, accumulates the occurrence times of the faults if the faults are coincident, and uniformly reports the fault information to the external diagnostic instrument through the external communication.
In some embodiments, when the master main chip fails, the method comprises the following steps:
when the master control main chip can still communicate:
the main control main chip and the auxiliary control main chip both receive a fault code reading request sent by an external diagnostic instrument;
the main control main chip sends a main control unit fault code, a control right enabling signal, a main control main chip fault signal and main control unit fault state information to the auxiliary control main chip through internal communication, and the auxiliary control main chip receives the main control unit fault code, the main control unit fault state information and generates main control main chip fault information;
the auxiliary control main chip compares the fault state information of the main control unit with the fault state information of the auxiliary control unit, if the faults are not coincident, all the fault information is uniformly reported to the external diagnostic apparatus through external communication, if the faults are coincident, the occurrence times of the faults are accumulated, and then the faults are uniformly reported to the external diagnostic apparatus through external communication.
When the main control main chip is completely paralyzed:
the auxiliary control main chip receives a fault code reading request sent by an external diagnostic instrument;
the auxiliary control main chip detects that the main control heartbeat signal has stopped, automatically enables the control right signal and takes over the system, and at the same time generates fault information of the main control main chip;
the auxiliary control main chip directly reports the fault state information of the auxiliary control unit and the generated fault information of the main control main chip to the external diagnostic instrument in a unified way through external communication, and reads the fault state information of the main control unit sent by the external diagnostic instrument through the external communication.
In other embodiments, when the secondary control fails, the method comprises the steps of:
when the auxiliary control main chip can still communicate:
the procedure is the same as in Example 1 above.
When the auxiliary control main chip is completely paralyzed:
the main control main chip receives a fault code reading request sent by an external diagnostic instrument;
the main control main chip monitors that the heartbeat signal of the auxiliary control main chip stops and automatically generates fault information of the auxiliary control main chip;
the main control main chip uniformly reports the automatically generated fault information of the auxiliary control main chip and the fault state information of the main control unit to the external diagnostic instrument through external communication, and reads the fault state information of the auxiliary control unit sent by the external diagnostic instrument through external communication.
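The unified fault report of Example 5, as an added example (not code from the patent): the responding chip merges its own fault list with the peer's, accumulates counts for coincident codes, ignores the peer list when the peer's heartbeat has stopped, and appends a generated peer-chip fault entry whenever the peer is faulty. The `dtc_t` layout, the placeholder code `DTC_PEER_CHIP_FAULT`, the sample codes, the saturating counter and the buffer-full error are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* All names and code values are assumptions made for this example. */
typedef enum { PEER_OK, PEER_FAULT_COMM, PEER_DEAD } peer_state_t;

typedef struct {
    uint32_t code;    /* fault code */
    uint16_t count;   /* occurrence count */
} dtc_t;

#define DTC_PEER_CHIP_FAULT 0xFFFF01u  /* constructed placeholder code */

/* Add one entry: a coincident code accumulates its count (saturating),
 * a new code is appended. Returns -1 if the report buffer is full. */
static int add_dtc(dtc_t *out, size_t *n, size_t cap, dtc_t e)
{
    size_t i;
    for (i = 0; i < *n; i++) {
        if (out[i].code == e.code) {
            uint32_t sum = (uint32_t)out[i].count + e.count;
            out[i].count = (sum > UINT16_MAX) ? UINT16_MAX : (uint16_t)sum;
            return 0;
        }
    }
    if (*n >= cap)
        return -1;
    out[(*n)++] = e;
    return 0;
}

/* Build the unified report on the responding chip.
 * Returns the number of entries written, or -1 if `out` is too small. */
static int build_report(const dtc_t *local, size_t nl,
                        const dtc_t *peer, size_t np, peer_state_t ps,
                        dtc_t *out, size_t cap)
{
    size_t n = 0, i;
    dtc_t gen = { DTC_PEER_CHIP_FAULT, 1 };

    for (i = 0; i < nl; i++) {
        if (add_dtc(out, &n, cap, local[i]) != 0)
            return -1;
    }
    if (ps != PEER_DEAD) {          /* a silent peer delivers no list */
        for (i = 0; i < np; i++) {
            if (add_dtc(out, &n, cap, peer[i]) != 0)
                return -1;
        }
    }
    if (ps != PEER_OK) {            /* generated peer-chip fault entry */
        if (add_dtc(out, &n, cap, gen) != 0)
            return -1;
    }
    return (int)n;
}

int main(void)
{
    /* Constructed sample fault lists. */
    const dtc_t local[] = { { 0xC12100u, 2 }, { 0x500100u, 1 } };
    const dtc_t peer[]  = { { 0xC12100u, 3 }, { 0x400200u, 1 } };
    dtc_t out[8];
    int i, n = build_report(local, 2, peer, 2, PEER_FAULT_COMM, out, 8);

    for (i = 0; i < n; i++)
        printf("code 0x%06lX count %u\n",
               (unsigned long)out[i].code, (unsigned)out[i].count);
    return 0;
}
```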
The application also discloses a redundant control system, and the diagnostic information control method of the redundant control system is applied.
The application also discloses an electronic parking brake system, and the redundant control system diagnosis information control method is applied.
In some embodiments, the electronic parking brake system includes a first control unit and a completely equivalent second control unit, where the first control unit includes a main control main chip and the second control unit includes an auxiliary control main chip. The first control unit is electrically connected to the first parking actuator so as to implement parking, and the second control unit is electrically connected to the second parking actuator so as to implement parking. The second control unit is used as a standby control unit of the first control unit, and the second parking actuator is used as a standby parking actuator of the first parking actuator. The control system diagnostic information control method of the electronic parking brake system is as described above. In other embodiments, the first control unit and the second control unit may also control a plurality of parking actuators respectively, and the parking actuators controlled by the first control unit and the second control unit are different, so as to ensure that when one control unit or the parking actuator connected to it fails, the other control unit and the parking actuator it controls can complete parking braking.
The application has various embodiments, and all technical schemes formed by equivalent transformation or equivalent transformation fall within the protection scope of the application.

Claims (10)

1. The diagnosis information control method of the redundant control system is applied to the redundant control system with a completely equivalent main control unit and auxiliary control units, wherein the main control unit is internally provided with a main control main chip, and the auxiliary control unit is internally provided with an auxiliary control main chip, and is characterized in that: the method comprises the following steps:
the main control main chip and the auxiliary control main chip simultaneously receive a diagnosis instruction sent by an external diagnosis instrument;
the main control main chip and the auxiliary control main chip judge whether the main control main chip has faults or not at the same time;
when the main control main chip and the auxiliary control main chip have no faults, the main control main chip responds to an external diagnostic instrument through external communication, and meanwhile, corresponding fault state position information is transmitted to the auxiliary control main chip through internal communication, and the auxiliary control main chip sets the corresponding fault state position;
when the main control main chip fails, the auxiliary control main chip takes over control rights and responds to an external diagnostic instrument through external communication, and the auxiliary control main chip generates main control main chip failure information according to the main control main chip failure state;
when the auxiliary control main chip fails, the main control main chip still responds to the external diagnostic instrument through external communication, and the main control main chip generates auxiliary control main chip failure information according to the auxiliary control main chip failure state.
2. The redundant control system diagnostic information control method according to claim 1, wherein: the "when the main control main chip fails, the auxiliary control main chip takes over the control right and responds to the external diagnostic instrument through external communication, and the auxiliary control main chip generates main control main chip failure information according to the main control main chip failure state" includes:
when the main control main chip fails and still can communicate, the main control main chip sends a control right enabling signal and a main control main chip failure signal to the auxiliary control main chip through internal communication, and the auxiliary control main chip directly takes over the system and responds to an external diagnostic instrument through external communication, and meanwhile generates main control main chip failure information;
when the main control main chip is completely paralyzed, the auxiliary control main chip, after detecting through internal communication that the main control heartbeat signal has stopped, automatically enables the control right signal and takes over the system, responds to the external diagnostic instrument through external communication, and generates fault information of the main control main chip.
3. The redundant control system diagnostic information control method according to claim 1, wherein: when the auxiliary control main chip fails, the main control main chip still responds to the external diagnostic instrument through external communication, and generates auxiliary control main chip failure information according to the auxiliary control main chip failure state, and the method comprises the following steps:
when the auxiliary control main chip still can communicate, the main control main chip responds to the external diagnostic instrument through external communication, meanwhile, the auxiliary control main chip feeds back an auxiliary control main chip fault signal to the main control main chip through internal communication, and the main control main chip generates auxiliary control main chip fault information according to the received auxiliary control main chip fault signal;
when the auxiliary control main chip is completely paralyzed, the main control main chip responds to the external diagnostic instrument through external communication, and simultaneously the main control main chip monitors the heartbeat signal of the auxiliary control main chip to stop through internal communication, and automatically generates fault information of the auxiliary control main chip.
4. The redundant control system diagnostic information control method according to claim 1, wherein: the diagnosis instruction sent by the external diagnosis instrument also comprises a special diagnosis instruction, wherein the special diagnosis instruction comprises a safety access instruction, and if the main control main chip and the auxiliary control main chip have no faults, the external diagnosis instrument sends the safety access instruction and comprises the following steps:
the main control main chip and the auxiliary control main chip both receive a seed requesting instruction sent by an external diagnostic instrument;
the auxiliary control main chip keeps silent, the main control main chip generates seeds, and then the seeds are responded to the external diagnostic instrument through external communication;
the external diagnostic instrument calculates a secret key after receiving the seeds and sends the secret key to the main control main chip through external communication;
the main control main chip verifies the secret key; if verification succeeds, it responds positively to the external diagnostic instrument through external communication and transmits the positive state to the auxiliary control main chip through internal communication; if verification fails, it responds negatively to the diagnostic instrument through external communication and transmits the negative state to the auxiliary control main chip through internal communication;
the auxiliary control main chip sets its security check flag according to the state transmitted by the main control main chip through internal communication: if the state is positive, the flag is set to 1, meaning the security check has passed; if the state is negative, the flag is set to 0, meaning the security check has not passed; the initial value is 0.
5. The redundant control system diagnostic information control method according to claim 1, wherein: the diagnostic instructions sent by the external diagnostic instrument also comprise special diagnostic instructions, wherein the special diagnostic instructions comprise routine control instructions, and if the main control chip and the auxiliary control chip have no faults, the external diagnostic instrument sends the routine control instructions and comprises the following steps:
the main control main chip and the auxiliary control main chip both receive routine control requests sent by an external diagnostic instrument;
the main control main chip independently outputs a control instruction to the peripheral circuit;
the peripheral circuit receives the control instruction and responds, and the main control main chip monitors the response state and whether routine control is completed;
and the main control main chip responds to the external diagnostic instrument after receiving the peripheral control result.
6. The redundant control system diagnostic information control method according to claim 1, wherein: the diagnosis instruction sent by the external diagnosis instrument also comprises a special diagnosis instruction, wherein the special diagnosis instruction comprises an information writing instruction of the control unit, and if the main control chip and the auxiliary control chip have no faults, the external diagnosis instrument sends the information writing instruction of the control unit and comprises the following steps:
the main control main chip and the auxiliary control main chip both receive a request for writing information into a control unit sent by an external diagnostic instrument;
the main control main chip and the auxiliary control main chip are both written with data sent by the diagnostic instrument;
after the writing is finished, the auxiliary control main chip feeds back the writing state to the main control main chip through internal communication, the main control main chip combines the self state to verify, if the main control main chip and the auxiliary control main chip are successfully written, the external diagnostic instrument is positively responded through external communication, and otherwise, the external diagnostic instrument is negatively responded.
7. The redundant control system diagnostic information control method according to claim 1, wherein: the diagnosis instruction sent by the external diagnosis instrument also comprises a special diagnosis instruction, wherein the special diagnosis instruction comprises a control unit software downloading instruction, and if the main control chip and the auxiliary control chip have no faults, the external diagnosis instrument sends the control unit software downloading instruction and comprises the following steps:
the main control main chip and the auxiliary control main chip both receive a control unit software downloading request sent by an external diagnostic instrument;
the main control main chip and the auxiliary control main chip both download the program transmitted by the diagnostic instrument;
after the downloading is finished, the auxiliary control main chip feeds back the state to the main control main chip through internal communication, the main control main chip combines the state of the main control main chip to verify, if the main control main chip and the auxiliary control main chip are downloaded successfully, the external diagnostic instrument is positively responded through external communication, and otherwise, the external diagnostic instrument is negatively responded.
8. The redundant control system diagnostic information control method according to claim 1, wherein: the diagnostic instructions sent by the external diagnostic instrument also comprise special diagnostic instructions, wherein the special diagnostic instructions comprise instructions for reading fault codes, and if the main control main chip and the auxiliary control main chip have no faults, the external diagnostic instrument sends out the instructions for reading the fault codes and comprises the following steps:
the main control main chip and the auxiliary control main chip both receive a fault code reading request sent by an external diagnostic instrument;
the auxiliary control main chip sends the fault code and the fault state information of the auxiliary control unit to the main control main chip through internal communication;
the main control main chip receives fault codes sent by the auxiliary control main chip and fault state information of the auxiliary control unit, compares the fault state information of the auxiliary control unit with the fault state information of the main control unit, uniformly reports all fault information to an external diagnostic instrument through external communication if faults are not coincident, accumulates the occurrence times of the faults if the faults are coincident, and uniformly reports the fault information to the external diagnostic instrument through the external communication.
9. The redundant control system is characterized in that: use of a redundant control system diagnostic information control method according to any one of claims 1-8.
10. The electronic parking braking system is characterized in that: use of a redundant control system diagnostic information control method according to any one of claims 1-8.
CN202310960424.1A 2023-08-01 2023-08-01 Redundant control system diagnosis information control method and system and electronic parking brake system Pending CN117008575A (en)


Publications (1)

Publication Number Publication Date
CN117008575A true CN117008575A (en) 2023-11-07

Family

ID=88564961


Country Status (1)

Country Link
CN (1) CN117008575A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination