CN117724434A - Vehicle touch key system based on functional safety - Google Patents

Publication number: CN117724434A
Application number: CN202311241794.6A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 陆鹏, 孙江燕
Current assignee: Yanfeng Visteon Electronic Technology Nanjing Co Ltd
Original assignee: Yanfeng Visteon Electronic Technology Nanjing Co Ltd
Prior art keywords: mcu, data, touch, soc, module

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00: Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02: Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Lock And Its Accessories (AREA)

Abstract

The invention discloses a vehicle touch key system based on functional safety, which relates to the technical field of vehicles and comprises a display screen module and a cabin domain controller module. The deserializer and the display and touch module in the display screen module diagnose their own faults, send them to a first MCU through the IIC bus, and send corresponding signals to the cabin domain controller host according to the diagnosis results. Faults diagnosed by the serializer in the cabin domain controller module are sent to the SOC through the IIC bus; the SOC sends them to a second MCU through SPI, and the second MCU responds to the fault and sends the corresponding CAN signal to the BCM or other ECUs.

Description

Vehicle touch key system based on functional safety
Technical Field
The invention belongs to the technical field of vehicles, and particularly relates to a vehicle touch key system based on functional safety.
Background
Keys and switches that set vehicle functions, such as air-conditioning, wiper and vehicle light controls, are conventionally physical keys or switches. Distributing physical switches around the vehicle increases the cost and weight of the keys/switches themselves and of the vehicle wiring harness.
With the development of vehicle intelligence in recent years, some vehicles have begun to use touch keys on a large central control screen for some vehicle settings. However, some of these keys (such as the dipped headlight switch) relate to road vehicle functional safety (ISO 26262), and the setting switches in current vehicle touch screen systems are generally not designed with road vehicle functional safety in mind.
Disclosure of Invention
In order to achieve the above purpose, the technical scheme of the invention is as follows: a vehicle touch key system based on functional safety comprises a display screen module and a cabin domain controller module. The deserializer and the display and touch module in the display screen module diagnose their own faults, send them to a first MCU through the IIC bus, and send corresponding signals to the cabin domain controller host according to the diagnosis results. Faults diagnosed by the serializer in the cabin domain controller module are sent to the SOC through the IIC bus; the SOC sends them to a second MCU through SPI, and the second MCU responds to the fault and sends the corresponding CAN signal to the BCM or other ECUs.
Based on this technical scheme, touch chip fault detection covers touch sensor short circuit, touch sensor open circuit, touch sensor noise test and power-on self-test. Serializer/deserializer fault detection covers data ECC check, IIC access fault or bus-busy detection, and dual IIC redundancy (if one IIC fails, the other IIC is used to transmit data). MCU fault detection covers MPU memory protection, data ECC check, Flash data CRC integrity check, power-on latent fault self-test, watchdog clock detection and power supply abnormality detection.
As an improvement of the invention, the display screen module comprises a first power module, a display and touch module, a first MCU, a first watchdog chip and a deserializer. The first MCU is monitored by the first watchdog chip, which has an external independent clock; if the first MCU cannot feed the watchdog within the specified time window, the first MCU is restarted, which diagnoses MCU clock failure. A plurality of power supply chips supply power separately to the watchdog, the first MCU, the touch chip and the deserializer.
Based on this technical scheme, a plurality of power supply chips supply power separately to the first watchdog, the first MCU, the touch chip and the deserializer so as to avoid dependent failures. The power outputs that supply the watchdog, the touch chip and the deserializer are monitored by the MCU through AD sampling, and the first MCU's own safety mechanism can monitor and respond to abnormalities in its input power supply.
As an improvement of the invention, the cabin domain controller module comprises a second power module, an SOC, a second MCU, a second watchdog chip, a serializer and a CAN transceiver. The second MCU is monitored by the second watchdog chip, which has an independent clock; if the second MCU cannot feed the watchdog within the specified time window, the second MCU is restarted, which diagnoses MCU clock failure. A plurality of power chips supply power separately to the second watchdog, the second MCU, the SOC, the serializer and the CAN transceiver.
Based on this technical scheme, dependent failures are avoided. The power outputs that supply the second watchdog, the second MCU, the SOC, the serializer and the CAN transceiver are monitored by the second MCU through AD sampling, and the second MCU's own safety mechanism can monitor and respond to abnormalities in its input power supply.
As an improvement of the invention, the display and touch module collects the raw touch data and adds a checksum and a rolling counter to it. The data packet is transmitted through the deserializer and the serializer, and the SOC parses and checks the checksum and the rolling counter. If the check fails, the frame is discarded; if consecutive frames are wrong, the second MCU sends a safe state CAN signal to the external ECU, and the external ECU brings the whole system into a safe state.
Based on the above technical solution, the cabin domain controller MCU entering the safe state means that it sends a CAN signal carrying the safe state flag to the BCM or other ECU, and the BCM or other ECU then enters the safe state, for example keeping the dipped headlight on until the fault is cleared. E2E protection must be added to the CAN signals sent to other ECUs; the BCM or other ECU performs the E2E check on reception and can enter the safe state if the check fails. The GPU in the SOC renders the key image, and the CPU, as the processing unit, judges whether a key is pressed or released by combining the received touch-point data. The key-related program in the SOC runs in the QNX operating system, which ensures the functional safety level of the software.
As an improvement of the invention, the SOC receives and adopts valid touch data and computes the response to the intended functional operation, with a redundant confirmation design for keys that have functional safety requirements. In response to a touch key operation, the SOC sends data related to the safety key function to the second MCU through SPI communication, adding a checksum and a rolling counter. The MCU checks the checksum and the rolling counter; if they are wrong, the second MCU requests the SOC to resend the frame, and if N consecutive frames are wrong, the second MCU sends a safe state CAN signal to the external ECU, and the external ECU brings the whole system into a safe state.
Based on the technical scheme, the SPI communication between the MCU and the SOC requires heartbeat monitoring, and if the SOC runs abnormally, the MCU can bring the system into a safe state.
As an improvement of the invention, when the second MCU receives a correct safety key function, it sends the data related to the safety key to the other ECUs of the vehicle through CAN communication, adding a checksum and a rolling counter. The other ECUs of the vehicle check the checksum and the rolling counter on reception; if they are wrong, the ECU requires the second MCU to resend the frame, and if N consecutive frames are wrong, the ECU brings the whole system into a safe state.
As an improvement of the invention, the CAN signals use E2E protection and the other ECUs perform the E2E check. If the CAN data check fails, the cabin domain controller host is requested to resend the data; if N consecutive frames fail the check, the system enters a safe state. If the CAN connection is lost, the ECU brings the system into the safe state.
As an improvement of the invention, while the display and touch module is operating, sensor short circuit, sensor open circuit and sensor noise are monitored in real time. If a short circuit or open circuit fault occurs or the noise exceeds its threshold, a signal is sent to the cabin domain controller host, the host sends a safe state CAN signal to the external ECU, and the external ECU brings the whole system into a safe state.
As an improvement of the invention, the first MCU and the second MCU perform a latent fault self-check at each power-on; if a latent fault exists, a fault code is sent to the cabin domain controller host, and the host displays an image to inform the customer that the unit has a fault. The first MCU and the second MCU are monitored by the external first watchdog and second watchdog, which have independent clocks and independent power supplies; if the first MCU or the second MCU runs abnormally and cannot feed its watchdog within 100 ms, the first watchdog or the second watchdog restarts the first MCU or the second MCU. The first MCU and the second MCU monitor the power supply; if it is abnormal, the first MCU or the second MCU is restarted. During the restart, the first MCU or the second MCU ensures that CAN data stops being sent; when the external ECU, in its running state, does not receive the CAN data from the cabin domain controller on time, it brings the system into a safe state.
As an improvement of the invention, the power module supplies power to the SOC, the watchdog, the serializer and the CAN transceiver, and the power outputs are fed to the MCU through AD sampling. The second MCU monitors the power module; if the power supply is abnormal, the power supply is restarted and a safe state CAN signal is sent to the external ECU, which brings the whole system into the safe state. The SOC is monitored by the second MCU: the SOC sends heartbeat data to the second MCU every 10 ms, and if the heartbeat is lost M consecutive times, the second MCU restarts the system. During the restart, the first MCU or the second MCU ensures that CAN data stops being sent; when the external ECU, in its running state, does not receive the CAN data from the cabin domain controller on time, it brings the system into the safe state.
Compared with the prior art, the invention has the beneficial effects that:
The invention discloses a vehicle touch key system that meets the functional safety requirements of road vehicles, solving the problem that touch keys in existing vehicles do not comply with road vehicle functional safety. The invention uses chip and circuit fault monitoring, signal transmission integrity measures, software fault response, fault-tolerant design and the like to ensure that the touch keys meet the functional safety requirements. The touch keys can safely replace the vehicle's original physical keys/switches, effectively reducing the cost and weight of the keys/switches, the wiring harness and the like.
The invention provides a safer vehicle-mounted touch key system, which ensures that safety-related functions can enter a safe state when the display and touch system has a fault. It reduces the weight and cost of the whole vehicle while giving the vehicle a more modern feel, and at the same time meets the requirements of road vehicle functional safety, so that the vehicle is safer.
Drawings
FIG. 1 is a schematic block diagram of a touch key system according to the functional safety requirements of the present invention;
FIG. 2 is a schematic diagram of the SOC of the present invention;
FIG. 3 is a flow chart of the present invention for preventing user mishandling or some phantom operations;
FIG. 4 is a schematic diagram of the touch data signal and the functional signal according to the present invention;
FIG. 5 is a diagram of the signal integrity data check link of the present invention.
List of drawing identifiers: 1-display and touch module, 2-first power module, 3-first watchdog, 4-first MCU, 5-deserializer, 6-SOC, 7-serializer, 8-second power module, 9-second watchdog, 10-second MCU, 11-CAN transceiver, 12-external ECU, 13-cabin controller, 14-display screen.
Description of the embodiments
The present invention is further illustrated in the following drawings and detailed description, which are to be understood as being merely illustrative of the invention and not limiting the scope of the invention.
Example 1: as shown in fig. 1, the display screen mainly comprises a first power module, a display and touch module, a first MCU, a first watchdog chip and a deserializer.
The deserializer and the display and touch module have fault diagnosis functions: they diagnose their own faults, send them to the MCU through the IIC bus, and send corresponding signals to the cabin domain controller host according to the diagnosis results. Touch chip fault detection includes: touch sensor short circuit; touch sensor open circuit; touch sensor noise test; power-on self-test. Serializer/deserializer fault detection includes: data ECC check; IIC access failure or bus-busy detection; dual IIC redundancy, where if one IIC fails the other IIC is used to transmit data. First MCU fault detection includes: MPU memory protection; data ECC check; Flash data CRC integrity check; power-on latent fault self-test; watchdog clock detection; power supply abnormality detection.
The first watchdog chip, which has an external independent clock, monitors the first MCU; if the first MCU cannot feed the watchdog within the specified time window, the first MCU is restarted, which diagnoses MCU clock failure.
A plurality of power supply chips supply power separately to the first watchdog, the first MCU, the touch chip and the deserializer so as to avoid dependent failures. The power outputs that supply the first watchdog, the touch chip and the deserializer are monitored by the first MCU through AD sampling, and the first MCU's own safety mechanism can monitor and respond to abnormalities in its input power supply.
The cabin domain controller chip mainly comprises a second power module, an SOC, a second MCU, a second watchdog chip, a serializer and a CAN transceiver.
The serializer has a fault diagnosis function, the diagnosed faults are sent to the SOC through the IIC bus, the SOC sends the faults to the second MCU through the SPI, and the second MCU responds to the faults and sends corresponding CAN signals to the BCM or other ECUs.
The second watchdog chip monitors the second MCU; if the second MCU cannot feed the watchdog within the specified time window, the second MCU is restarted, which diagnoses MCU clock failure.
A plurality of power chips supply power separately to the second watchdog, the second MCU, the SOC, the serializer and the CAN transceiver so as to avoid dependent failures. The power outputs that supply the second watchdog, the second MCU, the SOC, the serializer and the CAN transceiver are monitored by the second MCU through AD sampling, and the second MCU's own safety mechanism can monitor and respond to abnormalities in its input power supply.
SPI communication between the second MCU and the SOC requires heartbeat monitoring, and if the SOC is abnormal in operation, the system can be brought into a safe state by the second MCU.
Touch signal safety link: the display and touch module receives the touch-point information and adds a checksum and a rolling counter to the raw touch-point coordinate data. The serializer/deserializer only passes the touch-point data through transparently. The SOC checks the received touch-point information and adopts the data only after the check passes; if the check fails, the frame is discarded and counted. If the consecutive count exceeds 3, the touch data is considered faulty and the second MCU is informed that the safe state must be entered.
The second MCU of the cabin domain controller entering the safe state means that it sends a CAN signal carrying the safe state flag to the BCM or other ECU, and the BCM or other ECU then enters the safe state, for example keeping the dipped headlight on until the fault is cleared.
E2E protection must be added to the CAN signals sent to other ECUs; the BCM or other ECU performs the E2E check on reception and can enter the safe state if the check fails.
Touch key principle: the GPU in the SOC renders the key image, and the CPU, as the processing unit, determines whether the key is pressed or released by combining the received touch-point data, as shown in FIG. 2. The key-related program in the SOC runs in the QNX operating system, which ensures the functional safety level of the software.
Example 2: this embodiment is a vehicle touch key system based on functional safety, comprising a display screen and a cabin domain controller. In this system, the switch/key image is rendered by the SOC, transmitted through the serializer/deserializer to the display screen's video driver chip, and displayed on the TFT.
A hypervisor runs on the SOC of the cabin domain controller, the Android and QNX operating systems run in virtual machines on it, and the touch switches/keys run in the QNX operating system, which meets the functional safety requirement.
The display and touch module collects the raw touch data and adds a checksum and a rolling counter to it. The data packet is transmitted through the deserializer and the serializer, and the SOC parses and checks the checksum and the rolling counter. If the check fails, the frame is discarded; if 3 consecutive frames are wrong, the second MCU sends a safe state CAN signal to the external ECU (BCM), and the external ECU (BCM) brings the whole system into a safe state. The combination of the checksum and the rolling counter can meet high requirements on the diagnostic coverage of the communication data.
The SOC receives and adopts valid touch data and computes the response to the intended functional operation. For keys with functional safety requirements it uses a redundant confirmation design, so as to avoid user misoperation or phantom touches; the key operation for turning off the dipped headlight is an example. As shown in FIG. 3, turning off the low beam may cause a dangerous event, so two consecutive correct touch operations are required to turn off the low beam.
In response to a touch key operation, the SOC sends data related to the safety key function to the second MCU through SPI communication. The second MCU checks the checksum and the rolling counter; if they are wrong, the second MCU requests the SOC to resend the frame, and if 3 consecutive frames are wrong, the second MCU sends a safe state CAN signal to the external ECU (BCM), and the external ECU (BCM) brings the whole system into a safe state.
When the second MCU receives a correct safety key function, it sends the data related to the safety key to the other ECUs (BCM) of the vehicle through CAN communication, adding a checksum and a rolling counter. The other ECUs (BCM) of the vehicle check the checksum and the rolling counter on reception; if they are wrong, the ECU (BCM) requires the second MCU to resend the frame, and if 3 consecutive frames are wrong, the ECU (BCM) 12 brings the whole system into a safe state.
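The checksum and rolling counter check that the text applies on the touch link, the SPI link and the CAN link can be sketched as follows; this is an added example, not code from the patent or its assignee. The frame layout, the 4-bit counter, the CRC-8 polynomial and all names are assumptions, the resend request is not modelled, and only the limit of 3 consecutive bad frames comes from the text.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (not from the patent): 4-bit rolling counter, 4 payload
 * bytes (touch x/y as two 16-bit values), CRC-8 over counter + payload. */
#define PAYLOAD_LEN            4
#define COUNTER_MOD            16
#define MAX_CONSECUTIVE_ERRORS 3   /* from the text: 3 consecutive frames */

typedef struct {
    uint8_t counter;
    uint8_t payload[PAYLOAD_LEN];
    uint8_t checksum;
} frame_t;

typedef enum { FRAME_ACCEPTED, FRAME_DISCARDED, SAFE_STATE } rx_result_t;

typedef struct {
    bool    synced;              /* a valid frame has been seen */
    uint8_t expected;            /* counter the next frame must carry */
    uint8_t consecutive_errors;
    bool    safe_state;          /* latched once the limit is reached */
} rx_state_t;

/* CRC-8, polynomial 0x1D, init 0xFF, final XOR 0xFF (illustrative choice). */
static uint8_t crc8(const uint8_t *data, size_t len)
{
    uint8_t crc = 0xFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int bit = 0; bit < 8; bit++)
            crc = (crc & 0x80) ? (uint8_t)((crc << 1) ^ 0x1D)
                               : (uint8_t)(crc << 1);
    }
    return (uint8_t)(crc ^ 0xFF);
}

/* The checksum covers the counter too, so a stale counter cannot be patched. */
static uint8_t frame_crc(const frame_t *f)
{
    uint8_t buf[1 + PAYLOAD_LEN];
    buf[0] = f->counter;
    memcpy(&buf[1], f->payload, PAYLOAD_LEN);
    return crc8(buf, sizeof buf);
}

/* Sender side: stamp the payload with counter and checksum. */
frame_t frame_build(uint8_t counter, const uint8_t payload[PAYLOAD_LEN])
{
    frame_t f;
    f.counter = (uint8_t)(counter % COUNTER_MOD);
    memcpy(f.payload, payload, PAYLOAD_LEN);
    f.checksum = frame_crc(&f);
    return f;
}

/* Receiver side: accept a frame only if the checksum matches and the counter
 * is the expected one; count consecutive failures and latch the safe state. */
rx_result_t rx_check(rx_state_t *st, const frame_t *f)
{
    if (st->safe_state)
        return SAFE_STATE;              /* stays latched until fault is cleared */

    bool crc_ok = (frame_crc(f) == f->checksum);
    bool ctr_ok = crc_ok && f->counter < COUNTER_MOD &&
                  (!st->synced || f->counter == st->expected);

    if (crc_ok) {                       /* counter is trustworthy: resync */
        st->expected = (uint8_t)((f->counter + 1) % COUNTER_MOD);
        st->synced = true;
    } else if (st->synced) {            /* corrupt frame still used one slot */
        st->expected = (uint8_t)((st->expected + 1) % COUNTER_MOD);
    }

    if (ctr_ok) {
        st->consecutive_errors = 0;
        return FRAME_ACCEPTED;
    }
    if (++st->consecutive_errors >= MAX_CONSECUTIVE_ERRORS) {
        st->safe_state = true;          /* caller sends the safe state signal */
        return SAFE_STATE;
    }
    return FRAME_DISCARDED;
}

int main(void)
{
    static const char *names[] = { "accepted", "discarded", "SAFE STATE" };
    const uint8_t touch[PAYLOAD_LEN] = { 0x01, 0x20, 0x00, 0xF0 }; /* constructed */
    rx_state_t st = { 0 };
    frame_t f = frame_build(0, touch);
    printf("frame 0: %s\n", names[rx_check(&st, &f)]);
    for (int i = 0; i < 3; i++)         /* frozen sender repeats frame 0 */
        printf("repeat %d: %s\n", i + 1, names[rx_check(&st, &f)]);
    return 0;
}
```

A checksum and rolling counter detect corruption, loss, repetition and a frozen sender; they do not authenticate the sender, since anyone who can place frames on the link can compute a valid checksum.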
SPI communication is used between the second MCU of the cabin domain controller host and the SOC. The SOC calculates the state of the switch/key from the touch coordinate data and sends the state to the second MCU through SPI, and the second MCU sends it to the other ECUs (BCM) through CAN signals.
The CAN signals use E2E protection and the other ECUs (BCM) perform the E2E check. If the CAN data check fails, the cabin domain controller host is requested to resend the data, and if 3 consecutive frames fail the check, the system enters a safe state. If the CAN connection is lost, the ECU (BCM) brings the system into a safe state.
The flow of the touch data signal and the functional signal is shown in FIG. 4.
The signal integrity data check link is shown in FIG. 5.
The display and touch module uses the HiMax HX83192, which performs a self-check at each power-on and sends a fault code to the cabin domain controller host when a latent fault exists; the cabin domain controller host drives the display screen to show an image or text informing the customer that the unit has a fault.
While the display and touch module is operating, sensor short circuit, sensor open circuit and sensor noise are monitored in real time. If a short circuit or open circuit fault occurs or the noise exceeds its threshold, a signal is sent to the cabin domain controller host, the host sends a safe state CAN signal to the external ECU (BCM), and the external ECU (BCM) brings the whole system into a safe state.
The serializer is the TI DS90UH981Q1 and the deserializer is the TI DS90UH984B-Q1. They provide data ECC checking with 1- or 2-bit data checking and error-correcting capability, and can correct IIC data. IIC access failure or bus-busy detection is combined with dual IIC redundancy: if one IIC fails, the other IIC is used to transmit data.
The first MCU and the second MCU use the Infineon Traveo II. At each power-on they perform a latent fault self-check; if a latent fault exists, a fault code is sent to the cabin domain controller host, and the host displays an image to inform the customer that the unit has a fault. The MPU is used to protect safety-related code and data from being corrupted. The first MCU and the second MCU are monitored by the external first watchdog and second watchdog, which have independent clocks and independent power supplies; if the first MCU or the second MCU runs abnormally and cannot feed its watchdog within 100 ms, the first watchdog or the second watchdog restarts the first MCU or the second MCU. The first MCU and the second MCU monitor the power supply; if the power supply is abnormal, the first MCU or the second MCU is restarted. During the restart, the first MCU or the second MCU ensures that CAN data stops being transmitted; when the external ECU (BCM), in its running state, does not receive the CAN data from the cabin domain controller on time, it brings the system into a safe state.
The display and touch module, the first watchdog and the deserializer are powered by the first power module, and the power outputs are fed to the first MCU through AD sampling. The first MCU monitors the first power module; if the power supply is abnormal, the power supply is restarted and the system is brought into a safe state.
The second power module supplies power to the SOC, the second watchdog, the serializer and the CAN transceiver, and the power outputs are fed to the second MCU through AD sampling. The second MCU monitors the second power module; if the power supply is abnormal, the power supply is restarted and a safe state CAN signal is sent to the external ECU (BCM), which brings the whole system into a safe state.
The second MCU monitors the state of the SOC: the SOC sends heartbeat data to the second MCU every 10 ms, and if the heartbeat is lost 10 consecutive times, the second MCU restarts the system. During the restart, the first MCU or the second MCU ensures that CAN data stops being transmitted; when the external ECU (BCM), in its running state, does not receive the CAN data from the cabin domain controller on time, it brings the system into a safe state.
It should be noted that the foregoing merely illustrates the technical idea of the present invention and is not intended to limit the scope of the present invention, and that a person skilled in the art may make several improvements and modifications without departing from the principles of the present invention, which fall within the scope of the claims of the present invention.

Claims (10)

1. The vehicle touch key system based on functional safety is characterized in that the key system comprises a display screen module and a cabin domain controller module, a deserializer and a display and touch module in the display module diagnose that the self fault is sent to a first MCU through an IIC bus, and send corresponding signals to a cabin domain controller host according to diagnosis results, a serializer in the cabin domain controller module diagnose that the fault is sent to an SOC through the IIC bus, the SOC sends the fault to a second MCU through an SPI, and the second MCU responds to the fault and sends corresponding CAN signals to a BCM or other ECUs.
2. The vehicle touch key system based on functional safety according to claim 1, wherein the display screen module comprises a first power module, a display and touch module, a first MCU, a first watchdog chip and a deserializer, wherein the first MCU is monitored by an external independent clock, and if the first MCU cannot feed dogs in a specified time window, the first MCU is restarted to diagnose MCU clock failure, and a plurality of power chips are used for respectively supplying power to the watchdog, the first MCU, the touch chip and the deserializer.
3. The vehicle touch key system based on functional safety of claim 2, wherein the cabin domain controller module comprises a second power module, an SOC, a second MCU, a second watchdog chip, a serializer and a CAN transceiver, the second MCU is monitored by the independent clock watchdog chip, if the second MCU cannot feed dogs within a specified time window, the second MCU will restart to diagnose the MCU clock failure, and the second watchdog, the second MCU, the SOC, the serializer and the CAN transceiver are powered by the plurality of power chips.
4. The touch key system of claim 1, wherein the display and touch module is configured to collect touch raw data, add a checksum and a rolling counter to the raw data, parse and check the checksum and the rolling counter by the SOC, discard the frame data if the succession of frame data is wrong, and send a security state CAN signal to the external ECU, and bring the whole system into a security state by the external ECU.
5. The touch key system of claim 4, wherein the SOC receives and uses valid touch data, responds to an expected functional operation by calculating, performs redundancy confirmation design for keys with functional safety requirements, responds to the function of the touch key operation, sends data related to the safety key function to the second MCU through SPI communication, adds a Checksum and a rolling counter, checks the Checksum and the rolling counter by the MCU, and requests the second MCU to resend the frame data, and if the continuous N frame data is wrong, the second MCU sends a safety state CAN signal to the external ECU, and the external ECU brings the whole system into a safety state.
6. The touch key system of claim 5, wherein the second MCU receives the correct key function, sends data related to the key function to other ECU of the whole vehicle through CAN communication and adds a Checksum and a rolling counter, and the other ECU of the whole vehicle checks the Checksum and the rolling counter when receiving the data, and the ECU requests the second MCU to resend the frame data, and if the continuous N frame data is wrong, the ECU brings the whole system into a safe state.
7. The touch key system of claim 1, wherein the CAN signal is protected by E2E, the other ECU performs E2E check, if the CAN data check is not passed, the cabin controller host is requested to resend the data, if the continuous N frame data check fails, the system is put into a safe state, the CAN is lost, and the ECU brings the system into a safe state.
8. The touch key system of claim 1, wherein the display and touch module monitors the sensor for short and open circuits and sensor noise in real time while operating, and if there is a short circuit, open circuit failure and noise exceeding a threshold, sends a signal to the cabin controller host, which sends a safety state CAN signal to the external ECU, which brings the entire system into a safety state.
9. The touch key system of a vehicle based on functional safety according to claim 3, wherein the first MCU and the second MCU are powered on each time to perform latent fault self-checking, if a latent fault exists, a fault code is sent to a cabin domain controller host, the host displays images to prompt a client machine to have faults, an external first watchdog and a first watchdog of independent clocks and independent power supplies are adopted to monitor the first MCU and the second MCU, the first MCU or the second MCU cannot feed the first MCU and the second MCU within a specified time due to abnormal operation, the first MCU or the first watchdog CAN restart the first MCU or the second MCU, the first MCU and the second MCU CAN monitor the power supply, if the first MCU or the second MCU is abnormally restarted, the first MCU or the second MCU guarantees that CAN data stops sending in the restarting process, and when the system is in an operation state, the external ECU cannot receive the CAN data sent by the cabin domain controller in time, and the system is brought into a safe state.
10. The vehicle touch key system based on functional safety according to claim 1, wherein the SOC, the watchdog, the serializer and the CAN transceiver are powered by a power module; a power output end of the power supply is input to the MCU through AD sampling, and the power module is monitored by the second MCU; if the power supply is abnormal, the power is restarted and a safe-state CAN signal is sent to the external ECU, which brings the whole system into the safe state; the SOC is monitored by the second MCU, the SOC sends heartbeat data to the second MCU at regular intervals, and the second MCU restarts the system for M times; the first MCU or the second MCU guarantees that CAN data stops being sent during the restart; and in the running state, if the external ECU cannot receive the CAN data sent by the cabin domain controller on time, the system is brought into the safe state.
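The checksum and rolling-counter check of claims 6 and 7, with the "N consecutive bad frames" escalation, can be sketched as follows; this is an added example, not code from the patent or the applicant. The CRC-8 polynomial, the 4-bit counter, the 8-byte frame layout, N = 3, all function and type names, and the choice to resynchronise the counter on any frame whose checksum is intact are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define N_BAD_LIMIT 3u   /* assumed value for the claims' "N" */
#define PAYLOAD_LEN 6u   /* assumed layout: 6 data bytes + counter + checksum */

typedef enum { RX_ACCEPT, RX_REQUEST_RESEND, RX_SAFE_STATE } rx_action_t;
typedef struct { uint8_t data[PAYLOAD_LEN]; uint8_t counter; uint8_t checksum; } key_frame_t;
typedef struct { uint8_t expected; uint8_t bad_run; bool synced; bool safe; } rx_state_t;

/* Assumed checksum: CRC-8, polynomial 0x1D, init 0xFF, over data + counter. */
static uint8_t frame_crc(const key_frame_t *f) {
    const uint8_t *p = (const uint8_t *)f;
    uint8_t crc = 0xFFu;
    for (size_t i = 0; i < PAYLOAD_LEN + 1u; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x80u) ? (uint8_t)((crc << 1) ^ 0x1Du) : (uint8_t)(crc << 1);
    }
    return crc;
}

/* Sender side (second MCU in the claims): stamp the counter, then the checksum. */
void key_frame_build(key_frame_t *f, const uint8_t data[PAYLOAD_LEN], uint8_t counter) {
    for (size_t i = 0; i < PAYLOAD_LEN; i++) f->data[i] = data[i];
    f->counter = counter & 0x0Fu;          /* assumed 4-bit rolling counter */
    f->checksum = frame_crc(f);
}

/* Receiver side (other ECU): decide what to do with one received frame. */
rx_action_t key_frame_check(rx_state_t *s, const key_frame_t *f) {
    if (s->safe) return RX_SAFE_STATE;     /* safe state is latched */
    bool crc_ok = (frame_crc(f) == f->checksum);
    bool ctr_ok = !s->synced || (f->counter == s->expected);
    if (crc_ok) {                          /* trust the counter only if intact */
        s->expected = (uint8_t)((f->counter + 1u) & 0x0Fu);
        s->synced = true;
    }
    if (crc_ok && ctr_ok) { s->bad_run = 0; return RX_ACCEPT; }
    if (++s->bad_run >= N_BAD_LIMIT) { s->safe = true; return RX_SAFE_STATE; }
    return RX_REQUEST_RESEND;
}
```

A frame that repeats an old counter value fails the counter check even though its checksum is valid, which is what lets the receiver tell a stuck or stale sender from a live one.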
CN202311241794.6A 2023-09-25 2023-09-25 Vehicle touch key system based on functional safety Pending CN117724434A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311241794.6A CN117724434A (en) 2023-09-25 2023-09-25 Vehicle touch key system based on functional safety

Publications (1)

Publication Number Publication Date
CN117724434A true CN117724434A (en) 2024-03-19

Family

ID=90198577

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311241794.6A Pending CN117724434A (en) 2023-09-25 2023-09-25 Vehicle touch key system based on functional safety

Country Status (1)

Country Link
CN (1) CN117724434A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination