DE102018207542B4 - Method and device for controlling a safety-relevant process and vehicle - Google Patents

Abstract

Method for controlling a safety-related process, wherein at least two microcontrollers (256, 356) are used for the control, each of the at least two microcontrollers (256, 356) being designed for controlling the safety-related process, the at least two microcontrollers (256 , 356) each have at least two computing cores (252, 254, 352, 354) in which the same algorithm is calculated, characterized in that at least certain processing results, hereinafter referred to as computing results, of the computing cores (252, 254, 352, 354) in Decision modules (261, 262, 361, 362) distributed over the computing cores (252, 254, 352, 354) are checked, the calculation results under the at least four computing cores (252, 254, 352, 354) of the at least two microcontrollers ( 256, 356) are exchanged and compared with one another in at least four comparators (251, 255, 351, 355), and when one is detected Deviation, a majority decision is made over at least three of the decision modules (261, 262, 361, 362) distributed among the computing cores (252, 254, 352, 354), with the at least three decision modules (261, 262, 361, 362) each showing the deviation results the other two decision modules are made available, the type that the control of the security-relevant process by the microcontroller (256, 356) of a control string in which the computing kernel (252, 254, 352, 354) is located, whose computation result depends on the Calculation results in at least two other computing cores (252, 254, 352, 354) deviate, is prevented when the deviation is confirmed in at least two of the distributed decision modules (261, 262, 361, 362).

Description

The present invention relates to a method for controlling a safety-related process according to the features of the preamble of claim 1, a device for controlling a safety-related process according to the features of the preamble of claim 7 and a vehicle that has such a device.

In today's vehicles, mostly electromechanical steering systems ( 1 ) used. If errors occur in the electronics of these steering systems during operation, the steering assistance is switched off or reduced. The driver then steers the vehicle with increased effort.

The generic DE 10 2011 084 534 A1 shows a method and a device of the generic type.

From the DE 10 2013 203 978 A1 a vehicle is known that has such a device.

In the near future, autonomous driving systems will be used in vehicles, which will enable the driver to no longer be permanently occupied with the driving task and to perform secondary activities (reading, sleeping, writing messages ...) when the driving system is active. The driver is therefore no longer available to the steering system as a fallback level in the event of a fault. Accordingly, the steering system used in conjunction with an autonomous driving system must still be able to guide the vehicle and adjust a movement on the rack even after a fault.

• • Level 0: „Driver only“, der Fahrer fährt selbst, lenkt, gibt Gas, bremst etc.
• • Level 1: Bestimmte Assistenzsysteme helfen bei der Fahrzeugbedienung (u.a. ein Abstandsregelsystem - Automatic Cruise Control ACC).
• • Level 2: Teilautomatisierung. U.a. automatisches Einparken, Spurhaltefunktion, allgemeine Längsführung, Beschleunigen, Abbremsen etc. werden von den Assistenzsystemen übernommen (u.a. Stauassistent).
• • Level 3: Hochautomatisierung. Der Fahrer muss das System nicht dauernd überwachen. Das Fahrzeug führt selbstständig Funktionen wie das Auslösen des Blinkers, Spurwechsel und Spurhalten durch. Der Fahrer kann sich anderen Dingen zuwenden, wird aber bei Bedarf innerhalb einer Vorwarnzeit vom System aufgefordert, die Führung zu übernehmen. Diese Form der Autonomie ist auf Autobahnen technisch machbar. Der Gesetzgeber arbeitet darauf hin, Level 3-Fahrzeuge zuzulassen. Die gesetzlichen Rahmenbedingungen wurden dafür bereits geschaffen.
• • Level 4: Vollautomatisierung. Die Führung des Fahrzeugs wird dauerhaft vom System übernommen. Werden die Fahraufgaben vom System nicht mehr bewältigt, kann der Fahrer aufgefordert werden, die Führung zu übernehmen.
• • Level 5: Kein Fahrer erforderlich. Außer dem Festlegen des Ziels und dem Starten des Systems ist kein menschliches Eingreifen erforderlich.

Autonomous driving (sometimes also called automatic driving, automated driving or piloted driving) means the locomotion of vehicles, mobile robots and driverless transport systems that are largely autonomous. There are different grades of the term autonomous driving. At certain levels, autonomous driving is also used when there is still a driver in the vehicle who may only be responsible for monitoring the automatic driving process. In Europe the various transport ministries (in Germany the Federal Highway Research Institute was involved) worked together and defined the following levels of autonomy.

• • Level 0: "Driver only", the driver drives himself, steers, accelerates, brakes etc.
• • Level 1: Certain assistance systems help to operate the vehicle (including a distance control system - Automatic Cruise Control ACC).
• • Level 2: partial automation. Automatic parking, lane keeping function, general longitudinal guidance, acceleration, braking, etc. are taken over by the assistance systems (including traffic jam assistant).
• • Level 3: high automation. The driver does not have to constantly monitor the system. The vehicle independently performs functions such as activating the indicator, changing lanes and keeping in lane. The driver can do other things, but if necessary, the system prompts them to take the lead within a warning period. This form of autonomy is technically feasible on motorways. Legislators are working to allow Level 3 vehicles. The legal framework for this has already been created.
• • Level 4: full automation. The system is permanently in charge of the vehicle. If the system can no longer handle the driving tasks, the driver can be asked to take the lead.
• • Level 5: No driver required. No human intervention is required other than setting the destination and starting the system.

Automated driving functions from level 3 relieve the driver of the responsibility for controlling the vehicle. A steering system involved in this, which can fail due to a single fault, therefore needs a suitable fallback level in order to be able to keep the vehicle always in a safe condition in terms of driving dynamics until the driver can intervene again, or even with a higher level of autonomy, until the vehicle stops without the driver's support Standstill comes. The safety-relevant systems such as braking systems, driving dynamics systems, steering systems, etc. for this type of vehicle, which offer automated driving from level 3, are always designed redundantly. They then consist of control lines, both of which can carry out the control process, so that a component can fail without endangering driving stability.

The double redundant design of the steering system electronics is known. The input signals are already made available twice in the power steering control unit. The logic part is also implemented twice, where parallel, independent signal processing takes place. This also applies to the power section, which is also designed twice and controls one or more suitable electric motors (eg 6-phase or 12-phase motor). If an error occurs in one of the two sub-systems, the other sub-system is basically able to provide at least a reduced steering assistance for generating a rack movement.

One challenge with this structure is that a recognized error must also be identified as such with quantifiable certainty. In order to meet the safety requirements and to avoid unjustified power reductions and shutdowns, it is necessary that the error must be confirmed by a separate entity.

The other tax line alone is not considered here, however, since in the event of a contrary decision, the probability that this test has delivered an incorrect result is just as high as the probability that the error detected by the other control line was recognized as faulty.

A third instance is therefore necessary, which in this case decides whether the error is confirmed as such or not (2 out of 3 decision). One possible solution is to use a third, independent microprocessor (state of the art in aerospace). However, since this solution entails additional hardware expenditure with additional space requirements and increased costs, it has some disadvantages.

From the EP 2 450 261 A2 a device for controlling an electric motor for power steering is known. A main computer receives the signals from sensors, processes them and outputs control signals. In addition, a monitoring computer is provided, which also receives the signals from the sensors and is able to take its place in the event of a failure or defect in the main computer.

From the DE 10 2016 203 090 A1 a control device with at least two microcontrollers is known, the at least two microcontrollers being in communication with one another via at least one Ethernet connection and being set up to exchange data via them. In particular, this ensures that the individual microcontrollers can also communicate with one another in the event of a fault, for example if one of the microcontrollers has a defect or if one of the Ethernet connections fails due to a line break. In one example, the control device has four microcontrollers, each with two processor cores, which are connected to one another in a ring.

From the DE 10 2016 205 109 A1 a microprocessor with at least two processor cores is known, a first processor core being set up to execute the functions implemented in hardware by specially configured hardware, and a second processor core being set up to execute the functions in software implementation by executing software. The first processor core is set up to monitor and / or safeguard a function performed by the second processor core. The monitoring is based on the use of redundant hardware.

In the context of the invention, it was recognized that the security requirement that an error must be confirmed by a separate entity cannot easily be implemented without additional hardware expenditure.

The object of the invention is to find a solution as to how a further independent entity can be implemented without having to use an additional processor.

This object is achieved by a method for controlling a safety-relevant process according to claim 1, a device for controlling a safety-relevant process according to claim 7 and a motor vehicle according to claim 11

The dependent claims contain advantageous developments and improvements of the invention according to the following description of these measures.

The invention relies on a special hardware architecture. At least two microcontrollers are used to control a safety-relevant process, each of the at least two Microcontroller is designed to control the safety-relevant process. So it is a redundant system. The two microcontrollers are each equipped with at least two computing cores in which the same algorithm is calculated. The method according to the invention for controlling the security-relevant process is characterized in that at least certain computation results of the computation cores are checked in decision modules distributed over the computation kernels, with the computation results being exchanged among the computation cores and compared with one another for verification. When a discrepancy is detected, a majority decision is made over at least three of the distributed decision-making modules. This then has the effect that the control of the security-relevant process by the microcontroller of the control line in which the calculation kernel is located, the calculation result of which deviates from the calculation results in at least two other calculation kernels, is prevented if the deviation is confirmed in at least two of the distributed decision-making modules. The third instance is implemented by distributing the decision-making modules over the computing cores, which all check the computation results, and forming a majority, and another microcontroller can be saved.

The decision-making modules are implemented as “virtual” or “logical” decision-makers, so they are not physically present in a component, but are distributed as software modules in the computing cores of the two microcontrollers.

The control of the safety-relevant process can be prevented in an advantageous manner by switching off or partial disabling of the control of the safety-relevant process by the microcontroller itself, in which the computation kernel is located, in whose computation result the discrepancy was determined. This corresponds to a variant that is easy to implement. In another embodiment, the design can also be such that a computing core in the other microcontroller performs the shutdown.

It is particularly advantageous for the implementation if the control process is divided into function groups and a check of a calculation result is provided for each function group, a decision module of the same type being provided for each function group and the result of the check being passed on to the next function group by a decision module . This modular structure of the control software greatly simplifies the development process. In addition to the necessary function, the blocks for comparing results and making decisions are always implemented in the same way. In the software in particular, it is possible to use a structure that has been developed, tested and approved several times, which significantly reduces the development effort. The exact number of function groups can advantageously be determined on the basis of the safety requirements with regard to fault coverage.

The proposal can be used in particular for the application of controlling a steering process in a vehicle. A meaningful division into function groups consists in the division into the function groups: processing of the input signals, calculation of the tie rod position or the target motor torque for setting the steering angle, acquisition of the actual control signal emitted by the microcontroller or acquisition of the actual control signal emitted by a converter unit.

In the steering system, the control process consists in that certain phases of a polyphase electric motor for the steering process are controlled by each of the at least two microcontrollers in order to bring about a rack movement in accordance with the steering command. In the event of a fault, the steering process is prevented from being controlled by disconnecting the connection between the microcontroller, in which the arithmetic core identified as faulty, and the associated phases of the polyphase electric motor. A phase separator can be used for this.

The corresponding measures are advantageous for a corresponding device for controlling a safety-relevant process. The device is constructed redundantly with at least two microcontrollers, and each of the at least two microcontrollers is designed to control the safety-relevant process. According to the proposal, it is advantageous if the two microcontrollers each have at least two computing cores on which the same control functions are calculated. According to the invention, each computing core has a comparator in which the calculation results exchanged among the computing cores are compared. Furthermore, each computing kernel has a decision module in which a majority decision is formed with the checking results of at least three of the computing kernels. A majority decision confirms that an error has occurred in one of the Calculation kernels are present, and the control of the safety-relevant process is prevented by the microcontroller of the control line in which the calculation kernel is located in which the error was detected.

At least one communication bus, which connects the at least two microcontrollers to one another, is provided for the exchange of data. This can advantageously be designed in the form of an Ethernet communication bus, FlexRay communication bus or CAN (-FD) communication bus. CAN-FD stands for the Controller Area Network-Flexible Data Rate.

A further advantageous measure consists in equipping at least one of the computing cores of the microcontrollers with a lockstep core, which is thus able to detect its own random calculation errors. The result of this core can therefore be regarded as reliable.

The device can advantageously be used to control a steering process in a vehicle.

The invention can be used in all vehicles with an automated driving function from level 3 (according to VDA).

An embodiment of the invention is shown in the drawings and is explained in more detail below with reference to the figures.

• 1 das typische Cockpit eines Fahrzeuges;
• 2 eine Gesamtansicht eines typischen Lenksystems für ein Fahrzeug;
• 3 ein Blockschaltbild der Kfz-Elektronik des Fahrzeuges;
• 4 ein Blockschaltbild des Lenkhilfe-Steuergerätes;
• 5 ein erstes Blockschaltbild der beiden Microcontroller in dem Lenkhilfe-Steuergerät;
• 6 ein zweites Blockschaltbild der beiden Microcontroller in dem Lenkhilfe-Steuergerät mit einer Ansicht der logischen Entscheiderstufe;
• 7 ein drittes Blockschaltbild der beiden Microcontroller in dem Lenkhilfe-Steuergerät mit einer Abfolge einer Fehlerüberprüfung; und
• 8 ein Prinzipbild für die Aufteilung der Steuerungsfunktion in Funktionsgruppen.

Show it:

• 1 the typical cockpit of a vehicle;
• 2 an overall view of a typical steering system for a vehicle;
• 3 a block diagram of the vehicle electronics;
• 4th a block diagram of the power steering control unit;
• 5 a first block diagram of the two microcontrollers in the power steering control device;
• 6th a second block diagram of the two microcontrollers in the power steering control device with a view of the logic decision-maker stage;
• 7th a third block diagram of the two microcontrollers in the power steering control device with a sequence of error checking; and
• 8th a principle diagram for the division of the control function into function groups.

The present description illustrates the principles of the disclosure of the invention. It is therefore understood that those skilled in the art will be able to design various arrangements which, although not explicitly described here, embody principles of the disclosure according to the invention and are also intended to be protected in their scope.

1 shows the typical cockpit of a vehicle 10 . A passenger car is shown. As a vehicle 10 However, any other vehicles could also be considered. Examples of further vehicles are: buses, utility vehicles, in particular trucks, trucks, agricultural machines, construction machines, rail vehicles, etc. The use of the invention would generally be possible in land vehicles, rail vehicles, water vehicles and aircraft.

The essential component for the invention in the vehicle 10 is the steering system from which the steering wheel in the cockpit 12 can be seen with parts of the steering column. Next is in 1 a display unit of an infotainment system highlighted with reference numerals. It is a touch sensitive screen 20th located in the center console.

The touch-sensitive screen 20th is used in particular to operate functions of the vehicle 10 . For example, a radio, a navigation system, a playback of stored pieces of music and / or an air conditioning system, other electronic devices or other comfort functions or applications of the vehicle can be used 10 to be controlled. In summary, one often speaks of an "infotainment system". In motor vehicles, especially cars, an infotainment system refers to the combination of car radio, navigation system, hands-free system, driver assistance systems and other functions in a central operating unit. The term infotainment is a suitcase word composed of the words information and entertainment (entertainment). The touch-sensitive screen is mainly used to operate the infotainment system 20th ("Touchscreen") is used, this screen 20th in particular by a driver of the vehicle 10 , but also from a passenger in the vehicle 10 can be easily viewed and operated. Below the screen 20th In addition, mechanical control elements, for example buttons, rotary controls or combinations thereof, such as rotary push-buttons, can be used in an input unit 50 be arranged. Typically, parts of the infotainment system can also be operated using the steering wheel. For this purpose, the vehicles are equipped with a so-called multifunction steering wheel control. This unit is not shown separately, but is part of the input unit 50 considered.

Back to the vehicle's steering system 10 . An overall view of the steering system shows 2 . The main components are the steering wheel 12 , the steering column 14th , the torque sensor 15th , the electric motor 16 who have favourited rack 18th and the power steering control unit 186 .

3 shows schematically a block diagram of the automotive electronics and, by way of example, some subsystems or applications of the infotainment system. The infotainment system comprises: the touch-sensitive display unit 20th , a computing device 40 , an input unit 50 and a memory 60 . The display unit 20th comprises both a display area for displaying variable graphic information and a user interface (touch-sensitive layer) arranged above the display area for the input of commands by a user.

The display unit 20th is via a data line 70 with the computing device 40 connected. The data line can be designed according to the LVDS standard, corresponding to low voltage differential signaling. Via the data line 70 receives the display unit 20th Control data for controlling the display area of the touch screen 20th from the computing device 40 . Via the data line 70 are also control data of the commands entered from the touchscreen 20th to the computing device 40 transfer. With the reference number 50 the input unit is designated. It includes the control elements already mentioned, such as buttons, rotary controls, slide controls or rotary push-button controls, with the help of which the operator can make entries via the menu navigation. Input is generally understood to mean the selection of a selected menu option, as well as changing a parameter, switching a function on and off, etc.

The storage device 60 is via a data line 80 with the computing device 40 connected. In the memory 60 a list of pictograms and / or symbols is stored with the pictograms and / or symbols for possible insertion of additional information.

The other parts of the infotainment system camera 150 , Radio 140 , Navigation device 130 , Phone 120 and instrument cluster 110 are via the data bus 100 connected to the device for operating the infotainment system. As a data bus 100 The high-speed variant of the CAN bus according to ISO Standard 11898-2 comes into consideration. Alternatively, a bus system based on Ethernet technology such as IEEE 802.03cg could also be used. Bus systems in which data is transmitted via fiber optics can also be used. Examples are the MOST bus (Media Oriented System Transport) or the D2B bus (Domestic Digital Bus). The vehicle is responsible for wireless internal and external communication 10 with a communication module 160 fitted. This module is often referred to as an on-board unit. It can be designed for cellular communication, for example according to the LTE standard, corresponding to Long Term Evolution. It can also be designed for WLAN communication, corresponding to wireless LAN, be it for communication with devices of the occupants in the vehicle or for vehicle-to-vehicle communication, etc.

The communication bus 100 the infotainment system is with a gateway 30th connected. The other parts of the vehicle electronics are also connected to it. On the one hand the communication bus 104 of the drive train, which is typically implemented in the form of the CAN bus. The control units of the powertrain are engine control units as examples 172 , ESP control unit 174 and gearbox control unit 176 named and shown. Next the communication bus 102 for driver assistance systems, which can be designed in the form of the FlexRay bus. Three driver assistance systems are shown: a driver assistance system 182 for automatic distance control ACC in accordance with Adaptive Cruise Control, a DCC driver assistance system for adaptive chassis control 184 , corresponding to Dynamic Chassis Control and a power steering system 186 . There is also a communication bus 106 to the gateway 30th connected. This connects the gateway 30th with an on-board diagnostic interface 190 . The task of the gateway 30th consists of the format conversions for the various communication systems 100 , 102 , 104 , 106 to make so that data can be exchanged among each other.

The following is a more detailed look at the power steering control unit 186 received.

As already mentioned, it has a redundant structure for security reasons. The steering process is controlled by two parallel lines. The parts are input electronics 220 , 320 , Logic part 250 , 350 and power unit 270 , 370 each available twice. The multi-phase electric motor is also shown 410 from the power steering control unit 186 is controlled. The multi-phase electric motor is activated by both lines for full steering assistance. If an error should occur in one of the two lines, the control is prevented by this line for safety's sake. As a result, the driver no longer receives full steering assistance, but the steering function is still guaranteed to the extent that the vehicle is controlled by the control of the other line 10 can still be safely steered to the side of the road or into an emergency stop or parking lot. The system is designed in such a way that the driver does not have to intervene. The steering system can still carry out the steering process automatically. After this emergency stop, you can continue driving with manual operation of the steering.

A realization could also be designed in such a way that both control lines can each individually provide full steering support.

This would also make it possible for the vehicle to automatically end its journey until "ignition off" with the remaining functional line after a fault has occurred in a line. To be on the safe side, repeated activation of the automatic driving function would then be blocked.

In the entrance electrical parts 220 and 320 there is one filter unit each 228 and 328 , in which, for example, the chokes and filters are arranged to compensate for disturbances in the supply voltage. The supply voltage is at the power connection 222 at. The contact 226 serves to connect to the torque sensor 15th the steering system. This is on the steering column 14th attached and is read in directly. Such a sensor could be omitted in the future. Steerby-wire steering systems are already being developed that do not require a mechanical steering column. This then sends the information to the power steering control unit 186 which forces act on the steering. With the torque sensor 15th the required data on angle of rotation, direction of rotation and torque are typically recorded electronically. This is important in order to be able to determine the power of the polyphase electric motor 410 must raise in order to be able to support the steering process. It should be noted that the steering process must be controlled very sensitively. Further information plays an important role, e.g. the speed of the vehicle. This input signal from the torque sensor is sent internally to both logic parts 250 and 350 forwarded. Furthermore, every logic part is 250 , 350 separately to the communication bus 102 connected. The power steering control unit 186 therefore has two connections for the vehicle bus. In this way, the steering function is guaranteed even if there is a defect in one of the bus connections or the supply lines. The logic parts 250 and 350 of the power steering control unit 186 each essentially contain one of the two microcontrollers 256 and 356 . The microcontroller 256 contains the two cores 252 and 254 . The microcontroller 356 contains the two cores 352 and 354 . The processing cores of a microcontroller are interconnected so that they can exchange data, especially calculation results. A parallel bus is typically used for this. Between all four cores 252 , 254 , 352 , 354 the microcontroller 256 , 356 data can also be exchanged with one another. This is also necessary with the security concept presented here, so that the data on the basis of which the decision is to be made are of the same type on all four computing cores 252 , 254 , 352 , 354 exist. In one embodiment of the invention, the communication bus is 259 between the two microcontrollers 256 , 356 designed as an Ethernet bus. In another embodiment, it can also be designed as a FlexRay or CAN FD communication bus. In 4th it is shown that each computing core has two Ethernet ports, via which it is connected to the two computing cores of the other microcontroller. Another special feature is that the computing cores 252 and 352 with so-called lockstep computing cores 253 and 353 are equipped. These correspond to parallel computers that process exactly the same program. The parallel connection is not used to increase performance, but for control. The results of the individual computing cores are compared, which takes place in individual, time-tight and non-interruptible steps. The redundancy achieved in this way enables hardware failures in one of the computing cores to be detected and responded to, as is the case with a dual core in lockstep mode.

Also the power part of the power steering control unit 186 is set up in parallel. The control signal for controlling the multiphase electric motor 410 is from the respective microcontroller 256 , 356 in the form of PWM signals, corresponding to "pulse width modulation". These are in the power section 270 and 370 in corresponding converter units 272 , 274 and 372 , 374 implemented. In 4th is the multi-phase electric motor 410 shown as a 12 phase motor. Depending on which phases are controlled, so transfer more or less force to the rack. When all phases are controlled, the greatest force is applied. In order to be able to control this sensitively, per microcontroller 256 , 356 two converter units 272 , 274 or. 372 , 374 intended. These are so-called Gate Drive Units GDU, which convert the PWM signal into corresponding signals for controlling an amplifier (Power MOSFET). Before the control signals to the polyphase electric motor 410 arrive, they pass a phase separation circuit 276 , 278 or. 376 , 378 . The activation of the polyphase electric motor can be switched off via the phase separation circuits 410 in the appropriate path. According to the connections drawn between microcontrollers and phase separation circuits, activation can only be switched off by the microcontroller of the respective control line.

In the following figures, the same reference numerals denote the same components as in FIG 4th . The 5 illustrates the process of mutual data exchange between the computing cores in a step of checking the computation results after a so-called data event. The control process consists of different phases. This includes the acquisition and processing of the input signals, the calculation of the target engine torque by the steering functions and the generation of the control signals by the engine controller. After each stage, the processing or calculation results can be checked. Further reviews could be carried out with interim results. After each intermediate result or when one of the stages mentioned is completed, a data event is generated in the comparator in each calculation kernel 251 , 351 , 255 , 355 triggered. The occurrence of a data event then triggers the exchange of the predetermined processing or calculation results among the computing cores. The results are compared. If there are discrepancies, there must be an error in one of the cores. How it is decided in which strand the fault is present is the subject of the following considerations. Also in 5 is shown that a mutual program flow control 264 takes place between two computing cores. This can be implemented with appropriately designed watchdog circuits.

6th shows the use of a logical decision maker 260 , which serves as a third instance, so to speak, with the purpose of deciding on which microcontroller 256 , 356 the error occurred. However, the logical decision maker is not an additional hardware component. Rather, it is a decision maker that is implemented with software. Part of the software for the decision maker is installed on each computer core. The relevant parts are in the 6th with the reference numerals 261 , 262 , 361 , 362 designated.

In 7th the verification process is shown. After the data event occurs, the calculation results are exchanged with one another. When comparing the calculation results, the calculation kernel 252 detected a discrepancy, see the step ED . In the logical decision maker 260 The results of the comparisons in the computing cores are also displayed 352 and 254 considered. The logical decision maker 260 forms a majority decision. It does this as follows. Each calculation kernel compares which calculation result differs, see the steps EC1 and EC2 . The following tables illustrate the process: Comparison in µCA RK1 µCA RK2 µCB RK1 deviation in percent µCA RK1 µCA RK1 µCA RK1

During the comparisons in all computing cores, it was found that the result in computing core 252 of the results in the computing kernels 352 and 254 deviates. This is done by the decision makers 261 , 262 , 361 recognized. So there is a clear majority in favor of the calculation kernel 252 has a defect, and the decision maker 262 then takes care of the crotch EH that the control of the multi-phase electric motor 410 by the microcontroller 256 is prevented. This is done with the phase separation circuits 276 , 278 .

In the further case considered, the results of the comparisons are as follows: Comparison in µCA RK1 µCA RK2 µCB RK1 deviation in percent none µCA RK1 µCA RK1

Here was the comparison in the calculation kernel 252 No discrepancy was found, however, when comparing the computing cores 258 and 352 it was found that a deviation in the calculation result of the calculation kernel 252 present. In the decision-making modules ( 261 , 262 , 361 ) will again be a majority decision with that of the other decision-making modules ( 261 , 262 , 361 ) delivered results. This gives a 2: 1 majority and it becomes the microcontroller again 256 from the polyphase electric motor 410 Cut.

Other constellations are possible, but they do not have to be considered in detail here. Because three decision-making modules are always involved, there is always unanimity if everything is ok, or a 2/3 majority if one of the cores is affected by a defect. If no discrepancy is found, everything is fine and no shutdown is required. The comparison results in three computing cores are always used to check the plausibility of a detected deviation. Because the decision-making modules ( 261 , 262 , 361 , 362 ) via the cores ( 252 , 254 , 352 , 354 ) are distributed, in which the comparison results are analyzed, a functioning decision module of a microcontroller is always active in order to switch off the line where the deviation occurs.

A particularly advantageous modular structure of the control software is presented below. The comparison process and the decision-maker module are also taken into account. The modular structure is in 8th shown. The control process is divided into functional groups. The function groups can correspond to the above-mentioned phases of the control process, i.e. the acquisition and processing of the input signals, the calculation of the target engine torque by the steering functions and the generation of the control signals by the engine controller. Two functional groups FG1 and FG2 are shown as an example. The function group is checked by the data event FG1 caused. The mentioned comparison of the calculation results takes place in the comparator FG1V instead of. To do this, the calculation results from the other two cores must be sent to the comparator FG1V be transmitted. The comparison results are in the decision module FG1E evaluated. The majority decision described is formed in this. At the same time, the decision maker module FG1E also the feedback from the other two decision-making modules in the form of whether they recognized an error or not. You will then receive confirmation of your own majority decision. A further majority decision is thus formed therein, namely about whether the error was also determined by at least one further decision module. This ensures the function of the decision-maker module. For this purpose, the results of the other decision-making modules are sent to the decision-making module FG1E reported back. If no deviation was found and no error detection is reported by the other decision-maker modules either, the output of the decision-maker module is activated FG1E set to zero, which means that the test did not detect any malfunction. Otherwise the output is set to one, which means that a malfunction has been detected. Forwarding the information to the following function group FG2 ensures that the error is also output there. At the end of the control process, the error also appears and the decision module of the last function group of the control process will eventually cause the control to be switched off by the faulty strand.

• - Positive Logik: eine logische 1 bedeutet alles ist in Ordnung, dann besteht der Vergleicher aus logischen UND Gattern
• - Negative Logik: eine logische 0 bedeutet alles ist in Ordnung, dann besteht der Vergleicher aus logischen ODER Gattern. Beide Varianten haben Vor- und Nachteile und es wird nach Bedarf entschieden, welche Logik für das jeweilige Projekt geeignet ist.

In order to implement the decision-making structure in this way, the software and electronics are divided into function groups, in which, in addition to the necessary function, the blocks, which are always identical, are implemented for comparing results and making decisions. The result of the decision maker can follow positive or negative logic. Mean:

• - Positive logic: a logical 1 means everything is OK, then the comparator consists of logical AND gates
• - Negative logic: a logical 0 means everything is OK, then the comparator consists of logical OR gates. Both variants have advantages and disadvantages and a decision is made as required which logic is suitable for the respective project.

In the software in particular, it is possible to use a structure that has been developed, tested and approved several times, which significantly reduces the development effort.

All examples mentioned herein as well as conditional formulations are to be understood without restriction to such specifically cited examples. For example, it will be appreciated by those skilled in the art that the block diagram presented herein is a conceptual view of exemplary circuitry. In a similar way, it can be seen that a depicted flowchart, state transition diagram, pseudocode and the like represent different variants for the representation of processes that can essentially be stored in computer-readable media and thus executed by a computer or processor.

It should be understood that the proposed method and associated devices may come in various forms of hardware, software, firmware, special purpose processors, or a combination of which can be implemented. Specialty processors can include application-specific integrated circuits (ASICs), reduced instruction set computers (RISC), and / or field programmable gate arrays (FPGAs). The proposed method and the device are preferably implemented as a combination of hardware and software. The software is preferably installed as an application program on a program storage device. Typically, it is a computer platform-based machine that includes hardware such as one or more central processing units (CPU), random access memory (RAM), and one or more input / output (I / O) interfaces. An operating system is also typically installed on the computer platform. The various processes and functions described here can be part of the application program or a part that is executed by the operating system.

The disclosure is not restricted to the exemplary embodiments described here. There is scope for various adaptations and modifications within the scope of the claims, which the person skilled in the art would consider based on his specialist knowledge and also belonging to the disclosure.

List of reference symbols

10

vehicle

12

steering wheel

14th

Steering column

15th

Torque sensor

16

Electric motor

18th

Rack

20th

touch-sensitive display unit

30th

Gateway

40

Arithmetic unit

50

Input unit

60

Storage unit

70

Data line to the display unit

80

Data line to the storage unit

90

Data line to the input unit

100

1. Data bus

102

2. Data bus

104

3. Data bus

106

4. Data bus

110

Instrument cluster

120

phone

130

navigation device

140

radio

150

camera

160

Communication module

172

Engine control unit

174

ESP control unit

176

Transmission control unit

182

Distance control control unit

184

Landing gear control unit

186

Power steering control unit

190

On-board diagnostic connector

220

Input electronics

222

Power connection

224

DME

226

Communication bus connection

228

Filter stage

250

Logic part

251

Comparator

252

Calculation kernel 1

253

Lockstep unit

254

Calculation kernel 2

255

Comparator

256

Microcontroller 1

257

Operating system core 1

258

Operating system core 2

259

Communication bus

260

Logical decision-maker level

261

Decision-maker module E1

262

Decision-maker module E2

264

Program sequence control 1

270

Power section

272

Converter unit 1

274

Converter unit 2

276

Phase separator 1

278

Phase separator 2

320

Input electronics

322

Power connection

326

Communication bus connection

328

Filter stage

350

Logic part

351

Comparator

352

Calculation kernel 1

353

Lockstep unit

354

Calculation kernel 2

355

Comparator

356

Microcontroller 2

361

Decision-making module E3

362

Decision maker module E4

364

Program sequence control 2

370

Power section

372

Converter unit 1

374

Converter unit 2

376

Phase separator 1

378

Phase separator 2

410

Polyphase electric motor

ED

Error detection event

EC1

Error checking in decision module E2

EC2

Error checking in decision module E3

EH

Error handling

FG1

1. Functional group

FG2

2. Function group

FG1V

Comparator function group 1

FG2V

Comparator function group 2

FG1F

Function 1

FG2F

Function 2

FG1E

Decision module function group 1

FG2E

Decision-making module function group 2

FG1M

Majority images function group 1

FG2M

Majority images function group 2

FG1W

Forwarding of results to function group 1

FG2W

Forwarding of results to function group 2

Claims (11)

Method for controlling a safety-related process, wherein at least two microcontrollers (256, 356) are used for the control, each of the at least two microcontrollers (256, 356) being designed for controlling the safety-related process, the at least two microcontrollers (256 , 356) each have at least two computing cores (252, 254, 352, 354) in which the same algorithm is calculated, characterized in that at least certain processing results, hereinafter referred to as computing results, of the computing cores (252, 254, 352, 354) in Decision modules (261, 262, 361, 362) distributed over the computing cores (252, 254, 352, 354) are checked, the calculation results under the at least four computing cores (252, 254, 352, 354) of the at least two microcontrollers ( 256, 356) are exchanged and compared with one another in at least four comparators (251, 255, 351, 355), and when one is detected Deviation, a majority decision is made over at least three of the decision modules (261, 262, 361, 362) distributed among the computing cores (252, 254, 352, 354), with the at least three decision modules (261, 262, 361, 362) each showing the deviation results the other two decision modules are made available, the type that the control of the security-relevant process by the microcontroller (256, 356) of a control string in which the computing kernel (252, 254, 352, 354) is located, whose computation result depends on the Calculation results in at least two other computing cores (252, 254, 352, 354) deviate, is prevented when the deviation is confirmed in at least two of the distributed decision modules (261, 262, 361, 362). Procedure according to Claim 1 , whereby a decision module (261, 262, 361, 362) is installed on each of the computing cores (252, 254, 352, 354) by software. Procedure according to Claim 1 or 2 , whereby the control of the safety-relevant process is prevented by switching off or partial disconnection of the control of the safety-relevant process by the microcontroller (256, 356) in which the computation kernel (252, 254, 352, 354) is located, the computation result of which is different . Method according to one of the preceding claims, wherein a control process is divided into function groups (FG1, FG2), and a check of a calculation result is provided for each function group (FG1, FG2), with a similar decision module (FG1E) for each function group (FG1, FG2) , FG2E) is provided and the result of the check is passed on by a decision module (FG1E, FG2E) to the next function group (FG1, FG2). Procedure according to Claim 4 , whereby the safety-relevant process is a steering process for a vehicle (10) and at least one or more of the following functional groups (FG1, FG2) are formed: processing of input signals, calculation of a tie rod position or a target engine torque for setting a steering angle, detection of an actual one control signal output by the microcontroller (256) or detection of the actual control signal output by a converter unit (272, 274, 372, 374). Procedure according to Claim 5 , wherein certain phases of a polyphase electric motor (410) for the steering process are controlled by each of the at least two microcontrollers (256, 356) and the steering process is controlled by disconnecting the connection between the microcontroller (256, 356) in which the computing core ( 252, 254, 352, 354) is localized, the calculation result of which differs from the calculation results in at least two other cores (252, 254, 352, 354) and the associated phases of the polyphase electric motor (410) is prevented. Device for controlling a safety-related process, the device having at least two microcontrollers (256, 356) having a redundant structure so that each of the at least two microcontrollers (256, 356) is designed to control the safety-related process, the two microcontrollers (256 , 356) each have at least two computing cores (252, 254, 352, 354), characterized in that each computing core (252, 254, 352, 354) has a comparator (251, 255, 351, 355) in which the below the computation cores (252, 254, 352, 354) exchanged computation results are compared, each computation kernel (252, 254, 352, 354) further having a decision module (261, 262, 361, 362) for forming a majority decision with the verification results of the decision modules (261, 262, 361, 362) of at least three of the computing cores (252, 254, 352, 354) and that the control of the safety-relevant process is prevented by the microcontrol ler (256, 356) of a control line in which the computation kernel (252, 254, 352, 354) is located, in which the deviation was recognized and confirmed by majority decision in the decision module (261, 262, 361, 362) available there , he follows. Device according to Claim 7 , at least one communication bus (259) being provided which connects the at least two microcontrollers (256, 356) to one another for data exchange, Device according to Claim 7 or 8th , wherein at least one of the computing cores (252, 254, 352, 354) of the microcontrollers (256, 356) is equipped with a lockstep core. Device according to one of the Claims 7 to 9 , wherein the safety-relevant process is a steering process of a vehicle (10) and the device is installed in a vehicle (10). Vehicle, characterized in that the vehicle (10) has a device according to one of the Claims 7 to 10 having.

Images