EP1370914A1 - Method for operating a distributed safety system - Google Patents

Method for operating a distributed safety system

Info

Publication number
EP1370914A1
Authority
EP
European Patent Office
Prior art keywords
pro
process computer
communication
communication system
faulty
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP02726060A
Other languages
German (de)
English (en)
Inventor
Thomas Fuehrer
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Robert Bosch GmbH
Original Assignee
Robert Bosch GmbH

Classifications

    • B PERFORMING OPERATIONS; TRANSPORTING
        • B60 VEHICLES IN GENERAL
            • B60G VEHICLE SUSPENSION ARRANGEMENTS
                • B60G17/00 Resilient suspensions having means for adjusting the spring or vibration-damper characteristics, for regulating the distance between a supporting surface and a sprung part of vehicle or for locking suspension during use to meet varying vehicular or surface conditions, e.g. due to speed or load
                • B60G17/015 Resilient suspensions having means for adjusting the spring or vibration-damper characteristics, for regulating the distance between a supporting surface and a sprung part of vehicle or for locking suspension during use to meet varying vehicular or surface conditions, e.g. due to speed or load, the regulating means comprising electric or electronic elements
                • B60G17/0195 Resilient suspensions having means for adjusting the spring or vibration-damper characteristics, for regulating the distance between a supporting surface and a sprung part of vehicle or for locking suspension during use to meet varying vehicular or surface conditions, e.g. due to speed or load, the regulating means comprising electric or electronic elements, characterised by the regulation being combined with other vehicle control systems
                • B60G2600/00 Indexing codes relating to particular elements, systems or processes used on suspension systems or suspension control systems
                • B60G2600/08 Failure or malfunction detecting means
                • B60G2600/70 Computer memory; Data storage, e.g. maps for adaptive control
                • B60G2600/702 Parallel processing
                • B60G2800/00 Indexing codes relating to the type of movement or to the condition of the vehicle and to the end result to be achieved by the control action
                • B60G2800/80 Detection or control after a system or component failure
            • B60T VEHICLE BRAKE CONTROL SYSTEMS OR PARTS THEREOF; BRAKE CONTROL SYSTEMS OR PARTS THEREOF, IN GENERAL; ARRANGEMENT OF BRAKING ELEMENTS ON VEHICLES IN GENERAL; PORTABLE DEVICES FOR PREVENTING UNWANTED MOVEMENT OF VEHICLES; VEHICLE MODIFICATIONS TO FACILITATE COOLING OF BRAKES
                • B60T13/00 Transmitting braking action from initiating means to ultimate brake actuator with power assistance or drive; Brake systems incorporating such transmitting means, e.g. air-pressure brake systems
                • B60T13/74 Transmitting braking action from initiating means to ultimate brake actuator with power assistance or drive; Brake systems incorporating such transmitting means, e.g. air-pressure brake systems, with electrical assistance or drive
            • B60W CONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
                • B60W50/00 Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
                • B60W2050/0001 Details of the control system
                • B60W2050/0043 Signal treatments, identification of variables or parameters, parameter estimation or state estimation
                • B60W2050/0044 In digital systems
                • B60W2050/0045 In digital systems using databus protocols
                • B60W50/02 Ensuring safety in case of control system failures, e.g. by diagnosing, circumventing or fixing failures
                • B60W50/0205 Diagnosing or detecting failures; Failure detection models
                • B60W2050/021 Means for detecting failure or malfunction
                • B60W50/04 Monitoring the functioning of the control system
                • B60W2050/041 Built in Test Equipment [BITE]
    • G PHYSICS
        • G05 CONTROLLING; REGULATING
            • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
                • G05B9/00 Safety arrangements
                • G05B9/02 Safety arrangements, electric
                • G05B9/03 Safety arrangements, electric, with multiple-channel loop, i.e. redundant control systems
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F11/00 Error detection; Error correction; Monitoring
                • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
                • G06F11/16 Error detection or correction of the data by redundancy in hardware
                • G06F11/1629 Error detection by comparing the output of redundant processing systems
                • G06F11/1641 Error detection by comparing the output of redundant processing systems where the comparison is not performed by the redundant processing components
                • G06F11/18 Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits
                • G06F11/181 Eliminating the failing redundant component
                • G06F11/182 Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits based on mutual exchange of the output between redundant processing components
    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L67/00 Network arrangements or protocols for supporting network services or applications
                • H04L67/01 Protocols
                • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Definitions

  • the present invention relates to a method for operating a distributed safety-relevant system, in particular an X-by-wire system in a motor vehicle.
  • The distributed system comprises at least one first process computer for controlling one component of the system and at least one further process computer, each being connected to a communication system via a communication controller.
  • the functionality of the at least one first process computer is checked by the at least one further process computer.
  • The invention also relates to a distributed safety-relevant system, in particular an X-by-wire system in a motor vehicle.
  • The distributed system comprises at least a first process computer for controlling a component of the system and at least one further process computer, the process computers each being connected to a communication system via a communication controller. Monitoring of the functionality of the at least one first process computer is carried out by the at least one further process computer.
  • the present invention relates to a communication controller for connecting at least one first process computer and at least one further process computer to a communication system of a distributed safety-relevant system, in particular an X-by-wire system in a motor vehicle.
  • the at least one first process computer is used to control a component of the distributed system.
  • A communication protocol runs on the communication controller to implement data transmission between the process computers and the communication system.
  • The invention also relates to a communication protocol for a communication system of a distributed safety-relevant system, in particular an X-by-wire system in a motor vehicle.
  • The distributed system comprises at least a first process computer for controlling a component of the distributed system and at least one further process computer.
  • The process computers are each connected to the communication system via a communication controller.
  • The communication protocol runs on the communication controllers to implement data transmission between the process computers and the communication system.
  • X-by-wire systems are a special implementation of such distributed systems.
  • An X-by-Wire system is a system with high safety requirements, i.e. a complete failure of this system generates an error of the highest safety level possible in the vehicle. Three classes of such systems are considered.
  • Wet X-by-Wire systems are systems with a hydraulic (mechanical) fallback level that ensures the basic functionality even without electrical power supply (e.g. after a failure of the
  • The basic braking function is the braking function without an electronic control system that could generate a variable braking force distribution.
  • the basic braking function then specifies (depending on the system) that, for example, 65% of the braking force is applied to the front axle and 35% to the rear axle.
  • Anti-lock braking system (ABS), anti-slip control (ASR) and vehicle dynamics control (FDR) are not part of the basic brake function.
  • Dry X-by-Wire systems are such systems without a mechanical / hydraulic fallback level. The implementation is based exclusively on electromechanical components.
  • Semi-dry X-by-Wire systems are systems that have a hydraulic actuator but a "dry interface". In terms of communication requirements, these systems should therefore be treated in the same way as dry X-by-Wire systems.
  • X-by-wire systems are steer-by-wire and brake-by-wire systems (electronic steering and electronic brakes).
  • A method of the type mentioned is known, for example, from DE 198 26 131 A1.
  • the distributed safety-related system is described as an electrical braking system of a motor vehicle.
  • the components are designed as the brakes of the motor vehicle or more precisely as actuators for controlling the brakes.
  • Such a system is relevant to safety to a high degree, since faulty control of the components, in particular faulty actuation of the brakes, can lead to an unforeseeable safety risk. For this reason, incorrect control of the components must be ruled out with certainty.
  • Essential features of the known brake system are a pedal module for central driver request recording, four wheel modules for wheel-specific regulation of the brake actuators and a processing module for calculating higher-level brake functions.
  • the individual modules can communicate with one another using one or more communication systems.
  • In FIG. 2 of the present patent application, the internal structure of a wheel module with different logic levels is shown as an example.
  • The logical level L1 comprises at least the calculation of the control and regulating functions for the wheel brakes, while the logical levels L2 to L4 contain various functions for computer monitoring and functional testing of L1.
  • the control of the brakes or the electric motors for actuating the brake shoes comprises the following steps for each wheel module:
  • The input signals are made available to the microcomputer system (R_1A) via a communication system (K_1), for example a bus system.
  • Determining at least one logical control signal (e_1H).
  • The logical control signal (e_1H) is determined, at least partially as a function of at least one input signal, by a monitoring unit (R_1B) which is independent of the first microcomputer system (R_1A).
  • The monitoring unit (R_1B) is used in particular to identify systematic (so-called common mode) errors. Faults in the power supply are an example of such faults.
  • The monitoring unit (R_1B) is designed as an independent microcomputer system. Alternatively, the monitoring unit (R_1B) can also be designed as a hardware module without its own processor, which, however, can perform specific logical functions or, if it has a register, even switching functions.
  • An example of such a hardware module is an ASIC (Application-Specific Integrated Circuit), an FPGA (Field-Programmable Gate Array) or a monitoring circuit (so-called watchdog).
  • The control device (microcomputer system or process computer) that is responsible for controlling the component (actuators) is monitored and switched off by the monitoring unit in the event of a fault. Monitoring is based on question-answer communication, which must follow a specified protocol.
  • The actuators (LE2R) are only released if the microcomputer system (R_1A) and the independent monitoring unit (R_1B) agree (the question-answer communication works as specified).
  • The principle of this release is based on an electrical release circuit (AND link), which is implemented between the process computer and the monitoring unit. This means that, for the normal function of the actuators, both units have to apply a logical "one" to the release circuit.
  • The actuators are switched off as soon as a process in the microcomputer system (R_1A) gives the signal to switch off.
  • The monitoring component (R_1B) will only give the signal to switch off if the monitored unit (microcomputer system R_1A) has been identified as faulty.
  • the use of communication systems in the automotive sector has become the standard for almost all manufacturers.
  • The Society for Automotive Engineering (SAE) has defined three different classes of requirements for communication: classes A, B and C. These classes differ in the amount of information exchanged, in the real-time requirements and in the areas of application.
  • The protocol class with the highest requirements is class C.
  • A specification of the SAE, "Communication protocols for class C applications", SAE J2056/1, June 1993, is available.
  • This class C is the class responsible for X-by-wire systems.
  • TTCAN (Time Triggered CAN), TTP/C or FlexRay protocol.
  • An important service for the present invention in such protocols is the subscriber service (so-called membership service).
  • The membership/activity of a communication subscriber is determined by a message-confirmation mechanism in a decision-making process of all active communication subscribers.
  • The information about the membership/activity of the communication participants is provided as a so-called membership
  • The membership information is stable, i.e. recognized by all participants as valid. If a participant is designated as inactive by this decision, this node may no longer take an active part in the communication.
  • the process computer responsible for this node recognizes the inactive state and must take measures to switch its communication controller active again (restart and resynchronization).
  • The mechanism for determining the participants is performed continuously and is part of the actual communication protocol.
  • A disadvantage of the state of the art resulting from DE 198 26 131 A1 is that the logic level L4 is always implemented in a separate component which, for example in the wheel modules of an electrical braking system, must also be provided several times within the distributed safety-related system.
  • The object of the present invention is to provide possibilities in such a distributed monitoring concept by means of which the basic functionality of a communication system or a communication protocol, namely secure message transmission, sending messages that are simultaneously directed to several destinations in the communication system (so-called multicasting), message confirmation and, for example in the case of TTP/C (Time Triggered Protocol for Class C) or CAN (Controller Area Network), the subscriber service, is expanded to include a mechanism for secure shutdown of process computers via the communication system.
  • The present invention, based on the method of the type mentioned at the beginning, proposes a method with the following steps:
    • at least one of the further process computers which has determined an error in at least one of the first process computers transmits a control message via the communication system to control the faulty first process computer or the component controlled by it;
    • it is checked whether the sender of the control message is authorized to control the faulty first process computer;
    • it is checked whether the sender of the control message is connected to the communication system and is actively involved in communication via the communication system;
    • depending on the content of control messages from those senders who are authorized to control the faulty first process computer and who are connected to the communication system and actively involved in communication via the communication system, it is decided according to a predeterminable decision algorithm how the faulty first process computer and/or the component are to be controlled; and
    • the faulty first process computer and/or the component are controlled accordingly.
  • Monitoring concept can be achieved within the communication system.
  • This information concerns, for each first process computer, a local list in which those further process computers are listed which may control (e.g. switch off) the respective first process computer in the event of an error.
  • The information relates to a global list, which lists those process computers that are connected to the communication system and actively involved in communication via the communication system. For example, the membership information of the subscriber service can be used for this list.
  • The information relates to a globally available list for each further process computer, in which those first process computers are listed which the respective further process computer has identified as faulty and which it therefore wishes to control (e.g. switch off).
  • the present invention is based on one
  • Process computers are divided into two groups, namely first process computers that are monitored and other process computers that monitor. Which of the process computers of the distributed system belongs to the first and which to the second group is a question of definition. It is quite conceivable that one and the same process computer belongs on the one hand to the first group because it is monitored by one or more of the other process computers, but on the other hand also belongs to the second group because it monitors one or more other (first) process computers.
  • The present invention expands the basic functionality of a communication system or communication protocol, namely secure message transmission, multicasting, message confirmation and subscriber service, by a mechanism for secure shutdown of process computers via the communication system.
  • The communication system replaces the switch-off paths implemented in hardware (by cabling) in the prior art (for example a monitoring unit with star-shaped cabling to the wheel computers in a brake-by-wire system).
  • the communication system enables an intelligent watchdog implemented locally according to the prior art (often in the form of simple hardware circuits) on the process computer of the control unit to be shifted to any selected process computer in the communication system.
  • a control unit with its process computer that is already present in the distributed system is preferably used.
  • An extended watchdog functionality such as a plausibility check
  • the additional mechanism for secure shutdown in the communication system also enables a distributed monitoring concept. This means that not only a process computer takes over the function of the intelligent watchdog, but that several control units with their process computers can trigger or switch off via the communication system.
  • A communication system that is already standardized in today's motor vehicles and the associated bus cabling (single-wire or two-wire line) are used as the switch-off path. There is no explicit wiring for the shutdown path between the units of the
  • The communication system executes a control or shutdown protocol which is built into the normal protocol sequence (actual sending and receiving of messages, message confirmation and subscriber service). This creates a small increase in the load on the communication controller, but a significant improvement in the utilization of existing control devices (process computers). Furthermore, the communication system provides software and hardware interfaces to the process computer in order to initiate or implement the control or switch-off protocol.
  • An enable circuit, via which a component (the actuators) of a distributed safety-relevant system is controlled according to the method of the invention, is operated by a process computer on the one hand and by a communication controller on the other hand.
  • a process computer itself can also be coupled to the communication controller, so that the process computer which controls the component can itself be controlled or switched off, e.g. by connecting the communication controller to a reset line of the process computer.
  • control message shuts down the faulty first process computer and / or the component controlled by it.
  • A local authorization list is provided to the process computer, on the basis of which it is checked whether the sender of the control message is authorized to control the faulty first process computer, in that an identifier of the sender of the control message is compared with the content of the authorization list.
  • A global subscriber list is provided in the communication system, on the basis of which it is checked whether the sender of the control message is connected to the communication system and is actively involved in communication via the communication system, in that an identifier of the sender of the control message is compared with the content of the subscriber list.
  • A successful control of the faulty first process computer and/or the component is advantageously communicated to at least one sender of the control message.
  • The successful control of the faulty first process computer and/or the component is preferably communicated to all process computers by deleting the faulty first process computer from a global participant list provided in the communication system, the participant list listing those process computers which are connected to the communication system and are actively involved in communication via the communication system.
  • At least one of the further process computers has means for determining an error of at least one of the first process computers and means for transmitting, if the at least one first process computer has an error, a control message for controlling the faulty first process computer and/or the component controlled by it via the communication system;
  • The communication controller of the faulty first process computer has information available as to whether the sender of the control message is authorized to control the faulty first process computer;
  • The communication controller of the faulty first process computer has information available as to whether the sender of the control message is connected to the communication system and is active on the
  • The communication controller of the faulty first process computer has means for deciding, according to a predeterminable decision algorithm, how the faulty first process computer and/or the component are to be controlled, depending on the content of control messages from the senders who are authorized to control the faulty first process computer and who are connected to the communication system and actively involved in communication via the communication system; and the communication controller of the faulty first process computer has means for corresponding control of the faulty first process computer and/or the component.
  • the information as to whether the sender of the control message is authorized to control the faulty first process computer is available in the form of a local authorization list provided in the communication controller of the at least one first process computer.
  • Communication via the communication system is involved in the form of a global subscriber list provided in the communication system.
  • The communication protocol is supplemented by mechanisms which enable the communication controller to check whether one of the further process computers which transmits a control message via the communication system for controlling at least one faulty first process computer and/or the component controlled by it is connected to the communication system and actively involved in communication via the communication system; to check whether the sender of the control message is authorized to control the faulty first process computer; to decide, according to a predeterminable decision algorithm, how the first process computer and/or the component are to be controlled, depending on the content of control messages of the senders who are authorized to control the faulty first process computer and who are connected to the communication system and actively involved in communication via the communication system; and to control the first process computer and/or the component accordingly.
  • The communication protocol is supplemented by mechanisms for executing the method according to the invention.
  • FIG. 1 shows a distributed safety-relevant system according to the invention in a cutout according to a preferred embodiment;
  • FIG. 2 shows a control module of a distributed safety-relevant system known from the prior art;
  • FIG. 3 shows enable signals within a control module from FIG. 1;
  • FIG. 4 shows a shutdown protocol according to a first preferred embodiment of the invention;
  • FIG. 5 shows a shutdown protocol according to a second preferred embodiment of the method according to the invention.
  • the present invention is explained in more detail below on the basis of an electrical braking system.
  • the invention is not limited to electrical braking systems, but rather can be used for any distributed safety-related systems.
  • The present invention allows components Akt_1 of the safety-relevant system to be safely released without the use of additional monitoring units.
  • The tasks of the monitoring units are instead taken over by further process computers P_m of the distributed system, which are present in the system anyway and have been expanded by a corresponding functionality.
  • The braking system comprises a wheel module R_1, R_m for each vehicle wheel to be braked.
  • Each wheel module R_1, R_m comprises a microcomputer system P_1, P_m and an enabling circuit FS_1, FS_m.
  • The microcomputer systems P_1, P_m each include a process computer Pro_1, Pro_m and an intelligent communication controller S_1, S_m. The process computer Pro_1, Pro_m and the communication controller S_1, S_m of a microcomputer system P_1, P_m can be combined on one semiconductor module (so-called chip); however, they are always designed as independent, separate units.
  • Each wheel module R_1, R_m is connected via a communication controller S_1, S_m to a communication system K_1 in the form of a physical data bus. Data is transmitted via the data bus, e.g. according to the CAN (Controller Area Network), TTCAN (Time Triggered CAN), TTP/C (Time Triggered Protocol for Class C) or FlexRay protocol.
  • The wheel modules R_1, R_m each control a component in the form of an actuator Akt_1, Akt_m, which is designed, for example, as an electric motor for actuating or releasing the wheel brakes.
  • FIG. 1 shows the internal structure of two wheel modules and the signal flow within them in one possible embodiment of the distributed monitoring concept.
  • The task of the wheel module R_1 (more precisely, of the process computer Pro_1) is to control the actuator Akt_1 of the electric braking system.
  • When activating the actuator Akt_1, it is important to prevent the actuator from being actuated by a faulty control signal A_11 of the microcomputer system P_1. This means that the control signal A_11 should only be passed on to the actuator Akt_1 if it is determined with a sufficiently high probability that it is error-free.
  • Actuator Akt_1 therefore essentially comprises the following steps:
  • The processor Pro_1 of the microcomputer system P_1 determines, by executing a program code as a function of at least one input signal, at least one control signal A_11 for the actuator Akt_1.
  • The input signals contain information about the actual state of the brake system and the motor vehicle and are transmitted to the first wheel module R_1 via the data bus K_1.
  • Processor Pro_1 must be available. In the present example with a plurality of similar wheel modules R_1, R_m, this means no or only minimal additional effort, since the program codes running on the processors Pro_1, Pro_m are essentially the same. Thus the program code, which is available in the processors Pro_m anyway, can be executed with the input signals of the first wheel module R_1 in order to obtain the logical control signals A_1m. This simplification applies to all distributed systems with identical control modules. The input signals can be transmitted to the microcomputer systems P_m via the data bus K_1. If the process computers Pro_1, Pro_m are functioning correctly, the control signals are
  • The control signal A_1m is compared in the process computers Pro_m of the further microcomputer systems P_m with the control signal A_11 previously determined in the process computer Pro_1. For this purpose, the control signal A_11 must be transmitted to the further microcomputer systems P_m via the data bus K_1.
  • The other microcomputer systems P_m generate status information, which is transmitted via the data bus K_1 to the communication controller S_1 of the first microcomputer system P_1.
  • The information that has to be transmitted via the communication system K_1 in order to implement the distributed monitoring concept consists, for example, of one or more bits. It is conceivable to include this information in the communication protocol of the data bus K_1.
  • The microcomputer system P_1 evaluates the incoming status information and generates an enable signal F_1 if the status is appropriate (i.e. when correct functioning of the process computer Pro_1 is signaled). The status information SF_1m can be evaluated in different ways, for example by a comparison, by a logical (preferably AND) combination, or by a majority decision.
  • The at least one control signal A_11, or at least one signal dependent on it, is forwarded to the actuator Akt_1 if the at least one enable signal F_1 has a predeterminable value.
  • An AND operation of the control signal A_11 with the enable signal F_1 is carried out in the enable circuit FS_1. If the enable signal F_1 is logic one, the control signal A_11 is forwarded to the actuator Akt_1; if the enable signal F_1 is logic zero, the control signal A_11 is not passed on to the actuator Akt_1.
  • With the described method, the functionality of the processor Pro_1 of the microcomputer system P_1 can be checked and a safe release of the actuator Akt_1 can be achieved.
  • The processors Pro_m of the other microcomputer systems P_m are mainly used to check the processor Pro_1.
  • The method according to the invention can also be used to check the functionality of the processors Pro_m of the further microcomputer systems P_m and to safely release the actuators Akt_m. In that case the other processors Pro_m (excluding the processor to be checked) and the processor Pro_1 of the first microcomputer system P_1 are used for the check.
  • Each individual microcomputer system P_1, P_m within the safety-relevant distributed braking system therefore has, on the one hand, the primary task of determining the control signals A_11, A_m1 for the actuators Akt_1, Akt_m assigned to it and, on the other hand, the secondary task of checking the function of the other processors in fulfilling their primary tasks.
  • The described distributed monitoring concept thus creates the possibility of a safe and even redundantly effective release of the actuators Akt_1, Akt_m.
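The monitoring and release steps described above, as an added C example that is not code from the patent: Pro_1 computes its control signal A_11, the further process computers Pro_m recompute it from the same inputs and return status bits SF_1m, and P_1 combines those bits into the enable signal F_1 that the enable circuit FS_1 ANDs with the control signal. Both evaluation forms named in the text (AND combination and majority decision) are implemented. The brake control law, the module count, the fault injection parameters and all function names are constructed for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration of the distributed monitoring concept (not code from the
 * patent): N_MODULES wheel modules run the same program code, so the further
 * process computers Pro_m can recompute Pro_1's control signal and vote on it.
 * The control law, the module count and all names are constructed. */
#define N_MODULES 4

/* Ways for P_1 to combine the status bits SF_1m, both named in the text. */
typedef enum { EVAL_AND, EVAL_MAJORITY } eval_mode_t;

/* Hypothetical brake control law shared by all process computers. */
static int32_t compute_control(int32_t pedal_pos, int32_t wheel_speed)
{
    int32_t force = pedal_pos * 10;             /* force follows the pedal */
    if (wheel_speed < 5 && pedal_pos > 0)       /* crude stand-in for an ABS rule */
        force /= 2;
    return force;
}

/* Status bit SF_1m computed by Pro_m: does the control signal A_11 received
 * from Pro_1 over the bus match the value A_1m that Pro_m computes itself? */
static bool status_bit(int32_t a_11_received, int32_t pedal_pos, int32_t wheel_speed)
{
    return compute_control(pedal_pos, wheel_speed) == a_11_received;
}

/* Enable signal F_1: P_1 evaluates the n status bits it received. */
static bool evaluate_enable(const bool *sf, int n, eval_mode_t mode)
{
    int ok = 0;
    for (int i = 0; i < n; i++)
        ok += sf[i] ? 1 : 0;
    return mode == EVAL_AND ? ok == n : 2 * ok > n;
}

/* Enable circuit FS_1: AND of the control signal with F_1. The value returned
 * is what reaches the actuator Akt_1 (0 = not actuated). */
static int32_t enable_circuit(int32_t a_11, bool f_1)
{
    return f_1 ? a_11 : 0;
}

/* One monitoring cycle. fault_offset != 0 models a faulty Pro_1 that emits a
 * wrong A_11; faulty_monitor >= 0 models one Pro_m whose status bit is wrong. */
static int32_t monitored_cycle(int32_t pedal_pos, int32_t wheel_speed,
                               int32_t fault_offset, int faulty_monitor,
                               eval_mode_t mode)
{
    int32_t a_11 = compute_control(pedal_pos, wheel_speed) + fault_offset;
    bool sf[N_MODULES - 1];
    for (int m = 0; m < N_MODULES - 1; m++) {
        sf[m] = status_bit(a_11, pedal_pos, wheel_speed);  /* SF_1m over bus K_1 */
        if (m == faulty_monitor)
            sf[m] = !sf[m];
    }
    bool f_1 = evaluate_enable(sf, N_MODULES - 1, mode);
    return enable_circuit(a_11, f_1);
}

int main(void)
{
    printf("healthy Pro_1, AND        -> %d\n", monitored_cycle(50, 30, 0, -1, EVAL_AND));
    printf("faulty Pro_1, AND         -> %d\n", monitored_cycle(50, 30, 7, -1, EVAL_AND));
    printf("one bad monitor, AND      -> %d\n", monitored_cycle(50, 30, 0, 1, EVAL_AND));
    printf("one bad monitor, majority -> %d\n", monitored_cycle(50, 30, 0, 1, EVAL_MAJORITY));
    return 0;
}
```

With four modules, three status bits come back to P_1. The AND form refuses to release the actuator as soon as any single monitor disagrees, whereas the majority form tolerates one disagreeing monitor; a faulty Pro_1 is blocked under both forms because every healthy monitor then reports a mismatch.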
  • The wheel module R_1 is shown in detail in FIG.
  • Software interfaces SS_1 are provided between the communication controller S_1 and the process computer Pro_1 in order to implement a secure shutdown path via the communication system K_1.
  • The interfaces SS_1 are used to set a control message in the form of a
  • A hardware interface is also required, which is routed from the communication controller S_1 to the enable circuit FS_1.
  • The hardware interface is used in particular in error situations in which the process computer Pro_1 can no longer reliably read the current shutdown vector and the actuator Akt_1 can be switched off by the communication controller S_1.
  • A connection pin F_1 is provided which is connected to the
  • A communication system K_1 already standardized in today's motor vehicles and the associated
  • An enable circuit FS_1 is therefore operated by the process computer Pro_1 on the one hand and by the communication controller S_1 on the other. It is thus possible to switch off the actuator Akt_1 via the communication system K_1 using the switch-off mechanism described in this patent application.
  • The process computer Pro_1 itself can also be coupled to the communication controller S_1 so that the process computer Pro_1 can likewise be switched off, e.g. by coupling to a reset line B of the process computer Pro_1.
  • The realization of the secured shutdown path via the communication system K_1 is possible with almost any control device Pro_1, Pro_m that is connected to a data bus K_1 through its communication controller S_1, S_m.
  • The communication controllers S_1, S_m must implement the shutdown protocol within the communication protocol.
  • The shutdown protocol and the necessary configuration data or interfaces SS_1, F_1 are described below.
  • Static information is stored about which microcomputer system P_m or which process computer Pro_m has permission to switch off the process computer Pro_1 associated with the communication controller S_1.
  • The static information is stored, for example, in a flash EPROM (Erasable and Programmable Read Only Memory) in the communication controllers S_1.
  • This static information can consist of the following contents: an identifier of the local communication controller S_1, which for some protocols, e.g. TTP/C, already exists; and a local (individual) list of identifiers of communication controllers S_m whose switch-off message may lead to switching off the local process computer Pro_1, or the actuators Akt_1 controlled by it, via the communication controller S_1.
  • The list is preferably limited in the number of authorized communication controllers, e.g. to three entries.
  • The shutdown vector is a bit vector and represents the m participants in the entire distributed safety-relevant system.
  • A certain bit position is the identifier of a certain
  • The shutdown vector can have two states per control unit P_1,
  • The shutdown vector can be shortened for reasons of limited bandwidth or a limited amount of protocol data (control data for the protocol sequence, which are sent together with the user data in a message packet via the communication system K_1). Only selected control devices P_1, P_m are then represented in the shutdown vector.
  • Information is also accessed as to whether the sender of a shutdown vector is connected to the communication system K_1 and is actively involved in communication via the communication system K_1.
  • Some communication protocols provide this information as standard. This functionality is also referred to in the communication protocols as a subscriber service or membership service. Then these are
  • control device P_1, P_m. If a control device P_1, P_m is designated as inactive by this decision, this control device may no longer actively participate in the communication.
  • The responsible process computer Pro_1, Pro_m recognizes this state and must take measures to switch the communication controller S_1, S_m assigned to it active again (restart and resynchronization).
  • The mechanism for determining the active participants (membership) is carried out continuously and is part of the actual communication protocol.
  • The membership information is available in the communication system K_1 in the form of a membership vector Me.
  • The starting situation for carrying out the method according to the invention is an active distributed system with functioning participants (in FIGS. 4 and 5: the communication controllers S_1, S_m and their control devices P_1, P_m or process computers Pro_1, Pro_m).
  • The membership information Me is therefore "1" for each subscriber, and there is no request for a shutdown (shutdown vector Ab).
  • This starting situation is shown in step 1) of FIGS. 4 and 5 for a distributed system with four subscribers A, B, C, D.
  • Figure 4 relates to a switch-off protocol with only one authorized subscriber (subscriber A may only be switched off by subscriber D).
  • Figure 5 relates to a switch-off protocol with three authorized subscribers and an absolute majority (subscriber A is switched off if at least two of the three other participants B, C, D vote for switching off participant A).
  • The shutdown vector Ab represents a shutdown command from an authorized control device P_m for a specific control device P_1 as soon as the bit position for this control device P_1 is set to "1".
  • The shutdown vector is encoded by the communication protocol at the sender P_m together with the other control data of a message and sent (see step 2) in Figures 4 and 5).
  • The communication system K_1 is based on multicast messages. It can be assumed that each active control unit P_1, P_m receives all messages that are sent and recognized as error-free, and then starts its local protocol mechanisms. Special cases in which the correctness of a message is only decided after a certain number of further transmission processes (e.g. with TTP/C) must be treated separately: in such a case the received shutdown vector is to be regarded as invalid until this final decision.
  • The communication controller S_1 takes the shutdown vector Ab from the received protocol data.
  • The authorization can be checked at the recipient S_1.
  • The recipient S_1 knows the identifier of the sender P_m of the message from the connection between the time of transmission, the message identifier and the static information on the shutdown authorization. If the identity of the sender P_m is not clearly defined by this, the identifier of the sender P_m must also be transmitted in addition to the shutdown vector Ab.
  • In the shutdown vector Ab of subscriber D, a bit position is set that corresponds to the identifier of subscriber A.
  • Subscriber D is entered as authorized to switch off. For this reason, in step 3) the process computer of subscriber A and/or the actuator controlled by it is switched off.
  • The communication controller S_1 sets the status of the shutdown vector Ab in the software interface SS_1 to the current status (cf. step 3) in FIG. 4 and SS_1 in FIG. 3).
  • The communication controller S_1 sets the switch-off level at the connection pin provided on the hardware interface in order to initiate the switching off of the actuators via the enable circuit FS_1 (cf. step 3) in FIG. 4 and signals F_1 and B in FIG. 3).
  • The communication controller S_1 changes to a passive state, i.e. it no longer takes part in communication via the communication system K_1. This signals to the other participants B, C, D that the entire node (including the control unit, the actuators, the sensors and the communication controller of participant A) is no longer available.
  • Subscriber A is only switched off if, on the one hand, the bit position set in the shutdown vector Ab matches the identifier of subscriber A and, on the other hand, the authorized subscribers B, C, D agree that subscriber A is to be switched off, with all three subscribers B, C, D being entered in the local authorization list as authorized to switch off subscriber A.
  • The shutdown vectors Ab of the different participants B, C, D must be collected.
  • The shutdown vector Ab of a certain participant B, C or D may only be collected if that participant is marked as active in the membership vector Me of the communication protocol (see steps 3 to 5 in Figure 5). This prevents a situation in which a shutdown of subscriber A would be necessary but one of the subscribers B, C, D is itself inactive and could thus prevent the shutdown of subscriber A, since the shutdown command of the inactive subscriber B, C or D.
  • The voting process is carried out according to a predeterminable decision algorithm.
  • The absolute majority of the active authorized participants B, C, D is chosen for the vote.
  • Another decision algorithm, such as a two-out-of-three selection, can also be implemented.
  • The choice of the decision algorithm to be used can be set in the configuration of the communication controller S_1, e.g. an absolute majority, a two-out-of-three selection or an at-least-one semantics.
  • The communication controller S_1 sets the status of the shutdown vector Ab in the software interface to the current status (cf. step 5) in FIG. 5 and SS_1 in FIG. 3).
  • The communication controller S_1 sets the switch-off level at the connection pin provided in the hardware interface in order to initiate the switching off via the enable circuit FS_1 (step 5) in Figure 5 and signals F_1 and B in Figure 3).
  • The communication controller S_1 changes to a passive state, i.e. it no longer takes part in the communication.
  • This signals to the other participants B, C, D that the entire node comprising the control unit, the actuators, the sensors and the communication controller is no longer available.
  • This causes subscriber A to be deleted from the membership vector Me of the other subscribers B, C, D in the distributed system (cf. step 6) in FIG. 5).
  • The senders (subscribers B, C, D) of the shutdown vector Ab thereby receive confirmation of the success of the shutdown command.
  • Repeated setting of the bit position in the shutdown vector Ab that corresponds to subscriber A is then no longer necessary (cf. step 7) in FIG. 5).
  • Each sender Pro_m of a shutdown vector Ab keeps the bit position corresponding to subscriber A set in its shutdown vector Ab until the confirmation of the successful shutdown of the disconnected subscriber A is transmitted by the absence of subscriber A in the membership vector Me.
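The shutdown protocol described above, as an added C model that is not code from the patent: the receiver-side routine takes the shutdown vector Ab from each received message, discards senders that are not in the static authorization list (limited to three entries) or not active in the membership vector Me, applies the configured decision algorithm (absolute majority of the active authorized participants, two-out-of-three, or at-least-one), and on a positive decision updates SS_1, drives pin F_1 and goes passive; the sender-side rule keeps the target's bit set until the target disappears from Me. Node ids (A=0, B=1, C=2, D=3), the 8-bit vector width, the message layout and all names are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added model of the shutdown protocol (not code from the patent). Node ids
 * (A=0, B=1, C=2, D=3), the 8-bit vector width, the message layout and all
 * names are assumptions made for this illustration. */
#define MAX_NODES 8   /* one bit per participant in Ab and Me */
#define MAX_AUTH  3   /* local authorization list limited to three entries */

typedef enum { DEC_ABSOLUTE_MAJORITY, DEC_TWO_OF_THREE, DEC_AT_LEAST_ONE } decision_t;

/* Static data of the local communication controller S_1 (e.g. held in flash). */
typedef struct {
    uint8_t    id;               /* identifier of the local controller */
    uint8_t    auth[MAX_AUTH];   /* controllers whose Ab may switch us off */
    int        n_auth;
    decision_t policy;           /* decision algorithm configured in S_1 */
} cc_config_t;

/* Dynamic state: software interface SS_1 and hardware interface pin F_1. */
typedef struct {
    uint8_t ss_shutdown_vector;  /* SS_1: shutdown status made readable to Pro_1 */
    bool    pin_f_off;           /* level on pin F_1 towards enable circuit FS_1 */
    bool    passive;             /* S_1 has withdrawn from communication */
} cc_state_t;

/* Protocol data of one received message: sender id and shutdown vector Ab. */
typedef struct { uint8_t sender; uint8_t ab; } ab_msg_t;

static bool is_authorized(const cc_config_t *cfg, uint8_t sender)
{
    for (int i = 0; i < cfg->n_auth; i++)
        if (cfg->auth[i] == sender) return true;
    return false;
}

/* Receiver side (S_1): collect Ab only from authorized senders that are active
 * in the membership vector `me` (bit i set = participant i active), then apply
 * the configured decision algorithm. Returns true when the node switches off. */
static bool receive_round(const cc_config_t *cfg, cc_state_t *st, uint8_t me,
                          const ab_msg_t *msgs, int n_msgs)
{
    if (st->passive) return true;                  /* already switched off */
    int votes = 0, active_auth = 0;
    uint8_t seen = 0;
    for (int i = 0; i < cfg->n_auth; i++)          /* majority is over active ones */
        if (me & (1u << cfg->auth[i])) active_auth++;
    for (int i = 0; i < n_msgs; i++) {
        uint8_t s = msgs[i].sender;
        if (!is_authorized(cfg, s) || !(me & (1u << s)) || (seen & (1u << s)))
            continue;                              /* unauthorized, inactive or duplicate */
        seen |= (uint8_t)(1u << s);
        if (msgs[i].ab & (1u << cfg->id)) votes++; /* our bit position is set */
    }
    bool off;
    switch (cfg->policy) {
    case DEC_ABSOLUTE_MAJORITY: off = active_auth > 0 && 2 * votes > active_auth; break;
    case DEC_TWO_OF_THREE:      off = votes >= 2; break;
    default:                    off = votes >= 1; break;   /* at-least-one */
    }
    if (off) {                                     /* steps 3) / 5) in the figures */
        st->ss_shutdown_vector = (uint8_t)(1u << cfg->id);
        st->pin_f_off = true;
        st->passive = true;
    }
    return off;
}

/* Sender side (Pro_m): keep the target's bit set in our Ab until the target's
 * absence from the membership vector confirms the shutdown (step 7). */
static uint8_t sender_update_ab(uint8_t ab, uint8_t target, uint8_t me)
{
    if (me & (1u << target)) return ab | (uint8_t)(1u << target);
    return ab & (uint8_t)~(1u << target);
}

/* Scenario helper: does node `local` switch off? `auth_mask` and `requesters`
 * are bitmasks of node ids; each requester sends Ab with bit `local` set. */
static bool decide(uint8_t local, uint8_t auth_mask, decision_t policy,
                   uint8_t me, uint8_t requesters)
{
    cc_config_t cfg = { .id = local, .n_auth = 0, .policy = policy };
    cc_state_t st = { 0 };
    ab_msg_t msgs[MAX_NODES];
    int n_msgs = 0;
    for (uint8_t n = 0; n < MAX_NODES; n++) {
        if ((auth_mask & (1u << n)) && cfg.n_auth < MAX_AUTH)
            cfg.auth[cfg.n_auth++] = n;
        if (requesters & (1u << n))
            msgs[n_msgs++] = (ab_msg_t){ n, (uint8_t)(1u << local) };
    }
    return receive_round(&cfg, &st, me, msgs, n_msgs);
}

int main(void)
{
    /* Figure 4: A may only be switched off by D.  Figure 5: B, C, D vote. */
    printf("fig4 D requests      : %d\n", decide(0, 0x08, DEC_AT_LEAST_ONE, 0x0F, 0x08));
    printf("fig5 B+C request     : %d\n", decide(0, 0x0E, DEC_ABSOLUTE_MAJORITY, 0x0F, 0x06));
    printf("fig5 B alone         : %d\n", decide(0, 0x0E, DEC_ABSOLUTE_MAJORITY, 0x0F, 0x02));
    printf("fig5 D inactive, B+C : %d\n", decide(0, 0x0E, DEC_ABSOLUTE_MAJORITY, 0x07, 0x06));
    return 0;
}
```

The membership check matters in two directions: a vote from an authorized participant that Me marks inactive is not collected, and that participant is also left out of the denominator, so an inactive authorized node can neither force nor block the shutdown of subscriber A. A request from a node outside the local authorization list is ignored regardless of the decision algorithm.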

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Automation & Control Theory (AREA)
  • Theoretical Computer Science (AREA)
  • Mechanical Engineering (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Medical Informatics (AREA)
  • General Health & Medical Sciences (AREA)
  • Signal Processing (AREA)
  • Transportation (AREA)
  • Computing Systems (AREA)
  • Quality & Reliability (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Safety Devices In Control Systems (AREA)
  • Hardware Redundancy (AREA)
  • Programmable Controllers (AREA)

Abstract

The present invention relates to a method for operating a distributed safety-relevant system, in particular an X-by-Wire system in a motor vehicle. The distributed system comprises at least one first process computer (Pro_1) for controlling a component (Akt_1) of the system, and at least one further process computer (Pro_m). The process computers (Pro_1, Pro_m) are each connected to a communication system (K_1) via a communication controller (S_1, S_m). The operability of the first process computer(s) (Pro_1) is checked by the further process computer(s) (Pro_m). This method also corresponds to a distributed monitoring concept. According to the invention, a mechanism allows the safe shutdown of at least one faulty first process computer (Pro_1) via at least one of the further process computers (Pro_m), which makes it possible to improve the communication protocol of the communication system (K_1) and thus to implement a distributed monitoring concept.
EP02726060A 2001-03-15 2002-03-14 Procede de fonctionnement d'un systeme de securite distribue Withdrawn EP1370914A1 (fr)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
DE10112911 2001-03-15
DE10112911 2001-03-15
PCT/DE2002/000915 WO2002075464A1 (fr) 2001-03-15 2002-03-14 Procede de fonctionnement d'un systeme de securite distribue

Publications (1)

Publication Number Publication Date
EP1370914A1 true EP1370914A1 (fr) 2003-12-17

Family

ID=7677840

Family Applications (1)

Application Number Title Priority Date Filing Date
EP02726060A Withdrawn EP1370914A1 (fr) 2001-03-15 2002-03-14 Procede de fonctionnement d'un systeme de securite distribue

Country Status (5)

Country Link
US (1) US20030184158A1 (fr)
EP (1) EP1370914A1 (fr)
JP (1) JP2004519060A (fr)
DE (2) DE10211279A1 (fr)
WO (1) WO2002075464A1 (fr)

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE10248456A1 (de) * 2001-10-19 2003-06-18 Denso Corp Fahrzeugkommunikationssystem
DE10235527C1 (de) * 2002-08-03 2003-10-09 Daimler Chrysler Ag Vorrichtung und Verfahren zur redundanten Spannungsversorgung sicherheitsrelevanter Systeme
WO2005053223A2 (fr) * 2003-11-19 2005-06-09 Honeywell International Inc. Unite d'interface anneau
DE102005018837A1 (de) * 2005-04-22 2006-10-26 Robert Bosch Gmbh Verfahren und Vorrichtung zur Synchronisation zweier Bussysteme sowie Anordnung aus zwei Bussystemen
DE102009005266A1 (de) 2009-01-20 2010-07-22 Continental Teves Ag & Co. Ohg Anbindung eines Kommunikationscontrollers in Sicherheitsarchitekturen
FR2944612A3 (fr) * 2009-04-15 2010-10-22 Renault Sas Architecture de commande electronique d'un vehicule automobile.
DE102010054188A1 (de) 2010-07-27 2012-02-02 Volkswagen Aktiengesellschaft Verfahren und Rechnerverbund zur Steuerung eines Elektromotors
DE102010039858A1 (de) 2010-08-27 2011-09-15 Robert Bosch Gmbh Watchdog-Funktion
DE102010039860A1 (de) 2010-08-27 2012-03-01 Robert Bosch Gmbh Komponentenüberwachung in einem elektrisch betriebenen Fahrzeug
DE102011118172A1 (de) 2011-11-10 2013-05-16 Volkswagen Aktiengesellschaft Notlaufbetrieb eines Elektromotors
US10112606B2 (en) 2016-01-22 2018-10-30 International Business Machines Corporation Scalable sensor fusion and autonomous x-by-wire control
US10269192B2 (en) 2017-04-07 2019-04-23 Airbiquity Inc. Technologies for verifying control system operation
EP3492999A1 (fr) * 2017-11-30 2019-06-05 Siemens Aktiengesellschaft Procédé destiné au fonctionnement d'un système de communication, système de communication et dispositif de communication
DE102019207809A1 (de) * 2019-05-28 2020-12-03 Siemens Mobility GmbH Steueranlage und Verfahren zum Betreiben einer Steueranlage

Family Cites Families (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE4022671A1 (de) * 1990-07-17 1992-01-23 Wabco Westinghouse Fahrzeug Elektronisches bremssystem fuer stassenfahrzeuge
DE4339570B4 (de) * 1993-11-19 2004-03-04 Robert Bosch Gmbh Elektronisches Bremssystem
DE19510525A1 (de) * 1995-03-23 1996-09-26 Bosch Gmbh Robert Verfahren und Vorrichtung zur Steuerung bzw. Regelung der Bremsanlage eines Fahrzeugs
US5924774A (en) * 1995-11-30 1999-07-20 Zeftron, Inc. Electronic pneumatic brake system
DE19742988C1 (de) * 1997-09-29 1999-01-28 Siemens Ag Bremsanlage für ein Kraftfahrzeug
US6002970A (en) * 1997-10-15 1999-12-14 International Business Machines Corp. Method and apparatus for interface dual modular redundancy
US6748438B2 (en) * 1997-11-17 2004-06-08 International Business Machines Corporation Method and apparatus for accessing shared resources with asymmetric safety in a multiprocessing system
DE19800311A1 (de) * 1998-01-07 1999-07-08 Itt Mfg Enterprises Inc Elektronische, digitale Einrichtung
DE19826131A1 (de) * 1998-06-12 1999-12-16 Bosch Gmbh Robert Elektrisches Bremssystem für ein Kraftfahrzeug
GB2339869B (en) * 1998-07-20 2002-05-15 Motorola Ltd Fault-tolerant electronic braking system
DE19840484A1 (de) * 1998-09-04 2000-03-09 Bosch Gmbh Robert Fahrzeugrechneranordnung
GB2345161A (en) * 1998-12-23 2000-06-28 Motorola Ltd Microprocessor module and method
US6212457B1 (en) * 1999-08-05 2001-04-03 Trw Inc. Mixed parallel and daisy chain bus architecture in a vehicle safety system
DE19937156A1 (de) * 1999-08-06 2001-02-08 Bosch Gmbh Robert Elektrisch gesteuertes, dezentrales Steuersystem in einem Fahrzeug
DE19939567B4 (de) * 1999-08-20 2007-07-19 Pilz Gmbh & Co. Kg Vorrichtung zum Steuern von sicherheitskritischen Prozessen
DE60011583T2 (de) * 1999-12-15 2004-11-04 Delphi Technologies, Inc., Troy Hardwaretopologien für elektrisch betätigte Bremssättel und Lenkmotor eines Sicherheitssystems
EP1257903A4 (fr) * 2000-02-01 2004-10-13 Delphi Tech Inc Architecture de commande par transmission electrique a modules multiples
JP4727896B2 (ja) * 2001-06-27 2011-07-20 ローベルト ボッシュ ゲゼルシャフト ミット ベシュレンクテル ハフツング システムの機能性の監視方法,その監視装置,メモリ素子,コンピュータプログラム

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO02075464A1 *

Also Published As

Publication number Publication date
US20030184158A1 (en) 2003-10-02
WO2002075464A1 (fr) 2002-09-26
DE10291113D2 (de) 2004-04-15
JP2004519060A (ja) 2004-06-24
DE10211279A1 (de) 2002-09-26

Similar Documents

Publication Publication Date Title
DE102017209721B4 (de) Vorrichtung für die Steuerung eines sicherheitsrelevanten Vorganges, Verfahren zum Testen der Funktionsfähigkeit der Vorrichtung, sowie Kraftfahrzeug mit der Vorrichtung
EP0925674B1 (fr) Procede de controle des liaisons d'un systeme de transmission et composants correspondants
DE19634567B4 (de) Elektrisches Bremssystem
EP0979189B1 (fr) Dispositif de commutation pour systeme de regulation pour vehicule a moteur
EP1763454B1 (fr) Systeme redondant de bus de donnees
EP1370914A1 (fr) Procede de fonctionnement d'un systeme de securite distribue
DE102007036259A1 (de) Bremssystem für ein Fahrzeug und ein Verfahren zum Betreiben eines Bremssystems für ein Fahrzeug
EP1533673A2 (fr) système de commande
EP2176106A1 (fr) Système de freinage pour véhicule et procédé d'exploitation d'un système de freinage pour véhicule
EP3385934B1 (fr) Dispositif de commande d'un processus relatif à la sécurité, procédé d'essai de la capacité de fonctionnement dudit dispositif ainsi que véhicule doté dudit dispositif
EP1615811B1 (fr) Systeme de freinage electrique decentralise pour un vehicule
DE10152235A1 (de) Verfahren zum Erkennen von Fehlern bei der Datenübertragung innerhalb eines CAN-Controllers und ein CAN-Controller zur Durchführung dieses Verfahrens
EP1401690A1 (fr) Procede pour amorcer le composant d'un systeme reparti de securite
EP1814765B1 (fr) Procede et dispositif de verrouillage d'une colonne de direction
DE10236080A1 (de) Verfahren und Vorrichtung zur Steuerung von Betriebsabläufen, insbesondere in einem Fahrzeug
WO2011048145A1 (fr) Système d'automatisation et procédé pour faire fonctionner un système d'automatisation
DE102008029948B4 (de) Überwachungssystem
EP1962193B1 (fr) Dispositif de circuit pour la commande d'une charge et procédé correspondant
EP3871393B1 (fr) Procédé de surveillance d'un système de transmission de données, système de transmission de données et véhicule à moteur
WO2006024447A1 (fr) Gestion d'energie basee sur un anneau logique
EP3096970B1 (fr) Procédé de fonctionnement d'un réseau haute tension d'un véhicule à moteur et véhicule à moteur
EP1447830B1 (fr) Dispositif de commutation pour le codage de différents états
DE102021127310B4 (de) System und Verfahren zur Datenübertragung
EP4187858A1 (fr) Unité de commande secondaire pour un véhicule doté d'une unité de commande primaire et d'un chemin de transmission de données
WO2024061559A1 (fr) Système de réseau de remorque pour une communication de données dans une remorque, remorque le comprenant, et procédé associé

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20031015

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE TR

AX Request for extension of the european patent

Extension state: AL LT LV MK RO SI

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20081001