EP1401690A1 - Method for actuating a component of a distributed security system - Google Patents

Method for actuating a component of a distributed security system

Info

Publication number
EP1401690A1
Authority
EP
European Patent Office
Prior art keywords
microcomputer
component
akt
signal
control signal
Prior art date
Legal status
Withdrawn
Application number
EP02729790A
Other languages
German (de)
French (fr)
Inventor
Hans Heckmann
Reinhard Weiberle
Bernd Kesch
Peter Blessing
Current Assignee
Robert Bosch GmbH
Original Assignee
Robert Bosch GmbH

Classifications (CPC leaf codes)

    • G06F11/1637 Error detection by comparing the output of redundant processing systems using additional compare functionality in one or some but not all of the redundant processing components
    • G06F11/18 Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits
    • G06F11/182 Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits based on mutual exchange of the output between redundant processing components
    • G05B9/03 Safety arrangements, electric, with multiple-channel loop, i.e. redundant control systems
    • B60T7/042 Brake-action initiating means for personal initiation, foot actuated, by electrical means, e.g. using travel or force sensors
    • B60T8/885 Arrangements for adjusting wheel-braking force responsive to a speed condition, with failure responsive means, i.e. means for detecting and indicating faulty operation of the speed responsive control means, using electrical circuitry
    • B60T13/74 Transmitting braking action from initiating means to ultimate brake actuator with power assistance or drive, with electrical assistance or drive
    • B60T13/741 Transmitting braking action from initiating means to ultimate brake actuator with electrical assistance or drive acting on an ultimate actuator
    • B60T2270/404 Brake-by-wire or X-by-wire failsafe
    • B60T2270/82 Brake-by-Wire, EHB
    • B60G2600/042 Monitoring means (suspension control systems)
    • B60G2600/08 Failure or malfunction detecting means (suspension control systems)
    • B60G2800/80 Detection or control after a system or component failure
    • B60W2050/0005 Processor details or data handling, e.g. memory registers or chip architecture
    • B60W2050/0045 Signal treatments in digital systems using databus protocols
    • B60W2050/021 Means for detecting failure or malfunction
    • B60W2050/0292 Fail-safe or redundant systems, e.g. limp-home or backup systems
    • B60W2050/041 Built in Test Equipment [BITE]

Definitions

  • The present invention relates to a method for controlling a component of a distributed safety-relevant system, in particular a component of an X-by-wire system in a motor vehicle.
  • The component is controlled by a first control module assigned to the component with at least one first microcomputer system. The control of the component comprises the following steps:
  • b) at least one logical control signal is determined by a monitoring unit independent of the microcomputer system as a function of the at least one input signal; c) comparing the at least one control signal with the at least one logical control signal;
  • The invention also relates to a computer program that can run on a microcomputer system of a control module.
  • The control module is provided for controlling a component of a distributed safety-relevant system, in particular a component of an X-by-wire system in a motor vehicle.
  • A method of the type mentioned is known, for example, from DE 198 26 131 A1.
  • The distributed safety-relevant system is described there as an electrical braking system of a motor vehicle.
  • The components are designed as the brakes of the motor vehicle or, more precisely, as actuators for controlling the brakes.
  • Such a system is safety-relevant to a high degree, since faulty control of the components, in particular faulty actuation of the brakes, can lead to an unforeseeable safety risk. For this reason, incorrect control of the components must be excluded with certainty.
  • Essential features of the known brake system are a pedal module for central recording of the driver's request, four wheel modules for wheel-specific control of the brake actuators and a processing module for calculating higher-level brake functions. Communication between the individual modules can be achieved through one or more communication systems.
  • In FIG. 2 of the present patent application, the internal structure of a wheel module with various logical levels is shown as an example.
  • The logical level L1 includes at least the calculation of the control functions for the wheel brakes, while the logical levels L2 to L4 contain various functions for computer monitoring and for checking the function of L1.
  • The control of the brakes, or of the electric motors for actuating the brake shoes, comprises the following steps, which are the same for each wheel module:
  • The input signals are made available to the microcomputer system (R_1A) via a communication system (K_1), for example a bus system.
  • At least one logical control signal is at least partially determined by a monitoring unit (R_1B), which is independent of the first microcomputer system (R_1A), as a function of the at least one input signal.
  • The monitoring unit (R_1B) is used in particular to detect systematic (so-called common-mode) errors. Faults in the power supply are an example of such faults.
  • The monitoring unit (R_1B) is an independent one
  • The monitoring unit (R_1B) can also be designed as a hardware module without its own processor, which, however, can perform specific logic functions or, if it has a register, even switching functions.
  • Such a hardware module is, for example, an ASIC (Application-Specific Integrated Circuit), an FPGA (Field-Programmable Gate Array) or a monitoring circuit (so-called watchdog).
  • A disadvantage of the prior art is that the logical level L4 is always implemented in a separate component, which, for example in the wheel modules of an electrical braking system, must also be provided several times within the distributed safety-relevant system.
  • The present invention is based on the object of simplifying the structure of a distributed safety-relevant system while at least maintaining the achievable safety when the components are released.
  • Based on the method of the type mentioned at the outset, the invention proposes that the safety-relevant system has, in addition to the first microcomputer system, at least one further microcomputer system which is connected to the first microcomputer system for the purpose of data transmission, and that at least one of steps b) to d) is executed in at least one of the further microcomputer systems.
  • A program code is processed on the microprocessor of the first microcomputer system in order to determine the control signal for the component as a function of the input signals.
  • The program code is also processed on at least one of the further microcomputer systems in order to determine the logical control signal for the component as a function of the same input signals. The processing of the program code on the further microcomputer systems can take place e.g. on the microprocessor or on other suitable units (e.g.
  • The input signals are made available to the further microcomputer systems, for example via a data bus, via which the microcomputer systems are connected to one another for the purpose of data transmission.
  • The control signal determined by the first microcomputer system is compared with the logical control signals in order to determine whether the control signal is faulty or not. If all microcomputer systems have matching control signals or logical signals
  • It is proposed that the safety-relevant system have at least one further control module in addition to the first control module, the at least one further microcomputer system being part of the at least one further control module.
  • The distributed safety-relevant system thus comprises a plurality of similar control modules in which the first microcomputer system and the further microcomputer systems are arranged.
  • The control modules generally have similar tasks (for example, activating and releasing a wheel brake depending on the input signals), and the program code for calculating the control signals in the microcomputer systems largely coincides. So if the further microcomputer systems of the other control modules take over the tasks of the monitoring unit, they do not need to have a separate program code available and, if necessary, executed in order to determine the logical control signals. Rather, the program code already available to the further microcomputer systems can be executed, albeit with the input signals of the first microcomputer system.
  • An example of a distributed system on which the method according to this development can be realized is an electrical braking system which has almost identical wheel modules for all wheels of a motor vehicle. In this development, the redundancy that is often contained in distributed systems is used to reduce the effort required to safely control the components.
  • It is proposed that step b) and step c) be carried out in at least one of the further microcomputer systems.
  • The comparison between the control signal and the logical control signals is then carried out in the at least one further microcomputer system.
  • The control signal determined by the first microcomputer system must be transmitted to the at least one further microcomputer system, for example via a data bus that connects the two to one another.
  • Advantageously, the first microcomputer system is connected to a physical bus system via a first communication controller, step b) is executed in at least one of the further microcomputer systems and step c) is executed in the first communication controller.
  • The comparison between the control signal and the logical control signals is then carried out in the first communication controller, via which the first microcomputer system is connected to the bus system.
  • Communication controllers of newer bus systems such as TTCAN (Time Triggered Controller Area Network), TTP/C (Time Triggered Protocol Class C according to SAE) or FlexRay do not simply serve as a "stupid" interface between the microcomputer system and the data bus, but perform their own, sometimes quite complex, processing of the data to be transmitted.
  • The at least one logical control signal must be transmitted from the at least one further microcomputer system to the communication controller, for example via a data bus that connects the two to one another.
  • Step d) is executed in at least one of the further microcomputer systems.
  • At least one enable signal is determined in the further microcomputer systems as a function of the result of the comparison of the control signal and the logical control signal.
  • The control signal determined in the first microcomputer system must be transmitted to the further microcomputer systems, for example via a data bus. It is then compared in the further microcomputer systems with the logical control signals determined there. The release signal is in turn transmitted to the first microcomputer system, for example via a data bus.
  • The at least one control signal, or at least one signal dependent thereon, is then forwarded to the component to be controlled if the release signals determined in the further microcomputer systems have predeterminable values. For example, a simple comparison of the release signals or a majority decision can be made.
  • communication controller is executed. This means that the logical control signals determined in the further microcomputer systems must be transmitted to the first communication controller, for example via a data bus.
  • The implementation of the method according to the invention in the form of a computer program which is capable of running on a microcomputer system of a control module for controlling a component of a distributed safety-relevant system.
  • The computer program is executable on a microprocessor of the microcomputer system and is suitable for executing the method according to the invention.
  • The invention is thus implemented by a computer program, so that the computer program represents the invention in the same way as the method for whose execution the computer program is suitable.
  • It is proposed that the computer program be stored on a memory element, in particular on a flash memory.
  • The computer program is transmitted to the processor command by command or as a whole.
  • The computer program in particular coordinates the data transmission between the various units of the distributed system in such a way that the method according to the invention can be implemented. Which data must be transmitted to which units depends in particular on the units in which steps b) to d) are carried out. However, the computer program also ensures in the various system units that the control signals and the logical control signals are determined and/or compared with one another.
  • FIG. 1 shows a section of a distributed safety-relevant system for implementing a method according to the invention in accordance with a first preferred embodiment;
  • FIG. 2 shows a control module of a distributed safety-relevant system known from the prior art;
  • FIG. 3 shows a section of a distributed safety-relevant system for implementing a method according to the invention in accordance with a second preferred embodiment;
  • FIG. 4 shows a section of a distributed safety-relevant system for implementing a method according to the invention in accordance with a third preferred embodiment.
  • The method according to the invention is explained in more detail below using an electrical braking system.
  • The present invention is, however, not limited to electrical braking systems, but can be used for any distributed safety-relevant system.
  • The present invention permits safe release of components of the safety-relevant system without the use of additional monitoring units. Rather, the tasks of the monitoring units are taken over by units of the safety-relevant system which are present in the system anyway.
  • The braking system comprises a wheel module R_1, R_m for each vehicle wheel to be braked.
  • Each wheel module R_1, R_m comprises a microcomputer system P_1, P_m and an enable circuit FS_1, FS_m.
  • The microcomputer systems P_1, P_m each include a microprocessor Pro_1, Pro_m and an intelligent communication controller S_1, S_m.
  • The microprocessor Pro_1, Pro_m and the communication controller S_1, S_m of a microcomputer system P_1, P_m can be combined on one semiconductor module (so-called chip); in any case, however, they are designed as separate, independent units.
  • Each wheel module R_1, R_m is connected to a physical data bus K_1 via its communication controller S_1, S_m. Data are transmitted via the data bus, for example according to the TTCAN, TTP/C or FlexRay protocol.
  • The wheel modules R_1, R_m each control an actuator Akt_1, Akt_m, which is designed, for example, as an electric motor for applying or releasing the wheel brake.
  • FIG. 1 shows the internal structure of two wheel modules and the signal flow running therein in a method according to the invention in accordance with a first preferred embodiment.
  • The method is used to control the actuator Akt_1 of the electric braking system by the wheel module R_1 or by the microcomputer system P_1. When controlling the actuator Akt_1, it is important to prevent the actuator Akt_1 from being driven by a faulty control signal of the microcomputer system P_1. This means that the control signal should only be forwarded to the actuator Akt_1 if it is sufficiently likely to be error-free.
  • The control of the actuator Akt_1 therefore essentially comprises the following steps:
  • The processor Pro_1 of the microcomputer system P_1 determines, by executing a program code C_1, at least one control signal A_11 for the actuator Akt_1 as a function of at least one input signal E_1.
  • The input signals E_1 contain information about the actual state of the brake system and of the motor vehicle and are transmitted to the first wheel module R_1 via the data bus K_1.
  • A_1m. This presupposes that, in addition to a program code C_m for determining the control signals A_m1 for the actuators Akt_m, the program code C_1 must also be available to the processors Pro_m. In the present example with several identical wheel modules R_1, R_m, this means no or only minimal additional effort, since the program codes C_1, C_m running on the processors Pro_1, Pro_m are essentially the same. So the program code C_m, which is available in the processors Pro_m anyway, can be processed with the input signals E_1 in order to obtain the logical control signals A_1m. This simplification applies to all distributed systems with similar control modules.
  • The input signals E_1 can be transmitted to the microcomputer systems P_m via the data bus K_1. If the microprocessors Pro_1, Pro_m are functioning correctly, the control signals A_11 and the logical control signals A_1m must be identical.
  • The control signal A_11 is compared in the microprocessors Pro_m with the logical control signals A_1m previously determined there. For this purpose, the control signal A_11 must be transmitted to the microcomputer systems P_m via the data bus K_1.
  • The microprocessors Pro_m generate status information SF_1m, which in turn is transmitted back to the first microcomputer system P_1 via the data bus K_1.
  • The status information consists, for example, of one or more bits. It is conceivable to include the status information SF_1m in the protocol of the data bus for transmission to the first microcomputer system P_1.
  • The communication controller S_1 of the first microcomputer system P_1 evaluates the incoming status information SF_1m and generates an enable signal F_1 in the event of a corresponding status (i.e. when correct functioning of the microprocessor Pro_1 is signaled).
  • The status information SF_1m can be evaluated in different ways. For example, the evaluation can be a comparison, a logical combination (preferably an AND) or a majority decision of the status information SF_1m.
  • The at least one control signal A_11, or at least one signal dependent on it, is forwarded to the actuator Akt_1 if the at least one enable signal F_1 has a predeterminable value.
  • In the enable circuit FS_1, the control signal A_11 is AND-combined with the enable signal F_1. If that
  • The functionality of the processor Pro_1 of the microcomputer system P_1 can be checked and a safe release of the actuator Akt_1 can be achieved.
  • To check the processor Pro_1, mainly the processors Pro_m of the further microcomputer systems P_m are used. In the same way, however, the method according to the invention can also be used to check the functionality of the processors Pro_m of the further microcomputer systems P_m and to safely release the actuators Akt_m. Then the other processors Pro_m (without the processor to be checked) and the processor Pro_1 of the first microcomputer system P_1 are used for the check.
  • FIG. 3 shows the internal structure of two wheel modules and the signal flow running therein in a method according to the invention in accordance with a second preferred embodiment. This method differs from the method shown in FIG. 1 in particular in that step c) is carried out in the communication controller S_1 of the first microcomputer system P_1.
  • The logical control signals A_1m determined in the processors Pro_m of the further microcomputer systems P_m in step b) are transmitted to the first microcomputer system P_1 via the data bus K_1. There, the logical control signals A_1m are compared in the communication controller S_1 of the first microcomputer system P_1 with the at least one control signal A_11 (step c)). Depending on the result of the comparison, status information SI_1m is determined in the communication controller S_1, from which the release signal F_1 is then determined, or else the release signal F_1 is determined immediately (step d)).
  • FIG. 4 shows the internal structure of two wheel modules and the signal flow running therein in a method according to the invention in accordance with a third preferred embodiment. This method differs from the methods shown in FIG. 1 and FIG. 3 in particular in that step d) is carried out in the release circuit FS_1 of the first wheel module R_1.
  • In step c), a comparison is carried out in the microprocessors Pro_m of the further microcomputer systems P_m between the control signal A_11 and the logical control signals A_1m previously determined there.
  • The microprocessors Pro_m generate status information SF_1m, which is transmitted via the data bus K_1 to the first microcomputer system P_1 and from there to the release circuit FS_1. This evaluates the status information SF_1m, SF_1x coming from all further microcomputer systems P_m and forwards the at least one control signal A_11, or at least one signal dependent thereon, to the actuator Akt_1 if the status information SF_1m, SF_1x has a corresponding status.
  • Status information SI_1m can first be determined in the enable circuit FS_1, from which the enable signal F_1 is then determined.
  • A so-called voting mechanism is used to evaluate the status information SF_1m, SF_1x in the enable circuit FS_1. With only two control signals A_11, A_12, the voting mechanism is an AND operation of the two signals A_11 and SF_1m. If there are several control signals A_11, A_1m, the voting mechanism can be a majority decision.

Abstract

The invention relates to a method for actuating a component (Akt 1) of a distributed security system, especially a component (Akt 1) of an X-by-wire system in a motor vehicle. Said component (Akt 1) is actuated by a first actuating module (R 1) associated with the component (Akt 1), using at least one first microcomputer system (P 1). A monitoring unit which is independent from the first microcomputer system (P 1) is provided for monitoring the same (P 1). According to the invention, the distributed security system comprises, along with the first microcomputer system (P 1), at least one other microcomputer system (P m) which is connected to said first microcomputer system (P 1), for example by means of a physical data bus (K l), for the transmission of data. The other microcomputer systems (P m) thus take on the tasks of the monitoring unit. A separate monitoring unit is therefore not required.

Description

Method for controlling a component of a distributed safety-relevant system
Prior art
The present invention relates to a method for controlling a component of a distributed safety-relevant system, in particular a component of an X-by-wire system in a motor vehicle. The component is controlled by a first control module, assigned to the component, having at least one first microcomputer system. Controlling the component comprises the following steps:
a) determining at least one control signal for the component by the first microcomputer system as a function of at least one input signal;
b) determining at least one logical control signal, the at least one logical control signal being determined at least partly by a monitoring unit independent of the first microcomputer system as a function of the at least one input signal;
c) comparing the at least one control signal with the at least one logical control signal;
d) determining at least one release signal as a function of the result of the comparison; and
e) forwarding the at least one control signal, or at least one signal dependent on it, to the component if the at least one release signal has a predefinable value.
The invention also relates to a computer program that can run on a microcomputer system of a control module. The control module is intended for controlling a component of a distributed safety-relevant system, in particular a component of an X-by-wire system in a motor vehicle.
A method of the type mentioned at the outset is known, for example, from DE 198 26 131 A1. In that document the distributed safety-relevant system is described as an electric braking system of a motor vehicle. The components are the brakes of the vehicle or, more precisely, the actuators that operate the brakes. Such a system is highly safety-relevant, since faulty control of the components, in particular faulty actuation of the brakes, can lead to an unforeseeable safety risk. For this reason faulty control of the components must be ruled out with certainty.
Essential features of the known braking system are a pedal module for central acquisition of the driver's request, four wheel modules for wheel-specific control of the brake actuators, and a processing module for computing higher-level braking functions. The individual modules can communicate with one another via one or more communication systems. FIG. 2 of the present patent application shows, by way of example, the internal structure of a wheel module with various logical levels. Logical level L1 comprises at least the computation of the open-loop and closed-loop control functions for the wheel brakes, while logical levels L2 to L4 contain various functions for computer monitoring and for checking the functions of L1.
For each wheel module alike, controlling the brakes, or the electric motors that operate the brake shoes, comprises the following steps:
a) determining at least one control signal (f_1) for the brake by a first microcomputer system (R_1A) as a function of at least one input signal (a_R2, a_R3, a_R4; a_V,ref; s_R2, s_R3, s_R4; Δs_V,ref; v_F; n_1; F_1i; s_1H). The input signals are made available to the microcomputer system (R_1A) via a communication system (K_1), for example a bus system.
b) determining at least one logical control signal (e_1H). The logical control signal (e_1H) is determined at least partly by a monitoring unit (R_1B), independent of the first microcomputer system (R_1A), as a function of the at least one input signal.
c) comparing the at least one control signal (f_1) with the at least one logical control signal (e_1H) in a power electronics unit (LE_1K).
d) determining at least one release signal (within the power electronics units LE) as a function of the result of the comparison of the control signal (f_1) and the logical control signal (e_1H); and
e) forwarding the at least one control signal (f_1), or a signal (i_1K) dependent on the control signal (f_1), to the brake, or to an actuator Akt_1 for the brake shoes, if the at least one release signal has a predefinable value.
The monitoring unit (R_1B) serves in particular to detect systematic (so-called common-mode) faults. Faults in the power supply are one example of such faults. In the known braking system the monitoring unit (R_1B) is implemented as an independent microcomputer system. Alternatively, however, the monitoring unit (R_1B) can also be implemented as a hardware module without a processor of its own, which can nevertheless perform specific logic functions or, if it has a register, even switching functions. Examples of such a hardware module are an ASIC (application-specific integrated circuit), an FPGA (field-programmable gate array) or a monitoring circuit (so-called watchdog).
A disadvantage of the prior art is that logical level L4 is always implemented in a separate component, which, for example in the wheel modules of an electric braking system, must moreover be provided several times within the distributed safety-relevant system.
The object of the present invention is to simplify the structure of a distributed safety-relevant system while at least maintaining the achievable safety when the components are released.
To achieve this object, starting from the method of the type mentioned at the outset, the invention proposes that the safety-relevant system has, in addition to the first microcomputer system, at least one further microcomputer system that is connected to the first microcomputer system for the purpose of data transmission, at least one of steps b) to d) being carried out in at least one of the further microcomputer systems.
Advantages of the invention
According to the invention it is therefore proposed to dispense with a separate monitoring unit and instead to have the tasks of the monitoring unit carried out by units of the distributed safety-relevant system that are present in the system anyway. These units must have intelligence of their own so that they can perform their own computations, at least to a limited extent. System units that can take over the tasks of the monitoring unit according to the invention are in particular the microprocessors of one or more further microcomputer systems.
Program code is executed on the microprocessor of the first microcomputer system in order to determine the control signal for the component as a function of the input signals. The same program code is also executed on at least one of the further microcomputer systems in order to determine the logical control signal for the component as a function of the same input signals. On the further microcomputer systems the program code can be executed, for example, on the microprocessor or on other suitable units (e.g. communication controllers) that have sufficient intelligence to execute the program code. The input signals are made available to the further microcomputer systems, for example, via a data bus through which the microcomputer systems are connected to one another for data transmission.
The control signal determined by the first microcomputer system is compared with the logical control signals to establish whether or not the control signal is faulty. If all microcomputer systems determine matching control signals or logical control signals, the control signal can be assumed to be error-free. It goes without saying that the check of the first microcomputer system's correct functioning becomes more reliable as the number of further microcomputer systems that each determine logical control signals increases. If several microcomputer systems monitor one another, it may even be possible to identify or localise a defective microcomputer system.
According to an advantageous development of the present invention it is proposed that the safety-relevant system has, in addition to the first control module, at least one further control module, the at least one further microcomputer system being part of the at least one further control module. According to this development the distributed safety-relevant system thus comprises several similar control modules in which the first microcomputer system and the further microcomputer systems are arranged. The advantage of this development is that the control modules generally have similar tasks (e.g. applying and releasing a wheel brake as a function of certain input signals), and the program code for computing the control signals is largely the same in the microcomputer systems. Thus, if the further microcomputer systems of the further control modules take over the tasks of the monitoring unit, no separate program code needs to be held in them and executed when required to determine the logical control signals. Instead, the program code already present in the further microcomputer systems can be executed, albeit with the input signals of the first microcomputer system. An example of a distributed system on which the method according to this development can be implemented is an electric braking system that has nearly identical wheel modules for all wheels of a motor vehicle. In this development, therefore, the redundancy frequently present in distributed systems is exploited to reduce the effort required for safe control of the components.
According to an advantageous embodiment of the present invention it is proposed that step b) and step c) are carried out in at least one of the further microcomputer systems. According to this embodiment the comparison between the control signal and the logical control signals is thus carried out in the at least one further microcomputer system. For this purpose the control signal determined by the first microcomputer system must be transmitted to the at least one further microcomputer system, for example via a data bus that connects the two.
Advantageously, the first microcomputer system is connected to a physical bus system via a first communication controller, step b) being carried out in at least one of the further microcomputer systems and step c) in the first communication controller. According to this embodiment the comparison between the control signal and the logical control signals is thus carried out in the first communication controller through which the first microcomputer system is connected to the bus system. Communication controllers of newer bus systems such as TTCAN (Time Triggered Controller Area Network), TTP/C (Time Triggered Protocol Class C according to SAE) or FlexRay do not simply serve as a "dumb" interface between the microcomputer system and the data bus; they carry out their own, sometimes quite complex, processing of the data to be transmitted. For this they have intelligence of their own that can perform at least simple operations such as comparisons, and possibly also more complex computations. To implement the comparison in the first communication controller, the at least one logical control signal must be transmitted from the at least one further microcomputer system to the communication controller, for example via a data bus that connects the two.
According to another preferred embodiment of the present invention it is proposed that step d) is carried out in at least one of the further microcomputer systems. Accordingly, at least one release signal is determined in the further microcomputer systems as a function of the result of the comparison of the control signal and the logical control signal. For this purpose the control signal determined in the first microcomputer system must be transmitted to the further microcomputer systems, for example via a data bus. In the further microcomputer systems it is then compared with the logical control signals determined there. The release signal is in turn transmitted to the first microcomputer system, for example via a data bus. The at least one control signal, or at least one signal dependent on it, is then forwarded to the component to be controlled if the release signals determined in the further microcomputer systems have predefinable values. For example, a simple comparison of the release signals or a majority decision can be carried out.
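The comparison, status and voting steps described in the FIG. 4 list above (status SF_1m per further system, AND for two signals, majority for several) and in the preceding paragraph, as an added example that is not part of the patent: a constructed C model in which the control signal A_11 of P_1 is checked against the logical control signals A_1m of the further systems before anything reaches Akt_1. The control law, the input fields, the tolerance parameter and the heuristic for localising a dissenting system are all hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_MONITORS 4  /* at most four wheel modules in the brake example */

/* Constructed input signals of wheel module R_1 (hypothetical names). */
typedef struct {
    int32_t driver_request;  /* brake demand from the pedal module, 0..100 */
    int32_t wheel_speed;     /* speed of this wheel, arbitrary units */
} inputs_t;

/* Outcome of one actuation cycle in the release circuit FS_1. */
typedef struct {
    bool    released;              /* release signal F_1 */
    int32_t actuator_cmd;          /* value forwarded to Akt_1, 0 when blocked */
    size_t  n;                     /* number of further systems P_m consulted */
    bool    status[MAX_MONITORS];  /* status information SF_1m per P_m */
} cycle_t;

/* Steps a) and b): the same program code runs on P_1 and, with P_1's
 * input signals, on every further system P_m. Hypothetical control law. */
int32_t compute_control_signal(const inputs_t *in)
{
    int32_t cmd = in->driver_request * 2;
    if (in->wheel_speed < 5 && cmd > 60)
        cmd = 60;                  /* hypothetical clamp at low speed */
    return cmd;
}

/* Step c): compare A_11 with one logical control signal A_1m; the result
 * is the status information SF_1m (true = agreement within tolerance). */
bool compare_signals(int32_t a_11, int32_t a_1m, int32_t tolerance)
{
    int32_t diff = a_11 > a_1m ? a_11 - a_1m : a_1m - a_11;
    return diff <= tolerance;
}

/* Step d): voting over SF_1m. With a single further system the release is
 * the AND of the two signals; with several, a strict majority of agreeing
 * status values is required. With no monitor at all nothing is released. */
bool vote_release(const bool *status, size_t n)
{
    if (n == 0)
        return false;
    if (n == 1)
        return status[0];
    size_t agree = 0;
    for (size_t i = 0; i < n; i++)
        if (status[i])
            agree++;
    return 2 * agree > n;
}

/* Steps c) to e) for one cycle. a_11 is P_1's control signal (passed in so
 * that a corrupted value can be injected); a_1m[] holds the logical control
 * signals received from the n further systems over the data bus K_1. */
cycle_t actuate_component(int32_t a_11, const int32_t *a_1m, size_t n,
                          int32_t tolerance)
{
    cycle_t r = {0};
    r.n = n > MAX_MONITORS ? MAX_MONITORS : n;
    for (size_t i = 0; i < r.n; i++)
        r.status[i] = compare_signals(a_11, a_1m[i], tolerance);
    r.released = vote_release(r.status, r.n);
    r.actuator_cmd = r.released ? a_11 : 0;   /* step e) */
    return r;
}

/* Mutual monitoring (hypothetical heuristic): if every P_m dissents from
 * P_1, P_1 is the suspect (return 0); if exactly one P_m dissents, that
 * system is the suspect (return its 1-based index m); otherwise return -1
 * (no fault, or a pattern that cannot be localised, which includes the
 * two-signal case where a mismatch cannot be attributed to either side). */
int suspect_system(cycle_t r)
{
    size_t agree = 0, dissenter = 0;
    for (size_t i = 0; i < r.n; i++) {
        if (r.status[i])
            agree++;
        else
            dissenter = i;
    }
    if (agree == r.n || r.n < 2)
        return -1;
    if (agree == 0)
        return 0;
    if (agree == r.n - 1)
        return (int)dissenter + 1;
    return -1;
}

int main(void)
{
    inputs_t in = { 40, 20 };
    int32_t a_11 = compute_control_signal(&in);   /* 80 on P_1 */
    int32_t a_1m[3] = { 80, 80, 75 };  /* constructed: P_4 computed 75 */
    cycle_t r = actuate_component(a_11, a_1m, 3, 1);
    printf("released=%d cmd=%d suspect=%d (0 = P_1, m = P_m, -1 = none)\n",
           r.released, r.actuator_cmd, suspect_system(r));
    r = actuate_component(a_11 + 100, a_1m, 3, 1);  /* corrupted A_11 */
    printf("released=%d cmd=%d suspect=%d\n",
           r.released, r.actuator_cmd, suspect_system(r));
    return 0;
}
```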
According to an alternative embodiment of the present invention it is proposed that the first microcomputer system is connected to a physical bus system via a first communication controller, step d) being carried out in the first communication controller. This means that the logical control signals determined in the further microcomputer systems must be transmitted to the first communication controller, for example via a data bus.
Of particular importance is the implementation of the method according to the invention in the form of a computer program that can run on a microcomputer system of a control module for controlling a component of a distributed safety-relevant system. The computer program can run on a microprocessor of the microcomputer system and is suitable for carrying out the method according to the invention. In this case the invention is thus implemented by a computer program, so that the computer program represents the invention in the same way as the method that the computer program is suitable for carrying out.
According to an advantageous development of the present invention it is proposed that the computer program is stored on a memory element, in particular on a flash memory. To process the computer program and carry out the method according to the invention, the computer program is transferred from the memory element to the processor instruction by instruction or as a whole.
The computer program in particular coordinates the data transmission between the various units of the distributed system in such a way that the method according to the invention can be implemented. Which data must be transmitted to which units depends in particular on the units in which steps b) to d) are carried out. In the various system units, the computer program also ensures that the control signals and the logical control signals are determined and/or compared with one another.
Zeichnungendrawings
Weitere Merkmale, Anwendungsmogl chkeiten und Vorteile der Erfindung ergeben sich aus der nachfolgenden Beschreibung von Ausfuhrungsbeispielen der Erfindung, die der Zeichnung dargestellt sind. Dabei bilden alle beschriebenen oder dargestellten Merkmale für sich oder in beliebiger Kombination den Gegenstand der Erfindung, unabnangig von ihrer Zusammenfassung in den Patentansprüchen ooet deren Ruckbeziehung sowie unabhängig von ihrer Formulierung bzw. Darstellung in der Beschreibung bzw. in der Zeichnung. Es zeigen :Further features, application possibilities and advantages of the invention result from the following description of exemplary embodiments of the invention, which Drawing are shown. All of the described or illustrated features, alone or in any combination, form the subject of the invention, regardless of their summary in the claims or their relationship, and regardless of their wording or representation in the description or in the drawing. Show it :
Figur 1 ein verteiltes sicherheitsrelevantes System im Ausschnitt zur Realisierung eines erf dungsgemaßen Verfahrens gemäß einer ersten bevorzugten Ausfuhrungsform;1 shows a distributed security-relevant system in the cutout for realizing an inventive method according to a first preferred embodiment;
Figure 2 a control module of a distributed safety-relevant system known from the prior art;
Figure 3 a section of a distributed safety-relevant system for implementing a method according to the invention in accordance with a second preferred embodiment; and
Figure 4 a section of a distributed safety-relevant system for implementing a method according to the invention in accordance with a third preferred embodiment.
Description of the exemplary embodiments
The method according to the invention is explained in more detail below using an electric braking system as an example. However, the present invention is not limited to electric braking systems; rather, it can be used for any distributed safety-relevant system. The present invention permits the safe enabling of components of the safety-relevant system without the use of additional monitoring units. Instead, the tasks of the monitoring units are taken over by units of the safety-relevant system that are present in the system anyway.
The braking system comprises a wheel module R_1, R_m for each vehicle wheel to be braked. Each wheel module R_1, R_m comprises a microcomputer system P_1, P_m and an enable circuit FS_1, FS_m. The microcomputer systems P_1, P_m each comprise a microprocessor Pro_1, Pro_m and an intelligent communication controller S_1, S_m. The microprocessor Pro_1, Pro_m and the communication controller S_1, S_m of a microcomputer system P_1, P_m may be combined on one semiconductor device (so-called chip); however, they are always designed as separate units that are independent of one another. Each wheel module R_1, R_m is connected to a physical data bus K_1 via a communication controller S_1, S_m. Data are transmitted over the data bus according to, for example, the TTCAN, TTP/C or FlexRay protocol. The wheel modules R_1, R_m each control an actuator Akt_1, Akt_m, which is designed, for example, as an electric motor for applying or releasing the wheel brakes.
Figure 1 shows the internal structure of two wheel modules and the signal flow within them for a method according to the invention in accordance with a first preferred embodiment. The method serves to control the actuator Akt_1 of the electric braking system by the wheel module R_1, or more precisely by the microcomputer system P_1. When controlling the actuator Akt_1, it is important to prevent the actuator Akt_1 from being driven by a faulty control signal from the microcomputer system P_1. This means that the control signal should only be forwarded to the actuator Akt_1 if it has been established with sufficiently high probability that the signal is error-free. Controlling the actuator Akt_1 therefore essentially comprises the following steps:
a) The processor Pro_1 of the microcomputer system P_1 determines, by executing program code C_1, at least one control signal A_11 for the actuator Akt_1 as a function of at least one input signal E_1. The input signals E_1 contain information about the actual state of the braking system and of the motor vehicle and are transmitted to the first wheel module R_1 via the data bus K_1.
b) The processors Pro_m (e.g. m = 2...4) of the further microcomputer systems P_m likewise determine a logical control signal A_1m by executing the program code C_1 as a function of the input signals E_1. This presupposes that, in addition to the program code C_m for determining the control signals A_m1 for the actuators Akt_m, the program code C_1 must also be available in the processors Pro_m. In the present example with several identical wheel modules R_1, R_m, this means no or only minimal additional effort, since the program codes C_1, C_m running on the processors Pro_1, Pro_m are essentially identical. The program code C_m that is available in the processors Pro_m anyway can therefore be executed with the input signals E_1 in order to obtain the logical control signals A_1m. This simplification applies to all distributed systems with identical control modules. The input signals E_1 can be transmitted to the microcomputer systems P_m via the data bus K_1. If the microprocessors Pro_1, Pro_m are functioning correctly, the control signals A_11 and the logical control signals A_1m must be identical.
c) The control signal A_11 is compared in the microprocessors Pro_m with the logical control signals A_1m determined there beforehand. For this purpose, the control signal A_11 must be transmitted to the microcomputer systems P_m via the data bus K_1. The microprocessors Pro_m generate status information SF_1m, which in turn is transmitted back to the first microcomputer system P_1 via the data bus K_1. The status information consists, for example, of one or more bits. It is conceivable to embed the status information SF_1m in the protocol of the data bus for transmission to the first microcomputer system P_1.
d) The communication controller S_1 of the first microcomputer system P_1 evaluates the incoming status information SF_1m and, if the status is appropriate (i.e. if correct operation of the microprocessor Pro_1 is signalled), generates an enable signal F_1. The status information SF_1m can be evaluated in different ways: for example, by a comparison, by a logical (preferably AND) combination, or by a majority decision over the status information SF_1m.
e) Finally, the at least one control signal A_11, or at least one signal dependent on it, is forwarded to the actuator Akt_1 if the at least one enable signal F_1 has a predeterminable value. To check this, an AND combination of the control signal A_11 and the enable signal F_1 is carried out in the enable circuit FS_1. If the enable signal F_1 is logic "1", the control signal A_11 is forwarded to the actuator Akt_1. If, however, the enable signal F_1 is logic "0", the control signal A_11 is not forwarded to the actuator Akt_1.
By means of the described method according to the invention, the functional capability of the processor Pro_1 of the microcomputer system P_1 can be checked and a safe enabling of the actuator Akt_1 achieved. For checking the processor Pro_1, mainly the processors Pro_m of the further microcomputer systems P_m are used. In the same way, however, the method according to the invention can also be used to check the functional capability of the processors Pro_m of the further microcomputer systems P_m and for the safe enabling of the actuators Akt_m. In that case, the remaining processors Pro_m (excluding the processor being checked) and the processor Pro_1 of the first microcomputer system P_1 are used for the check. Each individual microcomputer system within the safety-relevant distributed braking system thus has, on the one hand, the primary task of determining the control signals A_11, A_m1 for the actuator Akt_1, Akt_m assigned to it and, on the other hand, the secondary task of checking the operation of the remaining processors in fulfilling their primary tasks. Without the use of additional monitoring units, the present invention thus makes possible a safe, and even redundantly effective, enabling of the actuators Akt_1, Akt_m.
Figure 3 shows the internal structure of two wheel modules and the signal flow within them for a method according to the invention in accordance with a second preferred embodiment. This method differs from the method shown in Figure 1 in particular in that step c) is carried out in the communication controller S_1 of the first microcomputer system P_1.
The logical control signals A_1m determined in step b) in the processors Pro_m of the further microcomputer systems P_m are transmitted to the first microcomputer system P_1 via the data bus K_1. There, the logical control signals A_1m are compared with the at least one control signal A_11 in the communication controller S_1 of the first microcomputer system P_1 (step c)). Depending on the result of the comparison, either status information SI_1m is determined in the communication controller S_1, from which the enable signal F_1 is then derived, or the enable signal F_1 is determined directly (step d)).
Figure 4 shows the internal structure of two wheel modules and the signal flow within them for a method according to the invention in accordance with a third preferred embodiment. This method differs from the methods shown in Figure 1 and Figure 3 in particular in that step d) is carried out in the enable circuit FS_1 of the first wheel module R_1.
As step c), a comparison between the control signal A_11 and the logical control signals A_1m determined there beforehand is carried out in the microprocessors Pro_m of the further microcomputer systems P_m. The microprocessors Pro_m generate status information SF_1m, which is transmitted via the data bus K_1 to the first microcomputer system P_1 and from there on to the enable circuit FS_1. The enable circuit evaluates the status information SF_1m, SF_1x arriving from all of the further microcomputer systems P_m and forwards the at least one control signal A_11, or at least one signal dependent on it, to the actuator Akt_1 if the status information SF_1m, SF_1x has an appropriate status. Alternatively, depending on the result of the comparison, status information SI_1m can first be determined in the enable circuit FS_1, from which the enable signal F_1 is then derived. A so-called voting mechanism is used to evaluate the status information SF_1m, SF_1x in the enable circuit FS_1. With only two control signals A_11, A_12, the voting mechanism is an AND combination of the two signals A_11 and SF_1m. With several control signals A_11, A_1m, the voting mechanism can be a majority decision.
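As an added example (not code from the patent or from Robert Bosch GmbH), the following Python simulation runs steps a) to e) for actuator Akt_1 in the Figure 1 and Figure 3 variants, with AND and majority voting for step d); the control law, the input values, the stuck-bit fault model and the bus message log are constructed for illustration.

```python
"""Simulation of steps a) to e) for actuator Akt_1 (added example, not the patent's code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


def program_code(e_1: Dict[str, int]) -> int:
    """Toy program code C_1: brake-force command (0..255) from the input signals E_1.
    The control law is constructed for this example; the patent does not fix one."""
    return max(0, min(255, 2 * e_1["pedal"] + e_1["abs_adjust"]))


@dataclass
class Processor:
    """Microprocessor Pro_i; `fault` optionally corrupts its output (constructed fault injection)."""
    name: str
    fault: Optional[Callable[[int], int]] = None

    def compute(self, e_1: Dict[str, int]) -> int:
        a = program_code(e_1)
        return self.fault(a) if self.fault else a


@dataclass
class Bus:
    """Records every message on the data bus K_1 as (source, destination, signal, value)."""
    log: List[Tuple[str, str, str, int]] = field(default_factory=list)

    def send(self, src: str, dst: str, signal: str, value: int) -> int:
        self.log.append((src, dst, signal, value))
        return value


def vote(status: Dict[str, int], mode: str) -> int:
    """Step d): derive the enable signal F_1 from the status bits SF_1m."""
    bits = list(status.values())
    if mode == "and":
        return int(all(bits))                   # any dissenting checker blocks the enable
    if mode == "majority":
        return int(2 * sum(bits) > len(bits))   # tolerates a minority of faulty checkers
    raise ValueError(f"unknown voting mode {mode!r}")


def control_actuator(pro_1: Processor, checkers: List[Processor], e_1: Dict[str, int],
                     embodiment: str = "fig1", mode: str = "and",
                     bus: Optional[Bus] = None) -> Tuple[Optional[int], int, Dict[str, int]]:
    """Run steps a) to e). "fig1": step c) in the checking processors Pro_m, SF_1m sent back
    over K_1. "fig3": the logical signals A_1m are sent to P_1 and step c) runs in S_1.
    Returns (signal forwarded to Akt_1 or None, F_1, status bits per checker)."""
    bus = bus if bus is not None else Bus()
    a_11 = pro_1.compute(e_1)                                  # step a)
    logical = {p.name: p.compute(e_1) for p in checkers}       # step b): A_1m
    status: Dict[str, int] = {}
    if embodiment == "fig1":
        for p in checkers:                                     # step c) inside each Pro_m
            received = bus.send(pro_1.name, p.name, "A_11", a_11)
            sf_1m = int(received == logical[p.name])
            status[p.name] = bus.send(p.name, pro_1.name, "SF_1m", sf_1m)
    elif embodiment == "fig3":
        for p in checkers:                                     # step c) inside S_1 of P_1
            received = bus.send(p.name, pro_1.name, "A_1m", logical[p.name])
            status[p.name] = int(a_11 == received)
    else:
        raise ValueError(f"unknown embodiment {embodiment!r}")
    f_1 = vote(status, mode)                                   # step d)
    forwarded = a_11 if f_1 == 1 else None                     # step e): enable circuit FS_1
    return forwarded, f_1, status


def stuck_bit(a: int) -> int:
    """Constructed fault model: one output bit is inverted."""
    return a ^ 0x10


def scenarios() -> Dict[str, Tuple[Optional[int], int, Dict[str, int]]]:
    """Healthy case, faulty Pro_1, faulty checker under AND vs. majority voting, Figure 3 variant."""
    e_1 = {"pedal": 50, "abs_adjust": -4}                      # constructed input signals E_1
    healthy = [Processor(f"Pro_{m}") for m in (2, 3, 4)]
    one_bad = [Processor("Pro_2", stuck_bit)] + healthy[1:]
    return {
        "all_ok": control_actuator(Processor("Pro_1"), healthy, e_1),
        "pro_1_faulty": control_actuator(Processor("Pro_1", stuck_bit), healthy, e_1),
        "checker_faulty_and": control_actuator(Processor("Pro_1"), one_bad, e_1, mode="and"),
        "checker_faulty_majority": control_actuator(Processor("Pro_1"), one_bad, e_1, mode="majority"),
        "fig3": control_actuator(Processor("Pro_1"), healthy, e_1, embodiment="fig3"),
    }


if __name__ == "__main__":
    for label, (to_akt_1, f_1, sf) in scenarios().items():
        print(f"{label:24s} F_1={f_1} SF_1m={sf} -> Akt_1 receives {to_akt_1}")
```

The two faulty-checker cases show the trade-off the voting choice encodes: AND blocks a correct A_11 as soon as one checker disagrees, while the majority vote keeps the actuator available when a single checker is wrong.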

Claims

1. Method for controlling a component (Akt_1) of a distributed safety-relevant system, in particular a component (Akt_1) of an X-by-wire system in a motor vehicle, wherein the component (Akt_1) is controlled by a first control module (R_1), assigned to the component (Akt_1), having at least one first microcomputer system (P_1), and wherein controlling the component (Akt_1) comprises the following steps:
a) determining at least one control signal (A_11) for the component (Akt_1) by the first microcomputer system (P_1) as a function of at least one input signal (E_1);
b) determining at least one logical control signal (A_1m), wherein the at least one logical control signal (A_1m) is determined, at least in part, by a monitoring unit independent of the first microcomputer system (P_1) as a function of the at least one input signal (E_1);
c) comparing the at least one control signal (A_11) with the at least one logical control signal (A_12); d) determining at least one enable signal (F_1) as a function of the result of the comparison; and
e) forwarding the at least one control signal (A_11), or at least one signal dependent on it, to the component (Akt_1) if the at least one enable signal (F_1) has a predeterminable value,
characterized in that the safety-relevant system has, in addition to the first microcomputer system (P_1), at least one further microcomputer system (P_m) which is connected to the first microcomputer system (P_1) for the purpose of data transmission, wherein at least one of steps b) to d) is carried out in at least one of the further microcomputer systems (P_m).
2. Method according to claim 1, characterized in that the safety-relevant system has, in addition to the first control module (R_1), at least one further control module (R_m), wherein the at least one further microcomputer system (P_m) is part of the at least one further control module (R_m).
3. Method according to claim 1 or 2, characterized in that step b) and step c) are carried out in at least one of the further microcomputer systems (P_m).
4. Method according to claim 1 or 2, characterized in that the first microcomputer system (P_1) is connected to a physical bus system (K_1) via a first communication controller (S_1), wherein step b) is carried out in at least one of the further microcomputer systems (P_m) and step c) is carried out in the first communication controller (S_1).
5. Method according to one of claims 1 to 4, characterized in that step d) is carried out in at least one of the further microcomputer systems (P_m).
6. Method according to one of claims 1 to 4, characterized in that the first microcomputer system (P_1) is connected to a physical bus system (K_1) via a first communication controller (S_1), wherein step d) is carried out in the first communication controller (S_1).
7. Computer program which is executable on a microcomputer system (P_1) of a control module (R_1), the control module (R_1) being provided for controlling a component (Akt_1) of a distributed safety-relevant system, in particular a component of an X-by-wire system in a motor vehicle, characterized in that the computer program is suitable for carrying out a method according to one of claims 1 to 6 when it runs on the microcomputer system (P_1).
8. Computer program according to claim 9, characterized in that the computer program is stored on a storage element (SP_1, SP_m), in particular on a flash memory.
EP02729790A 2001-03-15 2002-03-14 Method for actuating a component of a distributed security system Withdrawn EP1401690A1 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
DE10112909 2001-03-15
PCT/DE2002/000918 WO2002074596A1 (en) 2001-03-15 2002-03-14 Method for actuating a component of a distributed security system

Publications (1)

Publication Number Publication Date
EP1401690A1 true EP1401690A1 (en) 2004-03-31

Family

ID=7677839

Family Applications (1)

Application Number Title Priority Date Filing Date
EP02729790A Withdrawn EP1401690A1 (en) 2001-03-15 2002-03-14 Method for actuating a component of a distributed security system

Country Status (7)

Country Link
US (1) US20040011579A1 (en)
EP (1) EP1401690A1 (en)
JP (1) JP2004518578A (en)
CN (1) CN1253333C (en)
DE (2) DE10211278A1 (en)
RU (1) RU2284929C2 (en)
WO (1) WO2002074596A1 (en)

Families Citing this family (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE10235527C1 (en) * 2002-08-03 2003-10-09 Daimler Chrysler Ag Arrangement for redundant voltage supply for safety-relevant systems has drive devices connected to communications channel, devices for monitoring voltages on safety-relevant systems
US7350879B2 (en) * 2003-09-29 2008-04-01 Haldex Brake Products Ab Control network for brake system
ATE457909T1 (en) * 2005-07-15 2010-03-15 Siemens Ag CONTROL DEVICE FOR CONTROLLING AN ACTUATOR
US7933696B2 (en) 2006-08-31 2011-04-26 GM Global Technology Operations LLC Distributed arithmetic logic unit security check
DE102007029116A1 (en) * 2007-06-25 2009-01-02 Continental Automotive Gmbh Method for operating a microcontroller and an execution unit and a microcontroller and an execution unit
DE102010029839B4 (en) 2009-06-11 2014-08-28 Mitsubishi Electric Corporation control system
EP2513456B1 (en) * 2009-12-18 2015-02-25 Conti Temic microelectronic GmbH Monitoring computer in a control device
RU2585262C2 (en) * 2010-03-23 2016-05-27 Континенталь Тевес Аг Унд Ко. Охг Control computer system, method of controlling control computer system and use of control computer system
DE102011082943A1 (en) * 2011-09-19 2013-03-21 Siemens Aktiengesellschaft Network device and network arrangement
DE102011083816A1 (en) 2011-09-30 2013-04-04 Rohde & Schwarz Gmbh & Co. Kg Headend with redundancy and associated procedure
DE102014226856A1 (en) * 2014-12-22 2016-06-23 Robert Bosch Gmbh Method and device for operating a braking device, braking device
DE102015202326A1 (en) * 2015-02-10 2016-08-11 Robert Bosch Gmbh Method for operating a data processing unit of a driver assistance system and data processing unit
FR3049075B1 (en) * 2016-03-15 2018-03-09 Sagem Defense Securite ACTUATING DEVICE AND CONTROL CARD AND ASSOCIATED MONITORING
EP3379222B1 (en) 2017-03-22 2020-12-30 Methode Electronics Malta Ltd. Magnetoelastic based sensor assembly
US10670479B2 (en) 2018-02-27 2020-06-02 Methode Electronics, Inc. Towing systems and methods using magnetic field sensing
US11014417B2 (en) 2018-02-27 2021-05-25 Methode Electronics, Inc. Towing systems and methods using magnetic field sensing
US11135882B2 (en) 2018-02-27 2021-10-05 Methode Electronics, Inc. Towing systems and methods using magnetic field sensing
US11084342B2 (en) 2018-02-27 2021-08-10 Methode Electronics, Inc. Towing systems and methods using magnetic field sensing
US11491832B2 (en) 2018-02-27 2022-11-08 Methode Electronics, Inc. Towing systems and methods using magnetic field sensing
US11221262B2 (en) 2018-02-27 2022-01-11 Methode Electronics, Inc. Towing systems and methods using magnetic field sensing

Family Cites Families (28)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPS59155262U (en) * 1983-04-05 1984-10-18 三菱自動車工業株式会社 4-wheel anti-skid brake device
US6125313A (en) * 1990-08-24 2000-09-26 Kanto Seiki Co., Ltd. Air-bag control circuit
US5995892A (en) * 1995-06-12 1999-11-30 Denso Corporation Triggering device for safety apparatus
DE19539070C2 (en) * 1995-10-20 2003-12-18 Bosch Gmbh Robert Arrangement for controlling a triggering device of a restraint system
US6243629B1 (en) * 1996-04-19 2001-06-05 Honda Giken Kogyo Kabushiki Kaisha Electronic control unit for automotive vehicles
DE19716197A1 (en) * 1997-04-18 1998-10-22 Itt Mfg Enterprises Inc Microprocessor system for safety-critical regulations
DE19717686A1 (en) * 1997-04-28 1998-10-29 Itt Mfg Enterprises Inc Circuit arrangement for a motor vehicle control system
DE19723831A1 (en) * 1997-06-06 1998-12-10 Eberspaecher J Gmbh & Co Diagnostic device for checking a subsystem of a motor vehicle
DE19742988C1 (en) * 1997-09-29 1999-01-28 Siemens Ag Braking system for motor vehicle
US6002970A (en) * 1997-10-15 1999-12-14 International Business Machines Corp. Method and apparatus for interface dual modular redundancy
JP2001523618A (en) * 1997-11-22 2001-11-27 コンティネンタル・テーベス・アクチエンゲゼルシヤフト・ウント・コンパニー・オッフェネ・ハンデルスゲゼルシヤフト Electromechanical brake device
DE19829126A1 (en) * 1997-11-22 1999-05-27 Itt Mfg Enterprises Inc Electromechanical braking system for cars
DE19800311A1 (en) * 1998-01-07 1999-07-08 Itt Mfg Enterprises Inc Electronic, digital device
DE19807124A1 (en) * 1998-02-20 1999-09-02 Bosch Gmbh Robert Method and device for triggering a restraint system
DE19813923A1 (en) * 1998-03-28 1999-10-14 Telefunken Microelectron Method for data transmission in a restraint system networked via a bus line
DE19826131A1 (en) * 1998-06-12 1999-12-16 Bosch Gmbh Robert Electrical braking system for a motor vehicle has optimised operating reliability and availability
DE69922239T2 (en) * 1998-10-21 2005-12-15 Deka Products Ltd. Partnership Fail-operational control structure for a wheelchair
DE19933086B4 (en) * 1999-07-15 2008-11-20 Robert Bosch Gmbh Method and device for mutual monitoring of control units
JP3804746B2 (en) * 1999-08-23 2006-08-02 アイシン・エィ・ダブリュ株式会社 Navigation device and storage medium recording the program
DE19946073A1 (en) * 1999-09-25 2001-05-10 Volkswagen Ag System for controlling vehicle components according to the "Drive By Wire" principle
JP4157677B2 (en) * 1999-10-06 2008-10-01 タカタ株式会社 Occupant restraint protection device
WO2001044778A1 (en) * 1999-12-15 2001-06-21 Delphi Technologies, Inc. Electric caliper hardware topologies for a safety system
DE10000550B4 (en) * 2000-01-08 2005-09-15 Bayerische Motoren Werke Ag Device for detecting flashovers in a vehicle
US6302439B1 (en) * 2000-02-01 2001-10-16 Trw Inc. Distributed occupant protection system and method with cooperative central and distributed protection module actuation control
WO2001074625A1 (en) * 2000-04-03 2001-10-11 Siemens Vdo Automotive Corporation Safing method for a vehicle occupant protection safety system
US6687585B1 (en) * 2000-11-09 2004-02-03 The Ohio State University Fault detection and isolation system and method
US6559557B2 (en) * 2000-12-20 2003-05-06 Delphi Technologies, Inc. Error detection circuit for an airbag deployment control system
US6548969B2 (en) * 2000-12-29 2003-04-15 Delphi Technologies, Inc. Redundant steer-by-wire system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO02074596A1 *

Also Published As

Publication number Publication date
WO2002074596A1 (en) 2002-09-26
CN1253333C (en) 2006-04-26
RU2284929C2 (en) 2006-10-10
CN1458889A (en) 2003-11-26
US20040011579A1 (en) 2004-01-22
JP2004518578A (en) 2004-06-24
DE10291055D2 (en) 2004-04-15
DE10211278A1 (en) 2002-10-24

Similar Documents

Publication Publication Date Title
EP1401690A1 (en) Method for actuating a component of a distributed security system
EP2641176B1 (en) Microprocessor system with fault-tolerant architecture
EP2630012B1 (en) Fault-secure parking brake for motor vehicles
EP2183136B1 (en) Brake system for a vehicle and a method for the operation of a brake system for a vehicle
WO2005036285A1 (en) Integrated microprocessor system for safety-critical regulations
DE19937159B4 (en) Electrically controlled braking system
DE102012101006A1 (en) Electromechanical power steering apparatus for motor car, has electrically driven actuator whose executing units are connected with power electronic units
WO2009013193A1 (en) Parking brake system and method for operating such a system
WO2021175385A1 (en) Braking system with redundant parking brake actuation
DE102008009652A1 (en) Monitoring device and monitoring method for a sensor, and sensor
EP1615087B1 (en) Control and regulation unit
DE3139067C2 (en) Electrical device for triggering switching functions in motor vehicles
WO2002075464A1 (en) Method for operating a distributed safety-relevant system
DE102004041672B4 (en) Emergency braking device and braking system for a rail vehicle and method for ensuring an emergency braking function in rail vehicles
DE102020205848A1 (en) Method and device for operating a parking brake system
DE102013021231A1 (en) Method for operating an assistance system of a vehicle and vehicle control unit
DE102011087063A1 (en) Control computer system for controlling e.g. brake system of motor vehicle, has switching-off signal masking module arranged in path between emergency module and module to mask switching-off signal and integrated into circuit on substrate
DE102007046731B4 (en) Method for controlling an actuator in a motor vehicle
DE102006045153A1 (en) System and method for distributing and executing program code in a controller network
EP1248965B1 (en) Method for preventing malfunctions in a signal processing system, and a processor system
DE102015119611B4 (en) Improving the diagnosability of fail-operational systems
DE102022203852A1 (en) Parking brake device for a motor vehicle
DE102018220059A1 (en) Sensor arrangement for a vehicle system, operating method for such a sensor arrangement and corresponding brake system for a vehicle
WO2022263416A1 (en) Control system for at least one receiving device in safety-critical applications
DE10023555A1 (en) Procedure for controlling electrically operable brake installation, especially handbrake installation, for cars has release signal monitored in such way that operation of brake device takes place only with release signal present

Legal Events

Date Code Title Description
PUAI Public reference made under Article 153(3) EPC to a published international application that has entered the European phase (free format text: ORIGINAL CODE: 0009012)
2003-10-15 17P Request for examination filed
AK Designated contracting states (kind code of ref document: A1; designated states: AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE TR)
AX Request for extension of the European patent (extension states: AL LT LV MK RO SI)
2009-07-07 17Q First examination report despatched
STAA Information on the status of an EP patent application or granted EP patent (free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN)
2014-10-01 18D Application deemed to be withdrawn