EP1401690A1 - Method for controlling a component of a distributed safety-relevant system
- Publication number
- EP1401690A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- microcomputer
- component
- akt
- signal
- control signal
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/16—Error detection or correction of the data by redundancy in hardware
- G06F11/1629—Error detection by comparing the output of redundant processing systems
- G06F11/1637—Error detection by comparing the output of redundant processing systems using additional compare functionality in one or some but not all of the redundant processing components
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60T—VEHICLE BRAKE CONTROL SYSTEMS OR PARTS THEREOF; BRAKE CONTROL SYSTEMS OR PARTS THEREOF, IN GENERAL; ARRANGEMENT OF BRAKING ELEMENTS ON VEHICLES IN GENERAL; PORTABLE DEVICES FOR PREVENTING UNWANTED MOVEMENT OF VEHICLES; VEHICLE MODIFICATIONS TO FACILITATE COOLING OF BRAKES
- B60T13/00—Transmitting braking action from initiating means to ultimate brake actuator with power assistance or drive; Brake systems incorporating such transmitting means, e.g. air-pressure brake systems
- B60T13/74—Transmitting braking action from initiating means to ultimate brake actuator with power assistance or drive; Brake systems incorporating such transmitting means, e.g. air-pressure brake systems with electrical assistance or drive
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60T—VEHICLE BRAKE CONTROL SYSTEMS OR PARTS THEREOF; BRAKE CONTROL SYSTEMS OR PARTS THEREOF, IN GENERAL; ARRANGEMENT OF BRAKING ELEMENTS ON VEHICLES IN GENERAL; PORTABLE DEVICES FOR PREVENTING UNWANTED MOVEMENT OF VEHICLES; VEHICLE MODIFICATIONS TO FACILITATE COOLING OF BRAKES
- B60T13/00—Transmitting braking action from initiating means to ultimate brake actuator with power assistance or drive; Brake systems incorporating such transmitting means, e.g. air-pressure brake systems
- B60T13/74—Transmitting braking action from initiating means to ultimate brake actuator with power assistance or drive; Brake systems incorporating such transmitting means, e.g. air-pressure brake systems with electrical assistance or drive
- B60T13/741—Transmitting braking action from initiating means to ultimate brake actuator with power assistance or drive; Brake systems incorporating such transmitting means, e.g. air-pressure brake systems with electrical assistance or drive acting on an ultimate actuator
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60T—VEHICLE BRAKE CONTROL SYSTEMS OR PARTS THEREOF; BRAKE CONTROL SYSTEMS OR PARTS THEREOF, IN GENERAL; ARRANGEMENT OF BRAKING ELEMENTS ON VEHICLES IN GENERAL; PORTABLE DEVICES FOR PREVENTING UNWANTED MOVEMENT OF VEHICLES; VEHICLE MODIFICATIONS TO FACILITATE COOLING OF BRAKES
- B60T7/00—Brake-action initiating means
- B60T7/02—Brake-action initiating means for personal initiation
- B60T7/04—Brake-action initiating means for personal initiation foot actuated
- B60T7/042—Brake-action initiating means for personal initiation foot actuated by electrical means, e.g. using travel or force sensors
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60T—VEHICLE BRAKE CONTROL SYSTEMS OR PARTS THEREOF; BRAKE CONTROL SYSTEMS OR PARTS THEREOF, IN GENERAL; ARRANGEMENT OF BRAKING ELEMENTS ON VEHICLES IN GENERAL; PORTABLE DEVICES FOR PREVENTING UNWANTED MOVEMENT OF VEHICLES; VEHICLE MODIFICATIONS TO FACILITATE COOLING OF BRAKES
- B60T8/00—Arrangements for adjusting wheel-braking force to meet varying vehicular or ground-surface conditions, e.g. limiting or varying distribution of braking force
- B60T8/32—Arrangements for adjusting wheel-braking force to meet varying vehicular or ground-surface conditions, e.g. limiting or varying distribution of braking force responsive to a speed condition, e.g. acceleration or deceleration
- B60T8/88—Arrangements for adjusting wheel-braking force to meet varying vehicular or ground-surface conditions, e.g. limiting or varying distribution of braking force responsive to a speed condition, e.g. acceleration or deceleration with failure responsive means, i.e. means for detecting and indicating faulty operation of the speed responsive control means
- B60T8/885—Arrangements for adjusting wheel-braking force to meet varying vehicular or ground-surface conditions, e.g. limiting or varying distribution of braking force responsive to a speed condition, e.g. acceleration or deceleration with failure responsive means, i.e. means for detecting and indicating faulty operation of the speed responsive control means using electrical circuitry
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B9/00—Safety arrangements
- G05B9/02—Safety arrangements electric
- G05B9/03—Safety arrangements electric with multiple-channel loop, i.e. redundant control systems
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60G—VEHICLE SUSPENSION ARRANGEMENTS
- B60G2600/00—Indexing codes relating to particular elements, systems or processes used on suspension systems or suspension control systems
- B60G2600/04—Means for informing, instructing or displaying
- B60G2600/042—Monitoring means
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60G—VEHICLE SUSPENSION ARRANGEMENTS
- B60G2600/00—Indexing codes relating to particular elements, systems or processes used on suspension systems or suspension control systems
- B60G2600/08—Failure or malfunction detecting means
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60G—VEHICLE SUSPENSION ARRANGEMENTS
- B60G2800/00—Indexing codes relating to the type of movement or to the condition of the vehicle and to the end result to be achieved by the control action
- B60G2800/80—Detection or control after a system or component failure
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60T—VEHICLE BRAKE CONTROL SYSTEMS OR PARTS THEREOF; BRAKE CONTROL SYSTEMS OR PARTS THEREOF, IN GENERAL; ARRANGEMENT OF BRAKING ELEMENTS ON VEHICLES IN GENERAL; PORTABLE DEVICES FOR PREVENTING UNWANTED MOVEMENT OF VEHICLES; VEHICLE MODIFICATIONS TO FACILITATE COOLING OF BRAKES
- B60T2270/00—Further aspects of brake control systems not otherwise provided for
- B60T2270/40—Failsafe aspects of brake control systems
- B60T2270/404—Brake-by-wire or X-by-wire failsafe
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60T—VEHICLE BRAKE CONTROL SYSTEMS OR PARTS THEREOF; BRAKE CONTROL SYSTEMS OR PARTS THEREOF, IN GENERAL; ARRANGEMENT OF BRAKING ELEMENTS ON VEHICLES IN GENERAL; PORTABLE DEVICES FOR PREVENTING UNWANTED MOVEMENT OF VEHICLES; VEHICLE MODIFICATIONS TO FACILITATE COOLING OF BRAKES
- B60T2270/00—Further aspects of brake control systems not otherwise provided for
- B60T2270/82—Brake-by-Wire, EHB
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60W—CONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
- B60W50/00—Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
- B60W2050/0001—Details of the control system
- B60W2050/0002—Automatic control, details of type of controller or control system architecture
- B60W2050/0004—In digital systems, e.g. discrete-time systems involving sampling
- B60W2050/0005—Processor details or data handling, e.g. memory registers or chip architecture
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60W—CONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
- B60W50/00—Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
- B60W2050/0001—Details of the control system
- B60W2050/0043—Signal treatments, identification of variables or parameters, parameter estimation or state estimation
- B60W2050/0044—In digital systems
- B60W2050/0045—In digital systems using databus protocols
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60W—CONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
- B60W50/00—Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
- B60W50/02—Ensuring safety in case of control system failures, e.g. by diagnosing, circumventing or fixing failures
- B60W50/0205—Diagnosing or detecting failures; Failure detection models
- B60W2050/021—Means for detecting failure or malfunction
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60W—CONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
- B60W50/00—Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
- B60W50/02—Ensuring safety in case of control system failures, e.g. by diagnosing, circumventing or fixing failures
- B60W50/029—Adapting to failures or work around with other constraints, e.g. circumvention by avoiding use of failed parts
- B60W2050/0292—Fail-safe or redundant systems, e.g. limp-home or backup systems
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60W—CONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
- B60W50/00—Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
- B60W50/04—Monitoring the functioning of the control system
- B60W2050/041—Built in Test Equipment [BITE]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/16—Error detection or correction of the data by redundancy in hardware
- G06F11/18—Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/16—Error detection or correction of the data by redundancy in hardware
- G06F11/18—Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits
- G06F11/182—Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits based on mutual exchange of the output between redundant processing components
Definitions
- the present invention relates to a method for controlling a component of a distributed safety-relevant system, in particular a component of an X-by-wire system in a motor vehicle.
- the component is provided by at least one first control module assigned to the component
- Microcomputer system controlled. The control of the component comprises the following steps:
- Monitoring unit independent of the microcomputer system is determined as a function of the at least one input signal; c) comparing the at least one drive signal to the at least one logical drive signal;
- the invention also relates to a computer program that can run on a microcomputer system of a control module.
- the control module is provided for controlling a component of a distributed safety-relevant system, in particular a component of an X-by-wire system in a motor vehicle.
- a method of the type mentioned is known, for example, from DE 198 26 131 A1.
- the distributed safety-related system is described as an electrical braking system of a motor vehicle.
- the components are designed as the brakes of the motor vehicle or more precisely as actuators for controlling the brakes.
- Such a system is to a high degree relevant to safety, since faulty control of the components, in particular faulty actuation of the brakes, can lead to an unforeseeable safety risk. For this reason, incorrect control of the components must be excluded with certainty.
- Essential features of the known brake system are a pedal module for the central driver request recording, four wheel modules for wheel-specific control of the brake actuators and a processing module for calculating higher-level brake functions. Communication between the individual modules can be achieved through one or more communication systems.
- In FIG. 2 of the present patent application, the internal structure of a wheel module with various logical levels is shown as an example.
- the logical level L1 includes at least the calculation of the control functions for the wheel brakes, while the logical levels L2 to L4 contain various functions for computer monitoring and function checking of L1.
- the control of the brakes or the electric motors for actuating the brake shoes comprises the following steps equally for each wheel module
- the input signals are made available to the microcomputer system (R_1A) via a communication system (K_1), for example a bus system.
- a logical control signal is at least partially determined by a monitoring device (R_1B) which is independent of the first microcomputer system (R_1A) as a function of the at least one input signal.
- the monitoring unit (R_1B) is used in particular to detect systematic (so-called common mode) errors. Faults in the power supply are an example of such faults.
- the monitoring unit (R_1B) is an independent one
- the monitoring unit (R_1B) can also be designed as a hardware module without its own processor, which, however, can perform specific logic functions or, if it has a register, even switching functions.
- a hardware module is, for example, an ASIC (Application-Specific Integrated Circuit), an FPGA (Field-Programmable Gate Array) or a monitoring circuit (so-called watchdog).
- a disadvantage of the prior art is that the logic level L4 is always implemented in a separate component, which — for example in wheel modules of an electrical braking system — within the distributed safety-relevant system must also be provided several times.
- the present invention is based on the object of simplifying the structure of a distributed safety-relevant system and at the same time at least maintaining the achievable safety when the components are released.
- the invention proposes, based on the method of the type mentioned at the outset, that the safety-relevant system has, in addition to the first microcomputer system, at least one further microcomputer system which is connected to the first microcomputer system for the purpose of data transmission, and that at least one of steps b) to d) is executed in at least one of the further microcomputer systems.
- a program code is processed on the microprocessor of the first microcomputer system in order to determine the control signal for the component as a function of the input signals.
- the program code is also processed on at least one of the other microcomputer systems in order to determine the logical control signal for the component as a function of the same input signals. The processing of the program code on the other microcomputer systems can be carried out, e.g., on the microprocessor or other suitable units (e.g.
- the input signals are made available to the further microcomputer systems, for example via a data bus, via which the microcomputer systems are connected to one another for the purpose of data transmission.
- the control signal determined by the first microcomputer system is compared with the logic control signals in order to determine whether the control signal is faulty or not. If all microcomputer systems have matching control signals or local signals
- the safety-relevant system have at least one further control module in addition to the first control module, the at least one further microcomputer system is part of the at least one further control module.
- the distributed safety-relevant system thus comprises a plurality of similar control modules in which the first microcomputer system and the further microcomputer systems are arranged.
- the control modules generally have similar tasks (for example, activating and releasing a wheel brake depending on the best input signals) and the program code for calculating the control signals in the microcomputer systems largely coincides. So if the other microcomputer systems of the other control modules take over the tasks of the monitoring unit, they do not have to have a separate program code available and, if necessary, executed to determine the logical control signals. Rather, the program code already available to the other microcomputer systems can be executed, albeit with the input signals of the first microcomputer system.
- An example of a distributed system on which the process according to this development can be realized is an electrical braking system which has almost identical wheel modules for all wheels of a motor vehicle. In this development, the redundancy that is often contained in distributed systems is used to reduce the effort required to safely control the components.
- step b) and step c) be carried out in at least one of the further microcomputer systems.
- the comparison between the control signal and the logical control signals is carried out in the at least one other microcomputer system.
- the control signal determined by the first microcomputer system must be transmitted to the at least one further microcomputer system, for example via a data bus that connects the two to one another.
- the first microcomputer system is advantageously connected to a physical bus system via a first communication controller, step b) being executed in at least one of the further microcomputer systems and step c) in the first communication controller.
- the comparison between the control signal and the logical control signals is carried out in the first communication controller, via which the first microcomputer system is connected to the bus system.
- Communication controllers of newer bus systems such as TTCAN (Time Triggered Controller Area Network), TTP/C (Time Triggered Protocol Class C according to SAE) or FlexRay do not simply serve as a "stupid" interface between the microcomputer system and the data bus, but carry out their own, sometimes quite complex, processing of the data to be transmitted.
- the at least one logic control signal must be transmitted from the at least one further microcomputer system to the communication controller, for example via a data bus that connects the two to one another.
- step d) is executed in at least one of the further microcomputer systems.
- at least one enable signal is determined in the further microcomputer systems as a function of the result of the comparison of the control signal and the logical control signal.
- the control signal determined in the first microcomputer system must be transmitted to the other microcomputer systems, for example via a data bus. It is then compared in the other microcomputer systems with the logical control signals determined there. The release signal is in turn transmitted to the first microcomputer system, for example via a data bus.
- the at least one control signal or at least one signal dependent thereon is then forwarded to the component to be controlled if the release signals determined in the further microcomputer systems have predeterminable values. For example, a simple comparison of the release signals or a majority decision can be made.
- Communication controller is running. This means that the logical control signals determined in the further microcomputer systems must be transmitted to the first communication controller, for example via a data bus.
- the implementation of the method according to the invention in the form of a computer program which is capable of running on a microcomputer system of a control module for controlling a component of a distributed safety-relevant system.
- the computer program is executable on a microprocessor of the microcomputer system and is suitable for executing the method according to the invention.
- the invention was thus implemented by a computer program, so that the computer program represents the invention in the same way as the method for the execution of which the computer program is suitable.
- the computer program be stored on a memory element, in particular on a flash memory.
- the computer program is transferred to the processor as a command or as a whole.
- the computer program in particular coordinates the data transmission between the various units of the distributed system in such a way that the method according to the invention can be implemented. Which data must be transmitted to which units depends in particular on the units in which steps b) to d) are carried out. However, the computer program also ensures in the various system units that the control signals and the logic control signals are determined and/or compared with one another.
- FIG. 1 shows a section of a distributed safety-relevant system for implementing a method according to the invention in accordance with a first preferred embodiment
- FIG. 2 shows a control module of a distributed safety-relevant system known from the prior art
- FIG. 3 shows a section of a distributed safety-relevant system for implementing a method according to the invention in accordance with a second preferred embodiment
- FIG. 4 shows a section of a distributed safety-relevant system for implementing a method according to the invention in accordance with a third preferred embodiment.
- the method according to the invention is explained in more detail below using an electrical braking system.
- the present invention is not limited to electrical braking systems, but rather can be used for any distributed safety-related systems.
- the present invention permits safe release of components of the safety-relevant system without the use of additional monitoring units. Rather, the tasks of the monitoring units are taken over by units of the safety-relevant system which are present in the system anyway.
- the braking system comprises a wheel module R_1, R_m for each vehicle wheel to be braked.
- Each wheel module R_1, R_m comprises a microcomputer system P_1, P_m and an enabling circuit FS_1, FS_m.
- the microcomputer systems P_1, P_m each include a microprocessor Pro_1, Pro_m and an intelligent communication controller S_1, S_m.
- the microprocessor Pro_1, Pro_m and the communication controller S_1, S_m of a microcomputer system P_1, P_m can be combined on a semiconductor module (so-called chip); however, they are always designed as separate, independent units.
- Each wheel module R_1, R_m is connected to a physical data bus K_1 via a communication controller S_1, S_m. Data are transmitted via the data bus, for example according to the TTCAN, TTP/C or FlexRay protocol.
- the wheel modules R_1, R_m each control an actuator Akt_1, Akt_m, which are designed, for example, as electric motors for actuating or releasing the wheel brakes.
- FIG. 1 shows the internal structure of two wheel modules and the signal flow running therein of a method according to the invention in accordance with a first preferred embodiment.
- the method is used to control the actuators Akt_1 of the electric braking system by the wheel module R_1 or by the microcomputer system P_1. When controlling the actuator Akt_1, it is important to prevent the actuator Akt_1 from being controlled with a faulty control signal of the microcomputer system P_1. This means that the control signal should only be forwarded to the actuator Akt_1 if it is sufficiently likely that it is error-free.
- Actuator Akt_1 therefore essentially comprises the following steps:
- the processor Pro_1 of the microcomputer system P_1 determines, by executing a program code C_1 as a function of at least one input signal E_1, at least one control signal A_11 for the actuator Akt_1.
- the input signals E_1 contain information about the actual state of the brake system and the motor vehicle and are transmitted to the first wheel module R_1 via the data bus K_1.
- A_1m. This presupposes that in addition to a program code C_m for determining the control signals A_ml for the actuators Akt_m, the program code C_1 must also be available to the processors Pro_m. In the present example with several identical wheel modules R_1, R_m, this means no or only minimal additional effort, since the program codes C_1, C_m running on the processors Pro_1, Pro_m are essentially the same. So the program code C_m that is available in the processors Pro_m anyway can be processed with the input signals E_1 in order to obtain the logical control signals A_1m. This simplification applies to all distributed systems with similar control modules.
- the input signals E_1 can be transmitted to the microcomputer systems P_m via the data bus K_1. If the microprocessors Pro_1, Pro_m are functioning correctly, the control signals A_11 and the logical control signals A_1m must be identical.
- the control signal A_11 is compared in the microprocessors Pro_m with the logical control signals A_1m previously determined there. For this purpose, the control signal A_11 must be transmitted to the microcomputer systems P_m via the data bus K_1.
- the microprocessors Pro_m generate status information SF_1m, which in turn is transmitted to the first microcomputer system P_1 via the data bus K_1.
- the status information consists, for example, of one or more bits. It is conceivable to include the status information SF_1m in the protocol of the data bus for transmission to the first microcomputer system P_1.
- the communication controller S_1 of the first microcomputer system P_1 evaluates the incoming status information SF_1m and generates an enable signal F_1 in the event of a corresponding status (i.e. when the correct functioning of the microprocessor Pro_1 is signaled).
- the status information SF_1m can be evaluated in different ways. For example, it can be a comparison, a logical (preferably an AND) link or a majority decision of the status information SF_1m.
- the at least one control signal A_11 or at least one signal dependent on it is forwarded to the actuator Akt_1 if the at least one enable signal F_1 has a predeterminable value.
- the enable circuit FS_1 is AND-linked to the control signal A_11. If that
- the functionality of the processor Pro_1 of the microcomputer system P_1 can be checked and a safe release of the actuators Akt_1 can be achieved.
- Processors Pro_1 mainly use the processors Pro_m of the other microcomputer systems P_m. In the same way, however, the method according to the invention can also be used to check the functionality of the processors Pro_m of the further microcomputer systems P_m and to safely release the actuators Akt_m. Then the other processors Pro_m (without the processor to be checked) and the processor Pro_1 of the first microcomputer system P_1 are used for the check.
- FIG. 3 shows the internal structure of two wheel modules and the signal flow within them for a method according to the invention in accordance with a second preferred embodiment. This method differs from the method shown in FIG. 1 in particular in that step c) is carried out in the communication controller S_1 of the first microcomputer system P_1.
- The logical control signals A_1m determined in the processors Pro_m of the further microcomputer systems P_m in step b) are transmitted to the first microcomputer system P_1 via the data bus K_1. There, the logical control signals A_1m are compared in the communication controller S_1 of the first microcomputer system P_1 with the at least one control signal A_11 (step c)). Depending on the result of the comparison, either status information SI_1m is determined in the communication controller S_1, from which the release signal F_1 is then determined, or the release signal F_1 is determined directly (step d)).
- FIG. 4 shows the internal structure of two wheel modules and the signal flow within them for a method according to the invention in accordance with a third preferred embodiment. This method differs from the methods shown in FIG. 1 and FIG. 3 in particular in that step d) is carried out in the release circuit FS_1 of the first wheel module R_1.
- In step c), a comparison is carried out in the microprocessors Pro_m of the further microcomputer systems R_m between the control signal A_11 and the logical control signals A_1m previously determined there.
- The microprocessors Pro_m generate status information SF_1m, which is transmitted via the data bus K_1 to the first microcomputer system P_1 and from there to the release circuit FS_1. The release circuit evaluates the status information SF_1m, SF_1x coming from all other microcomputer systems P_m and forwards the at least one control signal A_11, or at least one signal dependent thereon, to the actuator Akt_1 if the status information SF_1m, SF_1x has a corresponding status.
- Status information SI_1m can first be determined in the release circuit FS_1, from which the release signal F_1 is then determined.
- A so-called voting mechanism is used to evaluate the status information SF_1m, SF_1x in the release circuit FS_1. With only two control signals A_11, A_12, the voting mechanism is an AND operation of the two signals A_11 and SF_1m. If there are several control signals A_11, A_1m, the voting mechanism can be a majority decision.
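The voting step of the third embodiment can be sketched as follows. This is an added example, not code from the patent. The function names, the status encoding with its `SF_MISSING` state, the safe actuator value, and the choice to count A_11 itself as one vote in the majority are all assumptions of the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status information SF_1m from one monitoring system P_m.
 * The encoding and the MISSING state are assumptions of this example. */
typedef enum { SF_DISAGREE = 0, SF_AGREE = 1, SF_MISSING = 2 } sf_status_t;

#define AKT_SAFE_VALUE 0u   /* assumed de-energised actuator command */

/* Release signal F_1. P_1's own A_11 counts as one vote; each SF_AGREE
 * adds one. A strict majority of all voters is required, which for a
 * single monitor reduces to the AND of A_11 and SF_1m. Missing or
 * disagreeing status never counts in favour of release. */
bool fs1_release(const sf_status_t *sf, size_t n_monitors)
{
    if (sf == NULL || n_monitors == 0)
        return false;               /* no independent check: do not release */
    size_t votes = 1;               /* A_11 itself */
    for (size_t i = 0; i < n_monitors; i++)
        if (sf[i] == SF_AGREE)
            votes++;
    return 2 * votes > n_monitors + 1;
}

/* Release circuit FS_1: forward A_11 to Akt_1 only when released. */
bool fs1_gate(uint16_t a11, const sf_status_t *sf, size_t n_monitors,
              uint16_t *akt_out)
{
    bool released = fs1_release(sf, n_monitors);
    *akt_out = released ? a11 : AKT_SAFE_VALUE;
    return released;
}

int main(void)
{
    /* Constructed sample: three monitors, one of them silent. */
    sf_status_t sf[] = { SF_AGREE, SF_MISSING, SF_AGREE };
    uint16_t akt;
    bool ok = fs1_gate(1200, sf, 3, &akt);
    printf("released=%d akt=%u\n", ok, (unsigned)akt);
    return 0;
}
```

Treating a silent monitor as a vote against release keeps a bus fault or a crashed P_m from looking like agreement.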
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE10112909 | 2001-03-15 | ||
DE10112909 | 2001-03-15 | ||
PCT/DE2002/000918 WO2002074596A1 (de) | 2001-03-15 | 2002-03-14 | Verfahren zur ansteuerung einer komponente eines verteilten sicherheitsrelevanten systems |
Publications (1)
Publication Number | Publication Date |
---|---|
EP1401690A1 (de) | 2004-03-31 |
Family
ID=7677839
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP02729790A (Withdrawn; EP1401690A1 (de)) | 2001-03-15 | 2002-03-14 | Verfahren zur ansteuerung einer komponente eines verteilten sicherheitsrelevanten systems |
Country Status (7)
Country | Link |
---|---|
US (1) | US20040011579A1 (en) |
EP (1) | EP1401690A1 (de) |
JP (1) | JP2004518578A (ja) |
CN (1) | CN1253333C (zh) |
DE (2) | DE10291055D2 (de) |
RU (1) | RU2284929C2 (ru) |
WO (1) | WO2002074596A1 (de) |
2002
- 2002-03-14 DE DE10291055T patent/DE10291055D2/de not_active Expired - Lifetime
- 2002-03-14 CN CNB028007069A patent/CN1253333C/zh not_active Expired - Fee Related
- 2002-03-14 US US10/276,285 patent/US20040011579A1/en not_active Abandoned
- 2002-03-14 WO PCT/DE2002/000918 patent/WO2002074596A1/de active Application Filing
- 2002-03-14 JP JP2002573277A patent/JP2004518578A/ja active Pending
- 2002-03-14 DE DE10211278A patent/DE10211278A1/de not_active Withdrawn
- 2002-03-14 EP EP02729790A patent/EP1401690A1/de not_active Withdrawn
- 2002-03-14 RU RU2002133095/11A patent/RU2284929C2/ru not_active IP Right Cessation
Non-Patent Citations (1)
Title |
---|
See references of WO02074596A1 * |
Also Published As
Publication number | Publication date |
---|---|
RU2284929C2 (ru) | 2006-10-10 |
DE10211278A1 (de) | 2002-10-24 |
WO2002074596A1 (de) | 2002-09-26 |
US20040011579A1 (en) | 2004-01-22 |
DE10291055D2 (de) | 2004-04-15 |
CN1458889A (zh) | 2003-11-26 |
CN1253333C (zh) | 2006-04-26 |
JP2004518578A (ja) | 2004-06-24 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PUAI | Public reference made under article 153(3) EPC to a published international application that has entered the European phase | Free format text: ORIGINAL CODE: 0009012 |
| 17P | Request for examination filed | Effective date: 20031015 |
| AK | Designated contracting states | Kind code of ref document: A1; Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE TR |
| AX | Request for extension of the European patent | Extension state: AL LT LV MK RO SI |
| 17Q | First examination report despatched | Effective date: 20090707 |
| STAA | Information on the status of an EP patent application or granted EP patent | Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
| 18D | Application deemed to be withdrawn | Effective date: 20141001 |