EP3571593A1 - Redundant processor architecture (Redundante Prozessorarchitektur) - Google Patents

Redundant processor architecture

Info

Publication number
EP3571593A1
Authority
EP
European Patent Office
Prior art keywords
core
processor
procedure
result
execution
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP17825518.8A
Other languages
German (de)
English (en)
French (fr)
Inventor
Bülent Sari
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZF Friedrichshafen AG
Original Assignee
ZF Friedrichshafen AG
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16 Error detection or correction of the data by redundancy in hardware
    • G06F11/1629 Error detection by comparing the output of redundant processing systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16 Error detection or correction of the data by redundancy in hardware
    • G06F11/18 Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits
    • G06F11/181 Eliminating the failing redundant component
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/0703 Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
    • G06F11/0706 Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation the processing taking place on a specific hardware platform or in a specific software environment
    • G06F11/0721 Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation the processing taking place on a specific hardware platform or in a specific software environment within a central processing unit [CPU]
    • G06F11/0724 Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation the processing taking place on a specific hardware platform or in a specific software environment within a central processing unit [CPU] in a multiprocessor or a multi-core unit
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/0703 Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
    • G06F11/0751 Error or fault detection not based on redundancy
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/0703 Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
    • G06F11/0793 Remedial or corrective actions
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16 Error detection or correction of the data by redundancy in hardware
    • G06F11/1629 Error detection by comparing the output of redundant processing systems
    • G06F11/1641 Error detection by comparing the output of redundant processing systems where the comparison is not performed by the redundant processing components
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16 Error detection or correction of the data by redundancy in hardware
    • G06F11/1629 Error detection by comparing the output of redundant processing systems
    • G06F11/165 Error detection by comparing the output of redundant processing systems with continued operation after detection of the error
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16 Error detection or correction of the data by redundancy in hardware
    • G06F11/18 Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits
    • G06F11/183 Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits by voting, the voting not being performed by the redundant components
    • G06F11/184 Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits by voting, the voting not being performed by the redundant components where the redundant components implement processing functionality

Definitions

  • The invention relates to an arrangement according to the preamble of claim 1 and a method according to claim 10.
  • Prior art multi-processor architectures are limited in their ability to meet future requirements imposed by autonomous vehicles. In particular, it is difficult to meet the requirements of the ISO 26262-1 standard if ASIL-D specifications are to be implemented.
  • The object of the invention is to provide a fault-tolerant system that avoids the disadvantages inherent in the solutions known from the prior art. In particular, the availability of the system should be increased.
  • The arrangement comprises a first processor and a second processor.
  • A processor is an electronic circuit that is configured to read and execute one or more instructions, that is, a procedure.
  • A processor may include parts that are each capable of executing one or more instructions. These parts are called cores.
  • The first processor has a first core, a second core, and a control entity.
  • The second processor has a first core.
  • The first core and the second core of the first processor and the first core of the second processor are configured to execute a first procedure. This means that the first procedure can be performed in triplicate: on the first core and the second core of the first processor as well as on the first core of the second processor.
  • A control entity may be formed as a separate core or implemented in one of said cores. It is defined as a means of performing steps to compare results.
  • The control entity of the first processor is designed to carry out the following steps:
  • A deviation between the results of executing the first procedure on the first core and on the second core of the first processor is detected by comparing the result of executing the first procedure on the first core of the first processor with the result of executing the first procedure on the second core of the first processor.
  • The step of comparing the result of executing the first procedure on the first core of the first processor, or on the second core of the first processor, with the result of executing the first procedure on the first core of the second processor implies in each case that the first procedure is executed on the first core of the second processor.
  • The result of executing a procedure is generally any value that correlates with the execution of the procedure.
  • It may be the output value of a function if the procedure is a function.
  • The invention provides triple redundancy in the execution of the first procedure. If one of the three named cores executing the first procedure fails or is faulty, two further cores remain available for redundant execution. A shutdown of the entire system is not required.
  • The first core of the first processor is deactivated when the results of executing the first procedure on the first core and on the second core of the first processor differ and the result of executing the first procedure on the second core of the first processor matches the result of executing the first procedure on the first core of the second processor.
  • The second core of the first processor is deactivated when the results of executing the first procedure on the first core and on the second core of the first processor differ and the result of executing the first procedure on the first core of the first processor matches the result of executing the first procedure on the first core of the second processor.
  • A deviation between the results of executing the first procedure on the first core and on the second core of the first processor indicates that the first core or the second core of the first processor has an error.
  • The defective core of the first processor can be identified and deactivated accordingly.
  • In a preferred development, a second sensor is part of the arrangement. At least one signal from the first sensor is routed to both the first core of the first processor and the first core of the second processor. Accordingly, at least one signal of the second sensor is routed to the second core of the first processor and to the first core of the second processor.
  • The signals preferably serve as input data of the first procedure executed on the respective processor. If the first core of the first processor or the second core of the first processor is deactivated due to an error, the corresponding sensor signal is, according to this development, available to the first core of the second processor. This allows the first core of the second processor to take over the tasks of the disabled processor core.
  • The first sensor and the second sensor are redundant. This means that the first sensor and the second sensor are designed to measure the same physical quantity.
  • The arrangement is preferably developed symmetrically.
  • The first processor and the second processor have the same structure.
  • The first processor and the second processor each have a first core, a second core, a third core, and a control entity.
  • The second core and the third core of the second processor and the third core of the first processor are configured to execute a second procedure.
  • The control entity of the second processor is designed, analogously to the control entity of the first processor, to carry out the following steps:
  • The second core of the second processor is deactivated if the results of executing the second procedure on the second core and on the third core of the second processor differ from each other and the result of executing the second procedure on the third core of the second processor matches the result of executing the second procedure on the third core of the first processor. If the results of executing the second procedure on the second core and on the third core of the second processor differ and the result of executing the second procedure on the second core of the second processor and the result of executing the second procedure on the third core of the first processor match.
  • The second processor receives input signals from a third sensor and a fourth sensor. At least one signal from the third sensor is routed to the second core of the second processor and to the third core of the first processor. Accordingly, at least one signal of the fourth sensor is routed to the third core of the second processor and to the third core of the first processor.
  • The third sensor and the fourth sensor are designed to be redundant in a preferred embodiment.
  • According to this development, the third sensor and the fourth sensor thus measure the same physical quantity.
  • The arrangement is preferably developed as part of a vehicle, for example a motor vehicle.
  • The first processor may be developed as part of a transmission control unit and the second processor for controlling power electronics.
  • A vehicle with the arrangement according to the invention enables a reliable implementation of functions for driver assistance systems or for autonomous driving.
  • A method according to the invention provides for the following steps to be carried out using the arrangement according to the invention or a preferred development:
  • This method is preferably developed further with method steps which, as described above, can be carried out by preferred developments of the arrangement according to the invention.
  • FIG. 1 shows a processor architecture.
  • A multiprocessor system 101 according to FIG. 1 has a first processor 103 and a second processor 105. Both processors 103, 105 have multiple cores. Thus, the first processor 103 has a first core 107, a second core 109, a third core 111 and a control entity 113. Correspondingly, the second processor 105 has a first core 115, a second core 117, a third core 119 and a control entity 121.
  • A first sensor signal 123 is applied to the first core 107 of the first processor 103 and to the first core 115 of the second processor 105.
  • A second sensor signal 125 is applied to the second core 109 of the first processor 103 and to the first core 115 of the second processor 105.
  • The first sensor signal 123 and the second sensor signal 125 are based on a redundant measurement of a single physical quantity by means of two different sensors.
  • Analogously, a third sensor signal 127 is applied to the second core 117 of the second processor 105 and to the third core 111 of the first processor 103.
  • A fourth sensor signal 129, redundant to the third, is applied to the third core 119 of the second processor 105 and to the third core 111 of the first processor 103. Two redundant sensors measuring the same physical quantity provide the third sensor signal 127 and the fourth sensor signal 129.
  • The first core 107 and the second core 109 of the first processor 103 and the first core 115 of the second processor 105 serve to execute a first procedure with triple redundancy.
  • The control entity 113 of the first processor 103 monitors the execution of the first procedure by the first core 107 and the second core 109 of the first processor 103 and compares their results.
  • The control entity 113 of the first processor 103 additionally draws on the first core 115 of the second processor 105 to determine whether the first core 107 or the second core 109 of the first processor 103 is malfunctioning. The faulty core 107, 109 is deactivated. After that, double redundancy for executing the first procedure still remains.
  • The execution of the second procedure by the second core 117 and the third core 119 of the second processor 105 and by the third core 111 of the first processor 103 is analogous to the execution of the first procedure described above.
  • A first watchdog 131 is provided for monitoring the first processor 103. Accordingly, the second processor 105 is monitored by a second watchdog 133.
  • With the watchdogs 131, 133 it is possible to intercept the total failure of a single processor 103, 105.
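
The comparison and deactivation steps described above for the first procedure, written out in C as an added example (it is not code from the patent or from the applicant). The type and function names, the stand-in procedure, the bit-flip fault, the sensor samples, exact equality as the match criterion and the withholding of output when a deviation cannot be resolved are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Cores that run the first procedure, named after the numerals in FIG. 1. */
enum core_id { CORE_107, CORE_109, CORE_115, CORE_COUNT };
enum verdict { V_OK, V_DEACTIVATED_107, V_DEACTIVATED_109, V_UNRESOLVED };

typedef int32_t (*core_fn)(int32_t input);

struct arrangement {
    core_fn run[CORE_COUNT];   /* the procedure as executed by each core */
    bool active[CORE_COUNT];   /* false once the control entity deactivates a core */
};

/* Constructed stand-ins: a healthy core and one with a flipped result bit. */
static int32_t healthy(int32_t x) { return x * 3 + 7; }
static int32_t bitflip(int32_t x) { return healthy(x) ^ 0x10; }

/* One cycle of control entity 113. s123 feeds core 107, s125 feeds core 109,
 * core 115 receives both. Assumption: "match" means exact equality. */
enum verdict control_step(struct arrangement *a, int32_t s123, int32_t s125,
                          int32_t *out)
{
    if (a->active[CORE_107] && a->active[CORE_109]) {
        int32_t r107 = a->run[CORE_107](s123);
        int32_t r109 = a->run[CORE_109](s125);
        if (r107 == r109) { *out = r107; return V_OK; }

        /* Deviation: draw on core 115 of the second processor to localise it. */
        int32_t r115 = a->run[CORE_115](s123);
        if (r109 == r115) {
            a->active[CORE_107] = false;
            *out = r109;
            return V_DEACTIVATED_107;
        }
        if (r107 == r115) {
            a->active[CORE_109] = false;
            *out = r107;
            return V_DEACTIVATED_109;
        }
        return V_UNRESOLVED;   /* assumption: all three differ, release nothing */
    }
    /* Double redundancy: core 115 takes over with the disabled core's signal. */
    bool lost107 = !a->active[CORE_107];
    int32_t survivor = lost107 ? a->run[CORE_109](s125) : a->run[CORE_107](s123);
    int32_t r115 = a->run[CORE_115](lost107 ? s123 : s125);
    if (survivor != r115) return V_UNRESOLVED;
    *out = survivor;
    return V_OK;
}

struct outcome { enum verdict first, second; int32_t value; };

/* Two cycles with one core made faulty (CORE_COUNT means no fault). */
struct outcome run_scenario(enum core_id faulty)
{
    struct arrangement a = { { healthy, healthy, healthy }, { true, true, true } };
    struct outcome o = { V_OK, V_OK, 0 };
    if (faulty < CORE_COUNT) a.run[faulty] = bitflip;
    o.first = control_step(&a, 40, 40, &o.value);   /* constructed sensor samples */
    o.second = control_step(&a, 41, 41, &o.value);
    return o;
}

int main(void)
{
    static const char *names[] = { "ok", "deactivated 107", "deactivated 109", "unresolved" };
    for (int f = CORE_107; f <= CORE_COUNT; f++) {
        struct outcome o = run_scenario((enum core_id)f);
        printf("fault=%d first=%s second=%s value=%d\n",
               f, names[o.first], names[o.second], (int)o.value);
    }
    return 0;
}
```

In the scenario with the fault placed in core 115, both cycles return V_OK: as described, the control entity only draws on core 115 when cores 107 and 109 disagree.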

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Hardware Redundancy (AREA)
EP17825518.8A 2017-01-23 2017-12-21 Redundante prozessorarchitektur Withdrawn EP3571593A1 (de)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102017201032.0A DE102017201032A1 (de) 2017-01-23 2017-01-23 Redundante Prozessorarchitektur
PCT/EP2017/083986 WO2018134023A1 (de) 2017-01-23 2017-12-21 Redundante prozessorarchitektur

Publications (1)

Publication Number Publication Date
EP3571593A1 (de) 2019-11-27

Family

ID=60935841

Family Applications (1)

Application Number Title Priority Date Filing Date
EP17825518.8A Withdrawn EP3571593A1 (de) 2017-01-23 2017-12-21 Redundante prozessorarchitektur

Country Status (6)

Country Link
US (1) US11281547B2 (zh)
EP (1) EP3571593A1 (zh)
JP (1) JP2020506472A (zh)
CN (1) CN110192185B (zh)
DE (1) DE102017201032A1 (zh)
WO (1) WO2018134023A1 (zh)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102017201032A1 (de) 2017-01-23 2018-05-03 Zf Friedrichshafen Ag Redundante Prozessorarchitektur
US11106205B2 (en) * 2018-09-18 2021-08-31 Raytheon Technologies Corporation Vehicle control with functional redundancy
US11422962B2 (en) 2019-12-09 2022-08-23 Thales Canada Inc. Method and system for high integrity can bus traffic supervision in safety critical application
US11697433B2 (en) * 2020-03-31 2023-07-11 Uatc, Llc Autonomous vehicle computing system compute architecture for assured processing
CN114043997B (zh) * 2022-01-13 2022-04-12 禾美(浙江)汽车股份有限公司 一种基于高灵敏传感器自动驾驶智能决策方法

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE19631309A1 (de) 1996-08-02 1998-02-05 Teves Gmbh Alfred Mikroprozessoranordnung für ein Fahrzeug-Regelungssystem
US6687791B2 (en) * 2002-01-07 2004-02-03 Sun Microsystems, Inc. Shared cache for data integrity operations
KR101017444B1 (ko) * 2004-10-25 2011-02-25 로베르트 보쉬 게엠베하 적어도 2개의 처리 유닛들을 갖는 컴퓨터 시스템에서 모드전환 및 신호 비교를 위한 방법 및 장치
US7953536B2 (en) * 2005-07-29 2011-05-31 GM Global Technology Operations LLC Inertial sensor software architecture security method
US7272681B2 (en) * 2005-08-05 2007-09-18 Raytheon Company System having parallel data processors which generate redundant effector date to detect errors
US7941698B1 (en) * 2008-04-30 2011-05-10 Hewlett-Packard Development Company, L.P. Selective availability in processor systems
JP4709268B2 (ja) * 2008-11-28 2011-06-22 日立オートモティブシステムズ株式会社 車両制御用マルチコアシステムまたは内燃機関の制御装置
US7877627B1 (en) * 2008-12-18 2011-01-25 Supercon, L.L.C. Multiple redundant computer system combining fault diagnostics and majority voting with dissimilar redundancy technology
DE102011086530A1 (de) * 2010-11-19 2012-05-24 Continental Teves Ag & Co. Ohg Mikroprozessorsystem mit fehlertoleranter Architektur
WO2014207893A1 (ja) * 2013-06-28 2014-12-31 株式会社日立製作所 演算回路及び計算機
DE102017201032A1 (de) 2017-01-23 2018-05-03 Zf Friedrichshafen Ag Redundante Prozessorarchitektur

Also Published As

Publication number Publication date
CN110192185B (zh) 2023-06-23
DE102017201032A1 (de) 2018-05-03
JP2020506472A (ja) 2020-02-27
US11281547B2 (en) 2022-03-22
US20190361764A1 (en) 2019-11-28
CN110192185A (zh) 2019-08-30
WO2018134023A1 (de) 2018-07-26

Similar Documents

Publication Publication Date Title
WO2018134023A1 (de) Redundante prozessorarchitektur
EP1092177B1 (de) Regler bzw. triebwerksregler, triebwerk und verfahren zum regeln eines stell- oder antriebssystems bzw. eines triebwerks
EP3642716A1 (de) Vorrichtung und verfahren zur ansteuerung eines fahrzeugmoduls in abhängigkeit eines zustandssignals
WO2011117155A1 (de) Redundante zwei-prozessor-steuerung und steuerungsverfahren
WO2011120490A1 (de) Computersystem und verfahren zum vergleichen von ausgangssignalen
DE102015110958A1 (de) Ausfallverwaltung in einem Fahrzeug
DE102016107015A1 (de) Architektur für eine skalierbare Störungstoleranz in Systemen mit integrierter Ruhigstellung bei Ausfall und Funktionsfähigkeit bei Ausfall
DE102013113296A1 (de) Redundante Rechenarchitektur
EP1615087A2 (de) Steuer- und Regeleinheit
EP2902905B1 (de) Verfahren zur Überprüfung der Abarbeitung von Software
DE102011007467A1 (de) Mehrkernige integrierte Mikroprozessorschaltung mit Prüfeinrichtung, Prüfverfahren und Verwendung
DE102013021231A1 (de) Verfahren zum Betrieb eines Assistenzsystems eines Fahrzeugs und Fahrzeugsteuergerät
EP3557356A1 (de) Verfahren und automatisierungssystem zum sicheren automatischen betrieb einer maschine oder eines fahrzeugs
EP2182331A1 (de) Auslagerung einer Komponente mit Auswirkung auf die Sicherheitsfunktion aus dem sicherheitsrelevanten Bereich
DE102019219870A1 (de) Integritätsüberwachung einer Recheneinheit
DE112019007286T5 (de) Fahrzeuginterne steuerungsvorrichtung und fahrzeuginternes steuerungssystem
WO2011113405A1 (de) Steuergeräteanordnung
DE102017110154B4 (de) Verfahren zur ISO 26262 konformen Überwachung der Versorgungsspannung VCC eines integrierten Sensorschaltkreises einer Fußgängeraufpralldämpfungsvorrichtung
DE102017110155B4 (de) Verfahren zur ISO 26262 konformen Überwachung der Versorgungsspannung VCC eines integrierten Sensorschaltkreises eines Sicherheitssystems
DE102019218074B4 (de) Steuerung eines Fahrerassistenzsystems eines Kraftfahrzeugs
DE10220811B4 (de) Verfahren und Vorrichtung zur Überwachung der Funktionsweise eines Systems
DE112017000868B4 (de) Elektronische Steuervorrichtung
DE102022207018A1 (de) Verfahren zum Fehlermanagement, Computerprogrammprodukt sowie Fahrzeug
DE102017110152B4 (de) Verfahren zur ISO 26262 konformen Überwachung der Versorgungsspannung VCC eines integrierten Sensorschaltkreises innerhalb eines Sensorsystems mit einem Mikrorechner
DE102015111430B4 (de) Handhabung gleichzeitiger Störmeldungen bei redundanten Servoantrieben

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: UNKNOWN

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20190711

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20210701