FR3024625B1 - METHOD OF MANAGING A COOPERATING CONTROL DEVICE BY AN ETHERNET LINK WITH A DATA ENTRY UNIT - Google Patents

Abstract

A method of managing a control apparatus (11) connected via an Ethernet link (16) to at least one data acquisition unit. The control apparatus (11) exchanges data packets with a data acquisition unit by a transmitting component, and detecting an error initiating an error reaction for which all the packets of data in a memory of the transmitting component.

Description

Field of the invention

The present invention relates to a method of managing a control device communicating via an Ethernet link with a data acquisition unit. This method and the control device that it applies are used in particular in a motor vehicle.

State of the art

The control units are electronic units or modules used in technical installations to control or regulate the components and successions of operations in this technical installation. Controllers are used in many areas of motor vehicles. An example is the engine control or management device which controls and regulates the operation of the internal combustion engine providing the drive.

Characteristically, the control devices operate according to the reception-processing-transmission principle. Sensors or data entry facilities feed the reception. The emission resulting from the processing of the information or input data makes it possible to control the actuators.

For communications with sensors and actuators, it is necessary to communicate the control devices via connections such as for example bus connections to the sensors and actuators. An example of a bus link is the Ethernet bus link. Ethernet is a technique that defines programs and circuits for wired data networks.

Motor vehicles use Ethernet links to exchange data between control devices and sensors as well as actuators. These links, especially in security-critical applications must meet very strict requirements. Thus, it must be ensured that a vehicle control device with an Ethernet bus link for transmitting safety data is able to cut off this bus link if necessary and also to check the efficiency of the cutoff. of communication.

A vehicle control device with an Ethernet bus link for sending safety data must be able to switch off the communication as soon as possible in the event of a fault to go to the secure state called "degraded mode". A possible application of the control devices equipping the vehicles are the camera systems using the images of the external cameras for an autonomous vehicle, to calculate the steering movements and the moments. A variation of the image, for example produced by a person in front of the autonomous vehicle must be able to be detected correctly and the information must be able to be processed. If a calculation error should pass through the processing chain, the transmission of image data or other control signals relating to security must be interrupted. Only then can it be ensured that no erroneous, critical maneuver will be executed with fault signals.

The camera systems generally consist of several calculation units connected by a communication bus, for example an Ethernet-based bus with the vehicle, and this system must guarantee by technical means that the cutoff will be in the required reaction time. .

Description and advantages of the invention

In this context, the subject of the present invention is a method for managing a control device connected by an Ethernet link to at least one data acquisition unit, the control device exchanging data packets with an input unit. of data by a transmitting component, detecting an error initiating an error reaction for which first of all all the data packets which are in a memory of the transmitting component are erased.

It should be noted that for Ethernet-based communication, standard Ethernet components such as, for example, a switching component are often used to couple multiple participants or computing units. It has been found that a possibility to disconnect the Ethernet communication in the event of a fault is to put this switch in the reset state or to shut it down completely. This can be done very quickly but has the disadvantage of making impossible any communication, for example the reception of messages or the connection of a diagnostic tester.

A possible alternative is to reconfigure the switch to block only the sending of potentially erroneous information, but still allow the reception of data. However, this solution has the disadvantage that the reconfiguration related to the blocking of the inputs and outputs is longer and so it does not meet the requirement for the maximum fault response time.

The method according to the invention makes it possible to significantly shorten the error reaction time to block the outgoing messages and thus return more quickly to the secure state. For this purpose, it is planned to erase all the Ethernet packets which, at the moment when the fault reaction is launched and if necessary afterwards, are in the memory, for example in the output buffer of the transmitter component, by example a switch. As a memory in the transmitter component, for example a FIFO memory (first-in, first-out memory) is used.

Such erasure typically possible with a brief order can thus execute much faster than the transmission and activation of the new configuration. This results from the fact that the transmitter component is generally coupled by relatively slow service interfaces, for example the interface I2C or SPI with the central processing unit CPU for a configuration and that the processing and activation of a configuration in the same component, also requires more time. By deleting the Ethernet packets in the transmitter component, the transmission of the erroneous information is immediately canceled and for the duration of the reconfiguration and thus immediately reaches the secure state. At the same time, the drawbacks of a permanent complete disconnection of all communications, for example by the reset mode, are avoided.

There is thus a control apparatus for one or more computing units that perform security functions and communicate over a standard Ethernet communication bus. The secure state of degraded mode will be realized in it by the neutralization of the communication of one or more units in central position, for example the Ethernet switch.

The shutdown is usually done by a reconfiguration of the transmitter component. The reconfiguration can either completely shut off the direction of transmission to the outside, or selectively only select some ports to processor units (with default) by blocking them or selectively blocking only messages regarding the security of one or more units . The erasure of the output buffer is done in the event of a cut, for example by a separate order. Alternatively, the output buffer can also be "dumped" for example zeroed directly by changing the size of the buffer. Alternatively, changing the flow control rate when used in a refresh interval will completely empty the bucket memory to no longer allow data output.

Changing the rate of flow control is the ability to delay Ethernet packets to arrive at a certain traffic profile. In this way, the data rate is limited and the Ethernet packets are slowed down to arrive at coordination in the required time. The "pierced bucket" mode refers to an algorithm for adapting Ethernet packets to a data rate. In the case of a FIFO memory of size N and with a transmission rate R, it will be possible for example, by modifying the two parameters, to influence the data rate to send no packet, or to send it by delaying it strongly. Delaying the packets can also cause a time cut in the receiver.

Changing the flow regulation rate does not mean a correct erasure but a reduction in the transmission rate, which ultimately results in a time defect in the receiver. Thus, the rate is reduced to emit only very few packets, which produces the time cut in the receiver or reduces the size N of the FIFO memory so that it can receive very little information. The algorithm is such that anything that has been written beyond N will be rejected. This rejection corresponds to an erasure.

drawings

The present invention will be described in more detail below with the aid of examples of a management method of a control apparatus as well as a control apparatus thus managed shown in the accompanying drawings in which: FIG. 1 is the diagram of a device for the implementation of the method, Figure 2 shows an embodiment of an ethernet switching component, Figure 3 shows timing diagrams of the cut according to the state of the art, the figure 4 shows timing diagrams of the cut according to the method of the invention.

Description of Embodiments of the Invention

Figure 1 shows a device 10 having a controller 11 having a first computing unit 12 and a second computing unit 14 performing security functions. These units are connected by an Ethernet link 16, in this case by a standard Ethernet communication bus. The Ethernet link 16 and the control device 11 comprise a switch 18. The communication between the two calculation units 12 and 14 and the switch 18 is via an SPI interface 20 (Serial Peripheral Interface) and / or by an I2C interface 22. The method presented may in principle be executed by a device 10 comprising a single computing unit. The I2C interface is a two-wire serial bus with a transmission factor of up to 1 Mbit; it is for example used to configure integrated circuits (IC circuits). The SPI bus is a three-wire serial bus (clk, data, select) and a transmission rate of 25 Mbit; it is used for example to configure integrated circuits. The interfaces presented are just examples. They may be different depending on the control unit. The choice has in principle no influence on the process that will be described.

The device 10 further comprises a first camera 30, a second camera 32, a third camera 34 and a fourth camera 36 connected by the switch 18 in the Ethernet link 16 with the calculation units 12 and 14 of the control apparatus 11 to be ordered and read by them.

FIG. 2 shows an embodiment of a switch generally carrying the reference 50. It comprises an input line 52, a packet memory 54, an output line 56, a MAC medium access controller 58, four physical links 60, a central computing unit 62, an access register 64 and two SPI interfaces (serial peripheral interfaces) 66.

The MAC control is part of the data link layer it controls access to the physical environment to access a multiple access network.

FIG. 3 shows the chronograms represented in a coordinate system whose abscissa axis 70 represents the cutoff according to the state of the art. The first curve 72 indicates the number of packets in the buffer memory. The second curve 74 indicates whether a reconfiguration is active 76 or inactive 78. A third curve 80 indicates whether the secure state is activated 82 or inactivated 84.

According to the evolution in time, at a first moment 90 the reconfiguration is launched. At a second instant 92 the reconfiguration is stopped. The packet memory is emptied by no longer accepting packets. Then we reduce the packets as shown by the descent of the curve 72. When no more packet is transmitted, we arrive at the secure state at the third instant 94.

FIG. 4 also shows chronograms representing on the abscissa axis 100 the cleavage according to the method of the invention. The first curve 102 indicates the number of packets in the buffer. The second curve 104 indicates whether a reconfiguration is enabled 106 or is inactivated 108. A third curve 110 indicates whether the order "erase buffer" is activated 112 or inactivated 114. A fourth curve 116 indicates whether the secure state is activated 118 or inactivated 120.

According to this embodiment, first of all a first instant 122 erases the buffer memory. This corresponds to the transmission of the order "erase buffer" as the third curve 110 explains it. At a second instant 124 the order is canceled and shortly thereafter, at a third instant 126, the buffer memory is erased. and we start the reconfiguration. As soon as it is over, at a fourth instant 128, we arrive in the secure state. The immediate erasure of the buffer in this case at the first instant 122 makes it possible to reach the safe state much earlier than is currently possible with the known methods as has been described for example with the help of Figure 3.

NOMENCLATURE OF MAIN ELEMENTS 10 Device 11 Controller 12 First computing unit 14 Second computing unit 16 Ethernet link 18 Switch

20 SPI device serial interface

22 I2C Interface 30, 32, 34, 36 Camera 50 Switch 52 Input Line 54 Packet Memory 56 Output Line

58 MAC Control 60 Physical Connections 62 Central Processing Unit 64 Register Access 66 Serial Peripheral Interface 70 Coordinate Axis 72 First Curve 74 Second Curve 76 Reconfiguration On 78 Inactive Reconfiguration 80 Third Curve Indicating Safe State 82 Safe State Enabled 84 Idle Safe State 90 First start time of reconfiguration 92 Second instant end of reconfiguration 94 Third instant / Secure state 100 Abscisses 102 First curve indicating the number of packets in the buffer 104 Activation / inactivation curve 106 Active reconfiguration 108 Inactive reconfiguration 110 Third curve 112 buffer erase order on 114 buffer erase inactive order 116 fourth curve 118 active safe state 120 safe state inactive 122 first instant erase buffer 124 second instant order inactivated 126 third instant erase buffer and start reconfiguration 128 status secured

Claims (4)

CLAIMS 1 °) A method of managing a control device (11) connected by an Ethernet link (16) to at least one data acquisition unit, the control device (11) exchanging data packets with a unit of data input by a transmitter component for coupling several communication participants by Ethernet, according to which upon detection of an error, an error reaction is initiated by which the erasure of all the data packets in a memory of the transmitting component at the instant of the launching of the error reaction and, if necessary, thereafter, so as to neutralize the emission of erroneous information and thus immediately arrive at a secure state. Method according to Claim 1, characterized in that all data packets in the output buffer of the transmitting component are erased. 3 °) A method according to revendicafioxi 1 or 2, characterized in that after erasure, reconilguration of the transmitter component. Process according to one of Claims 1 to 3, characterized in that the erasure is initiated by a separate order. 5. A process according to any one of Claims 1 to 3, characterized in that triggers erasure by changing the size of the memory in the transmitting component. Method according to one of Claims 1 to 3, characterized in that the erasure is triggered by a modification of the flow regulation rate. 7) An operating device connected via an Ethernet link (16) to at least one data entry installation and allowing the implementation of a method according to one of claims 1 to 6, this control device being designed to exchange data packets with the data acquisition unit by a transmitter component for coupling several communication participants via Ethernet, the control unit (11) having detected a fault, initiates a fault reaction by which first all the data packets contained in the memory of the transmitting component are erased . 8 °) control device according to claim 7, characterized in that the transmitter component is a switch (18, 50). 9 °) Control device according to claims 7 and 8, characterized in that it comprises at least one camera (30, 32, 34, 36). 10 °) Control device according to any one of claims 7 to 9, characterized in that the memory is a FIFO memory.