GB2298932A - A fail-safe multiplex system - Google Patents

A fail-safe multiplex system

Info

Publication number
GB2298932A
Authority
GB
United Kingdom
Prior art keywords
controller
output
multiplex system
default
monitor
Legal status
Withdrawn
Application number
GB9505493A
Other versions
GB9505493D0 (en)
Inventor
Jeremy John Greenwood
Current Assignee
MG Rover Group Ltd
Original Assignee
MG Rover Group Ltd
Priority date
1995-03-17
Filing date
1995-03-17
Publication date
1996-09-18

Classifications

    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B23/00Testing or monitoring of control systems or parts thereof
    • G05B23/02Electric testing or monitoring
    • G05B23/0205Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
    • G05B23/0259Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterized by the response to fault detection
    • G05B23/0286Modifications to the monitored process, e.g. stopping operation or adapting control
    • G05B23/0291Switching into safety or degraded mode, e.g. protection and supervision after failure
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60RVEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
    • B60R16/00Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for
    • B60R16/02Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for electric constitutive elements
    • B60R16/03Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for electric constitutive elements for supply of electrical power to vehicle subsystems or for
    • B60R16/0315Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for electric constitutive elements for supply of electrical power to vehicle subsystems or for using multiplexing techniques

Landscapes

  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Hardware Redundancy (AREA)

Abstract

A fail-safe multiplex system comprises a central controller arranged to produce an output, a monitor for monitoring the controller in order to detect faults thereof, and a default controller arranged to produce a default output. In the case that the monitor detects a fault of the controller, the output is substituted by the default output.

Description

FAIL-SAFE MULTIPLEX SYSTEM

The invention relates to a failure tolerant multiplex system, particularly a failure tolerant multiplex system for an electronic control unit (ECU) of a motor vehicle.
In a modern vehicle it is commonplace for many functions of the electrical system of the vehicle to be controlled by an electronic control unit (ECU). Such an ECU commonly incorporates a microprocessor, and it has been found that a failure of the microprocessor can cause a significant loss of function of the vehicle electrical system. Therefore, the ECU is commonly divided into several devices, each performing a portion of the functions of the vehicle electrical system, in which case a failure of one of the devices will cause only that portion of the functions to be lost. In addition or as an alternative, the ECU may be assembled from high reliability parts and processors to reduce the probability of failure. In each of these cases, the cost of construction of the ECU is significantly increased, in the first case due to assembly costs for individual devices, and in the second case due to the use of costly high-grade components.
It is an object of the present invention to provide a system which reduces the impact of component failure and which meets production constraints.
According to the invention there is provided a fail-safe multiplex system comprising a central controller arranged to produce an output, a monitor for monitoring the controller in order to detect faults thereof, and a default controller arranged to produce a default output, in the case that the monitor detects a fault of the controller, the output being substituted by the default output.
The monitor may monitor the controller for a fault thereof by monitoring a repetitive operation of the controller.
The output of the controller may be defined as a function of an input of the controller. The monitor may monitor the controller by comparing the output from and the input to the central controller in order to monitor the function defining the output in terms of the input.
Preferably, the monitor operates as a combination of the two above described monitor functions.
The default controller may be arranged to produce the default output defined as a default function of the input.
The multiplex system may comprise an interface, the interface incorporating said monitor and said default controller. Preferably the interface is coupled to a bus associated with a function of the controller. The interface may include a register for storage of data received or to be transmitted on the bus.
When the default controller is arranged to produce the default output defined as a default function of the input, the function may be defined in programmable means.
The programmable means may comprise programmable read only memory such as EEPROM. The programmable means may also comprise FPGA. The interface may comprise an integrated circuit. The function may be defined in the integrated circuit.
The interface may comprise an auxiliary monitor arranged to monitor the monitor for faults thereof, the auxiliary monitor substituting the default output by an auxiliary default output in the case that a fault is detected of the monitor. Preferably, the monitor is arranged to monitor the auxiliary monitor.
According to a second aspect of the invention there is provided a method of backing up a central controller having an output comprising the steps of monitoring the output in order to detect a fault of the controller and if a fault exists then providing a default output instead of the output of the controller.
Preferably the step of providing the default output comprises processing an input according to a default function.
A preferred embodiment of the invention will now be described by way of example, with reference to the drawings in which: Figure 1 shows a schematic diagram of a multiplex system according to the invention and Figure 2 shows a schematic diagram of the internal architecture of an interface of the multiplex system shown in Figure 1.
Referring firstly to Figure 1, a multiplex system 10 of an electronic control system of a motor vehicle comprises an interface 12 receiving an input 13 from a switching unit 14. The switching unit 14 receives inputs 15, 16 from an ignition switch 17 and a headlight switch 18, and outputs a signal to the input 13 of the interface 12 according to the positions of the switches 17 and 18. The interface 12 has an output 19 which applies a signal to a headlight unit 20, which is connected to a headlight 22 of the motor vehicle.
It will be appreciated that the interface 12 may be adapted to receive several inputs and to comprise several outputs. Three further outputs 23a, 23b, 23c have been indicated by way of example, other inputs and outputs being omitted for simplicity and clarity of the drawings. The interface 12 is connected to a central processing unit (CPU) 25 (the central controller as mentioned above) via a bus 26.
Referring now to Figure 2, the internal architecture of a part of the interface is shown, it being understood that more complex architectures may be necessary for additional inputs and outputs thereof. A monitor in the form of a watchdog 27 is connected to bus 26. The watchdog module 27 is further connected to internal bus 30. Internal bus 30 is connected to first and second input registers 31, 33, first and second output registers 32, 34, and a default logic module 35. The default logic module 35 is further connected to an EEPROM 36. The first input register 31 and the first output register 32 are connected to the input 13, and the second input register 33 and the second output register 34 are connected to the output 19. It can be seen that input 13 and output 19 are thus not specifically unidirectional, but may be interchangeable as inputs or outputs depending on the particular requirements for implementation of the interface 12.
An enable line 28 extends between the watchdog 27 and the default logic module 35. During conventional operation of the interface, data from input 13 via first input register 31 is passed to the CPU 25 by means of internal bus 30, watchdog 27 and bus 26. The CPU 25 processes the data and transmits data to output 19 via bus 26, watchdog 27, internal bus 30 and second output register 34.
Watchdog 27 is situated so that all data entering or leaving the CPU 25 by bus 26 may be monitored. The watchdog 27 is adapted to check the data transmitted by the CPU 25 against the data passed to the CPU 25. In that way, the watchdog 27 may verify correct operation of the CPU 25.
If the watchdog 27 detects an inconsistency between the monitored input data and output data, then the watchdog 27 enables the default logic module 35 via the enable line 28.
The watchdog 27 isolates the CPU 25 from the interface 12, and the default logic module 35 produces data from input 13 and transmits it to output 19 with reference to EEPROM 36.
EEPROM 36 contains process data which may be programmed either at the time of installation of the interface, or it may be a self-learning memory able to impersonate the CPU 25 to a certain degree. The EEPROM 36 provides a back-up to the CPU 25, and it is not necessary for EEPROM 36 to react exactly as CPU 25 would to a particular input; it need merely provide outputs which allow satisfactory operation of the electronic control unit.
It will be appreciated that the invention is not limited to a pure multiplex system where all operations are performed via the system but may be used in mixed or hybrid systems where some tasks are performed by direct power switching.
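The fail-over described for Figures 1 and 2, as an added simulation that is not part of the patent: a watchdog combines the two monitor functions (the repetitive-operation check of claim 2 and the input/output comparison of claim 4), and on a fault raises the enable line, isolates the CPU and substitutes the default logic module's EEPROM-derived output. The bit masks, the EEPROM table contents and the missed-cycle threshold are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Headlight control of Figure 1, modelled with constructed bit masks (not from the patent). */
#define IGN_ON   0x01u   /* ignition switch 17 closed */
#define HL_SW_ON 0x02u   /* headlight switch 18 closed */
#define HL_RELAY 0x01u   /* output 19 energises headlight unit 20 */

/* The function CPU 25 is meant to implement (claim 3): headlight on only with ignition and switch on. */
static uint8_t expected_fn(uint8_t in) {
    return ((in & IGN_ON) && (in & HL_SW_ON)) ? HL_RELAY : 0u;
}

/* Default logic module 35 reading its table from EEPROM 36: a lookup on the two input bits (constructed). */
static const uint8_t eeprom_default[4] = { 0u, 0u, 0u, HL_RELAY };
static uint8_t default_fn(uint8_t in) { return eeprom_default[in & 0x03u]; }

/* A CPU produces an output and reports whether it completed its repetitive cycle (claim 2). */
typedef uint8_t (*cpu_fn)(uint8_t in, bool *alive);

typedef struct {
    bool default_enabled;    /* state of enable line 28 */
    unsigned missed_cycles;  /* consecutive cycles without the repetitive operation */
} watchdog_t;

#define MAX_MISSED 2u        /* assumed tolerance before the heartbeat check trips */

/* One bus cycle through interface 12: input register 31 -> CPU -> output register 34.
 * Watchdog 27 checks the heartbeat and the input/output relation (claim 4); on a fault it raises
 * enable line 28, isolates the CPU and substitutes the default output. Returns the value on output 19. */
static uint8_t interface_cycle(watchdog_t *wd, cpu_fn cpu, uint8_t in) {
    if (wd->default_enabled)                 /* CPU already isolated: default logic only */
        return default_fn(in);
    bool alive = false;
    uint8_t out = cpu(in, &alive);
    wd->missed_cycles = alive ? 0u : wd->missed_cycles + 1u;
    bool io_fault = (out != expected_fn(in));
    if (io_fault || wd->missed_cycles >= MAX_MISSED) {
        wd->default_enabled = true;
        return default_fn(in);
    }
    return out;
}

/* Constructed CPU behaviours: healthy, output stuck inverted (caught by the I/O check), hung (caught by the heartbeat). */
static uint8_t cpu_healthy(uint8_t in, bool *alive)  { *alive = true; return expected_fn(in); }
static uint8_t cpu_inverted(uint8_t in, bool *alive) { *alive = true; return expected_fn(in) ^ HL_RELAY; }
static uint8_t cpu_hung(uint8_t in, bool *alive)     { (void)in; *alive = false; return 0u; }

/* Drive a sequence of inputs through the interface and return the last output. */
static uint8_t drive(watchdog_t *wd, cpu_fn cpu, const uint8_t *ins, size_t n) {
    uint8_t out = 0u;
    for (size_t i = 0; i < n; i++) out = interface_cycle(wd, cpu, ins[i]);
    return out;
}

int main(void) {
    const uint8_t both_on[] = { IGN_ON | HL_SW_ON };
    const uint8_t idle_then_on[] = { 0u, 0u, IGN_ON | HL_SW_ON };
    watchdog_t wd = { false, 0u };
    uint8_t out = drive(&wd, cpu_healthy, both_on, 1);
    printf("healthy:  out=%u default=%d\n", out, wd.default_enabled);
    wd = (watchdog_t){ false, 0u };
    out = drive(&wd, cpu_inverted, both_on, 1);
    printf("inverted: out=%u default=%d\n", out, wd.default_enabled);
    wd = (watchdog_t){ false, 0u };
    out = drive(&wd, cpu_hung, idle_then_on, 3);
    printf("hung:     out=%u default=%d\n", out, wd.default_enabled);
    return 0;
}
```

In the hung case the inverted-output check alone would never fire, because a stalled CPU returning 0 happens to match the expected output for an idle input; only the repetitive-operation monitor catches it, which is why the description prefers combining both monitor functions.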

Claims (17)

1. A fail-safe multiplex system comprising a central controller arranged to produce an output, a monitor for monitoring the controller in order to detect faults thereof, and a default controller arranged to produce a default output, arranged such that if the monitor detects a fault of the controller, the output is substituted by the default output.
2. The multiplex system of claim 1 wherein the monitor monitors the controller for a fault thereof by monitoring a repetitive operation of the controller.
3. The multiplex system of claim 1 or claim 2 wherein the output of the central controller is defined as a function of an input of the controller.
4. The multiplex system of claim 3 wherein the monitor monitors the controller by comparing the output from and the input to the central controller in order to monitor the function defining the output in terms of the input.
5. The multiplex system of claim 3 or claim 4 wherein the default controller is arranged to produce the default output defined as a default function of the input.
6. The multiplex system of any preceding claim comprising an interface incorporating said monitor and said default controller.
7. The multiplex system of claim 6 wherein the interface receives a bus associated with a function of the controller.
8. The multiplex system of claim 7 including a register for storage of data received or to be transmitted on the bus.
9. The multiplex system of any one of claims 6-8 wherein the interface comprises an integrated circuit.
10. The multiplex system of claim 9 when appendant upon claim 5 wherein the default function is defined in the integrated circuit.
11. The multiplex system of claim 5 or any one of claims 6-9 when appendant upon claim 5 wherein the function is defined in programmable means.
12. The multiplex system of claim 11 wherein the programmable means comprises EEPROM.
13. The multiplex system of claim 11 wherein the programmable means comprises FPGA.
14. A method of backing up a central controller having an output comprising the steps of : monitoring the output in order to detect a fault of the controller and if a fault exists then providing a default output instead of the output of the controller.
15. The method of claim 16 wherein the step of providing the default output further comprises processing an input according to a default function.
16. A fail-safe multiplex system substantially as described herein with reference to the drawings.
17. A method of backing up a central controller substantially as described herein.

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB9505493A GB2298932A (en) 1995-03-17 1995-03-17 A fail-safe multiplex system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB9505493A GB2298932A (en) 1995-03-17 1995-03-17 A fail-safe multiplex system

Publications (2)

Publication Number Publication Date
GB9505493D0 GB9505493D0 (en) 1995-05-03
GB2298932A true GB2298932A (en) 1996-09-18

Family

ID=10771426

Family Applications (1)

Application Number Title Priority Date Filing Date
GB9505493A Withdrawn GB2298932A (en) 1995-03-17 1995-03-17 A fail-safe multiplex system

Country Status (1)

Country Link
GB (1) GB2298932A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1985002042A1 (en) * 1983-10-27 1985-05-09 Sundstrand Corporation Fault tolerant controller
US4653445A (en) * 1986-03-25 1987-03-31 Book Anton M Engine protection system
US4748567A (en) * 1984-06-01 1988-05-31 Nissan Motor Co., Ltd. Method of performing a fail safe control for an engine and a fail safe control unit thereof
GB2256506A (en) * 1991-06-06 1992-12-09 Bosch Gmbh Robert Emergency ic engine control.
GB2265798A (en) * 1992-03-23 1993-10-06 Nissan Motor Vehicle data communication and control system including fail-safe function
EP0569227A1 (en) * 1992-05-08 1993-11-10 Zexel Corporation Fuel injection control system for internal combustion engine

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2000008533A1 (en) * 1998-08-05 2000-02-17 Siemens Aktiengesellschaft Method and device for commissioning installations of the primary industry
EP3178704A1 (en) * 2015-12-10 2017-06-14 Continental Automotive GmbH Terminal control device for interfacing a digital processing unit with electric output lines in a motor vehicle
WO2017097822A1 (en) 2015-12-10 2017-06-15 Continental Automotive Gmbh Terminal control device for interfacing a digital processing unit with electric output lines in a motor vehicle

Also Published As

Publication number Publication date
GB9505493D0 (en) 1995-05-03

Similar Documents

Publication Publication Date Title
US6347252B1 (en) Control and data transmission installation and a process for the transmission of safety-related data
US4652853A (en) Multiple communication system for vehicular bodies
JP3965410B2 (en) Redundant vehicle control device
US10576990B2 (en) Method and device for handling safety critical errors
US6201997B1 (en) Microprocessor system for safety-critical control systems
US6704628B1 (en) Method for detecting errors of microprocessors in control devices of an automobile
EP0113478B1 (en) Fail safe system for information transmission systems
US6334194B1 (en) Fault tolerant computer employing double-redundant structure
JP2004518578A (en) How to drive distributed safety critical system components
KR20060067927A (en) Method for monitoring the execution of a program in a micro-computer
US20220009353A1 (en) Security system and method for operating a security system
US4465942A (en) Electrical installation for triggering switching functions in motor vehicles
US20040030969A1 (en) Communication control system and method for supervising a failure
GB2298932A (en) A fail-safe multiplex system
US20040199824A1 (en) Device for safety-critical applications and secure electronic architecture
KR950704142A (en) ANTI-LOCK CONTROLLER
KR20100115965A (en) Control system for fault diagnosis in vehicle
US7426430B2 (en) Control unit for activating an occupant protection means in a motor vehicle and method for monitoring the proper functioning of a control unit preferably of this type
JPH06274361A (en) Computer system for vehicle control
JPH06305376A (en) Control device for vehicle
JP2906789B2 (en) Runaway monitoring circuit of multiple microcomputers
JPS60135332A (en) Protecting device for automobile control system
JP2611549B2 (en) Elevator group control device
JPH06351077A (en) Multiplex transmitting device

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)