GB2345153A - Fault-tolerant microcontroller arrangement, eg for a vehicle braking system - Google Patents

Info

Publication number
GB2345153A
Authority
GB
United Kingdom
Prior art keywords
microcontroller
fault
node
arrangement
network
Prior art date
Legal status
Withdrawn
Application number
GB9828534A
Other versions
GB9828534D0 (en)
Inventor
Mark John Jordan
Andreas Krueger
Mark Maiolani
Current Assignee
Motorola Solutions UK Ltd
Original Assignee
Motorola Ltd
Priority date
1998-12-23
Filing date
1998-12-23
Publication date
2000-06-28

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B9/00 Safety arrangements
    • G05B9/02 Safety arrangements electric
    • G05B9/03 Safety arrangements electric with multiple-channel loop, i.e. redundant control systems
    • B PERFORMING OPERATIONS; TRANSPORTING
    • B60 VEHICLES IN GENERAL
    • B60R VEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
    • B60R25/00 Fittings or systems for preventing or indicating unauthorised use or theft of vehicles
    • B60R25/01 Fittings or systems for preventing or indicating unauthorised use or theft of vehicles operating on vehicle systems or fittings, e.g. on doors, seats or windscreens
    • B60R25/08 Fittings or systems for preventing or indicating unauthorised use or theft of vehicles operating on vehicle systems or fittings, e.g. on doors, seats or windscreens operating on brakes or brake systems

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Automation & Control Theory (AREA)
  • Mechanical Engineering (AREA)
  • Regulating Braking Force (AREA)

Abstract

Microcontroller arrangement 5 controls a sensor (eg brake pedal) or actuator (eg wheel brake) node of a distributed communications network and has a first microcontroller 10 communicating with the network bus 7 and terminal 60 for the sensor/actuator, and a backup microcontroller 110 for monitoring the communication and for providing backup communication in the event of a fault in microcontroller 10. Microcontroller 110 is also directly coupled to provide internal diagnostic parameters to the first microcontroller, such that in the event of a fault occurring in the backup microcontroller, the first microcontroller provides a fault signal to the network. The first microcontroller may similarly provide internal diagnostic parameters.

Description

MICROCONTROLLER ARRANGEMENT AND METHOD

Field of the Invention

This invention relates to microcontroller arrangements and particularly but not exclusively to microcontroller arrangements in distributed fault-tolerant systems.

Background of the Invention

In a distributed fault-tolerant system, such as is found in a modern automobile, a number of microcontrollers in different locations within the automobile may be coupled together via a bus in order to provide common distributed functions, such as a braking function.
In a braking system of a vehicle where microprocessors are used to control the system (a so-called brake-by-wire system), one processor is typically provided for each wheel (a wheel node), to control the application of the brake disc or drum for that wheel. A further microcontroller is provided at the brake pedal (pedal node), in order to interpret foot pressure on the pedal by the driver and to translate this pressure into data signals which are then transmitted via the bus to the wheel nodes, to control the brakes accordingly.
Typically in such systems the bus protocol is time triggered, such that each node has a time slot of the bus for transmission and reception of data signals. In order to use the available bandwidth of the bus as efficiently as possible, typically only one time slot is available for each node.
In order to achieve fault-tolerance in such a system, a shadow microcontroller may be provided at some or each of the nodes, in order to listen to the (primary) microcontroller of the node, and to take over the function of the node should a failure occur in the primary microcontroller.
A problem with this arrangement is that since the shadow microcontroller is only able to listen and not to transmit, should the shadow microcontroller fail before the primary microcontroller, this will not be detected until the primary microcontroller also fails, when functionality is completely lost at the node in question.
This invention seeks to provide a microcontroller arrangement and method which mitigates the above mentioned disadvantages.
Summary of the Invention

According to a first aspect of the present invention there is provided a microcontroller arrangement for use within a node of a distributed communications network, the arrangement comprising: a first microcontroller arranged for exchanging data signals associated with the node over the communications network; and, a second microcontroller arranged for monitoring the exchanged data signals and for providing backup data signals associated with the node over the communications network in the event of a fault occurring in the first microcontroller; wherein the second microcontroller is further directly coupled to provide internal diagnostic parameters to the first microcontroller, such that in the event of a fault occurring in the second microcontroller, the first microcontroller provides a fault signal to the network, indicating that the fault has occurred.
Preferably the first and second microcontrollers are both directly coupled to exchange internal diagnostic parameters with each other, such that in the event of a fault occurring in either one of the first and second microcontrollers, the other microcontroller provides a fault signal to the network, indicating that the fault has occurred.
According to a second aspect of the invention there is provided a method for operating a microcontroller arrangement within a node of a distributed communications network, the method comprising the steps of: exchanging data signals associated with the node to and from the communications network using a first microcontroller; monitoring the exchanged data signals using a second microcontroller; providing, in the event of a fault occurring in the first microcontroller, the exchange of backup data signals associated with the node to and from the communications network using the second microcontroller; and, providing internal diagnostic parameters of the second microcontroller directly to the first microcontroller, wherein in the event of a fault occurring in the second microcontroller, a fault signal is provided to the network by the first microcontroller, indicating that the fault has occurred.
Preferably the method further comprises the step of providing internal diagnostic parameters of the first microcontroller directly to the second microcontroller, such that in the event of a fault occurring in the first microcontroller, a fault signal is provided to the network by the second microcontroller, indicating that the fault has occurred.
The distributed communications network is preferably an electronic vehicle braking system, and the node is a pedal node of the braking system. Preferably the distributed communications network is a time-triggered network.
In this way a microcontroller arrangement and method are provided in which faults in either microcontroller are identified and alerted across the network, while maintaining functionality of the node.
Brief Description of the Drawing

An exemplary embodiment of the invention will now be described with reference to the single figure drawing which shows a preferred embodiment of a microcontroller arrangement in accordance with the invention.

Detailed Description of a Preferred Embodiment

Referring to the single figure drawing, there is shown a microcontroller arrangement 5 arranged to be connected to a bus 7 of a distributed communications network forming a braking system of a vehicle (not shown). The bus 7 allows the microcontroller arrangement 5 (in the form of a brake pedal node) to be coupled to a number of wheel nodes (not shown), in order to provide a braking function for the vehicle using data signals. Typically the bus 7 has two lines, as shown, such that if one should fail, communication is still maintained by the other line.
The arrangement 5 has a first microcontroller 10 and a second microcontroller 110. The first microcontroller 10 has a network communications controller (NCC) 20, which is coupled to exchange network data signals with the bus 7. The NCC 20 is also coupled via an interface 30 to a Central Processing Unit (CPU) 40, which in turn is coupled to a serial communications controller (SCC) 50. The microcontroller 10 is also arranged to be coupled via a control terminal 60 to elements (not shown) of the node to which the arrangement 5 relates.
Similarly the second microcontroller 110 has a NCC 120, which is coupled to exchange network data signals with the bus 7. The NCC 120 is also coupled via an interface 130 to a CPU 140, which in turn is coupled to a SCC 150. The microcontroller 110 is also arranged to be coupled via a control terminal 160 to the node elements (not shown).
In the preferred embodiment, the arrangement 5 forms part of a brake pedal node, and the terminals 60 and 160 are arranged to be coupled to sensors of the brake pedal (not shown). Alternatively, if the arrangement 5 forms part of a wheel node, the terminals 60 and 160 will be coupled to brake actuating transducers (not shown).
The SCCs 50 and 150 are further coupled to exchange data with each other, as described further below.
In operation, the CPU 40 controls the functions of the first microcontroller 10, including the activities of the NCC 20 and the SCC 50. The CPU 40 is also arranged to provide internal diagnostic signals of the first microcontroller 10 indicating its status (i.e. whether it is functioning correctly). The NCC 20 is arranged to communicate with the bus 7 at predetermined time slots, and to send data via the bus 7 to the wheel nodes (not shown).
The data indicates the state of the brake pedal, and in particular whether the brakes should be applied. In this way the first microcontroller controls the functions of the brake pedal node.
In a similar way the CPU 140 controls the functions of the second microcontroller 110, including the activities of the NCC 120 and the SCC 150. The CPU 140 is also arranged to provide internal diagnostic signals of the second microcontroller 110 indicating its status (i.e. whether it is functioning correctly). The NCC 120 is initially arranged only to listen to the bus 7 so that the second microcontroller 110 is able to monitor the signals on the bus 7 in order to determine whether the first microcontroller 10 is functioning properly. In the event that, for example, the first microcontroller 10 fails to transmit a data signal on the bus 7 during a brake node slot, the second microcontroller 110 takes over control of the brake pedal node functions, and the NCC 120 begins to transmit backup data signals to the bus 7 during the brake node slot in place of the data signals from the NCC 20.
In addition, the CPU 140 is further arranged to exchange its internal diagnostic signals, via the SCCs 150 and 50, with the CPU 40. In this way, the CPU 40 is able to monitor the state of the second microcontroller 110. In the event that a malfunction occurs in the second microcontroller 110, the CPU 40 is able to send a signal via the NCC 20 to the bus 7 alerting other nodes of the malfunction. Similarly, the CPU 40 may be further arranged to exchange its internal diagnostic signals, via the SCCs 50 and 150, with the CPU 140. In this way, the CPU 140 is able to monitor the state of the first microcontroller 10 directly, in addition to the monitoring of the bus 7. In the event that a malfunction occurs in the first microcontroller 10, the CPU 140 is able to take over control of the brake node, and to send a signal via the NCC 120 to the bus 7 alerting other nodes of the malfunction. In this way it may also be possible for the second microcontroller 110 to be notified of the malfunction and to take over at an earlier stage than it would have done by monitoring the bus 7 alone.
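The slot-by-slot behaviour described above, as an added simulation written for this page rather than code from the patent or its assignee. It models the two microcontrollers (10 and 110) of the pedal node, the direct SCC diagnostic link between their CPUs, and the single bus slot the node owns. The structure and function names, the `peer_fault` flag in the bus frame, and the one-slot delay before the listening backup takes over after an empty slot are all assumptions made for the example. Initialising the node with `scc_link=false` removes the diagnostic link, which reproduces the prior-art shadow scheme in which a failed backup goes unnoticed until the primary also fails:

```c
#include <stdbool.h>
#include <stdio.h>

/* Reference numerals from the description; NO_FRAME marks an empty slot. */
enum { PRIMARY_ID = 10, BACKUP_ID = 110, NO_FRAME = 0 };

/* What the wheel nodes see on bus 7 during the pedal node's time slot. */
struct frame {
    int  source;          /* PRIMARY_ID, BACKUP_ID, or NO_FRAME */
    int  pedal_pressure;  /* brake demand carried in the data signal */
    bool peer_fault;      /* fault signal: the other microcontroller is faulty */
};

struct mcu {
    int  id;
    bool cpu_healthy;     /* internal diagnostic generated by its own CPU */
    bool ncc_transmits;   /* NCC hardware actually puts frames on the bus */
    bool peer_healthy;    /* last diagnostic received over the SCC link */
};

struct node {
    struct mcu primary;        /* microcontroller 10: owns the slot */
    struct mcu backup;         /* microcontroller 110: listens, takes over */
    bool scc_link;             /* SCC 50 <-> SCC 150 diagnostic link present */
    bool backup_in_control;
};

/* scc_link=false models the plain shadow scheme described as prior art,
   where the backup can only listen to the bus (assumed simplification). */
struct node node_init(bool scc_link) {
    struct node n = { {PRIMARY_ID, true, true, true},
                      {BACKUP_ID,  true, true, true}, scc_link, false };
    return n;
}

/* Direct exchange of internal diagnostics between CPU 40 and CPU 140. */
static void exchange_diagnostics(struct node *n) {
    if (!n->scc_link) return;
    n->primary.peer_healthy = n->backup.cpu_healthy;
    n->backup.peer_healthy  = n->primary.cpu_healthy;
}

/* Simulates one pedal-node slot and returns the frame placed on the bus. */
struct frame run_slot(struct node *n, int pedal_pressure) {
    struct frame out = { NO_FRAME, 0, false };
    exchange_diagnostics(n);

    /* Path 1: the SCC link reports a primary fault, so the backup takes
       over without first having to observe a missed slot on the bus. */
    if (!n->backup.peer_healthy && n->backup.cpu_healthy)
        n->backup_in_control = true;

    if (!n->backup_in_control) {
        if (n->primary.cpu_healthy && n->primary.ncc_transmits) {
            out.source = PRIMARY_ID;
            out.pedal_pressure = pedal_pressure;
            /* A backup fault is reported to the network now, instead of
               staying hidden until the primary fails as well. */
            out.peer_fault = !n->primary.peer_healthy;
            return out;
        }
        /* Path 2: the slot stayed empty. The listening backup notices and
           transmits from the next slot on (assumed one-slot delay). */
        if (n->backup.cpu_healthy)
            n->backup_in_control = true;
        return out;
    }

    if (n->backup.cpu_healthy) {
        out.source = BACKUP_ID;
        out.pedal_pressure = pedal_pressure;
        out.peer_fault = true;  /* backup transmitting means primary failed */
    }
    return out;  /* both faulty: node is silent, which other nodes can detect */
}

int main(void) {
    struct node n = node_init(true);
    n.backup.cpu_healthy = false;      /* backup fails while primary is fine */
    struct frame f = run_slot(&n, 40);
    printf("slot: source=%d pressure=%d peer_fault=%d\n",
           f.source, f.pedal_pressure, (int)f.peer_fault);
    return 0;
}
```

The two detection paths in `run_slot` correspond to the two mechanisms in the description: the bus-monitoring path needs an empty slot to go by before the backup can act, whereas the SCC path lets it take over in the same slot in which the primary's CPU reports a fault, which is the earlier takeover the text refers to.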
It will be appreciated that alternative embodiments to the one described above are possible. For example, the microcontroller arrangement 5 may be used for a wheel node or a node forming part of a distributed communications network having a purpose other than providing braking functions.
Furthermore, the number of microcontrollers could be greater than two. It is envisaged that an arrangement comprising three microcontrollers could be provided, in which the first microcontroller provides the primary control functions of the node, and second and third microcontrollers provide monitoring functions. In this way even further fault tolerance is provided, as functionality of the node may be maintained via one of the microcontrollers despite malfunctions in the other two microcontrollers.

Claims (9)

  1. A microcontroller arrangement for use within a node of a distributed communications network, the arrangement comprising: a first microcontroller arranged for exchanging data signals associated with the node over the communications network; and, a second microcontroller arranged for monitoring the exchanged data signals and for providing backup data signals associated with the node over the communications network in the event of a fault occurring in the first microcontroller; wherein the second microcontroller is further directly coupled to provide internal diagnostic parameters to the first microcontroller, such that in the event of a fault occurring in the second microcontroller, the first microcontroller provides a fault signal to the network, indicating that the fault has occurred.
  2. The arrangement of claim 1 wherein the first and second microcontrollers are both directly coupled to exchange internal diagnostic parameters with each other, such that in the event of a fault occurring in either one of the first and second microcontrollers, the other microcontroller provides a fault signal to the network, indicating that the fault has occurred.
  3. A method for operating a microcontroller arrangement within a node of a distributed communications network, the method comprising the steps of: exchanging data signals associated with the node to and from the communications network using a first microcontroller; monitoring the exchanged data signals using a second microcontroller; providing, in the event of a fault occurring in the first microcontroller, the exchange of backup data signals associated with the node to and from the communications network using the second microcontroller; and, providing internal diagnostic parameters of the second microcontroller directly to the first microcontroller, wherein in the event of a fault occurring in the second microcontroller, a fault signal is provided to the network by the first microcontroller, indicating that the fault has occurred.
  4. The method of claim 3 further comprising the step of: providing internal diagnostic parameters of the first microcontroller directly to the second microcontroller, such that in the event of a fault occurring in the first microcontroller, a fault signal is provided to the network by the second microcontroller, indicating that the fault has occurred.
  5. The arrangement or method of any preceding claim wherein the distributed communications network is an electronic vehicle braking system.
  6. The arrangement or method of claim 5 wherein the node is a pedal node of the braking system.
  7. The arrangement or method of any preceding claim wherein the distributed communications network is a time-triggered network.
  8. A microcontroller arrangement substantially as hereinbefore described and with reference to the drawing.
  9. A method substantially as hereinbefore described and with reference to the drawing.

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB9828534A GB2345153A (en) 1998-12-23 1998-12-23 Fault-tolerant microcontroller arrangement, eg for a vehicle braking system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB9828534A GB2345153A (en) 1998-12-23 1998-12-23 Fault-tolerant microcontroller arrangement, eg for a vehicle braking system

Publications (2)

Publication Number Publication Date
GB9828534D0 GB9828534D0 (en) 1999-02-17
GB2345153A true GB2345153A (en) 2000-06-28

Family

ID=10844963

Family Applications (1)

Application Number Title Priority Date Filing Date
GB9828534A Withdrawn GB2345153A (en) 1998-12-23 1998-12-23 Fault-tolerant microcontroller arrangement, eg for a vehicle braking system

Country Status (1)

Country Link
GB (1) GB2345153A (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002035298A2 (en) * 2000-10-23 2002-05-02 Robert Bosch Gmbh System for controlling operational sequences
DE10303383A1 (en) * 2003-01-29 2004-08-05 Zf Lenksysteme Gmbh Fail safe monitoring system for control of functions in a road vehicle system has duplex units for information processing
WO2006002695A1 (en) * 2004-07-06 2006-01-12 Daimlerchrysler Ag Redundant data bus system
EP1632865A2 (en) * 2004-09-02 2006-03-08 Robert Bosch Gmbh Databus interface for a controller and controller with a databus interface
DE102009014642A1 (en) * 2009-03-24 2010-09-30 Valeo Schalter Und Sensoren Gmbh Arrangement for controlling vehicle assistance system, has control and regulating device, with which data obtained from sensor on device to be controlled on vehicle is evaluated
US10112606B2 (en) 2016-01-22 2018-10-30 International Business Machines Corporation Scalable sensor fusion and autonomous x-by-wire control
CN111366192A (en) * 2020-03-16 2020-07-03 华为技术有限公司 Information acquisition method and device
EP3740831B1 (en) * 2018-01-15 2024-03-13 Qualcomm Incorporated Managing limited safe mode operations of a robotic vehicle

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2104247A (en) * 1981-07-13 1983-03-02 Nissan Motor Automatic control of i c engines in vehicles
GB2191875A (en) * 1986-06-19 1987-12-23 Isuzu Motors Ltd Vehicle control system
GB2255422A (en) * 1991-04-29 1992-11-04 Kloeckner Humboldt Deutz Ag Monitoring device for an i.c. engine control system.
EP0518630A2 (en) * 1991-06-12 1992-12-16 Aeci Limited Redundant control system
GB2313678A (en) * 1996-05-27 1997-12-03 Mitsubishi Electric Corp Preventing discontinuities in electronically-interlocked parallel-multiplexed control system

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002035298A2 (en) * 2000-10-23 2002-05-02 Robert Bosch Gmbh System for controlling operational sequences
WO2002035298A3 (en) * 2000-10-23 2003-03-27 Bosch Gmbh Robert System for controlling operational sequences
DE10303383A1 (en) * 2003-01-29 2004-08-05 Zf Lenksysteme Gmbh Fail safe monitoring system for control of functions in a road vehicle system has duplex units for information processing
WO2006002695A1 (en) * 2004-07-06 2006-01-12 Daimlerchrysler Ag Redundant data bus system
CN100538677C (en) * 2004-09-02 2009-09-09 罗伯特.博世有限公司 Control module
EP1632865A3 (en) * 2004-09-02 2008-02-20 Robert Bosch Gmbh Databus interface for a controller and controller with a databus interface
EP1632865A2 (en) * 2004-09-02 2006-03-08 Robert Bosch Gmbh Databus interface for a controller and controller with a databus interface
US7594054B2 (en) 2004-09-02 2009-09-22 Robert Bosch Gmbh Data bus interface for a control unit, and control unit having a data bus interface
DE102009014642A1 (en) * 2009-03-24 2010-09-30 Valeo Schalter Und Sensoren Gmbh Arrangement for controlling vehicle assistance system, has control and regulating device, with which data obtained from sensor on device to be controlled on vehicle is evaluated
US10112606B2 (en) 2016-01-22 2018-10-30 International Business Machines Corporation Scalable sensor fusion and autonomous x-by-wire control
EP3740831B1 (en) * 2018-01-15 2024-03-13 Qualcomm Incorporated Managing limited safe mode operations of a robotic vehicle
CN111366192A (en) * 2020-03-16 2020-07-03 华为技术有限公司 Information acquisition method and device
WO2021185024A1 (en) * 2020-03-16 2021-09-23 华为技术有限公司 Information obtaining method and apparatus

Also Published As

Publication number Publication date
GB9828534D0 (en) 1999-02-17

Similar Documents

Publication Publication Date Title
US7474015B2 (en) Method and supply line structure for transmitting data between electrical automotive components
US6213567B1 (en) Brake system for a motor vehicle and method for transmitting data in an electrically controlled brake system for a motor vehicle
US6918064B2 (en) Method and device for monitoring control units
US6540309B1 (en) Fault tolerant electronic braking system
KR100947791B1 (en) Multi-core redundant control computer system, computer network for applications that are critical with regard to safety in motor vehicles, and use thereof
US7023870B2 (en) Method for operating a distributed computer system
AU2002231167B2 (en) Method of "split-brain" prevention in computer cluster systems
US6029108A (en) Brake device for vehicles
US20090044041A1 (en) Redundant Data Bus System
JP2010254298A (en) Electrically-controlled brake system
US20050225165A1 (en) Brake by-wire control system
KR102533939B1 (en) vehicle control system
JPH03283845A (en) Multiplex transmission equipment for vehicle
GB2345153A (en) Fault-tolerant microcontroller arrangement, eg for a vehicle braking system
CN114348027B (en) Vehicle control method, device, platform and storage medium
US20030184158A1 (en) Method for operating a distributed safety-relevant system
US6446201B1 (en) Method and system of sending reset signals only to slaves requiring reinitialization by a bus master
EP1141833B1 (en) Microprocessor module with reset voting arrangement and method therefor
JP2008084315A (en) System and method distributing and executing program codes in controller network
JP3166127B2 (en) LAN switching system and power system monitoring and control system
JP2933972B2 (en) Multiplex transmission equipment for vehicles
GB2348782A (en) A fault location system and method
JP2885583B2 (en) Communication procedure control system
JP2024082459A (en) Vehicle control system and abnormality diagnosis method
JPH04122139A (en) Multiplex transmitter

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)