GB2357594A - Fault tolerant suspension system and fault tolerant steering system - Google Patents

Fault tolerant suspension system and fault tolerant steering system Download PDF

Info

Publication number
GB2357594A
GB2357594A GB9930121A GB9930121A GB2357594A GB 2357594 A GB2357594 A GB 2357594A GB 9930121 A GB9930121 A GB 9930121A GB 9930121 A GB9930121 A GB 9930121A GB 2357594 A GB2357594 A GB 2357594A
Authority
GB
United Kingdom
Prior art keywords
control means
input
signal
suspension
signals
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
GB9930121A
Other versions
GB2357594B (en
GB9930121D0 (en
Inventor
John Kennedy Dunlop
William Stewart Matthews
Mark John Jordan
Mark Maiolani
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Motorola Solutions UK Ltd
Original Assignee
Motorola Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Motorola Ltd filed Critical Motorola Ltd
Priority to GB9930121A priority Critical patent/GB2357594B/en
Publication of GB9930121D0 publication Critical patent/GB9930121D0/en
Priority to PCT/EP2000/013345 priority patent/WO2001045982A2/en
Priority to AT00987475T priority patent/ATE355998T1/en
Priority to DE60033853T priority patent/DE60033853T2/en
Priority to EP00987475A priority patent/EP1276637B1/en
Publication of GB2357594A publication Critical patent/GB2357594A/en
Application granted granted Critical
Publication of GB2357594B publication Critical patent/GB2357594B/en
Anticipated expiration legal-status Critical
Expired - Fee Related legal-status Critical Current

Links

Classifications

    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60GVEHICLE SUSPENSION ARRANGEMENTS
    • B60G17/00Resilient suspensions having means for adjusting the spring or vibration-damper characteristics, for regulating the distance between a supporting surface and a sprung part of vehicle or for locking suspension during use to meet varying vehicular or surface conditions, e.g. due to speed or load
    • B60G17/015Resilient suspensions having means for adjusting the spring or vibration-damper characteristics, for regulating the distance between a supporting surface and a sprung part of vehicle or for locking suspension during use to meet varying vehicular or surface conditions, e.g. due to speed or load the regulating means comprising electric or electronic elements
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60GVEHICLE SUSPENSION ARRANGEMENTS
    • B60G2600/00Indexing codes relating to particular elements, systems or processes used on suspension systems or suspension control systems
    • B60G2600/08Failure or malfunction detecting means

Landscapes

  • Engineering & Computer Science (AREA)
  • Mechanical Engineering (AREA)
  • Vehicle Body Suspensions (AREA)

Abstract

A fault tolerant suspension system for a vehicle comprises an input node for receiving an input signal and at least three suspension nodes coupled to the input node. Each suspension node has a control means 10, 20, 30, or 40 arranged for processing the input signal to provide a second signal for controlling at least one suspension actuator 15, 25, 35, 45, and to provide a plurality of third signals to the at least two other control means 10, 20, 30, or 40. The third signals are the expected second signal results of the at least two other control means. Each control means 10, 20, 30, or 40 is arranged to compare the second signal with the third signals received from the at least two other control means such that errors detected between the second and third signals indicate faults in the at least three control means. A fault tolerant steering system 105 utilising a similar generation and comparison of signals, is also disclosed.

Description

2357594 FAULT-TOLERANT SUSPENSION SYSTEM AND FAULT-TOLERANT STEERING
SYSTEM
Field of the Invention
This invention relates to fault-tolerant suspension systems and to faulttolerant steering systems.
Background of the Invention
In recent years, automobile manufacturers have sought to replace many expensive mechanical components with electronic components. Future automotive designs contemplate the removal of even more mechanical components, particularly in respect of control linkages to the engine, wheels, etc.., replacing them with 'by-wire' technology, partially derived from the 'flyby-wire' technology associated with the aircraft industry.
For example, the hydraulic or mechanical suspension system or the steering system of an automobile may be replaced by a microprocessor controlled system, having a sensors or switches which, upon actuation by the driver or due to certain road conditions, transmits electronic signals to actuators located in proximity to the wheels. In a suspension system, the actuators apply damping to the vehicle suspension in dependence on the electronic signals. In a steering system, the actuators are arranged to turn the wheels of the vehicle in order to change the direction in which the vehicle is travelling in dependence on the electronic signals.
In highly dependable applications, such as the suspension and steering systems described above, the system must be fault-tolerant, such that if a fault should occur, at least some functionality of the system will continue. Known arrangements to provide fault-tolerance include redundant systems having two or more microprocessors which operate independently of each other and cross-check each other to detect faults.
1 A problem with this arrangement is that the larger the number of processors, the more cost is added to the system, and the fewer the number of processors, the greater the chances of all processors in the system developing a fault.
This invention seeks to provide a fault-tolerant suspension system and a fault-tolerant steering system which mitigates the above mentioned disadvantages.
Summary of the Invention
According to a first aspect of the present invention there is provided a fault tolerant suspension system for a vehicle, comprising: an input node for receiving an input signal; and at least three suspension nodes coupled to the input node, each suspension node being arranged to control at least one suspension actuator, each suspension node having control means arranged for processing the input signal to provide a second signal for controlling the at least one suspension actuator, and to provide a plurality of third signals to the at least two other control means, the third signals being expected second signal results of the at least two other control means, wherein each control means is arranged to compare the second signal with the third signals received from the at least two other control means such that errors detected between the second and third signals indicate faults in the at least three control means.
Preferably upon detection of a fault, each control means uses a voting scheme to determine which of the second and third signals is to be used as a fourth signal to control each of the brake actuators.
Each control means is also preferably arranged to transmit the fourth signal to the at least two other control means, in order to verify whether the voting scheme has been used correctly.
The at least three suspension nodes are preferably distributed in mutually remote locations the vehicle. Preferably the input signal is adapted such that it is transmitted to the at least three suspension nodes in a synchronous manner.
-1 The input signal is Preferably re-transmitted by each of the control means, for further fault detection. Preferably the at least three suspension nodes comprise four suspension nodes, each arranged to control one of four suspension actuators.
In this way a fault-tolerant suspension system is provided which is cost effective, with improved fault-tolerance and enhanced fault-detection.
According to a second aspect of the present invention there is provided a fault tolerant steering system for a vehicle, comprising:
an user operated input unit arranged to provide an input signal in response to operation thereof; and at least two control means, each of the at least two control means being coupled to the user operated input unit and to an associated steering actuator, each control means being arranged for processing the input signal to provide a second signal for controlling the associated steering actuator, and to provide a plurality of third signals to the at least one other control means, the third signals being expected second signal results of the at least one other control means; wherein each control means is arranged to compare the second signal with the third signals received from the at least one other control means such that errors detected between the second and third signals indicate faults in the at least two control means.
Preferably, the system comprises a third control means coupled to the other two control means and to the user input unit. Upon detection of a fault, each control means uses a voting scheme to determine which of the second and third signals is to be used as a fourth signal to control each of the two steering actuators. Each control means is also preferably arranged to transmit the fourth signal to the at least two other control means, in order to verify whether the voting scheme has been used correctly.
The at least two control means are preferably distributed in mutually remote locations the vehicle. Preferably the input signal is adapted such that it is transmitted to the at least two control means in a synchronous manner.
4- In this way a fault-tolerant steering system is provided which is cost effective, with improved fault-tolerance and enhanced fault-detection.
Brief Description of the Drawings
A fault-tolerant suspension system and a fault-tolerant steering system in accordance with the present invention will now be described, by way of example only, with reference to the accompanying drawings in which:
FIG. 1 shows a block schematic diagram of a fault-tolerant suspension system in accordance with the present invention; and FIG. 2 shows a block schematic diagram of a fault-tolerant steering system in accordance with the present invention.
Detailed Description
Referring to FIG. 1, there is shown a fault-tolerant suspension system 5 for a vehicle (not shown), including first, second, third, and fourth suspension nodes having electronic control units (ECUs) 10, 20, 30 and 40, which are distributed in mutually remote locations the vehicle. Each of the first, second, third, and fourth ECUs 10, 20, 30 and 40, are coupled to associated first, second, third and fourth suspension actuators 15, 25, 34, 45 respectively.
The first, second, third, and fourth ECUs 10, 20, 30 and 40 respectively are also each coupled to first and second buses 7 and 8 respectively. An input node provides an input signal to the first 10, second 20, third 30 and fourth ECUs via the first 7 and second 8 buses. Preferably, there are at least two input nodes, the first input node being coupled to an user operated input unit and a second input node being coupled to a sensor. Each of the ECUs 10, 20, 30 and 40 receives an input signal from the input unit 50 andlor an input signal from the sensor. In the embodiment shown in FIG. 1, there are five input nodes: the first input node being coupled to the input unit 50, and second, third, fourth and fifth input nodes being coupled to sensors 65, 70, 80 and 90 respectively. Each of the ECUs 10, 20, 30 and 40 receives an input signal from the input unit 50 and/or an input signal from one or all of the sensors 65, 70, 80, and 90.
The first and second buses 7 and 8 respectively are substantially identical and are both arranged to provide synchronous signals according to a Time Division Multiple Access scheme (TDMA) or similar scheme.
High level functions of current suspension systems may be integrated into the system 5 via a (high level) ECU 60 coupled to the buses 7 and 8, or by a gateway to an ECU (not shown).
The input unit 50, which is preferably a switch or switches, is arranged to provide user input signals to the system. For example, the user input signals may indicate whether a sports or a more comfortable suspension setting is required.
The sensors 65, 70, 80 and 90, which in the preferred embodiment are shown as being coupled to the first 7 and second 8 buses, are arranged to detect variations in the motion of the vehicle with respect to it's position and attitude to the surface upon which its is travelling. The sensors 65, 70, 80 and 90 provide signals to the ECUs 10, 20, 30 and 40 in dependence on the information detected by the sensors. The sensors 65, 70, 80 and 90 may be arranged to pre-process the information supplied to the ECUs.
Each of the first, second, third, and fourth ECUs 10, 20, 30, 40, can operate independently from the other ECUs if required, and are able to provide a processed result signal to the associated suspension actuator 15, 25, 35 or 45 in response to the signals received from the input unit 50 andlor sensors 65, 70, 80 and 90. In this way a basic suspension function is achieved, which is the minimum required for safe operation, not necessarily including higher level functions such as vehicle stability management. The provision of first and second buses 7 and 8 provides fault-tolerance in the case of a problem occurring therein.
In addition, each of the first, second, third, and fourth 10, 20, 30, 40, ECUs, performs a similar algorithm using the same signals received from the input unit 50 andlor the sensors 65, 70, 80 and 90, and provides the received signals and the result signals to the other ECUs. In this way each of the first, second, third, and fourth ECUs 10, 20, 30, 40, can detect incorrect "6" operation by comparing its received signals and result signals with those received signals and result signals received from the other ECUs.
As four ECUs are available to cheek the same signals, it is possible to not only detect that there is a problem somewhere in the system 5, but also to identify the faulty ECU. A faulty EM can therefore be identified, either by itself, or by the majority of the ECUs in the system 5 via a voting procedure, whereby the EM having the most different results compared to the other ECUs is considered to be faulty.
After a fault has been identified, appropriate action can be taken, such as logging the fault, running diagnostics, or resetting or disabling the node. If an EM is disabled due to a fault, the system 5 can be arranged such that the main suspension function will be re-distributed across the operating ECUs.
As each EM cheeks its operation against the other ECUs, faults can be detected that may be undetectable by using a simpler self-test type of checking in isolation. For example, an EM may exhibit a fault where it decodes the received signals from the input unit 50 incorrectly, but the decoded value is still within the allowed range. The EM would pass a self-test, and act on the faulty data if no other tests were performed, but with the described checking against other ECUs, the incorrect data would be detected.
As each EM regularly re-transmits their received signals, the system 5 is able to survive faults that would otherwise cause it to be partially disabled. For example, if the first EM 10 cannot access the signals from the input unit 50 andlor sensors 65, 70, 80 and 90 directly due to a communications fault, it can use the electronic signals passed via the second, third or fourth ECUs 20, 30 and 40 respectively.
An advantage gained from this layout is that identical signals from the input unit 50 andlor sensors 65, 70, 80 and 90 are available to all parts of the system 5 at the same time. This simplifies the error-detection task, as when correctly operating, all ECUs can perform identical operations on identical signals, and any differences indicate a fault.
It will be appreciated that alternative embodiments to the one described above are possible. For example, a single rear suspension ECU could be used to replace the third and fourth ECUs 30 and 40, whereby the single rear suspension ECU would be coupled to the third and fourth suspension 5 actuators 35 and 45 respectively.
Referring now to FIG. 2, there is shown a fault-tolerant steering system 105 for a vehicle (not shown), including first, and second steering nodes having electronic control units (ECUs) 120, and 130, which are distributed in mutually remote locations the vehicle. Each of the first 120 and second 130 ECUs are coupled to associated first, and second steering actuators 125 and 135, respectively. Each steering actuator is arranged such that either can carry out the required actuation for the whole system in the event that the other fails.
The first 120 and second 130 ECUs are also each coupled to first and second buses 107 and 108, respectively. An user operated input unit 115 provides an input signal to the first 120, and second 130 ECUs via the first 107 and second 108 buses. The user operated input unit 115 preferably comprises a sensor 115, shown in FIG. 2 as a steering wheel sensor. Each of the ECUs 120, and 130 receives an input signal from the input unit 115.
The first and second buses 107 and 108 respectively are substantially identical and are both arranged to provide synchronous signals according to a Time Division Multiple Access scheme (TDMA) or similar.
High level fliddions of current steering systems may be integrated into the system 5 via a (high level) ECU 140 coupled to the buses 107 and 108, or by a gateway to an ECU (not shown).
The first 120 and second 130 ECUs can operate independently from each other if required, and are each able to provide a processed result signal to the associated steering actuator 125 and 135 in response to the input signals received from the input unit 115. In this way a basic steering function is achieved, which is the minimum required for safe operation, not necessarily including higher level functions such as vehicle stability management. The provision of first and second buses 107 and 108 provides fault-tolerance in the case of a problem occurring therein.
In addition, each of the first 120 and second 130 EM performs a similar algorithm using the same input signal received from the input unit 115, and provides the input and the result signals to the other ECU. In this way each of the first 120 and second 130 ECUs can detect incorrect operation by comparing its received input signals and result signals with the input and result signals received from the other ECU.
In the preferred embodiment, a third additional EM 110 is coupled between the input unit 115 and the first 107 and second buses 108. The third EM operates in a similar way to that of the first 120 and second 130 ECUs in that it performs a similar algorithm using the same input signal received from the input unit 115 to generate a result signal, and provides the input and the result signals to the other ECUs. In this way each of the first 120, second 130 and third 110 ECUs can detect incorrect operation by comparing its received input signals and result signals with the input and result signals received from the other ECU.
The third ECU 110 is arranged in such a way such that if it is faulty, the input signal from the input unit 115 can still be transmitted to the first 120 and second 130 ECUs.
In the preferred embodiment, as three ECUs are available to cheek the same signals, it is possible to not only detect that there is a problem somewhere in the system 105, but also to identify the faulty ECU. A faulty ECU can therefore be identified, either by itself, or by the majority of the ECUs in the system 105 via a voting procedure, whereby the EM having the most different results compared to the other ECUs is considered to be faulty.
After a fault has been identified, appropriate action can be taken, such as logging the fault, running diagnostics, or resetting or disabling the node. If an ECU is disabled due to a fault, the system 105 can be arranged such that the main steering function will be re-distributed across the operating ECUs.
"9 As each EM cheeks its operation against the other ECUs, faults can be detected that may be undetectable by using a simpler self-test type of checking in isolation. For example, an ECU may exhibit a fault where it decodes the input signals from the input unit 115 incorrectly, but the decoded value is still within the allowed range. The ECU would pass a self-test, and act on the faulty data if no other tests were performed, but with the described checking against other ECUs, the incorrect data would be detected.
An advantage gained from this layout is that identical signals from the input unit 115 are available to all parts of the system 105 at the same time. This simplifies the error-detection task, as when correctly operating, all ECUs can perform identical operations on identical signals, and any differences indicate a fault.
It will be appreciated that alternative embodiments to the one described above are possible.

Claims (17)

Claims
1. A fault tolerant suspension system for a vehicle, comprising:
an input node for receiving an input signal; and at least three suspension nodes coupled to the input node, each suspension node being arranged to control at least one suspension actuator, each suspension node having control means arranged for processing the input signal to provide a second signal for controlling the at least one suspension actuator, and to provide a plurality of third signals to the at least two other control means, the third signals being expected second signal results of the at least two other control means, wherein each control means is arranged to compare the second signal with the third signals received from the at least two other control means such that errors detected between the second and third signals indicate faults in the at least three control means.
2. The system of claim 1 wherein upon detection of a fault, each control means uses a voting scheme to determine which of the second and third signals is to be used as a fourth signal to control each of the suspension actuators.
3. The system of claim 2 wherein each control means is also arranged to transmit the fourth signal to the at least two other control means, in order to verify whether the voting scheme has been used correctly.
4. The system of any preceding claim wherein the at least three suspension nodes are distributed in mutually remote locations the vehicle.
5. The system of any preceding claim wherein the input signal is adapted such that it is transmitted to the at least three suspension nodes in a synchronous manner.
6. The system of any preceding claim wherein the input signal is retransmitted by each of the control means, for further fault detection.
7. The system of any preceding claim wherein the at least three suspension nodes comprise four suspension nodes, each arranged to control one of four suspension actuators.
8. The system of any preceding claim further comprising first and second input nodes, the first input node for receiving an input signal from an user operated input unit and the second input node for receiving an input signal from a sensor, wherein the control means of each suspension node is arranged to process the input signals received at the first and the second input nodes to provide the second signal.
9. The system of claim 8 further comprising third, fourth and fifth input nodes, the third, fourth and fifth input nodes for receiving input signals from second, third and fourth sensors respectively, the sensors being arranged to detect changes in motion of the vehicle, and wherein the control means of each suspension node is arranged to process the input signals received at the first, second, third, fourth and fifth input nodes to provide the second signal.
10. A fault-tolerant suspension system substantially as hereinbefore described and with reference to FIG. 1 of the accompanying drawings.
11. A fault tolerant steering system for a vehicle, comprising:
a user operated input unit arranged to provide an input signal in response to operation thereof; and at least two control means, each of the at least two control means being coupled to the user operated input unit and to an associated steering actuator, each control means being arranged for processing the input signal to provide a second signal for controlling the associated steering actuator, and to provide a plurality of third signals to the at least one other control means, the third signals being expected second signal results of the at least one other control means; wherein each control means is arranged to compare the second signal with the third signals received from the at least one other control means such that errors detected between the second and third signals indicate faults in the at least two control means.
12. The system of claim 11 comprising three control means, a first control means being coupled to a first steering actuator, a second control means being coupled to a second steering actuator and a third control means being coupled to the first and second control means and the user operated input unit, wherein upon detection of a fault, each of the control means uses a voting scheme to determine which of the second and third signals is to be used as a fourth signal to control each of the first and second steering actuators.
13. The system of claim 12 wherein each control means is also arranged to transmit the fourth signal to the at least two other control means, in order to verify whether the voting scheme has been used correctly.
14. The system of any preceding claim wherein the at least two control means are distributed in mutually remote locations the vehicle.
15. The system of any preceding claim wherein the input signal is adapted such that it is transmitted to the at least two control means in a synchronous manner.
16. The system of any preceding claim wherein the input signal is retransmitted by each of the control means, for further fault detection.
17. A fault-tolerant steering system substantially as hereinbefore described and with reference to FIG. 2 of the accompanying drawings.
GB9930121A 1999-12-21 1999-12-21 Fault-tolerant suspension system and fault-tolerant steering system Expired - Fee Related GB2357594B (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
GB9930121A GB2357594B (en) 1999-12-21 1999-12-21 Fault-tolerant suspension system and fault-tolerant steering system
PCT/EP2000/013345 WO2001045982A2 (en) 1999-12-21 2000-12-21 Fault-tolerant system
AT00987475T ATE355998T1 (en) 1999-12-21 2000-12-21 FAULT TOLERANT SYSTEM
DE60033853T DE60033853T2 (en) 1999-12-21 2000-12-21 ERROR TOLERANT SYSTEM
EP00987475A EP1276637B1 (en) 1999-12-21 2000-12-21 Fault-tolerant system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB9930121A GB2357594B (en) 1999-12-21 1999-12-21 Fault-tolerant suspension system and fault-tolerant steering system

Publications (3)

Publication Number Publication Date
GB9930121D0 GB9930121D0 (en) 2000-02-09
GB2357594A true GB2357594A (en) 2001-06-27
GB2357594B GB2357594B (en) 2002-03-13

Family

ID=10866687

Family Applications (1)

Application Number Title Priority Date Filing Date
GB9930121A Expired - Fee Related GB2357594B (en) 1999-12-21 1999-12-21 Fault-tolerant suspension system and fault-tolerant steering system

Country Status (1)

Country Link
GB (1) GB2357594B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2377024A (en) * 2001-06-29 2002-12-31 Motorola Inc Fault tolerant measurment data outputting system

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5107425A (en) * 1988-07-26 1992-04-21 Bayerische Motoren Werke Ag Control system for control devices of a motor vehicle

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5107425A (en) * 1988-07-26 1992-04-21 Bayerische Motoren Werke Ag Control system for control devices of a motor vehicle

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2377024A (en) * 2001-06-29 2002-12-31 Motorola Inc Fault tolerant measurment data outputting system

Also Published As

Publication number Publication date
GB2357594B (en) 2002-03-13
GB9930121D0 (en) 2000-02-09

Similar Documents

Publication Publication Date Title
EP1105306B8 (en) Fault-tolerant electronic braking system
US6201997B1 (en) Microprocessor system for safety-critical control systems
JP3965410B2 (en) Redundant vehicle control device
US7289889B2 (en) Vehicle control system and method
US7474015B2 (en) Method and supply line structure for transmitting data between electrical automotive components
US5895434A (en) Microprocessor arrangement for a vehicle control system
KR100947791B1 (en) Multi-core redundant control computer system, computer network for applications that are critical with regard to safety in motor vehicles, and use thereof
Heiner et al. Time-triggered architecture for safety-related distributed real-time systems in transportation systems
US20090044041A1 (en) Redundant Data Bus System
US6029108A (en) Brake device for vehicles
JP2010254298A (en) Electrically-controlled brake system
US20050225165A1 (en) Brake by-wire control system
CN113015666A (en) Control architecture for a vehicle
US7337020B2 (en) Open-loop and closed-loop control unit
Hammett et al. Achieving 10⁻ ⁹ Dependability with Drive-by-Wire Systems
EP1276637B1 (en) Fault-tolerant system
GB2357594A (en) Fault tolerant suspension system and fault tolerant steering system
US20220371565A1 (en) Switching device for a brake system for a vehicle, brake system with a switching device and method for operating a switching device
CN112739578B (en) Auxiliary power supply and method for providing auxiliary power
Zhang Vehicle health monitoring for AVCS malfunction management
GB2358715A (en) Fault-tolerant electronic combustion cylinder valve control system
GB2348782A (en) A fault location system and method
Paul Steer wireless
Ooka et al. Development of automatic driving system on rough road-fault tolerant structure for electronic controller
Guldner et al. Comparison of redundancy structures for safety relevant automotive control systems

Legal Events

Date Code Title Description
PCNP Patent ceased through non-payment of renewal fee

Effective date: 20071221