GB2594530A - An automobile control system - Google Patents

An automobile control system Download PDF

Info

Publication number
GB2594530A
GB2594530A GB2008727.6A GB202008727A GB2594530A GB 2594530 A GB2594530 A GB 2594530A GB 202008727 A GB202008727 A GB 202008727A GB 2594530 A GB2594530 A GB 2594530A
Authority
GB
United Kingdom
Prior art keywords
safety critical
function
core
critical function
control system
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
GB2008727.6A
Other versions
GB202008727D0 (en
GB2594530B (en
Inventor
Lalwani Vishal
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ineos Automotive Ltd
Original Assignee
Ineos Automotive Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ineos Automotive Ltd filed Critical Ineos Automotive Ltd
Priority to GB2008727.6A priority Critical patent/GB2594530B/en
Publication of GB202008727D0 publication Critical patent/GB202008727D0/en
Priority to EP21734904.2A priority patent/EP4162155A2/en
Priority to CN202180046845.2A priority patent/CN115917138A/en
Priority to US18/009,190 priority patent/US20230256978A1/en
Priority to PCT/GB2021/051433 priority patent/WO2021250403A2/en
Publication of GB2594530A publication Critical patent/GB2594530A/en
Application granted granted Critical
Publication of GB2594530B publication Critical patent/GB2594530B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W50/00Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
    • B60W50/0098Details of control systems ensuring comfort, safety or stability not otherwise provided for
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W50/00Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
    • B60W50/02Ensuring safety in case of control system failures, e.g. by diagnosing, circumventing or fixing failures
    • B60W50/023Avoiding failures by using redundant parts
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W50/00Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
    • B60W50/06Improving the dynamic response of the control system, e.g. improving the speed of regulation or avoiding hunting or overshoot
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W50/00Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
    • B60W50/08Interaction between the driver and the control system
    • B60W50/14Means for informing the driver, warning the driver or prompting a driver intervention
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46Multiprogramming arrangements
    • G06F9/50Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5005Allocation of resources, e.g. of the central processing unit [CPU] to service a request
    • G06F9/5027Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resource being a machine, e.g. CPUs, Servers, Terminals
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W50/00Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
    • B60W2050/0001Details of the control system
    • B60W2050/0002Automatic control, details of type of controller or control system architecture
    • B60W2050/0004In digital systems, e.g. discrete-time systems involving sampling
    • B60W2050/0005Processor details or data handling, e.g. memory registers or chip architecture
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W50/00Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
    • B60W2050/0001Details of the control system
    • B60W2050/0002Automatic control, details of type of controller or control system architecture
    • B60W2050/0004In digital systems, e.g. discrete-time systems involving sampling
    • B60W2050/0006Digital architecture hierarchy

Abstract

The disclosure relates to an automobile control system 202 and associated automobile, method and computer program. The automobile control system comprises: a multi-core processor 204 comprising a plurality of cores 206, 208, wherein: at least one core 206 of the plurality of cores is pre-allocated for use with at least one safety critical function 214 of an automobile, the at least one safety critical function configured to comply with an automotive safety integrity level, ASIL; at least one other core 208 of the of the plurality of cores is pre-allocated for use with at least one non-safety critical function 216 of the automobile, and the multi-core processor is configured to route a request from the at least one safety critical function to the at least one core that is pre-allocated for use with the at least one safety critical function.

Description

AN AUTOMOBILE CONTROL SYSTEM
The present disclosure relates to at least one of an automobile control system, an automobile comprising the automobile control system, a method and a computer program. In particular, the present disclosure relates to an automobile control system comprising a multi-core processor.
SUMMARY
According to a first aspect of the present disclosure, there is provided an automobile control system comprising: a multi-core processor comprising a plurality of cores, wherein: at least one core of the plurality of cores is pre-allocated for use with at least one safety critical function of an automobile, the at least one safety critical function configured to comply with an automotive safety integrity level, ASIL, at least one other core of the of the plurality of cores is pre-allocated for use with at least one non-safety critical function of the automobile, and the multi-core processor is configured to route a request from the at least one safety critical function to the at least one core that is pre-allocated for use with the at least one safety critical function.
Such an automobile control system can advantageously ensure that the multi-core processor has sufficient resource to service the at least one safety critical function in a quick and efficient manner.
In one or more embodiments the request may comprise a request identifier identifying the at least one safety critical function. The multi-core processor may be configured to route the request based on the request identifier.
In one or more embodiments the multi-core processor may be configured to determine which of the plurality of cores to route the request to by accessing a look-up table using the request identifier.
In one or more embodiments the multi-core processor may be configured to route a request from the at least one non-safety critical function to the at least one other core.
In one or more embodiments the multi-core processor may be configured to preclude routing of a request from the at least one non-safety critical function to the at least one core that is pre-allocated for use with the at least one safety critical function.
In one or more embodiments the ASIL of the function may be one of A, B, C or D as defined under ISO 26262.
In one or more embodiments each core of the multi-core processor may be physically distinct from each other core.
In one or more embodiments the at least one safety critical function may be selected from the group comprising: an airbag function, a brake function, an engine temperature warning function, a tyre pressure monitor, an engine warning function, a battery warning function, an oil level monitor, a coolant level monitor, an electronic stability control function, and an emergency telephony function.
In one or more embodiments the at least one non-safety critical function may be selected from the group comprising: a multi-media function, an AM/FM radio, a digital radio, a global navigation satellite receiver, a wireless router, an audio function, a body control module, a rear view camera and a USB hub.
In one or more embodiments the at least one core may be configured to receive an operating state of the at least one safety critical function, and provide an indication of, or calculation based on, the safety critical function. The at least one other core may be configured to: receive an operating state of the at least one non-safety critical function, and provide an indication of, or calculation based on, the non-safety critical function.
In one or more embodiments the at least one core and the at least one other core may be configured to provide the indication of the safety critical function operating state and the indication of the non-safety critical function operating state for display on at least one display.
In one or more embodiments the at least one display may comprise a first display and a second display. The first display may be configured to display the indication of the at least one safety critical function. The second display may be configured to display the indication of the at least one non-safety critical function, and / or the indication of the at least one safety critical function.
In one or more embodiments the multi-core processor may be configured to process requests from the at least one safety critical function and the at least one non-safety critical function simultaneously.
In one or more embodiments the multi-core processor may comprise at least two cores pre-allocated for use with the at least one safety critical function.
In one or more embodiments the multi-core processor may be configured to route the request from the at least one safety critical function to a core of the at least two cores based on processor availability.
In one or more embodiments the multi-core processor may comprise at least two cores pre-allocated for use with the at least one non-safety critical function.
In one or more embodiments the automobile control system may comprise a system configured to call the at least one safety critical function, and / or the at least one non-safety critical function.
According to a further aspect of the present disclosure, there is provided an automobile comprising any automobile control system disclosed herein.
According to a further aspect of the present disclosure, there is provided a method of configuring an automobile control system comprising a multi-core processor, the multi-core processor comprising a plurality of cores, the method comprising: receiving a request from a function; and routing the request to a pre-allocated core of the plurality of cores based on whether the request is from a function that is either: (i) a safety critical function of an automobile, or (ii) a non-safety critical function of the automobile, wherein the safety critical function is configured to comply with an automotive safety integrity level, ASIL.
There may be provided a computer program, which when run on a computer, causes the computer to configure any apparatus, including a circuit, controller, converter, or device disclosed herein or perform any method disclosed herein. The computer program may be a software implementation, and the computer may be considered as any appropriate hardware, including a digital signal processor, a Field Programmable Gate Array, a graphics process unit, a microcontroller, and an implementation in read only memory (ROM), erasable programmable read only memory (EPROM) or electronically erasable programmable read only memory (EEPROM), as non-limiting examples. The software may be an assembly program.
The computer program may be provided on a computer readable medium, which may be a physical computer readable medium such as a disc or a memory device, or may be embodied as a transient signal. Such a transient signal may be a network download, including an internet download. There may be provided one or more non-transitory computer-readable storage media storing computer-executable instructions that, when executed by a computing system, causes the computing system to perform any method disclosed herein.
BRIEF DESCRIPTION OF THE DRAWINGS
One or more embodiments will now be described by way of example only with reference to the accompanying drawings in which: Figure 1 shows an example automobile comprising an automobile control system; Figure 2 shows an example schematic of an automobile control system; Figure 3 shows an example method of the present disclosure; Figure 4 shows a further example schematic of an automobile control system; Figure 5 shows a further example schematic of an automobile control system; Figure 6 shows a further example schematic of an automobile control system; and Figure 7 shows a further example method of the present disclosure.
DESCRIPTION
Figure 1 shows an example automobile 100 comprising an automobile control system 102. The automobile control system 102 comprises a processor and can also comprise at least one safety critical function and at least one non-safety critical function (not shown) of the automobile 100. The processor may be configured for use with the at least one safety critical function and the at least one non-safety critical function.
Throughout the present disclosure, a function may be understood as being 'safety critical' if it is vital to the safe operation of the automobile 100. Safe operation may be determined from one or more standpoints: users of the automobile 100, other road users, pedestrians, regulators etc., and may be characterised by factors including compliance with one or more safety ratings, reliability and robustness. Examples of safety critical functions and non-safety critical functions are described later in the present disclosure.
Ensuring safe operation of the automobile 100, for example, also necessitates the automobile control system 102 being safe and reliable. This is because the automobile control system 102 is configured for use with (e.g., to control, handle, serve or otherwise respond to) the at least one safety critical function and the at least one non-safety critical function of the automobile 100. Depending on its architecture, any faults that occur on the automobile control system 102 may cause the at least one safety critical function to function sub-optimally, in particular if the fault corrupts the at least one safety critical function, or results in a processor of the automobile control system 102 not having sufficient resource to service the safety critical function quickly enough.
It has been unexpectedly found that a single multi-core processor can be used to serve both safety critical and non-safety critical functions. Furthermore, such a single multi-core processor can be compliant with the stringent safety requirements of the automotive industry, whereas there has been no teaching or expectation that combining the processing resource for such functions into a multi-core processor could
be acceptable.
An objective of one or more embodiments disclosed herein is to provide an automobile control system with improved reliability in respect of any safety critical function(s) that it controls and / or one that is relatively simple to implement.
Figure 2 shows an example schematic of an automobile control system 202. The automobile control system 202 comprises a multi-core processor 204 comprising a plurality of cores 206, 208. Also shown in Figure 2 is a routing layer 210 and a lookup table (LUT) 212 in communication with the multi-core processor 204. The routing layer 210 represents a functional configuration of the multi-core processor 210, details of which are provided below.
In some examples a database may be provided as an alternative to the LUT 212. Whereas the LUT 212 is illustrated in Figure 2 as external to the automobile control system 202, in some examples the LUT 212 (or a database) may be provided on a memory (not shown) of the automobile control system 202.
Each core of the plurality of cores 206, 208 may be a physical core provided as a separate processing unit on the die of the multi-core processor 204. In this way, each core may be considered distinct, irrespective of whether the plurality of cores 206, 208 are identical (or near-identical) from a fabrication standpoint.
In the example of Figure 2, the automobile control system 202 also comprises at least one safety critical function 214 and at least one non-safety critical function 216. The at least one safety critical function 214 is configured to comply with an automotive safety level (ASIL).
Such safety critical and non-safety critical functions may be provided by hardware, software or a combination of hardware and software. In some examples a system (provided as hardware) of the automobile may be configured to call or perform a function. Therefore, a function can be understood as having a corresponding system (e.g., a multimedia system for a multimedia function), to the extent that the corresponding system can call the function. In some examples the at least one safety critical function 214 and the at least one non-safety critical function 216 may be provided by the same system, and / or be provided by separate systems. Such systems may or may not be considered as separate from the automobile control system 202.
At least one core 206 of the plurality of cores 206, 208 -highlighted in Figure 2 by the dotted pattern -is pre-allocated for use with the at least one safety critical function 214. The multi-core processor 204 is configured such that a request from the at least one safety critical function 214 is routed to the least one core 206 that is pre-allocated for use with the at least one safety critical function 214.
At least one other core 208 of the plurality of cores 206, 208 -shown in Figure 2 without any pattern -is pre-allocated for use with the at least one non-safety critical function 216. The multi-core processor 204 may be configured such that a request from the at least one non-safety critical function 216 is routed to the least one other core 208 based on the pre-allocation of the at least one other core 208.
In some examples the multi-core processor 204 may be configured to preclude routing of a request from the at least one non-safety critical function 216 to the at least one core 206 (that is pre-allocated for use with the at least one safety critical function 214). Similarly, the multi-core processor 204 may be configured to preclude routing of a request from the at least one safety critical function 214 to the at least one other core 208 (that is pre-allocated for use with the at least one non-safety critical function 216). In this way the multi-core processor may provide for exclusive processing of requests: the at least one core 206 only handles requests from the at least one safety critical function 214, and the at least one other core 208 only handles requests from the at least one non-safety critical function 216.
The routing layer 210 in this example is configured to receive requests from the safety and non-safety critical functions 214, 216 and, for each request, determine an appropriate core 206, 208 for handling the request. In this way, the routing layer 210 can ensure that the correctly pre-allocated cores 206, 208 are used to service the safety and non-safety critical functions 214, 216. To this end, each request can comprise a request identifier that identifies the sender of the request (e.g., the at least one safety critical function 214). The request identifier corresponds to one of the cores 206, 208 of the multi-core processor 204, such that a core is pre-assigned to the request identifier. The routing layer 210 can check the request identifier of a received request in order to determine to which of the cores 206, 208 to route the request. In this way, the multi-core processor 204 can route the request based on the request identifier.
To determine the correspondence between a request identifier and a core, the routing layer 210 may access information contained in a look-up table, such as the LUT 212, or a database. That is, the multi-core processor can determine which of the plurality of cores 206, 208 to route the request to by accessing the look-up table 212 using the request identifier.
Accordingly, the routing layer 210 enables requests from the at least one safety critical function 214 and the at least one non-safety critical function 216 to be serviced by the correctly pre-allocated core 206, 208 of the multi-core processor 204.
As set out above, the at least one core 206 and the at least one other core 208 are pre-allocated for particular, in some cases dedicated, uses. In combination with the routing layer 210 competition between the processing of requests from safety and non-safety critical functions may thus be avoided. Furthermore, if a fault develops on one core (e.g., the core pre-allocated for non-safety critical function use), operations performed by the other core (that is pre-allocated for safety critical function use) will not be affected. Further advantages will become apparent from the following discussion of the safety considerations of the present disclosure.
In the example of Figure 2 the at least one safety critical function 214 is configured to comply with an ASIL. For the purposes of the present disclosure, ASIL compliance can be a characteristic of the at least one safety critical function 214 and not necessarily its implementing hardware.
In general terms, ASIL compliance may comprise satisfying a safety rating (e.g., mean time to failure) against the risks(s) and hazard(s) associated with the ASIL. As such the ASIL may be a specific ASIL; for example, one of A, B, C or D as defined under ISO 26262. In some examples the at least one non-safety critical function 216 does not comply with a specific ASIL.
Accordingly, routing a request from a safety critical function to a specific core can enable a request to be processed in a quick and efficient manner. Consider an example where the multi-core processor receives two processing requests: one from the non-safety critical function 216 (e.g., a request to access media); and another from the safety critical function 214 (e.g., a request to deploy an airbag). In the example of Figure 2, the processing for the safety critical function is 214 handed by the core 206 that is pre-allocated for use with at least one safety critical function. Similarly, the processing for the non-safety critical function 216 is handed by the other core 208 (which is pre-allocated for use with at least one non-safety critical function). In this way, the processing resource that is required by the non-safety critical function 216 does not negatively impact the ability of the multi-core processor 204 from being able to service the safety critical function 214. This can enable safety critical functions 214 that are time critical, such as a request to deploy an airbag, to be serviced by the multi-core processor 204 in such a way that the associated ASIL rating remains satisfied.
The at least one safety critical function may be selected from (or otherwise correspond to) the group at least consisting of but not limited to: an airbag function, a brake function, an engine temperature warning function, a tyre pressure monitor, an engine warning function, a battery warning function, an oil level monitor, a coolant level monitor, an electronic stability control function, an advanced driver assistance system (ADAS) video processing function and an emergency telephony function. The at least one non-safety critical function may be selected from (or otherwise correspond to) the group consisting of but not limited to: a multi-media function, an AM/FM radio, a digital radio, a global navigation satellite receiver, a wireless router, an audio function, a body control module, a rear view camera, a clock and a USB hub. The skilled person will appreciate that comparable advantages to the airbag example provided above can be realised for other types of safety critical function.
Use of the multi-core processor 204 can advantageously avoid the need for a plurality of separate processors. Use of such a plurality of separate processors may result in an unduly complex automobile control system architecture. Use of a multi-core processor 204 with both safety and non-safety critical functions can represent a relatively uncomplicated solution, which surprisingly can meet one or more safety requirements set by automotive industry regulators.
By way of comparison, an automobile control system comprising a single core processor would, if a fault developed on the core, affect both the non-safety critical and the safety critical functions. Also, a safety critical function may be denied processing resource until a non-safety critical function has been completed. Such scenarios may be unacceptable from a safety standpoint.
One or more embodiments of automobile control systems as set out in the present disclosure may therefore offer an improvement over other automobile control systems by reducing the effects of core failure within function sets of an automobile. In addition, such one or more embodiments can offer consolidated processing of signals on a single processor, and may also - - allow for multiple dedicated cores for different automobile functions, mitigating (from a safety standpoint) risks associated with using one processor core for all automobile functions; - facilitate resource management (load distribution) between and within core sets, an aspect of the disclosure that is discussed in detail below; - allow for the pre-allocation of cores to be tailored to the ASIL compliance of safety-critical functions; and / or facilitate automobile control system operation using a dedicated instruction set (exemplified here by the routing layer) for a multi-core processor.
In some examples, the multi-core processor 204 may be configured to process requests from the at least one safety critical function 214 and the at least one non-safety critical function 216 simultaneously via the plurality of cores 206, 208. In other words, the multi-core processor 204 can provide processing power for both the at least one safety critical function 214 and the at least one non-safety critical function 216 at the same time, without having to alternate between providing processing power to one of the types of function before it can provide processing power to the other type of function.
The at least one core 206 may be configured to receive an operating state of the at least one safety function 214 and provide an indication of the operating state for display to a user of the automobile. The at least one other core 208 may be configured in a similar manner in respect of the at least one non-safety function 216. Additionally, or alternatively, the cores 206, 208 may provide the indications for aural and / or haptic presentation to a user of the automobile. These indications may facilitate user awareness of the operational states of the functions served by the automobile control system, and / or user operation of the automobile. Examples of such indications include a low brake fluid level indicator, an engine temperature warning indicator (e.g. because the temperature falls outside of a normal operating range) and a flat battery indicator.
In the same or other examples, a core may be configured to perform a calculation based on an operating state. Based on the calculation, the core may provide an instruction for another function or system of the automobile. For example, based on an operating state of a safety critical function (e.g., an engine temperature warning function), the at least one core pre-allocated for use with the safety critical function may calculate a risk rating. If the risk rating is above a threshold, the core may generate and send an instruction to an engine control unit in order to mitigate the risk.
To allow for the display of operating state indications as set out above, each core may be configured to provide their respective indication(s) for display on one or more displays, as set out later in the present disclosure.
Figure 3 shows an example method 320 of the present disclosure, which can correspond to the functionality of the routing layer that is described with respect to Figure 2.
The method comprises receiving 322 a request from a function of the automobile control system. As set out above, the request can include a request identifier that is representative of the function that generated the request. The method continues by checking 324 the request identifier. Again, as set out above, the step of checking 324 may comprise looking up the request identifier in a look-up table or database to determine a core identifier that is associated with the received request identifier.
Step 326 is shown schematically as determining, based on the request identifier, whether or not the request is from a safety critical function. Then at step 328, if it is determined that the request is from a safety critical function, the method involves routing the request to at least one core pre-allocated for use with the safety-critical function. Alternatively, at step 330, if it is determined that the request is not from a safety critical function, the method involves routing the request to at least one core pre-allocated for use with a non-safety critical function. It will be appreciated that the functionality of steps 326, 328 and 330 may be implemented by the method simply routing the request to the core that has the core identifier that is returned from the LUT at step 324. In this way, the determination of whether or not the request is from a safety critical function is implicitly embodied by the specific core identifier that is returned from the LUT as being associated with the request identifier.
Advantages arising from this method can be understood with reference to the examples provided in relation to Figure 2.
Figure 4 shows a further example of an automobile control system 402. The automobile control system 402 of Figure 4 is similar to the automobile control system shown in Figure 2 in that it comprises a multi-core processor 404 comprising a plurality of cores 406, 408, a routing layer 410, a LUT 412, at least one safety critical function 414 and at least one non-safety critical function 416. A difference is that the multi-core processor 404 comprises two cores 406, 440 pre-allocated for use with the at least one safety critical function 414 and two cores 408, 442 pre-allocated for use with the at least one non-safety critical function 416. Hence, in this example, the multi-core processor 404 is a quad-core processor.
In examples where two or more cores are pre-allocated for a particular use, these cores may be described as belonging to an identifiable core set. To this end, a core set may be identified using a core set identifier.
For example, two cores 406, 440 pre-allocated for use with at least one safety critical function 414 may be described as belonging to a core set with the core set identifier 'safety critical'. Similarly, two cores 408, 442 pre-allocated for use with at least one non-safety critical function 416 may be described as belonging to a core set with the core set identifier 'non-safety critical'. The skilled person will understand that these identifiers are merely exemplary and that alternatives (including alternative formats) can also be used.
Core set identifiers may be stored alongside, or instead of, request identifiers in the LUT 412. The routing layer 410 may be configured to determine a core set identifier that corresponds to a given request identifier by accessing the LUT. From this, the routing layer 410 may identify a core set that is pre-allocated for receiving the request.
The routing layer 410 may then determine a specific core within the core set for handling the request routing using any technique that is known in the art.
Using core sets (comprising a plurality of cores that are pre-allocated for the same type of function) may advantageously facilitate efficient processor load management on a multi-core processor. Consider as one example a routing layer 410 that receives several safety critical functions simultaneously. If these requests were routed to a single processor (or a single core) configured for use with the safety critical functions, then the available processing power may be insufficient to meet the required demand. As such, a bottleneck may form that limits the ability of the multi-core processor to process safety critical requests expediently. This may risk automobile and / or user safety if these safety critical functions are time critical.
Instead, by initially routing a request to a core set that is pre-allocated for servicing a safety critical function, the selection of a specific core that is available to process a request can be facilitated. In this way, processing bottlenecks may be avoided or reduced by sharing the processing load between multiple cores that are pre-allocated for a particular use (e.g., for use with safety critical functions). Furthermore, if a fault develops on one core within a core set, the remaining cores may continue to process requests (e.g., in a backup capacity).
In the example of Figure 4 the multi-core processor is shown with four cores: two pre-allocated for use with safety critical functions and two pre-allocated for use with non-safety critical functions. In other examples, the multi-core processor 404 may comprise at least four cores, optionally six, pre-allocated for use with the at least one non-safety critical function 412 (i.e., the processor may be an octo-core processor with a 4/4 or 6/2 split between cores pre-allocated for non-safety and safety critical functions respectively). In this way, the number of cores of the multi-core processor 404 pre-allocated for use with either the at least one safety critical function 414 or the at least one non-safety critical function 416 may be chosen based on the number of safety critical and non-safety critical functions and their respective processing requirements.
Figure 5 shows a further example of an automobile control system 502. While the automobile control system 502 of Figure 5 is similar to the automobile control system shown in Figure 4, a difference is that the automobile control system 502 comprises at least one display 544, which may be selected from the group consisting of an analogue readout, a digital readout, a telltale strip, a screen, and a heads-up display. In other examples, the at least one display may be considered as separate to the automobile control system.
The at least one display 544 is configured to display the indication of the safety critical function operating state (e.g., displaying a warning sign) and the indication of the non-safety critical function operating state (e.g., displaying a text message). These indications may be displayed in the same or different areas of a single display, or on different displays.
In some examples, the automobile control system 502 may comprise a first display and a second display. In such examples, the first display can be configured to display the indication of the safety critical function operating state. The second display can be configured to display the indication of the safety critical and / or non-safety critical function operating state. Alternatively, or in addition, a given indication may be shared, duplicated or replicated across each display.
Each display of the first and second displays may be of the same type or of a different type. For example, the first display may be an analogue readout and the second display may be a screen. Both displays, however, are controlled by the same processor (i.e., the multi-core processor 504).
Figure 6 shows a further example schematic of an automobile control system 602. The automobile control system 602 comprises a multi-core processor ('Head Unit') 604, at least one safety critical function 614 ('eCall SOS'), at least one non-safety critical function 616 CAM/FM Antenna'), a first display 644 ('Telltale LED strip' -shown here as a non-limiting example of the display of the automobile control system of Figure 5) and a second display 646 ('IPC/Media-Display'). Figure 6 includes various features that can be provided with one or more of the other examples disclosed herein. It will be appreciated that the features of Figure 6 can be provided independently of other features of Figure 6 with which they are not inextricably linked.
The first display 644 is configured to display indications 648a,b of safety critical function operating states. The second display 646 is configured to display an indication 648c of the operating state of the at least one non-safety critical function 616 and, in this example, also an indication 648d of the at least one safety critical function 614.
Figure 7 shows an example method 760 of the present disclosure. The method is for an automobile control system, which comprises a multi-core processor. The multi-core processor includes a plurality of cores.
The method comprises receiving 762 a request from a function, and routing 764 the request to a pre-allocated core of the plurality of cores based on whether the request is from a function that is either: a safety critical function of an automobile, or a non-safety critical function of the automobile. As discussed above, the at least one safety critical function is configured to comply with an automotive safety integrity level, ASIL. Advantages of this method are discussed in detail above with reference to Figure 2 in particular.

Claims (16)

  1. CLAIMS1. An automobile control system comprising: a multi-core processor comprising a plurality of cores, wherein: at least one core of the plurality of cores is pre-allocated for use with at least one safety critical function of an automobile, the at least one safety critical function configured to comply with an automotive safety integrity level, ASIL, at least one other core of the of the plurality of cores is pre-allocated for use with at least one non-safety critical function of the automobile, and the multi-core processor is configured to route a request from the at least one safety critical function to the at least one core that is pre-allocated for use with the at least one safety critical function.
  2. 2. The automobile control system of claim 1, wherein: the request comprises a request identifier identifying the at least one safety critical function, and the multi-core processor is configured to route the request based on the request identifier.
  3. 3. The automobile control system of claim 2, wherein the multi-core processor is configured to determine which of the plurality of cores to route the request to by accessing a look-up table using the request identifier.
  4. 4. The automobile control system of any preceding claim, wherein the multi-core processor is configured to route a request from the at least one non-safety critical function to the at least one other core.
  5. 5. The automobile control system of any preceding claim, wherein the multi-core processor is configured to preclude routing of a request from the at least one non-safety critical function to the at least one core that is pre-allocated for use with the at least one safety critical function.
  6. 6. The automobile control system of any preceding claim, wherein the ASIL of the function is one of A, B, C or D as defined under ISO 26262.
  7. 7. The automobile control system of any preceding claim, wherein each core of the multi-core processor is physically distinct from each other core.
  8. 8. The automobile control system of any preceding claim, wherein the at least one safety critical function is selected from the group comprising: an airbag function, a brake function, an engine temperature warning function, a tyre pressure monitor, an engine warning function, a battery warning function, an oil level monitor, a coolant level monitor, an electronic stability control function, and an emergency telephony function.
  9. 9. The automobile control system of any preceding claim, wherein the at least one non-safety critical function is selected from the group comprising: a multi-media function, an AM/FM radio, a digital radio, a global navigation satellite receiver, a wireless router, an audio function, a body control module, a rear view camera and a USB hub.
  10. 10. The automobile control system of any preceding claim, wherein the at least one core is configured to: receive an operating state of the at least one safety critical function, and provide an indication of, or calculation based on, the safety critical function, and wherein the at least one other core is configured to: receive an operating state of the at least one non-safety critical function, and provide an indication of, or calculation based on, the non-safety critical function.
  11. 11. The automobile control system of claim 10, wherein the at least one core and the at least one other core are configured to provide the indication of the safety critical function operating state and the indication of the non-safety critical function operating state for display on at least one display.
  12. 12. The automobile control system of any preceding claim, wherein the multi-core processor comprises at least two cores pre-allocated for use with the at least one safety critical function.
  13. 13. The automobile control system of any preceding claim, comprising a system configured to call the at least one safety critical function, and / or the at least one non-safety critical function.
  14. 14. An automobile comprising the automobile control system of any preceding claim.
  15. 15. A method of configuring an automobile control system comprising a multi-core processor, the multi-core processor comprising a plurality of cores, the method comprising: receiving a request from a function; and routing the request to a pre-allocated core of the plurality of cores based on whether the request is from a function that is either: (i) a safety critical function of an automobile, or (ii) a non-safety critical function of the automobile, wherein the safety critical function is configured to comply with an automotive safety integrity level, ASIL.
  16. 16. A computer program comprising instructions which, when the program is executed by a computer, cause the computer to perform the method of claim 15.
GB2008727.6A 2020-06-09 2020-06-09 An automobile control system Active GB2594530B (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
GB2008727.6A GB2594530B (en) 2020-06-09 2020-06-09 An automobile control system
EP21734904.2A EP4162155A2 (en) 2020-06-09 2021-06-09 An automobile control system
CN202180046845.2A CN115917138A (en) 2020-06-09 2021-06-09 Automobile control system
US18/009,190 US20230256978A1 (en) 2020-06-09 2021-06-09 An automobile control system
PCT/GB2021/051433 WO2021250403A2 (en) 2020-06-09 2021-06-09 An automobile control system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB2008727.6A GB2594530B (en) 2020-06-09 2020-06-09 An automobile control system

Publications (3)

Publication Number Publication Date
GB202008727D0 GB202008727D0 (en) 2020-07-22
GB2594530A true GB2594530A (en) 2021-11-03
GB2594530B GB2594530B (en) 2022-06-22

Family

ID=71615900

Family Applications (1)

Application Number Title Priority Date Filing Date
GB2008727.6A Active GB2594530B (en) 2020-06-09 2020-06-09 An automobile control system

Country Status (1)

Country Link
GB (1) GB2594530B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060161918A1 (en) * 2001-05-16 2006-07-20 Continental Teves Ag & Co. Ohg Method, microprocessor system for critical safety regulations and the use of the same
US20150175170A1 (en) * 2013-12-20 2015-06-25 Denso Corporation Electronic control unit
US20170293464A1 (en) * 2014-10-09 2017-10-12 Continental Automotive Gmbh Device and method for controlling an audio output for a motor vehicle
US10012691B1 (en) * 2017-11-07 2018-07-03 Qualcomm Incorporated Audio output diagnostic circuit

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060161918A1 (en) * 2001-05-16 2006-07-20 Continental Teves Ag & Co. Ohg Method, microprocessor system for critical safety regulations and the use of the same
US20150175170A1 (en) * 2013-12-20 2015-06-25 Denso Corporation Electronic control unit
US20170293464A1 (en) * 2014-10-09 2017-10-12 Continental Automotive Gmbh Device and method for controlling an audio output for a motor vehicle
US10012691B1 (en) * 2017-11-07 2018-07-03 Qualcomm Incorporated Audio output diagnostic circuit

Also Published As

Publication number Publication date
GB202008727D0 (en) 2020-07-22
GB2594530B (en) 2022-06-22

Similar Documents

Publication Publication Date Title
CN109305197A (en) Train control method, system and Vehicle Controller
CN106990982A (en) Method for updating program and device
CN110083146A (en) Fault determination method and device, the equipment and storage medium of automatic driving vehicle
WO2021002164A1 (en) Method and control system for operating ecus of vehicles in fails-safe mode
CN109747524A (en) Method, apparatus, equipment and the computer storage medium that vehicle trouble is shown
GB2594530A (en) An automobile control system
US20180130349A1 (en) Methods and systems for displaying virtual signs based on vehicle to everything communications
US20220250655A1 (en) Mobility control system, method, and program
CN110774896B (en) Vehicle instrument information display method and device, vehicle and storage medium
CN117076383A (en) Central computing unit storage system, storage space allocation method and device
CN114741203A (en) Vehicle data processing method, device, equipment and storage medium
CN111845679B (en) Braking force distribution method and terminal equipment
US20230365158A1 (en) Determining a minimal risk maneuver for a vehicle
CN113348646A (en) Method for operating a vehicle while transferring computational power from the vehicle to at least one edge cloud computer
US20060136120A1 (en) Car navigation system
US20230256978A1 (en) An automobile control system
CN110608874A (en) Method and equipment for detecting homing performance of accelerator pedal
CN112311616B (en) Data communication frequency statistical method, device and storage medium
CN112309153B (en) Parking method and device for fault vehicle
CN116150771B (en) Redundancy processing device, redundancy processing method, redundancy processing system and intelligent vehicle
CN117083198A (en) Control method and control device for controlling indicators of human-computer interface of vehicle
CN117533352A (en) Auxiliary driving control method and system integrating lamp language information
CN107908422A (en) The application program of dispatching from the factory of equipment determines method, apparatus, equipment and storage medium
CN115683650A (en) Function degradation method and device of intelligent automobile
US20220171613A1 (en) Electronic control unit, software update method, software update program product and electronic control system