WO1997006487A1 - Microprozessorsystem für sicherheitskritische regelungen - Google Patents
Microprozessorsystem für sicherheitskritische regelungen Download PDFInfo
- Publication number
- WO1997006487A1 WO1997006487A1 PCT/EP1996/002688 EP9602688W WO9706487A1 WO 1997006487 A1 WO1997006487 A1 WO 1997006487A1 EP 9602688 W EP9602688 W EP 9602688W WO 9706487 A1 WO9706487 A1 WO 9706487A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data
- read
- bus
- microprocessor system
- central units
- Prior art date
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/16—Error detection or correction of the data by redundancy in hardware
- G06F11/18—Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60T—VEHICLE BRAKE CONTROL SYSTEMS OR PARTS THEREOF; BRAKE CONTROL SYSTEMS OR PARTS THEREOF, IN GENERAL; ARRANGEMENT OF BRAKING ELEMENTS ON VEHICLES IN GENERAL; PORTABLE DEVICES FOR PREVENTING UNWANTED MOVEMENT OF VEHICLES; VEHICLE MODIFICATIONS TO FACILITATE COOLING OF BRAKES
- B60T8/00—Arrangements for adjusting wheel-braking force to meet varying vehicular or ground-surface conditions, e.g. limiting or varying distribution of braking force
- B60T8/32—Arrangements for adjusting wheel-braking force to meet varying vehicular or ground-surface conditions, e.g. limiting or varying distribution of braking force responsive to a speed condition, e.g. acceleration or deceleration
- B60T8/88—Arrangements for adjusting wheel-braking force to meet varying vehicular or ground-surface conditions, e.g. limiting or varying distribution of braking force responsive to a speed condition, e.g. acceleration or deceleration with failure responsive means, i.e. means for detecting and indicating faulty operation of the speed responsive control means
- B60T8/885—Arrangements for adjusting wheel-braking force to meet varying vehicular or ground-surface conditions, e.g. limiting or varying distribution of braking force responsive to a speed condition, e.g. acceleration or deceleration with failure responsive means, i.e. means for detecting and indicating faulty operation of the speed responsive control means using electrical circuitry
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B19/00—Programme-control systems
- G05B19/02—Programme-control systems electric
- G05B19/04—Programme control other than numerical control, i.e. in sequence controllers or logic controllers
- G05B19/042—Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
- G05B19/0421—Multiprocessor system
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B9/00—Safety arrangements
- G05B9/02—Safety arrangements electric
- G05B9/03—Safety arrangements electric with multiple-channel loop, i.e. redundant control systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/16—Error detection or correction of the data by redundancy in hardware
- G06F11/1629—Error detection by comparing the output of redundant processing systems
- G06F11/1641—Error detection by comparing the output of redundant processing systems where the comparison is not performed by the redundant processing components
- G06F11/1645—Error detection by comparing the output of redundant processing systems where the comparison is not performed by the redundant processing components and the comparison itself uses redundant hardware
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60T—VEHICLE BRAKE CONTROL SYSTEMS OR PARTS THEREOF; BRAKE CONTROL SYSTEMS OR PARTS THEREOF, IN GENERAL; ARRANGEMENT OF BRAKING ELEMENTS ON VEHICLES IN GENERAL; PORTABLE DEVICES FOR PREVENTING UNWANTED MOVEMENT OF VEHICLES; VEHICLE MODIFICATIONS TO FACILITATE COOLING OF BRAKES
- B60T2270/00—Further aspects of brake control systems not otherwise provided for
- B60T2270/40—Failsafe aspects of brake control systems
- B60T2270/413—Plausibility monitoring, cross check, redundancy
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B2219/00—Program-control systems
- G05B2219/20—Pc systems
- G05B2219/24—Pc safety
- G05B2219/24182—Redundancy
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/08—Error detection or correction by redundancy in data representation, e.g. by using checking codes
- G06F11/10—Adding special bits or symbols to the coded information, e.g. parity check, casting out 9's or 11's
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/08—Error detection or correction by redundancy in data representation, e.g. by using checking codes
- G06F11/10—Adding special bits or symbols to the coded information, e.g. parity check, casting out 9's or 11's
- G06F11/1008—Adding special bits or symbols to the coded information, e.g. parity check, casting out 9's or 11's in individual solid state devices
- G06F11/1044—Adding special bits or symbols to the coded information, e.g. parity check, casting out 9's or 11's in individual solid state devices with specific ECC/EDC distribution
Definitions
- the invention relates to a microprocessor system intended for safety-critical control systems, which contains two synchronously operated central processing units or CPUs, which receive the same input information and process the same program, which have read-only memories (ROM) and read-write memories (RAM) and memory locations for Test information and equipped with test information generators and which also contain comparators which check the output information of the central units and, in the event of a mismatch, emit switch-off signals.
- ROM read-only memories
- RAM read-write memories
- the safety-critical control systems include, for example, the motor vehicle control systems which intervene in the brake function, of which in particular the anti-lock control systems or anti-lock braking systems (ABS) and the traction control systems (TCS, TCS, etc.) are on the market in many variants and are of great importance possess.
- Driving stability control systems (FSR.ASMS), chassis control systems, etc. are also safety-critical because they are based on brake intervention or because the vehicle's driving stability may otherwise suffer if they fail. It is therefore absolutely necessary to constantly monitor the functionality of such systems in order to be able to switch off the control system in the event of an error or to switch to a state which is less dangerous for safety.
- the input data are likewise fed in parallel to two microcomputers, of which only one, however, carries out the complete, complex signal processing.
- the second microcomputer is used primarily for monitoring, which is why the input signals can be processed further with the aid of simplified control algorithms and a simplified control philosophy after processing, formation of time derivatives, etc.
- the simplified data processing is sufficient to generate signals which, by comparison with the signals processed in the complex microcomputer, allow conclusions to be drawn about the correct operation of the system.
- a microprocessor system of the type mentioned is also known from DE 43 41 082 AI. In particular, it is intended for use in the control system of an anti-lock brake system.
- This known system ⁇ which can be accommodated on a single chip, contains two central processing units or CPUs, in which the input data are processed in parallel.
- the read-only memories and the read-write memories, to which both central units are connected, contain additional memory locations for test information and each include a generator for generating test information.
- the output signals of one of the two central units are further processed to generate the control signals, while the other, the "passive" central unit, only serves to monitor the "active" central unit.
- the invention is also based on the object of developing a microprocessor system in such a way that malfunctions in the system are recognized and signaled with the extremely high probability and reliability required for safety-critical applications. At the same time, a comparatively low production outlay for such a microprocessor system should suffice. It has been found that this object can be achieved with the system described in the appended claim 1, the special feature of which is that the central units or CPU's are connected to the read-only memories and to the read-write memories and to separate bus systems Input and output units are connected and that the bus systems are connected or coupled to one another by driver stages which enable the two central units to read and process the pending data, ie the test data available in the two bus systems, including the test data and commands. The input and output data of the two central units present on the two bus systems, including the test data and commands, are checked for agreement by the comparator or comparators of the system according to the invention.
- the microprocessor system according to the invention is based on the use of two equal, fully redundant computer cores or central units, which process the data supplied via two separate bus systems redundantly. With the aid of a simple hardware comparator, for security reasons a second comparator being connected in parallel, the input and output signals of the two central units are then compared for agreement.
- the memories of the system according to the invention are only available once; only additional storage locations for test data, for example in the form of parity bits, are provided.
- a complete microprocessor consisting of a central unit, read-only memory and read-only memory, input and output stage is connected to one of the two bus systems, while the second bus system instead of the read-only memory and read-only memory only with corresponding ones Storage spaces for test data is directly connected.
- the driver stages coupling the two bus systems enable both central units to read all the required data supplied by the user data memories, the test data memories and the input stages; this results in a particularly simple structure of the microprocessor system according to the invention, which accommodates all components on a single one Favored chip.
- the attached figure serves to explain the basic structure and the mode of operation of a microprocessor system according to the invention.
- it is a one-chip microcomputer system that has two synchronously operated central units 1, 2, which are also referred to as computer or processor cores or as CPUs, separate bus systems 3, 4 (bus 1, bus 2). contains.
- the clock common to both central units 1, 2 is supplied via the connection cl (common clock).
- the central unit 1 is closed by a read-only memory 5 (ROM), by a read / write memory 6 (RAM) and by input or input stages 7, 8 (peripheral 1, port 1) and by an output or output stage 9 a complete microcomputer MCI.
- the second bus system 4 (bus 2) are excluded only the test data memory 10, 11 and also input or input stages 12, 13 and an output stage 14 are connected to the central unit 2.
- the test data storage locations for the data in the permanent memory 5 are accommodated in the memory 10 and the test data for the read / write memory 6 in the memory 11. The whole thing forms a "lean" microcomputer MC2.
- the two bus systems 3, 4 (bus 1, bus 2) are also, which is essential to the invention, coupled by driver stages 15, 16, 17, which enable the incoming data to be read by the two central units 1, 2 together .
- Levels 15 to 17 are drivers (or “buffers" with enable function). The directions of transmission of the drivers 15 to 17 are symbolically represented by an arrow; the driver 15 is used to transfer the data located on the bus system 3 (bus 1) to the central unit 2, the driver 16 to transfer the test information or data from the test data memories 10, 1t to the central unit 1 and the driver 17 to transmit the data from the input stages 12, 13 of the second bus system 4 (bus 2) to the central unit 1.
- the bus systems 3, 4 each comprise a control bus "C", a data bus “D” and an address bus "A”.
- the test data "p” are also on the data bus.
- the input and output data of the central processing units, which are checked for correspondence in a hardware comparator 18 and in a similar comparator 19, which is arranged on the same chip and are spatially separated, are therefore referred to as "CDpA" in FIG.
- Both central units 1, 2 deliver identical output signals to the output units 9, 14 via the bus systems 3, 4.
- An inverter 22 is inserted in the way to one of the two output units, here in the way to the output unit 14.
- the valve control 20 is connected via a serial bus 21.
- two output shift registers 22, 23 are provided, the data being fed to the second shift register 22 in an inverted manner in order to exclude short circuits between the computers.
- the data contained in the shift registers 22, 23 are compared for agreement via an AND gate 24 with an inverting input. If the AND condition, which monitors the gate 24, is not met, a switch 26 in the power supply for the actuated valves or actuators 25 is opened and the actuator actuation is switched off because of an error.
- the shift registers 22, 23 are to be regarded as components of the output stages 9 and 14, respectively. Independent of the comparators 18, 19, the conformity of the output signals is monitored again, in this case externally. In the event of a fault, control of the valves 25 is thus prevented, regardless of the function of the central units 1, 2.
- the central unit which includes the entirety of the arithmetic unit and the sequence control, double to ensure the calculation results and the correct execution of the programs.
- the data bus is expanded by a generator for the test data or for redundancy information, for example for parity bits.
- the output signals of the two central units are sent to the hardware comparators (18, 19) for checking. These check the identity of the signals, including the test signals, and cause a system-SHUTDOWN-y if the synchronous processing of the programs by the redundant central units yield results which differ from one another.
- the output signals of both central units are equal, i.e. a control of memory units (RAM, ROM) or the "periphery" can be done by one of the two central units.
- the brake light switch and other sensors are connected via these input stages, for example.
- the read-only memories and the read-write memories are, as previously explained, only provided for one of the two microcomputers (MCI), while the second microcomputer (MC2) only has storage spaces (10, 11) for test data.
- the driver stages 15, 16, 17 with which both bus systems are coupled ensure that the stored user data and test data are nevertheless available to both central units in the data processing process.
- the memory locations of the memories 5, 6, 10, 11 can also be distributed completely differently between the two bus systems 3, 4 or microcomputers MCI, MC2. This does not increase the total storage space required.
- the test data or parity bits are used to detect errors when reading and writing the stored and stored data.
- the redundancy information is stored under the same address in the memories 10, 11 of the second microprocessor MC2, which only contains memory locations for the test data.
- the test or redundancy information for the read-only memory was already defined during programming. With the read / write memories, this test or redundancy information is generated during the write process. Analogously to the reading process of the data and commands, the test or redundancy information is transmitted via the driver stage 16, which couples the two bus systems 3, 4. With write access, the data to be written is therefore expanded by redundant information which is stored with the data. In the case of a read access, this data and the read back redundant information are then compared by the comparators 18, 19 Validity checked.
- the input or input stages (7, 8, 12, 13) are designed twice. These stages can each be arranged in part in the address space of one and the other central unit. A decoupling of the peripheral elements is therefore given, as in a symmetrical microprocessor system.
- the output signals in particular the control signals for the valve control 20, which contain double output stages, can also be arranged in part in the address space of one or the other central unit. As a result, there is a decoupling of output peripheral elements as in a fully symmetrical concept.
- bus 1, bus 4 In order to detect errors in the transmission of information via the bus system, this is designed redundantly in the form of bus systems 3 and 4 (bus 1, bus 4).
- bus 1, bus 4 The signals emitted by the two central units 1, 2 and present on the bus systems are monitored for correspondence by the comparators 18, 19.
- parity generators are used to generate the test data or redundancy data
- two generators are required in the system according to the invention, which can be accommodated, for example, in the central units 1, 2 or in the comparators 18, 19.
- the information generated with the aid of the redundancy generator is stored in the central unit 2.
- the information generated by the redundancy generator is compared with the read redundancy information for agreement.
- Suitable redundancy generators can e.g. Realize in a known manner with the help of exclusive OR gates.
Abstract
Description
Claims
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP96922870A EP0843853B1 (de) | 1995-08-10 | 1996-06-20 | Microprozessorsystem für sicherheitskritische regelungen |
US09/011,439 US6201997B1 (en) | 1995-08-10 | 1996-06-20 | Microprocessor system for safety-critical control systems |
JP50804997A JP3958365B2 (ja) | 1995-08-10 | 1996-06-20 | 安全上重要な制御装置のためのマイクロプロセッサ装置 |
DE59602962T DE59602962D1 (de) | 1995-08-10 | 1996-06-20 | Microprozessorsystem für sicherheitskritische regelungen |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE19529434.3 | 1995-08-10 | ||
DE19529434A DE19529434B4 (de) | 1995-08-10 | 1995-08-10 | Microprozessorsystem für sicherheitskritische Regelungen |
Publications (1)
Publication Number | Publication Date |
---|---|
WO1997006487A1 true WO1997006487A1 (de) | 1997-02-20 |
Family
ID=7769178
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP1996/002688 WO1997006487A1 (de) | 1995-08-10 | 1996-06-20 | Microprozessorsystem für sicherheitskritische regelungen |
Country Status (6)
Country | Link |
---|---|
US (1) | US6201997B1 (de) |
EP (1) | EP0843853B1 (de) |
JP (1) | JP3958365B2 (de) |
KR (1) | KR100369492B1 (de) |
DE (2) | DE19529434B4 (de) |
WO (1) | WO1997006487A1 (de) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO1999026820A1 (de) * | 1997-11-22 | 1999-06-03 | Continental Teves Ag & Co. Ohg | Elektromechanisches bremssystem |
WO2001045982A2 (en) * | 1999-12-21 | 2001-06-28 | Motorola Limited | Fault-tolerant system |
WO2002093287A2 (de) * | 2001-05-16 | 2002-11-21 | Continental Teves Ag & Co. Ohg | Verfahren, mikroprozessorsystem für sicherheitskritische regelungen und dessen verwendung |
US8650440B2 (en) | 2008-01-16 | 2014-02-11 | Freescale Semiconductor, Inc. | Processor based system having ECC based check and access validation information means |
DE102005057066B4 (de) * | 2004-12-15 | 2021-03-04 | General Motors Corp. (N.D.Ges.D. Staates Delaware) | Dualprozessoraufsichtssteuersystem für ein Fahrzeug |
DE102020203965A1 (de) | 2020-03-26 | 2021-09-30 | Zf Friedrichshafen Ag | Verarbeitungssystem und Verfahren zur redundanten Verarbeitung von Eingangssignalen |
Families Citing this family (59)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP3288390B2 (ja) * | 1997-02-19 | 2002-06-04 | シーメンス アクチエンゲゼルシヤフト | 自動車用ブレーキ装置及び電気的に制御される自動車ブレーキ装置におけるデータの伝達のための方法 |
DE19716197A1 (de) | 1997-04-18 | 1998-10-22 | Itt Mfg Enterprises Inc | Mikroprozessorsystem für sicherheitskritische Regelungen |
DE19717686A1 (de) | 1997-04-28 | 1998-10-29 | Itt Mfg Enterprises Inc | Schaltungsanordnung für ein Kraftfahrzeug-Regelungssystem |
DE19805819B4 (de) * | 1997-05-06 | 2006-11-23 | Ee-Signals Gmbh & Co. Kg | Verfahren zur Überwachung von integrierten Schaltkreisen |
DE19720618A1 (de) * | 1997-05-16 | 1998-11-19 | Itt Mfg Enterprises Inc | Mikroprozessorsystem für Kfz-Regelungssysteme |
DE19800311A1 (de) * | 1998-01-07 | 1999-07-08 | Itt Mfg Enterprises Inc | Elektronische, digitale Einrichtung |
US6213567B1 (en) | 1998-02-02 | 2001-04-10 | Siemens Aktiengesellschaft | Brake system for a motor vehicle and method for transmitting data in an electrically controlled brake system for a motor vehicle |
DE59904168D1 (de) * | 1998-06-10 | 2003-03-06 | Siemens Ag | Steuereinrichtung für eine maschine, anlage oder ein gerät, sowie verfahren zum überwachen einer steuerung |
DE19826875A1 (de) * | 1998-06-17 | 1999-12-23 | Heidenhain Gmbh Dr Johannes | Numerische Steuerung mit einem räumlich getrennten Eingabegerät |
GB2339869B (en) * | 1998-07-20 | 2002-05-15 | Motorola Ltd | Fault-tolerant electronic braking system |
DE19837242C1 (de) * | 1998-08-17 | 2000-03-02 | Siemens Ag | Bussystem in einem Fahrzeug und Verfahren zur Übertragung von Nachrichten |
AU758135B2 (en) * | 1998-10-21 | 2003-03-13 | Deka Products Limited Partnership | Fault tolerant architecture for a personal vehicle |
US6367031B1 (en) * | 1998-12-17 | 2002-04-02 | Honeywell International Inc. | Critical control adaption of integrated modular architecture |
US6456891B1 (en) * | 1999-10-27 | 2002-09-24 | Advanced Micro Devices, Inc. | System and method for transparent handling of extended register states |
DE60011583T2 (de) * | 1999-12-15 | 2004-11-04 | Delphi Technologies, Inc., Troy | Hardwaretopologien für elektrisch betätigte Bremssättel und Lenkmotor eines Sicherheitssystems |
DE10007008B4 (de) * | 2000-02-16 | 2007-03-08 | Daimlerchrysler Ag | Verfahren zur Überwachung einer Datenverarbeitungseinrichtung |
DE10032950A1 (de) * | 2000-07-06 | 2002-01-24 | Freudenberg Carl Fa | Steuerung für mehrere miteinander vernetzte Aktoren |
DE10053820A1 (de) | 2000-10-30 | 2002-05-29 | Pilz Gmbh & Co | Elektronisches Sicherheitsschaltgerät |
DE10113917B4 (de) * | 2001-03-21 | 2019-05-23 | Robert Bosch Gmbh | Verfahren und Vorrichtung zur Überwachung von Steuereinheiten |
US6778079B2 (en) * | 2001-05-16 | 2004-08-17 | Banner Engineering | Input/output methodology for control reliable interconnection of safety light curtains and other machine safety controls |
EP1396772B1 (de) * | 2001-05-31 | 2008-03-05 | Omron Corporation | Sicherheitseinheit, steuerungsverkettungsverfahren, steuerungssystemsteuerverfahren und steuerungssystemüberwachungsverfahren |
ES2295456T3 (es) * | 2001-12-11 | 2008-04-16 | CONTINENTAL TEVES AG & CO. OHG | Sistemas de ordenadores de control redundante, conjunto de ordenadores para aplicaciones criticas en vehiculos automoviles, asi como su uso. |
GB0216740D0 (en) * | 2002-07-18 | 2002-08-28 | Ricardo Consulting Eng | Self-testing watch dog system |
DE10235527C1 (de) * | 2002-08-03 | 2003-10-09 | Daimler Chrysler Ag | Vorrichtung und Verfahren zur redundanten Spannungsversorgung sicherheitsrelevanter Systeme |
GB2395241B (en) * | 2002-11-12 | 2004-12-29 | Knorr Bremse Systeme | Electronic control apparatus for a vehicle |
SE0203819D0 (sv) * | 2002-12-19 | 2002-12-19 | Abb As | Method to increase the safety integrity level of a control system |
DE10302456A1 (de) * | 2003-01-23 | 2004-07-29 | Robert Bosch Gmbh | Vorrichtung für sicherheitskritische Anwendungen und sichere Elektronik-Architektur |
ES2329581T3 (es) | 2003-10-08 | 2009-11-27 | CONTINENTAL TEVES AG & CO. OHG | Sistema integrado de microprocesadores para regulaciones criticas para la seguridad. |
US20050193378A1 (en) * | 2004-03-01 | 2005-09-01 | Breault Richard E. | System and method for building an executable program with a low probability of failure on demand |
US7428694B2 (en) * | 2004-03-02 | 2008-09-23 | Stmicroelectronics S.A. | Device for protection against error injection into a synchronous flip-flop of an elementary logic module |
US7069090B2 (en) * | 2004-08-02 | 2006-06-27 | E.G.O. North America, Inc. | Systems and methods for providing variable output feedback to a user of a household appliance |
US7069109B2 (en) * | 2004-11-09 | 2006-06-27 | E.G.O. North America, Inc. | Systems and methods of using multiple microcontrollers for fail-safe control and enhanced feature operation of an appliance |
US20060174051A1 (en) * | 2005-02-02 | 2006-08-03 | Honeywell International Inc. | Method and apparatus for a redundancy approach in a processor based controller design |
DE102006008958A1 (de) * | 2005-03-10 | 2006-09-28 | Continental Teves Ag & Co. Ohg | Elektronisches Kraftfahrzeugbremsensteuergerät |
EP1712996A1 (de) * | 2005-04-15 | 2006-10-18 | STMicroelectronics S.r.l. | Verfahren und System zur Konfiguration von Registern in Mikrocontrollern, entsprechender Mikrocontroller und Computerprogrammprodukt |
JP3978617B2 (ja) * | 2005-04-19 | 2007-09-19 | オムロン株式会社 | 安全ユニットの入力装置 |
US8219860B2 (en) * | 2005-08-11 | 2012-07-10 | Continental Ab & Co. Ohg | Microprocessor system for controlling at least partly safety-critical processes |
JP2009505188A (ja) * | 2005-08-11 | 2009-02-05 | コンティネンタル・テーベス・アクチエンゲゼルシヤフト・ウント・コンパニー・オッフェネ・ハンデルスゲゼルシヤフト | 少なくとも部分的に安全上重大なプロセスの制御または調節用マイクロプロセッサシステム |
US7329854B2 (en) * | 2005-09-26 | 2008-02-12 | Banner Engineering Corporation | System and method of connecting multiple safety light curtains |
GB0602641D0 (en) * | 2006-02-09 | 2006-03-22 | Eads Defence And Security Syst | High speed data processing system |
US20080080114A1 (en) * | 2006-09-29 | 2008-04-03 | Schweitzer Engineering Laboratories, Inc. | Apparatus, systems and methods for reliably detecting faults within a power distribution system |
DE102007025827A1 (de) | 2007-04-26 | 2008-10-30 | Continental Teves Ag & Co. Ohg | Integrierte Schaltungsanordnung für sicherheitskritische Regelungssysteme |
EP2153328B1 (de) | 2007-05-25 | 2011-08-10 | Freescale Semiconductor, Inc. | Datenverarbeitungssystem, datenverarbeitungsverfahren und vorrichtung |
US9207661B2 (en) * | 2007-07-20 | 2015-12-08 | GM Global Technology Operations LLC | Dual core architecture of a control module of an engine |
DE102007045398A1 (de) | 2007-09-21 | 2009-04-02 | Continental Teves Ag & Co. Ohg | Integriertes Mikroprozessorsystem für sicherheitskritische Regelungen |
DE102007050341A1 (de) * | 2007-10-12 | 2009-04-23 | E.G.O. Commercial Electronics Ag | Induktionsmodul, Anordnung mehrerer Induktionsmodule und Verfahren zur Einrichtung eines solchen Induktionsmoduls |
US8260487B2 (en) * | 2008-01-08 | 2012-09-04 | General Electric Company | Methods and systems for vital bus architecture |
DE102009000249A1 (de) * | 2009-01-15 | 2010-07-29 | Zf Friedrichshafen Ag | Getriebesteuerungseinrichtung |
DE102011007467A1 (de) | 2010-04-28 | 2011-11-03 | Continental Teves Ag & Co. Ohg | Mehrkernige integrierte Mikroprozessorschaltung mit Prüfeinrichtung, Prüfverfahren und Verwendung |
DE102011007437A1 (de) * | 2010-11-15 | 2012-05-16 | Continental Teves Ag & Co. Ohg | Verfahren und Schaltungsanrodnung zur Datenübertragung zwischen Prozessorbausteinen |
US9007731B2 (en) | 2012-03-26 | 2015-04-14 | Schweitzer Engineering Laboratories, Inc. | Leveraging inherent redundancy in a multifunction IED |
US8874346B2 (en) * | 2012-11-15 | 2014-10-28 | Caterpillar Inc. | System with blended anti-lock and stability control |
US9599970B2 (en) | 2013-03-27 | 2017-03-21 | The United States Of America As Represented By The Secretary Of The Navy | Safety critical control system that includes control logic or machine readable instructions that selectively locks or enables the control system based on one or more machine implemented state machines that includes states associated with detection or matching of one or more predetermined signals on distinct conduction paths between elements of the control system and related methods |
DE102014217321A1 (de) | 2014-08-29 | 2016-03-03 | Continental Teves Ag & Co. Ohg | Mikrocontrollersystem und Verfahren für sicherheitskritische Kraftfahrzeugsysteme sowie deren Verwendung |
US10520928B2 (en) | 2017-05-15 | 2019-12-31 | Rockwell Automation Technologies, Inc. | Safety industrial controller providing diversity in single multicore processor |
US11244046B2 (en) | 2019-09-16 | 2022-02-08 | Nuvoton Technology Corporation | Data-sampling integrity check using gated clock |
US11321457B2 (en) | 2019-09-16 | 2022-05-03 | Nuvoton Technology Corporation | Data-sampling integrity check by sampling using flip-flops with relative delay |
JP7312141B2 (ja) * | 2020-05-25 | 2023-07-20 | ルネサスエレクトロニクス株式会社 | 半導体装置 |
DE102020208370A1 (de) | 2020-07-03 | 2022-01-05 | Vitesco Technologies GmbH | Elektronische Steuereinheit |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE3234637A1 (de) * | 1982-09-18 | 1984-03-22 | Alfred Teves Gmbh, 6000 Frankfurt | Verfahren und schaltungsanordnung zur steuerung einer bremsschlupfregelanlage |
EP0306348A2 (de) * | 1987-09-04 | 1989-03-08 | Digital Equipment Corporation | Zweiwegeprozessoren mit Fehleruntersuchung in E/A-Lesungen |
EP0372579A2 (de) * | 1988-12-09 | 1990-06-13 | Tandem Computers Incorporated | Hochleistungsrechnersystem mit fehlertoleranter Fähigkeit |
JPH07160521A (ja) * | 1993-12-13 | 1995-06-23 | Nec Corp | 耐障害機能を有する情報処理装置 |
Family Cites Families (34)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4049957A (en) * | 1971-06-23 | 1977-09-20 | Hitachi, Ltd. | Dual computer system |
US3978327A (en) * | 1972-03-13 | 1976-08-31 | Siemens Aktiengesellschaft | Program-controlled data processor having two simultaneously operating identical system units |
DE3024370C2 (de) | 1980-06-27 | 1987-01-02 | Siemens AG, 1000 Berlin und 8000 München | Redundantes Steuersystem |
JPS58221453A (ja) * | 1982-06-17 | 1983-12-23 | Toshiba Corp | 多重系情報処理装置 |
DE3225455C2 (de) * | 1982-07-07 | 1986-07-17 | Siemens AG, 1000 Berlin und 8000 München | Verfahren zum sicheren Betrieb eines redundanten Steuersystems |
AT376860B (de) * | 1983-03-15 | 1985-01-10 | Philips Nv | System zum wiedergeben von auf einem magnetband gespeicherten informationssignalen |
GB2237904B (en) * | 1984-02-28 | 1991-10-02 | Lucas Ind Plc | Digital control system |
US5067071A (en) * | 1985-02-27 | 1991-11-19 | Encore Computer Corporation | Multiprocessor computer system employing a plurality of tightly coupled processors with interrupt vector bus |
US4961067A (en) * | 1986-07-28 | 1990-10-02 | Motorola, Inc. | Pattern driven interrupt in a digital data processor |
JPS63121934A (ja) * | 1986-11-10 | 1988-05-26 | Oki Electric Ind Co Ltd | 評価用ワンチツプマイクロコンピユ−タ |
DE3938501A1 (de) * | 1989-11-20 | 1991-05-23 | Siemens Ag | Verfahren zum betrieb eines mehrkanaligen failsafe-rechnersystems und einrichtung zur durchfuehrung des verfahrens |
EP0518630A3 (en) * | 1991-06-12 | 1993-10-20 | Aeci Ltd | Redundant control system |
US5458404A (en) * | 1991-11-12 | 1995-10-17 | Itt Automotive Europe Gmbh | Redundant wheel sensor signal processing in both controller and monitoring circuits |
GB2268817B (en) * | 1992-07-17 | 1996-05-01 | Integrated Micro Products Ltd | A fault-tolerant computer system |
US5551047A (en) * | 1993-01-28 | 1996-08-27 | The Regents Of The Univeristy Of California | Method for distributed redundant execution of program modules |
US5420883A (en) * | 1993-05-17 | 1995-05-30 | Hughes Aircraft Company | Train location and control using spread spectrum radio communications |
DE4341082A1 (de) * | 1993-12-02 | 1995-06-08 | Teves Gmbh Alfred | Schaltungsanordnung für sicherheitskritische Regelungssysteme |
EP0724813B1 (de) * | 1994-07-15 | 2005-07-20 | Koninklijke Philips Electronics N.V. | Telekommunikationsanlage mit einem prozessorsystem und ein prozessorsystem |
US5625276A (en) * | 1994-09-14 | 1997-04-29 | Coleman Powermate, Inc. | Controller for permanent magnet generator |
JP3011035B2 (ja) * | 1994-12-08 | 2000-02-21 | 株式会社日立製作所 | 計算機システム |
US5880954A (en) * | 1995-12-04 | 1999-03-09 | Thomson; Robert | Continous real time safety-related control system |
US5777874A (en) * | 1996-02-12 | 1998-07-07 | Allen-Bradley Company, Inc. | Programmable controller backup system |
JP3327123B2 (ja) * | 1996-06-04 | 2002-09-24 | トヨタ自動車株式会社 | 作業用ロボットの統合制御システム |
US6125419A (en) * | 1996-06-13 | 2000-09-26 | Hitachi, Ltd. | Bus system, printed circuit board, signal transmission line, series circuit and memory module |
US5786996A (en) * | 1996-06-28 | 1998-07-28 | Eaton Corporation | Appliance control circuit comprising dual microprocessors for enhanced control operation and agency safety redundancy and software application method thereof |
US5778203B1 (en) * | 1996-10-01 | 2000-02-08 | Honeywell Emical | Aircraft display and control system with virtual backplane architecture |
US6044207A (en) * | 1997-03-21 | 2000-03-28 | Adaptec, Inc. | Enhanced dual port I/O bus bridge |
US5993039A (en) * | 1997-03-26 | 1999-11-30 | Avalon Imagining, Inc. | Power-loss interlocking interface method and apparatus |
US5997167A (en) * | 1997-05-01 | 1999-12-07 | Control Technology Corporation | Programmable controller including diagnostic and simulation facilities |
US5933347A (en) * | 1997-06-13 | 1999-08-03 | Allen-Bradley Company Llc | Industrial controller with program synchronized updating of back-up controller |
US6049855A (en) * | 1997-07-02 | 2000-04-11 | Micron Electronics, Inc. | Segmented memory system employing different interleaving scheme for each different memory segment |
US6073190A (en) * | 1997-07-18 | 2000-06-06 | Micron Electronics, Inc. | System for dynamic buffer allocation comprising control logic for controlling a first address buffer and a first data buffer as a matched pair |
US6073194A (en) * | 1997-07-31 | 2000-06-06 | Advanced Micro Devices, Inc. | Transaction based windowing methodology for pre-silicon verification |
US6067595A (en) * | 1997-09-23 | 2000-05-23 | Icore Technologies, Inc. | Method and apparatus for enabling high-performance intelligent I/O subsystems using multi-port memories |
-
1995
- 1995-08-10 DE DE19529434A patent/DE19529434B4/de not_active Expired - Lifetime
-
1996
- 1996-06-20 DE DE59602962T patent/DE59602962D1/de not_active Revoked
- 1996-06-20 WO PCT/EP1996/002688 patent/WO1997006487A1/de not_active Application Discontinuation
- 1996-06-20 JP JP50804997A patent/JP3958365B2/ja not_active Expired - Fee Related
- 1996-06-20 US US09/011,439 patent/US6201997B1/en not_active Expired - Fee Related
- 1996-06-20 KR KR10-1998-0700890A patent/KR100369492B1/ko not_active IP Right Cessation
- 1996-06-20 EP EP96922870A patent/EP0843853B1/de not_active Revoked
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE3234637A1 (de) * | 1982-09-18 | 1984-03-22 | Alfred Teves Gmbh, 6000 Frankfurt | Verfahren und schaltungsanordnung zur steuerung einer bremsschlupfregelanlage |
EP0306348A2 (de) * | 1987-09-04 | 1989-03-08 | Digital Equipment Corporation | Zweiwegeprozessoren mit Fehleruntersuchung in E/A-Lesungen |
EP0372579A2 (de) * | 1988-12-09 | 1990-06-13 | Tandem Computers Incorporated | Hochleistungsrechnersystem mit fehlertoleranter Fähigkeit |
JPH07160521A (ja) * | 1993-12-13 | 1995-06-23 | Nec Corp | 耐障害機能を有する情報処理装置 |
Non-Patent Citations (1)
Title |
---|
PATENT ABSTRACTS OF JAPAN vol. 95, no. 006 * |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO1999026820A1 (de) * | 1997-11-22 | 1999-06-03 | Continental Teves Ag & Co. Ohg | Elektromechanisches bremssystem |
US6317675B1 (en) | 1997-11-22 | 2001-11-13 | Continental Teves Ag & Co., Ohg | Electromechanical brake system |
WO2001045982A2 (en) * | 1999-12-21 | 2001-06-28 | Motorola Limited | Fault-tolerant system |
WO2001045982A3 (en) * | 1999-12-21 | 2002-11-07 | Motorola Ltd | Fault-tolerant system |
WO2002093287A2 (de) * | 2001-05-16 | 2002-11-21 | Continental Teves Ag & Co. Ohg | Verfahren, mikroprozessorsystem für sicherheitskritische regelungen und dessen verwendung |
WO2002093287A3 (de) * | 2001-05-16 | 2004-04-08 | Continental Teves Ag & Co Ohg | Verfahren, mikroprozessorsystem für sicherheitskritische regelungen und dessen verwendung |
DE102005057066B4 (de) * | 2004-12-15 | 2021-03-04 | General Motors Corp. (N.D.Ges.D. Staates Delaware) | Dualprozessoraufsichtssteuersystem für ein Fahrzeug |
US8650440B2 (en) | 2008-01-16 | 2014-02-11 | Freescale Semiconductor, Inc. | Processor based system having ECC based check and access validation information means |
DE102020203965A1 (de) | 2020-03-26 | 2021-09-30 | Zf Friedrichshafen Ag | Verarbeitungssystem und Verfahren zur redundanten Verarbeitung von Eingangssignalen |
Also Published As
Publication number | Publication date |
---|---|
KR100369492B1 (ko) | 2003-04-10 |
KR19990036222A (ko) | 1999-05-25 |
DE19529434B4 (de) | 2009-09-17 |
EP0843853B1 (de) | 1999-09-01 |
US6201997B1 (en) | 2001-03-13 |
DE59602962D1 (de) | 1999-10-07 |
DE19529434A1 (de) | 1997-02-13 |
EP0843853A1 (de) | 1998-05-27 |
JP3958365B2 (ja) | 2007-08-15 |
JPH11510925A (ja) | 1999-09-21 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP0843853B1 (de) | Microprozessorsystem für sicherheitskritische regelungen | |
EP0976012B1 (de) | Mikroprozessorsystem für sicherheitskritische regelungen | |
EP0979189B1 (de) | Schaltungsanordnung für ein kraftfahrzeug-regelungssystem | |
EP0981783B1 (de) | Mikroprozessorsystem für kfz-regelungssysteme | |
EP0731937B1 (de) | Schaltungsanordnung für sicherheitskritische regelungssysteme | |
DE2225841C3 (de) | Verfahren und Anordnung zur systematischen Fehlerprüfung eines monolithischen Halbleiterspeichers | |
EP0712360B1 (de) | Regelschaltung für bremsanlagen mit abs und/oder asr | |
WO2002093287A2 (de) | Verfahren, mikroprozessorsystem für sicherheitskritische regelungen und dessen verwendung | |
DE4446314A1 (de) | Verfahren und Schaltungsanordnung zur Überwachung der Funktion einer programmgesteuerten Schaltung | |
EP1588380B1 (de) | Verfahren zur erkennung und/oder korrektur von speicherzugriffsfehlern und elektronische schaltungsanordnung zur durchführung des verfahrens | |
EP1913478B1 (de) | Mikroprozessorsystem zur steuerung bzw. regelung von zumindest zum teil sicherheitskritischen prozessen | |
EP1615087A2 (de) | Steuer- und Regeleinheit | |
DE102006036384A1 (de) | Mikroprozessorsystem zur Steuerung bzw. Regelung von zumindest zum Teil sicherheitskritischen Prozessen | |
DE19511842A1 (de) | Verfahren und Schaltungsanordnung zur Überwachung einer Datenverarbeitungsschaltung | |
EP0613077B1 (de) | Verfahren zur Reset-Erzeugung in Datenverarbeitungsanlagen | |
EP1019824B1 (de) | Verfahren zum erzeugen eines fehlerkennzeichnungssignals im datenbestand eines speichers und hierzu geeignete einrichtung | |
DE10317651A1 (de) | Verfahren und Vorrichtung zum Vergleichen von binären Datenworten | |
EP1176508A2 (de) | Anordnung zur Überwachung des ordnungsgemässen Betriebes von die selben oder einander entsprechende Aktionen ausführenden Komponenten eines elektrischen Systems | |
EP1537396A2 (de) | Anordnung aus einem sensormodul und einem steuerger t |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AK | Designated states |
Kind code of ref document: A1 Designated state(s): JP KR US |
|
AL | Designated countries for regional patents |
Kind code of ref document: A1 Designated state(s): AT BE CH DE DK ES FI FR GB GR IE IT LU MC NL PT SE |
|
DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | ||
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
WWE | Wipo information: entry into national phase |
Ref document number: 1996922870 Country of ref document: EP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 1019980700890 Country of ref document: KR |
|
ENP | Entry into the national phase |
Ref country code: JP Ref document number: 1997 508049 Kind code of ref document: A Format of ref document f/p: F |
|
WWE | Wipo information: entry into national phase |
Ref document number: 09011439 Country of ref document: US |
|
WWP | Wipo information: published in national office |
Ref document number: 1996922870 Country of ref document: EP |
|
WWP | Wipo information: published in national office |
Ref document number: 1019980700890 Country of ref document: KR |
|
WWG | Wipo information: grant in national office |
Ref document number: 1996922870 Country of ref document: EP |
|
WWG | Wipo information: grant in national office |
Ref document number: 1019980700890 Country of ref document: KR |
|
WWW | Wipo information: withdrawn in national office |
Ref document number: 1996922870 Country of ref document: EP |