Classifications

• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F11/00—Error detection; Error correction; Monitoring
  • G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
  • G06F11/16—Error detection or correction of the data by redundancy in hardware
  • G06F11/18—Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits
• • B—PERFORMING OPERATIONS; TRANSPORTING
  • B60—VEHICLES IN GENERAL
  • B60T—VEHICLE BRAKE CONTROL SYSTEMS OR PARTS THEREOF; BRAKE CONTROL SYSTEMS OR PARTS THEREOF, IN GENERAL; ARRANGEMENT OF BRAKING ELEMENTS ON VEHICLES IN GENERAL; PORTABLE DEVICES FOR PREVENTING UNWANTED MOVEMENT OF VEHICLES; VEHICLE MODIFICATIONS TO FACILITATE COOLING OF BRAKES
  • B60T8/00—Arrangements for adjusting wheel-braking force to meet varying vehicular or ground-surface conditions, e.g. limiting or varying distribution of braking force
  • B60T8/32—Arrangements for adjusting wheel-braking force to meet varying vehicular or ground-surface conditions, e.g. limiting or varying distribution of braking force responsive to a speed condition, e.g. acceleration or deceleration
  • B60T8/88—Arrangements for adjusting wheel-braking force to meet varying vehicular or ground-surface conditions, e.g. limiting or varying distribution of braking force responsive to a speed condition, e.g. acceleration or deceleration with failure responsive means, i.e. means for detecting and indicating faulty operation of the speed responsive control means
  • B60T8/885—Arrangements for adjusting wheel-braking force to meet varying vehicular or ground-surface conditions, e.g. limiting or varying distribution of braking force responsive to a speed condition, e.g. acceleration or deceleration with failure responsive means, i.e. means for detecting and indicating faulty operation of the speed responsive control means using electrical circuitry
• • G—PHYSICS
  • G05—CONTROLLING; REGULATING
  • G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
  • G05B19/00—Programme-control systems
  • G05B19/02—Programme-control systems electric
  • G05B19/04—Programme control other than numerical control, i.e. in sequence controllers or logic controllers
  • G05B19/042—Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
  • G05B19/0421—Multiprocessor system
• • G—PHYSICS
  • G05—CONTROLLING; REGULATING
  • G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
  • G05B9/00—Safety arrangements
  • G05B9/02—Safety arrangements electric
  • G05B9/03—Safety arrangements electric with multiple-channel loop, i.e. redundant control systems
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F11/00—Error detection; Error correction; Monitoring
  • G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
  • G06F11/16—Error detection or correction of the data by redundancy in hardware
  • G06F11/1629—Error detection by comparing the output of redundant processing systems
  • G06F11/1641—Error detection by comparing the output of redundant processing systems where the comparison is not performed by the redundant processing components
  • G06F11/1645—Error detection by comparing the output of redundant processing systems where the comparison is not performed by the redundant processing components and the comparison itself uses redundant hardware
• • B—PERFORMING OPERATIONS; TRANSPORTING
  • B60—VEHICLES IN GENERAL
  • B60T—VEHICLE BRAKE CONTROL SYSTEMS OR PARTS THEREOF; BRAKE CONTROL SYSTEMS OR PARTS THEREOF, IN GENERAL; ARRANGEMENT OF BRAKING ELEMENTS ON VEHICLES IN GENERAL; PORTABLE DEVICES FOR PREVENTING UNWANTED MOVEMENT OF VEHICLES; VEHICLE MODIFICATIONS TO FACILITATE COOLING OF BRAKES
  • B60T2270/00—Further aspects of brake control systems not otherwise provided for
  • B60T2270/40—Failsafe aspects of brake control systems
  • B60T2270/413—Plausibility monitoring, cross check, redundancy
• • G—PHYSICS
  • G05—CONTROLLING; REGULATING
  • G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
  • G05B2219/00—Program-control systems
  • G05B2219/20—Pc systems
  • G05B2219/24—Pc safety
  • G05B2219/24182—Redundancy
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F11/00—Error detection; Error correction; Monitoring
  • G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
  • G06F11/08—Error detection or correction by redundancy in data representation, e.g. by using checking codes
  • G06F11/10—Adding special bits or symbols to the coded information, e.g. parity check, casting out 9's or 11's
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F11/00—Error detection; Error correction; Monitoring
  • G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
  • G06F11/08—Error detection or correction by redundancy in data representation, e.g. by using checking codes
  • G06F11/10—Adding special bits or symbols to the coded information, e.g. parity check, casting out 9's or 11's
  • G06F11/1008—Adding special bits or symbols to the coded information, e.g. parity check, casting out 9's or 11's in individual solid state devices
  • G06F11/1044—Adding special bits or symbols to the coded information, e.g. parity check, casting out 9's or 11's in individual solid state devices with specific ECC/EDC distribution

Definitions

• the invention relates to a microprocessor system intended for safety-critical control systems, which contains two synchronously operated central processing units or CPUs, which receive the same input information and process the same program, which have read-only memories (ROM) and read-write memories (RAM) and memory locations for Test information and equipped with test information generators and which also contain comparators which check the output information of the central units and, in the event of a mismatch, emit switch-off signals.
• ROM read-only memories
• RAM read-write memories
• the safety-critical control systems include, for example, the motor vehicle control systems which intervene in the brake function, of which in particular the anti-lock control systems or anti-lock braking systems (ABS) and the traction control systems (TCS, TCS, etc.) are on the market in many variants and are of great importance possess.
• Driving stability control systems (FSR.ASMS), chassis control systems, etc. are also safety-critical because they are based on brake intervention or because the vehicle's driving stability may otherwise suffer if they fail. It is therefore absolutely necessary to constantly monitor the functionality of such systems in order to be able to switch off the control system in the event of an error or to switch to a state which is less dangerous for safety.
• the input data are likewise fed in parallel to two microcomputers, of which only one, however, carries out the complete, complex signal processing.
• the second microcomputer is used primarily for monitoring, which is why the input signals can be processed further with the aid of simplified control algorithms and a simplified control philosophy after processing, formation of time derivatives, etc.
• the simplified data processing is sufficient to generate signals which, by comparison with the signals processed in the complex microcomputer, allow conclusions to be drawn about the correct operation of the system.
• a microprocessor system of the type mentioned is also known from DE 43 41 082 AI. In particular, it is intended for use in the control system of an anti-lock brake system.
• This known system ⁇ which can be accommodated on a single chip, contains two central processing units or CPUs, in which the input data are processed in parallel.
• the read-only memories and the read-write memories, to which both central units are connected, contain additional memory locations for test information and each include a generator for generating test information.
• the output signals of one of the two central units are further processed to generate the control signals, while the other, the "passive" central unit, only serves to monitor the "active" central unit.
• the invention is also based on the object of developing a microprocessor system in such a way that malfunctions in the system are recognized and signaled with the extremely high probability and reliability required for safety-critical applications. At the same time, a comparatively low production outlay for such a microprocessor system should suffice. It has been found that this object can be achieved with the system described in the appended claim 1, the special feature of which is that the central units or CPU's are connected to the read-only memories and to the read-write memories and to separate bus systems Input and output units are connected and that the bus systems are connected or coupled to one another by driver stages which enable the two central units to read and process the pending data, ie the test data available in the two bus systems, including the test data and commands. The input and output data of the two central units present on the two bus systems, including the test data and commands, are checked for agreement by the comparator or comparators of the system according to the invention.
• the microprocessor system according to the invention is based on the use of two equal, fully redundant computer cores or central units, which process the data supplied via two separate bus systems redundantly. With the aid of a simple hardware comparator, for security reasons a second comparator being connected in parallel, the input and output signals of the two central units are then compared for agreement.
• the memories of the system according to the invention are only available once; only additional storage locations for test data, for example in the form of parity bits, are provided.
• a complete microprocessor consisting of a central unit, read-only memory and read-only memory, input and output stage is connected to one of the two bus systems, while the second bus system instead of the read-only memory and read-only memory only with corresponding ones Storage spaces for test data is directly connected.
• the driver stages coupling the two bus systems enable both central units to read all the required data supplied by the user data memories, the test data memories and the input stages; this results in a particularly simple structure of the microprocessor system according to the invention, which accommodates all components on a single one Favored chip.
• the attached figure serves to explain the basic structure and the mode of operation of a microprocessor system according to the invention.
• it is a one-chip microcomputer system that has two synchronously operated central units 1, 2, which are also referred to as computer or processor cores or as CPUs, separate bus systems 3, 4 (bus 1, bus 2). contains.
• the clock common to both central units 1, 2 is supplied via the connection cl (common clock).
• the central unit 1 is closed by a read-only memory 5 (ROM), by a read / write memory 6 (RAM) and by input or input stages 7, 8 (peripheral 1, port 1) and by an output or output stage 9 a complete microcomputer MCI.
• the second bus system 4 (bus 2) are excluded only the test data memory 10, 11 and also input or input stages 12, 13 and an output stage 14 are connected to the central unit 2.
• the test data storage locations for the data in the permanent memory 5 are accommodated in the memory 10 and the test data for the read / write memory 6 in the memory 11. The whole thing forms a "lean" microcomputer MC2.
• the two bus systems 3, 4 (bus 1, bus 2) are also, which is essential to the invention, coupled by driver stages 15, 16, 17, which enable the incoming data to be read by the two central units 1, 2 together .
• Levels 15 to 17 are drivers (or “buffers" with enable function). The directions of transmission of the drivers 15 to 17 are symbolically represented by an arrow; the driver 15 is used to transfer the data located on the bus system 3 (bus 1) to the central unit 2, the driver 16 to transfer the test information or data from the test data memories 10, 1t to the central unit 1 and the driver 17 to transmit the data from the input stages 12, 13 of the second bus system 4 (bus 2) to the central unit 1.
• the bus systems 3, 4 each comprise a control bus "C", a data bus “D” and an address bus "A”.
• the test data "p” are also on the data bus.
• the input and output data of the central processing units, which are checked for correspondence in a hardware comparator 18 and in a similar comparator 19, which is arranged on the same chip and are spatially separated, are therefore referred to as "CDpA" in FIG.
• Both central units 1, 2 deliver identical output signals to the output units 9, 14 via the bus systems 3, 4.
• An inverter 22 is inserted in the way to one of the two output units, here in the way to the output unit 14.
• the valve control 20 is connected via a serial bus 21.
• two output shift registers 22, 23 are provided, the data being fed to the second shift register 22 in an inverted manner in order to exclude short circuits between the computers.
• the data contained in the shift registers 22, 23 are compared for agreement via an AND gate 24 with an inverting input. If the AND condition, which monitors the gate 24, is not met, a switch 26 in the power supply for the actuated valves or actuators 25 is opened and the actuator actuation is switched off because of an error.
• the shift registers 22, 23 are to be regarded as components of the output stages 9 and 14, respectively. Independent of the comparators 18, 19, the conformity of the output signals is monitored again, in this case externally. In the event of a fault, control of the valves 25 is thus prevented, regardless of the function of the central units 1, 2.
• the central unit which includes the entirety of the arithmetic unit and the sequence control, double to ensure the calculation results and the correct execution of the programs.
• the data bus is expanded by a generator for the test data or for redundancy information, for example for parity bits.
• the output signals of the two central units are sent to the hardware comparators (18, 19) for checking. These check the identity of the signals, including the test signals, and cause a system-SHUTDOWN-y if the synchronous processing of the programs by the redundant central units yield results which differ from one another.
• the output signals of both central units are equal, i.e. a control of memory units (RAM, ROM) or the "periphery" can be done by one of the two central units.
• the brake light switch and other sensors are connected via these input stages, for example.
• the read-only memories and the read-write memories are, as previously explained, only provided for one of the two microcomputers (MCI), while the second microcomputer (MC2) only has storage spaces (10, 11) for test data.
• the driver stages 15, 16, 17 with which both bus systems are coupled ensure that the stored user data and test data are nevertheless available to both central units in the data processing process.
• the memory locations of the memories 5, 6, 10, 11 can also be distributed completely differently between the two bus systems 3, 4 or microcomputers MCI, MC2. This does not increase the total storage space required.
• the test data or parity bits are used to detect errors when reading and writing the stored and stored data.
• the redundancy information is stored under the same address in the memories 10, 11 of the second microprocessor MC2, which only contains memory locations for the test data.
• the test or redundancy information for the read-only memory was already defined during programming. With the read / write memories, this test or redundancy information is generated during the write process. Analogously to the reading process of the data and commands, the test or redundancy information is transmitted via the driver stage 16, which couples the two bus systems 3, 4. With write access, the data to be written is therefore expanded by redundant information which is stored with the data. In the case of a read access, this data and the read back redundant information are then compared by the comparators 18, 19 Validity checked.
• the input or input stages (7, 8, 12, 13) are designed twice. These stages can each be arranged in part in the address space of one and the other central unit. A decoupling of the peripheral elements is therefore given, as in a symmetrical microprocessor system.
• the output signals in particular the control signals for the valve control 20, which contain double output stages, can also be arranged in part in the address space of one or the other central unit. As a result, there is a decoupling of output peripheral elements as in a fully symmetrical concept.
• bus 1, bus 4 In order to detect errors in the transmission of information via the bus system, this is designed redundantly in the form of bus systems 3 and 4 (bus 1, bus 4).
• bus 1, bus 4 The signals emitted by the two central units 1, 2 and present on the bus systems are monitored for correspondence by the comparators 18, 19.
• parity generators are used to generate the test data or redundancy data
• two generators are required in the system according to the invention, which can be accommodated, for example, in the central units 1, 2 or in the comparators 18, 19.
• the information generated with the aid of the redundancy generator is stored in the central unit 2.
• the information generated by the redundancy generator is compared with the read redundancy information for agreement.
• Suitable redundancy generators can e.g. Realize in a known manner with the help of exclusive OR gates.

Landscapes

• Engineering & Computer Science (AREA)
• Physics & Mathematics (AREA)
• General Physics & Mathematics (AREA)
• Theoretical Computer Science (AREA)
• Automation & Control Theory (AREA)
• Quality & Reliability (AREA)
• General Engineering & Computer Science (AREA)
• Transportation (AREA)
• Mechanical Engineering (AREA)
• Hardware Redundancy (AREA)
• Multi Processors (AREA)
• Combined Controls Of Internal Combustion Engines (AREA)

Priority Applications (4)

Applications Claiming Priority (2)

Publications (1)

Family

ID=7769178

Family Applications (1)

Country Status (6)

Cited By (6)

Families Citing this family (60)

Citations (4)

Family Cites Families (34)

• 1995
  • 1995-08-10 DE DE19529434A patent/DE19529434B4/de not_active Expired - Lifetime
• 1996
  • 1996-06-20 EP EP96922870A patent/EP0843853B1/de not_active Revoked
  • 1996-06-20 WO PCT/EP1996/002688 patent/WO1997006487A1/de not_active Ceased
  • 1996-06-20 JP JP50804997A patent/JP3958365B2/ja not_active Expired - Fee Related
  • 1996-06-20 DE DE59602962T patent/DE59602962D1/de not_active Revoked
  • 1996-06-20 US US09/011,439 patent/US6201997B1/en not_active Expired - Fee Related
  • 1996-06-20 KR KR10-1998-0700890A patent/KR100369492B1/ko not_active Expired - Fee Related

Patent Citations (4)

Non-Patent Citations (1)

Also Published As

Similar Documents

Legal Events