WO2002075464A1 - Verfahren zum betreiben eines verteilten sicherheitsrelevanten systems - Google Patents
Verfahren zum betreiben eines verteilten sicherheitsrelevanten systems Download PDFInfo
- Publication number
- WO2002075464A1 WO2002075464A1 PCT/DE2002/000915 DE0200915W WO02075464A1 WO 2002075464 A1 WO2002075464 A1 WO 2002075464A1 DE 0200915 W DE0200915 W DE 0200915W WO 02075464 A1 WO02075464 A1 WO 02075464A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- pro
- process computer
- communication
- communication system
- faulty
- Prior art date
Links
Classifications
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60G—VEHICLE SUSPENSION ARRANGEMENTS
- B60G17/00—Resilient suspensions having means for adjusting the spring or vibration-damper characteristics, for regulating the distance between a supporting surface and a sprung part of vehicle or for locking suspension during use to meet varying vehicular or surface conditions, e.g. due to speed or load
- B60G17/015—Resilient suspensions having means for adjusting the spring or vibration-damper characteristics, for regulating the distance between a supporting surface and a sprung part of vehicle or for locking suspension during use to meet varying vehicular or surface conditions, e.g. due to speed or load the regulating means comprising electric or electronic elements
- B60G17/0195—Resilient suspensions having means for adjusting the spring or vibration-damper characteristics, for regulating the distance between a supporting surface and a sprung part of vehicle or for locking suspension during use to meet varying vehicular or surface conditions, e.g. due to speed or load the regulating means comprising electric or electronic elements characterised by the regulation being combined with other vehicle control systems
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60T—VEHICLE BRAKE CONTROL SYSTEMS OR PARTS THEREOF; BRAKE CONTROL SYSTEMS OR PARTS THEREOF, IN GENERAL; ARRANGEMENT OF BRAKING ELEMENTS ON VEHICLES IN GENERAL; PORTABLE DEVICES FOR PREVENTING UNWANTED MOVEMENT OF VEHICLES; VEHICLE MODIFICATIONS TO FACILITATE COOLING OF BRAKES
- B60T13/00—Transmitting braking action from initiating means to ultimate brake actuator with power assistance or drive; Brake systems incorporating such transmitting means, e.g. air-pressure brake systems
- B60T13/74—Transmitting braking action from initiating means to ultimate brake actuator with power assistance or drive; Brake systems incorporating such transmitting means, e.g. air-pressure brake systems with electrical assistance or drive
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B9/00—Safety arrangements
- G05B9/02—Safety arrangements electric
- G05B9/03—Safety arrangements electric with multiple-channel loop, i.e. redundant control systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/16—Error detection or correction of the data by redundancy in hardware
- G06F11/1629—Error detection by comparing the output of redundant processing systems
- G06F11/1641—Error detection by comparing the output of redundant processing systems where the comparison is not performed by the redundant processing components
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60G—VEHICLE SUSPENSION ARRANGEMENTS
- B60G2600/00—Indexing codes relating to particular elements, systems or processes used on suspension systems or suspension control systems
- B60G2600/08—Failure or malfunction detecting means
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60G—VEHICLE SUSPENSION ARRANGEMENTS
- B60G2600/00—Indexing codes relating to particular elements, systems or processes used on suspension systems or suspension control systems
- B60G2600/70—Computer memory; Data storage, e.g. maps for adaptive control
- B60G2600/702—Parallel processing
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60G—VEHICLE SUSPENSION ARRANGEMENTS
- B60G2800/00—Indexing codes relating to the type of movement or to the condition of the vehicle and to the end result to be achieved by the control action
- B60G2800/80—Detection or control after a system or component failure
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60W—CONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
- B60W50/00—Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
- B60W2050/0001—Details of the control system
- B60W2050/0043—Signal treatments, identification of variables or parameters, parameter estimation or state estimation
- B60W2050/0044—In digital systems
- B60W2050/0045—In digital systems using databus protocols
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60W—CONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
- B60W50/00—Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
- B60W50/02—Ensuring safety in case of control system failures, e.g. by diagnosing, circumventing or fixing failures
- B60W50/0205—Diagnosing or detecting failures; Failure detection models
- B60W2050/021—Means for detecting failure or malfunction
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60W—CONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
- B60W50/00—Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
- B60W50/04—Monitoring the functioning of the control system
- B60W2050/041—Built in Test Equipment [BITE]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/16—Error detection or correction of the data by redundancy in hardware
- G06F11/18—Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/16—Error detection or correction of the data by redundancy in hardware
- G06F11/18—Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits
- G06F11/181—Eliminating the failing redundant component
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/16—Error detection or correction of the data by redundancy in hardware
- G06F11/18—Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits
- G06F11/182—Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits based on mutual exchange of the output between redundant processing components
Definitions
- the present invention relates to a method for operating a distributed safety-relevant system, in particular an X-by-wire system in a motor vehicle.
- the distributed system comprises at least one first process computer for controlling one
- Component of the system and at least one further process computer each being connected to a communication system via a communication controller.
- the functionality of the at least one first process computer is checked by the at least one further process computer.
- the invention also relates to a distributed security-relevant system, in particular an X-by-wire system in a motor vehicle.
- the distributed system comprises at least a first process computer for controlling a component of the system and at least one further process computer, the process computers each being connected to a communication system via a communication controller. Monitoring the functionality the at least one first process computer is carried out by the at least one further process computer.
- the present invention relates to a communication controller for connecting at least one first process computer and at least one further process computer to a communication system of a distributed safety-relevant system, in particular an X-by-wire system in a motor vehicle.
- the at least one first process computer is used to control a component of the distributed system.
- a communication protocol runs on the communication controller to implement data transmission between the process computers and the • communication system.
- the invention also relates to a communication protocol for a communication system of a distributed security-relevant system, in particular an X-by-wire system in a motor vehicle.
- the 'distributed system comprising at least a first
- Process computer for controlling a component of the distributed system and at least one further process computer.
- the process computers are each connected to the communication system via a communication controller.
- the communication protocol runs to implement data transmission between the process computers and the communication system on the communication controllers.
- X-by-wire systems are a special implementation of such distributed systems.
- An X-by-Wire system is one
- An X-by-Wire system is a system with high security requirements, i.e. a complete failure of this system generates an error of the highest security level possible in the vehicle. Three classes of such systems are considered.
- Water X-by-Wire systems are systems with a hydraulic (mechanical) fallback level that improve the basic functionality even without electrical power supply (e.g. after a failure of the
- Basic braking function the braking function without an electronic control system that could generate a variable braking force distribution.
- the basic braking function then specifies (depending on the system) that, for example, 65% of the braking force is applied to the front axle and 35% to the rear axle.
- Anti-lock braking system (ABS), anti-slip control (ASR) and vehicle dynamics control (FDR) are not part of the basic brake function.
- Dry X-by-Wire systems are such systems without a mechanical / hydraulic fallback level. The implementation is based exclusively on electromechanical components.
- Semi-dry X-by-Wire systems are systems that have a hydraulic actuator but have a "dry interface". In terms of communication requirements, these systems should therefore be treated in the same way as dry X-by-Wire Systems.
- X-by-wire systems are steer-by- wire and brake-by-wire systems (electronic steering and electronic brakes).
- a method of the type mentioned is known, for example, from DE 198 26 131 AI.
- the distributed safety-related system is described as an electrical braking system of a motor vehicle.
- the components are designed as the brakes of the motor vehicle or more precisely as actuators for controlling the brakes.
- Such a system is to a high degree relevant to safety, since faulty control of the components, in particular faulty actuation of the brakes, can lead to an unforeseeable safety risk. For this reason, incorrect control of the components must be ruled out with certainty become.
- Essential features of the known brake system are a pedal module for central driver request recording, four wheel modules for wheel-specific regulation of the brake actuators and a processing module for calculating higher-level brake functions.
- the individual modules can communicate with one another using one or more communication systems.
- FIG. 2 of the present patent application the internal structure of a wheel module with different logic levels is shown as an example.
- the logical level L1 comprises at least the calculation of the control and regulating functions for the wheel brakes, while the logical levels L2 to L4 contain various functions for computer monitoring and functional testing of Ll.
- the control of the brakes or the electric motors for actuating the brake shoes comprises the following steps for each wheel module:
- the input signals are made available to the microcomputer system (R_1A) via a communication system (K_l), for example a bus system.
- e_lH Determining at least one logical control signal (e_lH).
- the logic control signal (e_lH) is at least partially dependent on a monitoring unit (R_1B) which is independent of the first microcomputer system (R_1A) determined at least one input signal.
- the monitoring unit (R_1B) is used in particular to identify systematic (so-called common mode) errors. Faults in the power supply are an example of such faults.
- the monitoring unit (R_1B) is designed as an independent microcomputer system. Alternatively, the monitoring unit (R_1B) can also be used as a
- Hardware module can be designed without its own processor, which, however, can perform specific logical functions or, if it has a register, even switching functions.
- An example of such a hardware module is, for example, an ASIC (Applied Specific Integrated Circuit), an FPGA (Field-Programmable Gate Array) or a monitoring circuit (so-called watchdog).
- the control device (micro-computer system or process computer) that is used to control the component (actuators) is responsible, is monitored and switched off by the monitoring unit in the event of a fault. Monitoring is based on question-answer communication, which must follow a specified protocol.
- the actuators (LE2R) are only released if the microcomputer system (R_l ⁇ ) and the independent monitoring unit (R_1B) agree (question-answer communication works as specified).
- the principle of this release is based on an electrical release circuit (AND link), which is implemented between the process computer and the monitoring unit. This means that both units have one for the normal function of the actuators . have to create a logical "one" on the release circuit.
- the actuators are switched off as soon as a process in the microcomputer system (R_1A) gives the signal to switch off.
- the monitoring component (R_1B) will only give the signal to switch off if the monitored unit (microcomputer system R__1A) has been identified as faulty.
- the use of communication systems in the automotive sector has become the standard for almost all manufacturers.
- the Society for Automotive Engineering (SAE) has defined three different classes of requirements for communication: Classes A, B and C. These classes differ in the amount of information that is exchanged down to the different real-time requirements and areas of application.
- the protocol class _ with the highest requirements is class C.
- a specification of the SAE "Communication protocols for class C applications", SAE J2056 / 1, June 1993 is available.
- This class C is the class responsible for X-by-wire systems.
- TTCAN Time Triggered CAN
- TTP / C or FlexRay protocol An important service for the present invention in such protocols is the subscriber service (so-called membership service).
- the membership / activity of a communication subscriber is determined by a mechanism of the message confirmation in a decision-making process of all active communication subscribers.
- the information about the affiliation / activity of the communication participants is provided as a so-called membership
- the membership information is stable, ie recognized by all participants as valid. If a participant is designated as inactive by this decision, this node may no longer be active in the communication take part.
- the process computer responsible for this node recognizes the inactive state and must take measures to switch its communication controller active again (restart and resynchronization).
- the 'ECHANISM for the determination of the participants is performed continuously and is part of the actual communication protocol.
- a disadvantage of the state of the art resulting from DE 198 26 131 AI is that the logic level L4 is always implemented in a separate component which, for example in wheel modules of an electrical braking system, is also provided several times within the distributed safety-related system got to.
- the object of the present invention is to provide possibilities in such a distributed monitoring concept by means of which the basic functionality of a
- Communication systems or a communication protocol namely secure message transmission, sending messages that are simultaneously directed to several destinations in the communication system (so-called multicasting), message confirmation and - for example in the case of TTP / C (Time Triggered Protocol for Class C) or CAN ( Controller Area Network) - the subscriber service is expanded to include a mechanism for secure shutdown of process computers via the communication system.
- the present invention based on the method of the type mentioned at the beginning, proposes a method with the following steps: at least one of the further process computers which has an error in at least one of the first
- Process computer has determined, transmits a control message via the communication system to control the faulty first process computer or the component controlled by it; - It is checked whether the sender of the
- Control message is authorized to control the faulty first process computer; it is checked whether the sender of the control message is connected to the communication system and is actively involved in communication via the communication system; depending on the content of control messages from those senders who are authorized to control the faulty first process computer and who are connected to the communication system and actively involved in the communication via the
- Communication system are involved, it is decided according to a predeterminable decision algorithm how the faulty first process computer and / or the component are to be controlled; and the faulty first process computer and / or the component are controlled accordingly.
- Monitoring concept can be achieved within the communication system.
- This information concerns for the first process computer each has a local list in which those further process computers are listed which may control (eg switch off) the respective first process computer in the event of an error.
- the information relates to a global list, which lists those process computer connected to the communication system and actively involved in communication via the 'communication system. For example, the membership information of the subscriber service can be used for this list.
- the information relates to a globally available list for each additional process computer, in which those first process computers are listed which the respective further process computer has identified as faulty and which it therefore wishes to control (eg switch off).
- the present invention is based on one
- Process computers are divided into two groups, namely first process computers that are monitored and other process computers that monitor. Which of the process computers of the distributed system belongs to the first and which to the second group is a question of definition. It is quite conceivable that one and the same process computer belongs on the one hand to the first group because it is monitored by one or more of the other process computers, but on the other hand also belongs to the second group because it monitors one or more other (first) process computers.
- the present invention provides the basic functionality of a communication system or communication protocol, namely secure message transmission, multicasting, message confirmation and subscriber service Mechanism for secure shutdown of process computers via the communication system expanded.
- the communication system replaces the switch-off paths implemented in the prior art in hardware (by cabling) (for example monitoring unit with star-shaped cabling to wheel computers in a brake-by ⁇ wire system).
- the communication system enables an intelligent watchdog implemented locally according to the prior art (often in the form of simple hardware circuits) on the process computer of the control unit to be shifted to any selected process computer in the communication system.
- a control unit with its process computer that is already present in the distributed system is preferably used.
- An extended watchdog functionality such as a plausibility check
- the additional mechanism for secure shutdown in the communication system also enables a distributed monitoring concept. This means that not only a process computer takes over the function of the intelligent watchdog, but that several control units with their process computers can trigger or switch off via the communication system.
- a communication system that is already standardized in today's motor vehicles and an associated bus cabling (single-wire or two-wire line) is used as the switch-off path. There is no explicit wiring for the shutdown path between the units of the
- the communication system executes a control or shutdown protocol which is built into the normal protocol sequence (actual sending and receiving of messages, message confirmation and subscriber service). This creates a small one Increased load on the communication controller, but a significant improvement in the use of existing control devices (processor computers). Furthermore, the communication system provides software and hardware interfaces to the process computer in order to initiate or implement the control or switch-off protocol.
- An enable circuit via which a component (the actuators) of a distributed safety-relevant system is controlled according to the method according to the invention, is operated by a process computer on the one hand and by a communication controller on the other hand.
- a process computer itself can also be coupled to the communication controller, so that the process computer which controls the component can itself be controlled or switched off, e.g. by connecting the communication controller to a reset line of the process computer.
- control message shuts down the faulty first process computer and / or the component controlled by it.
- a local authorization list is provided to the process computer, on the basis of which it is checked whether the sender of the control message is authorized to control the faulty first process computer by identifying the sender of the control message with the content of the control message Authorization list is compared.
- a global subscriber list is provided in the communication system, on the basis of which it is checked whether the sender of the control message is connected to the communication system and is actively involved in the communication via the communication system by an identifier of the sender of the control message is compared with the content of the participant list.
- a successful activation of the defective first process computer and / or the component is advantageously communicated to at least one sender of the activation message.
- the successful activation of the faulty first process computer and / or the component is preferably communicated to all process computers by deleting the faulty first process computer from a global participant list provided in the communication system, the participant list listing those process computers which are connected to the communication system and are active are involved in communication via the communication system.
- At least one of the further process computers has means for determining an error of at least one of the first process computers and means for, if the at least one faulty the first process computer has an error in transmitting a control message for controlling the faulty first process computer and / or the component controlled by it via the communication system;
- the communication controller of the faulty first process computer has information available as to whether the sender of the control message is authorized to control the faulty first process computer;
- the communication controller of the faulty first process computer has information available as to whether the sender of the control message is connected to the communication system and is active on the
- the communication controller of the faulty first process computer has means for deciding according to a predeterminable decision algorithm, such as the faulty first process computer and / or the component, depending on the content of control messages from the senders who are authorized to control the faulty first process computer, and to the
- Communication system connected and actively involved in communication via the communication system are to be controlled; and the communication controller of the faulty first process computer means for corresponding control of the faulty first process computer and / or the component.
- the information as to whether the sender of the control message is authorized to control the faulty first process computer is available in the form of a local authorization list provided in the communication controller of the at least one first process computer.
- Communication via the communication system is involved in the form of a global subscriber list provided in the communication system.
- the communication protocol is supplemented by mechanisms which enable the communication controller to check whether one of the further process computers which have a trigger message for triggering at least one first faulty process computer and / or the component controlled by it is transmitted via the communication system, connected to the communication system and active on the
- Communication via the communication system is involved; to check whether the sender of the control message is authorized to control the faulty first process computer; , to decide according to a predeterminable decision algorithm, such as the first process computer and / or the component, depending on the content of control messages of the senders who are authorized, the faulty first one
- Control process computers and which are connected to the communication system and are actively involved in communication via the communication system are to be controlled; and - to control the first process computer and / or the component accordingly.
- the communication protocol be supplemented by mechanisms for executing the method according to the invention.
- Communication via the communication system are involved, are to be controlled; and the first process computer and / or the component.
- Communication protocol is supplemented by mechanisms for executing the method according to the invention.
- FIG. 1 shows a distributed safety-relevant system according to the invention in a cutout according to a preferred embodiment
- FIG. 2 shows a control module of a distributed safety-relevant system known from the prior art
- FIG. 3 enable signals within a control module from FIG. 1;
- Figure 4 shows a shutdown protocol according to a first preferred embodiment of the invention
- Figure 5 shows a shutdown protocol according to a second preferred embodiment of the method according to the invention.
- the present invention is explained in more detail below on the basis of an electrical braking system.
- the invention is not limited to electrical braking systems, but rather can be used for any distributed safety-related systems.
- the present invention allows components Akt_l of the safety-relevant system to be safely released without the use of additional monitoring units.
- the tasks of the monitoring units are rather taken over by further process computers P-m of the distributed system, which are present in the system anyway and have been expanded by a corresponding functionality.
- the braking system comprises a wheel module R__l, R_m for each vehicle wheel to be braked.
- Each wheel module R_l, R_m. comprises a microcomputer system P_l, P_m and an enabling circuit FS_1, FS_m.
- the microcomputer systems P_l, P_m each include a process computer Pro_l, Pro_m and an intelligent communication controller S_l, S_m. The process computer Pro_l, Pro_m and the
- Communication controllers S_l, S__m of a microcomputer system P_l f P can be on a semiconductor module (so-called chip) be summarized; however, they are always designed as independent, separate units.
- Each wheel module R_l, R__m is connected via a communication controller S_l, S_m to a communication system K_l in the form of a physical data bus. Data is transmitted via the data bus, e.g. according to the CAN (Controller Area Network), TTCAN (Time Triggered CAN), TTP / C (Time Triggered Protocol for Class C) or FlexRay protocol.
- Wheel modules R_l, R_m each control a component in the form of an actuator Akt_l, Akt_m, which are designed, for example, as electric motors for actuating or releasing wheel brakes.
- FIG. 1 shows the internal structure of two wheel modules and the signal flow running therein in one possible embodiment of the distributed monitoring concept.
- the task of the wheel module R_l (more precisely, the process computer Pro_l) is to control the actuators Akt_l of the electric braking system.
- the actuator Akt_l When activating the actuator Akt_l, it is important to prevent the actuator Akt_l from being actuated by a faulty actuation signal A_ll of the microcomputer system P_l. This means that the control signal A_ll should only be passed on to the actuator Akt_l if it is determined with a sufficiently high probability that it is error-free.
- Actuator Akt_l therefore essentially comprises the following steps:
- the processor Pro_l of the microcomputer system P_l determines by executing a program code as a function of at least one input signal at least one control signal A_ll for the actuator system Akt_l.
- the input signals contain information about the actual state of the brake system and the motor vehicle and are sent to the via the data bus K_l first wheel module R_l transmitted.
- Processor Pro_l must be available. In the present example with a plurality of similar wheel modules R_l, R_m, this means no or only minimal additional effort, since the program codes running on the processors Pro_l, Pro_m are essentially the same. Thus, the program code, which is available in the processors Pro_m anyway, can be processed with the input signals of the first wheel module R_l in order to obtain the logical control signals A_lm. This simplification applies to all distributed systems with identical control modules. The input signals can be transmitted to the microcomputer systems P__m via the data bus K_l. If the process computers Pro_l, Pro_m are functioning correctly, the control signals are
- the control signal A_ll is compared in the process computers Pro_m of the further microcomputer systems P_m with the control signal A_ll previously determined in the process computer Pro__l. For this purpose, the control signal A_ll must be transmitted to the further microcomputer systems P_m via the data bus K_l.
- the other microprocessor systems P_m generate status information which is sent to the data bus K 1 Communication controller S_l of the first microcomputer system P_l are transmitted.
- the information that has to be transmitted via the communication system K_1 in order to implement the distributed monitoring concept consists, for example, of one or more bits. It is conceivable to include the information for transmission in the communication protocol of the data bus K_l.
- Microcomputer system P__l evaluates the incoming status information and generates an enable signal F_l in the event of a corresponding status (i.e. when the correct functioning of the process computer Pro_l is signaled). Evaluating the
- Status information can be done in different ways. For example, it can be a comparison, a logical (preferably an AND) link or a majority decision of the status information SF_lm.
- the at least one control signal A_ll or at least one signal dependent thereon is forwarded to the actuator Akt__l if the at least one enable signal F_l has a predeterminable value.
- an AND operation of the control signal A_ll with the enable signal F_l is carried out in the enable circuit FS_1. If the enable signal F_l is logic one, the control signal A__ll is forwarded to the actuator Akt_l. However, if the enable signal F_l is logic zero, the control signal A_ll is not passed on to the actuator Akt__l.
- the described method can Functionality of the processor Pro_l des
- Microcomputer system P_l checked and a safe release of Aktorik Akt_l can be achieved.
- the Pro_m processors of the other microcomputer systems P_m are mainly used to check the Pro__l processor.
- the method according to the invention can also be used to check the functionality of the processors Pro_m of the further microcomputer systems P_m and to safely release the actuators Akt__m. Then the other processors Pro_m (without the processor to be checked) and the processor Pro_l of the first microcomputer system P_l are used for the check.
- Each individual microcomputer system P_l, P_m within the safety-relevant distributed braking system therefore has on the one hand the primary task, to determine the control signals A_ll, A_ml for the actuators Akt_l, Akt_m assigned to it, and on the other hand the secondary task, the function of the other processors in fulfilling them Control primary tasks.
- the described distributed monitoring concept thus creates the possibility of a safe and even redundantly effective release of the actuators Akt__l, Akt_m.
- the wheel module R_1 is shown in detail in FIG.
- Software interfaces SS__1 are provided between the communication controller S_l and the process computer Pro_l to implement a secure shutdown path via the communication system K_l.
- the interfaces SS_1 are used to set a control message in the form of a
- a hardware interface is also required, which is brought up to the release circuit FS_1 by the communication controller S_l.
- the hardware interface is used in particular in the event of error situations in which the 5 process computer Pro__l can no longer reliably read the current shutdown vector and the actuator Akt_l can be switched off by the communication controller 'S_l.
- a connection pin F_l is provided which is connected to the
- a communication system K__l already standardized in today's motor vehicles and the associated one
- an enable circuit FS_1 is therefore operated by the process computer Pro_l on the one hand and by the communication controller S_l on the other. It is thus possible to switch off the actuator Akt__l using the switch-off mechanism described in this patent application via the communication system K_l.
- the process computer Pro_l itself can also use the
- ⁇ Communication controller S_l are coupled so that the process computer Pro_l can also be switched off, eg. B. by coupling to a Res ' et line B of the process computer Pro_l.
- the realization of the secured shutdown path via the communication system K_l is possible with almost every control device Pro_l, Pro_m which is connected to a data bus K_l with its communication controller S_l, S_m.
- the communication controller S_l, S_m must implement the shutdown protocol in the communication protocol.
- the shutdown protocol and the necessary configuration data or interfaces SS_1, F_l are described below.
- a static information is stored about which microcomputer system has P_m or which process computer Pro_m permission 'to disable the communications controller S_L associated process computer Pro_l.
- the static information is stored, for example, on a flash EPROM (Erasable and Programmable Read Only Memory) in the communication controllers S_l.
- This static information can be composed of the following contents: e An identifier of the local communication controller S_l. For some protocols, e.g. B. TTP / C, already exists. ⁇ A local (individual) list, in which identifiers of communication controllers S_m are listed, whose switch-off message for switching off the local process computer Pro_l or the actuators Akt_l controlled by it via the
- Communication controller S_l may lead.
- the list is preferably based on the number of authorized communication controllers, e.g. B. limited to three entries.
- the shutdown vector is a bit vector and represents the m participants in the entire distributed safety-relevant system.
- a certain bit position is an identifier of a certain one
- Shutdown vector can have two states per control unit .P_l,
- the shutdown vector can be shortened for reasons of limited bandwidth or a limited number of protocol data (control data for the protocol sequence, which are sent together with the user data in a message packet via the communication system K_l). Only selected control devices P 1, P m are then shown in the shutdown vector.
- information is also accessed as to whether the sender of a shutdown vector is connected to the communication system K_l and is actively involved in communication via the communication system K_l.
- Some communication protocols provide this information as standard. This functionality is also referred to in the communication protocols as a subscriber service or membership service. Then these are
- control device P_l, P_m If a control device P_l, P_m is designated as inactive by this decision, this control device may no longer actively participate in the communication.
- the responsible process computer Pro_l, Pro_m recognizes this state and must take measures to correct the one assigned to it Switch communication controller S_l, S_m active again (restart and resynchronization).
- the mechanism for determining the active participants (membership) is carried out continuously and is part of the actual communication protocol.
- the leadership information is available in the communication system K_l in the form of a membership vector Me.
- the starting situation for carrying out the method according to the invention is an active distributed system with functioning participants
- FIGS. 4 and 5 Communication controllers S_l, ' S_m and their control devices P_l, P_m or process computers Pro ⁇ l, Pro_m).
- the membrane information Me is therefore "1" for each subscriber, and there is no requirement for a shutdown (shutdown vector Ab).
- This starting situation is in step 1) of FIGS. 4 and 5 for a distributed system with four subscribers A, B, C, D.
- Figure 4 relates to a switch-off protocol with only one authorized user (subscriber A may only be switched off by user D)
- Figure 5 relates to a switch-off protocol with three authorized users and an absolute majority (user A is switched off if at least two of the three other participants B, C, D advocate switching off participant A).
- the shutdown vector Ab represents a shutdown command from an authorized control device P_m for a specific control device P_l as soon as the bit position for this control device P_l is set to "1".
- the shutdown vector is used by the communication protocol at the sender P_m with the other control data a message coded and sent (see step 2) in Figures 4 and 5).
- the communication system K_l is based on multicast messages. It can be assumed that each active control unit P_l, P_rn receives all messages sent and recognized as error-free and then starts local protocol mechanisms. Special cases in which the correctness of a message is only decided after a certain number of further transmission processes (e.g. with TTP / C) must be treated separately. This special case means that the received shutdown vector is to be regarded as invalid until this final decision.
- the communication controller S_l takes the information from the shutdown vector Ab from the received protocol data.
- the authorization S can be checked at the recipient S__l.
- the recipient S_l knows the identifier of the sender P__m of the message from the connection between the time of transmission, message identifier and static information on the deactivation authorization If the identity of the sender P_m is not clearly defined, the identifier of the sender P_m must also be transmitted in addition to the shutdown vector Ab.
- a bit position is set in the shutdown vector Ab of subscriber D that corresponds to the identifier of subscriber A.
- subscriber D is entered as the authorized person to switch off. For this reason, in step 3) the process computer and / or the actuator system of subscriber A controlled by the process computer is switched off.
- the communication controller S_l sets the status of the shutdown vector Ab in the software interface SS_1 to the current status (cf. step 3) in FIG. 4 and SS_1 in FIG. 3).
- the communication controller S 1 sets the level for switching off at the connection pin provided on the hardware interface in order to initiate the switching off of the actuators via the enable circuit FS_1 (cf. step 3) in FIG. 4 'and signal F_1 and signal B in FIG. 3).
- the communication controller S_l changes to a passive state, ie it no longer takes part in the communication via the communication system K_l. This measure signals to the other participants B, C, D that the entire node (including the control unit, the actuators, the sensors and the communication controller of the participant A) is no longer available.
- subscriber A is only shutdown if, on the one hand, the bit position set in the shutdown vector Ab matches the identifier of subscriber A and, on the other hand, there is a match between the authorized subscribers B, C, D Subscriber A is switched off, with all three subscribers B, C, D being entered in the local authorization list as authorized to switch off subscriber A.
- the shutdown vectors Ab of the different participants B, C, D must be collected.
- the Shutdown vector From a certain participant B, C or D may only be collected if the participant B, C or D in the membership vector Me des
- Communication protocol is marked as active (see steps 3 to 5 in Figure 5). This prevents a situation from occurring in which a shutdown of subscriber A would be necessary but one of the subscribers B, C, D itself is not active and thus can prevent the shutdown of subscriber A, since the shutdown command of the inactive subscriber B, C or D.
- the voting process is initiated according to a predeterminable decision algorithm.
- the absolute majority of active authorized participants B, C, D is chosen for the vote.
- Another decision algorithm such as B. a two out of three selection can also be implemented.
- the choice of the decision algorithm to be used can be set with the configuration in the communication controller S_l, e.g. B. a choice of an absolute majority, a two- from three-choice or a at least one (at least one) semantics.
- B a choice of an absolute majority, a two- from three-choice or a at least one (at least one) semantics.
- the communication controller S_l has the status of the shutdown vector Ab in the software interface to the current status (cf. step 5) in FIG. 5 and SS__1 in FIG. 3).
- the communication controller S_l sets the level for switching off at the connection pin provided in the hardware interface in order to initiate the switching off via the enable circuit FS_1 (Step 5) in Figure 5 and signal F_l and signal B in Figure 3).
- the communication controller S_l changes to a passive state, ie it no longer takes part in the communication.
- This measure signals to the other participants B, C, D that the entire node comprising the control unit, the actuators, the sensors and the communication controller is no longer available.
- This causes the deletion of subscriber A in the membership vector Me of the other subscribers B, C, D in the distributed system (cf. step 6) in FIG. 5).
- the senders (subscribers B, C, D) of the shutdown vector Ab receive confirmation of the success of the shutdown command.
- Repeated setting of the bit position in the shutdown vector Ab which corresponds to subscriber A is no longer necessary (cf. step 7) in FIG. 5).
- Each sender Pro_m a shut-vector from sets the corresponding subscriber A bit position in its shut-vector from so long, transmitted to the confirmation of successful disconnection of the disconnected subscriber A by an absence 'of the corresponding subscriber A in the membership vector Me becomes.
Landscapes
- Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Automation & Control Theory (AREA)
- Theoretical Computer Science (AREA)
- Mechanical Engineering (AREA)
- Computer Networks & Wireless Communication (AREA)
- Medical Informatics (AREA)
- General Health & Medical Sciences (AREA)
- Signal Processing (AREA)
- Transportation (AREA)
- Computing Systems (AREA)
- Quality & Reliability (AREA)
- General Engineering & Computer Science (AREA)
- Health & Medical Sciences (AREA)
- Safety Devices In Control Systems (AREA)
- Hardware Redundancy (AREA)
- Programmable Controllers (AREA)
Abstract
Description
Claims
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2002574009A JP2004519060A (ja) | 2001-03-15 | 2002-03-14 | 分配された安全上重要なシステムを駆動する方法 |
DE10291113T DE10291113D2 (de) | 2001-03-15 | 2002-03-14 | Verfahren zum Betreiben eines verteilten sicherheitsrelevanten Systems |
EP02726060A EP1370914A1 (de) | 2001-03-15 | 2002-03-14 | Verfahren zum betreiben eines verteilten sicherheitsrelevanten systems |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE10112911.4 | 2001-03-15 | ||
DE10112911 | 2001-03-15 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2002075464A1 true WO2002075464A1 (de) | 2002-09-26 |
Family
ID=7677840
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/DE2002/000915 WO2002075464A1 (de) | 2001-03-15 | 2002-03-14 | Verfahren zum betreiben eines verteilten sicherheitsrelevanten systems |
Country Status (5)
Country | Link |
---|---|
US (1) | US20030184158A1 (de) |
EP (1) | EP1370914A1 (de) |
JP (1) | JP2004519060A (de) |
DE (2) | DE10211279A1 (de) |
WO (1) | WO2002075464A1 (de) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3492999A1 (de) * | 2017-11-30 | 2019-06-05 | Siemens Aktiengesellschaft | Verfahren zum betrieb eines kommunikationssystems, kommunikationssystem und kommunikationsteilnehmer |
Families Citing this family (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE10248456A1 (de) * | 2001-10-19 | 2003-06-18 | Denso Corp | Fahrzeugkommunikationssystem |
DE10235527C1 (de) * | 2002-08-03 | 2003-10-09 | Daimler Chrysler Ag | Vorrichtung und Verfahren zur redundanten Spannungsversorgung sicherheitsrelevanter Systeme |
WO2005053223A2 (en) * | 2003-11-19 | 2005-06-09 | Honeywell International Inc. | Coupling linear bus nodes to rings |
DE102005018837A1 (de) * | 2005-04-22 | 2006-10-26 | Robert Bosch Gmbh | Verfahren und Vorrichtung zur Synchronisation zweier Bussysteme sowie Anordnung aus zwei Bussystemen |
DE102009005266A1 (de) | 2009-01-20 | 2010-07-22 | Continental Teves Ag & Co. Ohg | Anbindung eines Kommunikationscontrollers in Sicherheitsarchitekturen |
FR2944612A3 (fr) * | 2009-04-15 | 2010-10-22 | Renault Sas | Architecture de commande electronique d'un vehicule automobile. |
DE102010054188A1 (de) | 2010-07-27 | 2012-02-02 | Volkswagen Aktiengesellschaft | Verfahren und Rechnerverbund zur Steuerung eines Elektromotors |
DE102010039858A1 (de) | 2010-08-27 | 2011-09-15 | Robert Bosch Gmbh | Watchdog-Funktion |
DE102010039860A1 (de) | 2010-08-27 | 2012-03-01 | Robert Bosch Gmbh | Komponentenüberwachung in einem elektrisch betriebenen Fahrzeug |
DE102011118172A1 (de) | 2011-11-10 | 2013-05-16 | Volkswagen Aktiengesellschaft | Notlaufbetrieb eines Elektromotors |
US10112606B2 (en) | 2016-01-22 | 2018-10-30 | International Business Machines Corporation | Scalable sensor fusion and autonomous x-by-wire control |
US10269192B2 (en) | 2017-04-07 | 2019-04-23 | Airbiquity Inc. | Technologies for verifying control system operation |
DE102019207809A1 (de) * | 2019-05-28 | 2020-12-03 | Siemens Mobility GmbH | Steueranlage und Verfahren zum Betreiben einer Steueranlage |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6002970A (en) * | 1997-10-15 | 1999-12-14 | International Business Machines Corp. | Method and apparatus for interface dual modular redundancy |
DE19826131A1 (de) * | 1998-06-12 | 1999-12-16 | Bosch Gmbh Robert | Elektrisches Bremssystem für ein Kraftfahrzeug |
WO2000005116A1 (en) * | 1998-07-20 | 2000-02-03 | Motorola Limited | Fault-tolerant electronic braking system |
WO2001014940A1 (de) * | 1999-08-20 | 2001-03-01 | Pilz Gmbh & Co. | Vorrichtung zum steuern von sicherheitskritischen prozessen |
Family Cites Families (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE4022671A1 (de) * | 1990-07-17 | 1992-01-23 | Wabco Westinghouse Fahrzeug | Elektronisches bremssystem fuer stassenfahrzeuge |
DE4339570B4 (de) * | 1993-11-19 | 2004-03-04 | Robert Bosch Gmbh | Elektronisches Bremssystem |
DE19510525A1 (de) * | 1995-03-23 | 1996-09-26 | Bosch Gmbh Robert | Verfahren und Vorrichtung zur Steuerung bzw. Regelung der Bremsanlage eines Fahrzeugs |
US5924774A (en) * | 1995-11-30 | 1999-07-20 | Zeftron, Inc. | Electronic pneumatic brake system |
DE19742988C1 (de) * | 1997-09-29 | 1999-01-28 | Siemens Ag | Bremsanlage für ein Kraftfahrzeug |
US6748438B2 (en) * | 1997-11-17 | 2004-06-08 | International Business Machines Corporation | Method and apparatus for accessing shared resources with asymmetric safety in a multiprocessing system |
DE19800311A1 (de) * | 1998-01-07 | 1999-07-08 | Itt Mfg Enterprises Inc | Elektronische, digitale Einrichtung |
DE19840484A1 (de) * | 1998-09-04 | 2000-03-09 | Bosch Gmbh Robert | Fahrzeugrechneranordnung |
GB2345161A (en) * | 1998-12-23 | 2000-06-28 | Motorola Ltd | Microprocessor module and method |
US6212457B1 (en) * | 1999-08-05 | 2001-04-03 | Trw Inc. | Mixed parallel and daisy chain bus architecture in a vehicle safety system |
DE19937156A1 (de) * | 1999-08-06 | 2001-02-08 | Bosch Gmbh Robert | Elektrisch gesteuertes, dezentrales Steuersystem in einem Fahrzeug |
DE60011583T2 (de) * | 1999-12-15 | 2004-11-04 | Delphi Technologies, Inc., Troy | Hardwaretopologien für elektrisch betätigte Bremssättel und Lenkmotor eines Sicherheitssystems |
EP1257903A4 (de) * | 2000-02-01 | 2004-10-13 | Delphi Tech Inc | Multimodul-control-by-wire-architektur |
JP4727896B2 (ja) * | 2001-06-27 | 2011-07-20 | ローベルト ボッシュ ゲゼルシャフト ミット ベシュレンクテル ハフツング | システムの機能性の監視方法,その監視装置,メモリ素子,コンピュータプログラム |
-
2002
- 2002-03-14 EP EP02726060A patent/EP1370914A1/de not_active Withdrawn
- 2002-03-14 DE DE10211279A patent/DE10211279A1/de not_active Withdrawn
- 2002-03-14 DE DE10291113T patent/DE10291113D2/de not_active Expired - Fee Related
- 2002-03-14 JP JP2002574009A patent/JP2004519060A/ja active Pending
- 2002-03-14 US US10/276,816 patent/US20030184158A1/en not_active Abandoned
- 2002-03-14 WO PCT/DE2002/000915 patent/WO2002075464A1/de active Application Filing
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6002970A (en) * | 1997-10-15 | 1999-12-14 | International Business Machines Corp. | Method and apparatus for interface dual modular redundancy |
DE19826131A1 (de) * | 1998-06-12 | 1999-12-16 | Bosch Gmbh Robert | Elektrisches Bremssystem für ein Kraftfahrzeug |
WO2000005116A1 (en) * | 1998-07-20 | 2000-02-03 | Motorola Limited | Fault-tolerant electronic braking system |
WO2001014940A1 (de) * | 1999-08-20 | 2001-03-01 | Pilz Gmbh & Co. | Vorrichtung zum steuern von sicherheitskritischen prozessen |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3492999A1 (de) * | 2017-11-30 | 2019-06-05 | Siemens Aktiengesellschaft | Verfahren zum betrieb eines kommunikationssystems, kommunikationssystem und kommunikationsteilnehmer |
Also Published As
Publication number | Publication date |
---|---|
US20030184158A1 (en) | 2003-10-02 |
DE10291113D2 (de) | 2004-04-15 |
EP1370914A1 (de) | 2003-12-17 |
JP2004519060A (ja) | 2004-06-24 |
DE10211279A1 (de) | 2002-09-26 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
DE102017209721B4 (de) | Vorrichtung für die Steuerung eines sicherheitsrelevanten Vorganges, Verfahren zum Testen der Funktionsfähigkeit der Vorrichtung, sowie Kraftfahrzeug mit der Vorrichtung | |
EP0925674B1 (de) | Verfahren zur kontrolle der verbindungen eines übertragungssystems und komponente zur durchführung des verfahrens | |
DE19634567B4 (de) | Elektrisches Bremssystem | |
EP0979189B1 (de) | Schaltungsanordnung für ein kraftfahrzeug-regelungssystem | |
EP1763454B1 (de) | Redundantes datenbussystem | |
EP2176106B1 (de) | Bremssystem für ein fahrzeug und verfahren zum betreiben eines bremssystems für ein fahrzeug | |
WO2002075464A1 (de) | Verfahren zum betreiben eines verteilten sicherheitsrelevanten systems | |
DE102007036259A1 (de) | Bremssystem für ein Fahrzeug und ein Verfahren zum Betreiben eines Bremssystems für ein Fahrzeug | |
EP1533673A2 (de) | Steuerungssystem | |
EP3385934B1 (de) | Vorrichtung für die steuerung eines sicherheitsrelevanten vorganges, verfahren zum testen der funktionsfähigkeit der vorrichtung, sowie kraftfahrzeug mit der vorrichtung | |
EP1615811B1 (de) | Elektrisches, dezentrales bremssystem in einem fahrzeug | |
EP1401690A1 (de) | Verfahren zur ansteuerung einer komponente eines verteilten sicherheitsrelevanten systems | |
EP1814765B1 (de) | Verfahren und vorrichtung zur lenksäulenverriegelung | |
DE10236080A1 (de) | Verfahren und Vorrichtung zur Steuerung von Betriebsabläufen, insbesondere in einem Fahrzeug | |
WO2011048145A1 (de) | Automatisierungssystem und verfahren zum betrieb eines automatisierungssystems | |
DE102008029948B4 (de) | Überwachungssystem | |
EP1962193B1 (de) | Schaltungsvorrichtung und entsprechendes Verfahren zum Ansteuern einer Last | |
EP3871393B1 (de) | Verfahren zur überwachung eines datenübertragungssystems, datenübertragungssystem und kraftfahrzeug | |
WO2006024447A1 (de) | Energiemanagement auf der basis eines logischen rings | |
EP3096970B1 (de) | Verfahren zum betrieb eines hochspannungsnetzes eines kraftfahrzeugs und kraftfahrzeug | |
EP1447830B1 (de) | Schaltvorrichtung zur codierung unterschiedlicher Schaltzustände | |
EP4187858A1 (de) | Eine sekundärsteuereinheit für ein fahrzeug mit einer primärsteuereinheit und einem datenübertragungsweg | |
WO2024061559A1 (de) | Anhängernetzwerksystem zur datenkommunikation in einem anhängerfahrzeug sowie anhängerfahrzeug damit und verfahren dafür | |
DE102020107751A1 (de) | Verfahren zur Arbitrierung von Signalen von Steuergeräten in einem redundanten System für autonomes Fahren | |
DE102022203853A1 (de) | Verfahren und Vorrichtung zum Abbremsen eines Fahrzeugs bei Ausfall der Bremsensteuerung |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AK | Designated states |
Kind code of ref document: A1 Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DE DK EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG US UZ VN YU ZA ZW |
|
AL | Designated countries for regional patents |
Kind code of ref document: A1 Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2002726060 Country of ref document: EP |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
WWE | Wipo information: entry into national phase |
Ref document number: 10276816 Country of ref document: US |
|
WWP | Wipo information: published in national office |
Ref document number: 2002726060 Country of ref document: EP |
|
REF | Corresponds to |
Ref document number: 10291113 Country of ref document: DE Date of ref document: 20040415 Kind code of ref document: P |
|
WWE | Wipo information: entry into national phase |
Ref document number: 10291113 Country of ref document: DE |