WO2009040137A1 - A control system for vehicles - Google Patents

A control system for vehicles

Publication number
WO2009040137A1
Authority
WO
WIPO (PCT)
Prior art keywords
control
subsystem
control means
accordance
control system
Application number
PCT/EP2008/008264
Other languages
French (fr)
Inventor
Mark Willerton
Lothar Weichenberger
Original Assignee
Autoliv Development Ab
Application filed by Autoliv Development Ab
Priority to EP08802696A (EP2190712B1)
Publication of WO2009040137A1

Classifications

    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B9/00Safety arrangements
    • G05B9/02Safety arrangements electric
    • G05B9/03Safety arrangements electric with multiple-channel loop, i.e. redundant control systems
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60TVEHICLE BRAKE CONTROL SYSTEMS OR PARTS THEREOF; BRAKE CONTROL SYSTEMS OR PARTS THEREOF, IN GENERAL; ARRANGEMENT OF BRAKING ELEMENTS ON VEHICLES IN GENERAL; PORTABLE DEVICES FOR PREVENTING UNWANTED MOVEMENT OF VEHICLES; VEHICLE MODIFICATIONS TO FACILITATE COOLING OF BRAKES
    • B60T8/00Arrangements for adjusting wheel-braking force to meet varying vehicular or ground-surface conditions, e.g. limiting or varying distribution of braking force
    • B60T8/32Arrangements for adjusting wheel-braking force to meet varying vehicular or ground-surface conditions, e.g. limiting or varying distribution of braking force responsive to a speed condition, e.g. acceleration or deceleration
    • B60T8/88Arrangements for adjusting wheel-braking force to meet varying vehicular or ground-surface conditions, e.g. limiting or varying distribution of braking force responsive to a speed condition, e.g. acceleration or deceleration with failure responsive means, i.e. means for detecting and indicating faulty operation of the speed responsive control means
    • B60T8/885Arrangements for adjusting wheel-braking force to meet varying vehicular or ground-surface conditions, e.g. limiting or varying distribution of braking force responsive to a speed condition, e.g. acceleration or deceleration with failure responsive means, i.e. means for detecting and indicating faulty operation of the speed responsive control means using electrical circuitry
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W50/00Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
    • B60W50/02Ensuring safety in case of control system failures, e.g. by diagnosing, circumventing or fixing failures
    • B60W50/029Adapting to failures or work around with other constraints, e.g. circumvention by avoiding use of failed parts
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60TVEHICLE BRAKE CONTROL SYSTEMS OR PARTS THEREOF; BRAKE CONTROL SYSTEMS OR PARTS THEREOF, IN GENERAL; ARRANGEMENT OF BRAKING ELEMENTS ON VEHICLES IN GENERAL; PORTABLE DEVICES FOR PREVENTING UNWANTED MOVEMENT OF VEHICLES; VEHICLE MODIFICATIONS TO FACILITATE COOLING OF BRAKES
    • B60T2270/00Further aspects of brake control systems not otherwise provided for
    • B60T2270/40Failsafe aspects of brake control systems
    • B60T2270/413Plausibility monitoring, cross check, redundancy
    • FMECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING
    • F16ENGINEERING ELEMENTS AND UNITS; GENERAL MEASURES FOR PRODUCING AND MAINTAINING EFFECTIVE FUNCTIONING OF MACHINES OR INSTALLATIONS; THERMAL INSULATION IN GENERAL
    • F16HGEARING
    • F16H61/00Control functions within control units of change-speed- or reversing-gearings for conveying rotary motion ; Control of exclusively fluid gearing, friction gearing, gearings with endless flexible members or other particular types of gearing
    • F16H61/12Detecting malfunction or potential malfunction, e.g. fail safe; Circumventing or fixing failures
    • F16H2061/1208Detecting malfunction or potential malfunction, e.g. fail safe; Circumventing or fixing failures with diagnostic check cycles; Monitoring of failures
    • F16H2061/1212Plausibility checks; Counting means for repeated failures
    • FMECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING
    • F16ENGINEERING ELEMENTS AND UNITS; GENERAL MEASURES FOR PRODUCING AND MAINTAINING EFFECTIVE FUNCTIONING OF MACHINES OR INSTALLATIONS; THERMAL INSULATION IN GENERAL
    • F16HGEARING
    • F16H61/00Control functions within control units of change-speed- or reversing-gearings for conveying rotary motion ; Control of exclusively fluid gearing, friction gearing, gearings with endless flexible members or other particular types of gearing
    • F16H61/12Detecting malfunction or potential malfunction, e.g. fail safe; Circumventing or fixing failures
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00Program-control systems
    • G05B2219/20Pc systems
    • G05B2219/24Pc safety
    • G05B2219/24183If error, spare unit takes over, message to master, confirm new configuration

Landscapes

  • Engineering & Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Transportation (AREA)
  • Mechanical Engineering (AREA)
  • Human Computer Interaction (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Hardware Redundancy (AREA)
  • Safety Devices In Control Systems (AREA)

Abstract

The invention relates to a control system for vehicles comprising at least two control means which each communicate with at least one operating means, with the control means each being connected to a check means which can suppress the forwarding of check means data. In accordance with the invention, a redundant control means can be associated with each control means and has a control algorithm which is equivalent to the control algorithm of the control means.

Description

A control system for vehicles
The invention relates to a control system for vehicles and in particular for the control of vehicle safety devices in accordance with the preamble of claim 1.
Controllers for measurement work, control work and feedback control work are used in the field of vehicle electronics. The steps required to carry out this work are described in programs or routines and are predominantly executed on a processor. Specific measures must be provided in dependence on the safety demands of the system to secure against systematic and spontaneous malfunction. It is known for this purpose to use control computers for critical safety systems in vehicles such as in electronic braking systems, electronic stability programs and electrohydraulic brakes. The so-called electronic regulators or controllers already have physical and/or functional default planes today in dependence on the embodiment variant.
Such a hydraulic default plane is realised, for example, in a known manner in that the electronic ABS controller is deactivated in the event of a malfunction in an anti-lock braking system. The hydraulic valves which are currentless with a deactivated controller are designed so that a usual braking can still be carried out without the anti-lock system. An emergency operation or a restricted operation can therefore be ensured on the failure of the system or of system parts. A functional default plane can likewise be realised in a similar manner. If, for example, a complex high-order software function - such as an electronic stability program - is faulty, it is shut down, with the software of a lower order, for example an anti-lock system, still remaining operable.
The use of safe electronic hardware for the control and regulation of vehicle functions is constantly increasing in vehicles. In this context, the focus is in particular on a high reliability and a fault-tolerant embodiment of the electronic devices.
A fault-tolerant electronic controller is known from WO 03/050624 A1 whose availability and safety with respect to the microprocessor system is better than is the case with previously known microprocessor concepts. For this purpose, a multi-core redundant control computer system is provided in which at least two control computers are connected to one another. They are equipped, in addition to respectively having a computer core, with partially redundant or fully redundant peripheral elements and partially redundant or fully redundant memory elements and are integrated on a shared chip carrier or a shared chip, with the at least two control computers being connected to at least one shared first arbitration unit which monitors the control computers for an error function.
Similar safety mechanisms are known from DE 103 50 919 A1, which relates to a controller and to an acceleration sensor system, and from EP 0 728 635 B1, which relates to a control system for an occupant protection device.
A complete fault-tolerance is not required for most safety applications. On the occurrence of a fault, the system must, however, be fail safe. Future developments in the automotive sector will, however, make increasingly higher demands on the safety systems. The purely electronic control of vehicles is named here by way of example which e.g. completely dispenses with the presence of mechanical steering gears or which only controls the use of brakes electronically. If, for example, a fault should occur in the case of an electronic control of the brakes, no replacement hydraulic system is available. A fault-tolerance system is indispensable in this application case.
It is therefore the object of the present invention to provide control systems for vehicles which are both fail-safe and fault-tolerant in operation. At the same time, the control system should have as few components as possible.
This object is solved by a control system for vehicles in accordance with claim 1. This solution consists of a control system for vehicles, in particular for the control of vehicle safety devices, comprising at least two control means which each communicate with at least one operating means, with the control means each being connected to a check means which can suppress the forwarding of check means data. In accordance with the invention, a redundant control means can additionally be associated with each control means and has a control algorithm which is equivalent to the control algorithm of the control means.
Preferred embodiments of the solution in accordance with claim 1 result from claims 2 to 8.
In a first preferred embodiment the check means can suppress the forwarding of check means data via a switching means.
In a further embodiment of the invention a respective decision means can be connected after the control means and the data from the switching means connected after the control means and from the redundant control means are supplied to said decision means.
Status data of the check means can be supplied to the decision means. The fault-free operation of the check means can hereby be checked by the decision means.
The control system advantageously consists of two subsystems in which the check means of the individual subsystems are arranged in an apparatus and a control system of a subsystem is likewise arranged with the redundant control system of the other subsystem in a respective device.
A subsystem is to be understood in each case here as a system which, on the one hand, has a control means and a check means and a redundant control means. In accordance with this solution, the two subsystems are connected to one another locally in that the check means are realised together in an apparatus, for example a chip. In a further device, the control system of the first subsystem is realised with the redundant control system of the second subsystem, whereas in a third device, the redundant control system of the first subsystem is included in the control system of the second subsystem.
In accordance with a further embodiment of the invention, a simplified control algorithm is implemented in each check means, said simplified control algorithm mapping the control function in a simplified manner and forwarding these simplified control data to the associated decision means of the subsystem. The decision means can thus check whether the value of the control means is disposed within the expected results range which is calculated in a simplified manner and which is communicated to the simplified control algorithm in the check means.
In accordance with a further preferred aspect of the invention, the first subsystem represents a control system for active safety components and the second subsystem represents a control system for passive safety components.
Further details and advantages of the invention result from embodiments explained in the following with reference to the drawing. There are shown:
Figures 1 - 7: in each case, simplified schematic diagrams according to the present invention of different control systems in accordance with the invention; and
Figure 8: another schematic representation of a control system in accordance with the invention.
A control system in accordance with the invention is shown in Figure 1. A safety system architecture is realised here which includes two independent subsystems 10 and 12. Data of one or more sensors 14 are fed into each subsystem. The subsystems communicate with operating means, for example actuators 16. Each of the subsystems 10 and 12 shown here includes a control means 18. The respective control means 18 communicate with check means 20 which are connected in parallel and which check the function of the control means 18, as is shown by the double arrow. If the check means 20 find that the control means 18 is not working without problem, the data stream from the control means 18 is interrupted via a switching means 30.
In the safety system architecture as shown in Figure 1, a redundant control means 21 whose output data are supplied directly to the decision means 24 is provided here in each subsystem. A control algorithm is implemented in the redundant control means 21 which works differently, but equivalently, to the control algorithm of the control means 18.
A homogeneous redundancy is provided by such a realisation of two control paths. To minimize the risk of failure between the two control means 18 and 21, different implementing methods should be selected where possible for the implementation of the algorithm. Furthermore, the corresponding algorithms for the control means 18 and 21 can also each be realised by respective different programmers by different tools or the like. The power supply not otherwise shown in any more detail here should also, where possible, ensure that independent power supply paths are available here. Status data on the control means 18 and 21 red respectively which are evaluated by the decision means for the control of the operating means 16 can also be supplied additionally in the decision means 24 via the data line 26 in addition to the flow data of the check means 20.
The embodiment variant in accordance with Figure 2 corresponds in a large part to that in accordance with Figure 1. However, specific functions are here realised on preset devices on specific chips. It is indicated by the indexing which components are realised on a common chip. The check means 20" are realised on a first common chip. The control means 18 of the first decision maker is realised together with the redundant control means 21 of the second decision maker on a second chip. The control means 18' of the second subsystem is realised together with the redundant control means 21' on a third chip. The check means 20" thus monitor both the control means 18 and the redundant control means 21 of the respective subsystem 10 and 12, as results from the wiring in accordance with Figure 2.
The embodiment in accordance with Figure 3 substantially builds on that in accordance with Figure 2. The same parts are again also marked by the same reference numerals here. In this embodiment, simplified versions of the control algorithm such as was realised in the monitored control means are additionally realised in the respective check means 20". An additional security hereby takes place. The data from the control means 18, 18' and from the redundant control means 21', 21 as well as the security via the simplified algorithm of the check means are supplied for each subsystem 10 and 12 to the decision means 24 which then control the corresponding operating means.
The embodiment in accordance with Figure 4 substantially corresponds to that in accordance with Figure 3. The decision means 24 is here made as an intelligent component which has the capability of recognising faulty data from the control means 18, 18' or from the redundant control means 21, 21' and of suppressing them via the respective switching means 30. For this purpose, corresponding data lines are provided between the decision means 24 and the switching means 30. According to a decision priority, the decision means 24 in the aspect of this embodiment will preferably suppress the data stream of the redundant control means 21, 21'.
An embodiment of a system architecture in accordance with Figure 4 is shown in Figure 5. The first subsystem is here made as an active safety system and the second subsystem as a passive safety system. The data flows are forwarded from the control means 18, 18' and 21, 21' respectively as an SPI bus (serial peripheral interface), whereas the data stream of the respective check means is forwarded in a simple logical data line.
Figure 6 contains the identical implementation as Figure 5. The respective components, which are arranged on a chip, are, however, combined here.
The representation in accordance with Figure 7 shows the internal structure of the check means 20" as well as the internal structure of the decision means 24. As can be seen from the internal structure of the check means 20", it takes over two tasks, namely the monitoring of the operations of the associated control means of the chip on which the respective control means is arranged, on the one hand. On the other hand, the simplified algorithm (safety event identification - active safety saving) is carried out.
The data of the control means and of the redundant control means are checked in the decision means (inputs SPI1 and SPI2). On the occurrence of faults, these faulty data are suppressed when they are recognised (cf. failure monitor in Figure 7).
Figure 8 is a simplified overview of the realisation of the control system in accordance with Figure 7 in which the respective safety control functions are compiled in an overview.
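The data flow of one subsystem in the Figure 3/Figure 4 embodiments, sketched in C as an added example (it is not code from the patent): control means 18, redundant control means 21, check means 20 with its operation monitor and simplified algorithm, and decision means 24. The control law, the alive counter, the fault flags, the fail-safe command 0 and the policy applied when the check means itself reports a fault are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Numbers in comments are the patent's reference numerals. Everything else
 * (names, toy control law, fault flags, fail-safe value 0) is assumed. */
enum { F_CTRL_CORRUPT = 1, F_CTRL_HUNG = 2, F_RED_CORRUPT = 4, F_CHECK_FAULTY = 8 };

typedef struct { int32_t lo, hi; } range_t;            /* expected results range */
typedef struct { int32_t value; uint8_t alive; } ctrl_out_t;
typedef struct { bool switch_closed; range_t expected; bool status_ok; } check_out_t;
typedef enum { SRC_NONE, SRC_CONTROL, SRC_REDUNDANT } source_t;
typedef struct { source_t source; int32_t command; } decision_t;

/* Control means (18): toy law, command = 1.5 * sensor + 10. */
static ctrl_out_t control_means(int32_t x, uint8_t prev_alive, unsigned faults)
{
    ctrl_out_t o = { (3 * x) / 2 + 10, (uint8_t)(prev_alive + 1) };
    if (faults & F_CTRL_CORRUPT) o.value = 5000;   /* alive, but wrong result */
    if (faults & F_CTRL_HUNG) {                    /* stale value, counter stuck */
        o.value = 150;
        o.alive = prev_alive;
    }
    return o;
}

/* Redundant control means (21): same function, implemented differently. */
static int32_t redundant_control_means(int32_t x, unsigned faults)
{
    int32_t v = x + x / 2 + 10;
    return (faults & F_RED_CORRUPT) ? -7 : v;
}

/* Check means (20): monitors the operation of 18 and runs the simplified
 * algorithm that yields only a coarse expected range. */
static check_out_t check_means(int32_t x, ctrl_out_t c, uint8_t prev_alive, unsigned faults)
{
    check_out_t k;
    k.switch_closed = (c.alive == (uint8_t)(prev_alive + 1)); /* drives switch 30 */
    k.expected.lo = x;               /* bounds enclosing 1.5x + 10 for x >= 0 */
    k.expected.hi = 2 * x + 20;
    k.status_ok = !(faults & F_CHECK_FAULTY);
    return k;
}

static bool plausible(int32_t v, range_t r) { return v >= r.lo && v <= r.hi; }

/* Decision means (24): rejects faulty data and selects what reaches the
 * operating means (16). */
static decision_t decision_means(ctrl_out_t c, int32_t red, check_out_t k)
{
    decision_t fail_safe = { SRC_NONE, 0 };
    if (!k.status_ok) {
        /* Assumed policy: with a faulty check means neither its range nor its
         * switch state is trusted, so only agreement of both paths is accepted. */
        if (c.value == red) return (decision_t){ SRC_CONTROL, c.value };
        return fail_safe;
    }
    if (k.switch_closed && plausible(c.value, k.expected))
        return (decision_t){ SRC_CONTROL, c.value };  /* priority: drop stream of 21 */
    if (plausible(red, k.expected))
        return (decision_t){ SRC_REDUNDANT, red };    /* fault-tolerant operation */
    return fail_safe;                                 /* both paths rejected */
}

/* One control cycle of one subsystem (10 or 12) with injected faults. */
decision_t run_cycle(int32_t sensor, unsigned faults)
{
    uint8_t prev_alive = 41;  /* constructed counter value from the previous cycle */
    ctrl_out_t c = control_means(sensor, prev_alive, faults);
    int32_t r = redundant_control_means(sensor, faults);
    check_out_t k = check_means(sensor, c, prev_alive, faults);
    return decision_means(c, r, k);
}

/* The two diverse implementations must agree over the whole input range. */
bool paths_equivalent(int32_t max_sensor)
{
    for (int32_t x = 0; x <= max_sensor; x++)
        if (control_means(x, 0, 0).value != redundant_control_means(x, 0))
            return false;
    return true;
}

int main(void)
{
    static const char *src[] = { "fail-safe", "control 18", "redundant 21" };
    unsigned cases[] = { 0, F_CTRL_CORRUPT, F_CTRL_HUNG, F_CTRL_CORRUPT | F_RED_CORRUPT };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        decision_t d = run_cycle(100, cases[i]);
        printf("faults=0x%x -> %s, command %d\n", cases[i], src[d.source], (int)d.command);
    }
    return paths_equivalent(1000) ? 0 : 1;
}
```

The hung-controller case returns a stale value that still lies inside the expected range, so only the operation monitor and the switching means catch it; the range check alone would not.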

Claims

1. A control system for vehicles, in particular for the control of vehicle safety devices, comprising at least two subsystems (10, 12), each comprising a control means (18), which each communicate with at least one operating means (16), and a check means (20) to which the control means is connected and which can suppress the forwarding of control means data,
characterised in that
each subsystem also comprises a redundant control means (21) having a control algorithm which is equivalent to the control algorithm of the control means (18).
2. A control system in accordance with claim 1, characterised in that the check means (20) can suppress the forwarding of control means data via a switching means (30).
3. A control system in accordance with claim 1 or 2, characterised in that respective decision means (24) are connected after the control means (18) and the data from the switching means (30) connected after the control means (18) and from the redundant control means (21) are supplied to said decision means (24).
4. A control system in accordance with one of the claims 1 to 3, characterised in that status data of the check means (20) are supplied to the decision means (24).
5. A control system in accordance with one of the claims 1 to 4, characterized in that the control means (18) of one subsystem (10) is arranged with the redundant control means (21) of the other subsystem (12) in a first device/chip and the control means (18') of the other subsystem (12) is likewise arranged with the redundant control means (21') of said one subsystem (10) in a second device/chip.
6. A control system in accordance with one of the claims 1 to 5, characterized in that the check means (20") of the individual subsystems are arranged in a third device/chip.
7. A control system in accordance with claim 6, characterized in that a simplified control algorithm is implemented in each check means (20"), said simplified control algorithm mapping the control function and forwarding these simplified control data to the associated decision means of the subsystem.
8. A control system in accordance with one of the claims 1 to 7, characterized in that the first subsystem (10) represents a control device for active safety components and the second subsystem (12) represents a control device for passive safety components.
PCT/EP2008/008264 2007-09-28 2008-09-29 A control system for vehicles WO2009040137A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP08802696A EP2190712B1 (en) 2007-09-28 2008-09-29 A control system for vehicles

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102007046706A DE102007046706A1 (en) 2007-09-28 2007-09-28 Control device for vehicles
DE102007046706.2 2007-09-28

Publications (1)

Publication Number Publication Date
WO2009040137A1 true WO2009040137A1 (en) 2009-04-02

Family

ID=40099530

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2008/008264 WO2009040137A1 (en) 2007-09-28 2008-09-29 A control system for vehicles

Country Status (3)

Country Link
EP (1) EP2190712B1 (en)
DE (1) DE102007046706A1 (en)
WO (1) WO2009040137A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016139147A1 (en) * 2015-03-04 2016-09-09 Abb Ag Safety control system and method of operation of a safety control system
US11609567B2 (en) * 2018-02-05 2023-03-21 Hl Mando Corporation Apparatus and method for controlling vehicle based on redundant architecture

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111965968A (en) * 2019-05-20 2020-11-20 华为技术有限公司 Switching control method, system and device
EP4155838A1 (en) * 2021-09-28 2023-03-29 Siemens Aktiengesellschaft Device control system and safety monitoring method for controlling a device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE4212337A1 (en) * 1992-04-13 1993-10-14 Bosch Gmbh Robert Safety system for car - has ABS and retardation systems working with common control unit processing sensor signals in parallel channels
DE4439060A1 (en) * 1994-11-02 1996-05-09 Teves Gmbh Alfred Microprocessor arrangement for a vehicle control system
DE19716197A1 (en) * 1997-04-18 1998-10-22 Itt Mfg Enterprises Inc Microprocessor system for safety-critical regulations
DE19717686A1 (en) 1997-04-28 1998-10-29 Itt Mfg Enterprises Inc Circuit arrangement for a motor vehicle control system
WO2004029737A1 (en) * 2002-09-20 2004-04-08 Daimlerchrysler Ag Redundant control unit arrangement

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1995013940A1 (en) 1993-11-15 1995-05-26 Sensor Technology Co., Ltd. Operation device for crew protection apparatus
WO2003050624A1 (en) 2001-12-11 2003-06-19 Continental Teves Ag & Co. Ohg Multi-core redundant control computer system, computer network for applications that are critical with regard to safety in motor vehicles, and use thereof
DE10350919A1 (en) 2003-10-31 2005-05-25 Robert Bosch Gmbh Control unit and acceleration sensors

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016139147A1 (en) * 2015-03-04 2016-09-09 Abb Ag Safety control system and method of operation of a safety control system
CN107407919A (en) * 2015-03-04 2017-11-28 Abb股份公司 The operation method of safety control system and safety control system
US10599137B2 (en) 2015-03-04 2020-03-24 Abb Ag Safety control system and method of operation of a safety control system
US11609567B2 (en) * 2018-02-05 2023-03-21 Hl Mando Corporation Apparatus and method for controlling vehicle based on redundant architecture

Also Published As

Publication number Publication date
EP2190712B1 (en) 2013-02-27
DE102007046706A1 (en) 2009-04-16
EP2190712A1 (en) 2010-06-02

Legal Events

Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application (Ref document number: 08802696; Country of ref document: EP; Kind code of ref document: A1)
WWE WIPO information: entry into national phase (Ref document number: 2008802696; Country of ref document: EP)
NENP Non-entry into the national phase (Ref country code: DE)