WO2011072662A1 - Überwachungsrechner in einem steuergerät - Google Patents
Überwachungsrechner in einem steuergerät Download PDFInfo
- Publication number
- WO2011072662A1 WO2011072662A1 PCT/DE2010/001492 DE2010001492W WO2011072662A1 WO 2011072662 A1 WO2011072662 A1 WO 2011072662A1 DE 2010001492 W DE2010001492 W DE 2010001492W WO 2011072662 A1 WO2011072662 A1 WO 2011072662A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- monitoring
- computer
- function
- monitoring computer
- control
- Prior art date
Links
Classifications
-
- F—MECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING
- F02—COMBUSTION ENGINES; HOT-GAS OR COMBUSTION-PRODUCT ENGINE PLANTS
- F02D—CONTROLLING COMBUSTION ENGINES
- F02D41/00—Electrical control of supply of combustible mixture or its constituents
- F02D41/24—Electrical control of supply of combustible mixture or its constituents characterised by the use of digital means
- F02D41/26—Electrical control of supply of combustible mixture or its constituents characterised by the use of digital means using computer, e.g. microprocessor
- F02D41/266—Electrical control of supply of combustible mixture or its constituents characterised by the use of digital means using computer, e.g. microprocessor the computer being backed-up or assisted by another circuit, e.g. analogue
-
- F—MECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING
- F02—COMBUSTION ENGINES; HOT-GAS OR COMBUSTION-PRODUCT ENGINE PLANTS
- F02D—CONTROLLING COMBUSTION ENGINES
- F02D41/00—Electrical control of supply of combustible mixture or its constituents
- F02D41/22—Safety or indicating devices for abnormal conditions
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/0703—Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
- G06F11/0706—Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation the processing taking place on a specific hardware platform or in a specific software environment
- G06F11/0736—Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation the processing taking place on a specific hardware platform or in a specific software environment in functional embedded systems, i.e. in a data processing system designed as a combination of hardware and software dedicated to performing a certain function
- G06F11/0739—Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation the processing taking place on a specific hardware platform or in a specific software environment in functional embedded systems, i.e. in a data processing system designed as a combination of hardware and software dedicated to performing a certain function in a data processing system embedded in automotive or aircraft systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/0703—Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
- G06F11/0751—Error or fault detection not based on redundancy
- G06F11/0754—Error or fault detection not based on redundancy by exceeding limits
- G06F11/076—Error or fault detection not based on redundancy by exceeding limits by exceeding a count or rate limit, e.g. word- or bit count limit
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/0703—Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
- G06F11/0793—Remedial or corrective actions
-
- F—MECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING
- F02—COMBUSTION ENGINES; HOT-GAS OR COMBUSTION-PRODUCT ENGINE PLANTS
- F02D—CONTROLLING COMBUSTION ENGINES
- F02D41/00—Electrical control of supply of combustible mixture or its constituents
- F02D41/02—Circuit arrangements for generating control signals
- F02D41/14—Introducing closed-loop corrections
- F02D41/1401—Introducing closed-loop corrections characterised by the control or regulation method
- F02D2041/1411—Introducing closed-loop corrections characterised by the control or regulation method using a finite or infinite state machine, automaton or state graph for controlling or modelling
-
- F—MECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING
- F02—COMBUSTION ENGINES; HOT-GAS OR COMBUSTION-PRODUCT ENGINE PLANTS
- F02D—CONTROLLING COMBUSTION ENGINES
- F02D41/00—Electrical control of supply of combustible mixture or its constituents
- F02D41/24—Electrical control of supply of combustible mixture or its constituents characterised by the use of digital means
- F02D41/2403—Electrical control of supply of combustible mixture or its constituents characterised by the use of digital means using essentially up/down counters
Definitions
- the invention relates to a monitoring computer for monitoring a processor, a processor and a method for monitoring a processor according to the preambles of the independent claims.
- the power control control unit has only a single computer element.
- the computer element carries out both the shutdown path control and the monitoring. Operational safety and availability are ensured by the fact that at least two independent levels are provided in a single computer element for the control and monitoring, wherein the functions for power control are determined in a first level and in a second level, in particular in cooperation with a monitoring module, these functions and thus the functionality of the computer element itself are monitored.
- DE 44 38 714 A1 describes a third level which carries out a sequence check of the second level.
- This third-level monitoring significantly increases the reliability and availability of the controller.
- the sequence control is carried out as a question and answer communication.
- the 3-level monitoring concept (EGAS concept) is preferred
- CONFIRMATION COPY Engine control units of vehicles used for monitoring electronic engine control systems The engine control unit consists of the so-called function computer and the monitoring computer. Function computers and monitoring computers communicate via a question and answer procedure. In addition, they have separate shutdown paths.
- the level 1 comprises the actual function module for controlling the function of the drive unit of the vehicle. It is therefore also referred to as a functional level. It includes motor control functions, i.a. For the implementation of the requested engine torques, component monitoring, the diagnosis of the input and output variables as well as the control of the system reactions in the event of a detected error. Level 1 is executed on the function computer.
- Level 2 also referred to as function monitoring level, comprises the security module and is also executed on the function computer. It recognizes the erroneous sequence of monitoring relevant scope of the function module of level 1, u. a. by monitoring the calculated moments or vehicle acceleration. In the event of a fault, system reactions are triggered, such as switching off safety-relevant output stages.
- Level 2 is carried out in a hardware area of the function computer protected by level 3.
- Level 3 also referred to as the computer monitoring level, comprises the monitoring module on an independent function computer with instruction set test, program sequence control, A / D converter test as well as cyclic and complete level 2 memory tests.
- the monitoring module is executed on a function computer.
- the monitoring computer independent of the function computer tests the proper execution of the program instructions of the function computer by means of a question and answer procedure. In the event of an error, the triggering of system reactions takes place independently of the function computer.
- the entire operating and monitoring software is integrated in a control unit.
- the monitoring concept can also be implemented in other vehicle control devices, in particular transmission control devices
- Monitoring concepts are known from the prior art, in which a monitoring computer performs more than one program sequence check by means of a single monitoring unit (monitoring unit) in the function computer. In this case, this one monitoring unit must synchronize both the individual responses from the individual program flow control as well as the individual answers to form a total response. This error can occur both during synchronization and when assembling the answers.
- the object is achieved by a monitoring computer having the features of the independent claim 1.
- the processor essentially comprises a monitoring computer and a function computer.
- a computing element is executed on the processor.
- the computing element comprises three software program modules: a function module for function control of the force vehicle, a safety module for checking the function module and a monitoring module at least for checking the safety module.
- the monitoring computer communicates with the monitoring module on the function computer by means of a question and answer procedure via an interface.
- the monitoring computer and the function computer are designed as physically independent hardware components.
- the monitoring computer comprises two functionally independent monitoring units, each being executed as hardware
- Monitoring unit in the function computer by means of a corresponding, running as a software monitoring element each control for monitoring the proper execution of particular program commands of the function computer is executable.
- the first monitoring unit uses the first monitoring element as the first control in the security module to perform a memory test and a program sequence check in particular. Furthermore, the second monitoring unit performs, by means of the second monitoring element as the second control in the monitoring module, in particular an instruction set test and an AD converter test.
- the respective controls are carried out in so-called test paths. Particularly noteworthy is that when an error occurs in one of the two controls each an error counter is operable and when exceeding programmable error response thresholds regardless of the function module, a system response can be triggered by the monitoring module. Such a system reaction may be to bring the vehicle into a restricted limp-home mode which, for example, makes it possible to just roll out on the hard shoulder of a roadway.
- the error count can be asymmetric, meaning that a wrong answer in the question-and-answer procedure is counted twice upwards, whereas a correct answer is simply counted down.
- a so-called state machine for configuring the associated monitor unit is run through in the computing element.
- a state machine is a behavioral model consisting of states, the so-called states, state transitions and actions.
- a state stores the information about the past. It reflects the changes in input from system startup to the current time.
- a state transition indicates a change in the state of the state machine and is described by logical conditions that must be met to enable the transition.
- An action is the output of the state machine that occurs in a certain situation.
- the corresponding monitoring unit is configured during initialization of the control unit in the computing element.
- the associated state machine by means of the associated state machine, among other parameters, for example a response time and a response time window of the question-and-answer procedure as well as a switch-off threshold and a reset threshold are defined.
- the parameters for each monitoring unit may differ. However, it is also conceivable that both monitoring units are configured identically.
- the two monitoring units advantageously record the monitoring of the computing element by means of the respective monitoring element.
- the outputs of the monitoring computer are designed in particular complementary. That is, if one output is high, the other is low. If the chip is destroyed, both outputs will most likely be either high or low. As a result, the safety-critical output stages are in the off state via the shutdown path.
- the response time which is determined when passing through the state machine, is essentially freely configurable and is usually in the range between 1 ms and 255 ms. Typical fault reaction times are approx. 60ms. However, this time may vary depending on transmission design, customer requirements, etc. This range has been chosen as a compromise between maximum corifigurability and implementation effort.
- the response time window is also defined in the state machine and is primarily in the range between 1 ms and 255 ms.
- the response time is the latest possible time to send the answer.
- a so-called “closed window” is configured, in which no reply may be sent.
- the difference between the response time and the "closed window” results in the "open window” or the response time window
- the relationship between the response time and the response time window is, in particular, freely scalable. In the case of a possible functional software error (eg falsified timing), it could happen that the correct answers are sent too fast, because the "closed window” does not score these too early answers, which leads to an increase of the error counter.
- a shutdown path test is advantageously carried out as a separate state.
- the answers from the question and answer procedure between the monitoring computer and the function computer can be sent as quickly as possible without regard to the response time window. This allows the system startup time to be kept short.
- a shutdown path test can check whether the function computer or the monitoring computer can correctly switch off the safety-relevant output stages, for example, if an error occurs.
- a further object of the invention is to specify a processor which is improved compared with the cited prior art with a monitoring computer as described above in a control unit of a motor vehicle. This object is achieved by a processor with the
- the computing element which is executed on the processor of the control unit essentially comprises the three program modules: function module, security module and monitoring module.
- the processor is in particular subdivided into a function computer and a monitoring computer, wherein the functional module, the security module and the monitoring module are executed on the function computer.
- the monitoring computer usually communicates with the function computer via a question and answer method via an interface.
- the function computer and the monitoring computer are in particular physically independent of each other and the monitoring computer also comprises two functionally independent monitoring units.
- To monitor the proper execution of the program commands of the function computer is advantageously in the function computer through each monitoring unit by means of an appropriate monitoring element • one control each.
- the control method can be advantageously accelerated and also made safer.
- Fig. 1 shows a 3-level concept, divided into modules (software) and
- Fig. 1 shows a substantially from the EGAS concept known 3-level monitoring model, as used for example in an engine control unit or a transmission control unit in motor vehicles.
- the first dot-dashed box indicates the function calculator (FR) of the processor.
- the second dot-dashed box identifies the processor (UR) of the processor.
- Function computer (FR) and monitoring computer (UR) are physically separated from each other on the processor arranged.
- the monitoring computer (UR) can be designed, for example, as an ASIC.
- the three program modules Function Module (El), Security Module (E2) and monitor module (E3) are executed on the function calculator (FR).
- the functional module (El) represents level 1 of the EGAS concept, which is also called the functional level. In particular, it serves to control the operation of the drive unit of the vehicle, and includes, as explained above, for example, engine control functions, i.a. for the implementation of the requested engine torques, component monitoring, the diagnosis of the input and output variables as well as the control of the system reactions in the case of a detected error.
- engine control functions i.a. for the implementation of the requested engine torques, component monitoring, the diagnosis of the input and output variables as well as the control of the system reactions in the case of a detected error.
- the security module (E2) represents level 2 of the EGAS concept, which is also referred to as the functional monitoring level. It detects the erroneous sequence of monitoring-relevant peripheries of the function module (El) of level 1. In particular, the calculated moments or, for example, the vehicle acceleration are monitored. If an error occurs, in particular the triggering of system reactions takes place.
- the safety module (E2) is primarily performed in a hardware area of the function computer (FR) protected by the monitoring module (E3).
- the monitoring module (E3) represents level 3 of the EGAS concept, also referred to as the computer monitoring level.
- the monitoring module (E3) is executed, in particular, on the function computer (FR) which is independent of the monitoring computer (UR).
- the monitoring computer (UR) tests the proper execution of the program commands of the function computer (FR), for example, by means of at least one question / answer procedure. If an error occurs, in particular a triggering of system reactions takes place independently of the function computer (FR).
- the monitoring computer essentially comprises two independent monitoring units (MU1, MU2). On each monitoring unit (MUl, MU2) a corresponding monitoring element (ME1, ME2) is checked (Kl, K2) of the security module (E2) or the monitoring module (E3).
- the first monitoring unit (MU1) uses the first one
- ME 1 Monitoring Elements (ME 1) as a first control (Kl) on the first test path (TP1) in the security module (E2) a memory test and a program flow control by.
- Monitoring Unit (MU2) by means of the second monitoring element (ME2) as a second control (K2) on the second test path (TP2) in the monitoring module (E3) preferably an instruction set test and an AD converter test by.
- the second check (K2) could also be carried out on the first monitoring unit (MU1) by means of the first monitoring element (ME1) via the first test path (TP1), and vice versa.
- said program sequence control takes place as a question and answer procedure between a monitoring unit (MU1, MU2) and the function computer (FR).
- MU1, MU2 monitoring unit
- FR function computer
- FG Question Generator assigned to the Monitoring Element (ME 1, ME2)
- the Question Generators (FG) are the same, but the selection of a question happens by chance. Therefore, the questions of Monitoring Unit (MU1) and Monitoring Unit (MU2) are almost always different.
- an error counter is advantageously set up in each case.
- a corresponding free, programmable fault reaction threshold is exceeded, in particular the monitoring module (E3) triggers a system reaction independently of the functional module (El).
- the freely programmable error reaction thresholds can be used for various system reactions, such as switching off the safety-related power amplifiers or resetting the function computer (FR). be different. If one of the monitoring units (MU1, MU2) generates a reset, the complete system incl.
- SM1, SM2 State machine
- FR function computer
- the configuration could, for example, be such that a reset is only triggered in the event of errors in the monitoring unit (MU1), and in the case of errors in the monitoring unit (MU2) only the safety-relevant output stage is switched off.
- the generation of a reset command may be selectively enabled or disabled as an error response.
- the outputs (URA) of the monitoring computer (UR) are advantageously designed to be complementary.
- a total failure of the monitoring computer (UR) which is designed, for example, as an ASIC, for example by a chip break or a so-called latch-up, d. H. a transition of a semiconductor device in a low-impedance state, it is assumed that all outputs of the monitoring computer (UR) are either simultaneously at a high or a low level.
- the complementary outputs together with an external wiring, not shown, in this case ensure that the safety path of the system and thus the safety-relevant power amplifiers of the system are switched off.
- the external wiring consists z. B. off
- Resistors and transistors ensures that only exactly a combination of the complementary outputs releases the safety-relevant power amplifiers.
- Fig. 2 shows a state machine.
- the state machine can advantageously be realized with little hardware effort.
- This embodiment of the state machine is faster, safer and less prone to failure than a state machine running as a software. Moreover, it is not manipulable.
- a state machine is a behavioral model consisting of states, the so-called states, state transitions and actions.
- a state stores the information about the past. It gives the input changes since system start up to the current time again.
- a state transition indicates a change in the state of the state machine and is described by logical conditions that must be met to enable the transition.
- An action is the output of the state machine that occurs in a given situation.
- the state machines are implemented in digital circuits mainly by programmable logic controllers, logic gates, flip-flops or relays. To implement the hardware, one usually uses a register for storing the state variables, a logic unit that selects the state transitions, and another logic unit that is responsible for the output.
- Each monitoring element ME 1, ME2
- SM 1, SM2 has its own state machine
- the (INIT) state is assumed.
- the monitoring unit (MU1, MU2) is configured by the function module (El) via a communication interface between the monitoring computer (UR) and the function computer (FR).
- the response time, the response time window, the error reaction threshold, especially the switch-off threshold (thresh) and the reset threshold (reset thresh) are determined.
- the response time, which is determined when passing through the state machine (SM1, SM2), is essentially freely configurable and is usually in the range between 1 ms and 255 ms.
- the response time window is also defined in the state machine and is primarily in the range between 1 ms and 255 ms.
- the ratio between the response time and the response time window is in particular freely scalable.
- the initial value of the error counter is automatically set above the shutdown threshold (thresh) to ensure that the error counter remains off in the ( ⁇ ) state.
- SOPCDIS Switch Off Path Check Disable
- SOPC is the shutdown path test, wherein a shutdown path test can ensure that the function calculator or supervisor can correctly shut off, for example, the safety-relevant output stages when an error occurs. In this state, the power output stages are not yet unlocked.
- the states (SOPCDIS) and (SOPCENA) are assumed in the state machine. At the first the power stages are switched off, at the second released.
- SOPCDIS state
- SOPCDIS the SOPC timer advantageously continues running.
- the question and answer game between monitoring computer (UR) and function computer (FR) also continues without time limit. If the error counter has reached or exceeded an interruption threshold (thresh), in particular a transition back into the state (SOPCDIS) takes place through the condition
- NVMAL In the state (NORMAL), the power output stages are enabled, unless they have already been enabled in a previous state. In this state, the question-answer game between monitoring computer (UR) and function computer (FR) continues, in particular, the count of the error counter is taken from the previous state.
- SOPCENA states
- SOPCDIS SOPCDIS
- the two monitoring units in the NORMAL state advantageously record the monitoring of the computing element by means of the respective monitoring element.
- the monitoring concept according to the invention for monitoring a computing element in a control unit of a motor vehicle is an improvement over the known monitoring concepts both in terms of speed, programming effort and safety.
Landscapes
- Engineering & Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Quality & Reliability (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Chemical & Material Sciences (AREA)
- Combustion & Propulsion (AREA)
- Mechanical Engineering (AREA)
- Microelectronics & Electronic Packaging (AREA)
- Debugging And Monitoring (AREA)
- Combined Controls Of Internal Combustion Engines (AREA)
Abstract
Description
Claims
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2012546360A JP5843786B2 (ja) | 2009-12-18 | 2010-12-20 | 制御装置にある監視計算機 |
DE112010004085T DE112010004085A5 (de) | 2009-12-18 | 2010-12-20 | Überwachungsrechner in einem Steuergerät |
EP10805586.4A EP2513456B1 (de) | 2009-12-18 | 2010-12-20 | Überwachungsrechner in einem steuergerät |
US13/515,327 US9068527B2 (en) | 2009-12-18 | 2010-12-20 | Monitoring computer in a control device |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE102009059087 | 2009-12-18 | ||
DE102009059087.0 | 2009-12-18 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2011072662A1 true WO2011072662A1 (de) | 2011-06-23 |
Family
ID=43901216
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/DE2010/001492 WO2011072662A1 (de) | 2009-12-18 | 2010-12-20 | Überwachungsrechner in einem steuergerät |
Country Status (5)
Country | Link |
---|---|
US (1) | US9068527B2 (de) |
EP (1) | EP2513456B1 (de) |
JP (1) | JP5843786B2 (de) |
DE (1) | DE112010004085A5 (de) |
WO (1) | WO2011072662A1 (de) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE102011011755A1 (de) * | 2011-02-18 | 2012-08-23 | Conti Temic Microelectronic Gmbh | Halbleiterschaltkreis und Verfahren in einem Sicherheitskonzept zum Einsatz in einem Kraftfahrzeug |
WO2018050908A1 (de) * | 2016-09-19 | 2018-03-22 | Elmos Semiconductor Aktiengesellschaft | Watchdog zur überwachung eines prozessors |
EP3761179A1 (de) | 2019-07-05 | 2021-01-06 | Elmos Semiconductor SE | Verfahren zur überprüfung der funktion eines prozessors durch einen watchdog |
DE102021206379A1 (de) | 2021-06-22 | 2022-12-22 | Continental Autonomous Mobility Germany GmbH | Steuereinrichtung sowie Assistenzsystem für ein Fahrzeug |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9156357B2 (en) * | 2013-09-11 | 2015-10-13 | GM Global Technology Operations LLC | Controller for an electric motor, and a method thereof |
US9558052B2 (en) * | 2014-03-18 | 2017-01-31 | Stmicroelectronics International N.V. | Safe scheduler for finite state deterministic application |
US10536168B2 (en) * | 2016-11-07 | 2020-01-14 | Infineon Technologies Ag | Program flow monitoring for deterministic firmware functions |
EP3792765A1 (de) * | 2019-09-10 | 2021-03-17 | Vitesco Technologies GmbH | Verfahren zur handhabung von transienten sicherheitsrelevanten fehlern in einem fahrzeug und elektronisches steuerungssystem des fahrzeugs |
WO2022199787A1 (en) * | 2021-03-22 | 2022-09-29 | Huawei Technologies Co., Ltd. | Program flow monitoring for gateway applications |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE4438714A1 (de) | 1994-10-29 | 1996-05-02 | Bosch Gmbh Robert | Verfahren und Vorrichtung zur Steuerung der Antriebseinheit eines Fahrzeugs |
WO2003056427A2 (de) * | 2001-12-21 | 2003-07-10 | Robert Bosch Gmbh | Verfahren und vorrichtung zur steuerung einer funktionseinheit eines kraftfahrzeugs |
EP2090952A2 (de) * | 2008-02-14 | 2009-08-19 | Robert Bosch GmbH | Hydraulikkomponenten-Steuergerät und Verfahren zum Ansteuern von hydraulischen Komponenten |
Family Cites Families (29)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6733036B2 (en) * | 1995-06-07 | 2004-05-11 | Automotive Technologies International, Inc. | Automotive electronic safety network |
DE4220247A1 (de) * | 1992-06-20 | 1993-12-23 | Bosch Gmbh Robert | Steuereinrichtung für Fahrzeuge |
US5654888A (en) | 1992-06-20 | 1997-08-05 | Robert Bosch Gmbh | Control arrangement for vehicles |
DE4424020A1 (de) * | 1994-07-08 | 1996-01-11 | Telefunken Microelectron | Prüfverfahren für eine passive Sicherheitseinrichtung in Kraftfahrzeugen |
DE19609242A1 (de) * | 1996-03-09 | 1997-09-11 | Bosch Gmbh Robert | Verfahren und Vorrichtung zur Steuerung einer Antriebseinheit eines Fahrzeugs |
DE19917208A1 (de) * | 1999-04-16 | 2000-10-19 | Bosch Gmbh Robert | Verfahren und Vorrichtung zur Überwachung eines Rechenelements in einem Kraftfahrzeug |
DE19933086B4 (de) * | 1999-07-15 | 2008-11-20 | Robert Bosch Gmbh | Verfahren und Vorrichtung zur gegenseitigen Überwachung von Steuereinheiten |
DE10056408C1 (de) * | 2000-11-14 | 2002-03-07 | Bosch Gmbh Robert | Vorrichtung zur Überwachung eines Prozessors |
DE10057916C2 (de) * | 2000-11-21 | 2003-04-17 | Bosch Gmbh Robert | Steuergerät für ein Rückhaltesystem in einem Kraftfahrzeug |
DE10065118A1 (de) * | 2000-12-28 | 2002-07-04 | Bosch Gmbh Robert | System und Verfahren zur Steuerung und/oder Überwachung eines wenigstens zwei Steuergeräte aufweisenden Steuergeräteverbundes |
RU2284929C2 (ru) * | 2001-03-15 | 2006-10-10 | Роберт Бош Гмбх | Способ управления компонентом важной для обеспечения безопасности распределенной системы |
JP4391724B2 (ja) * | 2001-06-08 | 2009-12-24 | ローベルト ボッシュ ゲゼルシャフト ミット ベシュレンクテル ハフツング | 車両の駆動シーケンス制御の監視方法及びその装置 |
DE10131198A1 (de) * | 2001-06-28 | 2003-01-16 | Bosch Gmbh Robert | Verfahren und Vorrichtung zur Beeinflussung wenigstens eines Parameters eines Fahrzeugs |
US6941205B2 (en) * | 2002-08-01 | 2005-09-06 | Ford Global Technologies, Llc. | System and method for deteching roll rate sensor fault |
DE10236080A1 (de) * | 2002-08-07 | 2004-02-19 | Robert Bosch Gmbh | Verfahren und Vorrichtung zur Steuerung von Betriebsabläufen, insbesondere in einem Fahrzeug |
DE10307698A1 (de) * | 2003-02-21 | 2004-09-02 | Robert Bosch Gmbh | Steuergerät und Compterprogramm zum Steuern eines Antriebsaggregates eines Fahrzeugs |
US7034696B2 (en) * | 2003-05-09 | 2006-04-25 | Gregory Ehlers | Proximity dead man interrupter, alarm and reporting system |
DE10331873B4 (de) * | 2003-07-14 | 2022-09-01 | Robert Bosch Gmbh | Verfahren zur Überwachung verteilter Software |
DE102004047925B4 (de) * | 2004-10-01 | 2016-09-15 | Bayerische Motoren Werke Aktiengesellschaft | Längsdynamiksteuervorrichtung für Kraftfahrzeuge |
DE102006028695B4 (de) * | 2005-06-23 | 2017-11-30 | Denso Corporation | Elektronisches Steuersystem mit Fehlfunktionsüberwachung |
JP2007158979A (ja) * | 2005-12-08 | 2007-06-21 | Fujitsu Access Ltd | 認証装置及び乱数生成方法 |
JP4661722B2 (ja) | 2006-07-31 | 2011-03-30 | 日本電気株式会社 | 運用管理システム、監視装置、監視設定情報生成方法及びプログラム |
DE102006048169A1 (de) * | 2006-10-10 | 2008-04-17 | Robert Bosch Gmbh | Verfahren zur Überwachung einer Funktionsfähigkeit einer Steuerung |
JP4984226B2 (ja) * | 2006-12-13 | 2012-07-25 | 富士電機株式会社 | パルス幅変調回路 |
JP4848979B2 (ja) * | 2007-03-07 | 2011-12-28 | 日本電気株式会社 | 監視システムおよび監視方法ならびにプログラム |
JP4618263B2 (ja) * | 2007-03-23 | 2011-01-26 | 株式会社豊田中央研究所 | ソフトウェア挙動監視装置及びソフトウェア挙動監視システム |
JP4776610B2 (ja) * | 2007-11-26 | 2011-09-21 | 三菱電機株式会社 | 監視制御回路を有する車載電子制御装置 |
US8509989B2 (en) * | 2009-12-18 | 2013-08-13 | Conti Temic Microeletronic GMBH | Monitoring concept in a control device |
US8621273B2 (en) * | 2010-11-29 | 2013-12-31 | Infineon Technologies Ag | Enhanced scalable CPU for coded execution of SW in high-dependable safety relevant applications |
-
2010
- 2010-12-20 JP JP2012546360A patent/JP5843786B2/ja active Active
- 2010-12-20 DE DE112010004085T patent/DE112010004085A5/de not_active Withdrawn
- 2010-12-20 WO PCT/DE2010/001492 patent/WO2011072662A1/de active Application Filing
- 2010-12-20 US US13/515,327 patent/US9068527B2/en active Active
- 2010-12-20 EP EP10805586.4A patent/EP2513456B1/de active Active
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE4438714A1 (de) | 1994-10-29 | 1996-05-02 | Bosch Gmbh Robert | Verfahren und Vorrichtung zur Steuerung der Antriebseinheit eines Fahrzeugs |
WO2003056427A2 (de) * | 2001-12-21 | 2003-07-10 | Robert Bosch Gmbh | Verfahren und vorrichtung zur steuerung einer funktionseinheit eines kraftfahrzeugs |
EP2090952A2 (de) * | 2008-02-14 | 2009-08-19 | Robert Bosch GmbH | Hydraulikkomponenten-Steuergerät und Verfahren zum Ansteuern von hydraulischen Komponenten |
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE102011011755A1 (de) * | 2011-02-18 | 2012-08-23 | Conti Temic Microelectronic Gmbh | Halbleiterschaltkreis und Verfahren in einem Sicherheitskonzept zum Einsatz in einem Kraftfahrzeug |
US9434379B2 (en) | 2011-02-18 | 2016-09-06 | Conti Temic Microelectronic Gmbh | Semiconductor circuit and method in a safety concept for use in a motor vehicle |
WO2018050908A1 (de) * | 2016-09-19 | 2018-03-22 | Elmos Semiconductor Aktiengesellschaft | Watchdog zur überwachung eines prozessors |
CN109716301A (zh) * | 2016-09-19 | 2019-05-03 | 艾尔默斯半导体股份公司 | 用于监视处理器的监视器 |
KR20190070921A (ko) * | 2016-09-19 | 2019-06-21 | 엘모스 세미콘두크터르 아크티엔게젤샤프트 | 프로세서를 감시하기 위한 와치독 |
EP3620923A1 (de) | 2016-09-19 | 2020-03-11 | ELMOS Semiconductor AG | Watchdog zur überwachung eines prozessors |
EP3627324A1 (de) | 2016-09-19 | 2020-03-25 | Elmos Semiconductor Aktiengesellschaft | Watchdog zur überwachung eines prozessors |
US10678620B2 (en) | 2016-09-19 | 2020-06-09 | Elmos Semiconductor Ag | Watchdog for monitoring a processor |
KR102376265B1 (ko) * | 2016-09-19 | 2022-03-18 | 엘모스 세미컨덕터 에스이 | 프로세서를 감시하기 위한 와치독 |
CN109716301B (zh) * | 2016-09-19 | 2022-06-24 | 艾尔默斯半导体欧洲股份公司 | 用于监视处理器的监视器 |
EP3761179A1 (de) | 2019-07-05 | 2021-01-06 | Elmos Semiconductor SE | Verfahren zur überprüfung der funktion eines prozessors durch einen watchdog |
DE102021206379A1 (de) | 2021-06-22 | 2022-12-22 | Continental Autonomous Mobility Germany GmbH | Steuereinrichtung sowie Assistenzsystem für ein Fahrzeug |
Also Published As
Publication number | Publication date |
---|---|
DE112010004085A5 (de) | 2012-10-25 |
JP5843786B2 (ja) | 2016-01-13 |
JP2013514498A (ja) | 2013-04-25 |
EP2513456B1 (de) | 2015-02-25 |
US9068527B2 (en) | 2015-06-30 |
EP2513456A1 (de) | 2012-10-24 |
US20120272104A1 (en) | 2012-10-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP2513456B1 (de) | Überwachungsrechner in einem steuergerät | |
EP2513455B1 (de) | Überwachungskonzept in einem steuergerät | |
EP0512240B1 (de) | System zur Steuerung eines Kraftfahrzeuges | |
DE10049441B4 (de) | Verfahren zum Betrieb eines von einem Prozessor gesteuerten Systems | |
EP2676200B1 (de) | Halbleiterschaltkreis und verfahren in einem sicherheitskonzept zum einsatz in einem kraftfahrzeug | |
DE102011005800A1 (de) | Kontrollrechnersystem, Verfahren zur Steuerung eines Kontrollrechnersystems, sowie Verwendung eines Kontrollrechnersystems | |
DE10331873B4 (de) | Verfahren zur Überwachung verteilter Software | |
WO2006015945A2 (de) | Verfahren, betriebssystem und rechengerät zum abarbeiten eines computerprogramms | |
WO2015028581A1 (de) | Verfahren zur überwachung einer komponente in einem kraftfahrzeug | |
EP1810139B1 (de) | Verfahren, betriebssystem und rechengerät zum abarbeiten eines computerprogramms | |
EP1860565A1 (de) | Verfahren zur Funktionsprüfung eines Steuergeräts für ein Kraftfahrzeug | |
EP2239752A1 (de) | Sichere Schalteinrichtung und modulares fehlersicheres Steuerungssystem | |
DE10312553B3 (de) | Kraftfahrzeug | |
DE102012209144A1 (de) | Verfahren zur Überführung eines elektrischen Antriebsystems in einen sicheren Zustand und Anordnung zur Durchführung des Verfahrens | |
WO2006108849A1 (de) | Verfahren und rechnereinheit zur fehlererkennung und fehlerprotokollierung in einem speicher | |
EP2612059B1 (de) | Vorrichtung und verfahren zur regelung eines doppelkupplungsgetriebes | |
DE102017123911A1 (de) | Verfahren und Vorrichtung zum Überwachen der Reaktionszeit einer durch ein Sicherheitssystem bereitgestellten Sicherheitsfunktion | |
EP2435915B1 (de) | Verringerung der reaktionszeit in einem system zur überwachung eines funktionsrechners | |
DE102006020793A1 (de) | Schaltungsanordnung und Verfahren zum Betrieb einer Schaltungsanordnung | |
DE3731097A1 (de) | Schaltungsanordnung zur ueberwachung einer einrichtung mit zwei mikroprozessoren, insbesondere einer kraftfahrzeug-elektronik | |
DE102019203783A1 (de) | Verfahren, Programm und System zur Verwendung von Signalqualitätsanforderungen im Rahmen von Sicherheitskonzepten | |
DE102015215847B3 (de) | Vorrichtung und Verfahren zur Erhöhung der funktionalen Sicherheit in einem Fahrzeug. | |
EP4114691B1 (de) | Verfahren zum betreiben eines bordnetzes | |
DE102022205943A1 (de) | Verfahren zum Überprüfen eines mehrere Einzelkomponenten aufweisenden Systems zum gemeinsamen Durchführen einer Funktion durch die mehreren Einzelkomponenten | |
DE102014112102B4 (de) | Verfahren zum Überwachen eines Controller Area Network zur Fehlerdetektion |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 10805586 Country of ref document: EP Kind code of ref document: A1 |
|
WWE | Wipo information: entry into national phase |
Ref document number: 1120100040850 Country of ref document: DE Ref document number: 112010004085 Country of ref document: DE |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2010805586 Country of ref document: EP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2012546360 Country of ref document: JP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 13515327 Country of ref document: US |
|
REG | Reference to national code |
Ref country code: DE Ref legal event code: R225 Ref document number: 112010004085 Country of ref document: DE Effective date: 20121025 |