WO2011113405A1 - Control device arrangement (Groupement d'appareils de commande) - Google Patents
Control device arrangement (Groupement d'appareils de commande)
- Publication number: WO2011113405A1 (PCT application PCT/DE2011/000138)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- level
- control device
- control unit
- subordinate
- main processor
Classifications
- G05B9/03 - Safety arrangements, electric, with multiple-channel loop, i.e. redundant control systems. Path: G (Physics) > G05 (Controlling; regulating) > G05B (Control or regulating systems in general; functional elements of such systems; monitoring or testing arrangements for such systems or elements) > G05B9/00 (Safety arrangements) > G05B9/02 (Safety arrangements, electric)
- F16H61/12 - Detecting malfunction or potential malfunction, e.g. fail safe; circumventing or fixing failures. Path: F (Mechanical engineering; lighting; heating; weapons; blasting) > F16 (Engineering elements and units; general measures for producing and maintaining effective functioning of machines or installations; thermal insulation in general) > F16H (Gearing) > F16H61/00 (Control functions within control units of change-speed or reversing gearings for conveying rotary motion; control of exclusively fluid gearing, friction gearing, gearings with endless flexible members or other particular types of gearing)
- G05B19/0428 - Safety, monitoring. Path: G05B (as above) > G05B19/00 (Programme-control systems) > G05B19/02 (Programme-control systems, electric) > G05B19/04 (Programme control other than numerical control, i.e. in sequence controllers or logic controllers) > G05B19/042 (Programme control other than numerical control using digital processors)
- F16H2061/122 - Avoiding failures by using redundant parts. Path: F16H61/12 (as above)
- F16H2061/1268 - Electric parts of the controller, e.g. a defective solenoid, wiring or microprocessor. Path: F16H61/12 (as above) > F16H2061/1256 (Detecting malfunction or potential malfunction, characterised by the parts or units where malfunctioning was assumed or detected) > F16H2061/126 (the failing part is the controller)
- G05B2219/24008 - Safety integrity level, safety integrated systems SIL SIS. Path: G05B (as above) > G05B2219/00 (Program-control systems) > G05B2219/20 (Pc systems) > G05B2219/24 (Pc safety)
- G05B2219/34482 - Redundancy, processors watch each other for correctness. Path: G05B (as above) > G05B2219/00 (Program-control systems) > G05B2219/30 (Nc systems) > G05B2219/34 (Director, elements to supervisory)
- G05B2219/34487 - Redundant diagnostic controllers watch redundant process controllers. Path: same as G05B2219/34482
Definitions
- The invention relates to a control device arrangement comprising a superordinate control unit and at least one subordinate control unit in a processing hierarchy, each with a main processor, and a safety concept effective over three levels: a higher, third level is provided as a process flow control that monitors a second level, which has predetermined safety requirements, for compliance with them, and the second level monitors a first level, which has no predetermined safety requirements, for correct function.
- Control operations are safety-relevant and subject to strict safety requirements which, as a rule, cannot be met by a single data processing unit, for example a single microprocessor.
- For this reason control units with multiple microprocessors that monitor each other are used.
- Such control device arrangements, and the control methods implemented with them, can be used in particular for control tasks in motor vehicles, in which a general task is processed in the superordinate control unit and special tasks in at least one, advantageously several, similar subordinate control units that control, for example, directly associated actuators or actuator modules.
- For example, a central transmission or clutch control unit may be provided that controls individual actuator modules, each with a subordinate control unit, and each of these controls an individual function, such as the operation of one friction clutch of a dual clutch for a dual clutch transmission, the gear actuation of one partial drive train of a dual clutch transmission, or a sub-function such as shifting or selecting in a transmission such as a dual clutch transmission.
- Functions such as an engine controlled via an electronic accelerator pedal, brake devices and the like may likewise be controlled by such control device arrangements.
- In an intrinsically safe control unit, each device includes a first microprocessor, the main processor, and a second microprocessor in the form of a monitoring computer.
- The control routines required to control an actuator, with the operating mechanism for performing the actuation function, are divided into a first level with non-safety-related routines and a second level with safety-related routines; the check of the first level is performed by the main processor and the check of the second level by the monitoring computer.
- If an error is detected, the control unit, and thus the actuator it controls, is transferred to a defined fallback state.
- In a third level, the monitoring computer monitors the operation of the main processor by comparing a monitoring command set that it issues with a key word set returned by the main processor; for error-free operation the two must correspond. If an error occurs in level three, the control unit with its connected actuator is transferred to a defined safe state.
- The superordinate control unit is likewise provided with a main processor and a monitoring computer and is monitored for proper function according to the three-level safety concept.
- Thus a main processor and a monitoring computer are required for each control unit. This leads to high costs.
- The object of the invention is therefore to propose a control device arrangement with lower production costs for equivalent function.
- The object is achieved by a control device arrangement comprising a superordinate control unit and at least one subordinate control unit in a processing hierarchy, each with a main processor, and a safety concept effective over three levels, in which a higher, third level is provided as a process flow control that monitors a second level with predetermined safety requirements for compliance, the second level monitors a first level without predetermined safety requirements for correct function, and the process flow control of the at least one subordinate control unit is arranged in the superordinate control unit.
- A microprocessor provided for the third-level monitoring routine of the control units can also be arranged in a subordinate control unit, although housing this microprocessor in the superordinate control unit is preferred, in particular because the subordinate control units can then be of identical design.
- The third level, including the creation of the monitoring command sets, may be provided by a general operating system, while the computing operations for controlling the actuator of a subordinate control unit may be implemented in an application-specific operating system independent of the general operating system.
- In this way a superordinate control unit can be operated with subordinate control units that each have their own operating system and may come from different manufacturers.
- The process flow control of the third level of the at least one subordinate control unit can be accommodated in the main processor of the superordinate control unit.
- In this case the third level of the superordinate control unit is processed in its monitoring computer, and the third level of the at least one subordinate control unit is processed in the main processor of the superordinate control unit.
- The third level, including the creation of the monitoring command set, then takes place, for example, in the second level of the safety concept of the superordinate control unit.
- The safety criteria of level three of the subordinate control unit can be stored as application software in the main processor of the superordinate control unit and are in turn secured by the third level of the monitoring computer, which monitors the second level in that main processor.
- A hierarchical monitoring structure is thus obtained.
- Standard software can be used for level three of the monitoring computer. Specific extensions of the operating system and of the monitoring system of the monitoring computer can be omitted, since the third-level monitoring of the subordinate control units does not involve the monitoring computer of the superordinate control unit.
- Alternatively, the process flow control in the form of the third level of the at least one subordinate control unit can be accommodated in the monitoring computer.
- In this case the operating system of the monitoring computer is adapted to the operating system of the subordinate control units, so that all monitoring functions for the main processors of all control units run in the central monitoring computer.
- Uniform software interfaces are created between the monitoring computer and the main processors, and preferably also uniform hardware interfaces to the subordinate control units with their main processors.
- The checking of the main processors in the third level is advantageously carried out by a two-part sub-level. In the first part, within the computing domain of the third level, a check command set is generated for each control unit; it may contain static commands, and the process flow control issues them in a defined order and within a defined time frame.
- The check command set is transferred to the second part of the sub-level, which initiates its execution in the computing domain of the main processor, collects there a command response set from the second level, and transfers it back to the third level as the response signal to the check set, where it is evaluated. This completes the process flow control and, if necessary, a malfunction is reported.
- The transmission of the monitoring signals between the superordinate control unit and the at least one subordinate control unit is effected via a first signal line, preferably a standardized interface such as a CAN bus, FlexRay or the like, which is provided among other things for the communication between the second and third level of the safety concept.
- In addition, at least one redundant signal line for transferring the subordinate control unit to a safe state in the event of a fault is provided between the superordinate control unit and the at least one subordinate control unit.
- Via this redundant line the at least one subordinate control unit can be transferred to a safe state independently of the first signal line.
- The control device arrangement described may be provided, in a particularly advantageous manner, with a superordinate control unit designed as a transmission control unit and/or clutch control unit and at least two actuator modules, each provided with a subordinate control unit.
- The actuator modules may be one or two clutch actuators for one or two friction clutches, such as a dual clutch, and/or one or more transmission actuator modules for actuating a transmission, for example a dual clutch transmission.
- FIG. 1 shows a flowchart of a safety concept of a control device arrangement.
- FIG. 2 shows a schematically illustrated control device arrangement with a safety concept in which the third level of the safety concept of a subordinate control unit is executed in the main processor of a superordinate control unit.
- FIG. 3 shows a schematically illustrated control device arrangement with a safety concept in which the third level of the safety concept of a subordinate control unit is executed in the monitoring computer that monitors the main processor of a superordinate control unit.
- FIG. 1 shows the flow diagram 1 for implementing a safety concept for a control device arrangement of a superordinate and at least one subordinate control unit, in which a third level of a monitoring concept for monitoring the main processors of the superordinate and subordinate control units is implemented in a monitoring computer of the superordinate control unit.
- Flowchart 1 shows the routine implemented in the monitoring computer.
- Branch 2 checks whether an error is present in the main processor of the superordinate control unit. If so, all subordinate control units, or the actuators controlled by them, are brought into a safe state in block 3; for example, clutch actuators are controlled so that they open the friction clutches they actuate, or transmission actuators engage neutral.
- Otherwise the start of a subroutine is initiated which, successively or in parallel, checks in branch 5 the subordinate control units for errors in their main processors. If an error in the main processor of one of the subordinate control units is detected, that control unit is put into a secured state, or its actuator is controlled so as to bring the functional component it actuates, such as a friction clutch, transmission and the like, into a safe state. In addition, further cooperating control units can be treated accordingly: for example, if a control unit actuating one partial function of a transmission is defective, a second control unit actuating a further partial function can also be operated in a secured state. After all subordinate control units have been checked, the subroutine is terminated in block 7 together with the entire routine for monitoring the control device arrangement, and the routine is restarted if necessary to ensure continuous monitoring.
- FIG. 2 shows a schematic representation of the control device arrangement 8 with the superordinate control unit 9 and the subordinate control unit 10.
- The superordinate control unit 9 assumes the higher-level functions common to several subordinate control units 10, for example communication with other function carriers of a motor vehicle, acquisition of sensor signals, parameterizations and the like.
- The subordinate control unit 10 controls or regulates an actuator arranged, for example, in the same housing, such as an electric motor for actuating a functional component of the motor vehicle, for example a friction clutch, a transmission and the like.
- Each control unit 9, 10 has a main processor 11, 12.
- The safety concept 13 is active, which subjects the superordinate control unit 9 and the subordinate control unit 10 to three levels of monitoring routines.
- The three levels of the superordinate control unit 9 are the first level 14, the second level 15 and the third level 16.
- The first level 14 comprises the non-safety-related software routines running in the main processor 11; these are checked for plausibility, for example by further software routines of the main processor 11, in the second level 15. In the second level 15 the safety-relevant software routines of the main processor 11 are checked.
- An error can be detected by means of a monitoring model in the second level 15; in the event of an error, measures for the safe operation of the subordinate control unit 10 are initiated in the second level 15 of the safety concept 13 in the superordinate control unit 9, namely in its main processor 11.
- The third level 16 for monitoring the proper functioning of the main processor 11 is arranged in the monitoring computer 17, which checks the main processor by means of the monitoring command set 18, for example with static commands, for compliance with the processing sequence and the time frame to be observed.
- The check command set 18 is executed in the main processor 11 and a corresponding command response set 19 is returned to the third level 16 in the monitoring computer 17.
- The first level 20, the second level 21 and the third level 22 of the safety concept 23 for the subordinate control unit 10, that is, for its main processor 12, are split between the main processor 11 of the superordinate control unit 9 and the main processor 12 of the subordinate control unit 10, the main processor 11 serving as the monitoring processor for the main processor 12.
- A malfunction of the main processor 12 is therefore detected by the monitoring in the second level 15.
- The monitoring of the main processor 12 in the second level 21 and the first level 20 corresponds largely to the monitoring functions of the first level 14 and the second level 15.
- In the arrangement of FIG. 3, the monitoring of the main processors 11a, 12a of the superordinate control unit 9a and of the subordinate control unit 10a takes place in the monitoring computer 17a in a single third level 16a. Accordingly, the signal lines 24a, 25a are formed between the main processor 12a and the monitoring computer 17a.
- The other two levels 14a, 15a and 20a, 21a are executed in the main processors 11a, 12a respectively, as in FIG. 2.
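The two-part sub-level of the third level described above (a check command set generated by the monitor, executed in the main processor under test, and the returned command response set evaluated for correct values, correct order and delivery within the time frame) can be illustrated with the following added example. It is not code from the patent or from any product; the command format, the four fault models, the simulated millisecond clock and the 20 ms deadline are assumptions made for illustration.

```python
"""Added example (not code from the patent): third-level supervision of a
main processor by a check command set, as a two-part sub-level.  Part one
generates static commands in a defined order; part two has the processor
under test execute them and evaluates the returned response set for correct
values, correct order and delivery within the time frame.  The command
format, the fault models, the simulated millisecond clock and the 20 ms
deadline are assumptions made for illustration."""
from __future__ import annotations

from dataclasses import dataclass
import operator
import random

# Static commands the monitor may issue.  The monitor computes its own
# reference result with this table, independently of the processor under test.
OPS = {"add": operator.add, "xor": operator.xor, "mul": operator.mul}


@dataclass(frozen=True)
class CheckCommand:
    seq: int        # position in the command set; responses must keep this order
    op: str
    a: int
    b: int


@dataclass(frozen=True)
class CommandResponse:
    seq: int
    value: int
    t_ms: int       # simulated time at which the main processor answered


def generate_check_set(rng: random.Random, n: int = 4) -> list[CheckCommand]:
    """Part one of the sub-level: build a fresh check command set."""
    return [CheckCommand(i, rng.choice(list(OPS)), rng.randrange(1, 1000),
                         rng.randrange(1, 1000)) for i in range(n)]


class MainProcessor:
    """Healthy main processor: executes the check set in order, each command
    taking latency_ms of simulated time."""

    def __init__(self, latency_ms: int = 2):
        self.latency_ms = latency_ms

    def alu(self, op: str, a: int, b: int) -> int:
        return OPS[op](a, b)

    def execute(self, cmds: list[CheckCommand], t0_ms: int) -> list[CommandResponse]:
        return [CommandResponse(c.seq, self.alu(c.op, c.a, c.b),
                                t0_ms + self.latency_ms * (i + 1))
                for i, c in enumerate(cmds)]


class FlippedBitProcessor(MainProcessor):
    """Fault model: bit 0 of every arithmetic result is inverted."""

    def alu(self, op, a, b):
        return super().alu(op, a, b) ^ 1


class ReorderingProcessor(MainProcessor):
    """Fault model: correct answers delivered in the wrong sequence."""

    def execute(self, cmds, t0_ms):
        return list(reversed(super().execute(cmds, t0_ms)))


class StalledProcessor(MainProcessor):
    """Fault model: correct answers that miss the time frame."""

    def __init__(self):
        super().__init__(latency_ms=50)


class SilentProcessor(MainProcessor):
    """Fault model: no response set at all (hung processor)."""

    def execute(self, cmds, t0_ms):
        return []


def evaluate(cmds, responses, t0_ms, deadline_ms=20) -> tuple[bool, str]:
    """Part two of the sub-level: compare the response set with the command
    set.  Any deviation in count, order, value or timing is a malfunction."""
    if len(responses) != len(cmds):
        return False, f"response count {len(responses)} != {len(cmds)}"
    for cmd, resp in zip(cmds, responses):
        if resp.seq != cmd.seq:
            return False, f"out of order: expected seq {cmd.seq}, got {resp.seq}"
        expected = OPS[cmd.op](cmd.a, cmd.b)
        if resp.value != expected:
            return False, f"wrong answer for seq {cmd.seq}: {resp.value} != {expected}"
        elapsed = resp.t_ms - t0_ms
        if elapsed > deadline_ms:
            return False, f"seq {cmd.seq} late: {elapsed} ms > {deadline_ms} ms"
    return True, "ok"


def level3_check(processor: MainProcessor, seed: int = 0, t0_ms: int = 0) -> tuple[bool, str]:
    """One complete third-level cycle for one main processor.  The caller
    should vary seed from cycle to cycle so that a replayed response set
    fails the value check."""
    cmds = generate_check_set(random.Random(seed))
    responses = processor.execute(cmds, t0_ms)
    return evaluate(cmds, responses, t0_ms)


if __name__ == "__main__":
    for proc in (MainProcessor(), FlippedBitProcessor(), ReorderingProcessor(),
                 StalledProcessor(), SilentProcessor()):
        print(f"{type(proc).__name__:22s} {level3_check(proc)}")
```

Run stand-alone, the script prints one (ok, reason) pair per processor model. Two design points carry over to a real monitoring computer: the monitor computes its reference answers with its own code, so a defect shared by both sides cannot mask itself, and the command set is regenerated from a fresh seed in every cycle, so a main processor that merely replays a recorded answer set still fails the value check.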
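The monitoring routine of flowchart 1 (branch 2, block 3, branch 5, block 7), the cooperating-unit rule for the two partial drive trains of a dual clutch transmission, and the fallback to the redundant signal line, as an added example in Python. It is not code from the patent; the control unit names, safe states, cooperation pairs, the bus flag and the per-cycle main_processor_ok flags standing in for a completed level-3 check are assumptions made for illustration.

```python
"""Added example (not code from the patent): the monitoring routine of
flowchart 1 run in the superordinate control unit.  A fault in the parent's
own main processor secures every subordinate unit (branch 2, block 3);
otherwise each subordinate main processor is checked in turn (branch 5), a
faulty one is secured together with the units that cooperate with it, and
the routine ends (block 7) to be restarted by the caller.  The safe-state
command uses the first signal line when it is up and the redundant line
otherwise.  Unit names, safe states, cooperation pairs and the
main_processor_ok flags (standing in for a completed level-3 check) are
assumptions made for illustration."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class SubordinateEcu:
    name: str
    safe_state: str                  # what its actuator does when secured
    cooperates_with: tuple = ()      # peers that must be secured along with it
    main_processor_ok: bool = True   # level-3 result for the current cycle
    state: str = "operating"


@dataclass
class ControlUnitArrangement:
    parent_main_processor_ok: bool = True
    bus_ok: bool = True              # first signal line (CAN, FlexRay, ...)
    subordinates: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def add(self, ecu: SubordinateEcu) -> None:
        self.subordinates[ecu.name] = ecu

    def secure(self, ecu: SubordinateEcu, reason: str) -> None:
        """Transfer one subordinate unit to its safe state.  The command
        travels over the first signal line if it is available, otherwise over
        the dedicated redundant line.  Already secured units are left alone."""
        if ecu.state == "safe":
            return
        line = "bus" if self.bus_ok else "redundant line"
        ecu.state = "safe"
        self.log.append(f"{ecu.name} -> {ecu.safe_state} via {line} ({reason})")

    def run_cycle(self) -> list[str]:
        """One pass of the monitoring routine; returns the safe-state commands
        issued during this pass."""
        self.log = []
        # Branch 2 / block 3: a fault in the parent's main processor secures
        # all subordinate units.
        if not self.parent_main_processor_ok:
            for ecu in self.subordinates.values():
                self.secure(ecu, "parent main processor fault")
            return self.log
        # Branch 5: check the subordinate main processors one after another.
        for ecu in list(self.subordinates.values()):
            if ecu.main_processor_ok:
                continue
            self.secure(ecu, "own main processor fault")
            for peer_name in ecu.cooperates_with:
                self.secure(self.subordinates[peer_name],
                            f"cooperates with faulty {ecu.name}")
        # Block 7: routine ends; the caller restarts it for continuous monitoring.
        return self.log

    def secured(self) -> list[str]:
        return sorted(n for n, e in self.subordinates.items() if e.state == "safe")


def dual_clutch_arrangement(**flags) -> ControlUnitArrangement:
    """Constructed sample: two clutch actuators and two gear actuators of a
    dual clutch transmission, the two gear actuators cooperating as the two
    partial drive trains."""
    arr = ControlUnitArrangement(**flags)
    arr.add(SubordinateEcu("clutch1", "open clutch"))
    arr.add(SubordinateEcu("clutch2", "open clutch"))
    arr.add(SubordinateEcu("gear1", "engage neutral", cooperates_with=("gear2",)))
    arr.add(SubordinateEcu("gear2", "engage neutral", cooperates_with=("gear1",)))
    return arr


if __name__ == "__main__":
    arr = dual_clutch_arrangement()
    arr.subordinates["gear1"].main_processor_ok = False
    print(arr.run_cycle())          # gear1 and gear2 secured via bus
    arr = dual_clutch_arrangement(parent_main_processor_ok=False, bus_ok=False)
    print(arr.run_cycle())          # all four secured via the redundant line
```

The routine is idempotent: a unit already in its safe state is not commanded again, so the caller can restart run_cycle every monitoring period without generating duplicate safe-state commands, and the cooperation rule propagates only one hop, as the description requires (the faulty gear actuator takes its partner with it, the clutch actuators stay operational).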
Landscapes
- Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Automation & Control Theory (AREA)
- General Engineering & Computer Science (AREA)
- Mechanical Engineering (AREA)
- Safety Devices In Control Systems (AREA)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE112011100917T DE112011100917A5 (de) | 2010-03-15 | 2011-02-15 | Control device arrangement (Steuergeräteanordnung) |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE102010011452 | 2010-03-15 | ||
DE102010011452.9 | 2010-03-15 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2011113405A1 (fr) | 2011-09-22 |
Family
ID=44168258
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/DE2011/000138 WO2011113405A1 (fr) | 2010-03-15 | 2011-02-15 | Control device arrangement (Groupement d'appareils de commande) |
Country Status (2)
Country | Link |
---|---|
DE (2) | DE102011011224A1 (fr) |
WO (1) | WO2011113405A1 (fr) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE102012003328A1 (de) | 2012-02-15 | 2013-08-22 | Getrag Getriebe- Und Zahnradfabrik Hermann Hagenmeyer Gmbh & Cie Kg | Method and control unit for a drive train component |
DE102016222060A1 (de) | 2016-11-10 | 2018-05-17 | Schaeffler Technologies AG & Co. KG | Control unit for an actuator system for switching between a lower and a higher functional safety level, and control unit system for controlling an actuator system |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE102005003916A1 (de) * | 2005-01-27 | 2006-08-24 | Siemens Ag | Monitoring the functional safety of an internal combustion engine |
DE102007045509A1 (de) * | 2007-09-24 | 2009-04-23 | Continental Automotive Gmbh | Vehicle control unit with a supply-voltage-monitored microcontroller and associated method |
2011
- 2011-02-15 WO PCT/DE2011/000138 (WO2011113405A1, fr): active, application filing
- 2011-02-15 DE DE102011011224A (DE102011011224A1, de): not active, withdrawn
- 2011-02-15 DE DE112011100917T (DE112011100917A5, de): not active, withdrawn
Non-Patent Citations (2)
Title |
---|
"Innovatives Doppelkupplungssystem fuer Sportwagen" [Innovative dual clutch system for sports cars], ATZ Automobiltechnische Zeitschrift, Vieweg Publishing, Wiesbaden, DE, vol. 111, no. 4, 1 April 2009, pages 252-261, XP001521129, ISSN 0001-2785 * |
HOBELSBERGER, MARTIN; MOTTOK, JÜRGEN; DUMKE, REINER: "Modellbasierte Sicherheitsanalysen von Software-Architekturen" [Model-based safety analyses of software architectures], 27 August 2009, XP002646574, retrieved from the Internet <URL:http://www.opus-bayern.de/fh-regensburg/volltexte/2009/40/> [retrieved on 2011-06-29] * |
Also Published As
Publication number | Publication date |
---|---|
DE112011100917A5 (de) | 2013-01-17 |
DE102011011224A1 (de) | 2011-09-15 |
Similar Documents
Publication | Title |
---|---|
DE19927635B4 (de) | Safety-related automation bus system |
EP2972607B1 (fr) | Method for handling errors in a central control unit, and control unit |
DE102009054157B3 (de) | Control system for controlling safety-critical and non-safety-critical processes |
EP0742500A2 (fr) | Fail-safe single-switch and contact functions with error avoidance |
DE19933086A1 (de) | Method and device for mutual monitoring of control units |
EP1540428A1 (fr) | Redundant control device system |
EP1392546B1 (fr) | Control device for electrical systems |
EP1092177B1 (fr) | Controller or drive controller, drive, and method for controlling an actuating or drive system or a drive |
EP3661819B1 (fr) | Control system for a motor vehicle, motor vehicle, method for controlling a motor vehicle, computer program product and computer-readable medium |
DE19509150C2 (de) | Method for controlling and regulating vehicle brake systems, and vehicle brake system |
DE102006008575B4 (de) | Transmission actuating device, motor vehicle component and method for establishing a fail-safe state of a transmission actuating device |
DE102017109886A1 (de) | Control system for controlling safety-critical and non-safety-critical processes with master-slave functionality |
DE102008009652A1 (de) | Monitoring device and monitoring method for a sensor, and sensor |
EP3100121B1 (fr) | Method and device for safely disconnecting an electrical load |
DE102005023296B4 (de) | Train protection system |
EP2237118B1 (fr) | Safety system for ensuring the fail-safe control of electrical installations, and safety controller equipped with it |
WO2011113405A1 (fr) | Control device arrangement |
DE102012221277A1 (de) | Vehicle control device |
EP3470937A1 (fr) | Method and devices for monitoring the response time of a safety function provided by a safety system |
DE102005007477B4 (de) | Programmable controller for machine and/or plant automation with standard control and safety functions and communication with a safety I/O, and method for operating the programmable controller |
DE10328059A1 (de) | Method and device for monitoring a distributed system |
EP2612059A2 (fr) | Device and method for controlling a dual clutch transmission |
DE102013213402A1 (de) | Microcontroller with at least two cores |
EP4211525B1 (fr) | Device and method for generating and transmitting control commands for a motor vehicle driving in automated mode |
WO2004036324A1 (fr) | Method and device for process automation with redundant control devices for controlling peripherals via a bus system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 11716364 Country of ref document: EP Kind code of ref document: A1 |
|
WWE | Wipo information: entry into national phase |
Ref document number: 112011100917 Country of ref document: DE Ref document number: 1120111009178 Country of ref document: DE |
|
REG | Reference to national code |
Ref country code: DE Ref legal event code: R225 Ref document number: 112011100917 Country of ref document: DE Effective date: 20130117 |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 11716364 Country of ref document: EP Kind code of ref document: A1 |