Method for handling errors in a central control unit and control unit
Patent abstract:
The invention relates to a method for the treatment of errors in a central control unit, wherein the control unit comprises a distributed computer system (100) to which sensors (112, 113, 122, 123) are connected or connectable, wherein the distributed computer system (100), in particular all components of the computer system, is divided into a first fault containment unit FCU1 (101) and a second fault containment unit FCU2 (102), the FCU1 (101) and the FCU2 (102) are each supplied by their own independent power supply, and wherein the FCU1 (101) and the FCU2 (102) exchange data exclusively via galvanically isolated lines, and wherein part of the sensors is connected at least to the FCU1 (101) and the other part of the sensors is connected at least to the FCU2 (102), and wherein the FCU1 (101) and the FCU2 (102) are connected to a redundant communication system (131, 132) having one or more actuators. In the event of FCU1 failure, the FCU2 maintains limited functionality using the sensors associated with the FCU2, and if the FCU2 fails, the FCU1 maintains limited functionality using the sensors associated with the FCU1.

Publication number: AT515454A2
Application number: T50824/2013
Filing date: 2013-12-13
Publication date: 2015-09-15
Inventor: Stefan Poledna
Applicant: Fts Computertechnik Gmbh
Main IPC class:
Patent description:
Method for handling errors in a central control unit and control unit

The invention relates to a method for the treatment of errors in a central control device, wherein the control device comprises a distributed computer system to which sensors are connected or connectable. Furthermore, the invention relates to a control device, in particular a central control device, wherein the control device comprises a distributed computer system to which sensors are connected or connectable. Finally, the invention also relates to a system comprising such a control unit, to which a number of sensors, in particular two or more, are connected.

The technological and economic developments in the field of microelectronics and sensor technology allow the construction of electronic assistance systems for motor vehicles which relieve the driver considerably in many driving situations. A typical assistance system consists of a number of different and partly redundant sensors (e.g. camera(s), radar, laser, ultrasonic sensors) that cyclically monitor the environment of the vehicle and hand over the preprocessed data to a central control unit for data fusion and further analysis. The central control unit calculates control variables for the steering, brakes and engine of the vehicle from these data, so that the vehicle can drive autonomously under certain conditions.

In a driver assistance system, the reliability and safety of the functions are of particular importance. Since in principle every component of a technical system can fail, it must be ensured by the appropriate application of redundancy that the important functions of the overall system can be maintained even if one sensor or one electronic component fails.
Since the triplexing of the electronics that is commonly used in aircraft electronics to mask a fault cannot be realized in vehicle electronics for cost reasons, new ways of achieving the required reliability and safety must be found.

It is an object of the present invention to specify a method for dealing with errors in a control device, in particular a central control device, e.g. a control device for a motor vehicle, so that the essential functions of the control unit can be maintained even after failure of a sensor or an electronic component, for example in order to be able to lead the vehicle autonomously to a safe state.

Furthermore, it is an object of the invention to provide a control device, in particular a central control device, preferably a control device for a motor vehicle, which can maintain its essential functions even after failure of a sensor or an electronic component, for example in order to be able to lead the vehicle autonomously to a safe state.

This object is achieved with a method mentioned above and a control unit mentioned above in that, according to the invention, the distributed computer system, in particular all components of the computer system, is divided into a first fault containment unit FCU1 and a second fault containment unit FCU2, the FCU1 and the FCU2 are each supplied by their own independent power supply, and wherein the FCU1 and the FCU2 exchange data exclusively via galvanically isolated lines, and part of the sensors is connected at least to the FCU1 and the other part of the sensors is connected at least to the FCU2, and wherein the FCU1 and the FCU2 are connected to a communication system with one or more actuators, in particular for forwarding results of the fault containment units to the actuators, so that in case of failure of the FCU1, the FCU2 maintains a limited functionality using the sensors assigned to the FCU2, and in the event of FCU2 failure, the FCU1 maintains limited functionality using the sensors associated with the FCU1.
The communication system is preferably configured redundantly.

According to the invention, the functions of the central control unit are divided into two independent fault containment units (FCUs), the FCU1 and the FCU2. An FCU is a unit that encapsulates all immediate consequences of a failure of one of its components (see [5, p.136]). Each of the two FCUs consists of two subsystems, the SSI, which performs the specified function, and the SS2, which monitors the correct behavior of the SSI. Some of the sensors are connected at least to the FCU1 and the other part at least to the FCU2. The two FCUs, FCU1 and FCU2, are powered by separate power supplies and communicate over galvanically isolated lines in order to preclude propagation of a hardware failure of one FCU to the other FCU. Each of the two FCUs can, with its associated sensors, observe the environment and maintain minimal functionality of the vehicle without the involvement of the other FCU. This minimal functionality allows limited but safe operation of the vehicle until a safe state is achieved (e.g., autonomous parking of the vehicle at the roadside, or until a time when the driver takes manual control of the vehicle). Normally, when both FCUs are functional, full functionality is provided.

For reasons of reliability (and also for reasons of cost), both FCUs are arranged on a single circuit board. By arranging both FCUs on one printed circuit board, the signals of the FCUs can be exchanged via conductor tracks without mechanical plug connections. Experience has shown that a conductor track has a much higher reliability (and lower cost) than a connector. This advantage is offset by the disadvantage that in the (rare) case of a permanent hardware fault, the entire circuit board has to be replaced.

The present invention thus describes how failure of a part of the control device and of the sensors can be tolerated through the design and function of a central control device in a vehicle.
It is proposed to divide the functions of the central control unit into two independent fault containment units (FCUs), each FCU being connected to a part of the sensors and having its own power supply, and where the two FCUs exchange data exclusively via galvanically isolated lines. If one FCU or the sensors connected to it fail, the other FCU is able to maintain the specified function to a limited extent with its sensors.

None of the patents [1] - [4] found in a patent analysis discloses a device or method that is similar or close to that described above.

Advantageous embodiments of the method according to the invention and of the control unit according to the invention are described in the subclaims, wherein any combination of the preferred technical features enumerated below can be realized:

• the FCU1 and the FCU2, or one or more components of the FCU1 and one or more components of the FCU2, have access to a globally synchronized time;
• the FCU1 and the FCU2 each consist of a first subsystem SSI and a second subsystem SS2, the first subsystems SSI processing the sensor data and the second subsystems SS2 monitoring the function of the respective first subsystem SSI;
• the second subsystems SS2 periodically execute a challenge-response protocol for checking the function of the first subsystem SSI;
• the second subsystems SS2 monitor the power supply of their fault containment unit;
• the second subsystems SS2 periodically check the data structures within their fault containment unit;
• a second subsystem periodically sends an I-am-alive message to the other fault containment unit;
• the timely arrival of the periodic I-am-alive message is monitored by the other fault containment unit with a time-out;
• the times of sending the I-am-alive message and the time-out monitoring of the I-am-alive message in the receiving fault containment unit are synchronized over the global time;
• in the event of a fault containment unit failure, detected in particular as a result of the expiry of the time-out of the I-am-alive message, the surviving fault containment unit realizes a limited functionality using the sensors assigned to it;
• each functioning fault containment unit periodically sends the relevant part of its internal state to the other fault containment unit;
• after the failure of the first subsystem SSI of a fault containment unit, the second subsystem SS2 initiates a reset of the first subsystem SSI, and subsequently the failed fault containment unit performs a reintegration using the internal state of the other fault containment unit;
• monitor and simulation components observe sensor data and simulate the sensor function in real time;
• the FCU1 and the FCU2 are arranged on a single circuit board;
• a sensor assigned to a fault containment unit is connected or connectable directly to this fault containment unit;
• a sensor assigned to a fault containment unit is connected or connectable to a message distribution unit, which message distribution unit is connected or connectable both to the fault containment unit assigned to the sensor and to the other fault containment unit;
• the FCU1 and the FCU2 are connected or connectable to diverse sensors;
• a monitor and simulation component can be connected to the message distribution units.

In the following, an exemplary realization of the invention is discussed in more detail with reference to the drawing, in which
Fig. 1 shows the structure of a central control device according to the invention, and
Fig. 2 shows the connection of sensors to the central control unit via message distribution units.

Fig. 1 shows the structure of a central control device. The function of the control unit is realized by a distributed computer system, wherein the components of this distributed computer system are arranged on a central board 100. The components of the computer system are, for example, CPUs, GPUs, FPGAs, memory components, etc.
The computer system is divided into an FCU1 101, located to the left of the dividing line 103, and an FCU2 102, located to the right of the dividing line 103; the components of the computer system are distributed between these two FCUs.

The FCU1 101 consists of a function subsystem SSI 110 and a monitor subsystem SS2 111. In the illustrated, non-limiting example, two sensors 112, 113 are connected directly to the SSI 110. The SS2 111 of the FCU 101 is connected via a data bus 117 to the SSI 110 and via a galvanic isolation 130 to a data bus 127 of the FCU2 102. Via a direct line 118, SS2 111 can send a hardware reset signal to SSI 110. SSI 110 is connected via a connection 115 to the data bus 132 and via a connection 116 to a data bus 131.

The structure of FCU2 102 is analogous to FCU1. FCU2 102 consists of a function subsystem SSI 120 and a monitor subsystem SS2 121. In the illustrated, non-limiting example, two sensors 122, 123 are connected directly to the SSI 120. The SS2 121 of the FCU 102 is connected to the SSI 120 via a data bus 127 and to the data bus 117 of the FCU1 101 via the galvanic isolation 130. Via the direct line 128, SS2 121 can send a hardware reset signal to SSI 120. SSI 120 is connected via a connection 125 to the data bus 132 and via the connection 126 to the data bus 131.

The sensors 112, 113, 122, 123 are generally different (diversified); for example, the sensor 112 may be a camera with a telephoto lens, the sensor 113 a radar sensor, the sensor 122 a laser sensor and the sensor 123 a camera with a wide-angle lens. As part of the system design, it must be ensured that each of the two FCUs can maintain the restricted operation with the sensors assigned to it.

Preferably, all components of the FCU1 110 and the FCU2 120 as well as the connected sensors 112, 113, 122, 123 have access to a global time. The clock synchronization can be realized by means of the IEEE 1588 standard [7].
In normal operation, SSI 110 of FCU1 101 periodically receives data from sensors 112 and 113 and processes this data in order, for example, to detect objects in the environment of the vehicle. Similarly, SSI 120 of FCU2 102 periodically receives data from sensors 122 and 123 and processes this data in order, for example, to detect objects around the vehicle. Subsequently, the detected objects are exchanged via the buses 117 of the FCU1 101 and 127 of the FCU2 102, respectively, in order, in this example, to improve a model of the environment of the vehicle. On the basis of this improved environment model, the two SSI calculate the desired manipulated variables and periodically pass these manipulated variables to the actuators via a redundant communication system in the form of the redundant buses 131 and 132. In normal operation, an actuator receives four identical values at the end of a cycle, two from FCU1 101 (one over bus 131 and one over bus 132) and two from FCU2 102 (one over bus 131 and one over bus 132).

In normal operation, the monitor components SS2 (the components 111 in FCU 101 and 121 in FCU 102) monitor the power supply of the respective FCU, the plausibility of the data structures of the respective FCU, and the function of the processing components SSI (the components 110 in FCU 101 and 120 in FCU 102).

The plausibility of the data structures of the FCU is checked at the syntactic and preferably also at the semantic level. The syntactic check concerns the formal integrity of the data structure. The semantic check covers the plausibility of the values stored in the data structures.

The function of the processing components SSI is monitored by the periodic execution of a challenge-response protocol. A challenge-response protocol is a special form of a request-reply protocol.
The sender SS2 periodically transmits input data to SSI and requests SSI to calculate the result by means of a predetermined program, which comprises the execution of as many of the SSI hardware commands as possible, and to respond within a predetermined time limit. If the result calculated by SSI is correct and timely, SS2 concludes that the SSI hardware is working.

If all checks confirm the integrity of the monitored SSI, the SS2 111 of the FCU1 101 sends an I-am-alive message to the SS2 121 of the FCU 102 via the bus 117. Similarly, the SS2 121 of the FCU2 102 sends an I-am-alive message via the bus 127 to the SS2 111 of the FCU 101. The respective receiver of the I-am-alive message monitors this periodic message with a time-out. According to the invention, the time of sending the I-am-alive message is synchronized with the time of the time-out of the I-am-alive message over the global time in order to minimize the error detection latency.

If no error is detected, the FCU1 110 periodically sends the relevant part of its internal state and the global time to the FCU2 120. Similarly, if no error is detected, the FCU2 120 periodically sends the relevant part of its internal state and the global time to the FCU1 110. The relevant part of the internal state comprises the information of the ground state that is classified as important. The ground state of a cyclic system is the state of the system at that periodically recurring point in time at which the entirety of the information from the past that may have an influence on the future behavior of the system passes through a minimum within the cycle. As part of the development of an application, it must be decided which information of the ground state is relevant in this application. For example, in a driver assistance system, it may be determined that all objects having a diameter of more than 10 cm and lying on the road are to be represented in the relevant part of the internal state of the model describing the environment of the vehicle.
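The monitoring described above, written out as an added C example (not code from the patent): SS2 checks the challenge response for correctness and timeliness, and the receiving SS2 derives the time-out of each I-am-alive message from the same global-time schedule the sender uses, switching to limited functionality when a message is missing. The timing constants, the self-test function and all names are assumptions; reintegration is not modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed timing on the global time base, in microseconds (constructed values). */
#define CYCLE_US        10000u /* length of one cycle */
#define ALIVE_OFFSET_US  2000u /* I-am-alive is sent at cycle start + offset */
#define ALIVE_SLACK_US    300u /* allowed transport delay plus clock precision */
#define CR_LIMIT_US       500u /* time limit for the challenge response */

typedef enum { MODE_FULL, MODE_LIMITED } fcu_mode_t;

/* Results of the three checks SS2 runs on its own FCU in each cycle. */
typedef struct { bool power_ok; bool data_ok; bool cr_ok; } ss2_checks_t;

/* State SS2 keeps about the I-am-alive messages of the other FCU. */
typedef struct { uint64_t next_cycle; fcu_mode_t mode; } partner_monitor_t;

/* Hypothetical stand-in for the predetermined program run by SSI: it mixes
 * multiply, rotate, shift, xor and add so that several units are exercised. */
uint32_t selftest_program(uint32_t challenge)
{
    uint32_t x = challenge ^ 0x9E3779B9u;
    for (int i = 0; i < 16; i++) {
        x *= 2654435761u;
        x = (x << 13) | (x >> 19);
        x ^= x >> 7;
        x += (uint32_t)i;
    }
    return x;
}

/* SS2 side of the challenge-response: the answer must be correct AND timely. */
bool ss2_check_response(uint32_t challenge, uint32_t response,
                        uint64_t t_sent_us, uint64_t t_recv_us)
{
    if (t_recv_us < t_sent_us)
        return false;                     /* time stamps are inconsistent */
    if (t_recv_us - t_sent_us > CR_LIMIT_US)
        return false;                     /* correct but late counts as failed */
    return response == selftest_program(challenge);
}

/* The I-am-alive message is sent only if every check of this cycle passed. */
bool ss2_should_send_alive(const ss2_checks_t *c)
{
    return c->power_ok && c->data_ok && c->cr_ok;
}

/* Sender and receiver compute both instants from the cycle number, so the
 * time-out is tied to the send instant instead of a free-running timer. */
uint64_t alive_send_time(uint64_t cycle)
{
    return cycle * CYCLE_US + ALIVE_OFFSET_US;
}

uint64_t alive_deadline(uint64_t cycle)
{
    return alive_send_time(cycle) + ALIVE_SLACK_US;
}

void monitor_init(partner_monitor_t *m, uint64_t first_cycle)
{
    m->next_cycle = first_cycle;
    m->mode = MODE_FULL;
}

/* Accept an I-am-alive message only for the expected cycle and before its deadline. */
void monitor_on_alive(partner_monitor_t *m, uint64_t cycle, uint64_t now_us)
{
    if (cycle == m->next_cycle && now_us <= alive_deadline(cycle))
        m->next_cycle = cycle + 1;
}

/* Called periodically: a missed deadline latches limited functionality. */
fcu_mode_t monitor_poll(partner_monitor_t *m, uint64_t now_us)
{
    if (m->mode == MODE_FULL && now_us > alive_deadline(m->next_cycle))
        m->mode = MODE_LIMITED;
    return m->mode;
}

int main(void)
{
    partner_monitor_t m;
    monitor_init(&m, 0);
    /* Constructed scenario: the partner is alive in cycles 0 and 1, then fails. */
    for (uint64_t c = 0; c < 4; c++) {
        if (c < 2)
            monitor_on_alive(&m, c, alive_send_time(c) + 120);
        fcu_mode_t mode = monitor_poll(&m, alive_deadline(c) + 1);
        printf("cycle %llu: %s\n", (unsigned long long)c,
               mode == MODE_FULL ? "full" : "limited");
    }
    return m.mode == MODE_LIMITED ? 0 : 1;
}
```

With these assumed constants, a partner that stops sending is detected at the deadline of the first cycle in which its message is missing.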
If an error has occurred in the FCU1 101 or in one or more of the sensors 112 or 113 connected to FCU1, or if the power supply of FCU1 101 has failed, then SS2 111 does not send an I-am-alive message to SS2 121. SS2 121 detects the error immediately by the absence of the periodic I-am-alive message from SS2 111. SS2 121 then prompts SSI 120 of FCU2 102 to implement limited operation with the existing sensors 122 and 123 and to bring the vehicle to a safe state.

If an error has occurred in the FCU2 102 or in one or more of the sensors 122 or 123 connected to FCU2, or if the power supply of FCU2 102 has failed, then SS2 121 does not send an I-am-alive message to SS2 111. SS2 111 detects the error immediately by the absence of the periodic I-am-alive message from SS2 121. SS2 111 then requests SSI 110 of FCU1 101 to implement limited operation with the existing sensors 112 and 113 and to bring the vehicle to a safe state.

Since the probability of the occurrence of a transient error is orders of magnitude higher than that of a permanent error [5, p.155], the faulty FCU immediately attempts an autonomous restart after detecting an error. First, SS2 performs a hardware reset in order to reinitialize all internal data structures of SS2. In the next step, SS2 initiates a hardware reset of SSI and of the sensors connected to SSI via the hardware reset line (the line 118 in FCU1 101 or the line 128 in FCU2 102). Subsequently, the FCU waits until the message with the relevant part of the internal state arrives from the operational FCU. This message also contains the global time and allows the time synchronization of the faulty FCU and the connected sensors. The restarting FCU then takes over the internal state of the partner FCU and completes the reintegration by resuming the sending of the I-am-alive message.

Fig. 2 shows an alternative for the connection of the sensors. Between the sensors 112 and 113 and the FCUs, a message distribution unit 118 is inserted, so that the sensor data of 112 and 113 can be transmitted to both the FCU1 101 and the FCU2 102.
Analogously, a message distribution unit 128 is inserted between the sensors 122 and 123 and the FCUs, so that the sensor data of 122 and 123 can be transmitted to both the FCU1 101 and the FCU2 102. The advantage of this alternative, which is associated with higher costs, is that in case of failure of an FCU, the remaining functional FCU has access to all sensor data. Another advantage is that, via connections such as the connectors 141, an external monitor and simulator 140 can be connected to the distribution units 118 and 128, so that all sensor data can be observed during commissioning without affecting the system behavior, and the stored sensor data can be sent again in real time to the FCU 101 and the FCU 102 in a replay procedure in order to analyze special cases repeatedly and precisely. The protocol for the message distribution units 118 and 128 is the TT Ethernet protocol [6].

Cited documents:
[1] US Patent 8,566,633. Fuhrman, et al. Method of Dynamic Allocation on a Statically Allocated and Embedded Software Architecture. Granted Oct. 22, 2013.
[2] US Patent 7,669,073. Graham et al. System and Method for Split Mode Operation of Fault-Tolerant Computer Systems. Granted Feb. 23, 2010.
[3] US Patent 6,654,910. Eibach et al. Intelligent Fault Management. Granted Nov. 25, 2003.
[4] US Patent Application 20110246831. Das; Dipankar et al. Method and Apparatus for Operational Level Functional and Degradation Fault Analysis. Published Oct. 6, 2011.
[5] Kopetz, H. Real-Time Systems, Design Principles for Distributed Embedded Applications. Springer Verlag. 2011.
[6] SAE Standard AS6802 of TT Ethernet. URL: http://standards.sae.org/as6802
[7] IEEE 1588 Standard for a Precision Clock Synchronization Protocol for Network Measurement and Control Systems. URL: http://www.ieeel588.com/
Claims:
Claims (34)

1. A method for handling errors in a central control device, wherein the control device comprises a distributed computer system (100) to which sensors (112, 113, 122, 123) are connected or connectable, characterized in that the distributed computer system (100), in particular all components of the computer system, is divided into a first fault containment unit FCU1 (101) and a second fault containment unit FCU2 (102), the FCU1 (101) and the FCU2 (102) each having its own independent power supply, and wherein the FCU1 (101) and the FCU2 (102) exchange data exclusively via galvanically isolated lines, and part of the sensors is connected at least to the FCU1 (101) and the other part of the sensors is connected at least to the FCU2 (102), and wherein the FCU1 (101) and the FCU2 (102) are connected to a communication system (131, 132) having one or more actuators.

2. The method according to claim 1, characterized in that the communication system (131, 132) is designed to be redundant.

3. The method according to claim 1 or 2, characterized in that the FCU1 and the FCU2, or one or more components of the FCU1 and one or more components of the FCU2, have access to a globally synchronized time.

4. The method according to any one of claims 1 to 3, characterized in that the FCU1 and the FCU2 each consist of a first subsystem SSI (110, 120) and a second subsystem SS2 (111, 121), wherein the first subsystems SSI (110, 120) perform the processing of the sensor data and the second subsystems SS2 (111, 121) monitor the function of the respective first subsystem SSI (110, 120).

5. The method according to claim 4, characterized in that the second subsystems SS2 (111, 121) periodically execute a challenge-response protocol for checking the function of the first subsystem SSI (110, 120).

6. The method according to claim 4 or 5, characterized in that the second subsystems SS2 (111, 121) monitor the power supply of their fault containment unit (101, 102).

7. The method according to any one of claims 4 to 6, characterized in that the second subsystems SS2 (111, 121) periodically check the data structures within their fault containment unit (101, 102).

8. The method according to any one of claims 4 to 7, characterized in that a second subsystem (111, 121) periodically sends an I-am-alive message to the other fault containment unit (102, 101).

9. The method according to claim 8, characterized in that the timely arrival of the periodic I-am-alive message from the other fault containment unit is monitored with a time-out.

10. The method according to claim 9, characterized in that the times of sending the I-am-alive message and the time-out monitoring of the I-am-alive message in the receiving fault containment unit are synchronized over the global time.

11. The method according to any one of claims 1 to 10, characterized in that, in the case of a failure of a fault containment unit (101, 102) recognized in particular on the expiry of the time-out of the I-am-alive message, the surviving fault containment unit (102, 101) realizes a limited functionality using its associated sensors.

12. The method according to any one of claims 1 to 11, characterized in that each functioning fault containment unit (101, 102) periodically sends the relevant part of its internal state to the other fault containment unit (102, 101).

13. The method according to any one of claims 4 to 12, characterized in that after a failure of the first subsystem SSI (110, 120) of a fault containment unit (101, 102), the second subsystem SS2 (111, 121) initiates a reset of the first subsystem SSI (110, 120) and, as a result, the failed fault containment unit (101, 102) reintegrates using the internal state of the other fault containment unit (102, 101).

14. The method according to any one of claims 1 to 13, characterized in that, with a monitor and simulation component, data of the sensors are observed and the function of the sensors is simulated in real time.

15. Control unit, in particular central control unit, wherein the control unit comprises a distributed computer system (100) to which sensors (112, 113, 122, 123) are connected or connectable, characterized in that the distributed computer system (100), in particular all components of the computer system, is divided into a first fault containment unit FCU1 (101) and a second fault containment unit FCU2 (102), wherein the FCU1 (101) and the FCU2 (102) each have a separate, independent power supply, and wherein the FCU1 (101) and the FCU2 (102) exchange data exclusively via galvanically isolated lines, and wherein a part of the sensors is connected at least to the FCU1 (101) and the other part of the sensors is connected at least to the FCU2 (102), and wherein the FCU1 (101) and the FCU2 (102) are connected to a communication system (131, 132) having one or more actuators.

16. Control device according to claim 15, characterized in that the communication system (131, 132) is designed to be redundant.

17. Control device according to claim 15 or 16, characterized in that the FCU1 and the FCU2, or one or more components of the FCU1 and one or more components of the FCU2, have access to a globally synchronized time.

18. Control unit according to one of claims 15 to 17, characterized in that the FCU1 and the FCU2 each consist of a first subsystem SSI (110, 120) and a second subsystem SS2 (111, 121), wherein the first subsystems SSI (110, 120) perform the processing of the sensor data and the second subsystems SS2 (111, 121) monitor the function of the respective first subsystem SSI (110, 120).

19. Control unit according to claim 18, characterized in that the second subsystems SS2 (111, 121) periodically execute a challenge-response protocol for checking the function of the first subsystem SSI (110, 120).

20. Control unit according to claim 18 or 19, characterized in that the second subsystems SS2 (111, 121) monitor the power supply of their fault containment unit (101, 102).

21. Control device according to one of claims 18 to 20, characterized in that the second subsystems SS2 (111, 121) periodically check the data structures within their fault containment unit (101, 102).

22. Control unit according to one of claims 18 to 21, characterized in that a second subsystem (111, 121) periodically sends an I-am-alive message to the other fault containment unit (102, 101).

23. Control unit according to claim 22, characterized in that the timely arrival of the periodic I-am-alive message from the other fault containment unit is monitored with a time-out.

24. Control unit according to claim 23, characterized in that the times of sending the I-am-alive message and the time-out monitoring of the I-am-alive message in the receiving fault containment unit are synchronized over the global time.

25. Control unit according to one of claims 15 to 24, characterized in that, in the case of a failure of a fault containment unit (101, 102) recognized in particular on the expiry of the time-out of the I-am-alive message, the surviving fault containment unit (102, 101) realizes a limited functionality using its associated sensors.

26. Control unit according to one of claims 15 to 25, characterized in that each functioning fault containment unit (101, 102) periodically sends the relevant part of its internal state to the other fault containment unit (102, 101).

27. Control device according to one of claims 18 to 26, characterized in that after the failure of the first subsystem SSI (110, 120) of a fault containment unit (101, 102), the second subsystem SS2 (111, 121) initiates a reset of the first subsystem SSI (110, 120) and, as a result, the failed fault containment unit (101, 102) reintegrates using the internal state of the other fault containment unit (102, 101).

28. Control device according to one of claims 15 to 27, characterized in that, with a monitor and simulation component, data of the sensors are observed and the function of the sensors is simulated in real time.

29. Control device according to one of claims 15 to 28, characterized in that the FCU1 and the FCU2 are arranged on a single circuit board (100).

30. Control device according to one of claims 15 to 29, characterized in that a sensor associated with a fault containment unit is directly connected or connectable to this fault containment unit.

31. Control unit according to one of claims 15 to 29, characterized in that a sensor associated with a fault containment unit is connected or connectable to a message distribution unit, which message distribution unit is connected or connectable both to the fault containment unit associated with the sensor and to the other fault containment unit.

32. Control device according to one of claims 15 to 31, characterized in that the FCU1 and the FCU2 are connectable or connected to diverse sensors.

33. Control device according to claim 31 or 32, characterized in that a monitor and simulation component can be connected to the message distribution units.

34. A system comprising a control device according to any one of claims 15 to 33, wherein the control device is connected to a number of sensors.
Patent family:
Publication number | Publication date
EP2972607B1 | 2020-09-23
US20160034363A1 | 2016-02-04
US9880911B2 | 2018-01-30
AT515454A3 | 2018-07-15
WO2014138767A1 | 2014-09-18
EP2972607A1 | 2016-01-20
Legal status:
Priority:
Application number | Filing date | Patent title
AT2002013 | 2013-03-14
ATA50824/2013A | AT515454A3 | 2013-03-14 | 2013-12-13 | Method for handling errors in a central control unit and control unit
US14/776,359 | US9880911B2 | 2013-03-14 | 2014-03-13 | Method for handling faults in a central control device, and control device
PCT/AT2014/050064 | WO2014138767A1 | 2013-03-14 | 2014-03-13 | Method for handling faults in a central control device, and control device
EP14719192.8A | EP2972607B1 | 2013-03-14 | 2014-03-13 | Method for handling faults in a central control device, and control device