Reexamination Certificate
1999-12-22
2004-11-23
Louis-Jacques, Jacques H. (Department: 3661)
Data processing: vehicles, navigation, and relative location
Vehicle control, guidance, operation, or indication
Indication or control of braking, acceleration, or deceleration
C701S033000, C701S070000, C303S122000, C303S122050, C303S122060, C714S012000, C700S004000, C700S020000
active
06823251
ABSTRACT:
TECHNICAL FIELD
The present invention relates generally to vehicle safety systems and more particularly relates to a microprocessor system for safety-critical control operations.
BACKGROUND OF THE INVENTION
Safety-critical control operations of this type include, among others, control systems which intervene in the braking function of an automotive vehicle. These control systems are marketed in large quantities and under many different designs. Examples are anti-lock systems (ABS), traction slip control systems (TCS), driving stability control systems (DSC, ASMS), suspension control systems, etc. Failure of any such control system jeopardizes the driving stability of the vehicle. Therefore, operability of the systems is constantly monitored in order to deactivate the control when a malfunction occurs, or to switch it to a default mode which is less dangerous.
Matters are even more critical for brake systems or automotive vehicle control systems where a switch-over to a mechanical or hydraulic system is not possible upon failure of the electronics. Among those systems are brake system concepts such as ‘brake-by-wire’ which are likely to gain in significance in the future. The braking function in such systems strongly depends on intact electronics.
German patent No. 32 34 637 discloses one example of a circuit configuration or a microprocessor system for controlling and monitoring an anti-lock vehicle brake system. In this patent, the input data are sent in parallel to two identically programmed microcomputers where they are processed synchronously. The output signals and intermediate signals of the two microcomputers are compared for correlation by way of redundant comparators. In the event of non-correlation of the signals, the control is disconnected by a circuit which also has a redundant design. In this prior art circuit, one of the two microcomputers is used to produce the braking pressure control signals and the other one is used to produce the test signals. Thus, two complete microcomputers, including the associated read-only and random-access memories are required in this symmetrically designed microprocessor system.
In another prior art system, the circuit described in German patent application No. 41 37 124, the input data are also sent in parallel to two microcomputers, only one of which executes the complete sophisticated signal processing operation. The main purpose of the second microcomputer is to monitor the input signals and, after conditioning the input signals, to produce time derivatives, etc., that can be processed further by way of simplified control algorithms and a simplified control philosophy. The simplified data processing is sufficient to generate signals which indicate the proper operation of the system by comparison with the signals processed in the more sophisticated microcomputer. The use of a test microcomputer of lower capacity permits reducing the manufacturing effort compared to a system with two complete sophisticated microcomputers of the same capacity.
German patent application No. 43 41 082 discloses a microprocessor system which is provided especially for the control system of an anti-lock brake system. This known system, which can be incorporated on one single chip, comprises two central units in which the input data are processed in parallel. The read-only and the random-access memories which are connected to the two central units have additional memory locations for test information, each comprising a generator to produce the test information. The output signals of one of the two central units are further processed to produce the control signals, while the other central unit, being a passive central unit, is only used to monitor the active central unit.
Thus, the necessary safety is principally achieved by redundance of the data processing in the above-mentioned prior art systems. In the first case of application (German patent No. 32 34 637), the system is based on using two processors with identical software, which the experts call symmetrical redundance. In the second case of application (German patent application No. 41 37 124), two processors with different software are used (so-called unsymmetrical redundance). It is principally also possible to utilize one single processor which processes the input data on the basis of different algorithms, with additional testing algorithms then applied for determining faultless operation.
Finally, a system of the above-mentioned type is known from German patent application No. 195 29 434 (P 7959) which could be interpreted as a system with core redundance. In this prior art microprocessor system, two synchronously operated central units are provided on one chip or on several chips which have the same input information and execute the same program. The two central units are connected to the read-only and the random-access memories by way of separate bus systems as well as to input and output units. The bus systems are interconnected by drivers or bypasses, respectively, which enable both central units to jointly read and execute the data available, including the test data and commands. The system renders it possible to economize memory locations. Only one of the two central units is connected (directly) to a complete read-only and random-access memory, while the memory capacity of the second processor is limited to memory locations for test data (parity monitoring) in connection with a test data generator. Access to all data is possible by way of the bypasses. This makes it possible for both central units to execute the complete program.
All above-mentioned systems are principally based on the comparison of redundantly processed data and the generation of an error signal when differences appear. The control can be deactivated upon the occurrence of an error or malfunction of a system. An emergency operation function, i.e., continuing the control after the occurrence of the error, is in no case possible. Basically, such an emergency operation function would be possible only by doubling the redundant systems in connection with an identification and elimination of the source of errors.
An object of the present invention is to configure a microprocessor system of the above-mentioned type with as little additional effort and cost as possible so that an emergency operation function becomes possible upon the occurrence of an error without impairing safety.
The special features of this system are that at least three central units with associated bus systems are provided, which are extended by redundant periphery units into at least two complete control signal circuits and are interconnected in such a manner that, upon failure of a central unit or an associated component, the faulty central unit is identified by a majority decision and an emergency operation function is ensured, and the output or generation of control signals as a function of the faulty central unit is prevented. During the emergency operation function, preferably, redundant data processing and comparison of the data processing results for correlation is maintained and non-correlation of the data processing results is signaled.
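The majority decision and emergency operation described above can be modeled in software as follows. This is an added illustration, not code from the patent: the names `voter_t`, `voter_init` and `voter_step`, the per-cycle 16-bit results, and the choice to treat a signaled non-correlation during emergency operation as a shutdown are all assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define N_UNITS 3
typedef enum { MODE_NORMAL, MODE_EMERGENCY, MODE_SHUTDOWN } vote_mode_t;

typedef struct {
    bool active[N_UNITS];   /* false once a unit has been voted out */
    vote_mode_t mode;
} voter_t;

void voter_init(voter_t *v) {
    for (int i = 0; i < N_UNITS; i++) v->active[i] = true;
    v->mode = MODE_NORMAL;
}

/* One control cycle: r[i] is the result computed by central unit i.
 * Returns true and writes *out only when a control signal may be issued. */
bool voter_step(voter_t *v, const uint16_t r[N_UNITS], uint16_t *out) {
    if (v->mode == MODE_SHUTDOWN) return false;
    if (v->mode == MODE_NORMAL) {
        bool ab = r[0] == r[1], ac = r[0] == r[2], bc = r[1] == r[2];
        if (ab && ac) { *out = r[0]; return true; }
        /* Majority decision: the unit outside the agreeing pair is faulty. */
        int faulty = ab ? 2 : ac ? 1 : bc ? 0 : -1;
        if (faulty < 0) { v->mode = MODE_SHUTDOWN; return false; } /* no majority */
        v->active[faulty] = false;   /* its output is never used again */
        v->mode = MODE_EMERGENCY;
    }
    /* Emergency operation: the two remaining units are still compared. */
    int a = -1, b = -1;
    for (int i = 0; i < N_UNITS; i++)
        if (v->active[i]) { if (a < 0) a = i; else b = i; }
    if (r[a] != r[b]) { v->mode = MODE_SHUTDOWN; return false; } /* non-correlation */
    *out = r[a];
    return true;
}

int main(void) {
    /* Constructed per-cycle results; unit 1 fails in cycle 2, unit 2 in cycle 4. */
    const uint16_t cycles[4][N_UNITS] = {
        {100, 100, 100}, {200, 999, 200}, {300, 0, 300}, {400, 0, 401} };
    voter_t v; voter_init(&v);
    for (int c = 0; c < 4; c++) {
        uint16_t out = 0;
        bool ok = voter_step(&v, cycles[c], &out);
        printf("cycle %d: ok=%d out=%u mode=%d\n", c + 1, ok, out, (int)v.mode);
    }
    return 0;
}
```

With a single faulty unit the control signal keeps being issued from the agreeing pair; only a second disagreement removes the ability to tell which result is correct, at which point no output is produced.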
Thus, the present invention is founded upon the above-mentioned system known from German patent application No. 195 29 434 which is principally composed of one complete and one incomplete data processing system, and extends this system by an additional complete data processing system with the associated periphery units. The result is two complete control signal circuits or control signal processing systems which are interconnected to provide a total system that achieves an emergency operation function and ensures maintaining the control with redundant data processing and, hence, with the necessary high degree of safety even upon failure of a processor or a central unit. This means that the interconnection of the individual systems or components according to the present invention permits maintaining the redundance of the data processing even up
Continental Teves AG & Co. OHG
Honigman Miller Schwartz & Cohn LLP