1. Patent Search
  2. Details

Method and System for Performing Time-Synchronization Between Units of a Communication Bus System

20230155806 ยท 2023-05-18

    Inventors

    Cpc classification

    International classification

    Abstract

    A method for performing time-synchronization between a master clock of a master unit and a plurality of slave clocks of a corresponding plurality of slave units includes sending a forward time-synchronization message indicative of the master clock from the master unit to the plurality of slave units, in order to enable the plurality of slave units to time-synchronize their respective slave clocks with the master clock. The method also includes receiving a reverse time-synchronization message indicative of the respective slave clock from each of the plurality of slave units at a first validator. The method also includes time-synchronizing a plurality of validator clocks of the first validator to the corresponding plurality of slave clocks using the reverse time-synchronization messages from the plurality of slave units, and validating the time-synchronization between the plurality of slave clocks at the first validator based on the plurality of validator clocks.

    Claims

    1-12. (canceled)

    13. A method for performing time-synchronization between a master clock of a master unit and a plurality of slave clocks of a corresponding plurality of slave units within a communication bus system, the method comprising: sending a forward time-synchronization message indicative of the master clock from the master unit to the plurality of slave units, in order to enable the plurality of slave units to time-synchronize their respective slave clocks with the master clock; receiving a reverse time-synchronization message indicative of the respective slave clock from each of the plurality of slave units at a first validator; time-synchronizing a plurality of validator clocks of the first validator to the corresponding plurality of slave clocks, respectively, using the reverse time-synchronization messages from the plurality of slave units; and validating the time-synchronization between the plurality of slave clocks at the first validator based on the plurality of validator clocks of the first validator.

    14. The method according to claim 13, further comprising: time-synchronizing validator clocks of a second validator to at least some of the plurality of slave clocks using the reverse time-synchronization messages from at least some of the plurality of slave units, and/or to the master clock using the forward time-synchronization message from the master unit; and validating the time-synchronization between the plurality of slave clocks at the second validator based on the validator clocks of the second validator.

    15. The method according to claim 14, wherein at least one of: the first validator is located at and/or implemented within the master unit; the second validator is located at and/or implemented within a slave unit of the plurality of slave units; or the first validator and the second validator are part of different communication bus systems.

    16. The method according to claim 14, wherein the method comprises validating the plurality of slave clocks for the communication bus system if the plurality of slave clocks has been validated at the first validator and at the second validator.

    17. The method according to claim 14, wherein the method comprises validating the plurality of slave clocks for the communication bus system only if the plurality of slave clocks has been validated at the first validator and at the second validator.

    18. The method according to claim 13, wherein: the master unit comprises a gateway between the communication bus system and an Ethernet communication network; and the method comprises time-synchronizing the master clock with a clock of a unit within the Ethernet communication network.

    19. The method according to claim 13, wherein the communication bus system comprises at least one of a Controller Area Network bus system or a FlexRay communication network.

    20. The method according to claim 13, wherein validating the time-synchronization between the plurality of slave clocks at the first validator comprises at least one of: comparing validator times of the plurality of validator clocks of the first validator; validating the plurality of slave clocks at the first validator when the validator times of the plurality of validator clocks of the first validator are time-synchronized; or determining that the plurality of slave clocks is not time-synchronized when the validator times of at least two of the plurality of validator clocks of the first validator are not time-synchronized.

    21. The method according to claim 13, wherein at least one of the forward time-synchronization message or the reverse time-synchronization message is in accordance with a PTP protocol.

    22. The method according to claim 13, wherein the plurality of validator clocks of the first validator are implemented in a corresponding plurality of different time domains of a Synchronized Time-Base Manager of an AUTOSAR standard.

    23. The method according to claim 13, wherein: at least one of the plurality of slave clocks or the plurality of slave units is associated with a plurality of sensors; and each of the sensors is configured to provide sensor data with a time stamp generated by the respective slave clock.

    24. The method according to claim 23, wherein the time stamp is generated by the respective slave clock according to a pre-determined safety integrity ASIL level.

    25. The method according to claim 13, wherein the time-synchronization between the plurality of slave clocks is validated according to at least one of safety integrity ASIL B or safety integrity ASIL D.

    26. A system for performing time-synchronization between a master clock of a master unit and a plurality of slave clocks of a corresponding plurality of slave units within a communication bus system, wherein the system is configured to: send a forward time-synchronization message indicative of the master clock from the master unit to the plurality of slave units, in order to enable the plurality of slave units to time-synchronize their respective slave clocks with the master clock; receive a reverse time-synchronization message indicative of the respective slave clock from each of the plurality of slave units at a first validator; time-synchronize a plurality of validator clocks of the first validator to the corresponding plurality of slave clocks, respectively, using the reverse time-synchronization messages from the plurality of slave units; and validate the time-synchronization between the plurality of slave clocks at the first validator based on the plurality of validator clocks of the first validator.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0028] FIG. 1a shows example components of a vehicle.

    [0029] FIG. 1b illustrates the fusion of sensor data in case of time-synchronized environment sensors.

    [0030] FIG. 1c illustrates the fusion of sensor data in case of environment sensors having time offsets.

    [0031] FIG. 2a shows an example time-synchronization system.

    [0032] FIG. 2b shows an example time-synchronization system with a clock validator.

    [0033] FIG. 3a shows an example time-synchronization system between different communication bus systems.

    [0034] FIG. 3b shows an example time-synchronization system with a clock validator.

    [0035] FIG. 3c shows an example time-synchronization system with multiple clock validators.

    [0036] FIG. 4 shows a flow chart of an example method for performing time-synchronization.

    DETAILED DESCRIPTION OF THE DRAWINGS

    [0037] As indicated above, the present document addresses the technical problem of performing time-synchronization at a high level of integrity, notably at a relatively high ASIL (Automotive Safety Integrity Level) Level, e.g. ASIL D. In this context FIG. 1a shows example components of a vehicle 100. The vehicle 100 comprises different sensors 111, 112 (notably environment sensors) which are configured to capture sensor data. Example sensors 111 112 are a radar sensor, a camera, a lidar sensor, an ultrasonic sensor, etc.

    [0038] A (central) control unit 101 of the vehicle 100 may be configured to perform fusion of the sensor data from the different sensors 111, 112. In particular, the control unit 101 may be configured to determine an environment model of the environment of the vehicle 100 based on the fused sensor data. Furthermore, the control unit 101 may be configured to operate one or more actors 103 (e.g. an engine, a motor, a braking system and/or a steering system) of the vehicle 100 in dependence of the environment model, e.g. in order to provide an autonomous driving mode of the vehicle 100. By way of example, an autonomous longitudinal control and/or lateral control of the vehicle 100 may be performed based on the fused sensor data.

    [0039] Each sensor 111, 112 of the vehicle 100 typically comprises a local clock which indicates a local time at the respective sensor 111, 112. The sensor data of the different sensors 111, 112 may be provided with time stamps of the respective local clocks. The quality and/or reliability of the fused sensor data and/or of the environment model typically depends on the time synchronicity of the different local clocks. In particular, time offsets between the different local clocks of the different sensors 111, 112 typically lead to a reduced quality of the fused sensor data. This is illustrated in FIGS. 1b and 1c, which show a vehicle 100 and a static object 120, wherein the object 120 is located at a distance 121 from the vehicle 100.

    [0040] FIG. 1b shows a situation for which the different local clocks are time-synchronized. As a result of this, the position of the vehicle 100 and/or the position of the static object 120, which are indicated by the sensor data of different sensors 111 112, are similar for all of the different sensors 111, 112. On the other hand, if the local clocks of the different sensors 111, 112 exhibit time offsets with respect to one another, the sensor data of the different sensors 111, 112 may indicate different positions for the vehicle 100 and/or different positions for the static object 120.

    [0041] FIG. 2a shows an example system 200 for synchronizing the local time or the local clocks 213, 214 of different units 203, 204 within a vehicle 100. The system 200 may comprise a plurality of sensor units 204 for a corresponding plurality of sensors 111, 112 of the vehicle 100. Each sensor unit 204 may comprise a local clock 214 which is configured to indicate a local time. Furthermore, the system 200 may comprise a fusion unit 203 which is configured to fuse and/or combine the sensor data provided by the plurality of sensor units 204 (i.e. sensors 111, 112). The fusion unit 203 may comprise a local clock 213 which is configured to indicate a local time.

    [0042] The different units 203, 204 may be interconnected through a communication network 210, notably an Ethernet network, comprising one or more switches 202. Furthermore, the synchronization system 200 comprises a master unit 201 comprising a master clock 211 which is configured to indicate a local time at the master unit 201 (also referred to herein as the master time).

    [0043] The master unit 201 may be configured to perform time-synchronization with the fusion unit 203 and with the plurality of sensor units 204. For this purpose, the PTP (Precision Time Protocol) protocol may be used (specified in IEEE 1588). Due to the fact that at least some of the components within the communication network 210 typically exhibit a relatively low integrity level (notably a relatively low ASIL Level or only QM (Quality Management)), the integrity of time-synchronization is relatively low. As a result of this, the time stamps of the sensor data of the different sensors 111, 112 exhibit a relatively low integrity level.

    [0044] The distribution of the master time from the master clock 211 to the slave entities 203, 204 or slave clocks 213, 214 may be viewed as a forward time-synchronization 231. As indicated above, the PTP protocol may be used for this forward time-synchronization 231.

    [0045] The system 200 may comprise a validator 220, as illustrated in FIG. 2b. The validator 220 may comprise a plurality of time domains 221 with a respective plurality of validator clocks 222. The validator 220 may exhibit a relatively high integrity level (e.g. ASIL D). The system 200 may be configured to perform backward or reverse time-synchronization 232, during which each of the slave clocks 213, 214 and the master clock 211 are time-synchronized with a respective one of the validator clocks 222. The backward or reverse time-synchronization 232 may be performed using the PTP protocol.

    [0046] As a result of the backward time-synchronization 232, the validator 220 has access to each slave clock 213, 214 within the system 200 and/or to the master clock 211. In particular, the validator 220 comprises a plurality of validator clocks 222 which are time-synchronized with the corresponding plurality of slave clocks 213, 214. Furthermore, the validator 220 may comprise a validator clock 222 which is time-synchronized with the master clock 211.

    [0047] The validator 220 may be configured to compare the different times or time stamps which are indicated by the different validator clocks 222. In particular, the validator 220 may be configured to verify whether the different times which are indicated by the different validator clocks 222 are synchronized or not. If the different times a synchronized, then it may be concluded with a relatively high integrity level (e.g. with ASIL D) that the slave clocks 213, 214 of the system 200 are time-synchronized with each other and/or with the master clock 211. As a result of this, it may be ensured at a relatively high integrity level that the time stamps of the sensor data of the different sensors 111, 112 are time-synchronized.

    [0048] The validator 220 may be implemented in an efficient manner as a Synchronized Time-Base Manager of the AUTOSAR standard. In particular, the multiple time domains 221 of a Synchronized Time-Base Manager may be used for providing the different validator clocks 222.

    [0049] The validator 220 may form a joint unit with the fusion unit 203. As a result of this, no backward or reverse synchronization 232 needs to be performed with the master clock 211.

    [0050] For the forward and the reverse synchronization, the PTP Protocol may make use of different EtherTypes for the forward TSync messages and for the reverse TSync messages. By doing this, correct time-synchronization may be ensured within the Ethernet switches 202, as the Ethernet switches will only perform time stamping for forward TSync messages (as specified within the PTP Protocol).

    [0051] A vehicle 100 typically makes use of and/or comprises different communication networks and/or communication bus systems. FIGS. 3a to 3b illustrate a system 200 which comprises a first communication bus system 210 (e.g. an Ethernet bus) and a second communication bus system 300, e.g. a CAN FD bus and/or a FlexRay bus. Both communication buses 210, 300 may be linked with one another via a gateway unit 303. The gateway clock 313 of the gateway unit 303 may be synchronized with the master clock 211 of the master unit 201 using the forward backward synchronization scheme outlined within the present document (notably in the context of FIGS. 2a and 2b). By doing this, it may be ensured that the gateway clock 313 is time-synchronized with the master clock 211 at a relatively high integrity level (notably ASIL D). The gateway clock 313 may therefore be considered to be the master clock of the second communication bus system 300.

    [0052] The second communication bus system 300 comprises the gateway unit 303 (which may be considered to be a master unit) and a plurality of slave units 304, 305, 306, each of the slave units 304. 305, 306 comprising a respective slave clock 314, 315, 316. The slave clocks 314, 315, 316 may be time-synchronized over the second communication bus 300 using the forward and backward synchronization scheme outlined in the context of FIGS. 2a and 2b. For this purpose, a forward time-synchronization message 331 may be sent from the gateway unit 303 to the slave units 304, 305, 306, thereby distributing the gateway clock 313 to the different slave units 304, 305, 306.

    [0053] Furthermore, each of the slave units 304, 305, 306 may send a backward time-synchronization message 332 to a validator 320, in order to indicate the respective slave clocks 314, 315, 316 to the validator 320. The validator 320 comprises validator clocks 324, 325, 326 for each of the slave clocks 314, 315, 316. The validator 320 may be located at the gateway unit 303. This validator 320 may be referred to as the first validator.

    [0054] Furthermore, a validator 340 (referred to herein as the second validator) may be provided at one or more of the slave units 304, 305, 306. In FIG. 3c a second validator 340 is shown for the slave unit 304. The validator 304 of a slave unit 304 may comprise a validator clock 325, 326 for each of the slave clocks 315, 316 of the other slave units 305, 306. Furthermore, the validator 340 may comprise a validator clock 323 for the gateway clock 313.

    [0055] As indicated above, the different validator clocks 323, 324, 325, 326 of the one or more validators 320. 340 may be implemented as different time domains 321, notably of an AUTOSAR Synchronized Time-Base Manager (STBM). The first validator 320 may be part of the gateway unit 303, and a second validator 340 may be part of a slave unit 304.

    [0056] By using the above mentioned forward/backward time-synchronization scheme using a single validator 320 at the gateway unit 303, time-synchronization may be performed at the integrity level of the gateway unit 303 (which may e.g. by ASIL B). In order to further increase the integrity level of time-synchronization, one or more of the slave units 304, 305, 36 (e.g. slave unit 304 in the example shown in FIG. 3c) may be provided with a further validator 340, which comprises validator clocks 323, 325, 326 for the gateway clock 313 (taken from the forward time-synchronization message 331) and for the slave clocks 325, 326 of the other slave units 315, 316 (taken from the backward time-synchronization messages 332 of the other slave units 315, 316). The validator 340 of a slave unit 304 may be integrated into the slave unit 304. The validator 340 may comprise a validator clock for the slave unit 304.

    [0057] Hence, multiple units 303, 304 within a communication bus system 300 may be provided with a validator 320, 340. The validators 320, 340 of the different units 303, 304 may be used to monitor and/or to control each other. In particular, it may be verified whether (individually) for each of the validators 320, 340 the validator clocks 323, 324, 325, 326 are time-synchronized with one-another. If this is the case for each of the multiple validators 320, 340 (individually), then it may be concluded at an increased integrity level that time-synchronization is established. By way of example, by making use of at least two validators 320, 340 within two different units 303, 304 of the communication bus 300, each unit 303, 304 having ASIL B, an overall integrity according to ASIL D may be achieved.

    [0058] Hence, forward and reverse synchronization between an Ethernet communication network 210 (as master bus) and all other communication buses 300 (as slave buses) may be performed according to the PTP protocol (using sync and sync follow up messages) and possibly using AUTOSAR (multiple time domains 221, 321), wherein all time domain generated time stamps may be monitored for time corruption and clock synchronization Jitter detection according to Safety Integrity Level ASIL D.

    [0059] Time synchronization of different bus systems 300 with Safety Integrity Level ASIL D may be achieved, if Ethernet itself is implemented and validated to an integrity level of ASIL D. This may be achieved by mutual monitoring of relevant clock nodes 304 on the bus system 300 side by side with monitoring from Ethernet time gateway node 303 on the same bus system 300. Alternatively, time synchronization of different bus systems 300 with Safety Integrity Level ASIL B may be achieved.

    [0060] FIG. 4 shows a flow chart of an example computer-implemented method 400 for performing time-synchronization between a master clock 313 of a master unit 303 and a plurality of slave clocks 314, 315, 316 of a corresponding plurality of slave units 304, 305, 306 within a communication bus system 300 (notably within a CAN-FD bus system and/or a FlexRay bus system). The master unit 303 may comprise or may be a gateway unit which is configured to couple the communication bus system 300 to another communication network 210, such as an Ethernet network.

    [0061] The method 400 comprises sending 401 a forward time-synchronization message 331 indicative of the master clock 313 from the master unit 303 to the plurality of slave units 304, 305, 306, in order to enable the plurality of slave units 304, 305, 306 to time-synchronize their respective slave clocks 314, 315, 316 with the master clock 313. In other words, a forward time-synchronization may be performed between the master clock 313 and the plurality of slave clocks 314, 315, 316.

    [0062] In addition, the method 400 comprises receiving 402 a reverse time-synchronization message 332 indicative of the respective slave clock 314, 315, 316 from each of the plurality of slave units 304, 305, 306 at a first validator 320. The first validator 320 may be part of the master unit 303. The method 400 further comprises time-synchronizing 403 a plurality of validator clocks 324, 325, 326 of the first validator 320 to the corresponding plurality of slave clocks 314, 315, 316, respectively, using the reverse time-synchronization messages 332 from the plurality of slave units 304, 305, 306. Hence, a reverse time-synchronization may be performed with regards to the plurality of slave clocks 314, 315, 316 and the corresponding plurality of validator clocks 324, 325, 326 of the first validator 320.

    [0063] Furthermore, the method 400 comprises validating 404 the time-synchronization between the plurality of slave clocks 314, 315, 316, notably between the master clock 313 and the plurality of slave clocks 314, 315, 316, at the first validator 320 based on the plurality of validator clocks 324, 325, 326 of the first validator 320.

    [0064] The time-synchronized slave clocks 314, 315, 316 and master clock 313 may be used for exchanging and/or processing data (e.g. sensor data) within the communication bus system 300 and/or within a vehicle 100. As a result of this, the quality of the processed data may be improved.

    [0065] The synchronization scheme described herein may ensure time synchronization between different units 303, 304, 305, 306 (e.g. sensors and/or gateways and/or fusion units) within a communication bus system 300 with a relatively high integrity level, e.g. ASIL D, even if the units 303, 304, 305, 306 exhibit a relatively low integrity level, e.g. ASIL B.

    [0066] It should be noted that the description and drawings merely illustrate the principles of the proposed methods and systems. Those skilled in the art will be able to implement various arrangements that, although not explicitly described or shown herein, embody the principles of the invention and are included within its spirit and scope. Furthermore, all examples and embodiment outlined in the present document are principally intended expressly to be only for explanatory purposes to help the reader in understanding the principles of the proposed methods and systems. Furthermore, all statements herein providing principles, aspects, and embodiments of the invention, as well as specific examples thereof, are intended to encompass equivalents thereof.