Computer architecture and functional architecture for increasing the fail-safety of auxiliary power steering

10800449 · 2020-10-13

Abstract

The invention relates to a computer architecture and functional architecture for the operation of electric power steering, to an electronic control unit, and to power steering, having a first group of modules with a high probability of failure and a second group of modules with a low probability of failure; the modules of the first group therefore have a higher probability of failure than the modules of the second group. The first group of modules is maintained redundantly and is accordingly divided into main modules and their redundant implementations, known as secondary modules. The main modules are arranged on a main control path and the secondary modules are arranged on a secondary control path. Each of these control paths ultimately produces a control signal, i.e., a main control signal and a secondary control signal. A multiplexer decides which of these two control signals is forwarded to the modules of the second group. This second group of modules is implemented only once and is not present in redundant form.

Claims

1. A computer architecture and functional architecture for operation of an electric power steering, comprising: a first group of modules designated as having a first probability of failure; a second group of modules designated as having a second probability of failure; and a multiplexer, wherein the first group of modules have a higher probability of failure than the second group of modules, wherein the first group of modules is maintained redundantly and, as a result, main modules and secondary modules of the first group of modules are provided in redundant implementation, the main modules being arranged on a main control path and the secondary modules being arranged on a secondary control path, and the main modules generating a main control signal and the secondary modules generating a secondary control signal, wherein the second group of modules is implemented only once, the second group of modules each generating a first signal that is combined into the main control signal, and the second group of modules each generating a second signal that is combined into the secondary control signal, and wherein the multiplexer forwards one of the main control signal and the secondary control signal to a driver.

2. The computer architecture and functional architecture according to claim 1, wherein the first group of modules comprises at least one of the following modules: a current monitor; or a computing unit, and wherein the second group of modules comprises at least one of the following modules: a driver; a power stage; or a phase cut-off.

3. The computer architecture and functional architecture according to claim 1, wherein a main module of the main control modules sets a main error signal in an event of an error of a main module and wherein a secondary module of the secondary control modules sets a secondary error signal in an event of a secondary module error.

4. The computer architecture and functional architecture according to claim 1, wherein the only communication between the main control path and the secondary control path or between the secondary control path and the main control path includes: transmission of main error signals from the main modules to the secondary modules; and transmission of secondary error signals from the secondary modules to the main modules.

5. The computer architecture and functional architecture according to claim 1, wherein a main module sets a secondary error signal in an event of an error of a secondary module, and wherein a secondary module sets a main error signal in an event of an error of a main module.

6. The computer architecture and functional architecture according to claim 2, wherein the first group of modules comprise a current monitor and a computing unit, in particular a main current monitor, a main computing unit, and parallel thereto, a redundant secondary current monitor and a redundant secondary computing unit, wherein the main current monitor sets a second main error signal when it detects an error of the main current monitor or the main computing unit, wherein the main computing unit sets a first main error signal when it detects an error of the main computing unit, wherein the secondary current monitor sets a second secondary error signal when it detects an error of the secondary current monitor or the secondary computing unit, and wherein the secondary computing unit sets a first secondary error signal when it detects an error of the secondary computing unit.

7. The computer architecture and functional architecture according to claim 3, wherein the multiplexer forwards the secondary control signal of the secondary control path when the main error signal is set by the main control module, and when the main error signal is not set, the multiplexer forwards the main control signal of the main control path.

8. The computer architecture and functional architecture according to claim 1, wherein an emergency operating mode is activated when a main error signal is set by the main control modules and at a same time a secondary error signal is set by the secondary modules.

9. An electronic control unit or combined motor/electronic control unit, comprising a computer architecture and functional architecture according to claim 1.

10. The electronic control unit or combined motor/electronic control unit according to claim 9, wherein external interfaces are not present redundantly.

11. A power steering comprising an electronic control unit or a combined motor/electronic control unit according to claim 9.

12. The computer architecture and functional architecture according to claim 1, wherein redundancy for the first group of modules is hardware redundancy for each module of the first group of modules.

13. An electronic control unit, comprising: at least one main control unit outputting a main control signal; at least one auxiliary control unit providing hot-redundancy for the at least one main control unit by parallel computation with the at least one main control unit, and outputting an auxiliary control signal; at least one system control unit transmitting a first control signal to the at least one main control unit and transmitting a second control signal to the at least one auxiliary control unit; a multiplexer receiving the main control signal and the auxiliary control signal, the multiplexer transmitting the main control signal, when a first error logic value is not set, to a driver, the multiplexer transmitting the auxiliary control signal, when the first error logic value is set, to the driver, wherein the first control signal is encoded in the main control signal, and the second control signal is encoded in the auxiliary control signal, and wherein the at least one main control unit and the auxiliary control unit exchange error signals indicating failure of the at least one main control unit and/or the at least one auxiliary control unit.

14. The electronic control unit of claim 13, further comprising: a first main control unit and a second main control unit of the at least one main control unit; a first auxiliary control unit and a second auxiliary control unit of the at least one auxiliary control unit, the first auxiliary control unit providing parallel computation for the first main control unit, and the second auxiliary control unit providing parallel computation for the second main control unit; a first system control unit and a second system control unit of the at least one system control unit, the first system control unit transmitting the first control signal to the first main control unit and transmitting the second control signal to the first auxiliary control unit, the second system control unit transmitting a third control signal to the second main control unit and transmitting a fourth control signal to the second auxiliary control unit, wherein the first main control unit is connected to the second main control unit, wherein the first auxiliary control unit is connected to the second auxiliary control unit, wherein the first main control unit is connected to the multiplexer via a first signal path and the first auxiliary control unit is connected to the multiplexer via a second signal path, and wherein the first main control unit is connected to the first auxiliary control unit via a first error signal path and a second error signal path.

15. The electronic control unit of claim 13, wherein the at least one main control unit, the at least one auxiliary control unit, the at least one system control unit, and the driver are implemented in hardware on the electronic control unit.

16. The electronic control unit of claim 13, wherein the first error logic value indicates an error condition in the at least one main control unit, and a second error logic value provided in the multiplexer indicates another error condition in the at least one auxiliary control unit, wherein an emergency operating mode of the electronic control unit is initiated if the first error logic value is set and the second error logic value is set, and wherein the electronic control unit operates in the emergency operating mode with a reduced functionality.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) The present invention will become more fully understood from the detailed description given hereinbelow and the accompanying drawings which are given by way of illustration only, and thus, are not limitive of the present invention, and wherein:

(2) FIG. 1 illustrates an ECU for controlling a power steering; and

(3) FIG. 2 is a state diagram based on the state of the error signals.

DETAILED DESCRIPTION

(4) FIG. 1 shows an electronic control unit (ECU) in which the signal flow takes place essentially from left to right. A solid, thick line indicates modules and the path of the main control path (the upper path). Modules and signals of the main control path have the prefix MAIN or the suffix _M.

(5) The dashed line indicates modules and the path of the secondary control path (the lower path). These are also installed in the electronic control unit (ECU), together with the multiplexer (DMUX), which is likewise shown dashed, to provide partial redundancy. Modules and signals of the secondary control path carry the prefix AUX (optionally also SUB) or the suffix _S.

(6) Downstream of the multiplexer (DMUX), the common control path and its modules (the second group) are identified by a dotted line or border. Finally, connections are provided for connecting a motor, here referred to as the three phases U/V/W.

(7) Further, other input variables or modules processing such input variables are shown as the ignition (IGN), the speed or torque, the motor position, or a bus connection (CAN). These are shown with a dot-dashed line.

(8) Further internal state variables and signal flows are, for example, those from the respective computing unit (MCU) or microcontroller to the current monitoring unit (PMIC), the current measurement (shunt current), which leads from the driver (GDU) to the respective computing unit (MCU), and information on the power stage (PS), which is passed to the driver (GDU). Following the convention described above, these signals are also drawn using a solid, dashed, or dotted line.

(9) A main control path is shown (solid, thick line) leading from the external power supply KL30/31 (terminal 30, continuous current) to a main current monitor (MAIN PMIC), which ensures the correct voltage supply of the subsequent main computing unit (MAIN MCU) and the diagnosis thereof. The same arrangement applies to the secondary control path (dashed, thick line) with the secondary current monitor (AUX PMIC) and the secondary computing unit (AUX MCU).

(10) The error signals described below are marked with single, i.e., thin, solid lines and attached arrows. In this case, the main current monitor supplies a second main error signal (2nd_Safety_M), which is set when an error is detected in the main current monitor (MAIN PMIC) or the main computing unit (MAIN MCU). The main computing unit, on the other hand, supplies a first main error signal (1st_Safety_M) indicating an error detected by or in the main computing unit.

(11) This also applies to the errors of the modules on the secondary control path. The secondary current monitor (AUX PMIC) supplies a second secondary error signal (2nd_Safety_S), which indicates an error detected in the secondary current monitor (AUX PMIC) or the secondary computing unit (AUX MCU). The secondary computing unit (AUX MCU) supplies a first secondary error signal (1st_Safety_S), which represents an error detected by or in the secondary computing unit (AUX MCU).

(12) The main computing unit (MAIN MCU) obtains information from the first secondary error signal (1st_Safety_S), which is sent out by the secondary computing unit (AUX MCU). Conversely, the secondary computing unit (AUX MCU) receives information from the first main error signal (1st_Safety_M), which is sent out by the main computing unit (MAIN MCU). Further, the main computing unit (MAIN MCU) obtains information via the second secondary error signal (2nd_Safety_S). The secondary computing unit (AUX MCU) likewise obtains information via the second main error signal (2nd_Safety_M). The second main error signal (2nd_Safety_M) is provided by the main current monitor (MAIN PMIC). The second secondary error signal (2nd_Safety_S) is likewise provided by the secondary current monitor (AUX PMIC).

(13) Both the main and secondary control paths or their modules receive all the data coming from the various sensors, from the vehicle interface, the motor, the driver, the torque, the motor position sensor, the CAN bus interface, and the current feedback or shunt current. These data are used to perform calculations that provide the necessary assistance, i.e., in particular the control signals for the driver (GDU) and finally the motor control. In one embodiment, the main and secondary control paths are both operative and capable of taking over the control of the motor at any time.

(14) Each computing unit (MCU) generates a PWM signal (MAIN PWM ENA and AUX PWM ENA), which is supplied to the multiplexer (DMux). The multiplexer switches through one of the two control signals and forwards it to the driver (GDU). In the figure shown, the multiplexer (DMux) is switched as a function of the second main error signal (2nd_Safety_M). If there is no error, the control signal of the main control path is forwarded; in the case of an error, the control signal of the secondary control path is forwarded by the multiplexer (DMux).

(15) The subsequent driver stage (GDU), which receives one of these two control signals, can likewise be switched off when the second main error signal and the second secondary error signal are present, in particular in an AND combination of the two error signals.

(16) The signal of the driver (GDU) reaches the power stage (PS) and finally the phase control (PCO). The latter can also be designed redundantly, wherein a main phase control is switched off in the presence of a first or second main error signal, whereas, independently thereof, a secondary phase control is switched off in the presence of a first or second secondary error signal. As a result, the phase control (PCO) acts as a safety switch if both paths, the main and the secondary control path, provide erroneous signals. This type of shutdown cuts off the assistance from the motor, i.e., the application of force. The motor can then no longer apply force to the steering, so that the steering can continue to be operated manually but also experiences no incorrect force application.

(17) FIG. 2 shows a state diagram representing the various states of the electronic control unit (ECU) as a function of the error signals. Starting from a start state (start-up), it is checked whether neither a second main error signal nor a second secondary error signal is set. In this diagram, the logic is inverse, i.e., the logical value zero indicates an error. The error signal is thus effectively treated as an enable signal, but this makes no difference to the further consideration.

(18) If there is an error, no assistance is provided and the system is set to an OFF mode. If, however, the system is error-free and thus ready for operation, it is set to the operating mode (RUN mode) on the basis of the main control signal (MAIN control signal).

(19) If an error were to occur during operation (RUN mode), the process is as follows:

(20) In the presence of a second secondary error signal without the presence of a second main error signal, the operating mode (RUN mode) remains based on the main control signal (MAIN control signal).

(21) In the presence of an error of the second main error signal and no error in the second secondary error signal, the operating mode (RUN mode) is switched such that, instead of the main control signal (MAIN control signal), the secondary control signal (AUX control signal) is switched through and the signals of the secondary control path now effect the control of the motor.

(22) As long as neither the second main error signal nor the second secondary error signal is set, or once these error states are canceled, the operating mode (RUN mode) remains, or is switched back to, operation on the basis of the main control signal (MAIN control signal).

(23) If an error is indicated by the second main error signal and at the same time by the second secondary error signal, then the operating mode (RUN mode) ends and a safe mode (SAFE mode) is activated. This can result in the complete shutdown of the assistance. Special embodiments for limited operating modes are not described further here.

(24) These transitions are switched in the low-voltage range, i.e., in the automotive industry at voltages up to about 6 volts. This is advantageous in terms of energy and allows a quick change between the control paths and thus a smooth transition of the motor control.
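The following C program is an added illustration and is not code from the patent or from any product it describes. It models the signal logic of paragraphs (14) to (16) (DMUX selection on 2nd_Safety_M, the AND-combined driver switch-off, and the redundant phase control) together with the FIG. 2 state diagram of paragraphs (17) to (23), and replays a constructed fault sequence through it. Assumptions beyond the page: the struct, enum and function names are invented; error lines are represented as `true` when set while the state machine takes the inverse enable levels the description mentions; the OFF and SAFE states are treated as absorbing, which the page does not state.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Error-signal lines named in the description (FIG. 1).  Convention assumed
 * for this example: true means the error signal is set.  FIG. 2 uses the
 * inverse (enable) logic, which ecu_step() below takes as its inputs. */
typedef struct {
    bool first_safety_m;   /* 1st_Safety_M, set by MAIN MCU  */
    bool second_safety_m;  /* 2nd_Safety_M, set by MAIN PMIC */
    bool first_safety_s;   /* 1st_Safety_S, set by AUX MCU   */
    bool second_safety_s;  /* 2nd_Safety_S, set by AUX PMIC  */
} error_signals_t;

typedef enum { PATH_MAIN = 0, PATH_AUX = 1 } path_t;

/* DMUX: the figure switches it on 2nd_Safety_M alone (paragraph 14). */
path_t dmux_select(const error_signals_t *e)
{
    return e->second_safety_m ? PATH_AUX : PATH_MAIN;
}

/* The driver (GDU) is switched off when both second error signals are
 * present, i.e. an AND combination (paragraph 15). */
bool gdu_enabled(const error_signals_t *e)
{
    return !(e->second_safety_m && e->second_safety_s);
}

/* Redundant phase control (paragraph 16): the main PCO opens on a first or
 * second main error, the secondary PCO on a first or second secondary error. */
bool pco_main_closed(const error_signals_t *e)
{
    return !(e->first_safety_m || e->second_safety_m);
}
bool pco_sec_closed(const error_signals_t *e)
{
    return !(e->first_safety_s || e->second_safety_s);
}

/* Force can reach the steering only if the driver is enabled and at least one
 * phase control is still closed; with both paths faulty the PCO acts as the
 * final safety switch and the steering stays purely manual. */
bool motor_force_possible(const error_signals_t *e)
{
    return gdu_enabled(e) && (pco_main_closed(e) || pco_sec_closed(e));
}

/* States of the FIG. 2 diagram.  RUN mode is split here by which control
 * signal it is currently based on; OFF and SAFE are modelled as absorbing
 * (an assumption: the page says only that SAFE can end in full shutdown). */
typedef enum { ST_STARTUP, ST_OFF, ST_RUN_MAIN, ST_RUN_AUX, ST_SAFE } ecu_state_t;

/* One transition of FIG. 2.  Inputs are the enable levels of the inverse
 * logic: ena_m = !2nd_Safety_M, ena_s = !2nd_Safety_S, so 0 means error. */
ecu_state_t ecu_step(ecu_state_t s, bool ena_m, bool ena_s)
{
    switch (s) {
    case ST_STARTUP:
        /* Start-up: run on MAIN only if neither second error signal is set. */
        return (ena_m && ena_s) ? ST_RUN_MAIN : ST_OFF;
    case ST_RUN_MAIN:
    case ST_RUN_AUX:
        if (!ena_m && !ena_s) return ST_SAFE;      /* both set: RUN ends (para 23) */
        if (!ena_m)           return ST_RUN_AUX;   /* main error only (para 21)   */
        return ST_RUN_MAIN;                        /* none, or sec only (20, 22)  */
    case ST_OFF:
    case ST_SAFE:
    default:
        return s;
    }
}

/* Replay a sequence of error-signal samples from start-up; returns the final
 * state and, if trace is non-NULL, records the state after each sample. */
ecu_state_t ecu_replay(const error_signals_t *seq, size_t n, ecu_state_t *trace)
{
    ecu_state_t s = ST_STARTUP;
    for (size_t i = 0; i < n; i++) {
        s = ecu_step(s, !seq[i].second_safety_m, !seq[i].second_safety_s);
        if (trace) trace[i] = s;
    }
    return s;
}

int main(void)
{
    /* Constructed sample sequence: healthy start, AUX PMIC fault, recovery,
     * MAIN PMIC fault (switch to AUX), then both second errors set. */
    const error_signals_t seq[] = {
        {0, 0, 0, 0}, {0, 0, 0, 1}, {0, 0, 0, 0}, {0, 1, 0, 0}, {0, 1, 0, 1},
    };
    static const char *names[] = {"STARTUP", "OFF", "RUN_MAIN", "RUN_AUX", "SAFE"};
    ecu_state_t trace[5];
    ecu_replay(seq, 5, trace);
    for (size_t i = 0; i < 5; i++)
        printf("sample %zu: 2nd_M=%d 2nd_S=%d -> %s, DMUX=%s, GDU=%s, force=%s\n",
               i, seq[i].second_safety_m, seq[i].second_safety_s, names[trace[i]],
               dmux_select(&seq[i]) == PATH_AUX ? "AUX" : "MAIN",
               gdu_enabled(&seq[i]) ? "on" : "off",
               motor_force_possible(&seq[i]) ? "yes" : "no");
    return 0;
}
```

The replay makes the partial-redundancy property visible: a fault on the secondary path alone leaves the main path in control, a fault on the main path alone switches the DMUX to AUX without passing through OFF, and only when both second error signals are set does the driver drop out and the state machine leave RUN mode. A practitioner checking such a design would also want to confirm that the error-signal exchange between the paths (claim 4) is the only cross-path coupling, since any other shared dependency would be a common-cause failure that this logic cannot mask.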

(25) The invention being thus described, it will be obvious that the same may be varied in many ways. Such variations are not to be regarded as a departure from the spirit and scope of the invention, and all such modifications as would be obvious to one skilled in the art are to be included within the scope of the following claims.