CN102189995A - Method for stopping functional unit operated by controller in motor vehicle - Google Patents
Method for stopping functional unit operated by controller in motor vehicle Download PDFInfo
- Publication number
- CN102189995A CN102189995A CN2011100489809A CN201110048980A CN102189995A CN 102189995 A CN102189995 A CN 102189995A CN 2011100489809 A CN2011100489809 A CN 2011100489809A CN 201110048980 A CN201110048980 A CN 201110048980A CN 102189995 A CN102189995 A CN 102189995A
- Authority
- CN
- China
- Prior art keywords
- controller
- circuit
- final circuit
- functional unit
- functional
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 14
- 238000012544 monitoring process Methods 0.000 claims abstract description 20
- 230000001960 triggered effect Effects 0.000 claims description 2
- 238000012806 monitoring device Methods 0.000 abstract 1
- 238000004891 communication Methods 0.000 description 5
- 230000004913 activation Effects 0.000 description 3
- 230000002950 deficient Effects 0.000 description 3
- 238000001514 detection method Methods 0.000 description 3
- 230000003213 activating effect Effects 0.000 description 2
- 238000013461 design Methods 0.000 description 2
- 230000035484 reaction time Effects 0.000 description 2
- 230000001419 dependent effect Effects 0.000 description 1
- 239000006185 dispersion Substances 0.000 description 1
- 230000005611 electricity Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000002349 favourable effect Effects 0.000 description 1
- WABPQHHGFIMREM-VENIDDJXSA-N lead-201 Chemical compound [201Pb] WABPQHHGFIMREM-VENIDDJXSA-N 0.000 description 1
- 238000012423 maintenance Methods 0.000 description 1
- 238000012946 outsourcing Methods 0.000 description 1
- 230000004224 protection Effects 0.000 description 1
- 238000012360 testing method Methods 0.000 description 1
- 238000010977 unit operation Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B9/00—Safety arrangements
- G05B9/02—Safety arrangements electric
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B19/00—Programme-control systems
- G05B19/02—Programme-control systems electric
- G05B19/04—Programme control other than numerical control, i.e. in sequence controllers or logic controllers
- G05B19/042—Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
- G05B19/0428—Safety, monitoring
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60W—CONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
- B60W50/00—Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
- B60W2050/0001—Details of the control system
- B60W2050/0002—Automatic control, details of type of controller or control system architecture
- B60W2050/0004—In digital systems, e.g. discrete-time systems involving sampling
- B60W2050/0006—Digital architecture hierarchy
Abstract
The present invention relates to a method for stopping a functional unit (220) operated by a first controller (210) in a motor vehicle, wherein, the first controller (210) is provided with an inner final circuit (213) for operating the functional unit (220), wherein, a second controller (240) is set for monitoring the first controller (210). When function failure of the first controller (210) is identified through the second controller (240), the second controller (240) switches off the inner final circuit (213) of the first controller. Additionally, the invention relates to a corresponding monitoring device (400).
Description
Technical field
The present invention relates to a kind of be used for the making functional unit that moves by the control of first controller at automobile, for example electrical motor or actuator method out of service, and a kind of control monitor unit that comprises at least two controllers.
Background technology
In the functional unit in automobile, for example fill in the control system (EGAS), in the controller of operation, used a kind of so-called three grades of schemes in order to carry out security monitoring at the driving engine of electronics to security-critical.Wherein mainly be that (calculating unit CPU) and between the independent monitoring module (house dog (Watchdog)) is monitored mutually at functional machine in the inside of controller.Functional machine is got in touch by asking-answer to communicate by letter with monitoring module, and can to make power output stage in the controller-its setting when et out of order be the operation that is used for functional unit-out of service, and therefore guarantees the safety of automobile.
For example one-level is exactly original functional software when electrical motor is moved by controller control as functional unit, and is needed when it is the functional unit operation.On functional machine, carry out this software.In secondary-it also is performed the moment of-permission of calculating by the engine mockup of simplifying on functional machine and the actual moment of a driving engine compares.This one-level is performed in by three grades of hardware areas that are protected at one.Command detection, program run control, A/D converter detect and periodically and completely memory device to detect be three grades component part.Disclosed as DE 44 38 714 A1, fill in the control system at the driving engine of the electronics of reality and in controller, to be provided with function-monitoring software.
A kind of 2 computing machine schemes are disclosed in addition.At functional unit, this 2 computing machine schemes have been used when for example ABS-or ESP system move to the safety particular importance.DE 103 31 872 A1 disclose a kind of method with the controller monitoring system that networks in this respect, and wherein, these controllers have at least one computing element respectively, and carry out respectively monitoring important control program and watchdog routine.
The controller of monitored control system is by bus system, and for example CAN, FlexRay or ethernet communicate each other.Secondary function/module can freely be distributed to all on bonded assembly controller on the joint network, and the one-level module in such controller just can be monitored by the secondary module of another or other controller.The monitoring that is distributed in a plurality of controllers has following advantage, promptly can reduce the probability failure of monitoring function characteristic by additional remaining design.Like this, the monitoring of dispersion can reach than three grades of integrated ranks of vehicle safety (ASIL Level) that scheme is higher.
Disclosed disconnection scheme in the monitoring that disperses is to disconnect energy resource supply.At least two controllers can send the request of disconnection to energy management system by communication network, and this energy management system just disconnects energy resource supply to whole monitoring system then.Yet this disconnection scheme has a series of defective.On the one hand it is to be prerequisite with the high ASIL level in the energy management system, that is to say that the break function characteristic must be (eigensicher) of " intrinsic safety type ".This problem is because following situation becomes more outstanding, and promptly the manufacturer of energy management system also needs not to be the manufacturer of monitored control system or control monitor unit.
In addition, make the Function detection of monitored control system become difficult, because the disconnection requirement that energy supplyystem is proposed may cause whole automotive electric equipment to quit work.In addition, the main safety device in battery system (for example circuit breaker-relay) is openable when not carrying usually, because this can damage or destroy main safety device.Therefore for example the disconnection in the framework of Function detection causes the raising of maintenance cost and additional cost.Also increased for example difficulty of the open test during researching and developing by this way in a word.
In addition, be transferred to energy management system because will disconnect request by controller by communication network, thus since for example EMV disturb reaction time in the time of can increasing failure condition when bouncing or information shortage occurring.
This situation people according to prior art wish can propose a kind of improved way with regard to the disconnection problem of functional unit in 2 computing machine schemes.
Summary of the invention
Advise according to the present invention a kind of have an independent claims feature be used to make functional unit method and a kind of control monitor unit out of service by first controller control operation.Some favourable schemes are themes of dependent claims and following explanation.
Advantage of the present invention
The present invention realizes the direct disconnection of final circuit of definite power of first controller by second controller of a monitoring.Can avoid described in the prior art those defectives by this measure.Therefore the fault reaction time is constant, but and be computing machine, and be repeatably.Whole control monitor unit with a plurality of controllers is an intrinsic safety type.Therefore the functional safety and the outsourcing product of system are for example irrelevant with energy management system.Can defective component in the disconnection process or when detecting yet, because final circuit can be connected according to the rules.Compare the available property that has improved automobile with prior art by this measure, it has improved maintainability.What should emphasize especially is additionally to have improved safety or reduced probability failure by additional Redundancy Design.
Can obtain other advantage of the present invention and scheme from specification sheets and accompanying drawing.
Certainly, foregoing feature and followingly also the feature of explanation not only can be used in the combination that each has illustrated and also can used in the combination at other under the situation that does not break away from framework of the present invention, perhaps uses separately.
By the embodiment sketch in the accompanying drawing the present invention is shown, the present invention will be described in detail below with reference to accompanying drawing.
Description of drawings
Fig. 1: control monitor unit, it comprises the controller of two prior aries.
Fig. 2: according to a preferred form of implementation of control monitor unit of the present invention.
Fig. 3: according to one second preferred form of implementation of control monitor unit of the present invention.
Fig. 4: according to another preferred form of implementation of control monitor unit of the present invention.
The specific embodiment
Sketch shows the circuit planar view of the control monitor unit 100 of a prior art in Fig. 1.This control monitor unit comprises first controller 110 of an operation that is used for first functional unit 120 and second controller 140 of an operation that is used for functional unit 150.Controller 110 has a functional machine (calculating unit or CPU) 111.This functional machine for example is used to receive with one that the interface 112 of the sensor signal of sensor 130 is connected.These functional machine 111 processes sensor signals, and according to handling and its programming triggers the final circuit 113 of the operation that is used for functional unit 120.This outer controller 110 also has one and is used for the interface 114 that is coupled with communication bus 160, and has a monitoring module (house dog) 115 that is used for the Functional Capability of monitoring function computing machine 111.
The final circuit 113 of controller 110 is that a battery 182 is connected by 180 and main protections 181 of lead-in wire and an energy generator at this.For being checked, energy generator is provided with an energy management system 170.This energy management system also is connected with communication bus 160, and triggers main safety device 181 at corresponding request, so that cut off the electricity supply.
Functional unit 120,150 particularly can be electrical motor, and wherein, final circuit 113,143 for example comprises transistor or the IGBT that is used for the pulse inverter.
In order to realize that 2 computing machine schemes, first controller 110 and second controller 140 monitor each other, and when defining fault, send one for energy management system 170 to disconnect request by communication bus 160.
In following figure, introduce improved by comparison monitored control system according to preferred form of implementation of the present invention.Represent with identical Reference numeral at Fig. 2 identical parts in Fig. 4.Those are represented with the Reference numeral that improves 100 with the identical parts of parts in the accompanying drawing 1.
Between the final circuit 213 of the functional machine 241 of second controller 240 and first controller 210, a direct connecting wire 201 is arranged according to the preferred form of implementation 200 of the control monitor unit of the present invention of Fig. 2.By the signal on the lead 201, for example digital signal or PWM-signal, second controller 240 can be directly with the final circuit activation of first controller 210 or deactivate.For example high level is represented " activation " in digital signal, and low level (Low-Pegel) expression " not activating ", and signal indication " activation " is perhaps arranged in pwm signal, and no signal is then represented " not activating ".
In according to the second preferred form of implementation 300 of the monitored control system of Fig. 3, additionally between the final circuit 213 of the monitoring module 245 of second controller 240 and first controller 210, be provided with an open-circuit line 301.This scheme has following advantage, even the final circuit 213 that the monitoring module 245 of second controller 240 also can disconnect in first controller 210 by open-circuit line 301 when promptly the function of the functional machine 241 of second controller 240 breaks down.
Figure 3 illustrates a preferred form of implementation.In this form of implementation, except open-circuit line 301, also be provided with open-circuit line 201 according to Fig. 2.Also need should be mentioned that also such form of implementation to be arranged even so, open-circuit line 301 only is set in this form of implementation.
Some open-circuit lines of second controller, 240 in-to-ins at first accumulate in the collector 246 from functional machine 241 and monitoring module 245s in the preferred form of implementation 400 of Fig. 4, for example in AND element, and and then lead to the final circuit 213 of first controller 210 by open-circuit line 401.Kept in this manner and can also can pass through monitoring module 245 open circuited advantages, wherein, the open-circuit line of a physics only need be set between controller even so by the functional machine 241 of second controller.
Disconnecting final circuit for example can comprise and stop at the transistor that is provided with in the final circuit, the operation of IGBT, switch etc.Instead or additionally disconnect final circuit also can comprise voltage transformer of stopping to be provided with in case of necessity etc. in final circuit operation.Also can be special in cut off is provided with some on-off elements in final circuit, these on-off elements are triggered by the open-circuit line of second controller.Though in Fig. 4, only show the situation that disconnects the final circuit of first controller by second controller at Fig. 2, in the solution of the present invention, also can monitor mutually and disconnect.
Claims (8)
1. be used for making functional unit (220) the out of service method of automobile by first controller (210) operation, wherein, first controller (210) has the inside final circuit (213) of the operation that is used for functional unit (220), wherein, stipulate that second controller (240) is used to monitor first controller (210), wherein, when recognizing the functional fault of first controller (210) by second controller (240), disconnect the inside final circuit (213) of first controller (210) by second controller (240).
2. in accordance with the method for claim 1, wherein, for disconnect using at least one oneself open-circuit line (201,301,401).
3. according to claim 1 or 2 described methods, wherein, disconnect the inside final circuit (213) of first controller (210) by the functional machine (241) of second controller (240).
4. according to each described method of aforementioned claim, wherein, disconnect the inside final circuit (213) of first controller (210) by the monitoring module (245) of second controller (240).
5. according to each described method of aforementioned claim, wherein, disconnect the on-off element in the final circuit (213), it is quit work.
6. according to each described method of aforementioned claim, wherein, the voltage that disconnects in the final circuit (213) provides circuit, and it is quit work.
7. control monitor unit (200,300,400), comprise that at least one first controller (210) and at least one are used to monitor second controller (240) of first controller (210), wherein, first controller (210) has the inside final circuit (213) that is used for operation function unit (213), wherein, for the inside final circuit (213) that disconnects first controller (210) by second controller (240) direct open-circuit line (201,301,401) is set between second controller (240) and first controller (210).
8. according to the described control monitor unit of claim 7, wherein, open-circuit line is set, thereby it can be triggered by the functional machine (241) and/or the monitoring module (245) of second controller (240).
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| DE102010002468A DE102010002468A1 (en) | 2010-03-01 | 2010-03-01 | Method for stopping functional unit operated by controller in motor vehicle, involves operating functional unit by internal output circuit of controller |
| DE102010002468.6 | 2010-03-01 |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102189995A true CN102189995A (en) | 2011-09-21 |
| CN102189995B CN102189995B (en) | 2016-03-16 |
Family
ID=44501883
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201110048980.9A Expired - Fee Related CN102189995B (en) | 2010-03-01 | 2011-02-28 | For making method out of service by the functional unit of controller controlling run in the car |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN102189995B (en) |
| DE (1) | DE102010002468A1 (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105517850A (en) * | 2013-09-02 | 2016-04-20 | 罗伯特·博世有限公司 | Method for monitoring a component in a motor vehicle |
| CN112566830A (en) * | 2018-08-07 | 2021-03-26 | 海拉有限双合股份公司 | Control system for a motor vehicle and method for fault diagnosis in a control system |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| DE3841400A1 (en) * | 1987-12-28 | 1989-07-06 | Aisin Aw Co | DEVICE FOR DETECTING THE MALFUNCTION OF AN INTERFACE CIRCUIT AT THE OTHER END OF A CONNECTION LINE |
| US4853932A (en) * | 1986-11-14 | 1989-08-01 | Robert Bosch Gmbh | Method of monitoring an error correction of a plurality of computer apparatus units of a multi-computer system |
| US6628993B1 (en) * | 1999-07-15 | 2003-09-30 | Robert Bosch Gmbh | Method and arrangement for the mutual monitoring of control units |
| CN1577197A (en) * | 2003-07-14 | 2005-02-09 | 罗伯特-博希股份公司 | Method for monitoring technique system |
| WO2008119869A1 (en) * | 2007-04-03 | 2008-10-09 | Kone Corporation | Fail-safe power control apparatus |
| KR20090082727A (en) * | 2008-01-28 | 2009-07-31 | 엘지전자 주식회사 | Device controlling system and emergency controlling method thereof |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| DE4438714A1 (en) | 1994-10-29 | 1996-05-02 | Bosch Gmbh Robert | Method and device for controlling the drive unit of a vehicle |
-
2010
- 2010-03-01 DE DE102010002468A patent/DE102010002468A1/en not_active Withdrawn
-
2011
- 2011-02-28 CN CN201110048980.9A patent/CN102189995B/en not_active Expired - Fee Related
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US4853932A (en) * | 1986-11-14 | 1989-08-01 | Robert Bosch Gmbh | Method of monitoring an error correction of a plurality of computer apparatus units of a multi-computer system |
| DE3841400A1 (en) * | 1987-12-28 | 1989-07-06 | Aisin Aw Co | DEVICE FOR DETECTING THE MALFUNCTION OF AN INTERFACE CIRCUIT AT THE OTHER END OF A CONNECTION LINE |
| US6628993B1 (en) * | 1999-07-15 | 2003-09-30 | Robert Bosch Gmbh | Method and arrangement for the mutual monitoring of control units |
| CN1577197A (en) * | 2003-07-14 | 2005-02-09 | 罗伯特-博希股份公司 | Method for monitoring technique system |
| WO2008119869A1 (en) * | 2007-04-03 | 2008-10-09 | Kone Corporation | Fail-safe power control apparatus |
| KR20090082727A (en) * | 2008-01-28 | 2009-07-31 | 엘지전자 주식회사 | Device controlling system and emergency controlling method thereof |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105517850A (en) * | 2013-09-02 | 2016-04-20 | 罗伯特·博世有限公司 | Method for monitoring a component in a motor vehicle |
| US9725054B2 (en) | 2013-09-02 | 2017-08-08 | Robert Bosch Gmbh | Method for monitoring a component in a motor vehicle |
| CN105517850B (en) * | 2013-09-02 | 2018-09-07 | 罗伯特·博世有限公司 | Method for monitoring the component in motor vehicle |
| CN112566830A (en) * | 2018-08-07 | 2021-03-26 | 海拉有限双合股份公司 | Control system for a motor vehicle and method for fault diagnosis in a control system |
| US11872996B2 (en) | 2018-08-07 | 2024-01-16 | HELLA GmbH & Co. KGaA | Control system for a motor vehicle and method for diagnosing a failure in a control system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102189995B (en) | 2016-03-16 |
| DE102010002468A1 (en) | 2011-09-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN107681757B (en) | Backup power supply | |
| CN105150856B (en) | A kind of high-pressure system trouble-shooter and method | |
| JP6452724B2 (en) | Energy transmission device and on-board power supply system | |
| US9475437B2 (en) | System and method for high-voltage disconnection in a vehicle | |
| US20140167778A1 (en) | Battery management system and integrated battery management device | |
| KR102501641B1 (en) | Distributed battery management system and method | |
| US10153632B2 (en) | Device and method for protecting an electrical system component of a vehicle electrical system | |
| CN101604165B (en) | Vehicular diagnosis system for hybrid power vehicle and diagnosis method thereof | |
| CN105291875A (en) | Electromobile quick charge method | |
| CN111580422B (en) | Relay power supply control device and method | |
| CN107110896B (en) | Method for monitoring a vehicle electrical system | |
| CN105981285A (en) | Power conversion device | |
| CN113258631A (en) | Energy storage system protection system | |
| CN102189995A (en) | Method for stopping functional unit operated by controller in motor vehicle | |
| CN107634501B (en) | Motor control system and torque safety monitoring method | |
| CN110962603B (en) | Control module, battery management system, circuit detection and control method | |
| CN113954640B (en) | Active discharge control system and method for electric automobile | |
| EP3242372B1 (en) | System for controlling power device | |
| US11243257B2 (en) | Control system for a battery system | |
| JP6627598B2 (en) | In-vehicle power supply | |
| US20200282843A1 (en) | Electrified vehicle high-voltage disconnect system and method | |
| KR101204512B1 (en) | Detection system and method for relay fault and relay control fault of electric powered moving object | |
| US20190207509A1 (en) | Protection control apparatus for power conversion circuitry and control method thereof | |
| CN106300229A (en) | A kind of for protecting equipment and the method for high-tension battery electricity system | |
| CN113608049B (en) | Collision failure detection system, collision failure detection device, and electronic device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20160316 Termination date: 20210228 |