CN102189995B - For making method out of service by the functional unit of controller controlling run in the car - Google Patents
For making method out of service by the functional unit of controller controlling run in the car Download PDFInfo
- Publication number
- CN102189995B CN102189995B CN201110048980.9A CN201110048980A CN102189995B CN 102189995 B CN102189995 B CN 102189995B CN 201110048980 A CN201110048980 A CN 201110048980A CN 102189995 B CN102189995 B CN 102189995B
- Authority
- CN
- China
- Prior art keywords
- controller
- circuit
- final circuit
- functional
- open
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
- 238000000034 method Methods 0.000 title claims abstract description 15
- 238000012544 monitoring process Methods 0.000 claims abstract description 24
- 230000001960 triggered effect Effects 0.000 claims description 2
- 230000008901 benefit Effects 0.000 description 5
- 238000004891 communication Methods 0.000 description 5
- 238000001514 detection method Methods 0.000 description 3
- 230000008569 process Effects 0.000 description 3
- 230000003213 activating effect Effects 0.000 description 2
- 230000004913 activation Effects 0.000 description 2
- 230000007547 defect Effects 0.000 description 2
- 238000013461 design Methods 0.000 description 2
- 239000006185 dispersion Substances 0.000 description 2
- 230000007257 malfunction Effects 0.000 description 2
- 230000035484 reaction time Effects 0.000 description 2
- 230000009471 action Effects 0.000 description 1
- 230000002950 deficient Effects 0.000 description 1
- 230000001419 dependent effect Effects 0.000 description 1
- 230000005611 electricity Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000002349 favourable effect Effects 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 239000004615 ingredient Substances 0.000 description 1
- 238000007689 inspection Methods 0.000 description 1
- 238000012423 maintenance Methods 0.000 description 1
- 230000006855 networking Effects 0.000 description 1
- 238000012946 outsourcing Methods 0.000 description 1
- 238000012360 testing method Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B9/00—Safety arrangements
- G05B9/02—Safety arrangements electric
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B19/00—Programme-control systems
- G05B19/02—Programme-control systems electric
- G05B19/04—Programme control other than numerical control, i.e. in sequence controllers or logic controllers
- G05B19/042—Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
- G05B19/0428—Safety, monitoring
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60W—CONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
- B60W50/00—Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
- B60W2050/0001—Details of the control system
- B60W2050/0002—Automatic control, details of type of controller or control system architecture
- B60W2050/0004—In digital systems, e.g. discrete-time systems involving sampling
- B60W2050/0006—Digital architecture hierarchy
Abstract
The present invention relates to one and make method out of service by the functional unit (220) of the first controller (210) controlling run in automobile, wherein, first controller (210) has the inside final circuit (213) run for functional unit (220), wherein, regulation second controller (240) is for monitoring the first controller (210), wherein, disconnected the inside final circuit (213) of the first controller by second controller (240) when being recognized the functional fault of the first controller (210) by second controller (240).In addition, the invention still further relates to a kind of corresponding supervising device (400).
Description
Technical field
The present invention relates to a kind of for making in the car by the functional unit of the first controller controlling run, the method that such as motor or action device are out of service, and a kind of supervising device comprising at least two controllers.
Background technology
In the car in the functional unit of security-critical, such as filling in control system (EGAS) at the engine of electronics, in the controller run, employing a kind of so-called three grades of schemes to carry out security monitoring.Wherein mainly mutually monitor between functional machine (computing unit, CPU) and independent monitoring module (house dog (Watchdog)) in the inside of controller.Functional machine contacts by asking-answering to communicate with monitoring module, and the power output stage in controller-its setting can be made to be operation-out of service for functional unit when breaking down, and therefore ensures the safety of automobile.
Such as when motor is exactly original functional software as functional unit by one-level during controller controlling run, it is that functional unit is required when running.Functional machine performs this software.In secondary-it is also performed-mono-and compares by the moment of permission calculated of engine mockup simplified and the actual moment of an engine on functional machine.This one-level obtains by three grades being performed in the hardware area of protection at one.Command detection, program run control, A/D converter detects and periodically and completely storer detects is the ingredient of three grades.Disclosed in DE4438714A1, fill in control system at the engine of the electronics of reality and be provided with function-monitoring software in the controller.
Disclose a kind of 2 computing machine schemes in addition.At the functional unit to safe particular importance, such as, during ABS-or ESP system cloud gray model, employ this 2 computing machine schemes.DE10331872A1 discloses a kind of method of controller monitoring system of networking in this respect, and wherein, these controllers have at least one computing element respectively, and performs respectively the important control program of monitoring and watchdog routine.
The controller of supervisory system is by bus system, and such as CAN, FlexRay or Ethernet communicate each other.Secondary function/module can freely be distributed on all controllers connected on joint network, and the previous module in such controller just can be monitored by the secondary module of another or other controller.The monitoring be distributed in multiple controller has the following advantages, and namely can be reduced the probability of malfunction of monitoring function characteristic by additional redundancy design.Like this, the monitoring of dispersion can reach the vehicle safety integrated rank (ASILLevel) higher than three grades of schemes.
Published disconnection scheme in the monitoring of dispersion disconnects energy resource supply.At least two controllers send the request of disconnection to energy management system by communication network, and then this energy management system disconnects energy resource supply just to whole supervisory system.But this disconnection scheme has a series of defect.On the one hand it is that premised on high ASIL level in energy management system, that is break function characteristic must be (eigensicher) of " intrinsic safety type ".This problem becomes more outstanding due to following situation, and namely the manufacturer of energy management system also needs not to be the manufacturer of supervisory system or supervising device.
In addition, the Function detection of supervisory system is made to become difficulty, because whole automotive electric equipment may be caused to quit work to the disconnection requirement that energy supplyystem proposes.In addition, the main safety apparatus (such as isolating switch-relay) in battery system are openable usually when not carrying, because this can damage or destroy main safety apparatus.Therefore the disconnection such as in the framework of Function detection causes the raising of maintenance cost and additional cost.The difficulty of the open test such as during researching and developing is too increased in a word by this way.
In addition, because disconnection is asked to be transferred to energy management system by controller by communication network, so due to reaction time during failure condition can be increased when image jitter or information shortage appear in such as EMV interference.
The way that can propose a kind of improvement in 2 computing machine schemes with regard to the disconnection problem of functional unit is wished according to this situation people of prior art.
Summary of the invention
According to the present invention advise a kind of have independent claims feature for making by the functional unit of the first controller controlling run method out of service and a kind of supervising device.Some favourable schemes are themes of dependent claims and following explanation.
Advantage of the present invention
The present invention realizes the direct disconnection of the final circuit of the determination power of the first controller by the second controller of a monitoring.Those described in the prior art defects can be avoided by this measure.The fault reaction time is constant, and therefore can computing machine, and is repeatably.The whole supervising device with multiple controller is intrinsic safety type.Therefore the functional safety of system and outsourcing product, such as, have nothing to do with energy management system.Also can not defective component in disconnection process or when detecting, because final circuit can be connected according to the rules.Compared to the prior art improve the available property of automobile by this measure, with an improved maintenanceability.Special it is emphasized that additionally improve security by additional Redundancy Design or reduce probability of malfunction.
Other advantage of the present invention and scheme can be obtained from instructions and accompanying drawing.
Certainly, use in the combination that also feature of explanation not only can have been illustrated at each below foregoing characteristic sum, and also can use in other combination when not departing from framework of the present invention, or be used alone.
By the embodiment sketch in accompanying drawing, the present invention is shown, below with reference to the accompanying drawings the present invention will be described in detail.
Accompanying drawing explanation
Fig. 1: supervising device, it comprises the controller of two prior aries.
Fig. 2: according to a preferred form of implementation of supervising device of the present invention.
Fig. 3: according to one second preferred form of implementation of supervising device of the present invention.
Fig. 4: according to another preferred form of implementation of supervising device of the present invention.
Embodiment
Sketch shows the circuit planes figure of the supervising device 100 of a prior art in FIG.This supervising device comprises the first controller 110 and the second controller 140 for the operation of functional unit 150 of an operation for the first functional unit 120.Controller 110 has a functional machine (computing unit or CPU) 111.This functional machine is connected for the interface 112 receiving the sensor signal of such as sensor 130 with one.This functional machine 111 processes sensor signal, and trigger according to process and its final circuit 113 of programming to the operation for functional unit 120.This outer controller 110 also has an interface 114 for being coupled with communication bus 160, and has a monitoring module for the Functional Capability of monitoring function computing machine 111 (house dog) 115.
The final circuit 113 of controller 110, by a lead-in wire 180 and a main protection 181 and an energy generator, is that a battery 182 is connected at this.An energy management system 170 is provided with in order to carry out inspection to energy generator.This energy management system is also connected with communication bus 160, and triggers main safety apparatus 181, to cut off the electricity supply for corresponding request.
Second controller 140 is corresponding with the first controller 110 in its structure, does not just describe in detail at this.Represent with the Reference numeral of increase by 30 at some parts of controller 140 inside.Second controller 140 is connected with one or more sensor 135, and operation function unit 150.
Functional unit 120,150 can be particularly motor, and wherein, final circuit 113,143 such as comprises transistor for Pulse Inverter or IGBT.
In order to realize 2 computing machine scheme first controllers 110 and second controller 140 is monitored each other, and send one to energy management system 170 when defining fault by communication bus 160 to disconnect request.
The supervisory system improved by comparison according to preferred form of implementation of the present invention is introduced in following figure.The identical Reference numeral of parts identical in Fig. 2 to Fig. 4 represents.Those parts identical with the parts in accompanying drawing 1 Reference numerals of raising 100 represent.
Between the functional machine 241 and the final circuit 213 of the first controller 210 of second controller 240, one is had directly to connect wire 201 according to the preferred form of implementation 200 of the supervising device of the present invention of Fig. 2.By the signal on wire 201, such as digital signal or PWM-signal, the final circuit of the first controller 210 can directly activate or deactivate by second controller 240.Such as high level represents " activation " in a digital signal, and low level (Low-Pegel) represents " not activating ", or in pwm signal, have signal to represent " activation ", and no signal then represents " not activating ".
Additionally between the monitoring module 245 and the final circuit 213 of the first controller 210 of second controller 240, an open-circuit line 301 is provided with in the second preferred form of implementation 300 of the supervisory system according to Fig. 3.This scheme has following advantage, even if the monitoring module 245 of second controller 240 also disconnects the final circuit 213 in the first controller 210 by open-circuit line 301 when namely the function of the functional machine 241 of second controller 240 breaks down.
Figure 3 illustrates a preferred form of implementation.Except open-circuit line 301, the open-circuit line 201 according to Fig. 2 is also provided with in this form of implementation.Also it is mentioned that also can have such form of implementation even so, open-circuit line 301 is only set in this form of implementation.
In the preferred form of implementation 400 of Fig. 4, first some open-circuit lines of second controller 240 inside are gathered in a collector 246 from functional machine 241 and monitoring module 245s, such as, in an AND element, and lead to the final circuit 213 of the first controller 210 followed by open-circuit line 401.Remain both by the functional machine 241 of second controller in this manner, also by the advantage that monitoring module 245 disconnects, wherein, the open-circuit line of a physics only need be set even so between the controllers.
Disconnect final circuit and such as can comprise the transistor stopping at and arrange in final circuit, the operation of IGBT, switch etc.Alternatively or additionally disconnect the operation that final circuit also can comprise the transformer that stopping arranges if desired in final circuit etc.Also can be off circuit specially in final circuit and arrange some on-off elements, these on-off elements are triggered by the open-circuit line of second controller.Although merely illustrate the situation of the final circuit being disconnected the first controller by second controller in Fig. 2 to Fig. 4, also can mutually carry out monitoring and disconnecting in the solution of the present invention.
Claims (8)
1. the method for making the functional unit (220) that run by the first controller (210) in automobile out of service, wherein, first controller (210) has the inside final circuit (213) for the operation of functional unit (220), wherein, regulation second controller (240) is for monitoring the first controller (210), wherein, disconnected the inside final circuit (213) of the first controller (210) by second controller (240) when being recognized the functional fault of the first controller (210) by second controller (240), from functional machine (241) and monitoring module, (first 245)s were gathered in collector (246) open-circuit line that wherein second controller (240) is inner, and followed by the inside final circuit (213) of described open-circuit line (401) towards the first controller (210).
2. in accordance with the method for claim 1, wherein, be off and use at least one oneself open-circuit line (401).
3. the inside final circuit (213) of the first controller (210) according to the method described in claim 1 or 2, wherein, is disconnected by the functional machine (241) of second controller (240).
4. the inside final circuit (213) of the first controller (210) according to the method described in claim 1 or 2, wherein, is disconnected by the monitoring module (245) of second controller (240).
5. according to the method described in claim 1 or 2, wherein, the on-off element in breaking inner final circuit (213), or make it quit work.
6. according to the method described in claim 1 or 2, wherein, the circuit for providing voltage in breaking inner final circuit (213), or make it quit work.
7. supervising device (400), comprise at least one first controller (210) and at least one is for monitoring the second controller (240) of the first controller (210), wherein, first controller (210) has the inside final circuit (213) for operation function unit, wherein, in order to be disconnected the inside final circuit (213) of the first controller (210) by second controller (240), direct open-circuit line (401) is set between second controller (240) and the first controller (210), from functional machine (241) and monitoring module, (first 245)s were gathered in collector (246) open-circuit line that wherein second controller (240) is inner, and followed by the inside final circuit (213) of described open-circuit line (401) towards the first controller (210).
8. according to supervising device according to claim 7, wherein, open-circuit line is set, thus it can be triggered by the functional machine of second controller (240) (241) and/or monitoring module (245).
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| DE102010002468.6 | 2010-03-01 | ||
| DE102010002468A DE102010002468A1 (en) | 2010-03-01 | 2010-03-01 | Method for stopping functional unit operated by controller in motor vehicle, involves operating functional unit by internal output circuit of controller |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102189995A CN102189995A (en) | 2011-09-21 |
| CN102189995B true CN102189995B (en) | 2016-03-16 |
Family
ID=44501883
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201110048980.9A Expired - Fee Related CN102189995B (en) | 2010-03-01 | 2011-02-28 | For making method out of service by the functional unit of controller controlling run in the car |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN102189995B (en) |
| DE (1) | DE102010002468A1 (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| DE102013217461B4 (en) * | 2013-09-02 | 2023-10-05 | Robert Bosch Gmbh | Method and arrangement for monitoring a component in a motor vehicle |
| DE102018213182A1 (en) | 2018-08-07 | 2020-02-13 | Bayerische Motoren Werke Aktiengesellschaft | Control system for a motor vehicle and method for fault diagnosis in a control system |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| DE3841400A1 (en) * | 1987-12-28 | 1989-07-06 | Aisin Aw Co | DEVICE FOR DETECTING THE MALFUNCTION OF AN INTERFACE CIRCUIT AT THE OTHER END OF A CONNECTION LINE |
| US4853932A (en) * | 1986-11-14 | 1989-08-01 | Robert Bosch Gmbh | Method of monitoring an error correction of a plurality of computer apparatus units of a multi-computer system |
| US6628993B1 (en) * | 1999-07-15 | 2003-09-30 | Robert Bosch Gmbh | Method and arrangement for the mutual monitoring of control units |
| CN1577197A (en) * | 2003-07-14 | 2005-02-09 | 罗伯特-博希股份公司 | Method for monitoring technique system |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| DE4438714A1 (en) | 1994-10-29 | 1996-05-02 | Bosch Gmbh Robert | Method and device for controlling the drive unit of a vehicle |
| FI119508B (en) * | 2007-04-03 | 2008-12-15 | Kone Corp | Fail safe power control equipment |
| KR101400399B1 (en) * | 2008-01-28 | 2014-06-27 | 엘지전자 주식회사 | Device controlling system and emergency controlling method thereof |
-
2010
- 2010-03-01 DE DE102010002468A patent/DE102010002468A1/en not_active Withdrawn
-
2011
- 2011-02-28 CN CN201110048980.9A patent/CN102189995B/en not_active Expired - Fee Related
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US4853932A (en) * | 1986-11-14 | 1989-08-01 | Robert Bosch Gmbh | Method of monitoring an error correction of a plurality of computer apparatus units of a multi-computer system |
| DE3841400A1 (en) * | 1987-12-28 | 1989-07-06 | Aisin Aw Co | DEVICE FOR DETECTING THE MALFUNCTION OF AN INTERFACE CIRCUIT AT THE OTHER END OF A CONNECTION LINE |
| US6628993B1 (en) * | 1999-07-15 | 2003-09-30 | Robert Bosch Gmbh | Method and arrangement for the mutual monitoring of control units |
| CN1577197A (en) * | 2003-07-14 | 2005-02-09 | 罗伯特-博希股份公司 | Method for monitoring technique system |
Also Published As
| Publication number | Publication date |
|---|---|
| DE102010002468A1 (en) | 2011-09-01 |
| CN102189995A (en) | 2011-09-21 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN106364426B (en) | A kind of automobile start and stop protection system and method | |
| KR101641435B1 (en) | Battery management system and electric vehicles equipped with the same | |
| KR102113494B1 (en) | System and method for high voltage cable detection in hybrid vehicles | |
| CN103383430B (en) | For monitoring the method and apparatus of the high-tension circuit comprising discharge circuit | |
| CN102546295B (en) | CAN (Controller Area Network) detecting method of hybrid vehicle based on rigid line control | |
| KR20150047335A (en) | Method for controlling vehicle driving | |
| CN101604165B (en) | Vehicular diagnosis system for hybrid power vehicle and diagnosis method thereof | |
| KR101439050B1 (en) | Method for dark current inspection of vehicle | |
| CN104199370A (en) | Automotive motor controller security monitoring circuit and control method thereof | |
| CN105711423B (en) | A kind of electric automobile high-voltage safety control system | |
| CN106654403A (en) | Method for preventing battery failure false alarm and apparatus thereof | |
| CN103124086B (en) | The battery management system of electric automobile | |
| CN107472029A (en) | The high voltage fault detection method and vehicle of vehicle | |
| CN104648178A (en) | Charging power-on control method based on battery electric vehicle | |
| CN105291875A (en) | Electromobile quick charge method | |
| CN106080229B (en) | Cell safety charging method, device and battery management system | |
| CN105981285A (en) | Power conversion device | |
| CN104298223A (en) | Fault processing method and system | |
| CN108536122A (en) | Hybrid vehicle diagnostic system and method | |
| CN102189995B (en) | For making method out of service by the functional unit of controller controlling run in the car | |
| CN114475252A (en) | Data processing system and method for vehicle battery, vehicle and storage medium | |
| CN107634501B (en) | Motor control system and torque safety monitoring method | |
| CN106696753A (en) | Motor control device and motor control method | |
| JP6627598B2 (en) | In-vehicle power supply | |
| EP4087118A1 (en) | Electric motor control system and vehicle having same |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20160316 Termination date: 20210228 |