DE102008009905A1 - Method for providing an emergency function - Google Patents

Abstract

The invention relates to a method for providing an emergency function, via which a function is controlled redundantly, wherein at least one provided for triggering the function input signal (52) along a number of redundant paths to a device that is designed to implement the function redundantly transmitted and at which a diagnosis of at least one redundant path is performed.

Description

The Invention relates to a method for providing an emergency function, a device for providing an emergency function, a computer program and a computer program product

State of the art

So-called. System Basic Chips (SBC) or Integrated System Basic Chips (SBIC) will u. a. in control units for automotive Applications are used and typically take different Functions, such as voltage regulation and monitoring, reset functions (Reset), monitoring functions (Watchdog), interface functions and the like together. On the market available SBICs are, for example, TLE6263 from Infineon, UJA1065 from Philips or MC33889 from Freescale.

Disclosure of the invention

The The invention relates to a method for providing a limp-home function, via which a function is controlled redundantly. In this method is one to trigger the function provided input signal along a number of redundant Paths to a facility designed to implement the function is transmitted redundantly. Furthermore a diagnosis of at least one redundant path is performed.

With This method is by providing the emergency function a instantaneous and multiple redundant control of a function plus one complete, typically on-the-fly diagnostic of the at least one redundant one Path, which can also be referred to as an emergency run path, or one implemented corresponding signal path.

The Input signal can thus over securely transmit multiple redundant paths so that the function is safely implemented. By doing the diagnosis of the at least one path, its functionality can be checked.

The Redundant paths used in the method may be varied be structured. Along such paths, for example emergency running paths, can different electronic and / or circuit devices be arranged. So it is possible the input signal directly via a first redundant path or run-flat path to the device to convey. In addition, can the input signal over a second redundant path formed as an operating path is and includes a microcontroller, transmitted to the device become. Furthermore can Several paths are diagnosed by this microcontroller. Thus, this microcontroller can also diagnose paths along where this microcontroller is not arranged.

In Another variant of the method becomes at least one redundant one Path and the microcontroller through a system base circuit, the here at the same time as a monitoring unit is trained, supervised.

The Method is, for example, for Applications in the automotive sector or in the automotive sector suitable. there is it u. a. possible, in the context of the method, a brake light is controlled redundantly becomes. In this case, the input signal is through a brake switch or a corresponding brake device is provided. in this connection is to generate by this input signal, a brake light, wherein the input signal is transmitted redundantly to the brake light, so this Brake light indicates a braking. Thus, with the method the Brake light actuated and controlled.

in the Framework of the described diagnosis, in addition to the redundant Paths or run-flat paths are also diagnosed as mistakes. Thus is For example, a shutdown of faulty signals possible.

The The invention also relates to a device for providing a emergency function intended for the redundant activation of a function, this device comprises a number of redundant paths, along which one to trigger the function provided input to the device, the designed to implement the function to transmit redundantly is. Furthermore, the device is designed to diagnose at least one redundant path.

These Device can usually a microcontroller, a trained as a monitoring unit System base circuit and a module, also called run-flat module may be referred to. The module can contain a number of logical elements include, so that this module in a variant as a logical Switching element is formed. The logic switching elements are via line sections connected with each other. Thus, it is possible that the redundant Paths or Notlaufpfade at least in sections along the logical switching elements within the module, which means that along the redundant Paths logical elements can be arranged.

The microcontroller of the device can be arranged at the beginning of a branch of a redundant path, so that the input signal via the microcontroller directly to this redundant path is transmitted or directed. In addition, the device can have a number of readback lines, the microcontroller being connected to one of the redundant paths via in each case one such readback line, so that the diagnosis of the paths via these readback lines can be carried out with the microcontroller.

Of the System base circuitry is adapted to the microcontroller and in a further embodiment to monitor the redundant paths. For this purpose, the system base circuit is connected to the microcontroller. Furthermore The system base circuit may also be at the beginning of a second branch of the described redundant path, at the first branch of the microcontroller is connected, be arranged.

With the invention is u. a. a controllable, delay-free control of at least one function, d. H. also of several functions that triggered by respective input signals possible. It It is clear that in one variant, several different input signals via redundant Paths of the module within a device redundantly transmitted can be. Furthermore can additional redundant control for the Failure of the first redundant control plus a complete diagnosis carried out in normal operation become.

Consequently is a direct control by an input signal under provision different control options realizable. A monitoring unit can z. Eg as system base IC or circuit with integrated monitoring module (watchdog) for monitoring a microcontroller, which in case of error, in addition to the readback signal, the also as a reset or reset signal is suitable, a high (high) or a low (low) active error signal that provides the at least one function redundant can be controlled.

In Embodiment of the invention may be a combination of the above Variants, d. H. a possibly multiple redundant control as well an example. In-service diagnosis done. This results Fast response times, flexible control options, a usually complete one Diagnosis for the detection of sleeping errors and / or a shutdown a function with a faulty input signal, for example for a short-circuit protection.

The The invention also relates in design to an emergency running function delay-free and multiple redundant control of a function including complete diagnostics at least one redundant signal path or at least one for Provision of signals provided redundant line and thus at least one redundant path within the module. The Module can, for example, logical switching elements, usually AND and OR elements, include. Such logic switching elements are common along the at least one redundant path within the module arranged so that two logic switching elements over a Section of the at least one redundant path interconnected could be. In this case, a logical switching element along a redundant Path and thus arranged along several redundant paths be.

The controllable, delay-free Activation of the at least one function is typically direct feasible by the input signal. There is also the possibility a control of at least one function in normal operation through the microcontroller and a multi-redundant control in case of failure of the microcontroller or other components of the device or a corresponding system.

A full Diagnosis of the redundant drive or signal paths, at least sections within the module, eg. Run-flat module, run and thus at least in sections as redundant paths within of the module can, for example. During operation u. a. by Detecting sleeping errors done. A shutdown of a function at a faulty input signal, z. B. by short circuit, can additional be provided.

In Design is a delay-free Activation of the function, this function possibly in a as Emergency running path trained path can be integrated.

The The device described is adapted to all steps of the presented Procedure to perform. It can individual steps of this process also of individual components of Device performed become. Furthermore you can Functions of the device or functions of individual components the device can be implemented as steps of the method.

The Invention further relates to a computer program with program code means, to perform all the steps of a described method, if the computer program on a computer or equivalent Computing unit, in particular in a device according to the invention, accomplished becomes.

The computer program product according to the invention with program code means which are stored on a computer-readable data carrier is for carrying out all steps of a be trained method when the computer program on a computer or a corresponding processing unit, in particular in a device according to the invention, is executed.

A Function, here by way of example based on the function of the brake light described, becomes almost instantaneous, d. H. without software reaction time, and application-specific, eg. B. with a pulse width modulated (PWM) signal driven. The Application-specific control by the control signal for pulse width modulation and for testing ("PWM & Test") by the microcontroller In this case, not only with the function request the input signal is activated but pre-set and then activated immediately by the input signal. The invention thus opens in a variant the possibility a delay-free Control without software reaction time.

Consequently controls the input signal (brake switch input) of a brake switch the corresponding function directly and without delay with the correct Control signal by hardware control (HW control) on. It exists also the possibility the function over the microcontroller providing software control head for. The control can usually without active input signal, if direct activation is deactivated by the input signal should be done by the microcontroller redundant.

Furthermore can in case of a short circuit to Battery voltage of the input signal the function will be switched off, not to erroneously control the function and / or an output driver protect.

In a further embodiment is a dimming of a light bulb possible by means of a pulse width modulated signal. The control signal ("PWM & test") can u. a. also for diagnosing at least one redundant path, which is typically within the module, be used.

A first redundant control by the monitoring unit (System Base chip, SBIC) is usually under failure of the microcontroller under Provision of an error signal implemented.

A second redundant control can be due to the absence of a signal respectively. Ie. the redundant control is immediate or with delay by switching on a supply voltage or a supply current, z. B. KL15, activated. By an error signal (Micro Limp) of the microcontroller this activation is deactivated again, so that if it fails this error signal from the microcontroller the redundant control is activated. This error signal (Micro Limp) can also be used for diagnosis the at least one redundant path are used.

For a complete diagnosis are in one embodiment typically two readback lines (FB1, FB2) provided.

A first readback line is used to check a first OR element OR1 and a second OR element OR2, the along the at least one redundant path within the module are arranged. For review will a corresponding error signal (SBIC Limp or Micro Limp), the as a monitoring module trained system base circuit and / or on the microcontroller is enabled and based on a signal level via a first readback line (FB1) diagnosed without a function being controlled. Will the Activation of the function during Accepted the test can be applied to this first readback at future Tests may be omitted.

One second readback signal, the above the second readback line (FB2) is used at the end of a control for checking a AND element AND1 and a third OR element OR3 within of the module, activating the function. This can be the input signal and control signal ("PWM & test") are active.

This over the second readback line (FB2) provided readback signal (FB2) can also be used for diagnostics when controlled by the microcontroller be used in normal operation.

at a combination of the embodiments described above can the signals (Micro Limp or PWM & Test) of the microcontroller for the test and the correct application-specific Control can be used. Depending on the system design, this may only be the case one of the designated signals of a microcontroller sufficient.

The emergency function, which can be carried out as part of an implementation of an emergency mode, is generalized for outdoor lighting, usually provided brake or stop lights and / or for a long-term supply relay. In the event that the conditions for emergency running are given, a continuous specific path for energizing the exterior lighting, for example at least one brake light, is activated. Furthermore, an output for the permanent supply is set to an OFF or OFF position. To activate the emergency function, two redundant paths are provided in an embodiment. The monitoring module of the system base circuit monitors the microcontroller. In the event of a fault, a suitable signal ("SBIC Limp") is provided to provide emergency running set by the system base circuit so as to activate the emergency function. The microcontroller prevents the emergency function as long as it is sufficiently supplied with electrical energy. In case of loss of a signal ("Micro Limp") of the microcontroller for emergency operation of the microcontroller, the emergency function is activated. The logic to provide the emergency function can be activated by an internal signal ("Limp_home_supply_5V"). This signal can be generated by suitable switching elements, which may also be designed as microprocessors.

A Diagnosis, for example, the emergency function, for the outdoor lighting is at each Functional request to activate the exterior lighting possible. At least a trained as emergency run path redundant path is in this Case over an emergency function starting from the system base circuit or activated by an output signal of the microcontroller. To confirm a such activation becomes a readback signal (feedback signal) sent to a driver. After that, the at least one redundant path, here the emergency running path, be deactivated, with other steps passed to the microcontroller and thus performed by this become. In general, the microcontroller is independent of a currently performed Function monitored by the system base circuit. Furthermore, it is envisaged that usually as Emergency running paths formed redundant paths to prove sleeping Error monitored become.

A Diagnosis of emergency function for at least one brake light is on every request of a function for Activation of such a brake light possible. A switch for the brake light is about to activate activates the microcontroller by means of a signal ("Stop PWM / Test"). When the switch for the brake light depressed This is typically activated immediately, so this one shines. The microcontroller recognizes a signal transmitted by a signal Request for activation of the brake light. The microcontroller can in this case, an activation of a switching of the brake light over at least a redundant path over a readback signal of the driver. Furthermore, the microcontroller can Activation of the brake light take over and disable switching through the switch for the brake light. If the switch for the brake light is triggered is, a switching of the switch for the brake light is again through activates the microcontroller. In this context, a pulse width modulated Signal for that Brake light available. The brake light can continue to be activated immediately be, with no delay through a monitoring of the microcontroller takes place. To display sleeping errors is at least one redundant path when switching through a signal for the Brake light monitored.

Further Advantages and embodiments of the invention will become apparent from the Description and attached drawing.

It it is understood that the above and the following yet to be explained features not only in the specified combination, but also in other combinations or alone, without to leave the scope of the present invention.

Brief description of the drawings

1 shows a schematic representation of an embodiment of a device according to the invention.

2 shows a schematic representation of waveforms of signals that are implemented in one embodiment of the method according to the invention.

Embodiments of the invention

The Invention is based on embodiments schematically shown in the drawings and will be in the following described in detail with reference to the drawings.

In the 1 schematically illustrated embodiment of the device according to the invention 2 includes an integrated system base circuit 4 (SBIC), which serves as a monitoring unit, a microcontroller 6 and a trained here as Notlaufmodul module 8th , the OR and AND elements described below 18 . 24 . 28 . 30 and therefore comprises logic circuit elements or logic modules. Here are the integrated system base circuit 4 and the microcontroller 6 via a serial peripheral interface 10 (serial perephial interface, SPI) interconnected. The integrated system base circuit 4 and the microcontroller 6 lie over a first line 12 at a voltage V _REG or VCC.

About a second line 14 sets the system base circuit 4 the microcontroller 6 either a monitoring signal (Watchdog, WD) or a reset signal (Reset) ready. It is also envisaged that the integrated system base circuit 4 the module 8th via a third line 16 can transmit an S-error signal (SBIC limp) for the redundant realization of an emergency function. This S-error signal (SBIC Limp) of the system base circuit 4 becomes a first OR element in the present embodiment 18 (OR1) of the module 8th fed.

About a fourth line 20 is starting from the microcontroller 6 the first OR-Ele ment 18 (OR1) of the module 8th transmits an M error signal (Micro Limp). A fifth line 22 is intended that the microcontroller 6 a second OR element 24 (OR2) of the module 8th transmitted a pulse width modulated (PWM) signal or a test signal. About a sixth line 26 transmitted by the microcontroller 6 a third OR element 28 (OR3) of the module 8th a signal for software control (SW control).

Furthermore, the module has 8th another AND element 30 (AND1). The second OR element 24 (OR2) and the AND element 30 (AND1) are for providing a first readback signal via a first readback line 32 (FB1) with the microcontroller 6 connected. Furthermore, the third OR element 28 (OR3) via a second readback line 34 (FB2) for providing a second readback signal to the microcontroller 6 connected. During operation of the device 2 becomes the module 8th via a supply line 36 supplied with a current (KL15 supply).

The first readback line 32 (FB1) is used to check the first and second OR elements 18 . 24 (OR1, OR2) of the module 8th , For verification, either the S error signal (SBIC Limp) of the system base circuit is used 4 or the M error signal (Micro Limp) of the microcontoller 6 activated and based on a signal level on the first readback line 32 (FB1) diagnosed without a function being controlled.

The second readback signal is for checking the AND element 30 (AND1) and the third OR element 28 (OR3) provided. The function is activated, whereby the pulse width modulated signal and a via a supply line 38 provided active input signal. In addition, the second readback signal is triggered by the microcontroller 6 to diagnose at least one path within the module 8th used in normal operation.

The application-specific control by the control signal for pulse width modulation and for testing ("PWM &test") by the microcontroller 8th In this case, it is set in advance and activated by the input signal.

It is envisaged that the present embodiment of the device 2 designed for implementing a limp home function for brake or stop lights of a motor vehicle. It is provided that the AND element 30 (AND1) of the logic switching element 8th over the supply line 38 the input signal of a brake switch is provided. Via a switching line 40 is based on the logic switching element 8th a brake light output signal for providing a brake light transmitted as a function to be controlled here. In addition, this input signal is via a branch line 42 the supply line 38 to the microcontroller 6 transmitted. Thus, it is possible the input signal via the microcontroller of the switching line 40 supply redundant and control the brake light redundant.

It is also possible to control the brake light only by the microcontroller by the PWM signal 22 is switched off. This allows a diagnosis of the path 6 via the fifth line of the microcontroller via feedback via the second readback line 34 , This is a so-called. Normal function, there is a delay-free switching, then take over control by the microcontroller 6 and turning off the direct feedthrough. After the function request disappears and the brake light is turned off, the PWM signal is reactivated to allow quick turn-on.

A first redundant control by a monitoring unit (System Base chip SBIC) is usually in case of failure of the microcontroller delivered as an error signal (Limp).

A second redundant control can be in the absence of a signal respectively. Ie. the redundant control is immediate or with delay by switching on a supply voltage or a supply current, z. B. KL15, activated. By an M error signal (Micro Limp) of the microcontroller this activation is deactivated again, so that if it fails This M-error signal, the redundant control is activated.

The module 8th the device 2 In the present embodiment, it comprises three redundant lines, referred to as redundant paths, which are designed to activate the emergency function. The first redundant path begins at the end of the supply line 38 and passes over the AND element 30 (AND1) and the third OR element 28 (OR3) to the switching line 40 , The second redundant path includes the first OR element 18 (OR1) and runs along the second OR element 24 (OR2), the AND element 30 (AND1) and the third OR element 28 (OR3) and ends at the switching line 40 , Depending on which redundant drive is provided, this second redundant path has at its beginning the system base circuit 4 and the third line 16 or the microcontroller 6 and the fourth line 20 on.

The supply line 36 activates the second redundant path from the first OR element 18 (OR1). The microcontroller 6 prevents this emergency function as long as its supply is present. A signal provided for this purpose "Micro Limp" is typically immediately at startup, after a Re set or after switching on a voltage of the system circuit 4 (VCC ON), assuming a correctly running system, transmitted and thus provided. In case of a failure of the integrated system base circuit 4 , For example, in case of failure of the supply voltage VCC, via the first line 12 for the microcontroller 6 is provided, the microcontroller 6 do not provide the signal so that the emergency function is activated.

Thus, a logic for emergency running over the internally via the supply line 36 redundantly provided KL15 signal can be generated. In the event that conditions for the emergency, there is a direct passage of the input signal of the brake light switch to the switching line 40 Activated via the first redundant path for the input signal, so that the brake light over this redundant path, here along the AND element 30 and the third OR element 28 , is controlled directly.

Furthermore, it is provided that with the present device 2 a direct control and a direct test of the brake light is possible. For this purpose, in a flow to the control application specific starting from microcontroller 6 either the pulse width modulated signal or the test signal activated. The input signal of the brake switch outputs the pulse width modulated signal or the test signal for control by the via the supply line 38 provided input signal free. Readback or feedback signals via the two readback lines 32 . 34 (SW1, FB2) are transmitted for checking a signal for emergency operation and a signal for normal operation.

In the diagram 2 are along a timeline 50 during a check of the brake light, the course of an input signal 52 the brake switch, a control signal 54 , here a combination of a pulse width modulated signal and a test signal, an output signal 56 for the brake light and a software control signal 58 applied. Within this diagram, a first dashed line indicates 60 a first time that indicates a minimum hardware response time. A second timeline 62 indicates the time that has elapsed after a software response time has passed 64 starts. The output signal 56 for the brake light is when performing the method via a first control mechanism 66 starting from the control signal 54 (PWM and test) or via a second control mechanism 68 starting from the software control signal 58 controlled and the control signal 54 (PWM and test) turned off, leaving the output signal 56 for the Bramslicht under normal operation is under the control of the microcontroller. The diagram serves for the representation of the normal operation and the delay-free control of the function (brake light). The control signal 54 and the software control signal 58 are input signals of the in 1 shown OR elements 28 , the output signal 56 its output signal.

The first OR element designed as a logic device 18 also generates, immediately or with delay, when the supply voltage KL15 is applied via the supply line 36 a signal to activate the emergency operation, if the signal "Micro Limp" is not active. Ie. in normal operation, the microcontroller deactivates 6 this emergency path as soon as possible. In case of error z. B. in case of failure of the voltage of the system basic circuit 4 this path is activated because the signal "Micro Limp" is missing, but the first OR element 18 Logic is still supplied. Other errors, eg. B. Software errors are detected by monitoring the microcontroller 6 by means of the monitoring module in the system basic circuit 4 covered.

Claims (13)

Method for providing an emergency operation function, via which a function is controlled redundantly, in which an input signal intended for triggering the function ( 52 ) is redundantly transmitted along a number of redundant paths to a device adapted to implement the function, and wherein a diagnosis of at least one redundant path is performed. Method according to Claim 1, in which the input signal is transmitted directly to the device via a first redundant path, and in which the input signal is transmitted via a second redundant path, which is a microcontroller ( 6 ) is transmitted to the device. Method according to Claim 2, in which the paths through the microcontroller ( 6 ) are diagnosed. Method according to Claim 2 or 3, in which at least one redundant path and the microcontroller ( 6 ) by a system base circuit ( 2 ) be monitored. Method according to one of the preceding claims, in the at least one brake light is controlled redundantly. Method according to one of the preceding claims, in the function is delay-free controlled and integrated into the at least one redundant path becomes. Device for providing a redundancy function provided for the redundant activation of a function, this device having a number includes redundant paths along which an input signal intended to trigger the function ( 52 ) to a device adapted to implement the function, to be redundantly transmitted, and wherein the device is adapted to perform a diagnosis of at least one redundant path. Apparatus according to claim 7, wherein the redundant ones Paths run along logical elements within a module. Apparatus according to claim 7 or 8, comprising a microcontroller ( 6 ) located at the beginning of a first branch of a redundant path. Device according to Claim 9, in which the microcontroller ( 6 ) via one read-back line ( 32 . 34 ) is connected to one of the redundant paths. Apparatus according to claim 9 or 10, comprising a system base circuit connected to the microcontroller ( 6 ) and located at the beginning of a second branch of the redundant path. Computer program with program code means to all To perform steps of a method according to any one of claims 1 to 6, when the computer program on a computer or equivalent Arithmetic unit, in particular in a device according to one of claims 7 to 11, executed becomes. Computer program product with program code means, which are stored on a computer-readable medium to all To perform steps of a method according to any one of claims 1 to 6, when the computer program on a computer or equivalent Arithmetic unit, in particular in a device according to one of claims 7 to 11, executed becomes.