Vehicle systems designers are developing numerous propulsion systems to improve energy-efficiency and reduce need for consumption of fossil fuels, including fuel/electric hybrid systems having batteries and individual wheel motors, and fuel-cell systems. Each system uses one or more electronic controllers to control ongoing operation of all or part of one or more systems related to vehicle operation and propulsion. Such vehicle systems include various by-wire control systems, each consisting of an operator-controlled input device which is connected via electric wiring harness and a controller to one or more actuators. Such systems include, for example, propulsion-by-wire and brake-by-wire systems.
By-wire control systems provide a number of advantages with regard to system packaging. The associated electronic control systems and the implementation of advanced computer control algorithms facilitate numerous new control features. Much attention has been given to designing by-wire control systems and control architectures that ensure robust operation. General design techniques which have been employed in such systems are redundancy, fault tolerance to undesired events (e.g., events affecting control signals, data, hardware, software or other elements of such systems), and, fault monitoring and recovery to determine if and when such an event has occurred. A typical fault detection scheme takes or recommends action to ensure desired response and control of the vehicle. One approach to providing fault tolerance utilized in by-wire control systems is to design control systems and control architectures which ensure that no single event occurring in the system causes a complete loss of the desired control of the system.
The prior art often uses a control architecture comprising dual-redundant control systems to overcome the aforementioned concerns. FIG. 1 schematically illustrates a general dual-redundant by-wire control system 10, which comprises a fail-silent control system. The control system 10 generally comprises a pair of substantially identical controllers 11, 13 which implement substantially identical software algorithms. Each of controllers 11, 13 is adapted to provide a control signal for agreement comparison with the other. When the controller outputs agree, a control signal is provided to an actuator, smart actuator or controller for implementation of the control signal. Unless and until the controllers agree, the actuator assumes a predetermined state. Therefore, the system shown in FIG. 1 fails silent after the first fault in either controller. This behavior may be acceptable from a risk management standpoint but undesirably reduces the availability of the system. Additionally, such architecture does not address software anomalies that may manifest in systems having identity of algorithms among controllers.
Increased dependability in performance-critical by-wire systems, e.g., propulsion-by-wire (‘PBW’), is typically achieved by increasing the level of hardware redundancy. However, increased levels of hardware redundancy lead to increased system cost and complexity. A single fault in a traditional dual-redundant PBW system (i.e., system with lowest level of redundancy) has the potential to lead to the loss of both the front and the rear (or other distribution) propulsion systems.
In addition, such systems typically make certain assumptions regarding occurrence of system faults, including there being a single, independent fault per communication cycle (arbitrary or fail-silent); there being no masquerading faults on a controller area network (CAN); and there being no integration of a disabled propulsion system until system reset or successful built-in-self test.