Electronic safety systems for crash avoidance are now very widely used in motor vehicles. Such safety systems may include, for example: blind spot monitoring systems; active cruise control systems; pre-safe braking systems; collision avoidance systems; lane departure prevention systems; and rear-collision mitigation systems.
The complex nature of modern vehicular safety systems places great importance on the performance and reliability of the electronic control systems which are required to provide and manage the safety systems. Such control systems typically include integrated hardware and software in order to host and run so-called Advanced Driver Assistance Systems (ADAS) algorithms.
Such systems are required to satisfy very stringent safety requirements such as the ISO 26262 Functional Safety for Road Vehicles standard, which defines a so-called Automotive Safety Integrity Level (ASIL) risk classification scheme. ASIL-D represents the highest integrity requirements under this standard, and is applicable to safety-related processing tasks.
A requirement of the functional safety standard is that the control system must be capable of identifying safety-relevant errors in its arithmetic, logical and memory units, which is only possible for an ASIL-D electronic control unit if a lockstep processor architecture is used. However, processors with a lockstep architecture of this type have a relatively low processing power which is insufficient to handle modern applications like ADAS with a set of suitable sensors such as Radar, Lidar and/or cameras. It has therefore been proposed to use electronic control units (ECUs) having at least two microcontrollers, such that a first so-called “safety” microcontroller can handle important safety-related tasks and monitor the operation of a second so-called “performance” microcontroller which has a higher processing power and is thus configured to handle the main processing tasks of the system, under the supervision of the safety microcontroller. In these types of arrangements, the safety microcontroller is thus usually configured to operate as a so-called “master” microcontroller, and the performance microcontroller is usually configured to operate as a so-called “slave” microcontroller.
As will be appreciated, a typical modern ADAS system will be configured to perform various different functions (e.g. blind spot monitoring; active cruise control; pre-safe braking; collision avoidance; lane departure prevention etc.), and so the system architecture will usually include a plurality of multi-core microcontrollers. The ADAS system will furthermore include a number of communication buses to interconnect the various components, including a plurality of sensors and the microcontrollers, of the system. These communication buses may include a FlexRay serial bus, a Controller Area Network (“CAN”) bus, and an Ethernet bus.
ADAS systems are generally configured to operate according to the Time Division Multiple Access (“TDMA”) protocol for channel access, whereby the nodes of the system network are allocated respective time slots in which they will have exclusive access to the relevant communication bus. It is thus essential that the execution of tasks within the various nodes of the system is synchronized to the respective bus (e.g. the FlexRay bus). The system network thus has one or more synchronization nodes, which transmit synchronization signals on the bus. On reception of each synchronization signal, each other node on the network compares its own clock to that of the synchronization node clock and makes any changes required to maintain synchronization.
AUTOSAR (AUTomotive Open System ARchitecture) is an open and standardized automotive system architecture which has been jointly developed by motor vehicle manufacturers and suppliers, and its use is becoming increasingly common in modern motor vehicles as their electronics become more and more complex and integrated. In the context of functional safety in motor vehicles, statically scheduled tasks and alarms are required, and so the use of schedule table based processing is advantageous in such systems. AUTOSAR compliant operating systems use the schedule table processing concept.
AUTOSAR operating systems use alarms and counters with the schedule table concept. Alarms and counters allow the processing of recurring phenomena, such as timer ticks, or signals from mechanical components of the motor vehicle. When associated with a timer, they allow the management of periodic tasks. Counters are provided to count the number of “ticks” from a source. Each counter will have a maximum value, and when this value is reached the counter will return to zero. An alarm links a counter and a task. The alarm will expire when the counter reaches a predefined value, at which point a statically defined action is taken, which may be the activation of an associated task.
Schedule tables extend the concept of alarms. Like alarms, a schedule table is linked to a counter. The schedule table includes a set of expiry points, whose corresponding counter values are relative to the activation of the schedule table. When an expiry point is reached, one or more actions (e.g. task activation) are taken. The schedule table will define the activation points of all tasks in the system.
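The counter and schedule table behaviour described above can be modelled in a few lines of C. This is an added illustration, not code from the original text or from any AUTOSAR implementation; the type and function names, the counter maximum of 9 and the three expiry points are all assumptions chosen to show how expiry offsets relative to activation stay correct when the counter returns to zero.

```c
#include <stdint.h>
#include <stdio.h>

#define COUNTER_MAX 9u   /* assumed maximum: counter runs 0..9, then returns to zero */

typedef struct { uint32_t offset; int task_id; } expiry_point_t;

typedef struct {
    const expiry_point_t *points;
    int n_points;
    uint32_t start;      /* counter value at which the table was activated */
} schedule_table_t;

/* One tick from the source; the counter returns to zero after its maximum. */
static uint32_t counter_tick(uint32_t c) { return (c == COUNTER_MAX) ? 0u : c + 1u; }

/* Ticks since activation, computed correctly across the wrap to zero. */
static uint32_t elapsed(uint32_t now, uint32_t start) {
    return (now >= start) ? now - start : now + (COUNTER_MAX + 1u) - start;
}

/* Task activated at counter value `now`, or -1 if no expiry point is due. */
static int table_poll(const schedule_table_t *t, uint32_t now) {
    uint32_t e = elapsed(now, t->start);
    for (int i = 0; i < t->n_points; i++)
        if (t->points[i].offset == e) return t->points[i].task_id;
    return -1;
}

/* Constructed table: three expiry points, offsets relative to activation. */
static const expiry_point_t POINTS[] = { {2u, 1}, {5u, 2}, {9u, 3} };

/* Activates the table at `start` and reports what fires at counter value `now`. */
static int demo_task_at(uint32_t start, uint32_t now) {
    schedule_table_t t = { POINTS, 3, start };
    return table_poll(&t, now);
}

int main(void) {
    uint32_t c = 7u;     /* table activated while the counter reads 7 */
    for (int i = 0; i <= (int)COUNTER_MAX; i++, c = counter_tick(c)) {
        int task = demo_task_at(7u, c);
        if (task >= 0) printf("counter=%u -> activate task %d\n", (unsigned)c, task);
    }
    return 0;
}
```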
All of the microprocessors deploying AUTOSAR compliant operating systems in an automotive safety system must be synchronized to the TDMA bus, and so the schedule table on each microprocessor must be synchronized to the bus. This has not previously been possible in a reliable and simple manner in the case of multiple microcontrollers, for example within an ECU.
It is an object of the present invention to provide an improved vehicle safety electronic control system.
According to the present invention, there is provided a vehicle safety electronic control system, including: a master microcontroller and a slave microcontroller; the master microcontroller being connected to a TDMA network bus, and the slave microcontroller being connected to the master microcontroller via a general purpose input/output connection; both of the microcontrollers being configured to operate schedule table based execution, and each microcontroller having a respective synchronization counter, wherein the master microcontroller is configured to update its synchronization counter in response to receipt of a primary synchronization signal from the network bus, and to issue a corresponding secondary synchronization signal to the slave microcontroller via the general purpose input/output connection, the slave microcontroller being configured to update its synchronization counter in response to receipt of the secondary synchronization signal from the master microcontroller such that the schedule tables of both microcontrollers are synchronized to the network bus.
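The following C simulation is an added illustration of the arrangement just described, not code from the original text. It assumes that a synchronization signal marks the start of a bus cycle (so each counter is set to zero on receipt), that a cycle is 100 ticks, and that the slave clock gains one tick per cycle; all names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#define CYCLE_TICKS 100u  /* assumed ticks per bus cycle; same resolution on both MCUs */
#define MAX_SLAVES  4

typedef struct mcu {
    uint32_t sync_counter;          /* counter that drives this MCU's schedule table */
    struct mcu *slaves[MAX_SLAVES]; /* slaves reachable over GPIO (master only) */
    int n_slaves;
} mcu_t;

/* Local timer: each MCU advances its counter from its own clock. */
static void mcu_tick(mcu_t *m, uint32_t ticks) {
    m->sync_counter = (m->sync_counter + ticks) % CYCLE_TICKS;
}

/* Slave: secondary sync arrives on GPIO. Assumption: it marks cycle start. */
static void slave_on_gpio_sync(mcu_t *s) { s->sync_counter = 0u; }

/* Master: primary sync from the bus; update own counter, then forward to slaves. */
static void master_on_bus_sync(mcu_t *m) {
    m->sync_counter = 0u;
    for (int i = 0; i < m->n_slaves; i++) slave_on_gpio_sync(m->slaves[i]);
}

/* Shortest distance between two counters on the circular range. */
static uint32_t skew(const mcu_t *a, const mcu_t *b) {
    uint32_t d = (a->sync_counter + CYCLE_TICKS - b->sync_counter) % CYCLE_TICKS;
    return (d > CYCLE_TICKS / 2u) ? CYCLE_TICKS - d : d;
}

/* Runs `cycles` bus cycles with constructed slave drift; returns mid-cycle skew. */
static uint32_t simulate(int cycles, int forward_sync) {
    mcu_t slave = {0}, master = {0};
    master.slaves[0] = &slave;
    master.n_slaves = forward_sync ? 1 : 0;   /* 0 models a missing GPIO link */
    for (int c = 0; c < cycles; c++) {
        mcu_tick(&master, CYCLE_TICKS);       /* master tracks bus time */
        mcu_tick(&slave, CYCLE_TICKS + 1u);   /* slave clock gains one tick */
        master_on_bus_sync(&master);          /* primary sync at cycle boundary */
    }
    mcu_tick(&master, 50u); mcu_tick(&slave, 50u);  /* half a cycle later */
    return skew(&slave, &master);
}

int main(void) {
    printf("skew with forwarding: %u, without: %u\n",
           (unsigned)simulate(5, 1), (unsigned)simulate(5, 0));
    return 0;
}
```

Without the forwarded signal the slave's schedule table drifts by one tick per cycle relative to the bus; with it, the skew is cleared at every cycle boundary.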
Optionally, the control system includes a plurality of the slave microcontrollers, wherein each slave microcontroller is connected to the master microcontroller via a respective general purpose input/output connection, and the master microcontroller is configured to issue a respective secondary synchronization signal to each slave microcontroller via its respective general purpose input/output connection.
Preferably, the master microcontroller is configured to issue the or each secondary synchronization signal in the form of an Interrupt Service Routine.
Advantageously, the synchronization counters of the microcontrollers have identical resolutions.
Conveniently, the or each slave microcontroller is not connected to the network bus directly.
Preferably, the microcontrollers are provided within a single integrated electronic control unit.
Advantageously, the network bus is a FlexRay bus.
Conveniently, the network bus is a Controller Area Network bus.
Preferably, each microcontroller is configured to run an AUTOSAR-compliant operating system.
Optionally, each microcontroller includes a plurality of processing cores.
According to a second aspect of the present invention, there is provided a motor vehicle electronic safety system including a control system in accordance with the first aspect.