The invention relates to an array of control devices having a plurality of control devices which are interconnected via a first data bus, and a data bus isolating switch.
Safety-related systems in drive-by-wire vehicles—drive-by-wire meaning that each drive train function of a vehicle, including the steering, is controlled exclusively by means of electrical signals—have to be particularly protected against failure. Examples of drive-by-wire systems in vehicles are steer-by-wire systems in which there is no permanent mechanical or hydraulic connection between the steering wheel and the steerable vehicle wheels, or ESP (Electronic Stability Program) systems in which the driving behavior of the vehicle is adapted in the limiting range of vehicle movement dynamics. In order to increase the failsafeness of such drive-by-wire systems, these systems are of redundant configuration so that when, for example, one control device fails, it is possible to switch over to a control device which is of redundant configuration.
A system of redundant configuration is one in which a component, for example a microprocessor, is provided multiple times and the same function is carried out on each of these components. This means in particular that the same input data is processed by the components and the same output data is produced, it being possible to assign the output data to the components for evaluation purposes.
Known redundant arrays are the TRM (Triple Modular Redundancy) system and the duo-duplex system.
In the TRM system, also referred to as the two out of three system, three redundant components are coupled in such a way that a faulty component can be detected and prevented from having any effect on the surroundings.
In the case of the duo-duplex system, also referred to as the dual self-checking pair system, in each case two redundant components are combined to form one channel, it being possible to detect the faulty behavior of a component within a channel. If the faulty behavior of a component is detected, the corresponding channel is switched off.
European Patent document EP 0 760 973 B1 discloses a processing system in an aircraft wire remote-steering control system, in which each of a plurality of redundant, asynchronous primary flight computers generates command signals, at least one control surface of the aircraft being controlled by a plurality of actuator drives. The processing system controls the flight command signals which are transmitted to the actuator drives, and contains a plurality of selectors, each selector being connected to a primary flight computer and one or more actuator drives in order to receive the flight command signals from all the primary flight computers, and voting means for acting in accordance with a predetermined selection algorithm in order to transmit a selected flight signal.
German Patent document DE 196 31 309 A1 discloses a microprocessor array for a vehicle regulating system which has a plurality of microprocessor systems which are of redundant configuration and are connected to one another by means of bus systems. The data processing in the microprocessors is used for regulating systems such as antilock brake control and/or traction control as well as for conditioning input signals. The output results and/or intermediate results of the data processing, which are symmetrically redundant, are compared. When they differ, the respective system is switched off. In addition, the data processing operations which run in these microprocessor systems are each compared with the results of a simplified data processing operation and checked for plausibility. In the case of discrepancies, the regulating system can be maintained temporarily for functionally important data which is not “safety-critical”.
Redundant system functions in means of transportation are generally implemented by a plurality of microprocessors accommodated on a printed circuit board. This implementation of redundant systems has the advantage of short and high-speed switching paths between the microprocessors. The disadvantage of this implementation is the very high development costs and long development times. This is disadvantageous in particular in the field of automobiles because ever shorter development times are now being required for the generation of new models.
For this reason, systems which are of redundant configuration in the field of automobiles are composed of components which are already available on the market and only have to be adapted to a minimum degree in order to be part of a redundant system. In particular, control devices which are already available on the market are suitable as components.
The object of the present invention is to optimize a redundant array of control devices in such a way that control devices only have to be adapted to a minimum degree as part of a redundant system.
This object is achieved according to the invention by having each data bus isolating switch connected to a signal line of at least one further redundant control device. A further redundant control device transmits an evaluation signal to the data bus isolating switch which is assigned to a first redundant control device. The evaluation signal is a result of functional checking of the further redundant control device with respect to the first redundant control device. The data bus isolating switch of the first redundant control device disconnects the data bus as a function of the result of a logic circuit. At least one input signal of the logic circuit is formed by the at least one evaluation signal.
The array of control devices according to the invention has the advantage that control devices of any desired manufacturers can be used to make up a redundant array.
It is a further advantage that the switching off of the control devices and the isolation from the data bus is independent of the voting process which is used in the redundant control. The voting process in the redundant control device for evaluating the further redundant control devices is independent of the selected hardware or software and can be changed individually. Only the final evaluation signal, which has to be transmitted to the data bus isolating switch of the respective evaluated redundant control device, is important.
The data bus isolating switch can be developed independently of the control device since the switch does not require any functional elements of the control device nor does the control device require any functional elements of the data bus isolating switch.
The simple design of the array of control devices and the data bus isolating switch is advantageous, ensuring high-speed and cost-effective manufacture.
Since all the output assignments of the data bus isolating switch can easily be completely tested by means of all the input assignments, the data bus switch can be manufactured with a high degree of reliability.
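The isolation mechanism described above (evaluation signals feeding a logic circuit in each data bus isolating switch) and the exhaustive test of all input assignments can be sketched as follows. This is an added example, not code from the patent: the array size of three, the tolerance-based functional check, the sample output values and the AND logic are assumptions, as are all function names.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define N_DEV 3      /* assumed array size: three redundant control devices */
#define TOLERANCE 2  /* assumed allowed deviation between redundant outputs */

/* Functional check by `checker` on `target`: true = evaluation signal "faulty". */
static bool evaluation_signal(const int out[N_DEV], int checker, int target) {
    return abs(out[checker] - out[target]) > TOLERANCE;
}

/* Logic circuit of one isolating switch; bit k of `signals` is signal line k.
 * Assumed logic: AND, so one faulty evaluator cannot isolate a healthy device. */
static bool switch_disconnects(unsigned signals, unsigned n_lines) {
    unsigned all = (1u << n_lines) - 1u;
    return n_lines > 0 && (signals & all) == all;
}

/* Bitmask of devices whose switch disconnects them from the data bus. */
static unsigned isolated_devices(const int out[N_DEV]) {
    unsigned isolated = 0;
    for (int target = 0; target < N_DEV; target++) {
        unsigned signals = 0, line = 0;
        for (int checker = 0; checker < N_DEV; checker++) {
            if (checker == target) continue;
            if (evaluation_signal(out, checker, target)) signals |= 1u << line;
            line++;
        }
        if (switch_disconnects(signals, line)) isolated |= 1u << target;
    }
    return isolated;
}

/* Drive every input assignment and compare with the expected output;
 * returns the number of mismatches (0 = truth table fully verified). */
static unsigned exhaustive_switch_test(unsigned n_lines) {
    unsigned mismatches = 0;
    for (unsigned in = 0; in < (1u << n_lines); in++) {
        bool expected = (in == (1u << n_lines) - 1u); /* only all-ones opens */
        if (switch_disconnects(in, n_lines) != expected) mismatches++;
    }
    return mismatches;
}

int main(void) {
    int out[N_DEV] = {100, 101, 250}; /* constructed sample: device 2 deviates */
    printf("isolated=0x%x mismatches=%u\n",
           isolated_devices(out), exhaustive_switch_test(N_DEV - 1));
    return 0;
}
```

With the assumed AND logic, the deviating device flags both healthy peers, but each healthy device's switch sees only one of its two signal lines asserted and stays connected.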
Since the array of control devices is based on a smallest unit of two control devices which are redundant with respect to a control function, the array of control devices can be expanded with further control devices which are redundant with respect to this control function. As a result, it is possible to easily map TRM and duo-duplex arrays.
The array of control devices, which has a first and second data bus, has the advantage that when a data bus is disconnected, the disconnection can be bridged by means of a gateway circuit. This can be a rapid remedy, for example, in the event of a short-circuit of the data bus or a disconnection of the data bus cable.
A further advantage of the array of control devices with the additional data bus is that the first data bus, by which the communication is carried out with the further control devices of the means of transportation, is not loaded with additional data traffic.
There are then various possible ways of advantageously configuring and developing the teaching of the present invention.