In recent years in-vehicle networks (IVN) have found their way into cars and are used for transmitting control data for a variety of distributed applications. Prominent and recent examples of such communication networks in the field of automotive are LIN (local interconnected network), CAN (controller area network) and FlexRay. These networks are also used in safety-relevant applications in the area of vehicle dynamics control such as for example assisted front steering (AFS) or electronic stability program (ESP), in passive safety systems such as for example air bags, and in engine management systems. For those applications, in a distributed system setup, safety related data have to be transmitted via the communication network.
Control systems used in such applications are often designed in such a way that, in a first node, sensor information provided by a sensor connected to the first node is gathered and possibly pre-processed and then transmitted to at least one other node, i.e. to a second node. The second node uses the transmitted information to control an actuator connected to the second node. The first and second nodes usually comprise microcontroller units (MCU).
With respect to the transmission of safety related data in such a system, particular measures have to be taken in order to cope with the occurrence of transmission errors such as data repetition, loss of data, insertion of data, sequence failures, delays in transmission as well as kinds of masquerade and data corruption. As an example for such measures, safety procedures are used which run on top of the transmission protocol as a safety layer and which allow the receiving node, i.e. the second node, to detect that a transmission error has occurred. After the detection of a transmission error, the second node can then take proper actions, e.g. enter a safe system state.
As an example of such a safety procedure, the data to be transmitted are often protected with an application checksum before transmission from the first node to the second node, the application checksum allowing the second node to detect whether the data have been altered during transmission due to the occurrence of a transmission error. Commonly, a CRC (cyclic redundancy check) is used for the checksum which is appended to the data to be transmitted, thus enabling reliable detection of transmission errors.
Additionally to transmission errors during transmission of data from the first node to the second node, faults can occur in the processing subsystem of the first node which processing subsystem is responsible for execution of all software tasks required to be performed in the first node.
Various concepts have been proposed in order to address detection and handling of faults which affect the processing subsystem of a node. These concepts include complex dual microcontroller solutions, asymmetric microcontroller architectures as well as integrated dual-core, lock-step concepts.
Running a full-redundant microcontroller as an independent unit is quite expensive since another microcontroller with the same performance as the main controller is needed.
An asymmetric solution with plausibility checks suffers from the lack in comprehensiveness with respect to fault coverage. Some errors cannot be detected so that the trustworthiness is in question. Further, such approach requires a number of interconnections between the separate microcontrollers in order to realize the complex and often application-dependent information exchange. The introduced delay for error detection might exceed the allowable limits for certain applications. Thus, the asymmetric approach is not suitable for all kinds of applications.
The publication “Cost-effective Approach to Error Detection for an Embedded Automotive Platform” by R. Mariani et al. in SAE TECHNICAL PAPER SERIES 2006-01-0837 discloses the realization of fast and accurate fault detection by an independent checker and monitor architecture. According to this architecture, integrated fault detectors are provided to subunits of a node and the error indications of these integrated fault detectors are gathered and processed by a main fault supervisor unit which is also integrated on the same chip. This architecture eliminates the need for a second microcontroller to do redundant operations and processing tasks at application level.
In particular in use in safety-relevant applications, the operation of the second node must depend on correct operation of the first node and information about faults occurring in the processing subsystem of the first node has to be forwarded to the second node in order to prevent unintended or incorrect operation of the second node.
It is generally known to transmit information about faults in the processing subsystem of the first node via an extra line or an additional communication system. However, such a solution is expensive and not feasible for applications in the automotive domain. Further, it is known to transmit such information in separate pieces, e.g. to transmit data and associated validity information one after another. In this case, data and validity information are only loosely coupled in time which might violate requirements regarding fault detection latency time, which is not acceptable in safety-relevant applications. As a consequence, it has to be ensured that data and validity information are transmitted as one single entity.
Furthermore, it has to be ensured that the data and the validity information are not both affected by common failures based on the same cause which might lead to false data erroneously declared to be valid.