The present invention relates to a process making it possible to monitor the state of a safety facility.
The present invention finds its application in an architecture managed by a computer in which an action may be instructed only if a safety facility is in a given state. This type of architecture is very common in industrial machines, in home automation, in the automobile field, etc.
An exemplary application of such an architecture is the device for controlling a starter of a motor vehicle. The starter can be actuated only when a steering column lock (the safety facility) is in its unlocked state. It must be completely impossible to turn on the engine of the vehicle while the steering column is locked.
In a motor vehicle, the state of the steering column lock is generally monitored by a first computer. The latter also monitors the state of other facilities in the passenger compartment of the vehicle, such as for example the hand brake or the controls for switching on the headlights. A second computer is intended to manage the functions carried out under the bonnet. The starter receives its orders to turn on from this second computer. The two computers are linked by a CAN bus.
Hence, before instructing the starter, the second computer must verify the unlocked state of the column lock. It therefore interrogates the first computer which informs it as to this state. Depending on the response obtained, the second computer does or does not instruct the turning on of the starter.
In the event of a partial failure of the first computer causing it not to verify the state of the column lock, a start command can be sent without the steering column being unlocked. Thus a single fault in the system is enough to defeat the safety check.
To solve this problem, the second computer must itself be capable of monitoring the state of the column lock. The second computer can use the first computer as a communication gateway. However, in the event of a fault with the first computer, erroneous information may be sent back to the second computer. The use of such a gateway improves the reliability of the system, but insufficiently: the second computer still depends entirely on the report produced by the first computer.
One solution then consists in creating a direct link between the second computer and the steering column lock. The safety of the system is thus made redundant, since the second computer receives the information as to the state of the column lock via two independent routes. The reliability of this solution is satisfactory, but its cost is high since it requires new wiring between the second computer and the safety facility. In a motor vehicle, such wiring would have to be provided not only for the steering lock but also for other safety facilities.
The aim of the present invention is therefore to provide a process which allows reliable monitoring of the state of a safety facility without however requiring additional direct wiring.
Accordingly, it proposes a process for monitoring the state of a safety facility by computer, in which a first computer is linked to the safety facility and a second computer, intended to control an actuator, interrogates the first computer as to the state of the safety facility before any command to turn the actuator on and/or off.
According to the invention, the second computer interrogates the state of the safety facility directly by sending an encrypted message; the first computer forwards the question of the second computer to the safety facility in one direction and the response of the safety facility in the opposite direction; and the second computer verifies the consistency of the response received. The encryption code is known to the second computer and to the safety facility but is unknown to the first computer, so that the first computer cannot itself produce, or alter, a response that passes this verification.
In this manner, the first computer serves solely as a mailbox and is no longer the party being interrogated. This makes it possible to route the exchange through the first computer, without establishing a direct line between the second computer and the safety facility, while ensuring reliable transmission of the information.
In this process according to the invention, provision may be made for the second computer to generate a random number, for the transmission of this number to the safety facility via the first computer to constitute the question, and for the response sent to depend on the number transmitted according to a predetermined algorithm corresponding to the encryption code. The random number must be fresh for each interrogation, so that a response captured during an earlier exchange cannot be presented again as an answer to the current question.
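The exchange described in the two preceding paragraphs, written out as an added example (not code from the patent): the second computer (engine ECU) draws a random challenge, the first computer (body ECU) merely relays it and the reply, and the column lock answers with its state word followed by a keyed tag over the challenge and the state. The keyed algorithm chosen here is HMAC-SHA256, the key value and the message layout are assumptions made for the example, and the four gateway behaviours below are constructed to show what a faulty or dishonest first computer can and cannot do.

```python
import hashlib
import hmac
import secrets

# Constructed key for the example (not from the patent): provisioned into the
# column lock and the engine ECU at manufacture; the body ECU (gateway) never holds it.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

LOCKED, UNLOCKED = b"\x00", b"\x01"   # one-byte state word carried in the response
TAG_LEN = 32                            # full HMAC-SHA256 tag


def mac(key: bytes, challenge: bytes, state: bytes) -> bytes:
    """Response tag = HMAC(key, challenge || state). Binding the state into the
    tag is what stops the gateway from rewriting LOCKED to UNLOCKED."""
    return hmac.new(key, challenge + state, hashlib.sha256).digest()


class ColumnLock:
    """Safety facility: holds the key and knows its own physical state."""
    def __init__(self, key: bytes, state: bytes):
        self.key = key
        self.state = state

    def answer(self, challenge: bytes) -> bytes:
        return self.state + mac(self.key, challenge, self.state)


class EngineEcu:
    """Second computer: generates the random challenge and checks the reply."""
    def __init__(self, key: bytes):
        self.key = key
        self._pending = None

    def make_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)   # fresh, unpredictable, single use
        return self._pending

    def verify(self, response: bytes) -> bool:
        """True only for a correctly authenticated UNLOCKED report to the pending challenge."""
        challenge, self._pending = self._pending, None   # nonce is consumed either way
        if challenge is None or len(response) != 1 + TAG_LEN:
            return False
        state, tag = response[:1], response[1:]
        if state not in (LOCKED, UNLOCKED):
            return False
        if not hmac.compare_digest(tag, mac(self.key, challenge, state)):
            return False   # forged, tampered, replayed or garbled reply: refuse to start
        return state == UNLOCKED


def start_allowed(ecu: EngineEcu, lock: ColumnLock, gateway) -> bool:
    """One start request routed through the first computer; `gateway` is a
    callable modelling how that computer forwards the challenge and the reply."""
    challenge = ecu.make_challenge()
    return ecu.verify(gateway(lock, challenge))


# Gateway behaviours: one honest, three modelling faults or abuse (constructed).
def honest(lock, challenge):
    return lock.answer(challenge)

def fabricates_unlocked(lock, challenge):
    # Faulty gateway reports UNLOCKED without consulting the lock; it has no key.
    return UNLOCKED + bytes(TAG_LEN)

def flips_state_byte(lock, challenge):
    # Forwards the lock's genuine tag but rewrites the state byte.
    return UNLOCKED + lock.answer(challenge)[1:]

def make_replayer(old_response):
    # Answers every challenge with a reply captured during an earlier, legitimate start.
    return lambda lock, challenge: old_response


def demo() -> dict:
    ecu = EngineEcu(SHARED_KEY)
    unlocked_lock = ColumnLock(SHARED_KEY, UNLOCKED)
    locked_lock = ColumnLock(SHARED_KEY, LOCKED)

    # A genuine reply from an earlier start, kept by the gateway for replay.
    captured = unlocked_lock.answer(ecu.make_challenge())
    ecu.verify(captured)   # that earlier start was legitimate and succeeded

    return {
        "honest_unlocked": start_allowed(ecu, unlocked_lock, honest),
        "honest_locked": start_allowed(ecu, locked_lock, honest),
        "gateway_fabricates": start_allowed(ecu, locked_lock, fabricates_unlocked),
        "gateway_flips_state": start_allowed(ecu, locked_lock, flips_state_byte),
        "gateway_replays": start_allowed(ecu, locked_lock, make_replayer(captured)),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:20s} start {'allowed' if allowed else 'refused'}")
```

Only the honest exchange with an unlocked column permits the start. Two points worth noting for anyone implementing this: what the patent calls an encryption code is, functionally, a shared authentication secret, since the second computer needs the reply to be genuine and fresh rather than hidden; and a first computer that drops or corrupts messages causes the verification to fail, which is the safe direction (no start), so the scheme converts a gateway fault into a refusal rather than a false "unlocked".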
The two computers are for example linked together by a bus, for example of CAN type. A serial link may also be envisaged.
The first computer is for example linked to the safety facility by a bus, for example of CAN type. This type of link is commonly used in the automobile field and its implementation is well established.
The process according to the invention can be applied to the case where the safety facility is a steering column lock in an automobile and where the actuator is a starter.