Electronic safety systems are now very widely used in motor vehicles. Suh safety systems may include, for example: blind spot monitoring systems; active cruise control systems; pre-safe braking systems; collision avoidance systems; lane departure prevention systems; and rear-collision mitigation systems.
The complex nature of modern vehicular safety systems places great importance on the performance and reliability of the electronic control systems which are required to provide and manage the safety systems. Such control systems typically include integrated hardware and software in order to host and run so-called Advanced Driver Assistance Systems (ADAS) algorithms.
Such systems are required to satisfy very stringent safety requirements such as the ISO 26262 Functional Safety for Road Vehicles standard, which defines a so-called Automotive Safety Integrity Level (ASIL) risk classification scheme. ASIL-D represents the highest integrity requirements under this standard, and is applicable to safety-related processing tasks.
A requirement of the functional safety standard is that the control system must be capable of identifying safety-relevant errors in its arithmetic, logical and memory units, which is only possible for an ASIL-D electronic control unit if a lockstep processor architecture is used. However, processors with a lockstep architecture of this type have a relatively low processing power which is insufficient to handle modern applications like ADAS with a set of suitable sensors such as Radar, Lidar and/or cameras. It has therefore been proposed to use two microcontrollers, such that a first so-called “safety” microcontroller can handle important safety-related tasks and monitor the operation of a second so-called “performance” microcontroller which has a higher processing power and is thus configured to handle the main processing tasks of the system, under the supervision of the safety microcontroller.
In the type of arrangement described above, the two microcontrollers are required to communicate with one another. The safety microcontroller is usually configured to monitor the performance microcontroller via a high level software flow monitoring approach. In this type of arrangement the safety microcontroller will be able to diagnose problems in the performance microcontroller, providing the communication path between the two microcontrollers is healthy such that the performance microcontroller can communicate with the safety microcontroller. The safety microcontroller may thus be configured to operate as a master microcontroller, and the performance microcontroller may be configured to act as a slave microcontroller. The safety (master) microcontroller thus operates to initiate communication between the two microcontrollers and is generally configured to determine whether or not the communication at any given moment should be in simplex or duplex mode and to clock the transfer of data. As will be appreciated, duplex communication will be necessary when the performance (slave) microcontroller is required to communicate data regarding its state or performance back to the safety (master) microcontroller. Communication between the two microcontrollers is achieved via an Inter-Processor Communication (“IPC”) path. The IPC path can take various different forms, with a Serial Peripheral Interface (“SPI”) bus being common. In terms of bandwidth, it has been found that at least 100 Mbps of IPC speed are required to operate ADAS functions.
However, it has been found that it can be difficult to achieve sufficient bandwidth for the IPC between microprocessors in prior art arrangements. Furthermore, when using a duplex mode to communicate between microcontrollers it is important that the two microcontrollers are closely matched in terms of frequency in order to permit high-speed communication. This requirement can often mean that a system designer's choice of suitable microprocessors becomes limited, such that the designer cannot select microprocessors solely on the basis of other advantageous technical characteristics, meaning that the designer's ability to create an optimised system becomes compromised. For example, a designer might wish to select two microprocessors from different manufacturers, but doing so can make it very difficult to achieve reliable high-speed duplex communication between them.
It is therefore an object of the present invention to provide an improved vehicle safety electronic control system.