Hybrid dual-duplex fail-operational pattern and generalization to arbitrary number of failures

US 10,037,016 B2
Filed: 03/23/2016
Issued: 07/31/2018
Est. Priority Date: 03/23/2016
Status: Active Grant

First Claim

Patent Images

1. A dual-duplex fail-operational control system comprising:

a primary controller controlling features of devices while operating under non-fault operating conditions, the primary controller comprising;

a first processing unit executing a function utilizing an input data from sensing devices to generate a function result;

a second processing unit simultaneously executing the function utilizing the input data from sensing devices to generate a function result;

a first comparative module comparing the function result from the first processing unit with the function result from the second processing unit to determine whether an error is present in the primary controller, wherein the first comparative module generates a matching function result when the function result from the first processing unit substantially matches the function result from the second processing unit;

a second controller comprising;

a first processing unit executing the function utilizing the input data from sensing devices to generate a function result;

a second processing unit operating in a non-redundant state, the second processing unit not executing the function while in the non-redundant state;

a second comparative module determining whether an error is present in the second controller;

wherein the matching function result identified by the first comparative module of the primary controller is input to the second comparative module of the second controller, wherein the second comparative module determines whether an error is present in the second controller utilizing only the matching function result identified by the first comparative module and the function result determined by the first processing unit of the second controller; and

designating the second controller as a reconfigured primary controller to control the features of the devices when an error is detected in the primary controller, wherein the first processing unit and the second processing unit of the second controller are each enabled to respectively execute the function utilizing the input data from the sensing devices to generate a respective function result so that the second comparative module may compare the respective function results to determine whether an error is present in the second controller.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A modified dual-duplex fail-operational control system. A primary controller includes a first processing unit and a second processing unit for executing a function. A first comparative module comparing the function results from the first and second processing unit to determine an error the first controller. A second controller includes a first processing unit and second processing unit. The first processing unit executes the function. The second processing unit operating in a non-redundant state and not executing the function while in the non-redundant state. A second comparative module determines whether an error is present in the second controller. A matching function result identified by the first comparative module of the first controller is input to second comparative module of the second controller to determine whether an error is present in the second controller utilizing only the matching function result identified by the first comparative module and the function result determined by the first processing unit of the second controller.

Citations

20 Claims

1. A dual-duplex fail-operational control system comprising:
- a primary controller controlling features of devices while operating under non-fault operating conditions, the primary controller comprising;
  
  a first processing unit executing a function utilizing an input data from sensing devices to generate a function result;
  
  a second processing unit simultaneously executing the function utilizing the input data from sensing devices to generate a function result;
  
  a first comparative module comparing the function result from the first processing unit with the function result from the second processing unit to determine whether an error is present in the primary controller, wherein the first comparative module generates a matching function result when the function result from the first processing unit substantially matches the function result from the second processing unit;
  
  a second controller comprising;
  
  a first processing unit executing the function utilizing the input data from sensing devices to generate a function result;
  
  a second processing unit operating in a non-redundant state, the second processing unit not executing the function while in the non-redundant state;
  
  a second comparative module determining whether an error is present in the second controller;
  
  wherein the matching function result identified by the first comparative module of the primary controller is input to the second comparative module of the second controller, wherein the second comparative module determines whether an error is present in the second controller utilizing only the matching function result identified by the first comparative module and the function result determined by the first processing unit of the second controller; and
  
  designating the second controller as a reconfigured primary controller to control the features of the devices when an error is detected in the primary controller, wherein the first processing unit and the second processing unit of the second controller are each enabled to respectively execute the function utilizing the input data from the sensing devices to generate a respective function result so that the second comparative module may compare the respective function results to determine whether an error is present in the second controller.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The control system of claim 1 further comprising a communication link coupled between the first comparative module and the second comparative module, wherein the matching function result determined by the first comparative module is communicated from the first comparative module to the second comparative module via the communication link.
  - 3. The control system of claim 1 further comprising:
    - at least a third controller including;
      
      a first processing unit executing a function utilizing the input data from sensing devices to generate a function result;
      
      a second processing unit operating in a non-redundant state, the second processing unit not executing the function while in the non-redundant state;
      
      a third comparative module determining whether an error is present in the at least third controller;
      
      wherein a matching function result identified by a respective comparative module of one of the preceding controllers is input to the third comparative module of the at least third controller, wherein the third comparative module determines whether an error is present in the at least third controller utilizing only the matching function result identified by the respective comparative module of one of the preceding controllers and the function result determined by the first processing unit of the at least third controller.
  - 4. The control system of claim 3 wherein an error detected in the primary controller results in the primary controller failing fail-silent, and wherein the second controller is designated as a reconfigured primary controller, wherein the first processing unit and the second processing unit of the second controller are active to execute the function to determine whether the error is present in the second controller via the second comparative module.
  - 5. The control system of claim 4 wherein the second comparative module determines whether an error is present the second controller designated as the reconfigured primary controller based on the function results from the first processing unit and the second processing unit of the second controller, wherein the matching function result identified by the second comparative module is provided to the third comparative module, wherein the third comparative module utilizes the matching function result from the second comparative module in cooperation with the function result from the first processing unit of the at least third controller to determine whether an error is present in the at least third controller.
  - 6. The control system of claim 5 wherein an error in the second controller results in the second controller failing fail-silent, and wherein the third comparative module utilizes the matching function result from the first comparative module in cooperation with the function result from the first processing unit of the third controller to determine an error in the third controller.
  - 7. The control system of claim 3 wherein each respective controller includes a dual-core processor, wherein each dual-core processor includes a respective first core and a respective second core.
  - 8. The control system of claim 3 wherein each controller includes two single-core processors, wherein each respective core in each controller is a single-core processor.
  - 9. The control system of claim 3 further comprising a communication link coupled between the second comparative module and the third comparative module, wherein the matching function result determined by the second comparative module is communicated from the second comparative module to the third comparative module via the communication link.
  - 10. The control system of claim 1 wherein a number of controllers utilized in the control system is determined by a number of failures the control system is designed to tolerate, wherein the number of controllers is one greater than the number of failures the control system is designed to tolerate.

11. A method of minimizing software backups in a dual-duplex pattern approach, the method comprising the steps of:
- executing a function simultaneously in a first processing unit and a second processing unit of a primary controller utilizing an input data from sensing devices, the primary controller controlling features of devices while operating under non-fault operating conditions;
  
  comparing, by a comparative module of the primary controller, a function result from the first processing unit with a function result from the second processing unit to determine whether an error is present in the primary controller;
  
  executing the function in a first processing unit of a second controller utilizing the input data from sensing devices, wherein a second processing unit of the second controller operates in a non-redundant state, the second processing unit not executing the function while in the non-redundant state;
  
  inputting a matching function result identified by the first comparative module to a second comparative module in the second controller;
  
  comparing, by the comparative module of the second controller, the function result from the first processing unit of the second controller with the matching function result from the first comparative module; and
  
  determining, by the second comparative module, whether an error is present in the second controller utilizing only the matching function result identified by the first comparative module and the function result determined by the first processing unit of the second controller; and
  
  designating the second controller as a reconfigured primary controller to control the features of the devices when an error is detected in the primary controller, wherein the first processing unit and the second processing unit of the second controller are each enabled to respectively execute the function utilizing the input data from the sensing devices to generate a respective function result so that the second comparative module may compare the respective function results to determine whether an error is present in the second controller.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The method of claim 11 further comprising the steps of:
    - detecting a fault in the primary controller; and
      
      enabling fail-silent operation of the primary controller.
  - 13. The method of claim 11 further comprising:
    - providing at least a third controller;
      
      executing the function, by a first processing unit of the at least third controller, utilizing the input data from the sensing devices, with a second processing unit of the at least third controller operating in a non-redundant state, the second processing unit of the at least third controller not executing the function while in the non-redundant state;
      
      inputting a matching function result from the second comparative module to a third comparative module in the at least third controller;
      
      comparing, by the third comparative module, a function result determined by the first processing unit of the at least third controller with the matching function result from the second comparative module;
      
      determining, by the third comparative module, whether an error is present in the at least third controller utilizing only the matching function result identified by the second comparative module and the function result determined by the first processing unit of the at least third controller.
  - 14. The method of claim 13 further comprising the steps of:
    - detecting a fault in the primary controller; and
      
      failing the primary controller as fail-silent in response to detecting the fault in the primary controller.
  - 15. The method of claim 14 further comprising the steps of:
    - determining, by the second comparative module, whether the error ispresent in the second controller based on the function result from the first processing unit and the second processing unit of the second controller when designated as the reconfigured primary controller;
      
      providing to the third comparative module, a matching function result from the second comparative module when the second controller is designated as the reconfigured primary controller;
      
      comparing, by the third comparative module, the matching function result from the second comparative module designated as the reconfigured primary module with the function result from the first processing unit of the at least third controller to determine whether an error is present in the at least third controller.
  - 16. The method of claim 15 wherein each respective controller includes a dual-core processor, wherein each dual-core processor utilizes a respective first core and a respective second core.
  - 17. The method of claim 15 wherein each controller includes two single-core processors, wherein each respective core in each controller is a single-core processor, and wherein each single core processor executes the function independently utilizing the input data from sensing devices.
  - 18. The method of claim 11 wherein determining a number of controllers to utilize in the control system is determined by a number of failures the control system is designed to tolerate, wherein the number of controllers is one greater than the number of failures the control system is designed to tolerate.

19. A dual-duplex fail-operational control system comprising:
- a primary controller including a first processing unit and a second processing unit, the first processing unit and the second processing unit operable to simultaneously execute a function utilizing an input data from sensing devices to generate a respective function result, wherein the primary controller further includes a first comparative module operable to compare the respective function result from the first and second processing units to determine an error in the primary controller;
  
  a second controller including a first processing unit and second processing unit, the first processing unit operable to execute the function, the second processing unit operable to operate in a non-redundant state and not execute the function while in the non-redundant state, wherein the primary controller further includes a second comparative module operable to determine whether an error is present in the second controller;
  
  wherein a matching function result identified by the first comparative module of the primary controller is input to the second comparative module of the second controller to determine whether an error is present in the second controller utilizing only the matching function result identified by the first comparative module and the function result determined by the first processing unit of the second controller; and
  
  designating the second controller as a reconfigured primary controller to control the features of the devices when an error is detected in the primary controller, wherein the first processing unit and the second processing unit of the second controller are each enabled to respectively execute the function utilizing the input data from the sensing devices to generate a respective function result so that the second comparative module may compare the respective function results to determine whether an error is present in the second controller.
- View Dependent Claims (20)
- - 20. The control system of claim 19 further comprising:
    - at least a third controller including a first processing unit and a second processing unit, the first processing unit of the at least third controller operable to execute the function, the second processing unit of the at least third controller operable to operate in a non-redundant state and not execute the function while in the non-redundant state, wherein the at least third controller further includes a third comparative module operable to determine whether an error is present in the at least third controller;
      
      wherein a matching function result identified by the second comparative module of the second controller is input to the third comparative module of the at least third controller to determine whether an error is present in the third controller utilizing only the matching function result identified by the second comparative module and the function result determined by the first processing unit of the third controller.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
GM Global Technology Operations LLC (General Motors Company)
Original Assignee
GM Global Technology Operations LLC (General Motors Company)
Inventors
Samii, Soheil, Jochim, Markus, Fuhrman, Thomas E., Osella, Massimo
Primary Examiner(s)
Cao, Chun

Application Number

US15/078,248
Publication Number

US 20170277153A1
Time in Patent Office

860 Days
Field of Search

714 63, 714 11, 714 37, 714 471, 700 3, 700 20
US Class Current
CPC Class Codes

G05B 19/0425   Safety, monitoring

G05B 2219/24033   Failure, fault detection an...

G05B 2219/25022   LAN local area network for ...

G05B 9/03   with multiple-channel loop,...

Hybrid dual-duplex fail-operational pattern and generalization to arbitrary number of failures

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Hybrid dual-duplex fail-operational pattern and generalization to arbitrary number of failures

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links