Fail-operational system design pattern based on software code migration

US 10,324,636 B2
Filed: 08/25/2016
Issued: 06/18/2019
Est. Priority Date: 08/25/2016
Status: Active Grant

First Claim

Patent Images

1. A fail-operational control system comprising:

a primary controller including a non-volatile memory and a central processing unit operable to execute a first software code stored in the non-volatile memory of the primary controller to control operation of a respective first system, wherein the first software code stored in the non-volatile memory of the primary controller includes non-critical software and fail-operational software code executed by the central processing unit of the primary controller during non-failed and failed states; and

a migrating controller including a non-volatile memory, a random access memory, and a central processing unit, the migrating controller including a second software code, distinct from the first software code, stored in the non-volatile memory of the migrating controller, wherein the second software code stored in the non-volatile memory of the migrating controller and executed by the central processing unit of the migrating controller is dedicated to controlling operation of a respective second system, distinct from the first system controlled by the primary controller, the respective second system being not under the control of the primary controller;

wherein the primary controller is operable, in response to an enablement of a system operation of the respective first system controlled by the primary controller that requires a backup controller during execution of the system operation, to transfer the fail-operational software code stored in the non-volatile memory of the primary controller to the random access memory of the migrating controller, andwherein the migrating controller is operable, in response to a failure occurring in the primary controller, to temporarily function as the backup controller and execute the transferred fail-operational software code during the execution of the system operation in the primary controller.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A fail-operational control system includes a migrating controller having a non-volatile memory, a RAM, and a CPU. The migrating controller includes software code stored in the non-volatile memory of the migrating controller. The software code stored in the non-volatile memory of the migrating controller executed by the CPU of the migrating controller is dedicated to a respective system. The respective system is not under the control of a primary controller from another system. In response to an enablement of a system operation of the primary controller of another system that requires a backup controller during execution of the system operation, fail-operational software code stored in the non-volatile memory of the primary controller of the other system is transferred to the RAM of the migrating controller. The migrating controller temporarily functions as a backup controller during the execution of the system operation in the primary controller of the other system.

Citations

22 Claims

1. A fail-operational control system comprising:
- a primary controller including a non-volatile memory and a central processing unit operable to execute a first software code stored in the non-volatile memory of the primary controller to control operation of a respective first system, wherein the first software code stored in the non-volatile memory of the primary controller includes non-critical software and fail-operational software code executed by the central processing unit of the primary controller during non-failed and failed states; and
  
  a migrating controller including a non-volatile memory, a random access memory, and a central processing unit, the migrating controller including a second software code, distinct from the first software code, stored in the non-volatile memory of the migrating controller, wherein the second software code stored in the non-volatile memory of the migrating controller and executed by the central processing unit of the migrating controller is dedicated to controlling operation of a respective second system, distinct from the first system controlled by the primary controller, the respective second system being not under the control of the primary controller;
  
  wherein the primary controller is operable, in response to an enablement of a system operation of the respective first system controlled by the primary controller that requires a backup controller during execution of the system operation, to transfer the fail-operational software code stored in the non-volatile memory of the primary controller to the random access memory of the migrating controller, andwherein the migrating controller is operable, in response to a failure occurring in the primary controller, to temporarily function as the backup controller and execute the transferred fail-operational software code during the execution of the system operation in the primary controller.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The fail-operational control system of claim 1 further comprising a communication network, wherein the fail-operational software code stored in the non-volatile memory of the primary controller is transferred to the random access memory of the migrating controller via the communication network.
  - 3. The fail-operational control system of claim 1 wherein the fail-operational software code is transferred from the non-volatile memory of the primary controller to the random access memory of the migrating controller when the system operation in the primary controller is enabled.
  - 4. The fail-operational control system of claim 1 wherein the migrating controller is further configured to remove the fail-operational software code from the random access memory upon disablement of the system operation of the respective first system.
  - 5. The fail-operational control system of claim 1 wherein, in response to the failure in the primary controller, the migrating controller functions to execute both the transferred fail-operational software code stored in the random access memory and the second software code stored in the non-volatile memory of the migrating controller.
  - 6. The fail-operational control system of claim 1 further comprising a plurality of system controllers each operable to control a respective system, wherein the migrating controller is selected from the plurality of system controllers.
  - 7. The fail-operational control system of claim 6 wherein the migrating controller is selected based on whether the migrating controller is currently executing the second software code for controlling operation of the respective second system.
  - 8. The fail-operational control system of claim 6 wherein the migrating controller is selected based on whether the second software code stored in the non-volatile memory of the migrating controller is related to the fail-operational software code of the primary controller.
  - 9. The fail-operational control system of claim 1 wherein the fail-operational software code includes operations performed autonomously by the respective first system.
  - 10. The fail-operational control system of claim 1 wherein the fail-operational software code includes operations performed semi-autonomously by the respective first system.
  - 11. The fail-operational control system of claim 1 wherein the fail-operational software code is applied for safety-critical systems.
  - 12. The fail-operational control system of claim 1 wherein the fail-operational software code includes instructions for controlling operation of an adaptive cruise control system of a vehicle.
  - 13. The fail-operational control system of claim 1 wherein the fail-operational software code includes instructions for controlling operation of an autonomous parking system of a vehicle.
  - 14. The fail-operational control system of claim 1 wherein the fail-operational software code includes instructions for controlling operation of a lane centering system of a vehicle.
  - 15. The fail-operational control system of claim 1 wherein the fail-operational software code includes instructions for controlling operation of a collision avoidance system of a vehicle.
  - 16. The fail-operational control system of claim 1 wherein the migrating controller executes a select portion of the second software code stored in the non-volatile memory of the migrating controller and the fail-operational software code transferred from the primary controller and stored in the random access memory in response to the failure occurring in the primary controller.
  - 17. The fail-operational control system of claim 16 wherein the migrating controller executes at least a portion of the second software code stored in the non-volatile memory of the migrating controller relating to the respective second system while concurrently executing the transferred fail-operational software code stored in the random access memory in response to the detected failure.
  - 18. The fail-operational control system of claim 16 wherein the migrating controller is further operable to stop executing the second software code stored in the non-volatile memory of the migrating controller relating to the respective second system while executing the transferred fail-operational software code stored in the random access memory in response to the detected failure.

19. A fail-operational control system for a motor vehicle, the motor vehicle including a primary controller with a non-volatile memory and a central processing unit operable to execute a first software code stored in the non-volatile memory to control operation of a respective first system, the fail-operational control system comprising:
- a migrating controller including a non-volatile memory, a random access memory, and a central processing unit, the migrating controller including a second software code, distinct from the first software code, stored in the non-volatile memory of the migrating controller, wherein the second software code stored in the non-volatile memory of the migrating controller and executed by the central processing unit of the migrating controller is dedicated to controlling operation of a respective second system, distinct from the first system controlled by the primary controller, the respective second system being not under the control of the primary controller;
  
  wherein, in response to an enablement of a system operation of the respective first system controlled by the primary controller that requires a backup controller during execution of the system operation, fail-operational software code stored in the non-volatile memory of the primary controller is transferred by the primary controller to the random access memory of the migrating controller, andwherein the migrating controller is operable, in response to a failure occurring in the primary controller, to temporarily function as the backup controller and execute the transferred fail-operational software code during the execution of the system operation in the primary controller.
- View Dependent Claims (20, 21)
- - 20. The fail-operational control system of claim 19 wherein the fail-operational software code is transferred from the non-volatile memory of the primary controller to the random access memory of the migrating controller when the system operation in the primary controller is enabled.
  - 21. The fail-operational control system of claim 19 wherein the migrating controller is further configured to remove the fail-operational software code from the random access memory upon disablement of the system operation of the respective first system.

22. A method of operating a fail-operational control system, the method comprising the steps of:
- detecting if a failure has occurred in a primary controller with a non-volatile memory (NVM) and a central processing unit (CPU), the CPU being operable to execute a first software code stored in the NVM of the primary controller to control operation of a respective first system, the first software code including non-critical software and fail-operational software code executed by the CPU of the primary controller during non-failed and failed states;
  
  selecting a migrating controller with a NVM, a random access memory (RAM), and a CPU, the migrating controller including a second software code, distinct from the first software code, stored in the NVM of the migrating controller, the second software code being executed by the CPU of the migrating controller to control operation of a respective second system, distinct from the first system and not controlled by the primary controller;
  
  transferring the fail-operational software code, from the NVM of the primary controller to the RAM of the migrating controller, responsive to the detected during a failure of the primary controller from another system, the migrating controller not under the control of the primary controller;
  
  enabling a system operation of the respective first system controlled by the primary controller requiring a backup controller during execution of the system operation in the primary controller;
  
  detecting a fault in the primary controller; and
  
  executing the fail-operational software code in the random access memory of the migrating controller in response to the detecting the fault in the primary controller.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
GM Global Technology Operations LLC (General Motors Company)
Original Assignee
GM Global Technology Operations LLC (General Motors Company)
Inventors
Samii, Soheil
Primary Examiner(s)
Alsip, Michael

Application Number

US15/246,793
Publication Number

US 20180059963A1
Time in Patent Office

1,027 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/07   Responding to the occurrenc...

G06F 11/16   Error detection or correcti...

G06F 11/203   using migration

G06F 11/2035   without idle spare hardware

G06F 2201/845   Systems in which the redund...

G06F 3/0619   in relation to data integri...

G06F 3/0647   Migration mechanisms

G06F 3/065   Replication mechanisms

G06F 3/0688   Non-volatile semiconductor ...

Fail-operational system design pattern based on software code migration

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Fail-operational system design pattern based on software code migration

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links