Secured microcontroller architecture

US 20020077782A1
Filed: 02/14/2002
Published: 06/20/2002
Est. Priority Date: 05/10/1999
Status: Active Grant

First Claim

Patent Images

11. A method for detecting a fault in a controller, the controller including a primary processing unit, a secondary processing unit coupled to the primary processing unit, and a common memory coupled to the secondary and primary processing units, including the steps of:

reading a control algorithm stored in the common memory by the primary processing unit;

reading the control algorithm stored in the common memory by the secondary processing unit;

comparing a primary output of the primary processing unit and a secondary output of the secondary processing unit and responsively detecting a fault.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A microcontroller unit (MCU) having a primary, or main, processing unit, a secondary processing unit coupled to the primary processing unit, and a common memory coupled to the primary and secondary processing units is disclosed. A functional compare module is coupled to the primary processing unit and the secondary processing unit for comparing a primary output of the primary processing unit and a secondary output of the secondary processing units to detect a fault if the primary output and the secondary output are not the same. The invention provides a method for detecting a fault in the MCU including the steps of reading a control algorithm stored in the common memory by the primary processing unit, reading the control algorithm stored in the common memory by the secondary processing unit, comparing the primary output and the secondary output and responsively detecting a fault, if the primary output does not match the second output.

Citations

58 Claims

11. A method for detecting a fault in a controller, the controller including a primary processing unit, a secondary processing unit coupled to the primary processing unit, and a common memory coupled to the secondary and primary processing units, including the steps of:
- reading a control algorithm stored in the common memory by the primary processing unit;
  
  reading the control algorithm stored in the common memory by the secondary processing unit;
  
  comparing a primary output of the primary processing unit and a secondary output of the secondary processing unit and responsively detecting a fault.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. A method, as set forth in claim 11, wherein the primary output and the secondary output are data.
  - 13. A method, as set forth in claim 11, wherein the primary output and the secondary output are control signals.
  - 14. A method, as set forth in claim 11, including the step of performing diagnostics upon startup of the controller.
  - 15. A method, as set forth in claim 11, wherein the controller includes at least one peripheral module coupled to the primary processing unit, the method including the step of detecting faults within the peripheral module using a built in self test circuit coupled to the primary processing unit.
  - 16. A method, as set forth in claim 11, wherein the controller includes at least one bus, wherein the common memory, primary and secondary processing units, and functional compare module are coupled to the at least one bus, and including the steps of:
    - reading signals on the at least one bus;
      
      generating a signature of the signals;
      
      comparing the generated signature with a reference signal; and
      
      , detecting a fault if the signals are not the same.
  - 17. A method, as set forth in claim 16, wherein the at least one bus includes an address bus, a data bus, and a control bus.
  - 18. A method, as set forth in claim 11, wherein the primary processing unit is coupled to a system for control of the system, the method including the step of controlling the system by the secondary processing unit if a fault is detected in the primary processing unit.
  - 19. A method, as set forth in claim 18, wherein the secondary processing unit is coupled to a second system for control of the second system.

20. An apparatus for controlling a first system of a motor vehicle, comprising:
- a primary processing unit for performing a first set of functions with respect to the first system;
  
  a secondary processing unit coupled to the primary processing unit;
  
  a common memory coupled to the primary and secondary processing units, the common memory containing a control algorithm, wherein the primary and secondary processing units are adapted to run the control algorithm; and
  
  , a functional compare module coupled to the primary processing unit and the secondary processing unit for comparing a primary output of the primary processing unit and a secondary output of the secondary processing units after the control algorithm has been run by the primary and secondary processing units.
- View Dependent Claims (1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 46, 47, 48, 49, 50, 52)
- - 1. A controller, comprising:
    - a primary processing unit;
      
      a secondary processing unit coupled to the primary processing unit;
      
      a common memory coupled to the primary and secondary processing units, the common memory containing a control algorithm, wherein the primary and secondary processing units are adapted to run the control algorithm; and
      
      , a functional compare module coupled to the primary processing unit and the secondary processing unit for comparing a primary output of the primary processing unit and a secondary output of the secondary processing units after the control algorithm has been run by the primary and secondary processing units.
  - 2. A controller, as set forth in claim 1, wherein the functional compare module is adapted to detect a fault if the primary output and the secondary output are not the same.
  - 3. A controller, as set forth in claim 1, wherein the primary output and the secondary output are data.
  - 4. A controller, as set forth in claim 1, wherein the primary output and the secondary output are control signals.
  - 5. A controller, as set forth in claim 1, wherein the functional compare module is adapted to perform diagnostics upon startup of the controller.
  - 6. A controller, as set forth in claim 1, including at least one peripheral module coupled to the primary processing unit, wherein the at least one peripheral nodule includes a built in self test circuit for detecting faults within the peripheral module, the built in self test circuit being coupled to the primary processing unit.
  - 7. A controller, as set forth in claim 1, including at least one bus, wherein the common memory, primary and secondary processing units, and functional compare module are coupled to the at least one bus, wherein the functional compare module is adapted to read signals on the at least one bus, generate a signature of the signals, compare the generated signature with a reference signal and detect a fault if the signals are not the same.
  - 8. A controller, as set forth in claim 7, wherein the at least one bus includes an address bus, a data bus, and a control bus.
  - 9. A controller, as set forth in claim 1, wherein the primary processing unit is coupled to a system for control of the system, and wherein the secondary processing unit is adapted to control the system if a fault is detected in the primary processing unit.
  - 10. A controller, as set forth in claim 9, wherein the secondary processing unit is coupled to a second system for control of the second system.
  - 21. An apparatus, as set forth in claim 20, wherein the first system is a brake system.
  - 22. An apparatus, as set forth in claim 20, wherein the first system is a steering system.
  - 23. An apparatus, as set forth in claim 22, wherein the steering system is a steer by wire system.
  - 24. An apparatus, as set forth in claim 20, wherein the first system is an engine control system.
  - 25. An apparatus, as set forth in claim 20, wherein the functional compare module is adapted to detect a fault if the primary output and the secondary output are not the same.
  - 26. An apparatus, as set forth in claim 20, wherein the primary output and the secondary output are data.
  - 27. An apparatus, as set forth in claim 20, wherein the primary output and the secondary output are control signals.
  - 28. An apparatus, as set forth in claim 20, wherein the functional compare module is adapted to perform diagnostics upon startup of the apparatus.
  - 29. An apparatus, as set forth in claim 20, including at least one peripheral module coupled to the primary processing unit, wherein the at least one peripheral nodule includes a built in self test circuit for detecting faults within the peripheral module, the built in self test circuit being coupled to the primary processing unit.
  - 30. An apparatus, as set forth in claim 20, including at least one bus, wherein the common memory, primary and secondary processing units, and functional compare module are coupled to the at least one bus, wherein the functional compare module is adapted to read signals on the at least one bus, generate a signature of the signals, compare the generated signature with a reference signal and detect a fault if the signals are not the same.
  - 31. An apparatus, as set forth in claim 30, wherein the at least one bus includes an address bus, a data bus, and a control bus.
  - 32. An apparatus, as set forth in claim 20, wherein the secondary processing unit is adapted to control the first system if a fault is detected in the primary processing unit.
  - 33. An apparatus, as set forth in claim 32, wherein the secondary processing unit is coupled to a second system for control of the second system.
  - 35. A method, as set forth in claim 34, wherein the first system is a brake system.
  - 36. A method, as set forth in claim 34, wherein the first system is a steering system.
  - 37. A method, as set forth in claim 35, wherein the steering system is a steer by wire system.
  - 38. A method, as set forth in claim 34, wherein the primary output and the secondary output are control signals.
  - 39. A method, as set forth in claim 34, including the step of performing diagnostics upon startup of the controller.
  - 40. A method, as set forth in claim 34, wherein the controller includes at least one peripheral module coupled to the primary processing unit, the method including the step of detecting faults within the peripheral module using a built in self test circuit coupled to the primary processing unit.
  - 41. A method, as set forth in claim 34, wherein the controller includes at least one bus, wherein the common memory, primary and secondary processing units, and functional compare module are coupled to the at least one bus, and including the steps of:
    - reading signals on the at least one bus;
      
      generating a signature of the signals;
      
      comparing the generated signature with a reference signal; and
      
      , detecting a fault if the signals are not the same.
  - 42. A method, as set forth in claim 41, wherein the at least one bus includes an address bus, a data bus, and a control bus.
  - 43. A method, as set forth in claim 34, wherein the primary processing unit is coupled to a system for control of the system, the method including the step of controlling the system by the secondary processing unit if a fault is detected in the primary processing unit.
  - 44. A method, as set forth in claim 43, wherein the secondary processing unit is coupled to a second system for control of the second system.
  - 46. A controller, as set forth in claim 45, wherein the first system is a brake system.
  - 47. A controller, as set forth in claim 45, wherein the first system is a steering system.
  - 48. A controller, as set forth in claim 46, wherein the steering system is a steer by wire system.
  - 49. A controller, as set forth in claim 45, wherein the first system is an engine control system.
  - 50. A controller, as set forth in claim 45, wherein the secondary processing unit is adapted to perform a second set of functions, and wherein the primary processing unit is adapted to perform a set of secondary test functions, and wherein the functional compare module is adapted to detect a fault in the secondary processing unit, wherein the primary processing unit is adapted to perform the second set of functions upon detection of a fault in the secondary processing unit.
  - 52. A method, as set forth in claim 51, wherein the first system is a brake system.

34. A method for detecting a fault in a controller for use in a motor vehicle, the controller including a primary processing unit, a secondary processing unit coupled to the primary processing unit, and a common memory coupled to the secondary and primary processing units, including the steps of:
- reading a control algorithm stored in the common memory by the primary processing unit;
  
  reading the control algorithm stored in the common memory source by the secondary processing unit;
  
  comparing a primary output of the primary processing unit and a secondary output of the secondary processing unit and responsively detecting a fault.

36-1. A method, as set forth in claim 34, wherein the first system is an engine control system.

37-2. A method, as set forth in claim 34, wherein the primary output and the secondary output are data.

45. A controller for a motor vehicle, comprising:
- a primary processing unit coupled to the motor vehicle and adapted to perform a first set of functions;
  
  a secondary processing unit coupled to the motor vehicle and to the primary processing unit and adapted to perform a set of primary test functions;
  
  a common memory coupled to the primary and secondary processing units, the common memory containing a control algorithm, wherein the primary processing unit is adapted to run the control algorithm; and
  
  , a functional compare module coupled to the primary processing unit and the secondary processing unit for comparing a primary output of the primary processing unit after the control algorithm has been run and a test output of the secondary processing units and to responsively detect a fault in the primary processing unit, wherein the secondary processing unit is adapted to perform the first set of functions upon detection of a fault in the primary processing unit.

51. A method for detecting a fault in a controller for use in a motor vehicle, the controller including a primary processing unit coupled to the motor vehicle and adapted to perform a first set of functions and a common memory coupled to the primary and secondary processing units, the common memory containing a control algorithm, wherein the primary processing unit is adapted to run the control algorithm, wherein the method includes the steps of:
- performing a set of primary test functions by the secondary processing unit;
  
  comparing a primary output of the primary processing unit after the control algorithm has been run and a test output of the secondary processing units;
  
  responsively detecting a fault in the primary processing unit; and
  
  , performing the first set of functions by the secondary processing unit upon detection of a fault in the primary processing unit.
- View Dependent Claims (53, 54, 55, 56)
- - 53. A method, as set forth in claim 51, wherein the first system is a steering system.
  - 54. A system, as set forth in claim 53, wherein the steering system is a steer by wire system.
  - 55. A system, as set forth in claim 51, wherein the first system is an engine control system.
  - 56. A system, as set forth in claim 51, including the steps of:
    - performing a second set of functions by the secondary processing unit;
      
      performing a set of secondary test functions by the primary processing unit; and
      
      , wherein the secondary processing unit is adapted to perform a set of secondary test functions, and responsively detecting a fault in the secondary processing unit; and
      
      , performing the second set of functions by the primary processing unit upon detection of a fault in the secondary processing unit.

57. A controller for controlling a system, comprising:
- a processing unit;
  
  a common memory coupled to the primary processing unit, the common memory containing a control algorithm, wherein the primary processing unit is adapted to run the control algorithm and to store data on the common memory during runtime of the control algorithm, wherein the controller is adapted to store a set of data values on the memory and a first signature of the data values determined in real-time and to subsequently retrieve the data, determine a second signature of the data values, compare the first and second signatures, and to detect a fault of the common memory in response to the first and second signatures being different.

58. A method for detecting a fault within a controller, the controller being adapted to control a system, and including a processing unit and a common memory coupled to the primary processing unit, the common memory containing a control algorithm, wherein the primary processing unit is adapted to run the control algorithm and to store data on the common memory during runtime of the control algorithm, wherein the method includes the steps of:
- storing a set of data values on the memory;
  
  determining a first signature of the data values in real-time and storing the first signature on the common memory; and
  
  , subsequently retrieving the data and determining a second signature of the data values; and
  
  , comparing the first and second signatures and detecting a fault of the common memory in response to the first and second signatures being different.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Samsung Electronics Co. Ltd.
Original Assignee
Delphi Technologies, Inc. (BorgWarner Incorporated)
Inventors
Fruehling, Terry L., Helm, Troy L.

Granted Patent

US 6,981,176 B2
Time in Patent Office

Days
Field of Search
US Class Current

702/185
CPC Class Codes

G06F 11/1008   in individual solid state d...

G06F 11/1641   where the comparison is not...

G06F 11/1654   where the output of only on...

Secured microcontroller architecture

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

58 Claims

Specification

Solutions

Use Cases

Quick Links

Secured microcontroller architecture

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

58 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links