Method for operating a distributed safety-relevant system
Abstract
A method of operating a distributed safety-related system, i.e., an X-by-wire system in a motor vehicle, is described. The distributed system includes at least one first process computer (Pro_1) for triggering a component (Akt_1) of the system and at least one additional process computer (Pro_m). The process computers (Pro_1, Pro_m) are each connected to a communication system (K_1) via a communications controller (S_1, S_m). The functionality of the at least one first process computer (Pro_1) is checked by the at least one additional process computer (Pro_m). This method is also referred to as a distributed monitoring concept. A mechanism for secured shutdown of at least one faulty first process computer (Pro_1) by at least one of the additional process computers (Pro_m) is provided, by which a communication protocol of the communication system (K_1) is supplemented for implementation of the distributed monitoring concept.
14 Claims
1. A method for operating a distributed safety-related system, in particular an X-by-wire system in a motor vehicle, comprising at least one first process computer (Pro_1) for triggering a component (Akt_1) of the system and at least one additional process computer (Pro_m), the process computers (Pro_1, Pro_m) each being connected via a communications controller (S_1, S_m) to a communication system (K_1) and the functionality of the at least one first process computer (Pro_1) being checked by the at least one additional process computer (Pro_m), characterized by the following steps:
at least one of the additional process computers (Pro_m) which has determined a fault in at least one of the first process computers (Pro_1), relays a triggering message (Ab_m) via the communication system (K_1) for triggering the faulty first process computer (Pro_1) or the component (Akt_1) triggered by it;
a check is performed to determine whether the sender of the triggering message (Ab_m) is authorized to trigger the faulty first process computer (Pro_1);
a check is performed to determine whether the sender of the triggering message (Ab_m) is connected to the communication system (K_1) and is actively involved in communication via the communication system (K_1);
a decision is made according to a preselectable decision-making algorithm as to how the faulty first process computer (Pro_1) and/or the component (Akt_1) are to be triggered as a function of the content of triggering messages (Ab_m) of those senders that are authorized to trigger the faulty first process computer (Pro_1) and are connected to the communication system (K_1) and are actively involved in communication via the communication system (K_1); and
the faulty first process computer (Pro_1) and/or the component (Akt_1) are triggered accordingly.
8. A distributed safety-related system, in particular an X-by-wire system in a motor vehicle, comprising at least one first process computer (Pro_1) for triggering a component (Akt_1) of the system and at least one additional process computer (Pro_m), the process computers (Pro_1, Pro_m) each being connected via a communications controller (S_1, S_m) to a communication system (K_1), and monitoring of the functionality of the at least one first process computer (Pro_1) being performed by the at least one additional process computer (Pro_m), wherein
at least one of the additional process computers (Pro_m) has means for determining a fault in at least one of the first process computers (Pro_1) and means for relaying a triggering message (Ab_m) for triggering the faulty first process computer (Pro_1) and/or the component (Akt_1) triggered by it via the communication system (K_1) if the at least one faulty first process computer (Pro_1) has a fault;
information is made available to the communications controller (S_1) of the faulty first process computer (Pro_1) regarding whether the sender of the triggering message (Ab_m) is authorized to trigger the faulty first process computer (Pro_1);
information is made available to the communications controller (S_1) of the faulty first process computer (Pro_1) regarding whether the sender of the triggering message (Ab_m) is connected to the communication system (K_1) and is actively involved in communication via the communication system (K_1);
the communications controller (S_1) of the faulty first process computer (Pro_1) has means for deciding according to a preselectable decision-making algorithm how the faulty first process computer (Pro_1) and/or the component (Akt_1) are to be triggered as a function of the content of triggering messages (Ab_m) of those senders that are authorized to trigger the faulty first process computer (Pro_1) and are connected to the communication system (K_1) and are actively involved in communication via the communication system (K_1); and
the communications controller (S_1) of the faulty first process computer (Pro_1) has means for triggering the faulty first process computer (Pro_1) and/or the component (Akt_1) accordingly.
11. A communications controller (S_1) for connecting at least one first process computer (Pro_1) and at least one additional process computer (Pro_m) to a communication system (K_1) of a distributed safety-related system, in particular an X-by-wire system in a motor vehicle, the at least one first process computer (Pro_1) being used for triggering a component (Akt_1) of the distributed system and a communication protocol running on the communications controller (S_1) for implementing a data transfer between the process computers (Pro_1, Pro_m) and the communication system (K_1), wherein the communication protocol is supplemented by mechanisms which make it possible for the communications controller (S_1)
to check whether one of the additional process computers (Pro_m) which relays a triggering message (Ab_m) for triggering at least one faulty first process computer (Pro_1) and/or the component (Akt_1) triggered by it via the communication system (K_1) is connected to the communication system (K_1) and is actively involved in communication via the communication system (K_1);
to check whether the sender of the triggering message (Ab_m) is authorized to trigger the faulty first process computer (Pro_1);
to decide according to a preselectable decision-making algorithm how the first process computer (Pro_1) and/or the component (Akt_1) are to be triggered as a function of the content of triggering messages (Ab_m) of those senders that are authorized to trigger the faulty first process computer (Pro_1) and are connected to the communication system (K_1) and are actively involved in communication via the communication system (K_1); and
to trigger the first process computer (Pro_1) and/or the component (Akt_1) accordingly.
13. A communication protocol for a communication system (K_1) of a distributed safety-related system, in particular an X-by-wire system in a motor vehicle, the distributed system including at least one first process computer (Pro_1) for triggering a component (Akt_1) of the distributed system and at least one additional process computer (Pro_m), and the process computers (Pro_1, Pro_m) each being connected to the communication system (K_1) via a communications controller (S_1, S_m), the communication protocol for implementing a data transfer between the process computers (Pro_1, Pro_m) and the communication system (K_1) running on the communications controllers (S_1, S_m), wherein the communication protocol is supplemented by a mechanism:
to check whether one of the additional process computers (Pro_m), which relays a triggering message (Ab_m) for triggering at least one faulty first process computer (Pro_1) and/or the component (Akt_1) triggered by it via the communication system (K_1), is connected to the communication system (K_1) and is actively involved in communication via the communication system (K_1);
to check whether the sender of the triggering message (Ab_m) is authorized to trigger the faulty first process computer (Pro_1);
to decide according to a preselectable decision-making algorithm how the first process computer (Pro_1) and/or the component (Akt_1) are to be triggered as a function of the content of triggering messages (Ab_m) of those senders that are authorized to trigger the faulty first process computer (Pro_1) and are connected to the communication system (K_1) and are actively involved in communication via the communication system (K_1); and
to trigger the first process computer (Pro_1) and/or the component (Akt_1) accordingly.
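As an added illustration (not code from the patent or its assignee), the following Python model walks through the four steps that claims 1, 8, 11 and 13 assign to the communications controller (S_1) of the faulty first process computer: each incoming triggering message (Ab_m) is kept only if its sender is authorized to trigger Pro_1 and is an active participant on K_1, the surviving messages are fed to a preselectable decision algorithm, and the result is what gets applied to Pro_1/Akt_1. The authorization table, the membership view (standing in for "connected and actively involved in communication"), the quorum-based majority rule, and all sample messages are constructed assumptions; the claims deliberately leave the decision algorithm open.

```python
"""Added illustration of the triggering-message handling that claims 1, 8, 11 and
13 place in the communications controller (S_1).  Not the patent's own code; the
authorization table, membership view, quorum rule and messages are constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class TriggeringMessage:
    """Ab_m: sent by an additional process computer that has detected a fault."""
    sender: str   # e.g. "Pro_2"
    target: str   # the first process computer to be triggered, e.g. "Pro_1"
    action: str   # requested triggering of Pro_1 / Akt_1, e.g. "shutdown"


# The claims leave the decision-making algorithm preselectable; the rule used here
# (an assumption) is a strict majority among at least `quorum` valid senders.
Decision = Callable[[List[TriggeringMessage]], Optional[str]]


def majority_with_quorum(quorum: int) -> Decision:
    def decide(valid: List[TriggeringMessage]) -> Optional[str]:
        if not valid or len(valid) < quorum:
            return None                       # too few valid senders: do nothing
        action, votes = Counter(m.action for m in valid).most_common(1)[0]
        return action if votes * 2 > len(valid) else None
    return decide


class CommunicationsController:
    """S_1: the controller connecting first process computer Pro_1 to K_1."""

    def __init__(self, local: str, authorized: Dict[str, Set[str]],
                 decision: Decision = majority_with_quorum(2)) -> None:
        self.local = local
        self.authorized = authorized    # target -> senders allowed to trigger it
        self.active: Set[str] = set()   # nodes currently taking part in communication on K_1
        self.decision = decision
        self.log: List[str] = []

    def update_membership(self, active: Iterable[str]) -> None:
        """Membership view; in a real protocol this would come from the bus's membership service."""
        self.active = set(active)

    def is_authorized(self, msg: TriggeringMessage) -> bool:
        return msg.sender in self.authorized.get(msg.target, set())

    def is_active(self, msg: TriggeringMessage) -> bool:
        return msg.sender in self.active

    def filter_valid(self, messages: Iterable[TriggeringMessage]) -> List[TriggeringMessage]:
        """Keep only messages whose sender passes both checks named in the claims."""
        valid = []
        for m in messages:
            if m.target != self.local:
                self.log.append(f"ignore {m.sender}: not addressed to {self.local}")
            elif not self.is_authorized(m):
                self.log.append(f"reject {m.sender}: not authorized to trigger {m.target}")
            elif not self.is_active(m):
                self.log.append(f"reject {m.sender}: not actively communicating on K_1")
            else:
                valid.append(m)
        return valid

    def handle(self, messages: Iterable[TriggeringMessage]) -> Optional[str]:
        """Run the checks and the decision algorithm; return the action to apply to Pro_1/Akt_1."""
        action = self.decision(self.filter_valid(messages))
        self.log.append(f"trigger {self.local}/Akt_1: {action}" if action
                        else "no triggering: decision algorithm returned no action")
        return action


def demo() -> Dict[str, Optional[str]]:
    """Constructed scenarios; returns the action decided in each one."""
    s1 = CommunicationsController("Pro_1", {"Pro_1": {"Pro_2", "Pro_3"}})
    s1.update_membership(["Pro_1", "Pro_2", "Pro_3", "Pro_4"])
    agree = [TriggeringMessage("Pro_2", "Pro_1", "shutdown"),
             TriggeringMessage("Pro_3", "Pro_1", "shutdown")]
    results = {"agreement": s1.handle(agree)}
    # Pro_4 is active but not authorized: its message never reaches the vote.
    results["unauthorized_ignored"] = s1.handle(agree + [TriggeringMessage("Pro_4", "Pro_1", "shutdown")])
    # Pro_3 has dropped out of communication; a message carrying its name is rejected
    # and the single remaining valid sender does not meet the quorum.
    s1.update_membership(["Pro_1", "Pro_2", "Pro_4"])
    results["stale_member"] = s1.handle(agree)
    # Both authorized senders are active again but disagree: no majority, no triggering.
    s1.update_membership(["Pro_1", "Pro_2", "Pro_3", "Pro_4"])
    results["conflict"] = s1.handle([TriggeringMessage("Pro_2", "Pro_1", "shutdown"),
                                     TriggeringMessage("Pro_3", "Pro_1", "degrade")])
    return results


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name}: {action}")
```

The point of ordering the checks this way is that a message from a node that is unauthorized, or that the protocol no longer sees as a live participant, is discarded before it can influence the decision at all, so a stale or spoofed Ab_m cannot by itself shut down a working actuator; the quorum parameter is where the designer chooses how many independent monitors must agree before Pro_1 or Akt_1 is actually triggered.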