Method for operating a distributed safety-relevant system

US 20030184158A1
Filed: 03/14/2003
Published: 10/02/2003
Est. Priority Date: 03/15/2001
Status: Abandoned Application

First Claim

Patent Images

1. A method for operating a distributed safety-related system, in particular an X-by-wire system in a motor vehicle, comprising at least one first process computer (Pro_1) for triggering a component (Akt_1) of the system and at least one additional process computer (Pro_m), the process computers (Pro_1, Pro_m) each being connected via a communications controller (S_1, S_m) to a communication system (K_1) and the functionality of the at least one first process computer (Pro_1) being checked by the at least one additional process computer (Pro_m), characterized by the following steps:

at least one of the additional process computers (Pro_m) which has determined a fault in at least one of the first process computers (Pro_1), relays a triggering message (Ab_m) via the communication system (K_1) for triggering the faulty first process computer (Pro_1) or the component (Akt_1) triggered by it;

a check is performed to determine whether the sender of the triggering message (Ab_m) is authorized to trigger the faulty first process computer (Pro_1);

a check is performed to determine whether the sender of the triggering message (Ab_m) is connected to the communication system (K_1) and is actively involved in communication via the communication system (K_1);

a decision is made according to a preselectable decision-making algorithm as to how the faulty first process computer (Pro_1) and/or the component (Akt_1) are to be triggered as a function of the content of triggering messages (Ab_m) of those senders that are authorized to trigger the faulty first process computer (Pro_1) and are connected to the communication system (K_1) and are actively involved in communication via the communication system (K_1); and

the faulty first process computer (Pro_1) and/or the component (Akt_1) are triggered accordingly.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of operating a distributed safety-related system, [in particular] i.e., an X-by-wire system in a motor vehicle, is described. The distributed system includes at least one first process computer [(Pro_—1)] for triggering a component [(Akt_—1)] of the system and at least one additional process computer[(Pro_m)]. The process computers [(Pro_—1, Pro_m)] are each connected to a communication system [(K_—1)] via a communications controller[(S_—1, S_m)]. The functionality of the at least one first process computer [(Pro_—1)] is checked by the at least one additional process computer [(Pro_m)]. This method is also [known] referred to as a distributed monitoring concept. A mechanism for secured shutdown of at least one faulty first process computer [(Pro_—1)] by at least one of the additional process computers [(Pro_—1) is described] is provided, by which a communication protocol of the communication system [(K_—1)] is supplemented for implementation of the distributed monitoring concept.

Citations

14 Claims

1. A method for operating a distributed safety-related system, in particular an X-by-wire system in a motor vehicle, comprising at least one first process computer (Pro_1) for triggering a component (Akt_1) of the system and at least one additional process computer (Pro_m), the process computers (Pro_1, Pro_m) each being connected via a communications controller (S_1, S_m) to a communication system (K_1) and the functionality of the at least one first process computer (Pro_1) being checked by the at least one additional process computer (Pro_m), characterized by the following steps:
- at least one of the additional process computers (Pro_m) which has determined a fault in at least one of the first process computers (Pro_1), relays a triggering message (Ab_m) via the communication system (K_1) for triggering the faulty first process computer (Pro_1) or the component (Akt_1) triggered by it;
  
  a check is performed to determine whether the sender of the triggering message (Ab_m) is authorized to trigger the faulty first process computer (Pro_1);
  
  a check is performed to determine whether the sender of the triggering message (Ab_m) is connected to the communication system (K_1) and is actively involved in communication via the communication system (K_1);
  
  a decision is made according to a preselectable decision-making algorithm as to how the faulty first process computer (Pro_1) and/or the component (Akt_1) are to be triggered as a function of the content of triggering messages (Ab_m) of those senders that are authorized to trigger the faulty first process computer (Pro_1) and are connected to the communication system (K_1) and are actively involved in communication via the communication system (K_1); and
  
  the faulty first process computer (Pro_1) and/or the component (Akt_1) are triggered accordingly.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as recited in claim 1, wherein shutdown of the faulty first process computer (Pro_1) and/or the component (Akt_1) is achieved through the triggering message.
  - 3. The method as recited in claim 1 or 2, wherein a local authorization list (Be_1) is provided in the communications controller (S_1) of the at least one first process computer (Pro_1) on the basis of which a check is performed to determine whether the sender of the triggering message (Ab_m) is authorized to trigger the faulty first process computer (Pro_1) by comparing an identifier of the sender of the triggering message (Ab_m) with the content of the authorization list (Be_1).
  - 4. The method as recited in one of claims 1 through 3, wherein a global membership list (Me) is provided in the communication system (K_1) on the basis of which a check is performed to determine whether the sender of the triggering message (Ab_m) is connected to the communication system (K_1) and is actively involved in communication via the communication system (K_1) by comparing an identifier of the sender of the triggering message (Ab_m) with the content of the membership list (Me).
  - 5. The method as recited in one of claims 1 through 4, wherein if there are multiple triggering messages (Ab_m) for the at least one first process computer (Pro_1) a decision is made as a function of the content of the triggering messages (Ab_m) by a majority decision as to how the faulty first process computer (Pro_1) and/or the component (Akt_1) are to be triggered.
  - 6. The method as recited in one of claims 1 through 5, wherein a successful triggering of the faulty first process computer (Pro_1) and/or the component (Akt_1) is reported at least to the at least one sender of the triggering message (Ab_m).
  - 7. The method as recited in claim 6, wherein the successful triggering of the faulty first process computer (Pro_1) and/or the component (Akt_1) is reported to all process computers (Pro_m) in that the faulty first process computer (Pro_1) is deleted from a global membership list (Me) provided in the communication system (K_1), those process computers (Pro_1, Pro_m) that are connected to the communication system (K_1) and are actively involved in communication via the communication system (K_1) being included in the membership list (Me).

8. A distributed safety-related system, in particular an X-by-wire system in a motor vehicle, comprising at least one first process computer (Pro_1) for triggering a component (Akt_1) of the system and at least one additional process computer (Pro_m), the process computers (Pro_1, Pro_m) each being connected via a communications controller (S_1, S_m) to a communication system (K_1), and monitoring of the functionality of the at least one first process computer (Pro_1) being performed by the at least one additional process computer (Pro_m), wherein at least one of the additional process computers (Pro_m) has means for determining a fault in at least one of the first process computers (Pro_1) and means for relaying a triggering message (Ab_m) for triggering the faulty first process computer (Pro_1) and/or the component (Akt_1) triggered by it via the communication system (K_1) if the at least one faulty first process computer (Pro_1) has a fault;
- information is made available to the communications controller (S_1) of the faulty first process computer (Pro_1) regarding whether the sender of the triggering message (Ab_m) is authorized to trigger the faulty first process computer (Pro_1);
  
  information is made available to the communications controller (S_1) of the faulty first process computer (Pro_1) regarding whether the sender of the triggering message (Ab_m) is connected to the communication system (K_1) and is actively involved in communication via the communication system (K_1);
  
  the communications controller (S_1) of the faulty first process computer (Pro_1) has means for deciding according to a preselectable decision-making algorithm how the faulty first process computer (Pro_1) and/or the component (Akt_1) are to be triggered as a function of the content of triggering messages (Ab_m) of those senders that are authorized to trigger the faulty first process computer (Pro_1) and are connected to the communication system (K_1) and are actively involved in communication via the communication system (K_1); and
  
  the communications controller (S_1) of the faulty first process computer (Pro_1) has means for triggering the faulty first process computer (Pro_1) and/or the component (Akt_1) accordingly.
- View Dependent Claims (9, 10)
- - 9. The distributed system as recited in claim 8, wherein the information regarding whether the sender of the triggering message (Ab_m) is authorized to trigger the faulty first process computer (Pro_1) is available in the form of a local authorization list (Be_1) provided in the communications controller (S_1) of the at least one first process computer (Pro_1).
  - 10. The distributed system as recited in claim 8 or 9, wherein the information regarding whether the sender of the triggering message (Ab_m) is connected to the communication system (K_1) and is actively involved in communication via the communication system (K_1) is available in the form of a global membership list (Me) provided in the communication system (K_1).

11. A communications controller (S_1) for connecting at least one first process computer (Pro_1) and at least one additional process computer (Pro_m) to a communication system (K_1) of a distributed safety-related system, in particular an X-by-wire system in a motor vehicle, the at least one first process computer (Pro_1) being used for triggering a component (Akt_1) of the distributed system and a communication protocol running on the communications controller (S_1) for implementing a data transfer between the process computers (Pro_1, Pro_m) and the communication system (K_1), wherein the communication protocol is supplemented by mechanisms which make it possible for the communications controller (S_1) to check whether one of the additional process computers (Pro_m) which relays a triggering message (Ab_m) for triggering at least one faulty first process computer (Pro_1) and/or the component (Akt_1) triggered by it via the communication system (K_1) is connected to the communication system (K_1) and is actively involved in communication via the communication system (K_1);
- to check whether the sender of the triggering message (Ab_m) is authorized to trigger the faulty first process computer (Pro_1);
  
  to decide according to a preselectable decision-making algorithm how the first process computer (Pro_1) and/or the component (Akt_1) are to be triggered as a function of the content of triggering messages (Ab_m) of those senders that are authorized to trigger the faulty first process computer (Pro_1) and are connected to the communication system (K_1) and are actively involved in communication via the communication system (K_1); and
  
  to trigger the first process computer (Pro_1) and/or the component (Akt_1) accordingly.
- View Dependent Claims (12)
- - 12. The communications controller (S_1) as recited in claim 11, wherein the communication protocol is supplemented by mechanisms for execution of a method as recited in one of claims 2 through 7.

13. A communication protocol for a communication system (K_1) of a distributed safety-related system, in particular an X-by-wire system in a motor vehicle, the distributed system including at least one first process computer (Pro_1) for triggering a component (Akt_1) of the distributed system and at least one additional process computer (Pro_m), and the process computers (Pro_1, Pro_m) each being connected to the communication system (K_1) via a communications controller (S_1, S_m), the communication protocol for implementing a data transfer between the process computers (Pro_1, Pro_m) and the communication system (K_1) running on the communications controllers (S_1, S_m), wherein the communication protocol is supplemented by a mechanism:
- to check whether one of the additional process computers (Pro_m), which relays a triggering message (Ab_m) for triggering at least one faulty first process computer (Pro_1) and/or the component (Akt_1) triggered by it via the communication system (K_1), is connected to the communication system (K_1) and is actively involved in communication via the communication system (K_1);
  
  to check whether the sender of the triggering message (Ab_m) is authorized to trigger the faulty first process computer (Pro_1);
  
  to decide according to a preselectable decision-making algorithm how the first process computer (Pro_1) and/or the component (Akt_1) are to be triggered as a function of the content of triggering messages (Ab_m) of those senders that are authorized to trigger the faulty first process computer (Pro_1) and are connected to the communication system (K_1) and are actively involved in communication via the communication system (K_1); and
  
  to trigger the first process computer (Pro_1) and/or the component (Akt_1) accordingly.
- View Dependent Claims (14)
- - 14. The communication protocol as recited in claim 13, wherein the communication protocol is supplemented by mechanisms for execution of a method as recited in one of claims 2 through 7.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Robert Bosch GmbH
Original Assignee
Robert Bosch GmbH
Inventors
Fuehrer, Thomas

Application Number

US10/276,816
Publication Number

US 20030184158A1
Time in Patent Office

Days
Field of Search
US Class Current

307/10.1
CPC Class Codes

B60G 17/0195   characterised by the regula...

B60G 2600/08   Failure or malfunction dete...

B60G 2600/702   Parallel processing

B60G 2800/80   Detection or control after ...

B60T 13/74   with electrical assistance ...

B60W 2050/0045   using databus protocols

B60W 2050/021   Means for detecting failure...

B60W 2050/041   Built in Test Equipment [BITE]

G05B 9/03   with multiple-channel loop,...

G06F 11/1641   where the comparison is not...

G06F 11/18   using passive fault-masking...

G06F 11/181   Eliminating the failing red...

G06F 11/182   based on mutual exchange of...

H04L 67/12   specially adapted for propr...

Method for operating a distributed safety-relevant system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Method for operating a distributed safety-relevant system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links