Fault Tolerant Control System

US 20140277608A1
Filed: 03/14/2013
Published: 09/18/2014
Est. Priority Date: 03/14/2013
Status: Active Grant

First Claim

Patent Images

1. A fault tolerant controller strategy for a fail-operational vehicle system comprising the steps of:

(a) providing a first controller and a second controller both generating control signals intended to control actuation devices on a vehicle under non-fault operating conditions, the first controller initially designated as a primary controller and the second controller initially designated as a secondary controller, the actuation devices being responsive only to the designated primary controller;

(b) detecting an error in one of the two controllers, wherein the respective controller detected with the error is initially identified as a faulty controller and the other controller is initially identified as a non-faulty controller;

(c) if a controller error is detected in step (b), then generating control signals by the non-faulty designated primary controller for controlling actuation of the actuation devices, the control signals including an identifier that identifies the non-faulty controller as the designated primary controller;

(d) in response to detecting the error in step (b), resetting the faulty controller to operate in a safe operating mode as the secondary controller.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A fault tolerant controller system includes a first controller and a second controller. One of the first and second controllers designated as a primary controller for generating control signals intended to control actuation devices on a vehicle under non-fault operating conditions, and the other of the first and second controllers designated as a secondary controller generating control signals intended to control actuation devices on the vehicle. The actuation devices are responsive only to the designated primary controller. An error is detected in the primary controller and a message is transmitted from the faulty controller to the non-faulty controller identifying the error. The non-faulty controller is subsequently designated as the primary controller. The control signals including an identifier that identifies the non-faulty controller as the designated primary controller. In response to detecting the error, the faulty controller is reset to operate in a safe operating mode as the secondary controller.

79 Citations

View as Search Results

22 Claims

1. A fault tolerant controller strategy for a fail-operational vehicle system comprising the steps of:
- (a) providing a first controller and a second controller both generating control signals intended to control actuation devices on a vehicle under non-fault operating conditions, the first controller initially designated as a primary controller and the second controller initially designated as a secondary controller, the actuation devices being responsive only to the designated primary controller;
  
  (b) detecting an error in one of the two controllers, wherein the respective controller detected with the error is initially identified as a faulty controller and the other controller is initially identified as a non-faulty controller;
  
  (c) if a controller error is detected in step (b), then generating control signals by the non-faulty designated primary controller for controlling actuation of the actuation devices, the control signals including an identifier that identifies the non-faulty controller as the designated primary controller;
  
  (d) in response to detecting the error in step (b), resetting the faulty controller to operate in a safe operating mode as the secondary controller.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The fault tolerant controller strategy of claim 1 further comprising the step of actuating a first error message to a user alerting the user of the error detected in step (b).
  - 3. The fault tolerant controller strategy of claim 2 wherein detecting an error in one of the two controllers in step (b) comprises the following steps:
    - the first and second controller monitoring communication activity of one another; and
      
      identifying an error in the other controller in response to no communication activity from the other controller.
  - 4. The fault tolerant controller strategy of claim 2 wherein detecting an error in one of the two controllers in step (b) comprises the following steps:
    - the first and second controller monitoring communication activity of one another; and
      
      identifying an error in the other controller in response to the other controller deviating from an expected behavior.
  - 5. The fault tolerant controller strategy of claim 2 wherein detecting an error in one of the two controllers in step (b) includes self-detection of the error by the faulty controller.
  - 6. The fault tolerant controller strategy of claim 5 further comprising the step of(e) transmitting a message from the faulty controller to the non-faulty controller identifying the error in response to detecting the error in one of the two controllers, wherein the non-faulty controller is subsequently designated as the primary controller.
  - 7. The fault tolerant controller strategy of claim 6 comprising the steps of:
    - (f) if an error is subsequently detected in the non-faulty controller designated as the primary controller in step (e), then transmitting a message identifying the error from the designated primary controller to the secondary controller operating in the safe operating mode;
      
      (g) generating control signals by the secondary controller operating in the safe operating mode in response to the error detected in step (f), the control signals including an identifier that identifies the secondary controller operating in safe operating mode as the designated primary controller; and
      
      (h) actuating a second error message to the user in response to the error detected in step (f), wherein the second error message generated in response to the error detected in step (f) is of a greater urgency relative to the first error message generated in response to the error detected in step (b).
  - 8. The fault tolerant controller strategy of claim 7 wherein the primary controller identified in step (f) operates in safe operating mode as succeeding designated secondary controller.
  - 9. The fault tolerant controller strategy of claim 8 wherein the error message actuated in response to the error detected in step (f) signals to the user that user intervention should be performed for taking control of the control actuation device.
  - 10. The fault tolerant controller strategy of claim 9 wherein control of the actuation devices by the first and second controllers are terminated in response to the user performing a control action for taking control of the actuation device.
  - 11. The fault tolerant controller strategy of claim 7 wherein the first and second controllers are reset to a non-fault operating mode in response to an ignition start sequence, the ignition start sequence including turning off a vehicle ignition and the re-actuating the vehicle ignition.
  - 12. The fault tolerant controller strategy of claim 7 wherein the safe operating mode operation includes operating the actuation devices using limited operating system support.
  - 13. The fault tolerant controller strategy of claim 6 wherein if the first controller and second controller fail simultaneously, then the respective controller that re-initializes and begins operating in the safe operating mode is designated the primary controller.
  - 14. The fault tolerant controller strategy of claim 6 wherein if the first controller and second controller fail permanently, then the actuation devices include a self-contained control strategy for maintaining operation until the user performs a control action for taking control of the autonomous vehicle system.

15. A fault tolerant controller system for a fail-operational vehicle system comprising:
- a first controller generating control signals intended to control actuation devices on a vehicle under non-fault operating conditions, the first controller initially designated as a primary controller;
  
  a second controller generating control signals intended to control the actuation devices on the vehicle, the second controller initially designated as a secondary controller, the actuation devices being responsive only to the designated primary controller;
  
  wherein when an error is detected in one of the two controllers, a message is transmitted from the faulty controller to the non-faulty controller identifying the error, and wherein the non-faulty controller is subsequently designated as the primary controller;
  
  wherein control signals generated by the non-faulty designated primary controller for controlling actuation of the actuation devices include an identifier that identifies the non-faulty controller as the designated primary controller; and
  
  wherein in response to detecting the error, the faulty controller is re-initialized to operate in a safe operating mode as the secondary controller.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22)
- - 16. The fault tolerant controller system of claim 15 wherein a first error message is actuated for alerting a user of the error detected in one of the two controllers.
  - 17. A fault tolerant controller system of claim 15 wherein if an error is subsequently detected in the non-faulty controller designated as the primary controller, then transmitting a message identifying the error from the designated primary controller to the secondary controller operating currently in the safe operating mode, the primary controller identified as having an error is designated as a succeeding secondary controller operating in safe operating mode;
    - wherein the secondary controller currently operating in the safe operating mode generates control signals that include an identifier identifying the secondary controller currently operating in safe operating mode as the designated primary controller; and
      
      wherein a second error message is actuated to the user after errors are detected in both the first and second controllers, and wherein the second error message generated in response to the error detected in first and second controllers is of greater urgency relative to the first error message generated in response to the error detected in one of the two controllers.
  - 18. The fault tolerant controller system of claim 17 wherein if an error is subsequently detected in the designated primary controller operating in safe operating mode, then the succeeding secondary controller is designated as the succeeding designated primary controller operating in safe operating mode.
  - 19. The fault tolerant controller system of claim 17 wherein the second error message indicates that user intervention should be performed for taking control of the actuation device.
  - 20. The fault tolerant controller system of claim 15 wherein the first and second controllers relinquish vehicle controls to the user of the vehicle in response to the user performing a control action for taking control of the autonomous vehicle system.
  - 21. The fault tolerant controller system of claim 15 further comprising an ignition system, wherein the first and second controllers are reset to a non-fault operating mode in response to an ignition start sequence, the ignition start sequence including turning off the vehicle ignition and the re-actuating the vehicle ignition.
  - 22. The fault tolerant controller system of claim 15 wherein if the first controller and second controller fail simultaneously, then the respective controller re-initialized and operating in safe operating mode operation is designated the primary controller.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
GM Global Technology Operations LLC (General Motors Company)
Original Assignee
GM Global Technology Operations LLC (General Motors Company)
Inventors
Debouk, Rami I., Baker, Stephen M., Joyce, Jeffrey

Granted Patent

US 9,740,178 B2
Time in Patent Office

Days
Field of Search
US Class Current

700/79
CPC Class Codes

B60W 50/023   Avoiding failures by using ...

G05B 2219/24187   Redundant processors run id...

G05B 2219/24198   Restart, reinitialize, boot...

G05B 2219/24208   Go into safety mode if comm...

G05B 9/02   electric

G05B 9/03   with multiple-channel loop,...

Fault Tolerant Control System

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

79 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Fault Tolerant Control System

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

79 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links