Fault Tolerant Control System
First Claim
1. A fault tolerant controller strategy for a fail-operational vehicle system comprising the steps of:
(a) providing a first controller and a second controller both generating control signals intended to control actuation devices on a vehicle under non-fault operating conditions, the first controller initially designated as a primary controller and the second controller initially designated as a secondary controller, the actuation devices being responsive only to the designated primary controller;
(b) detecting an error in one of the two controllers, wherein the respective controller detected with the error is initially identified as a faulty controller and the other controller is initially identified as a non-faulty controller;
(c) if a controller error is detected in step (b), then generating control signals by the non-faulty designated primary controller for controlling actuation of the actuation devices, the control signals including an identifier that identifies the non-faulty controller as the designated primary controller;
(d) in response to detecting the error in step (b), resetting the faulty controller to operate in a safe operating mode as the secondary controller.
3 Assignments
Abstract
A fault tolerant controller system includes a first controller and a second controller. One of the first and second controllers is designated as a primary controller generating control signals intended to control actuation devices on a vehicle under non-fault operating conditions, and the other of the first and second controllers is designated as a secondary controller that also generates control signals intended to control the actuation devices on the vehicle. The actuation devices are responsive only to the designated primary controller. When an error is detected in the primary controller, a message identifying the error is transmitted from the faulty controller to the non-faulty controller, and the non-faulty controller is subsequently designated as the primary controller. The control signals it generates include an identifier that identifies the non-faulty controller as the designated primary controller. In response to detecting the error, the faulty controller is reset to operate in a safe operating mode as the secondary controller.
79 Citations
22 Claims
1. Independent claim; text as given under First Claim above. Dependent claims: 2 to 14.
15. A fault tolerant controller system for a fail-operational vehicle system comprising:
a first controller generating control signals intended to control actuation devices on a vehicle under non-fault operating conditions, the first controller initially designated as a primary controller;
a second controller generating control signals intended to control the actuation devices on the vehicle, the second controller initially designated as a secondary controller, the actuation devices being responsive only to the designated primary controller;
wherein when an error is detected in one of the two controllers, a message is transmitted from the faulty controller to the non-faulty controller identifying the error, and wherein the non-faulty controller is subsequently designated as the primary controller;
wherein control signals generated by the non-faulty designated primary controller for controlling actuation of the actuation devices include an identifier that identifies the non-faulty controller as the designated primary controller; and
wherein in response to detecting the error, the faulty controller is re-initialized to operate in a safe operating mode as the secondary controller.
Dependent claims: 16 to 22.
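As an added worked example (not the patent's text, and not any implementation of it), the following Python model steps through the sequence the abstract and claims 1 and 15 describe: both controllers generate control signals every cycle, the actuator honours only signals whose identifier marks the sender as the designated primary, a controller that detects its own error messages its peer, the non-faulty peer takes the primary role, and the faulty controller is reset into safe mode as the secondary. The class and function names (`Controller`, `Actuator`, `ControlSignal`, `tick`, `run_scenario`), the two-controller identifiers "A" and "B", and the fault-injection scenarios are all invented for this example. Claim 1 allows the error to be in either controller, so the model covers both the primary-fault and secondary-fault cases.

```python
"""Toy model of the dual-controller fail-operational scheme in the abstract
and claims 1 and 15.  Illustrative example only; not the patent's own
implementation.  All names below are invented for this example."""
from dataclasses import dataclass, field
from typing import Optional

PRIMARY, SECONDARY = "primary", "secondary"


@dataclass
class ControlSignal:
    sender_id: str   # which controller produced the signal
    role: str        # identifier carried in the signal: PRIMARY or SECONDARY (claim 1(c))
    command: float   # actuator demand


@dataclass
class Controller:
    cid: str
    role: str
    faulted: bool = False
    safe_mode: bool = False
    inbox: list = field(default_factory=list)

    def self_check(self, fault_injected: bool, peer: "Controller") -> None:
        """Step (b): detect an error.  Faults are injected by the scenario."""
        if fault_injected and not self.faulted:
            self.faulted = True
            # Claim 15: the faulty controller tells the non-faulty one.
            peer.inbox.append(("ERROR", self.cid))

    def handle_messages(self, peer: "Controller") -> None:
        """Non-faulty controller takes the primary role on an ERROR from its peer."""
        for kind, src in self.inbox:
            if kind == "ERROR" and src == peer.cid and not self.faulted:
                self.role = PRIMARY
        self.inbox.clear()

    def compute(self, setpoint: float) -> Optional[ControlSignal]:
        """Both controllers generate signals under non-fault conditions (step (a));
        a controller that has just detected its own fault generates none (step (c))."""
        if self.faulted:
            return None
        cmd = 0.0 if self.safe_mode else setpoint   # safe mode: neutral command
        return ControlSignal(self.cid, self.role, cmd)

    def reset(self) -> None:
        """Step (d): faulty controller restarts as secondary in safe operating mode."""
        self.role = SECONDARY
        self.safe_mode = True
        self.faulted = False


@dataclass
class Actuator:
    primary_id: str
    position: float = 0.0
    rejected: int = 0

    def apply(self, sig: ControlSignal) -> bool:
        """Responsive only to the designated primary: a signal whose identifier
        marks its sender as primary is honoured, and a new sender carrying that
        identifier moves the actuator's notion of who the primary is."""
        if sig.role != PRIMARY:
            self.rejected += 1
            return False
        self.primary_id = sig.sender_id
        self.position = sig.command
        return True


def tick(a: Controller, b: Controller, act: Actuator, setpoint: float,
         fault_in: Optional[str]) -> None:
    """One control cycle: detect, message, take over, actuate, then reset the
    faulty unit so that from the next cycle it runs as a safe-mode secondary."""
    a.self_check(fault_in == a.cid, b)
    b.self_check(fault_in == b.cid, a)
    a.handle_messages(b)
    b.handle_messages(a)
    for c in (a, b):
        sig = c.compute(setpoint)
        if sig is not None:
            act.apply(sig)
    for c in (a, b):
        if c.faulted:
            c.reset()


def run_scenario(fault_in: str) -> dict:
    """Constructed scenario: A starts primary, B secondary; a fault is injected
    into controller `fault_in` on the second cycle; a third cycle shows the
    steady state afterwards."""
    a = Controller("A", PRIMARY)
    b = Controller("B", SECONDARY)
    act = Actuator(primary_id="A")
    tick(a, b, act, 1.0, None)
    tick(a, b, act, 2.0, fault_in)
    tick(a, b, act, 3.0, None)
    return {
        "primary": act.primary_id,
        "position": act.position,
        "rejected": act.rejected,
        "roles": {a.cid: a.role, b.cid: b.role},
        "safe_mode": {a.cid: a.safe_mode, b.cid: b.safe_mode},
    }


if __name__ == "__main__":
    print(run_scenario("A"))   # fault in the primary: B takes over, A resets as secondary
    print(run_scenario("B"))   # fault in the secondary: A stays primary, B resets as secondary
```

In this model the role identifier in the control signal is exactly what switches the actuator to the new primary, which is all the claims say about it. The actuator therefore trusts whichever sender labels itself primary; in a real fail-operational system the designation an actuator acts on would need to be bound to the sender in some verifiable way, which the page does not address.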