HYBRID DUAL-DUPLEX FAIL-OPERATIONAL PATTERN AND GENERALIZATION TO ARBITRARY NUMBER OF FAILURES

US 20170277153A1
Filed: 03/23/2016
Published: 09/28/2017
Est. Priority Date: 03/23/2016
Status: Active Grant

First Claim

Patent Images

1. A modified dual-duplex fail-operational control system comprising:

a primary controller controlling features of devices while operating under non-fault operating conditions, the primary controller comprising;

a first processing unit executing a function utilizing input data from sensing devices;

a second processing unit simultaneously executing the function utilizing the input data from sensing devices;

a first comparative module comparing the function result from the first processing unit with the function result from the second processing unit to determine whether an error is present in the first controller;

a second controller comprising;

a first processing unit executing the function utilizing the input data from sensing devices;

a second processing unit operating in a non-redundant state, the second processing unit not executing the function while in the non-redundant state;

a second comparative module determining whether an error is present in the second controller;

wherein a matching function result identified by the first comparative module of the first controller is input to second comparative module of the second controller, wherein the second comparative module determines whether an error is present in the second controller utilizing only the matching function result identified by the first comparative module and the function result determined by the first processing unit of the second controller.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A modified dual-duplex fail-operational control system. A primary controller includes a first processing unit and a second processing unit for executing a function. A first comparative module comparing the function results from the first and second processing unit to determine an error the first controller. A second controller includes a first processing unit and second processing unit. The first processing unit executes the function. The second processing unit operating in a non-redundant state and not executing the function while in the non-redundant state. A second comparative module determines whether an error is present in the second controller. A matching function result identified by the first comparative module of the first controller is input to second comparative module of the second controller to determine whether an error is present in the second controller utilizing only the matching function result identified by the first comparative module and the function result determined by the first processing unit of the second controller.

Citations

21 Claims

1. A modified dual-duplex fail-operational control system comprising:
- a primary controller controlling features of devices while operating under non-fault operating conditions, the primary controller comprising;
  
  a first processing unit executing a function utilizing input data from sensing devices;
  
  a second processing unit simultaneously executing the function utilizing the input data from sensing devices;
  
  a first comparative module comparing the function result from the first processing unit with the function result from the second processing unit to determine whether an error is present in the first controller;
  
  a second controller comprising;
  
  a first processing unit executing the function utilizing the input data from sensing devices;
  
  a second processing unit operating in a non-redundant state, the second processing unit not executing the function while in the non-redundant state;
  
  a second comparative module determining whether an error is present in the second controller;
  
  wherein a matching function result identified by the first comparative module of the first controller is input to second comparative module of the second controller, wherein the second comparative module determines whether an error is present in the second controller utilizing only the matching function result identified by the first comparative module and the function result determined by the first processing unit of the second controller.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The control system of claim 1 wherein an error detected in the primary controller results in the primary controller failing fail-silent, and wherein the second controller is designated as a reconfigured primary controller, wherein first processing unit and the second processing unit of the second controller are enabled to execute the function to determine whether an error is present in the second controller via the second comparative module.
  - 3. The control system of claim 1 further comprising a communication link coupled between the first comparative module and the second comparative module, wherein the matching function result determined by the first comparative module is communicated from the first comparative module to the second comparative module via the communication link.
  - 4. The control system of claim 1 further comprising:
    - at least a third controller comprising;
      
      a first processing unit executing a function utilizing the input data from sensing devices;
      
      a second processing unit operating in a non-redundant state, the second processing unit not executing the function while in the non-redundant state;
      
      a third comparative module determining whether an error is present in the at least third controller;
      
      wherein a matching function result identified by a respective comparative module of one of the preceding controllers is input to third comparative module of the at least third controller, wherein the third comparative module determines whether an error is present in the at least third controller utilizing only the matching function result identified by the respective comparative module of one of the preceding controllers and the function result determined by third processing unit of the at least third controller.
  - 5. The control system of claim 4 wherein a error detected in the primary controller results in the primary controller failing fail-silent, and wherein the second controller is designated as a reconfigured primary controller, wherein first processing unit and the second processing unit of the second controller are active to execute the function to determine whether the error is present in the second controller via the second comparative module.
  - 6. The control system of claim 5 wherein second comparative module determines whether an error is present the second controller designated as the reconfigured primary controller based on the function results from the first processing unit and the second processing unit of the second controller, wherein the matching function result identified by the second comparative module is provided to the third comparative module, wherein the third comparative module utilizes the matching function result from the second comparative module in cooperation with the function result from the first processing unit of the at least third controller to determine whether an error is present in the at least third controller.
  - 7. The control system of claim 6 wherein an error in the second controller results in the second controller failing fail-silent, and wherein the third comparative utilizes the matching function result from the first comparative module in cooperation with the function result from the first processing unit of the third controller to determine an error in the third controller.
  - 8. The control system of claim 4 wherein each respective controller includes a dual-core processor, where each dual-core processor includes the respective first core and the respective second core in each controller.
  - 9. The control system of claim 4 wherein each controller includes two single-core processors, where each respective core in each controller is a single-core processor.
  - 10. The control system of claim 4 further comprising a communication link coupled between the second comparative module and the third comparative module, wherein the matching function result determined by the second comparative module is communicated from the second comparative module to the third comparative module via the communication link.
  - 11. The control system of claim 1 wherein a number of controllers utilized in the control system is determined by a number of failures the control system is designed to tolerate, wherein the number of controllers is one greater than the number of failures the control system is designed to tolerate.

12. A method minimizing software backups in a dual-duplex pattern approach comprising the steps of:
- executing a function simultaneously in a first processing unit and a second processing unit of a primary controller utilizing input data from sensing devices, the primary controller controlling features of devices while operating under non-fault operating conditions;
  
  comparing, by a comparative module of the primary controller, the function results from the first processing unit with the function results from the second processing unit to determine whether an error is present in the first controller;
  
  executing the function in a first processing unit of a second controller utilizing input data from sensing devices, wherein a second processing unit of the second controller operates in a non-redundant state, the second processing unit not executing the function while in the non-redundant state;
  
  inputting a matching functional result identified by the first comparative module to a second comparative module in the second controller;
  
  comparing, by a comparative module of the second controller, the function results from the first processing unit of the second controller with the matching function result from the first comparative module;
  
  determining, by the second comparative module, whether an error is present in the second controller utilizing only the matching function result identified by the first comparative module and the function result determined by the first processing unit of the second controller.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The method of claim 12 further comprising the steps of:
    - detecting a fault in the primary controller;
      
      enabling fail-silent operation of the primary controller;
      
      designating the second controller as a reconfigured primary controller, wherein first processing unit and the second processing unit of the second controller are enabled to execute the function to determine whether a error is present in the second controller via the second comparative module.
  - 14. The method of claim 12 further comprising:
    - providing at least a third controller;
      
      executing a function, by a first processing unit of the at least controller, utilizing the input data from the sensing devices, wherein a second processing unit of the at least third controller operating in a non-redundant state, the second processing unit of the at least third controller not executing the function while in the non-redundant state;
      
      inputting the matching function result from the second comparative module to a third comparative module in the at least third controller;
      
      comparing, by the third comparative module, the a function result determined by the first processing unit of the at least third controller with the matching function result from the second comparative module;
      
      determining, by the third comparative module, whether an error is present in the at least third controller utilizing only the matching function result identified by the second comparative module and the function result determined by the first processing unit of the at least third controller.
  - 15. The method of claim 14 further comprising the steps of:
    - detecting a fault in the primary controller;
      
      failing the primary controller as fail-silent in response to detecting the fault in the primary controller;
      
      designating the second controller as a reconfigured primary controller, wherein the first processing unit and the second processing unit of the second controller are enabled to execute the function to determine whether an error is present in the second controller via the second comparative module.
  - 16. The method of claim 15 further comprising the steps of:
    - determining, by the second comparative module, whether the error is present in the second controller based on the function result from the first processing unit and the second processing unit of the second controller when designated as the reconfigured primary controller;
      
      providing to the third comparative module, a matching function result from the second comparative module when the second controller is designated as the reconfigured primary controller;
      
      comparing, by the third comparative module, the matching function result from the second comparative module designated as the reconfigured primary module with the function result from the first processing unit of the at least third controller to determine whether an error is present in the at least third controller.
  - 17. The method of claim 16 wherein each respective controller includes a dual-core processor, where each dual-core processor utilizes the respective first core and the respective second core in each controller.
  - 18. The method of claim 16 wherein each controller includes two single-core processors, where each respective core in each controller is a single-core processor, wherein each single core processor executes the function independently utilizing the sensed input data.
  - 19. The method of claim 12 wherein determining a number of controllers to utilize in the control system is determined by a number of failures the control system is designed to tolerate, wherein the number of controllers is one greater than the number of failures the control system is designed to tolerate.

20. A modified dual-duplex fail-operational control system comprising:
- a primary controller including a first processing unit and a second processing unit, the first processing unit and second processing unit simultaneously execute a function, wherein the primary controller further includes a first comparative module comparing the function results from the first and second processing unit to determine an error the first controller;
  
  a second controller includes a first processing unit and second processing unit, the first processing unit executing the function, the second processing unit operating in a non-redundant state and not executing the function while in the non-redundant state, wherein the primary controller further includes a second comparative module determining whether an error is present in the second controller;
  
  wherein a matching function result identified by the first comparative module of the first controller is input to second comparative module of the second controller to determine whether an error is present in the second controller utilizing only the matching function result identified by the first comparative module and the function result determined by the first processing unit of the second controller.
- View Dependent Claims (21)
- - 21. The control system of claim 20 further comprising:
    - at least a third controller including a first processing unit and a second processing unit, the first processing unit of the at least third controller executing the function, the second processing unit of the at least third controller operating in a non-redundant state and not executing the function while in the non-redundant state, wherein the at least third controller further includes a third comparative module determining whether an error is present in the third controller;
      
      wherein a matching function result identified by the second comparative module of the second controller is input to third comparative module of the at least third controller to determine whether an error is present in the third controller utilizing only the matching function result identified by the second comparative module and the function result determined by the first processing unit of the third controller.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
GM Global Technology Operations LLC (General Motors Company)
Original Assignee
GM Global Technology Operations LLC (General Motors Company)
Inventors
SAMII, SOHEIL, JOCHIM, MARKUS, FUHRMAN, THOMAS E., OSELLA, MASSIMO

Granted Patent

US 10,037,016 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G05B 19/0425   Safety, monitoring

G05B 2219/24033   Failure, fault detection an...

G05B 2219/25022   LAN local area network for ...

G05B 9/03   with multiple-channel loop,...

HYBRID DUAL-DUPLEX FAIL-OPERATIONAL PATTERN AND GENERALIZATION TO ARBITRARY NUMBER OF FAILURES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

HYBRID DUAL-DUPLEX FAIL-OPERATIONAL PATTERN AND GENERALIZATION TO ARBITRARY NUMBER OF FAILURES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links