Method to ensure safety integrity of a microprocessor over a distributed network for automotive applications

US 8,380,392 B2
Filed: 07/08/2010
Issued: 02/19/2013
Est. Priority Date: 04/19/2010
Status: Active Grant

First Claim

Patent Images

1. A processor integrity system in a vehicle, the system comprising:

m main processor modules that control at least m respective functions of the vehicle, where m is an integer greater than one; and

a monitoring processor module that controls at least one function of the vehicle, that communicates with the m main processor modules over a distributed vehicle network, that selectively transmits a first query to at least one of the m main processor modules over the distributed vehicle network, that receives a first answer from at least one of the m main processor modules over the distributed vehicle network, that selectively transmits a second query to at least one of the m main processor modules if the first answer does not match a first expected answer, that receives a second answer from the at least one of the m main processor modules over the distributed vehicle network, and that sends a request for remedial action for at least one of the m main processor modules to a remedial action module if the second answer does not match a second expected answer,wherein the first query and the second query are different and the first expected answer and second expected answer are different.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A processor integrity system in a vehicle includes m main processor modules that control at least m respective functions of the vehicle, where m is n integer greater than or equal to one. A monitoring processor module controls at least one function of the vehicle, communicates with the m main processor modules over a distributed vehicle network, selectively transmits a query to at least one of the m main processor modules over the distributed vehicle network, receives an answer from the at least one of the m main processor modules over the distributed vehicle network, that verifies integrity of the at least one of the m main processor modules based on the answer.

8 Citations

View as Search Results

17 Claims

1. A processor integrity system in a vehicle, the system comprising:
- m main processor modules that control at least m respective functions of the vehicle, where m is an integer greater than one; and
  
  a monitoring processor module that controls at least one function of the vehicle, that communicates with the m main processor modules over a distributed vehicle network, that selectively transmits a first query to at least one of the m main processor modules over the distributed vehicle network, that receives a first answer from at least one of the m main processor modules over the distributed vehicle network, that selectively transmits a second query to at least one of the m main processor modules if the first answer does not match a first expected answer, that receives a second answer from the at least one of the m main processor modules over the distributed vehicle network, and that sends a request for remedial action for at least one of the m main processor modules to a remedial action module if the second answer does not match a second expected answer,wherein the first query and the second query are different and the first expected answer and second expected answer are different.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1 wherein the monitoring processor module compares the first answer to the first expected answer to verify the integrity of the at least one of the m main processor modules, and wherein the first expected answer is based on the first query.
  - 3. The system of claim 2 wherein the monitoring processor module increments a counter if either one of the first answer and the second answer does not match the first expected answer or the second expected answer, respectively, and decrements the counter if either one of the first answer and the second answer does match the first expected answer or the second expected answer, respectively.
  - 4. The system of claim 3 wherein the monitoring processor module transmits the second query if the counter does not exceed a predetermined limit and the first answer does not match the first expected answer.
  - 5. The system of claim 4 wherein the monitoring processor module initiates a remedial action if the counter exceeds a predetermined value.
  - 6. The system of claim 1 wherein the monitoring processor module receives the first query and the second query from the at least one of the m main processor modules over the distributed vehicle network.
  - 7. The system of claim 1 wherein the monitoring processor module adjusts the first query after verifying the integrity of the at least one of the m main processor modules.
  - 8. The system of claim 1 wherein the monitoring processor module transmits at least one of the first query and the second query to at least two of the m main processor modules.
  - 9. The system of claim 1 wherein the main processor module transmits a different query to each of the m main processor modules.

10. A processor integrity method in a vehicle, the method comprising:
- controlling at least m respective functions of the vehicle using m respective main processor modules, where m is an integer greater than one;
  
  controlling at least one function of the vehicle using a monitoring processor module;
  
  communicating with the m main processor modules over a distributed vehicle network using the monitoring processor module;
  
  selectively transmitting a first query from the monitoring processor module to at least one of the m main processor modules over the distributed vehicle network;
  
  receiving a first answer from the at least one of the m main processor modules at the monitoring processor module over the distributed vehicle network;
  
  comparing the first answer to a first expected answer that is based on the first query to verify the integrity of the at least one of the m main processor modules using the monitoring processor module;
  
  transmitting a second query to the at least one of the m main processor modules if the first answer does not match the first expected answer, wherein the first query and the second query are different;
  
  receiving a second answer from the at least one of the m main processor modules over the distributed vehicle network; and
  
  sending a request for remedial action for the at least one of the m main processor modules to a remedial action module if the second answer does not match a second expected answer, wherein the first expected answer and the second expected answer are different.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The method of claim 10 further comprising incrementing a counter using the monitoring processor module if either one of the first answer and the second answer does not match the first expected answer or the second expected answer, respectively, and decrementing the counter using the monitoring processor module if either one of the first answer and the second answer does match the first expected answer or the second expected answer, respectively.
  - 12. The method of claim 11 further comprising transmitting the second query if the counter does not exceed a predetermined limit and if the first answer does not match the first expected answer.
  - 13. The method of claim 12 further comprising initiating a remedial action using the monitoring processor module if the counter exceeds a predetermined value.
  - 14. The method of claim 10 further comprising receiving the first query and the second query at the monitoring processor module from the at least one of the m main processor modules over the distributed vehicle network.
  - 15. The method of claim 10 further comprising adjusting the first query using the monitoring processor module after verifying the integrity of the at least one of the m main processor modules.
  - 16. The method of claim 10 further comprising transmitting at least one of the first query and the second query to at least two of the m main processor modules using monitoring processor module.
  - 17. The method of claim 10 further comprising transmitting a different query to each of the m main processor modules using the main processor module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
GM Global Technology Operations LLC (General Motors Company)
Original Assignee
GM Global Technology Operations LLC (General Motors Company)
Inventors
Trush, Christopher J., Sundaram, Padma
Primary Examiner(s)
Tarcza, Thomas
Assistant Examiner(s)
Dunn, Alex C

Application Number

US12/832,310
Publication Number

US 20110257833A1
Time in Patent Office

957 Days
Field of Search

701/36, 701/37, 701/38
US Class Current

701/36
CPC Class Codes

B60W 2050/0006   Digital architecture hierarchy

B60W 50/04   Monitoring the functioning ...

G07C 5/0808   Diagnosing performance data...

Method to ensure safety integrity of a microprocessor over a distributed network for automotive applications

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

8 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Method to ensure safety integrity of a microprocessor over a distributed network for automotive applications

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

8 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others