Methods and systems for compensating for common failures in fail operational systems

US 9,195,232 B1
Filed: 02/05/2014
Issued: 11/24/2015
Est. Priority Date: 02/05/2014
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a primary controller configured to perform functions associated with control of operation of a vehicle including vehicle propulsion, braking and steering;

a secondary controller configured in a redundant configuration as the primary controller, wherein the primary controller and the secondary controller are configured to operate based on execution of a first set of logic and perform cross-checks of each other;

a control module configured to transfer control of operation of the vehicle between the primary controller and the secondary controller based on a detected fault at one of the primary controller and the secondary controller, wherein the control module is further configured to detect a common fault of the primary controller and the secondary controller and the control module is configured to responsively output a common fault signal;

a safety controller coupled to the control module configured to operate based on execution of a second set of logic independent of operation of the primary controller and the secondary controller, and based on receiving the common fault signal the safety controller is configured to receive transfer of control of operation of the vehicle; and

to perform functions associated with control of operation of the vehicle including vehicle braking.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for compensating for common failures in fail operational systems are described herein. An example system may include a primary controller configured to perform functions of a vehicle such as propulsion, braking and steering and a secondary controller configured in a redundant configuration with the primary controller. The controllers may perform cross-checks of each other and may each perform internal self-checks as well. Additionally, the system may include a control module configured to transfer control of the vehicle between the controllers based on detecting a fault. The control module may detect a common fault of the controllers that causes the control module to output a common fault signal. In response, the system may transfer of control to a safety controller configured to perform the vehicle functions until the system may transfer control back to the primary controller.

64 Citations

View as Search Results

18 Claims

1. A system comprising:
- a primary controller configured to perform functions associated with control of operation of a vehicle including vehicle propulsion, braking and steering;
  
  a secondary controller configured in a redundant configuration as the primary controller, wherein the primary controller and the secondary controller are configured to operate based on execution of a first set of logic and perform cross-checks of each other;
  
  a control module configured to transfer control of operation of the vehicle between the primary controller and the secondary controller based on a detected fault at one of the primary controller and the secondary controller, wherein the control module is further configured to detect a common fault of the primary controller and the secondary controller and the control module is configured to responsively output a common fault signal;
  
  a safety controller coupled to the control module configured to operate based on execution of a second set of logic independent of operation of the primary controller and the secondary controller, and based on receiving the common fault signal the safety controller is configured to receive transfer of control of operation of the vehicle; and
  
  to perform functions associated with control of operation of the vehicle including vehicle braking.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the common fault is based on an error in execution of the first set of logic.
  - 3. The system of claim 1, wherein the first set of logic includes instructions for control of operation of the vehicle including vehicle propulsion, braking and steering, and the second set of logic includes instructions for control of operation of the vehicle including vehicle braking.
  - 4. The system of claim 1, wherein the safety controller is further configured to:
    - determine a state of operation of the vehicle; and
      
      based on the state of operation, perform functions associated with control of operation of the vehicle including vehicle braking.
  - 5. The system of claim 1, wherein the safety controller is further configured to:
    - determine a state of operation of the vehicle; and
      
      based on the state of operation, perform all functions associated with control of operation of the vehicle as were performed by the primary controller and the secondary controller.
  - 6. The system of claim 1, further comprising a reset module configured to:
    - reset the primary controller and the secondary controller based on detection of the common fault; and
      
      transfer control of operation of the vehicle from the safety controller to the primary controller after reset.
  - 7. The system of claim 1, wherein only one of the primary controller, the secondary controller, and the safety controller are set to be in control of operation of the vehicle at any given time.
  - 8. The system of claim 1, wherein the control module is further configured to:
    - provide a notification indicating the detected common fault; and
      
      based on receiving an input signal, transfer control of operation of the vehicle to a human driver.
  - 9. The system of claim 8, wherein the control module is configured to reset the primary controller and the secondary controller based on transfer of control of operation of the vehicle to the human driver.
  - 10. The system of claim 1, wherein the vehicle is configured to operate in an autonomous manner.

11. A method comprising:
- providing instructions, by a primary controller, to perform functions associated with control of operation of a vehicle including vehicle propulsion, braking and steering;
  
  providing a secondary controller configured in a redundant configuration as the primary controller, wherein the primary controller and the secondary controller are configured to operate based on execution of a first set of logic and perform cross-checks of each other and to reset based on a detected fault at one of the primary controller and the secondary controller;
  
  transferring control of operation of the vehicle between the primary controller and the secondary controller based on the detected fault at one of the primary controller and the secondary controller;
  
  outputting a common fault signal based on detection of a common fault of the primary controller and the secondary controller;
  
  based on the common fault signal, transferring control of operation of the vehicle by the primary controller to a safety controller that is configured to operate based on execution of a second set of logic independent of operation of the primary controller and the secondary controller; and
  
  performing functions associated with control of operation of the vehicle at the safety controller including vehicle braking.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, wherein transferring control of operation of the vehicle to a safety controller that is configured to perform functions associated with control of operation of the vehicle including vehicle braking comprises:
    - transferring control of operation of the vehicle to a plurality of safety controllers, wherein a given safety controller of the plurality of safety controllers is configured to perform a respective function associated with control of operation of the vehicle.
  - 13. The method of claim 11, further comprising:
    - determining a state of operation of the vehicle; and
      
      based on the state of operation, performing all functions associated with control of operation of the vehicle as were performed by the primary controller and the secondary controller.
  - 14. The method of claim 11, wherein the common fault of the primary controller and the secondary controller causes the primary controller and the secondary controller to reset.
  - 15. The method of claim 11, further comprising:
    - resetting the primary controller and the secondary controller based on detection of the common fault; and
      
      transferring control of operation of the vehicle from the safety controller to the primary controller after reset.

16. A non-transitory computer readable medium having stored therein instructions, that when executed by a computing device, cause the computing device to perform functions comprising:
- receiving outputs of a primary controller and a secondary controller, wherein the primary controller is configured to perform functions associated with control of operation of a vehicle including vehicle propulsion, braking and steering, and the secondary controller is configured in a redundant configuration as the primary controller, wherein the primary controller and the secondary controller are configured to operate based on execution of a first set of logic and perform cross-checks of each other;
  
  providing instructions to transfer control of operation of the vehicle between the primary controller and the secondary controller based on receiving a given output indicative of a detected fault at one of the primary controller and the secondary controller;
  
  providing instructions to transfer control of operation of the vehicle from the primary controller to a safety controller based on detection of a common fault of the primary controller and the secondary controller, wherein the safety controller is configured to operate based on execution of a second set of logic independent of operation of the primary controller and the secondary controller; and
  
  performing functions associated with control of operation of the vehicle at the safety controller including vehicle braking.
- View Dependent Claims (17, 18)
- - 17. The non-transitory computer readable medium of claim 16, wherein the primary controller and the secondary controller are further configured to perform internal self-checks to determine whether one or both of the primary controller and the secondary controller provide outputs indicative of a detected fault.
  - 18. The non-transitory computer readable medium of claim 16, wherein the instructions to transfer control of operation of the vehicle to a safety controller based on detection of a common fault of the primary controller and the secondary controller comprise:
    - instructions to transfer control of operation of the vehicle to a plurality of safety controllers configured to operate in a redundant configuration.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Egnor, Daniel Trawick, Zbrozek, Alexander, Schultz, Andrew
Primary Examiner(s)
Shafi, Muhammad

Application Number

US14/172,906
Time in Patent Office

657 Days
Field of Search

701/23, 701/28
US Class Current

1/1
CPC Class Codes

B60W 10/184   with wheel brakes

B60W 10/20   including control of steeri...

B60W 50/023   Avoiding failures by using ...

G05D 1/0055   with safety arrangements

G05D 1/0077   using redundant signals or ...

Methods and systems for compensating for common failures in fail operational systems

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

64 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for compensating for common failures in fail operational systems

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

64 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links