This application claims benefit to German Patent Application No. DE 10 2023 124 705.0, filed on Sep. 13, 2023, which is hereby incorporated by reference herein.
The present invention relates to a control unit for a control system of a vehicle, to a steering actuator for a vehicle, to a vehicle, to a method for a control system of a vehicle, and to a computer program.
Today's control systems require a high automotive safety integrity level (ASIL) and therefore design-specific measures such as redundant chains of subcomponents, signal paths and functional paths. Such systems, and even their subsystems, are often designed with insufficient protection against manipulation in the sense of cyber security (hardware and software protection). Wiring harness connections in particular are poorly protected and pose a risk of signal manipulation once a connector has been released.
For example, a communication path is based on a bidirectional bus system (SENT = single edge nibble transmission), with address-synchronized communication as follows (simplified). In the event of a “manipulation of steering behavior”, the connector of a redundant signal connection could be released so that a trigger sensor signal could be read out of the control system and a manipulated signal induced into the control system by bringing the open connector into contact with an external hardware component (for example a signal generator). Depending on the internal diagnostics of the control system, this modification may remain undetected and lead to safety-critical faults.
In an embodiment, the present disclosure provides a control unit for a control system of a vehicle, comprising a first interface, a second interface, and a data processing circuit. The data processing circuit is configured to control the first interface and the second interface, transmit a verification signal, wherein the verification signal is indicative of a verification parameter, and receive the verification parameter. The verification signal is transmitted via the first interface and the verification parameter is received via the second interface.
Subject matter of the present disclosure will be described in even greater detail below based on the exemplary figures. All features described and/or illustrated herein can be used alone or combined in different combinations. The features and advantages of various embodiments will become apparent by reading the following detailed description with reference to the attached drawings, which illustrate the following:
In an embodiment, the present invention enables improved monitoring of a control system.
The foregoing is achieved by a control unit for a control system of a vehicle, a steering actuator for a vehicle, a vehicle, a method for a control system of a vehicle, and a computer program in accordance with the present disclosure.
A first aspect of the present disclosure provides a control unit for a control system of a vehicle. The control unit comprises a first interface and a second interface. The control unit furthermore comprises a data processing circuit which is designed to control the first interface and the second interface. The data processing circuit is furthermore designed to transmit a verification signal indicative of a verification parameter and to receive the verification parameter. The verification signal is transmitted via the first interface and the verification parameter is received via the second interface. The first interface and the second interface are two separate interfaces. Transmitting the verification signal via the first interface and receiving the verification parameter via the second interface means that correct contact-connection of the first interface and the second interface can be verified. For example, the control unit can determine a specific assignment of the first interface and the second interface for transmitting the verification signal and receiving the verification parameter. Accordingly, the control unit can transmit the verification signal specifically via the first interface and expect reception of the verification parameter via the second interface. If a manipulation is carried out, for example an external hardware component is connected to the first interface or the second interface, the external hardware component may lack information about which interface is to be used to return the verification parameter. Accordingly, a possible manipulation, for example connection of an external device, can be determined if the verification parameter is not received via the second interface.
In an exemplary embodiment, the data processing circuit can be designed to deactivate a part of the control system if the verification parameter is not received via the second interface within a predefined time after transmission. Deactivating a part of the control system can prevent misuse. For example, it is possible to prevent data from being read out of and/or imported into that part of the control system.
In an exemplary embodiment, the first interface and the second interface can be comprised by an interface module. The control unit can furthermore comprise a further interface module comprising a further interface. The data processing circuit can be designed to transmit a further verification signal indicative of a further verification parameter via the further interface. Furthermore, the data processing circuit can be designed to receive the further verification parameter via the interface module. The first interface and the second interface can be comprised by a hardware component, for example a connector. For example, the hardware component can include two pins, that is to say the first interface and the second interface. For example, redundancy in the signal transmission can be established by using a further interface module. Protection against manipulation can be improved based on this redundancy. In particular, it is possible to verify that a plurality of interface modules have not been manipulated. Reception of the further verification parameter via the interface module makes it possible in particular to verify whether the further interface module is connected correctly. In the event of a manipulation of the further interface module, for example removal of a connector from the further interface module, the further verification parameter can no longer be received via the interface module. The use of the further interface module together with the interface module can therefore improve the security of the control system.
In an exemplary embodiment, the further verification parameter can be received via the second interface or a third interface. For example, the further verification parameter can be received together with the verification parameter via the second interface of the interface module. This can simplify the configuration of the interface module. As an alternative, the further verification parameter can be received via a third interface of the interface module. In particular, the control unit can determine an assignment of the third interface for receiving the further verification parameter. This enables the control unit to verify whether the further verification parameter has been received via the correct interface. This can increase the security of the control system.
In an exemplary embodiment, the part of the control system that correlates to the verification parameter or the further verification parameter can be deactivated if the verification parameter or the further verification parameter is not received via the interface module within a predefined time after transmission. This enables a part of the control system to be disconnected selectively. For example, if the control unit does not receive the further verification parameter, it can selectively deactivate the part of the control system connected to the further interface module.
In an exemplary embodiment, the data processing circuit can be designed to enable data transmission of sensor data via the interface module only after reception of the verification parameter. This can ensure that information is not exchanged until the security of the connection has been verified.
A second aspect of the present disclosure provides a steering actuator for a vehicle comprising a control unit as described above. The control unit can thus be comprised by a steering actuator, for example a steering axle or a steering wheel. This can improve the security of the configuration of a vehicle's on-board electrical system.
A third aspect of the present disclosure provides a vehicle having a control unit as described above or a steering actuator as described above. In the case of a vehicle, the control unit has the advantage that the security of a vehicle's on-board electrical system can be increased.
A fourth aspect of the present disclosure provides a method for a control unit for a control system of a vehicle. The method comprises transmission of a verification signal via a first interface, the verification signal being indicative of a verification parameter. The method also comprises reception of the verification parameter via a second interface. The first interface is different from the second interface.
A fifth aspect of the present disclosure provides a computer program. The computer program is for carrying out a method described above when the computer program runs on a computer, a processor, or a programmable hardware component.
The present disclosure is to be described in the following text purely by way of example with reference to the accompanying figures.
The verification signal can be based on a request signal exchanged as standard between a control unit and another component of the vehicle. For example, in some communication protocols, in particular those based on a request-response basis, a type of coding or identification code can be transmitted with it. This coding or the identification code can be used to identify a request and to ensure that the component, for example a sensor, and/or the control unit are exchanging the correct data.
A control unit can transmit a request, that is to say a request signal, to a particular sensor. This request can be a particular query for specific data required by the control unit. The request can include a coding or identification code that indicates which sensor the request concerns and what type of data is expected. The sensor can receive the request, decode it, evaluate the identification code and determine which data are requested. The sensor can then respond with the requested data, which can also be coded or in a specific format. This form of transfer can be used in particular in bidirectional bus systems.
The verification signal can extend a request signal to include the verification parameter. For example, the verification signal includes a request signal from the prior art and the verification parameter. In particular, the verification parameter need not be a coding of a request for data; it can be used solely to verify the connectivity between the control unit 130 and another component, for example a sensor, and need not be associated with the request for data at all. The control unit 130 can thus receive via the second interface 134b the same verification parameter that was transmitted via the first interface 134a.
Accordingly, the data processing circuit 132 is furthermore designed to receive the verification parameter. A verification parameter can be a value, an identifier or a data structure. The verification parameter can be used in a communication process to verify the integrity, correctness and/or authenticity of a connection. The verification parameter can be used to verify a correct connection between the control unit 130 and another component of the vehicle.
The verification signal is transmitted via the first interface 134a and the verification parameter is received via the second interface 134b. The first interface 134a and the second interface 134b are two separate interfaces.
The verification signal and the verification parameter can thus be used in particular to verify a hardware configuration of the control unit 130 or of the control system. For example, the control unit 130 can be used to identify whether a component of the control system connected to the control unit 130, for example a part of the on-board electrical system of a vehicle, has been removed from the control unit 130. For example, a release or removal of a connector (for example by removing a wiring harness) can be detected by means of the control unit 130. Detecting a release of a connector can help to increase the security of the vehicle or of the control system of the vehicle. In particular, a hardware-based manipulation can be made more difficult. The control unit 130 can be used to identify decoupling of a connection system, for example a wiring harness. Furthermore, access to the control unit 130 using manipulated signals can be prevented.
The control unit 130 can build on the existing signal path structure and the existing information exchange process as described with reference to
The use of the control unit 130 can particularly protect wiring harness paths of a vehicle that are connected to other components (for example a steering sensor, a steering actuator, an ambient sensor). This ensures fault-tolerant performance with secure data transfer. In particular, fault-tolerant, redundant performance with secure data transfer can be ensured by using the further verification parameter.
In one exemplary embodiment, the data processing circuit 132 can be designed to deactivate a part of the control system if the verification parameter is not received via the second interface within a predefined time after transmission. For example, the part of the control system that belongs to the control unit 130 can be deactivated. This means that the control unit 130 can be at least partially deactivated. As an alternative, the control unit 130 can be completely deactivated. Optionally or alternatively, a further control unit of the control system can be at least partially deactivated based on the at least partial deactivation of the control unit 130. For example, the further control unit can be responsible for the same processes or can handle the same processes as the control unit 130. This means that the further control unit can be a redundant control unit in relation to the control unit 130. If a possible manipulation of the control unit 130 is detected, the redundant further control unit can also be at least partially, in particular completely, deactivated as a precaution. This can increase the security of the control system.
In an exemplary embodiment, the first interface 134a and the second interface 134b can be comprised by an interface module. The interface module can be a hardware-based component. The first interface 134a and the second interface 134b can converge in the interface module. For example, the interface module can include a housing for the first interface and the second interface. Releasing the interface module can simultaneously release the first interface 134a and the second interface 134b. For example, the interface module can be a connector, for example a bus connector, a plug-in connector and/or a hybrid plug-in connector.
The control unit 130 can furthermore comprise a further interface module comprising a further interface. The further interface module can be formed separately from the interface module. This means that the interface module can be a first hardware component and the further interface module can be a second hardware component. The interface module and the further interface module can be connected separately to the control system of the vehicle.
The data processing circuit 132 can be designed to transmit a further verification signal indicative of a further verification parameter via the further interface. Furthermore, the data processing circuit 132 can be designed to receive the further verification parameter via the interface module. Transmitting a further verification signal via the further interface module makes it possible to verify a correct connection of the interface module and/or of the further interface module.
Optionally or alternatively, the control unit 130 can be used to detect a defect in the first interface 134a and/or the second interface 134b. For example, the first interface 134a, which is assigned to transmitting the verification signal, can be a connector pin that is no longer functional. In a redundant arrangement, the control unit 130 could then still receive the further verification parameter but no longer receive the verification parameter. Receiving only the further verification parameter could thus be indicative of a malfunction of the first interface 134a.
By using the further verification parameter, the control unit 130 can thus verify the individual interfaces at least partially independently of one another. For example, the control unit 130 can receive only the further verification parameter via the second interface 134b. This enables the control unit 130 to determine that the first interface 134a, via which the verification signal is transmitted, may not be functioning correctly. The control unit 130 could thus selectively detect a failure of an individual interface.
Using the further verification parameter can maintain a fault-tolerant strategy for a redundant signal path. Furthermore, the redundancy of the control system can be maintained in “normal” operating mode.
In an exemplary embodiment, the further verification parameter can be received via the second interface 134b or via a third interface. For example, the further verification parameter can be combined with the verification parameter by multiplexing and received together with it via the second interface 134b. As an alternative, a third interface of the control unit 130 can be used to receive the further verification parameter. For example, the third interface can be a dedicated processor sense port for receiving the further verification parameter. In this case, the second interface 134b can be a dedicated processor sense port for receiving the verification parameter.
In an exemplary embodiment, the part of the control system that correlates to the verification parameter or the further verification parameter can be deactivated if the verification parameter or the further verification parameter is not received via the interface module within a predefined time after transmission. This means that control unit 130 can be at least partially deactivated if the verification parameter or the further verification parameter is not received. As an alternative, the control unit 130 can be completely deactivated.
In an exemplary embodiment, the data processing circuit 132 can be designed to enable data transmission of sensor data via the interface module only after reception of the verification parameter. This can ensure that information is not exchanged until the security of the connection has been verified.
As shown in
In an embodiment, the control unit 130 can comprise a memory 136 and at least one data processing circuit 132 which is functionally coupled to the memory 136 and configured to carry out the method described below.
In examples, the interface 134 can correspond to any means of obtaining, receiving, transferring or providing analog or digital signals or information, for example any terminal, contact, pin, register, input terminal, output terminal, conductor, track, etc., that allows the provision or obtaining of a signal or a piece of information. The interface 134 can be wireless or wired and can be configured to be able to communicate with other internal or external components, for example can transmit or receive signals or information.
Even if the exemplary embodiments describe that the verification signal also includes data other than the verification parameter, the verification signal is not restricted to this. As an alternative, the verification signal may not be based on a request signal of the prior art. For example, the verification signal may only include the verification parameter. This means that the verification parameter can be transmitted separately from other data, for example a data request.
The control unit can be a central control device of a vehicle or can be comprised thereby.
As can be seen in
As shown in
Each verification parameter can be returned via both wiring harnesses 360, 362. The control unit 300 can check the verification parameters received at the “sense” ports, that is to say at the assigned interfaces 380, 382, against the assignment and against the values it transmitted. If the verification parameters have been received at the correct interfaces, the control unit 300 can enable the data request and the sensor data transfer. This allows data to be exchanged.
Only the signal transmission, power supply 306 and ground (GND) connections 308 are shown for the purpose of illustration.
An induced verification parameter on the sense line is likewise not accepted by the control unit 300, because the verification parameter is generated randomly and can also be checked internally in the control unit against the value that was transmitted.
Removing both wiring harnesses 360, 362 can block both drive stages and prevent all communication. The control unit 300 can then switch to a secure mode, for example go offline. The control unit 300 can thus be fully deactivated.
The control unit 300 can also detect the loss of a connector or the improper insertion of a connector. As a result, a faulty connection cannot affect the fault-tolerant strategy and the diagnostics integrated in the control unit 300 during operation.
For example, a single defective interface can also be identified selectively. For example, the control unit can receive both verification parameters via the second interface module 398, but via the first interface module receive only the first verification parameter, at the second interface 380. Accordingly, the control unit 300 could determine that the third interface 382 is defective.
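As an added example, not part of the patent text, the following Python simulation models the check described for the first aspect above (transmission via the first interface, expected reception via the second interface within a predefined time, selective deactivation, and enabling of sensor data only after verification) together with the two-harness embodiment with sense ports 380, 382 and 398: a random verification parameter is generated per cycle for each interface module, each parameter is returned via both harnesses, and the control unit compares what arrives at each sense port against the assignment and against the values it itself generated. The module and port names (A, B, A.s1, A.s2, B.s1, B.s2), the 4-byte parameter length, the millisecond delays and the `harness` callable standing in for the wiring are assumptions made for this example.

```python
"""Simulation of the verification-parameter handshake (added example, not from
the patent). Assumed: module/port names, 4-byte random parameters, ms delays,
and the `harness` callable standing in for the wiring harnesses."""
import secrets
from enum import Enum


class Verdict(Enum):
    OK = "ok"                    # parameter returned on its assigned sense port
    PIN_DEFECT = "pin_defect"    # one sense port silent while the others answer
    MODULE_OPEN = "module_open"  # nothing returned: connector released or removed
    INDUCED = "induced_value"    # a value arrived that this unit never generated
    WRONG_PORT = "wrong_port"    # a parameter of this cycle arrived on a foreign port


class ControlUnit:
    def __init__(self, assignment, timeout_ms=20):
        self.assignment = assignment  # sense_port -> (owning_module, sending_module)
        self.timeout_ms = timeout_ms
        self.active = {owner for owner, _ in assignment.values()}
        self.data_enabled = set()     # modules cleared for sensor data transfer
        self.offline = False          # secure mode once every module is deactivated

    def ports_of(self, module):
        return [p for p, (owner, _) in self.assignment.items() if owner == module]

    def run_cycle(self, harness):
        """One cycle: fresh random parameter per sending module, read the sense
        ports within the timeout, classify each active module. `harness(nonces)`
        returns a list of (sense_port, value, delay_ms) arrivals."""
        nonces = {src: secrets.token_bytes(4) for _, src in self.assignment.values()}
        seen = {}
        for port, value, delay in harness(nonces):
            if delay <= self.timeout_ms:  # late arrivals count as absent
                seen.setdefault(port, []).append(value)

        def port_state(port):
            values = seen.get(port, [])
            if not values:
                return "missing"
            if nonces[self.assignment[port][1]] in values:
                return "ok"
            if any(v in nonces.values() for v in values):
                return "wrong"  # a parameter of this cycle, but not the assigned one
            return "bad"        # internal check: no value this unit generated

        state = {p: port_state(p) for p in self.assignment}
        opened = {m for m in self.active
                  if all(state[p] == "missing" for p in self.ports_of(m))}
        verdicts = {}
        for module in sorted(self.active):
            # A parameter whose sender is itself open was never transmitted, so its
            # absence is explained and not a defect of this module's sense port.
            relevant = [state[p] for p in self.ports_of(module)
                        if not (state[p] == "missing" and self.assignment[p][1] in opened)]
            if module in opened:
                verdicts[module] = Verdict.MODULE_OPEN
            elif "bad" in relevant:
                verdicts[module] = Verdict.INDUCED
            elif "wrong" in relevant:
                verdicts[module] = Verdict.WRONG_PORT
            elif "missing" in relevant:
                verdicts[module] = Verdict.PIN_DEFECT
            else:
                verdicts[module] = Verdict.OK
        for module, verdict in verdicts.items():
            if verdict is Verdict.OK:
                self.data_enabled.add(module)  # sensor data only after verification
            else:
                self.data_enabled.discard(module)
                if verdict is not Verdict.PIN_DEFECT:  # single pin: redundant path remains
                    self.active.discard(module)        # selective deactivation
        self.offline = not self.active
        return verdicts


# Constructed topology: two modules, each parameter returned via both harnesses.
ASSIGNMENT = {"A.s1": ("A", "A"), "A.s2": ("A", "B"),
              "B.s1": ("B", "A"), "B.s2": ("B", "B")}
ROUTES = {"A": ["A.s1", "B.s1"], "B": ["A.s2", "B.s2"]}


def make_harness(routes=ROUTES, open_ports=(), open_modules=(), inject=(), delay_ms=5):
    """Constructed wiring model: a released module connector cuts both its
    transmission and its sense ports; `inject` adds attacker-driven values."""
    def harness(nonces):
        arrivals = [(port, nonces[src], delay_ms)
                    for src in routes if src not in open_modules
                    for port in routes[src]
                    if port not in open_ports and port.split(".")[0] not in open_modules]
        return arrivals + [(port, value, 1) for port, value in inject]
    return harness


def scenario(**wiring):
    """Run one cycle on a fresh unit: (verdicts, modules cleared for data, offline)."""
    unit = ControlUnit(ASSIGNMENT)
    verdicts = unit.run_cycle(make_harness(**wiring))
    return {m: v.value for m, v in verdicts.items()}, sorted(unit.data_enabled), unit.offline
```

`scenario()` with intact wiring clears both modules for sensor data. `scenario(open_modules=("B",))` reports module B as open and deactivates it while A stays verified, because the missing further parameter at A.s2 is explained by B never having transmitted it; `scenario(open_ports=("A.s2",))` with B intact is instead reported as a defect of A's single sense pin, which is the selective identification described above. An attacker who cuts the return path to A.s1 and drives a value onto it (`scenario(open_ports=("A.s1",), inject=(("A.s1", bytes(4)),))`) is rejected by the internal comparison against the values the unit generated, swapped harnesses produce the wrong-port verdict, and arrivals after the timeout count as absent so that removing both harnesses or delaying the return takes the unit offline. The model assumes the adversary does not observe the parameter on the transmitting interface; a value that is fresh in every cycle and a short timeout are what limit a replay of an observed value.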
Further exemplary embodiments are computer programs for carrying out a method described herein when the computer program runs on a computer, a processor, or a programmable hardware component. Depending on specific implementation requirements, exemplary embodiments of the present disclosure can be implemented in hardware or in software. The implementation can be carried out using a digital storage medium, for example a floppy disk, a DVD, a Blu-ray disc, a CD, a ROM, a PROM, an EPROM, an EEPROM or a FLASH memory, a hard disk, or another magnetic or optical memory which stores electronically readable control signals that can interact, or do interact, with a programmable hardware component in such a way that the respective method is carried out.
While subject matter of the present disclosure has been illustrated and described in detail in the drawings and foregoing description, such illustration and description are to be considered illustrative or exemplary and not restrictive. Any statement made herein characterizing the invention is also to be considered illustrative or exemplary and not restrictive as the invention is defined by the claims. It will be understood that changes and modifications may be made, by those of ordinary skill in the art, within the scope of the following claims, which may include any combination of features from different embodiments described above.
The terms used in the claims should be construed to have the broadest reasonable interpretation consistent with the foregoing description. For example, the use of the article “a” or “the” in introducing an element should not be interpreted as being exclusive of a plurality of elements. Likewise, the recitation of “or” should be interpreted as being inclusive, such that the recitation of “A or B” is not exclusive of “A and B,” unless it is clear from the context or the foregoing description that only one of A and B is intended. Further, the recitation of “at least one of A, B and C” should be interpreted as one or more of a group of elements consisting of A, B and C, and should not be interpreted as requiring at least one of each of the listed elements A, B and C, regardless of whether A, B and C are related as categories or otherwise. Moreover, the recitation of “A, B and/or C” or “at least one of A, B or C” should be interpreted as including any singular entity from the listed elements, e.g., A, any subset from the listed elements, e.g., A and B, or the entire list of elements A, B and C.
Number | Date | Country | Kind |
---|---|---|---|
10 2023 124 705.0 | Sep 2023 | DE | national |