Patent Application
20240161556
The present disclosure relates to a fault remediation system for a vehicle, and more particularly to a fault remediation system for selecting a remediation state from a group of two or more prospective remediation states. The selected remediation state addresses an active fault of a consumed signal.
Many vehicles include a modular control system architecture, which discretizes functions into subfunctions to achieve overarching control objectives. While a modular control system architecture may facilitate development and testing, there are challenges the modular control system architecture faces when attempting to address corrupted data. Specifically, for example, one or more sensors that collect data consumed and analyzed by a vehicle motion control system may experience a fault. Corrupted sensor data may be propagated throughout the vehicle motion controller to downstream functions, which in turn may create issues such as preemptively aborting a control function, limiting vehicle control capability, or relying on worst-case remedial actions. For example, an electronic all-wheel-drive (eAWD) controller relies upon data collected by a steering angle sensor. There is a possibility that the eAWD controller may be deactivated in response to the steering angle sensor experiencing a fault, which may adversely affect a customer's experience. In addition to the eAWD controller, other vehicle motion controllers such as an electronic limited slip differential (eLSD) controller may be deactivated to remediate corrupted data as well.
Thus, while systems based on a modular control system architecture achieve their intended purpose, there is a need in the art for an improved approach to address and remediate corrupted data.
According to several aspects, a fault remediation system for a vehicle is disclosed, and includes one or more controllers in electronic communication with one or more consumed interfaces and one or more provided interfaces. The one or more controllers execute instructions to receive, from the one or more consumed interfaces, a consumed signal. The one or more controllers perform fault detection upon the consumed signal to determine the presence of an active fault within the consumed signal. In response to detecting an active fault with the consumed signal, the one or more controllers select a remediation state from a group of two or more prospective remediation states based on a significance analysis of the consumed signal, where the remediation state addresses the active fault of the consumed signal. The one or more controllers evaluate a relevant subfunction that corresponds to the consumed signal that the remediation state addresses for the presence of remediation tolerance. The one or more controllers generate arbitration instructions based on the remediation tolerance and execute the relevant subfunction that corresponds to the consumed signal that the remediation state addresses based on the arbitration instructions.
In another aspect, the group of prospective remediation states include two or more of the following: a related interface state, a secondary interface state, a fault-tolerant logic state, a last known good value state, and a constant value state.
In yet another aspect, the related interface state includes transitioning the consumed signal to a remediated signal, and where the remediated signal is derived from a source that measures the same parameter as the one or more consumed interfaces that generate the consumed signal.
In an aspect, the secondary interface state includes transitioning from the consumed signal to a remediated signal, wherein the remediated signal is derived from one or more sources that measure another parameter than the consumed signal.
In another aspect, the fault-tolerant logic state includes transitioning from the consumed signal to a remediated signal, where the remediated signal is derived by combining two or more signals together.
In yet another aspect, the two or more signals are each generated by a source that is not the consumed interface that generates the consumed signal.
In an aspect, the last known good value state includes latching a last known value of the consumed signal prior to detecting the active fault, wherein the last known value is the remediated signal.
In another aspect, the constant value state includes converging from the consumed signal to a constant value in response to detecting the active fault, where the constant value is the remediated signal.
In yet another aspect, the significance analysis selects the remediation state based on one or more of the following: an importance of the consumed signal upon a relevant subfunction, a driving state of the vehicle, and the presence of one or more alternative signals utilized to calculate a remediated signal.
In an aspect, the one or more controllers execute instructions to determine the remediation tolerance is absent in the relevant subfunction, and in response to determining the remediation tolerance is absent in the relevant subfunction, generate arbitration instructions that instruct the one or more controllers to deactivate the relevant subfunction.
In yet another aspect, the one or more controllers execute instructions to determine the remediation tolerance is present in the relevant subfunction, and in response to determining the remediation tolerance is present in the relevant subfunction, generate arbitration instructions instructing the one or more controllers to consume the remediated signal in place of the consumed signal.
In an aspect, the one or more controllers execute instructions to determine a level of operation for the relevant subfunction based on the arbitration instructions and execute the relevant subfunction based on the level of operation.
In another aspect, the level of operation for the relevant subfunction is selected from the following: a fully functional level, a remediated level, and a deactivated level.
In yet another aspect, the one or more controllers execute instructions to filter the consumed signal by adjusting values of one or more filter coefficients based on a health of the consumed signal.
In an aspect, a method for addressing an active fault by a fault remediation system includes receiving, from one or more consumed interfaces, a consumed signal. The method includes performing, by one or more controllers, fault detection upon the consumed signal to determine the presence of an active fault within the consumed signal. In response to detecting an active fault with the consumed signal, the method includes selecting a remediation state from a group of two or more prospective remediation states based on a significance analysis of the consumed signal, where the remediation state addresses the active fault of the consumed signal. The method includes evaluating a relevant subfunction that corresponds to the consumed signal that the remediation state addresses for the presence of remediation tolerance. The method includes generating arbitration instructions based on the remediation tolerance. Finally, the method includes executing the relevant subfunction that corresponds to the consumed signal that the remediation state addresses based on the arbitration instructions.
In another aspect, a vehicle is disclosed and includes a fault remediation system including one or more consumed interfaces, one or more provided interfaces, and one or more controllers in electronic communication with the one or more consumed interfaces and the one or more provided interfaces. The one or more controllers execute instructions to receive, from the one or more consumed interfaces, a consumed signal. The one or more controllers perform fault detection upon the consumed signal to determine the presence of an active fault within the consumed signal. In response to detecting an active fault with the consumed signal, the one or more controllers select a remediation state from a group of two or more prospective remediation states based on a significance analysis of the consumed signal, where the remediation state addresses the active fault of the consumed signal. The one or more controllers evaluate a relevant subfunction that corresponds to the consumed signal that the remediation state addresses for the presence of remediation tolerance. The one or more controllers generate arbitration instructions based on the remediation tolerance and determine a level of operation for the relevant subfunction based on the arbitration instructions, where the level of operation for the relevant subfunction is selected from the following: a fully functional level, a remediated level, and a deactivated level. The one or more controllers execute the relevant subfunction that corresponds to the consumed signal that the remediation state addresses based on the arbitration instructions and the level of operation.
In an aspect, the group of prospective remediation states include two or more of the following: a related interface state, a secondary interface state, a fault-tolerant logic state, a last known good value state, and a constant value state.
In another aspect, the significance analysis selects the remediation state based on one or more of the following: an importance of the consumed signal upon a relevant subfunction, a driving state of the vehicle, and the presence of one or more alternative signals utilized to calculate a remediation signal.
In yet another aspect, the one or more controllers execute instructions to determine the remediation tolerance is absent in the relevant subfunction, and in response to determining the remediation tolerance is absent in the relevant subfunction, generate arbitration instructions that instruct the one or more controllers to deactivate the relevant subfunction.
In an aspect, the one or more controllers execute instructions to determine the remediation tolerance is present in the relevant subfunction and in response to determining the remediation tolerance is present in the relevant subfunction, generate arbitration instructions instructing the one or more controllers to consume the remediated signal in place of the consumed signal.
Further areas of applicability will become apparent from the description provided herein. It should be understood that the description and specific examples are intended for purposes of illustration only and are not intended to limit the scope of the present disclosure.
The drawings described herein are for illustration purposes only and are not intended to limit the scope of the present disclosure in any way.
The following description is merely exemplary in nature and is not intended to limit the present disclosure, application, or uses.
Referring to
In one non-limiting embodiment, the one or more controllers 20 are part of a vehicle motion control system. In this embodiment, the one or more consumed interfaces 22 include, but are not limited to, an inertial measurement unit (IMU), a steering angle sensor, wheel speed sensors, wheel-to-body sensors, and a global positioning system (GPS). In the present example, the one or more provided interfaces 24 include, but are not limited to, an electronic all-wheel-drive (eAWD) system 26 and an electronic limited slip differential (eLSD) system 28. It is to be appreciated that while the fault remediation system 10 is illustrated as part of a motion control system for the vehicle 12,
Referring to
After performing signal processing, the signal processing module 42 performs fault detection upon the consumed signal 60 to determine the presence of an active fault within the consumed signal 60. In response to detecting an active fault with the consumed signal 60, the signal processing module 42 sends the consumed signal 60 to the remediation module 44. The remediation module 44 of the one or more controllers 20 selects a remediation state from a group of two or more prospective remediation states based on a significance analysis of the consumed signal 60. The significance analysis of the consumed signal 60 is described below. The remediation state addresses the active fault of the consumed signal 60. In one non-limiting embodiment, the group of prospective remediation states include a related interface state, a secondary interface state, a fault-tolerant logic state, a last known good value state, and a constant value state. However, it is to be appreciated that the group of prospective remediation states may include fewer prospective remediation states or additional prospective remediation states as well.
The related interface state includes transitioning the consumed signal 60 to a remediated signal 80, where the remediated signal 80 is derived from a source that measures the same parameter as the consumed interface 22 (
The secondary interface state includes transitioning from the consumed signal 60 to a remediated signal 80, where the remediated signal 80 is derived from one or more sources that measure another parameter than the consumed signal 60. In the present example, if the consumed signal 60 is generated by one of the wheel speed sensors that are part of the vehicle 12, then the remediated signal 80 would be generated based on an estimated wheel or axle torque value from the same axle as the wheel speed sensor.
The fault-tolerant logic state includes transitioning from the consumed signal 60 to a remediated signal 80, where the remediated signal 80 is derived by combining two or more signals together. The two or more signals are each generated by a source that is not the consumed interface 22 (
The last known good value state includes latching a last known value of the consumed signal 60 prior to detecting the active fault, where the last known value is the remediated signal 80. For example, if the consumed signal 60 is yaw rate, then the last known value prior to detecting the active fault for the yaw rate may be used as the remediated signal 80. Finally, the constant value state includes converging from the consumed signal 60 to a constant value in response to detecting the active fault, where the constant value is the remediated signal 80. The calibrated constant value is a predetermined value that does not interfere with the remaining subfunctions 52 that are executed by the function module 48.
The remediation module 44 selects the remediation state from the group of two or more prospective remediation states based on the significance analysis. The significance analysis selects the remediation state based on one or more of the following: an importance of the consumed signal 60 upon a relevant subfunction 52, a driving state of the vehicle 12 (
The importance of the consumed signal 60 upon a relevant subfunction 52 is determined based on the specific function that the consumed signal 60 instructs the vehicle 12 to execute, where some specific functions are of greater importance than other functions. For example, if the consumed signal 60 indicates a total loss of wheel slip control function, then the specific function is wheel slip control, and the remediation module 44 selects a remediation state that addresses the wheel slip. In contrast, if the consumed signal 60 indicates a partial loss of lateral control, then the remediation module 44 would select a remediation state that address the partial loss of lateral control. The driving state of the vehicle 12 indicates a behavior of the vehicle 12 during operation. In an embodiment, the driving states of the vehicle 12 are selected from steady-state conditions and dynamic conditions. The dynamic conditions may vary in degree, where a highly dynamic condition indicates the vehicle 12 travels at high speed and/or the vehicle 12 executes maneuvers in a relatively short period of time. When the driving state indicates steady-state conditions, the remediation module 44 selects a remediation state that retains the current control state of the vehicle 12 such as the last known good value state or the constant value state. When the driving state indicates a highly dynamic condition, then the remediation module 44 selects a remediation state that retains the current control state of the vehicle such as the last known good value state for a predetermined amount of time. For example, the lateral acceleration during a highly dynamic condition would be held for a predetermined period of time. The one or more alternative signals are used in place of the consumed signal 60, however, it is to be appreciated that alternative signals may not always be available. For example, if one or more alternative signals are available, then the remediation module 44 may select the related interface state, the secondary interface state, or the fault-tolerant logic state as the remediation state. However, if no alternative signals are available, then the remediation module 44 may select either the last known good value state or the constant value state as the remediation state.
The remediation module 44 then sends the remediated signal 80 as well as the active fault that corresponds to the consumed signal 60 that the remediated signal 80 addresses to the arbitration module 46. The arbitration module 46 of the one or more controllers 20 evaluates the relevant subfunction 52 that corresponds to the consumed signal 60 that the remediation state addresses for remediation tolerance and generates arbitration instructions 82 based on the remediation tolerance. When the relevant subfunction 52 is unable to tolerate any remediation, the arbitration module 46 determines remediation tolerance is absent in the relevant subfunction 52, and the arbitration module 46 generates arbitration instructions 82 that instruct the function module 48 of the one or more controllers 20 to deactivate the relevant subfunction 52. In contrast, when the relevant subfunction 52 tolerates remediation, the arbitration module 46 determines remediation tolerance is present in the relevant subfunction 52. Specifically, remediation tolerance indicates the remediated signal 80 affects but does not compromise operation of the relevant subfunction 52. In response to determining the remediated signal 80 tolerate remediation, the arbitration module 46 generates arbitration instructions 82 instructing the function module 48 of the one or more controllers 20 to consume the remediated signal 80 in place of the consumed signal 60.
The function module 48 of the one or more controllers 20 receives the remediated signal 80 and the arbitration instructions 82 as input and executes the relevant subfunction 52 based on the remediated signal 80 and the arbitration instructions 82. Specifically, the function module 48 determines a level of operation for the relevant subfunction 52 based on the arbitration instructions 82 and executes the relevant subfunction 52 based on the level of operation. In an embodiment, the level of operation for the relevant subfunction 52 is selected from the following: a fully functional level, a remediated level, and a deactivated level. When the arbitration instructions 82 indicate the fully functional level as the level of operation, the function module 48 determines that no active faults exist for signals consumed by the relevant subfunction 52, and the relevant subfunction 52 is executed based on the consumed signal 60. When the arbitration instructions 82 indicate the remediated level, the function module 48 executes the relevant subfunction 52 based on the remediated signal 80. When executed at the remediated level, the relevant subfunction 52 maintains core functionality, however, it is to be appreciated that the relevant subfunction 52 may abstain from generating a final output depending on the circumstances. When the arbitration instructions 82 indicate the deactivated level, the function module 48 does not execute the relevant subfunction 52 based on the consumed signal 60 or the remediated signal 80. Instead, the function module 48 outputs a value that will not interfere with the execution of the remaining downstream subfunctions 52.
In one non-limiting example, the one or more controllers 20 are part of the (eAWD) system 26 shown in
In block 204, the signal processing module 42 of the one or more controllers 20 filters and calibrates the consumed signal 60. The method 200 may then proceed to decision block 206.
In decision block 206, the signal processing module 42 of the one or more controllers 20 performs fault detection upon the consumed signal 60 to determine the presence of an active fault within the consumed signal 60. Specifically, if no active fault is detected, then the method 200 may terminate. However, in response to detecting an active fault with the consumed signal 60, the method 200 may then proceed to block 208.
In block 208, the remediation module 44 of the one or more controllers 20 select the remediation state from the group of two or more prospective remediation states based on the significance analysis of the consumed signal 60, where the remediation state addresses the active fault of the consumed signal 60. The method 200 may then proceed to block 210.
In block 210, the arbitration module 46 of the one or more controllers 20 evaluates the relevant subfunction 52 that corresponds to the consumed signal 60 that the remediation state addresses for remediation tolerance and generates arbitration instructions 82 based on the remediation tolerance. The method 200 may then proceed to block 212.
In block 212, the arbitration module 46 of the one or more controllers 20 generates arbitration instructions 82 based on the remediation tolerance. The method 200 may then proceed to block 214.
In block 214, function module 48 of the one or more controllers 20 executes the relevant subfunction 52 that corresponds to the consumed signal 60 that the remediation state addresses based on the arbitration instructions 82. The method 200 may then terminate.
Referring generally to the figures, the disclosed fault remediation system provides various technical effects and benefits. Specifically, the fault remediation system addresses active faults that are consumed by one or more controllers based on a significance analysis. The fault remediation system also intelligently arbitrates specific subfunctions that are executed by the system to preserve at least some functionality and to minimize the impact on downstream subfunctions. In contrast, some conventional systems may allow for corrupted sensor data to propagate throughout a controller to downstream functions, which results in the controller preemptively aborting a control function.
The controllers may refer to, or be part of an electronic circuit, a combinational logic circuit, a field programmable gate array (FPGA), a processor (shared, dedicated, or group) that executes code, or a combination of some or all of the above, such as in a system-on-chip. Additionally, the controllers may be microprocessor-based such as a computer having a at least one processor, memory (RAM and/or ROM), and associated input and output buses. The processor may operate under the control of an operating system that resides in memory. The operating system may manage computer resources so that computer program code embodied as one or more computer software applications, such as an application residing in memory, may have instructions executed by the processor. In an alternative embodiment, the processor may execute the application directly, in which case the operating system may be omitted.
The description of the present disclosure is merely exemplary in nature and variations that do not depart from the gist of the present disclosure are intended to be within the scope of the present disclosure. Such variations are not to be regarded as a departure from the spirit and scope of the present disclosure.
