1. Field of the Invention
The present invention relates to a method and a system for actuating at least one actuator.
2. Description of Related Art
The so-called 1oo2 systems (1oo2=1 out of 2) are known, in which a selection logic decides which of two control units is to be activated. The decision is made as a function of the activating signals supplied to the selection logic. The activating signals are generated by higher-level diagnosis and monitoring devices which continuously check the two control units with respect to their reliability performance. The implementation of these diagnosis and monitoring devices, in particular, is associated with a high degree of hardware and software expenditure.
A system and a method for switching a control between redundant control units are known from U.S. Pat. No. 6,845,467 B1. During this process, the status of the two redundant control units is monitored to determine whether it is necessary to switch the control between the control units. The monitoring and the switchover system are hardware-based and the control is implemented via a state machine. Status signals are generated which correspond to the status of the control units to which they are assigned.
It is an object of the present invention to provide a system of the type mentioned at the outset which requires less effort with respect to the ongoing monitoring.
In the present invention, each of the control units performs a self-diagnosis. As a function of the self-diagnosis, each of the control units subsequently generates at least one activating signal indicating which of the control units is to be activated. The selection logic then activates one of the two control units for influencing the actuator as a function of the activating signals.
Both control units perform a self-diagnosis according to the present invention. Thus, there is no need for an additional hardware expenditure for a higher-level diagnosis and monitoring device. The self-diagnosis may essentially instead be implemented solely with the aid of additional software in the particular control units. The system according to the present invention thus provides a substantial simplification and cost reduction.
In an advantageous refinement of the present invention, at least one of the two control units has a processor and a watchdog, the processor being continuously checked by the watchdog for possible errors, and an error signal being generated by the watchdog in the case of an error, as a function of which the activating signal(s) of the associated control unit is/are generated. The so-called watchdog is a device which may be implemented without a higher degree of expenditure.
In a way not shown, one or multiple input signals are applied to both control units A, B. Preferably, the same input signals are applied to both control units A, B. These input signals, just as the two actuating signals Aout, Bout, may be digital or analog signals.
Each of two control units A, B is designed to influence actuator 11 as a function of the input signals. Each of two control units A, B is capable of actuating actuator 11 as desired completely independently from the other control unit B, A.
Furthermore, each of two control units A, B is designed to check itself. Each of two control units A, B may thus perform a self-diagnosis. This self-diagnosis of one of two control units A, B takes place independently from the other control unit B, A.
As a function of its self-diagnosis, each of two control units A, B generates its activating signals AA, AB, BA, BB. All four activating signals AA, AB, BA, BB are received by selection logic 13. With the aid of the table in
Four activating signals AA, AB, BA, BB may each have a logical value “L” or “H,” in the present exemplary embodiment a logic being assumed in which value “L” identifies a desired status.
If activating signal AA has, for example, the value “H” and activating signal AB the value “L,” this means that control unit A wants to have control unit B activated as a desired status. This desired status of control unit A may, for example, arise when control unit A determines during self-diagnosis that it does not work completely error-free. In this case, control unit A does not want to be active itself and thus generates activating signal AA with the value “H.” Instead, control unit A wants control unit B to be active and thus generates activating signal AB with the value “L.”
In the table of
The case explained above, where control unit A generates activating signals AA=H and AB=L, is entered in the table of
In combination 5, control unit A wants control unit B to be activated. Control unit B, however, generates activating signals BA=BB=H. The fact that control unit B wants to deactivate itself as well as control unit A is not plausible and indicates that control unit B is no longer operational. For this reason, a switch is made in this case over to control unit A, although control unit A itself does not want to be activated.
The situation is similar in combination 8. Here, control unit B wants to activate itself and control unit A at the same time based on activating signals BA=BB=L. This is not plausible and indicates that control unit B is no longer operational. For this reason, a switch is made over to control unit A in this case as well, although control unit A itself does not want to be activated.
In combination 7, control units A, B generate activating signals which are opposed to each other. Control unit A wants, for example, to deactivate itself and to activate control unit B, while control unit B does not want to be activated at that moment, but wants to activate control unit A. According to the table of
In combination 11, both control units A, B want control unit A to be activated. The combination thus represents the normal state for activating control unit A.
In combinations 9 and 12, the activating signals of control unit B are not plausible. For this reason, control unit A, which itself also wants to be activated, is activated in these cases. Similarly, in combination 13 control unit A is activated.
In combination 10, control units A, B generate activating signals which are opposed to each other. According to the table of
In combinations 2, 3 and 4, at least the activating signals of control unit A are not plausible. Thus, it is always switched over to control unit B in these cases, even if control unit B itself does not want to be activated. Similarly, in combinations 14 and 15, the activating signals of control unit A are not plausible. Control unit B is therefore activated in these cases as well.
In combinations 1 and 16, all four activating signals are not plausible. This results in control unit B being activated, by definition, in both cases.
Thus, in all possible combinations of activating signals AA, AB, BA, BB, one of two control units A, B is activated. This is achieved with the aid of switchover signal U by accordingly positioning selector switch 14. Actuator 11 is then influenced by actuating signal Aout, Bout of the selected control unit A, B.
As previously explained, there are combinations in which one of two control units A, B is activated, although it does not want to be activated itself. This is the case in combination 5, for example. If a similar or comparable combination occurs, it is additionally possible to communicate this state to a higher-level control or to the user. The higher-level control or the user may then correctively intervene in system 10 of
The design of two control units A, B is illustrated in
Control unit B has a processor 21 and a so-called watchdog 22. Processor 21 is responsible, among other things, for generating actuating signal Bout. Watchdog 22 has the function of continuously checking the reliability performance of processor 21. This is identified with arrow 23 in
If watchdog 22 detects a malfunction of processor 21, watchdog 22 generates an error signal F. This error signal F may contain information about the error type of processor 21.
If processor 21 detects a malfunction of watchdog 22, processor 21 changes its mode of operation in such a way that it seems to watchdog 22 as if processor 21 does not work properly. Based on this alleged malfunction of processor 21, watchdog 22 generates the previously mentioned error signal F. Alternatively or additionally, it is possible for processor 21 to generate an error signal F′ which is transmitted independently of watchdog 22.
Error signal F and, possibly, error signal F′ are supplied to a circuit 25 which generates two activating signals BA, BB of control unit B as a function of error signal F, F′.
The values “L,” “H” for activating signals BA, BB may be dependent on information with respect to the error type, which may be contained in error signal F, F′. For example, if watchdog 22 detects a complete failure of processor 21, this may result in other values “L,” “H” for activating signals BA, BB than in the case of a temporary interference of the checking activity of watchdog 22.
With the aid of the explained design of control unit B it is, for example, achieved that a complete failure of processor 21 is detected by watchdog 22 and is further communicated to selection logic 13 via circuit 25. Circuit 25 may be designed in such a way that even if neither processor 21 nor watchdog 22 are operational, the values “L,” “H” of activating signals BA, BB may be generated in such a way that control unit B is deactivated.
Number | Date | Country | Kind |
---|---|---|---|
10 2009 027 369 | Jul 2009 | DE | national |
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/EP2010/057649 | 6/1/2010 | WO | 00 | 3/26/2012 |
Publishing Document | Publishing Date | Country | Kind |
---|---|---|---|
WO2011/000651 | 1/6/2011 | WO | A |
Number | Name | Date | Kind |
---|---|---|---|
4841209 | Poumakis | Jun 1989 | A |
5428745 | de Bruijn et al. | Jun 1995 | A |
6334084 | Moteki et al. | Dec 2001 | B1 |
6647301 | Sederlund et al. | Nov 2003 | B1 |
6845467 | Ditner et al. | Jan 2005 | B1 |
6965206 | Kamen et al. | Nov 2005 | B2 |
7870417 | Blinick et al. | Jan 2011 | B2 |
20120078575 | Feuchter et al. | Mar 2012 | A1 |
Number | Date | Country |
---|---|---|
10 2006 047 026 | Apr 2008 | DE |
61-23204 | Jan 1986 | JP |
6-348521 | Dec 1994 | JP |
2003-256001 | Sep 2003 | JP |
2 223 532 | Feb 2004 | RU |
WO 2005093531 | Oct 2005 | WO |
Entry |
---|
International Search Report for PCT/EP2010/057649, dated Sep. 3, 2010. |
Number | Date | Country | |
---|---|---|---|
20120185145 A1 | Jul 2012 | US |