Technical Field
The present invention belongs to the technical field of functional safety development for new energy vehicles, and specifically relates to a vehicle control unit functional safety architecture system and a working method thereof.
Background Art
As the trend toward software-defined vehicles strengthens, efficient software architecture design plays a guiding role in implementing and landing functional safety. Such design aims to cover the whole-vehicle electrical functions, regulatory and other requirements of a series of vehicle models, integrate the needs of R&D, production, after-sales and other scenarios, and balance cost, the risk of applying new technologies, flexibility and scalability, developing the automotive software architecture from the perspective of the whole vehicle. EU vehicle type approval (type approval is based in part on UNECE regulations) and China's 3C certification of vehicles also introduce functional safety requirements for electronically controlled steering, braking, power battery management systems and the like.
The vehicle control unit (VCU) is the central control unit of a new energy vehicle. It monitors the state of the motor and battery, collects the accelerator pedal signal, the brake pedal signal and the signals of the various actuators and sensors, makes the corresponding decisions after comprehensively analysing the driver's intention, and then supervises the actions of the lower-level component controllers. The VCU is responsible for normal driving, brake energy recuperation, energy management of the vehicle drive system and power battery, network management, fault diagnosis and handling, vehicle state monitoring and so on, thereby ensuring that the vehicle operates normally and stably with good power, economy and reliability. The VCU hardware mainly consists of a power supply module, an MCU, a signal acquisition module, a drive output module and a communication module. The VCU system provides functions such as automatic interpretation of the operator's intention, torque management, coordinated control of the motor and battery, charging process management, fault diagnosis and CAN network control.
When developing a functional safety product, the ASIL level of each module is decomposed in order to reduce development difficulty and improve development efficiency: the originally complex VCU functional safety development is split into a basic function part and a functional safety part, with basic function development carried out to the QM level and safety function development carried out to the decomposed ASIL level. For the software architecture to meet the functional safety requirements, the VCU system software architecture must provide for avoiding, detecting or handling random hardware faults and systematic software faults.
Domestic papers and patents mainly design the VCU hardware and software against the functional safety standards, and rarely address a concrete design of the Level 2 functional monitoring layer software architecture that satisfies functional safety requirements such as a layered structure and efficient development.
Summary of the Invention
The purpose of the present invention is to overcome the problems that the existing layered VCU architecture is not thoroughly layered and does not consider the design and test functions of the Level 2 functional monitoring layer, by providing a vehicle control unit functional safety architecture system and a working method thereof.
In order to achieve the above object, the present invention adopts the following technical solution:
A vehicle control unit functional safety architecture system, comprising:
Level 1 functional layer: used to execute the basic functions of the VCU;
Level 2 functional monitoring layer: used to monitor the running state of the Level 1 functional layer in real time and ensure that it works normally; this includes checking and judging the safety-related signals during execution of the Level 1 basic functions, and monitoring the software architecture during execution of the Level 1 basic functions;
Level 3 controller monitoring layer: used to monitor whether the basic functions of the Level 1 functional layer run normally and whether the monitoring program of the Level 2 functional monitoring layer runs normally; when the Level 1 functional layer or the Level 2 functional monitoring layer fails, Level 3 is able to detect this and take corresponding measures.
A data segment, an arbitration segment, a control segment and a CRC segment are set in the data frame of the Level 2 functional monitoring layer, so as to extend the standard data frame into an extended data frame, wherein:
the arbitration segment is placed after the start-of-frame bit and identifies the priority of the data frame;
the control segment is placed after the arbitration segment and indicates the number of data bytes and the reserved bits;
the data segment is placed after the control segment and holds the content that the data frame needs to send;
the CRC segment is placed after the data segment and is the byte segment used to check for data frame transmission errors.
The Level 1 functional layer and the Level 2 functional monitoring layer are developed independently, and their respective production code must run in different partitions.
A working method of the vehicle control unit functional safety architecture system, comprising:
upon receiving an action signal, the Level 1 functional layer executes the basic function according to the action signal;
the Level 2 functional monitoring layer checks and judges the safety-related signals among the action signals received by the Level 1 layer, and monitors, through a monitoring program, the software architecture during execution of the basic functions in the Level 1 functional layer; if a fault occurs, it is fed back to the Level 1 functional layer in time;
the Level 3 controller monitoring layer performs independent monitoring of whether the Level 1 functional layer runs normally and whether the monitoring program of the Level 2 functional monitoring layer runs normally; if the monitoring program does not run in the set order or is not executed within the specified time, the check fails and the system enters a safe state.
The process by which the Level 2 functional monitoring layer checks and judges the safety-related signals of the Level 1 functional layer is:
S1: the VCU receives a safety-related signal;
S2: assuming the interface signal is received every TBD ms, a timeout check is first performed on the received safety-related signal; if the signal is not received within the TBD ms signal period, the signal is judged lost;
S3: a CRC check is performed on the safety-related signals that were not lost; if the check fails, the frame is judged to have a CRC error;
S4: an alive counter check is performed on the safety-related signals that passed the CRC check, to monitor the timeliness and validity of the data transmission;
S5: a signal validity check is performed on the safety-related signals that passed the alive counter check; if the check fails, the signal is judged invalid;
S6: a signal plausibility check is performed on the safety-related signals that passed the validity check; if the check fails, the signal is judged implausible.
After the safety-related signal checks are complete, fault information is generated when an error occurs, and the Level 2 functional monitoring layer feeds the fault information back to the Level 1 functional layer.
The specific method of generating fault information is as follows:
Obtaining the faulty node:
If the faulty node exhibits CANH/CANL anomalies or a transceiver anomaly at the physical layer, the way it sends messages is monitored and diagnosed according to the dual-MCU control principle, and the fault information is obtained.
The control process of the dual-MCU control principle is: the master M-MCU controls the driver chip to produce the digital drive outputs; the slave S-MCU diagnoses the working state of the driver chip and obtains the corresponding diagnostic results; the master M-MCU and the slave S-MCU then exchange the diagnostic information over SPI, and the master M-MCU parses and processes the diagnostic results to obtain the fault information.
The master M-MCU and the slave S-MCU each control their own CAN transceiver, so that the slave S-MCU provides redundancy for the communication function of the master M-MCU. Under normal conditions the master M-MCU controls its CAN transceiver to carry out communication while the slave S-MCU monitors it; when an anomaly is detected in the communication function controlled by the master M-MCU, the slave S-MCU takes over the work of the master M-MCU and restores the VCU communication function so that the vehicle remains controllable.
The Level 2 functional monitoring layer monitors the software architecture of the Level 1 functional layer; this monitoring includes closed-loop monitoring of output signals, drive outputs and actuator feedback.
Compared with the prior art, the present invention has the following beneficial effects:
The present invention provides a vehicle control unit functional safety architecture system and a working method thereof, dividing the VCU into a Level 1 functional layer, a Level 2 functional monitoring layer and a Level 3 controller monitoring layer. The architecture forms a systematic and efficient hierarchical monitoring framework and effectively realises functional safety decomposition. The three layers can be assigned to three different development teams and developed in parallel, which greatly reduces development difficulty and improves development efficiency. In the Level 2 functional monitoring layer, checking the safety-related signals during execution of the Level 1 basic functions and monitoring the output software architecture of the Level 1 functional layer safeguards the vehicle during operation.
Further, extending the standard data frame into an extended data frame increases the number of nodes on the CAN bus, the flexibility of the data link and the data processing capacity, while keeping the same priority mechanism as the standard data frame. This extension enables the CAN bus to support more complex and larger network systems.
Further, signal checking and judgment improves the reliability of data transmission, safeguards vehicle safety performance and reduces maintenance cost.
Further, the way messages are sent is monitored and diagnosed according to the dual-MCU control principle; if one MCU fails, the other MCU can still work normally, ensuring that the basic functions of the system are not affected. This redundant design improves the reliability and stability of the system.
Further, the Level 2 functional monitoring layer monitors using a control strategy independent of the Level 1 functional layer, which improves the flexibility, energy efficiency, accuracy, safety, maintainability and extensibility of the VCU.
Brief Description of the Drawings
FIG. 1 is a schematic diagram of the three-layer architecture of the present invention.
FIG. 2 is a schematic diagram of the data frame format of the Level 2 functional monitoring layer.
FIG. 3 is a schematic diagram of the corresponding data frame format of the Level 2 functional monitoring layer.
FIG. 4 is a flow chart of the safety-related signal checks in the input module of the Level 2 functional monitoring layer.
FIG. 5 is a signal flow diagram of the safety function checks of the Level 2 functional monitoring layer.
FIG. 6 is a schematic diagram of signal transfer between the master M-MCU and the slave S-MCU.
FIG. 7 is a schematic diagram of the working process of the master M-MCU and the slave S-MCU.
FIG. 8 is a schematic diagram of the output monitoring software architecture of the Level 2 functional monitoring layer.
Detailed Description
To further explain the content of the present invention, the invention is described in detail below with reference to the accompanying drawings and specific embodiments. It should be understood that the embodiments serve only to explain the invention and do not limit it.
Functional safety development is a top-down, progressive process: from the top of the architecture to the bottom, refined layer by layer, and finally decomposed into the concrete design of software and hardware. All designs originate from the system-level architecture design at the starting point, and a systematic and efficient system architecture design keeps the entire product design headed in the right direction. In its software design, the present invention adopts a layered, modular design approach to complete the design of the main program, subprograms and interface layer program of the Level 2 functional monitoring layer of the VCU software. Once the layered components are defined, the software architecture focuses on describing the relationships between them, namely the static and dynamic relationships. Static design covers the interfaces between components, the relationship to the hardware and the layered structure of the components; dynamic design covers the functions of events and behaviours, the logical order of data processing, control flow and concurrent processes, the data flow passed through interfaces and global variables, timing constraints and so on.
As shown in FIG. 1, the VCU functional safety architecture system of the present invention consists of three parts: the Level 1 functional layer, the Level 2 functional monitoring layer and the Level 3 controller monitoring layer. The architecture forms a systematic and efficient hierarchical monitoring framework and effectively realises functional safety decomposition. A QM + ASIL X (ASIL X) safety decomposition strategy is usually adopted: the function-implementing software (Level 1 functional layer) is developed to the QM level, while the redundant function software or safety measures (Level 2 functional monitoring layer, Level 3 controller monitoring layer) are developed to the required ASIL X (ASIL X) level, which effectively reduces the cost of functional safety software development.
Level 1 functional layer: executes the basic functions of the VCU, such as drive system control, energy management and network management. From the driver's operating intention, such as accelerator pedal position and brake pedal force, it calculates parameters such as the torque required from the motor, coordinates the operation of the various components and ensures that the electric vehicle drives normally.
Level 2 functional monitoring layer: monitors the running state of the Level 1 functional layer in real time to ensure that it works normally. This includes checking and judging the safety-related signals during execution of the Level 1 basic functions, and monitoring the software architecture during execution of those basic functions. The unit that performs the monitoring function (such as an SBC or the slave MCU) carries out real-time monitoring of the function's running state, diagnosis of its own memory, and diagnosis and control of the driver-level shut-off path, among other functions.
Level 3 controller monitoring layer: monitors whether the basic functions of the Level 1 functional layer run normally and whether the monitoring program of the Level 2 functional monitoring layer runs normally; when the Level 1 functional layer or the Level 2 functional monitoring layer fails, Level 3 can detect this in time and take corresponding measures.
It should be noted that dividing the VCU into a three-layer structure reduces development difficulty: the three layers can be assigned to three different development teams and developed in parallel, which greatly reduces development difficulty and improves development efficiency.
The VCU exchanges signals with the other controllers, sensors and actuators over the CAN bus. The signal types must include data frames, remote frames, error frames, check frames and the interframe space. Data frames and remote frames come in a standard and an extended format: the standard format uses an 11-bit identifier (ID for short) and the extended format a 29-bit ID. The uses of the various frame types are shown in Table 1:
Table 1
As a further technical solution of the present invention, in the Level 2 functional monitoring layer, in order to meet the Level 2 functional monitoring layer requirements of this VCU functional safety development organisation, a data segment, an arbitration segment, a control segment and a CRC segment are set in the data frame:
Data segment: the content of the data; 0 to 16 bytes of data can be sent;
Arbitration segment: the segment that identifies the priority of the frame;
CRC segment: the segment that checks for frame transmission errors;
Control segment: the segment that indicates the number of data bytes and the reserved bits;
ACK segment: the segment that confirms normal reception.
As shown in FIG. 2, the CAN protocol can receive and send 11-bit standard data frames and 29-bit extended data frames. The CAN standard data frame and the extended data frame differ only in the length of the frame ID, so that more CAN nodes can be accommodated. The standard format suits smaller networks with fewer nodes and identifier requirements, while the extended format suits larger networks that need more nodes and more complex identifier management.
A standard-format CAN bus communication frame is composed as follows:
Start of frame (SOF): 1 bit, fixed as a dominant bit (logic 0), marking the start of the data frame; a node may only transmit it while the bus is idle.
Identifier (ID): 11 bits, ID10 to ID0, where ID10 is the most significant bit (MSB) and ID0 the least significant bit (LSB), transmitted in the order ID10 to ID0.
RTR: Remote Transmission Request, identifies whether the frame is a data frame or a remote frame. When the RTR bit is dominant ('0') the frame is a data frame; when it is recessive ('1') the frame is a remote frame. Located in the arbitration segment, after the identifier bits.
IDE: Identifier Extension bit, distinguishes whether the data frame is in standard or extended format. When the IDE bit is dominant ('0') the data frame is in extended format; when it is recessive ('1') the data frame is in standard format. Located in the control segment.
r0: reserved bit; r0 is not used in the current CAN standard and is reserved for possible future use. It must be set dominant ('0'). Located in the control segment, adjacent to the data length code (DLC).
DLC: Data Length Code, indicates the number of data bytes in the data segment. It occupies 4 bits and can express a data length of 0 to 8 bytes. Located in the control segment, after the r0 bit.
Data (data segment): 0 to 8 bytes, with the length given by the data length code (DLC); contains the actual data to be transferred between nodes. Located after the control segment.
CRC segment: consists of the CRC sequence (cyclic redundancy check sequence) and the CRC delimiter. The cyclic redundancy check sequence consists of 15 characters and is used to check for errors that may arise during data transmission or storage. A number (the CRC check code) is appended to the data frame to be sent, and this appended CRC check code ensures the correctness and integrity of the data transfer.
CRC delimiter: used in the encapsulation and decapsulation of data frames. It marks the start and end positions of the data frame so that the receiving end can decapsulate the data frame accurately, ensuring data integrity and reliability.
ACK segment: used to confirm whether reception was normal. It consists of 2 bits, the ACK slot (ACK SLOT) and the ACK delimiter (ACK DELIMITER); the transmitting unit sends 2 recessive bits in the ACK segment. When a receiver correctly receives a valid message, it sends a dominant bit to the transmitter during the ACK slot (ACK SLOT) as an acknowledgement, informing the transmitting unit that reception completed normally; this is called "sending ACK" or "returning ACK".
End of frame: consists of 7 recessive bits and indicates the end of the frame.
As shown in FIG. 3, when a data frame is converted from the standard format to the extended format:
A 29-bit identifier (ID) must be determined for the new extended-format data frame. This ID should be related in some way to the 11-bit ID of the original standard-format data frame, while also being unique on the CAN network. The IDE bit is set dominant ('0'). The ID field of the extended format has 29 bits whereas the standard format has only 11, so the remaining 18 bits of the extended-format ID field must be filled in. The other fields of the data frame remain unchanged.
The working method of the vehicle control unit functional safety architecture system is as follows:
upon receiving an action signal, the Level 1 functional layer executes the basic function according to the action signal;
the Level 2 functional monitoring layer performs safety-related signal checking and judgment on the action signals issued by the Level 1 layer, and monitors, through a monitoring program, the software architecture during execution of the basic functions in the Level 1 functional layer; if a fault occurs, it is fed back to the Level 1 functional layer in time;
the Level 3 controller monitoring layer performs independent monitoring of whether the Level 1 functional layer runs normally and whether the monitoring program of the Level 2 functional monitoring layer runs normally; if the monitoring program does not run in the set order or is not executed within the specified time, the check fails and the system enters a safe state.
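The Level 3 rule just stated (the Level 2 monitoring program must pass its checkpoints in the set order and within the specified time, otherwise the system enters the safe state) as an added C example; this is not the patent's code, and the checkpoint ids, the time budget and the fault-latching policy are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of the Level 3 program-flow check. A fault is latched until the next
 * pfm_start(), so a transient slip cannot silently clear the safe-state demand. */
enum pfm_state { PFM_OK = 0, PFM_SEQUENCE_FAULT, PFM_DEADLINE_FAULT };

typedef struct {
    const uint8_t *expected;   /* checkpoint ids in the required order */
    size_t   n_expected;
    size_t   next;             /* index of the checkpoint expected next */
    uint32_t window_start_ms;  /* start of the current supervision cycle */
    uint32_t deadline_ms;      /* the whole sequence must complete within this budget */
    enum pfm_state state;
} pfm_t;

/* Arms the monitor with the expected order and the time budget (assumed values). */
void pfm_start(pfm_t *p, const uint8_t *expected, size_t n,
               uint32_t deadline_ms, uint32_t now_ms)
{
    p->expected = expected;
    p->n_expected = n;
    p->next = 0;
    p->window_start_ms = now_ms;
    p->deadline_ms = deadline_ms;
    p->state = PFM_OK;
}

/* Called by the Level 2 monitoring program at each checkpoint it passes.
 * Logical monitoring: the id must be the one expected next.
 * Temporal monitoring: the checkpoint must fall inside the time budget. */
enum pfm_state pfm_checkpoint(pfm_t *p, uint8_t id, uint32_t now_ms)
{
    if (p->state != PFM_OK)
        return p->state;                      /* already latched */
    if (now_ms - p->window_start_ms > p->deadline_ms)
        p->state = PFM_DEADLINE_FAULT;
    else if (p->next >= p->n_expected || id != p->expected[p->next])
        p->state = PFM_SEQUENCE_FAULT;        /* out of order, repeated or unexpected */
    else
        p->next++;
    return p->state;
}

/* Called by Level 3 at the end of each supervision cycle: the complete sequence
 * must have run within the budget. If so, the window is re-armed for the next cycle. */
enum pfm_state pfm_cycle_end(pfm_t *p, uint32_t now_ms)
{
    if (p->state != PFM_OK)
        return p->state;
    if (p->next != p->n_expected || now_ms - p->window_start_ms > p->deadline_ms) {
        p->state = PFM_DEADLINE_FAULT;        /* sequence did not finish in time */
        return p->state;
    }
    p->next = 0;
    p->window_start_ms = now_ms;
    return PFM_OK;
}

/* Level 3 uses this to decide whether the system must enter the safe state. */
bool pfm_safe_state_required(const pfm_t *p)
{
    return p->state != PFM_OK;
}

int main(void)
{
    static const uint8_t order[] = { 1, 2, 3 };   /* constructed checkpoint ids */
    pfm_t p;
    pfm_start(&p, order, 3, 10, 0);
    pfm_checkpoint(&p, 1, 1);
    pfm_checkpoint(&p, 3, 2);                     /* checkpoint 2 was skipped */
    printf("safe state required: %s\n", pfm_safe_state_required(&p) ? "yes" : "no");
    return 0;
}
```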
Specifically, the functions of the Level 2 functional monitoring layer architecture include torque monitoring of the Level 1 functional layer, comparison of the torque request against the actual torque, monitoring of the current demand, diagnosis of input and output signals, reading and monitoring of actuator-related states, and handling of faults found by diagnosis. The Level 1 functional layer and the Level 2 functional monitoring layer are developed independently, and their respective production code must run in different partitions to avoid common-cause failures and to ensure freedom from interference; moreover, the Level 2 functional monitoring layer code must run on the hardware safety core. The input and output interfaces of the Level 2 functional monitoring layer process monitoring module are shown in Table 2.
Table 2
(1) The Level 2 functional monitoring layer checks the safety-related signals during execution of the Level 1 basic functions as follows:
The input module of the Level 2 functional monitoring layer checks the corresponding safety-related signals for integrity, valid range, plausibility and so on, and then outputs them to the Level 1 functional layer and to the process monitoring and output monitoring modules of the Level 2 functional monitoring layer respectively. The specific check logic is shown in FIG. 4.
S1: the VCU receives a safety-related signal;
S2: assuming the interface 1 signal is received every TBD ms, a timeout check is first performed on the received safety-related signal; if the signal is not received within the TBD ms signal period, the signal is judged lost;
S3: a CRC check is performed on the safety-related signals that were not lost; if the check fails, the frame is judged to have a CRC error;
S4: an alive counter check is performed on the safety-related signals that passed the CRC check, to monitor the timeliness and validity of the data transmission;
S5: a signal validity check is performed on the safety-related signals that passed the alive counter check; if the check fails, the signal is judged invalid;
S6: a signal plausibility check is performed on the safety-related signals that passed the validity check; if the check fails, the signal is judged implausible.
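The S1 to S6 chain above (the same chain as in the summary of the invention) as one added C example of a Level 2 input module; it is not the patent's code. Because the page leaves the frame contents and the TBD period open, it assumes a constructed 4-byte payload layout (CRC over an alive counter and a 16-bit value), the CRC-8 SAE J1850 polynomial, a 4-bit alive counter and a second sensor channel as the plausibility reference.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* One fault code per step S2..S6 of the Level 2 input check chain. */
enum sig_fault {
    SIG_OK = 0,
    SIG_TIMEOUT,      /* S2: nothing received within the signal period */
    SIG_CRC_ERROR,    /* S3: CRC over the payload does not match */
    SIG_ALIVE_ERROR,  /* S4: alive counter did not advance by exactly one */
    SIG_INVALID,      /* S5: value outside its valid range */
    SIG_IMPLAUSIBLE   /* S6: value disagrees with the redundant reference */
};
#define ALIVE_MOD 16u   /* assumed 4-bit alive counter, wraps 15 -> 0 */

/* Constructed payload layout (an assumption, not from the page):
 * data[0] = CRC over data[1..3], data[1] = alive counter,
 * data[2..3] = 16-bit signal value, big-endian. */
typedef struct {
    uint32_t rx_time_ms;
    uint8_t  data[4];
} sig_frame_t;

typedef struct {
    uint32_t period_ms;            /* the page's "TBD ms" reception period */
    uint32_t last_rx_ms;
    uint8_t  last_alive;
    bool     have_rx, have_alive;  /* a frame arrived before / last_alive is trusted */
    uint16_t min_valid, max_valid; /* S5 range */
    uint16_t max_delta;            /* S6 tolerance against the reference */
} sig_monitor_t;

/* CRC-8 SAE J1850 (poly 0x1D, init 0xFF, final XOR 0xFF); an assumed choice. */
uint8_t crc8_j1850(const uint8_t *p, size_t n)
{
    uint8_t crc = 0xFF;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (uint8_t)((crc & 0x80) ? (crc << 1) ^ 0x1D : crc << 1);
    }
    return (uint8_t)(crc ^ 0xFF);
}

sig_monitor_t sig_monitor_init(uint32_t period_ms, uint16_t min_valid,
                               uint16_t max_valid, uint16_t max_delta)
{
    sig_monitor_t m = { .period_ms = period_ms, .min_valid = min_valid,
                        .max_valid = max_valid, .max_delta = max_delta };
    return m;
}

/* Sender-side helper: builds a well-formed frame (used to construct sample input). */
void sig_frame_build(sig_frame_t *f, uint32_t t_ms, uint8_t alive, uint16_t value)
{
    f->rx_time_ms = t_ms;
    f->data[1] = (uint8_t)(alive % ALIVE_MOD);
    f->data[2] = (uint8_t)(value >> 8);
    f->data[3] = (uint8_t)(value & 0xFF);
    f->data[0] = crc8_j1850(&f->data[1], 3);
}

/* Runs S2..S6 for one Level 2 cycle at time now_ms. frame is NULL when nothing
 * arrived in this cycle. ref_value is the independent reference (e.g. a second
 * sensor channel) for the plausibility check; on SIG_OK the accepted value is
 * written to *value_out, otherwise *value_out is left untouched. */
enum sig_fault sig_check(sig_monitor_t *m, uint32_t now_ms, const sig_frame_t *frame,
                         uint16_t ref_value, uint16_t *value_out)
{
    /* S2: timeout. Any arriving frame counts as a reception; integrity is S3's job. */
    if (frame == NULL)
        return (m->have_rx && now_ms - m->last_rx_ms > m->period_ms) ? SIG_TIMEOUT : SIG_OK;
    bool late = m->have_rx && frame->rx_time_ms - m->last_rx_ms > m->period_ms;
    m->last_rx_ms = frame->rx_time_ms;
    m->have_rx = true;
    if (late)
        return SIG_TIMEOUT;
    /* S3: CRC over alive counter and value. */
    if (crc8_j1850(&frame->data[1], 3) != frame->data[0])
        return SIG_CRC_ERROR;
    /* S4: the counter must advance by exactly one (mod 16) since the last trusted
     * frame. The received counter is adopted either way so one skip does not latch. */
    uint8_t alive = frame->data[1];
    bool alive_ok = alive < ALIVE_MOD &&
                    (!m->have_alive || alive == (uint8_t)((m->last_alive + 1) % ALIVE_MOD));
    m->last_alive = alive;
    m->have_alive = alive < ALIVE_MOD;
    if (!alive_ok)
        return SIG_ALIVE_ERROR;
    /* S5: validity, the raw value must lie inside the configured range. */
    uint16_t value = (uint16_t)((frame->data[2] << 8) | frame->data[3]);
    if (value < m->min_valid || value > m->max_valid)
        return SIG_INVALID;
    /* S6: plausibility, the value must agree with the redundant reference. */
    uint16_t delta = value > ref_value ? value - ref_value : ref_value - value;
    if (delta > m->max_delta)
        return SIG_IMPLAUSIBLE;
    *value_out = value;
    return SIG_OK;
}
```

A frame with a bad CRC still counts as a reception for the S2 timer but does not advance the alive counter, so the next good frame is judged against the last trusted counter.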
如图5所示,整车控制器VCU的控制器将需要校验的信号校验输出至Level2功能监控层,Level2功能监控层根据Level1功能层中安全相关信号输出作为Level2功能监控层输入,由Level2功能监控层对Level1功能层进行监控,被监控的Level1功能层应在Level2功能监控层中采取冗余异构算法对接口4进行校验,在出现错误时进入安全状态(safetystate),生成故障信息,并输出相关的故障信号等级,中断错误信号启动,在仪表盘上报警灯常亮。As shown in Figure 5, the controller of the vehicle controller VCU outputs the signal verification that needs to be verified to the Level2 functional monitoring layer. The Level2 functional monitoring layer uses the safety-related signal output in the Level1 functional layer as the input of the Level2 functional monitoring layer, and the Level2 functional monitoring layer monitors the Level1 functional layer. The monitored Level1 functional layer should adopt a redundant heterogeneous algorithm in the Level2 functional monitoring layer to verify the interface 4, enter the safety state (safetystate) when an error occurs, generate fault information, and output the relevant fault signal level, interrupt the error signal start, and the alarm light on the instrument panel is always on.
According to the analysis of communication function faults, a node may exhibit CANH/CANL anomalies and transceiver anomalies at the physical layer, error frames and bus-off at the data link layer, and message data anomalies at the application layer. CANH/CANL anomalies at the physical layer can be monitored and diagnosed by having the slave S-MCU send messages on the bus, while transceiver anomalies can be diagnosed by the transceiver itself. In view of the above signal-processing fault types and the dual-MCU control principle, a corresponding safety mechanism is designed for input signal processing: the master M-MCU and the slave S-MCU each acquire the important input signals, exchange the acquired data over SPI, and then perform limit-range diagnosis, difference comparison and correlation diagnosis on the data.
The control process of the dual-MCU control principle is as follows:
As shown in Figure 6, the master M-MCU and the slave S-MCU form dual control over the driver chip. By default the master M-MCU controls the driver chip to produce the digital drive outputs while the S-MCU diagnoses the working state of the driver chip; the two MCUs then exchange the diagnostic information over SPI, and the master M-MCU parses and processes the diagnostic results. Signals between the master M-MCU and the slave S-MCU are exchanged over PWM, CAN, LIN and Ethernet. Based on its control logic, the master M-MCU issues a command to the slave S-MCU; on receiving the command, the slave S-MCU analyses the modules it is responsible for to confirm whether executing the command immediately is appropriate. If it is, the S-MCU executes it at once and returns an execution-status signal to the master M-MCU; if not, it refuses to execute and returns a refusal signal to the master M-MCU.
As shown in Figure 7, the master M-MCU and the slave S-MCU each control their own CAN transceiver, so that the slave S-MCU provides redundancy for the master M-MCU's communication function. Under normal conditions the master M-MCU completes communication through its CAN transceiver and the slave S-MCU monitors it. When the communication function controlled by the master M-MCU is detected to be abnormal, the slave S-MCU takes over the master M-MCU's work and restores the vehicle controller's communication function so that the vehicle can still be controlled.
Specific embodiments are as follows:
For abnormality detection of analogue input signals, the signal is acquired by the master M-MCU and the slave S-MCU at the same time. Taking the acquisition and processing of the brake pedal position signal S1 as an example: first the master M-MCU and the slave S-MCU each acquire S1 and monitor its supply voltage; then the slave S-MCU transmits its acquired and converted result to the master M-MCU over SPI, and the master M-MCU compares its own result with the slave's. If the difference is too large, the acquired value is considered invalid and an error count is incremented; when the number of consecutive errors exceeds a certain number, a vehicle-level fault is reported.
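The M-MCU side of the brake pedal embodiment, covering the three diagnoses named above (limit range, difference comparison, correlation) and the consecutive-error counter, as an added example that is not the patent's or any supplier's code. Everything numeric is assumed: a 12-bit ADC with a 100 to 3995 count valid band so that an open or shorted sensor line pins the reading outside it, an 80-count tolerance between the two MCUs, a 4.5 to 5.5 V sensor supply window, and three tolerated consecutive errors. The correlation check goes a little beyond the text by cross-checking the pedal reading against an independent brake-light switch input, which is also assumed. The S-MCU's sample is simply passed in as a struct, standing in for the SPI transfer.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Limits are constructed for the example, not taken from the patent. */
#define ADC_MIN        100u   /* below this the sensor line is open or shorted to ground */
#define ADC_MAX        3995u  /* above this it is shorted to supply */
#define ADC_TOL        80u    /* largest tolerated difference between the two MCUs' readings */
#define ADC_RELEASED   300u   /* pedal is clearly released below this reading */
#define ADC_PRESSED    600u   /* pedal is clearly pressed above this reading */
#define VSUP_MIN_MV    4500u  /* sensor supply window */
#define VSUP_MAX_MV    5500u
#define MAX_CONSEC_ERR 3u     /* the "certain number" of consecutive errors before reporting */

typedef enum { DIAG_OK, DIAG_SUPPLY, DIAG_RANGE, DIAG_MISMATCH, DIAG_CORRELATION } diag_t;
typedef enum { FAULT_NONE = 0, FAULT_VEHICLE } fault_level_t;

/* One acquisition of S1 as each MCU sees it; the S-MCU copy arrives over SPI. */
typedef struct { uint16_t adc; uint16_t vsup_mv; } sample_t;

typedef struct { uint8_t consec_err; fault_level_t level; } pedal_monitor_t;

static bool in_window(uint16_t v, uint16_t lo, uint16_t hi) { return v >= lo && v <= hi; }

/* Limit-range, difference and correlation diagnosis on one pair of samples.
 * brake_switch is an independent brake-light switch input (assumed for the example). */
diag_t diagnose_sample(const sample_t *m, const sample_t *s, bool brake_switch)
{
    if (!in_window(m->vsup_mv, VSUP_MIN_MV, VSUP_MAX_MV) ||
        !in_window(s->vsup_mv, VSUP_MIN_MV, VSUP_MAX_MV)) return DIAG_SUPPLY;
    if (!in_window(m->adc, ADC_MIN, ADC_MAX) || !in_window(s->adc, ADC_MIN, ADC_MAX)) return DIAG_RANGE;
    uint16_t diff = m->adc > s->adc ? m->adc - s->adc : s->adc - m->adc;
    if (diff > ADC_TOL) return DIAG_MISMATCH;
    /* correlation: a clearly pressed pedal must show the switch closed, and vice versa */
    bool pressed  = m->adc > ADC_PRESSED;
    bool released = m->adc < ADC_RELEASED;
    if ((pressed && !brake_switch) || (released && brake_switch)) return DIAG_CORRELATION;
    return DIAG_OK;
}

/* M-MCU side, once per acquisition cycle. A good sample clears the counter; an
 * invalid one increments it, and more than MAX_CONSEC_ERR in a row latches the
 * vehicle-level fault until a diagnostic reset. */
fault_level_t pedal_monitor_step(pedal_monitor_t *pm, const sample_t *m, const sample_t *s,
                                 bool brake_switch, uint16_t *pos_out, diag_t *why)
{
    diag_t d = diagnose_sample(m, s, brake_switch);
    if (why) *why = d;
    if (d == DIAG_OK) {
        pm->consec_err = 0;
        *pos_out = (uint16_t)((m->adc + s->adc) / 2);  /* both agree: use their mean */
    } else if (pm->consec_err < UINT8_MAX) {
        pm->consec_err++;
        if (pm->consec_err > MAX_CONSEC_ERR) pm->level = FAULT_VEHICLE;
    }
    return pm->level;
}

/* Constructed sequence: 1 good, 3 mismatched (counter reaches 3, no fault yet),
 * 1 good (counter reset), then 4 mismatched. Returns the 0-based step at which
 * FAULT_VEHICLE was first reported, or -1 if it never was. */
int run_scenario(void)
{
    static const uint16_t s_adc[] = {1030, 2000, 2000, 2000, 1030, 2000, 2000, 2000, 2000};
    pedal_monitor_t pm = {0};
    sample_t m = {1000, 5000};
    uint16_t pos = 0; diag_t why;
    for (int i = 0; i < 9; i++) {
        sample_t s = { s_adc[i], 4980 };
        if (pedal_monitor_step(&pm, &m, &s, true, &pos, &why) == FAULT_VEHICLE) return i;
    }
    return -1;
}

int main(void)
{
    printf("vehicle fault first reported at step %d\n", run_scenario());
    return 0;
}
```

The counter is deliberately reset by a single good sample and only counts consecutive failures, which is what the text describes; a design that must also catch intermittent faults would add a second, slowly decaying counter rather than loosen this one.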
For abnormality detection of digital output signals, the approach is mainly diagnosis of the driver chip: the slave S-MCU communicates with the driver chip over SPI, monitors its state, and transmits the diagnostic result to the master M-MCU over SPI. The master M-MCU processes the diagnostic result; if a driver-chip channel is open or short-circuited, a fault is reported and the application layer assesses its fault level in order to keep the vehicle operating safely. When a master M-MCU can no longer control its driver chip, the slave S-MCU takes over in order to control the vehicle.
(2) Output monitoring software architecture of the Level2 functional monitoring layer
As shown in Figure 8, the Level2 functional monitoring layer performs closed-loop monitoring of the Level1 functional layer's output results, the drive output and the actuator feedback. The strategy is divided into:
1) Safety signal monitoring: the Level2 functional monitoring layer monitors the relevant interfaces using a control strategy independent of the Level1 functional layer;
2) Drive output monitoring: interface 2 outputs to the output driver, and after a fault-confirmation time the Level2 functional monitoring layer checks whether the driver has produced the correct output;
3) Actuator monitoring: after the actuator responds to the interface 2 signal, it performs the action and feeds back over interface 7; the Level2 functional monitoring layer checks whether its execution state matches the expected result. If a monitoring fault occurs, a warning is sent to the instrument cluster over interface 5 to alert the driver, and the system then enters the safe state.
A specific embodiment is as follows:
The Level2 functional monitoring layer monitors the brake pedal function of the Level1 functional layer. When the driver presses the brake pedal, the Level1 functional layer receives the brake pedal signal and interface 1 is monitored in the Level2 functional monitoring layer; after checking, interface 2 outputs to the drive output monitoring. The Level2 functional monitoring layer then performs fault confirmation to determine whether the drive signal has been output correctly, that is, whether the actuator has received the execution signal on interface 2 and started braking. If the brake pedal signal has been received, the braking function is executed and fed back over interface 7, and the Level2 functional monitoring layer checks whether the execution state matches the expected result. If a monitoring fault occurs, a warning is sent to the instrument cluster over interface 5 to alert the driver, the braking process is stopped, and the system enters the safe state.
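The closed loop of strategies 2) and 3) and the brake embodiment as a small state machine, as an added example that is not the patent's or any VCU's code. It takes three signals per tick: the interface 2 command, a read-back of the driver stage output, and the interface 7 actuator feedback. The 20 ms driver and 100 ms actuator confirmation times are assumed, as is the extra case of a driver stage that switches on without any command, which is a generalisation of the text's "does the driver output correctly" check. A deviation only becomes a fault after it has persisted for the confirmation time; the safe state sets the interface 5 warning and an output inhibit and stays latched.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Confirmation times are assumed for the example. */
#define T_DRIVER_CONFIRM_MS   20u   /* driver stage must follow interface 2 within this time */
#define T_ACTUATOR_CONFIRM_MS 100u  /* actuator feedback (interface 7) must appear within this time */

typedef enum { MON_IDLE, MON_WAIT_DRIVER, MON_WAIT_ACTUATOR, MON_ACTIVE, MON_SAFE_STATE } mon_state_t;

/* One sample of the three signals the monitor compares. */
typedef struct {
    bool cmd;       /* interface 2: brake command sent to the output driver */
    bool driver;    /* read-back of the driver stage output */
    bool feedback;  /* interface 7: actuator reports that it is braking */
} io_snapshot_t;

typedef struct {
    mon_state_t state;
    uint32_t    t_entered_ms;    /* start of the current confirmation window */
    bool        unexpected_seen; /* activation without command is being timed */
    bool        warn_lamp;       /* interface 5: instrument warning */
    bool        output_inhibit;  /* safe state: braking process stopped, output forced off */
} out_monitor_t;

static void set_state(out_monitor_t *om, mon_state_t s, uint32_t now_ms)
{ om->state = s; om->t_entered_ms = now_ms; }

static void enter_safe_state(out_monitor_t *om)
{ om->state = MON_SAFE_STATE; om->warn_lamp = true; om->output_inhibit = true; }

static bool expired(const out_monitor_t *om, uint32_t now_ms, uint32_t limit)
{ return (now_ms - om->t_entered_ms) >= limit; }

/* Called every scheduling tick with a fresh snapshot. Single-sample glitches
 * re-arm the confirmation window instead of tripping the monitor. */
mon_state_t out_monitor_step(out_monitor_t *om, const io_snapshot_t *io, uint32_t now_ms)
{
    switch (om->state) {
    case MON_IDLE:
        if (io->cmd) { set_state(om, MON_WAIT_DRIVER, now_ms); om->unexpected_seen = false; break; }
        /* output or actuator active with no command: unintended activation */
        if (io->driver || io->feedback) {
            if (!om->unexpected_seen) { om->unexpected_seen = true; om->t_entered_ms = now_ms; }
            else if (expired(om, now_ms, T_DRIVER_CONFIRM_MS)) enter_safe_state(om);
        } else {
            om->unexpected_seen = false;
        }
        break;
    case MON_WAIT_DRIVER:
        if (!io->cmd)        set_state(om, MON_IDLE, now_ms);
        else if (io->driver) set_state(om, MON_WAIT_ACTUATOR, now_ms);
        else if (expired(om, now_ms, T_DRIVER_CONFIRM_MS)) enter_safe_state(om);
        break;
    case MON_WAIT_ACTUATOR:
        if (!io->cmd)          set_state(om, MON_IDLE, now_ms);
        else if (!io->driver)  set_state(om, MON_WAIT_DRIVER, now_ms);   /* driver dropped: re-confirm */
        else if (io->feedback) set_state(om, MON_ACTIVE, now_ms);
        else if (expired(om, now_ms, T_ACTUATOR_CONFIRM_MS)) enter_safe_state(om);
        break;
    case MON_ACTIVE:
        if (!io->cmd)           set_state(om, MON_IDLE, now_ms);
        else if (!io->driver)   set_state(om, MON_WAIT_DRIVER, now_ms);
        else if (!io->feedback) set_state(om, MON_WAIT_ACTUATOR, now_ms); /* feedback lost: re-confirm */
        break;
    case MON_SAFE_STATE:
        break; /* latched until a diagnostic reset */
    }
    return om->state;
}

#define SCENARIO_LEN 13
/* Two constructed 10 ms traces: a normal brake application with one feedback
 * glitch followed by a command the driver stage never follows; then, on a fresh
 * monitor, a driver output that is on without any command. */
const mon_state_t *run_scenario(void)
{
    static mon_state_t out[SCENARIO_LEN];
    static const io_snapshot_t trace[10] = {
        {0,0,0}, {1,0,0}, {1,1,0}, {1,1,1}, {1,1,0}, {1,1,1}, {0,0,0}, {1,0,0}, {1,0,0}, {1,0,0} };
    out_monitor_t om = {0};
    int i;
    for (i = 0; i < 10; i++) out[i] = out_monitor_step(&om, &trace[i], (uint32_t)i * 10u);
    out_monitor_t om2 = {0};
    io_snapshot_t stuck = {0, 1, 0};
    for (; i < SCENARIO_LEN; i++) out[i] = out_monitor_step(&om2, &stuck, (uint32_t)(i - 10) * 10u);
    return out;
}

int main(void)
{
    static const char *name[] = {"IDLE", "WAIT_DRIVER", "WAIT_ACTUATOR", "ACTIVE", "SAFE_STATE"};
    const mon_state_t *r = run_scenario();
    for (int i = 0; i < SCENARIO_LEN; i++) printf("tick %2d: %s\n", i, name[r[i]]);
    return 0;
}
```

Note that the monitor never commands the actuator itself; it only observes command, driver read-back and feedback, which keeps it independent of the Level1 control strategy as strategy 1) requires.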
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that the specific implementations of the present invention may still be modified or replaced by equivalents, and any such modification or equivalent replacement that does not depart from the spirit and scope of the present invention shall fall within the scope of protection of the claims of the present invention.
| Application Number | Publication Number | Priority Date | Filing Date | Title |
|---|---|---|---|---|
| CN202410812235.4A | CN118810804A | 2024-06-21 | 2024-06-21 | A vehicle controller functional safety architecture system and working method thereof |
| Publication Number | Publication Date |
|---|---|
| CN118810804A | 2024-10-22 |