CN114194125B - Whole vehicle controller, running method of whole vehicle controller and automobile - Google Patents
- Publication number: CN114194125B
- Application number: CN202111669788.1A
- Authority: CN (China)
- Prior art keywords
- core
- state
- vehicle controller
- buses
- reset
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60R—VEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
- B60R16/00—Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for
- B60R16/02—Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for electric constitutive elements
- B60R16/023—Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for electric constitutive elements for transmission of signals between vehicle parts or subsystems
- B60R16/0231—Circuits relating to the driving or the functioning of the vehicle
Landscapes
- Engineering & Computer Science (AREA)
- Automation & Control Theory (AREA)
- Mechanical Engineering (AREA)
- Hardware Redundancy (AREA)
- Small-Scale Networks (AREA)
- Debugging And Monitoring (AREA)
Abstract
The first core and the second core in the vehicle controller serve as active and standby for each other, different groups of CAN buses are configured for the first core and the second core, and a third core in the vehicle controller has permission to schedule the states of the first core and the second core. This realizes redundant communication backup based on multiple cores and multiple CAN buses: when the active core fails, the third core can wake the standby core to take over the buses in time, so that the vehicle controller keeps control of the node devices and safety is improved.
Description
Technical Field
The present disclosure relates to the field of automotive technologies, and in particular, to a vehicle controller, an operation method of the vehicle controller, and an automobile.
Background
As intelligent technology continues to advance in the automotive field, users place ever higher demands on vehicle performance. The vehicle controller (Vehicle Control Unit, VCU) is the core control unit of the automobile. It exchanges information with node devices such as the motor controller, the battery management system, the steer-by-wire system and the light-by-wire system over a CAN (Controller Area Network) bus, vehicle-mounted Ethernet or the like, and issues reasonable and safe instructions by processing the received information so as to control the whole vehicle. The functionality and reliability of the vehicle controller are therefore critical. At present, when a hardware fault occurs (for example, a CAN bus is disconnected) or a single-node fault occurs (for example, poor bus consistency causes a single node to accumulate too many error frames and actively withdraw from the bus), the vehicle controller cannot keep control of the node devices, which poses a significant safety risk.
Disclosure of Invention
According to a first aspect of embodiments of the present disclosure, a vehicle controller is provided, including a first core, a second core, and a third core, where when either of the first core and the second core is in an active state, the other is in a standby state; wherein: the first core is used for communicating with the node devices through a first group of CAN buses when in the active state, and for processing the computing tasks distributed by the second core or keeping a suspended state when in the standby state; the second core is used for communicating with the node devices through a second group of CAN buses when in the active state, and for processing the computing tasks distributed by the first core or keeping a suspended state when in the standby state; the third core is used for monitoring the states of the first core, the second core and the node devices and sending corresponding scheduling signals to the first core or the second core according to the states.
In some embodiments, the first core is further configured to: in the initialization process, checking whether the working state of the second core is a suspension state, if so, maintaining the running state, otherwise, switching to the suspension state; the second core is further configured to: in the initialization process, checking whether the working state of the first core is a suspension state, if so, maintaining the running state, and otherwise, switching to the suspension state.
In some embodiments, the third core is further configured to: in the initialization process, a system clock and node equipment are initialized.
In some embodiments, the third core is further configured to: after the power-on initialization is finished, if the first core is in the active state, monitor whether the first group of CAN buses is alive according to the flag bit of the bus register; if so, continue monitoring; otherwise, send a first scheduling signal to the second core to switch the second core from the standby state to the active state, and send a reset signal to the first core to reset the first core; if the second core is in the active state, monitor whether the second group of CAN buses is alive according to the flag bit of the bus register; if so, continue monitoring; otherwise, send a second scheduling signal to the first core to switch the first core from the standby state to the active state, and send a reset signal to the second core to reset the second core.
In some embodiments, the vehicle controller further includes a watchdog module with a built-in timer; the count value of the timer is cleared by a watchdog-feeding signal periodically sent by the core in the active state, and the third core judges whether the core in the active state has failed according to whether the count value of the timer overflows.
In some embodiments, the first core is further configured to: when receiving the second scheduling signal, acquiring calculation task data of a second core from the shared memory; the second core is further configured to: when a first scheduling signal is received, acquiring computing task data of a first core from a shared memory; the computing task data includes real-time task progress and corresponding variable values.
In some embodiments, the first core is further configured to: after the reset is finished, confirm whether the second core is in the active state, and if so, enter the standby state; the second core is further configured to: after the reset is finished, confirm whether the first core is in the active state, and if so, enter the standby state.
In some embodiments, the first set of CAN buses includes 4-way CAN buses and the second set of CAN buses includes 4-way CAN buses.
According to a second aspect of embodiments of the present disclosure, there is provided a method for operating a vehicle controller, the vehicle controller including a first core, a second core, and a third core, where when either of the first core and the second core is in an active state, the other is in a standby state; the first core communicates with the node devices through a first group of CAN buses when in the active state, and processes the computing tasks distributed by the second core or keeps a suspended state when in the standby state; the second core communicates with the node devices through a second group of CAN buses when in the active state, and processes the computing tasks distributed by the first core or keeps a suspended state when in the standby state; the method is applied to the third core, the method comprising: monitoring the states of the first core, the second core and the node devices; and sending a corresponding scheduling signal to the first core or the second core according to the states.
According to a third aspect of embodiments of the present description, there is provided an automobile comprising the overall vehicle controller of any of the embodiments of the present description.
The technical scheme provided by the embodiment of the specification can comprise the following beneficial effects:
In an embodiment of the specification, a vehicle controller, an operation method of the vehicle controller and an automobile are disclosed, wherein the first core and the second core in the vehicle controller serve as active and standby for each other, different groups of CAN buses are configured for the first core and the second core, and the third core in the vehicle controller has the authority to schedule the states of the first core and the second core. This realizes redundant communication backup based on multiple cores and multiple CAN buses: when the active core fails, the third core can wake the standby core to take over the buses in time, so that the vehicle controller keeps control of the node devices and safety is improved.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the specification and together with the description, serve to explain the principles of the specification.
FIG. 1 is a schematic diagram of a vehicle control unit according to an exemplary embodiment of the present disclosure;
FIG. 2 is a flowchart illustrating a method of operating an overall vehicle controller according to an exemplary embodiment of the present disclosure;
FIG. 3 is a schematic diagram of the architecture of the overall vehicle controller shown in this specification according to an exemplary embodiment;
FIG. 4 is a schematic diagram of an architecture supporting CAN redundancy backup as illustrated in the present specification according to an exemplary embodiment.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the present specification. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present description as detailed in the accompanying claims.
The terminology used in the description presented herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the description. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in this specification to describe various information, the information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, the first information may also be referred to as second information, and similarly, the second information may also be referred to as first information, without departing from the scope of the present description. The word "if" as used herein may be interpreted as "when" or "upon" or "in response to a determination", depending on the context.
As intelligent technology continues to advance in the automotive field, users place ever higher demands on vehicle performance. The vehicle controller (Vehicle Control Unit, VCU) is the core control unit of the automobile. It exchanges information with node devices such as the motor controller, the battery management system, the steer-by-wire system and the light-by-wire system over a CAN (Controller Area Network) bus, vehicle-mounted Ethernet or the like, and issues reasonable and safe instructions by processing the received information so as to control the whole vehicle. The functionality and reliability of the vehicle controller are therefore critical. At present, when a hardware fault occurs (for example, a CAN bus is disconnected) or a single-node fault occurs (for example, poor bus consistency causes a single node to accumulate too many error frames and actively withdraw from the bus), the vehicle controller cannot keep control of the node devices, which poses a significant safety risk.
Based on this, the embodiment of the present specification provides a vehicle controller to solve the above technical problems. Next, embodiments of the present specification will be described in detail.
As shown in fig. 1, fig. 1 is a schematic diagram of a vehicle controller according to an exemplary embodiment of the present disclosure, where the vehicle controller 11 includes a first core 12, a second core 13, and a third core 14, and when any one of the first core 12 and the second core 13 is in a main state, the other is in a standby state;
wherein:
the first core 12 is configured to communicate with the node device 17 through the first set of CAN buses 15 when in the active state, and process the computing task allocated by the second core 13 or maintain the suspended state when in the standby state;
the second core 13 is configured to communicate with the node device 17 via the second set of CAN buses 16 when in the active state, and process the computing task allocated by the first core 12 or maintain a suspended state when in the standby state;
the third core 14 is configured to monitor the states of the first core 12, the second core 13, and the node device 17, and send corresponding scheduling signals to the first core 12 or the second core 13 according to the states.
The vehicle controller of the present embodiment may be a chip with three or more cores. The chip may be an MCU (Microcontroller Unit) chip, which is a chip-level computer formed by appropriately reducing the frequency and specification of a CPU (Central Processing Unit) and integrating a memory, a counter, a USB (Universal Serial Bus) interface, an analog-to-digital converter, a DMA (Direct Memory Access) controller, and the like on a single chip. The MCU chip offers high performance, low power consumption, programmability and high flexibility, and is suitable for use as a vehicle controller. Of course, the chip may be of another type, such as an NPU (Neural-network Processing Unit, embedded neural network processor) chip. It should be noted that the chip may also adopt a heterogeneous architecture, such as an MCU+NPU architecture. A core of the vehicle controller is a hardware unit that can perform computing tasks. Taking the case where the vehicle controller is a multi-core MCU as an example, the multi-core MCU is a microprocessor with two or more CPUs, and each CPU can be regarded as one core of the vehicle controller.
When either of the first core and the second core is in the active state, the other is in the standby state; that is, the first core and the second core serve as active and standby for each other. The core in the active state communicates with the node devices through the buses it has taken over, that is, it executes tasks normally, and it can distribute computing tasks that are computationally heavy and have low real-time requirements to the core in the standby state. The core in the standby state stays silent on the bus; if it receives an allocated computing task it executes that task, and otherwise it keeps a suspended state. The third core of the embodiment may check the states of the first core, the second core and the node devices and schedule accordingly, switching the states of the first core and/or the second core; that is, it schedules the core in the active state to switch to the standby state, and/or schedules the core in the standby state to switch to the active state.
In some examples, when the vehicle controller is a chip integrating energy-efficiency cores (E cores) and performance cores (P cores), the number of pipelines of a P core is generally greater than that of an E core, that is, the performance of a P core is generally higher. The first core and the second core, which are mainly responsible for processing computing tasks, may therefore be P cores, and the third core, which is mainly responsible for scheduling, may be an E core. The first core and the second core may be equivalent, that is, have the same performance. Alternatively, the first core may be set to enter the active state after the vehicle controller starts, that is, by default the first core is active and the second core is standby; in this case, the best-performing core of the vehicle controller may be used as the first core, so that the performance of the first core is higher than that of the second core.
In this embodiment, the first group of CAN buses allocated to the first core and the second group of CAN buses allocated to the second core are different CAN bus channels. CAN is a serial communication network capable of distributed real-time control, and the CAN bus is a multi-master bus system whose communication medium can be any of twisted pair, coaxial cable, optical fiber and the like. The devices connected to the vehicle controller through the CAN bus are called node devices, such as a motor controller, a battery management system, a steer-by-wire system, a light-by-wire system and the like. The architecture of the vehicle controller in the related art is generally a multi-core homogeneous architecture, so the vehicle controller in the related art generally communicates with the node devices through a single group of CAN buses, and once that group fails, control of the node devices cannot be maintained. In this embodiment, two groups of CAN buses are configured and the core in the active state takes over its CAN buses, so that the two groups of CAN buses back each other up redundantly. For example, when both groups of CAN buses operate normally, the first core is in the active state and the second core is in the standby state; when one bus of the first group of CAN buses fails at some moment, the third core detects that the state of the first core is failed and immediately schedules the second core to switch to the active state, and the second core communicates with the node devices through the second group of CAN buses, so that the vehicle controller continues to keep control of the node devices.
The first core and the second core in the vehicle controller of the embodiment serve as active and standby for each other, different groups of CAN buses are configured for the first core and the second core, and the third core in the vehicle controller has the authority to schedule the states of the first core and the second core. This realizes redundant communication backup based on multiple cores and multiple CAN buses: when the active core fails, the third core can wake the standby core to take over the buses in time, so that the vehicle controller keeps control of the node devices and safety is improved.
In some examples, the first core may also be configured to: in the initialization process, check whether the working state of the second core is the suspended state; if so, maintain the running state, and otherwise switch to the suspended state; the second core may also be used to: in the initialization process, check whether the working state of the first core is the suspended state; if so, maintain the running state, and otherwise switch to the suspended state. The run (run) state and the suspend (hold) state here represent actual operating states of a core; the actual operating states of a core may also include an idle (idle) state and a reset (reset) state. The run state means the core is executing a computing task; the suspended state means the core has stopped working and is waiting to be woken; the idle state means the core is waiting to be assigned a computing task; the reset state means the core is being restored to its starting state. When the first core and the second core are initialized, each checks whether the working state of the other is the suspended state; if so, it keeps the running state, and otherwise it switches to the suspended state, so that after the initialization of the first core and the second core is completed, only one of the two cores is in the running state.
In some examples, the third core may also be used to: in the initialization process, initialize the system clock and the node devices. The system clock can be a circuit composed of an oscillator, a frequency divider and the like; all cores of the vehicle controller perform actions such as instruction execution and state transitions driven by the system clock, and all node devices perform actions such as serial data transmission and analog-to-digital conversion driven by the system clock. Having the system clock and the node devices initialized by the third core, which does not need to bear computing tasks, improves reliability. For example, if the first core initialized the system clock and the node devices and entered a reset state during that process, it would re-initialize the system clock and the node devices after the reset finished, the original progress of the system clock and the node devices would be lost, and reliability would be reduced; having the second core initialize the system clock and the node devices carries the same safety risk. The third core bears no computing tasks and is lightly loaded, so this situation is unlikely to occur, and reliability is improved.
In addition, after the initialization is completed, the third core can maintain the running state, check the states of the first core and the second core, and perform corresponding scheduling according to the states. The states herein may include a primary state/standby state, and an operating state, for example, when the third core checks that both the first core and the second core are in the standby state, a scheduling signal may be sent to one of the cores, so that the core that receives the scheduling signal switches to the primary state; or when the third core checks that the first core and the second core are in the running state, a state update signal may be sent to the core in the standby state to instruct the core that receives the state update signal to switch the working state to the suspended state or the idle state, where it should be noted that, if the core that receives the state update signal is executing the computing task allocated by the core in the active state, the state update signal may be ignored. The third core may check the states of the first core and the second core by means of inter-core communication, such as SRI Crossbar (a bus system capable of implementing inter-core communication), etc.
In some examples, the third core may also be used to: after initialization is completed, if the first core is in the active state, monitor whether the first group of CAN buses is alive according to the flag bit of the bus register; if so, continue monitoring; otherwise, send a first scheduling signal to the second core to switch the second core from the standby state to the active state, and send a reset signal to the first core to reset the first core; if the second core is in the active state, monitor whether the second group of CAN buses is alive according to the flag bit of the bus register; if so, continue monitoring; otherwise, send a second scheduling signal to the first core to switch the first core from the standby state to the active state, and send a reset signal to the second core to reset the second core. The bus register is built into the vehicle controller and records the liveness of each CAN bus channel through a flag bit. The third core can monitor whether the corresponding CAN bus is alive or has exited according to the flag bit of the bus register, and when a CAN bus exits from the group of CAN buses connected to the core in the active state, the third core can schedule the core in the standby state to switch to the active state, so that the vehicle controller keeps control of the node devices, realizing redundant backup based on multiple cores and multiple CAN buses.
To improve the accuracy of the state check of the first core and the second core, in other examples the vehicle controller may further include a watchdog module with a built-in timer, whose count value is cleared by a watchdog-feeding signal periodically sent by the core in the active state; the third core judges whether the core in the active state has failed according to whether the count value of the timer overflows. The watchdog module may be a timer circuit. When either of the first core and the second core is in the active state, it outputs a signal to the watchdog module at intervals; this signal, called the watchdog-feeding signal, clears the count value of the watchdog module's timer. If the watchdog is not fed for longer than a specified time, the count value of the timer overflows, which indicates that the core in the active state has failed. The third core may then send a scheduling instruction to the core in the standby state to switch it to the active state, and at the same time send a reset signal to the core in the active state so that it enters the reset state and is reset. Through the watchdog module, the third core can therefore schedule promptly when the active core fails, and the vehicle controller can keep control of the node devices, realizing redundant backup based on multiple cores and multiple CAN buses.
Also, to make the active/standby switchover seamless, in some examples, the first core may also be configured to: when receiving the second scheduling signal, acquire the computing task data of the second core from the shared memory; the second core may also be used to: when receiving the first scheduling signal, acquire the computing task data of the first core from the shared memory; the computing task data includes real-time task progress and the corresponding variable values. The shared memory can be a shared data area in the vehicle controller that the first core, the second core and the third core can all read and write. When the first core and the second core execute a computing task, they can write key parameters of the task, such as the real-time task progress and the corresponding variable values, into the shared memory; and when the first core, the second core and the third core run normally, they can write necessary running states into the shared memory, for example, when the first core switches to the active state, data indicating that the first core is in the active state can be written into the shared memory. The core that has just switched to the active state can therefore acquire from the shared memory the real-time task progress and the corresponding variable values of the core that was previously in the active state and continue executing the computing task, so that the bus takeover is seamless.
Further, in some examples, the first core may also be used to: after the reset is finished, confirm whether the second core is in the active state, and if so, enter the standby state; the second core may also be used to: after the reset is finished, confirm whether the first core is in the active state, and if so, enter the standby state. That is, after the reset is finished, the first core or the second core can confirm the state of its counterpart in the active/standby pair. If the counterpart is confirmed to be in the active state, the core actively enters standby mode; if the counterpart is confirmed not to be in the active state, which indicates that the counterpart may have failed or be in reset, the core may not enter standby mode but instead keep the active mode it had before the reset and continue executing the previous computing task. The first core or the second core may confirm the state of its counterpart through the shared memory and/or through the SRI Crossbar; in other embodiments, the confirmation may be implemented through other inter-core communication mechanisms.
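The monitoring and switchover behaviour described in the four paragraphs above (bus flag bits, watchdog overflow, shared-memory handoff and the post-reset role check), modelled as an added C example that is not part of the patent. The register layout (one flag bit per CAN channel, four per group), the watchdog limit of three supervisor passes and all type and function names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model: the patent defines no register layout, API or timing values. */
enum role { ROLE_STANDBY, ROLE_ACTIVE, ROLE_RESET };
enum { CORE1 = 0, CORE2 = 1, NO_CORE = -1 };

#define GROUP_MASK 0x0Fu  /* 4 liveness flag bits per CAN group (assumed layout) */
#define WDG_LIMIT  3u     /* supervisor passes without a feed before overflow (assumed) */

struct task_ctx { uint32_t progress; int32_t vars[4]; };

struct vcu {
    enum role role[2];
    uint8_t bus_flags;          /* bits 0-3: group 1, bits 4-7: group 2; 1 = alive */
    uint32_t wdg_count;         /* watchdog timer count */
    struct task_ctx shared;     /* shared-memory checkpoint of the active core */
    struct task_ctx local[2];   /* each core's working copy */
};

void vcu_init(struct vcu *v)
{
    /* Default assumed here: first core active, second standby, all buses alive. */
    *v = (struct vcu){ .role = { ROLE_ACTIVE, ROLE_STANDBY }, .bus_flags = 0xFF };
}

/* A group counts as alive only if every one of its channels is alive. */
bool group_alive(const struct vcu *v, int core)
{
    uint8_t flags = (uint8_t)((v->bus_flags >> (core * 4)) & GROUP_MASK);
    return flags == GROUP_MASK;
}

int active_core(const struct vcu *v)
{
    if (v->role[CORE1] == ROLE_ACTIVE) return CORE1;
    if (v->role[CORE2] == ROLE_ACTIVE) return CORE2;
    return NO_CORE;
}

/* Active core: feed the watchdog and checkpoint task state to shared memory. */
bool active_feed(struct vcu *v, int core)
{
    if (v->role[core] != ROLE_ACTIVE) return false;  /* standby core does not feed */
    v->wdg_count = 0;
    v->shared = v->local[core];
    return true;
}

/* Third core, one monitoring pass. Returns the promoted core or NO_CORE. */
int supervisor_tick(struct vcu *v)
{
    int act = active_core(v);
    if (act == NO_CORE) return NO_CORE;
    v->wdg_count++;                               /* timer advances each pass */
    bool failed = !group_alive(v, act) || v->wdg_count >= WDG_LIMIT;
    int peer = 1 - act;
    /* Switch only when a standby core exists; a peer still in reset cannot take over. */
    if (!failed || v->role[peer] != ROLE_STANDBY) return NO_CORE;
    v->local[peer] = v->shared;   /* scheduling signal: standby loads the checkpoint */
    v->role[peer] = ROLE_ACTIVE;
    v->role[act] = ROLE_RESET;    /* reset signal to the failed core */
    v->wdg_count = 0;
    return peer;
}

/* Core leaving reset: standby if the peer is active, otherwise resume as active. */
enum role core_reset_done(struct vcu *v, int core)
{
    if (v->role[core] != ROLE_RESET) return v->role[core];
    v->role[core] = (v->role[1 - core] == ROLE_ACTIVE) ? ROLE_STANDBY : ROLE_ACTIVE;
    return v->role[core];
}

int main(void)
{
    struct vcu v;
    vcu_init(&v);
    v.local[CORE1].progress = 42;              /* constructed sample task state */
    active_feed(&v, CORE1);
    v.bus_flags &= (uint8_t)~(1u << 2);        /* one channel of group 1 drops */
    printf("promoted core index: %d\n", supervisor_tick(&v));
    printf("second core resumes at progress %u\n", (unsigned)v.local[CORE2].progress);
    return 0;
}
```

The takeover core resumes from the last checkpoint only, so anything the failed core computed after its final feed is not carried over in this model.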
For the first group of CAN buses and the second group of CAN buses, considering that current multi-core MCU chips generally support 8 CAN bus channels, in some examples the first group and the second group may each include 4 CAN bus channels, so that the performance of the first core and the performance of the second core are balanced, and the control capability of the vehicle controller remains unchanged before and after the active core is switched. Of course, in other embodiments, the number of CAN buses included in the first group and in the second group may differ, and the total number of CAN buses may be greater than 8, which is not limited in this specification.
It should be noted that the vehicle controller may further include other hardware units, such as a housing, a memory, other communication interfaces, etc., where the memory may include, but is not limited to: phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory, etc. In addition, the vehicle controller of the present embodiment can be applied to various types of vehicles including conventional buses, automated guided vehicles, and the like.
Corresponding to the embodiment of the whole vehicle controller, the present specification also provides an embodiment of the operation method of the whole vehicle controller. Fig. 2 is a flowchart of an operation method of a whole vehicle controller according to an exemplary embodiment. The whole vehicle controller includes a first core, a second core and a third core, and the method, which is applied to the third core, includes:
Step 201: monitoring the states of the first core, the second core and the node equipment; the first core communicates with the node equipment through a first group of CAN buses when in the main state, and processes computing tasks distributed by the second core or keeps a suspension state when in the standby state; the second core communicates with the node equipment through a second group of CAN buses when in the main state, and processes computing tasks distributed by the first core or keeps a suspension state when in the standby state; when either of the first core and the second core is in the main state, the other core is in the standby state;
Step 202: sending a corresponding scheduling signal to the first core or the second core according to the states.
The implementation of each step in this embodiment is described in detail in the implementation of the functions and roles of each module of the whole vehicle controller above, and is not repeated here.
In order to describe the vehicle controller of the present specification in more detail, a specific embodiment is described below:
Fig. 3 is a schematic diagram of the structure of the whole vehicle controller of the present embodiment. The whole vehicle controller of the present embodiment includes a processor 31, a memory 32 and a communication interface 33, and all the components are electrically connected to each other through at least one communication bus to realize data transmission or interaction. The memory 32 may be used to store programs that can run on the processor 31, and the communication interface 33 may be used for communication of signaling or data with the node devices. Specifically, in this embodiment, the processor 31 employs a three-core MCU chip, which includes three independent cores, Core0, Core1 and Core2, where Core0 is an E core and Core1 and Core2 are P cores, and the three cores can operate simultaneously in a lockstep state (Lockstep). The memory comprises a shared memory (Shared Memory), which is a common memory area shared by the three cores; each of Core0, Core1 and Core2 can read and write the shared memory, for example, to write the key parameters and necessary running states of a computing task into it. Core1 and Core2 are equivalent, with Core1 being the main core and Core2 being the backup core by default. In addition, the whole vehicle controller of the embodiment further comprises a watchdog module: when the main core is in the run state, the main core periodically sends a watchdog feeding signal to the watchdog module so as to clear the count value of a timer arranged in the watchdog module, and when the count value of the timer arranged in the watchdog module overflows, the main core sends a reset signal.
The whole vehicle controller of this embodiment can be used to build the architecture supporting CAN redundancy backup shown in fig. 4. In this architecture, the first set of CAN buses 42 is allocated to Core1 (denoted as 411 in the figure) of the whole vehicle controller 41, and the second set of CAN buses 43 is allocated to Core2 (denoted as 412 in the figure) of the whole vehicle controller 41. nodeA, nodeB and nodeC (denoted as 441, 442 and 443 in the figure, in turn) are three of the node devices 44, and both the first set of CAN buses 42 and the second set of CAN buses 43 are connected to each node device 44. The termination resistors 45 in the architecture provide proper circuit matching to reduce standing waves and losses in signal transmission; optionally, the termination resistors may be 120 ohm resistors.
The whole vehicle controller provides communication redundancy backup capability based on the following operation scheme:
First, in the initialization phase:
Core1 performs the following actions: it checks the working state of Core2; if Core2 is in the halt state, Core1 maintains the run state and starts to execute computing tasks; if Core2 is not in the halt state, Core1 enters the halt state;
Core2 performs the following actions: it checks the working state of Core1; if Core1 is in the halt state, Core2 maintains the run state and starts to execute computing tasks; if Core1 is not in the halt state, Core2 enters the halt state;
Core0 performs the following actions: it initializes the system clock and the node devices, enters the run state, and checks the working states of Core1 and Core2 through the SRI Crossbar; if both Core1 and Core2 are in the run state, it sends an indication signal to Core2 instructing Core2 to switch its working state to the halt state;
Second, in the normal operation phase:
Core1 performs the following actions: it executes computing tasks normally, distributes some computing tasks that are computationally heavy and have low real-time requirements to Core2 through the shared memory, and communicates with the node devices through the first group of CAN buses;
Core2 performs the following actions: it undertakes the computing tasks distributed by Core1; if, while executing a computing task, it receives an indication signal sent by Core0 instructing it to enter the halt state, it ignores the indication signal; after completing the computing task, it enters an idle state and, as the backup core, stays silent on the second group of CAN buses;
Core0 performs the following actions: it detects whether each bus is alive through the flag bit of the bus register, detects whether the program of the main core is running through the watchdog module, confirms the states of Core1 and Core2 using the SRI Crossbar as the inter-core communication mechanism, and has the authority to schedule the states of Core1 and Core2;
Third, when a fault occurs, i.e., Core0 detects a Core1 fault (e.g., watchdog timeout, CAN bus exit, etc.):
Core0 performs the following actions: it sends a scheduling signal to Core2 to wake Core2 to take over the bus and, after the bus has been successfully taken over, sends a reset signal to Core1;
Core2 performs the following actions: when it receives the scheduling signal, it switches to main core mode, acquires the real-time task progress and the corresponding variable values of Core1 from the shared memory, continues to execute the computing task, and communicates with the node devices through the second group of CAN buses;
Core1 performs the following actions: when it receives the reset signal, it enters the reset state and resets; after the reset is finished, it checks the shared memory and confirms the state of Core2 through the SRI Crossbar; if Core2 has taken over the bus, Core1 actively enters standby core mode and undertakes the standby tasks previously borne by Core2.
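The fault-handling sequence above (checkpoint in shared memory, detection by Core0, takeover before reset, and rejoin after reset) can be modelled on a host as follows. This is an added illustrative example, not code from the patent: every type and function name, the single checkpointed variable acc, and the rule that a takeover fails when the standby core's own CAN group is down are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Host-side model of the failover scheme; every name is hypothetical. */
typedef enum { ST_STANDBY, ST_MAIN, ST_RESET } core_state_t;

typedef struct {              /* checkpoint area in shared memory */
    uint32_t progress;        /* real-time task progress */
    int32_t  acc;             /* one corresponding variable value */
    int      main_core;       /* running state: 1 = Core1, 2 = Core2 */
} shm_t;

typedef struct {
    core_state_t state[3];    /* [1] = Core1, [2] = Core2, [0] unused */
    bool     bus_alive[3];    /* bus register flag per CAN group */
    bool     hung[3];         /* fault injection: core stops executing */
    uint32_t progress[3];     /* each core's private task context */
    int32_t  acc[3];
    uint32_t wdt, wdt_limit;  /* watchdog count and overflow threshold */
    shm_t    shm;
} vcu_t;

static int peer(int id) { return id == 1 ? 2 : 1; }

void vcu_init(vcu_t *v, uint32_t wdt_limit) {
    *v = (vcu_t){0};
    v->state[1] = ST_MAIN;            /* Core1 is the default main core */
    v->state[2] = ST_STANDBY;
    v->bus_alive[1] = v->bus_alive[2] = true;
    v->wdt_limit = wdt_limit;
    v->shm.main_core = 1;
}

/* One unit of work on the main core: compute, checkpoint, feed the dog. */
void main_core_step(vcu_t *v) {
    int m = v->shm.main_core;
    if (v->hung[m] || v->state[m] != ST_MAIN) return;
    v->progress[m] += 1;
    v->acc[m] += (int32_t)v->progress[m];
    v->shm.progress = v->progress[m]; /* checkpoint first, then feed */
    v->shm.acc = v->acc[m];
    v->wdt = 0;
}

/* Standby core on a scheduling signal: restore checkpoint, take the bus.
 * Assumption: takeover fails if the standby core's CAN group is down. */
static bool take_over(vcu_t *v, int id) {
    if (v->state[id] != ST_STANDBY || !v->bus_alive[id]) return false;
    v->progress[id] = v->shm.progress;
    v->acc[id] = v->shm.acc;
    v->state[id] = ST_MAIN;
    v->shm.main_core = id;
    return true;
}

/* Core0 tick: check watchdog and bus flag, schedule the standby core,
 * and reset the failed core only after a successful takeover. */
int core0_tick(vcu_t *v) {
    int m = v->shm.main_core;
    v->wdt += 1;
    bool fault = v->wdt > v->wdt_limit || !v->bus_alive[m];
    if (fault && take_over(v, peer(m))) {
        v->state[m] = ST_RESET;
        v->wdt = 0;
    }
    return v->shm.main_core;          /* id of the main core after the tick */
}

/* A core leaving reset checks its peer before choosing a role. */
core_state_t reset_done(vcu_t *v, int id) {
    if (v->state[id] != ST_RESET) return v->state[id];
    v->hung[id] = false;
    if (v->state[peer(id)] == ST_MAIN) {
        v->state[id] = ST_STANDBY;    /* peer owns the bus: become backup */
    } else {
        v->state[id] = ST_MAIN;       /* peer failed or resetting: stay main */
        v->shm.main_core = id;
    }
    return v->state[id];
}
```

Because the checkpoint is written before the watchdog is fed, any state the standby core restores is at least as recent as the last feed, so the work that can be lost in a switchover is bounded by the watchdog overflow window.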
Through the above scheme, an architecture combining an HSM (Hardware Security Module), a secure internal communication bus and a distributed memory protection system is constructed, which improves the security of the whole vehicle system while meeting hard real-time requirements; moreover, multiple CAN buses are used for communication redundancy backup, which achieves seamless communication link switching under low-level faults and ensures the safety of high-level automated driving to a certain extent.
Corresponding to the foregoing embodiments, the present specification further provides an embodiment (not shown) of an automobile, where the automobile includes the vehicle controller of the foregoing embodiments. The automobile can be a traditional passenger car, a traditional bus and the like, and can also be an automated driving vehicle, such as an automated driving sweeper, an automated driving passenger car and the like.
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
Other embodiments of the present description will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This specification is intended to cover any variations, uses, or adaptations of the specification following, in general, the principles of the specification and including such departures from the present disclosure as come within known or customary practice within the art to which the specification pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the specification being indicated by the following claims.
It is to be understood that the present description is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be made without departing from the scope thereof. The scope of the present description is limited only by the appended claims.
The foregoing description of the preferred embodiments is provided for the purpose of illustration only, and is not intended to limit the scope of the disclosure, since any modifications, equivalents, improvements, etc. that fall within the spirit and principles of the disclosure are intended to be included within the scope of the disclosure.
Claims (6)
1. A whole vehicle controller, characterized by comprising a first core, a second core and a third core, wherein when either of the first core and the second core is in the main state, the other one is in the standby state; the first core, the second core and the third core are integrated on the same chip; the chip is configured on the whole vehicle controller; wherein:
the first core is used for communicating with the node equipment through the first group of CAN buses when in the main state; when in the standby state, keeping a suspension state when no computation task distributed by the second core is received, and processing the computation tasks distributed by the second core when such tasks are received; in the initialization process, checking whether the working state of the second core is a suspension state, if so, maintaining the running state, otherwise, switching to the suspension state; when receiving the second scheduling signal, acquiring computing task data of the second core from the shared memory; after the reset is finished, confirming whether the second core is in the main state, and if so, entering the standby state;
the second core is used for communicating with the node equipment through the second group of CAN buses when in the main state; when in the standby state, keeping a suspension state when no computation task distributed by the first core is received, and processing the computation tasks distributed by the first core when such tasks are received; in the initialization process, checking whether the working state of the first core is a suspension state, if so, maintaining the running state, otherwise, switching to the suspension state; when receiving the first scheduling signal, acquiring computing task data of the first core from the shared memory; the computing task data includes real-time task progress and corresponding values; after the reset is finished, confirming whether the first core is in the main state, and if so, entering the standby state;
the third core is used for monitoring the states of the first core, the second core and the node equipment and sending corresponding scheduling signals to the first core or the second core according to the states; after the power-on initialization is finished, if the first core is in the main state, monitoring whether the first group of CAN buses is alive according to the flag bit of the bus register, if so, continuing monitoring, otherwise, sending a first scheduling signal to the second core so as to switch the second core from the standby state to the main state, and sending a reset signal to the first core so as to reset the first core; if the second core is in the main state, monitoring whether the second group of CAN buses is alive according to the flag bit of the bus register, if so, continuing monitoring, otherwise, sending a second scheduling signal to the first core so as to switch the first core from the standby state to the main state, and sending a reset signal to the second core so as to reset the second core.
2. The vehicle controller of claim 1, wherein the third core is further configured to: in the initialization process, a system clock and node equipment are initialized.
3. The vehicle controller of claim 1, further comprising: the watchdog module is internally provided with a timer; and the count value of the timer is cleared according to a dog feeding signal periodically sent by the core in the main state, and the third core judges whether the core in the main state fails according to whether the count value of the timer overflows or not.
4. The overall vehicle controller of claim 1, wherein the first set of CAN buses comprises a 4-way CAN bus and the second set of CAN buses comprises a 4-way CAN bus.
5. An operation method of a whole vehicle controller, characterized in that the whole vehicle controller comprises a first core, a second core and a third core, and the first core, the second core and the third core are integrated on the same chip; the chip is configured on the whole vehicle controller; when either of the first core and the second core is in the main state, the other core is in the standby state; the first core communicates with the node equipment through a first group of CAN buses when in the main state; when in the standby state, it keeps a suspension state when no computation task distributed by the second core is received, and processes the computation tasks distributed by the second core when such tasks are received; in the initialization process, it checks whether the working state of the second core is a suspension state, if so, maintains the running state, otherwise, switches to the suspension state; when receiving the second scheduling signal, it acquires computing task data of the second core from the shared memory; after the reset is finished, it confirms whether the second core is in the main state, and if so, enters the standby state; the second core communicates with the node equipment through a second group of CAN buses when in the main state; when in the standby state, it keeps a suspension state when no computation task distributed by the first core is received, and processes the computation tasks distributed by the first core when such tasks are received; in the initialization process, it checks whether the working state of the first core is a suspension state, if so, maintains the running state, otherwise, switches to the suspension state; when receiving the first scheduling signal, it acquires computing task data of the first core from the shared memory; the computing task data includes real-time task progress and corresponding values; after the reset is finished, it confirms whether the first core is in the main state, and if so, enters the standby state; the method is applied to the third core, the method comprising:
monitoring states of the first core, the second core and the node equipment;
sending a corresponding scheduling signal to the first core or the second core according to the state;
after the power-on initialization is finished, if the first core is in the main state, monitoring whether the first group of CAN buses is alive according to the flag bit of the bus register, if so, continuing monitoring, otherwise, sending a first scheduling signal to the second core so as to switch the second core from the standby state to the main state, and sending a reset signal to the first core so as to reset the first core; if the second core is in the main state, monitoring whether the second group of CAN buses is alive according to the flag bit of the bus register, if so, continuing monitoring, otherwise, sending a second scheduling signal to the first core so as to switch the first core from the standby state to the main state, and sending a reset signal to the second core so as to reset the second core.
6. An automobile comprising the vehicle controller according to any one of claims 1 to 4.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111669788.1A CN114194125B (en) | 2021-12-31 | 2021-12-31 | Whole vehicle controller, running method of whole vehicle controller and automobile |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114194125A (en) | 2022-03-18 |
CN114194125B (en) | 2024-01-19 |
Family
ID=80657749
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111669788.1A Active CN114194125B (en) | 2021-12-31 | 2021-12-31 | Whole vehicle controller, running method of whole vehicle controller and automobile |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114194125B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115447510B (en) * | 2022-10-10 | 2024-10-11 | 北京超星未来科技有限公司 | Vehicle-mounted computing platform control system, method and storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104228589A (en) * | 2014-09-05 | 2014-12-24 | 北京新能源汽车股份有限公司 | High-level safety device of pure electric vehicle based on double CPUs |
CN105550074A (en) * | 2015-12-08 | 2016-05-04 | 中国计量学院 | Aerospace computer |
CN107054255A (en) * | 2017-05-03 | 2017-08-18 | 北京电子工程总体研究所 | A kind of vehicle-mounted complex control system of land equipment vehicle |
CN109664846A (en) * | 2018-12-11 | 2019-04-23 | 北京赛迪认证中心有限公司 | A kind of autonomous driving vehicle circuit |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10628275B2 (en) * | 2018-03-07 | 2020-04-21 | Nxp B.V. | Runtime software-based self-test with mutual inter-core checking |
Also Published As
Publication number | Publication date |
---|---|
CN114194125A (en) | 2022-03-18 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||