Title of invention: Architecture for scalable fault tolerance in integrated fail-silent and fail-operational systems
Abstract: An integrated fail-silence and fail-operational control system includes a primary controller controlling features of devices while operating under non-fault operating conditions. A secondary controller includes a fail detector/decider module monitoring faults in the primary controller. The fail detector/decider module determines whether the fault in the primary controller is associated with a fail-silence requirement or a fail-operational requirement. If the fail detector/decider module determines the fault is a fail-silence requirement, then the fail detector/decider module actuates a shutdown command to the primary controller to shut down a feature affected by the fault, whereupon the feature becomes non-operational. If the fail detector/decider module determines that the feature associated with the fault is a fail-operational requirement, then the fail detector/decider module signals the primary controller to relinquish control of the feature to the secondary controller. The secondary controller functions as a high-assurance system for controlling the feature in a fail-operational mode.
Publication number: US9563523 (B2)
Publication date: 2017.02.07
Application number: US201514688083
Filing date: 2015.04.16
Applicant: GM Global Technology Operations LLC
Inventors: Fuhrman Thomas E.; Samii Soheil
Classification: G06F11/00; G06F11/20
Main classification: G06F11/00
Agency: Quinn Law Group
Agent: Quinn Law Group
Independent claim:
1. An integrated fail-silence and fail-operational control system comprising:
a primary controller controlling features of devices while operating under non-fault operating conditions; a secondary controller including a fail detector/decider module, the fail detector/decider module monitoring faults in the primary controller and the secondary controller, the fail detector/decider module determining whether the fault in the primary controller is associated with a fail-silence requirement or a fail-operational requirement, wherein if the fail detector/decider module determines the fault is a fail-silence requirement, then the fail detector/decider module actuates a shutdown command to the primary controller to shut down a feature affected by the fault, whereupon the feature becomes non-operational, and wherein if the fail detector/decider module determines that the feature associated with the fault is a fail-operational requirement, then the fail detector/decider module signals the primary controller to relinquish control of the feature to the secondary controller, wherein the secondary controller functions as a high-assurance system for controlling the feature in a fail-operational mode.
Address: Detroit MI US
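The decision logic described in the abstract and the independent claim, as an added illustration that is not part of the patent record or of GM's implementation: a secondary controller hosts the fail detector/decider, classifies each fault in the primary by the affected feature's requirement, and either shuts the feature down (fail-silent) or takes control of it (fail-operational). The feature names, the fault-reporting call and the requirement assignments are constructed for the example; the page names no specific features.

```python
from dataclasses import dataclass
FAIL_SILENT, FAIL_OPERATIONAL = "fail-silent", "fail-operational"  # requirement classes
PRIMARY, SECONDARY, OFF = "primary", "secondary", "off"             # who controls a feature

@dataclass
class Feature:
    name: str
    requirement: str      # FAIL_SILENT or FAIL_OPERATIONAL
    owner: str = PRIMARY  # the primary controls every feature under non-fault conditions

class PrimaryController:
    def __init__(self, features):
        self.features = {f.name: f for f in features}
        self.faulted = set()  # names of features whose control loop has failed
    def report_fault(self, name):        # constructed fault injection for the demo
        self.faulted.add(name)
    def shutdown(self, name):            # acts on the decider's shutdown command
        self.features[name].owner = OFF  # the feature becomes non-operational
    def relinquish(self, name):          # hands control of the feature to the secondary
        self.features[name].owner = SECONDARY

class SecondaryController:
    """Hosts the fail detector/decider and runs any feature handed over to it."""
    def __init__(self, primary):
        self.primary = primary
    def detect_and_decide(self):
        """One monitoring cycle: classify each unhandled fault and act on it."""
        decisions = {}
        for name in sorted(self.primary.faulted):
            feature = self.primary.features[name]
            if feature.owner != PRIMARY:
                continue  # already shut down or taken over: never decide twice
            if feature.requirement == FAIL_SILENT:
                self.primary.shutdown(name)
                decisions[name] = "shutdown"
            else:
                self.primary.relinquish(name)
                decisions[name] = "handover"
        return decisions

def run_scenario():  # constructed scenario: two faults in one cycle, then a repeat
    primary = PrimaryController([Feature("infotainment", FAIL_SILENT),
                                 Feature("steer_by_wire", FAIL_OPERATIONAL)])
    secondary = SecondaryController(primary)
    primary.report_fault("infotainment")
    primary.report_fault("steer_by_wire")
    first = secondary.detect_and_decide()
    primary.report_fault("steer_by_wire")  # a repeated fault must not re-trigger a decision
    second = secondary.detect_and_decide()
    return first, second, {f.name: f.owner for f in primary.features.values()}
```

The second cycle returns no decisions because the decider only acts on features still owned by the primary, which keeps a persistent fault from repeatedly re-issuing shutdown or handover commands.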