CN217008192U - Circuit arrangement for preventing faulty data transmission via a bus interface


Publication number: CN217008192U
Authority: CN (China)
Prior art keywords: bus interface, microcontroller, bus, circuit, circuit arrangement
Legal status: Active
Application number: CN202090000456.7U
Other languages: Chinese (zh)
Inventors: A·万德利希, A·菲施
Current Assignee: Vitesco Technologies GmbH
Original Assignee: Vitesco Technologies GmbH

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/0703 Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
    • G06F11/0706 Error or fault processing not based on redundancy, the processing taking place on a specific hardware platform or in a specific software environment
    • G06F11/0736 Error or fault processing not based on redundancy, in functional embedded systems, i.e. in a data processing system designed as a combination of hardware and software dedicated to performing a certain function
    • G06F11/0739 Error or fault processing not based on redundancy, in a data processing system embedded in automotive or aircraft systems
    • G06F11/0751 Error or fault detection not based on redundancy
    • G06F11/0754 Error or fault detection not based on redundancy by exceeding limits
    • G06F11/0766 Error or fault reporting or storing
    • G06F11/0772 Means for error signaling, e.g. using interrupts, exception flags, dedicated error registers
    • G06F11/0796 Safety measures, i.e. ensuring safe condition in the event of error, e.g. for controlling element


Abstract

The utility model relates to a circuit arrangement for preventing faulty data transmission via a bus interface (BUS), comprising a microcontroller (MC), a bus interface module (BT) connected to the microcontroller (MC), and a monitoring unit (MU) which monitors the microcontroller (MC), wherein both the microcontroller (MC) and the monitoring unit (MU) have disconnection outputs which are each connected to an input of a logical AND circuit (AND), and wherein a switching unit (SE; SR) which connects the bus interface module (BT) to a supply voltage potential (VDDx) is connected to the output of the AND circuit (AND) in order to be able to disconnect the bus interface module (BT) from the supply voltage in the event of a fault.

Description

Circuit arrangement for preventing faulty data transmission via a bus interface
Technical Field
The utility model relates to a circuit arrangement for preventing faulty data transmission via a bus interface, having a microcontroller, a bus interface module connected to the microcontroller, and a monitoring unit for monitoring the microcontroller.
Bus interfaces, such as CAN, FlexRay, Ethernet or LIN, which are used in vehicles to control safety-relevant actuators via control devices, are mostly included in safety disconnection schemes. The aim here is to block bus communication in the event of a fault.
In a first possible scenario, an enable pin present at the bus interface module or bus transceiver, which is also referred to as a mode control pin, is used for disconnection. By means of this pin, the transmission direction can be blocked or the transceiver can be completely deactivated.
In another possible case, a disconnection of the transmission path within the microcontroller is used. In this case, the function is triggered internally by software or externally by pins at the microcontroller.
However, the solutions described above may not meet the FIT rates required for ASIL D safety objectives, because common cause failures of the voltage supply schemes of, for example, microcontrollers, logic circuits and bus transceivers cannot be ruled out.
Background
DE 102011016706 A1 discloses a circuit arrangement for a control unit for carrying out a fail-silent or fail-safe function, which has a microcontroller comprising a hardware-implemented monitoring device which detects errors in individual modules of the microcontroller and has at least one output in order to inform external components about detected errors by means of a signal voltage, and which has a bus driver for communication of the control unit with a bus network, wherein the signal voltage applied to the output of the monitoring device is used to control the bus driver when an error is detected by the monitoring device, so that the bus communication of the control unit is interrupted.
The bus driver may comprise a bus monitor interface with an input and the output of the monitoring device is connected to the input of the bus monitor interface, wherein a high level of the signal voltage is applied at the output of the monitoring device in the normal case and a low level of the signal voltage is applied in the fault case, and the bus driver interrupts the bus communication if a low level is present at the input of the bus monitor interface.
This solution and the solutions described above cannot be used for all bus transceivers in the automotive field, since the enable pins are not present on all bus interface modules or bus transceivers.
The disconnection within the microcontroller is not guaranteed outside the specified voltage range and is not present on some manufacturers' microcontrollers.
Disclosure of Invention
It is therefore an object of the present invention to provide a circuit arrangement for preventing faulty data transmission via a bus interface, which circuit arrangement is independent of the specific properties of the microcontroller and of the bus transceiver.
This object is achieved by a circuit arrangement according to the utility model.
The circuit arrangement according to the utility model for preventing faulty data transmission via a bus interface is therefore formed by a microcontroller, a bus interface module connected to the microcontroller and a monitoring unit which monitors the microcontroller, wherein both the microcontroller and the monitoring unit have disconnection outputs which are each connected to one input of a logical AND circuit, and wherein a switching unit which connects the bus interface module to a supply voltage potential is connected to the output of the logical AND circuit in order to be able to disconnect the bus interface module from the supply voltage in the event of a fault.
Irrespective of the specific properties of the microcontroller or the enable input of the bus transceiver or of the bus interface module, data transmission can therefore be prevented in the event of a fault in an advantageous and simple manner, since the voltage supply of the bus interface module is interrupted and it can therefore no longer be operated.
The switching unit can be a switching element which is connected between a supply voltage potential, preferably a positive supply voltage potential, of the supply voltage supplied to the bus interface module and its respective supply voltage input. In this case the bus interface module is simply separated from the supply voltage.
In an alternative embodiment of the circuit arrangement according to the utility model, the switching unit is a voltage regulator, from which the bus interface module is supplied with a supply voltage. A defined level at the output of the logical AND circuit causes the voltage regulator to be deactivated, so that no supply voltage is present at the bus interface module any more and the bus interface module likewise becomes inactive.
In an advantageous embodiment of the circuit arrangement according to the utility model, the voltage regulator and the monitoring unit, and possibly also the AND circuit, are integrated in one electronic module. This is a so-called power-supply ASIC (application-specific integrated circuit) with an integrated watchdog circuit.
Drawings
The utility model is explained in more detail below by means of embodiments with the aid of the drawings.
Fig. 1 shows a first embodiment of a circuit arrangement according to the utility model; and
Fig. 2 shows a second embodiment of the circuit arrangement according to the utility model.
Detailed Description
In a first variant of the circuit arrangement according to the utility model, as shown in Fig. 1, the microcontroller MC has two data ports, one of which is connected to the data transmission channel TxD and the other to the data reception channel RxD. The data transmission channel and the data reception channel are connected to the respective inputs or outputs of a bus interface module BT, which is also commonly referred to as a bus driver or a bus transceiver. The bus interface module BT then outputs signals at the levels defined by the bus specification onto the respective bus BUS, or has a receiving circuit capable of receiving and converting these signals. All buses in common use today, such as a CAN bus, a FlexRay bus, an Ethernet bus or a LIN bus, can be considered as the bus.
The bus interface module BT is coupled to a voltage supply source VDDx in the manner according to the utility model via a switching unit, which in the embodiment of Fig. 1 is formed by a switching element SE, for example a MOSFET.
The microcontroller MC is monitored for correct functioning in a known manner by a monitoring unit MU, usually called a watchdog, which, like the microcontroller MC, has a disconnection output DIS.
The disconnection outputs DIS of the microcontroller MC and of the monitoring unit MU are each connected to an input of a logical AND circuit AND, which may be designed, for example, as a simple AND gate.
The monitoring unit MU and the logical AND circuit may be designed as separate modules or as one integrated module.
The output of the logical AND circuit AND is connected to the control input of the switching element SE, in order to be able to open the switching element in the event of a fault, so that the bus interface module BT is no longer connected to the positive potential VDDx of the voltage supply source and is therefore no longer supplied. As a result, the bus interface module can no longer transmit signals via the bus BUS, so that, for example, actuators such as injection valves cannot be actuated erroneously.
In a second variant of the circuit arrangement according to the utility model, as shown in fig. 2, identical components are provided with the same reference numerals and are also connected to one another in the same manner. These components are therefore not described again, for which reference is made to the description of the variant of fig. 1.
The bus interface module BT is coupled to a voltage supply source which is designed as a voltage regulator SR and likewise provides the bus interface module BT with a positive voltage supply potential VDDx and a negative voltage supply potential GND. The bus interface module is coupled in the manner according to the utility model here to a voltage regulator SR, which is constructed in an integrated circuit IC, which is generally referred to as a Power-Supply-ASIC.
The integrated circuit IC is connected for communication and for monitoring via one or more channels Comm/MO. The integrated circuit furthermore has a port which is connected to the disconnection port DIS of the microcontroller MC and, within the integrated circuit IC, to an input of the logical AND circuit AND. In the embodiment presented, the integrated circuit is supplied by the vehicle battery at a voltage Vbatt.
In this exemplary embodiment the monitoring unit MU is likewise constructed in the integrated circuit IC, and so is the logical AND circuit AND. In this case, the disconnection output of the monitoring unit MU is advantageously connected directly on the semiconductor chip to the logical AND circuit AND. The output of the logical AND circuit AND is connected in the same way directly on the semiconductor chip to the voltage regulator SR, so that the voltage regulator can be deactivated in the event of a fault.
The circuit arrangement according to the utility model makes it possible to implement a flexible disconnection concept which can be used for a variety of different transceivers and can also be used independently of the microprocessor manufacturer. All safety-relevant control tasks implemented via the bus interface can be reliably performed in this case.

Claims (5)

1. Circuit arrangement for preventing faulty data transmission via a bus interface (BUS), having a microcontroller (MC), a bus interface module (BT) connected to the microcontroller (MC), and a monitoring unit (MU) which monitors the microcontroller (MC),
wherein both the microcontroller (MC) and the monitoring unit (MU) have disconnection outputs which are each connected to an input of a logical AND circuit (AND),
and wherein a switching unit (SE; SR) connecting the bus interface module (BT) to a supply voltage potential (VDDx) is connected to an output of the AND circuit (AND) in order to be able to disconnect the bus interface module (BT) from the supply voltage in the event of a fault.
2. The circuit arrangement according to claim 1, wherein the switching unit (SE) is a switching element.
3. The circuit arrangement according to claim 1, wherein the switching unit (SE) is a voltage regulator (SR).
4. The circuit arrangement according to one of claims 1 to 3, wherein the voltage regulator (SR) and the Monitoring Unit (MU) are constructed integrally in one module (IC).
5. The circuit arrangement according to claim 4, wherein said AND-circuit (AND) is also integrally constructed in said module (IC).
CN202090000456.7U 2019-03-26 2020-03-25 Circuit arrangement for preventing faulty data transmission via a bus interface Active CN217008192U (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
DE102019204176.0 2019-03-26
DE102019204176.0A DE102019204176B4 (en) 2019-03-26 2019-03-26 Circuit arrangement for preventing incorrect data transmission via a bus interface
PCT/EP2020/058387 WO2020193642A1 (en) 2019-03-26 2020-03-25 Circuit arrangement for preventing erroneous data transmission via a bus interface

Publications (1)

Publication Number Publication Date
CN217008192U (en) 2022-07-19

Family

ID=70057105

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202090000456.7U Active CN217008192U (en) 2019-03-26 2020-03-25 Circuit arrangement for preventing faulty data transmission via a bus interface

Country Status (3)

Country Link
CN (1) CN217008192U (en)
DE (1) DE102019204176B4 (en)
WO (1) WO2020193642A1 (en)

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1672505A3 (en) * 2004-12-20 2012-07-04 BWI Company Limited S.A. Fail-silent node architecture
DE102005061392A1 (en) * 2005-12-22 2007-06-28 Robert Bosch Gmbh Bus guardian for monitoring and controlling access to data bus, has serial peripheral interface approving access of controller to data bus only when communication offers normal functioning of controller
DE102009055797A1 (en) * 2009-11-25 2011-05-26 Valeo Schalter Und Sensoren Gmbh Circuit arrangement and a control unit for safety-related functions
DE102011009183A1 (en) * 2011-01-21 2012-07-26 Continental Automotive Gmbh Circuit device for use in control device of motor car, has voltage monitoring lines formed with switch that is controlled by microcontroller, where switch is closed with successful initialization of control device by microcontroller
DE102011016706A1 (en) 2011-04-11 2012-10-11 Conti Temic Microelectronic Gmbh Circuit arrangement with fail-silent function
DE102012209582A1 (en) * 2012-06-06 2013-12-12 Robert Bosch Gmbh Integrated controller, in particular voltage regulator, and personal protective equipment control unit
DE102014213206B4 (en) * 2014-07-08 2022-03-17 Vitesco Technologies GmbH Control arrangement for safety-related actuators
DE102015201278B4 (en) * 2015-01-26 2016-09-29 Continental Automotive Gmbh control system

Also Published As

Publication number Publication date
DE102019204176B4 (en) 2021-05-27
DE102019204176A1 (en) 2020-10-01
WO2020193642A1 (en) 2020-10-01


Legal Events

Date Code Title Description
GR01 Patent grant