DE-102024133036-A1 - Fail-silent vehicle ECU with maintenance of Ethernet on-board communication
Abstract
The invention relates to a control unit (1) for a vehicle (2), comprising a switching module (3), a safety microcontroller (4), an Ethernet switch (5), and an oscillator (6) connected to the safety microcontroller (4) and the Ethernet switch (5), which is configured to transmit a synchronization signal to the safety microcontroller (4) and the Ethernet switch (5) for communication between the safety microcontroller (4) and the Ethernet switch (5), characterized in that the switching module (3) is configured to switch off the synchronization signal or stop its transmission to the safety microcontroller (4) and/or the Ethernet switch (5) upon detection of a fault in the safety microcontroller (4), without interrupting the power supply to the Ethernet switch (5).
Inventors
- Gwenael Helmy
Assignees
- BAYERISCHE MOTOREN WERKE AKTIENGESELLSCHAFT
Dates
- Publication Date: 2026-05-13
- Application Date: 2024-11-12
Claims (8)
- Control unit (1) for a vehicle (2), comprising a switching module (3), a safety microcontroller (4), an Ethernet switch (5), and an oscillator (6) connected to the safety microcontroller (4) and the Ethernet switch (5), which is configured to transmit a synchronization signal to the safety microcontroller (4) and the Ethernet switch (5) for communication between the safety microcontroller (4) and the Ethernet switch (5), characterized in that the switching module (3) is configured to switch off the synchronization signal or to stop its transmission to the safety microcontroller (4) and/or to the Ethernet switch (5) upon detection of a fault in the safety microcontroller (4), in each case without interrupting the power supply to the Ethernet switch (5).
- Control unit (1) according to Claim 1, wherein the control unit (1) has at least one further integrated microcontroller (7) which is connected to the Ethernet switch (5) of the control unit (1).
- Control unit (1) according to one of the preceding claims, wherein the safety microcontroller (4) is designed as a system-on-a-chip.
- Control unit (1) according to one of the preceding claims, wherein the switching module (3) is a Power Management Integrated Circuit.
- Control unit according to one of the preceding claims, wherein the switching module (3) is connected to the safety microcontroller (4) via a power supply rail and a data rail.
- Vehicle (2) with at least one control unit (1) according to one of the preceding claims.
- Vehicle (2) according to Claim 6, wherein the vehicle (2) has further control unit modules (8) which are connected to the control unit (1) via an Ethernet network.
- Method for operating a control unit (1) of a vehicle (2), wherein an oscillator (6) connected to an Ethernet switch (5) and a safety microcontroller (4) of the control unit (1) transmits a synchronization signal to the safety microcontroller (4) and the Ethernet switch (5) for communication between the safety microcontroller (4) and the Ethernet switch (5) (S1), and a switching module (3) switches off the synchronization signal and/or stops its transmission to the safety microcontroller (4) and/or to the Ethernet switch (5) upon detection (S2) of a fault in the safety microcontroller (4) (S3), without interrupting the power supply to the Ethernet switch (5).
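As an added illustration (not code from the patent or its assignee), the following Python model compares three reactions of the switching module (3) to a fault in the safety microcontroller (4): doing nothing, cutting power to the Ethernet switch (the prior-art reaction), and gating the synchronization signal as claimed in Claims 1 and 8. All class and function names are assumptions made for this example.

```python
# Added example: behavioural model of the claimed fail-silent control unit.
# Not the patent's own code; names such as Mcu, Ecu and simulate are assumed.
from dataclasses import dataclass


@dataclass
class Mcu:
    name: str
    clocked: bool = True      # receives the oscillator's synchronization signal
    faulted: bool = False     # a faulted MCU is modelled as emitting invalid frames

    def frame(self):
        """Return (sender, frame_is_valid), or None if the MCU cannot reach the switch."""
        if not self.clocked:
            return None       # no sync signal: the link to the switch stays silent
        return (self.name, not self.faulted)


@dataclass
class Ecu:
    safety_mcu: Mcu           # safety microcontroller (4)
    further_mcu: Mcu          # further integrated microcontroller (7), Claim 2
    switch_powered: bool = True   # power supply of the Ethernet switch (5)

    def forwarded_frames(self):
        """Frames the Ethernet switch (5) forwards onto the vehicle network."""
        if not self.switch_powered:
            return []
        return [f for f in (self.safety_mcu.frame(), self.further_mcu.frame()) if f]


def switching_module_on_fault(ecu, strategy):
    """Reaction of switching module (3) once a fault in the safety MCU is detected."""
    if strategy == "power_cut":          # prior-art reaction: whole switch goes dark
        ecu.switch_powered = False
    elif strategy == "clock_gate":       # claimed reaction: stop the sync signal only
        ecu.safety_mcu.clocked = False   # switch (5) keeps its power supply
    elif strategy != "none":
        raise ValueError(f"unknown strategy {strategy!r}")


def simulate(strategy, fault=True):
    """Run one scenario and return the frames that reach the vehicle network."""
    ecu = Ecu(Mcu("safety_mcu"), Mcu("mcu7"))
    if fault:
        ecu.safety_mcu.faulted = True
        switching_module_on_fault(ecu, strategy)
    return ecu.forwarded_frames()
```

With no reaction the faulted MCU keeps emitting invalid frames; the power cut silences the whole ECU including the healthy microcontroller (7); clock gating silences only the faulted MCU while (7) keeps its Ethernet access.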
Description
The invention relates to a control unit for a vehicle, a vehicle with at least one such control unit, and a method for operating a control unit of a vehicle.

Motor vehicles, such as passenger cars, typically incorporate a large number of sensors and actuators. The actuators often serve numerous subsystems within such a vehicle, and the sensors are likewise distributed throughout the vehicle. Sensors, actuators, and their associated control units must therefore be connected via a network within the vehicle. It is known from the prior art to use an Ethernet network to connect a large number of control units. One possibility is that each control unit includes one or more microcontrollers and its own Ethernet switch as a communication interface to the Ethernet network.

In this context, WO 2021/068067 A1, for example, describes a redundant Ethernet network system in a vehicle comprising a first node connected to a first sensor and a second node connected to a second sensor. A first Ethernet cable connects the first and second nodes, a second Ethernet cable connects the first node to an electronic control unit (ECU), and a third Ethernet cable connects the second node to the ECU. Data from the first and second sensors is transmitted over the Ethernet network to reach the ECU. This sensor data is also compared and processed locally at the first and second nodes to improve reliability and reduce the processing load on the ECU.

CN 115042729 A describes an electronic control unit (ECU) sleep system based on a vehicle Ethernet connection and a shutdown procedure, comprising a central gateway module, a vehicle body control module, a vehicle entertainment module, and an automatic driving module. A 1000BASE-T1 interface is used between the modules to establish a signal link between a PHY sleep signal (physical layer) and an optical module. The low-power process of the devices in the ECU sleep system is furthermore constrained as follows: first, an Ethernet link partner sends a Low Power Protocol (LPS) power-saving command to the device. After the command data is acknowledged, a sleep handshake is initiated, thus realizing a comprehensive and integrated automatic shutdown process that reduces power consumption and extends the device's lifespan.

With regard to safety and fault detection, EP 3 385 728 A1 describes an electronic control system for vehicle safety and the importance of detecting deviations in the performance of processors within this system. The electronic control system consists of a processor with a processor clock and a reference clock source. It also includes a test device configured to calculate the difference between a test count and a reference count, where the reference count and the test count depend on the reference clock source and the processor clock source, respectively.

CN 118300813 A relates to a vehicle-mounted Ethernet communication method, a control unit, an electronic device, and a storage medium in the technical field of communication security. The method comprises the following steps: receiving message content from a communication control unit; assessing the security level of the message content to obtain a security level result; if the result is the first or second security level, retrieving a target authentication key and a target encryption key and performing security authentication of the message content based on the target authentication key; and, if the security authentication succeeds, decrypting the communication ciphertext in the message content based on the target encryption key to obtain the communication data transmitted by the communication control unit. This vehicle-mounted Ethernet communication method ensures the authenticity of the message content, prevents the message content from being transmitted in plaintext only, and can effectively prevent malicious attackers from stealing the message content to be encrypted, thereby improving the security of vehicle-mounted Ethernet communication.

Given the current state of the art, it is logical to interrupt the power supply when a fault is detected in the safety microcontroller of a control unit (also called an ECU, short for "electronic control unit") of a vehicle. The Ethernet switch of this control unit is thereby disabled as a fail-safe measure, preventing the control unit from transmitting data to the rest of the Ethernet network. However, if the control unit contains other microcontrollers besides the safety microcontroller, these are then also unable to access the Ethernet network and communicate with other control units in the vehicle, because the control unit's Ethernet switch has lost its power supply, even if they are otherwise unaffected by the detected fault in the safety microcontroller and are still functioning. This also applies to temporary deactivations of the Ethernet switch, for examp