The invention relates to a circuit arrangement in an electronic control unit of a motor vehicle for the detection of faults in an electronically controlled drive system.
As a result of standards prescribed by law (for example, ISO or CARB Standard Regulations), motor vehicle manufacturers have been required for many years to ensure that electronic control units or electronically controlled systems in motor vehicles, such as the digital engine control or the adaptive transmission control, are capable of self-diagnosing. So-called OBD (On-Board Diagnosis) systems, for example, were developed on that basis. One example of a design of an OBD system is contained in the applicant's German Patent Document DE 197 31 283 A1.
In this respect, the motor-vehicle-internal electronic control units have a large software capacity for self-diagnosis, in addition to the software capacity for the actual function control. One example of a self-diagnosis within the control unit is described in the applicant's German Patent Document DE 196 12 857 A1.
Up to now, the focus of the prescribed fault diagnosis has been the inherent security of each individual control unit or of each individual electronically controlled vehicle system considered separately. This results in high application expenditures. Particularly in the case of a motor or internal-combustion engine control (for spark-ignition engines or diesel engines), it results in a large number of stored characteristic diagrams when each programmed function has to be secured. One example of the expenditure involved in programming just one function, the specification of a desired drive power as a function of the accelerator pedal position, is given in the applicant's German Patent Document DE 102 49 689 A1. If the characteristic diagrams illustrated there for the function programming were inherently securely diagnosed, approximately twice the programming expenditure or storage space would be necessary, because a fault recognition threshold would have to be stored for each characteristic curve of the characteristic diagrams.
Furthermore, from German Patent Document DE 44 38 714 A1, a so-called 3-level security concept currently widespread in practice is known—particularly in connection with electronic engine control units for the control of drive functions. The circuit arrangement according to the invention for the monitoring of drive functions is based on this 3-level security concept. The known 3-level security concept has a complex system architecture, which requires high development expenditures for control unit functionalities, which will become more and more complex and increasingly more cross-linked in the future.
Finally, in addition, reference is made to the applicant's German Patent Document DE 10 2011 002 805.6 (which is not a prior publication) which already contains a process for the detection of faults in an electronically controlled drive system of a motor vehicle, the system architecture for implementing the process not being addressed.
It is an object of the invention to simplify the system architecture of a security concept for the detection of faults in a drive system of a motor vehicle, particularly with the following objectives:
- reducing development expenditures caused by additional functions and components,
- avoiding multiple expenditures at various components,
- restricting security-relevant communication between the control units,
- demand addition from various components (functional and quantitative),
while ISO security evidence for cross-linked systems is to continue to be guaranteed.
According to the invention, this task is implemented by a circuit arrangement according to the invention in an electronic control unit of a motor vehicle for detecting faults in an electronically controlled drive system, which is structured in at least two levels, specifically, a first function-controlling level and a second monitoring level. The two levels acquire at least the accelerator pedal position as an input signal. The first level has a driver intention determination block for determining a quantity proportional to a desired longitudinal acceleration and transmits this quantity as an input signal to a plausibility block of the second level. The plausibility block has at least one fault detection program by which a fault can be detected when a defined (static or dynamic) correct relationship between the accelerator pedal position and/or an accelerator pedal position change with respect to a determined quantity proportional to a desired longitudinal acceleration (particularly for a specified time period) is not present, and this relationship is therefore implausible.
By way of the invention, the main security requirement is met, specifically the avoidance of an unintended acceleration and of an unintended spinning of wheels.
The invention is based on the conventional so-called 3-level security concept, which will be explained in detail below in connection with the description of the figures.
In the circuit arrangement according to the invention, a first fault detection program can preferably be run in the plausibility block, by which a fault is detected when a defined desired longitudinal acceleration gradient, dependent on the accelerator pedal position change, is exceeded for longer than a specified time period (the first defined correct relation is not present). For the implementation of the process according to the invention, the plausibility block of the control unit is programmed correspondingly.
The defined acceleration gradient dependent on an accelerator pedal position change is preferably limited by the maximal slope of a characteristic curve of the actual function extent of the first level by which, depending on the accelerator pedal position, a desired vehicle acceleration is specified. This maximal slope is empirically determined, particularly in driving tests, in order to determine which acceleration gradients can still just be reasonably handled or controlled by the driver. The defined acceleration gradient(s) dependent on an accelerator pedal change is/are stored in a memory of the control unit and are integrated in the plausibility block of the control unit for the implementation of the process according to the invention.
In a further development of the invention, while the accelerator pedal is not actuated, a second fault detection program can be run by the control unit in the plausibility block, by which a fault is recognized when a defined desired longitudinal acceleration threshold value, preferably depending on the vehicle speed, is exceeded for longer than a specified time period (the second defined correct relation is not present).
In a further development of the invention, in the case of a non-activated drive slip control system, a third fault detection program can be run by the control unit in the plausibility block, by which a fault is detected if, when the accelerator pedal is not actuated or the accelerator pedal angle is decreasing, a longitudinal acceleration gradient determined from the rotational wheel speeds is positive for longer than a specified time period, and simultaneously the desired longitudinal acceleration gradient (which is not determined from the rotational wheel speeds) is also positive (the third defined correct relation is not present).
For this purpose, the plausibility block in the second level of the control unit receives, either directly or by way of a digital bus, information such as the rotational wheel speed values or the acceleration determined from the rotational wheel speeds, as input signal(s). The rotational wheel speeds are acquired by way of corresponding sensors in a known manner anyhow, for example, for a slip control.
Furthermore, a fourth fault detection program can be run in the plausibility block, by which a fault is detected when, for a given accelerator pedal position, a disproportionately high desired longitudinal acceleration is specified (the fourth defined correct relation is not present).
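The four fault detection programs described above (gradient check, released-pedal threshold check, wheel-speed-based acceleration check, and disproportion check) can be illustrated by the following added example of a monitoring-level plausibility block. It is example code written for this text, not code from the patent or from the applicant; the characteristic curve, the speed-dependent threshold, the tolerances, the 0.3 s dwell time and the two fault traces are constructed assumptions and are not values the patent specifies. The `Sample`, `PlausibilityBlock`, `first_detections` and trace functions are names chosen here.

```python
"""Monitoring level (level 2) plausibility block: four fault detection programs
checking the relationship between accelerator pedal position and the desired
longitudinal acceleration (a_des) supplied by the function level (level 1).
Added example; all calibration values below are assumed, not from the patent."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Sample:
    t: float                  # time [s]
    pedal: float              # accelerator pedal position [%]; 0 = not actuated
    a_des: float              # desired longitudinal acceleration from level 1 [m/s^2]
    v: float                  # vehicle speed [m/s]
    a_wheel: float            # longitudinal acceleration derived from wheel speeds [m/s^2]
    tcs_active: bool = False  # drive slip control currently intervening


# Assumed calibration (constructed for this example)
K_MAX = 0.05         # maximal slope of the level-1 characteristic [m/s^2 per % pedal]
GRAD_TOL = 0.2       # tolerance on the permitted a_des gradient [m/s^2 per s]
CHAR_MAX = 4.0       # a_des at 100 % pedal in the assumed linear characteristic [m/s^2]
DISPROPORTION = 1.2  # program 4: factor above the characteristic that is implausible
A_OFFSET = 0.1       # program 4: absolute tolerance [m/s^2]
PEDAL_IDLE = 1.0     # pedal below this value counts as "not actuated" [%]
T_DWELL = 0.3        # time a condition must persist before programs 1-3 report [s]


def a_char(pedal: float) -> float:
    """Assumed level-1 characteristic curve: linear from 0 to CHAR_MAX."""
    return min(max(pedal, 0.0), 100.0) * CHAR_MAX / 100.0


def a_des_limit(v: float) -> float:
    """Program 2 threshold, speed dependent (assumed): creep allowance at low speed."""
    return 0.5 if v < 5.0 else 0.2


class PlausibilityBlock:
    def __init__(self) -> None:
        self.prev: Optional[Sample] = None
        self.onset: Dict[int, Optional[float]] = {1: None, 2: None, 3: None}

    def _persists(self, code: int, cond: bool, t: float) -> bool:
        """Debounce: True once `cond` has held for longer than T_DWELL."""
        if not cond:
            self.onset[code] = None
            return False
        if self.onset[code] is None:
            self.onset[code] = t
        return t - self.onset[code] > T_DWELL

    def step(self, s: Sample) -> Set[int]:
        faults: Set[int] = set()
        pedal_idle = s.pedal < PEDAL_IDLE
        # Program 4: a_des disproportionately high for the current pedal position (no dwell)
        if s.a_des > DISPROPORTION * a_char(s.pedal) + A_OFFSET:
            faults.add(4)
        # Program 2: pedal not actuated, yet a_des stays above the speed-dependent threshold
        if self._persists(2, pedal_idle and s.a_des > a_des_limit(s.v), s.t):
            faults.add(2)
        if self.prev is not None and s.t > self.prev.t:
            dt = s.t - self.prev.t
            pedal_rate = (s.pedal - self.prev.pedal) / dt
            grad_des = (s.a_des - self.prev.a_des) / dt
            grad_wheel = (s.a_wheel - self.prev.a_wheel) / dt
            # Program 1: a_des rises faster than the pedal change can justify
            permitted = max(pedal_rate, 0.0) * K_MAX + GRAD_TOL
            if self._persists(1, grad_des > permitted, s.t):
                faults.add(1)
            # Program 3: without TCS, pedal released or decreasing, the vehicle keeps
            # accelerating (wheel speeds) while level 1 still demands more acceleration
            released = pedal_idle or pedal_rate < 0.0
            wheel_cond = (not s.tcs_active) and released and grad_wheel > 0.0
            if self._persists(3, wheel_cond, s.t) and grad_des > 0.0:
                faults.add(3)
        self.prev = s
        return faults


def first_detections(samples: List[Sample]) -> Dict[int, float]:
    """Run the block over a trace; return the time each fault code was first raised."""
    block, first = PlausibilityBlock(), {}
    for s in samples:
        for code in block.step(s):
            first.setdefault(code, s.t)
    return first


def nominal_trace() -> List[Sample]:
    """Constructed: pedal ramps 0 -> 50 % in 1 s at 10 Hz, a_des follows the curve."""
    out, v, a_wheel = [], 0.0, 0.0
    for i in range(40):
        pedal = min(50.0, 5.0 * i)
        a_des = a_char(pedal)
        a_wheel += 0.5 * (a_des - a_wheel)   # wheel-derived acceleration lags a_des
        v += a_wheel * 0.1
        out.append(Sample(i / 10, pedal, a_des, v, a_wheel))
    return out


def _released_pedal_trace(a_des_after: List[float]) -> List[Sample]:
    """Constructed: nominal start, pedal released at t = 2.0 s, a_des as given."""
    out = nominal_trace()[:20]
    v, a_wheel = out[-1].v, out[-1].a_wheel
    for i, a_des in zip(range(20, 40), a_des_after):
        a_wheel += 0.5 * (a_des - a_wheel)
        v += a_wheel * 0.1
        out.append(Sample(i / 10, 0.0, a_des, v, a_wheel))
    return out


def stuck_demand_trace() -> List[Sample]:
    """Level-1 fault: demand frozen at 2 m/s^2 after the pedal is released."""
    return _released_pedal_trace([2.0] * 20)


def runaway_trace() -> List[Sample]:
    """Level-1 fault: demand keeps rising after release, wheels spin up with it."""
    return _released_pedal_trace([min(2.0 + 0.5 * k, 6.0) for k in range(1, 21)])
```

On the nominal trace no program reports. On the frozen-demand trace program 4 reports immediately at release (t = 2.0 s) and program 2 after the dwell time (t = 2.4 s), while programs 1 and 3 stay silent because neither the desired nor the wheel-derived acceleration is still increasing. On the runaway trace all four programs report, program 3 being the one that needs the wheel-speed input: the pedal is released, yet both the wheel-derived gradient and the desired gradient are positive for longer than the dwell time.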
By way of the invention, all required ISO Regulations are complied with:
- the new concept permits manageable analyses and documentations;
- the small number of input variables can be provided with the acquired ASIL level;
- the monitoring precision is at least comparable with the actual-engine torque monitoring of the previous security concept;
- the concept covers all fault mechanisms (such as spinning wheels, actuator system, etc.).
Other objects, advantages and novel features of the present invention will become apparent from the following detailed description of one or more preferred embodiments when considered in conjunction with the accompanying drawings.