An error monitoring is provided in order to prevent an unintentional acceleration of the motor vehicle due to a software or hardware error in the engine control unit, for example. The error monitoring may include a torque-based, acceleration-based and/or power- or energy-based monitoring, in particular a three-level monitoring.
In the torque-based monitoring, a comparison of reference variables, which are generated via different torque-calculating paths, may be used for ascertaining a too high set point for a fuel quantity to be injected to the internal combustion engine, which may result in an unintentional acceleration of the vehicle, i.e., which is not intended by the driver.
In an acceleration-based monitoring, a signal from an acceleration sensor in the motor vehicle is evaluated. For this purpose, the actual vehicle acceleration, as well as the rotational acceleration of the drive train and of the wheels, which is calculated from the measured rotational speeds, is compared to a permissible acceleration. The permissible acceleration is calculated from the driver input, the requirements of driver assistance systems and external control units, braking torques, and tractional resistances.
If an actual acceleration is ascertained, in an acceleration monitoring, which is higher than the permissible acceleration and if this is not attributable to certain general conditions which may erroneously cause an error detection, an unintentional acceleration of a motor vehicle is detected and an error response is triggered, in which the drive system is shifted into an error response operating mode. The error response operating mode may provide that the rotational speed of the drive engine is limited to a maximum permissible engine speed. The maximum permissible engine speed may result from a specified driver input, in particular an accelerator pedal position of an accelerator pedal actuated by the driver of the motor vehicle. The maximum permissible engine speed is forwarded, e.g., to a maximum speed controller which ascertains a limiting torque to which the engine torque requested by the engine control unit is limited, on the basis of a difference between the accelerator pedal-dependent, maximum permissible engine speed and the instantaneous engine speed. If the maximum permissible engine speed is nevertheless exceeded by more than a certain rotational speed offset, e.g., due to an error in the rotational speed controller, an injection fade-out may be additionally requested. If injections continue to take place nevertheless and the engine speed remains above the permissible, accelerator pedal-dependent maximum speed, a safety shutoff of the output stage controlling the fuel injectors may be carried out and an engine shutoff may be initiated.
In certain situations, the acceleration monitoring may also erroneously indicate an error or an acceleration which is too high, e.g., when the actual tractional resistances are substantially lower than is assumed, e.g., on the basis of models, for the calculation of the permissible acceleration. Since the acceleration monitoring is not meaningful in these cases, a switch to an alternative monitoring function initially takes place and, there, the error-free operation is monitored in these situations as well. If the error is also confirmed in the alternative monitoring, the above-described error response is triggered.
If a substitute signal, e.g., calculated from the wheel speed sensors, is used as the acceleration signal instead of the signal from an acceleration sensor, there is a need to continue to provide safety and robustness of the acceleration monitoring system.