The present invention is directed to a process and a circuit for control of power windows, sun roofs, or door locks in motor vehicles with an electromechanical drive arrangement.
It is well known in the art to use bus technology in motor vehicles for data transmission between various electronically controlled devices within an automobile. Thus, for example, the individual door control devices of a door, by which the respective window lifters and the respective locks are controlled, are connected to each other and to a central electronic control module of the motor vehicle. Enabling signals, on which functions of the door control devices or the adjustable devices (window lifters, locks) are dependent, are generated by the central control module.
It has turned out that already with the failure of one part of the electrical circuit (central module or decentralized control devices) connected via the bus that important functions or even all functions of the adjustable devices can be blocked because a failed electronic circuit can no longer deliver the data which are necessary for the generation of enabling signals. Consequently, a risk to the occupants of a motor vehicle may result if the adjustable devices react incorrectly or not at all to the control commands. The situation described is thus unsatisfactory, especially since the technical operability of the adjustable devices would be present again without limitation with intact decentralized electronic circuits.
The failure of parts of the bus system, caused, for example, by water infiltration, fire, or mechanical influences (especially a crash), can lead to additional dangers especially in the event of accident-related emergency situations.
As described in EP 0 869 040 A2, a master control unit and a slave unit for a window lifter, which are connected via a xe2x80x9cmultiplex communication linexe2x80x9d, are known. With a manual power switch, an engine current for a window lifter motor can be switched to the ON position, even if an error occurs in the xe2x80x9cmultiplex communication linexe2x80x9d. However, manual power switches are very expensive and time-consuming to produce. Also, the solution presented in EP 0 869 040 A2 has the great disadvantage that the manual power switch is used only and exclusively in an emergency situation, such that operability cannot be tested until the occurrence of an emergency, and, in the event of inoperability, the manual power switch is an additional unsafe factor in an emergency since this manual power switch represents only untested redundancy for the window lifter system.
Consequently, the object of the invention is to report a circuit for the control of power window lifters, sun roofs, or door locks in motor vehicles, which improves safety in emergency operation without additional redundancy of the operating switch. Another part of the object is to report a process to improve the availability of the adjustable device through the circuit which is disrupted, for example, through a defect of a bus system communicating with the circuit or connections of the circuit, and at the same time to reduce malfunctions of the circuit.
According to the present invention, an input level of at least one connection of a power driver is defined by a logical AND-operation (a switching state) of an operating switch and a switching element. Thus, the operating switch can be used in a particularly advantageous manner both for normal operation and emergency operation without a switchover between normal operation and emergency operation being necessary. The operability and reliability of the operating switch for emergency operation is thus verifiable at all times and can already be monitored automatically by actuation in normal operation by a vehicle occupant.
The AND-operation thus only enables actuation of the power driver if the operating switch is actuated and the switching element performs the AND-operation, is specifically in the ON state. In this case, the power driver is designed such that the input level now present with the application of current to the electromechanical drive device causes an adjustment of the window lifter or the sun roof.
The switching element ensures that the actuation of the power driver can be turned on and off by a control element, for example, a door lock switch of a vehicle door. It is thus possible to prevent intentionally damaging the circuit for misuse, in particular, preventing theft of the motor vehicle by opening the window upon one actuating the operating switch.
Such disconnection of the actuation is controlled in a preferred embodiment of the invention by the circuit in that data for actuation of the switching element are verified once or a plurality of times. Thus, in an emergency situation, it is possible to effectively rule out that the AND-operation as an activated antitheft device prevents actuation of the power driver to open the window by an endangered occupant who wishes to leave the vehicle.
The power driver can be controlled in emergency operation at least by the operating switch preferably in the ON direction. Additional switches or operating switches can also permit opening the window in emergency operation in that a safety switching element, for example, or an automatic switching element is connected in parallel with the operating switch. If, for example, the operating switch fails because of a mechanical defect, the window can also be opened by another operating switch, for example, the operating switch for closing the window or the handle for opening the vehicle door.
The number of input levels is determined according to the type of power driver. For example, a coil of a relay has two connections. The AND-operation determines the potential difference of the input levels between the two connections of the coil of the relay and, thus, whether a control current is flowing through the coil. If, for example, a semiconductor bridge is used as the power controller, the individual transistors of the bridge are connected individually or in groups to a connector directly or through appropriate drivers, for example, charge pumps, and actuated with the input level.
All touch, pressure, or push switches or other switches suitable for this can be used as operating switches. Depending on the requirement of the power driver, the operating switches can be designed as low power switches or load-free potential switches, for example, capacitive switches. A semiconductor bridge is, for example, actuated at a low ohm level by a driver. If the operating switch is intended to enable the supplying of current to a relay, the inclusion of a relay current necessary to operate the relay through the operating switch, for example, a low power switch, must be guaranteed.
In one embodiment, the circuit will switch over to emergency operation adapted, for example, to the failure, based on the detection of a failure, for example, a specific error pattern. In the specification of the functions of emergency operation, i.e., which functions are still permitted, available with limits, or blocked, the risks for malfunctions according to the failure are also taken into account. This differentiated problem solving results, on the one hand, in the fact that upon the occurrence of failures in the system, a comparatively high (possibly maximized) availability of functions is provided and, on the other, in that the risk to the occupants is minimized.
In a preferred embodiment of the invention, a change in the control level of the switching element can be verified by running a safety routine in the circuit. An ARQ protocol (Automatic Request Protocol) is, for example, used as a safety routine. However, all other routines expedient for this, for example, a checksum, may be used. Because of the small amount of data of the control level, the control levels may be verified several times or with high redundancy without having to put up with significant losses in system performance, whereby the control levels transmitted are checked for errors in the safety routine.
In an alternative embodiment, a control level to control the switching element is stored in a static memory, for example, a flip-flop. Static CMOS memories, which, because of their low current consumption, can be buffered for a short-term drop in the supply voltage, are, for example, suitable as memories. Even more advantageous is the use of non-volatile memories, for example, EEPROMs, which do not lose their stored content even for a relatively long failure of the operating voltage. In addition, the switching states and error messages of the safety routine can be recorded in a log file in the EEPROM memory. A logical 1 or logical 0 of CMOS logic or other logic levels such as TTL logic levels, or a bit pattern or analog voltage levels advantageous for the control are possible as control levels.
One output of the static memory is connected with the switching element for control. If the output is directly connected with the switching element, for example, an ON-chip, the probability of errors due to electrostatic or magnetic interference is reduced. In addition, the output can be connected with the input of an element for display of the switching state. If a semiconductor bridge is used as a power driver, the memory, the switching element, and the driver for actuation of the semiconductor bridge are advantageously integrated on a semiconductor chip.
Provision may further be made that the switching element is switched on in the event of the destruction of the memory or deletion of the control level in the memory to enable emergency operation by actuation of the power driver in the open direction. For this, for example, a high ohm pull-up resistor is arranged between the gate NMOS transistor as a switching element and the operating voltage. The destruction, for example, of a non-volatile memory can be caused by high energy x-rays.
In an alternative embodiment, the control level to be stored can be checked by a control unit. For this, the control level and possible additional data to be stored by the control unit are checked for accuracy and set in relation to the type of operation, for example, emergency operation, before the control level is read into the memory, for example, by means of a storage command, a so-called latch command. Until the correct reception of the latch command, the memory retains the previously stored levels as output signals.
In a further embodiment, the memory and the control unit are linked via a serial data line with the microcontroller. The control level is transmitted via the serial data line as a connection. By means of a protocol, the accuracy of the data transmitted by the control unit and the microcontroller is verified. Thus, advantageously, the protected transmission of safety-relevant data, here at least the control level, can be guaranteed for at least a minimum period of time, and, thus, the safety-relevant functions are again made available.
The protocol permits, for a bidirectional serial data line, a request of the already transmitted data under more severe conditions, for example, infiltration of water into the vehicle door and the resultant failure of functional units, for example, a quartz as an external clock, as may occur in emergency operation. For this, the previously transmitted data of the control level is temporarily stored in a comparison memory and re-transmitted for the comparison.
For a process essential to the invention, the operation of the electromagnetic drive arrangement is released by a switching element. The release enables manual or automatic adjustment by means of the drive arrangement for a pre-specified period of time, with specific temporal delays of the turning on or switchover of the drive arrangement. For the release, external and drive-device specific parameters are advantageously evaluated by the microcontroller.
The switching state of the switching element is verified before possible emergency operation by running a safety routine. The safety routine is, in one embodiment of the invention, a program sequence programmed in the microcontroller, which queries and verifies all safety-relevant parameters of the drive arrangement and other electronic devices or electronic units or electronic components connected with the microcontroller. The safety routine is run before possible emergency operation, for example, upon unlocking of the vehicle door or starting the engine, such that the operation of the electromagnetic drive arrangement is ensured by an appropriate enabling of the drive arrangement by the switching element for emergency operation.
In a first of two preferred variants for verification, provision is made that the control level is transmitted from a microcontroller via a bidirectional serial or parallel data line to the memory and back. The control level is verified in the microcontroller, and a memory command (latch) for the storage of the control level is then transmitted to the memory by the microcontroller. In the second variant, provision is alternatively made that the control level is transmitted by a microcontroller via a data line to the memory, and the control level transmitted is verified by a control unit, which controls the storage of the verified control level in the memory. The data line is unidirectional or bidirectional in this variant.
In an advantageous improvement of the invention, a switching state of the switching element or the operating switch can be evaluated by a microcontroller for monitoring. The monitoring by the microcontroller already enables an early error analysis, which can be undertaken in a timely manner by a service technician. The switching state of the switching element or the operating switch can be defective, which also increases the risk of an emergency and impairs emergency operation to open the window.
For monitoring, the switching element or the operating switch is connected to an input of the microcontroller. In particular, the connection of the switching element or the operating switch to the power driver is also connected to the microcontroller. Thus, in a particularly advantageous manner, sticking of a contact of the operating switch or burning out of the switching element, for example, can be detected by the microcontroller.
Advantageously, a relay or a semiconductor bridge is used as a power driver. One coil current of the relay can be switched by the operating switch for actuation, by connecting the operating switch directly or via the switching element with the connection of the coil of the relay. If multiple relays are provided to supply current to the electromechanical drive arrangement, the respective connections are actuated together or with a time offset.
For a semiconductor bridge, at least one input level of the connection of the semiconductor bridge, preferably in the OPEN direction, can be switched by the operating switch. If four individual transistors to bridge are actuated individually, the so-called high-side and the low-side transistor is actuated to open the window.
For a variant of the invention, the switching element and the operating switch are arranged in a series connection as a logical AND-operation. The switching element is preferably a switching transistor, for example, a PMOS transistor, such that one coil current of a relay flows through the coils of the relay and through the switching element (PMOS transistor) and through the operating switch. For the series connection, it is not necessary for the switching element and the operating switch to be directly connected to each other. In addition, an evaluation of the coil current can enable additional analytical functions, for example, to verify the operability of the relay.
In another variant of the invention, the switching element is a switchable current source or a switchable voltage source. Thus, particularly advantageously, the safety of the control level at the connection of the power driver, in particular a semiconductor bridge, is increased. The reduction of the input level, possibly by moisture-induced parallel resistances, can be advantageously countered by the use of voltage sources. In addition, it is possible to detect parasitic parallel resistances with the help of a voltage source or current source and to minimize the risk of non-unique control levels by appropriate switchover.
In an alternative variant of the invention, the switching element is a part of a gate as a logical AND-operation. The position of the operating switch linked to the input of the gate defines an input value of the gate. Thus, particularly advantageously, a logical evaluation with a driver for relatively large output currents is permitted. Moreover, the additional linkage with other conditions can advantageously be logically evaluated. Another condition is, for example, the temporal delay of the output of the control level, which enables shutdown of the drive arrangement in the event of a change in the direction of movement.
Preferably, in emergency operation of a microcontroller every signal recognized as valid is interpreted as an emergency signal. Accordingly, the activation of any operating switch, regardless of the direction of the control command, always results in the opening of the window, preferably in automatic opening. Every lock activation always results, regardless of the direction of the control command, in the unlocking of the door or in the automatic opening of the window. An occupant locked inside the vehicle in an emergency can thus leave the vehicle since, depending on the remaining operable devices, the emergency operation automatically opens at least one emergency opening of the vehicle, i.e., a window or a vehicle door, based on an error pattern.
In another embodiment of the invention, for activation of theft protection outside emergency operation, the switching element is opened after verification. The verification, in this case, evaluates all safety-relevant parameters, whether, for example, a person is still inside the vehicle, whether a crash has occurred, and the crash sensors indicate that the activation of the theft protection is an erroneous message. Alternatively, or in addition, the data for activation are transmitted multiple times to ensure their accuracy with the necessary redundancy. Advantageously, outside of emergency operation, the theft protection is activated with the acknowledgment of all nodes of a CAN-bus which are associated with a safety function. The acknowledgment of all nodes at the time of the rundown of the CAN-bus guarantees that no node has triggered the theft protection due to crash-related malfunctions, which would mean additional danger for the occupants involved in a crash.
However, if the verification showed that it is a matter of normal parking and locking of the vehicle, the operation of the electromagnetic drive arrangement is blocked at least in the open direction, to make entry of a thief by damaging or manipulating the operating switch difficult.