The invention relates to the safety monitoring of a drive in a motor vehicle.
Vehicles with a digital electronic engine control module typically have a safety monitoring of the drive, in order to detect fault situations and to initiate suitable countermeasures. Such fault situations can be induced, for example, by an incorrect calculation in the engine control module (in particular, due to a random hardware error) or can be induced by sensor errors.
A safety monitoring function often serves to guarantee a wide range of safety goals. One safety goal is to prevent the vehicle from accelerating contrary to the driver's intention, for example, because the setpoint drive torque deviates significantly from the driver's request on account of a computational error.
In order to control the engine of motor vehicles, it is often the case that the operating function uses a so-called torque structure that is also referred to as a torque controller. The torque structure processes a driver-requested torque that is determined by an accelerator pedal characteristic map. As a function of the torque requested by the driver and the additional torque demands (for example of subassemblies or the transmission control module), a setpoint drive torque (that is, a torque requirement) is calculated for the drive. From the setpoint drive torque the engine control module then determines the desired engine parameters (for example, the ignition angle, quantity of fuel, etc.) by means of the engine functions in order to control the engine.
A conventional concept for preventing an undesired acceleration consists in essence of simply simulating and calculating in parallel the accelerator pedal characteristic map and the torque structure of the operating function in a safety function. Then the results of the parallel calculation in the parallel path are compared with a corresponding variable from the normal path of the vehicle. In the event of deviations that exceed an allowable tolerance, a fault is detected, for example, after a fault clearance time, and a fault reaction is triggered. A suitable fault reaction is, for example, the shutdown of the fuel supply at higher speeds.
One example of a conventional torque-based concept of a safety function for preventing an undesired acceleration is shown in FIG. 1. In a desired path 1 of the operating function, an accelerator pedal signal, which indicates the deflection of the accelerator pedal, is converted into a driver-requested torque MFW by an accelerator pedal interpreter 2 (accelerator pedal characteristic map). As an alternative, the driver-requested torque MFW can also be determined by a driver assistance system (for example, a cruise control or an adaptive cruise control). In the torque structure 3 a setpoint drive torque Mi,soll is calculated from the driver-requested torque MFW taking into consideration various torque demands 4 (for example, the torque demands of the transmission, the vehicle dynamic control, the speed control or the subassemblies).
The actuator setpoint values 6 of the engine (for example, the ignition angle, fuel quantity, air mass, etc.) are calculated from the setpoint drive torque Mi,soll by way of the engine functions 5. The desired engine parameters 6 serve to control the engine 7. The engine 7 generates an actual drive torque Mi,ist, from which an actual acceleration aist is calculated by way of the vehicle. The actual drive torque Mi,ist is back-calculated by sensors at the engine by means of a dedicated module in the computing block 10 as a function of the actuator setpoint values 6 (or the actuator actual values) and as a function of the signal values 9, because typically there is no torque sensor to measure directly the actual drive torque Mi,ist.
The safety function has a simulation 1* of the desired path 1 up to the torque structure 3. The simulated desired path 1* comprises a simulation 2* of the accelerator pedal characteristic map 2 and a simulation 3* of the torque structure 3. Furthermore, there is a simulation 10* of the actual torque back-calculation 10. The simulations typically involve simplified simulations that calculate with less accuracy, but, therefore, are, in particular, validated.
The back-calculated actual drive torque Mi,ist* and the setpoint drive torque Mi,soll*, which is calculated in the safety function, are compared in a comparison block 11, and in the event of a defined deviation from Mi,ist* and Mi,soll* after a defined fault clearance time, a fault is detected and a suitable fault reaction is triggered.
The object of the present invention is to provide an alternative concept to those described above in order to monitor the safety of a drive.
This engineering object is achieved by the method and apparatus disclosed herein.
A first aspect of the invention relates to an acceleration-based method for the safety monitoring of a drive. In this method a setpoint torque is calculated in a safety function as a function of a characteristic accelerator pedal signal for the position of the accelerator pedal.
As an alternative, the setpoint torque can also be determined as a function of a signal (for example, of a setpoint torque) of a driver assistance system (for example of a cruise control or an adaptive cruise control) that influences the longitudinal movement of the vehicle. An expected vehicle acceleration is determined, as a function of the setpoint torque, in the safety function. In addition, an actual vehicle acceleration is determined, for example, by an acceleration sensor or by differentiating a speed (for example, the rotational speed of the wheels). A fault situation can be detected by comparing the actual vehicle acceleration with the expected vehicle acceleration, for example, when the actual vehicle acceleration exceeds the expected vehicle acceleration by a certain amount (and optionally for a defined fault clearance time).
Then in a fault situation a suitable fault reaction is triggered. For example, the speed may be limited, as a fault reaction, in particular, by preventing the injection of fuel above a specified speed threshold.
The above-described concept has the advantage that there is no need for a simulation of the back-calculation of the actual drive torque, because the comparison takes place on the basis of the acceleration signals. This approach makes it possible to significantly reduce the functional scope of the safety function and, as a result, cuts the costs for the implementation and validation.
Preferably no additional torque demands are considered in the safety function in the direction of the signal after the simulation of the accelerator pedal interpreter, and a torque structure that is present in the operating function and located in the desired path is dispensed with in the safety function. The driver-requested torque generated by the accelerator pedal interpreter is converted preferably directly into a vehicle acceleration (but, for example, a braking torque can still be considered beforehand), so that the driver-requested torque is not changed prior to the conversion into a vehicle acceleration due to additional torque demands. This simplification is based on the knowledge that each of the additional torque demands, such as the intervention of an engine drag torque control that increases the setpoint torque, should be designed in such a way that this intervention does not result in a violation of the safety goal. Despite the possibility of an increase in torque, such a torque demand does not usually result in a noticeable increase in the measurable actual vehicle acceleration and can, therefore, be left out of account in the signal path for determining the expected vehicle acceleration.
The elimination of the torque demands in the safety function makes it possible to significantly reduce the functional scope of the safety function, so that the result is a cost reduction during implementation and validation. In addition, such an elimination allows the safety function to be independent of the operating function that is used for a specific purpose. Changes in the torque structure of the operating function do not require any commensurate changes in the safety function, so that the effort and cost incurred in the implementation and validation of the changes can be reduced. In addition, by decreasing the need to make changes in the safety function there is also less of a risk that a change in the safety function could cause a fault that could have a negative impact on the safety or the availability of the system. The independence of the safety function enables the broad use of the safety function. As a result, the function is subjected to intensive testing that will improve the robustness and reliability.
As an alternative, it can also be provided that one or more additional torque demands are considered in the safety function in the signal direction after the simulation of the accelerator pedal interpreter. However, not all torque demands of the operating function are also considered in the safety function. For example, only the intervention of an electronic transmission control module is considered in the safety function; other torque demands, which are considered in the operating function, are not considered in the safety function. According to an advantageous embodiment, the setpoint torque is determined not only as a function of an accelerator pedal signal, but also as a function of a service brake-based brake signal. Preferably a braking torque, which acts on the service brake, is used for this purpose. For example, prior to the calculation of the setpoint acceleration the braking torque is superposed with a torque request, delivered by the accelerator pedal interpreter, in the signal direction in the safety function. If a brake signal is considered in the safety function, then it is possible to detect, for example, the fault case that the drive torque of the engine is too high owing to a fault and that the driver is endeavoring to compensate for this fault by applying the brake. If the brake information is considered, then it can be detected if the actual vehicle acceleration is inadmissibly high during a braking action. In addition, by considering the braking torque it is possible to monitor whether the actual delay of the vehicle at the current braking torque is inadmissibly large.
The actual vehicle acceleration can be calculated, for example, by differentiating a wheel rotational speed. However, this procedure has the drawback that the actual vehicle acceleration also comprises, depending on the degree of climb, a corresponding component that can be attributed to the climbing resistance. In order to compensate for this climbing resistance, a climb signal has to be considered when determining the actual vehicle acceleration, a feature that is associated with additional effort and costs. In order to eliminate this disadvantage, the actual vehicle acceleration is determined preferably with the use of a signal of at least one acceleration sensor. Thus, there is no need to include a climb signal in the calculation. Owing to the physical measuring principle of such an acceleration sensor, only a driving or delaying actual acceleration, which is not caused by the climb, is outputted by the sensor. Acceleration sensors belong to the group of inertial sensors and measure the acceleration, which is caused by an initial force acting on a test mass.
For example, in the case of a vehicle standing in a firmly braked manner on a slope, an acceleration sensor shows the gravitational acceleration component in the direction of the slope—that is, a=g·sin α at the acceleration due to gravity g and the inclination α of the slope. This matches, according to F=m·a (ignoring the friction), exactly the force that acts in the longitudinal direction on the vehicle and is necessary to hold the vehicle. If, however, the vehicle is not firmly braked and rolls down the slope without drive, then in participle no acceleration is indicated. Consequently the measuring principle determines precisely the acceleration that is caused by driving or braking, but not caused by the slope descending force.
It is advantageous that, in addition to the actual vehicle-longitudinal acceleration, the influence of the moments of inertia of the drive and/or the wheels during a change in speed is also considered—for example, the moments of inertia of two wheels of the engine driven axle (or all four wheels), of the engine and/or of the crankshaft. Thus, it is possible, for example, to detect an engine torque that is set incorrectly too high when there is insufficient contact with a road surface at a low coefficient of friction, even though the vehicle does not show an obvious increase in the vehicle-longitudinal acceleration owing to the spinning wheels. Preferably in this case a torque and/or a corresponding rotationally acting acceleration—both of which are caused by the moments of inertia of the drive and/or one or more wheels—are/is calculated.
For example, the actual vehicle acceleration is determined as a function of the actual vehicle-longitudinal acceleration (which is determined, in particular, by an acceleration sensor) and as a function of an actual acceleration due to the inertia of the drive and/or wheels. For example, in order to calculate the actual vehicle acceleration, the actual vehicle-longitudinal acceleration and the actual acceleration due to the inertia of the drive and/or the wheels are added. As an alternative to the consideration in the actual path, the actual acceleration can be considered owing to the inertia of the drive and/or wheels in the desired path of the safety function, in which the expected acceleration is determined (and in this case it is then subtracted).
In addition to the longitudinal acceleration, the transverse acceleration can also be considered, in order to compensate for the sensor errors of an acceleration sensor, in order to determine the longitudinal acceleration at a high float angle.
The safety monitoring provides that the expected vehicle acceleration and the actual vehicle acceleration are compared with each other. The actual vehicle acceleration can be derived from the vehicle-longitudinal acceleration and optionally an acceleration due to the inertia of the drive and/or the wheels.
The comparison typically takes place in the direction of too high an acceleration. It is checked whether the actual vehicle acceleration exceeds the expected vehicle acceleration in a defined way—for example, whether the actual vehicle acceleration deviates upwards from the expected vehicle acceleration by more than a defined specified tolerance—for example, by 1.5 m/s2. The specified tolerance may not be constant and can depend on the operating point—for example, on the value of the accelerator pedal signal and/or the brake signal.
Preferably the comparison also takes place in the direction of too high a delay, in order to cover the safety goal of the undesired delay. For this purpose it is checked whether the actual vehicle acceleration drops below the expected vehicle acceleration in a defined way—for example, whether the actual vehicle acceleration deviates downwards from the expected vehicle acceleration by more than a defined fixed (for example, by 1.5 m/s2) or variable specified tolerance. The specified tolerance may increase, for example, over a subrange of the accelerator pedal signal in the same way as the expected acceleration as the accelerator pedal application increases.
An advantageous embodiment of the safety monitoring function provides that the absence of the frictional connection in the drive train is detected. A frictional connection in the drive train is not present, for example, if the clutch is actuated or no gear is engaged. On detection of the absence of the frictional connection, the safety function can be deactivated, for example, by deactivating the fault detection or a fault reaction (for example, for a defined period of time). It can also be provided that the tolerance of the safety monitoring is increased—for example, the tolerance of the fault detection is increased. This expansion serves the purpose of avoiding a fault detection or fault reaction in such an improper case as the acceleration of the vehicle due to a force outside the vehicle—for example, when the vehicle is being towed or when the vehicle moves in a car wash.
Preferably a tow start detection is provided. Tow start is defined herein as the movement of the vehicle by forces outside the vehicle for the purpose of starting an internal combustion engine—for example, by towing with a second vehicle. On detection of the tow start, the safety monitoring can be deactivated or the tolerance of the safety monitoring can be increased, for example, for a defined period of time. In order to detect a tow start, the vehicle speed (or the wheel rotational speed), the engine speed and the actuation of the start device can be evaluated. A tow start is detected, for example, by the increase in the engine speed, starting from a zero speed without actuation of a starter. To this end it can be checked, for example, whether a self-running threshold (below the idle speed) has been reached or exceeded, starting from a zero speed.
A second aspect of the invention relates to a device for safety monitoring. This device can be a part of an electronic engine control module. The safety monitoring device comprises hardware and/or software such as a suitably programmed control module, for determining a setpoint torque as a function of a characteristic accelerator pedal signal for the position of the accelerator pedal. Furthermore, the safety monitoring device determines an expected vehicle acceleration as a function of the setpoint torque. In addition, the device determines (or only considers) an actual vehicle acceleration. An acceleration sensor can be used to determine the actual vehicle acceleration. Furthermore, the device detects a fault situation in that the actual vehicle acceleration is compared with the expected vehicle acceleration.
The above embodiments of the inventive method according to the first aspect of the invention also apply in a corresponding way to the inventive device according to the second aspect of the invention.
Other objects, advantages and novel features of the present invention will become apparent from the following detailed description of one or more preferred embodiments when considered in conjunction with the accompanying drawings.