The present invention generally relates to a control system for adjusting devices of a motor vehicle which, in addition to a basic mechanical function, carry out an additional function which can be achieved by electronic devices, the control system having at least one sensor for receiving an input value which is provided to a computer for generating a control signal for controlling a control element assigned to the additional function, and more particularly to an arrangement and process for carrying out an emergency measure in the case of a failure during use of such a control system.
The control devices discussed in the following and which are contemplated for use with preferred embodiments of the present invention include rear-axle steering arrangements in addition to conventional front-axle steering arrangements, superimposed front-axle steering arrangements in addition to conventional front-axle steering arrangements, active roll stabilizing arrangements, active suspension arrangements, or so-called electronic gas pedal arrangements.
All control arrangements have in common that a basic mechanical function exists which, in the case of the rear-axle steering arrangement, represents the zero position of the rear wheels. In the case of the superimposed steering arrangement, the conventional front-axle steering position is the mechanical function. In the case of the roll stabilizing arrangement and the active suspension, the conventional mechanical suspension is the basic mechanical function. And in the case of the electronic gas pedal, the initial position of an internal-combustion engine power control or regulating element is the basic mechanical function.
The emergency measure required to compensate for a failure of any control system will differ according to each application and/or severity of the failure. In the simplest case, it may consist of switching the control element to an ineffective state for the additional function or of arresting the control element in the position which immediately precedes the failure. To the extent that this is possible, the control element, in a controlled manner, may also be changed to a defined uncritical inoperative position. The failure, in turn, may be contained in one of the function chains forming the control system or in the control element itself.
In this field of technology, different solutions are known for recognizing an emergency and for triggering an emergency measure. Particularly, in the field of airplane construction, the so-called two-out-of-three redundancy exists for this purpose. This means that three function branches or function chains are set up which are independent from one another, and a failure of one function branch is recognized by the failure-free functioning of the other two function branches, and the faulty function branch is eliminated in this manner. Devices of this type cannot be used in motor vehicles for reasons of cost and installation space.
In the case of track-bound bus systems, two parallel function branches are known, of which each separately carries out the desired control function. If there is a failure in one function branch, this function branch is switched off, and only the other function branch continues to operate. A system of this type represents no increase of system reliability because, in the case of a failure, only one single function branch is available which will then operate in a completely "unprotected manner". A failure of the remaining function branch can then no longer be recognized and eliminated.
In the case of a use of such a system in motor vehicles, there is the additional problem that a complete doubling of the function branches results in the doubling of the control element for the additional function. In the case of a failure, the control element of the faulty function branch may now block the function of the other control element. This circumstance also indicates that such a safety concept is not suitable for motor vehicles.
Accordingly, it is an object of the present invention to provide an electronic control system of the initially mentioned type which, with low expenditures, offers a maximum of functional reliability and which, specifically in the case of a failure, reliably causes the carrying-out of an emergency measure.
In addition, a further object of the present invention is to provide a process which, by means of using such a control system, in the case of a failure, initiates an emergency measure with an effect which is as advantageous as possible with respect to safety.
These and other objects are achieved by preferred embodiments of the present invention by providing the control system with substantially redundant function chains including operating elements arranged in a novel and unobvious manner, one function chain operating the control element of the additional function and the other function chain operating as a safety back-up without direct control of the control element. Each function chain is divided into separate sections or function steps, which carry out a particular function, such as sensing, signal processing, controlling or the like.
With the prerequisite of the basic mechanical function, the safety concept for the control system is shaped by the monitoring of identically operating elements of each function step of the function chains as well as the triggering of the emergency measure when, during this comparison, a failure of one of the two elements of a function step of a function chain is determined. These elements are one or several sensor(s) for providing the input values of the computer, the computer itself as well as an emergency device.
In addition, a processing or converting unit for the sensor signals, which may be connected at the output side of the sensors and is not discussed here, may be provided as well as amplifiers or the like connected to the output side of the computer. Each emergency device should separately be able to carry out a sufficient emergency measure.
In the case of the above-mentioned rear-axle steering arrangement, an emergency measure, in the case of a relatively minor failure, may consist of guiding the deflected rear wheels in a targeted manner and with finite speed back into the zero position. In the case of a severe failure of, for example, one of the computers or of the control element, it may be necessary to hold the rear wheels in the position which was adjusted last, i.e., immediately before the occurrence of the failure.
All emergency measures have in common that they either retain the just existing function condition or change it in a direction which increases safety. For the case of the rear axle steering arrangement, this means that the rear wheels, in the case of an emergency, remain in the present position, i.e., are held also in the deflected condition, or are led back to the central position, i.e., the deflection is eliminated.
In the case of the electronic gas pedal, the power adjusting element of the internal-combustion engine is held or is returned to the zero position. In the case of the power adjusting element, this zero position is determined by the idling stop and, in the case of the rear-axle steering, is determined by the straight-ahead moving of the rear wheels and may also be reached by means of the basic mechanical function or within the scope of the basic mechanical function. For this purpose, simple spring elements may be provided, for example, which cause the adjusting of the basic function and against the effect of which the control element operates for the additional function. In the case of a failure, it may be provided as an emergency measure to disengage the control element and to carry out, by means of the mechanical spring elements, the adjustment of the basic mechanical function, in this case, the zero position of the adjusted part.
The monitoring of the individual elements of the function chains, in the case of the sensors supplying the input values, may take place at low expenditures by means of the computer connected on the output side of the sensors. For this purpose, the output signals of the sensors are supplied to each of the computers. These computers examine the output signals with respect to functional equality and are capable of determining a functional deviation of the output signals. In this case, the possibility also exists of identifying the faulty sensor and triggering a relatively careful emergency measure in that the control element is rendered ineffective at a finite speed.
The next element of the function chain, in the form of the computers, may advantageously be monitored by means of a communication device. This type of a device, in the simplest case, may be constructed as a data line or advantageously as a dual-port RAM. Each computer has a memory area there in which it can write and read itself and in which the respective other computer can read only.
It is another object of preferred embodiments of the present invention to ensure the triggering of an emergency measure not only if one failure occurs, but also when a so-called double failure, i.e., two failures, occurs. In this case, these failures must be able to occur simultaneously, i.e., within one clock pulse at arbitrary points of the control system. By means of the step-by-step examining of the function chain with respect to the same function, the occurring of two failures at different steps is relatively uncritical because the emergency measure is already triggered by the failure of the step which is earlier in the signal sequence of the function chain.
However, a case is critical in which a failure occurs in one function step and particularly in the case of two elements which correspond functionally in a direct manner. It is theoretically possible that these failures are of the same type or lead in the same direction and can therefore not be recognized by a monitoring device. This problem is solved in that identically operating elements of the two function chains vary with respect to their method of operation and/or quality and/or quantity of their input or output signals.
The concrete significance of this is that, in the case of computers, the computers of the two function chains preferably originate from different manufacturers and/or operate according to different algorithms and/or in a different fashion (for example, as 8-bit or 16-bit processors).
Equivalent sensors may vary in their output signals. If, for example, two sensors, i.e. one sensor for each function step, are provided for an angle of rotation, for example, of the steering wheel, the method of operation of the two sensors may differ with respect to their pulse quantity or their initial signal quality. The latter is, for example, achieved by the fact that one of the two sensors supplies a digital output signal and the other one supplies an analog output signal.
Output signals of a different polarity or different gradients, a different response behavior, a different mechanical transmission, different measuring principles, etc. should also be mentioned here.
In this manner, it becomes possible to achieve a maximum of reliability by means of microscopic variety, while macroscopically the function is the same, and to avoid with an almost certain probability the above-mentioned case of a malfunctioning in the same direction of two functionally identical elements of a corresponding function step.
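The step-by-step monitoring and the sensor diversity described above can be sketched in C as follows. This is an added illustration, not code from the patent: the names, the sensor scalings, the tolerance and the per-cycle sequence counter used to detect a computer that has stopped updating are all assumptions. It shows one computer's cycle: cross-checking a digital and an inverted-polarity analog angle sensor, publishing its result in its own dual-port RAM area, and comparing against the peer's read-only area.

```c
#include <stdio.h>
#include <stdlib.h>

/* Emergency measures named in the text, least to most severe. */
typedef enum { NORMAL, RETURN_TO_ZERO, HOLD_POSITION } measure_t;

/* One computer's area of the dual-port RAM: its owner writes, the peer only reads. */
typedef struct { unsigned seq; int angle_cdeg; } mailbox_t;

/* Assumed sensor scalings (constructed for this example). */
#define PULSES_PER_REV 3600 /* digital sensor: 0.1 degree per pulse */
#define ADC_MID 2048        /* analog sensor: 12-bit, centred, inverted polarity */
#define ADC_PER_DEG 10
#define TOL_CDEG 150        /* agreement tolerance: 1.5 degrees */

/* Diverse raw signals are converted to one unit (centi-degrees) before comparison. */
static int from_pulses(int pulses) { return pulses * 36000 / PULSES_PER_REV; }
static int from_adc(int adc) { return (ADC_MID - adc) * 100 / ADC_PER_DEG; }

/* Sensor step: every computer receives both sensor signals and checks functional equality. */
static int sensors_agree(int pulses, int adc, int *angle_cdeg) {
    int a = from_pulses(pulses), b = from_adc(adc);
    *angle_cdeg = (a + b) / 2;
    return abs(a - b) <= TOL_CDEG;
}

/* Computer step: the peer's area must be fresh (same cycle) and carry the same result. */
static int peer_agrees(const mailbox_t *own, const mailbox_t *peer) {
    return peer->seq == own->seq && abs(peer->angle_cdeg - own->angle_cdeg) <= TOL_CDEG;
}

/* One monitoring cycle as run by one computer; the earlier function step is checked first. */
measure_t monitor_cycle(mailbox_t *own, const mailbox_t *peer, unsigned seq, int pulses, int adc) {
    int angle;
    if (!sensors_agree(pulses, adc, &angle))
        return RETURN_TO_ZERO; /* sensor fault: render control element ineffective at finite speed */
    own->seq = seq;
    own->angle_cdeg = angle;   /* publish own result for the peer to read */
    return peer_agrees(own, peer) ? NORMAL : HOLD_POSITION; /* computer fault: hold last position */
}

int main(void) {
    mailbox_t a = {0, 0}, b = {1, 1000};          /* constructed sample state */
    printf("healthy: %d\n", monitor_cycle(&a, &b, 1, 100, 1948));
    printf("both sensors stuck at raw 0: %d\n", monitor_cycle(&a, &b, 2, 0, 0));
    b.seq = 2;                                    /* peer computer stops updating */
    printf("stale peer: %d\n", monitor_cycle(&a, &b, 3, 100, 1948));
    return 0;
}
```

With two identical sensors, both outputs stuck at raw zero would agree and pass unnoticed; because the analog sensor's polarity is inverted, the same raw value maps to a very different angle and the comparison fails.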
Other objects, advantages and novel features of the present invention will become apparent from the following detailed description of the invention when considered in conjunction with the accompanying drawings.