The present invention relates to a combined system for controlling the driving behavior of an automotive vehicle.
The development of automotive vehicle control systems utilize a plurality of different types of control principles or control functions. A prior art driving dynamics control (DDC, ASMS, ESP) e.g. comprises an anti-lock system (ABS), a traction slip control system (TSC), a yaw torque control system (YTC), and a brake force distribution control system (EBD). Several or all of these types of function make use of the same input signals. For example, all systems demand the measurement and evaluation of the rotational behavior of the individual wheels. Other signals are required only for some of the types of function. The same applies to the electronic system and actuator system; the electronic circuits, computer modules, monitoring circuits, etc., and also the electrically controllable hydraulic valves by which the braking pressure is modulated can be used in many applications in a system compound of this type. Therefore, it is advisable to realize such a combined system in an integrated construction for simplification and reduction in structure.
On the other hand, the combination of the types of function and the integration of the different elements and control systems suffers from the disadvantage that errors affect the overall system and, therefore, cause disconnection of the overall system and, hence, disabling of all control functions.
German patent application No. 44 39 060 discloses using a microprocessor arrangement in a complex vehicle control system which is composed of three single microprocessor systems among which the individual functions, e.g., ABS, TSC, EBD are shared. This is advantageous because the individual control systems are relatively independent of each other.
The present invention relates to a method for controlling driving behavior of an automotive vehicle which involves assigning error sources to individual control functions and then ranking the individual control functions according to importance to overall vehicle safety, followed by monitoring the error sources for an error signal, and finally fully or partially deactivating the control function assigned to the error source upon detection of the error signal from the error source while allowing the control functions which are ranked below the partially or fully deactivated control function to continue to operate.
An object of the present invention is to develop a combined system of the type mentioned hereinabove, wherein upon the occurrence of an error, only the part which is directly affected by the error or the control function which is directly impaired is disabled, on the one hand, wherein, however, because the control functions are mainly safety-critical, it is ensured, on the other hand, that the safety of the vehicle is maintained by safeguarding a defined part of the control functions.
The system of the present invention includes ranking individual control functions according to safety levels, i.e., according to their necessity and/or their importance for the safety of the vehicle, and classifying the potential sources of error, types of error, malfunctions, etc., according to their possible effects on the control functions and assigned to the control functions classified on the basis of the ranking in such a fashion that upon detection of an error, only those control functions can be maintained which are ranked below the safety level that is assigned to the error.
Consequently, the present invention is based on the premise that such an arrangement and assignment, wherein the various control functions are arranged on different safety levels according to their importance, and wherein the sources of error within the single categories are sorted according to their effect on the control functions, permits achieving a combined system which reacts optimally in every failure situation in a determined way whenever an error occurs, depending on the arrangement and assignment of this type of error to the control functions or the function level. All functions that are above the corresponding level will be disabled or switched over in every failure situation with a high degree of reliability, while all functions below the corresponding safety level are maintained to an unlimited or limited extent.
In a favorable embodiment of the present invention, the sources of error are determined and sorted according to different categories largely independent of each other, and are arranged so that the sources of error of each category, irrespective of the sources of error of the other categories, are assigned to the control functions so that upon the occurrence of an error, only those functions are maintained which are ranked below the safety level that is assigned to the corresponding error. As an example of such categories in which defined types of error or sources of error are comprised, e.g. the sensor system, the electronic system (including the electrical system and communication) and the actuator system or hydraulic system are referred to.
In the course of time, vehicle control systems or combined systems have become so complex that it is no longer appropriate to disable all control functions when an error occurs. The present invention is based on the consideration that a graded abandonment of the functions in dependence on the malfunction that appeared or is detected should be preferred. In a driving dynamics control system (DDC, ASMS) which comprises TSC, EBD as well as communication and diagnosis functions, the ranking which corresponds to safety levels and is advisable for a graded abandonment, could look as follows: