In brake-by-wire braking systems, which as a rule are not provided with a mechanical, hydraulic, or pneumatic backup system, particular emphasis must be placed on availability, i.e. a braking function, even in case of error. Brake-by-wire systems having a centralized brake pedal module are described, for example, in the published German patent document DE 198 26 131 A1, the VDI report no. 1641 (2001), “Error-tolerant Components for Drive-by-wire Systems,” by R. Isermann, and the publication “Error-tolerant Pedal Unit for An Electromechanical Braking System,” by Stefan Stölzl, published in the year 2000 by VDI-Verlag, ISBN 3-18-342612-9.
A main priority in systems having such a central module is the reliable acquisition of the actuation of the brake pedal (the parking brake will not be considered in the present context), as well as the distribution of the information concerning the brake actuation to decentralized intelligent wheel brake modules. The reliability of such a system is ensured on the one hand by a diversified and multiply redundant sensor design (see, e.g., brake pedals S1 to S3 according to FIG. 3) and on the other hand by a redundant processor and communication design (see first and second communication bus 14, 14′ between central brake pedal module 15 and the four brake modules 10, each controlling a wheel 13), with the boundary condition of a multi-circuit on-board network.
In addition, the communication device or communication system is required to have a deterministic characteristic, from which the use of time-controlled communication systems, such as, for example, FlexRay, TTCAN, or TTP, results immediately. In this context, the brake pedal module and the communication system must have a fail-safe operational characteristic. In order to meet the requirement of a fail-safe operational characteristic in the case of simple errors, the brake pedal module must have at least three redundant processors as well as three redundant, diversified if necessary, sensors for the service brake. At least two redundant communication channels are required for the communication system.
Published German patent document DE 199 37 156 discloses an electromechanical braking system having a decentralized acquisition of the brake pedal actuation. This can be referred to as a distributed, decentralized pedal module functionality.
Within this electromechanical braking system design, shown with reference to FIG. 4, four diversified sensors S1 to S4 are provided for the acquisition of the actuation of a brake actuation device (not shown), respectively determining for example the pedal path and the pedal angle. Each of the sensors S1 to S4 is connected to exactly one wheel module 10 having a device 11 for determining a braking demand. Wheel modules communicate with one another via a system bus 14 and exchange the required sensor information or data, and, parallel thereto, calculate functional algorithms, agreeing on a protocol in such a way that in each wheel module 10 the same data, i.e. sensor actual values and sensor/function status, are present, and identical decisions can be made.
Consequently, in this way a symmetrical, decentralized system architecture is provided in which the required fail-safe operational approach of the central pedal module according to FIG. 3 is here (i.e. according to FIG. 4) reproduced via the redundancy of intelligent wheel modules 10, 11. However, if a common mode error now occurs in communication system 14, for example due to a mechanical wiring harness breakage in the area of the wheel housing caused by a foreign influence, e.g. during off-road operation, this will lead unavoidably to a total loss of communication, in particular given a bus topology of communication system 14. In such a case, each wheel module 10 will then have access only to one sensor value, which however will no longer be able to be sufficiently tested for plausibility. This can result in differing braking forces being applied to the different wheels 13 of the vehicle, resulting in a yawing moment, and thus in pulling to one side of the vehicle. Already in the case of a single error, this represents a significant loss of safety, independent of the backup management strategy.