The invention relates to an actuation system for a drive unit of a motor vehicle.
The control units of an actuation system for a drive unit are generally monitored at three levels. Such control is disclosed, for example, in German patent document DE 44 38 714 A1, in which the drive power of a vehicle is controlled by a microcomputer with at least two independent levels. A first level carries out the control functions and a second level carries out the monitoring functions. A third level forms a control level which controls the monitoring level and therefore the microcomputer.
One object of the present invention is to provide a highly available actuation system.
This and other objects and advantages are achieved by the actuation system according to the invention, in which the drive control unit has a second data transmission device, and is also connected to the external control unit via a second communication path. A predefined setpoint torque can be forwarded from the external control unit to the second data transmission device via the second communication path.
This arrangement has the advantage that in the event of a failure of one of the communication paths, a second communication path is still available for transmitting data. It therefore increases the availability of the actuation system.
In one embodiment, when a fault is detected in the data transmission of a data transmission device by the drive control unit, and the fault is present for less than a predefined time period, the last fault-free data of this data transmission device can be retained. Changes in the predefined setpoint values do not usually take place in an irregular fashion. For this reason, retaining the old value constitutes a good approximation of a missing value for short interruptions. It is therefore possible to compensate short-term faults without resorting to the data of the other communication path.
In one embodiment, when the drive control unit detects a fault in the data transmission by a data transmission device, the data of the respective other data transmission device can be transferred if the fault is present for longer than a predefined time period. Since the same data are transmitted in both data transmission devices, the data of one data transmission device which are transmitted incorrectly can be replaced by the data of the other data transmission device. The quality of the data is therefore ensured even if one of the data transmission devices fails.
According to another embodiment, when the drive control unit detects a fault in the data transmission of both data transmission devices, a setpoint torque with the value zero can be predefined if the fault is present for longer than the predefined time period. This ensures that the drive unit is operated in a permitted, safe state.
According to a further feature of the invention, a fault signal can be stored in the drive control unit, which permits the fault to be signaled to the driver and/or detected and eliminated within the scope of an external diagnosis by servicing personnel.
In another embodiment, this state can be retained until the next restart of the drive. It is therefore possible, given persistently occurring faults, to operate the system in a safe state continuously up to the next restart, and to signal the fault. This avoids an undefined state occurring.
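The fallback sequence of the embodiments above (retain the last fault-free value, transfer to the other path, predefine zero torque and retain that state until restart) is shown here in C. This is an added example, not code from the patent document; the cycle-based limit `FAULT_LIMIT_CYCLES`, the preference for path 0, the point at which the fault signal is stored, and all type and function names are assumptions, and the per-cycle `valid` flags stand for whatever fault detection the drive control unit applies.

```c
#include <stdbool.h>
#include <stdint.h>

#define FAULT_LIMIT_CYCLES 3u /* assumed stand-in for the predefined time period */

typedef struct {
    int16_t  last_good;    /* last fault-free setpoint torque from this path */
    uint16_t fault_cycles; /* consecutive faulty cycles on this path */
} path_state_t;

typedef struct {
    path_state_t path[2];
    bool latched_safe;     /* zero-torque state, retained until the next restart */
    bool fault_stored;     /* fault signal for the driver / external diagnosis */
} arbiter_t;

/* Update one path; returns true while its fresh or retained value is usable. */
static bool path_update(path_state_t *p, bool valid, int16_t torque)
{
    if (valid) {
        p->last_good = torque;
        p->fault_cycles = 0;
        return true;
    }
    if (p->fault_cycles <= FAULT_LIMIT_CYCLES)
        p->fault_cycles++;                 /* saturates just past the limit */
    return p->fault_cycles <= FAULT_LIMIT_CYCLES;
}

/* One control cycle: returns the setpoint torque the drive unit should use. */
int16_t arbiter_step(arbiter_t *a, bool valid0, int16_t t0, bool valid1, int16_t t1)
{
    bool ok0 = path_update(&a->path[0], valid0, t0);
    bool ok1 = path_update(&a->path[1], valid1, t1);
    if (!ok0 || !ok1)
        a->fault_stored = true;            /* assumed: store once a fault outlasts the limit */
    if (!ok0 && !ok1)
        a->latched_safe = true;            /* both paths lost for longer than the limit */
    if (a->latched_safe)
        return 0;                          /* safe state: setpoint torque zero */
    return ok0 ? a->path[0].last_good : a->path[1].last_good;
}

int main(void)
{
    arbiter_t a = {0};
    arbiter_step(&a, true, 100, true, 100); /* constructed sample values */
    return arbiter_step(&a, false, 0, true, 120) == 100 ? 0 : 1; /* path 0 value held */
}
```

Zero-initialising `arbiter_t` models a restart: it clears both the latched safe state and the stored fault signal.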
In a further embodiment, each of the two communication paths can be assigned a separate identifier on the basis of which it is possible to detect via which communication path a setpoint torque of the control unit has been transmitted. It is therefore possible to assign to the data the communication path over which said data have been fed to the control unit. This facilitates later evaluation.
In a still further embodiment, the same setpoint torque can be transmitted with the same message frequency to the assigned data transmission device via both communication paths. This facilitates the synchronized reconciliation of the data of the two communication paths and the detection of faults.
According to another embodiment, the same setpoint torque can be transmitted with the same message counter and the same checksum, to the assigned data transmission device, via both communication paths. This also facilitates the synchronized reconciliation of the data of the two communication paths and improves the detection of faults.
According to yet another embodiment, the second data transmission device is arranged in the function monitoring level, so that it is possible to continue the transmission of data even if one of the levels, the function level or the function monitoring level, has a data transmission fault.
Finally, according to a further embodiment, the data of the two data transmission devices can be evaluated in parallel with one another, by the drive control unit. It is therefore possible to continue the data transmission even if one of the levels, the function level or the function monitoring level, is operating incorrectly.
Other objects, advantages and novel features of the present invention will become apparent from the following detailed description of the invention when considered in conjunction with the accompanying drawings.