The invention relates to a longitudinal dynamics control device for motor vehicles.
Such a longitudinal dynamics management device is known from German patent document DE 199 60 782 A1, for example. This patent describes a form of acceleration monitoring by comparing an actual acceleration with an ideal acceleration.
In addition, a longitudinal dynamics management device in the form of a cruise control unit having an interference immunity circuit is also known from German patent document DE 39 05 479 C2.
Both known devices use a form of error recognition which recognizes a malfunction of the longitudinal dynamics management device and optionally executes a safety function on occurrence of a malfunction. With these known longitudinal dynamics management devices, error recognition is combined with the cruise control functions.
A longitudinal dynamics management device here is understood to refer to any longitudinal dynamics regulating system or longitudinal dynamics management system (hereinafter abbreviated simply as LDM system) that can be used as a comfort system for driver assistance.
The object of the present invention is to provide longitudinal dynamics management devices with safety functions that are as simple as possible but operate as reliably as possible.
This object is achieved according to this invention by the subjects of the independent patent claims. Advantageous refinements are the subjects of the dependent patent claims. In addition, it is pointed out that the subjects of the independent patent claims may also be combined with one another.
The invention is based on the following findings:
For example, cruise control systems as longitudinal dynamics management systems with a safety concept are known, combining safety functions with cruise control functions, hereinafter referred to as generally valid driving functions for longitudinal dynamics management devices. With these concepts, local error recognition measures and safety functions should thus be independent of the algorithm of the driving functions. The subject of German patent document DE 39 05 479 C2, which was already cited above, is an example of this.
This combination of driving functions with safety functions requires a novel adaptation of safety functions to the driving functions when there is a change in driving functions.
Therefore, the first basic idea is to separate the safety functions from the driving functions that are classified as non-safety-relevant. The driving functions are executed in a first function unit (driving function unit) using a main computer. The driving functions may already be partially protected by limiting functions on the main computer. However, it is important for the safety functions to be performed fundamentally in an independent second function unit (safety function unit) which also comprises either the main computer or its own monitoring computer. The two function units which operate separately may, but need not, be integrated into a common controller. The term function unit is understood in particular to refer to a software module in a controller by which certain functions can be triggered in the vehicle by using the controller hardware and other vehicle components.
A safety-relevant subsystem comprising software (function unit), hardware (hardware of the controller into which the function unit is integrated) and other vehicle components, e.g., other electronic controllers, is created by the second function unit. This subsystem coincides with the risk scenarios identified in a risk analysis.
Another basic idea is that monitoring is of primary concern with regard to safety functions and should be as independent as possible of the driving functions in contrast with maintaining target variables and actual variables according to German patent document DE 199 60 782 A1. The second basic idea of the safety concept may be independent of or dependent on the first basic idea. The goal of the second basic idea is to ascertain the controllability of the respective state of the vehicle by the driver and prevent uncontrollable states. This determination is performed by using safety functions based on the change in dynamic quantities of the vehicle which are independent of the operands of the longitudinal dynamics management device as they pertain to the driving functions. The safety functions include plausibility checks on input signals which are independent of the driving functions. The safety functions are preferably as different from one another as possible and are as different as possible from the driving functions (functional diversity).
The safety functions as a function of the change in dynamic variables of the vehicle, and the regulated variables of the longitudinal dynamics management device pertaining to the driving functions, preferably include in particular an acceleration monitoring and/or monitoring of jolts. As part of acceleration monitoring, in a first alternative, there is monitoring to ascertain whether safety technical limits in changes in vehicle speed are maintained or, in a second alternative, which is especially advantageous because it is preventive, there is monitoring with regard to vehicle dynamics that are controllable by the driver to ascertain whether the safety technical limits to changes in vehicle speed to be expected on the basis of the change in the longitudinal dynamics management setpoint are maintained. As part of the monitoring of jolts, in a first alternative, there is monitoring to ascertain whether the safety technical limits in the instantaneous vehicle acceleration or, in a second alternative, which is especially advantageous because it is preventive, there is monitoring to ascertain whether the safety technical limits to changes in acceleration that are to be expected on the basis of the change in the longitudinal dynamics management setpoint value have been maintained with regard to vehicle dynamics controllable by the driver. The acceleration monitoring and monitoring of jolts may also be performed independently of the separation into two function units. The alternatives of acceleration monitoring and monitoring of jolts may be combined together in any desired form.
The functions performed with longitudinal dynamics management devices, i.e., so-called LDM systems, include in particular driver assistance functions, which are presented to the driver in the form of longitudinal controls as speed-based vehicle responses (e.g., cruise control or adaptive cruise control functions).
The goal of the safety functions is to control risks that can occur due to errors in the LDM driving functions for the driver. The errors to be assumed can be ascertained with the help of risk analysis and FMEA (error possibility and error influence analysis).
Safety goals include in particular:                Without driver activation, LDM must not result in any defective critical triggering of the actuators.        In the state activated by the driver, the vehicle acceleration must remain within a range that is controllable by the driver.        Decisive intervention by the driver into the vehicle performance must be ensured.        The vehicle must not be destabilized by an LDM intervention.        
The safety goals defined above are implemented by safety functions. The safety functions are not usually assigned to just one safety goal. In the present invention, as mentioned above, acceleration monitoring and monitoring of jolts are of primary concern as safety functions, as explained in greater detail below:
1. (Vehicle) Acceleration monitoring
This monitoring is based on the vehicle acceleration generated by the driving functions and it monitors this driving function for whether or not controllable limits are being observed. The controllability of the vehicle response is determined by the change in the prevailing speed of the vehicle, among other things. This monitoring may be implemented by monitoring the measured acceleration applied to the vehicle and monitoring same with respect to an acceleration range regarded as being controllable by the driver (such ranges may be predetermined, e.g., by specifications and standards).
If there is no input signal from an acceleration sensor, then an actual vehicle acceleration can be generated, e.g., from a vehicle speed signal and/or the wheel rotational speeds measured for a brake control system in the function unit that is performing the acceleration monitoring. Furthermore, the term “vehicle acceleration” is also understood to include any quantity proportional to the vehicle acceleration. The monitoring is preferably active only when the instantaneous vehicle acceleration results from the LDM driving function to be monitored. In other words, the driver should always be given an opportunity to override the function on his own responsibility, just as acceleration/deceleration requests by other systems should lie within their responsibility.
Alternatively or additionally, the acceleration monitoring may be implemented in a preventive manner through the monitoring of the vehicle acceleration (which still cannot be measured) that would be expected if the predetermined longitudinal dynamics management setpoint value were in fact to be implemented.
2. Monitoring of jolts
In addition to a change in speed, the change in acceleration (jolt) has a significant influence on the controllability of the vehicle.
2a (First alternative): Acceleration gradient monitoring
The actual change in vehicle acceleration is analyzed here with regard to controllability by the driver.
2b (Second alternative): Setpoint value gradient monitoring and/or torque gradient monitoring
This monitoring is based on the gradient of the longitudinal dynamics management setpoint value, in particular the gradient of the drive request or brake torque request output by an LDM driving function and limits the effects thereof on the acceleration to a limit value that is still controllable by the driver and/or is still to be appraised as comfortable by the driver. The coordination of this setpoint value gradient limit value is ascertained empirically, e.g., by evaluating the vehicle response caused by the setpoint value gradient, in particular a change in acceleration, and this is then stored in the function unit.
The acceleration monitoring and the monitoring of jolts together form the frame within which the driving function may vary in the state activated by the driver. In particular, sudden drive interventions or braking interventions are to be prevented. The “violent jolt” that is to be prevented, is relative and is designed in particular with regard to controllability.
By monitoring the actual vehicle response (actual acceleration) longer-lasting changes in vehicle speed are monitored. Shorter changes in the setpoint value that would lead to jerky changes in vehicle speed are monitored by monitoring the setpoint value (setpoint value gradient monitoring). These changes are prevented by the present invention before such jumps in setpoint value as a vehicle response can have any effect at all (preventive).
3. Monitoring of output
In addition to monitoring of acceleration and monitoring of jolts, the reliability of a setpoint output can also be monitored as an additional safety function because the output of setpoint values may no longer be controllable by the driver because they are linked to certain operating states. Then the reliability of the longitudinal dynamics management setpoint value, in particular of a driving torque or braking torque request, is preferably monitored for conformity to the activation requested by the driver. In other words, if an operating unit that is to be operated manually and is assigned to the longitudinal dynamics management device does not supply an activation signal (activation request by the driver) for the longitudinal dynamics management device to the function unit, then output of a longitudinal dynamics management setpoint value, in particular of a driving or braking torque request, is recognized as inadmissible.
Other monitoring may also be performed in addition, e.g., monitoring of the driver's decisive intervention. The goal of monitoring the driver's decisive intervention is to ensure that the driver can fulfill his responsibility for the vehicle performance and can intervene correctly at any time. In particular, the setpoint value requests of the driving function are checked for contradictions with the driver's intent via the pedal system and prevent any contradictions.
The basic ideas of this invention are summarized briefly:
1. Separation of driving function unit and safety function unit, whereby the safety functions are executed independently of the internal operands of the driving function unit and/or
2. Safety functions independent of the vehicle response (current) and the setpoint value (preventive) and/or
3. Acceleration monitoring based on the vehicle response (current) and/or setpoint value (preventive) and/or
4. Monitoring of jolts based on the vehicle response (current) and/or the setpoint value (preventive).
Other objects, advantages and novel features of the present invention will become apparent from the following detailed description of the drawings when considered in conjunction with the accompanying drawings.