Brake systems of automotive vehicles are becoming increasingly complex. Systems such as anti-lock control systems (ABS), traction control and vehicle stabilizing systems require individual brake management for individual wheels. These systems, when activated, often cause feedback pulsations through the brake pedal. These pulsations are highly annoying to the driver.
A remedy is provided by a mechanical decoupling of wheel brake actuation and brake pedal. The latter now only serves to detect the driver's intention to brake by means of suitable sensors. This intention is electrically transmitted to the brakes. Systems provided with such a decoupling have come to be known as "brake-by-wire systems". They have been described, e.g., in DE-Z "ATZ Automobiltechnische Zeitschrift 98 (1996) 6, pages 328-333 (translated as: GJAT German Journal of Automobile Technology), in U.S. Pat. No. 5,230,549, and in EP 0 467 112 B1. The lowest level of such a system of, typically, modular design is formed by four intelligent wheel brake modules. They perform wheel-individual adjustment of a required wheel brake torque. For the overall system, they are, in a manner of speaking, universal intelligent actuators. They consist of a microcontroller (slave) for control, a power booster and of the actual electromechanical wheel brake. This lowest level forms the wheel brake management.
The medium level is responsible for the brake management of the entire car, e.g., for a situation-specific distribution of the braking forces to the individual wheel brakes. The hardware of this medium level of the vehicle brake management consists of a central computing unit (master) which typically, for reasons of failure safety, is supervised by an additional system-supervising computing unit.
The top level of such a brake-by-wire system represents the interface with the driver. Typically, it consists of a conventional brake pedal reproduction with redundant sensor systems for detecting the driver's intention to brake and with additional elements of supervision which can indicate various error conditions of this so-called pedal module. This pedal module also takes care of pre-processing the sensor signals. This pedal module, also, may include a microcontroller of its own.
The individual levels are connected with each other in terms of data by means of defined logical interfaces and, typically, via a bus system adapted for real-time-based operation and preferably provided redundantly. Thus, these levels guarantee an optimum modularity of the system.
It is possible to substitute for the two bus systems (or rather for even just one bus system, only, if such is the case) by normal analog lines.
Power management or rather energy supply is a further central component of a modular-design brake system.
The brake-by-wire system is a functionally split-up safety-critical real-time system which must fulfill very high standards in terms of error detection and error handling.
The driver having no direct access to the brake, the brake system is required to maintain one emergency function in case of trouble. This is ensured by failure-active, functional redundancy in the known manner. Further, the systems are to include a high-performance online diagnosis in the known manner which, by all means, detects any errors cropping up so that an appropriate emergency function can be activated and the driver can be alerted.
These requirements have decisive effects on designing the energy supply, central brake control, and even the warning strategy of the electronic brake system.
Failure safety of the energy supply is ensured in the known manner (cf. the above-mentioned German journal) by introducing a tandem onboard network. If one partial system fails, there will be maintained a certain operability of the components supplied in the failed circuit.
It is necessary both to register any error appearing and to detect its source to ensure a safe operation of the vehicle brake management (regulatory and controlling functions). A known strategy is therefore the requirement of providing a supervisory device on this level by all means. The use of plausibility criteria and suitable, continuously performed check routines within the software are measures by means of which error conditions are localized and appropriate emergency functions are activated.
Thus, it is known from the quoted German journal to check the computing units (master and slaves) of the system by means of a supervisory computing unit. In doing so, all computing units are provided with the essential data (driver's intention to brake, vehicle speed, brake torques etc.), and by means of plausibility considerations it is possible to check the computations of the other computing units.
If there is a malfunction of the master or of the supervisory computing unit, the slaves are able to diagnosticate this and to switch over to an emergency function of the brake system without participation of the master.
Any malfunctions of a slave can be detected by the master and the supervisory computing unit. Then, the slave may be shut down, the emergency function of the remaining wheel brakes not being impaired.
Further, from DE 195 10 525 A1, measures have become known which improve the aforementioned electronic brake systems in view of any error conditions in the field of detecting the braking intention. There, error signals are reported to the wheel brake management via the vehicle brake management. Then, the wheel brake management initiates wheel-individual measures.
The aforementioned known measures, however, do not yet guarantee any comprehensive optimized safety concept.
Regarding a comprehensive safety concept in the corresponding error handling system, what is needed is to detect all errors of the electronic brake system and to consider their effects on the respective driving situations. Using the known concepts, this would imply to have to include a multitude of different conditions of the brake system in the safety considerations which would render the system very complex. However, the more complex the structure of a system is, the more prone it becomes to troubles or errors which then may lead to failures of components of the electronic brake system. Additionally, it will be difficult to perform a reconfiguration of the brake system after an error or trouble condition has developed.
Further, the known case does not feature a systematic strategy for handling conditions when there are multiple faults.
It is an object of this invention to implement the method referred to at the beginning or rather to expand the device so as to enable the number of the various conditions of the electronic brake system, the system finds itself in when error detection and handling take place, to be kept as small as possible and to have clearly defined conditions.
According to this invention, this task is solved by the steps of
determining and defining a small number of unambiguous technological operating conditions of the brake system with predefinition of certain, defined technological events which alone effect a transition from one operating condition to the next condition; PA1 of combining the technological operating conditions with condition-specific control/regulatory measures as well as with measures of warning to the driver of the vehicle; and of PA1 detecting errors in the brake system at the start of the vehicle by means of a pre-drive check and, on-line, during the operation of the vehicle; and of implementing error-condition-responsive error handling in accordance with the operating conditions. PA1 a small number of unambiguous technological operating conditions of the brake system is determined and defined with predefinition of defined technological events which alone effect a transition from one operating condition to the next condition; PA1 in that the computing unit combines the technological operating conditions condition-specifically with respectively control/regulatory and warning devices for the driver; and in that PA1 the error handling code includes a pre-drive check routine for detecting any errors in the brake system at the start of the vehicle and, on-line, during the operation of the vehicle, which implements error-condition-responsive error handling in accordance with the operating conditions. PA1 determining and defining a small number of unambiguous technological operating conditions of the respective module with predefinition of certain, defined technological events which alone effect a transition from one operating condition of the module to the next condition; PA1 combining the technological operating conditions of the module with condition-specific control/regulatory/reporting and warning measures, respectively; and PA1 detecting errors in the respective module at the start of the vehicle by means of a pre-drive check and, on-line, during the operation of the vehicle; and implementing error-condition-responsive error handling in accordance with the operating conditions of the module. PA1 a small number of unambiguous technological operating conditions of the respective module is determined and defined with predefinition of certain, defined technological events which alone effect a transition from one operating condition to the next condition; PA1 they combine the technological operating conditions condition-specifically with respectively control/regulatory and warning devices for the driver; and PA1 the error handling code includes a pre-drive check routine for detecting errors in the brake system at the start of the vehicle and, on-line, during the operation of the vehicle and implements error-condition-responsive error handling in accordance with the operating conditions.
Regarding the apparatus of the present invention, this task is solved by the following
The electronic modular-design brake system always is in an exactly defined condition when there appears any error or a plurality thereof, with the number of the various conditions being very small. Thus the system advantageously does not become too complex and therefore decisively less prone to errors or troubles which might lead to failures of system components. The factors which defined condition the system are fully known at all times. It is therefore easily possible to implement any reconfiguration of the brake system after an error appeared.
Preferably, even unused memory spaces of the computing units, RAMs, ROMs, etc. are set to a defined value in order to enable the operator to know even in this respect at any time which condition the system and its memory area, also, are in.
This invention further has the transition from one defined condition to the next defined condition take place only due to the occurrence of very certain defined events which likewise has a decisive effect on the failure safety of the system.
The inventive method with the defined conditions of the system and the defined transitions is usable for (preferably) electromechanical brake systems, yet just as well for electronically assisted brake systems in general.
Thus, this invention ensures error-condition-responsive error handling in a brake-by-wire system.
According to a further development of this invention, this method for error handling in an electronic modular-design brake system is implemented by the following steps:
Besides the central computing unit, the corresponding device includes modules in the form of autonomous subcomputing units with error handling codes. These autonomous subcomputing units are organized so that
Due to this further development of the invention, a self-diagnosis is carried out on the respective modules, (i.e., in a way, an error diagnosis within the modules themselves, which considerably relieves the central computing unit of the brake system).