The present invention relates to vehicle control systems and, more particularly, to a circuit arrangement for safety-critical control systems, such as ABS, TCS, ASMS, brake-by-wire, suspension control systems, etc.
Safety-critical control systems of this type include, among others, control systems which intervene into the braking function of an automotive vehicle. These control systems are widely marketed and they are offered in many different designs. Anti-lock systems (ABS), traction slip control systems (TCS), driving stability control systems (DSC, ASMS), suspension control systems, etc., are examples of such systems. Failure of such a control system jeopardizes the driving stability of the vehicle. Therefore, operability of the systems is constantly monitored in order to deactivate the control when a malfunction occurs, or to switch it to a condition which is less dangerous under safety aspects.
Matters are even more critical for brake systems or automotive vehicle control systems where a switch-over to a mechanical or hydraulic system is not possible when the electronics fails. Among those systems are brake system concepts such as 'brake-by-wire' which are likely to increase in popularity. It is imperative for the braking function in systems of this type that the electronics is intact.
German patent No. 32 34 637 discloses an example of a circuit configuration for controlling and monitoring an anti-lock automotive vehicle brake system of the above-mentioned type. With this circuit, the input data of the automotive vehicle control system are processed in parallel and synchronously in two identically programmed microcomputers, in order to recognize proper functioning and the occurrence of errors by comparing the output data of both systems. This is because identical signals must prevail at the outputs of both microcomputers when data processing was executed properly. When an interference or malfunction occurs, i.e., in the event of non-correlation of the output signals, the entire control system is disconnected. The precondition of such a procedure, i.e., the complete disconnection of the control when an error occurs, is that the brake system will reliably function, even though without control, after disconnection of the control.
According to another prior art system disclosed in German patent application No. 41 37 124, the input data are also sent in parallel to two microcomputers, only one of which, however, executes the complete sophisticated signal processing operation. The main purpose of the second microcomputer is monitoring; in it, the input signals can be processed further by way of simplified control algorithms and a simplified control philosophy. The simplified data processing is sufficient to generate signals which indicate the proper operation of the system by comparison with the signals processed in the more sophisticated microcomputer. The use of a test microcomputer of lower capacity permits reducing the manufacturing effort compared to a system with two complete sophisticated microcomputers of identical capacity.
German patent application No. 43 41 082 discloses a microprocessor system which is provided especially for the control system of an anti-lock brake system. The system known from the art which can be incorporated on one single chip comprises two central units in which the input data are processed in parallel. The read-only and the random-access memories which are connected to the two central units have additional memory locations for test information, each comprising a generator to produce the test information. The output signals of one of the two central units are further processed to produce the control signals, while the other central unit, being a passive central unit, is only used to monitor the active central unit.
Finally, a microprocessor system is known from German patent application No. 195 29 434 wherein two synchronously operated central units are provided on one or several chips which have been fed with the same input information and execute the same program. The two central units are connected to the read-only and the random-access memories by way of separate bus systems, as well as to input and output units. The bus systems are interconnected by bypasses which enable both central units to jointly read and execute the data available, including the test data or redundance data, and the commands. This prior art system which is based on redundant data processing renders it possible to economize memory locations which, in turn, reduces manufacturing costs.
All above-mentioned systems are principally based on the comparison of redundantly processed data and the generation of an error signal when differences between the data processing results or intermediate results occur. When an error is detected, i.e., upon the occurrence of an error or failure of a system, the control is deactivated. An emergency operation mode, i.e., continuing the control after the occurrence of the error, is not possible in any case, because error detection of the above-described type cannot identify which system is still intact. An emergency operation mode on the basis of the prior art circuitries mentioned hereinabove would principally be possible only by doubling the redundant systems in connection with an identification and elimination of the error source.
An object of the present invention is to configure a circuit arrangement which necessitates at most little additional effort compared to the above-described prior art methods and which, nevertheless, initiates an emergency operation mode when an error occurs.
The circuit arrangement of the present invention has a dual-circuit or multiple-circuit design, and each circuit comprises a complete microprocessor system which processes the input data or input information and delivers an error identification signal when an error occurs. There will be a transition to an emergency operation mode upon error identification.
In a preferred aspect of the present invention, the input data of each microprocessor system are redundantly processed in the system and the data-processing results or intermediate results are compared, and the error identification signal is generated in the event of discrepancies between the results.
The circuit arrangement of the present invention can be achieved very simply on the basis of prior art circuits, for example, the prior art systems or circuits described hereinabove which output an error identification signal. It is important that not only the occurrence of an error is signaled but that the error is also recognized and attributed to the malfunctioning circuit.
According to another aspect of the present invention, each circuit or microprocessor system is only furnished with those input data which are required for the respective circuit. Upon failure of one circuit and transition to the emergency operation mode, the circuit where the error occurred is disabled. The actuators of the respective circuit will no longer be activated. Where the arrangement is applied to an automotive vehicle brake system with a diagonal brake circuit allotment, it is sufficient to activate the brakes of one circuit in the emergency operation mode. This produces the same situation as in the case of failure of a hydraulic brake circuit of a known dual-circuit brake system with a diagonal circuit allotment.
In an alternative embodiment of the present invention, all input data are sent to each circuit or each microprocessor system directly or by way of communication units which connect the individual microprocessor systems and, upon failure of one circuit, the actuator activation is continued in the emergency operation mode without limitations by connecting the actuator activation to any one of the intact circuits.
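The following is an added simulation, not part of the patent text, of the dual-circuit arrangement described in the preceding paragraphs: each circuit processes its input redundantly, a result discrepancy identifies that circuit as faulty and disables it, and the arrangement either leaves the faulty circuit's actuators inactive (separate inputs per circuit) or lets an intact circuit take them over (the alternative embodiment with all inputs available to every circuit). The control law, the fault injection flag and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model: two circuits, each containing two redundant units whose results are compared. */
typedef struct {
    bool enabled;       /* cleared once this circuit is identified as faulty */
    bool inject_fault;  /* constructed fault injection into the circuit's second unit */
} circuit_t;

typedef struct {
    circuit_t circ[2];
    bool shared_inputs; /* true: alternative embodiment, every circuit sees all input data */
    bool emergency;     /* set on transition to the emergency operation mode */
    int faulty_circuit; /* -1 while no error has been identified */
} arrangement_t;

/* Hypothetical simplified control law (not the patent's): slip above 20 yields a command. */
static int32_t control_law(int32_t slip) { return slip > 20 ? slip - 20 : 0; }

/* Redundant processing inside one circuit; returns false when the two results disagree. */
static bool circuit_process(const circuit_t *c, int32_t in, int32_t *out) {
    int32_t a = control_law(in), b = control_law(in);
    if (c->inject_fault) b ^= 1;   /* corrupt the second unit's result */
    *out = a;
    return a == b;
}

void arrangement_init(arrangement_t *arr, bool shared_inputs) {
    for (int i = 0; i < 2; i++) { arr->circ[i].enabled = true; arr->circ[i].inject_fault = false; }
    arr->shared_inputs = shared_inputs; arr->emergency = false; arr->faulty_circuit = -1;
}

/* One control cycle: in[i] is the input of circuit i, cmd[i] the command for its actuators.
 * Returns the number of circuits still enabled after the cycle. */
int arrangement_step(arrangement_t *arr, const int32_t in[2], int32_t cmd[2]) {
    for (int i = 0; i < 2; i++) {
        cmd[i] = 0;
        if (!arr->circ[i].enabled) continue;
        if (!circuit_process(&arr->circ[i], in[i], &cmd[i])) {
            arr->circ[i].enabled = false;  /* error identified with this circuit: disable it */
            arr->faulty_circuit = i;
            arr->emergency = true;
            cmd[i] = 0;                    /* its actuators are no longer activated */
        }
    }
    if (arr->emergency && arr->shared_inputs) {
        /* alternative embodiment: the intact circuit takes over the disabled circuit's actuators */
        int f = arr->faulty_circuit, ok = 1 - f;
        if (arr->circ[ok].enabled) circuit_process(&arr->circ[ok], in[f], &cmd[f]);
    }
    return arr->circ[0].enabled + arr->circ[1].enabled;
}
```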
Also, it has proven favorable to configure the circuit arrangement of the present invention for a combination of several automotive vehicle control systems such as brake-by-wire, ABS, TCS, ASMS, etc. The emergency operation mode covers either maintaining the operation of all control systems or only maintaining the operation of selected control functions, e.g. functions which are especially critical in terms of safety. It is advantageous when these special functions are assumed by the intact circuits as soon as an error occurs.