The increasingly intensive interaction of individual control units is of particular importance for realizing new functions in motor-vehicle electronics.
Modern vehicle equipment includes a plurality of digital control units, e.g. for ignition/injection, ABS, and transmission control. Advantageous properties and additional functions can be realized in that the processes controlled by the individual control units are synchronized, and their parameters are adjusted to one another continuously, i.e., particularly in real time. An example of such a function is the drive slip control, which accordingly reduces the drive torque of the individual wheels for rotating driven wheels.
Information is exchanged between the control units in the conventional manner, essentially via single lines. However, such point-to-point connections can only be advantageously used for a limited number of signals. In this context, a simple, automobile-compatible network topology for the serial transmission of data between the control units can expand the transmission possibilities.
The emerging significant increase in data exchange between the electronic components can no longer be managed using conventional cabling techniques (cable harness) since a cable harness, for example, can barely be handled in the case of high-end cars, among other things, due to its size and to the fact that too many PINs would be present at a few control units. These problems can be solved by using CAN, a serial bus system designed specifically for use in motor vehicles.
In the automotive industry, control unit interfacing is the essential application area for CAN. In the case of control unit interfacing, electronic systems, such as engine management systems, electronic transmission control systems, electronic engine-power management systems (EMS, E-gas) and traction control systems (TCS) are coupled to one another. Typical transmission rates range between about 120 kbit/s and 1 mbit/s. They must be high enough to be able to ensure the required real time properties. An advantage of the serial data transmission medium in comparison with conventional interfaces, such as pulse duty factors, switching signals, and analog signals, is higher speeds without significantly loading the central processing unit (CPU). Moreover, fewer Pins are needed at the control units.
Defective control units can significantly hinder the bus traffic and can also lead to safety-critical conditions. Therefore, CAN controllers are equipped, for example, with mechanisms that can distinguish occasionally occurring interferences from continuous interferences and can localize station malfunctions (control unit malfunctions). This typically occurs via a statistical evaluation of fault situations.
A device for controlling the drive force of a motor vehicle is described in German Patent No. 41 33 268. This device includes a first control unit for controlling the fuel quantity to be injected and a second control unit for controlling the throttle-valve position. Furthermore, a measuring device for determining the rotational speed of the vehicle, for example, is provided, this measuring device including at least two redundant sensors. The first control unit evaluates the signal of the first sensor, and the second control unit evaluates the output signal of an additional sensor of the measuring device. One of the control units checks the two signals for plausibility.
This device only makes it possible to check the sensor signals or the sensor. A fault in the region of a control unit or of the signal transmission between the control units cannot be detected with this device.
A method for controlling an internal combustion engine, in particular a diesel internal combustion engine, using a quantity-determining control element is described in German Patent No. 44 37 336, a first control unit specifying a fuel quantity as a function of first variables, and a second control unit determining an actuating variable for the control element on the basis of the fuel quantity variable and additional variables. This method distinguishes itself in that the second control unit signals the actuating variable back to the first control unit, and the first control unit compares the actuating variable and the fuel quantity variable for implausibility.
Finally, a method and a device for controlling the drive power of a vehicle is described in German Patent No. 44 38 714, only a computing element (microcomputer) for carrying out control functions and monitoring functions being provided for the power control. In this context, at least two independent levels are fixed in the microcomputer, a first level carrying out the control functions, and a second level the monitoring functions.
The present invention provides a simple monitoring concept for a motor vehicle having different mutually cooperating control units or computing elements, where safety-critical conditions can result in the case of a fault. An object is to detect such safety-critical conditions and to introduce countermeasures, e.g. an emergency control or to switch off a control unit detected as being defective, if necessary. In particular, the goal in this context is to keep the hardware expenditure minimal.
Using the introduced concept that is the basis of the system and method of the present invention, it is possible to monitor a group of control units using only an intrinsically safe control unit that monitors itself and the other control units. On the whole, the procedure according to the present invention results in a system that requires a significantly smaller hardware expenditure in comparison with conventional systems and, thus, can be produced more cost-effectively. The number of control units with which a motor vehicle having a plurality of operating levels must be equipped to ensure reliable operation can be reduced to a minimum since in accordance with the present invention, a single control unit assumes the monitoring function for all control units. The concept of the present invention is particularly suitable for controlling a drive unit of a motor vehicle, in particular for controlling an internal combustion engine.
Advantageously, the means for carrying out the control function of the first control unit and for monitoring this control function as well as the means for monitoring the control functions of at least one second control unit are configured as a microcomputer having at least two operating levels that are independent of one another at least outside of the fault case, the control function and the monitoring function of the first control unit being carried out in a first level, and the monitoring function for the at least one second control unit being carried out in a second level. Such operating levels are advantageously configured as channels within the microcomputer that do not influence each other""s functioning at least outside of the fault case. Thus, operational reliability and availability comparable to a control system having two computing units or microcomputers for every control unit can be achieved using only one microcomputer. It should be noted that the operating levels can also be defined in a different manner: For example, it is conceivable to organize the control function of the first control unit in a first operating level and all other monitoring functions in a second operating level.
According to a preferred specific embodiment of the system of the present invention, a third operating level is provided that checks the functioning method of the first control unit or of the microcomputer assigned to this control unit by monitoring the second level performing the monitoring. Such monitoring significantly increases the operational reliability of the system. In this context, it is advantageous, for example, to use an active watchdog that can monitor operation as a question-answer mode.
Advantageously, sensors are provided that under normal conditions are used as redundant sensors for the at least one second control unit, and that, in response to a malfunction of the second control unit being detected, can be assigned to the first control unit to ensure an emergency-operation function with respect to the control function of the at least one second control unit. Such a redundant sensory system, which can be evaluated in the event that the first, intrinsically safe control unit malfunctions, renders it possible to control different safe conditions of the actuator system of the at least one second control unit. In a fault case of the second control unit, it is possible using such sensors to optimally adjust the safe condition for the instantaneous operating point of the second control unit.
Advantageously, introducing safety or emergency measures includes switching off the actuator system of the at least one second control unit and/or switching off the at least one second control unit.
According to a particularly preferred development of the system of the present invention, a central emergency-operation signal line, via which the individual control units are connected to one another, is provided. This measure proves to be advantageous especially for combined units, e.g. for the drive train of the motor vehicle, that must actively trigger (select) a common safe condition. If all control units of the drive train are functioning normally, none of the control units powers this emergency-operation signal line. However, if one of the control units detects a fault, it turns itself off, thereby powering the emergency-operation signal line. In a control unit, this emergency-operation signal line is inactively powered, i.e., the control unit must actively suppress the powering of the emergency-operation signal line during normal operation.
The actuator system connected to this line moves into the emergency-operation position when the line is triggered. An attempt by the connected control unit to activate the actuator system no longer has any effect. The control unit has a lower priority. This emergency-operation strategy can preferably be realized by hardware, thereby making it possible to attain better reliability. For example, it is possible in the case of a drive train, in the event of a fault to move the clutch in the xe2x80x9copenxe2x80x9d direction for five seconds using a timing relay that is triggered by this emergency-operation control.