Traditional braking systems for motor vehicles include conventional hydraulic or pneumatic brakes associated with two or more wheels of the vehicle. Such conventional brakes are actuated by pressurized fluid or compressed air. When actuated, the brakes exert a force on a disk or drum which spins in conjunction with the wheel of the vehicle in order to create frictional forces which resist rotation of the wheel. Traditionally, control signals have been transmitted to each of the brake system's actuators mechanically, or by a hydraulic or pneumatic control circuit. However, it has more recently been proposed to employ a central control unit to generate electronic control signals and to use such electronic control signals to control actuation of a vehicle's brakes. This type of electronic control scheme has become even more prevalent in view of modern brake systems which now often include not only conventional hydraulic or pneumatic brake actuator functionality, but also supplemental electronic functions such as antilock protection (ABS) and/or electronic braking force distribution (EBV) between the front and rear axles.
U.S. Pat. No. 6,354,671 discloses a brake system in which electronic signals produced by a central controller in response to sensor input are used to at least partially control actuation of a vehicle's brakes. System redundancy is provided in the form of a back-up pneumatic control circuit. Should the electronic control unit malfunction, the braking system is controlled by the back-up pneumatic control circuit in much the same way as traditional brake systems operate.
U.S. Pat. No. 6,209,966 discloses a brake system which includes two electronic control units, which operate independently of each other, and which provide control signals in response to sensor input to a brake cylinder assigned to a wheel and a braking pressure modulator valve which is fluid-connected to the brake cylinder. The braking pressure modulator has a first electric actuating element, which can be activated by a first of the two control units, and a second electric actuating element which acts in the same direction when activated as the first electric actuating element. The second electric actuating element can be activated by the second electronic control unit at the same time as the first electric actuating element is being activated by the first electronic control unit. Thus, system redundancy is provided by providing two separate electronic control units, each of which controls one of two separate electric actuating elements associated with each wheel.
It has also been suggested to create a redundant electronic control system where two separate control networks are employed. Such a system employs one or more central control units provided to control, in response to sensor input, two or more brake assemblies, each having a brake actuator incorporating an electronic control unit. Central control unit or units is or are in electrical communication with the electronic control unit of each of the brake assemblies via at least two electronic control networks. All of the electronic control units of all brake assemblies are connected to each electronic control network. By providing such an arrangement, should one electronic control network fail, the other electronic control network would theoretically maintain control of all brake assemblies.
However, all three of the above-discussed prior art systems suffer from a number of disadvantages. One common disadvantage of all three systems is that the brake assemblies are essentially “dumb” in that no control signal generation is performed thereby. While it is true that in the last of the above-described systems each of the brake assemblies may be provided with an electronic control unit, the functionality of this electronic control unit is limited, for example, to processing (e.g. translating) control signals received from the central control unit in order to cause the brake to actuate. The electronic control units of the brake assemblies do not receive input from vehicle sensors, and do not generate (as opposed to manipulate) control signals. Thus, it is required for the central control unit in each of the above-described systems to process all sensor inputs and to generate all control signals for all brake assemblies. This is disadvantageous for several reasons.
It is often the case that the vehicle sensors are located remotely from the central control unit. As such, the time it takes for sensor signals to travel from the sensors to the central control unit, and then for the control signals, once generated, to travel from the central control unit to the brake assemblies may be relatively long, thereby causing the brake assemblies to respond to sensor input relatively slowly. It would be more desirable, particularly in situations where the vehicle sensors are located in closer proximity to the brake assemblies than to the central control unit, for the control signals to be generated at the brake assemblies themselves by “smart” brake assemblies.
Another disadvantage of requiring the central control unit to process all sensor inputs and to generate all control signals for all brake assemblies is that the processing of a large number of sensor signals and the generation of a large number of control signals by a single processor may take a relatively long period of time. This problem is exacerbated when the vehicle includes a large number of sensors and/or brake assemblies. It would be more desirable for control signals affecting only a single brake assembly and/or a group of brake assemblies to be generated at the brake assemblies themselves by “smart” brake assemblies, thereby freeing up the resources of the central control unit for the generation of control signals which affect many or all of the brake assemblies.
The disadvantage of all three of the above-described systems relating to the fact that the brake assemblies disclosed therein are essentially “dumb” (in that no control signal generation is performed thereby) may lead to additional problems as well.
As discussed above, in many automotive system applications, electronic control safety is currently approached at two levels: At a basic level, a mechanical system provides the degree of safety that is considered sufficient for safe operation; On top of this basic mechanical system, a computer system provides optimized performance. In case the computer system fails, the mechanical system takes over. A known anti-lock braking system (ABS) is a typical example of this approach: if the computer fails, the conventional mechanical brake is still operational. In the near future, this approach to safety will reach its limit for two reasons: (1) The improved price/performance of the microelectronic components will make the implementation of fault-tolerant computer systems cheaper than the implementation of mixed (computer/mechanical) systems—as a consequence, there will be a cost pressure to eliminate the redundant mechanical system; and (2) As the performance of the computer controlled system is further improved, the fall-back to the inferior performance of the mechanical system increasingly constitutes a safety risk for the operator who is accustomed to the high performance of the computer controlled system.
Both trends favor the deployment of fault-tolerant real-time systems that will provide the specified service despite a failure of any one of their components. It should be no surprise then that there are several such fault-tolerant real-time systems which have been developed, examples of which include the FlexRay™ communication system, the time triggered control area network (TTCAN), and the Time-Triggered Protocol TTP®/C. In general terms, each of these systems uses time as its underlying driving force, i.e., all activities of a system are carried out in response to the passage of certain points in time. This control strategy is realized based on a time division multiple access (TDMA) bus access strategy. The TDMA bus access strategy is based on the principle that the individual communication controllers on the bus have time slots allocated where exactly one communication controller is allowed to send information on the bus. It is thus possible to predict the latency of all messages on the bus, which guarantees hard real-time message delivery. If a control message is not received when expected, the system component which expected to receive the message “knows” that a communication error has occurred.
Such systems are beneficial in that messages are acted upon only if received in a timely manner. For example, in many vehicle systems, such as braking systems, it is critical that control signals be transmitted to, received by, and acted upon by brake actuators almost instantaneously. This is true because the vehicle condition which prompted the control signal to be generated in the first place may only exist for a very short time (i.e., a fraction of a second). If the vehicle condition no longer exists by the time the control signal which that condition prompted reaches the actuator, and the actuator acts upon that signal, the results may not only be unintended, but may actually be hazardous. When the above-described fault-tolerant real-time systems are employed, such may be avoided, since if the control signals are not received in a timely manner when expected, they may be ignored.
While this approach of ignoring untimely control signals may be more desirable than acting upon delayed signals, such an approach is still disadvantageous. This is true because oftentimes it is far more desirable that the actuator take some action (even if such action cannot be the ideal action determined by the system controller due to the communication error) rather than taking no action at all. However, in known prior art systems having “dumb” system actuators, the actuators cannot make a determination of a proper action to be taken. Instead, the actuators either act upon the control signals (if received in a timely manner), or ignore the control signals (if not received when expected).
What is desired, therefore, is an electrically controlled braking system which is intended for use with wheeled vehicles, which allows brake assemblies to respond to sensor input relatively quickly, which does not require the central control unit to process all sensor inputs and to generate all control signals for all brake assemblies, which frees up the resources of the central control unit for the generation of control signals which affect many or all of the brake assemblies, which in addition to a central control unit also includes “smart” brake assemblies capable of processing sensor input and generating control signals in response thereto, which employs a fault-tolerant real-time communications network, and which includes “smart” brake assemblies capable of switching to a failsafe mode of alternative control should the fault-tolerant real-time communications network fail.