US-RE050872-B2

Device for controlling a safety-relevant process, method for testing the functionality of the device, and motor vehicle with the device

Published: April 21, 2026
Technical Abstract

A device for control of a safety-relevant process. For automated driving, safety precautions are necessary. The brake system is a redundant design including primary and secondary brake systems. Both brake systems safely decelerate the transportation vehicle and take over the function of the other brake system. The control of the safety-relevant process is based on the analysis of the signals of at least one sensor. A hardware architecture and a test mode for the hardware architecture are provided. A communications bus enables exchange of data between the primary and secondary control units. The at least one sensor of the hardware architecture connects to the primary control unit and to the secondary control unit, wherein a respective sensor arrangement isolation circuit is associated with the primary control unit and the secondary control unit, which isolates the associated primary or secondary control unit from the at least one sensor.


Raw Claims Text

Original claims text from the patent document.

Claim 1: A device for the control of a safety-relevant process, the device comprising:

Claim 2: The device of …, further comprising a monitoring device for monitoring the function of the primary control unit.

Claim 3: The device of …, further comprising a monitoring device for monitoring the function of the secondary control unit.

Claim 4: The device of …, wherein the monitoring device relates to a program execution monitoring device.

Claim 5: The device of …, wherein each of the sensor arrangement isolation circuits contains an AND circuit that connects the at least one sensor to the respective primary or secondary control unit in response to both receipt of a signal from a monitoring device that signals that the respective control unit is working faultlessly, and a microcontroller of the respective control unit signaling that the respective control unit is in a state in which there is processing and/or forwarding of the signals of the at least one sensor to the respective secondary or primary control.

Claim 6: The device of …, wherein the safety-relevant process is a braking process of a motorized transportation vehicle and the device is installed in a motorized transportation vehicle.

Claim 7: The device of …, wherein the primary control unit is a control unit for a primary brake system of a motorized transportation vehicle.

Claim 8: The device of …, wherein the secondary control unit is a control unit for a secondary brake system of a motorized transportation vehicle.

Claim 9: The device of …, wherein the at least one sensor is a wheel revolution rate sensor.

Claim 10: A method for testing operability of a device for the control of a safety-relevant process, wherein the device includes a primary control unit, a secondary control unit, wherein the primary and secondary control units are redundant to one another and the secondary control unit carries out functionality of the primary control unit in response to a fault, wherein the control of the safety-relevant process is performed based on analysis of signals generated by at least one sensor, and a communications bus coupling the primary and secondary control units that enables exchange of data between the primary and secondary control units, wherein the at least one sensor is connected to the primary control unit and to the secondary control unit, and wherein the device further comprises respective sensor arrangement isolation circuits associated with each of the primary control unit and the secondary control unit, which, when activated, isolates the associated primary or secondary control unit from the at least one sensor, wherein the method comprises:

Claim 11: The method of …, further comprising signaling by the primary control unit the end of the test mode via the communications bus, following input of the information about the end of the test mode, the secondary control unit switching off the at least one sensor by the sensor arrangement isolation circuit associated therewith, whereupon because of the lack of transmitted sensor data, the primary control unit makes a connection of the at least one sensor to the primary control unit by the sensor arrangement isolation circuit associated therewith and continues the supply of sensor data to the secondary control unit as before the initiation of the test mode.

Claim 12: The method of …, wherein the performance of the test of the operability of the device is carried out following a request to initiate the operating mode of highly automated driving of the motorized transportation vehicle.

Claim 13: The method of …, wherein in response to the primary control unit detecting during the test that the sensor data is not correctly received by the secondary control unit, a connection of the at least one sensor to the primary control unit is made by the sensor arrangement isolation circuit associated therewith, and as previously, before the initiation of the test mode, the supply of sensor data to the secondary control unit is continued, wherein the primary control unit notifies the incorrect reception of the sensor data to the secondary control unit and the secondary control unit switches off the at least one sensor by the associated sensor arrangement isolation circuit.

Claim 14: The method of …, wherein, in response to the secondary control unit detecting during the test that the sensor data is not received correctly by the primary control unit, a connection of the at least one sensor to the secondary control unit is made by the sensor arrangement isolation circuit associated therewith and the supply of sensor data to the primary control unit is carried out, wherein the secondary control unit notifies the incorrect reception of the sensor data to the primary control unit and the primary control unit thereupon switches off the at least one sensor by the associated sensor arrangement isolation circuit.

Claim 15: A motorized transportation vehicle comprising a device for control of a safety-relevant process, the device including:

Claim 16: The vehicle of …, wherein the device further comprises a monitoring device for monitoring the function of the primary control unit.

Claim 17: The vehicle of …, wherein the device further comprises a monitoring device for monitoring the function of the secondary control unit.

Claim 18: The vehicle of …, wherein the monitoring device relates to a program execution monitoring device.

Claim 19: The vehicle of …, wherein each of the sensor arrangement isolation circuits contains an AND circuit that connects the at least one sensor to the respective primary or secondary control unit in response to both receipt of a signal from a monitoring device that signals that the respective control unit is working faultlessly, and a microcontroller of the respective control unit signaling that the respective control unit is in a state in which there is processing and/or forwarding of the signals of the at least one sensor to the respective secondary or primary control.

Claim 20: The vehicle of …, wherein the safety-relevant process is a braking process of a motorized transportation vehicle and the device is installed in a motorized transportation vehicle.

Claim 21: The vehicle of …, wherein the primary control unit is a control unit for a primary brake system of the motorized transportation vehicle.

Claim 22: The vehicle of …, wherein the secondary control unit is a control unit for a secondary brake system of the motorized transportation vehicle.

Claim 23: The vehicle of …, wherein the at least one sensor is a wheel revolution rate sensor.

Detailed Description

Complete technical specification and implementation details from the patent document.

This patent application is a reissue of U.S. patent application Ser. No. 15/940,433, filed Mar. 29, 2018, now U.S. Pat. No. 10,870,421, which claims priority to German Patent Application Nos. 10 2017 206 035.2, filed Apr. 7, 2017, and 10 2017 209 721.3, filed Jun. 8, 2017, the disclosures of which are incorporated herein by reference in their entirety.

Autonomous driving (sometimes also called automatic driving, automated driving or piloted driving) is understood to be the locomotion of transportation vehicles, mobile robots and driverless transport systems that behave substantially autonomously. There are different levels of the term autonomous driving. Certain levels are still referred to as autonomous driving even if a driver remains in the transportation vehicle who merely monitors the automatic driving process. In Europe, the different traffic ministries (in Germany the Federal Highway Research Institute was involved) have worked together and defined the following levels of autonomy.

Level 0: “Driver only”, the driver himself is driving, steering, accelerating, braking etc.

Level 1: Certain assistance systems help to operate the transportation vehicle (inter alia a distance control system—Automatic Cruise Control ACC).

Level 2: Partial automation. Inter alia automatic parking, lane keeping function, general longitudinal control, accelerating, decelerating etc. are carried out by the assistance systems (inter alia a traffic jam assistant).

Level 3: High automation. The driver does not have to monitor the system continuously. The transportation vehicle carries out functions autonomously such as triggering the indicators, lane changing and lane keeping. The driver can give attention to other things, but if necessary will be required by the system to take over control within a pre-warning time. The form of autonomy is technically feasible on freeways. The legislators are working towards allowing Level 3 transportation vehicles. The legal framework for this has already been created.

Level 4: Full automation. The control of the transportation vehicle is continuously carried out by the system. If the driving tasks are no longer being managed by the system, the driver can be required to carry out control.

Level 5: No driver necessary. Apart from the specification of the destination and starting the system, no human intervention is necessary.

Automated driving functions from level 3 absolve the driver of the responsibility for the control of the transportation vehicle. A braking and stabilizing system that is participating therein, which can fail owing to a single fault, therefore needs a suitable fallback level to always be able to keep the transportation vehicle in a safe driving dynamics state until the driver can intervene again. The brake systems for transportation vehicles of this type, which provide automated driving from level 3, are always designed redundantly. The braking systems consist of two components, namely a primary brake system and a secondary brake system, so that a component can fail without endangering driving stability.

For safety reasons, driving functions in the speed range from approx. 60 km/h require the guaranteed availability of traction control functions, such as, for example, the anti-lock brake system ABS, in addition to the guaranteed availability of deceleration. The traction control functions require sensor data as control variables. This also includes detection of the wheel revolution rates, such as is currently carried out by control units for transportation vehicle dynamics control (Electronic Stability Control ESC). If the ESC electronics (primary brake system) fail, there is no longer wheel-specific motion information available to the driving function and the traction control function in the secondary brake system, so that control at the fallback level is no longer possible.

Because of the electrical interface of the standard wheel revolution rate sensors, it is not easily possible to connect a sensor to two control units to be able to supply both control units with the required information. The sensor transmits the signals thereof by a transmission protocol that provides defined current levels. A VDA protocol is used for this purpose. In the case of a parallel circuit with two control units, the current would be divided, and the detection of the level would sometimes not be successful in either of the two control units. It would be different if the individual wheel revolution rate sensors were connected to a data bus, for example, a CAN bus (Controller Area Network), via which the data could be transmitted to a plurality of connected control units.

The following known solutions are mentioned:

a) The use of 4 additional wheel revolution rate sensors, so that in total 8 wheel revolution rate sensors are used. A wheel revolution rate sensor per wheel and control unit is thus used.

b) The use of 4 redundant wheel revolution rate sensors. In this case, the component for a wheel revolution rate sensor contains sensor elements with separate outputs, one for each connected control unit. Depending on which control unit is controlling the braking process, the matching sensor element is thus analyzed. Both sensor elements are always in operation at the same time.

From DE 102015110965 A1, a device is known that is provided for safe deceleration of an autonomously controlled transportation vehicle. The device is of a redundant design. It contains a first brake control module, also known as the primary module, and a second brake control module, also known as the secondary module. All wheel revolution rate sensors are connected to the first brake control module in a first exemplary embodiment. The first brake control module provides the wheel revolution rate data of the wheel revolution rate sensors to the second brake control module via a data connection. In a second exemplary embodiment, the majority of wheel revolution rate sensors are connected to the first brake control module and only a smaller number of wheel revolution rate sensors are connected to the second brake control module.

From DE 102015209565 A1, a system is known that is also provided for safe deceleration of an autonomously controlled transportation vehicle. This also has a primary brake system and a secondary brake system. A first control unit is associated with the primary brake system (for example, an ESP/ABS control unit). The control unit is also of a redundant design. It consists of a first control device and a second control device embodied as an ASIC. The wheel revolution rate sensors can be supplied with voltage by both control devices. The wheel revolution rate data are detected by the second control device and can be forwarded via a transportation vehicle bus (for example, a CAN bus) to an external control unit, which carries out control for the secondary brake system. Even in the event of failure of the first control device and the microcontroller of the first control unit, the wheel revolution rate data can still be forwarded to the external control unit.

From EP1219489A2, a system for controlling and/or monitoring a control unit network comprising at least two control units is known. The first control unit has a plurality of functions, namely carrying out the own control function thereof, monitoring the own control function thereof and monitoring the second control unit. If the first control unit detects a malfunction of the second control unit, it switches the second control unit off.

The known solutions have some drawbacks. For 4 additional wheel revolution rate sensors or even 4 redundant wheel revolution rate sensors, twice as many lines as previously must be provided in the on-board electrical system. The costs of the standard sensors are increased, because twice as many are required. Redundant sensors are produced in smaller volumes, and it is to be expected that their costs are even higher.

The solutions according to the mentioned published patent applications have the same aim, but they describe a circuit that is only used in one of the two control units. This has a number of drawbacks:

Twice as many plug contacts are necessary on the control unit that contains the circuit for the wheel revolution rate sensors (for example, 16 instead of 8 plug contacts).

When changing over to the secondary control unit in the event of a failure of the voltage supply in the primary control unit, sometimes a loss of voltage in the changeover logic must be accepted, because a self-conducting MOSFET must be used.

Within the scope of the disclosure, it has been recognized that the solutions provided do not utilize the wheel revolution rate sensors efficiently, and in this respect the costs for additional wheel revolution rate sensors are high.

According to the present disclosure, a hardware architecture is proposed. This contains a standardisable hardware interface for the connection of 4 standard wheel revolution rate sensors to two control units. According to the disclosure, a behavior model for the operating mode of the hardware architecture is also proposed, which ensures that, even following the occurrence of a single fault in one of the two control units, the data of all sensors can be directly received by the other control unit. In this case, the data are transmitted via the transportation vehicle bus to the other control unit and also made available to further receivers. Thus, fallback levels can be implemented in both control units, which can always rely on the existence of wheel revolution rate information. Furthermore, a test mode is proposed that is used to check the full operability of the system. It is thus ensured that the system satisfies the redundancy requirements of the driving function.

A benefit of the standardisable hardware interface is that the hardware can be implemented identically in all control units.

In principle, conventional circuits that contain the sensor interfaces are used in the control units. However, a sensor arrangement isolation circuit is still inserted in the control unit between the IC and the sensors, which can break the connection between the sensors and the defective control unit, so that no current can flow across the interface. As a result, a wheel revolution rate sensor can be connected in parallel to two control units, since it is ensured by the sensor arrangement isolation circuit that one of the two control units breaks the interface and the sensor current is thus not split.

Each control unit must control the isolation circuit and can communicate the respective state via the transportation vehicle bus. A failure of a control unit must result in any case in the circuit breaking the connection of the control unit to the sensors. This can, for example, be achieved using an already existing monitoring circuit (watchdog). The watchdog function is already present in current brake systems and stops the control unit once it has been detected that the actuation arrangement or electronics can no longer be controlled and there is thus a risk of destabilization of the transportation vehicle. If the control unit has not yet failed completely, the status of the interface can still be communicated via the transportation vehicle bus.

It is beneficial for this if the sensor arrangement isolation circuit contains an AND circuit that brings about a connection of the at least one sensor to the respective primary or secondary control unit if a signal arrives from the monitoring device that signals that the respective control unit is working faultlessly and the respective control unit is signaled by a microcontroller that the respective control unit is in a state in which there is processing and/or forwarding of the signals of the at least one sensor to the respective secondary or primary control unit.

In this case, the software of the control units must be designed to always only activate the interface if it is ensured that the interface of the other control unit is deactivated. This is carried out by an internal state machine that receives the states of the respective other state machine via the transportation vehicle bus. The software of the primary brake system must activate the interface in a standard manner and only deactivate it on the occurrence of certain faults. The software of the secondary brake system must deactivate the interface in a standard manner and must immediately activate it if a fault in the primary brake system has caused the own interface thereof to be deactivated.

According to the disclosed embodiments, in addition a test mode is proposed that enables checking of the ability to change the interfaces over. It is thus ensured that the required redundancy of the brake system is present before an automated driving function can be activated by the driver. The test mode runs as follows:

The primary control unit breaks the connection to the at least one sensor using the sensor arrangement isolation circuit associated therewith. It signals entry to the test mode to the secondary control unit via the communications bus, wherein the secondary control unit then makes a connection of the at least one sensor to the secondary control unit using the sensor arrangement isolation circuit associated therewith and sends the sensor data to the primary control unit via the communications bus. The primary control unit checks the correct reception of the sensor data, and in the event of a positive result of the check the primary control unit signals the end of the test mode via the communications bus.

It is beneficial if the secondary control unit switches off the at least one sensor after entry of the information regarding the end of the test mode via the sensor arrangement isolation circuit associated therewith, whereupon for its part the primary control unit makes a connection of the at least one sensor to the primary control unit by the sensor arrangement isolation circuit associated therewith because of the lack of transmitted sensor data, and continues the supply of sensor data to the secondary control unit as before the initiation of the test mode.

It is beneficial if the test of the operability of the device is carried out following a request to initiate the operating mode of highly automated driving of the motorized transportation vehicle. The test is then carried out before the transportation vehicle changes to the highly automated driving mode.

Furthermore, it is beneficial for the test mode if, in the case in which the primary control unit detects during the test that the sensor data cannot be correctly received by the secondary control unit, a connection of the at least one sensor to the primary control unit is made by the sensor arrangement isolation circuit associated therewith and, as previously, before the initiation of the test mode, continues the supply of sensor data to the secondary control unit. During this it is beneficial if the primary control unit signals the incorrect reception of the sensor data to the secondary control unit and the secondary control unit thereupon switches off the at least one sensor by the associated sensor arrangement isolation circuit.

Accordingly, it is beneficial if, in the case in which the secondary control unit detects during the test that the sensor data cannot be correctly received by the primary control unit, the at least one sensor is connected to the secondary control unit by the sensor arrangement isolation circuit associated therewith and the supply of sensor data to the primary control unit is carried out, wherein the secondary control unit signals the incorrect reception of the sensor data to the primary control unit and the primary control unit thereupon switches off the at least one sensor by the associated sensor arrangement isolation circuit.
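The AND-gated isolation circuit, the mutually exclusive state machines and the complete test-mode exchange above (including the two fault outcomes) can be put together as a small behavior model. This is an added example, not code from the patent or from any brake-system supplier: the class, function and bus-message names are assumptions, the fault flags are constructed inputs, and the rule for which unit attributes a failure is a modelling assumption stated in the docstring.

```python
"""Behavior model of the shared wheel-speed-sensor interface and its test mode.
Added example, not code from the patent or from any brake-system supplier. Class, function
and bus-message names are assumptions of this model; the fault flags are constructed inputs.
"""
from __future__ import annotations
from dataclasses import dataclass

SENSOR_SAMPLE = (812, 815, 809, 811)  # constructed wheel revolution rates, one per wheel


@dataclass
class Ecu:
    name: str
    watchdog_ok: bool = True        # program-execution monitor reports a healthy unit
    mcu_request: bool = False       # state machine asks to hold the sensor interface
    sensor_rx_fault: bool = False   # constructed: own sensor front end cannot decode the levels
    bus_rx_fault: bool = False      # constructed: cannot take in sensor data from the bus
    received: tuple | None = None   # last sensor data obtained over the bus

    @property
    def connected(self) -> bool:
        """Isolation circuit = AND(watchdog OK, MCU request): a tripped watchdog always opens it."""
        return self.watchdog_ok and self.mcu_request


def sensor_owner(units):
    """Current-level signalling is decodable only while exactly one unit is connected."""
    connected = [u for u in units if u.connected]
    return connected[0] if len(connected) == 1 else None


def read_sensors(units):
    """Sensor data as decoded by the single connected unit, or None if nobody can decode."""
    owner = sensor_owner(units)
    if owner is None or owner.sensor_rx_fault:
        return None
    return SENSOR_SAMPLE


def forward(sender, receiver, data, trace):
    """Send sensor data over the vehicle bus; report whether usable data arrived."""
    trace.append(f"{sender.name}->{receiver.name}: SENSOR_DATA {data}")
    receiver.received = None if receiver.bus_rx_fault else data
    return receiver.received is not None


def run_test_mode(primary, secondary):
    """Run the test mode from normal operation; returns (result, trace).
    Steps are ordered so both isolation circuits are never closed at once (checked in step()).
    Fault attribution is an assumption of the model: the primary detects that nothing usable
    arrived; the secondary detects that it decoded valid data, so the primary's reception failed.
    """
    units = (primary, secondary)
    trace = []

    def step(note):
        assert sum(u.connected for u in units) <= 1, "both circuits closed: sensor current split"
        trace.append(note)

    def restore_primary():
        secondary.mcu_request = False
        step("secondary disconnected")
        primary.mcu_request = True
        step("primary connected, supply to secondary resumed")
        forward(primary, secondary, read_sensors(units), trace)

    primary.mcu_request, secondary.mcu_request = True, False
    step("pre-test: primary connected")

    # 1. Primary opens its circuit first, then announces the test on the bus.
    primary.mcu_request = False
    step("primary->secondary: TEST_START")

    # 2. Secondary closes its circuit and sends what it decodes to the primary.
    secondary.mcu_request = True
    step("secondary connected")
    data = read_sensors(units)
    if forward(secondary, primary, data, trace):
        # 3a. Positive check (claim 11): primary ends the test; the secondary opens its circuit
        #     and the primary, seeing the data stop, reconnects and feeds the secondary again.
        step("primary->secondary: TEST_END")
        restore_primary()
        return "PASS", trace

    step("primary->secondary: RX_FAIL")
    if data is None:
        # 3b. (claim 13) Secondary's sensor side produced nothing: it switches off and the
        #     primary takes the sensors back and supplies the secondary as before the test.
        restore_primary()
        return "FAIL_SECONDARY_SENSOR", trace

    # 3c. (claim 14) Secondary had valid data, so the primary cannot receive: the secondary keeps
    #     the sensors and goes on supplying the primary, whose circuit stays open.
    step("secondary->primary: KEEP_OFF")
    forward(secondary, primary, data, trace)
    return "FAIL_PRIMARY_RX", trace


def handle_primary_fault(primary, secondary):
    """Behavior model outside the test: a tripped primary watchdog opens the primary's circuit
    regardless of its MCU request, and the secondary's state machine immediately closes its own."""
    primary.watchdog_ok = False
    secondary.mcu_request = True
    return read_sensors((primary, secondary))
```

Only a `PASS` result means the changeover has actually been exercised in both directions, which is the condition the description attaches to releasing the highly automated driving mode.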

The disclosed embodiments can be used in all transportation vehicles with an automated driving function from level 3 (according to the VDA), which operate in the higher speed range. At low speeds (for example, below 60 km/h), no wheel revolution rate sensor data are necessary to be able to decelerate the transportation vehicle in a stable manner.

The present description illustrates the principles of the disclosure. It is thus understood that persons skilled in the art are able to conceive of different arrangements that are not explicitly described here, but that embody principles according to the disclosure and that are also to be protected within the scope thereof.

The drawing shows a motorized transportation vehicle. A passenger transportation vehicle Pkw is represented. However, any other transportation vehicles could also be considered as the transportation vehicle. Examples of other transportation vehicles are: utility transportation vehicles, in particular, trucks Lkw, agricultural machines, building machinery, motor cycles, rail transportation vehicles, etc. The transportation vehicle is provided with reference number. As a Pkw, the transportation vehicle is fitted with 4 wheels. Present-day brake systems are usually also fitted with anti-slip regulation ASR. For this it is necessary to detect the wheel revolution rates of all 4 wheels, likewise for the anti-lock brake function ABS. Therefore, it is also shown in the drawing that a wheel revolution rate sensor is mounted on each wheel. The wheel revolution rate sensors are connected to a brake control system. The brake control system consists of two control units that operate mutually independently. For the primary brake system, for example, an ESC control unit is provided that controls the primary brake system. This carries out the function of electronic ride stabilization, also known as Electronic Stability Control (ESC). The ESC control unit has the capability to decelerate the transportation vehicle from higher speeds in a controlled manner. For this, in modern ESC control units the functionality of the antilock brake system ABS is also present. Independently of the primary brake system, there is however also a secondary brake system that can also decelerate the transportation vehicle in a controlled manner. For example, an intelligent brake booster has been developed for this, which is referred to as an electrical brake booster (eBKV). The control unit thereof then forms the control unit of the secondary brake system.

The two control units do not have to be installed at the same location, as shown in the drawing, but they can also be installed at different locations in the motorized transportation vehicle. They are in any case connected to each other via the transportation vehicle bus. As an example of a transportation vehicle bus that is used to network control units in the motorized transportation vehicle, the Controller Area Network CAN is mentioned. The bus system is standardized and we refer to the corresponding specifications according to the ISO 11898 standard for further details. Because different versions of the CAN bus can be used for different categories of control unit, here the CAN drive bus is mentioned that is used to network control units of the drive train such as the engine control unit, brake control unit, gearbox control unit and ESC control unit. The high-speed version of the CAN bus according to the ISO 11898-2 specification is mainly used for this purpose.

The next drawing shows the hardware architecture of the brake control system. The disclosed embodiment contains a standardisable hardware interface for the connection of 4 standard wheel revolution rate sensors to two control units and a behavior model, which ensures that even after the occurrence of a single fault one of the two control units can receive the data of all the sensors directly and can provide the data via the transportation vehicle bus to the other control unit and further receivers. Thus, both control units can implement fallback levels, which can always rely on the existence of wheel revolution rate information.

The control unit of the primary brake system is denoted by reference number. As described above, it is the ESP/ABS control unit. The control unit of the secondary brake system is denoted by reference number. It is the control unit of the electronic brake booster. The 4 wheel revolution rate sensors are denoted by the reference number. The signal lines of the wheel revolution rate sensors are denoted by reference number. The two control units are networked together by a transportation vehicle data bus, abbreviated to transportation vehicle bus, via which data can be exchanged. Further control units can be connected to the transportation vehicle bus, such as the engine control unit and the gearbox control unit (not shown in the drawing). The architecture of the control units is also represented in the drawing. Typically, the control units each contain an application-specific circuit ASIC, which is responsible for the current/voltage supply of the wheel revolution rate sensors and for the detection and processing of the signals of the wheel revolution rate sensors. The control units are furthermore each fitted with a microcontroller. The control unit carries out the actual control functions. In addition, a monitoring circuit is provided in each control unit. Such monitoring circuits are known by the term “watchdog” circuit. With these the correct program execution in the control unit is monitored. Connections between the application-specific circuits and the microcontrollers are provided to be able to transmit the detected sensor data, for example.

As mentioned, the wheel revolution rate sensors are connected to both control units. In principle, conventional circuits are used in the control units, which relate to the sensor interfaces. Between the respective ASIC and the wheel revolution rate sensors, however, yet another sensor arrangement isolation circuit is inserted in the respective control unit, which can break the connection between the wheel revolution rate sensors and the respective control unit, so that current can no longer flow across the interface. Thus, a wheel revolution rate sensor can be connected in parallel to two control units, since it is ensured that one of the two control units breaks the connection and the sensor current is thus not split.

Each control unit must be able to control the sensor arrangement isolation circuit and communicate the respective state via the transportation vehicle bus. A failure of a control unit must in any case result in the sensor arrangement isolation circuit breaking the connection of the control unit to the wheel revolution rate sensors. This is achieved with the mentioned watchdog circuit. A watchdog circuit consists essentially of a counter that is reset at defined positions in the program execution. If this does not occur because of a fault, for example, because the program enters an endless loop, counter overflow occurs and the watchdog circuit disables the control unit. The watchdog function in the current brake systems disables the control unit once it has been detected that the actuation arrangement or electronics can no longer be controlled and hence a destabilization of the transportation vehicle is impending. If the control unit has not failed completely, the status of the interface can still be communicated via the transportation vehicle bus. An alternative procedure with the use of watchdog circuits is that the control unit is reset in the event of a fault to test whether the fault can be eliminated as a result.

The software of the control units is designed so that it only ever activates the sensor interface if it is ensured that the sensor interface of the other control unit is deactivated. This is carried out by an internal state machine, which receives the state of the respective other state machine via the transportation vehicle bus. The software of the control unit of the primary brake system activates the sensor interface thereof in a standard manner and the sensor interface is only deactivated on the occurrence of a defined fault. The software of the control unit of the secondary brake system deactivates the sensor interface thereof in a standard manner and immediately activates the sensor interface if a fault in the primary brake system has resulted in the sensor interface thereof being deactivated.

For the system environment it is necessary to comply with the following points because of the safety requirements:

Redundant power supply

Each control unit is supplied with power from an independent voltage source.

Redundant communications

Each control unit can communicate via two mutually independent communications paths with the respective other control unit and certain further control units in the transportation vehicle.

Fault-tolerant driving function

The failure of a wheel revolution rate sensor does not cause failure of the driving function. Safe control of the transportation vehicle is also possible with 3 wheel revolution rate sensors.


Citation & reuse


Cite as: Patentable. “Device for controlling a safety-relevant process, method for testing the functionality of the device, and motor vehicle with the device” (US-RE050872-B2). https://patentable.app/patents/US-RE050872-B2
