CN104590243B - Whole vehicle functional safety monitoring system - Google Patents

Whole vehicle functional safety monitoring system Download PDF

Info

Publication number
CN104590243B
CN104590243B CN201510003348.0A CN201510003348A CN104590243B CN 104590243 B CN104590243 B CN 104590243B CN 201510003348 A CN201510003348 A CN 201510003348A CN 104590243 B CN104590243 B CN 104590243B
Authority
CN
China
Prior art keywords
vehicle
acceleration
torque
safe
monitoring module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201510003348.0A
Other languages
Chinese (zh)
Other versions
CN104590243A (en
Inventor
于世涛
郭辉
张威
蒋云
李君�
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
United Automotive Electronic Systems Co Ltd
Original Assignee
United Automotive Electronic Systems Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by United Automotive Electronic Systems Co Ltd filed Critical United Automotive Electronic Systems Co Ltd
Priority to CN201510003348.0A priority Critical patent/CN104590243B/en
Publication of CN104590243A publication Critical patent/CN104590243A/en
Application granted granted Critical
Publication of CN104590243B publication Critical patent/CN104590243B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W10/00Conjoint control of vehicle sub-units of different type or different function
    • B60W10/04Conjoint control of vehicle sub-units of different type or different function including control of propulsion units
    • B60W10/06Conjoint control of vehicle sub-units of different type or different function including control of propulsion units including control of combustion engines
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W10/00Conjoint control of vehicle sub-units of different type or different function
    • B60W10/02Conjoint control of vehicle sub-units of different type or different function including control of driveline clutches
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W10/00Conjoint control of vehicle sub-units of different type or different function
    • B60W10/04Conjoint control of vehicle sub-units of different type or different function including control of propulsion units
    • B60W10/08Conjoint control of vehicle sub-units of different type or different function including control of propulsion units including control of electric propulsion units, e.g. motors or generators
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W40/00Estimation or calculation of non-directly measurable driving parameters for road vehicle drive control systems not related to the control of a particular sub unit, e.g. by using mathematical models
    • B60W40/10Estimation or calculation of non-directly measurable driving parameters for road vehicle drive control systems not related to the control of a particular sub unit, e.g. by using mathematical models related to vehicle motion
    • B60W40/107Longitudinal acceleration
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W50/00Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
    • B60W50/02Ensuring safety in case of control system failures, e.g. by diagnosing, circumventing or fixing failures
    • B60W50/038Limiting the input power, torque or speed
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W2520/00Input parameters relating to overall vehicle dynamics
    • B60W2520/10Longitudinal speed
    • B60W2520/105Longitudinal acceleration
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W2710/00Output or target parameters relating to a particular sub-units
    • B60W2710/02Clutches
    • B60W2710/021Clutch engagement state
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W2710/00Output or target parameters relating to a particular sub-units
    • B60W2710/06Combustion engines, Gas turbines
    • B60W2710/0666Engine torque
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W2710/00Output or target parameters relating to a particular sub-units
    • B60W2710/08Electric propulsion units
    • B60W2710/083Torque

Abstract

The invention discloses a whole vehicle functional safety monitoring system, which is a centralized whole vehicle functional safety monitoring system with a torque monitoring and an acceleration monitoring, an acceleration signal source is introduced for monitoring the instantaneous whole vehicle acceleration information in real time, the validity of the whole vehicle torque distribution control is considered by the torque comparison monitoring and the whole vehicle acceleration comparison monitoring, when the whole vehicle power system torque calculation and controlling occur an undesired torque increase, security protection can be carried out on the basis of the torque comparison information and the whole vehicle acceleration information of the current vehicle, so that the centralized monitoring of the vehicle functional safety can be realized; the whole vehicle functional safety monitoring system has the advantage that the requirement on the function safety level of the terminal power source controller is lowered, so that the complexity and cost of the monitoring system is reduced, and realization of the systematic design with the more higher functional security level is facilitated.

Description

Whole vehicle functions safety monitoring system
Technical field
The present invention relates to automotive safety technology, more particularly to a kind of whole vehicle functions safety monitoring system.
Background technology
With the development of energy-saving and emission-reduction technology of vehicles, vehicle power control system is increasingly complicated, from traditional single Power control system expands to many power control systems of car load (such as hybrid power system and control system of electric automobile), Fig. 1 with Fig. 2 is respectively the car load power control system structure diagram of hybrid vehicle and pure electric automobile, from Fig. 1, Fig. 2, whole The dynamical system of car is controlled by entire car controller, engine controller, electric machine controller and battery management system collaborative work, Car load dynamical system core is transferred to the car load power that entire car controller is core from traditional engine electronic control Control system, thus causes and proposes safely huge challenge for the whole vehicle functions of multi-power system.With the functional safety world The issue of standard ISO 26262 is implemented, and it is that car load power control system is vital to prevent vehicle from unexpected acceleration occurring Security Target, it is ASIL (Automotive Safety that prior art has the functional safety grade for the functional safety target Integrity Level, automotive safety integrity level) B technical scheme, but with it is vehicle-mounted auxiliary driving technology introducing (such as adaptive cruise, unmanned technology etc.), car load factory is gradually for car load power control system proposes higher function peace Congruent level and target call, thus exploitation meets the car load dynamical system of 26262 international standards of ISO and higher function safe class System controller is the technical barrier solved needed for car load power control system.
The existing acceleration correlation technique for preventing vehicle generation unexpected has:
(1) car engine electronic controller electronic air throttle body standardization monitoring
The correlation technique provides a three-level torque monitoring framework, according to 26262 standards of ISO for Motronic control maps Controller carries out functional safety system development, for the functional safety target of " preventing vehicle from unexpected acceleration occurring " provides phase Like the torque monitoring concept of property redundancy reaching the requirement of the functional safety grade of ASILB.
The correlation technique for the corresponding safe class of Security Target of " preventing vehicle from unexpected acceleration occurring " is ASILB, does not propose to meet the technical scheme of more high safety grade;Additionally, the correlation technique is only limitted to Motronic control maps control The functional safety of device processed proposes that three-level monitors the technical solution of framework, for the car load control for extending to many power control systems The application of device processed does not provide specific technical scheme, the limitation that there is expanded application.
(2) technical scheme of existing a kind of entire car controller torque monitoring, as shown in Figure 3, entire car controller 10 is responsible for meter Driver's car load torque demand is calculated, is realized for engine controller 20 and electric machine controller 30 through moment of torsion allocation unit 101 Demand torque distribution, while current rotating speed of the car load torque safety module 103 based on electromotor and motor and acceleration are stepped on Partitioned signal calculates the permission moment of torsion for engine controller and electric machine controller;The torque monitoring system scheme requires to send out Moment of torsion comparison module 205,305 inside motivation electronic controller and electric machine controller is realized turning round with permission for demand torque The monitoring of square.
The correlation technique is a kind of distributed whole vehicle functions safeguard construction based on torque monitoring, in order to meet ISO 26262 require, it is desirable to which entire car controller, engine controller and electric machine controller are required for meeting the corresponding peace shown in Fig. 5 Full level requirements, in Fig. 5, X can be A, B, C or D.The correlation technique is not carried out effectively to the functional safety grade of car load Degraded distribution, thus it requires engine electronic control and electric machine controller are required for functional safety according to car load aspect etc. Level is designed and developed, and causes whole control system complexity and system cost to greatly increase.
(3) existing a kind of distributed whole vehicle functions safeguard construction based on torque monitoring, as shown in figure 4, by full-vehicle control Device 10 sends torque request to electric machine controller 12, and entire car controller 10 is according to the torque feedback of electric machine controller 12 come further Monitoring car load safe condition.
The correlation technique, still adopts distributed torque monitoring structure, vehicle state monitoring work(in torque monitoring structure Vehicle acceleration information employed in energy comes solely from GES, and the checking signal of a redundancy is not being accelerated The verification of degree information, so as to not realizing centralized vehicle state monitoring, thus whole vehicle functions safe class does not have Effectively degraded distribution is obtained, so as to cause system complexity and system cost to greatly increase.
Therefore, existing whole vehicle functions safety monitoring system, it is the distributed function safety distributed based on moment of torsion to adopt Monitoring structure, is required based on 26262 standards of ISO, and the distributed function safety monitoring system generally adopts work(as shown in Figure 5 The topological structure of energy safe class, complex structure, high cost;Existing whole vehicle functions safety monitoring system, using similarity redundancy Functional safety Software Architecture Design, the similarity redundancy feature fail-safe software framework is insufficient for higher function safe class Functional safety design.
The content of the invention
The technical problem to be solved in the present invention is to provide a kind of whole vehicle functions safety monitoring system, can realize higher function The technical requirements of safe class, reduce for the functional safety class requirement of terminal power source controller, realize car load aspect Functional safety is degraded, and reduces complexity and the cost of monitoring system.
For solve above-mentioned technical problem, the present invention provide whole vehicle functions safety monitoring system, including acceleration signal source, Main control module;
The acceleration signal source, for exporting car load instantaneous acceleration to the main control module;
The main control module, including power train control module, safe torque monitoring module, safe acceleration monitoring module;
The power train control module, the driver for calculating car load dynamical system take turns end demand torque, by car load power Driver's wheel end demand torque of system resolves into engine demand moment of torsion and motor demand torque, by engine demand moment of torsion point Motor demand torque is distributed to electric machine controller, and controls the work of driving-chain clutch by dispensing engine electronic control;Such as Fruit receives functional safety failure response or the safe torque monitoring module output of the safe acceleration monitoring module Torque ratio compared with errored response, then control disconnects driving-chain clutch, and forbids to engine electronic control, motor control Device sends torque request;
The safe torque monitoring module, compares the car load reality output driving torque under operating mode at that time and the operating mode in real time Under vehicle maximum permissible torque, vehicle is minimum allows moment of torsion, if the car load reality output driving torque at that time under operating mode is big Vehicle maximum permissible torque under the operating mode, or it is minimum less than the vehicle under the operating mode allow moment of torsion, then output torque ratio Compared with errored response to the safe acceleration monitoring module and the power train control module;
The safe acceleration monitoring module, compares the actual instantaneous acceleration of vehicle and the operating mode under current working in real time Under the maximum allowable speed-raising acceleration and maximum allowable reduction of speed acceleration of vehicle of vehicle, if when vehicle raises speed under current working The actual instantaneous acceleration of vehicle exceedes the maximum allowable speed-raising acceleration of vehicle under the operating mode and meets fault confirming time, or The actual instantaneous acceleration of vehicle during vehicle reduction of speed under current working exceedes the maximum allowable reduction of speed acceleration of vehicle under the operating mode And meet fault confirming time, or receive the torque ratio of the safe torque monitoring module output compared with errored response, then it is defeated Go out functional safety failure response to the power train control module.
Preferably, the whole vehicle functions safety monitoring system, also including monitoring module;
The monitoring module, communicates with the main control module, monitors the power train control module, safe torque monitoring mould Whether block, safe acceleration monitoring module are normal, if the power train control module, safe torque monitoring module or safety accelerate Degree monitoring module runs abnormal or main control module and there is hardware fault, then trigger the main control module and reset.
Preferably, the power train control module, asks with reference to external torque and Full Vehicle System drive control pattern will be whole Driver's wheel end demand torque of car dynamical system resolves into engine demand moment of torsion and motor demand torque, and coordinates car load system The clutch work of system drive control Schema control driving-chain.
Preferably, the safe torque monitoring module, calculates car load reality based on the actual dynamical system topological structure of car load Output driving moment of torsion;
For multi power source, power combination of the safe torque monitoring module according to each power source drive moment of torsion, and Consider power train transmission when transmission efficiency, calculate car load reality output driving torque;
For single power source, the safe torque monitoring module calculates car load reality according to the torque model of single power source Border output driving moment of torsion;
The safe torque monitoring module, according to accelerator pedal information, the rotating speed of system of vehicle transmission chain output shaft and gear Etc. information, the minimum permission moment of torsion of vehicle maximum permissible torque, vehicle is calculated.
Preferably, the safe acceleration monitoring module, instantaneously accelerates according to the car load that the acceleration signal source is transmitted Degree information, and GES, carry out the actual instantaneous acceleration of vehicle and calculate and diagnose;
The instantaneous acceleration calculated if based on the car load instantaneous acceleration information that acceleration signal source is transmitted is same based on car The deviation of the instantaneous acceleration of fast signal of change judges acceleration detection information effectively in certain threshold range, then, it is determined that working as The actual instantaneous acceleration of vehicle under front operating mode;
The instantaneous acceleration calculated if based on the car load instantaneous acceleration information that acceleration signal source is transmitted is same based on car The instantaneous acceleration of fast signal of change beyond certain threshold range, then judge that acceleration detection information is invalid, output one plus Velocity information invalid signals are to the power train control module;
The power train control module, if receiving acceleration information invalid signals, reduce to engine electronic control, The greatest requirements moment of torsion of electric machine controller distribution.
Preferably, the safe acceleration monitoring module, according to accelerator pedal information, the rotating speed of system of vehicle transmission chain output shaft And automobile gear level information, calculate the maximum allowable speed-raising acceleration of the vehicle under current working and the maximum allowable reduction of speed of vehicle accelerates Degree.
Preferably, the safe acceleration monitoring module, because vehicle raises speed when current working under vehicle it is actual instantaneous Vehicle when acceleration speed-raising acceleration maximum allowable more than the vehicle under the operating mode, vehicle reduction of speed under current working is actual instantaneous Acceleration exceedes the maximum allowable reduction of speed acceleration of vehicle under the operating mode, and Trigger Function safety failure is responsive to the dynamic Control Module is after setting time, if the actual instantaneous acceleration of vehicle when vehicle raises speed under current working is still above vehicle most It is big to allow speed-raising acceleration, or the actual instantaneous acceleration of vehicle during vehicle reduction of speed under current working is maximum still above vehicle Reduction of speed acceleration is allowed, is then exported complete vehicle fault and is responsive to the monitoring module;The monitoring module, adds when the safety is received The complete vehicle fault response that speed monitoring module sends, then trigger the main control module and reset.
Preferably, the safe torque monitoring module, if the car load reality output driving torque at that time under operating mode is more than Vehicle maximum permissible torque under the operating mode exceedes setting time, or exceedes less than the minimum permission moment of torsion of vehicle under the operating mode Setting time, then trigger the first level failure response, and output torque comparison error is responsive to the safe acceleration monitoring module With the power train control module, forbid the torque request to terminal power controller, and driving-chain clutch is disconnected;If the After the failure response of one level is performed, when car load reality output driving torque exceedes setting still above vehicle maximum permissible torque Between, or car load reality output driving torque is minimum still less than vehicle allows moment of torsion to exceed setting time, then trigger the second layer Level failure response, output complete vehicle fault are responsive to the monitoring module;The monitoring module, monitors when the safe torque is received The complete vehicle fault response that module sends, then trigger the main control module and reset.
Preferably, the acceleration signal source, comes from external third-parties electronic controller signal, outside independent acceleration Degree sensor or acceleration hardware chip.
The whole vehicle functions safety monitoring system of the present invention, is the centralized car load work(with torque monitoring and acceleration monitor Energy safety monitoring system, is introduced acceleration signal source with real-time monitoring car load instantaneous acceleration information, is relatively monitored by torque ratio Distribute the correctness of control with car load acceleration ratio compared with monitoring to consider car load moment of torsion, when car load dynamical system torque arithmetic and control When there is unexpected moment of torsion and increase in system, by the moment of torsion comparison information and car load instantaneous acceleration information based on Current vehicle come Safeguard protection is carried out, it is achieved thereby that whole vehicle functions monitoring centralized safely, realizes the functional safety degraded of car load aspect, Reduce for the functional safety class requirement of terminal power source controller, so as to reduce monitoring system complexity and into This;Additionally, the invention adopts differentiation redundancy design method, centralized whole vehicle functions security system function fail-safe software is improved Error detection mechanism, can realize the design requirement (such as ASILD) of more high safety grade.
Description of the drawings
In order to be illustrated more clearly that technical scheme, the accompanying drawing to using required for the present invention makees simple below Introduce, it should be apparent that, drawings in the following description are only some embodiments of the present invention, for ordinary skill people For member, on the premise of not paying creative work, can be with according to these other accompanying drawings of accompanying drawings acquisition.
Fig. 1 is hybrid electric vehicle complete vehicle dynamical system control structure figure;
Fig. 2 is whole pure electric vehicle dynamical system control structure figure;
Fig. 3 is a kind of existing monitoring system of mixing dynamical vehicle torsional moment structure chart;
Fig. 4 is a kind of existing pure electric automobile torque monitoring system structure chart;
The distributed whole vehicle functions safeguard construction functional safety hierarchy topology structure charts of Fig. 5;
Fig. 6 is centralized whole vehicle functions safeguard construction functional safety hierarchy topology structure chart;
Fig. 7 is one embodiment schematic diagram of whole vehicle functions safety monitoring system of the present invention.
Specific embodiment
Below in conjunction with accompanying drawing, clear, complete description is carried out to the technical scheme in the present invention, it is clear that described Embodiment is a part of embodiment of the present invention, rather than the embodiment of whole.Based on the embodiment in the present invention, this area is general All other embodiment that logical technical staff is obtained on the premise of creative work is not made, belongs to protection of the present invention Scope.
Embodiment one
Whole vehicle functions safety monitoring system, as shown in fig. 7, comprises acceleration signal source, main control module 11;
The acceleration signal source, for exporting car load instantaneous acceleration to the main control module 11;
The main control module 11, including power train control module 111, the monitoring of safe torque monitoring module 112, safe acceleration Module 113;
The power train control module 111, the driver for calculating car load dynamical system take turns end demand torque, and car load is moved Driver's wheel end demand torque of Force system resolves into engine demand moment of torsion and motor demand torque, by engine demand moment of torsion Engine electronic control is distributed to, motor demand torque is distributed to into electric machine controller, and is controlled the work of driving-chain clutch; If receiving the functional safety failure response or the safe torque monitoring module of the safe acceleration monitoring module 113 Compared with errored response, then control disconnects driving-chain clutch to the torque ratios of 112 outputs, and forbid to engine electronic control, Electric machine controller sends torque request;
The safe torque monitoring module 112, compares the car load reality output driving torque under operating mode at that time in real time and is somebody's turn to do Vehicle maximum permissible torque under operating mode, vehicle are minimum to allow moment of torsion, if the car load reality output at that time under operating mode drives turned round Square is more than the vehicle maximum permissible torque under the operating mode, or less than the minimum permission moment of torsion of vehicle under the operating mode, then output is turned round Moment ratio is compared with errored response to the safe acceleration monitoring module 113 and the power train control module 111;
The safe acceleration monitoring module 113, compares the actual instantaneous acceleration of vehicle under current working in real time and is somebody's turn to do The maximum allowable speed-raising acceleration of vehicle and the maximum allowable reduction of speed acceleration of vehicle under operating mode, if current working when vehicle raises speed Under the vehicle maximum allowable speed-raising that exceedes under the operating mode of the actual instantaneous acceleration of vehicle acceleration and meet fault confirming time (continuing for some time, broken down with determining really, it is to avoid be mistaken for breaking down because transient state transfinites), or vehicle drop The actual instantaneous acceleration of vehicle when fast under current working exceedes the maximum allowable reduction of speed acceleration of vehicle under the operating mode and satisfaction Fault confirming time, or receive the torque ratio of safe torque monitoring module output compared with errored response, then output function Safety failure is responsive to the power train control module 111.
Preferably, the power train control module 111, asks with reference to external torque and Full Vehicle System drive control pattern (for example, engine driving, motor-driven, engine motor are driven jointly), by driver's wheel end of car load dynamical system Demand torque resolves into engine demand moment of torsion and motor demand torque, and coordinates Full Vehicle System drive control Schema control to be driven Chain clutch works.
Preferably, the safe torque monitoring module 112, calculates car load reality based on the actual dynamical system topological structure of car load Border output driving moment of torsion;
For multi power source (for example, using electromotor and motor as power source), the safe torque monitoring module 112 According to the power combination of each power source drive moment of torsion, and consider power train transmission when transmission efficiency, calculate car load actually defeated Go out driving torque;
For single power source (for example, using one of electromotor or motor as power source), the safe torque monitoring Module calculates car load reality output driving torque according to the torque model of single power source;
The safe torque monitoring module 112, according to accelerator pedal information, the rotating speed of system of vehicle transmission chain output shaft and shelves The information such as position, calculate the minimum permission moment of torsion of vehicle maximum permissible torque, vehicle.
Preferably, the acceleration signal source, can be from independent in external third-parties electronic controller signal, outside Acceleration transducer or acceleration hardware chip.
The whole vehicle functions safety monitoring system of embodiment one, the power train control module 111 of main control module 11 are responsible for car load and are moved The calculating and distribution of driver's wheel end demand torque of Force system, and the work of driving-chain clutch is controlled, in functional safety strategy Aspect, power train control module 111 perform the torque ratio of safe torque monitoring module 112 and monitor compared with errored response and safe acceleration The functional safety failure response operation of module 113, control driving-chain clutch disconnect and forbid controlling for terminal power source The torque request of device (engine electronic control, electric machine controller), so that ensure that no driving torque is defeated on car load power transmission chain Go out to wheel end, Full Vehicle System enters safe Claudication states, so as to realize for the guarantee of whole vehicle functions safety.Safe torque is monitored Module 112, monitors for whole vehicle functions safe torque, carries out car load actual torque point with the monitoring design method of similarity redundancy The monitoring matched somebody with somebody, if car load reality output driving torque exceeds limit value, output torque comparison error is responded to safe acceleration Monitoring module 113 and power train control module 111.Safe acceleration monitoring module 113, supervises for whole vehicle functions safe acceleration Control, compare in real time the actual instantaneous acceleration of vehicle under current working and the maximum allowable speed-raising acceleration of the vehicle under the operating mode with The maximum allowable reduction of speed acceleration of vehicle, if beyond restriction scope, or receive the torsion that safe torque monitoring module 112 is exported Moment ratio is responsive to power train control module 111 compared with errored response, then output function safety failure.
The whole vehicle functions safety monitoring system of embodiment one, is the centralized car load with torque monitoring and acceleration monitor Functional safety monitoring system, is introduced acceleration signal source with real-time monitoring car load instantaneous acceleration information, is relatively supervised by torque ratio Control and car load acceleration ratio consider the correctness of car load moment of torsion distribution control compared with monitoring, when car load dynamical system torque arithmetic and When control occurs unexpected moment of torsion increase, by the moment of torsion comparison information based on Current vehicle and car load instantaneous acceleration information To carry out safeguard protection, it is achieved thereby that whole vehicle functions monitoring centralized safely, reduces for terminal power source controller The functional safety class requirement of (engine electronic control, electric machine controller), realizes the functional safety degraded of car load aspect, So as to reduce complexity and the cost of monitoring system, and disclosure satisfy that the system application (such as ASILD) of more high safety grade.It is real The functional safety hierarchy topology structure of the whole vehicle functions safety monitoring system of example one is applied as shown in fig. 6, in Fig. 6, X be A, B, C or D。
Embodiment two
Based on embodiment one, the whole vehicle functions safety monitoring system, also including monitoring module 12;
The monitoring module 12, communicates with the main control module 11, monitors the power train control module 111, safe torque Whether monitoring module 112, safe acceleration monitoring module 113 are normal, if the power train control module 111, safe torque prison Control module 112 or safe acceleration monitoring module 113 run abnormal or main control module 11 and there is hardware fault, then trigger described Main control module 11 resets.
The whole vehicle functions safety monitoring system of embodiment two, monitoring module 12 are hardware monitoring layers, main to be responsible for for master The monitoring of control module 11, preventing main control module from logicality or the failure of timeliness occurring causes torque arithmetic mistake and causes vehicle There is unexpected acceleration risk.When power train control module 111, safe torque monitoring module 112 or safe acceleration monitor mould Block 113 runs abnormal or main control module 11 and there is hardware fault, then trigger the failure response of hardware view, by main control module 11 Resetting, forbidding torque request being sent to engine electronic control, electric machine controller, driving-chain clutch will also be disconnected, from And guarantee system enters safe condition.
Embodiment three
Based on the whole vehicle functions safety monitoring system of embodiment one, the safe acceleration monitoring module 113, according to described The car load instantaneous acceleration information that acceleration signal source is transmitted, and GES, carry out the actual instantaneous acceleration of vehicle and calculate And diagnosis;
The instantaneous acceleration calculated if based on the car load instantaneous acceleration information that acceleration signal source is transmitted is same based on car The deviation of the instantaneous acceleration of fast signal of change judges acceleration detection information effectively in certain threshold range, then, it is determined that working as The actual instantaneous acceleration of vehicle under front operating mode;
The instantaneous acceleration calculated if based on the car load instantaneous acceleration information that acceleration signal source is transmitted is same based on car The instantaneous acceleration of fast signal of change beyond certain threshold range, then judge that acceleration detection information is invalid, output one plus Velocity information invalid signals are to the power train control module 111;
Preferably, the power train control module, if receiving acceleration information invalid signals, reduces to Motronic control maps Controller, the greatest requirements moment of torsion of electric machine controller distribution.
The power train control module, to engine electronic control, motor control in the case of acceleration information invalid signals The greatest requirements moment of torsion of device distribution processed, needs are set according to the functional safety target of whole vehicle functions safety monitoring system, It is relatively low to the greatest requirements moment of torsion of engine electronic control, electric machine controller distribution in the case of acceleration information invalid signals, Such that it is able to, in the case of the actual instantaneous acceleration of vehicle for calculating is incredible, limiting modular power control module 111 and export Demand torque, it is ensured that vehicle operation is in safe condition.
Preferably, the safe acceleration monitoring module 113, according to accelerator pedal information, system of vehicle transmission chain output shaft Rotating speed and automobile gear level information, calculate the maximum allowable speed-raising acceleration of the vehicle under current working and the maximum allowable reduction of speed of vehicle adds Speed.
Preferably, the safe acceleration monitoring module, failure response is using degradation tupe, the failure of the second level Respond and be:Because vehicle raises speed when current working under the actual instantaneous acceleration of vehicle exceed the operating mode under vehicle it is maximum allowable The vehicle that the actual instantaneous acceleration of vehicle when speed-raising acceleration, vehicle reduction of speed under current working exceedes under the operating mode is maximum allowable Reduction of speed acceleration, Trigger Function safety failure are responsive to the power train control module after setting time, if vehicle speed-raising When current working under the actual instantaneous acceleration of vehicle still above the maximum allowable speed-raising acceleration of vehicle, or during vehicle reduction of speed The actual instantaneous acceleration of vehicle under current working then exports complete vehicle fault and rings still above the maximum allowable reduction of speed acceleration of vehicle The monitoring module should be arrived;The monitoring module, rings when the complete vehicle fault that the safe acceleration monitoring module sends is received Should, then trigger the main control module and reset.
Preferably, the safe torque monitoring module, failure response adopts degradation tupe, if at that time under operating mode Car load reality output driving torque exceedes setting time more than the vehicle maximum permissible torque under the operating mode, or is less than the operating mode Under vehicle it is minimum allow moment of torsion to exceed setting time, then trigger the first level failure response, the response of output torque comparison error To the safe acceleration monitoring module and the power train control module, forbid to (the Motronic control maps control of terminal power controller Device processed, electric machine controller) torque request, and by driving-chain clutch disconnect;After if the failure response of the first level is performed, Car load reality output driving torque exceedes setting time still above vehicle maximum permissible torque, or car load reality output drives Moment of torsion is minimum still less than vehicle to allow moment of torsion to exceed setting time, then trigger the second level failure response, export complete vehicle fault It is responsive to the monitoring module;The monitoring module, rings when the complete vehicle fault that the safe torque monitoring module sends is received Should, then trigger the main control module and reset.
The whole vehicle functions safety monitoring system of embodiment three, safe acceleration monitoring module 113, according to acceleration signal source The instantaneous acceleration information of Current vehicle is obtained, while the accuracy in order to ensure acceleration information, introduces GES pair The signal in acceleration signal source carries out signal redundancy verification, if based on the vehicle that the acceleration information in acceleration signal source is calculated Actual instantaneous acceleration and based on GES calculate the actual instantaneous acceleration of vehicle deviation in certain threshold range, then Think that the acceleration detection information for being now used for whole vehicle functions security monitoring is effective;When generation speed sensor failure, acceleration Signal source failure, or the actual instantaneous acceleration deviation of vehicle calculated based on GES and acceleration signal source signal exceeded In the case of pre-set threshold value, safe acceleration monitoring module 113 will judge that acceleration detection information is invalid, exports an acceleration Information invalid signals limit car load demand torque, it is possible to deposit by fault management module to the power train control module 111 Storage corresponding failure code, triggering safe early warning lamp are lighted.
The whole vehicle functions safety monitoring system of embodiment three, using acceleration signal source signal as the actual instantaneous acceleration of vehicle The main signal that degree is calculated, using GES as the redundancy check signal of acceleration signal source signal, such that it is able to effectively guarantee (it is difficult that prior art only calculates the actual instantaneous acceleration of vehicle with GES to the safe class that the actual instantaneous acceleration of vehicle is calculated To ensure the accuracy of car load longitudinal acceleration calculating and the effectiveness of acceleration information).The whole vehicle functions peace of embodiment three Full monitoring system, safe acceleration monitoring module are based on vehicle acceleration information realization with the monitoring design method of differentiation redundancy Car load acceleration ratio is relatively monitored, and prevents from (slowing down because torque arithmetic mistake causes vehicle that unexpected acceleration or deceleration failure occurs Suitable for hybrid power system and the electric machine control system of pure electronic electric car), further improve centralized whole vehicle functions safety Systemic-function security error testing mechanism, contributes to realizing the system design of higher function safe class.
Presently preferred embodiments of the present invention is the foregoing is only, not to limit the present invention, all essences in the present invention Within god and principle, any modification, equivalent substitution and improvements done etc. are should be included within the scope of protection of the invention.

Claims (9)

1. a kind of whole vehicle functions safety monitoring system, it is characterised in that including acceleration signal source, main control module;
The acceleration signal source, for exporting car load instantaneous acceleration to the main control module;
The main control module, including power train control module, safe torque monitoring module, safe acceleration monitoring module;
The power train control module, the driver for calculating car load dynamical system take turns end demand torque, by car load dynamical system Driver wheel end demand torque resolve into engine demand moment of torsion and motor demand torque, engine demand moment of torsion is distributed to Motor demand torque is distributed to electric machine controller, and controls the work of driving-chain clutch by engine electronic control;If connect Receive the torsion of functional safety failure response or the safe torque monitoring module output of the safe acceleration monitoring module Compared with errored response, then control disconnects driving-chain clutch to moment ratio, and forbids sending out engine electronic control, electric machine controller Send torque request;
The safe torque monitoring module, compares under car load reality output driving torque and the operating mode under operating mode at that time in real time Vehicle maximum permissible torque, vehicle are minimum to allow moment of torsion, if the car load reality output driving torque at that time under operating mode was more than should Vehicle maximum permissible torque under operating mode, or less than the minimum permission moment of torsion of vehicle under the operating mode, then output torque is more wrong The safe acceleration monitoring module and the power train control module is responsive to by mistake;
The safe acceleration monitoring module, compares under the actual instantaneous acceleration of vehicle and the operating mode under current working in real time The maximum allowable speed-raising acceleration of vehicle and the maximum allowable reduction of speed acceleration of vehicle, if vehicle when vehicle raises speed under current working Actual instantaneous acceleration exceedes the maximum allowable speed-raising acceleration of vehicle under the operating mode and meets fault confirming time, or vehicle The actual instantaneous acceleration of vehicle during reduction of speed under current working is more than the maximum allowable reduction of speed acceleration of vehicle under the operating mode and full Sufficient fault confirming time, or receive the torque ratio of safe torque monitoring module output compared with errored response, then output work Energy safety failure is responsive to the power train control module.
2. whole vehicle functions safety monitoring system according to claim 1, it is characterised in that
The whole vehicle functions safety monitoring system, also including monitoring module;
The monitoring module, communicates with the main control module, monitors the power train control module, safe torque monitoring module, peace Whether full acceleration monitor module is normal, if the power train control module, safe torque monitoring module or safe acceleration prison Control module is run abnormal or main control module and there is hardware fault, then trigger the main control module and reset.
3. whole vehicle functions safety monitoring system according to claim 1, it is characterised in that
The power train control module, asks with reference to external torque and Full Vehicle System drive control pattern is by car load dynamical system Driver's wheel end demand torque resolves into engine demand moment of torsion and motor demand torque, and coordinates Full Vehicle System drive control mould Formula control driving-chain clutch work.
4. whole vehicle functions safety monitoring system according to claim 1, it is characterised in that
The safe torque monitoring module, calculates car load reality output based on the actual dynamical system topological structure of car load and drives torsion Square;
For multi power source, power combination of the safe torque monitoring module according to each power source drive moment of torsion, and consider Power train is driven when transmission efficiency, calculates car load reality output driving torque;
For single power source, it is actually defeated that the safe torque monitoring module calculates car load according to the torque model of single power source Go out driving torque;
The safe torque monitoring module, according to accelerator pedal information, the rotating speed of system of vehicle transmission chain output shaft and gear information, Calculate the minimum permission moment of torsion of vehicle maximum permissible torque, vehicle.
5. whole vehicle functions safety monitoring system according to claim 2, it is characterised in that
The safe acceleration monitoring module, according to the car load instantaneous acceleration information that the acceleration signal source is transmitted, and GES, carries out the actual instantaneous acceleration of vehicle and calculates and diagnose;
The instantaneous acceleration calculated if based on the car load instantaneous acceleration information that acceleration signal source is transmitted is same based on speed letter The deviation of number instantaneous acceleration for calculating judges acceleration detection information effectively in certain threshold range, then, it is determined that current work The actual instantaneous acceleration of vehicle under condition;
The instantaneous acceleration calculated if based on the car load instantaneous acceleration information that acceleration signal source is transmitted is same based on speed letter Number instantaneous acceleration for calculating exceeds certain threshold range, then judge that acceleration detection information is invalid, output one acceleration letter Breath invalid signals are to the power train control module;
The power train control module, if receiving acceleration information invalid signals, reduces to engine electronic control, motor The greatest requirements moment of torsion of controller distribution.
6. whole vehicle functions safety monitoring system according to claim 5, it is characterised in that
The safe acceleration monitoring module, according to accelerator pedal information, the rotating speed of system of vehicle transmission chain output shaft and automobile gear level Information, calculates the maximum allowable speed-raising acceleration of vehicle and the maximum allowable reduction of speed acceleration of vehicle under current working.
7. whole vehicle functions safety monitoring system according to claim 6, it is characterised in that
The safe acceleration monitoring module, because vehicle raises speed when current working under the actual instantaneous acceleration of vehicle exceed should The actual instantaneous acceleration of vehicle when the maximum allowable speed-raising acceleration of vehicle under operating mode, vehicle reduction of speed under current working exceedes this The maximum allowable reduction of speed acceleration of vehicle under operating mode, Trigger Function safety failure are responsive to the power train control module through setting After time, if the speed-raising maximum allowable still above vehicle of the actual instantaneous acceleration of vehicle when vehicle raises speed under current working adds Speed, or the actual instantaneous acceleration of vehicle during vehicle reduction of speed under current working is still above the maximum allowable reduction of speed acceleration of vehicle Degree, then export complete vehicle fault and be responsive to the monitoring module;
The monitoring module, when the complete vehicle fault response that the safe acceleration monitoring module sends is received, then triggers described Main control module resets.
8. whole vehicle functions safety monitoring system according to claim 6, it is characterised in that
The safe torque monitoring module, if the car load reality output driving torque at that time under operating mode is more than the car under the operating mode Maximum permissible torque exceedes setting time, or it is minimum less than the vehicle under the operating mode allow moment of torsion to exceed setting time, then The first level failure response is triggered, output torque comparison error is responsive to the safe acceleration monitoring module and the power control Molding block, forbids the torque request to terminal power controller, and driving-chain clutch is disconnected;If the failure of the first level After response is performed, car load reality output driving torque exceedes setting time, or car load still above vehicle maximum permissible torque Reality output driving torque is minimum still less than vehicle to allow moment of torsion to exceed setting time, then trigger the second level failure response, Output complete vehicle fault is responsive to the monitoring module;The monitoring module, sends when the safe torque monitoring module is received Complete vehicle fault response, then trigger the main control module and reset.
9. the whole vehicle functions safety monitoring system according to any one of claim 1 to 8, it is characterised in that
The acceleration signal source, come from external third-parties electronic controller signal, outside independent acceleration transducer or Acceleration hardware chip.
CN201510003348.0A 2015-01-05 2015-01-05 Whole vehicle functional safety monitoring system Active CN104590243B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510003348.0A CN104590243B (en) 2015-01-05 2015-01-05 Whole vehicle functional safety monitoring system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510003348.0A CN104590243B (en) 2015-01-05 2015-01-05 Whole vehicle functional safety monitoring system

Publications (2)

Publication Number Publication Date
CN104590243A CN104590243A (en) 2015-05-06
CN104590243B true CN104590243B (en) 2017-03-22

Family

ID=53116406

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510003348.0A Active CN104590243B (en) 2015-01-05 2015-01-05 Whole vehicle functional safety monitoring system

Country Status (1)

Country Link
CN (1) CN104590243B (en)

Families Citing this family (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106379322A (en) * 2015-07-23 2017-02-08 冯春魁 Method and system integrating data measurement and calculation, monitoring, surveillance and processing of automobile
CN105573209A (en) * 2015-12-30 2016-05-11 惠州市德赛西威汽车电子股份有限公司 Function module monitoring and resetting method in vehicle electronic system
CN105774591B (en) * 2016-04-07 2018-05-08 浙江瀚广新能源科技有限公司 A kind of electrombile control method, device, system and electric car
CN107264518B (en) * 2017-06-14 2021-07-30 北京新能源汽车股份有限公司 Safety monitoring method and device based on hybrid vehicle
CN109969190B (en) * 2017-12-28 2020-09-18 宝沃汽车(中国)有限公司 Vehicle control method and system and vehicle
CN108749648A (en) * 2018-08-03 2018-11-06 深圳市大地和电气股份有限公司 A kind of electric machine control system and method reducing functional safety grade
CN109130886B (en) * 2018-09-11 2023-06-06 深圳市大地和电气股份有限公司 System and method for reducing ASIL (automatic service instruction level) level of motor controller
CN109027217B (en) * 2018-09-27 2020-04-07 重庆长安汽车股份有限公司 Gear shifting control method and device of double-clutch transmission and automobile
CN112537206A (en) * 2019-09-20 2021-03-23 广州汽车集团股份有限公司 New energy automobile torque monitoring method and system
CN111267868B (en) * 2020-03-30 2021-09-07 郑州精益达汽车零部件有限公司 Motor controller optimization design method meeting passenger car function safety
CN111674265B (en) * 2020-05-21 2023-05-23 中国汽车技术研究中心有限公司 Braking energy monitoring device and method for electric automatic driving automobile
CN112319238A (en) * 2020-11-17 2021-02-05 睿驰电装(大连)电动系统有限公司 Electric vehicle torque monitoring method and device and electric vehicle
CN112622637B (en) * 2020-12-28 2022-08-09 长城汽车股份有限公司 Vehicle torque control method, device, medium and vehicle
CN113859352A (en) * 2021-02-08 2021-12-31 联创汽车电子有限公司 EPS monitoring system
CN112918276A (en) * 2021-03-29 2021-06-08 东风汽车集团股份有限公司 Pure electric power assembly control method, device, equipment and storage medium
CN113954631B (en) * 2021-10-26 2023-10-20 华人运通(江苏)技术有限公司 Vehicle safe driving control method, device, equipment and medium

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101066674B (en) * 2007-02-09 2013-11-06 联合汽车电子有限公司 Architecture and system of safe torque monitor for mixed power automobile
DE102011075609A1 (en) * 2011-05-10 2012-11-15 Bayerische Motoren Werke Aktiengesellschaft Acceleration-based safety monitoring of a drive of a motor vehicle
CN102774375B (en) * 2011-05-12 2015-07-15 上海汽车集团股份有限公司 Torque monitoring system of hybrid power automobile
JP5970880B2 (en) * 2012-03-15 2016-08-17 オムロン株式会社 Power source control device

Also Published As

Publication number Publication date
CN104590243A (en) 2015-05-06

Similar Documents

Publication Publication Date Title
CN104590243B (en) Whole vehicle functional safety monitoring system
CN104590267B (en) The torque safety control method of new-energy automobile
US9944280B2 (en) Vehicle control system
CN104691555B (en) Whole vehicle functions safety monitoring system
CN109895787A (en) A kind of control method and control device of vehicle drive
CN101596901A (en) A kind of safety monitoring system of electronlmobil and method for supervising thereof
CN109484392A (en) A kind of integrated method for diagnosing faults of distributed hybrid power system of more wheels
CN103248281A (en) Electric automobile overspeed protection control method and system and electric automobile
CN109849933A (en) Determine method, apparatus, vehicle and the readable storage medium storing program for executing of operator demand's torque
CN107487323A (en) A kind of control method of electric vehicle cruise system
CN106476654A (en) A kind of failure self diagnosis and self-shield device with pedal and control method
CN107918377A (en) Pedal method for diagnosing faults based on entire car controller
CN106274550A (en) A kind of pure electric vehicle safe driving control method
CN106627443B (en) A kind of T BOX protecting information safety methods based on vehicle feature safe class
CN101624053A (en) Plug-in hybrid-power automobile shift signal safety controlling method
CN109353217A (en) A kind of traffic safety control method, apparatus and system
WO2021012474A1 (en) Vehicle control system and control method for electric airline catering truck
CN105711425B (en) A kind of vehicle drive control method and its system
CN110562047B (en) Redundant torque monitoring system based on master-slave hardware architecture
CN107336638B (en) The method and system for preventing electric vehicle from exceeding the speed limit
WO2023125127A1 (en) New energy vehicle safety protection method and apparatus, vehicle and storage medium
CN102947119A (en) Method of operating a motor vehicle transmission system
US9079577B2 (en) Method of operating a transmission system of an automotive vehicle of the four-wheel drive type comprising a means of mechanically coupling the first and second axles
US11535272B2 (en) Vehicle system for autonomous control in response to abnormality
CN114347803A (en) New energy vehicle torque safety monitoring and processing method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant