DE102013007857B4 - Method for operating a braking system in fully automatic driving and motor vehicles - Google Patents

Abstract

Method for operating a brake system (4) in a motor vehicle (1) having a driver assistance system (2) designed for fully automatic, independent vehicle guidance, characterized in that in an error-free operating phase of the brake system (4) a safe state of the motor vehicle, including the standstill of the motor vehicle, is maintained Motor vehicle (1) bringing about braking measures in a chronological sequence of action plan as a function of operating parameters, comprising at least one ego parameter describing the current operating state of the motor vehicle (1) and/or at least one environmental parameter describing the environment of the motor vehicle (1), determined and constantly based on current operating parameters is updated, the current action plan being stored in a storage means (10), and that an emergency module (19) when an error occurs in the brake system (4) the motor vehicle (1) using the current action plan ns is brought into the safe state, the action plan being stored and/or used in an additional control unit (9) that is independent of a control unit (7) that implements the functions of the braking system (4).

Description

The invention relates to a method for operating a brake system in a motor vehicle having a driver assistance system designed for fully automatic, independent vehicle guidance. In addition, the invention relates to a motor vehicle.

Brake systems in modern motor vehicles combine a large number of functions so that their design is becoming increasingly complex. Examples of control functions commonly applied to braking systems are electronic brake force distribution (EBV), anti-lock braking systems (ABS) and electronic stability control (ESC), all of which make braking safer and more comfortable. The control of the operation of modern brake systems is therefore usually organized in such a way that, for example, electronic stability control is provided as a superordinate control function, with ABS controllers and/or EBV controllers being provided subordinately. Overall, the controller structure of a brake system today is based on a large number of sensor signals, signals from other vehicle systems, plausibility checks, distributions and control loops for vehicle movement as well as for wheel and engine control, resulting in an extremely complex interaction.

Accordingly, such modern braking systems are designed in such a way that they switch to a safe system state in the event of a fault. This means that modern braking systems are often implemented as so-called "failsafe" braking systems. Fallback levels are defined, some of which can still be electronic, but are often mechanical and/or hydraulic. If a safety-relevant error occurs in the electronics that control the brake system, vehicle safety is guaranteed by deactivating the electronic components while resorting to the mechanical and hydraulic components, which means that at least the driver's mechanical intervention via the brake pedal is guaranteed as a fallback level.

More complex structures of fail-safe braking systems are also known, in which sub-controllers still remain active and the like. It is possible, for example, that in the event of a fault, for example if the electronic stability control as the driving dynamics control system fails, the driver initially does not feel any immediate impairment of the driving characteristics after the ABS controller and the EBV controller are still active. Even if the ABS controller fails, the basic function of the braking system, namely stable braking with brake force distribution, is still available. In this embodiment, starting from the full ESC system, there are a number of fallback levels, namely, for example, in the event of a signal error, an on-board electrical system fault, a plausibility error or a communication error, the activation of an ABS fallback level is the first step, whereby if a signal fault in the speed sensors and/or there is a voltage dip below 7V, it is possible to fall back to an EBV fallback level. If even this is no longer operable, the mechanical penetration still exists.

Such failsafe fallback level concepts, or failsafe braking systems as a whole, are designed in such a way that the driver is “in the loop”, ie is entrusted with the driving task and is driving the motor vehicle.

Research activity on fully automated driver assistance systems designed for independent vehicle control has recently increased. The fail-operational brake described here cannot be applied to such systems, since it assumes that the driver has the attention and responsibility for driving while the braking system is in operation. If, for example, in a fully automated driver assistance system there is a communication failure between the control unit requesting a braking deceleration and the control unit that implements the braking deceleration and thus controls the operation of the braking system, the desired braking deceleration could not be maintained, and the driver, who was distracted by other activities during fully automated driving, could also be prevented can be, can not take over the vehicle guidance again at short notice in the event of a detected and communicated error. A big difference between a safety concept for non- or partially automated driver assistance system functions and fully automated driver assistance system functions is the time reserve until the driver should take over driving again completely. In the case of partially automated driver assistance systems, such as ACC systems and the like, the driving task is not handed over by the driver, which means that the driver is still responsible for driving the vehicle and should be "in the loop" so that driving operation can be completely taken over at any time by the driver the driver should be able to be implemented.

Such permanent monitoring is no longer necessary for fully automated driver assistance systems designed for independent vehicle control, so that it can take a long time before the driver can actually perform the driving task himself again. Therefore, additional precautions are required to largely ensure the safety of the motor vehicle as soon as a system limit and/or a system failure, summarized as an error, occurs during operation of the braking system.

DE 10 2005 036 827 A1 relates to a safety system of a regulated electromechanical vehicle brake equipment, with a central controller generating control commands in cycles and outputting wheel controllers of the wheel brakes assigned to one wheel in each case. For a future cycle, the measures to be taken for at least one of the wheel brakes in the event of a defect are determined and a corresponding message is sent to the electronic wheel control assigned to this wheel brake. A central control body should give the local control bodies case-related instructions for error handling, which are tailored to the overall vehicle condition in order to solve problems at the local level. This is intended to achieve a kind of quasi-autonomous treatment and management of emergencies, with the wheel brakes still being allowed to be activated, which is beneficial overall to the stability of the motor vehicle, even in the event of a fault.

The Post-Released DE 10 2012 217 002 A1 relates to a method for operating a motor vehicle in automated driving mode, with a safety area being determined into which the motor vehicle is guided when automated driving mode is no longer ensured.

EP 2 314 490 A1 relates to a method for controlling the operation of a fully automatic driver assistance system of a motor vehicle designed for independent vehicle guidance, and to a motor vehicle. The problem presented is that the driver is provided as a fallback level in fully automatic driver assistance systems designed for independent vehicle control, but is not always able to react quickly enough in an adequate manner. In order to ensure improved safety when the driver is no longer available as a fallback level, it is proposed to no longer just issue a driver takeover request, but to expand this concept into an action plan that contains driving interventions that the motor vehicle can use even if the driver is not ready to take over the driver and as a Fallback level is eliminated, in a safe state, so particularly preferably the standstill of the motor vehicle, can transfer, so that another fallback level is created.

The invention is therefore based on the object of specifying a method for operating a braking system which, even when the vehicle is being driven independently by a fully automated driver assistance system, makes it possible to ensure that the motor vehicle is in a safe state within a sufficient time reserve.

In order to achieve this object, a method of the type mentioned at the outset provides that, in a fault-free operating phase of the brake system, an action plan that brings about a safe state of the motor vehicle, including the standstill of the motor vehicle, and includes braking measures in a time sequence, as a function of operating parameters, including at least one ego parameters describing the current operating state of the motor vehicle and/or at least one environmental parameter describing the surroundings of the motor vehicle is determined and constantly updated using current operating parameters, with the current action plan being stored in a storage medium, and that by an emergency module if a fault occurs in the brake system the motor vehicle is brought into the safe state using the current action plan, the storage and/or use of the action plan in one of the functions n of the braking system realizing control unit independent additional control unit.

The term "fault in the brake system" is to be understood broadly here, because it includes all faults that severely impair or completely exclude the normal operation of the brake system, which can also be present outside of the brake system, for example in the event of a failure of a communication link, the fully automatic driver assistance system or a failure of electrical energy. The method is carried out by one or more control units of a motor vehicle or by control devices in general.

The basic idea of the present invention is therefore to define a safe state, for example when the motor vehicle is stationary in the lane currently being traveled on or in an adjacent lane, for example an emergency lane. Based on the current operating state of the motor vehicle, described by the operating parameters, an action plan comprising braking measures and therefore desired braking decelerations can be determined, which brings about this safe state, possibly taking into account further boundary conditions. A braking profile is therefore generated as an action plan during error-free operation and is constantly kept up to date, with the action plan then being used in the event of an error. For the maximum possible time, the state of the motor vehicle and the environment was therefore taken into account, so that, for example, also by the brake, which will be discussed in more detail below system and/or a longitudinal system, steering interventions implemented in a timely manner can be present in the action plan, for example if the lane currently being traveled is to be kept. If, for example, the motor vehicle is brought to a standstill in the lane currently being traveled as a safe state, this means that when the action plan is executed, the motor vehicle automatically performs the driving maneuver “decelerate to a standstill in the lane currently being traveled”. The usual operation of the braking system is thus replaced by the implementation of the action plan, which is therefore advantageously stored in an independent, dedicated storage medium. The braking commands contained in the action plan are generated adapted to the current situation of the motor vehicle and lead to the safest possible result, which provides a time reserve in which the driver can then take over the task of driving again. The action plan allows the motor vehicle to be brought into a safe state without intervention by the driver. For typical error cases in which the usual implementation of a deceleration request generated by the driver assistance system is no longer possible, for example signal errors, plausibility errors or communication errors, a fallback level can thus be created even though the actual control function, for example electronic stability control, is no longer available the braking system is used, the motor vehicle is brought into a safe state.

This implementation of an emergency brake control ultimately replacing the usual brake control based on the action plan can be achieved particularly advantageously since the action plan is stored and/or used in an additional control unit that is independent of a control unit that implements the functions of the brake system. This means that the braking system is no longer controlled by the control unit responsible in the error-free operating phase, which is no longer suitable for carrying out its task due to the error, but is taken over by the additional control unit, which is solely responsible for storing and using the action plan and is functionally independent of the control unit responsible in the error-free operating phase. However, it should be pointed out that it is quite possible that subfunctions of the control unit responsible in the error-free operating phase that are still available can certainly be addressed by the additional control unit, which will be discussed in more detail below. In this way, there is an additional control unit that is independent of the functionality of the control unit that is actually responsible and that can still execute the action plan, so that the motor vehicle is brought into a safe state. For example, if the control unit responsible in the error-free operating phase generally fulfills the function of an electronic stability control, the conversion control unit can be understood as a kind of ESC add-on.

It is particularly expedient here if an additional control unit installed in a control device, in particular an ESC control device, is used for the brake system. In other words, the control unit, which is already responsible for controlling the brake system, is expanded to include the additional unit, which is therefore also located in close proximity to the interfaces and the like that may need to be addressed, and is therefore ideally largely independent of longer, error-prone communication links. The additional control unit is integrated into the existing infrastructure. The control unit that implements the functions of the brake system and the additional control unit are therefore integrated in the control unit, in particular the ESC control unit. It should be pointed out that it is of course also conceivable to integrate the additional control unit into other control devices or even to provide it as a separate structural unit.

It is also particularly advantageous if the additional control unit, at least when using the action plan, is supplied with an energy source that is assigned only to the additional control unit. It is also a possible error that the electrical energy supply of the motor vehicle fails, so that it can be extremely useful if the additional control unit, which implements the emergency module, can nevertheless remain active. Even in the event of a complete failure of the electrical energy supply, the driver is therefore provided with a time reserve until he can take over control himself, for example for the mechanical intervention that is still present, with the safety of the motor vehicle being maintained as far as possible, since the situation-appropriate, previously constantly updated action plan is followed and can also be followed due to the independent energy supply of the additional control unit.

As already indicated, it is also extremely expedient if the additional control unit that implements the emergency module uses an interface that is also addressed by the control unit that implements the functions of the brake system for the output of manipulated variables to components of the brake system to implement the action plan. This not only means that the specified output format for manipulated variables, i.e. control parameters, which is used in error-free operation, is also realized by the additional control unit, but also that hardware components that implement this interface are also addressed by both control units. This results in a simplified realization.

The additional control unit that implements the emergency module can also, generally speaking, be implemented cost-effectively, since it only requires the addition of standard components, particularly in a control unit that is assigned to the brake system anyway. A storage device and a computing device that accesses it, in particular a microprocessor, can already be sufficient, in which case the energy source assigned to the additional control unit, for example a battery, can also be installed.

In common system architectures, a deceleration request for the braking system is provided by vehicle systems that are “deciders” in their role. In the present case, the fully automatic driver assistance system designed for independent vehicle guidance provides the specification, which is then implemented in the braking system, in particular in the control unit used during the error-free operating phase, in order to implement the other functionalities, in particular ESC, ABS and EBV. This means that the fully automatic driver assistance system evaluates operating parameters anyway, in particular the operating parameters used to determine the action plan. It is therefore expedient if the action plan is determined and updated by the driver assistance system. If a control unit and the additional control unit that implements the emergency module are expediently implemented in a control unit, both the current action plan and the deceleration requirements necessary for the operation of the driver assistance system are sent to the control unit.

In a further embodiment of the invention, at least one safety criterion related to the safety of the motor vehicle and/or at least one other road user and/or at least one requirement criterion describing further requirements can be taken into account for determining and updating the action plan. For example, if the safe state was defined as "standstill in the lane currently being traveled on", it is useful to determine the action plan in such a way that on the one hand the safety of one's own vehicle and that of the other vehicles in the vicinity is given, but other boundary conditions or Requirements, for example with regard to an indication effect on the driver, have to be taken into account. For example, it is conceivable to provide a type of cascaded braking as an action plan, with, for example, a rather weak braking being initially provided for a certain period of time, for example two seconds, which then slowly increases for further periods of time until standstill is reached. In this way, on the one hand, there is no sudden, heavy braking, which increases the safety of the driver and avoids surprising other road users, and on the other hand, the driver is gently informed that there is a fault when the motor vehicle starts to accelerate brake. In order to be able to determine such concrete action plans, the security and/or requirement criteria are provided according to the invention. Safety and/or requirement criteria can also relate to the performance of the braking system. If the action plan was determined by the driver assistance system based on a currently desired speed of the motor vehicle, a request criterion can, for example, relate to the fact that the average braking deceleration can also be implemented by the braking system depending on the definition of the safe state. Requirements can also serve to meet legal requirements, so that a requirement criterion can provide, for example, that the maximum brake pressure build-up time must meet the legal requirements. These examples show that the determination of the action plan can be parameterized in various ways or provided with boundary conditions, so that the highest possible level of security and the executability of the action plan can be guaranteed, with requirement criteria of course also being able to focus on the comfort of the driver.

In this context, it can be expedient if at least one safety criterion and/or requirement criterion is checked again and/or at least one additional criterion, in particular a maximum permissible braking deceleration, is checked by the emergency module. A kind of plausibility check can therefore take place in the emergency module, which can also be followed by a check against generally applicable global limit values, for example for the braking deceleration. In particular, subsystems of the brake system are known that cannot provide the full braking power, for example in the case of brake components that control individual wheels. Such things can (particularly additionally) also be checked (particularly again) as part of the use of the action plan.

A particularly advantageous development of the method according to the invention provides that the action plan contains at least one steering measure to be implemented by wheel-selective braking and/or a steering system. It is preferred to implement steering measures by wheel-selective braking, after which no dependency Availability of an electrically driven steering system, which can also be affected by the error, is necessary. However, such a process can of course also be included in the method according to the invention. The impressing of steering torques in the movement of a motor vehicle by wheel-selective braking is already known in the prior art and need not be explained in detail here. However, such a functionality can be used particularly advantageously in the context of the present invention, so that a directional correction, for example to keep a lane currently being traveled on or to change to an adjacent lane, for example a hard shoulder, can be generated by the braking system itself by Wheel-selective or side-specific braking interventions can be implemented via the components of the braking system.

As already indicated, it is expedient if the steering measures are determined as a function of a further course of a lane in which the motor vehicle is driving, which is described by environmental data. This again clearly shows how advantageous it is to keep the action plan constantly up to date, since in this way it can be avoided, for example, that the motor vehicle leaves the current lane or even a target lane, for example a hard shoulder, when changing to the safe state not reached.

The emergency module can be implemented using suitable sub-functions. In a particularly advantageous embodiment, it can be provided that the emergency module detects an error in a diagnostic subfunction and/or in an action plan management subfunction of the emergency module at least one execution parameter that determines the specific execution of the action plan is determined and/or in an implementation subfunction from the braking measures of the action plan to be used as output parameters of the emergency module control parameters for at least one brake component of the brake system are determined. Consequently, the emergency module can be expediently subdivided into sub-functions, which can also be referred to as sub-modules and can be implemented using different hardware and/or software components that support specific specific functionalities.

A diagnostic sub-function can first be provided, which is necessary for determining whether an error is present. An action plan management subfunction can only be called if there is an error, which applies in particular, which will be discussed in more detail below, if the specific execution of the action plan is to be defined more precisely by further execution parameters. Finally, a conversion sub-function can be provided, which converts the braking measures that may still be abstractly present in the action plan into corresponding output parameters that can be used, for example, for interfaces for controlling the brake components of the brake system. The diagnosis sub-function can also be used as part of a plausibility check, which means it can be checked, for example by exchanging data with the brake module, whether the activation of the emergency module was correct. Overall, this results in an easily maintainable overall structure of the emergency module.

In a particularly preferred embodiment, it can be provided that an error type of the present error is determined in the diagnosis sub-function, whereupon the action plan management sub-function selects one of several variants of the action plan contained in the action plan and/or adapts the action plan and/or depending on the error type selects an output destination for output parameters to be output. The basic idea here is that if the type of error that has occurred is known, the action plan or the operation of the emergency module can also be adapted to the type of error and thus the best possible implementation of the action plan is realized. This is explained in more detail using examples.

It can be provided that, if a failure of an input data for a brake module that controls the operation of the brake system in the error-free operating phase and/or a communication link to the brake module is detected as an error, a subfunction of the brake module downstream of the signal processing is selected as the output destination, with in particular the output parameters are determined and output directly by the action plan management sub-function. If an error is therefore not in the brake module itself, for example, the functions of which can be implemented in the control unit that controls the operation of the brake system during the error-free operating phase, subfunctions of the brake module could still be used advantageously as long as it is supplied with suitable data. If, for example, a communication connection usually delivers desired braking decelerations from the driver assistance system, these braking decelerations can alternatively also be delivered by the emergency module using the action plan, in which case it is expedient no longer necessary to convert them into control parameters, but instead the braking deceleration of the action plan must be sent directly to a corresponding signal processing downstream sub-function of the brake module can be supplied, which can then advantageously still perform its other functions. In another embodiment, it is also conceivable to store sensor data in the action plan, so that the last sensor data available when the action plan was determined are available there and can also be forwarded to the brake module if necessary. Thus, despite a communication failure or sensor failure, a large part of the usual functions of the brake system are still available and can be used, only with a changed data source, since corresponding input data are now made available by the emergency module. It should also be noted at this point that with every system drop or every system limit of the fully automatic driver assistance system designed for independent vehicle guidance, such an error can be generated for the brake system, which then also triggers the consequences mentioned here, after the driver assistance system as a source of braking deceleration is omitted and can be replaced by the emergency module.

Another expedient exemplary embodiment, which can of course be used in combination with the aforementioned example, provides that if the failure of the brake module is determined to be an error, an interface that receives output parameters from the brake module and/or at least one brake component of the brake system is selected as the output target, with the Output parameters of the emergency module are determined by the translation subfunction. So if the brake module itself has failed, it is also no longer available as an output target, so that the conversion subfunction can be used here particularly expediently to output the output targets that are appropriate here, i.e. suitable interfaces for receiving control parameters or even the components of the brake system itself, to be controlled accordingly.

As already briefly indicated, there are various options for controlling brake components of a brake system, for example for wheel-selective or at least side-selective braking or for normal braking operation. In some cases, wheel-selective braking only allows lower braking decelerations, but also the possibility of influencing the steering. Consequently, different action plans can be suitable for different control variants, so that different implementation sub-functions can expediently also be provided for these control variants. An advantageous embodiment of the invention provides that a conversion subfunction configured for braking with all wheels and a conversion subfunction for wheel-selective braking are used, the latter also being referred to as a “lateral dynamic interface”.

A further advantageous embodiment of the present invention provides that at least one communication from and to the emergency module takes place via a communication link assigned only to the emergency module. It is therefore expedient to further ensure the functionality of the emergency module to also provide special communication links that are independent of other communication links of the motor vehicle, in particular of a bus system of the motor vehicle, and can therefore also be used if the usual communication system of the motor vehicle fails. These are expediently suitable not only for the emergency module to be able to receive data, but in particular also for ensuring that the emergency module can actuate the brake components of the brake system. Consequently, independent communication devices for the transmission of data are assigned to the emergency module.

In addition to the method, the present invention also relates to a motor vehicle, comprising a brake system and at least one control device designed to operate the brake system, which is designed to carry out the method according to the invention. All statements regarding the method according to the invention can be transferred analogously to the motor vehicle according to the invention, with which the advantages mentioned can therefore also be obtained. In particular, the control device can therefore be formed by at least one control device that correspondingly executes the steps of the method according to the invention. It is particularly advantageous if, as described, the motor vehicle includes a brake control unit which has two functional units, namely a control unit to be used in the error-free operating phase to operate the brake system, assigned to the brake module and an additional control unit, which is the emergency module realized. The additional control unit is advantageously assigned an energy source which feeds the additional control unit if the other electrical energy supply of the motor vehicle fails.

• 1 eine Prinzipskizze eines erfindungsgemäßen Kraftfahrzeugs,
• 2 einen Ablaufplan des erfindungsgemäßen Verfahrens, und
• 3 eine Zeichnung zur Wechselwirkung der Funktionskomponenten und Module der vorliegenden Erfindung.

Further advantages and details of the present invention result from the exemplary embodiments described below and from the drawing. show:

• 1 a schematic diagram of a motor vehicle according to the invention,
• 2 a flow chart of the method according to the invention, and
• 3 a drawing of the interaction of the functional components and modules of the present invention.

1 shows a schematic diagram of a motor vehicle 1 according to the invention. The motor vehicle 1 has a fully automatic driver assistance system 2 designed for independent vehicle guidance, in which operating parameters of the motor vehicle are evaluated in a control unit 3 in order to generate corresponding requirement data for other vehicle systems, here a steering system not shown in detail to generate not shown engine control system and a braking system 4, which allow the fully automatic operation of the motor vehicle 1. For example, a braking deceleration request is sent to the brake system 4 or its control unit 5 via a vehicle bus 6, for example a CAN bus, as a communication link.

The driver assistance system processes sensor data from various sensors and data from other vehicle systems as input data, which describe the operating state of the motor vehicle (ego parameters) and/or describe the surroundings of motor vehicle 1 (environmental parameters). Fully automatic driver assistance systems designed for independent vehicle guidance have already been proposed in the prior art and will not be described in detail here.

The braking deceleration request sent by the driver assistance system 2 is received by a control unit 7 of the brake control unit 5, where it is used in error-free operation to control various brake components 8 of the brake system 4, which are not specified here in more detail, via corresponding control parameters (manipulated variables) while implementing various functions. All of the functions/sub-functions with which the brake system 4 is operated in error-free operating phases should be referred to collectively below as the brake module, which means that the control unit 7 implements the sub-functions of the brake module.

An exemplary structure of the brake system 4 or its operating levels is explained briefly below. The brake module, which is implemented by the control unit 7, can have a sub-function for signal processing, in which the received data are processed accordingly. From this, an adaptation function determines setpoint values for the vehicle movement, possibly modified on the basis of transmitted data, for example taking into account the yaw rate, the sideslip angle and the like. The central content of the brake module is a regulation for the vehicle movement itself, from which the specific control parameters emerge, which can then be output via an interface to downstream control circuits not contained in the control unit 7 . Such downstream controllers can be, for example, a brake slip controller and a drive slip controller, which are implemented using their own hardware and/or software components. A setpoint value for the brake slip and setpoint values for the drive slip and the locking torque are forwarded accordingly to the brake slip control or the drive slip control. Subordinate to this are the actually executing components, for example a hydraulic and force model, from which the actual control values for valves, pumps and other brake components 8 are then generated, whereby it should be pointed out that the engine torque of the in 1 the drive motor of the motor vehicle 1, which is not shown in detail for the sake of clarity. Various functions can thus be implemented, with the brake system 4 being fully functional, ie in error-free operation, first the function of the electronic stability control (ESC).

If certain faults now occur, it is known in principle to downgrade the operation of the brake system 4 in stages via certain fallback levels (“ESC degradation”). If, for example, there are signal errors, vehicle electrical system errors, plausibility errors or communication errors, the full ESC system downgrades to an ABS fallback level that still provides the functions of the anti-lock braking system (ABS) and electronic brake force distribution (EBV). If there is also a signal error in the speed sensors or a voltage drop below 7V, the next fallback level is the EBV fallback level, in which only the electronic brake force distribution is made available. Other errors lead to the fact that only the mechanical fallback level still exists, which means that the brakes are actuated solely because of the mechanics actuated by the driver.

However, if the driver assistance system 3 is now active, the driver is no longer immediately available as a fallback level, since he does not necessarily devote his attention to the driving task, so that the driver should be given a time window within which the motor vehicle 1 should continue to be operated safely. despite this, the full functionality of the brake system 4 or the vehicle systems supplying this input data is no longer given. For this purpose, it is provided here that the motor vehicle 1 can be brought to a standstill on its own in a safe and comfortable manner lane or an adjacent hard shoulder.

In order to achieve this as independently as possible of the faults that may occur, it is now initially provided that the control unit 3 is designed to determine an action plan comprising braking measures in a time sequence (delay profile) in a fault-free operating phase of the brake system 4 . This action plan, when implemented, brings about the safe state of the motor vehicle 1 . It is determined as a function of at least some of the operating parameters mentioned, including the ego parameters and the environmental parameters, and is then constantly kept up to date, for example adapted to the current situation of the motor vehicle 1 at certain time intervals. The respective current action plan is transmitted via the vehicle bus 6 or a dedicated communication connection to the control unit 5, specifically an additional control unit 9 there, which implements the function of an emergency module. The current action plan is stored in a memory 10 in the control unit 9 .

If an error occurs, the emergency module at least partially takes over the control tasks of the brake module described above, whereby, in order to implement this even in the event of a failure of an electrical energy supply of the motor vehicle 1, the additional control unit 9 (and only this) is assigned an electrical energy source 11 . When an error occurs, the emergency module controls the braking system 4 using the current action plan stored in the storage means 10 in such a way that the motor vehicle 1 is brought into the safe state.

Consequently, control unit 3 and control unit 5 form a control device that implements the method according to the invention.

A specific embodiment of the method according to the invention will now be described with the aid of the 2 and 3 be explained in more detail.

2 shows a schematic flow chart of the method according to the invention. The curly brackets 12 symbolize the error-free operating phase, the curly brackets 13 the error case.

In a step 14, the action plan is determined or updated, for which purpose the operating parameters provided for this are taken into account. In addition to the operating parameters, safety criteria and requirement criteria are also included in the determination of the action plan, so that ultimately a driving maneuver is described by the action plan that satisfies safety-related and other requirements, which can be, for example, the performance of the braking system 4, comfort requirements and legal requirements Art brings about the standstill of the motor vehicle 1, being turned off by observing the operating parameters on the current situation of the motor vehicle 1. It should be noted that, in addition to the braking measures (and/or described by braking measures), the action plan can also include steering measures that can be carried out either by the braking system 4 itself or by controlling a steering system, for example if during the transition to safe State the current lane of the motor vehicle is to be kept or to another lane, such as an emergency lane, is to be steered, it being preferred according to the invention to dispense with the control of a steering system, since this could also be affected by the or an error. After the emergency module has been implemented in the brake control unit 5, it is ultimately already “on site” in order to control the brake components 8.

The precise determination of such an action plan is not described here, since a large number of variants and procedures for determining such a driving maneuver are known in the prior art, which will not be discussed in any more detail here.

The action plan that is obtained as a result, for example cascading braking in the current lane, is transmitted in its updated version in a step 15 to the additional control unit 9 and stored in the storage means 10 after it has been sent by the control unit 3 of the driver assistance system 2 was determined. If the normal, error-free operating phase according to the curly brackets 12 continues, schematically indicated check in step 16, the action plan is further updated and the current action plan is sent.

However, if an error occurs, the emergency module becomes active in a step 17 and executes the action plan from the storage means 10 .

This and the existing options should go through 3 be explained in more detail.

In doing so 3 represents a purely function-related representation, with, as already indicated, sub-functions of the brake module 10 being implemented in the control unit 7, sub-functions of the emergency module 19 within the additional control unit 9.

The emergency module 19 now initially has a diagnostic sub-function 20, which is ultimately about monitors whether there is an error that affects the functionality of the brake system 4, and if so, also determines an error type, which is then forwarded to an action plan management subfunction 21. The action plan management sub-function has access to the error type and the action plan in the storage means 10, which was received from the control unit 3 according to the arrow 22, and now determines certain execution parameters that describe how the emergency module 19 actually uses the action plan for the error type that is now present implements.

It should first be pointed out that the action plan can contain several variants that are assigned to different error types in order to be able to react adequately to different errors, the action plan management sub-function then selecting the variant corresponding to the error type. An adjustment of the action plan is also conceivable if it is only available in one variant, depending on the type of error. For example, a distinction can be made as to whether a steering system of motor vehicle 1 can still be controlled, with a variant that also contains steering measures for the steering system being discarded if the steering system is no longer available, for example in the event of a complete failure of the electrical energy supply of the motor vehicle 1.

On the other hand, the action plan management sub-function 21 also selects the specific modus operandi of the emergency module 19, here the output target and the form of the output parameters which the emergency module 19 generates. If, for example, there is an error that only denies the brake module 18 the necessary input data, for example a failure of the driver assistance system 2 or the communication link, here the vehicle bus 6, the output target can be a sub-function 23 of the brake module 18, which is subordinate to a signal processing sub-function 24 of the brake module 18 . In this case, exactly the input parameters can be supplied to subfunction 23 as output parameters, here directly from action plan management subfunction 21, see arrow 25, for example a braking deceleration request, which signal processing subfunction 24 would otherwise have supplied. In this way, most of the advantageous functions of the brake module 18, in particular the electronic stability control to a large extent, are retained.

However, if the error relates to a complete failure of the brake module 18 (i.e. specifically the control unit 7), a conversion sub-function 26 of the emergency module 19 is used to derive control parameters from the action plan as output parameters, the format of which corresponds to the output values of the brake module 18 and to one of the brake module 18 downstream controller circuit 27 are given via a corresponding interface, arrow 28. In principle, this can be the utilization of the ABS fallback level described above or the EBV fallback level described above, which are still available. The output parameters of the emergency module 19 are thus delivered to the uppermost still functional component of the corresponding fallback level, it being pointed out that in the case of more serious failures it is also possible to directly control the brake components 8 of the brake system, arrow 29. Corresponding output destinations and the format of the output parameters are selected by the action plan management subfunction 21. The conversion subfunction is used accordingly.

In this case, the conversion sub-function 26 is designed in such a way that it determines the output parameters for a wheel-selective control, which means that a braking process can be carried out wheel- or side-selectively in order to impose a steering torque on the motor vehicle, which can serve to change the lane currently being traveled on to stop or to change to an adjacent lane, for example an emergency lane. Appropriate measures are then already included in the action plan. However, after the maximum braking deceleration is reduced in such a wheel-selective braking control, it can be provided in other exemplary embodiments of the present invention that a further conversion sub-function is implemented for complete braking with all wheels.

It should also be noted at this point, which is not shown in more detail here in the figures, that separate communication devices can also be provided for the control unit 9 that implements the emergency module 19, for example separate lines to components to which the output parameters can be forwarded, but also one own communication connections to other vehicle systems, for example the driver assistance system 2, if communication should still be possible even if the vehicle bus 6 fails. This is a further safeguard.

Claims (13)

Method for operating a brake system (4) in a motor vehicle (1) having a driver assistance system (2) designed for fully automatic, independent vehicle guidance, characterized in that in a fault-free operating phase of the brake system (4) a standstill of the motor vehicle vehicle (1) that brings about a safe state of the motor vehicle (1), braking measures in a chronological sequence as a function of operating parameters, comprising at least one ego parameter describing the current operating state of the motor vehicle (1) and/or at least one environmental parameter describing the environment of the motor vehicle (1). , is determined and constantly updated based on current operating parameters, with the current action plan being stored in a storage medium (10), and that an emergency module (19) triggers the motor vehicle (1) when a fault occurs in the brake system (4) using the current action plan is brought into the safe state, the action plan being stored and/or used in a control unit (7) that is independent of a control unit (7) that implements the functions of the braking system (4). procedure after claim 1 , characterized in that an additional control unit (9) installed in a control unit (5), in particular an ESC control unit (5), for the braking system (4) is used and/or the additional control unit (9), at least when using the action plan, is supplied with an energy source (11) assigned only to the additional control unit (9). procedure after claim 1 or 2 , characterized in that the additional control unit (9) uses an interface, which is also addressed by the control unit (7) that implements the functions of the brake system (4), for the output of manipulated variables for the implementation of the action plan. Method according to one of the preceding claims, characterized in that the action plan is determined and updated by the driver assistance system (2) and/or at least one related to the safety of the motor vehicle (1) and/or at least one other road user to determine and update the action plan Safety criterion and/or at least one requirement criterion that describes further requirements can be taken into account procedure after claim 4 , characterized in that at least one safety criterion and/or requirement criterion is checked again by the emergency module (19) and/or at least one additional criterion, in particular a maximum permissible braking deceleration. Method according to one of the preceding claims, characterized in that the action plan contains at least one steering measure to be implemented by wheel-selective braking and/or a steering system. procedure after claim 6 , characterized in that the steering measure is determined as a function of a further course of a lane traveled in by the motor vehicle (1) described by environmental data. Method according to one of the preceding claims, characterized in that an error is detected by the emergency module (19) in a diagnosis sub-function (20) and/or in an action plan management sub-function (21) of the emergency module (19) at least one the specific execution of the action plan determining execution parameter is determined and/or control parameters to be used as output parameters of the emergency module (19) for at least one brake component (8) of the brake system (4) are determined in an implementation sub-function (26) from the braking measures of the action plan. procedure after claim 8 , characterized in that in the diagnosis sub-function (20) an error type of the present error is determined, whereupon the action plan management sub-function (21) selects one of several variants of the action plan contained in the action plan depending on the error type and/or adapts the action plan and/ or selects an output destination for output parameters to be output by the emergency module (19). procedure after claim 9 , characterized in that if a failure of a sensor that supplies input data for a brake module (18) that controls the operation of the brake system (4) in the error-free operating phase and/or a communication connection to the brake module (18) that supplies input data as an error is detected as an output destination, one downstream of the signal processing sub-function (23) of the braking module (18) is selected, in particular the output parameters being determined and output directly by the action plan management sub-function (21), and/or if the failure of the braking module (18) is determined to be an error, an output parameter of the braking module is selected as the output target (18) receiving interface and/or at least one braking component (8) of the braking system (4) is selected, in particular the output parameters of the emergency module (19) being determined by the conversion sub-function (26). Procedure according to one of Claims 8 until 10 , characterized in that a conversion sub-function (26) designed for braking with all wheels and one for wheel-selective braking are used. Method according to one of the preceding claims, characterized in that at least one communication from and to the emergency module (19) takes place via a communication link assigned only to the emergency module (19). Motor vehicle (1) comprising a braking system (4) and at least one control device which is designed to operate the braking system (4) and is designed to carry out a method according to one of the preceding claims.

Images