Patent Application
20110144866
1. Field of the Invention
The present invention relates to a control unit and to a method for triggering passenger protection means.
2. Description of Related Art
From published German patent document DE 10 2004 056 415 A1, an integrated switching circuit is known, which in addition to other functions also evaluates at least one acceleration signal in order to release at least one ignition output stage. This check of the acceleration signals is running parallel to the check of these signals by the microcontroller. This realizes separate evaluation paths. The triggering of the passenger protection means actually takes place only if both the microcontroller and the integrated switching circuit decide on triggering of the passenger-protection means.
In contrast, the control unit according to the present invention and the method according to the present invention for triggering passenger protection means for a vehicle have the advantage that when the sensor signal is made available via the evaluation circuit, e.g., the microcontroller, this sensor signal is linked to a test signal generated outside of the evaluation circuit in order to generate a check signal, and the check signal is then evaluated by the safety controller, i.e., the redundant evaluation. This prevents that in a situation where the microcontroller is in an uncontrolled state and thus also hands over the sensor signals to the safety controller in an uncontrolled manner, this will be detected based on the linkage with the test signal, which originates from outside the microcontroller, so that an evaluation does not take place and faulty triggering of the passenger protection means is thus prevented.
For instance, the linking of the sensor signals via the evaluation circuit may be provided when so-called bus concepts such as the FlexRay are used for transmitting the sensor signals to the control unit. The microcontroller may then include a receiving circuit for the CAN and/or FlexRay, for instance, so that the full computing power of the microcontroller is able to be utilized in the case at hand and the implementation of a receiver in the second signal path having the safety controller may be dispensed with.
In the present case, a control unit is an electrical device which processes at least one sensor signal and generates trigger signals for the passenger protection means, e.g., airbags, belt tighteners, or a crash-active headrest, as a function thereof. The triggering of the passenger protection means denotes the activation of these passenger protection means.
The test signal generator, which is situated outside of the evaluation circuit but inside the control unit, is used for providing the test signal. This test signal may be called up from a memory such as an EEPROM, or be generated with the aid of predefined data. As can be gathered from the dependent claims, the test signal may be a key or some other coding pattern. As the dependent claims reveal, the test signal generator may be provided on the integrated switching circuit which accommodates all kinds of different functions for the control unit, i.e., a system ASIC. A software-based implementation is possible as well in this case.
As already mentioned, the evaluation circuit may be a microcontroller, but any other type of processor may be used as well. Suitable ASICs are likewise an option. In the case of a processor such as a microcontroller, corresponding software will then be required for the function. According to the present invention, the evaluation circuit has an interface for providing the at least one sensor signal. This interface may be implemented as a software module or also as a hardware section. The interface permits the read-in of the sensor data in order to then allow them to be processed further. The useful data are separated from other transmission data.
The sensor signal is usually a signal from an accident sensor system such as an acceleration sensor, an air-pressure sensor, a structure-borne noise sensor system, or an environment sensor system. However, other sensor systems such as deformation sensor system may be used as well. In the case at hand, the sensor signal and also the other signals are of digital nature, but they may also be transmitted in analog manner. More particularly, the sensor signal may be a multiplex or an individual signal.
The evaluation module according to the present invention may be a software module or also a hardware section on the evaluation circuit. It is used for generating a first trigger decision as a function of the at least one sensor signal. In other words, the evaluation module calculates the evaluation algorithm based on the sensor signal. All kinds of different operations may be performed in the process, including advance processing such as an integration of an acceleration signal with subsequent threshold comparisons, and the like.
The logic module, too, may be implemented in hardware and/or software. It is used for linking the at least one sensor signal with the test signal. This linkage is implemented in such a way that the safety controller or elements assigned to it are able to detect on this basis whether the test signal has been corrupted in some manner by the evaluation circuit. This would then be true for the sensor signal as well.
The safety controller normally is hardware which is separate from the evaluation circuit and forms the second trigger decision as a function of the check signal, independently of the evaluation circuit. In this context it is also possible, for instance, that in the case of a multi-core processor, the evaluation circuit is located on one core, and the safety controller on another core. Usually, the safety controller uses a less complex algorithm than the evaluation module. The check signal also may be preprocessed for the evaluation by the safety controller, e.g., by separating it from the test signal again. This simpler algorithm, which requires fewer computing steps than the evaluation algorithm on the evaluation circuit, may be implemented either in the form of hardware or software.
The trigger circuit is a logic which links the first and second trigger decisions, then evaluates the produced result and triggers the corresponding passenger protection means as a function thereof. One simple example is a logical AND operation. However, the logic may be much more complex in order to also infer from the trigger decisions which particular passenger protection means are to be triggered, and when. The triggering normally takes place by triggering power switches such as MOSFETs, whose triggering then causes the activation of the passenger protection means, e.g., by supplying current to firing elements for airbags.
It is advantageous in this context that the test signal generator is configured to provide a key as the test signal. In other words, the test signal is a key with whose aid encoding is possible as it is known from encryption technology, for instance. This key may be stored permanently, or it may be calculated from predefined data. The test signal generator then has its own memory, or accesses a memory, in which the key is stored, e.g., in the form of a datum.
Furthermore, it is advantageous that the linking module is designed as encoder, the encoder encoding the at least one sensor signal with the key into the check signal, and a safety controller is then assigned a decoder for decoding the check signal. In this case the encoder is a module, which carries out the corresponding calculation, i.e., the encryption or encoding, and the decoder is a corresponding processor which rids the sensor signal of the encryption again. The decoder is not part of the evaluation circuit but part of the system ASIC, for example, as indicated below.
Furthermore, it is advantageous that the interface has a redundancy module, which adds redundancy to the at least one sensor signal and is connected to the linking module accordingly. The at least one sensor signal is then provided with redundancy so that a corresponding correction, for example, may take place. A check sum check may be used for this purpose. The sensor signal thus provided with a check sum is then forwarded for encoding in the linking module, for example.
In addition, it is advantageous that a check module is provided downstream from the decoder, which checks the sensor signal for integrity with the aid of this redundancy, and possibly corrects the sensor signal.
The evaluation circuit may be implemented as processor, as mentioned earlier already. This processor is usually made up of a single semiconductor substrate. The corresponding functions are then realized in silicon on this semiconductor substrate.
The test signal generator, the decoder, the check module and the safety controller as well as the evaluation circuit may advantageously be disposed on a single integrated switching circuit and thus form the system ASIC together with other functions, for example. This enables a cost-effective realization of these functions.
Using a block diagram,
A sensor control unit DCU transmits sensor signals or sensor data to control unit ECU, e.g., via a bus, and directly to microcontroller μC in so doing. In the case at hand, the FlexRay standard is used, but it is possible to implement a different standard.
Microcontroller μC itself has an interface R to enable it to receive the sensor data from sensor control unit DCU. This interface R is able to remove the useful data from the transmission frame used for the bus transmission and to forward it to the additional modules in microprocessor μC.
Instead of a sensor control unit DCU, which includes various types of sensors required for the passenger protection function, other structures such as sensor clusters or individual sensors may be provided as well.
The sensor data are forwarded to evaluation module A on the one hand, and to linking module C on the other.
Evaluation module A applies the evaluation algorithm to the sensor signal. Various signal-processing methods are used for this purpose. Threshold value comparisons are implemented, in particular. These threshold values may also be modified as a function of additional variables. If the relevant trigger thresholds are exceeded, then the first trigger decision will be formed by evaluation module A and transmitted to trigger circuit FLIC.
The sensor data are also processed by linking module C, i.e., by linking them to the test signal from test signal generator TG. In the case at hand, this linkage is implemented as encryption or by the simple addition of the key to the sensor signal since the test signal is realized in the form of a key. Linking module C is therefore implemented as encoder. Test signal generator TG is situated in the system ASIC, where a decoder D, safety controller SC and trigger circuit FLIC are disposed as well. Microcontroller μC transmits the encrypted data to decoder D on system ASIC SA via linking module C. Decoder D then checks whether the key is still in the condition in which test signal generator TG had originally transmitted it to encoder C. For this purpose, the key from the test signal generator is provided to decoder D, so that a simple comparison is possible. Decoder D may also receive the key from a memory or some other module.
The useful data are forwarded to safety controller SC, so that the safety controller is able to form the second trigger decision based on this sensor signal. Safety controller SC also carries out at least one threshold value comparison to form the trigger decision, this generation normally being of a simpler nature, i.e., entailing fewer computing steps, than executed by the evaluation algorithm on microcontroller μC.
This trigger decision is then transmitted to trigger circuit FLIC. Trigger circuit FLIC links the two trigger decisions, and the triggering of passenger protection means PS takes place only if both are positive.
Thus, encoder C integrates the key into the signal in order to form the check signal in this manner. The signal may simply be multiplied by the check pattern and then divided in the security path. In general, an unambiguous, reversible mathematical operation is required, i.e., one would search for a variant that is optimal for the propagation time in the signal theory in the realization.
The data including the check sum are forwarded to encoder 204, useful data 00111001 being supplemented by the check sum 11001 in the case at hand. Encoder 204 receives key 11000011 from test signal generator 206 on system ASIC 202. Encoder 204 integrates this key into the sensor signal. The signal produced in this manner is transmitted to decoder 207. Decoder 207 is likewise disposed on system ASIC 202. Decoder 207 also receives key 11000011 from test signal generator 206. By separating the key from the transmitted message from encoder 204 again, the decoder is able to infer, by way of by comparison, whether the key has been altered, e.g., by a malfunction of microcontroller 201.
The useful data with the redundancy, obtained through the decoding, are forwarded to a check module 208. This check module uses the redundancy to check whether the useful data were transmitted correctly. If necessary, a correction of the faulty data may take place. If the useful data are not in order, the method will be terminated at this point and no second trigger decision will be made. However, if the useful data are correct or if a correction is able to be implemented, then the useful data are forwarded to safety controller 209, which likewise is disposed on system ASIC 202. There, the second trigger decision may then be formed.
| Number | Date | Country | Kind |
|---|---|---|---|
| 10 2008 041 339.9 | Aug 2008 | DE | national |
| Filing Document | Filing Date | Country | Kind | 371c Date |
|---|---|---|---|---|
| PCT/EP2009/057950 | 6/25/2009 | WO | 00 | 2/11/2011 |
